add test case
This commit is contained in:
Jacob Barthelmeh
parent
17f32c3e05
commit
f00263889b
23
certs/test/cert-ext-ndir.cfg
Normal file
23
certs/test/cert-ext-ndir.cfg
Normal file
@ -0,0 +1,23 @@
|
||||
[ req ]
|
||||
distinguished_name = req_distinguished_name
|
||||
prompt = no
|
||||
x509_extensions = constraints
|
||||
|
||||
[ req_distinguished_name ]
|
||||
C = US
|
||||
ST = Montana
|
||||
L = Bozeman
|
||||
O = Sawtooth
|
||||
OU = Consulting
|
||||
CN = www.wolfssl.com
|
||||
emailAddress = info@wolfsssl.com
|
||||
|
||||
[constraints]
|
||||
subjectKeyIdentifier=hash
|
||||
authorityKeyIdentifier=keyid:always,issuer:always
|
||||
basicConstraints=CA:TRUE
|
||||
nameConstraints=critical,permitted;dirName:dir_name
|
||||
|
||||
[dir_name]
|
||||
countryName = US
|
||||
|
||||
BIN
certs/test/cert-ext-ndir.der
Normal file
BIN
certs/test/cert-ext-ndir.der
Normal file
Binary file not shown.
@ -2,8 +2,9 @@
|
||||
|
||||
TMP="/tmp/`basename $0`"
|
||||
|
||||
KEY=certs/server-key.der
|
||||
gen_cert() {
|
||||
openssl req -x509 -keyform DER -key certs/server-key.der \
|
||||
openssl req -x509 -keyform DER -key $KEY \
|
||||
-days 1000 -new -outform DER -out $OUT -config $CONFIG \
|
||||
>$TMP 2>&1
|
||||
|
||||
@ -96,3 +97,34 @@ nsComment = "Testing Netscape Certificate Type"
|
||||
EOF
|
||||
gen_cert
|
||||
|
||||
KEY=certs/ca-key.der
|
||||
OUT=certs/test/cert-ext-ndir.der
|
||||
KEYFILE=certs/ca-key.der
|
||||
CONFIG=certs/test/cert-ext-ndir.cfg
|
||||
tee >$CONFIG <<EOF
|
||||
[ req ]
|
||||
distinguished_name = req_distinguished_name
|
||||
prompt = no
|
||||
x509_extensions = constraints
|
||||
|
||||
[ req_distinguished_name ]
|
||||
C = US
|
||||
ST = Montana
|
||||
L = Bozeman
|
||||
O = Sawtooth
|
||||
OU = Consulting
|
||||
CN = www.wolfssl.com
|
||||
emailAddress = info@wolfsssl.com
|
||||
|
||||
[constraints]
|
||||
subjectKeyIdentifier=hash
|
||||
authorityKeyIdentifier=keyid:always,issuer:always
|
||||
basicConstraints=CA:TRUE
|
||||
nameConstraints=critical,permitted;dirName:dir_name
|
||||
|
||||
[dir_name]
|
||||
countryName = US
|
||||
|
||||
EOF
|
||||
gen_cert
|
||||
|
||||
|
||||
@ -9,6 +9,8 @@ EXTRA_DIST += \
|
||||
certs/test/cert-ext-nc.der \
|
||||
certs/test/cert-ext-nct.cfg \
|
||||
certs/test/cert-ext-nct.der \
|
||||
certs/test/cert-ext-ndir.cfg \
|
||||
certs/test/cert-ext-ndir.der \
|
||||
certs/test/cert-ext-ns.der \
|
||||
certs/test/gen-ext-certs.sh \
|
||||
certs/test/server-duplicate-policy.pem \
|
||||
|
||||
85
tests/api.c
85
tests/api.c
@ -1267,6 +1267,90 @@ static void test_wolfSSL_CertManagerNameConstraint(void)
|
||||
#endif
|
||||
}
|
||||
|
||||
|
||||
static void test_wolfSSL_CertManagerNameConstraint2(void)
|
||||
{
|
||||
#if !defined(NO_FILESYSTEM) && !defined(NO_CERTS) && \
|
||||
!defined(NO_WOLFSSL_CM_VERIFY) && !defined(NO_RSA) && \
|
||||
defined(OPENSSL_EXTRA) && defined(WOLFSSL_CERT_GEN) && \
|
||||
defined(WOLFSSL_CERT_EXT) && defined(WOLFSSL_ALT_NAMES)
|
||||
const char* ca_cert = "./certs/test/cert-ext-ndir.der";
|
||||
const char* server_cert = "./certs/server-cert.pem";
|
||||
WOLFSSL_CERT_MANAGER* cm;
|
||||
WOLFSSL_X509 *x509, *ca;
|
||||
|
||||
const unsigned char *der;
|
||||
const unsigned char *pt;
|
||||
WOLFSSL_EVP_PKEY *priv;
|
||||
WOLFSSL_X509_NAME* name;
|
||||
int derSz;
|
||||
|
||||
/* C=US*/
|
||||
char altName[] = {
|
||||
0x30, 0x0D, 0x31, 0x0B, 0x30, 0x09,
|
||||
0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53
|
||||
};
|
||||
|
||||
/* C=ID */
|
||||
char altNameFail[] = {
|
||||
0x30, 0x0D, 0x31, 0x0B, 0x30, 0x09,
|
||||
0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x49, 0x44
|
||||
};
|
||||
|
||||
/* load in CA private key for signing */
|
||||
pt = ca_key_der_2048;
|
||||
AssertNotNull(priv = wolfSSL_d2i_PrivateKey(EVP_PKEY_RSA, NULL, &pt,
|
||||
sizeof_ca_key_der_2048));
|
||||
|
||||
AssertNotNull(cm = wolfSSL_CertManagerNew());
|
||||
AssertNotNull(ca = wolfSSL_X509_load_certificate_file(ca_cert,
|
||||
WOLFSSL_FILETYPE_ASN1));
|
||||
AssertNotNull((der = wolfSSL_X509_get_der(ca, &derSz)));
|
||||
AssertIntEQ(wolfSSL_CertManagerLoadCABuffer(cm, der, derSz,
|
||||
WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS);
|
||||
|
||||
AssertNotNull(x509 = wolfSSL_X509_load_certificate_file(server_cert,
|
||||
WOLFSSL_FILETYPE_PEM));
|
||||
AssertNotNull(name = wolfSSL_X509_get_subject_name(ca));
|
||||
AssertIntEQ(wolfSSL_X509_set_issuer_name(x509, name), WOLFSSL_SUCCESS);
|
||||
wolfSSL_X509_sign(x509, priv, EVP_sha256());
|
||||
AssertNotNull((der = wolfSSL_X509_get_der(x509, &derSz)));
|
||||
AssertIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, der, derSz,
|
||||
WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS);
|
||||
|
||||
/* add in matching DIR alt name and resign */
|
||||
wolfSSL_X509_add_altname_ex(x509, altName, sizeof(altName), ASN_DIR_TYPE);
|
||||
wolfSSL_X509_sign(x509, priv, EVP_sha256());
|
||||
|
||||
AssertNotNull((der = wolfSSL_X509_get_der(x509, &derSz)));
|
||||
AssertIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, der, derSz,
|
||||
WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS);
|
||||
wolfSSL_X509_free(x509);
|
||||
|
||||
/* check verify fail */
|
||||
AssertNotNull(x509 = wolfSSL_X509_load_certificate_file(server_cert,
|
||||
WOLFSSL_FILETYPE_PEM));
|
||||
AssertNotNull(name = wolfSSL_X509_get_subject_name(ca));
|
||||
AssertIntEQ(wolfSSL_X509_set_issuer_name(x509, name), WOLFSSL_SUCCESS);
|
||||
|
||||
/* add in miss matching DIR alt name and resign */
|
||||
wolfSSL_X509_add_altname_ex(x509, altNameFail, sizeof(altNameFail),
|
||||
ASN_DIR_TYPE);
|
||||
|
||||
|
||||
wolfSSL_X509_sign(x509, priv, EVP_sha256());
|
||||
AssertNotNull((der = wolfSSL_X509_get_der(x509, &derSz)));
|
||||
AssertIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, der, derSz,
|
||||
WOLFSSL_FILETYPE_ASN1), ASN_NAME_INVALID_E);
|
||||
wolfSSL_CertManagerFree(cm);
|
||||
|
||||
wolfSSL_X509_free(x509);
|
||||
wolfSSL_X509_free(ca);
|
||||
wolfSSL_X509_MAME_free(name);
|
||||
wolfSSL_EVP_PKEY_free(priv);
|
||||
#endif
|
||||
}
|
||||
|
||||
static void test_wolfSSL_CertManagerCRL(void)
|
||||
{
|
||||
#if !defined(NO_FILESYSTEM) && !defined(NO_CERTS) && defined(HAVE_CRL) && \
|
||||
@ -39246,6 +39330,7 @@ void ApiTest(void)
|
||||
test_wolfSSL_CertManagerGetCerts();
|
||||
test_wolfSSL_CertManagerSetVerify();
|
||||
test_wolfSSL_CertManagerNameConstraint();
|
||||
test_wolfSSL_CertManagerNameConstraint2();
|
||||
test_wolfSSL_CertManagerCRL();
|
||||
test_wolfSSL_CTX_load_verify_locations_ex();
|
||||
test_wolfSSL_CTX_load_verify_buffer_ex();
|
||||
|
||||
@ -7799,6 +7799,11 @@ static int DecodeAltNames(const byte* input, int sz, DecodedCert* cert)
|
||||
WOLFSSL_MSG("\tfail: str length");
|
||||
return ASN_PARSE_E;
|
||||
}
|
||||
|
||||
if (GetSequence(input, &idx, &strLen, sz) < 0) {
|
||||
WOLFSSL_MSG("\tfail: seq length");
|
||||
return ASN_PARSE_E;
|
||||
}
|
||||
length -= (idx - lenStartIdx);
|
||||
|
||||
dirEntry = (DNS_entry*)XMALLOC(sizeof(DNS_entry), cert->heap,
|
||||
@ -12717,7 +12722,11 @@ int FlattenAltNames(byte* output, word32 outputSz, const DNS_entry* names)
|
||||
|
||||
curName = names;
|
||||
do {
|
||||
output[idx++] = ASN_CONTEXT_SPECIFIC | curName->type;
|
||||
output[idx] = ASN_CONTEXT_SPECIFIC | curName->type;
|
||||
if (curName->type == ASN_DIR_TYPE) {
|
||||
output[idx] |= ASN_CONSTRUCTED;
|
||||
}
|
||||
idx++;
|
||||
idx += SetLength(curName->len, output + idx);
|
||||
XMEMCPY(output + idx, curName->name, curName->len);
|
||||
idx += curName->len;
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user