diff options
author | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2003-02-08 20:25:03 +0000 |
---|---|---|
committer | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2003-02-08 20:25:03 +0000 |
commit | 3f08429200ccfcab06ef151d5ebd5c57431cf284 (patch) | |
tree | 30f2677f698a1fe972db39fb834b6bdc40d3b7d8 /tests | |
parent | 00aef08f3f6446d82dcf0a884ab56e2146b36e82 (diff) | |
download | gnutls-3f08429200ccfcab06ef151d5ebd5c57431cf284.tar.gz |
Certificate revocation support is almost complete.
Diffstat (limited to 'tests')
-rw-r--r-- | tests/test20.pem | 192 | ||||
-rw-r--r-- | tests/test21.pem | 163 | ||||
-rw-r--r-- | tests/x509_test.c | 77 |
3 files changed, 422 insertions, 10 deletions
diff --git a/tests/test20.pem b/tests/test20.pem new file mode 100644 index 0000000000..957832d1e9 --- /dev/null +++ b/tests/test20.pem @@ -0,0 +1,192 @@ +[ The intermediate certificate has been revoked ] + +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 40 (0x28) + Signature Algorithm: sha1WithRSAEncryption + Issuer: C=US, O=U.S. Government, OU=Dod, OU=Testing, CN=CA1-CP.06.01 + Validity + Not Before: Jan 1 12:01:00 1998 GMT + Not After : Jan 1 12:01:00 2048 GMT + Subject: C=US, O=U.S. Government, OU=DoD, OU=Testing, CN=User1-CP.06.01 + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public Key: (1024 bit) + Modulus (1024 bit): + 00:e8:7b:95:4c:0c:45:eb:7b:b7:f0:01:23:a9:a8: + db:b0:ac:9d:1c:d0:eb:85:f1:ed:fd:5d:ab:1a:c9: + 36:eb:92:46:c9:55:4a:16:96:9f:08:86:1e:37:3e: + e7:f4:d2:ed:4a:df:8f:d5:4e:d1:db:1e:04:2c:cf: + b3:26:05:a0:85:f5:ab:b4:39:ce:50:2b:c3:2d:b8: + aa:95:d3:18:c9:a5:a4:41:81:cb:38:bb:8e:45:ce: + f3:0e:7e:c2:a8:77:fb:c4:45:ad:04:33:af:bd:73: + 2e:d0:15:57:fa:8f:53:29:5e:b8:5f:0c:f2:3c:e4: + c1:f3:ef:6b:0b:a7:9b:07:4b + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Key Usage: critical + Digital Signature, Non Repudiation, Key Encipherment + X509v3 Certificate Policies: + Policy: 2.16.840.1.101.3.1.48.1 + + X509v3 Subject Key Identifier: + 6B:20:B4:3C:F5:3D:CF:2B + X509v3 Authority Key Identifier: + keyid:08:80:26:97:3E:BE:09:CD + + Signature Algorithm: sha1WithRSAEncryption + 3f:3e:db:52:f6:84:57:b3:32:8e:17:bc:2c:93:bf:b2:88:fc: + e1:7e:f5:ae:f5:4f:b4:13:eb:85:88:d6:4c:9e:a9:eb:d1:82: + 7c:94:72:86:8d:ef:01:42:2d:f1:11:5a:97:51:85:6f:bd:9c: + e3:90:d0:1a:47:15:cc:b2:c9:c3:c7:03:3f:76:a3:b5:66:9c: + e4:76:7d:74:d3:c9:91:6f:8a:87:5d:a5:f6:0a:a3:9f:4e:b5: + 5c:08:d0:e1:79:db:6f:04:03:60:2b:97:86:0b:8f:13:db:f7: + 93:30:db:8a:6c:15:c0:81:0e:07:fe:12:01:15:f7:ef:2e:d3: + 51:69 +-----BEGIN CERTIFICATE----- +MIIChjCCAe+gAwIBAgIBKDANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEY +MBYGA1UEChMPVS5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb2QxEDAOBgNVBAsT +B1Rlc3RpbmcxFTATBgNVBAMTDENBMS1DUC4wNi4wMTAeFw05ODAxMDExMjAxMDBa +Fw00ODAxMDExMjAxMDBaMGAxCzAJBgNVBAYTAlVTMRgwFgYDVQQKEw9VLlMuIEdv +dmVybm1lbnQxDDAKBgNVBAsTA0RvRDEQMA4GA1UECxMHVGVzdGluZzEXMBUGA1UE +AxMOVXNlcjEtQ1AuMDYuMDEwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAOh7 +lUwMRet7t/ABI6mo27CsnRzQ64Xx7f1dqxrJNuuSRslVShaWnwiGHjc+5/TS7Urf +j9VO0dseBCzPsyYFoIX1q7Q5zlArwy24qpXTGMmlpEGByzi7jkXO8w5+wqh3+8RF +rQQzr71zLtAVV/qPUyleuF8M8jzkwfPvawunmwdLAgMBAAGjUjBQMA4GA1UdDwEB +/wQEAwIF4DAWBgNVHSAEDzANMAsGCWCGSAFlAwEwATARBgNVHQ4ECgQIayC0PPU9 +zyswEwYDVR0jBAwwCoAICIAmlz6+Cc0wDQYJKoZIhvcNAQEFBQADgYEAPz7bUvaE +V7Myjhe8LJO/soj84X71rvVPtBPrhYjWTJ6p69GCfJRyho3vAUIt8RFal1GFb72c +45DQGkcVzLLJw8cDP3ajtWac5HZ9dNPJkW+Kh12l9gqjn061XAjQ4XnbbwQDYCuX +hguPE9v3kzDbimwVwIEOB/4SARX37y7TUWk= +-----END CERTIFICATE----- +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 39 (0x27) + Signature Algorithm: sha1WithRSAEncryption + Issuer: C=US, O=U.S. Government, OU=DoD, OU=Testing, CN=Trust Anchor + Validity + Not Before: Jan 1 12:01:00 1998 GMT + Not After : Jan 1 12:01:00 2048 GMT + Subject: C=US, O=U.S. Government, OU=Dod, OU=Testing, CN=CA1-CP.06.01 + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public Key: (1024 bit) + Modulus (1024 bit): + 00:c8:e0:c5:d9:07:4f:01:7d:41:f1:a3:ff:f8:45: + ee:c0:c7:4a:96:90:78:32:ea:76:fe:fd:76:8b:43: + 61:70:3d:bb:e9:6f:99:a4:84:b8:6a:0d:90:52:5f: + 72:90:2f:46:22:27:ca:7c:d6:d9:9d:bd:14:07:fc: + b6:c5:cd:7f:f7:38:a0:53:51:f5:79:8a:66:32:f7: + bf:40:d8:d1:1b:e2:8b:45:a7:a1:03:4a:c9:19:86: + db:58:dd:dd:88:cd:42:02:a0:25:94:5e:13:9b:9e: + 69:07:27:68:c4:73:cd:5b:82:01:64:2b:92:e2:af: + 59:bf:b4:aa:b6:20:e3:c5:25 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Key Usage: critical + Certificate Sign, CRL Sign + X509v3 Certificate Policies: + Policy: 2.16.840.1.101.3.1.48.1 + + X509v3 Subject Key Identifier: + 08:80:26:97:3E:BE:09:CD + X509v3 Authority Key Identifier: + keyid:AB:9A:EB:F9:C2:E7:54:8F + + Signature Algorithm: sha1WithRSAEncryption + d1:9b:c8:1b:67:27:93:7d:a9:ea:ec:6a:1b:0f:01:bb:8d:0d: + ad:f1:ee:f6:03:64:24:be:4c:84:31:c9:5c:0e:8e:c5:4e:41: + 5f:96:d6:66:92:e7:29:72:e8:1e:2a:92:76:d1:1d:9b:2e:5c: + 2d:9c:37:92:08:31:9d:dc:63:b2:74:45:33:20:9a:c1:a6:2e: + a4:90:61:96:0a:ae:15:bb:af:06:d0:3c:ac:cb:64:73:91:f8: + ce:e7:4f:65:c3:9c:bd:7b:bb:5f:0e:7c:2b:ed:5c:69:21:94: + 44:bf:80:ea:e5:c5:3e:73:14:05:dd:7e:93:e7:a3:6e:d3:bc: + 3e:da +-----BEGIN CERTIFICATE----- +MIIClTCCAf6gAwIBAgIBJzANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEY +MBYGA1UEChMPVS5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb0QxEDAOBgNVBAsT +B1Rlc3RpbmcxFTATBgNVBAMTDFRydXN0IEFuY2hvcjAeFw05ODAxMDExMjAxMDBa +Fw00ODAxMDExMjAxMDBaMF4xCzAJBgNVBAYTAlVTMRgwFgYDVQQKEw9VLlMuIEdv +dmVybm1lbnQxDDAKBgNVBAsTA0RvZDEQMA4GA1UECxMHVGVzdGluZzEVMBMGA1UE +AxMMQ0ExLUNQLjA2LjAxMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI4MXZ +B08BfUHxo//4Re7Ax0qWkHgy6nb+/XaLQ2FwPbvpb5mkhLhqDZBSX3KQL0YiJ8p8 +1tmdvRQH/LbFzX/3OKBTUfV5imYy979A2NEb4otFp6EDSskZhttY3d2IzUICoCWU +XhObnmkHJ2jEc81bggFkK5Lir1m/tKq2IOPFJQIDAQABo2MwYTAPBgNVHRMBAf8E +BTADAQH/MA4GA1UdDwEB/wQEAwIBBjAWBgNVHSAEDzANMAsGCWCGSAFlAwEwATAR +BgNVHQ4ECgQICIAmlz6+Cc0wEwYDVR0jBAwwCoAIq5rr+cLnVI8wDQYJKoZIhvcN +AQEFBQADgYEA0ZvIG2cnk32p6uxqGw8Bu40NrfHu9gNkJL5MhDHJXA6OxU5BX5bW +ZpLnKXLoHiqSdtEdmy5cLZw3kggxndxjsnRFMyCawaYupJBhlgquFbuvBtA8rMtk +c5H4zudPZcOcvXu7Xw58K+1caSGURL+A6uXFPnMUBd1+k+ejbtO8Pto= +-----END CERTIFICATE----- +Certificate Revocation List (CRL): + Version 2 (0x1) + Signature Algorithm: sha1WithRSAEncryption + Issuer: /C=US/O=U.S. Government/OU=Dod/OU=Testing/CN=CA1-CP.06.01 + Last Update: Jan 1 12:01:00 1999 GMT + Next Update: Jan 1 12:01:00 2048 GMT + CRL extensions: + X509v3 CRL Number: + 1 + X509v3 Authority Key Identifier: + keyid:08:80:26:97:3E:BE:09:CD + +No Revoked Certificates. + Signature Algorithm: sha1WithRSAEncryption + 6e:42:5e:8d:f7:35:af:3b:42:6e:d0:ba:c4:96:77:89:91:03: + 0c:c5:b6:0b:11:6f:3a:f4:b0:86:60:a3:3e:a5:58:de:5a:c2: + 3c:d4:90:cd:d8:e6:a9:ea:62:a0:29:ee:ee:89:e0:3f:e1:c0: + 03:b8:4c:ed:b9:be:4a:83:7b:2b:35:ca:b9:f4:3b:0b:63:8d: + a0:0c:2f:a0:f6:60:9e:88:9d:83:b4:55:10:2c:54:07:20:fa: + 00:9b:b4:e3:27:76:c0:22:d8:46:90:9f:4b:6b:43:b5:72:e1: + 1c:40:e9:7b:e1:0b:c2:fd:f9:a5:b9:02:32:50:8e:da:ee:c9: + f9:37 +-----BEGIN X509 CRL----- +MIIBSzCBtQIBATANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1UE +ChMPVS5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb2QxEDAOBgNVBAsTB1Rlc3Rp +bmcxFTATBgNVBAMTDENBMS1DUC4wNi4wMRcNOTkwMTAxMTIwMTAwWhcNNDgwMTAx +MTIwMTAwWqAjMCEwCgYDVR0UBAMCAQEwEwYDVR0jBAwwCoAICIAmlz6+Cc0wDQYJ +KoZIhvcNAQEFBQADgYEAbkJejfc1rztCbtC6xJZ3iZEDDMW2CxFvOvSwhmCjPqVY +3lrCPNSQzdjmqepioCnu7ongP+HAA7hM7bm+SoN7KzXKufQ7C2ONoAwvoPZgnoid +g7RVECxUByD6AJu04yd2wCLYRpCfS2tDtXLhHEDpe+ELwv35pbkCMlCO2u7J+Tc= +-----END X509 CRL----- + +Certificate Revocation List (CRL): + Version 2 (0x1) + Signature Algorithm: sha1WithRSAEncryption + Issuer: /C=US/O=U.S. Government/OU=DoD/OU=Testing/CN=Trust Anchor + Last Update: Jan 1 12:01:00 1999 GMT + Next Update: Jan 1 12:01:00 2048 GMT + CRL extensions: + X509v3 CRL Number: + 1 + X509v3 Authority Key Identifier: + keyid:AB:9A:EB:F9:C2:E7:54:8F + +Revoked Certificates: + Serial Number: 27 + Revocation Date: Jan 1 12:00:00 1999 GMT + X509v3 CRL Reason Code: + Key Compromise + Signature Algorithm: sha1WithRSAEncryption + 0b:b9:6a:67:07:a3:25:15:bb:42:fc:c7:d7:5f:fb:71:87:0b: + de:b6:9c:80:cc:47:dc:f4:94:fe:e7:ef:c8:b9:3b:6a:14:7e: + f9:1b:47:6a:bc:bf:59:e0:af:45:dc:b3:9c:b8:88:38:0f:19: + 06:28:2e:5a:d5:4f:aa:c3:72:b0:d9:fb:58:ba:1f:40:85:5a: + fb:f4:c3:dd:3f:a5:79:c7:b8:7b:53:70:19:0b:e3:e5:0f:9e: + db:04:6d:19:78:3e:80:2b:93:8d:32:94:15:f2:91:9d:6c:fb: + 3b:b4:72:88:92:8a:8a:6d:23:b4:01:78:46:40:a9:2d:e6:cd: + 0a:16 +-----BEGIN X509 CRL----- +MIIBbzCB2QIBATANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1UE +ChMPVS5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb0QxEDAOBgNVBAsTB1Rlc3Rp +bmcxFTATBgNVBAMTDFRydXN0IEFuY2hvchcNOTkwMTAxMTIwMTAwWhcNNDgwMTAx +MTIwMTAwWjAiMCACAScXDTk5MDEwMTEyMDAwMFowDDAKBgNVHRUEAwoBAaAjMCEw +CgYDVR0UBAMCAQEwEwYDVR0jBAwwCoAIq5rr+cLnVI8wDQYJKoZIhvcNAQEFBQAD +gYEAC7lqZwejJRW7QvzH11/7cYcL3racgMxH3PSU/ufvyLk7ahR++RtHary/WeCv +RdyznLiIOA8ZBiguWtVPqsNysNn7WLofQIVa+/TD3T+lece4e1NwGQvj5Q+e2wRt +GXg+gCuTjTKUFfKRnWz7O7RyiJKKim0jtAF4RkCpLebNChY= +-----END X509 CRL----- diff --git a/tests/test21.pem b/tests/test21.pem new file mode 100644 index 0000000000..2a3b253043 --- /dev/null +++ b/tests/test21.pem @@ -0,0 +1,163 @@ +[ The end certificate has been revoked ] + +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 42 (0x2a) + Signature Algorithm: sha1WithRSAEncryption + Issuer: C=US, O=U.S. Government, OU=Dod, OU=Testing, CN=CA1-CP.06.02 + Validity + Not Before: Jan 1 12:01:00 1998 GMT + Not After : Jan 1 12:01:00 2048 GMT + Subject: C=US, O=U.S. Government, OU=DoD, OU=Testing, CN=User1-CP.06.02 + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public Key: (1024 bit) + Modulus (1024 bit): + 00:ae:03:f4:7f:09:c5:e2:2b:16:e3:a6:c7:47:12: + 90:86:0d:4b:4a:7b:70:34:81:95:c7:39:ec:d6:b7: + fb:59:3b:94:90:fb:98:4f:59:3f:af:f8:ed:8b:03: + 54:ad:9b:c1:ee:1a:4c:a0:93:5e:d3:e4:fe:41:90: + e9:bb:0b:b3:02:57:6f:25:b8:93:8f:9f:e4:b7:80: + 62:85:e0:6e:66:57:8c:05:85:f8:12:88:97:cb:8a: + 7a:db:2a:0b:71:e4:09:ea:a1:05:a6:35:00:65:2a: + 79:fe:28:38:09:1a:90:43:fe:d6:36:05:ba:63:58: + b4:c6:81:fb:dc:7f:d2:77:01 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Key Usage: critical + Digital Signature, Non Repudiation, Key Encipherment + X509v3 Certificate Policies: + Policy: 2.16.840.1.101.3.1.48.1 + + X509v3 Subject Key Identifier: + 0B:D3:22:24:D2:3B:D5:13 + X509v3 Authority Key Identifier: + keyid:68:7C:56:39:D1:EC:2D:B5 + + Signature Algorithm: sha1WithRSAEncryption + a3:f8:9b:98:8c:6d:7a:2b:72:8d:99:6c:ce:30:9c:fe:ce:f2: + 33:fd:2c:9c:be:fc:a5:8a:4c:39:9d:cf:d9:33:ca:91:88:76: + 4e:1e:3e:07:0f:09:a9:7d:74:f8:cf:f3:c0:50:63:e4:1c:3b: + 22:6c:c2:21:17:d2:dc:61:6e:2a:67:15:73:21:c1:e0:e6:4b: + 31:c4:19:b5:75:80:f0:63:99:f7:86:2f:5a:ae:53:04:83:65: + 56:d4:e1:42:db:ac:42:3d:79:28:1a:b6:4c:93:4d:15:4c:83: + a4:17:6f:ca:8d:39:02:71:2c:45:8d:07:6c:84:2e:e9:98:4d: + 43:8d +-----BEGIN CERTIFICATE----- +MIIChjCCAe+gAwIBAgIBKjANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEY +MBYGA1UEChMPVS5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb2QxEDAOBgNVBAsT +B1Rlc3RpbmcxFTATBgNVBAMTDENBMS1DUC4wNi4wMjAeFw05ODAxMDExMjAxMDBa +Fw00ODAxMDExMjAxMDBaMGAxCzAJBgNVBAYTAlVTMRgwFgYDVQQKEw9VLlMuIEdv +dmVybm1lbnQxDDAKBgNVBAsTA0RvRDEQMA4GA1UECxMHVGVzdGluZzEXMBUGA1UE +AxMOVXNlcjEtQ1AuMDYuMDIwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAK4D +9H8JxeIrFuOmx0cSkIYNS0p7cDSBlcc57Na3+1k7lJD7mE9ZP6/47YsDVK2bwe4a +TKCTXtPk/kGQ6bsLswJXbyW4k4+f5LeAYoXgbmZXjAWF+BKIl8uKetsqC3HkCeqh +BaY1AGUqef4oOAkakEP+1jYFumNYtMaB+9x/0ncBAgMBAAGjUjBQMA4GA1UdDwEB +/wQEAwIF4DAWBgNVHSAEDzANMAsGCWCGSAFlAwEwATARBgNVHQ4ECgQIC9MiJNI7 +1RMwEwYDVR0jBAwwCoAIaHxWOdHsLbUwDQYJKoZIhvcNAQEFBQADgYEAo/ibmIxt +eityjZlszjCc/s7yM/0snL78pYpMOZ3P2TPKkYh2Th4+Bw8JqX10+M/zwFBj5Bw7 +ImzCIRfS3GFuKmcVcyHB4OZLMcQZtXWA8GOZ94YvWq5TBINlVtThQtusQj15KBq2 +TJNNFUyDpBdvyo05AnEsRY0HbIQu6ZhNQ40= +-----END CERTIFICATE----- + + +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 41 (0x29) + Signature Algorithm: sha1WithRSAEncryption + Issuer: C=US, O=U.S. Government, OU=DoD, OU=Testing, CN=Trust Anchor + Validity + Not Before: Jan 1 12:01:00 1998 GMT + Not After : Jan 1 12:01:00 2048 GMT + Subject: C=US, O=U.S. Government, OU=Dod, OU=Testing, CN=CA1-CP.06.02 + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public Key: (1024 bit) + Modulus (1024 bit): + 00:bf:21:e8:d5:dc:39:9e:68:b5:bc:3b:03:1f:00: + 6c:ab:e7:ef:0d:3b:13:35:0b:e5:01:62:c9:5b:39: + f5:a3:29:41:9d:86:55:fa:4f:11:5c:e4:03:89:54: + 90:69:4b:f4:23:78:0f:91:5a:85:02:c6:7c:4a:6f: + d4:12:94:ea:c1:98:00:eb:72:71:b3:f3:35:74:fd: + cd:09:0c:b6:94:de:84:a0:b1:51:16:64:4d:12:7b: + 10:55:5a:b2:9c:97:58:fb:c0:dd:11:bb:13:1e:02: + 9d:f8:db:f6:28:ca:f0:70:79:ad:d5:7a:a2:64:99: + 20:9c:ed:8d:93:8e:bb:96:11 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Key Usage: critical + Certificate Sign, CRL Sign + X509v3 Certificate Policies: + Policy: 2.16.840.1.101.3.1.48.1 + + X509v3 Subject Key Identifier: + 68:7C:56:39:D1:EC:2D:B5 + X509v3 Authority Key Identifier: + keyid:AB:9A:EB:F9:C2:E7:54:8F + + Signature Algorithm: sha1WithRSAEncryption + bb:37:aa:fe:5a:a9:d2:ab:3a:da:4a:ca:e8:40:3c:d5:28:a5: + 87:2e:36:97:f2:a6:ca:71:37:99:5b:bd:18:f0:60:41:2d:01: + 50:38:bb:fa:b4:10:fa:6d:14:c5:81:25:ce:3d:92:34:ee:09: + e5:a0:58:78:2f:7c:95:52:45:08:75:fb:40:4f:32:54:ea:0f: + 05:07:79:ac:0f:ab:af:3e:07:0f:d4:28:3f:b8:25:c5:3a:8b: + 53:a4:dc:f5:51:5d:fa:26:85:a6:ab:15:b5:28:76:6f:11:f6: + 06:d5:01:d8:04:60:79:b4:e4:95:a3:65:e5:53:db:bb:4f:b2: + 73:62 +-----BEGIN CERTIFICATE----- +MIIClTCCAf6gAwIBAgIBKTANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEY +MBYGA1UEChMPVS5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb0QxEDAOBgNVBAsT +B1Rlc3RpbmcxFTATBgNVBAMTDFRydXN0IEFuY2hvcjAeFw05ODAxMDExMjAxMDBa +Fw00ODAxMDExMjAxMDBaMF4xCzAJBgNVBAYTAlVTMRgwFgYDVQQKEw9VLlMuIEdv +dmVybm1lbnQxDDAKBgNVBAsTA0RvZDEQMA4GA1UECxMHVGVzdGluZzEVMBMGA1UE +AxMMQ0ExLUNQLjA2LjAyMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC/IejV +3DmeaLW8OwMfAGyr5+8NOxM1C+UBYslbOfWjKUGdhlX6TxFc5AOJVJBpS/QjeA+R +WoUCxnxKb9QSlOrBmADrcnGz8zV0/c0JDLaU3oSgsVEWZE0SexBVWrKcl1j7wN0R +uxMeAp342/YoyvBwea3VeqJkmSCc7Y2TjruWEQIDAQABo2MwYTAPBgNVHRMBAf8E +BTADAQH/MA4GA1UdDwEB/wQEAwIBBjAWBgNVHSAEDzANMAsGCWCGSAFlAwEwATAR +BgNVHQ4ECgQIaHxWOdHsLbUwEwYDVR0jBAwwCoAIq5rr+cLnVI8wDQYJKoZIhvcN +AQEFBQADgYEAuzeq/lqp0qs62krK6EA81Silhy42l/KmynE3mVu9GPBgQS0BUDi7 ++rQQ+m0UxYElzj2SNO4J5aBYeC98lVJFCHX7QE8yVOoPBQd5rA+rrz4HD9QoP7gl +xTqLU6Tc9VFd+iaFpqsVtSh2bxH2BtUB2ARgebTklaNl5VPbu0+yc2I= +-----END CERTIFICATE----- + +Certificate Revocation List (CRL): + Version 2 (0x1) + Signature Algorithm: sha1WithRSAEncryption + Issuer: /C=US/O=U.S. Government/OU=Dod/OU=Testing/CN=CA1-CP.06.02 + Last Update: Jan 1 12:01:00 1999 GMT + Next Update: Jan 1 12:01:00 2048 GMT + CRL extensions: + X509v3 CRL Number: + 1 + X509v3 Authority Key Identifier: + keyid:68:7C:56:39:D1:EC:2D:B5 + +Revoked Certificates: + Serial Number: 2A + Revocation Date: Jan 1 12:00:00 1999 GMT + X509v3 CRL Reason Code: + Key Compromise + Signature Algorithm: sha1WithRSAEncryption + 60:66:80:cd:5a:14:76:54:99:de:e1:8a:89:13:df:1c:01:48: + a0:a4:fb:f6:13:4e:be:d3:b1:68:60:34:68:87:a4:f4:ec:a9: + 0e:b0:ea:60:08:7f:b3:68:ec:5d:28:5e:2f:4a:6b:fe:ff:56: + 44:81:ef:b4:2b:7b:ca:d5:c3:c5:5c:a7:e0:dc:63:a5:fb:fb: + 06:40:0c:32:27:1c:75:4c:75:38:7d:55:12:54:d1:92:69:ad: + 31:ee:d1:3b:35:1e:1d:41:b3:5c:93:4f:7b:1d:41:73:d0:6f: + 48:28:47:d7:c6:d6:61:c9:32:39:97:58:24:18:dc:b4:22:89: + 16:0c +-----BEGIN X509 CRL----- +MIIBbzCB2QIBATANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1UE +ChMPVS5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb2QxEDAOBgNVBAsTB1Rlc3Rp +bmcxFTATBgNVBAMTDENBMS1DUC4wNi4wMhcNOTkwMTAxMTIwMTAwWhcNNDgwMTAx +MTIwMTAwWjAiMCACASoXDTk5MDEwMTEyMDAwMFowDDAKBgNVHRUEAwoBAaAjMCEw +CgYDVR0UBAMCAQEwEwYDVR0jBAwwCoAIaHxWOdHsLbUwDQYJKoZIhvcNAQEFBQAD +gYEAYGaAzVoUdlSZ3uGKiRPfHAFIoKT79hNOvtOxaGA0aIek9OypDrDqYAh/s2js +XSheL0pr/v9WRIHvtCt7ytXDxVyn4Nxjpfv7BkAMMiccdUx1OH1VElTRkmmtMe7R +OzUeHUGzXJNPex1Bc9BvSChH18bWYckyOZdYJBjctCKJFgw= +-----END X509 CRL----- diff --git a/tests/x509_test.c b/tests/x509_test.c index 7df91202ba..f093387243 100644 --- a/tests/x509_test.c +++ b/tests/x509_test.c @@ -3,8 +3,6 @@ #include <string.h> #include <gnutls/x509.h> -#include <dmalloc.h> - #define MAX_FILE_SIZE 16*1024 struct file_res { @@ -18,6 +16,8 @@ static struct file_res test_files[] = { { "test3.pem", GNUTLS_CERT_INVALID | GNUTLS_CERT_NOT_TRUSTED }, { "test10.pem", 0 }, { "test13.pem", GNUTLS_CERT_INVALID | GNUTLS_CERT_NOT_TRUSTED }, + { "test20.pem", GNUTLS_CERT_REVOKED | GNUTLS_CERT_NOT_TRUSTED }, + { "test21.pem", GNUTLS_CERT_REVOKED | GNUTLS_CERT_NOT_TRUSTED }, { "test22.pem", GNUTLS_CERT_INVALID | GNUTLS_CERT_NOT_TRUSTED }, { "test23.pem", GNUTLS_CERT_INVALID | GNUTLS_CERT_NOT_TRUSTED }, { "test24.pem", 0 }, @@ -41,8 +41,13 @@ static void print_res( int x) printf("- certificate is NOT trusted\n"); else printf("- certificate is trusted\n"); + if (x&GNUTLS_CERT_CORRUPTED) printf("- Found a corrupted certificate.\n"); + + if (x&GNUTLS_CERT_REVOKED) + printf("- certificate is revoked.\n"); + return; } @@ -92,13 +97,13 @@ int i = 0, exp_result; } -#define PEM_SEP "-----BEGIN CERT" -#define PEM_SEP_SIZE (sizeof(PEM_SEP)-1) +#define CERT_SEP "-----BEGIN CERT" +#define CRL_SEP "-----BEGIN X509 CRL" /* Verifies a base64 encoded certificate list from memory */ int _verify_x509_mem( const char* cert, int cert_size, - const char *ca, int ca_size) + const char *ca, int ca_size, const char* crl, int crl_size) { int siz, i; const char *ptr; @@ -107,7 +112,8 @@ int _verify_x509_mem( const char* cert, int cert_size, gnutls_datum tmp; gnutls_x509_certificate *x509_cert_list = NULL; gnutls_x509_certificate x509_ca; - int x509_ncerts; + gnutls_x509_crl *x509_crl_list = NULL; + int x509_ncerts, x509_ncrls; /* Decode the CA certificate */ @@ -127,6 +133,50 @@ int _verify_x509_mem( const char* cert, int cert_size, exit(1); } + /* Decode the CRL list + */ + siz = crl_size; + ptr = crl; + + i = 1; + + if (strstr(ptr, CRL_SEP)!=NULL) /* if CRLs exist */ + do { + x509_crl_list = + (gnutls_x509_crl *) realloc( x509_crl_list, + i * + sizeof(gnutls_x509_crl)); + if (x509_crl_list == NULL) { + fprintf(stderr, "memory error\n"); + exit(1); + } + + tmp.data = (char*)ptr; + tmp.size = siz; + + ret = gnutls_x509_crl_init( &x509_crl_list[i-1]); + if (ret < 0) { + fprintf(stderr, "Error parsing the CRL[%d]: %s\n", i, gnutls_strerror(ret)); + exit(1); + } + + ret = gnutls_x509_crl_import( x509_crl_list[i-1], &tmp, GNUTLS_X509_FMT_PEM); + if (ret < 0) { + fprintf(stderr, "Error parsing the CRL[%d]: %s\n", i, gnutls_strerror(ret)); + exit(1); + } + + /* now we move ptr after the pem header */ + ptr = strstr(ptr, CRL_SEP); + if (ptr!=NULL) + ptr++; + + i++; + } while ((ptr = strstr(ptr, CRL_SEP)) != NULL); + + x509_ncrls = i - 1; + + /* Decode the certificate chain. */ siz = cert_size; @@ -160,23 +210,30 @@ int _verify_x509_mem( const char* cert, int cert_size, } /* now we move ptr after the pem header */ - ptr = strstr(ptr, PEM_SEP); + ptr = strstr(ptr, CERT_SEP); if (ptr!=NULL) ptr++; i++; - } while ((ptr = strstr(ptr, PEM_SEP)) != NULL); + } while ((ptr = strstr(ptr, CERT_SEP)) != NULL); x509_ncerts = i - 1; ret = gnutls_x509_certificate_list_verify( x509_cert_list, x509_ncerts, - &x509_ca, 1, NULL, 0, &output); + &x509_ca, 1, x509_crl_list, x509_ncrls, 0, &output); gnutls_x509_certificate_deinit( x509_ca); + for (i=0;i<x509_ncerts;i++) { gnutls_x509_certificate_deinit( x509_cert_list[i]); } + + for (i=0;i<x509_ncrls;i++) { + gnutls_x509_crl_deinit( x509_crl_list[i]); + } + free( x509_cert_list); + free( x509_crl_list); if ( ret < 0) { fprintf(stderr, "Error in verification: %s\n", gnutls_strerror(ret)); @@ -220,6 +277,6 @@ int _verify_x509_file( const char* certfile, const char *cafile) ca[ca_size] = 0; - return _verify_x509_mem( cert, cert_size, ca, ca_size); + return _verify_x509_mem( cert, cert_size, ca, ca_size, cert, cert_size); } |