path: root/tests/cert-tests/Makefile.am
Commit log (commit message, author, date, files changed, lines -/+)
* gnutls_hash/hmac_copy: check its usability in all cases
  Author: Nikos Mavrogiannopoulos | Date: 2019-06-26 | Files: 1 | Lines: -0/+1
  During the test suite run we require that all supported MAC and hash algorithms implement the copy function.
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* certtool: CA certificates will contain the digital signature key usage flag
  Author: Nikos Mavrogiannopoulos | Date: 2019-05-20 | Files: 1 | Lines: -1/+1
  This change ensures that all certificates will contain the digital signature key usage flag if that's specified in the template.
  Resolves: #767
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* fuzz: added fuzzer for certificate verification
  Author: Nikos Mavrogiannopoulos | Date: 2019-03-27 | Files: 1 | Lines: -1/+1
  This also adds a reproducer for CVE-2019-3829.
  Resolves: #694
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* Use https:// for www.gnu.org and www.example.com
  Author: Tim Rühsen | Date: 2019-03-13 | Files: 1 | Lines: -1/+1
  Signed-off-by: Tim Rühsen <tim.ruehsen@gmx.de>
* x509: corrected issue in the algorithm parameters comparison
  Author: Nikos Mavrogiannopoulos | Date: 2019-02-14 | Files: 1 | Lines: -2/+2
  Each certificate has two fields to set the signature algorithm and parameters used for the digital signature. One of the fields is authenticated and the other is not. It is required from RFC5280 to enforce the equality of these fields, but currently due to an issue we wouldn't enforce the equality of the parameters fields. This fix corrects the issue.
  We also move an RSA-PSS certificate in chainverify that was relying on invalid parameters, to this set of invalid certificates.
  Resolves: #698
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* tests/cert-tests/certtool: SKIP if --disable-bash-tests was given
  Author: Tim Rühsen | Date: 2018-12-18 | Files: 1 | Lines: -0/+4
  Signed-off-by: Tim Rühsen <tim.ruehsen@gmx.de>
* cert-tests: test parsing and decoding of GOST private keys
  Author: Dmitry Eremin-Solenikov | Date: 2018-11-16 | Files: 1 | Lines: -2/+5
  Add a test for parsing and decoding GOST private keys in different formats, including encrypted keys.
  Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
* tests: add testfile from RFC4134 Section 4.5
  Author: Dmitry Eremin-Solenikov | Date: 2018-11-14 | Files: 1 | Lines: -1/+2
  Add test example demonstrating indefinite-length BER encoding of PKCS#7 data.
  Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
* tests: added CRL verification tests
  Author: Nikos Mavrogiannopoulos | Date: 2018-09-17 | Files: 1 | Lines: -1/+2
  This tests CRL verification with certtool --verify-crl on correct and incorrect cases.
  Relates #564
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* Corrected the importing of ECDSA public keys
  Author: Nikos Mavrogiannopoulos | Date: 2018-08-07 | Files: 1 | Lines: -3/+3
  This seems to be a regression since EdDSA support. The call to _gnutls_x509_get_pk_algorithm() in public key import was unnecessary and in fact it was overriding the available curve with a curve associated with the OID. As the ECDSA OID doesn't include the curve, that had the result of deleting the already read curve.
  Resolves #538
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* tests: verify that certtool operates as expected with dates after 2038
  Author: Nikos Mavrogiannopoulos | Date: 2018-07-02 | Files: 1 | Lines: -0/+1
  That is, whether it works with a time_t of 64-bit size, and fails with a time_t of 32-bit size.
  Resolves #370
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* tests: check explicitly the size of time_t
  Author: Nikos Mavrogiannopoulos | Date: 2018-07-02 | Files: 1 | Lines: -1/+1
  Previously we were disabling the 2038 tests on 32-bit systems, but there can be 32-bit systems with a 64-bit time_t. Ensure that we run the right tests.
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* tests: add PKCS#12 test script for GOST 28147-89-encrypted files
  Author: Dmitry Eremin-Solenikov | Date: 2018-06-23 | Files: 1 | Lines: -1/+4
  Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
* tests: expand pkcs7 test to also check GOST files
  Author: Dmitry Eremin-Solenikov | Date: 2018-06-23 | Files: 1 | Lines: -1/+2
  Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
* Support GOST private keys generation
  Author: Dmitry Eremin-Solenikov | Date: 2018-06-23 | Files: 1 | Lines: -0/+4
  Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
* Support importing/exporting X.509 GOST public keys
  Author: Dmitry Eremin-Solenikov | Date: 2018-06-23 | Files: 1 | Lines: -1/+8
  Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
* distclean temp. test files for 'make distcheck'
  Author: Tim Rühsen | Date: 2018-06-14 | Files: 1 | Lines: -0/+3
  Signed-off-by: Tim Rühsen <tim.ruehsen@gmx.de>
* Fix tests/cert-tests/template-test for 'make distcheck'
  Author: Tim Rühsen | Date: 2018-06-01 | Files: 1 | Lines: -1/+1
  Signed-off-by: Tim Rühsen <tim.ruehsen@gmx.de>
* certtool: honor --ask-pass when loading a private key
  Author: Nikos Mavrogiannopoulos | Date: 2018-05-07 | Files: 1 | Lines: -2/+2
  This also improves the password prompt when the password requested is not for a smart card.
  Resolves: #436
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* require nettle 3.3 or later
  Author: Nikos Mavrogiannopoulos | Date: 2018-02-19 | Files: 1 | Lines: -4/+0
  This will simplify handling of the x25519 key exchange.
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* tests: combined key and cert tests (branch: tmp-simplify-tests)
  Author: Nikos Mavrogiannopoulos | Date: 2017-11-21 | Files: 1 | Lines: -4/+26
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* tests: use certtool to check RSA-PSS to RSA conversion
  Author: Nikos Mavrogiannopoulos | Date: 2017-08-15 | Files: 1 | Lines: -0/+1
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* tests: improved detection of 64-bit systems (branch: tmp-added-x86-build)
  Author: Nikos Mavrogiannopoulos | Date: 2017-08-11 | Files: 1 | Lines: -0/+1
  We now use the ${ac_cv_sizeof_unsigned_long_int} variable which gives the numbers used in the host system, not the build one.
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* tests: added check on Ed25519 chain verification
  Author: Nikos Mavrogiannopoulos | Date: 2017-07-17 | Files: 1 | Lines: -1/+1
  This chain was generated using certtool, and passed verification with OpenSSL's implementation (commit: db0f35dda18403accabe98e7780f3dfc516f49de)
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* tests: pkcs7: added ed25519 basic signing and verification checks
  Author: Nikos Mavrogiannopoulos | Date: 2017-07-17 | Files: 1 | Lines: -2/+2
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* tests: parse and interpret an EdDSA public key
  Author: Nikos Mavrogiannopoulos | Date: 2017-07-17 | Files: 1 | Lines: -1/+1
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* tests: added Ed25519 key and certificate generation tests
  Author: Nikos Mavrogiannopoulos | Date: 2017-07-17 | Files: 1 | Lines: -2/+3
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* Removed support for openpgp certificates and keys
  Author: Nikos Mavrogiannopoulos | Date: 2017-06-16 | Files: 1 | Lines: -17/+4
  Resolves #178
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* tests: added unit test to verify that certificates with non-DER strict time fields are accepted (branch: tmp-tolerate-certs-with-invalid-time)
  Author: Nikos Mavrogiannopoulos | Date: 2017-06-05 | Files: 1 | Lines: -1/+1
  Also removed the old strict compliance DER test.
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* x509: implement RSA-PSS signature scheme
  Author: Daiki Ueno | Date: 2017-05-29 | Files: 1 | Lines: -2/+4
  This patch enables RSA-PSS signature scheme in the X.509 functions and certtool. When creating RSA-PSS signature, there are 3 different scenarios:
    a. both a private key and a certificate are RSA-PSS
    b. the private key is RSA, while the certificate is RSA-PSS
    c. both the private key and the certificate are RSA
  For (a) and (b), the RSA-PSS parameters are read from the certificate. Any conflicts in parameters between the private key and the certificate are reported as an error.
  For (c), the sign functions, such as gnutls_x509_crt_privkey_sign() or gnutls_privkey_sign_data(), shall be instructed to generate an RSA-PSS signature. This can be done with the new flag GNUTLS_PRIVKEY_SIGN_FLAG_RSA_PSS.
  Verification is similar to signing, except for the case (c), use the flag GNUTLS_VERIFY_USE_RSA_PSS instead of GNUTLS_PRIVKEY_SIGN_FLAG_RSA_PSS.
  From the command line, certtool has a couple of new options: --rsa-pss and --rsa-pss-sign. The --rsa-pss option indicates that the generated private key or certificate is restricted to RSA-PSS, while the --rsa-pss-sign option indicates that the generated certificate is signed with RSA-PSS.
  For simplicity, there is no means of choosing arbitrary salt length. When it is not given by a private key or a certificate, it is automatically calculated from the underlying hash algorithm and the RSA modulus bits.
  [minor naming changes by nmav]
  Signed-off-by: Daiki Ueno <dueno@redhat.com>
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* tests: add test for signing with certificate list
  Author: Karl Tarbe | Date: 2017-05-15 | Files: 1 | Lines: -2/+3
  Signing with one certificate, but including the other certificates inside the PKCS#7 structure.
  Signed-off-by: Karl Tarbe <karl.tarbe@cyber.ee>
* tests: introduced checks in alternative chain discovery
  Author: Nikos Mavrogiannopoulos | Date: 2017-05-10 | Files: 1 | Lines: -2/+3
  These cope with alternative chain discovery in the case of an insecure algorithm found in the chain.
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* tests: utilize the email_protection_key template option (branch: tmp-certtool-update)
  Author: Nikos Mavrogiannopoulos | Date: 2017-05-05 | Files: 1 | Lines: -5/+1
  This ensures that generated certificates and requests will include that key purpose when the option is present.
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* Removed support for libidn1
  Author: Nikos Mavrogiannopoulos | Date: 2017-05-01 | Files: 1 | Lines: -2/+0
  Currently we support both IDNA2003 and IDNA2008. However, IDNA2003 is already obsolete by registrars and NICs, thus there is no reason to continue supporting it. We switch to IDNA2008 exclusively using libidn2.
  Resolves #194
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* pkcs12: eliminate mem leaks in _pkcs12_decode_safe_contents
  Author: Nikos Mavrogiannopoulos | Date: 2017-04-25 | Files: 1 | Lines: -1/+2
  This makes sure we deinitialize previously available elements.
  This addresses: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1173
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* tests: added checks with certificates that contain invalid time field (branch: tmp-increase-tests)
  Author: Nikos Mavrogiannopoulos | Date: 2017-04-07 | Files: 1 | Lines: -2/+3
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* tests: added unit test for the certtool smime conversion functionality
  Author: Nikos Mavrogiannopoulos | Date: 2017-04-06 | Files: 1 | Lines: -2/+4
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* tests: added PKCS#12 unit test with AES file
  Author: Nikos Mavrogiannopoulos | Date: 2017-04-06 | Files: 1 | Lines: -1/+1
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* tests: added unit test for inhibit anypolicy generation
  Author: Nikos Mavrogiannopoulos | Date: 2017-04-06 | Files: 1 | Lines: -1/+2
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* tests: added unit test for PKCS#12 with file that uses PBES1 with no salt
  Author: Nikos Mavrogiannopoulos | Date: 2017-04-06 | Files: 1 | Lines: -1/+1
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* tests: added unit test for PKCS#12 with file that uses PBES1 with no salt (branch: tmp-pkcs12-zero-salt-fix)
  Author: Nikos Mavrogiannopoulos | Date: 2017-04-04 | Files: 1 | Lines: -1/+1
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* tests: add unit test for PKCS#12 with file that uses SHA512 for MAC
  Author: Nikos Mavrogiannopoulos | Date: 2017-04-04 | Files: 1 | Lines: -1/+1
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* tests: added unit test for PKCS#12 with file with no salt in MAC
  Author: Nikos Mavrogiannopoulos | Date: 2017-04-04 | Files: 1 | Lines: -1/+1
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* tests: verify that the encryption OID is printed
  Author: Nikos Mavrogiannopoulos | Date: 2017-04-04 | Files: 1 | Lines: -1/+2
  That is, verify whether certtool --p12-info will print the actual encryption OID on unsupported files, rather than the generic PBES2 algorithm.
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* tests: added checks with problematic PKCS#12 files
  Author: Nikos Mavrogiannopoulos | Date: 2017-03-31 | Files: 1 | Lines: -2/+3
  These check whether parsing of unsupported files (e.g., with RC2-128), will succeed. This serves as functionality check for gnutls_pkcs8_info.
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* tests: split PKCS#12 encoding from decoding tests
  Author: Nikos Mavrogiannopoulos | Date: 2017-03-08 | Files: 1 | Lines: -1/+1
  Enhanced PKCS#12 encoding tests, with the encoding of a file which contains a cert, a key and a CRL.
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* tests: added PKCS#12 file decoding containing a CRL
  Author: Nikos Mavrogiannopoulos | Date: 2017-03-08 | Files: 1 | Lines: -1/+1
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* tests: added CRL decoding unit tests using certtool
  Author: Nikos Mavrogiannopoulos | Date: 2017-03-08 | Files: 1 | Lines: -2/+2
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* tests: converted FIPS140-2 mode checks in Makefiles to run-time in scripts
  Author: Nikos Mavrogiannopoulos | Date: 2017-03-08 | Files: 1 | Lines: -5/+2
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* tests: check whether a certificate with illegal version is rejected
  Author: Nikos Mavrogiannopoulos | Date: 2017-03-03 | Files: 1 | Lines: -1/+1
  That is, whether a certificate with version zero fails to import.
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>