From 1fe366c28e1d26a10630bafe207a0cf56bb8a276 Mon Sep 17 00:00:00 2001 From: Nikos Mavrogiannopoulos Date: Fri, 17 Feb 2017 09:56:24 +0100 Subject: tests: enhanced test suite to include invalid V1 certs That is, added X.509v1 certificates with attributes that shouldn't have been presented (valid for X.509v2 only). Signed-off-by: Nikos Mavrogiannopoulos --- tests/cert-tests/Makefile.am | 5 +-- tests/cert-tests/cert-sanity | 55 ++++++++++++++++++++++++++++++ tests/cert-tests/data/x509-v1-with-iid.pem | 19 +++++++++++ tests/cert-tests/data/x509-v1-with-sid.pem | 19 +++++++++++ 4 files changed, 96 insertions(+), 2 deletions(-) create mode 100755 tests/cert-tests/cert-sanity create mode 100644 tests/cert-tests/data/x509-v1-with-iid.pem create mode 100644 tests/cert-tests/data/x509-v1-with-sid.pem diff --git a/tests/cert-tests/Makefile.am b/tests/cert-tests/Makefile.am index 4ea9af9806..b53904e95c 100644 --- a/tests/cert-tests/Makefile.am +++ b/tests/cert-tests/Makefile.am @@ -62,13 +62,14 @@ EXTRA_DIST = data/ca-no-pathlen.pem data/no-ca-or-pathlen.pem data/aki-cert.pem data/code-signing-ca.pem data/code-signing-cert.pem data/multi-value-dn.pem \ data/pkcs7-cat-ca.pem data/pkcs7-cat.p7 data/openssl.p7b data/openssl.p7b.out \ data/openssl-keyid.p7b data/openssl-keyid.p7b.out data/openssl.p12 \ - data/openpgp-invalid1.pub data/openpgp-invalid2.pub data/openpgp-invalid3.pub + data/openpgp-invalid1.pub data/openpgp-invalid2.pub data/openpgp-invalid3.pub \ + data/x509-v1-with-sid.pem data/x509-v1-with-iid.pem dist_check_SCRIPTS = pathlen aki certtool invalid-sig email \ pkcs7 pkcs7-broken-sigs privkey-import name-constraints certtool-long-cn crl provable-privkey \ provable-dh userid sha2-test sha2-dsa-test provable-privkey-dsa2048 \ provable-privkey-rsa2048 provable-privkey-gen-default pkcs7-constraints \ - pkcs7-constraints2 certtool-long-oids pkcs7-cat + pkcs7-constraints2 certtool-long-oids pkcs7-cat cert-sanity if WANT_TEST_SUITE dist_check_SCRIPTS += provable-dh-default diff --git a/tests/cert-tests/cert-sanity b/tests/cert-tests/cert-sanity new file mode 100755 index 0000000000..edcefe963c --- /dev/null +++ b/tests/cert-tests/cert-sanity @@ -0,0 +1,55 @@ +#!/bin/sh + +# Copyright (C) 2017 Red Hat, Inc. +# +# This file is part of GnuTLS. +# +# GnuTLS is free software; you can redistribute it and/or modify it +# under the terms of the GNU General Public License as published by the +# Free Software Foundation; either version 3 of the License, or (at +# your option) any later version. +# +# GnuTLS is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +# General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with GnuTLS; if not, write to the Free Software Foundation, +# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. + +#set -e + +srcdir="${srcdir:-.}" +CERTTOOL="${CERTTOOL:-../../src/certtool${EXEEXT}}" +DIFF="${DIFF:-diff -b -B}" + +if ! test -x "${CERTTOOL}"; then + exit 77 +fi + +if ! test -z "${VALGRIND}"; then + VALGRIND="${LIBTOOL:-libtool} --mode=execute ${VALGRIND}" +fi + +# This checks whether invalid certificates are accepted + +${VALGRIND} "${CERTTOOL}" -i --infile "${srcdir}/data/x509-v1-with-sid.pem" +rc=$? + +if test "${rc}" != 1; then + echo "X509v1 certificate with subject unique ID was accepted" + exit 1 +fi + +${VALGRIND} "${CERTTOOL}" -i --infile "${srcdir}/data/x509-v1-with-iid.pem" +rc=$? + +if test "${rc}" != 1; then + echo "X509v1 certificate with issuer unique ID was accepted" + exit 1 +fi + + + +exit 0 diff --git a/tests/cert-tests/data/x509-v1-with-iid.pem b/tests/cert-tests/data/x509-v1-with-iid.pem new file mode 100644 index 0000000000..98456eb1a3 --- /dev/null +++ b/tests/cert-tests/data/x509-v1-with-iid.pem @@ -0,0 +1,19 @@ +-----BEGIN CERTIFICATE----- +MIIDpzCCAo8CEAEAAAAAAAAAAAAAAAAAAAAwDQYJKoZIhvcNAQELBQAwdzELMAkGA1UEBhMCQ04x +EDAOBgNVBAgTB1NoYW5ueGkxDjAMBgNVBAcTBVhpJ2FuMRowGAYDVQQKExFYaWRpYW4gVW5pdmVy +c2l0eTENMAsGA1UECxMESUNUVDEbMBkGA1UEAxMSaWN0dC54aWRpYW4uZWR1LmNuMB4XDTE2MDky +ODA4MTg1OFoXDTI0MTIxNTA4MTg1OFowgaQxCzAJBgNVBAYTAkNOMRAwDgYDVQQIDAdTaGFubnhp +MQ4wDAYDVQQHDAVYaSdhbjEaMBgGA1UECgwRWGlkaWFuIFVuaXZlcnNpdHkxDTALBgNVBAsMBFBo +LkQxGjAYBgNVBAMMEXBoZC54aWRpYW4uZWR1LmNuMSwwKgYJKoZIhvcNAQkBFh1jaGVuY2h1QHN0 +dW1haWwueGlkaWFuLmVkdS5jbjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAIBBvP+5 +LH95Ve5b9F1MkH0+ZVBQocjRlWdjdwhFCwrnh+pQ1Sb4NLuGCeVOrtOiiQDEo2egR1WAaDrBKEW0 +W0diJdSUbGO0ANEaOYH7WSAutMFyQmFD1K3H1zDTJxwrlct7ZwLClmVywfyJdN6yQR3s5+r+KE9L +ucgv+xOudc+5/Oq+ntLVHjj62UfrJ6cw2MqA0oVZF9WmZeAQ1JNUnIatzo1i2EeLpJKLgf6WfhmR +XGjm/KTU+e3alHPnpOcGb6FPkJE9mWezaGcIO8jfUjeP/a6L8qksj0vdCEx32g51RcDiUmvWFHpp +DGPFJkmuZEpw5FMFoPsVmeO2wlBOTPsCAwEAAYEGAAECAwQFMA0GCSqGSIb3DQEBCwUAA4IBAQBk +Hu9xmv32lFzvqvyzwN9bHxrprROBnKOpCZHTnFTRkZcZS8Ys0pc4uJ/zhLEsECA8bSN9YjhzfeTH +237ZcTlRetBK7SXm4TCC0J3D4TOc9zyjAqSXga9flUPmK7nbcwznA6V8KtRKRsS95C0fr2VQvsWR +wiguPKWwvBWWvy30PaYeZPzKTzJLu+g4L4+1jdXWhbdkinfHPXPM732lpd0Zg6FSVQi85K5IeqHI +F/WzKZEippbCHyQ7jk6I4QSKfK15th9yTGgu3ARXvAFlqqKObuAt57uFI4Wmk4M+vvAMHuoHxMdM +6V26CKUUV+Qu6rpQQ+guWob2Zyu0CwWA5rw6 +-----END CERTIFICATE----- \ No newline at end of file diff --git a/tests/cert-tests/data/x509-v1-with-sid.pem b/tests/cert-tests/data/x509-v1-with-sid.pem new file mode 100644 index 0000000000..f2127c8778 --- /dev/null +++ b/tests/cert-tests/data/x509-v1-with-sid.pem @@ -0,0 +1,19 @@ +-----BEGIN CERTIFICATE----- +MIIDpDCCAowCEAEAAAAAAAAAAAAAAAAAAAAwDQYJKoZIhvcNAQELBQAwdzELMAkGA1UEBhMCQ04x +EDAOBgNVBAgTB1NoYW5ueGkxDjAMBgNVBAcTBVhpJ2FuMRowGAYDVQQKExFYaWRpYW4gVW5pdmVy +c2l0eTENMAsGA1UECxMESUNUVDEbMBkGA1UEAxMSaWN0dC54aWRpYW4uZWR1LmNuMB4XDTE2MDky +ODA4MTg1OVoXDTI0MTIxNTA4MTg1OVowgaQxCzAJBgNVBAYTAkNOMRAwDgYDVQQIDAdTaGFubnhp +MQ4wDAYDVQQHDAVYaSdhbjEaMBgGA1UECgwRWGlkaWFuIFVuaXZlcnNpdHkxDTALBgNVBAsMBFBo +LkQxGjAYBgNVBAMMEXBoZC54aWRpYW4uZWR1LmNuMSwwKgYJKoZIhvcNAQkBFh1jaGVuY2h1QHN0 +dW1haWwueGlkaWFuLmVkdS5jbjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAK6YuRMn +V0cOz1rKSrRri1IajVBpJROr+L3N09XcKL1IOTFmV40aZG93v8o5pSIJ4Q/nqzmEqoChYLxnBSAe +I/3tLrtrYBNBmrJaum7M7fAcBGBvLlKv7hhN8l5ujHkHJwxBdU0Qma9KxUcJft1wlPaEYR/kC9Ls +jpoz2CW1e5H2CXtxyd5PRgX7FizUwl0myrSnJr1OF/ARjYsW5vFDd8CtPeoD4KFoHLn0d7lqSsl/ +t2g3hoJoe7e9Kkdm40ev7sOSEcJW4VqRplX1KZeuZm+Gmh44aw9QWLHiCtSrddDy36GvdsAeaCvi +boBIseUoNEtV/4JXTS83m3iIQ4ynyn0CAwEAAYIDAAEGMA0GCSqGSIb3DQEBCwUAA4IBAQAGOv7G +yuYn3thPJDabruSRDXJWaJHhY5t2PJYNkaoNSCNgJt+3gP4IvNFL3QmM+8Ezy5XpMU7MIrtmrxKp +MWKE86eY9mn+dP6fG4Ppvo+gSmO1DtofSiFzOA4jMmkVxOYeZyxgw2no+HY3CHZnbK+5wNYn6eP5 +zBtJKp9Uo4zd929wQxNZJR+XKLXF9rdRZOCp6Ez2p6MVTFYAvhILJ3xr0/4YWukqP1rLUDVRU6+F +xfRl0uGQbyIllsocinCJxy0PlskwqORHSgonefQdCU8Mg0neNJ/+RZ6v7xFz4+k9/QVBu+j8mWeX +LHCLvuer7Q6zHq+1JHAeuEp48clGUnG7 +-----END CERTIFICATE----- \ No newline at end of file -- cgit v1.2.1