diff options
author | Lutz Jaenicke <ljaenicke@phoenixcontact.com> | 2022-06-15 17:31:19 +0200 |
---|---|---|
committer | Tomas Mraz <tomas@openssl.org> | 2022-08-18 10:24:53 +0200 |
commit | 61a97676914df358dd014a9b6fe2ba01b0ebe508 (patch) | |
tree | 21ef0d136c366d88d226b1505c1a244a1f2a51fc /test | |
parent | 178696d6020878361a088086243d56203e0beaa9 (diff) |
X509: add tests for purpose code signing in verify application
Correct configuration according to CA Browser forum:
KU: critical,digitalSignature
XKU: codeSiging
Note: I did not find any other document formally defining the requirements
for code signing certificates.
Some combinations are explicitly forbidden, some flags can be ignored
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18567)
Diffstat (limited to 'test')
-rw-r--r-- | test/certs/ee-codesign-anyextkeyusage.pem | 19 | ||||
-rw-r--r-- | test/certs/ee-codesign-crlsign.pem | 19 | ||||
-rw-r--r-- | test/certs/ee-codesign-keycertsign.pem | 19 | ||||
-rw-r--r-- | test/certs/ee-codesign-noncritical.pem | 19 | ||||
-rw-r--r-- | test/certs/ee-codesign-serverauth.pem | 19 | ||||
-rw-r--r-- | test/certs/ee-codesign.pem | 19 | ||||
-rwxr-xr-x | test/certs/mkcert.sh | 7 | ||||
-rwxr-xr-x | test/certs/setup.sh | 8 | ||||
-rw-r--r-- | test/recipes/25-test_verify.t | 24 |
9 files changed, 150 insertions, 3 deletions
diff --git a/test/certs/ee-codesign-anyextkeyusage.pem b/test/certs/ee-codesign-anyextkeyusage.pem new file mode 100644 index 0000000000..1523f60784 --- /dev/null +++ b/test/certs/ee-codesign-anyextkeyusage.pem @@ -0,0 +1,19 @@ +-----BEGIN CERTIFICATE----- +MIIDGzCCAgOgAwIBAgIBAjANBgkqhkiG9w0BAQsFADANMQswCQYDVQQDDAJDQTAg +Fw0yMjA2MTUxNjM0MDNaGA8yMTIyMDYxNjE2MzQwM1owGTEXMBUGA1UEAwwOc2Vy +dmVyLmV4YW1wbGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCo/4lY +YYWu3tssD9Vz++K3qBt6dWAr1H08c3a1rt6TL38kkG3JHPSKOM2fooAWVsu0LLuT +5Rcf/w3GQ/4xNPgo2HXpo7uIgu+jcuJTYgVFTeAxl++qnRDSWA2eBp4yuxsIVl1l +Dz9mjsI2oBH/wFk1/Ukc3RxCMwZ4rgQ4I+XndWfTlK1aqUAfrFkQ9QzBZK1KxMY1 +U7OWaoIbFYvRmavknm+UqtKW5Vf7jJFkijwkFsbSGb6CYBM7YrDtPh2zyvlr3zG5 +ep5LR2inKcc/SuIiJ7TvkGPX79ByST5brbkb1Ctvhmjd1XMSuEPJ3EEPoqNGT4tn +iIQPYf55NB9KiR+3AgMBAAGjeDB2MB0GA1UdDgQWBBTnm+IqrYpsOst2UeWOB5gi +l+FzojAfBgNVHSMEGDAWgBS0ETPx1+Je91OeICIQT4YGvx/JXjAJBgNVHRMEAjAA +MA4GA1UdDwEB/wQEAwIHgDAZBgNVHSUEEjAQBggrBgEFBQcDAwYEVR0lADANBgkq +hkiG9w0BAQsFAAOCAQEASlEaV64VMZE4Kj8ITpm8Xb418tbiLmuDEHZiZXOc9gRg +YNnxpP0ammixIlvDtGM9Liahg5yTwj78Hd6ejxcSLm5sckhA+WkhosAm2aelkVEA +kG0uqo2JOYd7RHh6rzvSCYfLX8gg9eqzq8qWw7Lbg9wyfC5V1Q+zYkuEQ4bBc5WT +iqh1Zad4Lp9yFsMTEbo8aKL3Ayu0ehR1OrKjRrHbk9q2XafZRoa41mjNEHvQ7KkW +PGkczOapAXRJRm7pRzI5m3lj07ITwdWiliu9Uv8KRKxkOunmSIGVBkeNMf7gGBiA +1k4+o8wcWcQZmsP6RxEvSm6k5610oHi0z0CVgijghw== +-----END CERTIFICATE----- diff --git a/test/certs/ee-codesign-crlsign.pem b/test/certs/ee-codesign-crlsign.pem new file mode 100644 index 0000000000..f604f99ceb --- /dev/null +++ b/test/certs/ee-codesign-crlsign.pem @@ -0,0 +1,19 @@ +-----BEGIN CERTIFICATE----- +MIIDFTCCAf2gAwIBAgIBAjANBgkqhkiG9w0BAQsFADANMQswCQYDVQQDDAJDQTAg +Fw0yMjA2MTUxNjA1NDFaGA8yMTIyMDYxNjE2MDU0MVowGTEXMBUGA1UEAwwOc2Vy +dmVyLmV4YW1wbGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCo/4lY +YYWu3tssD9Vz++K3qBt6dWAr1H08c3a1rt6TL38kkG3JHPSKOM2fooAWVsu0LLuT +5Rcf/w3GQ/4xNPgo2HXpo7uIgu+jcuJTYgVFTeAxl++qnRDSWA2eBp4yuxsIVl1l +Dz9mjsI2oBH/wFk1/Ukc3RxCMwZ4rgQ4I+XndWfTlK1aqUAfrFkQ9QzBZK1KxMY1 +U7OWaoIbFYvRmavknm+UqtKW5Vf7jJFkijwkFsbSGb6CYBM7YrDtPh2zyvlr3zG5 +ep5LR2inKcc/SuIiJ7TvkGPX79ByST5brbkb1Ctvhmjd1XMSuEPJ3EEPoqNGT4tn +iIQPYf55NB9KiR+3AgMBAAGjcjBwMB0GA1UdDgQWBBTnm+IqrYpsOst2UeWOB5gi +l+FzojAfBgNVHSMEGDAWgBS0ETPx1+Je91OeICIQT4YGvx/JXjAJBgNVHRMEAjAA +MA4GA1UdDwEB/wQEAwIBgjATBgNVHSUEDDAKBggrBgEFBQcDAzANBgkqhkiG9w0B +AQsFAAOCAQEAaFJ20GAgOe8aS9FOHzBwnQWT8m0tqrRysb/iAVmrK1z3o5Jz3vBw +a5v1aMpWX19tp5tdIRqiGw0aAje8ZKBf4mK1Z9qZLmx+bat8Q4Re2s9wP67TUMfF +SKvCYLNws5zcDnt31Ckpnu+kLm6GIxlYy7q+DBJxzuPCkVLZTSRhFJPs9pyn2jHt +tGsQgkOAhOTKbldM9N66z+IqZJ3zXmmkrSVw45qDB50QpmaCJza1expIMderN/lh +j/ijMGyZOZXH4KkNCGxROyw0iHB7nZ5IdXLbpDDycJkixmmUBNjBh5huxgfzwGHT +ePW/iHQzvEzUWZJf3cx9GKRj5z2lJf9tPA== +-----END CERTIFICATE----- diff --git a/test/certs/ee-codesign-keycertsign.pem b/test/certs/ee-codesign-keycertsign.pem new file mode 100644 index 0000000000..8ba53eca1f --- /dev/null +++ b/test/certs/ee-codesign-keycertsign.pem @@ -0,0 +1,19 @@ +-----BEGIN CERTIFICATE----- +MIIDFTCCAf2gAwIBAgIBAjANBgkqhkiG9w0BAQsFADANMQswCQYDVQQDDAJDQTAg +Fw0yMjA2MTUxNjA1NDFaGA8yMTIyMDYxNjE2MDU0MVowGTEXMBUGA1UEAwwOc2Vy +dmVyLmV4YW1wbGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCo/4lY +YYWu3tssD9Vz++K3qBt6dWAr1H08c3a1rt6TL38kkG3JHPSKOM2fooAWVsu0LLuT +5Rcf/w3GQ/4xNPgo2HXpo7uIgu+jcuJTYgVFTeAxl++qnRDSWA2eBp4yuxsIVl1l +Dz9mjsI2oBH/wFk1/Ukc3RxCMwZ4rgQ4I+XndWfTlK1aqUAfrFkQ9QzBZK1KxMY1 +U7OWaoIbFYvRmavknm+UqtKW5Vf7jJFkijwkFsbSGb6CYBM7YrDtPh2zyvlr3zG5 +ep5LR2inKcc/SuIiJ7TvkGPX79ByST5brbkb1Ctvhmjd1XMSuEPJ3EEPoqNGT4tn +iIQPYf55NB9KiR+3AgMBAAGjcjBwMB0GA1UdDgQWBBTnm+IqrYpsOst2UeWOB5gi +l+FzojAfBgNVHSMEGDAWgBS0ETPx1+Je91OeICIQT4YGvx/JXjAJBgNVHRMEAjAA +MA4GA1UdDwEB/wQEAwIChDATBgNVHSUEDDAKBggrBgEFBQcDAzANBgkqhkiG9w0B +AQsFAAOCAQEAGdAVHnk43W8f69NaXm/uddssUCiHln+gWON5n2fSZ5DC8eaUs/kt +hr+HonB4cl+MvEeLUKN5Zmt4BRpqf2tlncy4qhoIzl99LlQs01IO2hoIYkc9/gRW +xcyOAvRACEO3AlOLlKO00VjYfSc4zyf40LSme/DQOz9CWaAjOdpjF/AlWK5lHyB4 +Ra2EscTBE4kgrPiTQp5WG4mbbZ+H7Rd8dFrFY6/ZdmhqMCn04MUCtjfWFtPk6zAl +DY/MqhvkZNTfHfvI9+jmiUG3+dpcDmrjL/IgtBlZjFTKroOdXVjMj0j1oUvhSjWB +s1OhZ5bfbu9ZfwqQ0FqW3vzmJFENHxZmXg== +-----END CERTIFICATE----- diff --git a/test/certs/ee-codesign-noncritical.pem b/test/certs/ee-codesign-noncritical.pem new file mode 100644 index 0000000000..f15aafdb5b --- /dev/null +++ b/test/certs/ee-codesign-noncritical.pem @@ -0,0 +1,19 @@ +-----BEGIN CERTIFICATE----- +MIIDEjCCAfqgAwIBAgIBAjANBgkqhkiG9w0BAQsFADANMQswCQYDVQQDDAJDQTAg +Fw0yMjA2MTUxNDI0MDBaGA8yMTIyMDYxNjE0MjQwMFowGTEXMBUGA1UEAwwOc2Vy +dmVyLmV4YW1wbGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCo/4lY +YYWu3tssD9Vz++K3qBt6dWAr1H08c3a1rt6TL38kkG3JHPSKOM2fooAWVsu0LLuT +5Rcf/w3GQ/4xNPgo2HXpo7uIgu+jcuJTYgVFTeAxl++qnRDSWA2eBp4yuxsIVl1l +Dz9mjsI2oBH/wFk1/Ukc3RxCMwZ4rgQ4I+XndWfTlK1aqUAfrFkQ9QzBZK1KxMY1 +U7OWaoIbFYvRmavknm+UqtKW5Vf7jJFkijwkFsbSGb6CYBM7YrDtPh2zyvlr3zG5 +ep5LR2inKcc/SuIiJ7TvkGPX79ByST5brbkb1Ctvhmjd1XMSuEPJ3EEPoqNGT4tn +iIQPYf55NB9KiR+3AgMBAAGjbzBtMB0GA1UdDgQWBBTnm+IqrYpsOst2UeWOB5gi +l+FzojAfBgNVHSMEGDAWgBS0ETPx1+Je91OeICIQT4YGvx/JXjAJBgNVHRMEAjAA +MAsGA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDAzANBgkqhkiG9w0BAQsF +AAOCAQEAAIP8ClZRmnDKLnyPPizy2Cf9SS5pp+tYxp4WlRCbbsPyF97GTRDY64Uk +dyoD91h+PEj6UW5N8ZbDkpRL8k3wCd3a2jSJEQl//o/L4ZwdewTQxXtyyQrsh3Or +HdgPg3qQllkJqkB6dlLCv8TsUXCiRkYuzE8x3ul0DjAfAiczwoFnhe+gXLJw74Lz +PQm41X56AMgkv+yVGhfLgsN03Tppd25blExT35DDlsJx0OkZcZibU9dNA2ZFaT4X +fIS0GL+9Pb/nm8b4UCcJDcNBut/TQnDZR5DysgrXCh0dXBFH5XZCczetbw4pW87I +vIgtz2if2ZzhbxAfWRBCa7razHVNIQ== +-----END CERTIFICATE----- diff --git a/test/certs/ee-codesign-serverauth.pem b/test/certs/ee-codesign-serverauth.pem new file mode 100644 index 0000000000..c1aececd36 --- /dev/null +++ b/test/certs/ee-codesign-serverauth.pem @@ -0,0 +1,19 @@ +-----BEGIN CERTIFICATE----- +MIIDHzCCAgegAwIBAgIBAjANBgkqhkiG9w0BAQsFADANMQswCQYDVQQDDAJDQTAg +Fw0yMjA2MTUxNjA1NDFaGA8yMTIyMDYxNjE2MDU0MVowGTEXMBUGA1UEAwwOc2Vy +dmVyLmV4YW1wbGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCo/4lY +YYWu3tssD9Vz++K3qBt6dWAr1H08c3a1rt6TL38kkG3JHPSKOM2fooAWVsu0LLuT +5Rcf/w3GQ/4xNPgo2HXpo7uIgu+jcuJTYgVFTeAxl++qnRDSWA2eBp4yuxsIVl1l +Dz9mjsI2oBH/wFk1/Ukc3RxCMwZ4rgQ4I+XndWfTlK1aqUAfrFkQ9QzBZK1KxMY1 +U7OWaoIbFYvRmavknm+UqtKW5Vf7jJFkijwkFsbSGb6CYBM7YrDtPh2zyvlr3zG5 +ep5LR2inKcc/SuIiJ7TvkGPX79ByST5brbkb1Ctvhmjd1XMSuEPJ3EEPoqNGT4tn +iIQPYf55NB9KiR+3AgMBAAGjfDB6MB0GA1UdDgQWBBTnm+IqrYpsOst2UeWOB5gi +l+FzojAfBgNVHSMEGDAWgBS0ETPx1+Je91OeICIQT4YGvx/JXjAJBgNVHRMEAjAA +MA4GA1UdDwEB/wQEAwIHgDAdBgNVHSUEFjAUBggrBgEFBQcDAwYIKwYBBQUHAwEw +DQYJKoZIhvcNAQELBQADggEBACt152hE0idWgezHBdihPN9dm7fWysPt3WemRlEX +pK/g5OxfmkgfdazyKJi1I6ym5eEaCV9HFnPBtZYli50Paztwm26tEyh0ud/Bnybq +X83ejhqyb3GJUTW3fkucNkKRlRto8C6zKfohS7+iwdBkIsxcGCJGYROKYJOGUiSZ +thOnVnVqglSLa37iS6oJOK2CQ1AHP4GTcgVMBL7W1fSFvrVj0GsgnifnsLWkCfLL +qlK6WXdpiJnjfgYmKfetglLknhGa7TGb0HIULyJ8hF4iVw08KLSH+os5fINizKbt +NjNoFebf6p842zU9EH8tF/m+CkCPAHpGOsrc1+bf77jpmX4= +-----END CERTIFICATE----- diff --git a/test/certs/ee-codesign.pem b/test/certs/ee-codesign.pem new file mode 100644 index 0000000000..230126eb9e --- /dev/null +++ b/test/certs/ee-codesign.pem @@ -0,0 +1,19 @@ +-----BEGIN CERTIFICATE----- +MIIDFTCCAf2gAwIBAgIBAjANBgkqhkiG9w0BAQsFADANMQswCQYDVQQDDAJDQTAg +Fw0yMjA2MTUxNDIyMDZaGA8yMTIyMDYxNjE0MjIwNlowGTEXMBUGA1UEAwwOc2Vy +dmVyLmV4YW1wbGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCo/4lY +YYWu3tssD9Vz++K3qBt6dWAr1H08c3a1rt6TL38kkG3JHPSKOM2fooAWVsu0LLuT +5Rcf/w3GQ/4xNPgo2HXpo7uIgu+jcuJTYgVFTeAxl++qnRDSWA2eBp4yuxsIVl1l +Dz9mjsI2oBH/wFk1/Ukc3RxCMwZ4rgQ4I+XndWfTlK1aqUAfrFkQ9QzBZK1KxMY1 +U7OWaoIbFYvRmavknm+UqtKW5Vf7jJFkijwkFsbSGb6CYBM7YrDtPh2zyvlr3zG5 +ep5LR2inKcc/SuIiJ7TvkGPX79ByST5brbkb1Ctvhmjd1XMSuEPJ3EEPoqNGT4tn +iIQPYf55NB9KiR+3AgMBAAGjcjBwMB0GA1UdDgQWBBTnm+IqrYpsOst2UeWOB5gi +l+FzojAfBgNVHSMEGDAWgBS0ETPx1+Je91OeICIQT4YGvx/JXjAJBgNVHRMEAjAA +MA4GA1UdDwEB/wQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDAzANBgkqhkiG9w0B +AQsFAAOCAQEAcewR/upUpqoeTqgF/9c+kKBLee3hRBxWZciK0kkjb1y2jo+4yI9h +0pe4Dk8mOVhR/r5pbFnz/MKzWkNXI/TMmpZDru1bM7ELBhwNoRE/pMriNA/0dopB +7txO1DPkcEU0gsTOWbhUPlu1E87FsVzWQ1EmLy1GCwVf60AZmeQgo1nEopTZF5iq +HNv9nkr3OB4MZCqk6UhWlwvWRDZnQuEoFDgg+HnmFJxfXavS3/q4q/YAlgfLbtPp +AZDhOL2XxgSmkIDfQX5sO9BT594mvZS0u9dk2VwdLlaGGsaB4lxUcD1uekaI2ivO +3sSdH6Ucc1agUAlQQWjXoPTcSEkti4kJaQ== +-----END CERTIFICATE----- diff --git a/test/certs/mkcert.sh b/test/certs/mkcert.sh index c3f7ac14b5..88e8740037 100755 --- a/test/certs/mkcert.sh +++ b/test/certs/mkcert.sh @@ -233,12 +233,14 @@ geneealt() { genee() { local OPTIND=1 local purpose=serverAuth + local ku= - while getopts p: o + while getopts p:k: o do case $o in p) purpose="$OPTARG";; - *) echo "Usage: $0 genee [-p EKU] cn keyname certname cakeyname cacertname" >&2 + k) ku="keyUsage = $OPTARG";; + *) echo "Usage: $0 genee [-k KU] [-p EKU] cn keyname certname cakeyname cacertname" >&2 return 1;; esac done @@ -254,6 +256,7 @@ genee() { "subjectKeyIdentifier = hash" \ "authorityKeyIdentifier = keyid, issuer" \ "basicConstraints = CA:false" \ + "$ku" \ "extendedKeyUsage = $purpose" \ "subjectAltName = @alts" "DNS=${cn}") csr=$(req "$key" "CN = $cn") || return 1 diff --git a/test/certs/setup.sh b/test/certs/setup.sh index 64cff0293b..8bdb1c5efb 100755 --- a/test/certs/setup.sh +++ b/test/certs/setup.sh @@ -185,6 +185,14 @@ openssl x509 -in ee-client.pem -trustout \ ./mkcert.sh genee -p timeStamping server.example ee-key ee-timestampsign-rfc3161-noncritxku ca-key ca-cert ./mkcert.sh genee -p critical,timeStamping -k digitalSignature server.example ee-key ee-timestampsign-rfc3161-digsig ca-key ca-cert +# code signing certificate +./mkcert.sh genee -p codeSigning -k critical,digitalSignature server.example ee-key ee-codesign ca-key ca-cert +./mkcert.sh genee -p codeSigning,serverAuth -k critical,digitalSignature server.example ee-key ee-codesign-serverauth ca-key ca-cert +./mkcert.sh genee -p codeSigning,2.5.29.37.0 -k critical,digitalSignature server.example ee-key ee-codesign-anyextkeyusage ca-key ca-cert +./mkcert.sh genee -p codeSigning -k critical,digitalSignature,cRLSign server.example ee-key ee-codesign-crlsign ca-key ca-cert +./mkcert.sh genee -p codeSigning -k critical,digitalSignature,keyCertSign server.example ee-key ee-codesign-keycertsign ca-key ca-cert +./mkcert.sh genee -p codeSigning -k digitalSignature server.example ee-key ee-codesign-noncritical ca-key ca-cert + # Leaf cert security level variants # MD5 issuer signature OPENSSL_SIGALG=md5 \ diff --git a/test/recipes/25-test_verify.t b/test/recipes/25-test_verify.t index 25daf32e39..d6d25759b5 100644 --- a/test/recipes/25-test_verify.t +++ b/test/recipes/25-test_verify.t @@ -29,7 +29,7 @@ sub verify { run(app([@args])); } -plan tests => 172; +plan tests => 182; # Canonical success ok(verify("ee-cert", "sslserver", ["root-cert"], ["ca-cert"]), @@ -262,6 +262,28 @@ ok(!verify("ee-timestampsign-rfc3161-noncritxku", "timestampsign", [qw(root-cert ok(verify("ee-timestampsign-rfc3161-digsig", "timestampsign", [qw(root-cert)], [qw(ca-cert)]), "accept timestampsign according to RFC 3161 with digitalSignature"); +# EE variants wrt code signing +ok(verify("ee-codesign", "codesign", [qw(root-cert)], [qw(ca-cert)]), + "accept codesign"); +ok(!verify("ee-codesign-serverauth", "codesign", [qw(root-cert)], [qw(ca-cert)]), + "fail codesign with additional serverAuth"); +ok(!verify("ee-codesign-anyextkeyusage", "codesign", [qw(root-cert)], [qw(ca-cert)]), + "fail codesign with additional anyExtendedKeyUsage"); +ok(!verify("ee-codesign-crlsign", "codesign", [qw(root-cert)], [qw(ca-cert)]), + "fail codesign with additional cRLSign"); +ok(!verify("ee-codesign-keycertsign", "codesign", [qw(root-cert)], [qw(ca-cert)]), + "fail codesign with additional keyCertSign"); +ok(!verify("ee-codesign-noncritical", "codesign", [qw(root-cert)], [qw(ca-cert)]), + "fail codesign without critical KU"); +ok(!verify("ee-cert", "codesign", [qw(root-cert)], [qw(ca-cert)]), + "fail sslserver as code sign"); +ok(!verify("ee-client", "codesign", [qw(root-cert)], [qw(ca-cert)]), + "fail sslclient as codesign"); +ok(!verify("ee-timestampsign-CABforum", "codesign", [qw(root-cert)], [qw(ca-cert)]), + "fail timestampsign according to CAB forum as codesign"); +ok(!verify("ee-timestampsign-rfc3161", "codesign", [qw(root-cert)], [qw(ca-cert)]), + "fail timestampsign according to RFC 3161 as codesign"); + # Proxy certificates ok(!verify("pc1-cert", "sslclient", [qw(root-cert)], [qw(ee-client ca-cert)]), "fail to accept proxy cert without -allow_proxy_certs"); |