authorDr. David von Oheimb <David.von.Oheimb@siemens.com>2022-09-24 23:59:12 +0200
committerDr. David von Oheimb <dev@ddvo.net>2023-01-24 15:16:47 +0100
commit342e3652c791bdb06e08abcc169b4456c83ccd00 (patch)
tree87190b58432cd73cc8dd1d4bfd9dfd027f2f236f /test
parent66fc90f18c44cdac0126c35ffedb99ba7a8b9825 (diff)
APPS: generated certs bear X.509 V3, unless -x509v1 option of req app is given
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Hugo Landau <hlandau@openssl.org> Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com> (Merged from https://github.com/openssl/openssl/pull/19271)
Diffstat (limited to 'test')
-rw-r--r--test/ca-and-certs.cnf2
-rw-r--r--test/recipes/25-test_req.t29
-rw-r--r--test/recipes/25-test_x509.t7
-rw-r--r--test/recipes/80-test_ca.t29
-rw-r--r--test/recipes/90-test_store.t2
-rw-r--r--test/recipes/tconversion.pl18
6 files changed, 66 insertions, 21 deletions
diff --git a/test/ca-and-certs.cnf b/test/ca-and-certs.cnf
index 463b49954c..58ca0eda64 100644
--- a/test/ca-and-certs.cnf
+++ b/test/ca-and-certs.cnf
@@ -31,6 +31,8 @@ organizationName = Dodgy Brothers
0.commonName = Brother 1
1.commonName = $ENV::CN2
+[ empty ]
+
[ v3_ee ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
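Review bot: The new `[ empty ]` section has no comment saying why an extension section with no entries exists, so a later config cleanup could easily drop it as dead. From the 80-test_ca.t hunk in this same commit it appears to be selected with `-extensions empty` so the test can observe which extensions the ca app adds on its own when none are configured. A one-line comment above the header would pin that down, e.g. `# intentionally empty: selected via -extensions to test the extensions added by default`.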
diff --git a/test/recipes/25-test_req.t b/test/recipes/25-test_req.t
index a11fe36a58..1487fa70be 100644
--- a/test/recipes/25-test_req.t
+++ b/test/recipes/25-test_req.t
@@ -15,7 +15,7 @@ use OpenSSL::Test qw/:DEFAULT srctop_file/;
setup("test_req");
-plan tests => 92;
+plan tests => 102;
require_ok(srctop_file('test', 'recipes', 'tconversion.pl'));
@@ -393,16 +393,7 @@ sub generate_cert {
push(@cmd, ("-CA", $ca_cert, "-CAkey", $ca_key)) unless $ss;
ok(run(app([@cmd])), "generate $cert");
}
-sub has_SKID {
- my $cert = shift @_;
- my $expect = shift @_;
- cert_contains($cert, "Subject Key Identifier", $expect);
-}
-sub has_AKID {
- my $cert = shift @_;
- my $expect = shift @_;
- cert_contains($cert, "Authority Key Identifier", $expect);
-}
+
sub has_keyUsage {
my $cert = shift @_;
my $expect = shift @_;
@@ -424,6 +415,12 @@ my $SKID_AKID = "subjectKeyIdentifier,authorityKeyIdentifier";
# # SKID
+my $cert = "self-signed_default_SKID_no_explicit_exts.pem";
+generate_cert($cert);
+has_version($cert, 3);
+has_SKID($cert, 1); # SKID added, though no explicit extensions given
+has_AKID($cert, 0);
+
my $cert = "self-signed_v3_CA_hash_SKID.pem";
generate_cert($cert, @v3_ca, "-addext", "subjectKeyIdentifier = hash");
has_SKID($cert, 1); # explicit hash SKID
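Review bot: The added `my $cert = "self-signed_default_SKID_no_explicit_exts.pem";` is followed a few lines later by the pre-existing `my $cert = "self-signed_v3_CA_hash_SKID.pem";`, which now redeclares the same lexical in what looks like the same file scope and will raise the `"my" variable $cert masks earlier declaration in same scope` warning under `use warnings`. The later cases in this file already reuse `$cert` by plain assignment, so the second declaration should do the same: `$cert = "self-signed_v3_CA_hash_SKID.pem";`. The other new `$cert` blocks visible in this diff use plain assignment and are fine.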
@@ -441,7 +438,8 @@ strict_verify($cert, 1);
# AKID of self-signed certs
$cert = "self-signed_v1_CA_no_KIDs.pem";
-generate_cert($cert);
+generate_cert($cert, "-x509v1");
+has_version($cert, 1);
cert_ext_has_n_different_lines($cert, 0, $SKID_AKID); # no SKID and no AKID
#TODO strict_verify($cert, 1); # self-signed v1 root cert should be accepted as CA
@@ -515,6 +513,8 @@ strict_verify($cert, 1);
$cert = "self-issued_v3_CA_no_AKID.pem";
generate_cert($cert, "-addext", "authorityKeyIdentifier = none",
"-in", srctop_file(@certs, "x509-check.csr"));
+has_version($cert, 3);
+has_SKID($cert, 1); # SKID added, though no explicit extensions given
has_AKID($cert, 0);
strict_verify($cert, 1);
@@ -556,6 +556,11 @@ cert_ext_has_n_different_lines($cert, 6, $SKID_AKID); # SKID != AKID, both force
# AKID of not self-issued certs
+$cert = "regular_v3_EE_default_KIDs_no_other_exts.pem";
+generate_cert($cert, "-key", srctop_file(@certs, "ee-key.pem"));
+has_version($cert, 3);
+cert_ext_has_n_different_lines($cert, 4, $SKID_AKID); # SKID != AKID
+
$cert = "regular_v3_EE_default_KIDs.pem";
generate_cert($cert, "-addext", "keyUsage = dataEncipherment",
"-key", srctop_file(@certs, "ee-key.pem"));
diff --git a/test/recipes/25-test_x509.t b/test/recipes/25-test_x509.t
index 0d4fc548cc..c843d3870a 100644
--- a/test/recipes/25-test_x509.t
+++ b/test/recipes/25-test_x509.t
@@ -16,7 +16,7 @@ use OpenSSL::Test qw/:DEFAULT srctop_file/;
setup("test_x509");
-plan tests => 29;
+plan tests => 32;
# Prevent MSys2 filename munging for arguments that look like file paths but
# aren't
@@ -202,6 +202,11 @@ ok(run(app(["openssl", "x509", "-req", "-text", "-CAcreateserial",
# Verify issuer is CA
ok(get_issuer($b_cert) =~ /CN=ca.example.com/);
+# although no explicit extensions given:
+has_version($b_cert, 3);
+has_SKID($b_cert, 1);
+has_AKID($b_cert, 1);
+
SKIP: {
skip "EC is not supported by this OpenSSL build", 1
if disabled("ec");
diff --git a/test/recipes/80-test_ca.t b/test/recipes/80-test_ca.t
index eb025f4d59..6a7a74b7e7 100644
--- a/test/recipes/80-test_ca.t
+++ b/test/recipes/80-test_ca.t
@@ -25,18 +25,25 @@ my $std_openssl_cnf = '"'
. srctop_file("apps", $^O eq "VMS" ? "openssl-vms.cnf" : "openssl.cnf")
. '"';
+sub src_file {
+ return srctop_file("test", "certs", shift);
+}
+
rmtree("demoCA", { safe => 0 });
-plan tests => 15;
+plan tests => 20;
+
+require_ok(srctop_file("test", "recipes", "tconversion.pl"));
+
SKIP: {
- my $cakey = srctop_file("test", "certs", "ca-key.pem");
+ my $cakey = src_file("ca-key.pem");
$ENV{OPENSSL_CONFIG} = qq(-config "$cnf");
skip "failed creating CA structure", 4
if !ok(run(perlapp(["CA.pl","-newca",
"-extra-req", "-key $cakey"], stdin => undef)),
'creating CA structure');
- my $eekey = srctop_file("test", "certs", "ee-key.pem");
+ my $eekey = src_file("ee-key.pem");
$ENV{OPENSSL_CONFIG} = qq(-config "$cnf");
skip "failed creating new certificate request", 3
if !ok(run(perlapp(["CA.pl","-newreq",
@@ -53,7 +60,7 @@ plan tests => 15;
skip "CT not configured, can't use -precert", 1
if disabled("ct");
- my $eekey2 = srctop_file("test", "certs", "ee-key-3072.pem");
+ my $eekey2 = src_file("ee-key-3072.pem");
$ENV{OPENSSL_CONFIG} = qq(-config "$cnf");
ok(run(perlapp(["CA.pl", "-precert", '-extra-req', "-section userreq -key $eekey2"], stderr => undef)),
'creating new pre-certificate');
@@ -65,17 +72,25 @@ SKIP: {
is(yes(cmdstr(app(["openssl", "ca", "-config",
$cnf,
- "-in", srctop_file("test", "certs", "sm2-csr.pem"),
+ "-in", src_file("sm2-csr.pem"),
"-out", "sm2-test.crt",
"-sigopt", "distid:1234567812345678",
"-vfyopt", "distid:1234567812345678",
"-md", "sm3",
- "-cert", srctop_file("test", "certs", "sm2-root.crt"),
- "-keyfile", srctop_file("test", "certs", "sm2-root.key")]))),
+ "-cert", src_file("sm2-root.crt"),
+ "-keyfile", src_file("sm2-root.key")]))),
0,
"Signing SM2 certificate request");
}
+my $v3_cert = "v3-test.crt";
+ok(run(app(["openssl", "ca", "-batch", "-config", $cnf, "-extensions", "empty",
+ "-in", src_file("x509-check.csr"), "-out", $v3_cert])));
+# although no explicit extensions given:
+has_version($v3_cert, 3);
+has_SKID($v3_cert, 1);
+has_AKID($v3_cert, 1);
+
test_revoke('notimes', {
should_succeed => 1,
});
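Review bot: The new `ok(run(app(["openssl", "ca", "-batch", ...])))` is the only test in this file without a description, so a failure will be reported by number only while its neighbours say e.g. 'creating CA structure'; give it a name such as `ok(run(app([...])), "issuing certificate with empty extension section");`. This invocation also runs outside the `SKIP:` block in which `CA.pl -newca` sets up the CA structure, so if that step was skipped this test and the three `has_*` checks after it will fail rather than skip — consider moving them inside the block or guarding on the CA having been created. The `has_*` helpers come from tconversion.pl, which the earlier hunk now loads with `require_ok`, so that dependency is covered.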
diff --git a/test/recipes/90-test_store.t b/test/recipes/90-test_store.t
index 12a8a32d98..3af8178e89 100644
--- a/test/recipes/90-test_store.t
+++ b/test/recipes/90-test_store.t
@@ -402,7 +402,7 @@ sub init {
}, grep(/-key-pkcs8-pbes2-sha256\.pem$/, @generated_files))
# *-cert.pem (intermediary for the .p12 inits)
&& run(app(["openssl", "req", "-x509", @std_args,
- "-config", $cnf, "-noenc",
+ "-config", $cnf, "-reqexts", "v3_ca", "-noenc",
"-key", $cakey, "-out", "cacert.pem"]))
&& runall(sub {
my $srckey = shift;
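Review bot: The added `-reqexts v3_ca` carries no comment saying why the intermediary cacert.pem now needs an explicitly selected extension section, so the next reader has to rediscover what fails without it; a short note such as `# select v3_ca explicitly so cacert.pem carries CA extensions rather than only the req app's defaults` would record the intent (assuming that is the reason — whoever saw the failure should word it). Since this `req` invocation uses `-x509`, `-extensions v3_ca` reads as the certificate-extension section whereas `-reqexts` reads as request extensions; if the two options are synonyms in this tree this is only a naming point, otherwise it is worth confirming the section is actually applied to the certificate. The enclosing `init` sub starts and ends outside the hunk.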
diff --git a/test/recipes/tconversion.pl b/test/recipes/tconversion.pl
index 063be620a3..222ef1ac13 100644
--- a/test/recipes/tconversion.pl
+++ b/test/recipes/tconversion.pl
@@ -132,6 +132,24 @@ sub cert_contains {
# not unlinking $out
}
+sub has_version {
+ my $cert = shift @_;
+ my $expect = shift @_;
+ cert_contains($cert, "Version: $expect", 1);
+}
+
+sub has_SKID {
+ my $cert = shift @_;
+ my $expect = shift @_;
+ cert_contains($cert, "Subject Key Identifier", $expect);
+}
+
+sub has_AKID {
+ my $cert = shift @_;
+ my $expect = shift @_;
+ cert_contains($cert, "Authority Key Identifier", $expect);
+}
+
sub uniq (@) {
my %seen = ();
grep { not $seen{$_}++ } @_;
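Review bot: The three new helpers unpack their arguments with two separate `shift @_` statements; naming the parameters on one line is the usual idiom and reads better: `my ($cert, $expect) = @_;`. None of them documents its contract — `has_SKID`/`has_AKID` pass `$expect` straight through as the third argument of `cert_contains` (presumably an expected match count or flag), whereas `has_version` folds the expected value into the search string `"Version: $expect"` and always passes 1 — so a one-line comment on each, e.g. `# check that the dump of $cert contains "Version: $expect" (presumably the -text output)`, would save readers a trip to cert_contains. Since `has_version` is a substring match, a comment noting that `"Version: 1"` cannot be satisfied by a v3 certificate's `Version: 3` line would make the negative case explicit. The helpers also have no explicit `return`, which is fine if callers only rely on the test assertion inside cert_contains, but worth stating.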