diff options
author | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2019-12-23 20:07:38 +0000 |
---|---|---|
committer | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2019-12-23 20:07:38 +0000 |
commit | 58a45b8c2fbf2f0ff22e1c7c7762d0cb00855df9 (patch) | |
tree | 0ada5105ad31f386066dac2c5d7618db9d588f87 | |
parent | edbc4cad3cd81612e9c1abeb2c55df4f2d9ef9fa (diff) | |
parent | c35490f0a3d01aeb387c2de127110c8b1ec3c750 (diff) | |
download | gnutls-58a45b8c2fbf2f0ff22e1c7c7762d0cb00855df9.tar.gz |
Merge branch 'tmp-certtool-crq' into 'master'
certtool: always set extensions from template
See merge request gnutls/gnutls!1130
-rw-r--r-- | NEWS | 11 | ||||
-rw-r--r-- | src/certtool.c | 3 | ||||
-rw-r--r-- | tests/cert-tests/Makefile.am | 8 | ||||
-rwxr-xr-x | tests/cert-tests/crq | 91 | ||||
-rw-r--r-- | tests/cert-tests/data/crq-cert-no-ca-explicit.pem | 26 | ||||
-rw-r--r-- | tests/cert-tests/data/crq-cert-no-ca-honor.pem | 26 | ||||
-rw-r--r-- | tests/cert-tests/data/crq-cert-no-ca.pem | 19 | ||||
-rw-r--r-- | tests/cert-tests/templates/template-no-ca-explicit.tmpl | 13 | ||||
-rw-r--r-- | tests/cert-tests/templates/template-no-ca-honor.tmpl | 3 | ||||
-rw-r--r-- | tests/cert-tests/templates/template-no-ca.tmpl | 2 |
10 files changed, 194 insertions, 8 deletions
@@ -24,15 +24,18 @@ See the end for copying conditions. for all certificate verifications, not only under TLS. The configuration can be overriden using the GNUTLS_SYSTEM_PRIORITY_FILE environment variable. -** certtool: Added the --verify-profile option to set a certificate - verification profile. Use '--verify-profile low' for certificate verification - to apply the 'NORMAL' verification profile. - ** libgnutls: If a CA is found in the trusted list, check in addition to time validity, whether the algorithms comply to the expected level prior to accepting it. This addresses the problem of accepting CAs which would have been marked as insecure otherwise (#877). +** certtool: Added the --verify-profile option to set a certificate + verification profile. Use '--verify-profile low' for certificate verification + to apply the 'NORMAL' verification profile. + +** certtool: The add_extension template option is considered even when generating + a certificate from a certificate request. + ** API and ABI modifications: gnutls_ocsp_req_const_t: Added diff --git a/src/certtool.c b/src/certtool.c index 447f02f765..35438daafa 100644 --- a/src/certtool.c +++ b/src/certtool.c @@ -373,7 +373,6 @@ generate_certificate(gnutls_privkey_t * ret_key, get_oid_crt_set(crt); get_key_purpose_set(TYPE_CRT, crt); - get_extensions_crt_set(TYPE_CRT, crt); if (!batch) fprintf(stderr, @@ -467,6 +466,8 @@ generate_certificate(gnutls_privkey_t * ret_key, } } + get_extensions_crt_set(TYPE_CRT, crt); + /* append additional extensions */ if (cinfo->v1_cert == 0) { diff --git a/tests/cert-tests/Makefile.am b/tests/cert-tests/Makefile.am index 76765889c6..c8abdbf74a 100644 --- a/tests/cert-tests/Makefile.am +++ b/tests/cert-tests/Makefile.am @@ -94,12 +94,14 @@ EXTRA_DIST = data/ca-no-pathlen.pem data/no-ca-or-pathlen.pem data/aki-cert.pem data/key-invalid3.der data/pkcs8-eddsa.pem data/pkcs8-eddsa.pem.txt \ data/rfc4490.p7b data/rfc4490.p7b.out data/gost01.p12 data/gost12.p12 data/gost12-2.p12 \ data/ca-crl-invalid.crl data/ca-crl-invalid.pem data/ca-crl-valid.pem data/ca-crl-valid.crl \ - data/rfc4134-ca-rsa.pem data/rfc4134-4.5.p7b \ - data/key-gost01.p8 data/key-gost01-2.p8 data/key-gost01-2-enc.p8 \ + data/rfc4134-ca-rsa.pem data/rfc4134-4.5.p7b templates/template-no-ca.tmpl \ + data/key-gost01.p8 data/key-gost01-2.p8 data/key-gost01-2-enc.p8 data/crq-cert-no-ca.pem \ data/key-gost12-256.p8 data/key-gost12-256-2.p8 data/key-gost12-256-2-enc.p8 \ data/key-gost12-512.p8 data/grfc.crt data/gost-cert-ca.pem data/gost-cert-new.pem \ data/cert-with-non-digits-time-ca.pem data/cert-with-non-digits-time.pem \ - data/chain-512-leaf.pem data/chain-512-subca.pem data/chain-512-ca.pem + data/chain-512-leaf.pem data/chain-512-subca.pem data/chain-512-ca.pem \ + templates/template-no-ca-honor.tmpl templates/template-no-ca-explicit.tmpl \ + data/crq-cert-no-ca-explicit.pem data/crq-cert-no-ca-honor.pem dist_check_SCRIPTS = pathlen aki invalid-sig email \ pkcs7 pkcs7-broken-sigs privkey-import name-constraints certtool-long-cn crl provable-privkey \ diff --git a/tests/cert-tests/crq b/tests/cert-tests/crq index e29f17a17f..89099cfc0a 100755 --- a/tests/cert-tests/crq +++ b/tests/cert-tests/crq @@ -147,6 +147,97 @@ if test "${rc}" != "0"; then exit ${rc} fi +# check whether the generation with extension works +datefudge -s "2007-04-22" \ + "${CERTTOOL}" --generate-request \ + --load-privkey "${srcdir}/data/template-test.key" \ + --template "${srcdir}/templates/arb-extensions.tmpl" \ + --outfile $OUTFILE 2>/dev/null +rc=$? + +if test "${rc}" != "0"; then + echo "add_extension crq failed" + exit ${rc} +fi + +${DIFF} --ignore-matching-lines "Algorithm Security Level" "${srcdir}/data/arb-extensions.csr" "${OUTFILE}" >/dev/null 2>&1 +rc=$? + +if test "${rc}" != "0"; then + echo "Certificate request generation with explicit extensions failed" + exit ${rc} +fi + +# Generate certificate from CRQ with no explicit extensions +datefudge -s "2007-04-22" \ + "${CERTTOOL}" --generate-certificate \ + --load-ca-privkey "${srcdir}/../../doc/credentials/x509/ca-key.pem" \ + --load-ca-certificate "${srcdir}/../../doc/credentials/x509/ca.pem" \ + --load-request "${srcdir}/data/arb-extensions.csr" \ + --template "${srcdir}/templates/template-no-ca.tmpl" \ + --outfile "${OUTFILE}" 2>/dev/null +rc=$? + +if test "${rc}" != "0"; then + echo "generate certificate with crq failed" + exit ${rc} +fi + +${DIFF} --ignore-matching-lines "Algorithm Security Level" "${srcdir}/data/crq-cert-no-ca.pem" "${OUTFILE}" >/dev/null 2>&1 +rc=$? + +if test "${rc}" != "0"; then + echo "Certificate from request generation failed" + exit ${rc} +fi + +# Generate certificate from CRQ with CRQ extensions +datefudge -s "2007-04-22" \ + "${CERTTOOL}" --generate-certificate \ + --load-ca-privkey "${srcdir}/../../doc/credentials/x509/ca-key.pem" \ + --load-ca-certificate "${srcdir}/../../doc/credentials/x509/ca.pem" \ + --load-request "${srcdir}/data/arb-extensions.csr" \ + --template "${srcdir}/templates/template-no-ca-honor.tmpl" \ + --outfile "${OUTFILE}" 2>/dev/null +rc=$? + +if test "${rc}" != "0"; then + echo "generate certificate with crq failed" + exit ${rc} +fi + +${DIFF} --ignore-matching-lines "Algorithm Security Level" "${srcdir}/data/crq-cert-no-ca-honor.pem" "${OUTFILE}" >/dev/null 2>&1 +rc=$? + +if test "${rc}" != "0"; then + echo "Certificate from request generation with honor flag failed" + exit ${rc} +fi + +# Generate certificate from CRQ with explicit extensions +datefudge -s "2007-04-22" \ + "${CERTTOOL}" --generate-certificate \ + --load-ca-privkey "${srcdir}/../../doc/credentials/x509/ca-key.pem" \ + --load-ca-certificate "${srcdir}/../../doc/credentials/x509/ca.pem" \ + --load-request "${srcdir}/data/arb-extensions.csr" \ + --template "${srcdir}/templates/template-no-ca-explicit.tmpl" \ + --outfile "${OUTFILE}" 2>/dev/null +rc=$? + +if test "${rc}" != "0"; then + echo "generate certificate with crq failed" + exit ${rc} +fi + +${DIFF} --ignore-matching-lines "Algorithm Security Level" "${srcdir}/data/crq-cert-no-ca-explicit.pem" "${OUTFILE}" >/dev/null 2>&1 +rc=$? + +if test "${rc}" != "0"; then + echo "Certificate from request generation with explicit extensions failed" + exit ${rc} +fi + + rm -f "${OUTFILE}" "${OUTFILE2}" "${TMPFILE}" exit 0 diff --git a/tests/cert-tests/data/crq-cert-no-ca-explicit.pem b/tests/cert-tests/data/crq-cert-no-ca-explicit.pem new file mode 100644 index 0000000000..b912e94663 --- /dev/null +++ b/tests/cert-tests/data/crq-cert-no-ca-explicit.pem @@ -0,0 +1,26 @@ +-----BEGIN CERTIFICATE----- +MIIEUzCCAwugAwIBAgIBAjANBgkqhkiG9w0BAQsFADAZMRcwFQYDVQQDEw5HbnVU +TFMgVGVzdCBDQTAeFw0wNzA0MjIwMDAwMDBaFw0wODA0MjEwMDAwMDBaMHsxFTAT +BgNVBAMTDENpbmR5IExhdXBlcjEXMBUGA1UECxMOc2xlZXBpbmcgZGVwdC4xEjAQ +BgNVBAoTCUtva28gaW5jLjEPMA0GA1UECBMGQXR0aWtpMQswCQYDVQQGEwJHUjEX +MBUGCgmSJomT8ixkAQETB2NsYXVwZXIwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJ +AoGBAKXGznVDhL9kngInE/EDWfd5LZLtfC9QpAPxLXm5hosFfjq7RKqvhM8TmB4c +Sjj3My16n3LUa20msDE3cBD7QunYnRhlfhlJ/AWWBGiDHneGv+315RI7E/4zGJwa +eh1pr0cCYHofuejP28g0MFGWPYyWXAC8Yd4ID7E2IX+pAOMFAgMBAAGjggGWMIIB +kjASBgMqAwQECwABAgMEBQYHqqvNMBIGA84HCAQLAAECAwQFBgeqq80wGgYGKgME +BQYHBBAdNM1a0GXcJ8F+lEewqqynMFwGCCoDj////38HBFAXjw5BPwQcydZK9kvz +tmx86sb6NKTXftZMlosmx2FwlEX0DZygoACRr30hJ4nAC3OHsdDXq2I91AKdS4bb +NlNiHTTNWtBl3CfBfpRHsKqspzBSBgYqg5nLAAcESNZK9kvztmx86sb6NKTXftZM +losmx2FwlEX0DZygoACRr30hJ4nAC3OHsdDXq2I91AKdS4bbNlNiHTTNWtBl3CfB +fpRHsKqspzANBgMYAQUEBgQEyv6+rzATBgpyCwwNDg8QEQEFAQH/BALK/jATBgQY +AQUBAQH/BAgEBr6vyv76+jAMBgNVHRMBAf8EAjAAMBMGA1UdJQQMMAoGCCsGAQUF +BwMEMB0GA1UdDgQWBBRdQK3wzpRAlYt+mZQdklQiynI2XzAfBgNVHSMEGDAWgBRN +VrdqAFjxZ5L0pnVVG45TAQPvzzANBgkqhkiG9w0BAQsFAAOCATEAdg6mnXMO1f+5 +/NAaoJ4In3Pse7TM+raJWwRBXqYXOgo66CM2Ffam0v8U8t7h+Uo0lu10u+2EwqZQ +Em2jDgZ4SS//FPg5WLRx3wBqtP/o/nsJnuIlXzeXOx2fYMnekrQAu453ClPPt0dX +D7oiSYfcodcTOlzj7c3cnSiKAONmSvQfpkPD4Uc5EEVIeAHCH/vsMhuEycLT0I1M +NwvxmTuH9y76orKNbPWHqSnsTm5sdF7Lz5+t3ph9hYEo8nI+hb0sx6w9HpPpAWaj +yYxN/XS76sFma09k4BFUq9RtshJh64GWVsNBLdXyrCArQJPgQehHm5ccrAJ81qM2 +q7M2H8aUbx3o3ASgTJTuYunS043A8TgPQuXFybSIM/zO3onh21PkVtfcUcRswdpf +oBQirZDyGA== +-----END CERTIFICATE----- diff --git a/tests/cert-tests/data/crq-cert-no-ca-honor.pem b/tests/cert-tests/data/crq-cert-no-ca-honor.pem new file mode 100644 index 0000000000..3b430d2537 --- /dev/null +++ b/tests/cert-tests/data/crq-cert-no-ca-honor.pem @@ -0,0 +1,26 @@ +-----BEGIN CERTIFICATE----- +MIIEZzCCAx+gAwIBAgIBAjANBgkqhkiG9w0BAQsFADAZMRcwFQYDVQQDEw5HbnVU +TFMgVGVzdCBDQTAeFw0wNzA0MjIwMDAwMDBaFw0wODA0MjEwMDAwMDBaMHsxFTAT +BgNVBAMTDENpbmR5IExhdXBlcjEXMBUGA1UECxMOc2xlZXBpbmcgZGVwdC4xEjAQ +BgNVBAoTCUtva28gaW5jLjEPMA0GA1UECBMGQXR0aWtpMQswCQYDVQQGEwJHUjEX +MBUGCgmSJomT8ixkAQETB2NsYXVwZXIwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJ +AoGBAKXGznVDhL9kngInE/EDWfd5LZLtfC9QpAPxLXm5hosFfjq7RKqvhM8TmB4c +Sjj3My16n3LUa20msDE3cBD7QunYnRhlfhlJ/AWWBGiDHneGv+315RI7E/4zGJwa +eh1pr0cCYHofuejP28g0MFGWPYyWXAC8Yd4ID7E2IX+pAOMFAgMBAAGjggGqMIIB +pjASBgMqAwQECwABAgMEBQYHqqvNMBIGA84HCAQLAAECAwQFBgeqq80wGgYGKgME +BQYHBBAdNM1a0GXcJ8F+lEewqqynMFwGCCoDj////38HBFAXjw5BPwQcydZK9kvz +tmx86sb6NKTXftZMlosmx2FwlEX0DZygoACRr30hJ4nAC3OHsdDXq2I91AKdS4bb +NlNiHTTNWtBl3CfBfpRHsKqspzBSBgYqg5nLAAcESNZK9kvztmx86sb6NKTXftZM +losmx2FwlEX0DZygoACRr30hJ4nAC3OHsdDXq2I91AKdS4bbNlNiHTTNWtBl3CfB +fpRHsKqspzANBgMYAQUEBgQEyv6+rzATBgpyCwwNDg8QEQEFAQH/BALK/jATBgQY +AQUBAQH/BAgEBr6vyv76+jAMBgNVHRMBAf8EAjAAMBYGA1UdJQEB/wQMMAoGCCsG +AQUFBwMEMA8GA1UdDwEB/wQFAwMHgAAwHQYDVR0OBBYEFF1ArfDOlECVi36ZlB2S +VCLKcjZfMB8GA1UdIwQYMBaAFE1Wt2oAWPFnkvSmdVUbjlMBA+/PMA0GCSqGSIb3 +DQEBCwUAA4IBMQACwQBci5GYQ3clNSdRzf/8smu1nvZo8knhCp/i+IJiXdFX7pl0 +lBtKMXZVnL3zwidH11EP8XMsusISpcRMznEYT4sDLa2k5QWXq1T3tT8mkX2xnBox +gKJmFw5WcaaEyiMRrAfv5YxY1RT6Hn8nMgWpIdj3hY3tZ9I6urWD16wc/w/53acS +2pvfp3H0RRHC6S1ZBZhRWdB3ZH7pmMx0Wbsk9CC6bw9msjy7Qj4Rz+gQwHPJ+0y5 +2+w85DOmIGZmzw7vdZ+6oVsDCfcqIU0WYTD31CKMCAZys0nNyXxDNZJoyTUdcMjU +ccEnm7ptGVtNobiJCOlw4IFhHF78RZqnD5f1bIzkK9dL00vcXqlUqg4fC89fWHvL +tuLvUsrrvBco4tbB2XFWdBtIkQcWy7eFl9l3 +-----END CERTIFICATE----- diff --git a/tests/cert-tests/data/crq-cert-no-ca.pem b/tests/cert-tests/data/crq-cert-no-ca.pem new file mode 100644 index 0000000000..7cd684b20f --- /dev/null +++ b/tests/cert-tests/data/crq-cert-no-ca.pem @@ -0,0 +1,19 @@ +-----BEGIN CERTIFICATE----- +MIIDCzCCAcOgAwIBAgIBAjANBgkqhkiG9w0BAQsFADAZMRcwFQYDVQQDEw5HbnVU +TFMgVGVzdCBDQTAeFw0wNzA0MjIwMDAwMDBaFw0wODA0MjEwMDAwMDBaMHsxFTAT +BgNVBAMTDENpbmR5IExhdXBlcjEXMBUGA1UECxMOc2xlZXBpbmcgZGVwdC4xEjAQ +BgNVBAoTCUtva28gaW5jLjEPMA0GA1UECBMGQXR0aWtpMQswCQYDVQQGEwJHUjEX +MBUGCgmSJomT8ixkAQETB2NsYXVwZXIwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJ +AoGBAKXGznVDhL9kngInE/EDWfd5LZLtfC9QpAPxLXm5hosFfjq7RKqvhM8TmB4c +Sjj3My16n3LUa20msDE3cBD7QunYnRhlfhlJ/AWWBGiDHneGv+315RI7E/4zGJwa +eh1pr0cCYHofuejP28g0MFGWPYyWXAC8Yd4ID7E2IX+pAOMFAgMBAAGjUDBOMAwG +A1UdEwEB/wQCMAAwHQYDVR0OBBYEFF1ArfDOlECVi36ZlB2SVCLKcjZfMB8GA1Ud +IwQYMBaAFE1Wt2oAWPFnkvSmdVUbjlMBA+/PMA0GCSqGSIb3DQEBCwUAA4IBMQCP +Go/myevL2Ia/w3bOy+k/NdJ8OB5o6T42WHCcqvBOrcrQJEjhfZP8fl79KNGqNbxs +Fr6hwP1inY1yxdUtn0OCiKEB1Gp68QMb10eS7QarcMTiznUty8o+NHU9nV6I0kbO +4sBi6uMR5Hv0WQ6fQigjo11RQB7cN7mGqpMBzkCG47WLgk19uJhmFBaWNjtFDbY5 +e4mxQpAonicUoKlubJ1JY5gyZEjVriuWjnuxqhGyul7SnrzeSBQPR81gz1n1YjXJ +8aQ8FqyTG9tQkU0EkJwE1FxuFoqB0MHfTSn8THtZRLeSO5ymAQgmHU81IieTXFn9 +l37AavQFVpcyp1MHXIWn+CYjzQ38oo90SABRGMoiQSz0iRT+auCjnYZ3dNyax9HR +9zf+KHBvs5sSsslNWQb/ +-----END CERTIFICATE----- diff --git a/tests/cert-tests/templates/template-no-ca-explicit.tmpl b/tests/cert-tests/templates/template-no-ca-explicit.tmpl new file mode 100644 index 0000000000..041b4d2c9d --- /dev/null +++ b/tests/cert-tests/templates/template-no-ca-explicit.tmpl @@ -0,0 +1,13 @@ +cn = "No CA" +serial = 02 + +email_protection_key + +add_extension = "1.2.3.4 0001020304050607AAABCD" +add_extension = "5.6.7.8 0x0001020304050607AAABCD" +add_extension = "1.2.3.4.5.6.7 1d34cd5ad065dc27c17e9447b0aaaca7" +add_extension = "1.2.3.4294967295.7 178f0e413f041cc9d64af64bf3b66c7ceac6fa34a4d77ed64c968b26c761709445f40d9ca0a00091af7d212789c00b7387b1d0d7ab623dd4029d4b86db3653621d34cd5ad065dc27c17e9447b0aaaca7" +add_critical_extension = "9.10.11.12.13.14.15.16.17.1.5 CAFE" +add_extension = "1.2.6710656.7 d64af64bf3b66c7ceac6fa34a4d77ed64c968b26c761709445f40d9ca0a00091af7d212789c00b7387b1d0d7ab623dd4029d4b86db3653621d34cd5ad065dc27c17e9447b0aaaca7" +add_extension = "7.0.1.5 octet_string(CAFEBEAF)" +add_critical_extension = "7.0.1.5.1 octet_string(BEAFCAFEFAFA)" diff --git a/tests/cert-tests/templates/template-no-ca-honor.tmpl b/tests/cert-tests/templates/template-no-ca-honor.tmpl new file mode 100644 index 0000000000..05f21b8885 --- /dev/null +++ b/tests/cert-tests/templates/template-no-ca-honor.tmpl @@ -0,0 +1,3 @@ +cn = "No CA" +serial = 02 +honor_crq_extensions diff --git a/tests/cert-tests/templates/template-no-ca.tmpl b/tests/cert-tests/templates/template-no-ca.tmpl new file mode 100644 index 0000000000..6528a50e4b --- /dev/null +++ b/tests/cert-tests/templates/template-no-ca.tmpl @@ -0,0 +1,2 @@ +cn = "No CA" +serial = 02 |