diff options
| author | Dr. David von Oheimb <David.von.Oheimb@siemens.com> | 2021-08-24 09:31:53 +0200 |
|---|---|---|
| committer | Dr. David von Oheimb <dev@ddvo.net> | 2021-11-11 20:18:56 +0100 |
| commit | 00cf3a2d30fc7642bf9f816a7c545115985a8c0c (patch) | |
| tree | 9672ca4139ee9051e2c55e5da64aa8ee6b32867b | |
| parent | adbd77f6d7cc4efb7b4bde483036fab8e48ce870 (diff) | |
25-test_req.t: Add systematic SKID+AKID tests for self-issued (incl. self-signed) certs
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/16342)
| -rw-r--r-- | test/certs/ext-check.csr | 23 | ||||
| -rw-r--r-- | test/recipes/25-test_req.t | 157 | ||||
| -rw-r--r-- | test/recipes/tconversion.pl | 3 |
3 files changed, 143 insertions, 40 deletions
diff --git a/test/certs/ext-check.csr b/test/certs/ext-check.csr index ee974e05ce..a5ca888156 100644 --- a/test/certs/ext-check.csr +++ b/test/certs/ext-check.csr @@ -1,18 +1,9 @@ -----BEGIN CERTIFICATE REQUEST----- -MIICzTCCAbcCAQAwVDELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUx -ITAfBgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDENMAsGA1UEAwwEdGVz -dDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJadpD0ASxxfxsvdj9Ix -sogVzMSGLFziaYuE9KejU9+R479RifvwfBANO62sNWJ19X//9G5UjwWmkiOzn1k5 -0DkYsBBA3mJzik6wjt/c58lBIlSEgAgpvDU8ht8w3t20JP9+YqXAeugqFj/Wl9rF -QtsvaWSRywjXVlp5fxuEQelNnXcJEKhsKTNExsBUZebo4/J1BWpklWzA9P0lYW5I -NvDAAwcF1nzlEf0Y6Eot03IMNyg2MTE4hehxjdgCSci8GYnFirE/ojXqqpAcZGh7 -r2dqWgZUD1Dh+bT2vjrUzj8eTH3GdzI+oljt29102JIUaqj3yzRYkah8FLF9CLNN -sUcCAwEAAaA2MBYGCSqGSIb3DQEJAjEJDAdDb21wYW55MBwGCSqGSIb3DQEJDjEP -MA0wCwYDVR0PBAQDAgeAMAsGCSqGSIb3DQEBCwOCAQEAYd4B+FkWRuVVDPYfrN8P -UdZbLTggUGrpdhRibnoAsLNQ3cCS90OsCq5FLD6TVUCNb1gnp15Jp1WChQSyD3zC -jb8VgivDeDOuk08Zy2Fl2+QvuwyQ9hKTAOTdAmP/bapAi7zniElSTP6BZ8vyEtuP -FCEWJ5UjhvUYbZOG5WIHxhT+24CtYH3iHNir4OlDbsYrUBKEmQZIDj6WC01UT+4U -/up2xKq1Y+rOUv2Xy3K9O/U1W/3AF7IvcDyd7+qQTGD8U2X3efzZYOffhTN+9Rvn -5t82CnHLjFn4Co43RBiOcbjSDbvtaghtDiYB2tSUuqafHiuAJKx6zAm0Y2FR8X+z -gg== +MIIBJzCBsgIBADAPMQ0wCwYDVQQDDAR0ZXN0MHwwDQYJKoZIhvcNAQEBBQADawAw +aAJhALntqSk2YVnhNalAikA2tuSOvHUKVSJlqjKmzlUPI+gQFyBWxtyQdwepI87t +l8EW1in2IiOeN49W+OtVOlBiMxwqi/BcBltTbbSrlRpoSKOH6V7zIXvfsqjwWsDi +37V1xQIDAQABoB4wHAYJKoZIhvcNAQkOMQ8wDTALBgNVHQ8EBAMCB4AwDQYJKoZI +hvcNAQELBQADYQCu+Qad0pgxIY8PUo6pvg8nNruEyrk/0/weL+sPZxEv0hSrIaGo +ZaVGcPGi67oidiUyM2eMwDUUz3UmPA4oHNGRCddnTMISDxynLEM55CUECLFxXhP+ +8dJsKuJ9jbdasn4= -----END CERTIFICATE REQUEST----- diff --git a/test/recipes/25-test_req.t b/test/recipes/25-test_req.t index 235b53c61c..c1587b76d7 100644 --- a/test/recipes/25-test_req.t +++ b/test/recipes/25-test_req.t @@ -15,7 +15,7 @@ use OpenSSL::Test qw/:DEFAULT srctop_file/; setup("test_req"); -plan tests => 43; +plan tests => 91; require_ok(srctop_file('test', 'recipes', 'tconversion.pl')); @@ -37,7 +37,7 @@ $ENV{MSYS2_ARG_CONV_EXCL} = "/CN="; # Check for duplicate -addext parameters, and one "working" case. my @addext_args = ( "openssl", "req", "-new", "-out", "testreq.pem", - "-key", srctop_file("test", "certs", "ee-key.pem"), + "-key", srctop_file(@certs, "ee-key.pem"), "-config", srctop_file("test", "test.cnf"), @req_new ); my $val = "subjectAltName=DNS:example.com"; my $val2 = " " . $val; @@ -298,7 +298,7 @@ subtest "generating certificate requests" => sub { plan tests => 2; ok(run(app(["openssl", "req", "-config", srctop_file("test", "test.cnf"), - "-key", srctop_file("test", "certs", "ee-key.pem"), + "-key", srctop_file(@certs, "ee-key.pem"), @req_new, "-out", "testreq.pem"])), "Generating request"); @@ -415,36 +415,150 @@ sub strict_verify { my @v3_ca = ("-addext", "basicConstraints = critical,CA:true", "-addext", "keyUsage = keyCertSign"); my $SKID_AKID = "subjectKeyIdentifier,authorityKeyIdentifier"; -my $cert = "self-signed_v1_CA_no_KIDs.pem"; + +# # SKID + +my $cert = "self-signed_v3_CA_hash_SKID.pem"; +generate_cert($cert, @v3_ca, "-addext", "subjectKeyIdentifier = hash"); +has_SKID($cert, 1); # explicit hash SKID + +$cert = "self-signed_v3_CA_no_SKID.pem"; +generate_cert($cert, @v3_ca, "-addext", "subjectKeyIdentifier = none"); +cert_ext_has_n_different_lines($cert, 0, $SKID_AKID); # no SKID and no AKID +#TODO strict_verify($cert, 0); + +$cert = "self-signed_v3_CA_given_SKID.pem"; +generate_cert($cert, @v3_ca, "-addext", "subjectKeyIdentifier = 45"); +cert_contains($cert, "Subject Key Identifier: 45 ", 1); # given SKID +strict_verify($cert, 1); + +# AKID of self-signed certs + +$cert = "self-signed_v1_CA_no_KIDs.pem"; generate_cert($cert); cert_ext_has_n_different_lines($cert, 0, $SKID_AKID); # no SKID and no AKID #TODO strict_verify($cert, 1); # self-signed v1 root cert should be accepted as CA -$ca_cert = "self-signed_v3_CA_default_SKID.pem"; +$ca_cert = "self-signed_v3_CA_default_SKID.pem"; # will also be used below generate_cert($ca_cert, @v3_ca); -has_SKID($ca_cert, 1); -has_AKID($ca_cert, 0); +has_SKID($ca_cert, 1); # default SKID +has_AKID($ca_cert, 0); # no default AKID strict_verify($ca_cert, 1); -$cert = "self-signed_v3_CA_no_SKID.pem"; -generate_cert($cert, @v3_ca, "-addext", "subjectKeyIdentifier = none"); -cert_ext_has_n_different_lines($cert, 0, $SKID_AKID); # no SKID and no AKID -#TODO strict_verify($cert, 0); +$cert = "self-signed_v3_CA_no_AKID.pem"; +generate_cert($cert, @v3_ca, "-addext", "authorityKeyIdentifier = none"); +has_AKID($cert, 0); # forced no AKID -$cert = "self-signed_v3_CA_both_KIDs.pem"; -generate_cert($cert, @v3_ca, "-addext", "subjectKeyIdentifier = hash", - "-addext", "authorityKeyIdentifier = keyid:always"); -cert_ext_has_n_different_lines($cert, 3, $SKID_AKID); # SKID == AKID +$cert = "self-signed_v3_CA_explicit_AKID.pem"; +generate_cert($cert, @v3_ca, "-addext", "authorityKeyIdentifier = keyid"); +has_AKID($cert, 0); # for self-signed cert, AKID suppressed and not forced + +$cert = "self-signed_v3_CA_forced_AKID.pem"; +generate_cert($cert, @v3_ca, "-addext", "authorityKeyIdentifier = keyid:always"); +cert_ext_has_n_different_lines($cert, 3, $SKID_AKID); # forced AKID, AKID == SKID strict_verify($cert, 1); +$cert = "self-signed_v3_CA_issuer_AKID.pem"; +generate_cert($cert, @v3_ca, "-addext", "authorityKeyIdentifier = issuer"); +has_AKID($cert, 0); # suppressed AKID since not forced + +$cert = "self-signed_v3_CA_forced_issuer_AKID.pem"; +generate_cert($cert, @v3_ca, "-addext", "authorityKeyIdentifier = issuer:always"); +cert_contains($cert, "Authority Key Identifier: DirName:/CN=CA serial:", 1); # forced issuer AKID + +$cert = "self-signed_v3_CA_nonforced_keyid_issuer_AKID.pem"; +generate_cert($cert, @v3_ca, "-addext", "authorityKeyIdentifier = keyid, issuer"); +has_AKID($cert, 0); # AKID not present because not forced and cert self-signed + +$cert = "self-signed_v3_CA_keyid_forced_issuer_AKID.pem"; +generate_cert($cert, @v3_ca, "-addext", "authorityKeyIdentifier = keyid, issuer:always"); +cert_contains($cert, "Authority Key Identifier: DirName:/CN=CA serial:", 1); # issuer AKID forced, with keyid not forced + +$cert = "self-signed_v3_CA_forced_keyid_issuer_AKID.pem"; +generate_cert($cert, @v3_ca, "-addext", "authorityKeyIdentifier = keyid:always, issuer"); +has_AKID($cert, 1); # AKID with keyid forced +cert_contains($cert, "Authority Key Identifier: DirName:/CN=CA serial:", 0); # no issuer AKID + +$cert = "self-signed_v3_CA_forced_keyid_forced_issuer_AKID.pem"; +generate_cert($cert, @v3_ca, "-addext", "authorityKeyIdentifier = keyid:always, issuer:always"); +cert_contains($cert, "Authority Key Identifier: keyid(:[0-9A-Fa-f]{2})+ DirName:/CN=CA serial:", 1); # AKID with keyid and issuer forced + $cert = "self-signed_v3_EE_wrong_keyUsage.pem"; generate_cert($cert, "-addext", "keyUsage = keyCertSign"); #TODO strict_verify($cert, 1); # should be accepted because RFC 5280 does not apply -$cert = "v3_EE_default_KIDs.pem"; +# AKID of self-issued but not self-signed certs + +$cert = "self-issued_x509_v3_CA_default_KIDs.pem"; +ok(run(app([("openssl", "x509", "-copy_extensions", "copy", + "-req", "-in", srctop_file(@certs, "ext-check.csr"), + "-key", srctop_file(@certs, "ca-key.pem"), + "-force_pubkey", srctop_file("test", "testrsapub.pem"), + "-out", $cert)])), "generate using x509: $cert"); +cert_contains($cert, "Issuer: CN=test .*? Subject: CN=test", 1); +cert_ext_has_n_different_lines($cert, 4, $SKID_AKID); # SKID != AKID +strict_verify($cert, 1); + +$cert = "self-issued_v3_CA_default_KIDs.pem"; +generate_cert($cert, "-addext", "keyUsage = dataEncipherment", + "-in", srctop_file(@certs, "x509-check.csr")); +cert_contains($cert, "Issuer: CN=CA .*? Subject: CN=CA", 1); +cert_ext_has_n_different_lines($cert, 4, $SKID_AKID); # SKID != AKID +strict_verify($cert, 1); + +$cert = "self-issued_v3_CA_no_AKID.pem"; +generate_cert($cert, "-addext", "authorityKeyIdentifier = none", + "-in", srctop_file(@certs, "x509-check.csr")); +has_AKID($cert, 0); +strict_verify($cert, 1); + +$cert = "self-issued_v3_CA_explicit_AKID.pem"; +generate_cert($cert, "-addext", "authorityKeyIdentifier = keyid", + "-in", srctop_file(@certs, "x509-check.csr")); +cert_ext_has_n_different_lines($cert, 4, $SKID_AKID); # SKID != AKID +strict_verify($cert, 1); + +$cert = "self-issued_v3_CA_forced_AKID.pem"; +generate_cert($cert, "-addext", "authorityKeyIdentifier = keyid:always", + "-in", srctop_file(@certs, "x509-check.csr")); +cert_ext_has_n_different_lines($cert, 4, $SKID_AKID); # SKID != AKID + +$cert = "self-issued_v3_CA_issuer_AKID.pem"; +generate_cert($cert, @v3_ca, "-addext", "authorityKeyIdentifier = issuer", + "-in", srctop_file(@certs, "x509-check.csr")); +cert_contains($cert, "Authority Key Identifier: DirName:/CN=CA serial:", 1); # just issuer AKID + +$cert = "self-issued_v3_CA_forced_issuer_AKID.pem"; +generate_cert($cert, @v3_ca, "-addext", "authorityKeyIdentifier = issuer:always", + "-in", srctop_file(@certs, "x509-check.csr")); +cert_contains($cert, "Authority Key Identifier: DirName:/CN=CA serial:", 1); # just issuer AKID + +$cert = "self-issued_v3_CA_keyid_issuer_AKID.pem"; +generate_cert($cert, "-addext", "authorityKeyIdentifier = keyid, issuer", + "-in", srctop_file(@certs, "x509-check.csr")); +cert_ext_has_n_different_lines($cert, 4, $SKID_AKID); # SKID != AKID, not forced + +$cert = "self-issued_v3_CA_keyid_forced_issuer_AKID.pem"; +generate_cert($cert, "-addext", "authorityKeyIdentifier = keyid, issuer:always", + "-in", srctop_file(@certs, "x509-check.csr")); +cert_ext_has_n_different_lines($cert, 6, $SKID_AKID); # SKID != AKID, with forced issuer + +$cert = "self-issued_v3_CA_forced_keyid_and_issuer_AKID.pem"; +generate_cert($cert, "-addext", "authorityKeyIdentifier = keyid:always, issuer:always", + "-in", srctop_file(@certs, "x509-check.csr")); +cert_ext_has_n_different_lines($cert, 6, $SKID_AKID); # SKID != AKID, both forced + +# AKID of not self-issued certs + +$cert = "regular_v3_EE_default_KIDs.pem"; generate_cert($cert, "-addext", "keyUsage = dataEncipherment"); cert_ext_has_n_different_lines($cert, 4, $SKID_AKID); # SKID != AKID strict_verify($cert, 1, $ca_cert); +$cert = "regular_v3_EE_copied_exts_default_KIDs.pem"; +generate_cert($cert, "-copy_extensions", "copy", + "-in", srctop_file(@certs, "ext-check.csr")); +cert_ext_has_n_different_lines($cert, 4, $SKID_AKID); # SKID != AKID +strict_verify($cert, 1); $cert = "v3_EE_no_AKID.pem"; generate_cert($cert, "-addext", "authorityKeyIdentifier = none"); @@ -452,16 +566,13 @@ has_SKID($cert, 1); has_AKID($cert, 0); strict_verify($cert, 0, $ca_cert); -$cert = "self-issued_v3_EE_default_KIDs.pem"; -generate_cert($cert, "-addext", "keyUsage = dataEncipherment", - "-in", srctop_file(@certs, "x509-check.csr")); -cert_ext_has_n_different_lines($cert, 4, $SKID_AKID); # SKID != AKID -strict_verify($cert, 1); -my $cert = "self-signed_CA_no_keyUsage.pem"; +# Key Usage + +$cert = "self-signed_CA_no_keyUsage.pem"; generate_cert($cert, "-in", srctop_file(@certs, "ext-check.csr")); has_keyUsage($cert, 0); -my $cert = "self-signed_CA_with_keyUsages.pem"; +$cert = "self-signed_CA_with_keyUsages.pem"; generate_cert($cert, "-in", srctop_file(@certs, "ext-check.csr"), "-copy_extensions", "copy"); has_keyUsage($cert, 1); diff --git a/test/recipes/tconversion.pl b/test/recipes/tconversion.pl index 87b037b34d..f60954c0ba 100644 --- a/test/recipes/tconversion.pl +++ b/test/recipes/tconversion.pl @@ -114,6 +114,7 @@ sub file_contains { open(DATA, $_) or return 0; $_= join('', <DATA>); close(DATA); + s/\s+/ /g; # take multiple whitespace (including newline) as single space return m/$pattern/ ? 1 : 0; } @@ -125,7 +126,7 @@ sub cert_contains { my $out = "cert_contains.out"; run(app(["openssl", "x509", "-noout", "-text", "-in", $cert, "-out", $out])); is(file_contains($out, $pattern), $expected, ($name ? "$name: " : ""). - "$cert should ".($expected ? "" : "not ")."contain $pattern"); + "$cert should ".($expected ? "" : "not ")."contain: \"$pattern\""); # not unlinking $out } |