authorNikos Mavrogiannopoulos <nmav@redhat.com>2017-04-04 16:36:48 +0200
committerNikos Mavrogiannopoulos <nmav@redhat.com>2017-04-06 12:57:07 +0200
commit4c36ab93e19f4a817902571a98f70354b06ca1ef (patch)
tree20b7ca40550feff768a548035c889a82baa0c79d /tests/cert-tests
parent23139cfe03b16bb206634dee791855336f423026 (diff)
downloadgnutls-4c36ab93e19f4a817902571a98f70354b06ca1ef.tar.gz
tests: added unit test for inhibit anypolicy generation
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Diffstat (limited to 'tests/cert-tests')
-rw-r--r--tests/cert-tests/Makefile.am3
-rw-r--r--tests/cert-tests/data/inhibit-anypolicy.pem25
-rwxr-xr-xtests/cert-tests/inhibit-anypolicy87
-rw-r--r--tests/cert-tests/templates/inhibit-anypolicy.tmpl101
4 files changed, 215 insertions, 1 deletions
diff --git a/tests/cert-tests/Makefile.am b/tests/cert-tests/Makefile.am
index 1a27470e89..1434f0d9b0 100644
--- a/tests/cert-tests/Makefile.am
+++ b/tests/cert-tests/Makefile.am
@@ -71,13 +71,14 @@ EXTRA_DIST = data/ca-no-pathlen.pem data/no-ca-or-pathlen.pem data/aki-cert.pem
templates/crit-extensions.tmpl data/crit-extensions.pem data/x509-with-zero-version.pem \
data/key-corpus-rc2-1.p12 data/key-corpus-rc2-2.p12 data/key-corpus-rc2-3.p12 \
data/key-corpus-rc2-1.p12.out data/no-salt.p12 data/mac-sha512.p12 data/pbes1-no-salt.p12 \
+ templates/inhibit-anypolicy.tmpl data/inhibit-anypolicy.pem
dist_check_SCRIPTS = pathlen aki certtool invalid-sig email \
pkcs7 pkcs7-broken-sigs privkey-import name-constraints certtool-long-cn crl provable-privkey \
provable-dh userid sha2-test sha2-dsa-test provable-privkey-dsa2048 \
provable-privkey-rsa2048 provable-privkey-gen-default pkcs7-constraints \
pkcs7-constraints2 certtool-long-oids pkcs7-cat cert-sanity cert-critical \
- pkcs12 certtool-crl-decoding pkcs12-encode pkcs12-corner-cases
+ pkcs12 certtool-crl-decoding pkcs12-encode pkcs12-corner-cases inhibit-anypolicy
if WANT_TEST_SUITE
dist_check_SCRIPTS += provable-dh-default
diff --git a/tests/cert-tests/data/inhibit-anypolicy.pem b/tests/cert-tests/data/inhibit-anypolicy.pem
new file mode 100644
index 0000000000..4291cdf9a8
--- /dev/null
+++ b/tests/cert-tests/data/inhibit-anypolicy.pem
@@ -0,0 +1,25 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/tests/cert-tests/inhibit-anypolicy b/tests/cert-tests/inhibit-anypolicy
new file mode 100755
index 0000000000..7e82a20014
--- /dev/null
+++ b/tests/cert-tests/inhibit-anypolicy
@@ -0,0 +1,87 @@
+#!/bin/sh
+
+# Copyright (C) 2017 Red Hat, Inc.
+#
+# This file is part of GnuTLS.
+#
+# GnuTLS is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 3 of the License, or (at
+# your option) any later version.
+#
+# GnuTLS is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with GnuTLS; if not, write to the Free Software Foundation,
+# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+
+#set -e
+
+srcdir="${srcdir:-.}"
+CERTTOOL="${CERTTOOL:-../../src/certtool${EXEEXT}}"
+DIFF="${DIFF:-diff}"
+
+if ! test -x "${CERTTOOL}"; then
+ exit 77
+fi
+
+export TZ="UTC"
+TMPFILE=tmp-inhibit.pem.$$.tmp
+TEMPLFILE=template.inhibit.$$.tmp
+CAFILE=inhibit-ca.$$.tmp
+SUBCAFILE=inhibit-subca.$$.tmp
+
+. ${srcdir}/../scripts/common.sh
+
+check_for_datefudge
+
+datefudge -s "2017-04-22" \
+ "${CERTTOOL}" --generate-self-signed \
+ --load-privkey "${srcdir}/data/key-ca.pem" \
+ --template "${srcdir}/templates/inhibit-anypolicy.tmpl" \
+ --outfile ${CAFILE} 2>/dev/null
+
+${DIFF} "${srcdir}/data/inhibit-anypolicy.pem" ${CAFILE}
+rc=$?
+
+# We're done.
+if test "${rc}" != "0"; then
+ echo "CA generation failed ${CAFILE}"
+ exit ${rc}
+fi
+
+# generate leaf
+echo ca > $TEMPLFILE
+echo "cn = sub-CA" >> $TEMPLFILE
+
+datefudge -s "2017-04-23" \
+"${CERTTOOL}" -d 2 --generate-certificate --template $TEMPLFILE \
+ --load-ca-privkey "${srcdir}/data/key-ca.pem" \
+ --load-ca-certificate $CAFILE \
+ --load-privkey "${srcdir}/data/key-subca.pem" \
+ --outfile $SUBCAFILE
+
+if [ $? != 0 ]; then
+ cat $TMPFILE
+ exit 1
+fi
+
+cat $SUBCAFILE $CAFILE > ${TMPFILE}
+
+# we do not support the inhibit any policy extension for verification
+datefudge -s "2017-04-25" "${CERTTOOL}" --verify-chain --infile ${TMPFILE}
+rc=$?
+if test "$rc" != "0"; then
+ echo "Verification failed unexpectedly ($rc)"
+ exit 1
+fi
+
+rm -f ${TMPFILE}
+rm -f ${TEMPLFILE}
+rm -f ${CAFILE}
+rm -f ${SUBCAFILE}
+
+exit 0
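Review bot: The failure branch after the sub-CA generation runs `cat $TMPFILE`, but TMPFILE is first written by the `cat $SUBCAFILE $CAFILE > ${TMPFILE}` line that follows it, so on that path the diagnostic is a cat error rather than anything about the failed step; since certtool's `-d 2` output already reaches the console, `echo "sub-CA generation failed"` would be the honest replacement. The three early exits (CA diff mismatch, sub-CA generation, verification) also leave the `*.$$.tmp` files behind, because the `rm -f` lines run only on the success path; one `trap 'rm -f -- "${TMPFILE}" "${TEMPLFILE}" "${CAFILE}" "${SUBCAFILE}"' EXIT` placed after the four assignments would cover every exit and make the trailing `rm -f` lines redundant. Lastly, the `2>/dev/null` on the self-signed generation discards certtool's own error, so when the diff then reports "CA generation failed" the reason is gone; dropping that redirection, or sending stderr to a file the failure branch prints, would keep it visible.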
diff --git a/tests/cert-tests/templates/inhibit-anypolicy.tmpl b/tests/cert-tests/templates/inhibit-anypolicy.tmpl
new file mode 100644
index 0000000000..f76331791e
--- /dev/null
+++ b/tests/cert-tests/templates/inhibit-anypolicy.tmpl
@@ -0,0 +1,101 @@
+# X.509 Certificate options
+#
+# DN options
+
+# The organization of the subject.
+organization = "Koko inc."
+
+# The organizational unit of the subject.
+unit = "sleeping dept."
+
+# The locality of the subject.
+# locality =
+
+# The state of the certificate owner.
+state = "Attiki"
+
+# The country of the subject. Two letter code.
+country = GR
+
+# The common name of the certificate owner.
+cn = "Cindy Lauper"
+
+# A user id of the certificate owner.
+uid = "clauper"
+
+# If the supported DN OIDs are not adequate you can set
+# any OID here.
+# For example set the X.520 Title and the X.520 Pseudonym
+# by using OID and string pairs.
+dn_oid = 2.5.4.12 Dr.
+dn_oid = 2.5.4.65 jackal
+
+# This is deprecated and should not be used in new
+# certificates.
+pkcs9_email = "none@none.org"
+
+# The serial number of the certificate
+serial = 7
+
+inhibit_anypolicy_skip_certs = 3
+
+# In how many days, counting from today, this certificate will expire.
+expiration_days = 2590
+
+# X.509 v3 extensions
+
+# A dnsname in case of a WWW server.
+dns_name = "www.none.org"
+dns_name = "www.morethanone.org"
+
+# An IP address in case of a server.
+ip_address = "192.168.1.1"
+
+dns_name = "www.evenmorethanone.org"
+
+# An email in case of a person
+email = "none@none.org"
+
+# An URL that has CRLs (certificate revocation lists)
+# available. Needed in CA certificates.
+crl_dist_points = "http://www.getcrl.crl/getcrl1/"
+crl_dist_points = "http://www.getcrl.crl/getcrl2/"
+crl_dist_points = "http://www.getcrl.crl/getcrl3/"
+
+email = "where@none.org"
+
+# Whether this is a CA certificate or not
+ca
+
+# Whether this certificate will be used for a TLS client
+#tls_www_client
+
+# Whether this certificate will be used for a TLS server
+#tls_www_server
+
+# Whether this certificate will be used to sign data (needed
+# in TLS DHE ciphersuites).
+signing_key
+
+# Whether this certificate will be used to encrypt data (needed
+# in TLS RSA ciphersuites). Note that it is preferred to use different
+# keys for encryption and signing.
+#encryption_key
+
+# Whether this key will be used to sign other certificates.
+cert_signing_key
+
+# Whether this key will be used to sign CRLs.
+#crl_signing_key
+
+# Whether this key will be used to sign code.
+#code_signing_key
+
+# Whether this key will be used to sign OCSP data.
+ocsp_signing_key
+
+# Whether this key will be used for time stamping.
+#time_stamping_key
+
+# Whether this key will be used for IPsec IKE operations.
+#ipsec_ike_key
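Review bot: `inhibit_anypolicy_skip_certs = 3` is the option this template exists to exercise, yet it is the only setting in the file without the explanatory comment every other option carries, so a reader has to look up what the number means. A comment in the file's existing style, `# Number of additional certificates that may appear in the path` / `# before anyPolicy is no longer permitted (inhibitAnyPolicy extension).`, placed above it would make the test's intent self-describing. The CA-oriented options below it (`ca`, `cert_signing_key`) are what the sub-CA step relies on, so it may be worth a one-line remark that the SAN, CRL and email entries are carried over from the generic template and are not what this test checks.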