authorNikos Mavrogiannopoulos <nmav@gnutls.org>2019-11-27 10:43:56 +0000
committerNikos Mavrogiannopoulos <nmav@gnutls.org>2019-11-27 10:43:56 +0000
commitb754ea635be382e2ccd9f5fcca89b35eff305c1c (patch)
tree83ddd9cd9ddeec45ba010f303a13419c54eb043f
parentdd5dee2ed68d93c8915c91b4965313de57da2943 (diff)
parent0511a2b6318c72e0bf99456dc9234950e9188cf6 (diff)
downloadgnutls-b754ea635be382e2ccd9f5fcca89b35eff305c1c.tar.gz
Merge branch 'tmp-fix-crl-dist-points' into 'master'
Add CRL distribution points to non-self-signed certificates Closes #765 See merge request gnutls/gnutls!1123
-rw-r--r--NEWS3
-rw-r--r--src/certtool.c19
-rw-r--r--tests/cert-tests/Makefile.am2
-rw-r--r--tests/cert-tests/data/template-sgenerate.pem22
-rwxr-xr-xtests/cert-tests/template-test21
-rw-r--r--tests/scripts/common.sh6
6 files changed, 60 insertions, 13 deletions
diff --git a/NEWS b/NEWS
index 56edace3aa..56866cf24f 100644
--- a/NEWS
+++ b/NEWS
@@ -15,6 +15,9 @@ See the end for copying conditions.
** libgnutls: Corrected issue with TLS 1.2 session ticket handling as client
during resumption (#841).
+** certtool: CRL distribution points will be set in CA certificates even when
+ non self-signed (#765).
+
** gnutls-cli/serv: added raw public-key handling capabilities (RFC7250).
Key material can be set via the --rawpkkeyfile and --rawpkfile flags.
diff --git a/src/certtool.c b/src/certtool.c
index 2e4ab86e93..34188f4c6d 100644
--- a/src/certtool.c
+++ b/src/certtool.c
@@ -306,7 +306,6 @@ static void verify_provable_privkey(common_info_st * cinfo)
return;
}
-
static gnutls_x509_crt_t
generate_certificate(gnutls_privkey_t * ret_key,
gnutls_x509_crt_t ca_crt, int proxy,
@@ -579,6 +578,7 @@ generate_certificate(gnutls_privkey_t * ret_key,
app_exit(1);
}
}
+
} else if (ca_status) {
/* CAs always sign */
if (get_sign_status(server))
@@ -776,6 +776,15 @@ generate_certificate(gnutls_privkey_t * ret_key,
gnutls_x509_spki_deinit(spki);
}
+ /* always set CRL distribution points on CAs, but also on certificates
+ * generated with --generate-self-signed. The latter is to retain
+ * compatibility with previous versions of certtool. */
+ if (ca_status || (!proxy && ca_crt == NULL)) {
+ get_crl_dist_point_set(crt);
+ } else if (!proxy && ca_crt != NULL) {
+ gnutls_x509_crt_cpy_crl_dist_points(crt, ca_crt);
+ }
+
*ret_key = key;
return crt;
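Review bot: The result of `gnutls_x509_crt_cpy_crl_dist_points(crt, ca_crt)` on the `else if` branch is discarded without any explanation, while the call this hunk replaces in `generate_signed_certificate` carried a comment stating that a failed copy is deliberately non-fatal; that rationale should travel with the call, e.g. `/* best-effort: failing to copy the issuer's CRL distribution points is not fatal */`. The block comment above the `if` only describes the CA and `--generate-self-signed` cases, so the copy branch for CA-issued end-entity certificates is left undocumented. Note also that for a CA certificate issued by another CA (`ca_status` set and `ca_crt` non-NULL) the new condition takes the `get_crl_dist_point_set` path and no longer copies the issuer's distribution points, which appears to differ from the removed unconditional copy in `generate_signed_certificate`; if that is intended, say so in the comment. `generate_certificate` starts before this hunk and its closing brace lies outside it.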
@@ -956,8 +965,6 @@ void generate_self_signed(common_info_st * cinfo)
if (!key)
key = load_private_key(1, cinfo);
- get_crl_dist_point_set(crt);
-
print_certificate_info(crt, stdlog, 0);
fprintf(stdlog, "\n\nSigning certificate...\n");
@@ -1003,12 +1010,6 @@ static void generate_signed_certificate(common_info_st * cinfo)
crt = generate_certificate(&key, ca_crt, 0, cinfo);
- /* Copy the CRL distribution points.
- */
- gnutls_x509_crt_cpy_crl_dist_points(crt, ca_crt);
- /* it doesn't matter if we couldn't copy the CRL dist points.
- */
-
print_certificate_info(crt, stdlog, 0);
fprintf(stdlog, "\n\nSigning certificate...\n");
diff --git a/tests/cert-tests/Makefile.am b/tests/cert-tests/Makefile.am
index 8944670dc4..5a22e4534e 100644
--- a/tests/cert-tests/Makefile.am
+++ b/tests/cert-tests/Makefile.am
@@ -78,7 +78,7 @@ EXTRA_DIST = data/ca-no-pathlen.pem data/no-ca-or-pathlen.pem data/aki-cert.pem
data/alt-chain.pem data/pkcs7-chain.pem data/pkcs7-chain-root.pem data/chain-eddsa.pem \
data/pkcs7-chain-endcert-key.pem data/cert-rsa-pss.pem data/openssl-invalid-time-format.pem \
data/cert-eddsa.pem data/pubkey-eddsa.pem data/pkcs7-eddsa-sig.p7s \
- data/key-ca.pem data/key-user.pem \
+ data/key-ca.pem data/key-user.pem data/template-sgenerate.pem \
data/ca-gnutls-keyid.pem data/ca-no-keyid.pem data/ca-weird-keyid.pem \
data/key-ca-1234.p8 data/key-ca-empty.p8 data/key-ca-null.p8 \
data/openssl-key-ecc.p8 data/key-ecc.p8 data/key-ecc.pem suppressions.valgrind \
diff --git a/tests/cert-tests/data/template-sgenerate.pem b/tests/cert-tests/data/template-sgenerate.pem
new file mode 100644
index 0000000000..b16915c8fa
--- /dev/null
+++ b/tests/cert-tests/data/template-sgenerate.pem
@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/tests/cert-tests/template-test b/tests/cert-tests/template-test
index 43e28fe15d..f7ebefb664 100755
--- a/tests/cert-tests/template-test
+++ b/tests/cert-tests/template-test
@@ -93,6 +93,27 @@ fi
rm -f ${TMPFILE}
+echo "Running test for certificate generation with --generate-self-signed"
+
+datefudge -s "2007-04-22" \
+ "${CERTTOOL}" --generate-certificate \
+ --load-privkey "${srcdir}/data/template-test.key" \
+ --load-ca-privkey "${srcdir}/../../doc/credentials/x509/ca-key.pem" \
+ --load-ca-certificate "${srcdir}/../../doc/credentials/x509/ca.pem" \
+ --template "${srcdir}/templates/template-dn.tmpl" \
+ --outfile ${TMPFILE} 2>/dev/null
+
+${DIFF} "${srcdir}/data/template-sgenerate.pem" ${TMPFILE} >/dev/null 2>&1
+rc=$?
+
+# We're done.
+if test "${rc}" != "0"; then
+ echo "Test 3-a non-self-signed generation failed"
+ exit ${rc}
+fi
+
+rm -f ${TMPFILE}
+
datefudge -s "2007-04-22" \
"${CERTTOOL}" --generate-self-signed \
--load-privkey "${srcdir}/data/template-test.key" \
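Review bot: The banner printed at the top of the new block says `--generate-self-signed`, but the command it introduces runs `--generate-certificate` with a CA key and certificate and its failure message calls it "non-self-signed generation", so the banner should read `echo "Running test for certificate generation with --generate-certificate"`. For consistency with the quoted paths on the surrounding lines, `--outfile ${TMPFILE}` and the `${DIFF}` operand should be `"${TMPFILE}"`. Because certtool's stderr is discarded, an invocation failure only surfaces as a diff mismatch; consider capturing it when the test fails so the cause is visible in the log. The script continues past the end of this hunk.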
diff --git a/tests/scripts/common.sh b/tests/scripts/common.sh
index 95f8a5298e..4c7d12cf62 100644
--- a/tests/scripts/common.sh
+++ b/tests/scripts/common.sh
@@ -74,13 +74,13 @@ GETPORT='
check_for_datefudge() {
# On certain platforms running datefudge date fails (e.g., x86 datefudge
# with x86-64 date app).
- if test "${SKIP_DATEFUDGE_CHECK}" = 1;then
+ if test "${SKIP_DATEFUDGE_CHECK}" = 1 || test -z "${top_builddir}";then
return
fi
- TSTAMP=`datefudge -s "2006-09-23" "${top_builddir}/tests/datefudge-check" || true`
+ TSTAMP=`datefudge -s "2006-09-23" "${top_builddir}/tests/datefudge-check"`
if test "$TSTAMP" != "1158969600" || test "$WINDOWS" = 1; then
- echo $TSTAMP
+ echo "timestamp: ${TSTAMP}"
echo "You need datefudge to run this test"
exit 77
fi
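Review bot: The new `test -z "${top_builddir}"` condition makes `check_for_datefudge` return silently, but the comment above it only explains the `SKIP_DATEFUDGE_CHECK` case, so the reason for skipping should be recorded, e.g. `# without top_builddir the datefudge-check helper cannot be located; skip the check rather than fail` (presumed intent, to be confirmed). Dropping `|| true` from the command substitution only changes behaviour if the sourcing script runs under `set -e`, which is not visible here; in that case a failing `datefudge-check` now aborts before the "You need datefudge" hint is printed. The closing brace of `check_for_datefudge` is outside this hunk.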