The branch master has been updated via 00cf3a2d30fc7642bf9f816a7c545115985a8c0c (commit) via adbd77f6d7cc4efb7b4bde483036fab8e48ce870 (commit) from b0c1214e1e82bc4c98eadd11d368b4ba9ffa202c (commit)
- Log ----------------------------------------------------------------- commit 00cf3a2d30fc7642bf9f816a7c545115985a8c0c Author: Dr. David von Oheimb <david.von.ohe...@siemens.com> Date: Tue Aug 24 09:31:53 2021 +0200 25-test_req.t: Add systematic SKID+AKID tests for self-issued (incl. self-signed) certs Reviewed-by: Viktor Dukhovni <vik...@openssl.org> Reviewed-by: Tomas Mraz <to...@openssl.org> Reviewed-by: Dmitry Belyavskiy <beld...@gmail.com> (Merged from https://github.com/openssl/openssl/pull/16342) commit adbd77f6d7cc4efb7b4bde483036fab8e48ce870 Author: Dr. David von Oheimb <david.von.ohe...@siemens.com> Date: Tue Aug 17 23:13:28 2021 +0200 X509: Fix handling of AKID and SKID extensions according to configuration Fixes #16300 Reviewed-by: Viktor Dukhovni <vik...@openssl.org> Reviewed-by: Tomas Mraz <to...@openssl.org> Reviewed-by: Dmitry Belyavskiy <beld...@gmail.com> (Merged from https://github.com/openssl/openssl/pull/16342) ----------------------------------------------------------------------- Summary of changes: apps/ca.c | 11 +++- apps/include/apps.h | 1 + apps/lib/apps.c | 20 ++++-- apps/pkcs12.c | 2 +- apps/req.c | 4 +- apps/x509.c | 4 ++ crypto/x509/v3_akid.c | 13 ++-- crypto/x509/v3_conf.c | 18 ++++- doc/man5/x509v3_config.pod | 1 + test/certs/ext-check.csr | 23 ++----- test/recipes/25-test_req.t | 157 +++++++++++++++++++++++++++++++++++++------- test/recipes/tconversion.pl | 3 +- 12 files changed, 199 insertions(+), 58 deletions(-) diff --git a/apps/ca.c b/apps/ca.c index 24883615ed..1e77bf50c5 100644 --- a/apps/ca.c +++ b/apps/ca.c @@ -1709,7 +1709,16 @@ static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509, /* Initialize the context structure */ X509V3_set_ctx(&ext_ctx, selfsign ? ret : x509, - ret, req, NULL, X509V3_CTX_REPLACE); + ret, NULL /* no need to give req, needed info is in ret */, + NULL, X509V3_CTX_REPLACE); + /* prepare fallback for AKID, but only if issuer cert equals subject cert */ + if (selfsign) { + if (!X509V3_set_issuer_pkey(&ext_ctx, pkey)) + goto end; + if (!cert_matches_key(ret, pkey)) + BIO_printf(bio_err, + "Warning: Signature key and public key of cert do not match\n"); + } /* Lets add the extensions, if there are any */ if (ext_sect) { diff --git a/apps/include/apps.h b/apps/include/apps.h index 9d5db16600..6018a83ca4 100644 --- a/apps/include/apps.h +++ b/apps/include/apps.h @@ -247,6 +247,7 @@ int x509_req_ctrl_string(X509_REQ *x, const char *value); int init_gen_str(EVP_PKEY_CTX **pctx, const char *algname, ENGINE *e, int do_param, OSSL_LIB_CTX *libctx, const char *propq); +int cert_matches_key(const X509 *cert, const EVP_PKEY *pkey); int do_X509_sign(X509 *x, EVP_PKEY *pkey, const char *md, STACK_OF(OPENSSL_STRING) *sigopts, X509V3_CTX *ext_ctx); int do_X509_verify(X509 *x, EVP_PKEY *pkey, STACK_OF(OPENSSL_STRING) *vfyopts); diff --git a/apps/lib/apps.c b/apps/lib/apps.c index b15abac857..82eeaea249 100644 --- a/apps/lib/apps.c +++ b/apps/lib/apps.c @@ -2224,8 +2224,8 @@ static int adapt_keyid_ext(X509 *cert, X509V3_CTX *ext_ctx, idx = X509v3_get_ext_by_OBJ(exts, X509_EXTENSION_get_object(new_ext), -1); if (idx >= 0) { X509_EXTENSION *found_ext = X509v3_get_ext(exts, idx); - ASN1_OCTET_STRING *data = X509_EXTENSION_get_data(found_ext); - int disabled = ASN1_STRING_length(data) <= 2; /* config said "none" */ + ASN1_OCTET_STRING *encoded = X509_EXTENSION_get_data(found_ext); + int disabled = ASN1_STRING_length(encoded) <= 2; /* indicating "none" */ if (disabled) { X509_delete_ext(cert, idx); @@ -2239,6 +2239,16 @@ static int adapt_keyid_ext(X509 *cert, X509V3_CTX *ext_ctx, return rv; } +int cert_matches_key(const X509 *cert, const EVP_PKEY *pkey) +{ + int match; + + ERR_set_mark(); + match = X509_check_private_key(cert, pkey); + ERR_pop_to_mark(); + return match; +} + /* Ensure RFC 5280 compliance, adapt keyIDs as needed, and sign the cert info */ int do_X509_sign(X509 *cert, EVP_PKEY *pkey, const char *md, STACK_OF(OPENSSL_STRING) *sigopts, X509V3_CTX *ext_ctx) @@ -2254,16 +2264,14 @@ int do_X509_sign(X509 *cert, EVP_PKEY *pkey, const char *md, goto end; /* - * Add default SKID before such that default AKID can make use of it + * Add default SKID before AKID such that AKID can make use of it * in case the certificate is self-signed */ /* Prevent X509_V_ERR_MISSING_SUBJECT_KEY_IDENTIFIER */ if (!adapt_keyid_ext(cert, ext_ctx, "subjectKeyIdentifier", "hash", 1)) goto end; /* Prevent X509_V_ERR_MISSING_AUTHORITY_KEY_IDENTIFIER */ - ERR_set_mark(); - self_sign = X509_check_private_key(cert, pkey); - ERR_pop_to_mark(); + self_sign = cert_matches_key(cert, pkey); if (!adapt_keyid_ext(cert, ext_ctx, "authorityKeyIdentifier", "keyid, issuer", !self_sign)) goto end; diff --git a/apps/pkcs12.c b/apps/pkcs12.c index dcb173f201..acc45c405a 100644 --- a/apps/pkcs12.c +++ b/apps/pkcs12.c @@ -555,7 +555,7 @@ int pkcs12_main(int argc, char **argv) /* Look for matching private key */ for (i = 0; i < sk_X509_num(certs); i++) { x = sk_X509_value(certs, i); - if (X509_check_private_key(x, key)) { + if (cert_matches_key(x, key)) { ee_cert = x; /* Zero keyid and alias */ X509_keyid_set1(ee_cert, NULL, 0); diff --git a/apps/req.c b/apps/req.c index 7997ea7649..274f839902 100644 --- a/apps/req.c +++ b/apps/req.c @@ -838,11 +838,9 @@ int req_main(int argc, char **argv) if (CAcert == NULL) { if (!X509V3_set_issuer_pkey(&ext_ctx, issuer_key)) goto end; - ERR_set_mark(); - if (!X509_check_private_key(new_x509, issuer_key)) + if (!cert_matches_key(new_x509, issuer_key)) BIO_printf(bio_err, "Warning: Signature key and public key of cert do not match\n"); - ERR_pop_to_mark(); } X509V3_set_nconf(&ext_ctx, req_conf); diff --git a/apps/x509.c b/apps/x509.c index b88fb4f5ea..ff95821bab 100644 --- a/apps/x509.c +++ b/apps/x509.c @@ -810,6 +810,10 @@ int x509_main(int argc, char **argv) goto end; if (!x509toreq && !reqfile && !newcert && !self_signed(ctx, x)) goto end; + } else { + if (privkey != NULL && !cert_matches_key(x, privkey)) + BIO_printf(bio_err, + "Warning: Signature key and public key of cert do not match\n"); } if (sno != NULL && !X509_set_serialNumber(x, sno)) diff --git a/crypto/x509/v3_akid.c b/crypto/x509/v3_akid.c index 43b515f50c..59ea439edd 100644 --- a/crypto/x509/v3_akid.c +++ b/crypto/x509/v3_akid.c @@ -161,8 +161,13 @@ static AUTHORITY_KEYID *v2i_AUTHORITY_KEYID(X509V3_EXT_METHOD *method, */ i = X509_get_ext_by_NID(issuer_cert, NID_subject_key_identifier, -1); if (i >= 0 && (ext = X509_get_ext(issuer_cert, i)) != NULL - && !(same_issuer && !ss)) + && !(same_issuer && !ss)) { ikeyid = X509V3_EXT_d2i(ext); + if (ASN1_STRING_length(ikeyid) == 0) /* indicating "none" */ { + ASN1_OCTET_STRING_free(ikeyid); + ikeyid = NULL; + } + } if (ikeyid == NULL && same_issuer && ctx->issuer_pkey != NULL) { /* generate fallback AKID, emulating s2i_skey_id(..., "hash") */ X509_PUBKEY *pubkey = NULL; @@ -171,15 +176,13 @@ static AUTHORITY_KEYID *v2i_AUTHORITY_KEYID(X509V3_EXT_METHOD *method, ikeyid = ossl_x509_pubkey_hash(pubkey); X509_PUBKEY_free(pubkey); } - if ((keyid == 2 || issuer == 0) - && (ikeyid == NULL - || ASN1_STRING_length(ikeyid) <= 2) /* indicating "none" */) { + if (keyid == 2 && ikeyid == NULL) { ERR_raise(ERR_LIB_X509V3, X509V3_R_UNABLE_TO_GET_ISSUER_KEYID); goto err; } } - if (issuer == 2 || (issuer == 1 && ikeyid == NULL)) { + if (issuer == 2 || (issuer == 1 && !ss && ikeyid == NULL)) { isname = X509_NAME_dup(X509_get_issuer_name(issuer_cert)); serial = ASN1_INTEGER_dup(X509_get0_serialNumber(issuer_cert)); if (isname == NULL || serial == NULL) { diff --git a/crypto/x509/v3_conf.c b/crypto/x509/v3_conf.c index 1c11d671b2..b95c652468 100644 --- a/crypto/x509/v3_conf.c +++ b/crypto/x509/v3_conf.c @@ -311,13 +311,27 @@ int X509V3_EXT_add_nconf_sk(CONF *conf, X509V3_CTX *ctx, const char *section, { X509_EXTENSION *ext; STACK_OF(CONF_VALUE) *nval; - CONF_VALUE *val; - int i; + const CONF_VALUE *val; + int i, akid = -1, skid = -1; if ((nval = NCONF_get_section(conf, section)) == NULL) return 0; for (i = 0; i < sk_CONF_VALUE_num(nval); i++) { val = sk_CONF_VALUE_value(nval, i); + if (strcmp(val->name, "authorityKeyIdentifier") == 0) + akid = i; + else if (strcmp(val->name, "subjectKeyIdentifier") == 0) + skid = i; + } + for (i = 0; i < sk_CONF_VALUE_num(nval); i++) { + val = sk_CONF_VALUE_value(nval, i); + if (skid > akid && akid >= 0) { + /* make sure SKID is handled before AKID */ + if (i == akid) + val = sk_CONF_VALUE_value(nval, skid); + else if (i == skid) + val = sk_CONF_VALUE_value(nval, akid); + } if ((ext = X509V3_EXT_nconf_int(conf, ctx, val->section, val->name, val->value)) == NULL) return 0; diff --git a/doc/man5/x509v3_config.pod b/doc/man5/x509v3_config.pod index 2a3afee27f..0114b45505 100644 --- a/doc/man5/x509v3_config.pod +++ b/doc/man5/x509v3_config.pod @@ -208,6 +208,7 @@ If B<always> is present but no value can be obtained, an error is returned. If B<issuer> is present, and in addition it has the option B<always> specified or B<keyid> is not present, then the issuer DN and serial number are copied from the issuer certificate. +If this fails, an error is returned. Examples: diff --git a/test/certs/ext-check.csr b/test/certs/ext-check.csr index ee974e05ce..a5ca888156 100644 --- a/test/certs/ext-check.csr +++ b/test/certs/ext-check.csr @@ -1,18 +1,9 @@ -----BEGIN CERTIFICATE REQUEST----- -MIICzTCCAbcCAQAwVDELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUx -ITAfBgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDENMAsGA1UEAwwEdGVz -dDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJadpD0ASxxfxsvdj9Ix -sogVzMSGLFziaYuE9KejU9+R479RifvwfBANO62sNWJ19X//9G5UjwWmkiOzn1k5 -0DkYsBBA3mJzik6wjt/c58lBIlSEgAgpvDU8ht8w3t20JP9+YqXAeugqFj/Wl9rF -QtsvaWSRywjXVlp5fxuEQelNnXcJEKhsKTNExsBUZebo4/J1BWpklWzA9P0lYW5I -NvDAAwcF1nzlEf0Y6Eot03IMNyg2MTE4hehxjdgCSci8GYnFirE/ojXqqpAcZGh7 -r2dqWgZUD1Dh+bT2vjrUzj8eTH3GdzI+oljt29102JIUaqj3yzRYkah8FLF9CLNN -sUcCAwEAAaA2MBYGCSqGSIb3DQEJAjEJDAdDb21wYW55MBwGCSqGSIb3DQEJDjEP -MA0wCwYDVR0PBAQDAgeAMAsGCSqGSIb3DQEBCwOCAQEAYd4B+FkWRuVVDPYfrN8P -UdZbLTggUGrpdhRibnoAsLNQ3cCS90OsCq5FLD6TVUCNb1gnp15Jp1WChQSyD3zC -jb8VgivDeDOuk08Zy2Fl2+QvuwyQ9hKTAOTdAmP/bapAi7zniElSTP6BZ8vyEtuP -FCEWJ5UjhvUYbZOG5WIHxhT+24CtYH3iHNir4OlDbsYrUBKEmQZIDj6WC01UT+4U -/up2xKq1Y+rOUv2Xy3K9O/U1W/3AF7IvcDyd7+qQTGD8U2X3efzZYOffhTN+9Rvn -5t82CnHLjFn4Co43RBiOcbjSDbvtaghtDiYB2tSUuqafHiuAJKx6zAm0Y2FR8X+z -gg== +MIIBJzCBsgIBADAPMQ0wCwYDVQQDDAR0ZXN0MHwwDQYJKoZIhvcNAQEBBQADawAw +aAJhALntqSk2YVnhNalAikA2tuSOvHUKVSJlqjKmzlUPI+gQFyBWxtyQdwepI87t +l8EW1in2IiOeN49W+OtVOlBiMxwqi/BcBltTbbSrlRpoSKOH6V7zIXvfsqjwWsDi +37V1xQIDAQABoB4wHAYJKoZIhvcNAQkOMQ8wDTALBgNVHQ8EBAMCB4AwDQYJKoZI +hvcNAQELBQADYQCu+Qad0pgxIY8PUo6pvg8nNruEyrk/0/weL+sPZxEv0hSrIaGo +ZaVGcPGi67oidiUyM2eMwDUUz3UmPA4oHNGRCddnTMISDxynLEM55CUECLFxXhP+ +8dJsKuJ9jbdasn4= -----END CERTIFICATE REQUEST----- diff --git a/test/recipes/25-test_req.t b/test/recipes/25-test_req.t index 235b53c61c..c1587b76d7 100644 --- a/test/recipes/25-test_req.t +++ b/test/recipes/25-test_req.t @@ -15,7 +15,7 @@ use OpenSSL::Test qw/:DEFAULT srctop_file/; setup("test_req"); -plan tests => 43; +plan tests => 91; require_ok(srctop_file('test', 'recipes', 'tconversion.pl')); @@ -37,7 +37,7 @@ $ENV{MSYS2_ARG_CONV_EXCL} = "/CN="; # Check for duplicate -addext parameters, and one "working" case. my @addext_args = ( "openssl", "req", "-new", "-out", "testreq.pem", - "-key", srctop_file("test", "certs", "ee-key.pem"), + "-key", srctop_file(@certs, "ee-key.pem"), "-config", srctop_file("test", "test.cnf"), @req_new ); my $val = "subjectAltName=DNS:example.com"; my $val2 = " " . $val; @@ -298,7 +298,7 @@ subtest "generating certificate requests" => sub { plan tests => 2; ok(run(app(["openssl", "req", "-config", srctop_file("test", "test.cnf"), - "-key", srctop_file("test", "certs", "ee-key.pem"), + "-key", srctop_file(@certs, "ee-key.pem"), @req_new, "-out", "testreq.pem"])), "Generating request"); @@ -415,36 +415,150 @@ sub strict_verify { my @v3_ca = ("-addext", "basicConstraints = critical,CA:true", "-addext", "keyUsage = keyCertSign"); my $SKID_AKID = "subjectKeyIdentifier,authorityKeyIdentifier"; -my $cert = "self-signed_v1_CA_no_KIDs.pem"; + +# # SKID + +my $cert = "self-signed_v3_CA_hash_SKID.pem"; +generate_cert($cert, @v3_ca, "-addext", "subjectKeyIdentifier = hash"); +has_SKID($cert, 1); # explicit hash SKID + +$cert = "self-signed_v3_CA_no_SKID.pem"; +generate_cert($cert, @v3_ca, "-addext", "subjectKeyIdentifier = none"); +cert_ext_has_n_different_lines($cert, 0, $SKID_AKID); # no SKID and no AKID +#TODO strict_verify($cert, 0); + +$cert = "self-signed_v3_CA_given_SKID.pem"; +generate_cert($cert, @v3_ca, "-addext", "subjectKeyIdentifier = 45"); +cert_contains($cert, "Subject Key Identifier: 45 ", 1); # given SKID +strict_verify($cert, 1); + +# AKID of self-signed certs + +$cert = "self-signed_v1_CA_no_KIDs.pem"; generate_cert($cert); cert_ext_has_n_different_lines($cert, 0, $SKID_AKID); # no SKID and no AKID #TODO strict_verify($cert, 1); # self-signed v1 root cert should be accepted as CA -$ca_cert = "self-signed_v3_CA_default_SKID.pem"; +$ca_cert = "self-signed_v3_CA_default_SKID.pem"; # will also be used below generate_cert($ca_cert, @v3_ca); -has_SKID($ca_cert, 1); -has_AKID($ca_cert, 0); +has_SKID($ca_cert, 1); # default SKID +has_AKID($ca_cert, 0); # no default AKID strict_verify($ca_cert, 1); -$cert = "self-signed_v3_CA_no_SKID.pem"; -generate_cert($cert, @v3_ca, "-addext", "subjectKeyIdentifier = none"); -cert_ext_has_n_different_lines($cert, 0, $SKID_AKID); # no SKID and no AKID -#TODO strict_verify($cert, 0); +$cert = "self-signed_v3_CA_no_AKID.pem"; +generate_cert($cert, @v3_ca, "-addext", "authorityKeyIdentifier = none"); +has_AKID($cert, 0); # forced no AKID -$cert = "self-signed_v3_CA_both_KIDs.pem"; -generate_cert($cert, @v3_ca, "-addext", "subjectKeyIdentifier = hash", - "-addext", "authorityKeyIdentifier = keyid:always"); -cert_ext_has_n_different_lines($cert, 3, $SKID_AKID); # SKID == AKID +$cert = "self-signed_v3_CA_explicit_AKID.pem"; +generate_cert($cert, @v3_ca, "-addext", "authorityKeyIdentifier = keyid"); +has_AKID($cert, 0); # for self-signed cert, AKID suppressed and not forced + +$cert = "self-signed_v3_CA_forced_AKID.pem"; +generate_cert($cert, @v3_ca, "-addext", "authorityKeyIdentifier = keyid:always"); +cert_ext_has_n_different_lines($cert, 3, $SKID_AKID); # forced AKID, AKID == SKID strict_verify($cert, 1); +$cert = "self-signed_v3_CA_issuer_AKID.pem"; +generate_cert($cert, @v3_ca, "-addext", "authorityKeyIdentifier = issuer"); +has_AKID($cert, 0); # suppressed AKID since not forced + +$cert = "self-signed_v3_CA_forced_issuer_AKID.pem"; +generate_cert($cert, @v3_ca, "-addext", "authorityKeyIdentifier = issuer:always"); +cert_contains($cert, "Authority Key Identifier: DirName:/CN=CA serial:", 1); # forced issuer AKID + +$cert = "self-signed_v3_CA_nonforced_keyid_issuer_AKID.pem"; +generate_cert($cert, @v3_ca, "-addext", "authorityKeyIdentifier = keyid, issuer"); +has_AKID($cert, 0); # AKID not present because not forced and cert self-signed + +$cert = "self-signed_v3_CA_keyid_forced_issuer_AKID.pem"; +generate_cert($cert, @v3_ca, "-addext", "authorityKeyIdentifier = keyid, issuer:always"); +cert_contains($cert, "Authority Key Identifier: DirName:/CN=CA serial:", 1); # issuer AKID forced, with keyid not forced + +$cert = "self-signed_v3_CA_forced_keyid_issuer_AKID.pem"; +generate_cert($cert, @v3_ca, "-addext", "authorityKeyIdentifier = keyid:always, issuer"); +has_AKID($cert, 1); # AKID with keyid forced +cert_contains($cert, "Authority Key Identifier: DirName:/CN=CA serial:", 0); # no issuer AKID + +$cert = "self-signed_v3_CA_forced_keyid_forced_issuer_AKID.pem"; +generate_cert($cert, @v3_ca, "-addext", "authorityKeyIdentifier = keyid:always, issuer:always"); +cert_contains($cert, "Authority Key Identifier: keyid(:[0-9A-Fa-f]{2})+ DirName:/CN=CA serial:", 1); # AKID with keyid and issuer forced + $cert = "self-signed_v3_EE_wrong_keyUsage.pem"; generate_cert($cert, "-addext", "keyUsage = keyCertSign"); #TODO strict_verify($cert, 1); # should be accepted because RFC 5280 does not apply -$cert = "v3_EE_default_KIDs.pem"; +# AKID of self-issued but not self-signed certs + +$cert = "self-issued_x509_v3_CA_default_KIDs.pem"; +ok(run(app([("openssl", "x509", "-copy_extensions", "copy", + "-req", "-in", srctop_file(@certs, "ext-check.csr"), + "-key", srctop_file(@certs, "ca-key.pem"), + "-force_pubkey", srctop_file("test", "testrsapub.pem"), + "-out", $cert)])), "generate using x509: $cert"); +cert_contains($cert, "Issuer: CN=test .*? Subject: CN=test", 1); +cert_ext_has_n_different_lines($cert, 4, $SKID_AKID); # SKID != AKID +strict_verify($cert, 1); + +$cert = "self-issued_v3_CA_default_KIDs.pem"; +generate_cert($cert, "-addext", "keyUsage = dataEncipherment", + "-in", srctop_file(@certs, "x509-check.csr")); +cert_contains($cert, "Issuer: CN=CA .*? Subject: CN=CA", 1); +cert_ext_has_n_different_lines($cert, 4, $SKID_AKID); # SKID != AKID +strict_verify($cert, 1); + +$cert = "self-issued_v3_CA_no_AKID.pem"; +generate_cert($cert, "-addext", "authorityKeyIdentifier = none", + "-in", srctop_file(@certs, "x509-check.csr")); +has_AKID($cert, 0); +strict_verify($cert, 1); + +$cert = "self-issued_v3_CA_explicit_AKID.pem"; +generate_cert($cert, "-addext", "authorityKeyIdentifier = keyid", + "-in", srctop_file(@certs, "x509-check.csr")); +cert_ext_has_n_different_lines($cert, 4, $SKID_AKID); # SKID != AKID +strict_verify($cert, 1); + +$cert = "self-issued_v3_CA_forced_AKID.pem"; +generate_cert($cert, "-addext", "authorityKeyIdentifier = keyid:always", + "-in", srctop_file(@certs, "x509-check.csr")); +cert_ext_has_n_different_lines($cert, 4, $SKID_AKID); # SKID != AKID + +$cert = "self-issued_v3_CA_issuer_AKID.pem"; +generate_cert($cert, @v3_ca, "-addext", "authorityKeyIdentifier = issuer", + "-in", srctop_file(@certs, "x509-check.csr")); +cert_contains($cert, "Authority Key Identifier: DirName:/CN=CA serial:", 1); # just issuer AKID + +$cert = "self-issued_v3_CA_forced_issuer_AKID.pem"; +generate_cert($cert, @v3_ca, "-addext", "authorityKeyIdentifier = issuer:always", + "-in", srctop_file(@certs, "x509-check.csr")); +cert_contains($cert, "Authority Key Identifier: DirName:/CN=CA serial:", 1); # just issuer AKID + +$cert = "self-issued_v3_CA_keyid_issuer_AKID.pem"; +generate_cert($cert, "-addext", "authorityKeyIdentifier = keyid, issuer", + "-in", srctop_file(@certs, "x509-check.csr")); +cert_ext_has_n_different_lines($cert, 4, $SKID_AKID); # SKID != AKID, not forced + +$cert = "self-issued_v3_CA_keyid_forced_issuer_AKID.pem"; +generate_cert($cert, "-addext", "authorityKeyIdentifier = keyid, issuer:always", + "-in", srctop_file(@certs, "x509-check.csr")); +cert_ext_has_n_different_lines($cert, 6, $SKID_AKID); # SKID != AKID, with forced issuer + +$cert = "self-issued_v3_CA_forced_keyid_and_issuer_AKID.pem"; +generate_cert($cert, "-addext", "authorityKeyIdentifier = keyid:always, issuer:always", + "-in", srctop_file(@certs, "x509-check.csr")); +cert_ext_has_n_different_lines($cert, 6, $SKID_AKID); # SKID != AKID, both forced + +# AKID of not self-issued certs + +$cert = "regular_v3_EE_default_KIDs.pem"; generate_cert($cert, "-addext", "keyUsage = dataEncipherment"); cert_ext_has_n_different_lines($cert, 4, $SKID_AKID); # SKID != AKID strict_verify($cert, 1, $ca_cert); +$cert = "regular_v3_EE_copied_exts_default_KIDs.pem"; +generate_cert($cert, "-copy_extensions", "copy", + "-in", srctop_file(@certs, "ext-check.csr")); +cert_ext_has_n_different_lines($cert, 4, $SKID_AKID); # SKID != AKID +strict_verify($cert, 1); $cert = "v3_EE_no_AKID.pem"; generate_cert($cert, "-addext", "authorityKeyIdentifier = none"); @@ -452,16 +566,13 @@ has_SKID($cert, 1); has_AKID($cert, 0); strict_verify($cert, 0, $ca_cert); -$cert = "self-issued_v3_EE_default_KIDs.pem"; -generate_cert($cert, "-addext", "keyUsage = dataEncipherment", - "-in", srctop_file(@certs, "x509-check.csr")); -cert_ext_has_n_different_lines($cert, 4, $SKID_AKID); # SKID != AKID -strict_verify($cert, 1); -my $cert = "self-signed_CA_no_keyUsage.pem"; +# Key Usage + +$cert = "self-signed_CA_no_keyUsage.pem"; generate_cert($cert, "-in", srctop_file(@certs, "ext-check.csr")); has_keyUsage($cert, 0); -my $cert = "self-signed_CA_with_keyUsages.pem"; +$cert = "self-signed_CA_with_keyUsages.pem"; generate_cert($cert, "-in", srctop_file(@certs, "ext-check.csr"), "-copy_extensions", "copy"); has_keyUsage($cert, 1); diff --git a/test/recipes/tconversion.pl b/test/recipes/tconversion.pl index 87b037b34d..f60954c0ba 100644 --- a/test/recipes/tconversion.pl +++ b/test/recipes/tconversion.pl @@ -114,6 +114,7 @@ sub file_contains { open(DATA, $_) or return 0; $_= join('', <DATA>); close(DATA); + s/\s+/ /g; # take multiple whitespace (including newline) as single space return m/$pattern/ ? 1 : 0; } @@ -125,7 +126,7 @@ sub cert_contains { my $out = "cert_contains.out"; run(app(["openssl", "x509", "-noout", "-text", "-in", $cert, "-out", $out])); is(file_contains($out, $pattern), $expected, ($name ? "$name: " : ""). - "$cert should ".($expected ? "" : "not ")."contain $pattern"); + "$cert should ".($expected ? "" : "not ")."contain: \"$pattern\""); # not unlinking $out }