0.79.14-6
- Certificate format validation when adding the SCEP server's CA (#1492112) - Replace some SHA1 usages with SHA256 in the unit tests needed becaus of OpenSSL 3 update Resolves: #1492112
This commit is contained in:
Rob Crittenden
parent
ea4ff2c97f
commit
010cc6087f
|
|
@ -0,0 +1,702 @@
|
|||
From f636d0f64fbcb978b06afe9f9576678afcee01c0 Mon Sep 17 00:00:00 2001
|
||||
From: Rob Crittenden <rcritten@redhat.com>
|
||||
Date: Thu, 4 Nov 2021 13:51:31 -0400
|
||||
Subject: [PATCH] Add a PEM validity checker and validate SCEP CA files
|
||||
|
||||
If a non-PEM file was passed into add-scep-ca it would
|
||||
accept it without question but later fail with:
|
||||
|
||||
status: CA_UNREACHABLE
|
||||
ca-error: Error: failed to verify signature on server response.
|
||||
|
||||
Try to do basic validation of user-provided PEM files by:
|
||||
|
||||
- stripping BEGIN/END headers
|
||||
- removing newlines and carriage returns
|
||||
- using OpenSSL EVP library to base64 decode the block
|
||||
|
||||
This isn't fool-proof but it at least does some basic
|
||||
sanity checking to ensure the file(s) exist and appear
|
||||
to be PEM files.
|
||||
|
||||
The unit tests use some Let's Encrypt CA certificates.
|
||||
|
||||
https://bugzilla.redhat.com/show_bug.cgi?id=1492112
|
||||
|
||||
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
|
||||
---
|
||||
src/Makefile.am | 2 +-
|
||||
src/getcert-add-scep-ca.1.in | 2 +
|
||||
src/getcert.c | 39 ++++-
|
||||
src/util-o.c | 144 ++++++++++++++++++
|
||||
src/util-o.h | 7 +
|
||||
tests/040-pem/bad.empty | 0
|
||||
.../bad.isrg-root-x1-cross-signed.der.b64 | 25 +++
|
||||
tests/040-pem/expected.out | 7 +
|
||||
.../good.isrg-root-x1-cross-signed.pem | 31 ++++
|
||||
.../good.isrg-root-x1-cross-signed_cr.pem | 31 ++++
|
||||
tests/040-pem/good.lets_encrypt_chain.pem | 93 +++++++++++
|
||||
tests/040-pem/run.sh | 21 +++
|
||||
tests/Makefile.am | 8 +-
|
||||
tests/tools/Makefile.am | 3 +-
|
||||
tests/tools/pem.c | 69 +++++++++
|
||||
15 files changed, 474 insertions(+), 8 deletions(-)
|
||||
create mode 100644 tests/040-pem/bad.empty
|
||||
create mode 100644 tests/040-pem/bad.isrg-root-x1-cross-signed.der.b64
|
||||
create mode 100644 tests/040-pem/expected.out
|
||||
create mode 100644 tests/040-pem/good.isrg-root-x1-cross-signed.pem
|
||||
create mode 100644 tests/040-pem/good.isrg-root-x1-cross-signed_cr.pem
|
||||
create mode 100644 tests/040-pem/good.lets_encrypt_chain.pem
|
||||
create mode 100755 tests/040-pem/run.sh
|
||||
create mode 100644 tests/tools/pem.c
|
||||
|
||||
diff --git a/src/Makefile.am b/src/Makefile.am
|
||||
index 53571c5..d8e0a2e 100644
|
||||
--- a/src/Makefile.am
|
||||
+++ b/src/Makefile.am
|
||||
@@ -155,7 +155,7 @@ pkglibexecdir = $(libexecdir)/$(PACKAGE)
|
||||
getcert_CFLAGS = $(AM_CFLAGS) $(NSS_CFLAGS) $(UUID_CFLAGS)
|
||||
getcert_SOURCES = getcert.c tm.c tm.h
|
||||
getcert_LDADD = libcm.a $(GETCERT_LIBS) $(KRB5_LIBS) $(NSS_LIBS) $(UUID_LIBS) \
|
||||
- $(POPT_LIBS) $(LTLIBICONV) $(LDAP_LIBS)
|
||||
+ $(POPT_LIBS) $(LTLIBICONV) $(LDAP_LIBS) $(OPENSSL_LIBS)
|
||||
if WITH_IPA
|
||||
bin_PROGRAMS += ipa-getcert
|
||||
ipa_getcert_CFLAGS = $(getcert_CFLAGS)
|
||||
diff --git a/src/getcert-add-scep-ca.1.in b/src/getcert-add-scep-ca.1.in
|
||||
index c2751ed..901791e 100644
|
||||
--- a/src/getcert-add-scep-ca.1.in
|
||||
+++ b/src/getcert-add-scep-ca.1.in
|
||||
@@ -14,6 +14,8 @@ helper. The \fIadd\-scep\-ca\fR command is more or less a wrapper for the
|
||||
|
||||
.SH OPTIONS
|
||||
.TP
|
||||
+All user\-provided certificate files must be in PEM format.
|
||||
+.TP
|
||||
\fB\-c\fR \fINAME\fR, \fB\-\-ca\fR=\fINAME\fR
|
||||
The nickname to give to this CA configuration. This same value can later be
|
||||
passed in to \fIgetcert\fR's \fIrequest\fR, \fIresubmit\fR, and
|
||||
diff --git a/src/getcert.c b/src/getcert.c
|
||||
index 4afafcb..ddcb739 100644
|
||||
--- a/src/getcert.c
|
||||
+++ b/src/getcert.c
|
||||
@@ -49,6 +49,7 @@
|
||||
#include "submit-u.h"
|
||||
#include "tdbus.h"
|
||||
#include "tdbusm.h"
|
||||
+#include "util-o.h"
|
||||
|
||||
#ifdef ENABLE_NLS
|
||||
#include <libintl.h>
|
||||
@@ -4544,15 +4545,16 @@ add_scep_ca(const char *argv0, int argc, const char **argv)
|
||||
int c, prefer_non_renewal = 0, verbose = 0;
|
||||
dbus_bool_t b;
|
||||
static DBusMessage *req, *rep;
|
||||
+ const char *poptarg;
|
||||
poptContext pctx;
|
||||
struct poptOption popts[] = {
|
||||
{"ca", 'c', POPT_ARG_STRING, &caname, 0, _("nickname to give to the new CA configuration"), HELP_TYPE_NAME},
|
||||
{"url", 'u', POPT_ARG_STRING, &url, 0, _("location of SCEP server"), HELP_TYPE_URL},
|
||||
{"id", 'i', POPT_ARG_STRING, &id, 0, _("CA identifier"), HELP_TYPE_ID},
|
||||
- {"ca-cert", 'R', POPT_ARG_STRING, &root, 0, _("file containing CA's certificate"), HELP_TYPE_FILENAME},
|
||||
- {"ra-cert", 'r', POPT_ARG_STRING, &racert, 0, _("file containing RA's certificate"), HELP_TYPE_FILENAME},
|
||||
- {"other-certs", 'I', POPT_ARG_STRING, &certs, 0, _("file containing certificates in RA's certifying chain"), HELP_TYPE_FILENAME},
|
||||
- {"signingca", 'N', POPT_ARG_STRING, &signingca, 0, _("the CA certificate which signed the RA certificate"), HELP_TYPE_FILENAME},
|
||||
+ {"ca-cert", 'R', POPT_ARG_STRING, NULL, 'R', _("file containing CA's certificate"), HELP_TYPE_FILENAME},
|
||||
+ {"ra-cert", 'r', POPT_ARG_STRING, NULL, 'r', _("file containing RA's certificate"), HELP_TYPE_FILENAME},
|
||||
+ {"other-certs", 'I', POPT_ARG_STRING, NULL, 'I', _("file containing certificates in RA's certifying chain"), HELP_TYPE_FILENAME},
|
||||
+ {"signingca", 'N', POPT_ARG_STRING, NULL, 'N', _("the CA certificate which signed the RA certificate"), HELP_TYPE_FILENAME},
|
||||
{"non-renewal", 'n', POPT_ARG_NONE, &prefer_non_renewal, 0, _("prefer to not use the SCEP Renewal feature"), NULL},
|
||||
{"session", 's', POPT_ARG_NONE, NULL, 's', _("connect to the certmonger service on the session bus"), NULL},
|
||||
{"system", 'S', POPT_ARG_NONE, NULL, 'S', _("connect to the certmonger service on the system bus"), NULL},
|
||||
@@ -4572,6 +4574,7 @@ add_scep_ca(const char *argv0, int argc, const char **argv)
|
||||
return 1;
|
||||
}
|
||||
while ((c = poptGetNextOpt(pctx)) > 0) {
|
||||
+ poptarg = poptGetOptArg(pctx);
|
||||
switch (c) {
|
||||
case 's':
|
||||
bus = cm_tdbus_session;
|
||||
@@ -4586,6 +4589,34 @@ add_scep_ca(const char *argv0, int argc, const char **argv)
|
||||
poptPrintHelp(pctx, stdout, 0);
|
||||
return 1;
|
||||
break;
|
||||
+ case 'R':
|
||||
+ if (validate_pem(globals.tctx, poptarg) != 0) {
|
||||
+ printf("The root certificate(s) in %s is not valid PEM\n", poptarg);
|
||||
+ return 1;
|
||||
+ }
|
||||
+ root = talloc_strdup(globals.tctx, poptarg);
|
||||
+ break;
|
||||
+ case 'r':
|
||||
+ if (validate_pem(globals.tctx, poptarg) != 0) {
|
||||
+ printf("The RA certificate(s) in %s is not valid PEM\n", poptarg);
|
||||
+ return 1;
|
||||
+ }
|
||||
+ racert = talloc_strdup(globals.tctx, poptarg);
|
||||
+ break;
|
||||
+ case 'I':
|
||||
+ if (validate_pem(globals.tctx, poptarg) != 0) {
|
||||
+ printf("The certificate(s) in %s is not valid PEM\n", poptarg);
|
||||
+ return 1;
|
||||
+ }
|
||||
+ certs = talloc_strdup(globals.tctx, poptarg);
|
||||
+ break;
|
||||
+ case 'N':
|
||||
+ if (validate_pem(globals.tctx, poptarg) != 0) {
|
||||
+ printf("The certificate(s) in %s is not valid PEM\n", poptarg);
|
||||
+ return 1;
|
||||
+ }
|
||||
+ signingca = talloc_strdup(globals.tctx, poptarg);
|
||||
+ break;
|
||||
}
|
||||
}
|
||||
if (c != -1) {
|
||||
diff --git a/src/util-o.c b/src/util-o.c
|
||||
index db45964..c05872c 100644
|
||||
--- a/src/util-o.c
|
||||
+++ b/src/util-o.c
|
||||
@@ -598,3 +598,147 @@ util_private_EVP_PKEY_dup(EVP_PKEY *pkey)
|
||||
{
|
||||
return util_EVP_PKEY_dup(pkey, i2d_PrivateKey, d2i_PrivateKey);
|
||||
}
|
||||
+
|
||||
+static unsigned char *
|
||||
+decode_base64(const unsigned char *input, int length, int *outlength) {
|
||||
+ int expected_len;
|
||||
+ unsigned char *output;
|
||||
+ int output_len;
|
||||
+
|
||||
+ expected_len = 3 * length / 4;
|
||||
+ output = calloc(expected_len + 1, 1);
|
||||
+ output_len = EVP_DecodeBlock(output, input, length);
|
||||
+
|
||||
+ if (output_len < 0) {
|
||||
+ *outlength = -1;
|
||||
+ free(output);
|
||||
+ return NULL;
|
||||
+ }
|
||||
+ if (output_len % 3 != 0) {
|
||||
+ *outlength = -1;
|
||||
+ free(output);
|
||||
+ return NULL;
|
||||
+ }
|
||||
+ if (expected_len != output_len) {
|
||||
+ *outlength = -1;
|
||||
+ free(output);
|
||||
+ return NULL;
|
||||
+ }
|
||||
+ *outlength = output_len;
|
||||
+ return output;
|
||||
+}
|
||||
+
|
||||
+int
|
||||
+validate_pem(void *parent, const char *path)
|
||||
+{
|
||||
+ char *p;
|
||||
+ char *s = NULL, *sp, *sq;
|
||||
+ int ret = 0;
|
||||
+ FILE *fp;
|
||||
+ struct stat st;
|
||||
+ char *tmp1 = NULL;
|
||||
+ unsigned char *tmp2 = NULL;
|
||||
+ char *buffer;
|
||||
+ int n, i, length;
|
||||
+ int found = 0;
|
||||
+
|
||||
+ fp = fopen(path, "r");
|
||||
+ if (fp == NULL) {
|
||||
+ printf("Unable to open %s for reading: %s\n",
|
||||
+ path, strerror(errno));
|
||||
+ return -1;
|
||||
+ }
|
||||
+ if (fstat(fileno(fp), &st) == -1) {
|
||||
+ printf("Error opening %s for reading: %s\n",
|
||||
+ path, strerror(errno));
|
||||
+ fclose(fp);
|
||||
+ return -1;
|
||||
+ }
|
||||
+ if (st.st_size == 0) {
|
||||
+ printf("%s is an empty file.\n", path);
|
||||
+ fclose(fp);
|
||||
+ return -1;
|
||||
+ }
|
||||
+
|
||||
+ buffer = malloc(st.st_size + 1);
|
||||
+ if (buffer == NULL) {
|
||||
+ printf("Error allocating memory.\n");
|
||||
+ fclose(fp);
|
||||
+ return -1;
|
||||
+ }
|
||||
+
|
||||
+ n = 0;
|
||||
+ while (n < st.st_size) {
|
||||
+ i = fread(buffer + n, 1, st.st_size - n, fp);
|
||||
+ if (i <= 0) {
|
||||
+ printf("Error reading %s: %s.\n",
|
||||
+ path, strerror(errno));
|
||||
+ fclose(fp);
|
||||
+ ret = -1;
|
||||
+ goto done;
|
||||
+ }
|
||||
+ n += i;
|
||||
+ }
|
||||
+ fclose(fp);
|
||||
+ buffer[st.st_size] = '\0';
|
||||
+ length = st.st_size;
|
||||
+ s = malloc(length + 1);
|
||||
+ if (s == NULL) {
|
||||
+ printf("Error allocating memory.\n");
|
||||
+ ret = -1;
|
||||
+ goto done;
|
||||
+ }
|
||||
+ memcpy(s, buffer, length);
|
||||
+ s[length] = '\0';
|
||||
+ sp = s;
|
||||
+ tmp1 = NULL;
|
||||
+ tmp2 = NULL;
|
||||
+ while ((sp = strstr(sp, "-----BEGIN")) != NULL) {
|
||||
+ sq = strstr(sp, "-----END");
|
||||
+ if (sq != NULL) {
|
||||
+ found++;
|
||||
+ sq += strcspn(sq, "\r\n");
|
||||
+ sq += strspn(sq, "\r\n");
|
||||
+
|
||||
+ /* Strip down to pure base64 so no headers, new lines or cr */
|
||||
+ tmp1 = strndup(sp, sq - sp);
|
||||
+ p = strstr(tmp1, "-----BEGIN");
|
||||
+ if (p != NULL) {
|
||||
+ p += strcspn(p, "\n");
|
||||
+ if (*p == '\n') {
|
||||
+ p++;
|
||||
+ }
|
||||
+ memmove(tmp1, p, strlen(p) + 1);
|
||||
+ }
|
||||
+ p = strstr(tmp1, "\n-----END");
|
||||
+ if (p != NULL) {
|
||||
+ *p = '\0';
|
||||
+ }
|
||||
+ while ((p = strchr(tmp1, '\r')) != NULL) {
|
||||
+ memmove(p, p + 1, strlen(p));
|
||||
+ }
|
||||
+ while ((p = strchr(tmp1, '\n')) != NULL) {
|
||||
+ memmove(p, p + 1, strlen(p));
|
||||
+ }
|
||||
+ length = 0;
|
||||
+ tmp2 = decode_base64((unsigned char *)tmp1, strlen(tmp1), &length);
|
||||
+ if (length < 0) {
|
||||
+ ret = -1;
|
||||
+ goto done;
|
||||
+ }
|
||||
+ sp = sq;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ if (found == 0) {
|
||||
+ ret = -1;
|
||||
+ }
|
||||
+
|
||||
+done:
|
||||
+ free(buffer);
|
||||
+ free(s);
|
||||
+ free(tmp1);
|
||||
+ free(tmp2);
|
||||
+
|
||||
+ return ret;
|
||||
+}
|
||||
diff --git a/src/util-o.h b/src/util-o.h
|
||||
index 916777b..8550e07 100644
|
||||
--- a/src/util-o.h
|
||||
+++ b/src/util-o.h
|
||||
@@ -16,6 +16,12 @@
|
||||
*/
|
||||
|
||||
#ifndef utilo_h
|
||||
+#include <openssl/err.h>
|
||||
+#include <openssl/evp.h>
|
||||
+#include <openssl/objects.h>
|
||||
+#include <openssl/x509.h>
|
||||
+#include <openssl/x509v3.h>
|
||||
+
|
||||
#define utilo_h
|
||||
|
||||
struct cm_store_entry;
|
||||
@@ -71,5 +77,6 @@ int util_X509_set1_version(X509 *x, ASN1_INTEGER *version);
|
||||
void util_NETSCAPE_SPKI_set_sig_alg(NETSCAPE_SPKI *spki, const X509_ALGOR *sig_alg);
|
||||
EVP_PKEY *util_public_EVP_PKEY_dup(EVP_PKEY *pkey);
|
||||
EVP_PKEY *util_private_EVP_PKEY_dup(EVP_PKEY *pkey);
|
||||
+int validate_pem(void *parent, const char *path);
|
||||
|
||||
#endif
|
||||
diff --git a/tests/040-pem/bad.empty b/tests/040-pem/bad.empty
|
||||
new file mode 100644
|
||||
index 0000000..e69de29
|
||||
diff --git a/tests/040-pem/bad.isrg-root-x1-cross-signed.der.b64 b/tests/040-pem/bad.isrg-root-x1-cross-signed.der.b64
|
||||
new file mode 100644
|
||||
index 0000000..f9d7e5b
|
||||
--- /dev/null
|
||||
+++ b/tests/040-pem/bad.isrg-root-x1-cross-signed.der.b64
|
||||
@@ -0,0 +1,25 @@
|
||||
+MIIFYDCCBEigAwIBAgIQQAF3ITfU6UK47naqPGQKtzANBgkqhkiG9w0BAQsFADA/MSQwIgYDVQQK
|
||||
+ExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMTDkRTVCBSb290IENBIFgzMB4X
|
||||
+DTIxMDEyMDE5MTQwM1oXDTI0MDkzMDE4MTQwM1owTzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIElu
|
||||
+dGVybmV0IFNlY3VyaXR5IFJlc2VhcmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwggIi
|
||||
+MA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCt6CRz9BQ385ueK1coHIe+3LffOJCMbjzmV6B4
|
||||
+93XCov71am72AE8o295ohmxEk7axY/0UEmu/H9LqMZshftEzPLpI9d1537O4/xLxIZpLwYqGcWlK
|
||||
+ZmZsj348cL+tKSIG8+TA5oCu4kuPt5l+lAOf00eXfJlII1PoOK5PCm+DLtFJV4yAdLbaL9A4jXsD
|
||||
+cCEbdfIwPPqPrt3aY6vrFk/CjhFLfs8L6P+1dy70sntK4EwSJQxwjQMpoOFTJOwT2e4ZvxCzSow/
|
||||
+iaNhUd6shweU9GNx7C7ib1uYgeGJXDR5bHbvO5BieebbpJovJsXQEOEO3tkQjhb7t/eo98flAgeY
|
||||
+jzYIlefiN5YNNnWe+w5ysR2bvAP5SQXYgd0FtCrWQemsAXaVCg/Y39W9Eh81LygXbNKYwagJZHdu
|
||||
+Rze6zqxZXmidf3LWicUGQSk+WT7dJvUkyRGnWqNMQB9GoZm1pzpRboY7nn1ypxIFeFntPlF4FQsD
|
||||
+j43QLwWyPntKHEtzBRL8xurgUBN8Q5N0s8p0544fAQjQMNRbcTa0B7rBMDBcSLeCO5imfWCKoqMp
|
||||
+gsy6vYMEG6KDA0Gh1gXxG8K28Kh8hjtGqEgqiNx2mna/H2qlPRmP6zjzZN7IKw0KKP/32+IVQtQi
|
||||
+0Cdd4Xn+GOdwiK1O5tmLOsbdJ1Fu/7xk9TNDTwIDAQABo4IBRjCCAUIwDwYDVR0TAQH/BAUwAwEB
|
||||
+/zAOBgNVHQ8BAf8EBAMCAQYwSwYIKwYBBQUHAQEEPzA9MDsGCCsGAQUFBzAChi9odHRwOi8vYXBw
|
||||
+cy5pZGVudHJ1c3QuY29tL3Jvb3RzL2RzdHJvb3RjYXgzLnA3YzAfBgNVHSMEGDAWgBTEp7Gkeyxx
|
||||
++tvhS5B1/8QVYIWJEDBUBgNVHSAETTBLMAgGBmeBDAECATA/BgsrBgEEAYLfEwEBATAwMC4GCCsG
|
||||
+AQUFBwIBFiJodHRwOi8vY3BzLnJvb3QteDEubGV0c2VuY3J5cHQub3JnMDwGA1UdHwQ1MDMwMaAv
|
||||
+oC2GK2h0dHA6Ly9jcmwuaWRlbnRydXN0LmNvbS9EU1RST09UQ0FYM0NSTC5jcmwwHQYDVR0OBBYE
|
||||
+FHm0WeZ7tuXkAXOACIjIGlj26ZtuMA0GCSqGSIb3DQEBCwUAA4IBAQAKcwBslm7/DlLQrt2M51oG
|
||||
+rS+o44+/yQoDFVDC5WxCu2+b9LRPwkSICHXM6webFGJueN7sJ7o5XPWioW5WlHAQU7G75K/QosMr
|
||||
+AdSW9MUgNTP52GE24HGNtLi1qoJFlcDyqSMo59ahy2cI2qBDLKobkx/J3vWraV0T9VuGWCLKTVXk
|
||||
+cGdtwlfFRjlBz4pYg1htmf5X6DYO8A4jqv2Il9DjXA6USbW1FzXSLr9Ohe8Y4IWS6wY7bCkjCWDc
|
||||
+RQJMEhg76fsO3txE+FiYruq9RUWhiF1myv4Q6W+CyBFCDfvp7OOGAN6dEOM4+qR9sdjoSYKEBpsr
|
||||
+6GtPAQw4dy753ec5
|
||||
diff --git a/tests/040-pem/expected.out b/tests/040-pem/expected.out
|
||||
new file mode 100644
|
||||
index 0000000..0459fd2
|
||||
--- /dev/null
|
||||
+++ b/tests/040-pem/expected.out
|
||||
@@ -0,0 +1,7 @@
|
||||
+OK
|
||||
+OK
|
||||
+OK
|
||||
+got expected error with bad.empty
|
||||
+got expected error with bad.isrg-root-x1-cross-signed.der
|
||||
+got expected error with bad.notfound
|
||||
+OK
|
||||
diff --git a/tests/040-pem/good.isrg-root-x1-cross-signed.pem b/tests/040-pem/good.isrg-root-x1-cross-signed.pem
|
||||
new file mode 100644
|
||||
index 0000000..239794a
|
||||
--- /dev/null
|
||||
+++ b/tests/040-pem/good.isrg-root-x1-cross-signed.pem
|
||||
@@ -0,0 +1,31 @@
|
||||
+-----BEGIN CERTIFICATE-----
|
||||
+MIIFYDCCBEigAwIBAgIQQAF3ITfU6UK47naqPGQKtzANBgkqhkiG9w0BAQsFADA/
|
||||
+MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
|
||||
+DkRTVCBSb290IENBIFgzMB4XDTIxMDEyMDE5MTQwM1oXDTI0MDkzMDE4MTQwM1ow
|
||||
+TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
|
||||
+cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwggIiMA0GCSqGSIb3DQEB
|
||||
+AQUAA4ICDwAwggIKAoICAQCt6CRz9BQ385ueK1coHIe+3LffOJCMbjzmV6B493XC
|
||||
+ov71am72AE8o295ohmxEk7axY/0UEmu/H9LqMZshftEzPLpI9d1537O4/xLxIZpL
|
||||
+wYqGcWlKZmZsj348cL+tKSIG8+TA5oCu4kuPt5l+lAOf00eXfJlII1PoOK5PCm+D
|
||||
+LtFJV4yAdLbaL9A4jXsDcCEbdfIwPPqPrt3aY6vrFk/CjhFLfs8L6P+1dy70sntK
|
||||
+4EwSJQxwjQMpoOFTJOwT2e4ZvxCzSow/iaNhUd6shweU9GNx7C7ib1uYgeGJXDR5
|
||||
+bHbvO5BieebbpJovJsXQEOEO3tkQjhb7t/eo98flAgeYjzYIlefiN5YNNnWe+w5y
|
||||
+sR2bvAP5SQXYgd0FtCrWQemsAXaVCg/Y39W9Eh81LygXbNKYwagJZHduRze6zqxZ
|
||||
+Xmidf3LWicUGQSk+WT7dJvUkyRGnWqNMQB9GoZm1pzpRboY7nn1ypxIFeFntPlF4
|
||||
+FQsDj43QLwWyPntKHEtzBRL8xurgUBN8Q5N0s8p0544fAQjQMNRbcTa0B7rBMDBc
|
||||
+SLeCO5imfWCKoqMpgsy6vYMEG6KDA0Gh1gXxG8K28Kh8hjtGqEgqiNx2mna/H2ql
|
||||
+PRmP6zjzZN7IKw0KKP/32+IVQtQi0Cdd4Xn+GOdwiK1O5tmLOsbdJ1Fu/7xk9TND
|
||||
+TwIDAQABo4IBRjCCAUIwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYw
|
||||
+SwYIKwYBBQUHAQEEPzA9MDsGCCsGAQUFBzAChi9odHRwOi8vYXBwcy5pZGVudHJ1
|
||||
+c3QuY29tL3Jvb3RzL2RzdHJvb3RjYXgzLnA3YzAfBgNVHSMEGDAWgBTEp7Gkeyxx
|
||||
++tvhS5B1/8QVYIWJEDBUBgNVHSAETTBLMAgGBmeBDAECATA/BgsrBgEEAYLfEwEB
|
||||
+ATAwMC4GCCsGAQUFBwIBFiJodHRwOi8vY3BzLnJvb3QteDEubGV0c2VuY3J5cHQu
|
||||
+b3JnMDwGA1UdHwQ1MDMwMaAvoC2GK2h0dHA6Ly9jcmwuaWRlbnRydXN0LmNvbS9E
|
||||
+U1RST09UQ0FYM0NSTC5jcmwwHQYDVR0OBBYEFHm0WeZ7tuXkAXOACIjIGlj26Ztu
|
||||
+MA0GCSqGSIb3DQEBCwUAA4IBAQAKcwBslm7/DlLQrt2M51oGrS+o44+/yQoDFVDC
|
||||
+5WxCu2+b9LRPwkSICHXM6webFGJueN7sJ7o5XPWioW5WlHAQU7G75K/QosMrAdSW
|
||||
+9MUgNTP52GE24HGNtLi1qoJFlcDyqSMo59ahy2cI2qBDLKobkx/J3vWraV0T9VuG
|
||||
+WCLKTVXkcGdtwlfFRjlBz4pYg1htmf5X6DYO8A4jqv2Il9DjXA6USbW1FzXSLr9O
|
||||
+he8Y4IWS6wY7bCkjCWDcRQJMEhg76fsO3txE+FiYruq9RUWhiF1myv4Q6W+CyBFC
|
||||
+Dfvp7OOGAN6dEOM4+qR9sdjoSYKEBpsr6GtPAQw4dy753ec5
|
||||
+-----END CERTIFICATE-----
|
||||
diff --git a/tests/040-pem/good.isrg-root-x1-cross-signed_cr.pem b/tests/040-pem/good.isrg-root-x1-cross-signed_cr.pem
|
||||
new file mode 100644
|
||||
index 0000000..239794a
|
||||
--- /dev/null
|
||||
+++ b/tests/040-pem/good.isrg-root-x1-cross-signed_cr.pem
|
||||
@@ -0,0 +1,31 @@
|
||||
+-----BEGIN CERTIFICATE-----
|
||||
+MIIFYDCCBEigAwIBAgIQQAF3ITfU6UK47naqPGQKtzANBgkqhkiG9w0BAQsFADA/
|
||||
+MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
|
||||
+DkRTVCBSb290IENBIFgzMB4XDTIxMDEyMDE5MTQwM1oXDTI0MDkzMDE4MTQwM1ow
|
||||
+TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
|
||||
+cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwggIiMA0GCSqGSIb3DQEB
|
||||
+AQUAA4ICDwAwggIKAoICAQCt6CRz9BQ385ueK1coHIe+3LffOJCMbjzmV6B493XC
|
||||
+ov71am72AE8o295ohmxEk7axY/0UEmu/H9LqMZshftEzPLpI9d1537O4/xLxIZpL
|
||||
+wYqGcWlKZmZsj348cL+tKSIG8+TA5oCu4kuPt5l+lAOf00eXfJlII1PoOK5PCm+D
|
||||
+LtFJV4yAdLbaL9A4jXsDcCEbdfIwPPqPrt3aY6vrFk/CjhFLfs8L6P+1dy70sntK
|
||||
+4EwSJQxwjQMpoOFTJOwT2e4ZvxCzSow/iaNhUd6shweU9GNx7C7ib1uYgeGJXDR5
|
||||
+bHbvO5BieebbpJovJsXQEOEO3tkQjhb7t/eo98flAgeYjzYIlefiN5YNNnWe+w5y
|
||||
+sR2bvAP5SQXYgd0FtCrWQemsAXaVCg/Y39W9Eh81LygXbNKYwagJZHduRze6zqxZ
|
||||
+Xmidf3LWicUGQSk+WT7dJvUkyRGnWqNMQB9GoZm1pzpRboY7nn1ypxIFeFntPlF4
|
||||
+FQsDj43QLwWyPntKHEtzBRL8xurgUBN8Q5N0s8p0544fAQjQMNRbcTa0B7rBMDBc
|
||||
+SLeCO5imfWCKoqMpgsy6vYMEG6KDA0Gh1gXxG8K28Kh8hjtGqEgqiNx2mna/H2ql
|
||||
+PRmP6zjzZN7IKw0KKP/32+IVQtQi0Cdd4Xn+GOdwiK1O5tmLOsbdJ1Fu/7xk9TND
|
||||
+TwIDAQABo4IBRjCCAUIwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYw
|
||||
+SwYIKwYBBQUHAQEEPzA9MDsGCCsGAQUFBzAChi9odHRwOi8vYXBwcy5pZGVudHJ1
|
||||
+c3QuY29tL3Jvb3RzL2RzdHJvb3RjYXgzLnA3YzAfBgNVHSMEGDAWgBTEp7Gkeyxx
|
||||
++tvhS5B1/8QVYIWJEDBUBgNVHSAETTBLMAgGBmeBDAECATA/BgsrBgEEAYLfEwEB
|
||||
+ATAwMC4GCCsGAQUFBwIBFiJodHRwOi8vY3BzLnJvb3QteDEubGV0c2VuY3J5cHQu
|
||||
+b3JnMDwGA1UdHwQ1MDMwMaAvoC2GK2h0dHA6Ly9jcmwuaWRlbnRydXN0LmNvbS9E
|
||||
+U1RST09UQ0FYM0NSTC5jcmwwHQYDVR0OBBYEFHm0WeZ7tuXkAXOACIjIGlj26Ztu
|
||||
+MA0GCSqGSIb3DQEBCwUAA4IBAQAKcwBslm7/DlLQrt2M51oGrS+o44+/yQoDFVDC
|
||||
+5WxCu2+b9LRPwkSICHXM6webFGJueN7sJ7o5XPWioW5WlHAQU7G75K/QosMrAdSW
|
||||
+9MUgNTP52GE24HGNtLi1qoJFlcDyqSMo59ahy2cI2qBDLKobkx/J3vWraV0T9VuG
|
||||
+WCLKTVXkcGdtwlfFRjlBz4pYg1htmf5X6DYO8A4jqv2Il9DjXA6USbW1FzXSLr9O
|
||||
+he8Y4IWS6wY7bCkjCWDcRQJMEhg76fsO3txE+FiYruq9RUWhiF1myv4Q6W+CyBFC
|
||||
+Dfvp7OOGAN6dEOM4+qR9sdjoSYKEBpsr6GtPAQw4dy753ec5
|
||||
+-----END CERTIFICATE-----
|
||||
diff --git a/tests/040-pem/good.lets_encrypt_chain.pem b/tests/040-pem/good.lets_encrypt_chain.pem
|
||||
new file mode 100644
|
||||
index 0000000..29a16ff
|
||||
--- /dev/null
|
||||
+++ b/tests/040-pem/good.lets_encrypt_chain.pem
|
||||
@@ -0,0 +1,93 @@
|
||||
+-----BEGIN CERTIFICATE-----
|
||||
+MIIFjTCCA3WgAwIBAgIRANOxciY0IzLc9AUoUSrsnGowDQYJKoZIhvcNAQELBQAw
|
||||
+TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
|
||||
+cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMTYxMDA2MTU0MzU1
|
||||
+WhcNMjExMDA2MTU0MzU1WjBKMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNTGV0J3Mg
|
||||
+RW5jcnlwdDEjMCEGA1UEAxMaTGV0J3MgRW5jcnlwdCBBdXRob3JpdHkgWDMwggEi
|
||||
+MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCc0wzwWuUuR7dyXTeDs2hjMOrX
|
||||
+NSYZJeG9vjXxcJIvt7hLQQWrqZ41CFjssSrEaIcLo+N15Obzp2JxunmBYB/XkZqf
|
||||
+89B4Z3HIaQ6Vkc/+5pnpYDxIzH7KTXcSJJ1HG1rrueweNwAcnKx7pwXqzkrrvUHl
|
||||
+Npi5y/1tPJZo3yMqQpAMhnRnyH+lmrhSYRQTP2XpgofL2/oOVvaGifOFP5eGr7Dc
|
||||
+Gu9rDZUWfcQroGWymQQ2dYBrrErzG5BJeC+ilk8qICUpBMZ0wNAxzY8xOJUWuqgz
|
||||
+uEPxsR/DMH+ieTETPS02+OP88jNquTkxxa/EjQ0dZBYzqvqEKbbUC8DYfcOTAgMB
|
||||
+AAGjggFnMIIBYzAOBgNVHQ8BAf8EBAMCAYYwEgYDVR0TAQH/BAgwBgEB/wIBADBU
|
||||
+BgNVHSAETTBLMAgGBmeBDAECATA/BgsrBgEEAYLfEwEBATAwMC4GCCsGAQUFBwIB
|
||||
+FiJodHRwOi8vY3BzLnJvb3QteDEubGV0c2VuY3J5cHQub3JnMB0GA1UdDgQWBBSo
|
||||
+SmpjBH3duubRObemRWXv86jsoTAzBgNVHR8ELDAqMCigJqAkhiJodHRwOi8vY3Js
|
||||
+LnJvb3QteDEubGV0c2VuY3J5cHQub3JnMHIGCCsGAQUFBwEBBGYwZDAwBggrBgEF
|
||||
+BQcwAYYkaHR0cDovL29jc3Aucm9vdC14MS5sZXRzZW5jcnlwdC5vcmcvMDAGCCsG
|
||||
+AQUFBzAChiRodHRwOi8vY2VydC5yb290LXgxLmxldHNlbmNyeXB0Lm9yZy8wHwYD
|
||||
+VR0jBBgwFoAUebRZ5nu25eQBc4AIiMgaWPbpm24wDQYJKoZIhvcNAQELBQADggIB
|
||||
+ABnPdSA0LTqmRf/Q1eaM2jLonG4bQdEnqOJQ8nCqxOeTRrToEKtwT++36gTSlBGx
|
||||
+A/5dut82jJQ2jxN8RI8L9QFXrWi4xXnA2EqA10yjHiR6H9cj6MFiOnb5In1eWsRM
|
||||
+UM2v3e9tNsCAgBukPHAg1lQh07rvFKm/Bz9BCjaxorALINUfZ9DD64j2igLIxle2
|
||||
+DPxW8dI/F2loHMjXZjqG8RkqZUdoxtID5+90FgsGIfkMpqgRS05f4zPbCEHqCXl1
|
||||
+eO5HyELTgcVlLXXQDgAWnRzut1hFJeczY1tjQQno6f6s+nMydLN26WuU4s3UYvOu
|
||||
+OsUxRlJu7TSRHqDC3lSE5XggVkzdaPkuKGQbGpny+01/47hfXXNB7HntWNZ6N2Vw
|
||||
+p7G6OfY+YQrZwIaQmhrIqJZuigsrbe3W+gdn5ykE9+Ky0VgVUsfxo52mwFYs1JKY
|
||||
+2PGDuWx8M6DlS6qQkvHaRUo0FMd8TsSlbF0/v965qGFKhSDeQoMpYnwcmQilRh/0
|
||||
+ayLThlHLN81gSkJjVrPI0Y8xCVPB4twb1PFUd2fPM3sA1tJ83sZ5v8vgFv2yofKR
|
||||
+PB0t6JzUA81mSqM3kxl5e+IZwhYAyO0OTg3/fs8HqGTNKd9BqoUwSRBzp06JMg5b
|
||||
+rUCGwbCUDI0mxadJ3Bz4WxR6fyNpBK2yAinWEsikxqEt
|
||||
+-----END CERTIFICATE-----
|
||||
+-----BEGIN CERTIFICATE-----
|
||||
+MIIFFjCCAv6gAwIBAgIRAJErCErPDBinU/bWLiWnX1owDQYJKoZIhvcNAQELBQAw
|
||||
+TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
|
||||
+cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMjAwOTA0MDAwMDAw
|
||||
+WhcNMjUwOTE1MTYwMDAwWjAyMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNTGV0J3Mg
|
||||
+RW5jcnlwdDELMAkGA1UEAxMCUjMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
|
||||
+AoIBAQC7AhUozPaglNMPEuyNVZLD+ILxmaZ6QoinXSaqtSu5xUyxr45r+XXIo9cP
|
||||
+R5QUVTVXjJ6oojkZ9YI8QqlObvU7wy7bjcCwXPNZOOftz2nwWgsbvsCUJCWH+jdx
|
||||
+sxPnHKzhm+/b5DtFUkWWqcFTzjTIUu61ru2P3mBw4qVUq7ZtDpelQDRrK9O8Zutm
|
||||
+NHz6a4uPVymZ+DAXXbpyb/uBxa3Shlg9F8fnCbvxK/eG3MHacV3URuPMrSXBiLxg
|
||||
+Z3Vms/EY96Jc5lP/Ooi2R6X/ExjqmAl3P51T+c8B5fWmcBcUr2Ok/5mzk53cU6cG
|
||||
+/kiFHaFpriV1uxPMUgP17VGhi9sVAgMBAAGjggEIMIIBBDAOBgNVHQ8BAf8EBAMC
|
||||
+AYYwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMBIGA1UdEwEB/wQIMAYB
|
||||
+Af8CAQAwHQYDVR0OBBYEFBQusxe3WFbLrlAJQOYfr52LFMLGMB8GA1UdIwQYMBaA
|
||||
+FHm0WeZ7tuXkAXOACIjIGlj26ZtuMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcw
|
||||
+AoYWaHR0cDovL3gxLmkubGVuY3Iub3JnLzAnBgNVHR8EIDAeMBygGqAYhhZodHRw
|
||||
+Oi8veDEuYy5sZW5jci5vcmcvMCIGA1UdIAQbMBkwCAYGZ4EMAQIBMA0GCysGAQQB
|
||||
+gt8TAQEBMA0GCSqGSIb3DQEBCwUAA4ICAQCFyk5HPqP3hUSFvNVneLKYY611TR6W
|
||||
+PTNlclQtgaDqw+34IL9fzLdwALduO/ZelN7kIJ+m74uyA+eitRY8kc607TkC53wl
|
||||
+ikfmZW4/RvTZ8M6UK+5UzhK8jCdLuMGYL6KvzXGRSgi3yLgjewQtCPkIVz6D2QQz
|
||||
+CkcheAmCJ8MqyJu5zlzyZMjAvnnAT45tRAxekrsu94sQ4egdRCnbWSDtY7kh+BIm
|
||||
+lJNXoB1lBMEKIq4QDUOXoRgffuDghje1WrG9ML+Hbisq/yFOGwXD9RiX8F6sw6W4
|
||||
+avAuvDszue5L3sz85K+EC4Y/wFVDNvZo4TYXao6Z0f+lQKc0t8DQYzk1OXVu8rp2
|
||||
+yJMC6alLbBfODALZvYH7n7do1AZls4I9d1P4jnkDrQoxB3UqQ9hVl3LEKQ73xF1O
|
||||
+yK5GhDDX8oVfGKF5u+decIsH4YaTw7mP3GFxJSqv3+0lUFJoi5Lc5da149p90Ids
|
||||
+hCExroL1+7mryIkXPeFM5TgO9r0rvZaBFOvV2z0gp35Z0+L4WPlbuEjN/lxPFin+
|
||||
+HlUjr8gRsI3qfJOQFy/9rKIJR0Y/8Omwt/8oTWgy1mdeHmmjk7j1nYsvC9JSQ6Zv
|
||||
+MldlTTKB3zhThV1+XWYp6rjd5JW1zbVWEkLNxE7GJThEUG3szgBVGP7pSWTUTsqX
|
||||
+nLRbwHOoq7hHwg==
|
||||
+-----END CERTIFICATE-----
|
||||
+-----BEGIN CERTIFICATE-----
|
||||
+MIIFYDCCBEigAwIBAgIQQAF3ITfU6UK47naqPGQKtzANBgkqhkiG9w0BAQsFADA/
|
||||
+MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
|
||||
+DkRTVCBSb290IENBIFgzMB4XDTIxMDEyMDE5MTQwM1oXDTI0MDkzMDE4MTQwM1ow
|
||||
+TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
|
||||
+cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwggIiMA0GCSqGSIb3DQEB
|
||||
+AQUAA4ICDwAwggIKAoICAQCt6CRz9BQ385ueK1coHIe+3LffOJCMbjzmV6B493XC
|
||||
+ov71am72AE8o295ohmxEk7axY/0UEmu/H9LqMZshftEzPLpI9d1537O4/xLxIZpL
|
||||
+wYqGcWlKZmZsj348cL+tKSIG8+TA5oCu4kuPt5l+lAOf00eXfJlII1PoOK5PCm+D
|
||||
+LtFJV4yAdLbaL9A4jXsDcCEbdfIwPPqPrt3aY6vrFk/CjhFLfs8L6P+1dy70sntK
|
||||
+4EwSJQxwjQMpoOFTJOwT2e4ZvxCzSow/iaNhUd6shweU9GNx7C7ib1uYgeGJXDR5
|
||||
+bHbvO5BieebbpJovJsXQEOEO3tkQjhb7t/eo98flAgeYjzYIlefiN5YNNnWe+w5y
|
||||
+sR2bvAP5SQXYgd0FtCrWQemsAXaVCg/Y39W9Eh81LygXbNKYwagJZHduRze6zqxZ
|
||||
+Xmidf3LWicUGQSk+WT7dJvUkyRGnWqNMQB9GoZm1pzpRboY7nn1ypxIFeFntPlF4
|
||||
+FQsDj43QLwWyPntKHEtzBRL8xurgUBN8Q5N0s8p0544fAQjQMNRbcTa0B7rBMDBc
|
||||
+SLeCO5imfWCKoqMpgsy6vYMEG6KDA0Gh1gXxG8K28Kh8hjtGqEgqiNx2mna/H2ql
|
||||
+PRmP6zjzZN7IKw0KKP/32+IVQtQi0Cdd4Xn+GOdwiK1O5tmLOsbdJ1Fu/7xk9TND
|
||||
+TwIDAQABo4IBRjCCAUIwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYw
|
||||
+SwYIKwYBBQUHAQEEPzA9MDsGCCsGAQUFBzAChi9odHRwOi8vYXBwcy5pZGVudHJ1
|
||||
+c3QuY29tL3Jvb3RzL2RzdHJvb3RjYXgzLnA3YzAfBgNVHSMEGDAWgBTEp7Gkeyxx
|
||||
++tvhS5B1/8QVYIWJEDBUBgNVHSAETTBLMAgGBmeBDAECATA/BgsrBgEEAYLfEwEB
|
||||
+ATAwMC4GCCsGAQUFBwIBFiJodHRwOi8vY3BzLnJvb3QteDEubGV0c2VuY3J5cHQu
|
||||
+b3JnMDwGA1UdHwQ1MDMwMaAvoC2GK2h0dHA6Ly9jcmwuaWRlbnRydXN0LmNvbS9E
|
||||
+U1RST09UQ0FYM0NSTC5jcmwwHQYDVR0OBBYEFHm0WeZ7tuXkAXOACIjIGlj26Ztu
|
||||
+MA0GCSqGSIb3DQEBCwUAA4IBAQAKcwBslm7/DlLQrt2M51oGrS+o44+/yQoDFVDC
|
||||
+5WxCu2+b9LRPwkSICHXM6webFGJueN7sJ7o5XPWioW5WlHAQU7G75K/QosMrAdSW
|
||||
+9MUgNTP52GE24HGNtLi1qoJFlcDyqSMo59ahy2cI2qBDLKobkx/J3vWraV0T9VuG
|
||||
+WCLKTVXkcGdtwlfFRjlBz4pYg1htmf5X6DYO8A4jqv2Il9DjXA6USbW1FzXSLr9O
|
||||
+he8Y4IWS6wY7bCkjCWDcRQJMEhg76fsO3txE+FiYruq9RUWhiF1myv4Q6W+CyBFC
|
||||
+Dfvp7OOGAN6dEOM4+qR9sdjoSYKEBpsr6GtPAQw4dy753ec5
|
||||
+-----END CERTIFICATE-----
|
||||
diff --git a/tests/040-pem/run.sh b/tests/040-pem/run.sh
|
||||
new file mode 100755
|
||||
index 0000000..1d4d1f4
|
||||
--- /dev/null
|
||||
+++ b/tests/040-pem/run.sh
|
||||
@@ -0,0 +1,21 @@
|
||||
+#!/bin/bash -e
|
||||
+
|
||||
+cd "$tmpdir"
|
||||
+cp -p "$srcdir"/040-pem/bad.* $tmpdir
|
||||
+base64 -d < "$tmpdir"/bad.isrg-root-x1-cross-signed.der.b64 > "$tmpdir"/bad.isrg-root-x1-cross-signed.der
|
||||
+rm -f "$tmpdir"/bad.isrg-root-x1-cross-signed.der.b64
|
||||
+
|
||||
+for good in "$srcdir"/040-pem/good.* ; do
|
||||
+ if ! "$toolsdir"/pem "$good" ; then
|
||||
+ exit 1
|
||||
+ fi
|
||||
+done
|
||||
+for bad in "$tmpdir"/bad.* bad.notfound; do
|
||||
+ if "$toolsdir"/pem "$bad" > /dev/null; then
|
||||
+ echo unexpected success with `basename "$bad"`
|
||||
+ exit 1
|
||||
+ else
|
||||
+ echo got expected error with `basename "$bad"`
|
||||
+ fi
|
||||
+done
|
||||
+echo OK
|
||||
diff --git a/tests/Makefile.am b/tests/Makefile.am
|
||||
index 013d34b..e20b6d8 100644
|
||||
--- a/tests/Makefile.am
|
||||
+++ b/tests/Makefile.am
|
||||
@@ -132,6 +132,8 @@ CLEANFILES = \
|
||||
038-ms-v2-template/actual.err \
|
||||
039-fromfile/actual.out \
|
||||
039-fromfile/actual.err
|
||||
+ 040-pem/actual.out \
|
||||
+ 040-pem/actual.err
|
||||
EXTRA_DIST = \
|
||||
run-tests.sh functions certmonger.conf tools/cachain.sh \
|
||||
001-keyiread/run.sh \
|
||||
@@ -353,7 +355,8 @@ EXTRA_DIST = \
|
||||
038-ms-v2-template/expected.out \
|
||||
038-ms-v2-template/extract-extdata.py \
|
||||
038-ms-v2-template/run.sh \
|
||||
- 039-fromfile/run.sh
|
||||
+ 039-fromfile/run.sh \
|
||||
+ 040-pem/run.sh
|
||||
|
||||
subdirs = \
|
||||
001-keyiread \
|
||||
@@ -388,7 +391,8 @@ subdirs = \
|
||||
036-getcert \
|
||||
037-rekey2 \
|
||||
038-ms-v2-template \
|
||||
- 039-fromfile
|
||||
+ 039-fromfile \
|
||||
+ 040-pem
|
||||
|
||||
if HAVE_DBM_NSSDB
|
||||
subdirs += \
|
||||
diff --git a/tests/tools/Makefile.am b/tests/tools/Makefile.am
|
||||
index 53f658e..1a01ee6 100644
|
||||
--- a/tests/tools/Makefile.am
|
||||
+++ b/tests/tools/Makefile.am
|
||||
@@ -16,7 +16,8 @@ endif
|
||||
noinst_PROGRAMS = keyiread keygen csrgen submit certread certsave oid2name \
|
||||
name2oid iterate prefs dates listnicks pem2base base2pem \
|
||||
dparse payload checksig base64 cadata citerate casave hooks \
|
||||
- libexecdir canon srv addcinfo ls json json-utf8 printenv fromfile
|
||||
+ libexecdir canon srv addcinfo ls json json-utf8 printenv fromfile \
|
||||
+ pem
|
||||
noinst_LIBRARIES = libtools.a
|
||||
if HAVE_OPENSSL
|
||||
noinst_PROGRAMS += pk7parse pk7env scepgen pk7verify pk7decrypt
|
||||
diff --git a/tests/tools/pem.c b/tests/tools/pem.c
|
||||
new file mode 100644
|
||||
index 0000000..4fdd4f4
|
||||
--- /dev/null
|
||||
+++ b/tests/tools/pem.c
|
||||
@@ -0,0 +1,69 @@
|
||||
+/*
|
||||
+ * Copyright (C) 2021 Red Hat, Inc.
|
||||
+ *
|
||||
+ * This program is free software: you can redistribute it and/or modify
|
||||
+ * it under the terms of the GNU General Public License as published by
|
||||
+ * the Free Software Foundation, either version 3 of the License, or
|
||||
+ * (at your option) any later version.
|
||||
+ *
|
||||
+ * This program is distributed in the hope that it will be useful,
|
||||
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
+ * GNU General Public License for more details.
|
||||
+ *
|
||||
+ * You should have received a copy of the GNU General Public License
|
||||
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||
+ */
|
||||
+
|
||||
+#include "../../src/config.h"
|
||||
+
|
||||
+#include <sys/types.h>
|
||||
+#include <errno.h>
|
||||
+#include <fcntl.h>
|
||||
+#ifdef HAVE_INTTYPES_H
|
||||
+#include <inttypes.h>
|
||||
+#endif
|
||||
+#include <stdio.h>
|
||||
+#include <stdint.h>
|
||||
+#include <stdlib.h>
|
||||
+#include <string.h>
|
||||
+#include <unistd.h>
|
||||
+
|
||||
+#include <popt.h>
|
||||
+
|
||||
+#include <talloc.h>
|
||||
+
|
||||
+#include "../../src/util-o.h"
|
||||
+
|
||||
+int
|
||||
+main(int argc, const char **argv)
|
||||
+{
|
||||
+ const char *filename;
|
||||
+ void *parent;
|
||||
+ int i, ret = 0;
|
||||
+ poptContext pctx;
|
||||
+ struct poptOption popts[] = {
|
||||
+ POPT_AUTOHELP
|
||||
+ POPT_TABLEEND
|
||||
+ };
|
||||
+
|
||||
+ parent = talloc_new(NULL);
|
||||
+ pctx = poptGetContext("pem", argc, argv, popts, 0);
|
||||
+ while ((i = poptGetNextOpt(pctx)) > 0) {
|
||||
+ continue;
|
||||
+ }
|
||||
+ if (i != -1) {
|
||||
+ poptPrintUsage(pctx, stdout, 0);
|
||||
+ return 1;
|
||||
+ }
|
||||
+ while ((filename = poptGetArg(pctx)) != NULL) {
|
||||
+ if (validate_pem(parent, (char *)filename) == 0) {
|
||||
+ printf("OK\n");
|
||||
+ } else {
|
||||
+ ret = 1;
|
||||
+ }
|
||||
+ }
|
||||
+ talloc_free(parent);
|
||||
+ poptFreeContext(pctx);
|
||||
+ return ret;
|
||||
+}
|
||||
--
|
||||
2.31.1
|
||||
|
||||
|
|
@ -0,0 +1,31 @@
|
|||
From 657c9ab79a00a2003f7c02c535418896cacc410a Mon Sep 17 00:00:00 2001
|
||||
From: Rob Crittenden <rcritten@redhat.com>
|
||||
Date: Mon, 15 Nov 2021 09:58:40 -0500
|
||||
Subject: [PATCH] =?UTF-8?q?Fix=20implicit=20declaration=20of=20function=20?=
|
||||
=?UTF-8?q?=E2=80=98PEM=5Fread=5Fbio=5FX509=E2=80=99?=
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Add an include for openssl/pem.h
|
||||
|
||||
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
|
||||
---
|
||||
src/submit-n.c | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/src/submit-n.c b/src/submit-n.c
|
||||
index 3dcb820a..4f763a16 100644
|
||||
--- a/src/submit-n.c
|
||||
+++ b/src/submit-n.c
|
||||
@@ -33,6 +33,7 @@
|
||||
#include <openssl/pkcs7.h>
|
||||
#include <openssl/stack.h>
|
||||
#include <openssl/x509.h>
|
||||
+#include <openssl/pem.h>
|
||||
|
||||
#include <cert.h>
|
||||
#include <certdb.h>
|
||||
--
|
||||
2.31.1
|
||||
|
||||
|
|
@ -0,0 +1,46 @@
|
|||
From 2ef0a885962ecf558a8080b19652a5bd0c11c228 Mon Sep 17 00:00:00 2001
|
||||
From: Rob Crittenden <rcritten@redhat.com>
|
||||
Date: Thu, 17 Mar 2022 15:44:00 -0400
|
||||
Subject: [PATCH] Remove dependency on SHA-1
|
||||
|
||||
---
|
||||
tests/033-scep/run.sh | 4 ++--
|
||||
tests/tools/cachain.sh | 2 +-
|
||||
2 files changed, 3 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/tests/033-scep/run.sh b/tests/033-scep/run.sh
|
||||
index a36cd5a..baaa581 100755
|
||||
--- a/tests/033-scep/run.sh
|
||||
+++ b/tests/033-scep/run.sh
|
||||
@@ -148,7 +148,7 @@ check_nonce
|
||||
check_digest sha256
|
||||
echo OK
|
||||
echo "[gic, old trust root]"
|
||||
-set_digest sha1
|
||||
+set_digest sha256
|
||||
$toolsdir/scepgen ca entry > scepdata
|
||||
if test x`grep ^gic: scepdata | cut -f2- -d:` = x ; then
|
||||
echo missing gic
|
||||
@@ -158,7 +158,7 @@ check_verified
|
||||
check_msgtype $SCEP_MSGTYPE_GETCERTINITIAL
|
||||
check_txid
|
||||
check_nonce
|
||||
-check_digest sha1
|
||||
+check_digest sha256
|
||||
echo OK
|
||||
echo "[req next, no trust root]"
|
||||
if test x`grep ^req.next.: scepdata | cut -f2- -d:` = x ; then
|
||||
diff --git a/tests/tools/cachain.sh b/tests/tools/cachain.sh
|
||||
index 58f0c49..93aca9b 100755
|
||||
--- a/tests/tools/cachain.sh
|
||||
+++ b/tests/tools/cachain.sh
|
||||
@@ -1,5 +1,5 @@
|
||||
#!/bin/bash -e
|
||||
-digest=sha1
|
||||
+digest=sha256
|
||||
keytype=rsa:1024
|
||||
serial=12345678
|
||||
cat > openssl.cnf << EOF
|
||||
--
|
||||
2.31.1
|
||||
|
||||
|
|
@ -28,7 +28,7 @@
|
|||
|
||||
Name: certmonger
|
||||
Version: 0.79.14
|
||||
Release: 5%{?dist}
|
||||
Release: 6%{?dist}
|
||||
Summary: Certificate status monitor and PKI enrollment client
|
||||
|
||||
License: GPLv3+
|
||||
|
|
@ -43,6 +43,9 @@ Patch0006: 0006-Fix-file-descriptor-leak-when-executing-CA-helpers.patch
|
|||
Patch0007: 0007-Update-csrgen-test-to-understand-OpenSSL-3.0.0-outpu.patch
|
||||
Patch0008: 0008-Use-implicit-empty-FALSE-for-extensions.patch
|
||||
Patch0009: 0009-Use-extensions-template-from-NSS.patch
|
||||
Patch0010: 0010-Add-a-PEM-validity-checker-and-validate-SCEP-CA-file.patch
|
||||
Patch0011: 0011-Fix-implicit-declaration-of-function-PEM_read_bio_X5.patch
|
||||
Patch0012: 0012-Remove-dependency-on-SHA-1.patch
|
||||
|
||||
|
||||
BuildRequires: autoconf
|
||||
|
|
@ -273,6 +276,11 @@ exit 0
|
|||
%endif
|
||||
|
||||
%changelog
|
||||
* Thu Mar 17 2022 Rob Crittenden <rcritten@redhat.com> - 0.79.14-6
|
||||
- Certificate format validation when adding the SCEP server's CA
|
||||
(#1492112)
|
||||
- Replace some SHA1 usages with SHA256 in the unit tests
|
||||
|
||||
* Thu Oct 07 2021 Rob Crittenden <rcritten@redhat.com> - 0.79.14-5
|
||||
- Certmonger SCEP renewal should not use old challenges (#1990926)
|
||||
- Certmonger certificates stuck in NEED_GUIDANCE (#2001082)
|
||||
|
|
|
|||
Loading…
Reference in New Issue