diff options
author | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2016-10-18 10:02:29 +0200 |
---|---|---|
committer | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2016-10-18 12:58:36 +0200 |
commit | 08a8f68e38c1c6491db4997140a0d43711b54830 (patch) | |
tree | 2af943f220132abd9e295030520410768c93a944 /tests | |
parent | e93c96952b8bccedc23014fcbc7b9c0a52b2b559 (diff) | |
download | gnutls-08a8f68e38c1c6491db4997140a0d43711b54830.tar.gz |
tests: introduced verification constraints checks for PKCS#7 structures
That is, key purpose checks and more elaborate time checks.
Diffstat (limited to 'tests')
-rw-r--r-- | tests/cert-tests/Makefile.am | 6 | ||||
-rw-r--r-- | tests/cert-tests/data/code-signing-ca.pem | 62 | ||||
-rw-r--r-- | tests/cert-tests/data/code-signing-cert.pem | 64 | ||||
-rwxr-xr-x | tests/cert-tests/pkcs7 | 38 | ||||
-rwxr-xr-x | tests/cert-tests/pkcs7-constraints | 108 | ||||
-rwxr-xr-x | tests/cert-tests/pkcs7-constraints2 | 108 | ||||
-rw-r--r-- | tests/pkcs7-gen.c | 11 | ||||
-rwxr-xr-x | tests/suite/pkcs7-cat | 16 |
8 files changed, 408 insertions, 5 deletions
diff --git a/tests/cert-tests/Makefile.am b/tests/cert-tests/Makefile.am index fb8c3ddd9e..adbb345d3b 100644 --- a/tests/cert-tests/Makefile.am +++ b/tests/cert-tests/Makefile.am @@ -58,12 +58,14 @@ EXTRA_DIST = data/ca-no-pathlen.pem data/no-ca-or-pathlen.pem data/aki-cert.pem data/ca-secret.gpg data/srv-public.gpg data/srv-public-127.0.0.1-signed.gpg \ data/srv-public-localhost-signed.gpg data/selfsigs/alice-mallory-badsig18.pub \ data/selfsigs/alice-mallory-irrelevantsig.pub data/selfsigs/alice-mallory-nosig18.pub \ - data/selfsigs/alice.pub data/key-utf8-1.p12 data/key-utf8-2.p12 + data/selfsigs/alice.pub data/key-utf8-1.p12 data/key-utf8-2.p12 \ + data/code-signing-ca.pem data/code-signing-cert.pem dist_check_SCRIPTS = pathlen aki certtool invalid-sig email \ pkcs7 pkcs7-broken-sigs privkey-import name-constraints certtool-long-cn crl provable-privkey \ provable-dh userid sha2-test sha2-dsa-test provable-privkey-dsa2048 \ - provable-privkey-rsa2048 provable-privkey-gen-default + provable-privkey-rsa2048 provable-privkey-gen-default pkcs7-constraints \ + pkcs7-constraints2 if WANT_TEST_SUITE dist_check_SCRIPTS += provable-dh-default diff --git a/tests/cert-tests/data/code-signing-ca.pem b/tests/cert-tests/data/code-signing-ca.pem new file mode 100644 index 0000000000..30d5c8f0a1 --- /dev/null +++ b/tests/cert-tests/data/code-signing-ca.pem @@ -0,0 +1,62 @@ +-----BEGIN CERTIFICATE----- +MIID4jCCAkqgAwIBAgIBADANBgkqhkiG9w0BAQsFADAPMQ0wCwYDVQQDEwRDQS0w +MCAXDTEwMDIyNzE1MjE0MloYDzk5OTkxMjMxMjM1OTU5WjAPMQ0wCwYDVQQDEwRD +QS0wMIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEA0QHh//JKi30BDok3 +1lzQFhXhthwyc5aG/O6jW3LfxYD0I6Ubmyryuo+Hss0RSZruSbxrYIMTFTIYtd56 +d4/2CFT7OYsIjaf5vb7oMfITT1epnYnKxuBekfIAHjRlxXf5hddDQ9vsLmkr7wlT +zVyVX7fUYz1WuEiSVNHui+69idEZHAuwuz0P+kRoHJA8O2D8S71w01V0969yerOo +Rqq2za9HCWcGrKHSAwY8ce01YsFJj6ozVfrt3khXrLpNosd72oEupC+p4zGABdT9 +6GaMh47yX5jkCeh/ZTz8Ek3S6t5ryRi5UoyrD/bg5VHaW5SF3AUzgUKs9biV/K6R +OdqO7nk3xf37IQUHG3WZyUYpZ9LZLJZaBu4Tftzn71kYQ0JTBK06QLp43eArSSeo +IDyR6V7+rsaq23c0l2AFeGzSwCxUpcga4o5FrKLSEcEcgDJ8sxXr8KTjBKVg8k/O +M4T3xpAp0ZKR4sGJMB7sw8mmXkpICc2ZN+GrueP+xcJojNxJAgMBAAGjRzBFMA8G +A1UdEwEB/wQFMAMBAf8wEwYDVR0lBAwwCgYIKwYBBQUHAwMwHQYDVR0OBBYEFB8W +FXxAZlq94LBofKwIfsW3krrlMA0GCSqGSIb3DQEBCwUAA4IBgQBPG/pba5oHECfJ +1Z4q5FSO8AYG+v/KaaP0XSdsQOpxRW0/yYvWdGfGSd8NcFNYwBxDRPF6758cE72E +uSPF5EDH1rZDHsxQhUl5lwmBcP69hlLCeMzsWHsJmobqpv9hIbi+zb37CGQrOXwq ++0qc3tqQjw7979j1SfifLF/eo5DxWiJFgL7t2IjvJsIUTi5MdYVeiLn0WzVGvQ4h +yYlvBF/yg1YOvxHunbapL3hCImnzhCFQ/qFe0w+VjgkK9Fuz18lyYfxBoqziyMhR +9aBAjsHoAqZtnSLLFHYl4wh6dHjxAUr5r1GwO4cQGK7+dP1m8cVQoQfCPeQLE8GZ +aZwk/of7ywtjSEMJNMKP3NmKkGzoD48iIhtMbfZ+bXG4JWM8VD9bEw0JSf/ymCGV +Q+S+SiTqWSzb6Eq/rTkHa5IT1pFLySIZcsgjkw82VXSe4PEzlaFKTYePG1NU1Y3n +nrJ60/+PwcCFh7oVcZ0MTfuZmZxnhdID0cvxFd0VAo22Hxofbnw= +-----END CERTIFICATE----- +-----BEGIN RSA PRIVATE KEY----- +MIIG5AIBAAKCAYEA0QHh//JKi30BDok31lzQFhXhthwyc5aG/O6jW3LfxYD0I6Ub +myryuo+Hss0RSZruSbxrYIMTFTIYtd56d4/2CFT7OYsIjaf5vb7oMfITT1epnYnK +xuBekfIAHjRlxXf5hddDQ9vsLmkr7wlTzVyVX7fUYz1WuEiSVNHui+69idEZHAuw +uz0P+kRoHJA8O2D8S71w01V0969yerOoRqq2za9HCWcGrKHSAwY8ce01YsFJj6oz +Vfrt3khXrLpNosd72oEupC+p4zGABdT96GaMh47yX5jkCeh/ZTz8Ek3S6t5ryRi5 +UoyrD/bg5VHaW5SF3AUzgUKs9biV/K6ROdqO7nk3xf37IQUHG3WZyUYpZ9LZLJZa +Bu4Tftzn71kYQ0JTBK06QLp43eArSSeoIDyR6V7+rsaq23c0l2AFeGzSwCxUpcga +4o5FrKLSEcEcgDJ8sxXr8KTjBKVg8k/OM4T3xpAp0ZKR4sGJMB7sw8mmXkpICc2Z +N+GrueP+xcJojNxJAgMBAAECggGBAK4EGEuGSoSKpmeY3bGPgvzwaQW7wlG0oV1T +vxTzttX1AM/wtuRhRMkJmZzH2j3jTcR8qRYo66l5FVPPET4c0WasgqKtXIi8s1VE +7oQvHd6wiRsOT5N32aU/zNNZIubfdhP2Xx3PrHwTuq2BoZFZJVEVeDLMLjiuy47t +XuSI+KwXOQW9wf6S34uqithFSrDRlh3lc1uxSfqyy+jXTiLQHfVwmv98FPWEoZs9 +BPSB4DIB5iJEPgu3KXcp2j2Iu/zsgnPPSxvzYATguVB/zZ5TbsGuxNI519pj/9N2 +q/Y+8/9xJKp9Rmn5rRpDpojhvR5YVqkMo7+2uBcY/X2OfKxf9yNXbsRfV9KxfqDk +CXHcMx4hP7dgVweAFa3cc4mNSLmExbKEd0RtwZHedyzGG9TE1l6n0rTBrTOAtHda +EqrI9Q9cGhdQRKzIx4o5c3uD07I2r+1xoPZzCI0eEglzo+oSriJIvr4Mgwla7xWI +kK74R8W6Wx0QWB/9iHC6GV6kGQDCAQKBwQDu8ecDftQ/Onk6KjbBcm9XfnVM3ER9 +BKkWgmWvl9QOdNBYU2Hd7RrHAhjmILauyUp+62nNnGKxPLujLnVIicLtiGnivqQC +Sd2wEu1/tw6e4groQUxPD+c6kSXvGKUW+QKOvnGmQ4CkfBIST16TJrEMNvSBr5/B +A2LlufI5lPT8aMiF/mZfVS5axzOnmR7weggwK3T5kf/nw0JT5b28RuL1ck31Cb75 +EQezK4YkB+n5qgjBHM3bo6tO18s+YIVDlwkCgcEA3+zy8mmRh9SPjmJaM7bxoUHn +Q5oY1Umd6DH1uGi2qMe9cB1Dfcy8BomhKVrDgU4Hyo0Gc8oPaCsKiPYWy+pbYQ5L +o5JhsxWXhXfIqumWgvodXE03dLc405tFIyiSoaaCHaKVMotlp2781CBhjxJTfiKu +IL1i11C4lEpgcoE4uGP57irU7oFAesdM9osGi7UV+op/72mOWRkEEixHOmTIIvyN +e9MCBIVrmW5GM8Tp0oIwQ5V88nmmNxliZlA8HStBAoHAVxKbxnBPVAMw7fs4HOJg +pJeWkz2pT42FOIioGYbQZbw3uBgaj865dU/UVvgQ2jzMAtgypBSa+k9RaTOi1Z4u +BHUzcMdb6OGWAXXESkgg8dEZfG1fK2h2MKd4FVr7vhVb0zyfGaF7nXUA+N8nbaQp +3HOiQigHpURgo6pRFJ6tb9WXTQzZrV/TFo2Ey0xHNAakOTl81P1ZLdG/t+b+bz+9 +sQfIVMUKbKTCE46GwVaI8sv9iLHAaouH/6EvlTmDFpBRAoHAMHCQiZH+slRwDYwH +GULM+GZKQdx23MTFDPKpxg+Y2+ABgdxCulbsoblqDIke27zmgJGLQMcIGC+fYsth +WRFEXTV7dVH4IoZcNboYxagsL/8tFMd7ZJsyBsyC4z0moyNi6EhAYCO5hMPEm5q5 +n/qF5zZXVqvBUvSaSTHhtUNw4qp16WiIkWOScDzm0Dp42wX8UCtfy4mZCnsX31qG +ugINLUxWyt91g0bdZN5u/0nsjuYszKHs2oMoSqkKGTnoFyNBAoHBALrm0k/JNOWb +5Z9toqLnpzTM5hJQwQdzQFjuEyQa9DrC15kojjU4rwstVTRxVm+SJMoqWFbxPGe3 +28ijA0q226EdRnOP4d+xvapN5+1cQCAlfYKp7zC58smnC5dsIkVMoRGtMq4upZYH +rMQUYRcsjnjBf8hi3yyOyj4ENUMjsT4LZntfBKzc6Mv9PhoVWMPjndKxZFUJCwwE +hvmwhInAUuxIP18v/KkrgsZLva9xp6UARnB6Gpe3bFMLOWNb621Qgw== +-----END RSA PRIVATE KEY----- diff --git a/tests/cert-tests/data/code-signing-cert.pem b/tests/cert-tests/data/code-signing-cert.pem new file mode 100644 index 0000000000..0d04f13a15 --- /dev/null +++ b/tests/cert-tests/data/code-signing-cert.pem @@ -0,0 +1,64 @@ +-----BEGIN CERTIFICATE----- +MIIEIjCCAoqgAwIBAgIMWAXZ+AOk7Jxgz3G8MA0GCSqGSIb3DQEBCwUAMA8xDTAL +BgNVBAMTBENBLTAwHhcNMTQwMjI3MTUyMTQyWhcNMTYwMjI3MTUyMTQyWjAXMRUw +EwYDVQQDEwxjb2RlIHNpZ25pbmcwggGiMA0GCSqGSIb3DQEBAQUAA4IBjwAwggGK +AoIBgQDSnOotbRouMDqya42qSS20QLVxRfIfER8RtF/51S75Wxfdx9hgfre0Ldg+ +tNwbo0Je2vVta/OwDO1L/RsAc+//PSeuMVH0wIZZmGR3HpbY13spcwYJEuapIOkJ +LCy4jhllyTK8h8WI17mMf5WCzcfcH70ISZAUMGqrVOaTuviBcf8S5/sG251R+5ft +dBzz/sVV8GTSkGmn0LyihwzNyJ+5AhgsoKI5HJXU+ThNvJ0oUTIW/oh1qZMcdZdO +aCInIgeOLDj9K0CAw/E1Jfe05SccEzMQwY+zFhIUwzzKHPvIfLNkW6eHJca2zNgI +/CfSNtdwCSFkYykUduQveANM5+7/+jtbbUywfoz/2CY6WYsoarcPec8xlSbNBVmo +L5sfYoPRn+9MyuozV8UFlPupqc5AKYrMZXkwbud/KT6+Y/vrtU+ktpndJjhEB7Ot +4Y+WlqKml3QnLJWmyfbzTnXmB4FINMj/2Jl/Ay1BB45CBDpY0Z7uGm08FPi4hNaS +UTVlihMCAwEAAaN2MHQwDAYDVR0TAQH/BAIwADATBgNVHSUEDDAKBggrBgEFBQcD +AzAPBgNVHQ8BAf8EBQMDB4AAMB0GA1UdDgQWBBQR8od2h7W6lKTua1ZH3WTtTklw +0jAfBgNVHSMEGDAWgBQfFhV8QGZaveCwaHysCH7Ft5K65TANBgkqhkiG9w0BAQsF +AAOCAYEAvcUiycPKmDMquWBWw62FZPhA/kjUrIuyGChxxsv+pt4al6SNzcuXGfDJ +Us4Z0pwnMsvoy69HZFDyhkQ3uclgeYmR4rz0uNLrjvBoPlxK1gYPdqbN/gA8SvTi +y5yr/XnVriMzs6HpaWh0zGAuzaVbpRo79Ba+VPJsbSHETzM4iKzhxp+8WA2G0yaD +zw70KL0SzYh6QlhARtSAZ+3VDFFAAYHIpJr1qg5OS6AmPezUhE135iwvIGiBv3sh +aFIxEVGFIKkzelmpT5lq1qjQocV/KrJzrGYMshhJ847BWMROT1fXq/jL+lg38J0A +yy8pMCO1eYr9+7Dfea/OubGWcQPIGE+2XzUSPzLXJHrteq7y2dt2NLbto/QVsD41 +hFxvxKwfVSKhrUtuymaBynPfTo9ObFb4Y+BvxDnfYSp+myuNXNWocDGVsc+kFlhs +syKjkVJhZNTAP7LC8lYRIb42FOsJ6CiRmpXNj5/UIoXgjsMVF/4eIClvbqSui50Q +vKWlsnP1 +-----END CERTIFICATE----- +-----BEGIN RSA PRIVATE KEY----- +MIIG4gIBAAKCAYEA0pzqLW0aLjA6smuNqkkttEC1cUXyHxEfEbRf+dUu+VsX3cfY +YH63tC3YPrTcG6NCXtr1bWvzsAztS/0bAHPv/z0nrjFR9MCGWZhkdx6W2Nd7KXMG +CRLmqSDpCSwsuI4ZZckyvIfFiNe5jH+Vgs3H3B+9CEmQFDBqq1Tmk7r4gXH/Euf7 +BtudUfuX7XQc8/7FVfBk0pBpp9C8oocMzcifuQIYLKCiORyV1Pk4TbydKFEyFv6I +damTHHWXTmgiJyIHjiw4/StAgMPxNSX3tOUnHBMzEMGPsxYSFMM8yhz7yHyzZFun +hyXGtszYCPwn0jbXcAkhZGMpFHbkL3gDTOfu//o7W21MsH6M/9gmOlmLKGq3D3nP +MZUmzQVZqC+bH2KD0Z/vTMrqM1fFBZT7qanOQCmKzGV5MG7nfyk+vmP767VPpLaZ +3SY4RAezreGPlpaippd0JyyVpsn280515geBSDTI/9iZfwMtQQeOQgQ6WNGe7hpt +PBT4uITWklE1ZYoTAgMBAAECggGAOpt5uuxaVbIME2xEfrdgZYGAPCYnqyd7itSz +xHTjXnZP3OJovulkO1pqi4COo445wOWTWECrDjl6qyOiqOyaQ1+END/7O217tWDn +zBISDgNgfXdJnarJzxSeZHQLecvpG17ypG3vtRW6x3MVatHSpNmcI7s8wbF7bXPx +ufhUgMj1HxC41P6194NYkrY1/FvQFAsSM1oGXLGEXIHSOU1zzOrdSUXl/piKxToY +xeEPppF5q9ZmqL9odYnvcd0ea99W032FM7kkbNT6ycYzRmQEx7c+tAWlx7nqn9it +5f6oMJJwjSu+ZAm8YgZh4zQogWWL7+YYIrNQNoL74RG4EVPCupvrn/Z13XUK6N0e +qtCJeam/jsPsANL1rcu1te5wkzGJgs6KHrbrtKthoibJ73ivGxy46zWRJTNjFx9l +mCM5B5Img1vJizmFeCs2dFHXAi9Lx/t8IKHdydFjAAyZ4a0paz3HfmpHBWKFsm5J +4DgWU+WXqSsu+uftmiCz9d5e7lJJAoHBAPRyn0vX9a9GpM4olgaEtmBJh/UWA3s3 +otzxwOgeXJgWnWEkccPBMkNXFRO5LPO3oriakidBi3k0Q8rFaYuJ1Vf4v3WHJPZc +pOBYiTsOeQihjiSQdtrS6syborWGQyFsJnnbpSjoKTfb5RisSTev3Di5u5bqcgU/ +TMOoPvB3rBR92Z6K5n9ZD+XrFJwAIGfFVqRaxLZLItfGRJkBkvvzDZsuGoGOScS5 +FkcpFRSxRHWu2Ifdlz0ARUuV8+5uEVZBTQKBwQDckPPPMS3m0hNbl3D5P4GYn605 +Vxn9njHEAWlCfnGbPhsSTT2nw/jdJp60jHEVlDOAyKpDf3wkz1iQMO9sx9fYASv/ +stY9u/12ERNKkqvmqhsjxTAgFWYeAyoS2N4DIGWQXWWCcOsvPREwb9ym6q29bxtr +PKs9tTVRsnwrEFRZfsUTWPyV1ngBkVVk5MVGHYjUMM7iEHQsucOnnCDitauGaAx4 +kPSdng9wSelJXw2VJSrlfSOfOIRmQtd8iSn5SN8CgcAtdsgT1hW2xL/QLBJDIhm9 +bM+hkLeTCjT7POdxBHyaONKKh7m0+9C6X47m/TDUH1pfVThLntAu+b6GDxNjRX5t +fzE0za7dNzvfEfhsCHQQW+PQ/yFr74CGD4hClLcVl0TMs0JTimJoJjjEzv5LIiUm +U70FA5OzUCOZ3Efgd5GEuidoalMWal0fmQpbPVbJlhVYOh2N/gl78j896eIJhBoK +u5docytbMEVpdMWb9KBT9vIEyvze9pbsyPX2aXhF/50CgcBWF+pi7HJbT5KoxLMf +Ry+h0GoAIMSPX2lTda2Ne+eCTjqo6SdwzajdQc7e8JbPcnqsASecky10/M438jHy +hwr0UHjJJRhFHpTvufiKujeJIMrZKoX/b/rdKiUJGEeIduPN9vbBdKwIU1DbVD6P +lLjeYXkVYagBvTKjwgR/lq8mA7qPM8PcBMvw6LapXDa4iJy5HpgSW5PNRXFegi2/ +8GOUYhbEFOi2gVTLYr5Bmm2l0s0sqKz34Eql099ix/NvT4cCgcBg1KRXwvz/U8pI +mP9FcUKCL9CkRiPPzsjGv6qs2nvzUXaR5Bb/sX5cvKHNxlkgxYpvgH0oSJTfk0js +zceyce2B8VGBNzPW4O9L1JOZXH6vwBWsbEJM04neYQipu8ytZO4zjLWdOHd/9g/v +x7hmweYs7oL+lVlEPY2QfnqPBG2hlETuccsVgEQ+4i/gDuJIVHFlqgbyHmoKJaN5 +s7oeXUTQfAMXdjKkWGrgS9dbDpTXdcfPeg2cC0K1DvYWpcS9bJ8= +-----END RSA PRIVATE KEY----- diff --git a/tests/cert-tests/pkcs7 b/tests/cert-tests/pkcs7 index 31a8eb9998..9e1b607038 100755 --- a/tests/cert-tests/pkcs7 +++ b/tests/cert-tests/pkcs7 @@ -26,8 +26,12 @@ DIFF="${DIFF:-diff -b -B}" if ! test -z "${VALGRIND}"; then VALGRIND="${LIBTOOL:-libtool} --mode=execute ${VALGRIND} --error-exitcode=15" fi -OUTFILE=out-pkcs7.tmp -OUTFILE2=out2-pkcs7.tmp +OUTFILE=out-pkcs7.$$.tmp +OUTFILE2=out2-pkcs7.$$.tmp + +. ${srcdir}/../scripts/common.sh + +check_for_datefudge for FILE in single-ca.p7b full.p7b; do ${VALGRIND} "${CERTTOOL}" --inder --p7-info --infile "${srcdir}/data/${FILE}"|grep -v "Signing time" >"${OUTFILE}" @@ -49,6 +53,36 @@ done # check signatures for FILE in full.p7b; do +# check validation with date prior to CA issuance +datefudge -s "2011-1-10" \ +${VALGRIND} "${CERTTOOL}" --inder --p7-verify --load-ca-certificate "${srcdir}/../../doc/credentials/x509/ca.pem" --infile "${srcdir}/data/${FILE}" >"${OUTFILE}" +rc=$? + +if test "${rc}" = "0"; then + echo "${FILE}: PKCS7 verification succeeded with invalid date (1)" + exit 1 +fi + +# check validation with date prior to intermediate cert issuance +datefudge -s "2011-5-28 08:38:00 UTC" \ +${VALGRIND} "${CERTTOOL}" --inder --p7-verify --load-ca-certificate "${srcdir}/../../doc/credentials/x509/ca.pem" --infile "${srcdir}/data/${FILE}" >"${OUTFILE}" +rc=$? + +if test "${rc}" = "0"; then + echo "${FILE}: PKCS7 verification succeeded with invalid date (2)" + exit 1 +fi + +# check validation with date after intermediate cert issuance +datefudge -s "2038-10-12" \ +${VALGRIND} "${CERTTOOL}" --inder --p7-verify --load-ca-certificate "${srcdir}/../../doc/credentials/x509/ca.pem" --infile "${srcdir}/data/${FILE}" >"${OUTFILE}" +rc=$? + +if test "${rc}" = "0"; then + echo "${FILE}: PKCS7 verification succeeded with invalid date (3)" + exit 1 +fi + ${VALGRIND} "${CERTTOOL}" --inder --p7-verify --load-ca-certificate "${srcdir}/../../doc/credentials/x509/ca.pem" --infile "${srcdir}/data/${FILE}" >"${OUTFILE}" rc=$? diff --git a/tests/cert-tests/pkcs7-constraints b/tests/cert-tests/pkcs7-constraints new file mode 100755 index 0000000000..8b786b6d82 --- /dev/null +++ b/tests/cert-tests/pkcs7-constraints @@ -0,0 +1,108 @@ +#!/bin/sh + +# Copyright (C) 2016 Red Hat, Inc. +# +# This file is part of GnuTLS. +# +# GnuTLS is free software; you can redistribute it and/or modify it +# under the terms of the GNU General Public License as published by the +# Free Software Foundation; either version 3 of the License, or (at +# your option) any later version. +# +# GnuTLS is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +# General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with GnuTLS; if not, write to the Free Software Foundation, +# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. + +#set -e + +srcdir="${srcdir:-.}" +CERTTOOL="${CERTTOOL:-../../src/certtool${EXEEXT}}" +DIFF="${DIFF:-diff -b -B}" +if ! test -z "${VALGRIND}"; then + VALGRIND="${LIBTOOL:-libtool} --mode=execute ${VALGRIND} --error-exitcode=15" +fi +OUTFILE=out-pkcs7.$$.tmp + +. ${srcdir}/../scripts/common.sh + +check_for_datefudge + + +FILE="signing" +echo "test: $FILE" +${VALGRIND} "${CERTTOOL}" --p7-sign --p7-include-cert --load-privkey "${srcdir}/data/code-signing-cert.pem" --load-certificate "${srcdir}/data/code-signing-cert.pem" --infile "${srcdir}/data/pkcs7-detached.txt" >"${OUTFILE}" +rc=$? + +if test "${rc}" != "0"; then + echo "${FILE}: PKCS7 struct signing failed" + exit ${rc} +fi + +FILE="signing-verify-no-purpose" +echo "" +echo "test: $FILE" +datefudge -s "2015-1-10" \ +${VALGRIND} "${CERTTOOL}" --p7-verify --load-ca-certificate "${srcdir}/data/code-signing-ca.pem" <"${OUTFILE}" +rc=$? + +if test "${rc}" != "0"; then + echo "${FILE}: PKCS7 struct signing failed verification (0)" + exit ${rc} +fi + +FILE="signing-verify-valid-purpose" +echo "" +echo "test: $FILE" +datefudge -s "2015-1-10" \ +${VALGRIND} "${CERTTOOL}" --verify-purpose 1.3.6.1.5.5.7.3.3 --p7-verify --load-ca-certificate "${srcdir}/data/code-signing-ca.pem" <"${OUTFILE}" +rc=$? + +if test "${rc}" != "0"; then + echo "${FILE}: PKCS7 struct signing failed verification (1)" + exit ${rc} +fi + +FILE="signing-verify-invalid-purpose" +echo "" +echo "test: $FILE" +datefudge -s "2015-1-10" \ +${VALGRIND} "${CERTTOOL}" --verify-purpose 1.3.6.1.5.5.7.3.1 --p7-verify --load-ca-certificate "${srcdir}/data/code-signing-ca.pem" <"${OUTFILE}" +rc=$? + +if test "${rc}" = "0"; then + echo "${FILE}: PKCS7 struct signing failed verification (2)" + exit 1 +fi + +FILE="signing-verify-invalid-date-1" +echo "" +echo "test: $FILE" +datefudge -s "2011-1-10" \ +${VALGRIND} "${CERTTOOL}" --verify-purpose 1.3.6.1.5.5.7.3.3 --p7-verify --load-ca-certificate "${srcdir}/data/code-signing-ca.pem" <"${OUTFILE}" +rc=$? + +if test "${rc}" = "0"; then + echo "${FILE}: PKCS7 struct signing failed verification (3)" + exit 1 +fi + +FILE="signing-verify-invalid-date-2" +echo "" +echo "test: $FILE" +datefudge -s "2018-1-10" \ +${VALGRIND} "${CERTTOOL}" --verify-purpose 1.3.6.1.5.5.7.3.3 --p7-verify --load-ca-certificate "${srcdir}/data/code-signing-ca.pem" <"${OUTFILE}" +rc=$? + +if test "${rc}" = "0"; then + echo "${FILE}: PKCS7 struct signing failed verification (4)" + exit 1 +fi + +rm -f "${OUTFILE}" + +exit 0 diff --git a/tests/cert-tests/pkcs7-constraints2 b/tests/cert-tests/pkcs7-constraints2 new file mode 100755 index 0000000000..a31961f78e --- /dev/null +++ b/tests/cert-tests/pkcs7-constraints2 @@ -0,0 +1,108 @@ +#!/bin/sh + +# Copyright (C) 2016 Red Hat, Inc. +# +# This file is part of GnuTLS. +# +# GnuTLS is free software; you can redistribute it and/or modify it +# under the terms of the GNU General Public License as published by the +# Free Software Foundation; either version 3 of the License, or (at +# your option) any later version. +# +# GnuTLS is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +# General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with GnuTLS; if not, write to the Free Software Foundation, +# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. + +#set -e + +srcdir="${srcdir:-.}" +CERTTOOL="${CERTTOOL:-../../src/certtool${EXEEXT}}" +DIFF="${DIFF:-diff -b -B}" +if ! test -z "${VALGRIND}"; then + VALGRIND="${LIBTOOL:-libtool} --mode=execute ${VALGRIND} --error-exitcode=15" +fi +OUTFILE=out-pkcs7.$$.tmp + +. ${srcdir}/../scripts/common.sh + +check_for_datefudge + + +FILE="signing" +echo "test: $FILE" +${VALGRIND} "${CERTTOOL}" --p7-sign --p7-include-cert --load-privkey "${srcdir}/data/code-signing-cert.pem" --load-certificate "${srcdir}/data/code-signing-cert.pem" --infile "${srcdir}/data/pkcs7-detached.txt" >"${OUTFILE}" +rc=$? + +if test "${rc}" != "0"; then + echo "${FILE}: PKCS7 struct signing failed" + exit ${rc} +fi + +FILE="signing-verify-no-purpose" +echo "" +echo "test: $FILE" +datefudge -s "2015-1-10" \ +${VALGRIND} "${CERTTOOL}" --p7-verify --load-certificate "${srcdir}/data/code-signing-cert.pem" <"${OUTFILE}" +rc=$? + +if test "${rc}" != "0"; then + echo "${FILE}: PKCS7 struct signing failed verification (0)" + exit ${rc} +fi + +FILE="signing-verify-valid-purpose" +echo "" +echo "test: $FILE" +datefudge -s "2015-1-10" \ +${VALGRIND} "${CERTTOOL}" --verify-purpose 1.3.6.1.5.5.7.3.3 --p7-verify --load-certificate "${srcdir}/data/code-signing-cert.pem" <"${OUTFILE}" +rc=$? + +if test "${rc}" != "0"; then + echo "${FILE}: PKCS7 struct signing failed verification (1)" + exit ${rc} +fi + +FILE="signing-verify-invalid-purpose" +echo "" +echo "test: $FILE" +datefudge -s "2015-1-10" \ +${VALGRIND} "${CERTTOOL}" --verify-purpose 1.3.6.1.5.5.7.3.1 --p7-verify --load-certificate "${srcdir}/data/code-signing-cert.pem" <"${OUTFILE}" +rc=$? + +if test "${rc}" = "0"; then + echo "${FILE}: PKCS7 struct signing failed verification (2)" + exit 1 +fi + +FILE="signing-verify-invalid-date-1" +echo "" +echo "test: $FILE" +datefudge -s "2011-1-10" \ +${VALGRIND} "${CERTTOOL}" --verify-purpose 1.3.6.1.5.5.7.3.3 --p7-verify --load-certificate "${srcdir}/data/code-signing-cert.pem" <"${OUTFILE}" +rc=$? + +if test "${rc}" = "0"; then + echo "${FILE}: PKCS7 struct signing failed verification (3)" + exit 1 +fi + +FILE="signing-verify-invalid-date-2" +echo "" +echo "test: $FILE" +datefudge -s "2018-1-10" \ +${VALGRIND} "${CERTTOOL}" --verify-purpose 1.3.6.1.5.5.7.3.3 --p7-verify --load-certificate "${srcdir}/data/code-signing-cert.pem" <"${OUTFILE}" +rc=$? + +if test "${rc}" = "0"; then + echo "${FILE}: PKCS7 struct signing failed verification (4)" + exit 1 +fi + +rm -f "${OUTFILE}" + +exit 0 diff --git a/tests/pkcs7-gen.c b/tests/pkcs7-gen.c index f7c51a9afc..a96cef7f58 100644 --- a/tests/pkcs7-gen.c +++ b/tests/pkcs7-gen.c @@ -68,6 +68,16 @@ static char pem1_key[] = const gnutls_datum_t cert = {(void *) pem1_cert, sizeof(pem1_cert)-1}; const gnutls_datum_t key = {(void *) pem1_key, sizeof(pem1_key)-1}; +static time_t mytime(time_t * t) +{ + time_t then = 1199142000; + + if (t) + *t = then; + + return then; +} + static void tls_log_func(int level, const char *str) { fprintf(stderr, "%s |<%d>| %s", "err", level, str); @@ -89,6 +99,7 @@ void doit(void) char *oid; gnutls_datum_t data; + gnutls_global_set_time_function(mytime); gnutls_global_set_log_function(tls_log_func); if (debug) gnutls_global_set_log_level(6); diff --git a/tests/suite/pkcs7-cat b/tests/suite/pkcs7-cat index 6e32375cf2..a034b0c487 100755 --- a/tests/suite/pkcs7-cat +++ b/tests/suite/pkcs7-cat @@ -28,12 +28,26 @@ if ! test -z "${VALGRIND}"; then fi OUTFILE=out-pkcs7.$$.tmp +. ${srcdir}/../scripts/common.sh + +check_for_datefudge + #try verification +datefudge -s "2010-10-10" \ +${VALGRIND} "${CERTTOOL}" --inder --p7-verify --infile "${srcdir}/data/test1.cat" --load-certificate "${srcdir}/data/ca.pem" +rc=$? + +if test "${rc}" = "0"; then + echo "PKCS7 verification succeeded with invalid date" + exit 1 +fi + +datefudge -s "2016-10-10" \ ${VALGRIND} "${CERTTOOL}" --inder --p7-verify --infile "${srcdir}/data/test1.cat" --load-certificate "${srcdir}/data/ca.pem" rc=$? if test "${rc}" != "0"; then - echo "${FILE}: PKCS7 verification failed" + echo "PKCS7 verification failed" exit ${rc} fi |