From 634c05829e0e2663d506a75c259bc13e6530246f Mon Sep 17 00:00:00 2001 From: Nikos Mavrogiannopoulos Date: Sun, 16 Sep 2018 15:35:19 +0200 Subject: certtool: updates in documentation in messages for CRL generation This fixes the messages printed for the generation of a CRL, and makes the return code of the CRL verification depending on the verification result. Signed-off-by: Nikos Mavrogiannopoulos --- src/certtool-args.def | 3 ++- src/certtool-cfg.c | 9 ++++----- src/certtool.c | 10 +++++++--- 3 files changed, 13 insertions(+), 9 deletions(-) diff --git a/src/certtool-args.def b/src/certtool-args.def index 0a980fb2db..84a40efb05 100644 --- a/src/certtool-args.def +++ b/src/certtool-args.def @@ -287,7 +287,8 @@ flag = { flag = { name = generate-crl; descrip = "Generate a CRL"; - doc = "This option generates a Certificate Revocation List. When combined with --load-crl it would use the loaded CRL as base for the generated (i.e., all revoked certificates in the base will be copied to the new CRL)."; + doc = "This option generates a Certificate Revocation List. When combined with --load-crl it would use the loaded CRL as base for the generated (i.e., all revoked certificates in the base will be copied to the new CRL). +To add new certificates to the CRL use --load-certificate."; }; diff --git a/src/certtool-cfg.c b/src/certtool-cfg.c index b2f4e9ce11..8d5f63417d 100644 --- a/src/certtool-cfg.c +++ b/src/certtool-cfg.c @@ -1576,7 +1576,7 @@ void read_serial_value(unsigned char *serial, size_t *size, size_t max_size, while (true) { fprintf(stderr, - "Enter the certificate's %s in decimal (123) or hex (0xabcd)\n" + "Enter the %s in decimal (123) or hex (0xabcd)\n" "(default is 0x%s)\n" "value: ", label, encoded_default.data); 
@@ -1679,7 +1679,7 @@ int default_serial(unsigned char *serial, size_t *size) void get_serial(unsigned char *serial, size_t *size) { get_serial_value(serial, size, cfg.serial, cfg.serial_size, - default_serial, "serial number", "4.1.2.2"); + default_serial, "certificate's serial number", "4.1.2.2"); } static @@ -1776,8 +1776,7 @@ time_t get_int_date(const char *txt_val, int int_val, const char *msg) do { days = - read_int - ("The certificate will expire in (days): "); + read_int(msg); } while (days == 0); return days_to_secs(days); @@ -1816,7 +1815,7 @@ int get_crq_extensions_status(void) void get_crl_number(unsigned char* serial, size_t * size) { get_serial_value(serial, size, cfg.crl_number, cfg.crl_number_size, - default_crl_number, "CRL number", "5.2.3"); + default_crl_number, "CRL's serial number", "5.2.3"); } int get_path_len(void) diff --git a/src/certtool.c b/src/certtool.c index 908cff3722..88f8fc52f1 100644 --- a/src/certtool.c +++ b/src/certtool.c @@ -796,7 +796,6 @@ generate_crl(gnutls_x509_crt_t ca_crt, common_info_st * cinfo) app_exit(1); } - fprintf(stderr, "Update times.\n"); secs = get_crl_next_update(); result = @@ -2479,7 +2478,7 @@ void verify_crl(common_info_st * cinfo) size_t size; gnutls_datum_t dn; unsigned int output; - int ret; + int ret, rc; gnutls_datum_t pem, pout; gnutls_x509_crl_t crl; gnutls_x509_crt_t issuer; @@ -2519,7 +2518,6 @@ void verify_crl(common_info_st * cinfo) print_crl_info(crl, outfile); - fprintf(outfile, "Verification output: "); ret = gnutls_x509_crl_verify(crl, &issuer, 1, 0, &output); if (ret < 0) { fprintf(stderr, "verification error: %s\n", @@ -2527,10 +2525,14 @@ void verify_crl(common_info_st * cinfo) app_exit(1); } + fprintf(outfile, "Verification output: "); + if (output) { fprintf(outfile, "Not verified. "); + rc = 1; } else { fprintf(outfile, "Verified."); + rc = 0; } ret = 
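Review bot: In the get_int_date hunk, `read_int(msg)` now shows the caller-supplied `msg` verbatim, whereas the removed literal carried the unit hint `in (days): `; whether every caller's `msg` still tells the user that a day count is expected cannot be seen here, so the call sites are worth checking. A short comment on the parameter, e.g. `/* msg: complete prompt passed to read_int(); must name the unit (days) */`, would keep future callers consistent. get_int_date starts before this hunk.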
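Review bot: In the verify_crl hunk at -2527, the `if (output)` branch prints only `Not verified. ` and sets `rc = 1`, discarding the status bits that `gnutls_x509_crl_verify()` stored in `output`, so the user cannot see which check rejected the CRL. Rendering the status after the message, presumably via `gnutls_certificate_verification_status_print(output, GNUTLS_CRT_X509, &reason, 0)` into a separate datum that is printed with `fprintf(outfile, "%s", reason.data)` and then freed, would make the diagnostic actionable; `pout` is reused further down in the function, so a separate datum is needed. verify_crl continues past this hunk.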
@@ -2546,6 +2548,8 @@ void verify_crl(common_info_st * cinfo) gnutls_free(pout.data); fprintf(outfile, "\n"); + + app_exit(rc); } static void print_dn(const char *prefix, const gnutls_datum_t *raw) -- cgit v1.2.1 From a7623bc56970ea26ef9b65750272ba9a38b364f2 Mon Sep 17 00:00:00 2001 From: Nikos Mavrogiannopoulos Date: Sun, 16 Sep 2018 15:54:41 +0200 Subject: tests: added CRL verification tests This tests CRL verification with certtool --verify-crl on correct and incorrect cases. Relates #564 Signed-off-by: Nikos Mavrogiannopoulos --- tests/cert-tests/Makefile.am | 3 ++- tests/cert-tests/crl | 20 ++++++++++++++++++++ tests/cert-tests/data/ca-crl-invalid.crl | 14 ++++++++++++++ tests/cert-tests/data/ca-crl-invalid.pem | 21 +++++++++++++++++++++ tests/cert-tests/data/ca-crl-valid.crl | 14 ++++++++++++++ tests/cert-tests/data/ca-crl-valid.pem | 21 +++++++++++++++++++++ 6 files changed, 92 insertions(+), 1 deletion(-) create mode 100644 tests/cert-tests/data/ca-crl-invalid.crl create mode 100644 tests/cert-tests/data/ca-crl-invalid.pem create mode 100644 tests/cert-tests/data/ca-crl-valid.crl create mode 100644 tests/cert-tests/data/ca-crl-valid.pem diff --git a/tests/cert-tests/Makefile.am b/tests/cert-tests/Makefile.am index 7da9e898f4..9e29079fc4 100644 --- a/tests/cert-tests/Makefile.am +++ b/tests/cert-tests/Makefile.am 
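Review bot: `app_exit(rc)` exits with 1 for a CRL that failed verification, the same status the `app_exit(1)` path in the preceding hunk uses when `gnutls_x509_crl_verify()` itself fails, so a calling script cannot distinguish a rejected CRL from a tool or input error by exit status alone. If that distinction matters to callers, a distinct code for the not-verified case, or at least a comment at the `rc` declaration such as `/* exit status: 0 = verified, 1 = not verified or error */`, would document the contract. The `ret =` call between the `rc` assignment and this line lies outside the hunk, so whether it can exit first is not visible here.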
@@ -92,7 +92,8 @@ EXTRA_DIST = data/ca-no-pathlen.pem data/no-ca-or-pathlen.pem data/aki-cert.pem data/key-invalid4.der data/key-invalid5.der data/key-invalid6.der \ data data/pkcs8-invalid9.der data/key-invalid2.der data/pkcs8-invalid10.der \ data/key-invalid3.der data/pkcs8-eddsa.pem data/pkcs8-eddsa.pem.txt \ - data/rfc4490.p7b data/rfc4490.p7b.out data/gost01.p12 data/gost12.p12 data/gost12-2.p12 + data/rfc4490.p7b data/rfc4490.p7b.out data/gost01.p12 data/gost12.p12 data/gost12-2.p12 \ + data/ca-crl-invalid.crl data/ca-crl-invalid.pem data/ca-crl-valid.pem data/ca-crl-valid.crl dist_check_SCRIPTS = pathlen aki invalid-sig email \ pkcs7 pkcs7-broken-sigs privkey-import name-constraints certtool-long-cn crl provable-privkey \ diff --git a/tests/cert-tests/crl b/tests/cert-tests/crl index f82bb0196c..f1d1c9683c 100755 --- a/tests/cert-tests/crl +++ b/tests/cert-tests/crl @@ -265,6 +265,26 @@ if test "$?" != "0"; then exit 1 fi +# Check CRL verification + +## CRL validation is expected to succeed +${VALGRIND} "${CERTTOOL}" --verify-crl --infile "${srcdir}/data/ca-crl-valid.crl" --load-ca-certificate \ + "${srcdir}/data/ca-crl-valid.pem" >${OUTFILE} 2>${INFOFILE} +rc=$? +if test "${rc}" != "0"; then + echo "CRL verification failed" + exit ${rc} +fi + +## CRL validation is expected to fail because the CA doesn't have the CRLSign key usage flag +${VALGRIND} "${CERTTOOL}" --verify-crl --infile "${srcdir}/data/ca-crl-invalid.crl" --load-ca-certificate \ + "${srcdir}/data/ca-crl-invalid.pem" >${OUTFILE} 2>${INFOFILE} +rc=$? +if test "${rc}" = "0"; then + echo "CRL verification succeeded when shouldn't" + exit 1 +fi + rm -f "${OUTFILE}" rm -f "${INFOFILE}" rm -f "${OUTFILE2}" diff --git a/tests/cert-tests/data/ca-crl-invalid.crl b/tests/cert-tests/data/ca-crl-invalid.crl new file mode 100644 index 0000000000..68b7c1159d --- /dev/null +++ b/tests/cert-tests/data/ca-crl-invalid.crl 
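Review bot: In the tests/cert-tests/crl hunk, the negative check accepts any non-zero exit status, so it also passes when certtool fails to load the CRL or the CA file (per certtool.c that is `app_exit(1)`, the same status as a rejected CRL) or when `${VALGRIND}` reports a problem through its own exit code; the test therefore does not prove that the missing CRLSign key-usage was what rejected the CRL. Asserting on the output as well would pin the intended behaviour: add `grep -q "Not verified" "${OUTFILE}" || { echo "CRL was not reported as unverified"; exit 1; }` after the `rc` test, and symmetrically `grep -q "Verified\." "${OUTFILE}"` in the positive case, assuming the verification line goes to stdout as the `>${OUTFILE}` redirect implies.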
@@ -0,0 +1,14 @@ +-----BEGIN X509 CRL----- +MIICJjCB3wIBATA9BgkqhkiG9w0BAQowMKANMAsGCWCGSAFlAwQCAaEaMBgGCSqG +SIb3DQEBCDALBglghkgBZQMEAgGiAwIBQDAPMQ0wCwYDVQQDEwRDQS0wFw0xODA5 +MTYxMzM1NDJaGA85OTk5MTIzMTIzNTk1OVowJzAlAhQocdck3Pu5MeIpUpjb4Fis ++aYhsRcNMTgwOTE2MTMzNTQyWqBBMD8wHwYDVR0jBBgwFoAUpNhDUvJwLqnKF+mm +w5aF/wgkSEowHAYDVR0UBBUCE1ueXC860KlshpgThgNNyWGQU8QwPQYJKoZIhvcN +AQEKMDCgDTALBglghkgBZQMEAgGhGjAYBgkqhkiG9w0BAQgwCwYJYIZIAWUDBAIB +ogMCAUADggEBAElYoCVyM5W5vTfMeC7tI8WUqC3lIEXG+85AmY949KLvcx65ZAlX +fLXxx+nj0fMmL/efQEHCbpK8MfZmdesuazELePLs+e94ESZbRD4IAg2S7jCqmQ6j +Pr5vB/5A8xAIkUg+SDoPVX5VTH5UsVYhJmEfWnvkZehMst38CUqeyLJ5gp83d9nz +IuaDaHL1EOh/F+Ul/PANnyot2tHh02WBRbLI0c0Sr7nsVvHwIMfNtB0kXFKg5fmJ +puwhtNJGinWXpEgoMls7KXf+HOhiOwrMyTLxjhkawVRpjpdlMDPFp4sB0NdcIfr1 +HocKGTK84068uzN8Sk1QSuXpccL4YCr/fNo= +-----END X509 CRL----- diff --git a/tests/cert-tests/data/ca-crl-invalid.pem b/tests/cert-tests/data/ca-crl-invalid.pem new file mode 100644 index 0000000000..24adf409bb --- /dev/null +++ b/tests/cert-tests/data/ca-crl-invalid.pem 
@@ -0,0 +1,21 @@ +-----BEGIN CERTIFICATE----- +MIIDgTCCAjmgAwIBAgIUYrdL5TzzAJamxI3rTXeNdP+1SrUwPQYJKoZIhvcNAQEK +MDCgDTALBglghkgBZQMEAgGhGjAYBgkqhkiG9w0BAQgwCwYJYIZIAWUDBAIBogMC +AUAwDzENMAsGA1UEAxMEQ0EtMDAgFw0xODA5MTYxMzIzNTNaGA85OTk5MTIzMTIz +NTk1OVowDzENMAsGA1UEAxMEQ0EtMDCCAVIwPQYJKoZIhvcNAQEKMDCgDTALBglg +hkgBZQMEAgGhGjAYBgkqhkiG9w0BAQgwCwYJYIZIAWUDBAIBogMCAUADggEPADCC +AQoCggEBAK4RFQTNLU6aXid/ji3MU6W4iAYfFHGyxOgd/69wJ/yFu/gfBqJ3lNVy ++FvQvWtqq1N+mPixWjNIjPrHHsfEWhfNXEi3tSbcNwBFxMJ5Wc07BrYdrpQqfNb/ +Qb3cZbmWmmWp/A+BBFD09sI2imjVvJstjCUux6xxGG4jgXAdGkcAXH7ehi+D7nXQ +yuIlfAv0QH2gWtHJ1wc3tMHghxSpBhS+KU2QxuRlQPlQrFfTSzjjQSYJ8qqFvYDN +4emSFKEc5iJSRPrleTNDtSf5BQ7JVBmvBOCkUvlkVV6QjU+zMaJbwqaQuE7mOHbo +myUCujP/k6eKv+P3l6OI+zu7+zBaebkCAwEAAaNDMEEwDwYDVR0TAQH/BAUwAwEB +/zAPBgNVHQ8BAf8EBQMDBwQAMB0GA1UdDgQWBBSk2ENS8nAuqcoX6abDloX/CCRI +SjA9BgkqhkiG9w0BAQowMKANMAsGCWCGSAFlAwQCAaEaMBgGCSqGSIb3DQEBCDAL +BglghkgBZQMEAgGiAwIBQAOCAQEAkGJ1suWS6LS7NcYk37KmfREcOMmh9lQdi4re +tycRwn2tDaaRvRaiHAGndxZAPTfF9yBJ5LOzcSvSGsCOa2GE5Y3WtIVInadSudli +o8pxSoWon0vF7dBzZGbC+/iSbKoF7bwF4WTE9dqEdMWOE/+eHT3RsJqtk0PdbBqD +nqjQyb6QdrKPveoDVyfxszLA2gdJoTA6J+DJ5s8j197Hp9zXoPoIWY5/JDKpQweD +mGAS9Efhx5UPbnluqlj/HzG0U43gLajYcSenG35uszF+muS9FrsYZb0qtl9vQ5zJ +zmSAnjFYa8/p/zmcZKmZf0GIrxUQzn1lddy0Ys42cF22gc3sSg== +-----END CERTIFICATE----- diff --git a/tests/cert-tests/data/ca-crl-valid.crl b/tests/cert-tests/data/ca-crl-valid.crl new file mode 100644 index 0000000000..d8d8ba8df1 --- /dev/null +++ b/tests/cert-tests/data/ca-crl-valid.crl 
@@ -0,0 +1,14 @@ +-----BEGIN X509 CRL----- +MIICJjCB3wIBATA9BgkqhkiG9w0BAQowMKANMAsGCWCGSAFlAwQCAaEaMBgGCSqG +SIb3DQEBCDALBglghkgBZQMEAgGiAwIBQDAPMQ0wCwYDVQQDEwRDQS0wFw0xODA5 +MTYxMzQ4MjBaGA85OTk5MTIzMTIzNTk1OVowJzAlAhQYv9ruS7EaM2V7tn8kz3Rh +vQxmhxcNMTgwOTE2MTM0ODIwWqBBMD8wHwYDVR0jBBgwFoAUUPN34B1PsHCSBKfl +DvkuCvTuz+QwHAYDVR0UBBUCE1ueXyYRxCO5zh+eeQTS31LHIvMwPQYJKoZIhvcN +AQEKMDCgDTALBglghkgBZQMEAgGhGjAYBgkqhkiG9w0BAQgwCwYJYIZIAWUDBAIB +ogMCAUADggEBAH+J2DiyaZ+qKWKnrRluWQK/KSJ/a+Do7ox18swNg3VMtEP360TB +vh0/ctrbeb/H12YmwvrQdMPSIAcDiyBGannqG3L2mijDXZq3F2azL0WZiKAsDsBi +a3DW28F9KDPBQYuiUVYCn/C3r0CtDJuv1eARZtyc2BLujRgXUibVJej6U26mtPjs +DcDsXIWmBqRquMXhj0TY0MvkbNvT1XhDBBmSlQo+EC5zz5FZ4e9DvWiPcJqgkx4X +S58Xh+tpQR9IyyO8OLkNpMy5Zy1J6o3rTO5ZScEzjaO45YmN7BFoMljOdD1W2ID5 +MHVXfLRltra7qiZLXKhZ0aHfkzD3Xdu74JQ= +-----END X509 CRL----- diff --git a/tests/cert-tests/data/ca-crl-valid.pem b/tests/cert-tests/data/ca-crl-valid.pem new file mode 100644 index 0000000000..53dab807c3 --- /dev/null +++ b/tests/cert-tests/data/ca-crl-valid.pem 
@@ -0,0 +1,21 @@ +-----BEGIN CERTIFICATE----- +MIIDgTCCAjmgAwIBAgIUIhM6Lo4vY8WseBrZi5UmDsqK3AAwPQYJKoZIhvcNAQEK +MDCgDTALBglghkgBZQMEAgGhGjAYBgkqhkiG9w0BAQgwCwYJYIZIAWUDBAIBogMC +AUAwDzENMAsGA1UEAxMEQ0EtMDAgFw0xODA5MTYxMzQ4MDVaGA85OTk5MTIzMTIz +NTk1OVowDzENMAsGA1UEAxMEQ0EtMDCCAVIwPQYJKoZIhvcNAQEKMDCgDTALBglg +hkgBZQMEAgGhGjAYBgkqhkiG9w0BAQgwCwYJYIZIAWUDBAIBogMCAUADggEPADCC +AQoCggEBANPX6SGS5KZmUtn1ZT5CtvcMv3hKLosvLEYzpvbjjprFdL3UmBlWSu9f +u/0az9kT6D0maWKmtiF0AT4dD5CL/8391l2ZhiG9wxopBXAnxBRkO2+YZcaNY+ty +4PqZauWc2InZ0rMYI8rfSbUREgWO+d8SBBbU2wACzh1AZwMbtjEc2aGP+PXiC4m0 +axxRk0lD4ZpklA8oVMIwUNS09NQcbn7YqlnxCVxd22Z40XspeCsihXkI2d1OXWmG +J3HtEi3Ors1jyeGF3B68TplPJ3I1buuVTVJv32mVj4elQr78kTRtxyWoxL+pDt3y +o95W+VOvuAfULQWNuk49w901t4mimEcCAwEAAaNDMEEwDwYDVR0TAQH/BAUwAwEB +/zAPBgNVHQ8BAf8EBQMDBwYAMB0GA1UdDgQWBBRQ83fgHU+wcJIEp+UO+S4K9O7P +5DA9BgkqhkiG9w0BAQowMKANMAsGCWCGSAFlAwQCAaEaMBgGCSqGSIb3DQEBCDAL +BglghkgBZQMEAgGiAwIBQAOCAQEAluZhfkQIDnSj+uQJpb0hTNW4cMqQXSM0khAe +LYunzXvksXFnRz5w/qLNcvQQ94s1ej8RAXJQXG63x51eAlpwqLffcXA1rGCpUBwM +9NsiNVkh/wMyZ0LcoyztvFRI/9JR40HzUWvp4k/SxLT25BQavlwborEO45HxHk1Q +hEeWyuxNt/V9QKQ/DKtPQbbObT4gfg+mwWNntRS8VKqd1PsFr4oxmFXgGkpu04uW +QV63kq7b54RzgYIPssm2Vr9JvLoZ+1q9VhZT08wx6NDxPIe70HydqTcfsOA8p84o +MvcleJjNs4+1RPmNVhnnZDPYtBNnudn8NtMaN5AzZWa3Y41boA== +-----END CERTIFICATE----- -- cgit v1.2.1