authorNikos Mavrogiannopoulos <nmav@redhat.com>2017-02-27 16:54:33 +0100
committerNikos Mavrogiannopoulos <nmav@redhat.com>2017-03-02 16:03:27 +0100
commit6f7c7db6469adb72db27a1173218dd55aeb1e90f (patch)
tree940ecd193bf2a12c835a59969b2465908631f09d
parented9d771c0eb6ff209dbe9ed3b471731725d05024 (diff)
downloadgnutls-6f7c7db6469adb72db27a1173218dd55aeb1e90f.tar.gz
tests: verify that critical extensions can be stored
That is, ensure that we don't repeat the regression of certtool not processing free-form critical extensions when no other free-form extensions are present. Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
-rw-r--r--tests/cert-tests/Makefile.am3
-rw-r--r--tests/cert-tests/data/crit-extensions.pem17
-rwxr-xr-xtests/cert-tests/template-exts-test18
-rw-r--r--tests/cert-tests/templates/crit-extensions.tmpl30
4 files changed, 67 insertions, 1 deletions
diff --git a/tests/cert-tests/Makefile.am b/tests/cert-tests/Makefile.am
index 875aeb795b..b0ea3b3fb7 100644
--- a/tests/cert-tests/Makefile.am
+++ b/tests/cert-tests/Makefile.am
@@ -67,7 +67,8 @@ EXTRA_DIST = data/ca-no-pathlen.pem data/no-ca-or-pathlen.pem data/aki-cert.pem
data/openpgp-invalid5.pub data/openpgp-invalid6.pub templates/template-long-dns.tmpl \
data/long-dns.pem data/template-long-dns-crq.pem data/openpgp-invalid7.pub \
data/openpgp-invalid8.pub data/chain-with-critical-on-root.pem \
- data/chain-with-critical-on-intermediate.pem data/chain-with-critical-on-endcert.pem
+ data/chain-with-critical-on-intermediate.pem data/chain-with-critical-on-endcert.pem \
+ templates/crit-extensions.tmpl data/crit-extensions.pem
dist_check_SCRIPTS = pathlen aki certtool invalid-sig email \
pkcs7 pkcs7-broken-sigs privkey-import name-constraints certtool-long-cn crl provable-privkey \
diff --git a/tests/cert-tests/data/crit-extensions.pem b/tests/cert-tests/data/crit-extensions.pem
new file mode 100644
index 0000000000..1932f15ac6
--- /dev/null
+++ b/tests/cert-tests/data/crit-extensions.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/tests/cert-tests/template-exts-test b/tests/cert-tests/template-exts-test
index 8475981d00..32e90f91e3 100755
--- a/tests/cert-tests/template-exts-test
+++ b/tests/cert-tests/template-exts-test
@@ -52,6 +52,24 @@ fi
rm -f "$OUTFILE"
+# Test adding critical extensions only
+datefudge -s "2007-04-22" \
+ "${CERTTOOL}" --generate-self-signed \
+ --load-privkey "${srcdir}/data/template-test.key" \
+ --template "${srcdir}/templates/crit-extensions.tmpl" \
+ --outfile $OUTFILE #2>/dev/null
+
+${DIFF} "${srcdir}/data/crit-extensions.pem" $OUTFILE #>/dev/null 2>&1
+rc=$?
+
+# We're done.
+if test "${rc}" != "0"; then
+ echo "Test with critical only failed"
+ exit ${rc}
+fi
+
+rm -f "$OUTFILE"
+
datefudge -s "2007-04-22" \
"${CERTTOOL}" --generate-request \
--load-privkey "${srcdir}/data/template-test.key" \
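Review bot: `$OUTFILE` is left unquoted in both added commands, although the `rm -f "$OUTFILE"` lines around them quote it. The two lines should read `--outfile "$OUTFILE"` and `${DIFF} "${srcdir}/data/crit-extensions.pem" "$OUTFILE"`, so that a temporary path containing spaces or glob characters cannot split into extra arguments. The exit status of the certtool call is also never inspected, so a certtool failure surfaces only as a diff mismatch under the same "Test with critical only failed" message. Capturing the status right after the call and reporting it separately would make a recurrence of the regression easier to tell apart from a stale reference file. The copied `# We're done.` comment is misleading here because the script goes on to the `--generate-request` case, which continues past the end of this hunk.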
diff --git a/tests/cert-tests/templates/crit-extensions.tmpl b/tests/cert-tests/templates/crit-extensions.tmpl
new file mode 100644
index 0000000000..e16f316055
--- /dev/null
+++ b/tests/cert-tests/templates/crit-extensions.tmpl
@@ -0,0 +1,30 @@
+# X.509 Certificate options
+#
+# DN options
+
+# The organization of the subject.
+organization = "Koko inc."
+
+# The organizational unit of the subject.
+unit = "sleeping dept."
+
+# The locality of the subject.
+# locality =
+
+# The state of the certificate owner.
+state = "Attiki"
+
+# The country of the subject. Two letter code.
+country = GR
+
+# The common name of the certificate owner.
+cn = "Cindy Lauper"
+
+# A user id of the certificate owner.
+uid = "clauper"
+
+serial = 9
+expiration_days = 2590
+
+add_critical_extension = "9.10.11.12.13.14.15.16.17.1.5 CAFE"
+add_critical_extension = "7.0.1.5.1 octet_string(BEAFCAFEFAFA)"
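Review bot: Nothing in this template says that the absence of any plain `add_extension` line is the condition under test. The commit message describes the regression as certtool ignoring free-form critical extensions when no other free-form extensions are present, so a later edit that adds a non-critical extension here would still pass while no longer covering that case. A short header comment above the two `add_critical_extension` lines would guard against this, for example `# Regression test: keep this template free of add_extension entries; only critical free-form extensions must be present.`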