authorNikos Mavrogiannopoulos <nmav@gnutls.org>2019-12-14 10:44:16 +0100
committerNikos Mavrogiannopoulos <nmav@gnutls.org>2019-12-23 19:53:59 +0100
commit2923c812cc054bbbb376433d5ca9021d19ebf804 (patch)
treeb5252789291fe82b9b87fb4a51dffc13d7adbc31 /tests
parent2baf633b1c2ac488a6b65fcea3f15a3c46791738 (diff)
downloadgnutls-2923c812cc054bbbb376433d5ca9021d19ebf804.tar.gz
tests: check certificate generation from certificate request
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Diffstat (limited to 'tests')
-rw-r--r--tests/cert-tests/Makefile.am8
-rwxr-xr-xtests/cert-tests/crq91
-rw-r--r--tests/cert-tests/data/crq-cert-no-ca-explicit.pem26
-rw-r--r--tests/cert-tests/data/crq-cert-no-ca-honor.pem26
-rw-r--r--tests/cert-tests/data/crq-cert-no-ca.pem19
-rw-r--r--tests/cert-tests/templates/template-no-ca-explicit.tmpl13
-rw-r--r--tests/cert-tests/templates/template-no-ca-honor.tmpl3
-rw-r--r--tests/cert-tests/templates/template-no-ca.tmpl2
8 files changed, 185 insertions, 3 deletions
diff --git a/tests/cert-tests/Makefile.am b/tests/cert-tests/Makefile.am
index 76765889c6..c8abdbf74a 100644
--- a/tests/cert-tests/Makefile.am
+++ b/tests/cert-tests/Makefile.am
@@ -94,12 +94,14 @@ EXTRA_DIST = data/ca-no-pathlen.pem data/no-ca-or-pathlen.pem data/aki-cert.pem
data/key-invalid3.der data/pkcs8-eddsa.pem data/pkcs8-eddsa.pem.txt \
data/rfc4490.p7b data/rfc4490.p7b.out data/gost01.p12 data/gost12.p12 data/gost12-2.p12 \
data/ca-crl-invalid.crl data/ca-crl-invalid.pem data/ca-crl-valid.pem data/ca-crl-valid.crl \
- data/rfc4134-ca-rsa.pem data/rfc4134-4.5.p7b \
- data/key-gost01.p8 data/key-gost01-2.p8 data/key-gost01-2-enc.p8 \
+ data/rfc4134-ca-rsa.pem data/rfc4134-4.5.p7b templates/template-no-ca.tmpl \
+ data/key-gost01.p8 data/key-gost01-2.p8 data/key-gost01-2-enc.p8 data/crq-cert-no-ca.pem \
data/key-gost12-256.p8 data/key-gost12-256-2.p8 data/key-gost12-256-2-enc.p8 \
data/key-gost12-512.p8 data/grfc.crt data/gost-cert-ca.pem data/gost-cert-new.pem \
data/cert-with-non-digits-time-ca.pem data/cert-with-non-digits-time.pem \
- data/chain-512-leaf.pem data/chain-512-subca.pem data/chain-512-ca.pem
+ data/chain-512-leaf.pem data/chain-512-subca.pem data/chain-512-ca.pem \
+ templates/template-no-ca-honor.tmpl templates/template-no-ca-explicit.tmpl \
+ data/crq-cert-no-ca-explicit.pem data/crq-cert-no-ca-honor.pem
dist_check_SCRIPTS = pathlen aki invalid-sig email \
pkcs7 pkcs7-broken-sigs privkey-import name-constraints certtool-long-cn crl provable-privkey \
diff --git a/tests/cert-tests/crq b/tests/cert-tests/crq
index e29f17a17f..89099cfc0a 100755
--- a/tests/cert-tests/crq
+++ b/tests/cert-tests/crq
@@ -147,6 +147,97 @@ if test "${rc}" != "0"; then
exit ${rc}
fi
+# check whether the generation with extension works
+datefudge -s "2007-04-22" \
+ "${CERTTOOL}" --generate-request \
+ --load-privkey "${srcdir}/data/template-test.key" \
+ --template "${srcdir}/templates/arb-extensions.tmpl" \
+ --outfile $OUTFILE 2>/dev/null
+rc=$?
+
+if test "${rc}" != "0"; then
+ echo "add_extension crq failed"
+ exit ${rc}
+fi
+
+${DIFF} --ignore-matching-lines "Algorithm Security Level" "${srcdir}/data/arb-extensions.csr" "${OUTFILE}" >/dev/null 2>&1
+rc=$?
+
+if test "${rc}" != "0"; then
+ echo "Certificate request generation with explicit extensions failed"
+ exit ${rc}
+fi
+
+# Generate certificate from CRQ with no explicit extensions
+datefudge -s "2007-04-22" \
+ "${CERTTOOL}" --generate-certificate \
+ --load-ca-privkey "${srcdir}/../../doc/credentials/x509/ca-key.pem" \
+ --load-ca-certificate "${srcdir}/../../doc/credentials/x509/ca.pem" \
+ --load-request "${srcdir}/data/arb-extensions.csr" \
+ --template "${srcdir}/templates/template-no-ca.tmpl" \
+ --outfile "${OUTFILE}" 2>/dev/null
+rc=$?
+
+if test "${rc}" != "0"; then
+ echo "generate certificate with crq failed"
+ exit ${rc}
+fi
+
+${DIFF} --ignore-matching-lines "Algorithm Security Level" "${srcdir}/data/crq-cert-no-ca.pem" "${OUTFILE}" >/dev/null 2>&1
+rc=$?
+
+if test "${rc}" != "0"; then
+ echo "Certificate from request generation failed"
+ exit ${rc}
+fi
+
+# Generate certificate from CRQ with CRQ extensions
+datefudge -s "2007-04-22" \
+ "${CERTTOOL}" --generate-certificate \
+ --load-ca-privkey "${srcdir}/../../doc/credentials/x509/ca-key.pem" \
+ --load-ca-certificate "${srcdir}/../../doc/credentials/x509/ca.pem" \
+ --load-request "${srcdir}/data/arb-extensions.csr" \
+ --template "${srcdir}/templates/template-no-ca-honor.tmpl" \
+ --outfile "${OUTFILE}" 2>/dev/null
+rc=$?
+
+if test "${rc}" != "0"; then
+ echo "generate certificate with crq failed"
+ exit ${rc}
+fi
+
+${DIFF} --ignore-matching-lines "Algorithm Security Level" "${srcdir}/data/crq-cert-no-ca-honor.pem" "${OUTFILE}" >/dev/null 2>&1
+rc=$?
+
+if test "${rc}" != "0"; then
+ echo "Certificate from request generation with honor flag failed"
+ exit ${rc}
+fi
+
+# Generate certificate from CRQ with explicit extensions
+datefudge -s "2007-04-22" \
+ "${CERTTOOL}" --generate-certificate \
+ --load-ca-privkey "${srcdir}/../../doc/credentials/x509/ca-key.pem" \
+ --load-ca-certificate "${srcdir}/../../doc/credentials/x509/ca.pem" \
+ --load-request "${srcdir}/data/arb-extensions.csr" \
+ --template "${srcdir}/templates/template-no-ca-explicit.tmpl" \
+ --outfile "${OUTFILE}" 2>/dev/null
+rc=$?
+
+if test "${rc}" != "0"; then
+ echo "generate certificate with crq failed"
+ exit ${rc}
+fi
+
+${DIFF} --ignore-matching-lines "Algorithm Security Level" "${srcdir}/data/crq-cert-no-ca-explicit.pem" "${OUTFILE}" >/dev/null 2>&1
+rc=$?
+
+if test "${rc}" != "0"; then
+ echo "Certificate from request generation with explicit extensions failed"
+ exit ${rc}
+fi
+
+
rm -f "${OUTFILE}" "${OUTFILE2}" "${TMPFILE}"
exit 0
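Review bot: The three added `--generate-certificate` steps (template-no-ca, template-no-ca-honor, template-no-ca-explicit) all print the same `generate certificate with crq failed` message, and certtool's stderr and the diff output are discarded, so a failing run does not say which case broke or why. A distinct message per case would fix that, for example `echo "generate certificate with crq (honor_crq_extensions) failed"`. The first added command also passes `--outfile $OUTFILE` unquoted, while every other added use is `"${OUTFILE}"`. The comment on the template-no-ca case could state the expectation the golden file pins, e.g. `# without honor_crq_extensions, extensions requested in the CSR must not be copied into the issued certificate`; the shorter expected file suggests that is the intent, but please confirm.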
diff --git a/tests/cert-tests/data/crq-cert-no-ca-explicit.pem b/tests/cert-tests/data/crq-cert-no-ca-explicit.pem
new file mode 100644
index 0000000000..b912e94663
--- /dev/null
+++ b/tests/cert-tests/data/crq-cert-no-ca-explicit.pem
@@ -0,0 +1,26 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/tests/cert-tests/data/crq-cert-no-ca-honor.pem b/tests/cert-tests/data/crq-cert-no-ca-honor.pem
new file mode 100644
index 0000000000..3b430d2537
--- /dev/null
+++ b/tests/cert-tests/data/crq-cert-no-ca-honor.pem
@@ -0,0 +1,26 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/tests/cert-tests/data/crq-cert-no-ca.pem b/tests/cert-tests/data/crq-cert-no-ca.pem
new file mode 100644
index 0000000000..7cd684b20f
--- /dev/null
+++ b/tests/cert-tests/data/crq-cert-no-ca.pem
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDCzCCAcOgAwIBAgIBAjANBgkqhkiG9w0BAQsFADAZMRcwFQYDVQQDEw5HbnVU
+TFMgVGVzdCBDQTAeFw0wNzA0MjIwMDAwMDBaFw0wODA0MjEwMDAwMDBaMHsxFTAT
+BgNVBAMTDENpbmR5IExhdXBlcjEXMBUGA1UECxMOc2xlZXBpbmcgZGVwdC4xEjAQ
+BgNVBAoTCUtva28gaW5jLjEPMA0GA1UECBMGQXR0aWtpMQswCQYDVQQGEwJHUjEX
+MBUGCgmSJomT8ixkAQETB2NsYXVwZXIwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJ
+AoGBAKXGznVDhL9kngInE/EDWfd5LZLtfC9QpAPxLXm5hosFfjq7RKqvhM8TmB4c
+Sjj3My16n3LUa20msDE3cBD7QunYnRhlfhlJ/AWWBGiDHneGv+315RI7E/4zGJwa
+eh1pr0cCYHofuejP28g0MFGWPYyWXAC8Yd4ID7E2IX+pAOMFAgMBAAGjUDBOMAwG
+A1UdEwEB/wQCMAAwHQYDVR0OBBYEFF1ArfDOlECVi36ZlB2SVCLKcjZfMB8GA1Ud
+IwQYMBaAFE1Wt2oAWPFnkvSmdVUbjlMBA+/PMA0GCSqGSIb3DQEBCwUAA4IBMQCP
+Go/myevL2Ia/w3bOy+k/NdJ8OB5o6T42WHCcqvBOrcrQJEjhfZP8fl79KNGqNbxs
+Fr6hwP1inY1yxdUtn0OCiKEB1Gp68QMb10eS7QarcMTiznUty8o+NHU9nV6I0kbO
+4sBi6uMR5Hv0WQ6fQigjo11RQB7cN7mGqpMBzkCG47WLgk19uJhmFBaWNjtFDbY5
+e4mxQpAonicUoKlubJ1JY5gyZEjVriuWjnuxqhGyul7SnrzeSBQPR81gz1n1YjXJ
+8aQ8FqyTG9tQkU0EkJwE1FxuFoqB0MHfTSn8THtZRLeSO5ymAQgmHU81IieTXFn9
+l37AavQFVpcyp1MHXIWn+CYjzQ38oo90SABRGMoiQSz0iRT+auCjnYZ3dNyax9HR
+9zf+KHBvs5sSsslNWQb/
+-----END CERTIFICATE-----
diff --git a/tests/cert-tests/templates/template-no-ca-explicit.tmpl b/tests/cert-tests/templates/template-no-ca-explicit.tmpl
new file mode 100644
index 0000000000..041b4d2c9d
--- /dev/null
+++ b/tests/cert-tests/templates/template-no-ca-explicit.tmpl
@@ -0,0 +1,13 @@
+cn = "No CA"
+serial = 02
+
+email_protection_key
+
+add_extension = "1.2.3.4 0001020304050607AAABCD"
+add_extension = "5.6.7.8 0x0001020304050607AAABCD"
+add_extension = "1.2.3.4.5.6.7 1d34cd5ad065dc27c17e9447b0aaaca7"
+add_extension = "1.2.3.4294967295.7 178f0e413f041cc9d64af64bf3b66c7ceac6fa34a4d77ed64c968b26c761709445f40d9ca0a00091af7d212789c00b7387b1d0d7ab623dd4029d4b86db3653621d34cd5ad065dc27c17e9447b0aaaca7"
+add_critical_extension = "9.10.11.12.13.14.15.16.17.1.5 CAFE"
+add_extension = "1.2.6710656.7 d64af64bf3b66c7ceac6fa34a4d77ed64c968b26c761709445f40d9ca0a00091af7d212789c00b7387b1d0d7ab623dd4029d4b86db3653621d34cd5ad065dc27c17e9447b0aaaca7"
+add_extension = "7.0.1.5 octet_string(CAFEBEAF)"
+add_critical_extension = "7.0.1.5.1 octet_string(BEAFCAFEFAFA)"
diff --git a/tests/cert-tests/templates/template-no-ca-honor.tmpl b/tests/cert-tests/templates/template-no-ca-honor.tmpl
new file mode 100644
index 0000000000..05f21b8885
--- /dev/null
+++ b/tests/cert-tests/templates/template-no-ca-honor.tmpl
@@ -0,0 +1,3 @@
+cn = "No CA"
+serial = 02
+honor_crq_extensions
diff --git a/tests/cert-tests/templates/template-no-ca.tmpl b/tests/cert-tests/templates/template-no-ca.tmpl
new file mode 100644
index 0000000000..6528a50e4b
--- /dev/null
+++ b/tests/cert-tests/templates/template-no-ca.tmpl
@@ -0,0 +1,2 @@
+cn = "No CA"
+serial = 02