Home Verkennen Help
Inloggen
OWEALs
/
openssl
spiegel van git://git.openssl.org/openssl.git
2
0
Vork 0
Bestanden Issues 1 Wiki
Boom: 6594baf645
Aftakkingen Labels
openssl
/
test
/
recipes
/
25-test_x509.t

25-test_x509.t 12 KB
Geschiedenis Ruwe

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308 
  1. #! /usr/bin/env perl
    2. 

  2. # Copyright 2015-2024 The OpenSSL Project Authors. All Rights Reserved.
    3. 

  3. #
    4. 

  4. # Licensed under the Apache License 2.0 (the "License").  You may not use
    5. 

  5. # this file except in compliance with the License.  You can obtain a copy
    6. 

  6. # in the file LICENSE in the source distribution or at
    7. 

  7. # https://www.openssl.org/source/license.html
    8. 

  8. 

  9. 

  10. use strict;
    11. 

  11. use warnings;
    12. 

  12. 

  13. use File::Spec;
    14. 

  14. use OpenSSL::Test::Utils;
    15. 

  15. use OpenSSL::Test qw/:DEFAULT srctop_file/;
    16. 

  16. 

  17. setup("test_x509");
    18. 

  18. 

  19. plan tests => 51;
    20. 

  20. 

  21. # Prevent MSys2 filename munging for arguments that look like file paths but
    22. 

  22. # aren't
    23. 

  23. $ENV{MSYS2_ARG_CONV_EXCL} = "/CN=";
    24. 

  24. 

  25. require_ok(srctop_file("test", "recipes", "tconversion.pl"));
    26. 

  26. 

  27. my @certs = qw(test certs);
    28. 

  28. my $pem = srctop_file(@certs, "cyrillic.pem");
    29. 

  29. my $out_msb = "out-cyrillic.msb";
    30. 

  30. my $out_utf8 = "out-cyrillic.utf8";
    31. 

  31. my $der = "cyrillic.der";
    32. 

  32. my $der2 = "cyrillic.der";
    33. 

  33. my $msb = srctop_file(@certs, "cyrillic.msb");
    34. 

  34. my $utf = srctop_file(@certs, "cyrillic.utf8");
    35. 

  35. 

  36. ok(run(app(["openssl", "x509", "-text", "-in", $pem, "-out", $out_msb,
    37. 

  37.             "-nameopt", "esc_msb"])));
    38. 

  38. is(cmp_text($out_msb, $msb),
    39. 

  39.    0, 'Comparing esc_msb output with cyrillic.msb');
    40. 

  40. ok(run(app(["openssl", "x509", "-text", "-in", $pem, "-out", $out_utf8,
    41. 

  41.             "-nameopt", "utf8"])));
    42. 

  42. is(cmp_text($out_utf8, $utf),
    43. 

  43.    0, 'Comparing utf8 output with cyrillic.utf8');
    44. 

  44. 

  45. SKIP: {
    46. 

  46.     skip "DES disabled", 1 if disabled("des");
    47. 

  47.     skip "Platform doesn't support command line UTF-8", 1 if $^O =~ /^(VMS|msys)$/;
    48. 

  48. 

  49.     my $p12 = srctop_file("test", "shibboleth.pfx");
    50. 

  50.     my $p12pass = "σύνθημα γνώρισμα";
    51. 

  51.     my $out_pem = "out.pem";
    52. 

  52.     ok(run(app(["openssl", "x509", "-text", "-in", $p12, "-out", $out_pem,
    53. 

  53.                 "-passin", "pass:$p12pass"])));
    54. 

  54.     # not unlinking $out_pem
    55. 

  55. }
    56. 

  56. 

  57. ok(!run(app(["openssl", "x509", "-in", $pem, "-inform", "DER",
    58. 

  58.              "-out", $der, "-outform", "DER"])),
    59. 

  59.    "Checking failure of mismatching -inform DER");
    60. 

  60. ok(run(app(["openssl", "x509", "-in", $pem, "-inform", "PEM",
    61. 

  61.             "-out", $der, "-outform", "DER"])),
    62. 

  62.    "Conversion to DER");
    63. 

  63. ok(!run(app(["openssl", "x509", "-in", $der, "-inform", "PEM",
    64. 

  64.              "-out", $der2, "-outform", "DER"])),
    65. 

  65.    "Checking failure of mismatching -inform PEM");
    66. 

  66. 

  67. # producing and checking self-issued (but not self-signed) cert
    68. 

  68. my $subj = "/CN=CA"; # using same DN as in issuer of ee-cert.pem
    69. 

  69. my $extfile = srctop_file("test", "v3_ca_exts.cnf");
    70. 

  70. my $pkey = srctop_file(@certs, "ca-key.pem"); # issuer private key
    71. 

  71. my $pubkey = "ca-pubkey.pem"; # the corresponding issuer public key
    72. 

  72. # use any (different) key for signing our self-issued cert:
    73. 

  73. my $key = srctop_file(@certs, "serverkey.pem");
    74. 

  74. my $selfout = "self-issued.out";
    75. 

  75. my $testcert = srctop_file(@certs, "ee-cert.pem");
    76. 

  76. ok(run(app(["openssl", "pkey", "-in", $pkey, "-pubout", "-out", $pubkey]))
    77. 

  77. && run(app(["openssl", "x509", "-new", "-force_pubkey", $pubkey, "-subj", $subj,
    78. 

  78.             "-extfile", $extfile, "-key", $key, "-out", $selfout]))
    79. 

  79. && run(app(["openssl", "verify", "-no_check_time",
    80. 

  80.             "-trusted", $selfout, "-partial_chain", $testcert])));
    81. 

  81. # not unlinking $pubkey
    82. 

  82. # not unlinking $selfout
    83. 

  83. 

  84. # test -set_issuer option
    85. 

  85. my $ca_issu = srctop_file(@certs, "ca-cert.pem"); # issuer cert
    86. 

  86. my $caout_issu = "ca-issu.out";
    87. 

  87. ok(run(app(["openssl", "x509", "-new", "-force_pubkey", $key, "-subj", "/CN=EE",
    88. 

  88.             "-set_issuer", "/CN=TEST-CA", "-extfile", $extfile, "-CA", $ca_issu,
    89. 

  89.             "-CAkey", $pkey, "-text", "-out", $caout_issu])));
    90. 

  90. ok(get_issuer($caout_issu) =~ /CN=TEST-CA/);
    91. 

  91. # not unlinking $caout
    92. 

  92. 

  93. # simple way of directly producing a CA-signed cert with private/pubkey input
    94. 

  94. my $ca = srctop_file(@certs, "ca-cert.pem"); # issuer cert
    95. 

  95. my $caout = "ca-issued.out";
    96. 

  96. ok(run(app(["openssl", "x509", "-new", "-force_pubkey", $key, "-subj", "/CN=EE",
    97. 

  97.             "-extfile", $extfile, "-CA", $ca, "-CAkey", $pkey, "-out", $caout]))
    98. 

  98. && run(app(["openssl", "verify", "-no_check_time",
    99. 

  99.             "-trusted", $ca, "-partial_chain", $caout])));
    100. 

  100. 

  101. subtest 'x509 -- x.509 v1 certificate' => sub {
    102. 

  102.     tconversion( -type => 'x509', -prefix => 'x509v1',
    103. 

  103.                  -in => srctop_file("test", "testx509.pem") );
    104. 

  104. };
    105. 

  105. subtest 'x509 -- first x.509 v3 certificate' => sub {
    106. 

  106.     tconversion( -type => 'x509', -prefix => 'x509v3-1',
    107. 

  107.                  -in => srctop_file("test", "v3-cert1.pem") );
    108. 

  108. };
    109. 

  109. subtest 'x509 -- second x.509 v3 certificate' => sub {
    110. 

  110.     tconversion( -type => 'x509', -prefix => 'x509v3-2',
    111. 

  111.                  -in => srctop_file("test", "v3-cert2.pem") );
    112. 

  112. };
    113. 

  113. 

  114. subtest 'x509 -- pathlen' => sub {
    115. 

  115.     ok(run(test(["v3ext", srctop_file(@certs, "pathlen.pem")])));
    116. 

  116. };
    117. 

  117. 

  118. cert_contains(srctop_file(@certs, "fake-gp.pem"),
    119. 

  119.               "2.16.528.1.1003.1.3.5.5.2-1-0000006666-Z-12345678-01.015-12345678",
    120. 

  120.               1, 'x500 -- subjectAltName');
    121. 

  121. 

  122. cert_contains(srctop_file(@certs, "ext-noAssertion.pem"),
    123. 

  123.               "No Assertion",
    124. 

  124.               1, 'X.509 Not Assertion Extension');
    125. 

  125. 

  126. cert_contains(srctop_file(@certs, "ext-groupAC.pem"),
    127. 

  127.               "Group Attribute Certificate",
    128. 

  128.               1, 'X.509 Group Attribute Certificate Extension');
    129. 

  129. 

  130. cert_contains(srctop_file(@certs, "ext-sOAIdentifier.pem"),
    131. 

  131.               "Source of Authority",
    132. 

  132.               1, 'X.509 Source of Authority Extension');
    133. 

  133. 

  134. cert_contains(srctop_file(@certs, "ext-noRevAvail.pem"),
    135. 

  135.               "No Revocation Available",
    136. 

  136.               1, 'X.509 No Revocation Available');
    137. 

  137. 

  138. cert_contains(srctop_file(@certs, "ext-singleUse.pem"),
    139. 

  139.               "Single Use",
    140. 

  140.               1, 'X509v3 Single Use');
    141. 

  141. 

  142. cert_contains(srctop_file(@certs, "ext-indirectIssuer.pem"),
    143. 

  143.               "Indirect Issuer",
    144. 

  144.               1, 'X.509 Indirect Issuer');
    145. 

  145. 

  146. sub test_errors { # actually tests diagnostics of OSSL_STORE
    147. 

  147.     my ($expected, $cert, @opts) = @_;
    148. 

  148.     my $infile = srctop_file(@certs, $cert);
    149. 

  149.     my @args = qw(openssl x509 -in);
    150. 

  150.     push(@args, $infile, @opts);
    151. 

  151.     my $tmpfile = 'out.txt';
    152. 

  152.     my $res =  grep(/-text/, @opts) ? run(app([@args], stdout => $tmpfile))
    153. 

  153.                                     : !run(app([@args], stderr => $tmpfile));
    154. 

  154.     my $found = 0;
    155. 

  155.     open(my $in, '<', $tmpfile) or die "Could not open file $tmpfile";
    156. 

  156.     while(<$in>) {
    157. 

  157.         print; # this may help debugging
    158. 

  158.         $res &&= !m/asn1 encoding/; # output must not include ASN.1 parse errors
    159. 

  159.         $found = 1 if m/$expected/; # output must include $expected
    160. 

  160.     }
    161. 

  161.     close $in;
    162. 

  162.     # $tmpfile is kept to help with investigation in case of failure
    163. 

  163.     return $res && $found;
    164. 

  164. }
    165. 

  165. 

  166. # 3 tests for non-existence of spurious OSSL_STORE ASN.1 parse error output.
    167. 

  167. # This requires provoking a failure exit of the app after reading input files.
    168. 

  168. ok(test_errors("Bad output format", "root-cert.pem", '-outform', 'http'),
    169. 

  169.    "load root-cert errors");
    170. 

  170. ok(test_errors("RC2-40-CBC", "v3-certs-RC2.p12", '-passin', 'pass:v3-certs'),
    171. 

  171.    "load v3-certs-RC2 no asn1 errors"); # error msg should mention "RC2-40-CBC"
    172. 

  172. SKIP: {
    173. 

  173.     skip "sm2 not disabled", 1 if !disabled("sm2");
    174. 

  174. 

  175.     ok(test_errors("Unable to load Public Key", "sm2.pem", '-text'),
    176. 

  176.        "error loading unsupported sm2 cert");
    177. 

  177. }
    178. 

  178. 

  179. # 3 tests for -dateopts formats
    180. 

  180. ok(run(app(["openssl", "x509", "-noout", "-dates", "-dateopt", "rfc_822",
    181. 

  181. 	     "-in", srctop_file("test/certs", "ca-cert.pem")])),
    182. 

  182.    "Run with rfc_8222 -dateopt format");
    183. 

  183. ok(run(app(["openssl", "x509", "-noout", "-dates", "-dateopt", "iso_8601",
    184. 

  184. 	     "-in", srctop_file("test/certs", "ca-cert.pem")])),
    185. 

  185.    "Run with iso_8601 -dateopt format");
    186. 

  186. ok(!run(app(["openssl", "x509", "-noout", "-dates", "-dateopt", "invalid_format",
    187. 

  187. 	     "-in", srctop_file("test/certs", "ca-cert.pem")])),
    188. 

  188.    "Run with invalid -dateopt format");
    189. 

  189. 

  190. # Tests for signing certs (broken in 1.1.1o)
    191. 

  191. my $a_key = "a-key.pem";
    192. 

  192. my $a_cert = "a-cert.pem";
    193. 

  193. my $a2_cert = "a2-cert.pem";
    194. 

  194. my $ca_key = "ca-key.pem";
    195. 

  195. my $ca_cert = "ca-cert.pem";
    196. 

  196. my $cnf = srctop_file('apps', 'openssl.cnf');
    197. 

  197. 

  198. # Create cert A
    199. 

  199. ok(run(app(["openssl", "req", "-x509", "-newkey", "rsa:2048",
    200. 

  200.             "-config", $cnf,
    201. 

  201.             "-keyout", $a_key, "-out", $a_cert, "-days", "365",
    202. 

  202.             "-nodes", "-subj", "/CN=test.example.com"])));
    203. 

  203. # Create cert CA - note key size
    204. 

  204. ok(run(app(["openssl", "req", "-x509", "-newkey", "rsa:4096",
    205. 

  205.             "-config", $cnf,
    206. 

  206.             "-keyout", $ca_key, "-out", $ca_cert, "-days", "3650",
    207. 

  207.             "-nodes", "-subj", "/CN=ca.example.com"])));
    208. 

  208. # Sign cert A with CA (errors on 1.1.1o)
    209. 

  209. ok(run(app(["openssl", "x509", "-in", $a_cert, "-CA", $ca_cert,
    210. 

  210.             "-CAkey", $ca_key, "-set_serial", "1234567890",
    211. 

  211.             "-preserve_dates", "-sha256", "-text", "-out", $a2_cert])));
    212. 

  212. # verify issuer is CA
    213. 

  213. ok(get_issuer($a2_cert) =~ /CN=ca.example.com/);
    214. 

  214. 

  215. my $in_csr = srctop_file('test', 'certs', 'x509-check.csr');
    216. 

  216. my $in_key = srctop_file('test', 'certs', 'x509-check-key.pem');
    217. 

  217. my $invextfile = srctop_file('test', 'invalid-x509.cnf');
    218. 

  218. # Test that invalid extensions settings fail
    219. 

  219. ok(!run(app(["openssl", "x509", "-req", "-in", $in_csr, "-signkey", $in_key,
    220. 

  220.             "-out", "/dev/null", "-days", "3650" , "-extensions", "ext",
    221. 

  221.             "-extfile", $invextfile])));
    222. 

  222. 

  223. # Tests for issue #16080 (fixed in 1.1.1o)
    224. 

  224. my $b_key = "b-key.pem";
    225. 

  225. my $b_csr = "b-cert.csr";
    226. 

  226. my $b_cert = "b-cert.pem";
    227. 

  227. # Create the CSR
    228. 

  228. ok(run(app(["openssl", "req", "-new", "-newkey", "rsa:4096",
    229. 

  229.             "-keyout", $b_key, "-out", $b_csr, "-nodes",
    230. 

  230.             "-config", $cnf,
    231. 

  231.             "-subj", "/CN=b.example.com"])));
    232. 

  232. # Sign it - position of "-text" matters!
    233. 

  233. ok(run(app(["openssl", "x509", "-req", "-text", "-CAcreateserial",
    234. 

  234.             "-CA", $ca_cert, "-CAkey", $ca_key,
    235. 

  235.             "-in", $b_csr, "-out", $b_cert])));
    236. 

  236. # Verify issuer is CA
    237. 

  237. ok(get_issuer($b_cert) =~ /CN=ca.example.com/);
    238. 

  238. 

  239. # although no explicit extensions given:
    240. 

  240. has_version($b_cert, 3);
    241. 

  241. has_SKID($b_cert, 1);
    242. 

  242. has_AKID($b_cert, 1);
    243. 

  243. 

  244. # Tests for https://github.com/openssl/openssl/issues/10442 (fixed in 1.1.1a)
    245. 

  245. # (incorrect default `-CAcreateserial` if `-CA` path has a dot in it)
    246. 

  246. my $folder_with_dot = "test_x509.folder";
    247. 

  247. ok(mkdir $folder_with_dot);
    248. 

  248. my $ca_cert_dot_in_dir = File::Spec->catfile($folder_with_dot, "ca-cert.pem");
    249. 

  249. ok(copy($ca_cert,$ca_cert_dot_in_dir));
    250. 

  250. my $ca_serial_dot_in_dir = File::Spec->catfile($folder_with_dot, "ca-cert.srl");
    251. 

  251. 

  252. ok(run(app(["openssl", "x509", "-req", "-text", "-CAcreateserial",
    253. 

  253.             "-CA", $ca_cert_dot_in_dir, "-CAkey", $ca_key,
    254. 

  254.             "-in", $b_csr])));
    255. 

  255. ok(-e $ca_serial_dot_in_dir);
    256. 

  256. 

  257. # Tests for explict start and end dates of certificates
    258. 

  258. my %today = (strftime("%Y-%m-%d", gmtime) => 1);
    259. 

  259. my $enddate;
    260. 

  260. ok(run(app(["openssl", "x509", "-req", "-text",
    261. 

  261. 	    "-key", $b_key,
    262. 

  262. 	    "-not_before", "20231031000000Z",
    263. 

  263. 	    "-not_after", "today",
    264. 

  264.             "-in", $b_csr, "-out", $b_cert]))
    265. 

  265. && get_not_before($b_cert) =~ /Oct 31 00:00:00 2023 GMT/
    266. 

  266. && ++$today{strftime("%Y-%m-%d", gmtime)}
    267. 

  267. && (grep { defined $today{$_} } get_not_after_date($b_cert)));
    268. 

  268. # explicit start and end dates
    269. 

  269. ok(run(app(["openssl", "x509", "-req", "-text",
    270. 

  270. 	    "-key", $b_key,
    271. 

  271. 	    "-not_before", "20231031000000Z",
    272. 

  272. 	    "-not_after", "20231231000000Z",
    273. 

  273. 	    "-days", "99",
    274. 

  274.             "-in", $b_csr, "-out", $b_cert]))
    275. 

  275. && get_not_before($b_cert) =~ /Oct 31 00:00:00 2023 GMT/
    276. 

  276. && get_not_after($b_cert) =~ /Dec 31 00:00:00 2023 GMT/);
    277. 

  277. # start date today and days
    278. 

  278. %today = (strftime("%Y-%m-%d", gmtime) => 1);
    279. 

  279. $enddate = strftime("%Y-%m-%d", gmtime(time + 99 * 24 * 60 * 60));
    280. 

  280. ok(run(app(["openssl", "x509", "-req", "-text",
    281. 

  281. 	    "-key", $b_key,
    282. 

  282. 	    "-not_before", "today",
    283. 

  283. 	    "-days", "99",
    284. 

  284.             "-in", $b_csr, "-out", $b_cert]))
    285. 

  285. && ++$today{strftime("%Y-%m-%d", gmtime)}
    286. 

  286. && (grep { defined $today{$_} } get_not_before_date($b_cert))
    287. 

  287. && get_not_after_date($b_cert) eq $enddate);
    288. 

  288. # end date before start date
    289. 

  289. ok(!run(app(["openssl", "x509", "-req", "-text",
    290. 

  290. 	      "-key", $b_key,
    291. 

  291. 	      "-not_before", "today",
    292. 

  292. 	      "-not_after", "20231031000000Z",
    293. 

  293.               "-in", $b_csr, "-out", $b_cert])));
    294. 

  294. # default days option
    295. 

  295. %today = (strftime("%Y-%m-%d", gmtime) => 1);
    296. 

  296. $enddate = strftime("%Y-%m-%d", gmtime(time + 30 * 24 * 60 * 60));
    297. 

  297. ok(run(app(["openssl", "x509", "-req", "-text",
    298. 

  298. 	    "-key", $b_key,
    299. 

  299.             "-in", $b_csr, "-out", $b_cert]))
    300. 

  300. && ++$today{strftime("%Y-%m-%d", gmtime)}
    301. 

  301. && (grep { defined $today{$_} } get_not_before_date($b_cert))
    302. 

  302. && get_not_after_date($b_cert) eq $enddate);
    303. 

  303. 

  304. SKIP: {
    305. 

  305.     skip "EC is not supported by this OpenSSL build", 1
    306. 

  306.         if disabled("ec");
    307. 

  307.     ok(run(test(["x509_test"])), "running x509_test");
    308. 

  308. }
    309.