25-test_req.t: Add systematic SKID+AKID tests for self-issued (incl. self-signed) certs
Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> (Merged from https://github.com/openssl/openssl/pull/16342)
parent
adbd77f6d7
commit
00cf3a2d30
@ -1,18 +1,9 @@
|
||||
-----BEGIN CERTIFICATE REQUEST-----
|
||||
MIICzTCCAbcCAQAwVDELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUx
|
||||
ITAfBgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDENMAsGA1UEAwwEdGVz
|
||||
dDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJadpD0ASxxfxsvdj9Ix
|
||||
sogVzMSGLFziaYuE9KejU9+R479RifvwfBANO62sNWJ19X//9G5UjwWmkiOzn1k5
|
||||
0DkYsBBA3mJzik6wjt/c58lBIlSEgAgpvDU8ht8w3t20JP9+YqXAeugqFj/Wl9rF
|
||||
QtsvaWSRywjXVlp5fxuEQelNnXcJEKhsKTNExsBUZebo4/J1BWpklWzA9P0lYW5I
|
||||
NvDAAwcF1nzlEf0Y6Eot03IMNyg2MTE4hehxjdgCSci8GYnFirE/ojXqqpAcZGh7
|
||||
r2dqWgZUD1Dh+bT2vjrUzj8eTH3GdzI+oljt29102JIUaqj3yzRYkah8FLF9CLNN
|
||||
sUcCAwEAAaA2MBYGCSqGSIb3DQEJAjEJDAdDb21wYW55MBwGCSqGSIb3DQEJDjEP
|
||||
MA0wCwYDVR0PBAQDAgeAMAsGCSqGSIb3DQEBCwOCAQEAYd4B+FkWRuVVDPYfrN8P
|
||||
UdZbLTggUGrpdhRibnoAsLNQ3cCS90OsCq5FLD6TVUCNb1gnp15Jp1WChQSyD3zC
|
||||
jb8VgivDeDOuk08Zy2Fl2+QvuwyQ9hKTAOTdAmP/bapAi7zniElSTP6BZ8vyEtuP
|
||||
FCEWJ5UjhvUYbZOG5WIHxhT+24CtYH3iHNir4OlDbsYrUBKEmQZIDj6WC01UT+4U
|
||||
/up2xKq1Y+rOUv2Xy3K9O/U1W/3AF7IvcDyd7+qQTGD8U2X3efzZYOffhTN+9Rvn
|
||||
5t82CnHLjFn4Co43RBiOcbjSDbvtaghtDiYB2tSUuqafHiuAJKx6zAm0Y2FR8X+z
|
||||
gg==
|
||||
MIIBJzCBsgIBADAPMQ0wCwYDVQQDDAR0ZXN0MHwwDQYJKoZIhvcNAQEBBQADawAw
|
||||
aAJhALntqSk2YVnhNalAikA2tuSOvHUKVSJlqjKmzlUPI+gQFyBWxtyQdwepI87t
|
||||
l8EW1in2IiOeN49W+OtVOlBiMxwqi/BcBltTbbSrlRpoSKOH6V7zIXvfsqjwWsDi
|
||||
37V1xQIDAQABoB4wHAYJKoZIhvcNAQkOMQ8wDTALBgNVHQ8EBAMCB4AwDQYJKoZI
|
||||
hvcNAQELBQADYQCu+Qad0pgxIY8PUo6pvg8nNruEyrk/0/weL+sPZxEv0hSrIaGo
|
||||
ZaVGcPGi67oidiUyM2eMwDUUz3UmPA4oHNGRCddnTMISDxynLEM55CUECLFxXhP+
|
||||
8dJsKuJ9jbdasn4=
|
||||
-----END CERTIFICATE REQUEST-----
|
||||
|
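Review bot: The replacement request carries a 768-bit RSA key — the SubjectPublicKeyInfo at the start of the new block decodes to a 97-byte modulus INTEGER (`02 61 00 b9 …`), down from the 2048-bit key (`02 82 01 01`) in the removed request. That is below the 1024-bit floor of OpenSSL security level 1, so any verification of a certificate issued from this CSR at an auth level of 1 or higher will reject the key instead of exercising the SKID/AKID behaviour under test; the file's path is not visible here, so whether the `strict_verify` calls in the test hunk consume it is inferred. If the small key is a deliberate speed choice, state it in the fixture itself — text before the `-----BEGIN` line is ignored by the PEM reader — e.g. `test fixture: intentionally weak 768-bit RSA key, do not verify at auth level >= 1`, so a later tightening of the default level does not break the tests silently.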
@ -15,7 +15,7 @@ use OpenSSL::Test qw/:DEFAULT srctop_file/;
|
||||
|
||||
setup("test_req");
|
||||
|
||||
plan tests => 43;
|
||||
plan tests => 91;
|
||||
|
||||
require_ok(srctop_file('test', 'recipes', 'tconversion.pl'));
|
||||
|
||||
@ -37,7 +37,7 @@ $ENV{MSYS2_ARG_CONV_EXCL} = "/CN=";
|
||||
|
||||
# Check for duplicate -addext parameters, and one "working" case.
|
||||
my @addext_args = ( "openssl", "req", "-new", "-out", "testreq.pem",
|
||||
"-key", srctop_file("test", "certs", "ee-key.pem"),
|
||||
"-key", srctop_file(@certs, "ee-key.pem"),
|
||||
"-config", srctop_file("test", "test.cnf"), @req_new );
|
||||
my $val = "subjectAltName=DNS:example.com";
|
||||
my $val2 = " " . $val;
|
||||
@ -298,7 +298,7 @@ subtest "generating certificate requests" => sub {
|
||||
plan tests => 2;
|
||||
|
||||
ok(run(app(["openssl", "req", "-config", srctop_file("test", "test.cnf"),
|
||||
"-key", srctop_file("test", "certs", "ee-key.pem"),
|
||||
"-key", srctop_file(@certs, "ee-key.pem"),
|
||||
@req_new, "-out", "testreq.pem"])),
|
||||
"Generating request");
|
||||
|
||||
@ -415,36 +415,150 @@ sub strict_verify {
|
||||
my @v3_ca = ("-addext", "basicConstraints = critical,CA:true",
|
||||
"-addext", "keyUsage = keyCertSign");
|
||||
my $SKID_AKID = "subjectKeyIdentifier,authorityKeyIdentifier";
|
||||
my $cert = "self-signed_v1_CA_no_KIDs.pem";
|
||||
generate_cert($cert);
|
||||
cert_ext_has_n_different_lines($cert, 0, $SKID_AKID); # no SKID and no AKID
|
||||
#TODO strict_verify($cert, 1); # self-signed v1 root cert should be accepted as CA
|
||||
|
||||
$ca_cert = "self-signed_v3_CA_default_SKID.pem";
|
||||
generate_cert($ca_cert, @v3_ca);
|
||||
has_SKID($ca_cert, 1);
|
||||
has_AKID($ca_cert, 0);
|
||||
strict_verify($ca_cert, 1);
|
||||
# # SKID
|
||||
|
||||
my $cert = "self-signed_v3_CA_hash_SKID.pem";
|
||||
generate_cert($cert, @v3_ca, "-addext", "subjectKeyIdentifier = hash");
|
||||
has_SKID($cert, 1); # explicit hash SKID
|
||||
|
||||
$cert = "self-signed_v3_CA_no_SKID.pem";
|
||||
generate_cert($cert, @v3_ca, "-addext", "subjectKeyIdentifier = none");
|
||||
cert_ext_has_n_different_lines($cert, 0, $SKID_AKID); # no SKID and no AKID
|
||||
#TODO strict_verify($cert, 0);
|
||||
|
||||
$cert = "self-signed_v3_CA_both_KIDs.pem";
|
||||
generate_cert($cert, @v3_ca, "-addext", "subjectKeyIdentifier = hash",
|
||||
"-addext", "authorityKeyIdentifier = keyid:always");
|
||||
cert_ext_has_n_different_lines($cert, 3, $SKID_AKID); # SKID == AKID
|
||||
$cert = "self-signed_v3_CA_given_SKID.pem";
|
||||
generate_cert($cert, @v3_ca, "-addext", "subjectKeyIdentifier = 45");
|
||||
cert_contains($cert, "Subject Key Identifier: 45 ", 1); # given SKID
|
||||
strict_verify($cert, 1);
|
||||
|
||||
# AKID of self-signed certs
|
||||
|
||||
$cert = "self-signed_v1_CA_no_KIDs.pem";
|
||||
generate_cert($cert);
|
||||
cert_ext_has_n_different_lines($cert, 0, $SKID_AKID); # no SKID and no AKID
|
||||
#TODO strict_verify($cert, 1); # self-signed v1 root cert should be accepted as CA
|
||||
|
||||
$ca_cert = "self-signed_v3_CA_default_SKID.pem"; # will also be used below
|
||||
generate_cert($ca_cert, @v3_ca);
|
||||
has_SKID($ca_cert, 1); # default SKID
|
||||
has_AKID($ca_cert, 0); # no default AKID
|
||||
strict_verify($ca_cert, 1);
|
||||
|
||||
$cert = "self-signed_v3_CA_no_AKID.pem";
|
||||
generate_cert($cert, @v3_ca, "-addext", "authorityKeyIdentifier = none");
|
||||
has_AKID($cert, 0); # forced no AKID
|
||||
|
||||
$cert = "self-signed_v3_CA_explicit_AKID.pem";
|
||||
generate_cert($cert, @v3_ca, "-addext", "authorityKeyIdentifier = keyid");
|
||||
has_AKID($cert, 0); # for self-signed cert, AKID suppressed and not forced
|
||||
|
||||
$cert = "self-signed_v3_CA_forced_AKID.pem";
|
||||
generate_cert($cert, @v3_ca, "-addext", "authorityKeyIdentifier = keyid:always");
|
||||
cert_ext_has_n_different_lines($cert, 3, $SKID_AKID); # forced AKID, AKID == SKID
|
||||
strict_verify($cert, 1);
|
||||
|
||||
$cert = "self-signed_v3_CA_issuer_AKID.pem";
|
||||
generate_cert($cert, @v3_ca, "-addext", "authorityKeyIdentifier = issuer");
|
||||
has_AKID($cert, 0); # suppressed AKID since not forced
|
||||
|
||||
$cert = "self-signed_v3_CA_forced_issuer_AKID.pem";
|
||||
generate_cert($cert, @v3_ca, "-addext", "authorityKeyIdentifier = issuer:always");
|
||||
cert_contains($cert, "Authority Key Identifier: DirName:/CN=CA serial:", 1); # forced issuer AKID
|
||||
|
||||
$cert = "self-signed_v3_CA_nonforced_keyid_issuer_AKID.pem";
|
||||
generate_cert($cert, @v3_ca, "-addext", "authorityKeyIdentifier = keyid, issuer");
|
||||
has_AKID($cert, 0); # AKID not present because not forced and cert self-signed
|
||||
|
||||
$cert = "self-signed_v3_CA_keyid_forced_issuer_AKID.pem";
|
||||
generate_cert($cert, @v3_ca, "-addext", "authorityKeyIdentifier = keyid, issuer:always");
|
||||
cert_contains($cert, "Authority Key Identifier: DirName:/CN=CA serial:", 1); # issuer AKID forced, with keyid not forced
|
||||
|
||||
$cert = "self-signed_v3_CA_forced_keyid_issuer_AKID.pem";
|
||||
generate_cert($cert, @v3_ca, "-addext", "authorityKeyIdentifier = keyid:always, issuer");
|
||||
has_AKID($cert, 1); # AKID with keyid forced
|
||||
cert_contains($cert, "Authority Key Identifier: DirName:/CN=CA serial:", 0); # no issuer AKID
|
||||
|
||||
$cert = "self-signed_v3_CA_forced_keyid_forced_issuer_AKID.pem";
|
||||
generate_cert($cert, @v3_ca, "-addext", "authorityKeyIdentifier = keyid:always, issuer:always");
|
||||
cert_contains($cert, "Authority Key Identifier: keyid(:[0-9A-Fa-f]{2})+ DirName:/CN=CA serial:", 1); # AKID with keyid and issuer forced
|
||||
|
||||
$cert = "self-signed_v3_EE_wrong_keyUsage.pem";
|
||||
generate_cert($cert, "-addext", "keyUsage = keyCertSign");
|
||||
#TODO strict_verify($cert, 1); # should be accepted because RFC 5280 does not apply
|
||||
|
||||
$cert = "v3_EE_default_KIDs.pem";
|
||||
# AKID of self-issued but not self-signed certs
|
||||
|
||||
$cert = "self-issued_x509_v3_CA_default_KIDs.pem";
|
||||
ok(run(app([("openssl", "x509", "-copy_extensions", "copy",
|
||||
"-req", "-in", srctop_file(@certs, "ext-check.csr"),
|
||||
"-key", srctop_file(@certs, "ca-key.pem"),
|
||||
"-force_pubkey", srctop_file("test", "testrsapub.pem"),
|
||||
"-out", $cert)])), "generate using x509: $cert");
|
||||
cert_contains($cert, "Issuer: CN=test .*? Subject: CN=test", 1);
|
||||
cert_ext_has_n_different_lines($cert, 4, $SKID_AKID); # SKID != AKID
|
||||
strict_verify($cert, 1);
|
||||
|
||||
$cert = "self-issued_v3_CA_default_KIDs.pem";
|
||||
generate_cert($cert, "-addext", "keyUsage = dataEncipherment",
|
||||
"-in", srctop_file(@certs, "x509-check.csr"));
|
||||
cert_contains($cert, "Issuer: CN=CA .*? Subject: CN=CA", 1);
|
||||
cert_ext_has_n_different_lines($cert, 4, $SKID_AKID); # SKID != AKID
|
||||
strict_verify($cert, 1);
|
||||
|
||||
$cert = "self-issued_v3_CA_no_AKID.pem";
|
||||
generate_cert($cert, "-addext", "authorityKeyIdentifier = none",
|
||||
"-in", srctop_file(@certs, "x509-check.csr"));
|
||||
has_AKID($cert, 0);
|
||||
strict_verify($cert, 1);
|
||||
|
||||
$cert = "self-issued_v3_CA_explicit_AKID.pem";
|
||||
generate_cert($cert, "-addext", "authorityKeyIdentifier = keyid",
|
||||
"-in", srctop_file(@certs, "x509-check.csr"));
|
||||
cert_ext_has_n_different_lines($cert, 4, $SKID_AKID); # SKID != AKID
|
||||
strict_verify($cert, 1);
|
||||
|
||||
$cert = "self-issued_v3_CA_forced_AKID.pem";
|
||||
generate_cert($cert, "-addext", "authorityKeyIdentifier = keyid:always",
|
||||
"-in", srctop_file(@certs, "x509-check.csr"));
|
||||
cert_ext_has_n_different_lines($cert, 4, $SKID_AKID); # SKID != AKID
|
||||
|
||||
$cert = "self-issued_v3_CA_issuer_AKID.pem";
|
||||
generate_cert($cert, @v3_ca, "-addext", "authorityKeyIdentifier = issuer",
|
||||
"-in", srctop_file(@certs, "x509-check.csr"));
|
||||
cert_contains($cert, "Authority Key Identifier: DirName:/CN=CA serial:", 1); # just issuer AKID
|
||||
|
||||
$cert = "self-issued_v3_CA_forced_issuer_AKID.pem";
|
||||
generate_cert($cert, @v3_ca, "-addext", "authorityKeyIdentifier = issuer:always",
|
||||
"-in", srctop_file(@certs, "x509-check.csr"));
|
||||
cert_contains($cert, "Authority Key Identifier: DirName:/CN=CA serial:", 1); # just issuer AKID
|
||||
|
||||
$cert = "self-issued_v3_CA_keyid_issuer_AKID.pem";
|
||||
generate_cert($cert, "-addext", "authorityKeyIdentifier = keyid, issuer",
|
||||
"-in", srctop_file(@certs, "x509-check.csr"));
|
||||
cert_ext_has_n_different_lines($cert, 4, $SKID_AKID); # SKID != AKID, not forced
|
||||
|
||||
$cert = "self-issued_v3_CA_keyid_forced_issuer_AKID.pem";
|
||||
generate_cert($cert, "-addext", "authorityKeyIdentifier = keyid, issuer:always",
|
||||
"-in", srctop_file(@certs, "x509-check.csr"));
|
||||
cert_ext_has_n_different_lines($cert, 6, $SKID_AKID); # SKID != AKID, with forced issuer
|
||||
|
||||
$cert = "self-issued_v3_CA_forced_keyid_and_issuer_AKID.pem";
|
||||
generate_cert($cert, "-addext", "authorityKeyIdentifier = keyid:always, issuer:always",
|
||||
"-in", srctop_file(@certs, "x509-check.csr"));
|
||||
cert_ext_has_n_different_lines($cert, 6, $SKID_AKID); # SKID != AKID, both forced
|
||||
|
||||
# AKID of not self-issued certs
|
||||
|
||||
$cert = "regular_v3_EE_default_KIDs.pem";
|
||||
generate_cert($cert, "-addext", "keyUsage = dataEncipherment");
|
||||
cert_ext_has_n_different_lines($cert, 4, $SKID_AKID); # SKID != AKID
|
||||
strict_verify($cert, 1, $ca_cert);
|
||||
$cert = "regular_v3_EE_copied_exts_default_KIDs.pem";
|
||||
generate_cert($cert, "-copy_extensions", "copy",
|
||||
"-in", srctop_file(@certs, "ext-check.csr"));
|
||||
cert_ext_has_n_different_lines($cert, 4, $SKID_AKID); # SKID != AKID
|
||||
strict_verify($cert, 1);
|
||||
|
||||
$cert = "v3_EE_no_AKID.pem";
|
||||
generate_cert($cert, "-addext", "authorityKeyIdentifier = none");
|
||||
@ -452,16 +566,13 @@ has_SKID($cert, 1);
|
||||
has_AKID($cert, 0);
|
||||
strict_verify($cert, 0, $ca_cert);
|
||||
|
||||
$cert = "self-issued_v3_EE_default_KIDs.pem";
|
||||
generate_cert($cert, "-addext", "keyUsage = dataEncipherment",
|
||||
"-in", srctop_file(@certs, "x509-check.csr"));
|
||||
cert_ext_has_n_different_lines($cert, 4, $SKID_AKID); # SKID != AKID
|
||||
strict_verify($cert, 1);
|
||||
|
||||
my $cert = "self-signed_CA_no_keyUsage.pem";
|
||||
# Key Usage
|
||||
|
||||
$cert = "self-signed_CA_no_keyUsage.pem";
|
||||
generate_cert($cert, "-in", srctop_file(@certs, "ext-check.csr"));
|
||||
has_keyUsage($cert, 0);
|
||||
my $cert = "self-signed_CA_with_keyUsages.pem";
|
||||
$cert = "self-signed_CA_with_keyUsages.pem";
|
||||
generate_cert($cert, "-in", srctop_file(@certs, "ext-check.csr"),
|
||||
"-copy_extensions", "copy");
|
||||
has_keyUsage($cert, 1);
|
||||
|
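Review bot: `has_AKID($cert, 1)` for `self-signed_v3_CA_forced_keyid_issuer_AKID.pem` only proves an AKID is present, not that its keyid equals the certificate's own SKID, whereas the parallel `keyid:always` case a few lines earlier asserts `cert_ext_has_n_different_lines($cert, 3, $SKID_AKID)`; since the keyid is what chain building matches against the SKID, the weaker check would not catch an AKID derived from the wrong key. Replace it with `cert_ext_has_n_different_lines($cert, 3, $SKID_AKID); # forced keyid AKID == SKID, non-forced issuer part suppressed` and keep the following negative `DirName` check. Separately, none of the `self-issued_v3_CA_*_AKID.pem` variants after `self-issued_v3_CA_explicit_AKID.pem` are passed to `strict_verify`, unlike the self-signed `forced_AKID` case, so whether a self-issued cert whose AKID is only a DirName/serial, or whose keyid differs from its SKID, is still accepted as a trust anchor goes untested; adding `strict_verify($cert, 1);` to those cases would close that gap, assuming the helper accepts them as it does the `default_KIDs` case. `strict_verify` and `generate_cert`, named in the hunk header, are defined outside this hunk, so their defaults are not visible here.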
@ -114,6 +114,7 @@ sub file_contains {
|
||||
open(DATA, $_) or return 0;
|
||||
$_= join('', <DATA>);
|
||||
close(DATA);
|
||||
s/\s+/ /g; # take multiple whitespace (including newline) as single space
|
||||
return m/$pattern/ ? 1 : 0;
|
||||
}
|
||||
|
||||
@ -125,7 +126,7 @@ sub cert_contains {
|
||||
my $out = "cert_contains.out";
|
||||
run(app(["openssl", "x509", "-noout", "-text", "-in", $cert, "-out", $out]));
|
||||
is(file_contains($out, $pattern), $expected, ($name ? "$name: " : "").
|
||||
"$cert should ".($expected ? "" : "not ")."contain $pattern");
|
||||
"$cert should ".($expected ? "" : "not ")."contain: \"$pattern\"");
|
||||
# not unlinking $out
|
||||
}
|
||||
|
||||
|
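Review bot: The added `s/\s+/ /g` silently changes the contract of `file_contains` — `$pattern` is still interpolated as a regex on the following `return m/$pattern/` line, so any caller pattern containing a newline, a tab or two consecutive spaces can no longer match, and patterns ending in a space (as the new test cases do) now depend on the folded form; nothing in the hunk says so. Put a comment on the substitution that states it, e.g. `# callers' patterns must be written against the folded form: every whitespace run, including newlines, becomes a single space`, and repeat it in a comment above `cert_contains`, which is the entry point the test authors use. The surrounding `open(DATA, $_)` is a two-argument open on the special `DATA` bareword handle; it predates this change and the names passed here are test-controlled, but the lexical three-argument form `open(my $fh, '<', $_) or return 0;` with `<$fh>` and `close($fh)` removes the mode-injection footgun and stops clobbering the `__DATA__` handle. `file_contains` begins before the hunk, so its parameter handling is not visible here.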