authorNikos Mavrogiannopoulos <nmav@gnutls.org>2019-12-23 20:07:38 +0000
committerNikos Mavrogiannopoulos <nmav@gnutls.org>2019-12-23 20:07:38 +0000
commit58a45b8c2fbf2f0ff22e1c7c7762d0cb00855df9 (patch)
tree0ada5105ad31f386066dac2c5d7618db9d588f87
parentedbc4cad3cd81612e9c1abeb2c55df4f2d9ef9fa (diff)
parentc35490f0a3d01aeb387c2de127110c8b1ec3c750 (diff)
downloadgnutls-58a45b8c2fbf2f0ff22e1c7c7762d0cb00855df9.tar.gz
Merge branch 'tmp-certtool-crq' into 'master'
certtool: always set extensions from template

See merge request gnutls/gnutls!1130
-rw-r--r--NEWS11
-rw-r--r--src/certtool.c3
-rw-r--r--tests/cert-tests/Makefile.am8
-rwxr-xr-xtests/cert-tests/crq91
-rw-r--r--tests/cert-tests/data/crq-cert-no-ca-explicit.pem26
-rw-r--r--tests/cert-tests/data/crq-cert-no-ca-honor.pem26
-rw-r--r--tests/cert-tests/data/crq-cert-no-ca.pem19
-rw-r--r--tests/cert-tests/templates/template-no-ca-explicit.tmpl13
-rw-r--r--tests/cert-tests/templates/template-no-ca-honor.tmpl3
-rw-r--r--tests/cert-tests/templates/template-no-ca.tmpl2
10 files changed, 194 insertions, 8 deletions
diff --git a/NEWS b/NEWS
index 2e16805007..67051289ab 100644
--- a/NEWS
+++ b/NEWS
@@ -24,15 +24,18 @@ See the end for copying conditions.
for all certificate verifications, not only under TLS. The configuration can
be overriden using the GNUTLS_SYSTEM_PRIORITY_FILE environment variable.
-** certtool: Added the --verify-profile option to set a certificate
- verification profile. Use '--verify-profile low' for certificate verification
- to apply the 'NORMAL' verification profile.
-
** libgnutls: If a CA is found in the trusted list, check in addition to
time validity, whether the algorithms comply to the expected level prior
to accepting it. This addresses the problem of accepting CAs which would
have been marked as insecure otherwise (#877).
+** certtool: Added the --verify-profile option to set a certificate
+ verification profile. Use '--verify-profile low' for certificate verification
+ to apply the 'NORMAL' verification profile.
+
+** certtool: The add_extension template option is considered even when generating
+ a certificate from a certificate request.
+
** API and ABI modifications:
gnutls_ocsp_req_const_t: Added
diff --git a/src/certtool.c b/src/certtool.c
index 447f02f765..35438daafa 100644
--- a/src/certtool.c
+++ b/src/certtool.c
@@ -373,7 +373,6 @@ generate_certificate(gnutls_privkey_t * ret_key,
get_oid_crt_set(crt);
get_key_purpose_set(TYPE_CRT, crt);
- get_extensions_crt_set(TYPE_CRT, crt);
if (!batch)
fprintf(stderr,
@@ -467,6 +466,8 @@ generate_certificate(gnutls_privkey_t * ret_key,
}
}
+ get_extensions_crt_set(TYPE_CRT, crt);
+
/* append additional extensions */
if (cinfo->v1_cert == 0) {
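Review bot: The relocated `get_extensions_crt_set(TYPE_CRT, crt)` now runs after the request-handling block above it, so when the template has `honor_crq_extensions` the template's `add_extension` entries are applied on top of extensions already copied from the CRQ, and neither the hunk nor the NEWS entry states which one wins for an OID present in both. If `gnutls_x509_crt_set_extension_by_oid` replaces an existing extension of the same OID, as I believe it does but cannot confirm from this hunk, the template (the CA operator's policy) overrides requester-supplied content, which is the property a CA wants; if it instead appends, the certificate would carry two instances of one extension, which RFC 5280 §4.2 forbids. I would pin this down with a comment above the call, `/* Set template extensions after any CRQ extensions have been copied, so a template entry overrides a requester-supplied one of the same OID. */`, and a test template that combines `honor_crq_extensions` with an `add_extension` for an OID the request already carries. generate_certificate() starts and ends outside the hunk.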
diff --git a/tests/cert-tests/Makefile.am b/tests/cert-tests/Makefile.am
index 76765889c6..c8abdbf74a 100644
--- a/tests/cert-tests/Makefile.am
+++ b/tests/cert-tests/Makefile.am
@@ -94,12 +94,14 @@ EXTRA_DIST = data/ca-no-pathlen.pem data/no-ca-or-pathlen.pem data/aki-cert.pem
data/key-invalid3.der data/pkcs8-eddsa.pem data/pkcs8-eddsa.pem.txt \
data/rfc4490.p7b data/rfc4490.p7b.out data/gost01.p12 data/gost12.p12 data/gost12-2.p12 \
data/ca-crl-invalid.crl data/ca-crl-invalid.pem data/ca-crl-valid.pem data/ca-crl-valid.crl \
- data/rfc4134-ca-rsa.pem data/rfc4134-4.5.p7b \
- data/key-gost01.p8 data/key-gost01-2.p8 data/key-gost01-2-enc.p8 \
+ data/rfc4134-ca-rsa.pem data/rfc4134-4.5.p7b templates/template-no-ca.tmpl \
+ data/key-gost01.p8 data/key-gost01-2.p8 data/key-gost01-2-enc.p8 data/crq-cert-no-ca.pem \
data/key-gost12-256.p8 data/key-gost12-256-2.p8 data/key-gost12-256-2-enc.p8 \
data/key-gost12-512.p8 data/grfc.crt data/gost-cert-ca.pem data/gost-cert-new.pem \
data/cert-with-non-digits-time-ca.pem data/cert-with-non-digits-time.pem \
- data/chain-512-leaf.pem data/chain-512-subca.pem data/chain-512-ca.pem
+ data/chain-512-leaf.pem data/chain-512-subca.pem data/chain-512-ca.pem \
+ templates/template-no-ca-honor.tmpl templates/template-no-ca-explicit.tmpl \
+ data/crq-cert-no-ca-explicit.pem data/crq-cert-no-ca-honor.pem
dist_check_SCRIPTS = pathlen aki invalid-sig email \
pkcs7 pkcs7-broken-sigs privkey-import name-constraints certtool-long-cn crl provable-privkey \
diff --git a/tests/cert-tests/crq b/tests/cert-tests/crq
index e29f17a17f..89099cfc0a 100755
--- a/tests/cert-tests/crq
+++ b/tests/cert-tests/crq
@@ -147,6 +147,97 @@ if test "${rc}" != "0"; then
exit ${rc}
fi
+# check whether the generation with extension works
+datefudge -s "2007-04-22" \
+ "${CERTTOOL}" --generate-request \
+ --load-privkey "${srcdir}/data/template-test.key" \
+ --template "${srcdir}/templates/arb-extensions.tmpl" \
+ --outfile $OUTFILE 2>/dev/null
+rc=$?
+
+if test "${rc}" != "0"; then
+ echo "add_extension crq failed"
+ exit ${rc}
+fi
+
+${DIFF} --ignore-matching-lines "Algorithm Security Level" "${srcdir}/data/arb-extensions.csr" "${OUTFILE}" >/dev/null 2>&1
+rc=$?
+
+if test "${rc}" != "0"; then
+ echo "Certificate request generation with explicit extensions failed"
+ exit ${rc}
+fi
+
+# Generate certificate from CRQ with no explicit extensions
+datefudge -s "2007-04-22" \
+ "${CERTTOOL}" --generate-certificate \
+ --load-ca-privkey "${srcdir}/../../doc/credentials/x509/ca-key.pem" \
+ --load-ca-certificate "${srcdir}/../../doc/credentials/x509/ca.pem" \
+ --load-request "${srcdir}/data/arb-extensions.csr" \
+ --template "${srcdir}/templates/template-no-ca.tmpl" \
+ --outfile "${OUTFILE}" 2>/dev/null
+rc=$?
+
+if test "${rc}" != "0"; then
+ echo "generate certificate with crq failed"
+ exit ${rc}
+fi
+
+${DIFF} --ignore-matching-lines "Algorithm Security Level" "${srcdir}/data/crq-cert-no-ca.pem" "${OUTFILE}" >/dev/null 2>&1
+rc=$?
+
+if test "${rc}" != "0"; then
+ echo "Certificate from request generation failed"
+ exit ${rc}
+fi
+
+# Generate certificate from CRQ with CRQ extensions
+datefudge -s "2007-04-22" \
+ "${CERTTOOL}" --generate-certificate \
+ --load-ca-privkey "${srcdir}/../../doc/credentials/x509/ca-key.pem" \
+ --load-ca-certificate "${srcdir}/../../doc/credentials/x509/ca.pem" \
+ --load-request "${srcdir}/data/arb-extensions.csr" \
+ --template "${srcdir}/templates/template-no-ca-honor.tmpl" \
+ --outfile "${OUTFILE}" 2>/dev/null
+rc=$?
+
+if test "${rc}" != "0"; then
+ echo "generate certificate with crq failed"
+ exit ${rc}
+fi
+
+${DIFF} --ignore-matching-lines "Algorithm Security Level" "${srcdir}/data/crq-cert-no-ca-honor.pem" "${OUTFILE}" >/dev/null 2>&1
+rc=$?
+
+if test "${rc}" != "0"; then
+ echo "Certificate from request generation with honor flag failed"
+ exit ${rc}
+fi
+
+# Generate certificate from CRQ with explicit extensions
+datefudge -s "2007-04-22" \
+ "${CERTTOOL}" --generate-certificate \
+ --load-ca-privkey "${srcdir}/../../doc/credentials/x509/ca-key.pem" \
+ --load-ca-certificate "${srcdir}/../../doc/credentials/x509/ca.pem" \
+ --load-request "${srcdir}/data/arb-extensions.csr" \
+ --template "${srcdir}/templates/template-no-ca-explicit.tmpl" \
+ --outfile "${OUTFILE}" 2>/dev/null
+rc=$?
+
+if test "${rc}" != "0"; then
+ echo "generate certificate with crq failed"
+ exit ${rc}
+fi
+
+${DIFF} --ignore-matching-lines "Algorithm Security Level" "${srcdir}/data/crq-cert-no-ca-explicit.pem" "${OUTFILE}" >/dev/null 2>&1
+rc=$?
+
+if test "${rc}" != "0"; then
+ echo "Certificate from request generation with explicit extensions failed"
+ exit ${rc}
+fi
+
+
rm -f "${OUTFILE}" "${OUTFILE2}" "${TMPFILE}"
exit 0
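Review bot: The three `--generate-certificate` invocations all fail with the identical message `echo "generate certificate with crq failed"`, and certtool's stderr is discarded with `2>/dev/null`, so a CI log cannot show which template (plain, `honor_crq_extensions`, or explicit `add_extension`) broke or why. I would make each message name its template, e.g. `echo "generate certificate with crq (honor_crq_extensions) failed"`, and either drop the stderr redirection on these calls or capture it into `${TMPFILE}` and print it on the failure path. The cases also never combine `honor_crq_extensions` with an `add_extension` for an OID the request already carries, so whatever precedence the new call ordering gives between a CRQ-supplied and a template-supplied extension is not exercised; a fourth template covering that overlap would pin it. The script's preamble, including the `${DIFF}`, `${CERTTOOL}` and datefudge setup, is outside the hunk.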
diff --git a/tests/cert-tests/data/crq-cert-no-ca-explicit.pem b/tests/cert-tests/data/crq-cert-no-ca-explicit.pem
new file mode 100644
index 0000000000..b912e94663
--- /dev/null
+++ b/tests/cert-tests/data/crq-cert-no-ca-explicit.pem
@@ -0,0 +1,26 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/tests/cert-tests/data/crq-cert-no-ca-honor.pem b/tests/cert-tests/data/crq-cert-no-ca-honor.pem
new file mode 100644
index 0000000000..3b430d2537
--- /dev/null
+++ b/tests/cert-tests/data/crq-cert-no-ca-honor.pem
@@ -0,0 +1,26 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/tests/cert-tests/data/crq-cert-no-ca.pem b/tests/cert-tests/data/crq-cert-no-ca.pem
new file mode 100644
index 0000000000..7cd684b20f
--- /dev/null
+++ b/tests/cert-tests/data/crq-cert-no-ca.pem
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/tests/cert-tests/templates/template-no-ca-explicit.tmpl b/tests/cert-tests/templates/template-no-ca-explicit.tmpl
new file mode 100644
index 0000000000..041b4d2c9d
--- /dev/null
+++ b/tests/cert-tests/templates/template-no-ca-explicit.tmpl
@@ -0,0 +1,13 @@
+cn = "No CA"
+serial = 02
+
+email_protection_key
+
+add_extension = "1.2.3.4 0001020304050607AAABCD"
+add_extension = "5.6.7.8 0x0001020304050607AAABCD"
+add_extension = "1.2.3.4.5.6.7 1d34cd5ad065dc27c17e9447b0aaaca7"
+add_extension = "1.2.3.4294967295.7 178f0e413f041cc9d64af64bf3b66c7ceac6fa34a4d77ed64c968b26c761709445f40d9ca0a00091af7d212789c00b7387b1d0d7ab623dd4029d4b86db3653621d34cd5ad065dc27c17e9447b0aaaca7"
+add_critical_extension = "9.10.11.12.13.14.15.16.17.1.5 CAFE"
+add_extension = "1.2.6710656.7 d64af64bf3b66c7ceac6fa34a4d77ed64c968b26c761709445f40d9ca0a00091af7d212789c00b7387b1d0d7ab623dd4029d4b86db3653621d34cd5ad065dc27c17e9447b0aaaca7"
+add_extension = "7.0.1.5 octet_string(CAFEBEAF)"
+add_critical_extension = "7.0.1.5.1 octet_string(BEAFCAFEFAFA)"
diff --git a/tests/cert-tests/templates/template-no-ca-honor.tmpl b/tests/cert-tests/templates/template-no-ca-honor.tmpl
new file mode 100644
index 0000000000..05f21b8885
--- /dev/null
+++ b/tests/cert-tests/templates/template-no-ca-honor.tmpl
@@ -0,0 +1,3 @@
+cn = "No CA"
+serial = 02
+honor_crq_extensions
diff --git a/tests/cert-tests/templates/template-no-ca.tmpl b/tests/cert-tests/templates/template-no-ca.tmpl
new file mode 100644
index 0000000000..6528a50e4b
--- /dev/null
+++ b/tests/cert-tests/templates/template-no-ca.tmpl
@@ -0,0 +1,2 @@
+cn = "No CA"
+serial = 02