tests: added tests for CRL generation APIs

2 files changed, 212 insertions, 1 deletions

diff --git a/tests/Makefile.am b/tests/Makefile.am
index 50eaf1bee1..046d43e502 100644
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@@ -117,7 +117,7 @@ ctests = mini-record-2 simple gc set_pkcs12_cred certder certuniqueid	\
 	 multi-alerts naked-alerts pkcs7-cat-parse set_known_dh_params_x509 \
 	 set_known_dh_params_anon set_known_dh_params_psk session-tickets-ok \
 	 session-tickets-missing set_x509_key_file_legacy status-request-ext \
-	 rng-no-onload dtls1-2-mtu-check
+	 rng-no-onload dtls1-2-mtu-check crl_apis
 
 if HAVE_SECCOMP_TESTS
 ctests += dtls-with-seccomp tls-with-seccomp dtls-client-with-seccomp tls-client-with-seccomp
diff --git a/tests/crl_apis.c b/tests/crl_apis.c
new file mode 100644
index 0000000000..99708e389c
--- /dev/null
+++ b/tests/crl_apis.c
@@ -0,0 +1,211 @@
+/*
+ * Copyright (C) 2016 Red Hat, Inc.
+ *
+ * Author: Nikos Mavrogiannopoulos
+ *
+ * This file is part of GnuTLS.
+ *
+ * GnuTLS is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * GnuTLS is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with GnuTLS; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+
+#include <stdlib.h>
+#include <stdio.h>
+#include <string.h>
+#include <gnutls/gnutls.h>
+#include <gnutls/x509.h>
+#include <assert.h>
+
+#include "utils.h"
+#include "cert-common.h"
+
+static time_t mytime(time_t * t)
+{
+	time_t then = 1207000800;
+
+	if (t)
+		*t = then;
+
+	return then;
+}
+
+static unsigned char saved_crl_pem[] =
+	"-----BEGIN X509 CRL-----\n"
+	"MIICXzCByAIBADANBgkqhkiG9w0BAQUFADAPMQ0wCwYDVQQDEwRDQS0zFw0wODAz\n"
+	"MzEyMjAwMDBaFw0wODAzMzEyMjAxMDBaMFQwFAIDAQIDFw0wODAzMzEyMjAwMDBa\n"
+	"MB0CDFejHTI2Wi75obBaUhcNMDgwMzMxMjIwMDAwWjAdAgxXox0yNbNP0Ln15zwX\n"
+	"DTA4MDMzMTIyMDAwMFqgLzAtMB8GA1UdIwQYMBaAFPmohhljtqQUE2B2DwGaNTbv\n"
+	"8bSvMAoGA1UdFAQDAgEBMA0GCSqGSIb3DQEBBQUAA4IBgQAcVsFF0HzAjAtD4Kwh\n"
+	"pJwVl6BEC4lybSIVB0+ls/b23cEOfU1wE8Ls+26EjUHLOTCdQgKMFgbEuhAgUOb6\n"
+	"kuatoWmi3R/42FJDvQxc+aYcEOX5ttbbB4KuS77zQ54Nv9RGyKcXqTDmax2MgqKg\n"
+	"moIbYhemiUl4zCshPZvv0NsHFiDtToSIHZIbIy3u63/Mb/tXCm2Eyrl8za8ELGaJ\n"
+	"5zjibO2wNRIwd7QbJJRkc6TrphfWxeU6tZi3rwOLoqf8x4EBWOcKXyUvIb+OxNVH\n"
+	"aMXFxVCTmDAqxe9HrEzZsQIGS7CDlWCghIUW8AQkPJ/IL4kUvZhmRxyqI8DF4mLI\n"
+	"XqCDF55CaQ5e2uMc3f5rvNTP1g1S7E/iZRTaATVhB6krha6X3MqEQ+VJnMklJPiI\n"
+	"aZY5JS5apO9ewXykxuK0/A3BeHSdK4fj3Q1mt1NzX4G9cU2T3VdPRbAgchoU2YV3\n"
+	"pBeFxTaJMEN+ajgixeXC69iE7aNBOFBLC38uPmMOpZ450q8=\n"
+	"-----END X509 CRL-----\n";
+
+static unsigned char saved_min_crl_pem[] =
+	"-----BEGIN X509 CRL-----\n"
+	"MIICUDCBuQIBADANBgkqhkiG9w0BAQUFADAPMQ0wCwYDVQQDEwRDQS0zFw0wODAz\n"
+	"MzEyMjAwMDBaMFQwFAIDAQIDFw0wODAzMzEyMjAwMDBaMB0CDFejHTI2Wi75obBa\n"
+	"UhcNMDgwMzMxMjIwMDAwWjAdAgxXox0yNbNP0Ln15zwXDTA4MDMzMTIyMDAwMFqg\n"
+	"LzAtMB8GA1UdIwQYMBaAFPmohhljtqQUE2B2DwGaNTbv8bSvMAoGA1UdFAQDAgEB\n"
+	"MA0GCSqGSIb3DQEBBQUAA4IBgQBwTFMCc5/y/rrVvv/rGD5BYF1rCk+Daln/aQvV\n"
+	"UgFwbaYsnSUoHdivEF6rrtSJGdZj5JWk7Y4oICL6NLeiLiM+AeBuaGbB9EjIQH8d\n"
+	"d4/QSR4VV/900xcWbSatycXq4k2nxnrFcC2TMD6ee0nQjs1YQcgBK5tEQBvtKa+w\n"
+	"qemp7/WPuY1YcDTIJ1myjyM0yJpBope/9uYWxcYgHCwK+o1QqpDlnq21539QtdbC\n"
+	"9isLxAohnvwmKJkRoYVUhi5jRjd4Yy/fiSAcQx+Gs+0kjRXqitAgofPUAyibMLZX\n"
+	"EvTZvGDCBF8OqlF6WdBLgcYDVzX7GnYEYFSccQtPYdanilf9IGO0ToF0MfPliawb\n"
+	"J/27rdbCDQXh3exSq4vGgdulmt+tmYsFwlivwvuCG/eV8KOLWv7q36jx4PzLJyiE\n"
+	"JJimFkzuwEEaFSmIM9UDEKfmDC10jVQ4c7Y7CPI5rLnPDtEOTNWsjlw/rC2/XLem\n"
+	"YdLVIwU0h1VJPvZsmbhU2baAhsM=\n"
+	"-----END X509 CRL-----\n";
+
+const gnutls_datum_t saved_crl = { saved_crl_pem, sizeof(saved_crl_pem)-1 };
+const gnutls_datum_t saved_min_crl = { saved_min_crl_pem, sizeof(saved_min_crl_pem)-1 };
+
+static void append_crt(gnutls_x509_crl_t crl, const gnutls_datum_t *pem)
+{
+	gnutls_x509_crt_t crt;
+	int ret;
+
+	assert(gnutls_x509_crt_init(&crt)>=0);
+	assert(gnutls_x509_crt_import(crt, pem, GNUTLS_X509_FMT_PEM)>=0);
+	ret = gnutls_x509_crl_set_crt(crl, crt, mytime(0));
+	if (ret != 0)
+		fail("gnutls_x509_crl_set_crt: %s\n", gnutls_strerror(ret));
+
+	gnutls_x509_crt_deinit(crt);
+}
+
+static void append_aki(gnutls_x509_crl_t crl, const gnutls_datum_t *pem)
+{
+	gnutls_x509_crt_t crt;
+	int ret;
+	unsigned char aki[128];
+	size_t aki_size;
+
+	assert(gnutls_x509_crt_init(&crt)>=0);
+	assert(gnutls_x509_crt_import(crt, pem, GNUTLS_X509_FMT_PEM)>=0);
+
+	aki_size = sizeof(aki);
+	assert(gnutls_x509_crt_get_subject_key_id(crt, aki, &aki_size, NULL) >= 0);
+
+	ret = gnutls_x509_crl_set_authority_key_id(crl, aki, aki_size);
+	if (ret != 0)
+		fail("gnutls_x509_crl_set_authority_key_id: %s\n", gnutls_strerror(ret));
+
+	gnutls_x509_crt_deinit(crt);
+}
+
+static void sign_crl(gnutls_x509_crl_t crl, const gnutls_datum_t *cert, const gnutls_datum_t *key)
+{
+	gnutls_x509_crt_t crt;
+	gnutls_x509_privkey_t pkey;
+	int ret;
+
+	assert(gnutls_x509_crt_init(&crt)>=0);
+	assert(gnutls_x509_privkey_init(&pkey)>=0);
+
+	assert(gnutls_x509_crt_import(crt, cert, GNUTLS_X509_FMT_PEM)>=0);
+	assert(gnutls_x509_privkey_import(pkey, key, GNUTLS_X509_FMT_PEM)>=0);
+
+	ret = gnutls_x509_crl_sign(crl, crt, pkey);
+	if (ret != 0)
+		fail("gnutls_x509_crl_sign: %s\n", gnutls_strerror(ret));
+
+	gnutls_x509_crt_deinit(crt);
+	gnutls_x509_privkey_deinit(pkey);
+}
+
+static gnutls_x509_crl_t generate_crl(unsigned skip_optional)
+{
+	gnutls_x509_crl_t crl;
+	int ret;
+
+	ret = gnutls_x509_crl_init(&crl);
+	if (ret != 0)
+		fail("gnutls_x509_crl_init\n");
+
+	ret = gnutls_x509_crl_set_version(crl, 1);
+	if (ret != 0)
+		fail("gnutls_x509_crl_set_version\n");
+
+	ret = gnutls_x509_crl_set_this_update(crl, mytime(0));
+	if (ret != 0)
+		fail("gnutls_x509_crl_set_this_update\n");
+
+	if (!skip_optional) {
+		ret = gnutls_x509_crl_set_next_update(crl, mytime(0)+60);
+		if (ret != 0)
+			fail("gnutls_x509_crl_set_next_update\n");
+	}
+
+	ret = gnutls_x509_crl_set_crt_serial(crl, "\x01\x02\x03", 3, mytime(0));
+	if (ret != 0)
+		fail("gnutls_x509_crl_set_serial %d\n", ret);
+
+	append_crt(crl, &cli_ca3_cert);
+	append_crt(crl, &subca3_cert);
+
+	append_aki(crl, &ca3_cert);
+
+	ret = gnutls_x509_crl_set_number(crl, "\x01", 1);
+	if (ret != 0)
+		fail("gnutls_x509_crl_set_number %d: %s\n",
+		     ret, gnutls_strerror(ret));
+
+	sign_crl(crl, &ca3_cert, &ca3_key);
+
+	return crl;
+}
+
+void doit(void)
+{
+	gnutls_datum_t out;
+	gnutls_x509_crl_t crl;
+
+	gnutls_global_set_time_function(mytime);
+
+	crl = generate_crl(0);
+
+	assert(gnutls_x509_crl_export2(crl, GNUTLS_X509_FMT_PEM, &out) >= 0);
+
+	fprintf(stdout, "%s", out.data);
+
+	assert(out.size == saved_crl.size);
+	assert(memcmp(out.data, saved_crl.data, out.size)==0);
+
+	gnutls_free(out.data);
+	gnutls_x509_crl_deinit(crl);
+
+	/* skip optional parts */
+	crl = generate_crl(1);
+
+	assert(gnutls_x509_crl_export2(crl, GNUTLS_X509_FMT_PEM, &out) >= 0);
+
+	fprintf(stdout, "%s", out.data);
+
+	assert(out.size == saved_min_crl.size);
+	assert(memcmp(out.data, saved_min_crl.data, out.size)==0);
+
+	gnutls_free(out.data);
+	gnutls_x509_crl_deinit(crl);
+}