Diffstat (limited to 'tests')
-rw-r--r--tests/Makefile.am3
-rw-r--r--tests/cert-common.h216
-rw-r--r--tests/cert-tests/Makefile.am19
-rw-r--r--tests/cert-tests/data/gost-cert-nogost.pem45
-rw-r--r--tests/cert-tests/data/gost-cert.pem20
-rw-r--r--tests/cert-tests/data/gost01.p12bin0 -> 1047 bytes
-rw-r--r--tests/cert-tests/data/gost12-2.p12bin0 -> 1454 bytes
-rw-r--r--tests/cert-tests/data/gost12.p12bin0 -> 1454 bytes
-rw-r--r--tests/cert-tests/data/gost94-cert.pem33
-rw-r--r--tests/cert-tests/data/rfc4490.p7bbin0 -> 300 bytes
-rw-r--r--tests/cert-tests/data/rfc4490.p7b.out14
-rwxr-xr-xtests/cert-tests/gost103
-rwxr-xr-xtests/cert-tests/pem-decoding27
-rwxr-xr-xtests/cert-tests/pkcs12-gost86
-rwxr-xr-xtests/cert-tests/pkcs730
-rw-r--r--tests/chainverify.c6
-rw-r--r--tests/key-import-export.c172
-rw-r--r--tests/oids.c24
-rw-r--r--tests/pkcs11/pkcs11-chainverify.c6
-rw-r--r--tests/privkey-keygen.c13
-rw-r--r--tests/test-chains.h78
-rw-r--r--tests/x509sign-verify-common.h39
-rw-r--r--tests/x509sign-verify-gost.c65
23 files changed, 991 insertions, 8 deletions
diff --git a/tests/Makefile.am b/tests/Makefile.am
index c0beb5acda..437da63e6e 100644
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@@ -159,7 +159,8 @@ ctests += mini-record-2 simple gnutls_hmac_fast set_pkcs12_cred cert certuniquei
client-sign-md5-rep tls12-invalid-key-exchanges session-rdn-read \
tls13-cert-key-exchange x509-cert-callback-ocsp gnutls_ocsp_resp_list_import2 \
server-sign-md5-rep privkey-keygen mini-tls-nonblock no-signal pkcs7-gen dtls-etm \
- x509sign-verify-rsa x509sign-verify-ecdsa mini-alignment oids atfork prf psk-file \
+ x509sign-verify-rsa x509sign-verify-ecdsa x509sign-verify-gost \
+ mini-alignment oids atfork prf psk-file \
status-request status-request-ok status-request-missing sign-verify-ext \
fallback-scsv pkcs8-key-decode urls dtls-rehandshake-cert \
key-usage-rsa key-usage-ecdhe-rsa mini-session-verify-function auto-verify \
diff --git a/tests/cert-common.h b/tests/cert-common.h
index 7f312988ff..dcae0104e5 100644
--- a/tests/cert-common.h
+++ b/tests/cert-common.h
@@ -28,10 +28,16 @@
* CA: ca3_cert, ca3_key
* TLS client: cli_ca3_cert, cli_ca3_key
* TLS client (RSA PSS): cli_ca3_rsa_pss_cert, cli_ca3_rsa_pss_key
+ * TLS client (GOST R 34.10-2001): cligost01_ca3_cert, cligost01_ca3_key
+ * TLS client (GOST R 34.10-2012-256): cligost12_256_ca3_cert, cligost12_256_ca3_key
+ * TLS client (GOST R 34.10-2012-512): cligost12_512_ca3_cert, cligost12_512_ca3_key
* IPv4 server (SAN: IPAddr: 127.0.0.1): server_ca3_ipaddr_cert, server_ca3_key
* IPv4 server (RSA-PSS, SAN: localhost IPAddr: 127.0.0.1): server_ca3_rsa_pss_cert, server_ca3_rsa_pss_key
* IPv4 server (RSA-PSS key, SAN: localhost IPAddr: 127.0.0.1): server_ca3_rsa_pss2_cert, server_ca3_rsa_pss2_key
* IPv4 server (EdDSA, SAN: localhost IPAddr: 127.0.0.1): server_ca3_eddsa_cert, server_ca3_eddsa_key
+ * IPv4 server (GOST R 34.10-2001, SAN: localhost): server_ca3_gost01_cert, server_ca3_gost01_key
+ * IPv4 server (GOST R 34.10-2012-256, SAN: localhost): server_ca3_gost12-256_cert, server_ca3_gost12-256_key
+ * IPv4 server (GOST R 34.10-2012-512, SAN: localhost): server_ca3_gost12-512_cert, server_ca3_gost12-512_key
* IPv6 server: server_ca3_localhost6_cert, server_ca3_key
* IPv4 server: server_ca3_localhost_cert, server_ca3_key
* IPv4 server: server_ca3_localhost_ecc_cert, server_ca3_ecc_key
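Review bot: The index comment names the GOST 2012 server credentials with a hyphen (`server_ca3_gost12-256_cert`, `server_ca3_gost12-512_key`), but the objects this commit defines further down in the file are spelled with an underscore, so searching for the documented name finds nothing. The two lines should list `server_ca3_gost12_256_cert, server_ca3_gost12_256_key` and `server_ca3_gost12_512_cert, server_ca3_gost12_512_key`. The three new server entries are also labelled "IPv4 server" while giving only `SAN: localhost`, unlike the neighbouring entries that carry `IPAddr: 127.0.0.1`; if these certificates have no IP SAN, the label is worth adjusting so nobody uses them for an address-based hostname check. The comment block itself starts outside the hunk.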
@@ -736,6 +742,111 @@ const gnutls_datum_t clidsa_ca3_cert = { (unsigned char*)clidsa_ca3_cert_pem,
sizeof(clidsa_ca3_cert_pem)-1
};
+static char cligost01_ca3_cert_pem[] =
+ "-----BEGIN CERTIFICATE-----\n"
+ "MIIC4zCCAUugAwIBAgIIWcZXXAz6FbgwDQYJKoZIhvcNAQELBQAwDzENMAsGA1UE\n"
+ "AxMEQ0EtMzAgFw0xNzA5MjMxMjQ1MTdaGA85OTk5MTIzMTIzNTk1OVowGzEZMBcG\n"
+ "A1UEAxMQR09TVC0yMDAxIGNsaWVudDBjMBwGBiqFAwICEzASBgcqhQMCAiQABgcq\n"
+ "hQMCAh4BA0MABEBuvOEDe9xPJY9jsnFckLyQ6B5XeDi4Wo2E4c05im/3iI+rlWGI\n"
+ "rTc6hMmWca0BVDL0lObZ0ZHb4Vhy0XREgvtro3YwdDAMBgNVHRMBAf8EAjAAMBMG\n"
+ "A1UdJQQMMAoGCCsGAQUFBwMCMA8GA1UdDwEB/wQFAwMHsAAwHQYDVR0OBBYEFCck\n"
+ "yCTDt+A6zS8SnMRrgbyjeQmoMB8GA1UdIwQYMBaAFPmohhljtqQUE2B2DwGaNTbv\n"
+ "8bSvMA0GCSqGSIb3DQEBCwUAA4IBgQACkq/DQhHMEZPL0NwPFpnf2+RDviEuRE+C\n"
+ "xaOMTbHgxIUSy6xQAaHXK5hNr9xk87OFPPXmNKPl1nVBXrDF0aj+YUVBT2QeJIpA\n"
+ "APfyjnPtdZpRl3MXrJbQ/VBCdShvmKhspiOkGO6K8ETDeqE57qtPsUaGApfNK7oL\n"
+ "WgevmnkaQqNTVJglOoB5o5IDNv0JuFEkKSEvCgS25OV+gl0rRHmWDaIdQtDJLQjV\n"
+ "24b99/woYj0Ql8WfvMUUUYqTX03zmV56k5DgoNusTxKG+r71WQwbeb3XiVjof6I7\n"
+ "ll3ANTdyf/KrysLx/tk1pNgfangArpAZzbCRejTQVYdVfCf3KDdwXvKlTHy9Jv+p\n"
+ "ZUSf7kMnBqcUHpbceiyHFCXNAKIdrMDkTJAeee7ktpeYMfdO9oBki+6a8RJjNHIr\n"
+ "wHe0DcExV7UsokG6jMl8kH7gb7EW0UphL3ncWyY8C4jbtf/q1kci6SZDcapXBpGp\n"
+ "adJdx9bycdOUm1cGiboUMMPiCA5bO+Q=\n"
+ "-----END CERTIFICATE-----\n";
+
+static char cligost01_ca3_key_pem[] =
+ "-----BEGIN PRIVATE KEY-----\n"
+ "MEUCAQAwHAYGKoUDAgITMBIGByqFAwICJAAGByqFAwICHgEEIgQgVPdBJeLrp/Zh\n"
+ "2tiV6qz9N6HraKTFTKz4alNuGhK2iLM=\n"
+ "-----END PRIVATE KEY-----\n";
+
+const gnutls_datum_t cligost01_ca3_key = { (unsigned char*)cligost01_ca3_key_pem,
+ sizeof(cligost01_ca3_key_pem)-1
+};
+
+const gnutls_datum_t cligost01_ca3_cert = { (unsigned char*)cligost01_ca3_cert_pem,
+ sizeof(cligost01_ca3_cert_pem)-1
+};
+
+static char cligost12_256_ca3_cert_pem[] =
+ "-----BEGIN CERTIFICATE-----\n"
+ "MIIC6jCCAVKgAwIBAgIIWcalgS6c0DMwDQYJKoZIhvcNAQELBQAwDzENMAsGA1UE\n"
+ "AxMEQ0EtMzAgFw0xNzA5MjMxODE4NDJaGA85OTk5MTIzMTIzNTk1OVowHzEdMBsG\n"
+ "A1UEAxMUR09TVCAyMDEyLzI1NiBjbGllbnQwZjAfBggqhQMHAQEBATATBgcqhQMC\n"
+ "AiQABggqhQMHAQECAgNDAARArjme5Fb62BC4uPT8vQVim3xTjYY/RVvvUtAfYluY\n"
+ "o+8Zjz8A8VTFejK0Zok5f1dssbzrrHtRODJZsCuAjypIXqN2MHQwDAYDVR0TAQH/\n"
+ "BAIwADATBgNVHSUEDDAKBggrBgEFBQcDAjAPBgNVHQ8BAf8EBQMDB7AAMB0GA1Ud\n"
+ "DgQWBBTzHDVZRnSgaq4M3B7NdLResyKgajAfBgNVHSMEGDAWgBT5qIYZY7akFBNg\n"
+ "dg8BmjU27/G0rzANBgkqhkiG9w0BAQsFAAOCAYEAtAGi0lQdBC9Mp/TdqYFuMIDr\n"
+ "o/xGbie6Eq33BiqXo6B5DOiPZcE1Mi+y4htefvrEBkN4OLy4PbUHlfEC/ATs3X9S\n"
+ "cUHucm6gkyzUxTLPYPfTmXD24MRFDAJQKMvX8Pklbi7HyFZVYIQaJfEohaQZmuYR\n"
+ "S7Z03MW0Cbz6j7LGQl1Pyix78BLKeyLyAzQz63+hCuO46xp7TaGDKGI79Dd6Od0p\n"
+ "oY/B/MxfuP3RXhHrpjgp+Ev08dYoCH3Snps+TYWSyhkN0VhGRJgE5Tnhdly8XMW3\n"
+ "WKZqGYmWG+rBtiTgA6FZrw0qYwAsmN3yCo5pE+Ukd0Q5L0tugc0a9HK53AftG/zV\n"
+ "qf0DI+E4dEnUkVhdEQbW+rujGpAR0sgjgar5Zvwuu92BaV+AFucj7hVP1fqDySmp\n"
+ "E52EzrFcnCYrZb19aDJKgWevG5Vh6OEcu8Vx/zVFOoTx9ZCXniVLm7PaXyKXdhLv\n"
+ "Vhg3mi7koFAPGlTiKldJ/LKKPW0yti3I8L/p2F5+\n"
+ "-----END CERTIFICATE-----\n";
+
+static char cligost12_256_ca3_key_pem[] =
+ "-----BEGIN PRIVATE KEY-----\n"
+ "MEgCAQAwHwYIKoUDBwEBAQEwEwYHKoUDAgIkAAYIKoUDBwEBAgIEIgQgnA1XIfe2\n"
+ "V3D0UVFQTRCHolA9v+r5cDt2tlr1gTZbDC8=\n"
+ "-----END PRIVATE KEY-----\n";
+
+const gnutls_datum_t cligost12_256_ca3_key = { (unsigned char*)cligost12_256_ca3_key_pem,
+ sizeof(cligost12_256_ca3_key_pem)-1
+};
+
+const gnutls_datum_t cligost12_256_ca3_cert = { (unsigned char*)cligost12_256_ca3_cert_pem,
+ sizeof(cligost12_256_ca3_cert_pem)-1
+};
+
+static char cligost12_512_ca3_cert_pem[] =
+ "-----BEGIN CERTIFICATE-----\n"
+ "MIIDLzCCAZegAwIBAgIIWcalYA16syEwDQYJKoZIhvcNAQELBQAwDzENMAsGA1UE\n"
+ "AxMEQ0EtMzAgFw0xNzA5MjMxODE4MDhaGA85OTk5MTIzMTIzNTk1OVowHzEdMBsG\n"
+ "A1UEAxMUR09TVCAyMDEyLzUxMiBjbGllbnQwgaowIQYIKoUDBwEBAQIwFQYJKoUD\n"
+ "BwECAQIBBggqhQMHAQECAwOBhAAEgYCyAdmv9viBTnemLvULAZ9RyaEf37ZAydKj\n"
+ "E3qLbZ5tTxgLAYhIIGApVPVb5SZxge3u2qY/ekkHjz9Asn5cPQ69wCvce87+2u1f\n"
+ "XcATUzYvR3UIL25C5BbNjDjGnufhjYAwT6uZ5xQ7j8/Wfr0MZU04O2CSUquKqfrB\n"
+ "DA81M2HvUqN2MHQwDAYDVR0TAQH/BAIwADATBgNVHSUEDDAKBggrBgEFBQcDAjAP\n"
+ "BgNVHQ8BAf8EBQMDB7AAMB0GA1UdDgQWBBRYXgWHcQazcPFyxKrgRdfd2IPBozAf\n"
+ "BgNVHSMEGDAWgBT5qIYZY7akFBNgdg8BmjU27/G0rzANBgkqhkiG9w0BAQsFAAOC\n"
+ "AYEAUOpvomUtaFQm5O8bEQk/d3ghZLzwfMKRngSq0XbXDi8t+TV+kFvkzJ/hrAOP\n"
+ "/HPCQdnEvdV2HyZzDb9b8cVegRHPPooKSV8+HCTNVXNKZPRSlE42S5kFIAnAxbs5\n"
+ "vzGfipp6jQe9dqlCYseikxnE31o3AX7QAlNBaXELu0JnEY5BoJeKoja8XS40b1k9\n"
+ "kKRwAGkdh1OcAy6pW8AH4m61RMDWFzmPGgcb0JiDNp+9HQDSkG904niU8AlvmoQD\n"
+ "Q2AVd9mam4NIjmA0hkVuSh+7Tn2XnoGoGxN/+u72qaSUA6ybkbtkIKpMeJ8vciI1\n"
+ "6GRhBYpI0OuRiAIbDA9WhfCCKwj9ZaIsSSHC7qADRz3bR/89Et1mM40v5jbYNDkV\n"
+ "1cvlca3+pK3DxNP7y/q3QoUz8++z9VXzsdVHc4wNUyg4E8mjMcdLlRsZbST0WjX+\n"
+ "IhxAkfOexMu3nJ3EVbjgvox6eIxjiTWr2DP6x666UztrnFSBhhypwKHb8jW7PYJ2\n"
+ "lWlI\n"
+ "-----END CERTIFICATE-----\n";
+
+static char cligost12_512_ca3_key_pem[] =
+ "-----BEGIN PRIVATE KEY-----\n"
+ "MGoCAQAwIQYIKoUDBwEBAQIwFQYJKoUDBwECAQIBBggqhQMHAQECAwRCBEA9uga7\n"
+ "LIPp1heDZYj5EozNtbrmsKYMXrFasBIVAFFVQVFd6/+YjttV6Vmx16OFWrM+/ydX\n"
+ "rB0aUqYPU8w5DUyk\n"
+ "-----END PRIVATE KEY-----\n";
+
+const gnutls_datum_t cligost12_512_ca3_key = { (unsigned char*)cligost12_512_ca3_key_pem,
+ sizeof(cligost12_512_ca3_key_pem)-1
+};
+
+const gnutls_datum_t cligost12_512_ca3_cert = { (unsigned char*)cligost12_512_ca3_cert_pem,
+ sizeof(cligost12_512_ca3_cert_pem)-1
+};
+
static char server_ca3_ecc_key_pem[] =
"-----BEGIN EC PRIVATE KEY-----\n"
"MHgCAQEEIQDn1XFX7QxTKXl2ekfSrEARsq+06ySEeeOB+N0igwcNLqAKBggqhkjO\n"
@@ -975,6 +1086,111 @@ const gnutls_datum_t server_ca3_eddsa_cert = { (unsigned char*)server_ca3_eddsa_
sizeof(server_ca3_eddsa_cert_pem)-1
};
+static char server_ca3_gost01_key_pem[] =
+ "-----BEGIN PRIVATE KEY-----\n"
+ "MEUCAQAwHAYGKoUDAgITMBIGByqFAwICJAAGByqFAwICHgEEIgQgR1lBLIr4WBpn\n"
+ "4MOCH8oxGWb52EPNL3gjNJiQuBQuf6U=\n"
+ "-----END PRIVATE KEY-----\n";
+
+const gnutls_datum_t server_ca3_gost01_key = { (unsigned char*)server_ca3_gost01_key_pem,
+ sizeof(server_ca3_gost01_key_pem)-1
+};
+
+static char server_ca3_gost01_cert_pem[] =
+ "-----BEGIN CERTIFICATE-----\n"
+ "MIIC7TCCAVWgAwIBAgIIWcZJ7xuHksUwDQYJKoZIhvcNAQELBQAwDzENMAsGA1UE\n"
+ "AxMEQ0EtMzAgFw0xNzA5MjMxMTQ4MDFaGA85OTk5MTIzMTIzNTk1OVowDTELMAkG\n"
+ "A1UEAxMCR1IwYzAcBgYqhQMCAhMwEgYHKoUDAgIkAAYHKoUDAgIeAQNDAARA0Lvp\n"
+ "9MaoYDxzkURVz71Q3Sw9Wrwa2F483xDd0mOID8CK7JY8C8gz/1dfZniUObT1JMa6\n"
+ "hkGsQyFvPLD6Vr1bN6OBjTCBijAMBgNVHRMBAf8EAjAAMBQGA1UdEQQNMAuCCWxv\n"
+ "Y2FsaG9zdDATBgNVHSUEDDAKBggrBgEFBQcDATAPBgNVHQ8BAf8EBQMDBzAAMB0G\n"
+ "A1UdDgQWBBSGUfwGWchcx3r3TNANllOEOFkTWDAfBgNVHSMEGDAWgBT5qIYZY7ak\n"
+ "FBNgdg8BmjU27/G0rzANBgkqhkiG9w0BAQsFAAOCAYEAXrO06eHEXlsbmRgSvCtu\n"
+ "mnXCG6KNI6K4WS411Adj3wLkfURlbLMTT6tBFLRq5EVWQqp867/xk577Rd85yC0P\n"
+ "biNXr0Am2DXEPOJnrmh3D/R8hy5gSozoZM7jfy3D9FK6l2O458teBe1l/aBZL7FW\n"
+ "EbM6W5SMqlDMkcZSa8hSuUHUtcTIbQzGdqkR9y/res8+INsRInpHgVZdEmTls8QM\n"
+ "UoBQMXtRgfAp22HHeCnH1rygTVglujU3SPAVEasKpN+D7ht4x2/M0sqljWmyew1B\n"
+ "ENyJ6fvnjLJLpLLoj3220cM+w7K+N5F2YKPi5POkSJJTUrsjUWpKD+J6V7NzPrYb\n"
+ "VtDA/qn1MJwJvob2L5lDcMPos4mk/HTRWT0MwcBovSGjLpVzrzGgVFdRzlxNDfWj\n"
+ "1qWGbXbdYK4akvQasESIfVu7jBROL9zm2JEGEvJYNMORqFUHczzpVyYhBiX3KCJb\n"
+ "6pd0K2Nq/UXI16aCWEw8hEiVHUwDd+0Qc3NR/DgeFciz\n"
+ "-----END CERTIFICATE-----\n";
+
+const gnutls_datum_t server_ca3_gost01_cert = { (unsigned char*)server_ca3_gost01_cert_pem,
+ sizeof(server_ca3_gost01_cert_pem)-1
+};
+
+static char server_ca3_gost12_256_key_pem[] =
+ "-----BEGIN PRIVATE KEY-----\n"
+ "MEgCAQAwHwYIKoUDBwEBAQEwEwYHKoUDAgIkAAYIKoUDBwEBAgIEIgQg0+JttJEV\n"
+ "Ud+XBzX9q13ByKK+j2b+mEmNIo1yB0wGleo=\n"
+ "-----END PRIVATE KEY-----\n";
+
+const gnutls_datum_t server_ca3_gost12_256_key = { (unsigned char*)server_ca3_gost12_256_key_pem,
+ sizeof(server_ca3_gost12_256_key_pem)-1
+};
+
+static char server_ca3_gost12_256_cert_pem[] =
+ "-----BEGIN CERTIFICATE-----\n"
+ "MIIC8DCCAVigAwIBAgIIWcZKgxkCMvcwDQYJKoZIhvcNAQELBQAwDzENMAsGA1UE\n"
+ "AxMEQ0EtMzAgFw0xNzA5MjMxMTUwMjhaGA85OTk5MTIzMTIzNTk1OVowDTELMAkG\n"
+ "A1UEAxMCR1IwZjAfBggqhQMHAQEBATATBgcqhQMCAiQABggqhQMHAQECAgNDAARA\n"
+ "J9sMEEx0JW9QsT5bDqyc0TNcjVg9ZSdp4GkMtShM+OOgyBGrWK3zLP5IzHYSXja8\n"
+ "373QrJOUvdX7T7TUk5yU5aOBjTCBijAMBgNVHRMBAf8EAjAAMBQGA1UdEQQNMAuC\n"
+ "CWxvY2FsaG9zdDATBgNVHSUEDDAKBggrBgEFBQcDATAPBgNVHQ8BAf8EBQMDBzAA\n"
+ "MB0GA1UdDgQWBBQYSEtdwsYrtnOq6Ya3nt8DgFPCQjAfBgNVHSMEGDAWgBT5qIYZ\n"
+ "Y7akFBNgdg8BmjU27/G0rzANBgkqhkiG9w0BAQsFAAOCAYEAikKRQ2s/mldqX1eX\n"
+ "DGXdQZs6S/RXywYCKYTr683TvXF5b3O80pM/kdwvD9/0LQhF/kkHawjGTEj6RbYe\n"
+ "rsAc3HQFq9AGrllin18nPRkVaOkxZQot5plfMBdJ6GVoe6shWejShZubDWsEmuoQ\n"
+ "jPW2P9lBbEuOuet0XLd5+uaoVmjPGpKaneWQxGyfT0eEfKVj+89zdX8MAf9aoEJf\n"
+ "RZulc73W91v51cX2zxnpA9u2XODMfBQIItAzi5+7jTzAExMFmx8dkzx+tM7D3Htr\n"
+ "/6Xajc2j6NnLmT56e+MAmEpf4AP7XdIVhyPvRIpW8V+bIvaFxo2XUKBipU9DarCi\n"
+ "o/0x8x4UaKlKQ8SkyppE2nDK98rPyObyWb6l5IN3fjv2XBjcwTz+t/SzzfHJNY7I\n"
+ "3I9J5vlWIG94FQn8Tj9vQ4swcNotVM74koaV7ZYWJm2mhZirVHwYBa3joHSVEs0u\n"
+ "m53rVbR+3MyzmsVtKIbqg76Tcf2Nm/cs+amFNCmB4vgcKhHO\n"
+ "-----END CERTIFICATE-----\n";
+
+const gnutls_datum_t server_ca3_gost12_256_cert = { (unsigned char*)server_ca3_gost12_256_cert_pem,
+ sizeof(server_ca3_gost12_256_cert_pem)-1
+};
+
+static char server_ca3_gost12_512_key_pem[] =
+ "-----BEGIN PRIVATE KEY-----\n"
+ "MGoCAQAwIQYIKoUDBwEBAQIwFQYJKoUDBwECAQIBBggqhQMHAQECAwRCBECS7bAh\n"
+ "TP5um5bxziaKkhb6xSI5WBQCSlaiHPBaMbgmgJiF8RubF7k0YMefpt0+sA3GvVGA\n"
+ "KjL7CLBERDm7Yvlv\n"
+ "-----END PRIVATE KEY-----\n";
+
+const gnutls_datum_t server_ca3_gost12_512_key = { (unsigned char*)server_ca3_gost12_512_key_pem,
+ sizeof(server_ca3_gost12_512_key_pem)-1
+};
+
+static char server_ca3_gost12_512_cert_pem[] =
+ "-----BEGIN CERTIFICATE-----\n"
+ "MIIDNTCCAZ2gAwIBAgIIWcZKvSvigz0wDQYJKoZIhvcNAQELBQAwDzENMAsGA1UE\n"
+ "AxMEQ0EtMzAgFw0xNzA5MjMxMTUxMjZaGA85OTk5MTIzMTIzNTk1OVowDTELMAkG\n"
+ "A1UEAxMCR1IwgaowIQYIKoUDBwEBAQIwFQYJKoUDBwECAQIBBggqhQMHAQECAwOB\n"
+ "hAAEgYAyMiKX4UdLpmVkJehhIY44Y2enFpWCeNSR6OocfHC8R6KTo0qxxEEcWm53\n"
+ "yNO3vSI5StDGbqEvJ4H28gBCNC8nIIjoA064jvJddDRDP2K9ZfgOah7GfToeOoo1\n"
+ "JT00+lhGcyv8lEUJo4NE0BUFD0K8En5FvJSc2yDcGhwllqkncaOBjTCBijAMBgNV\n"
+ "HRMBAf8EAjAAMBQGA1UdEQQNMAuCCWxvY2FsaG9zdDATBgNVHSUEDDAKBggrBgEF\n"
+ "BQcDATAPBgNVHQ8BAf8EBQMDBzAAMB0GA1UdDgQWBBTzbWGJHENCLWA8WBZ5nIN5\n"
+ "xgOWfDAfBgNVHSMEGDAWgBT5qIYZY7akFBNgdg8BmjU27/G0rzANBgkqhkiG9w0B\n"
+ "AQsFAAOCAYEAi6XPIwiObZWVZbKPavY0itehtVC+c2jVoMMEToAfUx0w8zVGgCI9\n"
+ "bAN3/ONIZqXZ4m4n1zOz7xoWyCSZ34EnHPLyDsxvtFDJf5jasVGpOe3hPAnk56OY\n"
+ "D8SI5g6KI9yp0ZGjA1Q10u8pR7XJWAhySfbcLBZCHqi+okO91za9wTUIz3sXjchI\n"
+ "3WZSIqttT3sx3K1RfvFENXLQm+ctim08CJsA1kmUO4i4nU7KvG4thMW7GERZOi+L\n"
+ "F00WtDvSv5yDeuNyfB2GUZU1fMfkLzJk6qlzPY3Tfs4+x87F2TToC8zI9xf6ykin\n"
+ "edg9NbHMV4o4fGb81G9I1iQ7W1E9wDsQ3ZPl65q3L+pV9Vi7fw87AxrD8ccyLi30\n"
+ "C7HeG4LrIa6PQwTKSUwHayIkHCEG66Q5Tx6MK4qMYsNFCRsesKfEAfo1ZsHNcL1u\n"
+ "t8spicVYd8Z8nIH1y31KxUmoHzsTzHHrkBj70C1QCgw0l0HqzGpoFutJOxSoAG1/\n"
+ "W/XeciR4jbN5\n"
+ "-----END CERTIFICATE-----\n";
+
+const gnutls_datum_t server_ca3_gost12_512_cert = { (unsigned char*)server_ca3_gost12_512_cert_pem,
+ sizeof(server_ca3_gost12_512_cert_pem)-1
+};
+
/* shares server_ca3 key */
static char server_localhost6_ca3_cert_pem[] =
"-----BEGIN CERTIFICATE-----\n"
diff --git a/tests/cert-tests/Makefile.am b/tests/cert-tests/Makefile.am
index 150681e325..ff38b23bc4 100644
--- a/tests/cert-tests/Makefile.am
+++ b/tests/cert-tests/Makefile.am
@@ -43,7 +43,8 @@ EXTRA_DIST = data/ca-no-pathlen.pem data/no-ca-or-pathlen.pem data/aki-cert.pem
data/template-krb5name.pem data/template-krb5name-full.pem data/template-test-ecc.key \
data/template-rsa-sha3-256.pem data/template-rsa-sha3-512.pem data/template-rsa-sha3-224.pem \
data/template-rsa-sha3-384.pem data/long-oids.pem \
- data/name-constraints-ip2.pem data/chain-md5.pem data/gost-cert.pem \
+ data/name-constraints-ip2.pem data/chain-md5.pem \
+ data/gost-cert.pem data/gost-cert-nogost.pem data/gost94-cert.pem \
templates/template-tlsfeature.tmpl data/userid.pem data/cert-with-crl.p12 \
data/template-tlsfeature.pem data/template-tlsfeature.csr \
templates/template-tlsfeature-crq.tmpl templates/arb-extensions.tmpl data/arb-extensions.pem \
@@ -89,7 +90,8 @@ EXTRA_DIST = data/ca-no-pathlen.pem data/no-ca-or-pathlen.pem data/aki-cert.pem
data/pkcs8-pbes1-des-md5.pem data/pkcs8-invalid8.der data/key-invalid1.der \
data/key-invalid4.der data/key-invalid5.der data/key-invalid6.der \
data data/pkcs8-invalid9.der data/key-invalid2.der data/pkcs8-invalid10.der \
- data/key-invalid3.der data/pkcs8-eddsa.pem data/pkcs8-eddsa.pem.txt
+ data/key-invalid3.der data/pkcs8-eddsa.pem data/pkcs8-eddsa.pem.txt \
+ data/rfc4490.p7b data/rfc4490.p7b.out data/gost01.p12 data/gost12.p12 data/gost12-2.p12
dist_check_SCRIPTS = pathlen aki invalid-sig email \
pkcs7 pkcs7-broken-sigs privkey-import name-constraints certtool-long-cn crl provable-privkey \
@@ -118,6 +120,13 @@ if ENABLE_DANE
dist_check_SCRIPTS += dane
endif
+if ENABLE_GOST
+dist_check_SCRIPTS += gost
+if !WINDOWS
+dist_check_SCRIPTS += pkcs12-gost
+endif
+endif
+
dist_check_SCRIPTS += certtool-rsa-pss certtool-eddsa
TESTS = $(dist_check_SCRIPTS)
@@ -141,5 +150,11 @@ if WINDOWS
TESTS_ENVIRONMENT += WINDOWS=1
endif
+if ENABLE_GOST
+TESTS_ENVIRONMENT += ENABLE_GOST=1
+else
+TESTS_ENVIRONMENT += ENABLE_GOST=0
+endif
+
distclean-local:
rm -rf tmp-* *.tmp
diff --git a/tests/cert-tests/data/gost-cert-nogost.pem b/tests/cert-tests/data/gost-cert-nogost.pem
new file mode 100644
index 0000000000..bf280349fd
--- /dev/null
+++ b/tests/cert-tests/data/gost-cert-nogost.pem
@@ -0,0 +1,45 @@
+X.509 Certificate Information:
+ Version: 3
+ Serial Number (hex): 011f
+ Issuer: CN=SuperPlat CA 01,OU=SuperPlat CA,O=SuperPlat,L=Moscow,ST=Russia,C=RU
+ Validity:
+ Not Before: Fri Aug 17 06:47:36 UTC 2012
+ Not After: Sat Aug 17 06:47:36 UTC 2013
+ Subject: CN=SuperTerm0000001,OU=SuperPlat Terminals,O=SuperPlat,L=Moscow,ST=Russia,C=RU
+ Subject Public Key Algorithm: GOST R 34.10-2001
+ Extensions:
+ Basic Constraints (not critical):
+ Certificate Authority (CA): FALSE
+ Unknown extension 2.16.840.1.113730.1.13 (not critical):
+ ASCII: ..OpenSSL Generated Certificate
+ Hexdump: 161d4f70656e53534c2047656e657261746564204365727469666963617465
+ Subject Key Identifier (not critical):
+ 43fe227895724f4e3a74f264e4fd0b800c082e03
+ Authority Key Identifier (not critical):
+ 9875a3b785c1641b23344d9bfbae0c2a256b44eb
+ Signature Algorithm: GOSTR341001
+ Signature:
+ 8f:37:24:fd:be:f0:37:d9:f3:1a:5c:31:5e:33:ef:35
+ 61:93:07:03:3d:4d:e8:2c:1b:39:a2:6c:d4:2f:85:35
+ b2:43:1d:ed:b5:15:45:c7:10:38:41:28:68:29:62:20
+ e6:92:8a:64:34:87:b8:b9:9f:ab:c8:04:6d:26:55:99
+Other Information:
+ Fingerprint:
+ sha1:621f34c4fdd7e93f9b8f18224ba0bcd1c63a4771
+ sha256:ac6ecf4e7a876edf3e61f538d6061353c2015bfbdf60370492f7404d7f09e13a
+
+-----BEGIN CERTIFICATE-----
+MIICXjCCAgugAwIBAgICAR8wCgYGKoUDAgIDBQAwdDELMAkGA1UEBhMCUlUxDzAN
+BgNVBAgMBlJ1c3NpYTEPMA0GA1UEBwwGTW9zY293MRIwEAYDVQQKDAlTdXBlclBs
+YXQxFTATBgNVBAsMDFN1cGVyUGxhdCBDQTEYMBYGA1UEAwwPU3VwZXJQbGF0IENB
+IDAxMB4XDTEyMDgxNzA2NDczNloXDTEzMDgxNzA2NDczNlowfDELMAkGA1UEBhMC
+UlUxDzANBgNVBAgMBlJ1c3NpYTEPMA0GA1UEBwwGTW9zY293MRIwEAYDVQQKDAlT
+dXBlclBsYXQxHDAaBgNVBAsME1N1cGVyUGxhdCBUZXJtaW5hbHMxGTAXBgNVBAMM
+EFN1cGVyVGVybTAwMDAwMDEwYzAcBgYqhQMCAhMwEgYHKoUDAgIjAQYHKoUDAgIe
+AQNDAARA69rbaWL2GSV1NVaWMSrWRX8d/frrwbVjJerPQKjyNeDYZxgSjTTp3dck
+6fQLx2OjQsu6n+vdyBPQex/iwbJBV6N7MHkwCQYDVR0TBAIwADAsBglghkgBhvhC
+AQ0EHxYdT3BlblNTTCBHZW5lcmF0ZWQgQ2VydGlmaWNhdGUwHQYDVR0OBBYEFEP+
+IniVck9OOnTyZOT9C4AMCC4DMB8GA1UdIwQYMBaAFJh1o7eFwWQbIzRNm/uuDCol
+a0TrMAoGBiqFAwICAwUAA0EAjzck/b7wN9nzGlwxXjPvNWGTBwM9TegsGzmibNQv
+hTWyQx3ttRVFxxA4QShoKWIg5pKKZDSHuLmfq8gEbSZVmQ==
+-----END CERTIFICATE-----
diff --git a/tests/cert-tests/data/gost-cert.pem b/tests/cert-tests/data/gost-cert.pem
index edcdb9e8a6..1501f83c4c 100644
--- a/tests/cert-tests/data/gost-cert.pem
+++ b/tests/cert-tests/data/gost-cert.pem
@@ -6,7 +6,18 @@ X.509 Certificate Information:
Not Before: Fri Aug 17 06:47:36 UTC 2012
Not After: Sat Aug 17 06:47:36 UTC 2013
Subject: CN=SuperTerm0000001,OU=SuperPlat Terminals,O=SuperPlat,L=Moscow,ST=Russia,C=RU
- Subject Public Key Algorithm: 1.2.643.2.2.19
+ Subject Public Key Algorithm: GOST R 34.10-2001
+ Algorithm Security Level: High (256 bits)
+ Curve: CryptoPro-A
+ Digest: GOSTR341194
+ ParamSet: CryptoPro-A
+ X:
+ 00:e0:35:f2:a8:40:cf:ea:25:63:b5:c1:eb:fa:fd:1d
+ 7f:45:d6:2a:31:96:56:35:75:25:19:f6:62:69:db:da
+ eb
+ Y:
+ 57:41:b2:c1:e2:1f:7b:d0:13:c8:dd:eb:9f:ba:cb:42
+ a3:63:c7:0b:f4:e9:24:d7:dd:e9:34:8d:12:18:67:d8
Extensions:
Basic Constraints (not critical):
Certificate Authority (CA): FALSE
@@ -17,7 +28,7 @@ X.509 Certificate Information:
43fe227895724f4e3a74f264e4fd0b800c082e03
Authority Key Identifier (not critical):
9875a3b785c1641b23344d9bfbae0c2a256b44eb
- Signature Algorithm: 1.2.643.2.2.3
+ Signature Algorithm: GOSTR341001
Signature:
8f:37:24:fd:be:f0:37:d9:f3:1a:5c:31:5e:33:ef:35
61:93:07:03:3d:4d:e8:2c:1b:39:a2:6c:d4:2f:85:35
@@ -27,6 +38,11 @@ Other Information:
Fingerprint:
sha1:621f34c4fdd7e93f9b8f18224ba0bcd1c63a4771
sha256:ac6ecf4e7a876edf3e61f538d6061353c2015bfbdf60370492f7404d7f09e13a
+ Public Key ID:
+ sha1:43757042dae9e9f5fa92cc2d2cbf4950f28a7bd0
+ sha256:cee4a59e7803bafb101af8e39e5355d7895e3b85e7616fe624d48f2c51e8bdbf
+ Public Key PIN:
+ pin-sha256:zuSlnngDuvsQGvjjnlNV14leO4XnYW/mJNSPLFHovb8=
-----BEGIN CERTIFICATE-----
MIICXjCCAgugAwIBAgICAR8wCgYGKoUDAgIDBQAwdDELMAkGA1UEBhMCUlUxDzAN
diff --git a/tests/cert-tests/data/gost01.p12 b/tests/cert-tests/data/gost01.p12
new file mode 100644
index 0000000000..1420fbc69a
--- /dev/null
+++ b/tests/cert-tests/data/gost01.p12
Binary files differ
diff --git a/tests/cert-tests/data/gost12-2.p12 b/tests/cert-tests/data/gost12-2.p12
new file mode 100644
index 0000000000..d7b7a6249c
--- /dev/null
+++ b/tests/cert-tests/data/gost12-2.p12
Binary files differ
diff --git a/tests/cert-tests/data/gost12.p12 b/tests/cert-tests/data/gost12.p12
new file mode 100644
index 0000000000..d7b7a6249c
--- /dev/null
+++ b/tests/cert-tests/data/gost12.p12
Binary files differ
diff --git a/tests/cert-tests/data/gost94-cert.pem b/tests/cert-tests/data/gost94-cert.pem
new file mode 100644
index 0000000000..f4d63fb9d1
--- /dev/null
+++ b/tests/cert-tests/data/gost94-cert.pem
@@ -0,0 +1,33 @@
+X.509 Certificate Information:
+ Version: 1
+ Serial Number (hex): 230ee360469524cec70be494182e7eeb
+ Issuer: EMAIL=GostR3410-94@example.com,C=RU,O=CryptoPro,CN=GostR3410-94 example
+ Validity:
+ Not Before: Tue Aug 16 12:32:50 UTC 2005
+ Not After: Sun Aug 16 12:32:50 UTC 2015
+ Subject: EMAIL=GostR3410-94@example.com,C=RU,O=CryptoPro,CN=GostR3410-94 example
+ Subject Public Key Algorithm: 1.2.643.2.2.20
+ Signature Algorithm: 1.2.643.2.2.4
+ Signature:
+ 11:c7:08:7e:12:dc:02:f1:02:23:29:47:76:8f:47:2a
+ 81:83:50:e3:07:cc:f2:e4:31:23:89:42:c8:73:e1:de
+ 22:f7:85:f3:55:bd:94:ec:46:91:9c:67:ac:58:d7:05
+ 2a:a7:8c:b7:85:2a:01:75:85:f7:d7:38:03:fb:cd:43
+Other Information:
+ Fingerprint:
+ sha1:d43782a1f943a966f4ea1ac96bd048fe68d4d951
+ sha256:19260c765a2c820be3612dc0431c045d37570f8e4de58ba218f10a8eeb0d42d7
+
+-----BEGIN CERTIFICATE-----
+MIICCzCCAboCECMO42BGlSTOxwvklBgufuswCAYGKoUDAgIEMGkxHTAbBgNVBAMM
+FEdvc3RSMzQxMC05NCBleGFtcGxlMRIwEAYDVQQKDAlDcnlwdG9Qcm8xCzAJBgNV
+BAYTAlJVMScwJQYJKoZIhvcNAQkBFhhHb3N0UjM0MTAtOTRAZXhhbXBsZS5jb20w
+HhcNMDUwODE2MTIzMjUwWhcNMTUwODE2MTIzMjUwWjBpMR0wGwYDVQQDDBRHb3N0
+UjM0MTAtOTQgZXhhbXBsZTESMBAGA1UECgwJQ3J5cHRvUHJvMQswCQYDVQQGEwJS
+VTEnMCUGCSqGSIb3DQEJARYYR29zdFIzNDEwLTk0QGV4YW1wbGUuY29tMIGlMBwG
+BiqFAwICFDASBgcqhQMCAiACBgcqhQMCAh4BA4GEAASBgLuEZuF5nls02CyAfxOo
+GWZxV/6MVCUhR28wCyd3RpjG+0dVvrey85NsObVCNyaE4g0QiiQOHwxCTSs7ESuo
+v2Y5MlyUi8Go/htjEvYJJYfMdRv05YmKCYJo01x3pg+2kBATjeM+fJyR1qwNCCw+
+eMG1wra3Gqgqi0WBkzIydvp7MAgGBiqFAwICBANBABHHCH4S3ALxAiMpR3aPRyqB
+g1DjB8zy5DEjiULIc+HeIveF81W9lOxGkZxnrFjXBSqnjLeFKgF1hffXOAP7zUM=
+-----END CERTIFICATE-----
diff --git a/tests/cert-tests/data/rfc4490.p7b b/tests/cert-tests/data/rfc4490.p7b
new file mode 100644
index 0000000000..c6979804b8
--- /dev/null
+++ b/tests/cert-tests/data/rfc4490.p7b
Binary files differ
diff --git a/tests/cert-tests/data/rfc4490.p7b.out b/tests/cert-tests/data/rfc4490.p7b.out
new file mode 100644
index 0000000000..8237d70359
--- /dev/null
+++ b/tests/cert-tests/data/rfc4490.p7b.out
@@ -0,0 +1,14 @@
+Signers:
+ Signer's issuer DN: EMAIL=GostR3410-2001@example.com,C=RU,O=CryptoPro,CN=GostR3410-2001 example
+ Signer's serial: 2bf5c61ec211bd17c7dcd46266b42e21
+ Signature Algorithm: GOSTR341001
+
+-----BEGIN PKCS7-----
+MIIBKAYJKoZIhvcNAQcCoIIBGTCCARUCAQExDDAKBgYqhQMCAgkFADAbBgkqhkiG
+9w0BBwGgDgQMc2FtcGxlIHRleHQKMYHkMIHhAgEBMIGBMG0xHzAdBgNVBAMMFkdv
+c3RSMzQxMC0yMDAxIGV4YW1wbGUxEjAQBgNVBAoMCUNyeXB0b1BybzELMAkGA1UE
+BhMCUlUxKTAnBgkqhkiG9w0BCQEWGkdvc3RSMzQxMC0yMDAxQGV4YW1wbGUuY29t
+AhAr9cYewhG9F8fc1GJmtC4hMAoGBiqFAwICCQUAMAoGBiqFAwICEwUABEDAw0LZ
+P4/+JRERiHe/icPbg0IE1iD5aCqZ9v4wO+T0yPjVtNr74caRZzQfvKZ6DRJ7/RAl
+xlHbjbL0jHF+7XKp
+-----END PKCS7-----
diff --git a/tests/cert-tests/gost b/tests/cert-tests/gost
new file mode 100755
index 0000000000..885c2fa5c7
--- /dev/null
+++ b/tests/cert-tests/gost
@@ -0,0 +1,103 @@
+#!/bin/sh
+
+# Copyright (C) 2016-2017 Free Software Foundation, Inc.
+#
+# Author: Dmitry Eremin-Solenikov
+#
+# This file is part of GnuTLS.
+#
+# The GnuTLS is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public License
+# as published by the Free Software Foundation; either version 2.1 of
+# the License, or (at your option) any later version.
+#
+# This library is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>
+
+#set -e
+
+srcdir="${srcdir:-.}"
+CERTTOOL="${CERTTOOL:-../../src/certtool${EXEEXT}}"
+TMPFILE=gost.$$.tmp
+TMPCA=gost-ca.$$.tmp
+TMPCAKEY=gost-ca-key.$$.tmp
+TMPSUBCA=gost-subca.$$.tmp
+TMPSUBCAKEY=gost-subca-key.$$.tmp
+TMPKEY=gost-key.$$.tmp
+TMPTEMPL=template.$$.tmp
+TMPUSER=user.$$.tmp
+VERIFYOUT=verify.$$.tmp
+
+if ! test -x "${CERTTOOL}"; then
+ exit 77
+fi
+
+if test "${GNUTLS_FORCE_FIPS_MODE}" = 1;then
+ echo "Cannot run in FIPS140-2 mode"
+ exit 77
+fi
+
+echo ca > $TMPTEMPL
+echo "cn = GOST STREEBOG 256 CA" >> $TMPTEMPL
+
+"${CERTTOOL}" --generate-privkey --key-type gost12-512 --curve TC26-512-A > $TMPCAKEY 2>/dev/null
+#"${CERTTOOL}" --generate-privkey --key-type gost12-256 --curve CryptoPro-XchA > $TMPCAKEY 2>/dev/null
+
+"${CERTTOOL}" -d 2 --generate-self-signed --template $TMPTEMPL \
+ --load-privkey $TMPCAKEY \
+ --outfile $TMPCA \
+ >$TMPFILE 2>&1
+
+if [ $? != 0 ]; then
+ cat $TMPFILE
+ exit 1
+fi
+
+echo ca > $TMPTEMPL
+"${CERTTOOL}" --generate-privkey --key-type gost12-256 --curve CryptoPro-A > $TMPSUBCAKEY 2>/dev/null
+echo "cn = GOST STREEBOG-256 Mid CA" >> $TMPTEMPL
+
+"${CERTTOOL}" -d 2 --generate-certificate --template $TMPTEMPL \
+ --load-ca-privkey $TMPCAKEY \
+ --load-ca-certificate $TMPCA \
+ --load-privkey $TMPSUBCAKEY \
+ --outfile $TMPSUBCA \
+ >$TMPFILE 2>&1
+
+if [ $? != 0 ]; then
+ cat $TMPFILE
+ exit 1
+fi
+
+echo "cn = End-user" > $TMPTEMPL
+
+"${CERTTOOL}" --generate-privkey --key-type gost01 --curve CryptoPro-XchA > $TMPKEY 2>/dev/null
+
+"${CERTTOOL}" -d 2 --generate-certificate --template $TMPTEMPL \
+ --load-ca-privkey $TMPSUBCAKEY \
+ --load-ca-certificate $TMPSUBCA \
+ --load-privkey $TMPKEY \
+ --outfile $TMPUSER >$TMPFILE 2>&1
+
+if [ $? != 0 ]; then
+ cat $TMPFILE
+ exit 1
+fi
+
+cat $TMPUSER $TMPSUBCA $TMPCA > $TMPFILE
+"${CERTTOOL}" --verify-chain <$TMPFILE > $VERIFYOUT
+
+if [ $? != 0 ]; then
+ cat $VERIFYOUT
+ exit 1
+fi
+
+rm -f $VERIFYOUT $TMPUSER $TMPCA $TMPSUBCA $TMPTEMPL $TMPFILE
+rm -f $TMPSUBCAKEY $TMPCAKEY $TMPKEY
+
+exit 0
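Review bot: The three `--generate-privkey` invocations send stderr to /dev/null and their exit status is never tested, so a key-generation failure (for example a curve the build does not support) only surfaces later as an unrelated-looking error from the certificate step that loads the key file. Each should be followed by the same check the certificate steps use, e.g. `if [ $? != 0 ]; then echo "GOST key generation failed"; exit 1; fi`, with stderr captured in `$TMPFILE` rather than discarded. The `rm -f` cleanup runs only on the success path, so every `exit 1` leaves the generated private keys behind in the build directory; a `trap` on exit listing the same files would cover those paths. The template CN `GOST STREEBOG 256 CA` is paired with a `gost12-512` key, which looks like a leftover from the commented-out 256-bit line.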
diff --git a/tests/cert-tests/pem-decoding b/tests/cert-tests/pem-decoding
index a31f412b48..0222ae72af 100755
--- a/tests/cert-tests/pem-decoding
+++ b/tests/cert-tests/pem-decoding
@@ -124,7 +124,13 @@ fi
#check whether the cert with GOST parameters is decoded as expected
-${VALGRIND} "${CERTTOOL}" --certificate-info --infile "${srcdir}/data/gost-cert.pem" >${TMPFILE}
+if test "${ENABLE_GOST}" = "1"; then
+ GOSTCERT="${srcdir}/data/gost-cert.pem"
+else
+ GOSTCERT="${srcdir}/data/gost-cert-nogost.pem"
+fi
+
+${VALGRIND} "${CERTTOOL}" --certificate-info --infile "${GOSTCERT}" >${TMPFILE}
rc=$?
if test "${rc}" != "0"; then
@@ -132,7 +138,7 @@ if test "${rc}" != "0"; then
exit ${rc}
fi
-${DIFF} -I 'Algorithm Security Level' ${TMPFILE} "${srcdir}/data/gost-cert.pem" || ${DIFF} -I 'Algorithm Security Level' --strip-trailing-cr "${TMPFILE}" "${srcdir}/data/gost-cert.pem"
+${DIFF} -u ${TMPFILE} "${GOSTCERT}" || ${DIFF} -u --strip-trailing-cr "${TMPFILE}" "${GOSTCERT}"
rc=$?
if test "${rc}" != "0"; then
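Review bot: Dropping `-I 'Algorithm Security Level'` makes this comparison exact in the same commit that adds an `Algorithm Security Level: High (256 bits)` line to the expected file `data/gost-cert.pem`, so the test now pins that label. The GOST94 check added further down in this file still ignores the line, which suggests the label is not treated as stable output elsewhere; if that is so, keep the option here as `${DIFF} -u -I 'Algorithm Security Level' "${TMPFILE}" "${GOSTCERT}"`. The first `${TMPFILE}` on the new line is also unquoted while the one in the fallback command is quoted.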
@@ -140,6 +146,23 @@ if test "${rc}" != "0"; then
exit ${rc}
fi
+#check whether the cert with GOST 31.10/11-94 parameters is decoded as expected
+${VALGRIND} "${CERTTOOL}" --certificate-info --infile "${srcdir}/data/gost94-cert.pem" >${TMPFILE}
+rc=$?
+
+if test "${rc}" != "0"; then
+ echo "GOST94 cert decoding failed 1"
+ exit ${rc}
+fi
+
+${DIFF} -I 'Algorithm Security Level' ${TMPFILE} "${srcdir}/data/gost94-cert.pem" || ${DIFF} -I 'Algorithm Security Level' --strip-trailing-cr "${TMPFILE}" "${srcdir}/data/gost94-cert.pem"
+rc=$?
+
+if test "${rc}" != "0"; then
+ echo "GOST94 cert decoding failed 2"
+ exit ${rc}
+fi
+
${VALGRIND} "${CERTTOOL}" --certificate-info --infile "${srcdir}/data/multi-value-dn.pem" >${TMPFILE}
rc=$?
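Review bot: The new comment reads `GOST 31.10/11-94`, which looks like a typo for the GOST R 34.10-94 / 34.11-94 pair named in the fixture's subject (`GostR3410-94 example`); it should read `#check whether the cert with GOST R 34.10/11-94 parameters is decoded as expected`. The expected output in `data/gost94-cert.pem` shows the key and signature algorithms only as raw OIDs (`1.2.643.2.2.20`, `1.2.643.2.2.4`), so the comment could also state that this case covers an algorithm certtool prints without decoding, which appears to be why it runs regardless of `ENABLE_GOST`.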
diff --git a/tests/cert-tests/pkcs12-gost b/tests/cert-tests/pkcs12-gost
new file mode 100755
index 0000000000..ee9318f750
--- /dev/null
+++ b/tests/cert-tests/pkcs12-gost
@@ -0,0 +1,86 @@
+#!/bin/sh
+
+# Copyright (C) 2018 Dmitry Eremin-Solenikov
+# Copyright (C) 2016 Red Hat, Inc.
+#
+# This file is part of GnuTLS.
+#
+# GnuTLS is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 3 of the License, or (at
+# your option) any later version.
+#
+# GnuTLS is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with GnuTLS; if not, write to the Free Software Foundation,
+# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+
+# This test cannot run under windows because it passes UTF8 data on command
+# line. This seems not to work under windows.
+
+srcdir="${srcdir:-.}"
+CERTTOOL="${CERTTOOL:-../../src/certtool${EXEEXT}}"
+
+if ! test -x "${CERTTOOL}"; then
+ exit 77
+fi
+
+if ! test -z "${VALGRIND}"; then
+ VALGRIND="${LIBTOOL:-libtool} --mode=execute ${VALGRIND} --error-exitcode=1"
+fi
+
+DIFF="${DIFF:-diff}"
+DEBUG=""
+
+TMPFILE=pkcs12-gost.$$.tmp
+TMPFILE_PEM=pkcs12-gost.$$.tmp.pem
+
+echo "Testing decoding of known keys"
+echo "=============================="
+
+ret=0
+for p12 in "gost01.p12 Пароль%20для%20PFX" "gost12.p12 Пароль%20для%20PFX" "gost12-2.p12 Пароль%20для%20PFX" ; do
+ set -- ${p12}
+ file="$1"
+ passwd=$(echo $2|sed 's/%20/ /g')
+
+ if test "x$DEBUG" != "x"; then
+ ${VALGRIND} "${CERTTOOL}" -d 99 --p12-info --inder --password "${passwd}" \
+ --infile "${srcdir}/data/${file}"
+ else
+ ${VALGRIND} "${CERTTOOL}" --p12-info --inder --password "${passwd}" \
+ --infile "${srcdir}/data/${file}" >/dev/null
+ fi
+ rc=$?
+ if test ${rc} != 0; then
+ echo "PKCS12 FATAL ${p12}"
+ exit 1
+ fi
+done
+
+
+echo ""
+echo "Testing encoding/decoding"
+echo "========================="
+
+${VALGRIND} "${CERTTOOL}" --pkcs-cipher=gost28147-tc26z --hash streebog-256 --to-p12 --password "Пароль для PFX" --p12-name "my-key" --load-certificate "${srcdir}/../certs/cert-ecc256.pem" --load-privkey "${srcdir}/../certs/ecc256.pem" --load-ca-certificate "${srcdir}/../certs/ca-cert-ecc.pem" --outder --outfile $TMPFILE >/dev/null
+rc=$?
+if test ${rc} != 0; then
+ echo "PKCS12 FATAL encoding"
+ exit 1
+fi
+
+${VALGRIND} "${CERTTOOL}" --p12-info --inder --password "Пароль для PFX" --infile $TMPFILE >${TMPFILE_PEM} 2>/dev/null
+rc=$?
+if test ${rc} != 0; then
+ echo "PKCS12 FATAL decrypting/decoding"
+ exit 1
+fi
+
+rm -f "$TMPFILE" "$TMPFILE_PEM"
+
+exit 0
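Review bot: The encode/decode section checks only certtool's exit status: `${TMPFILE_PEM}` is written by `--p12-info` and then removed without being inspected, and `DIFF` is defined but never used. A round trip that succeeds but returns the wrong key or certificate would therefore pass; comparing the certificate block in `${TMPFILE_PEM}` with `${srcdir}/../certs/cert-ecc256.pem` would make the test assert what its heading claims. `DEBUG` and `ret` are set once and never changed, so the `-d 99` branch is unreachable as written. The temporary files, which may hold key material from the decoded PKCS#12, are deleted only on the success path and remain in the build directory after any `exit 1`.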
diff --git a/tests/cert-tests/pkcs7 b/tests/cert-tests/pkcs7
index 9f6d59b0c1..c9ce1e4d27 100755
--- a/tests/cert-tests/pkcs7
+++ b/tests/cert-tests/pkcs7
@@ -39,7 +39,14 @@ OUTFILE2=out2-pkcs7.$$.tmp
check_for_datefudge
-for FILE in single-ca.p7b full.p7b openssl.p7b openssl-keyid.p7b; do
+if test "${ENABLE_GOST}" = "1" && test "${GNUTLS_FORCE_FIPS_MODE}" != "1"
+then
+ GOST_P7B="rfc4490.p7b"
+else
+ GOST_P7B=""
+fi
+
+for FILE in single-ca.p7b full.p7b openssl.p7b openssl-keyid.p7b $GOST_P7B; do
${VALGRIND} "${CERTTOOL}" --inder --p7-info --infile "${srcdir}/data/${FILE}"|grep -v "Signing time" >"${OUTFILE}"
rc=$?
@@ -283,6 +290,27 @@ if test "${rc}" != "0"; then
exit ${rc}
fi
+if test "x$ENABLE_GOST" = "x1" && test "x${GNUTLS_FORCE_FIPS_MODE}" != "x1"
+then
+ FILE="gost01-signing"
+ ${VALGRIND} "${CERTTOOL}" --p7-sign --load-privkey "${srcdir}/../../doc/credentials/x509/key-gost01.pem" --load-certificate "${srcdir}/../../doc/credentials/x509/cert-gost01.pem" --infile "${srcdir}/data/pkcs7-detached.txt" >"${OUTFILE}"
+ rc=$?
+
+ if test "${rc}" != "0"; then
+ echo "${FILE}: PKCS7 struct signing failed"
+ exit ${rc}
+ fi
+
+ FILE="gost01-signing-verify"
+ ${VALGRIND} "${CERTTOOL}" --p7-verify --load-certificate "${srcdir}/../../doc/credentials/x509/cert-gost01.pem" <"${OUTFILE}"
+ rc=$?
+
+ if test "${rc}" != "0"; then
+ echo "${FILE}: PKCS7 struct signing failed verification"
+ exit ${rc}
+ fi
+fi
+
rm -f "${OUTFILE}"
rm -f "${OUTFILE2}"
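Review bot: The GOST/FIPS guard on the signing block is written as `test "x$ENABLE_GOST" = "x1"`, while the same condition at the top of the file uses `test "${ENABLE_GOST}" = "1"`. Two spellings of one condition can drift apart on a later edit. Reusing the earlier result, for example `if test -n "${GOST_P7B}"; then`, keeps a single definition of when GOST tests run. The two `exit ${rc}` paths in the new block also leave `${OUTFILE}` behind; whether the rest of the script cleans up on failure is not visible in this hunk.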
diff --git a/tests/chainverify.c b/tests/chainverify.c
index 585c52cdd8..143465cf10 100644
--- a/tests/chainverify.c
+++ b/tests/chainverify.c
@@ -88,6 +88,12 @@ void doit(void)
printf("[%d]: Chain '%s'...\n", (int)i, chains[i].name);
+ if (chains[i].notfips && gnutls_fips140_mode_enabled()) {
+ if (debug)
+ printf("Skipping in FIPS mode...\n");
+ continue;
+ }
+
for (j = 0; chains[i].chain[j]; j++) {
if (debug > 2)
printf("\tAdding certificate %d...", (int)j);
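Review bot: The new `notfips` skip reports itself only when `debug` is set, so an ordinary FIPS-mode run gives no record that the GOST chains were never verified. Printing the skip unconditionally, `printf("Skipping chain '%s' in FIPS mode\n", chains[i].name);`, makes the reduced coverage visible in CI logs. The same applies to the identical block added to tests/pkcs11/pkcs11-chainverify.c. The loop body begins and ends outside this hunk.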
diff --git a/tests/key-import-export.c b/tests/key-import-export.c
index 70febb49ff..a9cb17a257 100644
--- a/tests/key-import-export.c
+++ b/tests/key-import-export.c
@@ -87,6 +87,10 @@ unsigned char false_ed25519_x[] = "\xac\xac\x9a\xb3\xc3\x41\x8d\x41\x22\x21\xc1\
unsigned char ed25519_x[] = "\xab\xaf\x98\xb3\xc3\x41\x8d\x41\x22\x21\xc1\x86\xa7\xb8\x70\xfb\x44\x6e\xc7\x7e\x20\x87\x7b\xd9\x22\xa4\x5d\xd2\x97\x09\xd5\x48";
unsigned char ed25519_k[] = "\x1c\xa9\x23\xdc\x35\xa8\xfd\xd6\x2d\xa8\x98\xb9\x60\x7b\xce\x10\x3d\xf4\x64\xc6\xe5\x4b\x0a\x65\x56\x6a\x3c\x73\x65\x51\xa2\x2f";
+unsigned char gost_x[] = "\x00\xc0\x0f\x88\x63\xd2\xdd\x10\xdf\x3c\x5e\xd8\x1a\xbc\x5a\x3d\x2c\xdd\x50\xbd\xcf\x55\x44\x91\x73\x3c\x60\xa8\xc6\xf4\xe9\xbb\xd0";
+unsigned char gost_y[] = "\x37\x5b\xbd\x56\xfa\xb0\x3c\x6f\x21\x43\xac\x41\x86\xba\xc6\x24\xf5\xb4\x39\x94\x78\x66\x5f\x57\xff\x33\xc8\x0b\x3c\x96\xec\x8a";
+unsigned char gost_k[] = "\x00\xa5\x7f\x2e\x14\xb8\x90\x98\x34\x23\x78\x2f\xcd\x43\xd8\xf9\x66\x19\x31\xca\x1f\x82\xc3\xe0\x67\x1a\x58\xf8\x8a\x2c\x41\x59\x47";
+
gnutls_datum_t _dsa_p = {dsa_p, sizeof(dsa_p)-1};
gnutls_datum_t _dsa_q = {dsa_q, sizeof(dsa_q)-1};
gnutls_datum_t _dsa_g = {dsa_g, sizeof(dsa_g)-1};
@@ -110,6 +114,10 @@ gnutls_datum_t _false_ed25519_x = {false_ed25519_x, sizeof(false_ed25519_x)-1};
gnutls_datum_t _ed25519_x = {ed25519_x, sizeof(ed25519_x)-1};
gnutls_datum_t _ed25519_k = {ed25519_k, sizeof(ed25519_k)-1};
+gnutls_datum_t _gost_x = {gost_x, sizeof(gost_x)-1};
+gnutls_datum_t _gost_y = {gost_y, sizeof(gost_y)-1};
+gnutls_datum_t _gost_k = {gost_k, sizeof(gost_k)-1};
+
unsigned char ecc_params[] = "\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07";
unsigned char ecc_point[] = "\x04\x41\x04\x3c\x15\x6f\x1d\x48\x3e\x64\x59\x13\x2c\x6d\x04\x1a\x38\x0d\x30\x5c\xe4\x3f\x55\xcb\xd9\x17\x15\x46\x72\x71\x92\xc1\xf8\xc6\x33\x3d\x04\x2e\xc8\xc1\x0f\xc0\x50\x04\x7b\x9f\xc9\x48\xb5\x40\xfa\x6f\x93\x82\x59\x61\x5e\x72\x57\xcb\x83\x06\xbd\xcc\x82\x94\xc1";
@@ -262,6 +270,8 @@ int check_privkey_import_export(void)
gnutls_datum_t p, q, g, y, x;
gnutls_datum_t m, e, u, e1, e2, d;
gnutls_ecc_curve_t curve;
+ gnutls_digest_algorithm_t digest;
+ gnutls_gost_paramset_t paramset;
int ret;
global_init();
@@ -438,6 +448,62 @@ int check_privkey_import_export(void)
gnutls_privkey_deinit(key);
+ /* GOST */
+ ret = gnutls_privkey_init(&key);
+ if (ret < 0)
+ fail("error\n");
+
+ ret = gnutls_privkey_import_gost_raw(key, GNUTLS_ECC_CURVE_GOST256CPXA, GNUTLS_DIG_GOSTR_94, GNUTLS_GOST_PARAMSET_CP_A, &_gost_x, &_gost_y, &_gost_k);
+ if (ret < 0)
+ fail("error\n");
+
+ ret = gnutls_privkey_export_gost_raw2(key, &curve, &digest, &paramset, &x, &y, &p, 0);
+ if (ret < 0)
+ fail("error\n");
+
+ if (curve != GNUTLS_ECC_CURVE_GOST256CPXA) {
+ fprintf(stderr, "unexpected curve value: %d\n", (int)curve);
+ exit(1);
+ }
+ if (digest != GNUTLS_DIG_GOSTR_94) {
+ fprintf(stderr, "unexpected digest value: %d\n", (int)digest);
+ exit(1);
+ }
+ if (paramset != GNUTLS_GOST_PARAMSET_CP_A) {
+ fprintf(stderr, "unexpected paramset value: %d\n", (int)paramset);
+ exit(1);
+ }
+ CMP("x", &x, gost_x);
+ CMP("y", &y, gost_y);
+ CMP("k", &p, gost_k);
+ gnutls_free(x.data);
+ gnutls_free(y.data);
+ gnutls_free(p.data);
+
+ ret = gnutls_privkey_export_gost_raw2(key, &curve, &digest, &paramset, &x, &y, &p, GNUTLS_EXPORT_FLAG_NO_LZ);
+ if (ret < 0)
+ fail("error\n");
+
+ if (curve != GNUTLS_ECC_CURVE_GOST256CPXA) {
+ fprintf(stderr, "unexpected curve value: %d\n", (int)curve);
+ exit(1);
+ }
+ if (digest != GNUTLS_DIG_GOSTR_94) {
+ fprintf(stderr, "unexpected digest value: %d\n", (int)digest);
+ exit(1);
+ }
+ if (paramset != GNUTLS_GOST_PARAMSET_CP_A) {
+ fprintf(stderr, "unexpected paramset value: %d\n", (int)paramset);
+ exit(1);
+ }
+ CMP_NO_LZ("x", &x, gost_x);
+ CMP_NO_LZ("y", &y, gost_y);
+ CMP_NO_LZ("k", &p, gost_k);
+ gnutls_free(x.data);
+ gnutls_free(y.data);
+ gnutls_free(p.data);
+ gnutls_privkey_deinit(key);
+
return 0;
}
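Review bot: The GOST block added to check_privkey_import_export() runs unconditionally, whereas oids.c in this commit wraps its GOST self-tests in `#ifdef ENABLE_GOST` and `if (!gnutls_fips140_mode_enabled())`. If gnutls_privkey_import_gost_raw() is refused in a build without GOST or in FIPS mode (likely, though not visible here), the whole test fails with a bare "error" instead of skipping. Guarding the block the same way would match the other tests. The same applies to check_gost() and its call in doit() in the later hunks of this file. The function body starts outside this hunk.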
@@ -769,6 +835,108 @@ int check_ed25519(void)
return 0;
}
+static
+int check_gost(void)
+{
+ gnutls_privkey_t key;
+ gnutls_pubkey_t pub;
+ gnutls_datum_t y, x, k;
+ gnutls_ecc_curve_t curve;
+ gnutls_digest_algorithm_t digest;
+ gnutls_gost_paramset_t paramset;
+ int ret;
+
+ /* ECC */
+ ret = gnutls_privkey_init(&key);
+ if (ret < 0)
+ fail("error\n");
+
+ ret = gnutls_pubkey_init(&pub);
+ if (ret < 0)
+ fail("error\n");
+
+ ret = gnutls_privkey_import_x509_raw(key, &server_ca3_gost01_key, GNUTLS_X509_FMT_PEM, 0, 0);
+ if (ret < 0)
+ fail("error\n");
+
+ ret = gnutls_pubkey_import_privkey(pub, key, 0, 0);
+ if (ret < 0)
+ fail("error\n");
+
+ ret = gnutls_pubkey_export_gost_raw2(pub, &curve, &digest, &paramset, &x, &y, 0);
+ if (ret < 0)
+ fail("error\n");
+
+ if (curve != GNUTLS_ECC_CURVE_GOST256CPXA) {
+ fprintf(stderr, "unexpected curve value: %d\n", (int)curve);
+ exit(1);
+ }
+ if (digest != GNUTLS_DIG_GOSTR_94) {
+ fprintf(stderr, "unexpected digest value: %d\n", (int)digest);
+ exit(1);
+ }
+ if (paramset != GNUTLS_GOST_PARAMSET_CP_A) {
+ fprintf(stderr, "unexpected paramset value: %d\n", (int)paramset);
+ exit(1);
+ }
+ CMP("x", &x, gost_x);
+ CMP("y", &y, gost_y);
+ gnutls_free(x.data);
+ gnutls_free(y.data);
+
+ ret = gnutls_pubkey_export_gost_raw2(pub, &curve, &digest, &paramset, &x, &y, GNUTLS_EXPORT_FLAG_NO_LZ);
+ if (ret < 0)
+ fail("error\n");
+
+ if (curve != GNUTLS_ECC_CURVE_GOST256CPXA) {
+ fprintf(stderr, "unexpected curve value: %d\n", (int)curve);
+ exit(1);
+ }
+ if (digest != GNUTLS_DIG_GOSTR_94) {
+ fprintf(stderr, "unexpected digest value: %d\n", (int)digest);
+ exit(1);
+ }
+ if (paramset != GNUTLS_GOST_PARAMSET_CP_A) {
+ fprintf(stderr, "unexpected paramset value: %d\n", (int)paramset);
+ exit(1);
+ }
+ CMP_NO_LZ("x", &x, gost_x);
+ CMP_NO_LZ("y", &y, gost_y);
+ gnutls_free(x.data);
+ gnutls_free(y.data);
+
+
+ /* check the private key export */
+ ret = gnutls_privkey_export_gost_raw2(key, &curve, &digest, &paramset, &x, &y, &k, 0);
+ if (ret < 0)
+ fail("error\n");
+
+ if (curve != GNUTLS_ECC_CURVE_GOST256CPXA) {
+ fprintf(stderr, "unexpected curve value: %d\n", (int)curve);
+ exit(1);
+ }
+ if (digest != GNUTLS_DIG_GOSTR_94) {
+ fprintf(stderr, "unexpected digest value: %d\n", (int)digest);
+ exit(1);
+ }
+ if (paramset != GNUTLS_GOST_PARAMSET_CP_A) {
+ fprintf(stderr, "unexpected paramset value: %d\n", (int)paramset);
+ exit(1);
+ }
+ CMP("x", &x, gost_x);
+ CMP("y", &y, gost_y);
+ CMP("k", &k, gost_k);
+ gnutls_free(x.data);
+ gnutls_free(y.data);
+ gnutls_free(k.data);
+
+ gnutls_privkey_deinit(key);
+
+ gnutls_pubkey_deinit(pub);
+
+ return 0;
+}
+
void doit(void)
{
if (check_x509_privkey() != 0) {
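Review bot: The opening comment in check_gost() still reads `/* ECC */`, carried over from the function it was copied from. Something like `/* GOST: import the PEM key, derive the public key, compare raw exports */` describes what follows. Every failure path reports the same `fail("error\n")`, so a log cannot tell which call failed; `fail("gnutls_pubkey_export_gost_raw2: %s\n", gnutls_strerror(ret));` and its equivalents would. The curve/digest/paramset check is repeated three times here and twice in check_privkey_import_export(), and a small static helper taking the three values would keep them in step.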
@@ -798,4 +966,8 @@ void doit(void)
if (check_ed25519() != 0) {
fail("error in ed25519 check\n");
}
+
+ if (check_gost() != 0) {
+ fail("error in gost check\n");
+ }
}
diff --git a/tests/oids.c b/tests/oids.c
index 0ec0dde190..ed65b057a2 100644
--- a/tests/oids.c
+++ b/tests/oids.c
@@ -70,12 +70,28 @@ void doit(void)
SELF_TEST_SIG(GNUTLS_SIGN_EDDSA_ED25519);
+ if (!gnutls_fips140_mode_enabled()) {
+#ifdef ENABLE_GOST
+ SELF_TEST_SIG(GNUTLS_SIGN_GOST_94);
+ SELF_TEST_SIG(GNUTLS_SIGN_GOST_256);
+ SELF_TEST_SIG(GNUTLS_SIGN_GOST_512);
+#endif
+ }
+
SELF_TEST_PK(GNUTLS_PK_RSA);
SELF_TEST_PK(GNUTLS_PK_DSA);
SELF_TEST_PK(GNUTLS_PK_EC);
SELF_TEST_PK(GNUTLS_PK_RSA_PSS);
SELF_TEST_PK(GNUTLS_PK_EDDSA_ED25519);
+ if (!gnutls_fips140_mode_enabled()) {
+#ifdef ENABLE_GOST
+ SELF_TEST_PK(GNUTLS_PK_GOST_01);
+ SELF_TEST_PK(GNUTLS_PK_GOST_12_256);
+ SELF_TEST_PK(GNUTLS_PK_GOST_12_512);
+#endif
+ }
+
SELF_TEST_DIG(GNUTLS_DIG_MD5);
SELF_TEST_DIG(GNUTLS_DIG_SHA1);
SELF_TEST_DIG(GNUTLS_DIG_SHA256);
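Review bot: Placing `#ifdef ENABLE_GOST` inside `if (!gnutls_fips140_mode_enabled()) {` leaves an empty runtime branch when GOST is compiled out. Moving the preprocessor guard outside, so `#ifdef ENABLE_GOST` comes first and the `if` sits within it, makes it clear the whole block is absent in that build. This applies to both blocks in this hunk and to the digest block in the next hunk. doit() starts outside this hunk.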
@@ -84,4 +100,12 @@ void doit(void)
SELF_TEST_DIG(GNUTLS_DIG_SHA3_256);
SELF_TEST_DIG(GNUTLS_DIG_SHA3_384);
SELF_TEST_DIG(GNUTLS_DIG_SHA3_512);
+
+ if (!gnutls_fips140_mode_enabled()) {
+#ifdef ENABLE_GOST
+ SELF_TEST_DIG(GNUTLS_DIG_GOSTR_94);
+ SELF_TEST_DIG(GNUTLS_DIG_STREEBOG_256);
+ SELF_TEST_DIG(GNUTLS_DIG_STREEBOG_512);
+#endif
+ }
}
diff --git a/tests/pkcs11/pkcs11-chainverify.c b/tests/pkcs11/pkcs11-chainverify.c
index fda1e2de08..e9865b62b9 100644
--- a/tests/pkcs11/pkcs11-chainverify.c
+++ b/tests/pkcs11/pkcs11-chainverify.c
@@ -129,6 +129,12 @@ void doit(void)
printf("Chain '%s' (%d)...\n", chains[i].name,
(int) i);
+ if (chains[i].notfips && gnutls_fips140_mode_enabled()) {
+ if (debug)
+ printf("Skipping in FIPS mode...\n");
+ continue;
+ }
+
for (j = 0; chains[i].chain[j]; j++) {
if (debug > 2)
printf("\tAdding certificate %d...",
diff --git a/tests/privkey-keygen.c b/tests/privkey-keygen.c
index 885cf58e57..85f803a6b3 100644
--- a/tests/privkey-keygen.c
+++ b/tests/privkey-keygen.c
@@ -67,6 +67,12 @@ static void sign_verify_data(gnutls_pk_algorithm_t algorithm, gnutls_x509_privke
if (algorithm == GNUTLS_PK_EDDSA_ED25519)
digest = GNUTLS_DIG_SHA512;
+ else if (algorithm == GNUTLS_PK_GOST_01)
+ digest = GNUTLS_DIG_GOSTR_94;
+ else if (algorithm == GNUTLS_PK_GOST_12_256)
+ digest = GNUTLS_DIG_STREEBOG_256;
+ else if (algorithm == GNUTLS_PK_GOST_12_512)
+ digest = GNUTLS_DIG_STREEBOG_512;
else
digest = GNUTLS_DIG_SHA256;
@@ -119,6 +125,13 @@ void doit(void)
algorithm == GNUTLS_PK_ECDH_X25519)
continue;
+ if (gnutls_fips140_mode_enabled() &&
+ (algorithm == GNUTLS_PK_GOST_01 ||
+ algorithm == GNUTLS_PK_GOST_12_256 ||
+ algorithm == GNUTLS_PK_GOST_12_512))
+ continue;
+
+
ret = gnutls_x509_privkey_init(&pkey);
if (ret < 0) {
fail("gnutls_x509_privkey_init: %d\n",
diff --git a/tests/test-chains.h b/tests/test-chains.h
index 934d743c0d..93768fd90c 100644
--- a/tests/test-chains.h
+++ b/tests/test-chains.h
@@ -3773,6 +3773,76 @@ static const char *tls_feat_superset[] = {
NULL
};
+#ifdef ENABLE_GOST
+static const char *gost01[] = {
+ "-----BEGIN CERTIFICATE-----\n"
+ "MIIBfTCCASqgAwIBAgICASIwCgYGKoUDAgIDBQAwNzELMAkGA1UEBhMCUlUxKDAm\n"
+ "BgNVBAMMH0NBIGNlcnRpZmljYXRlIChQS0NTMTIgZXhhbXBsZSkwHhcNMTIwNjE0\n"
+ "MTkzMDE5WhcNMTcwNjE0MTkzMDE5WjA5MQswCQYDVQQGEwJSVTEqMCgGA1UEAwwh\n"
+ "VGVzdCBjZXJ0aWZpY2F0ZSAoUEtDUzEyIGV4YW1wbGUpMGMwHAYGKoUDAgITMBIG\n"
+ "ByqFAwICIwEGByqFAwICHgEDQwAEQHlSMCMAJZgoHUCIFmn+eqOgYlQy8h7SfjZ2\n"
+ "kMkJ4xTae8jtZYxHLq3P+qJeismsHdmqdqSBbOGGdOaJNNPbAZKjGjAYMAkGA1Ud\n"
+ "EwQCMAAwCwYDVR0PBAQDAgWgMAoGBiqFAwICAwUAA0EArslfUeqhW9eFkspn89+C\n"
+ "OQEJX6JoghiOjFYlky0XmaaDl3D6EcbID+B6cBEmcXF21xxIEeYJIAqGzOEnMXdT\n"
+ "cg==\n"
+ "-----END CERTIFICATE-----\n",
+ NULL,
+ "-----BEGIN CERTIFICATE-----\n"
+ "MIIBfTCCASqgAwIBAgIBADAKBgYqhQMCAgMFADA3MQswCQYDVQQGEwJSVTEoMCYG\n"
+ "A1UEAwwfQ0EgY2VydGlmaWNhdGUgKFBLQ1MxMiBleGFtcGxlKTAeFw0xMjA2MTQx\n"
+ "MzEyMzFaFw0xNzA2MTQxMzEyMzFaMDcxCzAJBgNVBAYTAlJVMSgwJgYDVQQDDB9D\n"
+ "QSBjZXJ0aWZpY2F0ZSAoUEtDUzEyIGV4YW1wbGUpMGMwHAYGKoUDAgITMBIGByqF\n"
+ "AwICIwEGByqFAwICHgEDQwAEQHxF7QOkGNDlnKWiBwdD80gToowegPcHR1Y1r2ZR\n"
+ "RQqB610f3uEWN/EikI7exYVRR0dmCyILLMmgRxX+KU4qmgejHTAbMAwGA1UdEwQF\n"
+ "MAMBAf8wCwYDVR0PBAQDAgEGMAoGBiqFAwICAwUAA0EAFnvKPRo2tQkI/iqu/CkP\n"
+ "YQJPW43KnRMqkmB/NnGOC5+wdivIA5yJaGbT2sQ1r+n6qyJnG32yV44DrSe7b2DV\n"
+ "OA==\n"
+ "-----END CERTIFICATE-----\n",
+ NULL
+};
+
+static const char *gost12_256[] = {
+ "-----BEGIN CERTIFICATE-----\n"
+ "MIICYjCCAg+gAwIBAgIBATAKBggqhQMHAQEDAjBWMSkwJwYJKoZIhvcNAQkBFhpH\n"
+ "b3N0UjM0MTAtMjAxMkBleGFtcGxlLmNvbTEpMCcGA1UEAxMgR29zdFIzNDEwLTIw\n"
+ "MTIgKDI1NiBiaXQpIGV4YW1wbGUwHhcNMTMxMTA1MTQwMjM3WhcNMzAxMTAxMTQw\n"
+ "MjM3WjBWMSkwJwYJKoZIhvcNAQkBFhpHb3N0UjM0MTAtMjAxMkBleGFtcGxlLmNv\n"
+ "bTEpMCcGA1UEAxMgR29zdFIzNDEwLTIwMTIgKDI1NiBiaXQpIGV4YW1wbGUwZjAf\n"
+ "BggqhQMHAQEBATATBgcqhQMCAiQABggqhQMHAQECAgNDAARAut/Qw1MUq9KPqkdH\n"
+ "C2xAF3K7TugHfo9n525D2s5mFZdD5pwf90/i4vF0mFmr9nfRwMYP4o0Pg1mOn5Rl\n"
+ "aXNYraOBwDCBvTAdBgNVHQ4EFgQU1fIeN1HaPbw+XWUzbkJ+kHJUT0AwCwYDVR0P\n"
+ "BAQDAgHGMA8GA1UdEwQIMAYBAf8CAQEwfgYDVR0BBHcwdYAU1fIeN1HaPbw+XWUz\n"
+ "bkJ+kHJUT0ChWqRYMFYxKTAnBgkqhkiG9w0BCQEWGkdvc3RSMzQxMC0yMDEyQGV4\n"
+ "YW1wbGUuY29tMSkwJwYDVQQDEyBHb3N0UjM0MTAtMjAxMiAoMjU2IGJpdCkgZXhh\n"
+ "bXBsZYIBATAKBggqhQMHAQEDAgNBAF5bm4BbARR6hJLEoWJkOsYV3Hd7kXQQjz3C\n"
+ "dqQfmHrz6TI6Xojdh/t8ckODv/587NS5/6KsM77vc6Wh90NAT2s=\n"
+ "-----END CERTIFICATE-----\n",
+ NULL
+};
+
+static const char *gost12_512[] = {
+ "-----BEGIN CERTIFICATE-----\n"
+ "MIIC6DCCAlSgAwIBAgIBATAKBggqhQMHAQEDAzBWMSkwJwYJKoZIhvcNAQkBFhpH\n"
+ "b3N0UjM0MTAtMjAxMkBleGFtcGxlLmNvbTEpMCcGA1UEAxMgR29zdFIzNDEwLTIw\n"
+ "MTIgKDUxMiBiaXQpIGV4YW1wbGUwHhcNMTMxMDA0MDczNjA0WhcNMzAxMDAxMDcz\n"
+ "NjA0WjBWMSkwJwYJKoZIhvcNAQkBFhpHb3N0UjM0MTAtMjAxMkBleGFtcGxlLmNv\n"
+ "bTEpMCcGA1UEAxMgR29zdFIzNDEwLTIwMTIgKDUxMiBiaXQpIGV4YW1wbGUwgaow\n"
+ "IQYIKoUDBwEBAQIwFQYJKoUDBwECAQICBggqhQMHAQECAwOBhAAEgYATGQ9VCiM5\n"
+ "FRGCQ8MEz2F1dANqhaEuywa8CbxOnTvaGJpFQVXQwkwvLFAKh7hk542vOEtxpKtT\n"
+ "CXfGf84nRhMH/Q9bZeAc2eO/yhxrsQhTBufa1Fuou2oe/jUOaG6RAtUUvRzhNTpp\n"
+ "RGGl1+EIY2vzzUua9j9Ol/gAoy/LNKQIfqOBwDCBvTAdBgNVHQ4EFgQUPcbTRXJZ\n"
+ "nHtjj+eBP7b5lcTMekIwCwYDVR0PBAQDAgHGMA8GA1UdEwQIMAYBAf8CAQEwfgYD\n"
+ "VR0BBHcwdYAUPcbTRXJZnHtjj+eBP7b5lcTMekKhWqRYMFYxKTAnBgkqhkiG9w0B\n"
+ "CQEWGkdvc3RSMzQxMC0yMDEyQGV4YW1wbGUuY29tMSkwJwYDVQQDEyBHb3N0UjM0\n"
+ "MTAtMjAxMiAoNTEyIGJpdCkgZXhhbXBsZYIBATAKBggqhQMHAQEDAwOBgQBObS7o\n"
+ "ppPTXzHyVR1DtPa8b57nudJzI4czhsfeX5HDntOq45t9B/qSs8dC6eGxbhHZ9zCO\n"
+ "SFtxWYdmg0au8XI9Xb8vTC1qdwWID7FFjMWDNQZb6lYh/J+8F2xKylvB5nIlRZqO\n"
+ "o3eUNFkNyHJwQCk2WoOlO16zwGk2tdKH4KmD5w==\n"
+ "-----END CERTIFICATE-----\n",
+ NULL
+};
+#endif
+
#if defined __clang__ || __GNUC__ > 4 || (__GNUC__ == 4 && __GNUC_MINOR__ >= 5)
# pragma GCC diagnostic push
# pragma GCC diagnostic ignored "-Wunused-variable"
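Review bot: The `gost01` array holds two certificates separated by a `NULL`, and nothing says the second is the trust anchor; that is visible only from the `&gost01[2]` used in the chains table later in this commit. A one-line comment before the array, `/* leaf, NULL, then the issuing CA used as trust anchor (index 2) */`, would record it. `gost12_256` and `gost12_512` are single self-signed certificates used as their own anchor (`&gost12_256[0]`), which is worth stating the same way.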
@@ -3787,6 +3857,7 @@ static struct
unsigned int expected_verify_result;
const char *purpose;
time_t expected_time;
+ unsigned notfips;
} chains[] =
{
{ "CVE-2014-0092", cve_2014_0092_check, &cve_2014_0092_check[1],
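Review bot: The new `notfips` field has no comment, and its meaning is only discoverable from the skip logic added to chainverify.c. I would write `unsigned notfips; /* non-zero: skip this chain when FIPS140 mode is enabled */`. Existing entries leave the field implicitly zero, and the new GOST entries set it with a bare trailing `1`; a designated `.notfips = 1` would be easier to read in an eight-field positional initializer. The struct definition starts outside this hunk.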
@@ -3928,6 +3999,13 @@ static struct
{ "rsa pss: chain with increasing salt size - ok", rsa_pss_chain_increasing_salt_size_ok, &rsa_pss_chain_increasing_salt_size_ok[3], 0, 0, 0, 1501159136},
{ "rsa pss: chain with alternating signatures - ok", rsa_pss_chain_pkcs11_pss_pkcs1_ok, &rsa_pss_chain_pkcs11_pss_pkcs1_ok[3], 0, 0, 0, 1501159136},
{ "rsa pss: chain with changing hashes - ok", rsa_pss_chain_sha512_sha384_sha256_ok, &rsa_pss_chain_sha512_sha384_sha256_ok[3], 0, 0, 0, 1501159136},
+#ifdef ENABLE_GOST
+ { "gost 34.10-01 - ok", gost01, &gost01[2], 0, 0, 0, 1466612070, 1},
+ { "gost 34.10-01 - not ok (due to profile)", gost01, &gost01[2], GNUTLS_PROFILE_TO_VFLAGS(GNUTLS_PROFILE_ULTRA),
+ GNUTLS_CERT_INSECURE_ALGORITHM | GNUTLS_CERT_INVALID, NULL, 1466612070, 1},
+ { "gost 34.10-12-256 - ok", gost12_256, &gost12_256[0], 0, 0, 0, 1466612070, 1},
+ { "gost 34.10-12-512 - ok", gost12_512, &gost12_512[0], 0, 0, 0, 1466612070, 1},
+#endif
{ NULL, NULL, NULL, 0, 0}
};
diff --git a/tests/x509sign-verify-common.h b/tests/x509sign-verify-common.h
index 9f87229403..d7f3b41cfa 100644
--- a/tests/x509sign-verify-common.h
+++ b/tests/x509sign-verify-common.h
@@ -21,6 +21,39 @@ const gnutls_datum_t sha256_data = {
32
};
+/* gost r 34.11-94 hash of "hello" string */
+const gnutls_datum_t gostr94_data = {
+ (void *)
+ "\x92\xea\x6d\xdb\xaf\x40\x02\x0d\xf3\x65"
+ "\x1f\x27\x8f\xd7\x15\x12\x17\xa2\x4a\xa8"
+ "\xd2\x2e\xbd\x25\x19\xcf\xd4\xd8\x9e\x64"
+ "\x50\xea",
+ 32
+};
+
+/* Streebog-256 hash of "hello" string */
+const gnutls_datum_t streebog256_data = {
+ (void *)
+ "\x3f\xb0\x70\x0a\x41\xce\x6e\x41\x41\x3b"
+ "\xa7\x64\xf9\x8b\xf2\x13\x5b\xa6\xde\xd5"
+ "\x16\xbe\xa2\xfa\xe8\x42\x9c\xc5\xbd\xd4"
+ "\x6d\x6d",
+ 32
+};
+
+/* Streebog-512 hash of "hello" string */
+const gnutls_datum_t streebog512_data = {
+ (void *)
+ "\x8d\xf4\x14\x26\x09\x66\xbe\xb7\xb3\x4d"
+ "\x92\x07\x63\x07\x9e\x15\xdf\x1f\x63\x29"
+ "\x7e\xb3\xdd\x43\x11\xe8\xb5\x85\xd4\xbf"
+ "\x2f\x59\x23\x21\x4f\x1d\xfe\xd3\xfd\xee"
+ "\x4a\xaf\x01\x83\x30\xa1\x2a\xcd\xe0\xef"
+ "\xcc\x33\x8e\xb5\x29\x22\xf3\xe5\x71\x21"
+ "\x2d\x42\xc8\xde",
+ 64
+};
+
const gnutls_datum_t invalid_hash_data = {
(void *)
"\xaa\xf4\xc6\x1d\xdc\xca\xe8\xa2\xda\xbe"
@@ -78,6 +111,12 @@ void test_sig(gnutls_pk_algorithm_t pk, unsigned hash, unsigned bits)
vflags |= GNUTLS_VERIFY_ALLOW_SIGN_WITH_SHA1;
} else if (hash == GNUTLS_DIG_SHA256)
hash_data = &sha256_data;
+ else if (hash == GNUTLS_DIG_GOSTR_94)
+ hash_data = &gostr94_data;
+ else if (hash == GNUTLS_DIG_STREEBOG_256)
+ hash_data = &streebog256_data;
+ else if (hash == GNUTLS_DIG_STREEBOG_512)
+ hash_data = &streebog512_data;
else
abort();
diff --git a/tests/x509sign-verify-gost.c b/tests/x509sign-verify-gost.c
new file mode 100644
index 0000000000..9a5c2eca7e
--- /dev/null
+++ b/tests/x509sign-verify-gost.c
@@ -0,0 +1,65 @@
+/*
+ * Copyright (C) 2016-2017 Free Software Foundation, Inc.
+ *
+ * Author: Dmitry Eremin-Solenikov
+ *
+ * This file is part of GnuTLS.
+ *
+ * The GnuTLS is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public License
+ * as published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>
+ *
+ */
+
+/* Parts copied from GnuTLS example programs. */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#ifndef _WIN32
+# include <sys/types.h>
+# include <netinet/in.h>
+# include <sys/socket.h>
+# include <arpa/inet.h>
+# include <unistd.h>
+#endif
+#include <gnutls/gnutls.h>
+#include <gnutls/x509.h>
+#include <gnutls/abstract.h>
+
+#include "utils.h"
+
+#include "x509sign-verify-common.h"
+
+void doit(void)
+{
+#ifndef ENABLE_GOST
+ exit(77);
+#else
+ global_init();
+ gnutls_global_set_log_function(tls_log_func);
+ if (debug)
+ gnutls_global_set_log_level(6);
+
+ test_sig(GNUTLS_PK_GOST_01, GNUTLS_DIG_GOSTR_94, GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_GOST256CPA));
+ test_sig(GNUTLS_PK_GOST_12_256, GNUTLS_DIG_STREEBOG_256, GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_GOST256CPA));
+ test_sig(GNUTLS_PK_GOST_01, GNUTLS_DIG_GOSTR_94, GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_GOST256CPXA));
+ test_sig(GNUTLS_PK_GOST_12_256, GNUTLS_DIG_STREEBOG_256, GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_GOST256CPXA));
+ test_sig(GNUTLS_PK_GOST_12_512, GNUTLS_DIG_STREEBOG_512, GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_GOST512A));
+
+ gnutls_global_deinit();
+#endif
+}
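Review bot: doit() skips only when GOST is compiled out and has no FIPS-mode check, unlike the oids.c and privkey-keygen.c changes in this commit. In a FIPS run test_sig() would presumably be asked to generate and use GOST keys and would fail rather than skip. Adding `if (gnutls_fips140_mode_enabled()) exit(77);` after `global_init();` would report the test as skipped. The socket headers in the `#ifndef _WIN32` block (`<netinet/in.h>`, `<sys/socket.h>`, `<arpa/inet.h>`) do not appear to be used by anything in this file and could be dropped.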