author | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2017-03-08 14:58:14 +0100 |
---|---|---|
committer | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2017-03-08 14:59:12 +0100 |
commit | a323b7ecc05214d627647087bd4893f100ea84c3 (patch) | |
tree | bf64e444c0d99b951507fd706c5ae37c19d9cf87 /tests/cert-tests | |
parent | f7c304ae943c9710bcf3ab562525b53e4ed026e1 (diff) | |
tests: split PKCS#12 encoding from decoding tests
Enhanced PKCS#12 encoding tests, with the encoding of a file
which contains a cert, a key and a CRL.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Diffstat (limited to 'tests/cert-tests')
-rw-r--r-- | tests/cert-tests/Makefile.am | 2 | ||||
-rwxr-xr-x | tests/cert-tests/pkcs12 | 35 | ||||
-rwxr-xr-x | tests/cert-tests/pkcs12-encode | 108 |
3 files changed, 110 insertions, 35 deletions
diff --git a/tests/cert-tests/Makefile.am b/tests/cert-tests/Makefile.am index 6daf5beab8..d1b466ed85 100644 --- a/tests/cert-tests/Makefile.am +++ b/tests/cert-tests/Makefile.am @@ -75,7 +75,7 @@ dist_check_SCRIPTS = pathlen aki certtool invalid-sig email \ provable-dh userid sha2-test sha2-dsa-test provable-privkey-dsa2048 \ provable-privkey-rsa2048 provable-privkey-gen-default pkcs7-constraints \ pkcs7-constraints2 certtool-long-oids pkcs7-cat cert-sanity cert-critical \ - pkcs12 certtool-crl-decoding + pkcs12 certtool-crl-decoding pkcs12-encode if WANT_TEST_SUITE dist_check_SCRIPTS += provable-dh-default diff --git a/tests/cert-tests/pkcs12 b/tests/cert-tests/pkcs12 index 9b85cd97f3..33958b21c0 100755 --- a/tests/cert-tests/pkcs12 +++ b/tests/cert-tests/pkcs12 @@ -45,7 +45,6 @@ TMPFILE_PEM=pkcs12.$$.pem.tmp DEBUG="1" -ret=0 for p12 in "cert-with-crl.p12 password" "client.p12 foobar" "openssl.p12 CaudFocwijRupogDoicsApfiHadManUgNa" "noclient.p12" "unclient.p12" "pkcs12_2certs.p12"; do set -- ${p12} file="$1" 
@@ -109,36 +108,4 @@ if test "${rc}" != "0"; then exit ${rc} fi -# test whether we can encode a certificate, a key and a CA -${VALGRIND} "${CERTTOOL}" --to-p12 --password 123456 --p12-name "my-key" --load-certificate "${srcdir}/../certs/cert-ecc256.pem" --load-privkey "${srcdir}/../certs/ecc256.pem" --load-ca-certificate "${srcdir}/../certs/ca-cert-ecc.pem" --outder --outfile $TMPFILE >/dev/null -rc=$? -if test ${rc} != 0; then - echo "PKCS12 FATAL encoding 2" - exit 1 -fi - -${VALGRIND} "${CERTTOOL}" --p12-info --inder --password 123456 --infile $TMPFILE >${TMPFILE_PEM} 2>/dev/null -rc=$? -if test ${rc} != 0; then - echo "PKCS12 FATAL decrypting/decoding 2" - exit 1 -fi - -grep "BEGIN ENCRYPTED PRIVATE KEY" ${TMPFILE_PEM} >/dev/null 2>&1 -rc=$? - -if test "${rc}" != "0"; then - exit ${rc} -fi - -count=`grep -c "BEGIN CERTIFICATE" ${TMPFILE_PEM}` - -if test "$count" != "2"; then - echo "Only one certificate was included" - exit 1 -fi - -rm -f ${TMPFILE_PEM} $TMPFILE - -#echo "NEON PKCS12 DONE (rc ${ret})" -exit ${ret} +exit 0 diff --git a/tests/cert-tests/pkcs12-encode b/tests/cert-tests/pkcs12-encode new file mode 100755 index 0000000000..265c0df542 --- /dev/null +++ b/tests/cert-tests/pkcs12-encode 
@@ -0,0 +1,108 @@
+#!/bin/sh
+
+# Copyright (C) 2004-2012 Free Software Foundation, Inc.
+# Copyright (C) 2017 Red Hat, Inc.
+#
+# Author: Simon Josefsson
+#
+# This file is part of GnuTLS.
+#
+# GnuTLS is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 3 of the License, or (at
+# your option) any later version.
+#
+# GnuTLS is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with GnuTLS; if not, write to the Free Software Foundation,
+# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+
+srcdir="${srcdir:-.}"
+CERTTOOL="${CERTTOOL:-../../src/certtool${EXEEXT}}"
+
+if ! test -x "${CERTTOOL}"; then
+ exit 77
+fi
+
+if test "${GNUTLS_FORCE_FIPS_MODE}" = 1;then
+ echo "Cannot run in FIPS140-2 mode"
+ exit 77
+fi
+
+if ! test -z "${VALGRIND}"; then
+ VALGRIND="${LIBTOOL:-libtool} --mode=execute ${VALGRIND} --error-exitcode=1"
+fi
+
+DIFF="${DIFF:-diff -b -B}"
+DEBUG=""
+
+TMPFILE=pkcs12.$$.tmp
+TMPFILE_PEM=pkcs12.$$.pem.tmp
+
+# test whether we can encode a certificate, a key and a CA
+${VALGRIND} "${CERTTOOL}" --to-p12 --password 123456 --p12-name "my-key" --load-certificate "${srcdir}/../certs/cert-ecc256.pem" --load-privkey "${srcdir}/../certs/ecc256.pem" --load-ca-certificate "${srcdir}/../certs/ca-cert-ecc.pem" --outder --outfile $TMPFILE >/dev/null
+rc=$?
+if test ${rc} != 0; then
+ echo "PKCS12 FATAL encoding 2"
+ exit 1
+fi
+
+${VALGRIND} "${CERTTOOL}" --p12-info --inder --password 123456 --infile $TMPFILE >${TMPFILE_PEM} 2>/dev/null
+rc=$?
+if test ${rc} != 0; then
+ echo "PKCS12 FATAL decrypting/decoding 2"
+ exit 1
+fi
+
+grep "BEGIN ENCRYPTED PRIVATE KEY" ${TMPFILE_PEM} >/dev/null 2>&1
+rc=$?
+
+if test "${rc}" != "0"; then
+ exit ${rc}
+fi
+
+count=`grep -c "BEGIN CERTIFICATE" ${TMPFILE_PEM}`
+
+if test "$count" != "2"; then
+ echo "Only one certificate was included"
+ exit 1
+fi
+
+# Check whether we can encode a PKCS#12 file with cert / key and CRL
+${VALGRIND} "${CERTTOOL}" --to-p12 --password 123456 --pkcs-cipher aes-128 --p12-name "my-combo-key" --load-crl "${srcdir}/data/crl-demo1.pem" --load-certificate "${srcdir}/../certs/cert-ecc256.pem" --load-privkey "${srcdir}/../certs/ecc256.pem" --load-ca-certificate "${srcdir}/../certs/ca-cert-ecc.pem" --outder --outfile $TMPFILE >/dev/null
+rc=$?
+if test ${rc} != 0; then
+ echo "PKCS12 FATAL encoding 3"
+ exit 1
+fi
+
+# Check whether the contents are the expected ones
+${VALGRIND} "${CERTTOOL}" --p12-info --inder --password 123456 --infile $TMPFILE >${TMPFILE_PEM} 2>/dev/null
+rc=$?
+if test ${rc} != 0; then
+ echo "PKCS12 FATAL decrypting/decoding 3"
+ exit 1
+fi
+
+grep "BEGIN CERTIFICATE" ${TMPFILE_PEM} >/dev/null 2>&1
+if test "$?" != "0"; then
+ exit ${rc}
+fi
+
+grep "BEGIN CRL" ${TMPFILE_PEM} >/dev/null 2>&1
+if test "$?" != "0"; then
+ exit ${rc}
+fi
+
+grep "BEGIN ENCRYPTED PRIVATE KEY" ${TMPFILE_PEM} >/dev/null 2>&1
+if test "$?" != "0"; then
+ exit ${rc}
+fi
+
+rm -f ${TMPFILE_PEM} $TMPFILE
+
+exit ${ret} |
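Review bot: The three closing content checks in pkcs12-encode cannot fail the test: after the `grep` for "BEGIN CERTIFICATE", "BEGIN CRL" and "BEGIN ENCRYPTED PRIVATE KEY" each branch runs `exit ${rc}`, but `rc` still holds the 0 left by the preceding successful `--p12-info` call, so output with no CRL or no encrypted key still exits with success. Each branch should print what was missing and fail, for example `echo "PKCS12 FATAL: CRL missing from output"` followed by `exit 1`. The final `exit ${ret}` is fragile in the same way: `ret` is never assigned in this file (the `ret=0` it relied on lived in tests/cert-tests/pkcs12 and is removed by this commit), so it expands to a bare `exit` and returns 0 only because `rm -f` succeeded; `exit 0` states the intent. The temporary files are also removed only on the success path, so every `exit 1` above leaves `pkcs12.$$.tmp` and `pkcs12.$$.pem.tmp` behind; a `trap 'rm -f "$TMPFILE" "$TMPFILE_PEM"' EXIT` placed right after the two names are defined would cover all exits.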