author | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2017-05-29 09:22:44 +0200 |
committer | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2017-06-05 13:33:41 +0200 |
commit | 417cfe18a10cd8c1f098bc1ca47a02d99c254520 (patch) | |
tree | 81cda6baa36b05a2d6839fc0625b715b389a2138 | |
parent | 8e7bc8fec48bf5748b08426ea183d18c2d7b52a9 (diff) | |
download | gnutls-417cfe18a10cd8c1f098bc1ca47a02d99c254520.tar.gz |
tests: added unit test to verify that certificates with non-DER strict time fields are acceptedtmp-tolerate-certs-with-invalid-time
Also removed the old strict compliance DER test.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
-rw-r--r-- | tests/Makefile.am | 2 | ||||
-rw-r--r-- | tests/cert-tests/Makefile.am | 2 | ||||
-rw-r--r-- | tests/cert-tests/data/openssl-invalid-time-format.pem | 20 | ||||
-rwxr-xr-x | tests/cert-tests/tolerate-invalid-time | 50 | ||||
-rw-r--r-- | tests/strict-der.c | 115 |
5 files changed, 72 insertions, 117 deletions
diff --git a/tests/Makefile.am b/tests/Makefile.am
index 17304bb512..fa7975bd73 100644
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@@ -107,7 +107,7 @@ ctests = mini-record-2 simple gc set_pkcs12_cred cert certuniqueid \
 mini-chain-unsorted x509-verify-with-crl mini-dtls-mtu privkey-verify-broken \
 mini-dtls-record-asym openpgp-callback key-import-export \
 mini-dtls-fork mini-dtls-pthread mini-key-material x509cert-invalid \
- strict-der tls-ext-register tls-supplemental mini-dtls0-9 \
+ tls-ext-register tls-supplemental mini-dtls0-9 \
 mini-record-retvals mini-server-name tls-etm x509-cert-callback \
 sign-md5-rep privkey-keygen mini-tls-nonblock no-signal pkcs7-gen dtls-etm \
 x509sign-verify-rsa x509sign-verify-ecdsa mini-alignment oids atfork prf psk-file \
diff --git a/tests/cert-tests/Makefile.am b/tests/cert-tests/Makefile.am
index 90641679fb..3ebe13604f 100644
--- a/tests/cert-tests/Makefile.am
+++ b/tests/cert-tests/Makefile.am
@@ -76,7 +76,7 @@ EXTRA_DIST = data/ca-no-pathlen.pem data/no-ca-or-pathlen.pem data/aki-cert.pem
 data/invalid-date-secs.der data/invalid-date-month.der data/invalid-date-day.der \
 data/mem-leak.p12 data/alt-chain-new-ca.pem data/alt-chain-old-ca.pem \
 data/alt-chain.pem data/pkcs7-chain.pem data/pkcs7-chain-root.pem \
- data/pkcs7-chain-endcert-key.pem data/cert-rsa-pss.pem
+ data/pkcs7-chain-endcert-key.pem data/cert-rsa-pss.pem data/openssl-invalid-time-format.pem
 
 dist_check_SCRIPTS = pathlen aki certtool invalid-sig email \
 pkcs7 pkcs7-broken-sigs privkey-import name-constraints certtool-long-cn crl provable-privkey \
diff --git a/tests/cert-tests/data/openssl-invalid-time-format.pem b/tests/cert-tests/data/openssl-invalid-time-format.pem
new file mode 100644
index 0000000000..7a55b47d8a
--- /dev/null
+++ b/tests/cert-tests/data/openssl-invalid-time-format.pem
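Review bot: The new script tests/cert-tests/tolerate-invalid-time is created by this commit, but the tests/cert-tests/Makefile.am hunk only adds its data file to EXTRA_DIST; the dist_check_SCRIPTS list that appears as context two lines below does not gain the script, and the diffstat reports just two changed lines in this file, so unless it is listed further down outside the hunk the new test is shipped but never run by `make check`. Add it to the list, e.g. `dist_check_SCRIPTS = pathlen aki certtool invalid-sig email tolerate-invalid-time \`. Because the script itself exits 77 (skip) when certtool or a recent libtasn1 is missing, a missing registration would not show up as a failure anywhere, which makes this easy to overlook.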
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDyjCCArKgAwIBAgICEAAwDQYJKoZIhvcNAQEFBQAwSTELMAkGA1UEBhMCVVMxFjAUBgNVBAoT
+DWlpb3JkYW5vdi5jb20xIjAgBgNVBAMTGW92aXJ0Lmlpb3JkYW5vdi5jb20uNzE5NzUwIhcRMTQw
+NjE2MjIxMTA1KzAwMDAXDTI0MDYxNDIyMTEwNVowSTELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDWlp
+b3JkYW5vdi5jb20xIjAgBgNVBAMTGW92aXJ0Lmlpb3JkYW5vdi5jb20uNzE5NzUwggEiMA0GCSqG
+SIb3DQEBAQUAA4IBDwAwggEKAoIBAQC1gS9aSehHWenPdIAayB8eovfVe3h9vqwlTzfOZaiJK56f
+P1shhwu/shML9g9xADBtJ2MyXhgY+V20mJ2oOivqotTeIcHc0vs5fJcBuwWXxFt8ISDkFXhnsX+9
+8MP1Fhc3PEIxlhMitFK7+7d6JxSd6lQsIgeruyf2A+aSLD02QUpNdnhxJ48FMncJUrFycTDZtnb2
+REJWgl1cRa8MMtiLKoMYdC+t3P9Am27vOpRmh0U6rB4qym1wYj9JbEES4mbS/u1JQgKv+AXgS1QD
+5ZFpTXPDeOs2QPJtrwD2nu5Sd2aCMAv8MHqeR8nfaixkpKC4JxF6fnR+Ynn4wzKOdpOhAgMBAAGj
+gbcwgbQwHQYDVR0OBBYEFEhIahZoIh8Wzfpi/nbPJ81SQwFkMHIGA1UdIwRrMGmAFEhIahZoIh8W
+zfpi/nbPJ81SQwFkoU2kSzBJMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNaWlvcmRhbm92LmNvbTEi
+MCAGA1UEAxMZb3ZpcnQuaWlvcmRhbm92LmNvbS43MTk3NYICEAAwDwYDVR0TAQH/BAUwAwEB/zAO
+BgNVHQ8BAf8EBAMCAQYwDQYJKoZIhvcNAQEFBQADggEBAAYMFGll2Ib7wpitipon6S9C25A8fnx7
+wLXKY3fUBJmtpLxTjSZfPbhmNkCvwGbmjG78AFbl+dY1+PDmEK1w2DgNWw2I9WcY4ULJoINo3YZv
+p2s53iYW3U+Syz+WLrIW0om5bM1Y0fw8KbuAuWsJzJfbd1hMGeMV6axKx7FbECuN0a02sCo2kIxk
+ckg/aGgshQ4EkqP79j7O25WaZdcBZDpYsqSDvcG6Oy4qM3dde/EBZiflPu4mvIwL15ilGXfO/zPk
+p49fcKm5YE8LC9PvsS+NSnD9avxRQq8bY4an2FUxoh5mSh+UY2rpd9yX7WCBtZ9TwHkkaeNehgRz
+7crbZrA=
+-----END CERTIFICATE-----
diff --git a/tests/cert-tests/tolerate-invalid-time b/tests/cert-tests/tolerate-invalid-time
new file mode 100755
index 0000000000..f8707441d3
--- /dev/null
+++ b/tests/cert-tests/tolerate-invalid-time
@@ -0,0 +1,50 @@
+#!/bin/sh
+
+# Copyright (C) 2017 Red Hat, Inc.
+#
+# This file is part of GnuTLS.
+#
+# GnuTLS is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 3 of the License, or (at
+# your option) any later version.
+#
+# GnuTLS is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>
+
+#set -e
+
+srcdir="${srcdir:-.}"
+CERTTOOL="${CERTTOOL:-../../src/certtool${EXEEXT}}"
+PKGCONFIG="${PKG_CONFIG:-$(which pkg-config)}"
+DIFF="${DIFF:-diff -b -B}"
+
+if ! test -x "${CERTTOOL}"; then
+ exit 77
+fi
+
+if ! test -z "${VALGRIND}"; then
+ VALGRIND="${LIBTOOL:-libtool} --mode=execute ${VALGRIND}"
+fi
+
+${PKGCONFIG} --version >/dev/null || exit 77
+
+${PKGCONFIG} --atleast-version=4.12 libtasn1 || exit 77
+
+# Check whether certificates with invalid time fields are accepted
+for file in openssl-invalid-time-format.pem;do
+ ${VALGRIND} "${CERTTOOL}" -i --infile "${srcdir}/data/$file"
+ rc=$?
+
+ if test "${rc}" != "0";then
+ echo "file $file was not rejected"
+ exit 1
+ fi
+done
+
+exit 0
diff --git a/tests/strict-der.c b/tests/strict-der.c
deleted file mode 100644
index 8854c744d9..0000000000
--- a/tests/strict-der.c
+++ /dev/null
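Review bot: The failure message in the loop body says the opposite of what happened: the test passes when certtool exits 0 (the certificate was accepted), so the branch taken for a non-zero `rc` should report a rejection, not "was not rejected"; change it to `echo "file $file was rejected"`. `DIFF` is assigned near the top but never used and can be dropped, and redirecting certtool's full certificate dump (`>/dev/null`) would keep the check log to the pass/fail line. The comment above the loop could also say what is being tolerated: decoding the notBefore field of data/openssl-invalid-time-format.pem it appears to be a UTCTime ending in "+0000" instead of the "Z" that DER requires, so something like `# OpenSSL-generated certs may carry a UTCTime with an explicit +0000 offset; DER requires Z, but such certs must still parse` would tell a future reader which deviation this test pins. Since the test only asserts acceptance, comparing the printed validity date against the expected value would additionally guard against the lenient parser producing a wrong time.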
@@ -1,115 +0,0 @@
-/*
- * Copyright (C) 2011-2012 Free Software Foundation, Inc.
- *
- * Author: Nikos Mavrogiannopoulos
- *
- * This file is part of GnuTLS.
- *
- * GnuTLS is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 3 of the License, or
- * (at your option) any later version.
- *
- * GnuTLS is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with GnuTLS; if not, write to the Free Software Foundation,
- * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
- */
-
-/* Parts copied from GnuTLS example programs. */
-
-#ifdef HAVE_CONFIG_H
-#include <config.h>
-#endif
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <sys/types.h>
-#if !defined(_WIN32)
-#include <netinet/in.h>
-#include <sys/socket.h>
-#include <sys/wait.h>
-#include <arpa/inet.h>
-#endif
-#include <unistd.h>
-#include <gnutls/gnutls.h>
-#include <gnutls/x509.h>
-
-#include "utils.h"
-
-/* Test for gnutls_certificate_get_issuer() and implicitly for
- * gnutls_trust_list_get_issuer().
- */
-
-static void tls_log_func(int level, const char *str)
-{
- fprintf(stderr, "<%d>| %s", level, str);
-}
-
-/* This certificate is modified to contain invalid DER. In older
- * gnutls versions that would still be parsed and the wrong DER was
- * "corrected" but now we should reject these */
-static unsigned char cert_pem[] =
- "-----BEGIN CERTIFICATE-----\n"
- "MIIFXzCCBEegAwIBAgIQHYWDpKNVUzEFx4Pq8yjxbTANBgkqhkiG9w0BAQUFADCBtTELMAkGA1UE\n"
- "BhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQLExZWZXJpU2lnbiBUcnVzdCBO\n"
- "ZXR3b3JrMTswOQYDVQQLEzJUZXJtcyBvZiB1c2UgYXQgaHR0cHM6Ly93d3cudmVyaXNpZ24uY29t\n"
- "L3JwYSAoYykxMDEvMC0GA1UEAxMmVmVyaVNpZ24gQ2xhc3MgMyBTZWN1cmUgU2VydmVyIENBIC0g\n"
- "RzMwHxcOMTQwMjI3MDAwMDAwWgAXDTE1MDIyODIzNTk1OVowZzELMAkGA1UEBhMCVVMxEzARBgNV\n"
- "BAgTCldhc2hpbmd0b24xEDAOBgNVBAcUB1NlYXR0bGUxGDAWBgNVBAoUD0FtYXpvbi5jb20gSW5j\n"
- "LjEXMBUGA1UEAxQOd3d3LmFtYXpvbi5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB\n"
- "AQCXX4njj63+AK39SJXnf4ove+NO2Z46WgeccZuPUOD89/ucZg9C2K3uwo59QO1t2ZR5IucxVWaV\n"
- "vSW/9z30hA2ObJco5Cw9o3ZdoFXn0rYUmbWMW+XmL+/bSBDdFPQGfP1WhsFKJJfJ9TIrXBAsTSzH\n"
- "uC6qFZktvZ1yE0081+bdyOHVHjAQzSPsYFaSUqccMwPvy/sMaI+Um+GCf2PolJJwpI1+j6WmTEVg\n"
- "RBNHarxtNqpcV3rAFdJ5imL427agMqFur4Iz/OYeoCRBEiKk02ctRzoBaTvF09OQqRg3I4T9bE71\n"
- "xe1cdWo/sQ4nRiy1tfPBt+aBSiIRMh0Fdle780QFAgMBAAGjggG1MIIBsTBQBgNVHREESTBHghF1\n"
- "ZWRhdGEuYW1hem9uLmNvbYIKYW1hem9uLmNvbYIIYW16bi5jb22CDHd3dy5hbXpuLmNvbYIOd3d3\n"
- "LmFtYXpvbi5jb20wCQYDVR0TBAIwADAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUH\n"
- "AwEGCCsGAQUFBwMCMEMGA1UdIAQ8MDowOAYKYIZIAYb4RQEHNjAqMCgGCCsGAQUFBwIBFhxodHRw\n"
- "czovL3d3dy52ZXJpc2lnbi5jb20vY3BzMB8GA1UdIwQYMBaAFA1EXBZTRMGCfh0gqyX0AWPYvnml\n"
- "MEUGA1UdHwQ+MDwwOqA4oDaGNGh0dHA6Ly9TVlJTZWN1cmUtRzMtY3JsLnZlcmlzaWduLmNvbS9T\n"
- "VlJTZWN1cmVHMy5jcmwwdgYIKwYBBQUHAQEEajBoMCQGCCsGAQUFBzABhhhodHRwOi8vb2NzcC52\n"
- "ZXJpc2lnbi5jb20wQAYIKwYBBQUHMAKGNGh0dHA6Ly9TVlJTZWN1cmUtRzMtYWlhLnZlcmlzaWdu\n"
- "LmNvbS9TVlJTZWN1cmVHMy5jZXIwDQYJKoZIhvcNAQEFBQADggEBADnmX45CNMkf57rQjB6ef7gf\n"
- "3r5AfKiGMYdSim4TwU5qcpJicYiyqwQXAQbvZFuZTGzT0jXJROLAsjdHcQiR8D5u7mzVMbJg0kz0\n"
- "yTsdDM5dFmVWme3l958NZI/I0qCtH+Z/O0cyivOTMARbBJ+92dqQ78U3He9gRNE9VCS3FNgObhwC\n"
- "cr5tkKTlgSESpSRyBwnLucY4+ci5xjvYndHIzoxII/X9TKOIc2sC+b0H5KP8RcQLAO9G5Nra7+eJ\n"
- "IC74ZgFvgejqTd2f8QeJljTsNxvG4P7vqQi73fCkTuVfCk5YDtTU2joGAujgBd1EjTIbjWYeoebV\n"
- "gN5gPKxa/GbGsoQ=\n"
- "-----END CERTIFICATE-----\n";
-
-const gnutls_datum_t cert = { cert_pem, sizeof(cert_pem) - 1};
-
-void doit(void)
-{
- int ret;
- gnutls_x509_crt_t crt;
-
- /* this must be called once in the program
- */
- global_init();
-
- gnutls_global_set_log_function(tls_log_func);
- if (debug)
- gnutls_global_set_log_level(6);
-
- gnutls_x509_crt_init(&crt);
-
- ret =
- gnutls_x509_crt_import(crt, &cert, GNUTLS_X509_FMT_PEM);
- if (ret >= 0) {
- fail("gnutls_x509_crt_import allowed loading a cert with invalid DER\n");
- exit(1);
- }
- gnutls_x509_crt_deinit(crt);
-
- gnutls_global_deinit();
-
- if (debug)
- success("success");
-}