author | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2019-11-25 22:36:22 +0100 |
---|---|---|
committer | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2019-11-25 22:40:56 +0100 |
commit | 0511a2b6318c72e0bf99456dc9234950e9188cf6 (patch) | |
tree | 83ddd9cd9ddeec45ba010f303a13419c54eb043f | |
parent | 1fe4f8e289d666979618fbb909983ac05aad11ac (diff) | |
certtool: always include the CRL distribution points on CAs
Previously we would omit the CRL distribution points from a non-self-signed
CA certificate, even if contained in the template.
Resolves: #765
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
-rw-r--r-- | NEWS | 3 | ||||
-rw-r--r-- | src/certtool.c | 19 | ||||
-rw-r--r-- | tests/cert-tests/Makefile.am | 2 | ||||
-rw-r--r-- | tests/cert-tests/data/template-sgenerate.pem | 22 | ||||
-rwxr-xr-x | tests/cert-tests/template-test | 21 |
5 files changed, 57 insertions, 10 deletions
@@ -15,6 +15,9 @@ See the end for copying conditions.
 ** libgnutls: Corrected issue with TLS 1.2 session ticket handling as client during resumption (#841).
+** certtool: CRL distribution points will be set in CA certificates even when
+ non self-signed (#765).
+
 ** gnutls-cli/serv: added raw public-key handling capabilities (RFC7250). Key material can be set via the --rawpkkeyfile and --rawpkfile flags.
diff --git a/src/certtool.c b/src/certtool.c
index 2e4ab86e93..34188f4c6d 100644
--- a/src/certtool.c
+++ b/src/certtool.c
@@ -306,7 +306,6 @@ static void verify_provable_privkey(common_info_st * cinfo)
 return;
 }
-
 static gnutls_x509_crt_t
 generate_certificate(gnutls_privkey_t * ret_key,
 gnutls_x509_crt_t ca_crt,
 int proxy,
@@ -579,6 +578,7 @@ generate_certificate(gnutls_privkey_t * ret_key,
 app_exit(1);
 }
 }
+
 } else if (ca_status) {
 /* CAs always sign */
 if (get_sign_status(server))
@@ -776,6 +776,15 @@ generate_certificate(gnutls_privkey_t * ret_key,
 gnutls_x509_spki_deinit(spki);
 }
+ /* always set CRL distribution points on CAs, but also on certificates
+ * generated with --generate-self-signed. The latter is to retain
+ * compatibility with previous versions of certtool. */
+ if (ca_status || (!proxy && ca_crt == NULL)) {
+ get_crl_dist_point_set(crt);
+ } else if (!proxy && ca_crt != NULL) {
+ gnutls_x509_crt_cpy_crl_dist_points(crt, ca_crt);
+ }
+
 *ret_key = key;
 return crt;
@@ -956,8 +965,6 @@ void generate_self_signed(common_info_st * cinfo)
 if (!key)
 key = load_private_key(1, cinfo);
- get_crl_dist_point_set(crt);
-
 print_certificate_info(crt, stdlog, 0);
 fprintf(stdlog, "\n\nSigning certificate...\n");
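Review bot: In the new `else if (!proxy && ca_crt != NULL)` branch of generate_certificate the return value of `gnutls_x509_crt_cpy_crl_dist_points(crt, ca_crt)` is dropped silently, whereas the block this replaces in generate_signed_certificate (hunk @@ -1003) at least recorded that a failed copy is tolerated; carry that over so the unchecked call reads as deliberate, e.g. `/* best effort: failing to copy the issuer's CRL DPs is not fatal */` above the call. The comment above the `if` describes only the CA and self-signed cases; it should also state that a non-proxy leaf signed by a CA inherits the issuer's CRL distribution points here and, going by the commit description, a crl_dist_points entry in its own template is not applied, which matters because the issuer's CRL DP identifies the CRL covering the issuer certificate rather than one where this leaf would be listed. That get_crl_dist_point_set() reads the template is inferred from the description, not visible in this hunk. generate_certificate begins before this hunk.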
@@ -1003,12 +1010,6 @@ static void generate_signed_certificate(common_info_st * cinfo)
 crt = generate_certificate(&key, ca_crt, 0, cinfo);
- /* Copy the CRL distribution points.
- */
- gnutls_x509_crt_cpy_crl_dist_points(crt, ca_crt);
- /* it doesn't matter if we couldn't copy the CRL dist points.
- */
-
 print_certificate_info(crt, stdlog, 0);
 fprintf(stdlog, "\n\nSigning certificate...\n");
diff --git a/tests/cert-tests/Makefile.am b/tests/cert-tests/Makefile.am
index 8944670dc4..5a22e4534e 100644
--- a/tests/cert-tests/Makefile.am
+++ b/tests/cert-tests/Makefile.am
@@ -78,7 +78,7 @@ EXTRA_DIST = data/ca-no-pathlen.pem data/no-ca-or-pathlen.pem data/aki-cert.pem
 data/alt-chain.pem data/pkcs7-chain.pem data/pkcs7-chain-root.pem data/chain-eddsa.pem \
 data/pkcs7-chain-endcert-key.pem data/cert-rsa-pss.pem data/openssl-invalid-time-format.pem \
 data/cert-eddsa.pem data/pubkey-eddsa.pem data/pkcs7-eddsa-sig.p7s \
- data/key-ca.pem data/key-user.pem \
+ data/key-ca.pem data/key-user.pem data/template-sgenerate.pem \
 data/ca-gnutls-keyid.pem data/ca-no-keyid.pem data/ca-weird-keyid.pem \
 data/key-ca-1234.p8 data/key-ca-empty.p8 data/key-ca-null.p8 \
 data/openssl-key-ecc.p8 data/key-ecc.p8 data/key-ecc.pem suppressions.valgrind \
diff --git a/tests/cert-tests/data/template-sgenerate.pem b/tests/cert-tests/data/template-sgenerate.pem
new file mode 100644
index 0000000000..b16915c8fa
--- /dev/null
+++ b/tests/cert-tests/data/template-sgenerate.pem
@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----
+MIIDtDCCAmygAwIBAgIBBzANBgkqhkiG9w0BAQsFADAZMRcwFQYDVQQDEw5HbnVU
+TFMgVGVzdCBDQTAeFw0wNzA0MjIwMDAwMDBaFw0xNDA1MjUwMDAwMDBaMFsxDDAK
+BgNVBAMTA05pazEPMA0GA1UECBMGQXR0aWtpMQswCQYDVQQGEwJHUjEaMBgGA1UE
+BBMRTWF2cm9naWFubm9wb3Vsb3MxETAPBgNVBAkTCEFya2FkaWFzMIGfMA0GCSqG
+SIb3DQEBAQUAA4GNADCBiQKBgQClxs51Q4S/ZJ4CJxPxA1n3eS2S7XwvUKQD8S15
+uYaLBX46u0Sqr4TPE5geHEo49zMtep9y1GttJrAxN3AQ+0Lp2J0YZX4ZSfwFlgRo
+gx53hr/t9eUSOxP+MxicGnodaa9HAmB6H7noz9vINDBRlj2MllwAvGHeCA+xNiF/
+qQDjBQIDAQABo4IBFzCCARMwDwYDVR0TAQH/BAUwAwEB/zBqBgNVHREEYzBhggx3
+d3cubm9uZS5vcmeCE3d3dy5tb3JldGhhbm9uZS5vcmeCF3d3dy5ldmVubW9yZXRo
+YW5vbmUub3JnhwTAqAEBgQ1ub25lQG5vbmUub3JngQ53aGVyZUBub25lLm9yZzAT
+BgNVHSUEDDAKBggrBgEFBQcDCTAPBgNVHQ8BAf8EBQMDB4QAMB0GA1UdDgQWBBRd
+QK3wzpRAlYt+mZQdklQiynI2XzAfBgNVHSMEGDAWgBRNVrdqAFjxZ5L0pnVVG45T
+AQPvzzAuBgNVHR8EJzAlMCOgIaAfhh1odHRwOi8vd3d3LmdldGNybC5jcmwvZ2V0
+Y3JsLzANBgkqhkiG9w0BAQsFAAOCATEAddMzLqCJ+KkNgn/mcz19mEh4ZSiJzS14
+d4SLlcImMFJSPRQ6hwjKXB4N5vljr5pr69e9bg9kzuw622xjT+8YNKJH9c4VEcyK
+HEemVemeMJAU10d7XVnQAExt9w+siPJlXMpjG2ij/DNmoi8PWUq1qhIskJohYg9C
+NVXdViL29z5wMmh91mQI7xt6vw8S4WrmSZrkrkAXK07h5yeqjIQYht2iQjLZF2rO
+3d0h3u7RdyV1uG93C3FW0Dthqqon6UdEjuPeYCK/7cWe3BhBGIJ/SRDVYXp3VtlS
+Ms66n3bpSxrI1el+2lHfDTJwGgIvLhXz3bmznkqbg482rJkFTuS/DmwiTcErF+rF
+E3zPAchY2B+ieRe5944OsQcfhaZDVyUcrC5FtFp0Q/LFmPgy55dR1g==
+-----END CERTIFICATE-----
diff --git a/tests/cert-tests/template-test b/tests/cert-tests/template-test
index 43e28fe15d..f7ebefb664 100755
--- a/tests/cert-tests/template-test
+++ b/tests/cert-tests/template-test
@@ -93,6 +93,27 @@ fi
 rm -f ${TMPFILE}
+echo "Running test for certificate generation with --generate-self-signed"
+
+datefudge -s "2007-04-22" \
+ "${CERTTOOL}" --generate-certificate \
+ --load-privkey "${srcdir}/data/template-test.key" \
+ --load-ca-privkey "${srcdir}/../../doc/credentials/x509/ca-key.pem" \
+ --load-ca-certificate "${srcdir}/../../doc/credentials/x509/ca.pem" \
+ --template "${srcdir}/templates/template-dn.tmpl" \
+ --outfile ${TMPFILE} 2>/dev/null
+
+${DIFF} "${srcdir}/data/template-sgenerate.pem" ${TMPFILE} >/dev/null 2>&1
+rc=$?
+
+# We're done.
+if test "${rc}" != "0"; then
+ echo "Test 3-a non-self-signed generation failed"
+ exit ${rc}
+fi
+
+rm -f ${TMPFILE}
+
 datefudge -s "2007-04-22" \
 "${CERTTOOL}" --generate-self-signed \
 --load-privkey "${srcdir}/data/template-test.key" \
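Review bot: The progress message on the first added line says `--generate-self-signed`, but the command it introduces runs `--generate-certificate` with `--load-ca-certificate`, and the failure message below calls it "non-self-signed generation"; change it to `echo "Running test for non-self-signed certificate generation with --generate-certificate"` so a failing run is not misattributed to the self-signed case that follows. The certtool invocation sends stderr to `/dev/null` and its exit status is never examined, so a certtool failure surfaces only as a `${DIFF}` mismatch with no diagnostic; dropping the `2>/dev/null` redirect, or checking `$?` right after the call, would make the failure self-explanatory. Because the check is a byte-for-byte comparison against data/template-sgenerate.pem, the test pins every output detail of certtool rather than the presence of the CRL distribution points it was added for, so any unrelated change to certtool output will require regenerating the fixture. The enclosing script continues outside the hunk.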