diff options
author | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2016-12-07 08:58:30 +0100 |
---|---|---|
committer | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2016-12-07 10:34:05 +0100 |
commit | d1fe07f6090dfe964645162126988e9ddc0ab26c (patch) | |
tree | 851d158b7943c08d00395967377e91edf2edb4a9 | |
parent | b83c1eb1abffd7c5cf95c96074f45e66f28188f8 (diff) | |
download | gnutls-d1fe07f6090dfe964645162126988e9ddc0ab26c.tar.gz |
tests: added tests for CRL generation APIs
-rw-r--r-- | tests/Makefile.am | 2 | ||||
-rw-r--r-- | tests/crl_apis.c | 211 |
2 files changed, 212 insertions, 1 deletions
diff --git a/tests/Makefile.am b/tests/Makefile.am index 50eaf1bee1..046d43e502 100644 --- a/tests/Makefile.am +++ b/tests/Makefile.am @@ -117,7 +117,7 @@ ctests = mini-record-2 simple gc set_pkcs12_cred certder certuniqueid \ multi-alerts naked-alerts pkcs7-cat-parse set_known_dh_params_x509 \ set_known_dh_params_anon set_known_dh_params_psk session-tickets-ok \ session-tickets-missing set_x509_key_file_legacy status-request-ext \ - rng-no-onload dtls1-2-mtu-check + rng-no-onload dtls1-2-mtu-check crl_apis if HAVE_SECCOMP_TESTS ctests += dtls-with-seccomp tls-with-seccomp dtls-client-with-seccomp tls-client-with-seccomp diff --git a/tests/crl_apis.c b/tests/crl_apis.c new file mode 100644 index 0000000000..99708e389c --- /dev/null +++ b/tests/crl_apis.c @@ -0,0 +1,211 @@ +/* + * Copyright (C) 2016 Red Hat, Inc. + * + * Author: Nikos Mavrogiannopoulos + * + * This file is part of GnuTLS. + * + * GnuTLS is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * GnuTLS is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with GnuTLS; if not, write to the Free Software Foundation, + * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA + */ + +#ifdef HAVE_CONFIG_H +#include <config.h> +#endif + +#include <stdlib.h> +#include <stdio.h> +#include <string.h> +#include <gnutls/gnutls.h> +#include <gnutls/x509.h> +#include <assert.h> + +#include "utils.h" +#include "cert-common.h" + +static time_t mytime(time_t * t) +{ + time_t then = 1207000800; + + if (t) + *t = then; + + return then; +} + +static unsigned char saved_crl_pem[] = + "-----BEGIN X509 CRL-----\n" + "MIICXzCByAIBADANBgkqhkiG9w0BAQUFADAPMQ0wCwYDVQQDEwRDQS0zFw0wODAz\n" + "MzEyMjAwMDBaFw0wODAzMzEyMjAxMDBaMFQwFAIDAQIDFw0wODAzMzEyMjAwMDBa\n" + "MB0CDFejHTI2Wi75obBaUhcNMDgwMzMxMjIwMDAwWjAdAgxXox0yNbNP0Ln15zwX\n" + "DTA4MDMzMTIyMDAwMFqgLzAtMB8GA1UdIwQYMBaAFPmohhljtqQUE2B2DwGaNTbv\n" + "8bSvMAoGA1UdFAQDAgEBMA0GCSqGSIb3DQEBBQUAA4IBgQAcVsFF0HzAjAtD4Kwh\n" + "pJwVl6BEC4lybSIVB0+ls/b23cEOfU1wE8Ls+26EjUHLOTCdQgKMFgbEuhAgUOb6\n" + "kuatoWmi3R/42FJDvQxc+aYcEOX5ttbbB4KuS77zQ54Nv9RGyKcXqTDmax2MgqKg\n" + "moIbYhemiUl4zCshPZvv0NsHFiDtToSIHZIbIy3u63/Mb/tXCm2Eyrl8za8ELGaJ\n" + "5zjibO2wNRIwd7QbJJRkc6TrphfWxeU6tZi3rwOLoqf8x4EBWOcKXyUvIb+OxNVH\n" + "aMXFxVCTmDAqxe9HrEzZsQIGS7CDlWCghIUW8AQkPJ/IL4kUvZhmRxyqI8DF4mLI\n" + "XqCDF55CaQ5e2uMc3f5rvNTP1g1S7E/iZRTaATVhB6krha6X3MqEQ+VJnMklJPiI\n" + "aZY5JS5apO9ewXykxuK0/A3BeHSdK4fj3Q1mt1NzX4G9cU2T3VdPRbAgchoU2YV3\n" + "pBeFxTaJMEN+ajgixeXC69iE7aNBOFBLC38uPmMOpZ450q8=\n" + "-----END X509 CRL-----\n"; + +static unsigned char saved_min_crl_pem[] = + "-----BEGIN X509 CRL-----\n" + "MIICUDCBuQIBADANBgkqhkiG9w0BAQUFADAPMQ0wCwYDVQQDEwRDQS0zFw0wODAz\n" + "MzEyMjAwMDBaMFQwFAIDAQIDFw0wODAzMzEyMjAwMDBaMB0CDFejHTI2Wi75obBa\n" + "UhcNMDgwMzMxMjIwMDAwWjAdAgxXox0yNbNP0Ln15zwXDTA4MDMzMTIyMDAwMFqg\n" + "LzAtMB8GA1UdIwQYMBaAFPmohhljtqQUE2B2DwGaNTbv8bSvMAoGA1UdFAQDAgEB\n" + "MA0GCSqGSIb3DQEBBQUAA4IBgQBwTFMCc5/y/rrVvv/rGD5BYF1rCk+Daln/aQvV\n" + "UgFwbaYsnSUoHdivEF6rrtSJGdZj5JWk7Y4oICL6NLeiLiM+AeBuaGbB9EjIQH8d\n" + "d4/QSR4VV/900xcWbSatycXq4k2nxnrFcC2TMD6ee0nQjs1YQcgBK5tEQBvtKa+w\n" + "qemp7/WPuY1YcDTIJ1myjyM0yJpBope/9uYWxcYgHCwK+o1QqpDlnq21539QtdbC\n" + "9isLxAohnvwmKJkRoYVUhi5jRjd4Yy/fiSAcQx+Gs+0kjRXqitAgofPUAyibMLZX\n" + "EvTZvGDCBF8OqlF6WdBLgcYDVzX7GnYEYFSccQtPYdanilf9IGO0ToF0MfPliawb\n" + "J/27rdbCDQXh3exSq4vGgdulmt+tmYsFwlivwvuCG/eV8KOLWv7q36jx4PzLJyiE\n" + "JJimFkzuwEEaFSmIM9UDEKfmDC10jVQ4c7Y7CPI5rLnPDtEOTNWsjlw/rC2/XLem\n" + "YdLVIwU0h1VJPvZsmbhU2baAhsM=\n" + "-----END X509 CRL-----\n"; + +const gnutls_datum_t saved_crl = { saved_crl_pem, sizeof(saved_crl_pem)-1 }; +const gnutls_datum_t saved_min_crl = { saved_min_crl_pem, sizeof(saved_min_crl_pem)-1 }; + +static void append_crt(gnutls_x509_crl_t crl, const gnutls_datum_t *pem) +{ + gnutls_x509_crt_t crt; + int ret; + + assert(gnutls_x509_crt_init(&crt)>=0); + assert(gnutls_x509_crt_import(crt, pem, GNUTLS_X509_FMT_PEM)>=0); + ret = gnutls_x509_crl_set_crt(crl, crt, mytime(0)); + if (ret != 0) + fail("gnutls_x509_crl_set_crt: %s\n", gnutls_strerror(ret)); + + gnutls_x509_crt_deinit(crt); +} + +static void append_aki(gnutls_x509_crl_t crl, const gnutls_datum_t *pem) +{ + gnutls_x509_crt_t crt; + int ret; + unsigned char aki[128]; + size_t aki_size; + + assert(gnutls_x509_crt_init(&crt)>=0); + assert(gnutls_x509_crt_import(crt, pem, GNUTLS_X509_FMT_PEM)>=0); + + aki_size = sizeof(aki); + assert(gnutls_x509_crt_get_subject_key_id(crt, aki, &aki_size, NULL) >= 0); + + ret = gnutls_x509_crl_set_authority_key_id(crl, aki, aki_size); + if (ret != 0) + fail("gnutls_x509_crl_set_authority_key_id: %s\n", gnutls_strerror(ret)); + + gnutls_x509_crt_deinit(crt); +} + +static void sign_crl(gnutls_x509_crl_t crl, const gnutls_datum_t *cert, const gnutls_datum_t *key) +{ + gnutls_x509_crt_t crt; + gnutls_x509_privkey_t pkey; + int ret; + + assert(gnutls_x509_crt_init(&crt)>=0); + assert(gnutls_x509_privkey_init(&pkey)>=0); + + assert(gnutls_x509_crt_import(crt, cert, GNUTLS_X509_FMT_PEM)>=0); + assert(gnutls_x509_privkey_import(pkey, key, GNUTLS_X509_FMT_PEM)>=0); + + ret = gnutls_x509_crl_sign(crl, crt, pkey); + if (ret != 0) + fail("gnutls_x509_crl_sign: %s\n", gnutls_strerror(ret)); + + gnutls_x509_crt_deinit(crt); + gnutls_x509_privkey_deinit(pkey); +} + +static gnutls_x509_crl_t generate_crl(unsigned skip_optional) +{ + gnutls_x509_crl_t crl; + int ret; + + ret = gnutls_x509_crl_init(&crl); + if (ret != 0) + fail("gnutls_x509_crl_init\n"); + + ret = gnutls_x509_crl_set_version(crl, 1); + if (ret != 0) + fail("gnutls_x509_crl_set_version\n"); + + ret = gnutls_x509_crl_set_this_update(crl, mytime(0)); + if (ret != 0) + fail("gnutls_x509_crl_set_this_update\n"); + + if (!skip_optional) { + ret = gnutls_x509_crl_set_next_update(crl, mytime(0)+60); + if (ret != 0) + fail("gnutls_x509_crl_set_next_update\n"); + } + + ret = gnutls_x509_crl_set_crt_serial(crl, "\x01\x02\x03", 3, mytime(0)); + if (ret != 0) + fail("gnutls_x509_crl_set_serial %d\n", ret); + + append_crt(crl, &cli_ca3_cert); + append_crt(crl, &subca3_cert); + + append_aki(crl, &ca3_cert); + + ret = gnutls_x509_crl_set_number(crl, "\x01", 1); + if (ret != 0) + fail("gnutls_x509_crl_set_number %d: %s\n", + ret, gnutls_strerror(ret)); + + sign_crl(crl, &ca3_cert, &ca3_key); + + return crl; +} + +void doit(void) +{ + gnutls_datum_t out; + gnutls_x509_crl_t crl; + + gnutls_global_set_time_function(mytime); + + crl = generate_crl(0); + + assert(gnutls_x509_crl_export2(crl, GNUTLS_X509_FMT_PEM, &out) >= 0); + + fprintf(stdout, "%s", out.data); + + assert(out.size == saved_crl.size); + assert(memcmp(out.data, saved_crl.data, out.size)==0); + + gnutls_free(out.data); + gnutls_x509_crl_deinit(crl); + + /* skip optional parts */ + crl = generate_crl(1); + + assert(gnutls_x509_crl_export2(crl, GNUTLS_X509_FMT_PEM, &out) >= 0); + + fprintf(stdout, "%s", out.data); + + assert(out.size == saved_min_crl.size); + assert(memcmp(out.data, saved_min_crl.data, out.size)==0); + + gnutls_free(out.data); + gnutls_x509_crl_deinit(crl); +} |