44 files changed, 730 insertions, 167 deletions
diff --git a/doc/cha-gtls-app.texi b/doc/cha-gtls-app.texi index 6f605dfa1c..b304d67fb9 100644 --- a/doc/cha-gtls-app.texi +++ b/doc/cha-gtls-app.texi @@ -1610,7 +1610,7 @@ will disable CRL or OCSP checks in the verification of the certificate chain. @item %VERIFY_ALLOW_X509_V1_CA_CRT @tab will allow V1 CAs in chains. -@item %PROFILE_(LOW|LEGACY|MEDIUM|HIGH|ULTRA) @tab +@item %PROFILE_(LOW|LEGACY|MEDIUM|HIGH|ULTRA|FUTURE) @tab require a certificate verification profile the corresponds to the specified security level, see @ref{tab:key-sizes} for the mappings to values. diff --git a/lib/Makefile.am b/lib/Makefile.am index fe9cf63a2f..83b328e89a 100644 --- a/lib/Makefile.am +++ b/lib/Makefile.am @@ -72,7 +72,7 @@ COBJECTS = range.c record.c compress.c debug.c cipher.c gthreads.h handshake-tls pk.c cert-cred.c global.c constate.c anon_cred.c pkix_asn1_tab.c gnutls_asn1_tab.c \ mem.c fingerprint.c tls-sig.c ecc.c alert.c privkey_raw.c atomic.h \ system/certs.c system/threads.c system/fastopen.c system/sockets.c \ - str-iconv.c system.c \ + str-iconv.c system.c profiles.c profiles.h \ str.c str-unicode.c str-idna.c state.c cert-cred-x509.c file.c supplemental.c \ random.c crypto-api.c crypto-api.h privkey.c pcert.c pubkey.c locks.c dtls.c \ system_override.c crypto-backend.c verify-tofu.c pin.c tpm.c fips.c \ diff --git a/lib/algorithms/secparams.c b/lib/algorithms/secparams.c index 9041ecab74..efd1f47530 100644 --- a/lib/algorithms/secparams.c +++ b/lib/algorithms/secparams.c @@ -91,7 +91,8 @@ gnutls_sec_param_to_pk_bits(gnutls_pk_algorithm_t algo, else if (IS_EC(algo)||IS_GOSTEC(algo)) ret = p->ecc_bits; else - ret = p->pk_bits; break; + ret = p->pk_bits; + break; } ); return ret; diff --git a/lib/includes/gnutls/x509.h b/lib/includes/gnutls/x509.h index a153f7fac9..5c5f6ca506 100644 --- a/lib/includes/gnutls/x509.h +++ b/lib/includes/gnutls/x509.h 
@@ -988,6 +988,7 @@ typedef enum gnutls_certificate_verify_flags { /** * gnutls_certificate_verification_profiles_t: + * @GNUTLS_PROFILE_UNKNOWN: An invalid/unknown profile. * @GNUTLS_PROFILE_VERY_WEAK: A verification profile that * corresponds to @GNUTLS_SEC_PARAM_VERY_WEAK (64 bits) * @GNUTLS_PROFILE_LOW: A verification profile that @@ -999,8 +1000,10 @@ typedef enum gnutls_certificate_verify_flags { * @GNUTLS_PROFILE_HIGH: A verification profile that * corresponds to @GNUTLS_SEC_PARAM_HIGH (128 bits) * @GNUTLS_PROFILE_ULTRA: A verification profile that - * corresponds to @GNUTLS_SEC_PARAM_ULTRA (256 bits) -% * @GNUTLS_PROFILE_SUITEB128: A verification profile that + * corresponds to @GNUTLS_SEC_PARAM_ULTRA (192 bits) + * @GNUTLS_PROFILE_FUTURE: A verification profile that + * corresponds to @GNUTLS_SEC_PARAM_FUTURE (256 bits) + * @GNUTLS_PROFILE_SUITEB128: A verification profile that * applies the SUITEB128 rules * @GNUTLS_PROFILE_SUITEB192: A verification profile that * applies the SUITEB192 rules @@ -1008,12 +1011,14 @@ typedef enum gnutls_certificate_verify_flags { * Enumeration of different certificate verification profiles. */ typedef enum gnutls_certificate_verification_profiles_t { + GNUTLS_PROFILE_UNKNOWN = 0, GNUTLS_PROFILE_VERY_WEAK = 1, GNUTLS_PROFILE_LOW = 2, GNUTLS_PROFILE_LEGACY = 4, GNUTLS_PROFILE_MEDIUM = 5, GNUTLS_PROFILE_HIGH = 6, GNUTLS_PROFILE_ULTRA = 7, + GNUTLS_PROFILE_FUTURE = 9, GNUTLS_PROFILE_SUITEB128=32, GNUTLS_PROFILE_SUITEB192=33 diff --git a/lib/libgnutls.map b/lib/libgnutls.map index ec8aadf558..2ed202e279 100644 --- a/lib/libgnutls.map +++ b/lib/libgnutls.map @@ -1336,6 +1336,9 @@ GNUTLS_PRIVATE_3_4 { _gnutls_mpi_ops; _gnutls_mpi_log; _gnutls_mpi_release; + # tests/time.c + _gnutls_utcTime2gtime; + _gnutls_x509_generalTime2gtime; # Internal symbols needed by tests/: _gnutls_default_priority_string; diff --git a/lib/priority.c b/lib/priority.c index 900bbf7783..1ed5d84927 100644 --- a/lib/priority.c +++ b/lib/priority.c 
@@ -1,6 +1,6 @@ /* * Copyright (C) 2004-2015 Free Software Foundation, Inc. - * Copyright (C) 2015-2017 Red Hat, Inc. + * Copyright (C) 2015-2019 Red Hat, Inc. * * Author: Nikos Mavrogiannopoulos * @@ -36,10 +36,17 @@ #include "errno.h" #include "ext/srp.h" #include <gnutls/gnutls.h> +#include "profiles.h" #include "c-strcase.h" #define MAX_ELEMENTS 64 +#define ENABLE_PROFILE(c, profile) do { \ + c->additional_verify_flags &= 0x00ffffff; \ + c->additional_verify_flags |= GNUTLS_PROFILE_TO_VFLAGS(profile); \ + c->level = _gnutls_profile_to_sec_level(profile); \ + } while(0) + /* This function is used by the test suite */ char *_gnutls_resolve_priorities(const char* priorities); const char *_gnutls_default_priority_string = DEFAULT_PRIORITY_STRING; 
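Review bot: `ENABLE_PROFILE` writes whatever `_gnutls_profile_to_sec_level(profile)` returns straight into `c->level`, and the helper added in lib/profiles.c returns `GNUTLS_SEC_PARAM_UNKNOWN` when the profile is missing from its table. A profile added to the enum but not to that table would therefore leave the priority with an unknown level and no diagnostic. A small `static` function in place of the macro would be type-checked, would avoid the unparenthesized `c` in the expansion, and gives one place to flag the unknown case. The one-line wrappers would then call it instead of the macro. The mask `0x00ffffff` would also read better as a named constant.

```c
static void enable_profile(gnutls_priority_t c,
			   gnutls_certificate_verification_profiles_t profile)
{
	gnutls_sec_param_t level = _gnutls_profile_to_sec_level(profile);

	/* a profile missing from the profiles.c table must not pass silently */
	if (level == GNUTLS_SEC_PARAM_UNKNOWN)
		gnutls_assert();

	c->additional_verify_flags &= 0x00ffffff;
	c->additional_verify_flags |= GNUTLS_PROFILE_TO_VFLAGS(profile);
	c->level = level;
}
```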
@@ -839,51 +846,39 @@ static void disable_wildcards(gnutls_priority_t c) } static void enable_profile_very_weak(gnutls_priority_t c) { - c->additional_verify_flags &= 0x00ffffff; - c->additional_verify_flags |= GNUTLS_PROFILE_TO_VFLAGS(GNUTLS_PROFILE_VERY_WEAK); - c->level = GNUTLS_SEC_PARAM_VERY_WEAK; + ENABLE_PROFILE(c, GNUTLS_PROFILE_VERY_WEAK); } static void enable_profile_low(gnutls_priority_t c) { - c->additional_verify_flags &= 0x00ffffff; - c->additional_verify_flags |= GNUTLS_PROFILE_TO_VFLAGS(GNUTLS_PROFILE_LOW); - c->level = GNUTLS_SEC_PARAM_LOW; + ENABLE_PROFILE(c, GNUTLS_PROFILE_LOW); } static void enable_profile_legacy(gnutls_priority_t c) { - c->additional_verify_flags &= 0x00ffffff; - c->additional_verify_flags |= GNUTLS_PROFILE_TO_VFLAGS(GNUTLS_PROFILE_LEGACY); - c->level = GNUTLS_SEC_PARAM_LEGACY; + ENABLE_PROFILE(c, GNUTLS_PROFILE_LEGACY); +} +static void enable_profile_medium(gnutls_priority_t c) +{ + ENABLE_PROFILE(c, GNUTLS_PROFILE_MEDIUM); } static void enable_profile_high(gnutls_priority_t c) { - c->additional_verify_flags &= 0x00ffffff; - c->additional_verify_flags |= GNUTLS_PROFILE_TO_VFLAGS(GNUTLS_PROFILE_HIGH); - c->level = GNUTLS_SEC_PARAM_HIGH; + ENABLE_PROFILE(c, GNUTLS_PROFILE_HIGH); } static void enable_profile_ultra(gnutls_priority_t c) { - c->additional_verify_flags &= 0x00ffffff; - c->additional_verify_flags |= GNUTLS_PROFILE_TO_VFLAGS(GNUTLS_PROFILE_ULTRA); - c->level = GNUTLS_SEC_PARAM_ULTRA; + ENABLE_PROFILE(c, GNUTLS_PROFILE_ULTRA); } -static void enable_profile_medium(gnutls_priority_t c) +static void enable_profile_future(gnutls_priority_t c) { - c->additional_verify_flags &= 0x00ffffff; - c->additional_verify_flags |= GNUTLS_PROFILE_TO_VFLAGS(GNUTLS_PROFILE_MEDIUM); - c->level = GNUTLS_SEC_PARAM_MEDIUM; + ENABLE_PROFILE(c, GNUTLS_PROFILE_FUTURE); } static void enable_profile_suiteb128(gnutls_priority_t c) { - c->additional_verify_flags &= 0x00ffffff; - c->additional_verify_flags |= 
GNUTLS_PROFILE_TO_VFLAGS(GNUTLS_PROFILE_SUITEB128); - c->level = GNUTLS_SEC_PARAM_HIGH; + ENABLE_PROFILE(c, GNUTLS_PROFILE_SUITEB128); } static void enable_profile_suiteb192(gnutls_priority_t c) { - c->additional_verify_flags &= 0x00ffffff; - c->additional_verify_flags |= GNUTLS_PROFILE_TO_VFLAGS(GNUTLS_PROFILE_SUITEB192); - c->level = GNUTLS_SEC_PARAM_ULTRA; + ENABLE_PROFILE(c, GNUTLS_PROFILE_SUITEB128); } static void enable_safe_renegotiation(gnutls_priority_t c) { diff --git a/lib/priority_options.gperf b/lib/priority_options.gperf index a955ec85e6..c0524e5a09 100644 --- a/lib/priority_options.gperf +++ b/lib/priority_options.gperf @@ -33,6 +33,7 @@ PROFILE_LEGACY, enable_profile_legacy PROFILE_MEDIUM, enable_profile_medium PROFILE_HIGH, enable_profile_high PROFILE_ULTRA, enable_profile_ultra +PROFILE_FUTURE, enable_profile_future PROFILE_SUITEB128, enable_profile_suiteb128 PROFILE_SUITEB192, enable_profile_suiteb192 NEW_PADDING, dummy_func diff --git a/lib/profiles.c b/lib/profiles.c new file mode 100644 index 0000000000..729ae51a0d --- /dev/null +++ b/lib/profiles.c 
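Review bot: `enable_profile_suiteb192()` now expands `ENABLE_PROFILE(c, GNUTLS_PROFILE_SUITEB128)`, so the `PROFILE_SUITEB192` keyword (mapped to this function in priority_options.gperf) would install the SuiteB128 verification flags. Through the table in lib/profiles.c it would also set `GNUTLS_SEC_PARAM_HIGH`, where the removed lines set the SUITEB192 flags and `GNUTLS_SEC_PARAM_ULTRA`. This looks like a copy-paste slip that silently weakens the policy a caller asked for; the line should read `ENABLE_PROFILE(c, GNUTLS_PROFILE_SUITEB192);`. A priority-string test that checks the resulting level and verify flags for every `PROFILE_*` keyword would catch this class of regression.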
@@ -0,0 +1,74 @@ +/* + * Copyright (C) 2019 Red Hat, Inc. + * + * Author: Nikos Mavrogiannopoulos + * + * This file is part of GnuTLS. + * + * The GnuTLS is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public License + * as published by the Free Software Foundation; either version 2.1 of + * the License, or (at your option) any later version. + * + * This library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <https://www.gnu.org/licenses/> + * + */ + +#include "gnutls_int.h" +#include <algorithms.h> +#include "errors.h" +#include <x509/common.h> +#include "c-strcase.h" +#include "profiles.h" + +typedef struct { + const char *name; + gnutls_certificate_verification_profiles_t profile; + gnutls_sec_param_t sec_param; +} gnutls_profile_entry; + +static const gnutls_profile_entry profiles[] = { + {"Very weak", GNUTLS_PROFILE_VERY_WEAK, GNUTLS_SEC_PARAM_VERY_WEAK}, + {"Low", GNUTLS_PROFILE_LOW, GNUTLS_SEC_PARAM_LOW}, + {"Legacy", GNUTLS_PROFILE_LEGACY, GNUTLS_SEC_PARAM_LEGACY}, + {"Medium", GNUTLS_PROFILE_MEDIUM, GNUTLS_SEC_PARAM_MEDIUM}, + {"High", GNUTLS_PROFILE_HIGH, GNUTLS_SEC_PARAM_HIGH}, + {"Ultra", GNUTLS_PROFILE_ULTRA, GNUTLS_SEC_PARAM_ULTRA}, + {"Future", GNUTLS_PROFILE_FUTURE, GNUTLS_SEC_PARAM_FUTURE}, + {"SuiteB128", GNUTLS_PROFILE_SUITEB128, GNUTLS_SEC_PARAM_HIGH}, + {"SuiteB192", GNUTLS_PROFILE_SUITEB192, GNUTLS_SEC_PARAM_ULTRA}, + {NULL, 0, 0} +}; + +gnutls_sec_param_t _gnutls_profile_to_sec_level(gnutls_certificate_verification_profiles_t profile) +{ + const gnutls_profile_entry *p; + + for(p = profiles; p->name != NULL; p++) { + if (profile == p->profile) + return p->sec_param; + } + + 
return GNUTLS_SEC_PARAM_UNKNOWN; +} + +gnutls_certificate_verification_profiles_t _gnutls_profile_get_id(const char *name) +{ + const gnutls_profile_entry *p; + + if (name == NULL) + return GNUTLS_PROFILE_UNKNOWN; + + for(p = profiles; p->name != NULL; p++) { + if (c_strcasecmp(p->name, name) == 0) + return p->profile; + } + + return GNUTLS_PROFILE_UNKNOWN; +} diff --git a/lib/profiles.h b/lib/profiles.h new file mode 100644 index 0000000000..a2aae2a687 --- /dev/null +++ b/lib/profiles.h @@ -0,0 +1,32 @@ +/* + * Copyright (C) 2019 Red Hat, Inc. + * + * Author: Nikos Mavrogiannopoulos + * + * This file is part of GnuTLS. + * + * The GnuTLS is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public License + * as published by the Free Software Foundation; either version 2.1 of + * the License, or (at your option) any later version. + * + * This library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <https://www.gnu.org/licenses/> + * + */ + +#ifndef GNUTLS_LIB_PROFILES_H +#define GNUTLS_LIB_PROFILES_H + +#include <gnutls/gnutls.h> +#include <gnutls/x509.h> + +gnutls_certificate_verification_profiles_t _gnutls_profile_get_id(const char *name) __GNUTLS_PURE__; +gnutls_sec_param_t _gnutls_profile_to_sec_level(gnutls_certificate_verification_profiles_t profile) __GNUTLS_PURE__; + +#endif /* GNUTLS_LIB_PROFILES_H */ diff --git a/lib/x509/time.c b/lib/x509/time.c index 0b3e78b090..daaac7687b 100644 --- a/lib/x509/time.c +++ b/lib/x509/time.c 
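Review bot: The profile-to-security-parameter mapping now lives in two places, the `profiles[]` table here and the `CASE_SEC_PARAM` list in `is_level_acceptable()` in lib/x509/verify.c, which this commit extends separately for `GNUTLS_PROFILE_FUTURE`. Nothing ties the two together, so a profile later added to one and not the other would make the priority level and the certificate check disagree. Consider having verify.c obtain the level from `_gnutls_profile_to_sec_level()` for the non-SuiteB cases, or at least add `/* keep in sync with is_level_acceptable() in x509/verify.c */` above the table. Both new functions would also benefit from a one-line comment stating what they return on a miss (`GNUTLS_SEC_PARAM_UNKNOWN` and `GNUTLS_PROFILE_UNKNOWN` respectively).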
@@ -34,6 +34,8 @@ #include "extras/hex.h" #include <common.h> +time_t _gnutls_utcTime2gtime(const char *ttime); + /* TIME functions * Conversions between generalized or UTC time to time_t * @@ -171,7 +173,7 @@ static time_t time2gtime(const char *ttime, int year) * * (seconds are optional) */ -static time_t utcTime2gtime(const char *ttime) +time_t _gnutls_utcTime2gtime(const char *ttime) { char xx[3]; int year; @@ -345,7 +347,7 @@ time_t _gnutls_x509_get_time(ASN1_TYPE c2, const char *where, int force_general) len = sizeof(ttime) - 1; result = asn1_read_value(c2, name, ttime, &len); if (result == ASN1_SUCCESS) - c_time = utcTime2gtime(ttime); + c_time = _gnutls_utcTime2gtime(ttime); } /* We cannot handle dates after 2031 in 32 bit machines. diff --git a/lib/x509/verify.c b/lib/x509/verify.c index 17404022f8..e6577cad03 100644 --- a/lib/x509/verify.c +++ b/lib/x509/verify.c @@ -461,7 +461,7 @@ static unsigned is_level_acceptable( gnutls_sec_param_t sp; int hash; - if (profile == 0) + if (profile == GNUTLS_PROFILE_UNKNOWN) return 1; pkalg = gnutls_x509_crt_get_pk_algorithm(crt, &bits); @@ -481,6 +481,7 @@ static unsigned is_level_acceptable( CASE_SEC_PARAM(GNUTLS_PROFILE_MEDIUM, GNUTLS_SEC_PARAM_MEDIUM); CASE_SEC_PARAM(GNUTLS_PROFILE_HIGH, GNUTLS_SEC_PARAM_HIGH); CASE_SEC_PARAM(GNUTLS_PROFILE_ULTRA, GNUTLS_SEC_PARAM_ULTRA); + CASE_SEC_PARAM(GNUTLS_PROFILE_FUTURE, GNUTLS_SEC_PARAM_FUTURE); case GNUTLS_PROFILE_SUITEB128: case GNUTLS_PROFILE_SUITEB192: { unsigned curve, issuer_curve; @@ -563,6 +564,9 @@ static unsigned is_level_acceptable( } break; + case GNUTLS_PROFILE_UNKNOWN: /* already checked; avoid compiler warnings */ + _gnutls_debug_log("An unknown profile (%d) was encountered\n", (int)profile); + return gnutls_assert_val(0); } } diff --git a/src/certtool.c b/src/certtool.c index f34f7d4573..2e4ab86e93 100644 --- a/src/certtool.c +++ b/src/certtool.c 
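Review bot: The prototype `time_t _gnutls_utcTime2gtime(const char *ttime);` is declared at the top of time.c itself rather than in a shared internal header. The test that the libgnutls.map comment names (tests/time.c) therefore has to repeat the declaration, and nothing checks that the two copies agree if the signature changes. Moving the prototype into a header that both the library and the test include would let the compiler enforce it. Since the function is now an exported symbol, a short comment noting that it is exposed only for the test suite would also help.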
@@ -1,6 +1,6 @@ /* * Copyright (C) 2003-2016 Free Software Foundation, Inc. - * Copyright (C) 2015-2017 Red Hat, Inc. + * Copyright (C) 2015-2019 Red Hat, Inc. * * This file is part of GnuTLS. * @@ -579,6 +579,10 @@ generate_certificate(gnutls_privkey_t * ret_key, app_exit(1); } } + } else if (ca_status) { + /* CAs always sign */ + if (get_sign_status(server)) + usage |= GNUTLS_KEY_DIGITAL_SIGNATURE; } result = get_key_agreement_status(); diff --git a/src/serv.c b/src/serv.c index fbb40258a5..6043fed7fe 100644 --- a/src/serv.c +++ b/src/serv.c @@ -99,7 +99,7 @@ static void tcp_server(const char *name, int port); #define SMALL_READ_TEST (2147483647) -#define GERR(ret) fprintf(stdout, "Error: %s\n", safe_strerror(ret)) +#define GERR(ret) fprintf(stderr, "Error: %s\n", safe_strerror(ret)) #define HTTP_END "</BODY></HTML>\n\n" diff --git a/tests/Makefile.am b/tests/Makefile.am index eb65e94858..f3602e7009 100644 --- a/tests/Makefile.am +++ b/tests/Makefile.am @@ -150,7 +150,7 @@ ctests += mini-record-2 simple gnutls_hmac_fast set_pkcs12_cred cert certuniquei mini-termination mini-x509-cas mini-x509-2 pkcs12_simple tls-pthread \ mini-emsgsize-dtls chainverify-unsorted mini-overhead tls12-ffdhe \ mini-dtls-heartbeat mini-x509-callbacks key-openssl priorities priorities-groups \ - gnutls_x509_privkey_import gnutls_x509_crt_list_import \ + gnutls_x509_privkey_import gnutls_x509_crt_list_import time \ sign-verify-ext4 tls-neg-ext4-key resume-lifetime memset0 memset1 \ mini-dtls-srtp rsa-encrypt-decrypt mini-loss-time gnutls-strcodes \ mini-record mini-dtls-record handshake-timeout mini-record-range \ 
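Review bot: The comment `/* CAs always sign */` in the new `else if (ca_status)` branch does not match the code under it, which sets `GNUTLS_KEY_DIGITAL_SIGNATURE` only when `get_sign_status(server)` returns true. The new certtool-subca test also expects a root CA whose template lacks `signing_key` to come out without the flag, so the behaviour is conditional by design. A comment such as `/* a CA gets digitalSignature only when signing is requested */` would describe what the branch does. The body of `generate_certificate()` continues outside the hunk.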
@@ -481,7 +481,7 @@ dist_check_SCRIPTS += fastopen.sh pkgconfig.sh starttls.sh starttls-ftp.sh start ocsp-tests/ocsp-test cipher-listings.sh sni-hostname.sh server-multi-keys.sh \ psktool.sh ocsp-tests/ocsp-load-chain gnutls-cli-save-data.sh gnutls-cli-debug.sh \ sni-resume.sh ocsp-tests/ocsptool cert-reencoding.sh pkcs7-cat.sh long-crl.sh \ - serv-udp.sh logfile-option.sh gnutls-cli-resume.sh + serv-udp.sh logfile-option.sh gnutls-cli-resume.sh profile-tests.sh dist_check_SCRIPTS += gnutls-cli-self-signed.sh gnutls-cli-invalid-crl.sh diff --git a/tests/cert-tests/Makefile.am b/tests/cert-tests/Makefile.am index 0d13aeaa75..06bdf42950 100644 --- a/tests/cert-tests/Makefile.am +++ b/tests/cert-tests/Makefile.am @@ -107,7 +107,7 @@ dist_check_SCRIPTS = pathlen aki invalid-sig email \ pkcs12 certtool-crl-decoding pkcs12-encode pkcs12-corner-cases inhibit-anypolicy \ smime cert-time alt-chain pkcs7-list-sign pkcs7-eddsa certtool-ecdsa \ key-id pkcs8 pkcs8-decode ecdsa illegal-rsa pkcs8-invalid key-invalid \ - pkcs8-eddsa + pkcs8-eddsa certtool-subca dist_check_SCRIPTS += key-id ecdsa pkcs8-invalid key-invalid pkcs8-decode pkcs8 pkcs8-eddsa \ certtool-utf8 crq diff --git a/tests/cert-tests/certtool-subca b/tests/cert-tests/certtool-subca new file mode 100755 index 0000000000..6bd5d94def --- /dev/null +++ b/tests/cert-tests/certtool-subca 
@@ -0,0 +1,108 @@ +#!/bin/sh + +# Copyright (C) 2019 Red Hat, Inc. +# +# Author: Nikos Mavrogiannopoulos +# +# This file is part of GnuTLS. +# +# GnuTLS is free software; you can redistribute it and/or modify it +# under the terms of the GNU General Public License as published by the +# Free Software Foundation; either version 3 of the License, or (at +# your option) any later version. +# +# GnuTLS is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +# General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with GnuTLS; if not, write to the Free Software Foundation, +# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. + +#set -e + +# This is a reproducer for #767 + +srcdir="${srcdir:-.}" +CERTTOOL="${CERTTOOL:-../../src/certtool${EXEEXT}}" +DIFF="${DIFF:-diff}" + +if ! test -x "${CERTTOOL}"; then + exit 77 +fi + +if ! test -z "${VALGRIND}"; then + VALGRIND="${LIBTOOL:-libtool} --mode=execute ${VALGRIND} --error-exitcode=15" +fi + +ROOT_CA_TMPL=root.ca.$$.tmp +SUB_CA_TMPL=sub.ca.$$.tmp +ROOT_PRIVKEY=root.key.$$.tmp +ROOT_CA_CERT=root.ca.cert.$$.tmp +CSR_FILE=csr.$$.tmp +OUTFILE=out3.$$.tmp + +. ${srcdir}/../scripts/common.sh + +cat >${ROOT_CA_TMPL} <<_EOF_ +organization = "Example" +cn = "Root CA" +expiration_days = 700 +ca +cert_signing_key +crl_signing_key +_EOF_ + +cat >${SUB_CA_TMPL} <<_EOF_ +organization = "Example" +cn = "Example CA" +expiration_days = 350 +crl_dist_points = "http://crl.example.com/Root_CA.crl" +ca +signing_key +cert_signing_key +crl_signing_key +path_len = 0 +_EOF_ + +${CERTTOOL} --generate-privkey --key-type ecdsa --outfile ${ROOT_PRIVKEY} >/dev/null +if test $? 
!= 0;then + echo "Error generating privkey" + exit 1 +fi + +${CERTTOOL} --generate-self-signed --load-privkey ${ROOT_PRIVKEY} --template ${ROOT_CA_TMPL} > ${ROOT_CA_CERT} 2>&1 +if test $? != 0;then + echo "Error generating root CA" + exit 1 +fi + +grep "Digital signature" ${ROOT_CA_CERT} >/dev/null +if test $? = 0;then + echo "root CA: found the digital signature flag although not specified!" + exit 1 +fi + +${CERTTOOL} --generate-request --load-privkey ${ROOT_PRIVKEY} --template ${SUB_CA_TMPL} --outfile ${CSR_FILE} +if test $? != 0;then + cat ${SUB_CA_TMPL} + echo "Error generating csr" + exit 1 +fi + +${CERTTOOL} --generate-certificate --load-ca-privkey ${ROOT_PRIVKEY} --load-ca-certificate ${ROOT_CA_CERT} --load-request ${CSR_FILE} --template ${SUB_CA_TMPL} >${OUTFILE} 2>&1 +if test $? != 0;then + echo "Error generating sub CA" + exit 1 +fi + +grep "Digital signature" ${OUTFILE} >/dev/null +if test $? != 0;then + echo "Cannot find the digital signature flag!" + exit 1 +fi + +rm -f "${ROOT_PRIVKEY}" "${ROOT_CA_CERT}" "${CSR_FILE}" "${ROOT_CA_TMPL}" "${SUB_CA_TMPL}" "${OUTFILE}" + +exit 0 diff --git a/tests/cert-tests/data/inhibit-anypolicy.pem b/tests/cert-tests/data/inhibit-anypolicy.pem index 4291cdf9a8..d643afd005 100644 --- a/tests/cert-tests/data/inhibit-anypolicy.pem +++ b/tests/cert-tests/data/inhibit-anypolicy.pem 
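Review bot: Every failure path in this script runs `exit 1` before reaching the final `rm -f`, so a failing run leaves `root.key.$$.tmp` (a private key) and the other `$$`-named files behind in the build directory. Registering the cleanup once near the variable definitions, for example `trap 'rm -f "${ROOT_PRIVKEY}" "${ROOT_CA_CERT}" "${CSR_FILE}" "${ROOT_CA_TMPL}" "${SUB_CA_TMPL}" "${OUTFILE}"' EXIT`, would cover all exits. The file variables are also expanded unquoted in the `certtool`, `cat` and `grep` invocations, although the `rm -f` line quotes them; quoting them everywhere keeps the script safe if the paths ever contain spaces.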
@@ -15,11 +15,11 @@ LL7L+JnX+yvGuzn1R8ZV5YR7AgMBAAGjggFGMIIBQjAPBgNVHRMBAf8EBTADAQH/ MGoGA1UdEQRjMGGCDHd3dy5ub25lLm9yZ4ITd3d3Lm1vcmV0aGFub25lLm9yZ4IX d3d3LmV2ZW5tb3JldGhhbm9uZS5vcmeHBMCoAQGBDW5vbmVAbm9uZS5vcmeBDndo ZXJlQG5vbmUub3JnMA0GA1UdNgEB/wQDAgEDMBMGA1UdJQQMMAoGCCsGAQUFBwMJ -MA8GA1UdDwEB/wQFAwMHBAAwHQYDVR0OBBYEFHU6t/xzZCkUSWER/c6Qy/Y9HIoT +MA8GA1UdDwEB/wQFAwMHhAAwHQYDVR0OBBYEFHU6t/xzZCkUSWER/c6Qy/Y9HIoT MG8GA1UdHwRoMGYwZKBioGCGHmh0dHA6Ly93d3cuZ2V0Y3JsLmNybC9nZXRjcmwx L4YeaHR0cDovL3d3dy5nZXRjcmwuY3JsL2dldGNybDIvhh5odHRwOi8vd3d3Lmdl -dGNybC5jcmwvZ2V0Y3JsMy8wDQYJKoZIhvcNAQELBQADgYEAe+eZiFD221AO6yOk -DUmizGBiFhG169EgOToWHboZ1E/LzeljhQbOMcQgPlMLsifiUGpi3Qn7aj/zYv86 -ppO+0jmQZHjsALyPk/kEQkloIXi9Ibo0nwAH+BNkeaOIHl9m5ms/8xaaYi2GdyQO -hzSspr1AGSQtA6ZMTs1mqEXyyFk= +dGNybC5jcmwvZ2V0Y3JsMy8wDQYJKoZIhvcNAQELBQADgYEAhmQB01JYW2WVvkNe +hjyKLjoKc5ME9VrjpckT4BEXcGibgrjOcABH00DNDqiS6b1NAslxtuVp9eYlZNw1 +4Na7FBkGHIt5+T8sNnTuVV7X4S7/1uE3qHtfVdXTkL2foYjkihQet+DY9PnLbduM +CAnd9OWhyE2r4jwQGaJU9vZ3rJY= -----END CERTIFICATE----- diff --git a/tests/cert-tests/data/long-serial.pem b/tests/cert-tests/data/long-serial.pem index 289b3f31c0..e7e96e831b 100644 --- a/tests/cert-tests/data/long-serial.pem +++ b/tests/cert-tests/data/long-serial.pem 
@@ -15,11 +15,11 @@ Gnodaa9HAmB6H7noz9vINDBRlj2MllwAvGHeCA+xNiF/qQDjBQIDAQABo4IBNzCC ATMwDwYDVR0TAQH/BAUwAwEB/zBqBgNVHREEYzBhggx3d3cubm9uZS5vcmeCE3d3 dy5tb3JldGhhbm9uZS5vcmeCF3d3dy5ldmVubW9yZXRoYW5vbmUub3JnhwTAqAEB gQ1ub25lQG5vbmUub3JngQ53aGVyZUBub25lLm9yZzATBgNVHSUEDDAKBggrBgEF -BQcDCTAPBgNVHQ8BAf8EBQMDBwQAMB0GA1UdDgQWBBRdQK3wzpRAlYt+mZQdklQi +BQcDCTAPBgNVHQ8BAf8EBQMDB4QAMB0GA1UdDgQWBBRdQK3wzpRAlYt+mZQdklQi ynI2XzBvBgNVHR8EaDBmMGSgYqBghh5odHRwOi8vd3d3LmdldGNybC5jcmwvZ2V0 Y3JsMS+GHmh0dHA6Ly93d3cuZ2V0Y3JsLmNybC9nZXRjcmwyL4YeaHR0cDovL3d3 -dy5nZXRjcmwuY3JsL2dldGNybDMvMA0GCSqGSIb3DQEBCwUAA4GBAB9UxZeBoXQ7 -LChiAWCRxfw7eDkQzprXArfFMcUHQlmX/rOmgmNRtvPOvrdTaECMWV87bhZjm5OY -x3vFgNLgwEIOd50rPwFlR0imNafpbgwQD35vJ5CEnIt6gFDfViJ+cjsyl0tnV8x+ -mrab87Cjzb0a1Uwdk0P2k7QOhrQVBx1q +dy5nZXRjcmwuY3JsL2dldGNybDMvMA0GCSqGSIb3DQEBCwUAA4GBAHkjOKCpVUDK +zobnWDx5zl0XSe1P+mF576BoSBN6Qs6M5Vt2r8+annglcn6ovd+uk89jRmy/lrkn +7wWc+xIrgG97CWNIJ23WZg2b5+ervdIdMUDs/Kf9ZVZwOnBhO9tMHyU5ZmWKEpD4 +nmgDQNFBHFx5LQU9RthnskMBT034eJtV -----END CERTIFICATE----- diff --git a/tests/cert-tests/data/template-crq.pem b/tests/cert-tests/data/template-crq.pem index 4a0dfd8ea7..03ad32c484 100644 --- a/tests/cert-tests/data/template-crq.pem +++ b/tests/cert-tests/data/template-crq.pem 
@@ -11,12 +11,12 @@ BAwTA0RyLjEPMA0GA1UEQRMGamFja2FsMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCB iQKBgQClxs51Q4S/ZJ4CJxPxA1n3eS2S7XwvUKQD8S15uYaLBX46u0Sqr4TPE5ge HEo49zMtep9y1GttJrAxN3AQ+0Lp2J0YZX4ZSfwFlgRogx53hr/t9eUSOxP+Mxic Gnodaa9HAmB6H7noz9vINDBRlj2MllwAvGHeCA+xNiF/qQDjBQIDAQABo4HrMIHo -MA8GA1UdDwEB/wQFAwMHhAAwFgYDVR0lAQH/BAwwCgYIKwYBBQUHAwkwDAYDVR0T +MA8GA1UdDwEB/wQFAwMHgAAwFgYDVR0lAQH/BAwwCgYIKwYBBQUHAwkwDAYDVR0T AQH/BAIwADAdBgNVHQ4EFgQUXUCt8M6UQJWLfpmUHZJUIspyNl8wHwYDVR0jBBgw FoAUXUCt8M6UQJWLfpmUHZJUIspyNl8wbwYDVR0fBGgwZjBkoGKgYIYeaHR0cDov L3d3dy5nZXRjcmwuY3JsL2dldGNybDEvhh5odHRwOi8vd3d3LmdldGNybC5jcmwv Z2V0Y3JsMi+GHmh0dHA6Ly93d3cuZ2V0Y3JsLmNybC9nZXRjcmwzLzANBgkqhkiG -9w0BAQsFAAOBgQBntg42qQ31Jk0RZ8zET4GBx4WMcWM/vv5DRFrJ2r3veFgcclrB -C88k0HerP2c6siAAOeXSLOuZ+W6du+5E7537y2lC87PW/cmanoY7Pkjhz9VjzJlh -bEQLFHHq5TMSKvnsn5IUSJefiOzJZ45saN0uGMYAfN0NWJPum+ofcyXZWQ== +9w0BAQsFAAOBgQCOk24K2VFpVFj/V4UHHk2U385GP2Q7+Eoh+2B83Vabf44NxRiA +XGfPmTvgYjislNavehaItPd1wQV8E+/I2s4wZWxgl0+jDWL9iR9S08wSqahKhbp1 +TeO3Hy5BLghvYDqTciOnyARxlZCtfAQslkUQ32q6ivSOxNQ3leLY92Myew== -----END CERTIFICATE----- diff --git a/tests/cert-tests/data/template-date.pem b/tests/cert-tests/data/template-date.pem index c1613ca680..3db9239cd0 100644 --- a/tests/cert-tests/data/template-date.pem +++ b/tests/cert-tests/data/template-date.pem 
@@ -14,10 +14,10 @@ QunYnRhlfhlJ/AWWBGiDHneGv+315RI7E/4zGJwaeh1pr0cCYHofuejP28g0MFGW PYyWXAC8Yd4ID7E2IX+pAOMFAgMBAAGjgfUwgfIwDwYDVR0TAQH/BAUwAwEB/zBq BgNVHREEYzBhggx3d3cubm9uZS5vcmeCE3d3dy5tb3JldGhhbm9uZS5vcmeCF3d3 dy5ldmVubW9yZXRoYW5vbmUub3JnhwTAqAEBgQ1ub25lQG5vbmUub3JngQ53aGVy -ZUBub25lLm9yZzATBgNVHSUEDDAKBggrBgEFBQcDCTAPBgNVHQ8BAf8EBQMDBwQA +ZUBub25lLm9yZzATBgNVHSUEDDAKBggrBgEFBQcDCTAPBgNVHQ8BAf8EBQMDB4QA MB0GA1UdDgQWBBRdQK3wzpRAlYt+mZQdklQiynI2XzAuBgNVHR8EJzAlMCOgIaAf hh1odHRwOi8vd3d3LmdldGNybC5jcmwvZ2V0Y3JsLzANBgkqhkiG9w0BAQsFAAOB -gQCDciVqhKW/vwPxoMJ1Ch6CAtKoPCTj2Anie1AxogSpNFZuzzUHoiKq9XxnUGaU -4wEsmHU9JuDBbjpR8rmTs2zsRTnDk2yqMjXa8j1iUhRxWwoIYbJLBblMene7aVbV -cTdJSs4Y73J6cDqvumU/rhdYw48PQbaIwhABqqiPiM3vGw== +gQCXDjCtllqexMxEBrKpt5POz7mQfWT5lhFk4GFY1V5u5s/ipuGRVZb4BMLIsCHR +O7dGbyY/TonCjFdHhvCrmzsfstlHnA+bt9/1GrDP7vFIi+3hx2OnHLd3TvDR8WJ7 +84upUqvWAqXUZ/UXiVrvnS4bJ5jN5pa+k8t4G8GGDA1JlA== -----END CERTIFICATE----- diff --git a/tests/cert-tests/data/template-dates-after2038.pem b/tests/cert-tests/data/template-dates-after2038.pem index 865ddc901a..0cf9f8fd8e 100644 --- a/tests/cert-tests/data/template-dates-after2038.pem +++ b/tests/cert-tests/data/template-dates-after2038.pem 
@@ -14,10 +14,10 @@ QunYnRhlfhlJ/AWWBGiDHneGv+315RI7E/4zGJwaeh1pr0cCYHofuejP28g0MFGW PYyWXAC8Yd4ID7E2IX+pAOMFAgMBAAGjgfUwgfIwDwYDVR0TAQH/BAUwAwEB/zBq BgNVHREEYzBhggx3d3cubm9uZS5vcmeCE3d3dy5tb3JldGhhbm9uZS5vcmeCF3d3 dy5ldmVubW9yZXRoYW5vbmUub3JnhwTAqAEBgQ1ub25lQG5vbmUub3JngQ53aGVy -ZUBub25lLm9yZzATBgNVHSUEDDAKBggrBgEFBQcDCTAPBgNVHQ8BAf8EBQMDBwQA +ZUBub25lLm9yZzATBgNVHSUEDDAKBggrBgEFBQcDCTAPBgNVHQ8BAf8EBQMDB4QA MB0GA1UdDgQWBBRdQK3wzpRAlYt+mZQdklQiynI2XzAuBgNVHR8EJzAlMCOgIaAf hh1odHRwOi8vd3d3LmdldGNybC5jcmwvZ2V0Y3JsLzANBgkqhkiG9w0BAQsFAAOB -gQCTELknONiixbQdjpBVaelZZfymC4ixUfw/IqeWMK7bYoPWi3JQyY8McQOtijna -RZwSVga9nthtBhHYjxuW3w8kPYQCoyK3ugw7aI8WYmlGeEAT+BiVualE3ZMm7Lf0 -CwmtHA8I0CHKEzfsMCN3wu9EJ3C+9nq5qRtm2lfQSbSsvw== +gQBBZKTdpnE+SG7bxPJ3yWUa3/H2fXYTJFzP2g5sKsW9y439SJBvbNuerczRsvNB +QfokkinVQB3LKSC1jZ5Py5rzaDS0PJxpz0u9DrzstpPWjfzOv0cmCr7dcpxFL2JC +ItOU/OLb2SYTfo8PwWs3/G3e4yYsGrR/kwfWA0nj6Sms3Q== -----END CERTIFICATE----- diff --git a/tests/cert-tests/data/template-dn.pem b/tests/cert-tests/data/template-dn.pem index 5ebc8eb9a0..9c37d823a5 100644 --- a/tests/cert-tests/data/template-dn.pem +++ b/tests/cert-tests/data/template-dn.pem 
@@ -11,9 +11,9 @@ NDBRlj2MllwAvGHeCA+xNiF/qQDjBQIDAQABo4H1MIHyMA8GA1UdEwEB/wQFMAMB Af8wagYDVR0RBGMwYYIMd3d3Lm5vbmUub3JnghN3d3cubW9yZXRoYW5vbmUub3Jn ghd3d3cuZXZlbm1vcmV0aGFub25lLm9yZ4cEwKgBAYENbm9uZUBub25lLm9yZ4EO d2hlcmVAbm9uZS5vcmcwEwYDVR0lBAwwCgYIKwYBBQUHAwkwDwYDVR0PAQH/BAUD -AwcEADAdBgNVHQ4EFgQUXUCt8M6UQJWLfpmUHZJUIspyNl8wLgYDVR0fBCcwJTAj +AweEADAdBgNVHQ4EFgQUXUCt8M6UQJWLfpmUHZJUIspyNl8wLgYDVR0fBCcwJTAj oCGgH4YdaHR0cDovL3d3dy5nZXRjcmwuY3JsL2dldGNybC8wDQYJKoZIhvcNAQEL -BQADgYEAjhN+oIDCWn6jdXIJMfd3co3SeVd/HY8Hu6TUnXs/fmkJY6Hglq6f8YYE -M74eH5HF+ixUOSDvXLGVhR5uZoP9CGBSPJdINOIRyDzUYv6TVydAe1TvKLjacZm0 -jq8Pe2CXpQAaHhHKt84mSQx1jnYYYmfupyNwqq7XFTSjLAZyyPA= +BQADgYEAh/QtfeAkHwXad7u+sSiD2uAmal1eJPagxC/kqq8AnI8Fa3QCIawMYi+V +/WerX8qk7xY4LPma6VW/uC89TvISMR4DqrubKy4ELt4tvDcVIi+n8pInxdNBMX/u +3lygdVTLLDWBMernpeZWGauaxdEWlSMyyucYQyDm14iSBfhyj9M= -----END CERTIFICATE----- diff --git a/tests/cert-tests/data/template-generalized.pem b/tests/cert-tests/data/template-generalized.pem index f7e9c4aaeb..cbbcdd0ae9 100644 --- a/tests/cert-tests/data/template-generalized.pem +++ b/tests/cert-tests/data/template-generalized.pem @@ -15,9 +15,9 @@ NDBRlj2MllwAvGHeCA+xNiF/qQDjBQIDAQABo4H1MIHyMA8GA1UdEwEB/wQFMAMB Af8wagYDVR0RBGMwYYIMd3d3Lm5vbmUub3JnghN3d3cubW9yZXRoYW5vbmUub3Jn ghd3d3cuZXZlbm1vcmV0aGFub25lLm9yZ4cEwKgBAYENbm9uZUBub25lLm9yZ4EO d2hlcmVAbm9uZS5vcmcwEwYDVR0lBAwwCgYIKwYBBQUHAwkwDwYDVR0PAQH/BAUD -AwcEADAdBgNVHQ4EFgQUXUCt8M6UQJWLfpmUHZJUIspyNl8wLgYDVR0fBCcwJTAj +AweEADAdBgNVHQ4EFgQUXUCt8M6UQJWLfpmUHZJUIspyNl8wLgYDVR0fBCcwJTAj oCGgH4YdaHR0cDovL3d3dy5nZXRjcmwuY3JsL2dldGNybC8wDQYJKoZIhvcNAQEL -BQADgYEAimJGv9nzp+fiQL6JR2iN5XCr2I8Omtd+qiDwdkrBUJ5QOjgYrO27pIQb -hLG+gg1V3VVwk3JzJQkBsvX2+8jGKDpytHul+tfrhZO32BlEwgAviDz54LpEgPsQ -w2mqTIswGzS+5ZH7kCpAmEYc7bkO3Qs9JMLXY17QKnsyiV0rOVM= +BQADgYEAdwNEsT9EnaXSHaR8r1/jUw7cEQWNN/gUHpy917Ha5brc633LJopAhfR4 +i6CAZrAA46GAxTNvLaah5OXGDbHxGcEwcOwFT6/RJ3a+52U8LKa3DjAeaWoxlARL +1xfKBMbORS0+7lY0D7Oh9BYVgqL2FUet4Cohf2qgDsMM9siz204= -----END CERTIFICATE----- 
diff --git a/tests/cert-tests/data/template-krb5name.pem b/tests/cert-tests/data/template-krb5name.pem index d69e86f30b..038bb7722e 100644 --- a/tests/cert-tests/data/template-krb5name.pem +++ b/tests/cert-tests/data/template-krb5name.pem @@ -15,9 +15,9 @@ ETAPoAMCAQGhCDAGGwR1c2VyoDIGBisGAQUCAqAoMCagCxsJUkVBTE0uQ09NoRcw FaADAgEBoQ4wDBsESFRUUBsEdXNlcqA6BgYrBgEFAgKgMDAuoAsbCVJFQUxNLkNP TaEfMB2gAwIBAaEWMBQbBWNvbXAxGwVjb21wMhsEdXNlcoENbm9uZUBub25lLm9y Z4EOd2hlcmVAbm9uZS5vcmcwEwYDVR0lBAwwCgYIKwYBBQUHAwkwDwYDVR0PAQH/ -BAUDAwcEADAdBgNVHQ4EFgQUXUCt8M6UQJWLfpmUHZJUIspyNl8wLgYDVR0fBCcw +BAUDAweEADAdBgNVHQ4EFgQUXUCt8M6UQJWLfpmUHZJUIspyNl8wLgYDVR0fBCcw JTAjoCGgH4YdaHR0cDovL3d3dy5nZXRjcmwuY3JsL2dldGNybC8wDQYJKoZIhvcN -AQELBQADgYEAiidPcCe/oD+6FKl81oTtd1m7T7mq6PTat2YQMlVG0zqEICkhULXx -Z8UqatZZLjSYSye1pOGrwqU/nXzXZbvogTnfYriaE0wgLviYKjX3EucAX2XqC2ED -qbyao1Ia+vL+ugK7z+UBm/xIAurC5b9B4cOQ6ULq+k7c+miyyrxCWow= +AQELBQADgYEAMM+b9XNFH/cn9WQCMZMr12izyBl69S3M1D4MQvA2XIGFR1h10+VS +cYKIfTICbYuV/s44bVpQJ8Nj9cumMu6SqURpfKmnr8gDFvadY8Q1PPbtmKn/iahI +hb5Ro4Li5R6DZtKfdYEfsljUinSWnUnBwAtGJgbhSrGwN5di1NPV1Nw= -----END CERTIFICATE----- diff --git a/tests/cert-tests/data/template-nc.pem b/tests/cert-tests/data/template-nc.pem index 680fce1642..9cba2bd15b 100644 --- a/tests/cert-tests/data/template-nc.pem +++ b/tests/cert-tests/data/template-nc.pem 
@@ -15,10 +15,10 @@ oGswCocIwKgFAP///wAwCocICgoAAP//AAAwCocIrBd6AP///gAwIocg/Ez+j3/6 GL0AAAAAAAAAAP//////////AAAAAAAAAAAwDYILZXhhbXBsZS5jb20wEoEQbm1h dkBleGFtcGxlLmNvbaFrMAqHCAoKZAD///8AMAqHCAoKZQD///8AMCKHIPxM/o9/ +hi9cshkuQAAAAD///////////////8AAAAAMAWCA25ldDAFggNvcmcwAoIAMA2B -C2V4YW1wbGUubmV0MAyBCmV4YW1wbGUubGkwDwYDVR0PAQH/BAUDAwcEADAdBgNV +C2V4YW1wbGUubmV0MAyBCmV4YW1wbGUubGkwDwYDVR0PAQH/BAUDAweEADAdBgNV HQ4EFgQUXUCt8M6UQJWLfpmUHZJUIspyNl8wLgYDVR0fBCcwJTAjoCGgH4YdaHR0 -cDovL3d3dy5nZXRjcmwuY3JsL2dldGNybC8wDQYJKoZIhvcNAQELBQADgYEAEIi1 -EPKT1uwVZvy99QuUGTxC/sMrF/k9M9+uV6+C4f8ikqQOhgSl4t5BdalgVLZzUeGr -oBGhbdjGrIq6kQiVgdeRZG+HlzVvr3+K69TTA15B86IdDg6dS8YCOVsoZvNcT8xw -2knOQmqXE7GqEPO3VCfOVTTl1u+69cU2X41MMhM= +cDovL3d3dy5nZXRjcmwuY3JsL2dldGNybC8wDQYJKoZIhvcNAQELBQADgYEApURg +xJuSGg3iogTI7x9HjgCi6ohSVKnX31i63ommreoKiy9sz5oPfsEuDcP0KaQMgK2V +xPMcBZbaCJHkRmWsjkEx3XcxWwtMnP1oj54N067C/mhamgUfR4KPdmorcgk9vZz9 +jI0FbegyqTQzRD40p4OQsCzVlqgixif4gRDhQWI= -----END CERTIFICATE----- diff --git a/tests/cert-tests/data/template-othername-xmpp.pem b/tests/cert-tests/data/template-othername-xmpp.pem index b81716b774..3d06423147 100644 --- a/tests/cert-tests/data/template-othername-xmpp.pem +++ b/tests/cert-tests/data/template-othername-xmpp.pem @@ -1,5 +1,5 @@ -----BEGIN CERTIFICATE----- -MIIDazCCAtSgAwIBAgIBBzANBgkqhkiG9w0BAQsFADBbMQwwCgYDVQQDEwNOaWsx +MIIDaDCCAtGgAwIBAgIBBzANBgkqhkiG9w0BAQsFADBbMQwwCgYDVQQDEwNOaWsx DzANBgNVBAgTBkF0dGlraTELMAkGA1UEBhMCR1IxGjAYBgNVBAQTEU1hdnJvZ2lh bm5vcG91bG9zMREwDwYDVQQJEwhBcmthZGlhczAeFw0wNzA0MjIwMDAwMDBaFw0x NDA1MjUwMDAwMDBaMFsxDDAKBgNVBAMTA05pazEPMA0GA1UECBMGQXR0aWtpMQsw 
@@ -7,15 +7,15 @@ CQYDVQQGEwJHUjEaMBgGA1UEBBMRTWF2cm9naWFubm9wb3Vsb3MxETAPBgNVBAkT CEFya2FkaWFzMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQClxs51Q4S/ZJ4C JxPxA1n3eS2S7XwvUKQD8S15uYaLBX46u0Sqr4TPE5geHEo49zMtep9y1GttJrAx N3AQ+0Lp2J0YZX4ZSfwFlgRogx53hr/t9eUSOxP+MxicGnodaa9HAmB6H7noz9vI -NDBRlj2MllwAvGHeCA+xNiF/qQDjBQIDAQABo4IBPTCCATkwDwYDVR0TAQH/BAUw -AwEB/zCBsAYDVR0RBIGoMIGlggx3d3cubm9uZS5vcmeCE3d3dy5tb3JldGhhbm9u -ZS5vcmeCF3d3dy5ldmVubW9yZXRoYW5vbmUub3JnhwTAqAEBoCMGCCsGAQUFBwgF -oBcMFWp1bGlldEBpbS5leGFtcGxlLmNvbaAdBggrBgEFBQcIBaARDA9oZWxsb0Bo -ZWxsby5vcmeBDW5vbmVAbm9uZS5vcmeBDndoZXJlQG5vbmUub3JnMBMGA1UdJQQM -MAoGCCsGAQUFBwMJMA8GA1UdDwEB/wQFAwMHBAAwHQYDVR0OBBYEFF1ArfDOlECV -i36ZlB2SVCLKcjZfMC4GA1UdHwQnMCUwI6AhoB+GHWh0dHA6Ly93d3cuZ2V0Y3Js -LmNybC9nZXRjcmwvMA0GCSqGSIb3DQEBCwUAA4GBAA9/JPNTkMZUlpZ39qrSm2Oa -r9lAeDOnMbEYHcXnmmAjjPNL0DePjRD6xfayqPvrE6F5/Og4I9+UbHlSw8470qYr -RBOHjqp+vn0+k9AKeoO0tB692XZEs/AqqQCVvizCOlrhpdrYRDIhf7pWIC0VUz+o -+9bYIjtqHhWAO1mM5016 +NDBRlj2MllwAvGHeCA+xNiF/qQDjBQIDAQABo4IBOjCCATYwDAYDVR0TAQH/BAIw +ADCBsAYDVR0RBIGoMIGlggx3d3cubm9uZS5vcmeCE3d3dy5tb3JldGhhbm9uZS5v +cmeCF3d3dy5ldmVubW9yZXRoYW5vbmUub3JnhwTAqAEBoCMGCCsGAQUFBwgFoBcM +FWp1bGlldEBpbS5leGFtcGxlLmNvbaAdBggrBgEFBQcIBaARDA9oZWxsb0BoZWxs +by5vcmeBDW5vbmVAbm9uZS5vcmeBDndoZXJlQG5vbmUub3JnMBMGA1UdJQQMMAoG +CCsGAQUFBwMJMA8GA1UdDwEB/wQFAwMHgAAwHQYDVR0OBBYEFF1ArfDOlECVi36Z +lB2SVCLKcjZfMC4GA1UdHwQnMCUwI6AhoB+GHWh0dHA6Ly93d3cuZ2V0Y3JsLmNy +bC9nZXRjcmwvMA0GCSqGSIb3DQEBCwUAA4GBAB6XUDXasilW0/gnhFaULkIALaK8 +khY1aUIPJo4nXaCUdSl4HwDR+Q+fBJEQ+b7HJ/2V8+iQHQxJhI+CoQ5AxXjSVS4Y +TJVB5uq4wIyGpwcu/QGysyBb4NqMA7kWh13J6vIblBO9+AWVGui2w+Sy1OgmDkty +GLmLQS2MD1u7p41J -----END CERTIFICATE----- diff --git a/tests/cert-tests/data/template-othername.pem b/tests/cert-tests/data/template-othername.pem index 540bd81547..6bb3227099 100644 --- a/tests/cert-tests/data/template-othername.pem +++ b/tests/cert-tests/data/template-othername.pem 
@@ -14,9 +14,9 @@ MCygDRsLVkFOUkVJTi5PUkehGzAZoAYCBAAAAAKhDzANGwRyaWNrGwVhZG1pbqAX BgQqBAUGoA8EDWEgdGVzdCBzdHJpbmegHQYIKwYBBQUHCAegEQwPbm1hdkBnbnV0 bHMub3JnoB0GCCsGAQUFBwgFoBEMD25tYXZAZ251dGxzLm9yZ4ENbm9uZUBub25l Lm9yZ4EOd2hlcmVAbm9uZS5vcmcwEwYDVR0lBAwwCgYIKwYBBQUHAwkwDwYDVR0P -AQH/BAUDAwcEADAdBgNVHQ4EFgQUXUCt8M6UQJWLfpmUHZJUIspyNl8wLgYDVR0f +AQH/BAUDAweEADAdBgNVHQ4EFgQUXUCt8M6UQJWLfpmUHZJUIspyNl8wLgYDVR0f BCcwJTAjoCGgH4YdaHR0cDovL3d3dy5nZXRjcmwuY3JsL2dldGNybC8wDQYJKoZI -hvcNAQELBQADgYEAavwEUhW+tvs0qcj09ZchA4AYTmhq8Wx3EzhDHpPA6xlERWxs -NB07bA7dJ1XzbCn4Q2DIT6AVQARQuQdT5S6kbnk2LjAPgMLNS90MaNBhV5Qiea+f -yL/FTC/chuDBR6pGUOW5c8oPP85WAHVBQXX2GLN0esCnTtLX18Jinfl06hU= +hvcNAQELBQADgYEANTKeCgs/Cv8N3nn7f4v3h+X5m5GSzNcdpdQ/joEv1Lkb8Sl4 +soXQqoBFHcbj8AQEeRSXSZAD1cBoAwVsVfzkdXxGZ+7T3s50ogKSSITfp91783e1 +VO4VaeA5Wsi46x3CE8Uzry8a4bP7GhzH6rRW846oSqH07J4L2QAVilN5SF0= -----END CERTIFICATE----- diff --git a/tests/cert-tests/data/template-overflow.pem b/tests/cert-tests/data/template-overflow.pem index c0b025070c..c9bf31e9c3 100644 --- a/tests/cert-tests/data/template-overflow.pem +++ b/tests/cert-tests/data/template-overflow.pem @@ -15,9 +15,9 @@ UZY9jJZcALxh3ggPsTYhf6kA4wUCAwEAAaOB9TCB8jAPBgNVHRMBAf8EBTADAQH/ MGoGA1UdEQRjMGGCDHd3dy5ub25lLm9yZ4ITd3d3Lm1vcmV0aGFub25lLm9yZ4IX d3d3LmV2ZW5tb3JldGhhbm9uZS5vcmeHBMCoAQGBDW5vbmVAbm9uZS5vcmeBDndo ZXJlQG5vbmUub3JnMBMGA1UdJQQMMAoGCCsGAQUFBwMJMA8GA1UdDwEB/wQFAwMH -BAAwHQYDVR0OBBYEFF1ArfDOlECVi36ZlB2SVCLKcjZfMC4GA1UdHwQnMCUwI6Ah +hAAwHQYDVR0OBBYEFF1ArfDOlECVi36ZlB2SVCLKcjZfMC4GA1UdHwQnMCUwI6Ah oB+GHWh0dHA6Ly93d3cuZ2V0Y3JsLmNybC9nZXRjcmwvMA0GCSqGSIb3DQEBCwUA -A4GBABVMpMML6zxcl5ww9Mshd8c15oobslbMFRWtoCigFDtxL0QjXBLdqDvcnDEd -TRCqJSBtZRyXRby6OcYppKLKgM+fO3JS1SHKgs44jabShdrEoR1HLQqMh57sM1Oq -OTA4++PhC1+dEAknkRqNxGQU1gqxx/iDVst45s/XLzwQYF+N +A4GBAAjokEJilLen8WR+iXKNgsnS6nJNobQaH0PXqekrbsMcd/z+S2gAmXsZjpZm +QfVl8w8a0hxFgE9AfdJu79pHBtdrSczCfUY1VfvlMU46iZBmSMFFbKV7B8THn0QK +Bj7A6XUC1uTjlYeujSi06LhC7CzykjoxYjjEc96552k8Sxsp -----END CERTIFICATE----- 
diff --git a/tests/cert-tests/data/template-overflow2.pem b/tests/cert-tests/data/template-overflow2.pem index 43e8efadc6..2de2af0282 100644 --- a/tests/cert-tests/data/template-overflow2.pem +++ b/tests/cert-tests/data/template-overflow2.pem @@ -15,9 +15,9 @@ UZY9jJZcALxh3ggPsTYhf6kA4wUCAwEAAaOB9TCB8jAPBgNVHRMBAf8EBTADAQH/ MGoGA1UdEQRjMGGCDHd3dy5ub25lLm9yZ4ITd3d3Lm1vcmV0aGFub25lLm9yZ4IX d3d3LmV2ZW5tb3JldGhhbm9uZS5vcmeHBMCoAQGBDW5vbmVAbm9uZS5vcmeBDndo ZXJlQG5vbmUub3JnMBMGA1UdJQQMMAoGCCsGAQUFBwMJMA8GA1UdDwEB/wQFAwMH -BAAwHQYDVR0OBBYEFF1ArfDOlECVi36ZlB2SVCLKcjZfMC4GA1UdHwQnMCUwI6Ah +hAAwHQYDVR0OBBYEFF1ArfDOlECVi36ZlB2SVCLKcjZfMC4GA1UdHwQnMCUwI6Ah oB+GHWh0dHA6Ly93d3cuZ2V0Y3JsLmNybC9nZXRjcmwvMA0GCSqGSIb3DQEBCwUA -A4GBAHUypGH/Jaxkyd3DdX5OCJ54+Qvre3/abi3fT1vBR28zQBYH7RdbAJobNsro -vKoa4Bugc43llXjxztpxB078pj0nsn9yE1OSsOryBWP6yZ/OfoxD5uZrUuXwkx0Q -HfijaNBnIn/xBO7No7VqvUK0QrNy11HqWi7KrxjcaWcBwZ7D +A4GBAJxCy6TeatkbCtKlTS76T5pPPkNX0w654BOFOvbOjJ/Qd0QjI+bCRDvjLKN4 +s3KVjhWaX/IhR4kql1FSrIfD9Cs+/JN91hlNhH5eK2p8NfRXSeAZby2d1UzYZDV/ +qFbnBROQbuH08KfoGU7dYwsOcEZpQ38SpVwHUJJSDSzkKx88 -----END CERTIFICATE----- diff --git a/tests/cert-tests/data/template-rsa-sha3-224.pem b/tests/cert-tests/data/template-rsa-sha3-224.pem index 8b2a0fb903..f20544c747 100644 --- a/tests/cert-tests/data/template-rsa-sha3-224.pem +++ b/tests/cert-tests/data/template-rsa-sha3-224.pem 
@@ -15,11 +15,11 @@ PYyWXAC8Yd4ID7E2IX+pAOMFAgMBAAGjggE3MIIBMzAPBgNVHRMBAf8EBTADAQH/ MGoGA1UdEQRjMGGCDHd3dy5ub25lLm9yZ4ITd3d3Lm1vcmV0aGFub25lLm9yZ4IX d3d3LmV2ZW5tb3JldGhhbm9uZS5vcmeHBMCoAQGBDW5vbmVAbm9uZS5vcmeBDndo ZXJlQG5vbmUub3JnMBMGA1UdJQQMMAoGCCsGAQUFBwMJMA8GA1UdDwEB/wQFAwMH -BAAwHQYDVR0OBBYEFF1ArfDOlECVi36ZlB2SVCLKcjZfMG8GA1UdHwRoMGYwZKBi +hAAwHQYDVR0OBBYEFF1ArfDOlECVi36ZlB2SVCLKcjZfMG8GA1UdHwRoMGYwZKBi oGCGHmh0dHA6Ly93d3cuZ2V0Y3JsLmNybC9nZXRjcmwxL4YeaHR0cDovL3d3dy5n ZXRjcmwuY3JsL2dldGNybDIvhh5odHRwOi8vd3d3LmdldGNybC5jcmwvZ2V0Y3Js -My8wDQYJYIZIAWUDBAMNBQADgYEABZpsvNQi0mtwO88lqAsN/iTB1BvXlaCNVPiB -f52WMSgJskJV+Gxhx0zwnSvqC7Iiq8SpF20ROC+3ROq1IuGIlO9/Q8aXfW/cK3Nn -qfVEMmdNkmUO2bTy1yhs6xpuoQmvDTA/kYo0DsZhIZdWOzuvUEZ48oztkiFsXjmo -NkjpuP4= +My8wDQYJYIZIAWUDBAMNBQADgYEAiA3TxnYSzSnqDbf9QEV5hFeyq1z7u2fW6pKL ++BkmwDm5mX7Lb5tZ2wBFkF9rx/OrxH5d/yXXy5FAvTIALLtYy6z1M5SHn9ygpQQu +H8fAnT7kou6eqdi1wWZUUcANUR8qUGyqGfWZvckoUBaleQG1x6g35bDuDu2zPcVW +II7WDzo= -----END CERTIFICATE----- diff --git a/tests/cert-tests/data/template-rsa-sha3-256.pem b/tests/cert-tests/data/template-rsa-sha3-256.pem index 35a083ac3c..ff6dcfcb4c 100644 --- a/tests/cert-tests/data/template-rsa-sha3-256.pem +++ b/tests/cert-tests/data/template-rsa-sha3-256.pem 
@@ -15,11 +15,11 @@ PYyWXAC8Yd4ID7E2IX+pAOMFAgMBAAGjggE3MIIBMzAPBgNVHRMBAf8EBTADAQH/ MGoGA1UdEQRjMGGCDHd3dy5ub25lLm9yZ4ITd3d3Lm1vcmV0aGFub25lLm9yZ4IX d3d3LmV2ZW5tb3JldGhhbm9uZS5vcmeHBMCoAQGBDW5vbmVAbm9uZS5vcmeBDndo ZXJlQG5vbmUub3JnMBMGA1UdJQQMMAoGCCsGAQUFBwMJMA8GA1UdDwEB/wQFAwMH -BAAwHQYDVR0OBBYEFF1ArfDOlECVi36ZlB2SVCLKcjZfMG8GA1UdHwRoMGYwZKBi +hAAwHQYDVR0OBBYEFF1ArfDOlECVi36ZlB2SVCLKcjZfMG8GA1UdHwRoMGYwZKBi oGCGHmh0dHA6Ly93d3cuZ2V0Y3JsLmNybC9nZXRjcmwxL4YeaHR0cDovL3d3dy5n ZXRjcmwuY3JsL2dldGNybDIvhh5odHRwOi8vd3d3LmdldGNybC5jcmwvZ2V0Y3Js -My8wDQYJYIZIAWUDBAMOBQADgYEApWQSGVKFbbUOZVsgXfx978CNxewsZGsNdrAU -X98wxysQGe8tQNvftPRB+NijWo5f49HjAfVhWxCr51f8pat+IPK8U7iRY3Uxxz+G -xRO0qfP0AyAQIYOvWkKi6RqvoVReh+69n2fSTgdhvKJrKITRlPL+kNbYlA2i3v2G -j1AK27Y= +My8wDQYJYIZIAWUDBAMOBQADgYEASyYQIkWmWNRwjHnLCFZmwAVdE833hh0gf8ne +3HbW2splDnfDUoKxqpMd7ViLCoWwoh6Y24d0yvZc1RGy83Z0Q0QuA8kAtYnMZ3j/ +ZtXZGq6010ZqkcHP43MZgLFru27diymDbgGxzsP9rOc1GnIi0OKo5EpJI1KHaG+k +0ObmT5U= -----END CERTIFICATE----- diff --git a/tests/cert-tests/data/template-rsa-sha3-384.pem b/tests/cert-tests/data/template-rsa-sha3-384.pem index b6de699f96..33c4b31ab4 100644 --- a/tests/cert-tests/data/template-rsa-sha3-384.pem +++ b/tests/cert-tests/data/template-rsa-sha3-384.pem 
@@ -15,11 +15,11 @@ PYyWXAC8Yd4ID7E2IX+pAOMFAgMBAAGjggE3MIIBMzAPBgNVHRMBAf8EBTADAQH/ MGoGA1UdEQRjMGGCDHd3dy5ub25lLm9yZ4ITd3d3Lm1vcmV0aGFub25lLm9yZ4IX d3d3LmV2ZW5tb3JldGhhbm9uZS5vcmeHBMCoAQGBDW5vbmVAbm9uZS5vcmeBDndo ZXJlQG5vbmUub3JnMBMGA1UdJQQMMAoGCCsGAQUFBwMJMA8GA1UdDwEB/wQFAwMH -BAAwHQYDVR0OBBYEFF1ArfDOlECVi36ZlB2SVCLKcjZfMG8GA1UdHwRoMGYwZKBi +hAAwHQYDVR0OBBYEFF1ArfDOlECVi36ZlB2SVCLKcjZfMG8GA1UdHwRoMGYwZKBi oGCGHmh0dHA6Ly93d3cuZ2V0Y3JsLmNybC9nZXRjcmwxL4YeaHR0cDovL3d3dy5n ZXRjcmwuY3JsL2dldGNybDIvhh5odHRwOi8vd3d3LmdldGNybC5jcmwvZ2V0Y3Js -My8wDQYJYIZIAWUDBAMPBQADgYEAI2ltSzA62kJqSBTWBmwot8d7go5NXNcM8vsE -XFdnFiT86ne33o58fXIA/TBr/f2rurIPKH3EbDQb00sr0ULrHYAF3KK1QkwOBMX6 -kWejpBlptV58liwBYhA3+ONp6K7yaiRGJzxA2xI4EZuUvsHy5F+oIpMb1ZlTmGMg -ib2amD4= +My8wDQYJYIZIAWUDBAMPBQADgYEAXFYGBk+qE52LESjshhK+jIXr3Tp7yZqV7oN8 +E/BBzXI+TelNmo1Rf/l7uOfQGsCDmBmP23F75UFNYk/1dYe1Sz6ODITLVRjy+upC +YkKTj/EcPeoeHvATe6bn3ohJcBEmbNAVu2IgGzHvewytKKlBk9EcR9uSENIuTY6A +bdXq6Sw= -----END CERTIFICATE----- diff --git a/tests/cert-tests/data/template-rsa-sha3-512.pem b/tests/cert-tests/data/template-rsa-sha3-512.pem index 05a24766a0..ab773ef1ad 100644 --- a/tests/cert-tests/data/template-rsa-sha3-512.pem +++ b/tests/cert-tests/data/template-rsa-sha3-512.pem 
@@ -15,11 +15,11 @@ PYyWXAC8Yd4ID7E2IX+pAOMFAgMBAAGjggE3MIIBMzAPBgNVHRMBAf8EBTADAQH/ MGoGA1UdEQRjMGGCDHd3dy5ub25lLm9yZ4ITd3d3Lm1vcmV0aGFub25lLm9yZ4IX d3d3LmV2ZW5tb3JldGhhbm9uZS5vcmeHBMCoAQGBDW5vbmVAbm9uZS5vcmeBDndo ZXJlQG5vbmUub3JnMBMGA1UdJQQMMAoGCCsGAQUFBwMJMA8GA1UdDwEB/wQFAwMH -BAAwHQYDVR0OBBYEFF1ArfDOlECVi36ZlB2SVCLKcjZfMG8GA1UdHwRoMGYwZKBi +hAAwHQYDVR0OBBYEFF1ArfDOlECVi36ZlB2SVCLKcjZfMG8GA1UdHwRoMGYwZKBi oGCGHmh0dHA6Ly93d3cuZ2V0Y3JsLmNybC9nZXRjcmwxL4YeaHR0cDovL3d3dy5n ZXRjcmwuY3JsL2dldGNybDIvhh5odHRwOi8vd3d3LmdldGNybC5jcmwvZ2V0Y3Js -My8wDQYJYIZIAWUDBAMQBQADgYEADQwUNzbut+lsgGPm1ELQ+yIzKKUDpiGyUmVY -4DHFKVHKAAM4p6eRY4CQhrGcQIAF/cv7BMlMtXwVPCMGmUiws3RpT5IR5PBU3ppM -CB7kDZ93BwHwXOoURU9wlYcUiRKmbN6rZ5YOUBYwYPZhyPcgnZPO8S7+2fbIo07i -TFELtZ0= +My8wDQYJYIZIAWUDBAMQBQADgYEAiBWEi/IhCQ6qpxX7KlClo6Xdwfbn2Zg5iftl +hNV1nZ23hLvG8YhqqKVOU0kk1jhnyjQeJN8Hj9wrEJTNmwhmFie/ftC0amYjFZMv +/iWOqRwTjaSkGSetq0yTaZ05NUEbvL6KdorNuJslts42zmShjNWDIYtpW4o+p7c1 +IfKnPj0= -----END CERTIFICATE----- diff --git a/tests/cert-tests/data/template-test.pem b/tests/cert-tests/data/template-test.pem index 1acd2fe0ae..a9e23b2ea7 100644 --- a/tests/cert-tests/data/template-test.pem +++ b/tests/cert-tests/data/template-test.pem 
@@ -15,11 +15,11 @@ PYyWXAC8Yd4ID7E2IX+pAOMFAgMBAAGjggE3MIIBMzAPBgNVHRMBAf8EBTADAQH/ MGoGA1UdEQRjMGGCDHd3dy5ub25lLm9yZ4ITd3d3Lm1vcmV0aGFub25lLm9yZ4IX d3d3LmV2ZW5tb3JldGhhbm9uZS5vcmeHBMCoAQGBDW5vbmVAbm9uZS5vcmeBDndo ZXJlQG5vbmUub3JnMBMGA1UdJQQMMAoGCCsGAQUFBwMJMA8GA1UdDwEB/wQFAwMH -BAAwHQYDVR0OBBYEFF1ArfDOlECVi36ZlB2SVCLKcjZfMG8GA1UdHwRoMGYwZKBi +hAAwHQYDVR0OBBYEFF1ArfDOlECVi36ZlB2SVCLKcjZfMG8GA1UdHwRoMGYwZKBi oGCGHmh0dHA6Ly93d3cuZ2V0Y3JsLmNybC9nZXRjcmwxL4YeaHR0cDovL3d3dy5n ZXRjcmwuY3JsL2dldGNybDIvhh5odHRwOi8vd3d3LmdldGNybC5jcmwvZ2V0Y3Js -My8wDQYJKoZIhvcNAQELBQADgYEANoDHZVtHbnn3dqVR0BEl6OYe8jIpVAP75prg -D1YB1+WutTKvdhs+2BMDty5wpHH5HBTbjBIZ8gvAv9696YSruOKQDPAbd3ideC1g -GLGFgndio377X8IKw9J9pDhyaHUcKbn6GgnerDvnxiAdPboFO9/zBi+0EQN/fndh -wRsuQhk= +My8wDQYJKoZIhvcNAQELBQADgYEAY/wOee5PsT1eZiuE2SOF2y+Qlf7GeRNhqJ2V +KRtS7wdLJXjxL+Tp0TJTyAfGCgxg3cFRbeSGg+gffo9wO4y/cP6hzVeBtYD+RNSK +ATUrYVtniKQulLOeNu/VyCYeLfD+8gQK0s44MIKuzCKUa01QO97slLa0qEG5qqxO +IXPMNFM= -----END CERTIFICATE----- diff --git a/tests/cert-tests/data/template-tlsfeature.csr b/tests/cert-tests/data/template-tlsfeature.csr index 2db290c3f1..191fac319b 100644 --- a/tests/cert-tests/data/template-tlsfeature.csr +++ b/tests/cert-tests/data/template-tlsfeature.csr @@ -26,12 +26,11 @@ PKCS #10 Certificate Request Information: RFC822Name: none@none.org RFC822Name: where@none.org Basic Constraints (critical): - Certificate Authority (CA): TRUE + Certificate Authority (CA): FALSE Key Purpose (critical): OCSP signing. Key Usage (critical): Digital signature. - Certificate signing. TLS Features (not critical): OCSP Status Request(5) 17 
@@ -45,19 +44,19 @@ Other Information: Self signature: verified -----BEGIN NEW CERTIFICATE REQUEST----- -MIICrDCCAhUCAQAwgZoxFTATBgNVBAMTDENpbmR5IExhdXBlcjEXMBUGA1UECxMO +MIICqTCCAhICAQAwgZoxFTATBgNVBAMTDENpbmR5IExhdXBlcjEXMBUGA1UECxMO c2xlZXBpbmcgZGVwdC4xEjAQBgNVBAoTCUtva28gaW5jLjEPMA0GA1UECBMGQXR0 aWtpMQswCQYDVQQGEwJHUjEXMBUGCgmSJomT8ixkAQETB2NsYXVwZXIxDDAKBgNV BAwTA0RyLjEPMA0GA1UEQRMGamFja2FsMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCB iQKBgQClxs51Q4S/ZJ4CJxPxA1n3eS2S7XwvUKQD8S15uYaLBX46u0Sqr4TPE5ge HEo49zMtep9y1GttJrAxN3AQ+0Lp2J0YZX4ZSfwFlgRogx53hr/t9eUSOxP+Mxic -Gnodaa9HAmB6H7noz9vINDBRlj2MllwAvGHeCA+xNiF/qQDjBQIDAQABoIHQMIHN -BgkqhkiG9w0BCQ4xgb8wgbwwagYDVR0RBGMwYYIMd3d3Lm5vbmUub3JnghN3d3cu +Gnodaa9HAmB6H7noz9vINDBRlj2MllwAvGHeCA+xNiF/qQDjBQIDAQABoIHNMIHK +BgkqhkiG9w0BCQ4xgbwwgbkwagYDVR0RBGMwYYIMd3d3Lm5vbmUub3JnghN3d3cu bW9yZXRoYW5vbmUub3Jnghd3d3cuZXZlbm1vcmV0aGFub25lLm9yZ4cEwKgBAYEN -bm9uZUBub25lLm9yZ4EOd2hlcmVAbm9uZS5vcmcwDwYDVR0TAQH/BAUwAwEB/zAW -BgNVHSUBAf8EDDAKBggrBgEFBQcDCTAPBgNVHQ8BAf8EBQMDB4QAMBQGCCsGAQUF -BwEYBAgwBgIBBQIBETANBgkqhkiG9w0BAQsFAAOBgQBp5DB6ksTU78tli6cYkxB4 -DRPIGOhL87o4gpsOQNSS61ECYTf2wxGqPA1sM/8syNn0hU1hGVqZG2ydYmR6PxkO -/FfKNmxI5+cRA8oKk6zNhu42tll3NLFbYZV9cp8+JpBQMLBIXxU23UggnsxoVrks -C1I6oDxIq5kDixlWKnaMGA== +bm9uZUBub25lLm9yZ4EOd2hlcmVAbm9uZS5vcmcwDAYDVR0TAQH/BAIwADAWBgNV +HSUBAf8EDDAKBggrBgEFBQcDCTAPBgNVHQ8BAf8EBQMDB4AAMBQGCCsGAQUFBwEY +BAgwBgIBBQIBETANBgkqhkiG9w0BAQsFAAOBgQAIayiRbitKkrg0YAtj/cqij5xx +6ictys5F3XvdsTgTINPpW41TqFJltPFfFJXRCwJI/aitPXH4so+xS6sFYHKHYXnu +DGGwNRE0bmW9+/MhgkMLdLNw22MRiyDK1TM5CWAe9CCX8jzyRnnKXIvpPXv0yLhY +kT9W7Sjw72lPTehtsg== -----END NEW CERTIFICATE REQUEST----- diff --git a/tests/cert-tests/data/template-tlsfeature.pem b/tests/cert-tests/data/template-tlsfeature.pem index 23ba2886a1..a412a42c13 100644 --- a/tests/cert-tests/data/template-tlsfeature.pem +++ b/tests/cert-tests/data/template-tlsfeature.pem 
@@ -1,5 +1,5 @@ -----BEGIN CERTIFICATE----- -MIIENzCCA6CgAwIBAgIBBzANBgkqhkiG9w0BAQsFADCBuDEVMBMGA1UEAxMMQ2lu +MIIENDCCA52gAwIBAgIBBzANBgkqhkiG9w0BAQsFADCBuDEVMBMGA1UEAxMMQ2lu ZHkgTGF1cGVyMRcwFQYKCZImiZPyLGQBARMHY2xhdXBlcjEXMBUGA1UECxMOc2xl ZXBpbmcgZGVwdC4xEjAQBgNVBAoTCUtva28gaW5jLjEPMA0GA1UECBMGQXR0aWtp MQswCQYDVQQGEwJHUjEMMAoGA1UEDBMDRHIuMQ8wDQYDVQRBEwZqYWNrYWwxHDAa 
@@ -11,15 +11,15 @@ DBMDRHIuMQ8wDQYDVQRBEwZqYWNrYWwxHDAaBgkqhkiG9w0BCQEWDW5vbmVAbm9u ZS5vcmcwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAKXGznVDhL9kngInE/ED Wfd5LZLtfC9QpAPxLXm5hosFfjq7RKqvhM8TmB4cSjj3My16n3LUa20msDE3cBD7 QunYnRhlfhlJ/AWWBGiDHneGv+315RI7E/4zGJwaeh1pr0cCYHofuejP28g0MFGW -PYyWXAC8Yd4ID7E2IX+pAOMFAgMBAAGjggFNMIIBSTAUBggrBgEFBQcBGAQIMAYC -AQUCAREwDwYDVR0TAQH/BAUwAwEB/zBqBgNVHREEYzBhggx3d3cubm9uZS5vcmeC -E3d3dy5tb3JldGhhbm9uZS5vcmeCF3d3dy5ldmVubW9yZXRoYW5vbmUub3JnhwTA -qAEBgQ1ub25lQG5vbmUub3JngQ53aGVyZUBub25lLm9yZzATBgNVHSUEDDAKBggr -BgEFBQcDCTAPBgNVHQ8BAf8EBQMDBwQAMB0GA1UdDgQWBBRdQK3wzpRAlYt+mZQd -klQiynI2XzBvBgNVHR8EaDBmMGSgYqBghh5odHRwOi8vd3d3LmdldGNybC5jcmwv -Z2V0Y3JsMS+GHmh0dHA6Ly93d3cuZ2V0Y3JsLmNybC9nZXRjcmwyL4YeaHR0cDov -L3d3dy5nZXRjcmwuY3JsL2dldGNybDMvMA0GCSqGSIb3DQEBCwUAA4GBAG4dVgPt -cB2JnNlNacL+MnggU4TyYTnpEvBWUnjiZxvsKMAk+XcqeW61hjl0u0wQGWBOsSeS -yLcnXHKApdI0LUkWhkKGqZaUSktd9v5sBzP1IXsXHMRsa1ZPazsSYbQ+EQggOnEP -s6Zw/bt1SYHBdqk8+yBXq54AYT4EK+6Me/pX +PYyWXAC8Yd4ID7E2IX+pAOMFAgMBAAGjggFKMIIBRjAUBggrBgEFBQcBGAQIMAYC +AQUCAREwDAYDVR0TAQH/BAIwADBqBgNVHREEYzBhggx3d3cubm9uZS5vcmeCE3d3 +dy5tb3JldGhhbm9uZS5vcmeCF3d3dy5ldmVubW9yZXRoYW5vbmUub3JnhwTAqAEB +gQ1ub25lQG5vbmUub3JngQ53aGVyZUBub25lLm9yZzATBgNVHSUEDDAKBggrBgEF +BQcDCTAPBgNVHQ8BAf8EBQMDB4AAMB0GA1UdDgQWBBRdQK3wzpRAlYt+mZQdklQi +ynI2XzBvBgNVHR8EaDBmMGSgYqBghh5odHRwOi8vd3d3LmdldGNybC5jcmwvZ2V0 +Y3JsMS+GHmh0dHA6Ly93d3cuZ2V0Y3JsLmNybC9nZXRjcmwyL4YeaHR0cDovL3d3 +dy5nZXRjcmwuY3JsL2dldGNybDMvMA0GCSqGSIb3DQEBCwUAA4GBAEoSB3eLhcMA +/pAOs3A9GW23Yi9C1QXNCoTbE/nzxNKLjGVVDMIOW5soLsmX7KXavAG12qJ6ZmXK +3rdgx30vVOqZdELVu+Ht9GxcUf1MRWOTYUhKyD9trJ5BYR2vpaakIM0MoFnpc7d2 +tO6NAkRin8u7kYutdFqTGhAz4gVXWXGF -----END CERTIFICATE----- diff --git a/tests/cert-tests/data/template-unique.pem b/tests/cert-tests/data/template-unique.pem index e08e5b53ec..538c0a28a8 100644 --- a/tests/cert-tests/data/template-unique.pem +++ b/tests/cert-tests/data/template-unique.pem 
@@ -11,10 +11,10 @@ NDBRlj2MllwAvGHeCA+xNiF/qQDjBQIDAQABgQgAERQjJCUSJIIGAAAVIyQlo4H1 MIHyMA8GA1UdEwEB/wQFMAMBAf8wagYDVR0RBGMwYYIMd3d3Lm5vbmUub3JnghN3 d3cubW9yZXRoYW5vbmUub3Jnghd3d3cuZXZlbm1vcmV0aGFub25lLm9yZ4cEwKgB AYENbm9uZUBub25lLm9yZ4EOd2hlcmVAbm9uZS5vcmcwEwYDVR0lBAwwCgYIKwYB -BQUHAwkwDwYDVR0PAQH/BAUDAwcEADAdBgNVHQ4EFgQUXUCt8M6UQJWLfpmUHZJU +BQUHAwkwDwYDVR0PAQH/BAUDAweEADAdBgNVHQ4EFgQUXUCt8M6UQJWLfpmUHZJU IspyNl8wLgYDVR0fBCcwJTAjoCGgH4YdaHR0cDovL3d3dy5nZXRjcmwuY3JsL2dl -dGNybC8wDQYJKoZIhvcNAQELBQADgYEAlJcMko5hA7LLxZWylww49HrmiKCRMjH/ -FMPi5WW54n8YfRQuOD8wvHUl3EcJHCXBu0nlWQJfIfGiPIBTTX7EJCS3KQpX296p -q1xClFdGqXCNOzy0Ld64Qh7qgt5TlvV+uzGgfkzaPqksBhhVLXlUNS2cCSiyi075 -wxR6TEOsjqE= +dGNybC8wDQYJKoZIhvcNAQELBQADgYEAR0YLJcy/QThClfMri0ULVGRRl8YlxGc8 +HSl+TtabcK2Ei3bl0G1yMz02/jaIqi87DWssKL42bmT1qieyOFik3a+jXY377P7G +ssW54WKXQvhpR1b3JZ2RADaj8g9+E9zrUsSlVNaDC33f3DoTzU/tryw25V7U1quj +ALQTc/0hW1k= -----END CERTIFICATE----- diff --git a/tests/cert-tests/sha3-test b/tests/cert-tests/sha3-test index abb20bca04..dc3cf8f6ba 100755 --- a/tests/cert-tests/sha3-test +++ b/tests/cert-tests/sha3-test @@ -50,8 +50,8 @@ datefudge -s "2007-04-22" \ rc=$? if test -f "${srcdir}/data/template-rsa-$i.pem";then -${DIFF} "${srcdir}/data/template-rsa-$i.pem" "${TMPFILE}" >/dev/null 2>&1 -rc=$? + ${DIFF} "${srcdir}/data/template-rsa-$i.pem" "${TMPFILE}" >/dev/null 2>&1 + rc=$? fi # We're done. diff --git a/tests/cert-tests/template-test b/tests/cert-tests/template-test index fe954e528a..43e28fe15d 100755 --- a/tests/cert-tests/template-test +++ b/tests/cert-tests/template-test @@ -149,7 +149,6 @@ else # We're done. if test "${rc}" != "0"; then - echo $TMPFILE echo "Test 5-2 (overflow2) failed" exit ${rc} fi diff --git a/tests/cert-tests/templates/template-othername-xmpp.tmpl b/tests/cert-tests/templates/template-othername-xmpp.tmpl index 1e9a85f846..017dfbaa83 100644 --- a/tests/cert-tests/templates/template-othername-xmpp.tmpl +++ b/tests/cert-tests/templates/template-othername-xmpp.tmpl 
@@ -33,9 +33,6 @@ crl_dist_points = "http://www.getcrl.crl/getcrl/" email = "where@none.org" -# Whether this is a CA certificate or not -ca - # Whether this certificate will be used for a TLS client #tls_www_client diff --git a/tests/cert-tests/templates/template-tlsfeature.tmpl b/tests/cert-tests/templates/template-tlsfeature.tmpl index 7a03b49afb..f4d3f69abb 100644 --- a/tests/cert-tests/templates/template-tlsfeature.tmpl +++ b/tests/cert-tests/templates/template-tlsfeature.tmpl @@ -65,9 +65,6 @@ crl_dist_points = "http://www.getcrl.crl/getcrl3/" email = "where@none.org" -# Whether this is a CA certificate or not -ca - # Whether this certificate will be used for a TLS client #tls_www_client diff --git a/tests/profile-tests.sh b/tests/profile-tests.sh new file mode 100755 index 0000000000..71295fd5a6 --- /dev/null +++ b/tests/profile-tests.sh 
@@ -0,0 +1,243 @@ +#!/bin/sh + +# Copyright (C) 2019 Red Hat, Inc. +# +# Author: Nikos Mavrogiannopoulos +# +# This file is part of GnuTLS. +# +# GnuTLS is free software; you can redistribute it and/or modify it +# under the terms of the GNU General Public License as published by the +# Free Software Foundation; either version 3 of the License, or (at +# your option) any later version. +# +# GnuTLS is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +# General Public License for more details. +# +# You should have received a copy of the GNU Lesser General Public License +# along with this program. If not, see <https://www.gnu.org/licenses/> +# + +# This program tests whether the profile keywords work as expected + +srcdir="${srcdir:-.}" +SERV="${SERV:-../src/gnutls-serv${EXEEXT}}" +CLI="${CLI:-../src/gnutls-cli${EXEEXT}}" +TMPFILE=config.$$.tmp +export GNUTLS_SYSTEM_PRIORITY_FAIL_ON_INVALID=1 + +if ! test -x "${SERV}"; then + exit 77 +fi + +if ! test -x "${CLI}"; then + exit 77 +fi + +if test "${WINDIR}" != ""; then + exit 77 +fi + +. 
"${srcdir}/scripts/common.sh" + +CAFILE="./profile-ca.$$.tmp" +CERT="./profile-cert.$$.tmp" + + +echo "Testing with a 256 bit ECDSA key" + +cat >${CAFILE} <<_EOF_ +-----BEGIN CERTIFICATE----- +MIIBZjCCAQugAwIBAgIUT/9x+s6cBhBHWoZH5fBi9c0aBPswCgYIKoZIzj0EAwIw +DzENMAsGA1UEAxMEQ0EtMDAgFw0xOTA1MjAxMzAxNTdaGA85OTk5MTIzMTIzNTk1 +OVowDzENMAsGA1UEAxMEQ0EtMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABI7d +qggkXNbYfXi5rMqdvvX26GJ02A63B5sueaS0w1LITLeMb0mhx4trpXMkJ3lr05lY +JCfr6sUTAlYLMBLZJ+ajQzBBMA8GA1UdEwEB/wQFMAMBAf8wDwYDVR0PAQH/BAUD +AwcGADAdBgNVHQ4EFgQUUkk7xPS5Uf53q8YLEhz5KGqeZH0wCgYIKoZIzj0EAwID +SQAwRgIhAKL/lPu6hOTwA/FfB+dMkkVeeZA+6CeXgbnxeA6HXy3bAiEAvO3+1VhR +RIHc3JBuIsLlrwaovXAZHgXNGV2WalixDHI= +-----END CERTIFICATE----- +_EOF_ +cat >${CERT} <<_EOF_ +-----BEGIN CERTIFICATE----- +MIIBnTCCAUOgAwIBAgIUUoqE4mD73XmLCryaMad6AXl6TjAwCgYIKoZIzj0EAwIw +DzENMAsGA1UEAxMEQ0EtMDAgFw0xOTA1MjAxMzAxNTdaGA85OTk5MTIzMTIzNTk1 +OVowEzERMA8GA1UEAxMIc2VydmVyLTEwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNC +AAScHgQMZCm5GLjGs64tN8hmK+KmDOTBU0fyqc9Tle6WjgFFBzPeHv8vLcrp5HTI +mNtKFNCaLN73r9h8xk3qG2pno3cwdTAMBgNVHRMBAf8EAjAAMBQGA1UdEQQNMAuC +CWxvY2FsaG9zdDAPBgNVHQ8BAf8EBQMDB4AAMB0GA1UdDgQWBBRpzYoZdeLYgscj +yokMBbda3FnghzAfBgNVHSMEGDAWgBRSSTvE9LlR/nerxgsSHPkoap5kfTAKBggq +hkjOPQQDAgNIADBFAiATJTdJ176UocB1BGDTTwJAuNKurPFZzlEaeYHS3tetXAIh +AP/RStdc8DV/AtHZOF1/FF3fB/tS3d+vb2f0QsTbcl5f +-----END CERTIFICATE----- +-----BEGIN EC PRIVATE KEY----- +MHcCAQEEIG5Gt+KTDxw5cevzwL0Sfo2AJZNeVtu3GHSnpICvsSiBoAoGCCqGSM49 +AwEHoUQDQgAEnB4EDGQpuRi4xrOuLTfIZivipgzkwVNH8qnPU5Xulo4BRQcz3h7/ +Ly3K6eR0yJjbShTQmize96/YfMZN6htqZw== +-----END EC PRIVATE KEY----- +_EOF_ +KEY="${CERT}" + +eval "${GETPORT}" +launch_server $$ --echo --priority "NORMAL" --x509keyfile ${KEY} --x509certfile ${CERT} +PID=$! 
+wait_server ${PID} + +"${CLI}" -p "${PORT}" 127.0.0.1 --priority NORMAL:%PROFILE_VERY_WEAK --verify-hostname localhost --x509cafile "${CAFILE}" </dev/null >/dev/null || + fail ${PID} "expected connection to succeed (1)" + +"${CLI}" -p "${PORT}" 127.0.0.1 --priority NORMAL:%PROFILE_LOW --verify-hostname localhost --x509cafile "${CAFILE}" </dev/null >/dev/null || + fail ${PID} "expected connection to succeed (2)" + +"${CLI}" -p "${PORT}" 127.0.0.1 --priority NORMAL:%PROFILE_LEGACY --verify-hostname localhost --x509cafile "${CAFILE}" </dev/null >/dev/null || + fail ${PID} "expected connection to succeed (3)" + +"${CLI}" -p "${PORT}" 127.0.0.1 --priority NORMAL:%PROFILE_HIGH --verify-hostname localhost --x509cafile "${CAFILE}" </dev/null >/dev/null || + fail ${PID} "expected connection to succeed (4)" + +"${CLI}" -p "${PORT}" 127.0.0.1 --priority NORMAL:%PROFILE_ULTRA --verify-hostname localhost --x509cafile "${CAFILE}" </dev/null >/dev/null && + fail ${PID} "expected connection to fail (1)" + +"${CLI}" -p "${PORT}" 127.0.0.1 --priority NORMAL:%PROFILE_FUTURE --verify-hostname localhost --x509cafile "${CAFILE}" </dev/null >/dev/null && + fail ${PID} "expected connection to fail (2)" + +kill ${PID} +wait + + +echo "Testing with a 384 bit ECDSA key" + +cat >${CAFILE} <<_EOF_ +-----BEGIN CERTIFICATE----- +MIIBojCCASigAwIBAgIUFMelLI8WwXyoyKjZGXXXcLb4N1EwCgYIKoZIzj0EAwMw +DzENMAsGA1UEAxMEQ0EtMDAgFw0xOTA1MjAxMzA2MDNaGA85OTk5MTIzMTIzNTk1 +OVowDzENMAsGA1UEAxMEQ0EtMDB2MBAGByqGSM49AgEGBSuBBAAiA2IABNxXKt1I +dpBTxQ5oefACUoUgdEwLNkbrjMeEYbB1Wz9d5Uk9nJPjQOGx85ct3FysauMxzBGy +BKnBEYViamZiffXu3zzNlIZY+tCbc3MUqs6q60CuNIw4UjakKhgD6II2MKNDMEEw +DwYDVR0TAQH/BAUwAwEB/zAPBgNVHQ8BAf8EBQMDBwYAMB0GA1UdDgQWBBQJ9QXM +rPF8/z2VviCfhSp2ezf1AjAKBggqhkjOPQQDAwNoADBlAjEA5nmuJqRQFLgHYnN5 +MRmMfT+TvkLL+MPBo9lK8cbFzweV/PdySLRKNylOH4y70UyzAjBk3kFH7KC1AGMz ++A87+Rx+7BHOIdKIp91wx8LhMIdbeX9yi3w6YRsjHoLxKtJ8FYE= +-----END CERTIFICATE----- +_EOF_ +cat >${CERT} <<_EOF_ +-----BEGIN CERTIFICATE----- 
+MIIB2DCCAWCgAwIBAgIUJiHZy9J/MQzCJPjaP3Zy+JTXHgowCgYIKoZIzj0EAwMw +DzENMAsGA1UEAxMEQ0EtMDAgFw0xOTA1MjAxMzA2MDNaGA85OTk5MTIzMTIzNTk1 +OVowEzERMA8GA1UEAxMIc2VydmVyLTEwdjAQBgcqhkjOPQIBBgUrgQQAIgNiAATP +agsLKT6MLGFsxWyBjDmyrfcAreBZtGDe9tS8jYItbM8y/ulvjCnwW/dwmVBe6UKX +n7WIJ7nxvp/j0k59TwpMxfpSn51NhiaViMQ4ZxA34qm+H3gUl8r1GC9I/EPTYe2j +dzB1MAwGA1UdEwEB/wQCMAAwFAYDVR0RBA0wC4IJbG9jYWxob3N0MA8GA1UdDwEB +/wQFAwMHgAAwHQYDVR0OBBYEFO2V2sn+n3Kj0sA2leiLp/RQDmt/MB8GA1UdIwQY +MBaAFAn1Bcys8Xz/PZW+IJ+FKnZ7N/UCMAoGCCqGSM49BAMDA2YAMGMCL37ZZOM0 +fKI8jzlZRF64IOB/hVbvMD5WOMqFN/M8BjbPSywuRy9/JIq0KiFw3IKUAjAJZSsJ +fd8/9po81LJwyfUF/fTwPa7CNExb4BoDRtDDc7s/ciXI/13rxwkJnlAytwI= +-----END CERTIFICATE----- +-----BEGIN EC PRIVATE KEY----- +MIGlAgEBBDEAtrbWqGFyxd+qLlU0VHGvS5CpuAg0fPvODXzu8qHGREvxMYJL5d0I +YfU7emquAuq/oAcGBSuBBAAioWQDYgAEz2oLCyk+jCxhbMVsgYw5sq33AK3gWbRg +3vbUvI2CLWzPMv7pb4wp8Fv3cJlQXulCl5+1iCe58b6f49JOfU8KTMX6Up+dTYYm +lYjEOGcQN+Kpvh94FJfK9RgvSPxD02Ht +-----END EC PRIVATE KEY----- +_EOF_ +KEY="${CERT}" + +eval "${GETPORT}" +launch_server $$ --echo --priority "NORMAL" --x509keyfile ${KEY} --x509certfile ${CERT} +PID=$! 
+wait_server ${PID} + +"${CLI}" -p "${PORT}" 127.0.0.1 --priority NORMAL:%PROFILE_VERY_WEAK --verify-hostname localhost --x509cafile "${CAFILE}" </dev/null >/dev/null || + fail ${PID} "expected connection to succeed (1)" + +"${CLI}" -p "${PORT}" 127.0.0.1 --priority NORMAL:%PROFILE_LOW --verify-hostname localhost --x509cafile "${CAFILE}" </dev/null >/dev/null || + fail ${PID} "expected connection to succeed (2)" + +"${CLI}" -p "${PORT}" 127.0.0.1 --priority NORMAL:%PROFILE_LEGACY --verify-hostname localhost --x509cafile "${CAFILE}" </dev/null >/dev/null || + fail ${PID} "expected connection to succeed (3)" + +"${CLI}" -p "${PORT}" 127.0.0.1 --priority NORMAL:%PROFILE_HIGH --verify-hostname localhost --x509cafile "${CAFILE}" </dev/null >/dev/null || + fail ${PID} "expected connection to succeed (4)" + +"${CLI}" -p "${PORT}" 127.0.0.1 --priority NORMAL:%PROFILE_ULTRA --verify-hostname localhost --x509cafile "${CAFILE}" </dev/null >/dev/null || + fail ${PID} "expected connection to succeed (5)" + +"${CLI}" -p "${PORT}" 127.0.0.1 --priority NORMAL:%PROFILE_FUTURE --verify-hostname localhost --x509cafile "${CAFILE}" </dev/null >/dev/null && + fail ${PID} "expected connection to fail (1)" + +kill ${PID} +wait + +echo "Testing with a 521 bit ECDSA key" + +cat >${CAFILE} <<_EOF_ +-----BEGIN CERTIFICATE----- +MIIB7TCCAU6gAwIBAgIUW9MXlkeIARoHEeP+DmgMfSOh9xkwCgYIKoZIzj0EAwQw +DzENMAsGA1UEAxMEQ0EtMDAgFw0xOTA1MjAxMzE4MDVaGA85OTk5MTIzMTIzNTk1 +OVowDzENMAsGA1UEAxMEQ0EtMDCBmzAQBgcqhkjOPQIBBgUrgQQAIwOBhgAEASRD +p6ArQF3bkC7rMzUo6RGle3LCDVkrVrcS0vMRKz6D436g/yO0+om5Xbny/z3Weo4x +E8dat+dQp2sHurso6ByhAbm08MqxKUqaU4G69xvTYTOSMljDtx/3upsF955J5/CT +/F8czPBR9jebQZOCXWI0clpFSTGTYFnqHVlyTTwCgd87o0MwQTAPBgNVHRMBAf8E +BTADAQH/MA8GA1UdDwEB/wQFAwMHBgAwHQYDVR0OBBYEFI2SeRAmyVkAAEabKWfy +SREfJqJfMAoGCCqGSM49BAMEA4GMADCBiAJCAc8sUwRR5Q5u52YSdaEiHgnWlNTJ +nP7ckTAiSCEmhp2L8wdvG2274oTjvw3gbUHLc310AAoIvUcZfaXB6zooIpl9AkIB +NK1JHzm60+USUDxJoQngtl8KdM9jR9UmjZ5hVhd/k5FeNYbb6Z+kuIasE4SlnJnd 
+VIEgdnjXtlI3n052VLjDKg4= +-----END CERTIFICATE----- +_EOF_ +cat >${CERT} <<_EOF_ +-----BEGIN CERTIFICATE----- +MIICJDCCAYagAwIBAgIUTNrzhsX4+TV92p8tYrrUclDsYsUwCgYIKoZIzj0EAwQw +DzENMAsGA1UEAxMEQ0EtMDAgFw0xOTA1MjAxMzE4MDVaGA85OTk5MTIzMTIzNTk1 +OVowEzERMA8GA1UEAxMIc2VydmVyLTEwgZswEAYHKoZIzj0CAQYFK4EEACMDgYYA +BAGAb9ToCqbQ8wImyiIN3Zf3T8WrwB/R28f0w8wq0W5a71FGayY0VU5exSBV7nnj +X8xFwUb+BpIVRQ4ZsryQCDDANACxXE3hwae59mqO9JhrTUQL7KyDaZ8W6KbACn8h +fYsOay/3ub0wdNdG8aJIcZzmrX1DNM0Jt/rW1d2nzuv6lZqCfqN3MHUwDAYDVR0T +AQH/BAIwADAUBgNVHREEDTALgglsb2NhbGhvc3QwDwYDVR0PAQH/BAUDAweAADAd +BgNVHQ4EFgQUv46ZnyF9oFn6yVCPl8WJ2InprhowHwYDVR0jBBgwFoAUjZJ5ECbJ +WQAARpspZ/JJER8mol8wCgYIKoZIzj0EAwQDgYsAMIGHAkIAh0/UdYPTSWmtTRNZ +d1VGCBW+Pw9aMkSTd8byWgle8+z1aQdZYQF46MHDuRC3zkooAYXPjbYCbLba5W/x +K1MVvfoCQThH3TCLj/Qci1788SNJ2bvN4bGe9m71cRhJWOXx5GRUHjvRJ5dttllq +dPzh992Fym1fGoyKne2xm172IG2LvTI0 +-----END CERTIFICATE----- +-----BEGIN EC PRIVATE KEY----- +MIHcAgEBBEIBZEu+h1ouDy17i0vGtm39PIrwWCGmjiQkCp1HnPSGod6SM2O3j4Mf +PH5pp8dPYx0LmHXTe+/P/oiIf128sSlsIGCgBwYFK4EEACOhgYkDgYYABAGAb9To +CqbQ8wImyiIN3Zf3T8WrwB/R28f0w8wq0W5a71FGayY0VU5exSBV7nnjX8xFwUb+ +BpIVRQ4ZsryQCDDANACxXE3hwae59mqO9JhrTUQL7KyDaZ8W6KbACn8hfYsOay/3 +ub0wdNdG8aJIcZzmrX1DNM0Jt/rW1d2nzuv6lZqCfg== +-----END EC PRIVATE KEY----- +_EOF_ +KEY="${CERT}" + +eval "${GETPORT}" +launch_server $$ --echo --priority "NORMAL" --x509keyfile ${KEY} --x509certfile ${CERT} +PID=$! 
+wait_server ${PID} + +"${CLI}" -p "${PORT}" 127.0.0.1 --priority NORMAL:%PROFILE_VERY_WEAK --verify-hostname localhost --x509cafile "${CAFILE}" </dev/null >/dev/null || + fail ${PID} "expected connection to succeed (1)" + +"${CLI}" -p "${PORT}" 127.0.0.1 --priority NORMAL:%PROFILE_LOW --verify-hostname localhost --x509cafile "${CAFILE}" </dev/null >/dev/null || + fail ${PID} "expected connection to succeed (2)" + +"${CLI}" -p "${PORT}" 127.0.0.1 --priority NORMAL:%PROFILE_LEGACY --verify-hostname localhost --x509cafile "${CAFILE}" </dev/null >/dev/null || + fail ${PID} "expected connection to succeed (3)" + +"${CLI}" -p "${PORT}" 127.0.0.1 --priority NORMAL:%PROFILE_HIGH --verify-hostname localhost --x509cafile "${CAFILE}" </dev/null >/dev/null || + fail ${PID} "expected connection to succeed (4)" + +"${CLI}" -p "${PORT}" 127.0.0.1 --priority NORMAL:%PROFILE_ULTRA --verify-hostname localhost --x509cafile "${CAFILE}" </dev/null >/dev/null || + fail ${PID} "expected connection to succeed (5)" + +"${CLI}" -p "${PORT}" 127.0.0.1 --priority NORMAL:%PROFILE_FUTURE --verify-hostname localhost --x509cafile "${CAFILE}" </dev/null >/dev/null || + fail ${PID} "expected connection to succeed (6)" + +kill ${PID} +wait + +rm -f ${TMPFILE} ${CAFILE} ${CERT} + +exit 0 diff --git a/tests/suite/certs/create-chain.sh b/tests/suite/certs/create-chain.sh index 494a5d92e5..c616189e63 100755 --- a/tests/suite/certs/create-chain.sh +++ b/tests/suite/certs/create-chain.sh @@ -16,6 +16,11 @@ LAST=`expr ${NUM} - 1` rm -rf "${OUTPUT}" mkdir -p "${OUTPUT}" +#KEY_TYPE_ROOT="--key-type rsa-pss --bits 2048 --hash sha384 --salt-size 64" +KEY_TYPE_ROOT="--key-type ecdsa --curve secp521r1" +KEY_TYPE_SUBCA="--key-type rsa-pss --bits 2048 --hash sha256 --salt-size 64" +KEY_TYPE="--key-type ecdsa --curve secp521r1" + counter=0 while test ${counter} -lt ${NUM}; do if test ${counter} = ${LAST}; then 
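Review bot: `%PROFILE_MEDIUM` is never exercised in tests/profile-tests.sh: each of the three key-size sections runs VERY_WEAK, LOW, LEGACY, HIGH, ULTRA and FUTURE only, so a wrong mapping for the MEDIUM keyword would go unnoticed. Each section could gain `"${CLI}" -p "${PORT}" 127.0.0.1 --priority NORMAL:%PROFILE_MEDIUM --verify-hostname localhost --x509cafile "${CAFILE}" </dev/null >/dev/null || fail ${PID} "expected connection to succeed (MEDIUM)"`. The failure messages reuse the same numbers in all three sections, so putting the key size in the message (e.g. `"256-bit key: expected connection to fail (ULTRA)"`) would show which case broke. The negative cases accept any non-zero exit from gnutls-cli, so they confirm that the connection was refused but not that the profile check was the reason. `TMPFILE` is assigned and removed but never written, and `${CAFILE}`/`${CERT}` are not cleaned up on the failure paths visible here unless `fail` does so.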
@@ -25,7 +30,7 @@ while test ${counter} -lt ${NUM}; do fi if test ${counter} = 0; then - "${CERTTOOL}" --key-type rsa-pss --bits 2048 --hash sha256 --salt-size 64 --generate-privkey >"${OUTPUT}/${name}.key" 2>/dev/null + "${CERTTOOL}" ${KEY_TYPE} --generate-privkey >"${OUTPUT}/${name}.key" 2>/dev/null # ROOT CA echo "cn = ${name}" >"${TEMPLATE}" echo "ca" >>"${TEMPLATE}" @@ -40,7 +45,7 @@ while test ${counter} -lt ${NUM}; do "${OUTPUT}/${name}.crl" --template "${TEMPLATE}" 2>/dev/null else if test ${counter} = ${LAST}; then - "${CERTTOOL}" --key-type rsa --bits 2048 --generate-privkey >"${OUTPUT}/${name}.key" 2>/dev/null + "${CERTTOOL}" ${KEY_TYPE} --generate-privkey >"${OUTPUT}/${name}.key" 2>/dev/null # END certificate echo "cn = ${name}" >"${TEMPLATE}" echo "dns_name = localhost" >>"${TEMPLATE}" @@ -52,7 +57,7 @@ while test ${counter} -lt ${NUM}; do --load-ca-privkey "${OUTPUT}/${prev_name}.key" \ --outfile "${OUTPUT}/${name}.crt" --template "${TEMPLATE}" -d 4 #2>/dev/null else - "${CERTTOOL}" --key-type rsa-pss --bits 2048 --hash sha384 --salt-size 48 --generate-privkey >"${OUTPUT}/${name}.key" -d 4 #2>/dev/null + "${CERTTOOL}" ${KEY_TYPE_SUBCA} --generate-privkey >"${OUTPUT}/${name}.key" -d 4 #2>/dev/null # intermediate CA echo "cn = ${name}" >"${TEMPLATE}" echo "ca" >>"${TEMPLATE}" diff --git a/tests/time.c b/tests/time.c new file mode 100644 index 0000000000..7f5240d026 --- /dev/null +++ b/tests/time.c 
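Review bot: `KEY_TYPE_ROOT` is assigned in the first hunk of tests/suite/certs/create-chain.sh but never used: the root-CA branch (`if test ${counter} = 0`) generates its key with `${KEY_TYPE}`, the same variable as the end-certificate branch. The two variables hold the same value today, so the output does not change, but editing `KEY_TYPE_ROOT` or enabling its commented-out rsa-pss variant would silently have no effect; the root line should read `"${CERTTOOL}" ${KEY_TYPE_ROOT} --generate-privkey >"${OUTPUT}/${name}.key" 2>/dev/null`. The intermediate-CA key also moves from `--hash sha384 --salt-size 48` to `--hash sha256 --salt-size 64` through `KEY_TYPE_SUBCA`, which may be unintended and is worth confirming. The `while` loop starts and ends outside these hunks.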
@@ -0,0 +1,94 @@
+/*
+ * Copyright (C) 2019 Red Hat, Inc.
+ *
+ * Author: Nikos Mavrogiannopoulos
+ *
+ * This file is part of GnuTLS.
+ *
+ * GnuTLS is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * GnuTLS is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this program. If not, see <https://www.gnu.org/licenses/>
+ *
+ */
+
+/* That's a unit test of _gnutls_utcTime2gtime() and _gnutls_x509_generalTime2gtime()
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+
+#include <stdio.h>
+#include <stdlib.h>
+
+#include <string.h>
+#include <gnutls/gnutls.h>
+
+#include "utils.h"
+
+time_t _gnutls_utcTime2gtime(const char *ttime);
+time_t _gnutls_x509_generalTime2gtime(const char *ttime);
+
+struct time_tests_st {
+ const char *time_str;
+ time_t utime;
+};
+
+struct time_tests_st general_time_tests[] = {
+ {
+ .time_str = "20190520133237Z",
+ .utime = 1558359157
+ },
+ {
+ .time_str = "20170101000000Z",
+ .utime = 1483228800
+ },
+ {
+ .time_str = "19700101000000Z",
+ .utime = 0
+ },
+};
+
+struct time_tests_st utc_time_tests[] = {
+ {
+ .time_str = "190520133237",
+ .utime = 1558359157
+ },
+ {
+ .time_str = "170101000000Z",
+ .utime = 1483228800
+ },
+};
+
+
+void doit(void)
+{
+ time_t t;
+ unsigned i;
+
+ for (i=0;i<sizeof(general_time_tests)/sizeof(general_time_tests[0]);i++) {
+ t = _gnutls_x509_generalTime2gtime(general_time_tests[i].time_str);
+ if (t != general_time_tests[i].utime) {
+ fprintf(stderr, "%s: Error in GeneralTime conversion\n", general_time_tests[i].time_str);
+ fprintf(stderr, "got: %lu, expected: %lu\n", (unsigned long)t, general_time_tests[i].utime);
+ }
+ }
+
+ for (i=0;i<sizeof(utc_time_tests)/sizeof(utc_time_tests[0]);i++) {
+ t = _gnutls_utcTime2gtime(utc_time_tests[i].time_str);
+ if (t != utc_time_tests[i].utime) {
+ fprintf(stderr, "%s: Error in utcTime conversion\n", utc_time_tests[i].time_str);
+ fprintf(stderr, "got: %lu, expected: %lu\n", (unsigned long)t, utc_time_tests[i].utime);
+ }
+ }
+}
+
|
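Review bot: A mismatch in `doit()` only prints to stderr and the function then returns normally, so this unit test cannot fail when `_gnutls_x509_generalTime2gtime()` or `_gnutls_utcTime2gtime()` returns a wrong value. Both `if (t != ...)` branches should end the test with an error, for example by replacing the two `fprintf` calls with `fail("%s: Error in GeneralTime conversion: got %lu, expected %lu\n", general_time_tests[i].time_str, (unsigned long)t, (unsigned long)general_time_tests[i].utime);`, assuming `fail()` is what the included utils.h provides. The second `fprintf` in each branch also passes `.utime` (a `time_t`) to `%lu` without the cast that is applied to `t`. Since these parsers handle certificate validity dates, cases for malformed or out-of-range strings would be worth adding next to the valid ones.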