010cc6087f
- Certificate format validation when adding the SCEP server's CA (#1492112) - Replace some SHA1 usages with SHA256 in the unit tests needed becaus of OpenSSL 3 update Resolves: #1492112
703 lines
27 KiB
Diff
703 lines
27 KiB
Diff
From f636d0f64fbcb978b06afe9f9576678afcee01c0 Mon Sep 17 00:00:00 2001
|
|
From: Rob Crittenden <rcritten@redhat.com>
|
|
Date: Thu, 4 Nov 2021 13:51:31 -0400
|
|
Subject: [PATCH] Add a PEM validity checker and validate SCEP CA files
|
|
|
|
If a non-PEM file was passed into add-scep-ca it would
|
|
accept it without question but later fail with:
|
|
|
|
status: CA_UNREACHABLE
|
|
ca-error: Error: failed to verify signature on server response.
|
|
|
|
Try to do basic validation of user-provided PEM files by:
|
|
|
|
- stripping BEGIN/END headers
|
|
- removing newlines and carriage returns
|
|
- using OpenSSL EVP library to base64 decode the block
|
|
|
|
This isn't fool-proof but it at least does some basic
|
|
sanity checking to ensure the file(s) exist and appear
|
|
to be PEM files.
|
|
|
|
The unit tests use some Let's Encrypt CA certificates.
|
|
|
|
https://bugzilla.redhat.com/show_bug.cgi?id=1492112
|
|
|
|
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
|
|
---
|
|
src/Makefile.am | 2 +-
|
|
src/getcert-add-scep-ca.1.in | 2 +
|
|
src/getcert.c | 39 ++++-
|
|
src/util-o.c | 144 ++++++++++++++++++
|
|
src/util-o.h | 7 +
|
|
tests/040-pem/bad.empty | 0
|
|
.../bad.isrg-root-x1-cross-signed.der.b64 | 25 +++
|
|
tests/040-pem/expected.out | 7 +
|
|
.../good.isrg-root-x1-cross-signed.pem | 31 ++++
|
|
.../good.isrg-root-x1-cross-signed_cr.pem | 31 ++++
|
|
tests/040-pem/good.lets_encrypt_chain.pem | 93 +++++++++++
|
|
tests/040-pem/run.sh | 21 +++
|
|
tests/Makefile.am | 8 +-
|
|
tests/tools/Makefile.am | 3 +-
|
|
tests/tools/pem.c | 69 +++++++++
|
|
15 files changed, 474 insertions(+), 8 deletions(-)
|
|
create mode 100644 tests/040-pem/bad.empty
|
|
create mode 100644 tests/040-pem/bad.isrg-root-x1-cross-signed.der.b64
|
|
create mode 100644 tests/040-pem/expected.out
|
|
create mode 100644 tests/040-pem/good.isrg-root-x1-cross-signed.pem
|
|
create mode 100644 tests/040-pem/good.isrg-root-x1-cross-signed_cr.pem
|
|
create mode 100644 tests/040-pem/good.lets_encrypt_chain.pem
|
|
create mode 100755 tests/040-pem/run.sh
|
|
create mode 100644 tests/tools/pem.c
|
|
|
|
diff --git a/src/Makefile.am b/src/Makefile.am
|
|
index 53571c5..d8e0a2e 100644
|
|
--- a/src/Makefile.am
|
|
+++ b/src/Makefile.am
|
|
@@ -155,7 +155,7 @@ pkglibexecdir = $(libexecdir)/$(PACKAGE)
|
|
getcert_CFLAGS = $(AM_CFLAGS) $(NSS_CFLAGS) $(UUID_CFLAGS)
|
|
getcert_SOURCES = getcert.c tm.c tm.h
|
|
getcert_LDADD = libcm.a $(GETCERT_LIBS) $(KRB5_LIBS) $(NSS_LIBS) $(UUID_LIBS) \
|
|
- $(POPT_LIBS) $(LTLIBICONV) $(LDAP_LIBS)
|
|
+ $(POPT_LIBS) $(LTLIBICONV) $(LDAP_LIBS) $(OPENSSL_LIBS)
|
|
if WITH_IPA
|
|
bin_PROGRAMS += ipa-getcert
|
|
ipa_getcert_CFLAGS = $(getcert_CFLAGS)
|
|
diff --git a/src/getcert-add-scep-ca.1.in b/src/getcert-add-scep-ca.1.in
|
|
index c2751ed..901791e 100644
|
|
--- a/src/getcert-add-scep-ca.1.in
|
|
+++ b/src/getcert-add-scep-ca.1.in
|
|
@@ -14,6 +14,8 @@ helper. The \fIadd\-scep\-ca\fR command is more or less a wrapper for the
|
|
|
|
.SH OPTIONS
|
|
.TP
|
|
+All user\-provided certificate files must be in PEM format.
|
|
+.TP
|
|
\fB\-c\fR \fINAME\fR, \fB\-\-ca\fR=\fINAME\fR
|
|
The nickname to give to this CA configuration. This same value can later be
|
|
passed in to \fIgetcert\fR's \fIrequest\fR, \fIresubmit\fR, and
|
|
diff --git a/src/getcert.c b/src/getcert.c
|
|
index 4afafcb..ddcb739 100644
|
|
--- a/src/getcert.c
|
|
+++ b/src/getcert.c
|
|
@@ -49,6 +49,7 @@
|
|
#include "submit-u.h"
|
|
#include "tdbus.h"
|
|
#include "tdbusm.h"
|
|
+#include "util-o.h"
|
|
|
|
#ifdef ENABLE_NLS
|
|
#include <libintl.h>
|
|
@@ -4544,15 +4545,16 @@ add_scep_ca(const char *argv0, int argc, const char **argv)
|
|
int c, prefer_non_renewal = 0, verbose = 0;
|
|
dbus_bool_t b;
|
|
static DBusMessage *req, *rep;
|
|
+ const char *poptarg;
|
|
poptContext pctx;
|
|
struct poptOption popts[] = {
|
|
{"ca", 'c', POPT_ARG_STRING, &caname, 0, _("nickname to give to the new CA configuration"), HELP_TYPE_NAME},
|
|
{"url", 'u', POPT_ARG_STRING, &url, 0, _("location of SCEP server"), HELP_TYPE_URL},
|
|
{"id", 'i', POPT_ARG_STRING, &id, 0, _("CA identifier"), HELP_TYPE_ID},
|
|
- {"ca-cert", 'R', POPT_ARG_STRING, &root, 0, _("file containing CA's certificate"), HELP_TYPE_FILENAME},
|
|
- {"ra-cert", 'r', POPT_ARG_STRING, &racert, 0, _("file containing RA's certificate"), HELP_TYPE_FILENAME},
|
|
- {"other-certs", 'I', POPT_ARG_STRING, &certs, 0, _("file containing certificates in RA's certifying chain"), HELP_TYPE_FILENAME},
|
|
- {"signingca", 'N', POPT_ARG_STRING, &signingca, 0, _("the CA certificate which signed the RA certificate"), HELP_TYPE_FILENAME},
|
|
+ {"ca-cert", 'R', POPT_ARG_STRING, NULL, 'R', _("file containing CA's certificate"), HELP_TYPE_FILENAME},
|
|
+ {"ra-cert", 'r', POPT_ARG_STRING, NULL, 'r', _("file containing RA's certificate"), HELP_TYPE_FILENAME},
|
|
+ {"other-certs", 'I', POPT_ARG_STRING, NULL, 'I', _("file containing certificates in RA's certifying chain"), HELP_TYPE_FILENAME},
|
|
+ {"signingca", 'N', POPT_ARG_STRING, NULL, 'N', _("the CA certificate which signed the RA certificate"), HELP_TYPE_FILENAME},
|
|
{"non-renewal", 'n', POPT_ARG_NONE, &prefer_non_renewal, 0, _("prefer to not use the SCEP Renewal feature"), NULL},
|
|
{"session", 's', POPT_ARG_NONE, NULL, 's', _("connect to the certmonger service on the session bus"), NULL},
|
|
{"system", 'S', POPT_ARG_NONE, NULL, 'S', _("connect to the certmonger service on the system bus"), NULL},
|
|
@@ -4572,6 +4574,7 @@ add_scep_ca(const char *argv0, int argc, const char **argv)
|
|
return 1;
|
|
}
|
|
while ((c = poptGetNextOpt(pctx)) > 0) {
|
|
+ poptarg = poptGetOptArg(pctx);
|
|
switch (c) {
|
|
case 's':
|
|
bus = cm_tdbus_session;
|
|
@@ -4586,6 +4589,34 @@ add_scep_ca(const char *argv0, int argc, const char **argv)
|
|
poptPrintHelp(pctx, stdout, 0);
|
|
return 1;
|
|
break;
|
|
+ case 'R':
|
|
+ if (validate_pem(globals.tctx, poptarg) != 0) {
|
|
+ printf("The root certificate(s) in %s is not valid PEM\n", poptarg);
|
|
+ return 1;
|
|
+ }
|
|
+ root = talloc_strdup(globals.tctx, poptarg);
|
|
+ break;
|
|
+ case 'r':
|
|
+ if (validate_pem(globals.tctx, poptarg) != 0) {
|
|
+ printf("The RA certificate(s) in %s is not valid PEM\n", poptarg);
|
|
+ return 1;
|
|
+ }
|
|
+ racert = talloc_strdup(globals.tctx, poptarg);
|
|
+ break;
|
|
+ case 'I':
|
|
+ if (validate_pem(globals.tctx, poptarg) != 0) {
|
|
+ printf("The certificate(s) in %s is not valid PEM\n", poptarg);
|
|
+ return 1;
|
|
+ }
|
|
+ certs = talloc_strdup(globals.tctx, poptarg);
|
|
+ break;
|
|
+ case 'N':
|
|
+ if (validate_pem(globals.tctx, poptarg) != 0) {
|
|
+ printf("The certificate(s) in %s is not valid PEM\n", poptarg);
|
|
+ return 1;
|
|
+ }
|
|
+ signingca = talloc_strdup(globals.tctx, poptarg);
|
|
+ break;
|
|
}
|
|
}
|
|
if (c != -1) {
|
|
diff --git a/src/util-o.c b/src/util-o.c
|
|
index db45964..c05872c 100644
|
|
--- a/src/util-o.c
|
|
+++ b/src/util-o.c
|
|
@@ -598,3 +598,147 @@ util_private_EVP_PKEY_dup(EVP_PKEY *pkey)
|
|
{
|
|
return util_EVP_PKEY_dup(pkey, i2d_PrivateKey, d2i_PrivateKey);
|
|
}
|
|
+
|
|
+static unsigned char *
|
|
+decode_base64(const unsigned char *input, int length, int *outlength) {
|
|
+ int expected_len;
|
|
+ unsigned char *output;
|
|
+ int output_len;
|
|
+
|
|
+ expected_len = 3 * length / 4;
|
|
+ output = calloc(expected_len + 1, 1);
|
|
+ output_len = EVP_DecodeBlock(output, input, length);
|
|
+
|
|
+ if (output_len < 0) {
|
|
+ *outlength = -1;
|
|
+ free(output);
|
|
+ return NULL;
|
|
+ }
|
|
+ if (output_len % 3 != 0) {
|
|
+ *outlength = -1;
|
|
+ free(output);
|
|
+ return NULL;
|
|
+ }
|
|
+ if (expected_len != output_len) {
|
|
+ *outlength = -1;
|
|
+ free(output);
|
|
+ return NULL;
|
|
+ }
|
|
+ *outlength = output_len;
|
|
+ return output;
|
|
+}
|
|
+
|
|
+int
|
|
+validate_pem(void *parent, const char *path)
|
|
+{
|
|
+ char *p;
|
|
+ char *s = NULL, *sp, *sq;
|
|
+ int ret = 0;
|
|
+ FILE *fp;
|
|
+ struct stat st;
|
|
+ char *tmp1 = NULL;
|
|
+ unsigned char *tmp2 = NULL;
|
|
+ char *buffer;
|
|
+ int n, i, length;
|
|
+ int found = 0;
|
|
+
|
|
+ fp = fopen(path, "r");
|
|
+ if (fp == NULL) {
|
|
+ printf("Unable to open %s for reading: %s\n",
|
|
+ path, strerror(errno));
|
|
+ return -1;
|
|
+ }
|
|
+ if (fstat(fileno(fp), &st) == -1) {
|
|
+ printf("Error opening %s for reading: %s\n",
|
|
+ path, strerror(errno));
|
|
+ fclose(fp);
|
|
+ return -1;
|
|
+ }
|
|
+ if (st.st_size == 0) {
|
|
+ printf("%s is an empty file.\n", path);
|
|
+ fclose(fp);
|
|
+ return -1;
|
|
+ }
|
|
+
|
|
+ buffer = malloc(st.st_size + 1);
|
|
+ if (buffer == NULL) {
|
|
+ printf("Error allocating memory.\n");
|
|
+ fclose(fp);
|
|
+ return -1;
|
|
+ }
|
|
+
|
|
+ n = 0;
|
|
+ while (n < st.st_size) {
|
|
+ i = fread(buffer + n, 1, st.st_size - n, fp);
|
|
+ if (i <= 0) {
|
|
+ printf("Error reading %s: %s.\n",
|
|
+ path, strerror(errno));
|
|
+ fclose(fp);
|
|
+ ret = -1;
|
|
+ goto done;
|
|
+ }
|
|
+ n += i;
|
|
+ }
|
|
+ fclose(fp);
|
|
+ buffer[st.st_size] = '\0';
|
|
+ length = st.st_size;
|
|
+ s = malloc(length + 1);
|
|
+ if (s == NULL) {
|
|
+ printf("Error allocating memory.\n");
|
|
+ ret = -1;
|
|
+ goto done;
|
|
+ }
|
|
+ memcpy(s, buffer, length);
|
|
+ s[length] = '\0';
|
|
+ sp = s;
|
|
+ tmp1 = NULL;
|
|
+ tmp2 = NULL;
|
|
+ while ((sp = strstr(sp, "-----BEGIN")) != NULL) {
|
|
+ sq = strstr(sp, "-----END");
|
|
+ if (sq != NULL) {
|
|
+ found++;
|
|
+ sq += strcspn(sq, "\r\n");
|
|
+ sq += strspn(sq, "\r\n");
|
|
+
|
|
+ /* Strip down to pure base64 so no headers, new lines or cr */
|
|
+ tmp1 = strndup(sp, sq - sp);
|
|
+ p = strstr(tmp1, "-----BEGIN");
|
|
+ if (p != NULL) {
|
|
+ p += strcspn(p, "\n");
|
|
+ if (*p == '\n') {
|
|
+ p++;
|
|
+ }
|
|
+ memmove(tmp1, p, strlen(p) + 1);
|
|
+ }
|
|
+ p = strstr(tmp1, "\n-----END");
|
|
+ if (p != NULL) {
|
|
+ *p = '\0';
|
|
+ }
|
|
+ while ((p = strchr(tmp1, '\r')) != NULL) {
|
|
+ memmove(p, p + 1, strlen(p));
|
|
+ }
|
|
+ while ((p = strchr(tmp1, '\n')) != NULL) {
|
|
+ memmove(p, p + 1, strlen(p));
|
|
+ }
|
|
+ length = 0;
|
|
+ tmp2 = decode_base64((unsigned char *)tmp1, strlen(tmp1), &length);
|
|
+ if (length < 0) {
|
|
+ ret = -1;
|
|
+ goto done;
|
|
+ }
|
|
+ sp = sq;
|
|
+ }
|
|
+ }
|
|
+
|
|
+ if (found == 0) {
|
|
+ ret = -1;
|
|
+ }
|
|
+
|
|
+done:
|
|
+ free(buffer);
|
|
+ free(s);
|
|
+ free(tmp1);
|
|
+ free(tmp2);
|
|
+
|
|
+ return ret;
|
|
+}
|
|
diff --git a/src/util-o.h b/src/util-o.h
|
|
index 916777b..8550e07 100644
|
|
--- a/src/util-o.h
|
|
+++ b/src/util-o.h
|
|
@@ -16,6 +16,12 @@
|
|
*/
|
|
|
|
#ifndef utilo_h
|
|
+#include <openssl/err.h>
|
|
+#include <openssl/evp.h>
|
|
+#include <openssl/objects.h>
|
|
+#include <openssl/x509.h>
|
|
+#include <openssl/x509v3.h>
|
|
+
|
|
#define utilo_h
|
|
|
|
struct cm_store_entry;
|
|
@@ -71,5 +77,6 @@ int util_X509_set1_version(X509 *x, ASN1_INTEGER *version);
|
|
void util_NETSCAPE_SPKI_set_sig_alg(NETSCAPE_SPKI *spki, const X509_ALGOR *sig_alg);
|
|
EVP_PKEY *util_public_EVP_PKEY_dup(EVP_PKEY *pkey);
|
|
EVP_PKEY *util_private_EVP_PKEY_dup(EVP_PKEY *pkey);
|
|
+int validate_pem(void *parent, const char *path);
|
|
|
|
#endif
|
|
diff --git a/tests/040-pem/bad.empty b/tests/040-pem/bad.empty
|
|
new file mode 100644
|
|
index 0000000..e69de29
|
|
diff --git a/tests/040-pem/bad.isrg-root-x1-cross-signed.der.b64 b/tests/040-pem/bad.isrg-root-x1-cross-signed.der.b64
|
|
new file mode 100644
|
|
index 0000000..f9d7e5b
|
|
--- /dev/null
|
|
+++ b/tests/040-pem/bad.isrg-root-x1-cross-signed.der.b64
|
|
@@ -0,0 +1,25 @@
|
|
+MIIFYDCCBEigAwIBAgIQQAF3ITfU6UK47naqPGQKtzANBgkqhkiG9w0BAQsFADA/MSQwIgYDVQQK
|
|
+ExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMTDkRTVCBSb290IENBIFgzMB4X
|
|
+DTIxMDEyMDE5MTQwM1oXDTI0MDkzMDE4MTQwM1owTzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIElu
|
|
+dGVybmV0IFNlY3VyaXR5IFJlc2VhcmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwggIi
|
|
+MA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCt6CRz9BQ385ueK1coHIe+3LffOJCMbjzmV6B4
|
|
+93XCov71am72AE8o295ohmxEk7axY/0UEmu/H9LqMZshftEzPLpI9d1537O4/xLxIZpLwYqGcWlK
|
|
+ZmZsj348cL+tKSIG8+TA5oCu4kuPt5l+lAOf00eXfJlII1PoOK5PCm+DLtFJV4yAdLbaL9A4jXsD
|
|
+cCEbdfIwPPqPrt3aY6vrFk/CjhFLfs8L6P+1dy70sntK4EwSJQxwjQMpoOFTJOwT2e4ZvxCzSow/
|
|
+iaNhUd6shweU9GNx7C7ib1uYgeGJXDR5bHbvO5BieebbpJovJsXQEOEO3tkQjhb7t/eo98flAgeY
|
|
+jzYIlefiN5YNNnWe+w5ysR2bvAP5SQXYgd0FtCrWQemsAXaVCg/Y39W9Eh81LygXbNKYwagJZHdu
|
|
+Rze6zqxZXmidf3LWicUGQSk+WT7dJvUkyRGnWqNMQB9GoZm1pzpRboY7nn1ypxIFeFntPlF4FQsD
|
|
+j43QLwWyPntKHEtzBRL8xurgUBN8Q5N0s8p0544fAQjQMNRbcTa0B7rBMDBcSLeCO5imfWCKoqMp
|
|
+gsy6vYMEG6KDA0Gh1gXxG8K28Kh8hjtGqEgqiNx2mna/H2qlPRmP6zjzZN7IKw0KKP/32+IVQtQi
|
|
+0Cdd4Xn+GOdwiK1O5tmLOsbdJ1Fu/7xk9TNDTwIDAQABo4IBRjCCAUIwDwYDVR0TAQH/BAUwAwEB
|
|
+/zAOBgNVHQ8BAf8EBAMCAQYwSwYIKwYBBQUHAQEEPzA9MDsGCCsGAQUFBzAChi9odHRwOi8vYXBw
|
|
+cy5pZGVudHJ1c3QuY29tL3Jvb3RzL2RzdHJvb3RjYXgzLnA3YzAfBgNVHSMEGDAWgBTEp7Gkeyxx
|
|
++tvhS5B1/8QVYIWJEDBUBgNVHSAETTBLMAgGBmeBDAECATA/BgsrBgEEAYLfEwEBATAwMC4GCCsG
|
|
+AQUFBwIBFiJodHRwOi8vY3BzLnJvb3QteDEubGV0c2VuY3J5cHQub3JnMDwGA1UdHwQ1MDMwMaAv
|
|
+oC2GK2h0dHA6Ly9jcmwuaWRlbnRydXN0LmNvbS9EU1RST09UQ0FYM0NSTC5jcmwwHQYDVR0OBBYE
|
|
+FHm0WeZ7tuXkAXOACIjIGlj26ZtuMA0GCSqGSIb3DQEBCwUAA4IBAQAKcwBslm7/DlLQrt2M51oG
|
|
+rS+o44+/yQoDFVDC5WxCu2+b9LRPwkSICHXM6webFGJueN7sJ7o5XPWioW5WlHAQU7G75K/QosMr
|
|
+AdSW9MUgNTP52GE24HGNtLi1qoJFlcDyqSMo59ahy2cI2qBDLKobkx/J3vWraV0T9VuGWCLKTVXk
|
|
+cGdtwlfFRjlBz4pYg1htmf5X6DYO8A4jqv2Il9DjXA6USbW1FzXSLr9Ohe8Y4IWS6wY7bCkjCWDc
|
|
+RQJMEhg76fsO3txE+FiYruq9RUWhiF1myv4Q6W+CyBFCDfvp7OOGAN6dEOM4+qR9sdjoSYKEBpsr
|
|
+6GtPAQw4dy753ec5
|
|
diff --git a/tests/040-pem/expected.out b/tests/040-pem/expected.out
|
|
new file mode 100644
|
|
index 0000000..0459fd2
|
|
--- /dev/null
|
|
+++ b/tests/040-pem/expected.out
|
|
@@ -0,0 +1,7 @@
|
|
+OK
|
|
+OK
|
|
+OK
|
|
+got expected error with bad.empty
|
|
+got expected error with bad.isrg-root-x1-cross-signed.der
|
|
+got expected error with bad.notfound
|
|
+OK
|
|
diff --git a/tests/040-pem/good.isrg-root-x1-cross-signed.pem b/tests/040-pem/good.isrg-root-x1-cross-signed.pem
|
|
new file mode 100644
|
|
index 0000000..239794a
|
|
--- /dev/null
|
|
+++ b/tests/040-pem/good.isrg-root-x1-cross-signed.pem
|
|
@@ -0,0 +1,31 @@
|
|
+-----BEGIN CERTIFICATE-----
|
|
+MIIFYDCCBEigAwIBAgIQQAF3ITfU6UK47naqPGQKtzANBgkqhkiG9w0BAQsFADA/
|
|
+MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
|
|
+DkRTVCBSb290IENBIFgzMB4XDTIxMDEyMDE5MTQwM1oXDTI0MDkzMDE4MTQwM1ow
|
|
+TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
|
|
+cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwggIiMA0GCSqGSIb3DQEB
|
|
+AQUAA4ICDwAwggIKAoICAQCt6CRz9BQ385ueK1coHIe+3LffOJCMbjzmV6B493XC
|
|
+ov71am72AE8o295ohmxEk7axY/0UEmu/H9LqMZshftEzPLpI9d1537O4/xLxIZpL
|
|
+wYqGcWlKZmZsj348cL+tKSIG8+TA5oCu4kuPt5l+lAOf00eXfJlII1PoOK5PCm+D
|
|
+LtFJV4yAdLbaL9A4jXsDcCEbdfIwPPqPrt3aY6vrFk/CjhFLfs8L6P+1dy70sntK
|
|
+4EwSJQxwjQMpoOFTJOwT2e4ZvxCzSow/iaNhUd6shweU9GNx7C7ib1uYgeGJXDR5
|
|
+bHbvO5BieebbpJovJsXQEOEO3tkQjhb7t/eo98flAgeYjzYIlefiN5YNNnWe+w5y
|
|
+sR2bvAP5SQXYgd0FtCrWQemsAXaVCg/Y39W9Eh81LygXbNKYwagJZHduRze6zqxZ
|
|
+Xmidf3LWicUGQSk+WT7dJvUkyRGnWqNMQB9GoZm1pzpRboY7nn1ypxIFeFntPlF4
|
|
+FQsDj43QLwWyPntKHEtzBRL8xurgUBN8Q5N0s8p0544fAQjQMNRbcTa0B7rBMDBc
|
|
+SLeCO5imfWCKoqMpgsy6vYMEG6KDA0Gh1gXxG8K28Kh8hjtGqEgqiNx2mna/H2ql
|
|
+PRmP6zjzZN7IKw0KKP/32+IVQtQi0Cdd4Xn+GOdwiK1O5tmLOsbdJ1Fu/7xk9TND
|
|
+TwIDAQABo4IBRjCCAUIwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYw
|
|
+SwYIKwYBBQUHAQEEPzA9MDsGCCsGAQUFBzAChi9odHRwOi8vYXBwcy5pZGVudHJ1
|
|
+c3QuY29tL3Jvb3RzL2RzdHJvb3RjYXgzLnA3YzAfBgNVHSMEGDAWgBTEp7Gkeyxx
|
|
++tvhS5B1/8QVYIWJEDBUBgNVHSAETTBLMAgGBmeBDAECATA/BgsrBgEEAYLfEwEB
|
|
+ATAwMC4GCCsGAQUFBwIBFiJodHRwOi8vY3BzLnJvb3QteDEubGV0c2VuY3J5cHQu
|
|
+b3JnMDwGA1UdHwQ1MDMwMaAvoC2GK2h0dHA6Ly9jcmwuaWRlbnRydXN0LmNvbS9E
|
|
+U1RST09UQ0FYM0NSTC5jcmwwHQYDVR0OBBYEFHm0WeZ7tuXkAXOACIjIGlj26Ztu
|
|
+MA0GCSqGSIb3DQEBCwUAA4IBAQAKcwBslm7/DlLQrt2M51oGrS+o44+/yQoDFVDC
|
|
+5WxCu2+b9LRPwkSICHXM6webFGJueN7sJ7o5XPWioW5WlHAQU7G75K/QosMrAdSW
|
|
+9MUgNTP52GE24HGNtLi1qoJFlcDyqSMo59ahy2cI2qBDLKobkx/J3vWraV0T9VuG
|
|
+WCLKTVXkcGdtwlfFRjlBz4pYg1htmf5X6DYO8A4jqv2Il9DjXA6USbW1FzXSLr9O
|
|
+he8Y4IWS6wY7bCkjCWDcRQJMEhg76fsO3txE+FiYruq9RUWhiF1myv4Q6W+CyBFC
|
|
+Dfvp7OOGAN6dEOM4+qR9sdjoSYKEBpsr6GtPAQw4dy753ec5
|
|
+-----END CERTIFICATE-----
|
|
diff --git a/tests/040-pem/good.isrg-root-x1-cross-signed_cr.pem b/tests/040-pem/good.isrg-root-x1-cross-signed_cr.pem
|
|
new file mode 100644
|
|
index 0000000..239794a
|
|
--- /dev/null
|
|
+++ b/tests/040-pem/good.isrg-root-x1-cross-signed_cr.pem
|
|
@@ -0,0 +1,31 @@
|
|
+-----BEGIN CERTIFICATE-----
|
|
+MIIFYDCCBEigAwIBAgIQQAF3ITfU6UK47naqPGQKtzANBgkqhkiG9w0BAQsFADA/
|
|
+MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
|
|
+DkRTVCBSb290IENBIFgzMB4XDTIxMDEyMDE5MTQwM1oXDTI0MDkzMDE4MTQwM1ow
|
|
+TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
|
|
+cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwggIiMA0GCSqGSIb3DQEB
|
|
+AQUAA4ICDwAwggIKAoICAQCt6CRz9BQ385ueK1coHIe+3LffOJCMbjzmV6B493XC
|
|
+ov71am72AE8o295ohmxEk7axY/0UEmu/H9LqMZshftEzPLpI9d1537O4/xLxIZpL
|
|
+wYqGcWlKZmZsj348cL+tKSIG8+TA5oCu4kuPt5l+lAOf00eXfJlII1PoOK5PCm+D
|
|
+LtFJV4yAdLbaL9A4jXsDcCEbdfIwPPqPrt3aY6vrFk/CjhFLfs8L6P+1dy70sntK
|
|
+4EwSJQxwjQMpoOFTJOwT2e4ZvxCzSow/iaNhUd6shweU9GNx7C7ib1uYgeGJXDR5
|
|
+bHbvO5BieebbpJovJsXQEOEO3tkQjhb7t/eo98flAgeYjzYIlefiN5YNNnWe+w5y
|
|
+sR2bvAP5SQXYgd0FtCrWQemsAXaVCg/Y39W9Eh81LygXbNKYwagJZHduRze6zqxZ
|
|
+Xmidf3LWicUGQSk+WT7dJvUkyRGnWqNMQB9GoZm1pzpRboY7nn1ypxIFeFntPlF4
|
|
+FQsDj43QLwWyPntKHEtzBRL8xurgUBN8Q5N0s8p0544fAQjQMNRbcTa0B7rBMDBc
|
|
+SLeCO5imfWCKoqMpgsy6vYMEG6KDA0Gh1gXxG8K28Kh8hjtGqEgqiNx2mna/H2ql
|
|
+PRmP6zjzZN7IKw0KKP/32+IVQtQi0Cdd4Xn+GOdwiK1O5tmLOsbdJ1Fu/7xk9TND
|
|
+TwIDAQABo4IBRjCCAUIwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYw
|
|
+SwYIKwYBBQUHAQEEPzA9MDsGCCsGAQUFBzAChi9odHRwOi8vYXBwcy5pZGVudHJ1
|
|
+c3QuY29tL3Jvb3RzL2RzdHJvb3RjYXgzLnA3YzAfBgNVHSMEGDAWgBTEp7Gkeyxx
|
|
++tvhS5B1/8QVYIWJEDBUBgNVHSAETTBLMAgGBmeBDAECATA/BgsrBgEEAYLfEwEB
|
|
+ATAwMC4GCCsGAQUFBwIBFiJodHRwOi8vY3BzLnJvb3QteDEubGV0c2VuY3J5cHQu
|
|
+b3JnMDwGA1UdHwQ1MDMwMaAvoC2GK2h0dHA6Ly9jcmwuaWRlbnRydXN0LmNvbS9E
|
|
+U1RST09UQ0FYM0NSTC5jcmwwHQYDVR0OBBYEFHm0WeZ7tuXkAXOACIjIGlj26Ztu
|
|
+MA0GCSqGSIb3DQEBCwUAA4IBAQAKcwBslm7/DlLQrt2M51oGrS+o44+/yQoDFVDC
|
|
+5WxCu2+b9LRPwkSICHXM6webFGJueN7sJ7o5XPWioW5WlHAQU7G75K/QosMrAdSW
|
|
+9MUgNTP52GE24HGNtLi1qoJFlcDyqSMo59ahy2cI2qBDLKobkx/J3vWraV0T9VuG
|
|
+WCLKTVXkcGdtwlfFRjlBz4pYg1htmf5X6DYO8A4jqv2Il9DjXA6USbW1FzXSLr9O
|
|
+he8Y4IWS6wY7bCkjCWDcRQJMEhg76fsO3txE+FiYruq9RUWhiF1myv4Q6W+CyBFC
|
|
+Dfvp7OOGAN6dEOM4+qR9sdjoSYKEBpsr6GtPAQw4dy753ec5
|
|
+-----END CERTIFICATE-----
|
|
diff --git a/tests/040-pem/good.lets_encrypt_chain.pem b/tests/040-pem/good.lets_encrypt_chain.pem
|
|
new file mode 100644
|
|
index 0000000..29a16ff
|
|
--- /dev/null
|
|
+++ b/tests/040-pem/good.lets_encrypt_chain.pem
|
|
@@ -0,0 +1,93 @@
|
|
+-----BEGIN CERTIFICATE-----
|
|
+MIIFjTCCA3WgAwIBAgIRANOxciY0IzLc9AUoUSrsnGowDQYJKoZIhvcNAQELBQAw
|
|
+TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
|
|
+cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMTYxMDA2MTU0MzU1
|
|
+WhcNMjExMDA2MTU0MzU1WjBKMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNTGV0J3Mg
|
|
+RW5jcnlwdDEjMCEGA1UEAxMaTGV0J3MgRW5jcnlwdCBBdXRob3JpdHkgWDMwggEi
|
|
+MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCc0wzwWuUuR7dyXTeDs2hjMOrX
|
|
+NSYZJeG9vjXxcJIvt7hLQQWrqZ41CFjssSrEaIcLo+N15Obzp2JxunmBYB/XkZqf
|
|
+89B4Z3HIaQ6Vkc/+5pnpYDxIzH7KTXcSJJ1HG1rrueweNwAcnKx7pwXqzkrrvUHl
|
|
+Npi5y/1tPJZo3yMqQpAMhnRnyH+lmrhSYRQTP2XpgofL2/oOVvaGifOFP5eGr7Dc
|
|
+Gu9rDZUWfcQroGWymQQ2dYBrrErzG5BJeC+ilk8qICUpBMZ0wNAxzY8xOJUWuqgz
|
|
+uEPxsR/DMH+ieTETPS02+OP88jNquTkxxa/EjQ0dZBYzqvqEKbbUC8DYfcOTAgMB
|
|
+AAGjggFnMIIBYzAOBgNVHQ8BAf8EBAMCAYYwEgYDVR0TAQH/BAgwBgEB/wIBADBU
|
|
+BgNVHSAETTBLMAgGBmeBDAECATA/BgsrBgEEAYLfEwEBATAwMC4GCCsGAQUFBwIB
|
|
+FiJodHRwOi8vY3BzLnJvb3QteDEubGV0c2VuY3J5cHQub3JnMB0GA1UdDgQWBBSo
|
|
+SmpjBH3duubRObemRWXv86jsoTAzBgNVHR8ELDAqMCigJqAkhiJodHRwOi8vY3Js
|
|
+LnJvb3QteDEubGV0c2VuY3J5cHQub3JnMHIGCCsGAQUFBwEBBGYwZDAwBggrBgEF
|
|
+BQcwAYYkaHR0cDovL29jc3Aucm9vdC14MS5sZXRzZW5jcnlwdC5vcmcvMDAGCCsG
|
|
+AQUFBzAChiRodHRwOi8vY2VydC5yb290LXgxLmxldHNlbmNyeXB0Lm9yZy8wHwYD
|
|
+VR0jBBgwFoAUebRZ5nu25eQBc4AIiMgaWPbpm24wDQYJKoZIhvcNAQELBQADggIB
|
|
+ABnPdSA0LTqmRf/Q1eaM2jLonG4bQdEnqOJQ8nCqxOeTRrToEKtwT++36gTSlBGx
|
|
+A/5dut82jJQ2jxN8RI8L9QFXrWi4xXnA2EqA10yjHiR6H9cj6MFiOnb5In1eWsRM
|
|
+UM2v3e9tNsCAgBukPHAg1lQh07rvFKm/Bz9BCjaxorALINUfZ9DD64j2igLIxle2
|
|
+DPxW8dI/F2loHMjXZjqG8RkqZUdoxtID5+90FgsGIfkMpqgRS05f4zPbCEHqCXl1
|
|
+eO5HyELTgcVlLXXQDgAWnRzut1hFJeczY1tjQQno6f6s+nMydLN26WuU4s3UYvOu
|
|
+OsUxRlJu7TSRHqDC3lSE5XggVkzdaPkuKGQbGpny+01/47hfXXNB7HntWNZ6N2Vw
|
|
+p7G6OfY+YQrZwIaQmhrIqJZuigsrbe3W+gdn5ykE9+Ky0VgVUsfxo52mwFYs1JKY
|
|
+2PGDuWx8M6DlS6qQkvHaRUo0FMd8TsSlbF0/v965qGFKhSDeQoMpYnwcmQilRh/0
|
|
+ayLThlHLN81gSkJjVrPI0Y8xCVPB4twb1PFUd2fPM3sA1tJ83sZ5v8vgFv2yofKR
|
|
+PB0t6JzUA81mSqM3kxl5e+IZwhYAyO0OTg3/fs8HqGTNKd9BqoUwSRBzp06JMg5b
|
|
+rUCGwbCUDI0mxadJ3Bz4WxR6fyNpBK2yAinWEsikxqEt
|
|
+-----END CERTIFICATE-----
|
|
+-----BEGIN CERTIFICATE-----
|
|
+MIIFFjCCAv6gAwIBAgIRAJErCErPDBinU/bWLiWnX1owDQYJKoZIhvcNAQELBQAw
|
|
+TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
|
|
+cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMjAwOTA0MDAwMDAw
|
|
+WhcNMjUwOTE1MTYwMDAwWjAyMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNTGV0J3Mg
|
|
+RW5jcnlwdDELMAkGA1UEAxMCUjMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
|
|
+AoIBAQC7AhUozPaglNMPEuyNVZLD+ILxmaZ6QoinXSaqtSu5xUyxr45r+XXIo9cP
|
|
+R5QUVTVXjJ6oojkZ9YI8QqlObvU7wy7bjcCwXPNZOOftz2nwWgsbvsCUJCWH+jdx
|
|
+sxPnHKzhm+/b5DtFUkWWqcFTzjTIUu61ru2P3mBw4qVUq7ZtDpelQDRrK9O8Zutm
|
|
+NHz6a4uPVymZ+DAXXbpyb/uBxa3Shlg9F8fnCbvxK/eG3MHacV3URuPMrSXBiLxg
|
|
+Z3Vms/EY96Jc5lP/Ooi2R6X/ExjqmAl3P51T+c8B5fWmcBcUr2Ok/5mzk53cU6cG
|
|
+/kiFHaFpriV1uxPMUgP17VGhi9sVAgMBAAGjggEIMIIBBDAOBgNVHQ8BAf8EBAMC
|
|
+AYYwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMBIGA1UdEwEB/wQIMAYB
|
|
+Af8CAQAwHQYDVR0OBBYEFBQusxe3WFbLrlAJQOYfr52LFMLGMB8GA1UdIwQYMBaA
|
|
+FHm0WeZ7tuXkAXOACIjIGlj26ZtuMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcw
|
|
+AoYWaHR0cDovL3gxLmkubGVuY3Iub3JnLzAnBgNVHR8EIDAeMBygGqAYhhZodHRw
|
|
+Oi8veDEuYy5sZW5jci5vcmcvMCIGA1UdIAQbMBkwCAYGZ4EMAQIBMA0GCysGAQQB
|
|
+gt8TAQEBMA0GCSqGSIb3DQEBCwUAA4ICAQCFyk5HPqP3hUSFvNVneLKYY611TR6W
|
|
+PTNlclQtgaDqw+34IL9fzLdwALduO/ZelN7kIJ+m74uyA+eitRY8kc607TkC53wl
|
|
+ikfmZW4/RvTZ8M6UK+5UzhK8jCdLuMGYL6KvzXGRSgi3yLgjewQtCPkIVz6D2QQz
|
|
+CkcheAmCJ8MqyJu5zlzyZMjAvnnAT45tRAxekrsu94sQ4egdRCnbWSDtY7kh+BIm
|
|
+lJNXoB1lBMEKIq4QDUOXoRgffuDghje1WrG9ML+Hbisq/yFOGwXD9RiX8F6sw6W4
|
|
+avAuvDszue5L3sz85K+EC4Y/wFVDNvZo4TYXao6Z0f+lQKc0t8DQYzk1OXVu8rp2
|
|
+yJMC6alLbBfODALZvYH7n7do1AZls4I9d1P4jnkDrQoxB3UqQ9hVl3LEKQ73xF1O
|
|
+yK5GhDDX8oVfGKF5u+decIsH4YaTw7mP3GFxJSqv3+0lUFJoi5Lc5da149p90Ids
|
|
+hCExroL1+7mryIkXPeFM5TgO9r0rvZaBFOvV2z0gp35Z0+L4WPlbuEjN/lxPFin+
|
|
+HlUjr8gRsI3qfJOQFy/9rKIJR0Y/8Omwt/8oTWgy1mdeHmmjk7j1nYsvC9JSQ6Zv
|
|
+MldlTTKB3zhThV1+XWYp6rjd5JW1zbVWEkLNxE7GJThEUG3szgBVGP7pSWTUTsqX
|
|
+nLRbwHOoq7hHwg==
|
|
+-----END CERTIFICATE-----
|
|
+-----BEGIN CERTIFICATE-----
|
|
+MIIFYDCCBEigAwIBAgIQQAF3ITfU6UK47naqPGQKtzANBgkqhkiG9w0BAQsFADA/
|
|
+MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
|
|
+DkRTVCBSb290IENBIFgzMB4XDTIxMDEyMDE5MTQwM1oXDTI0MDkzMDE4MTQwM1ow
|
|
+TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
|
|
+cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwggIiMA0GCSqGSIb3DQEB
|
|
+AQUAA4ICDwAwggIKAoICAQCt6CRz9BQ385ueK1coHIe+3LffOJCMbjzmV6B493XC
|
|
+ov71am72AE8o295ohmxEk7axY/0UEmu/H9LqMZshftEzPLpI9d1537O4/xLxIZpL
|
|
+wYqGcWlKZmZsj348cL+tKSIG8+TA5oCu4kuPt5l+lAOf00eXfJlII1PoOK5PCm+D
|
|
+LtFJV4yAdLbaL9A4jXsDcCEbdfIwPPqPrt3aY6vrFk/CjhFLfs8L6P+1dy70sntK
|
|
+4EwSJQxwjQMpoOFTJOwT2e4ZvxCzSow/iaNhUd6shweU9GNx7C7ib1uYgeGJXDR5
|
|
+bHbvO5BieebbpJovJsXQEOEO3tkQjhb7t/eo98flAgeYjzYIlefiN5YNNnWe+w5y
|
|
+sR2bvAP5SQXYgd0FtCrWQemsAXaVCg/Y39W9Eh81LygXbNKYwagJZHduRze6zqxZ
|
|
+Xmidf3LWicUGQSk+WT7dJvUkyRGnWqNMQB9GoZm1pzpRboY7nn1ypxIFeFntPlF4
|
|
+FQsDj43QLwWyPntKHEtzBRL8xurgUBN8Q5N0s8p0544fAQjQMNRbcTa0B7rBMDBc
|
|
+SLeCO5imfWCKoqMpgsy6vYMEG6KDA0Gh1gXxG8K28Kh8hjtGqEgqiNx2mna/H2ql
|
|
+PRmP6zjzZN7IKw0KKP/32+IVQtQi0Cdd4Xn+GOdwiK1O5tmLOsbdJ1Fu/7xk9TND
|
|
+TwIDAQABo4IBRjCCAUIwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYw
|
|
+SwYIKwYBBQUHAQEEPzA9MDsGCCsGAQUFBzAChi9odHRwOi8vYXBwcy5pZGVudHJ1
|
|
+c3QuY29tL3Jvb3RzL2RzdHJvb3RjYXgzLnA3YzAfBgNVHSMEGDAWgBTEp7Gkeyxx
|
|
++tvhS5B1/8QVYIWJEDBUBgNVHSAETTBLMAgGBmeBDAECATA/BgsrBgEEAYLfEwEB
|
|
+ATAwMC4GCCsGAQUFBwIBFiJodHRwOi8vY3BzLnJvb3QteDEubGV0c2VuY3J5cHQu
|
|
+b3JnMDwGA1UdHwQ1MDMwMaAvoC2GK2h0dHA6Ly9jcmwuaWRlbnRydXN0LmNvbS9E
|
|
+U1RST09UQ0FYM0NSTC5jcmwwHQYDVR0OBBYEFHm0WeZ7tuXkAXOACIjIGlj26Ztu
|
|
+MA0GCSqGSIb3DQEBCwUAA4IBAQAKcwBslm7/DlLQrt2M51oGrS+o44+/yQoDFVDC
|
|
+5WxCu2+b9LRPwkSICHXM6webFGJueN7sJ7o5XPWioW5WlHAQU7G75K/QosMrAdSW
|
|
+9MUgNTP52GE24HGNtLi1qoJFlcDyqSMo59ahy2cI2qBDLKobkx/J3vWraV0T9VuG
|
|
+WCLKTVXkcGdtwlfFRjlBz4pYg1htmf5X6DYO8A4jqv2Il9DjXA6USbW1FzXSLr9O
|
|
+he8Y4IWS6wY7bCkjCWDcRQJMEhg76fsO3txE+FiYruq9RUWhiF1myv4Q6W+CyBFC
|
|
+Dfvp7OOGAN6dEOM4+qR9sdjoSYKEBpsr6GtPAQw4dy753ec5
|
|
+-----END CERTIFICATE-----
|
|
diff --git a/tests/040-pem/run.sh b/tests/040-pem/run.sh
|
|
new file mode 100755
|
|
index 0000000..1d4d1f4
|
|
--- /dev/null
|
|
+++ b/tests/040-pem/run.sh
|
|
@@ -0,0 +1,21 @@
|
|
+#!/bin/bash -e
|
|
+
|
|
+cd "$tmpdir"
|
|
+cp -p "$srcdir"/040-pem/bad.* $tmpdir
|
|
+base64 -d < "$tmpdir"/bad.isrg-root-x1-cross-signed.der.b64 > "$tmpdir"/bad.isrg-root-x1-cross-signed.der
|
|
+rm -f "$tmpdir"/bad.isrg-root-x1-cross-signed.der.b64
|
|
+
|
|
+for good in "$srcdir"/040-pem/good.* ; do
|
|
+ if ! "$toolsdir"/pem "$good" ; then
|
|
+ exit 1
|
|
+ fi
|
|
+done
|
|
+for bad in "$tmpdir"/bad.* bad.notfound; do
|
|
+ if "$toolsdir"/pem "$bad" > /dev/null; then
|
|
+ echo unexpected success with `basename "$bad"`
|
|
+ exit 1
|
|
+ else
|
|
+ echo got expected error with `basename "$bad"`
|
|
+ fi
|
|
+done
|
|
+echo OK
|
|
diff --git a/tests/Makefile.am b/tests/Makefile.am
|
|
index 013d34b..e20b6d8 100644
|
|
--- a/tests/Makefile.am
|
|
+++ b/tests/Makefile.am
|
|
@@ -132,6 +132,8 @@ CLEANFILES = \
|
|
038-ms-v2-template/actual.err \
|
|
039-fromfile/actual.out \
|
|
039-fromfile/actual.err
|
|
+ 040-pem/actual.out \
|
|
+ 040-pem/actual.err
|
|
EXTRA_DIST = \
|
|
run-tests.sh functions certmonger.conf tools/cachain.sh \
|
|
001-keyiread/run.sh \
|
|
@@ -353,7 +355,8 @@ EXTRA_DIST = \
|
|
038-ms-v2-template/expected.out \
|
|
038-ms-v2-template/extract-extdata.py \
|
|
038-ms-v2-template/run.sh \
|
|
- 039-fromfile/run.sh
|
|
+ 039-fromfile/run.sh \
|
|
+ 040-pem/run.sh
|
|
|
|
subdirs = \
|
|
001-keyiread \
|
|
@@ -388,7 +391,8 @@ subdirs = \
|
|
036-getcert \
|
|
037-rekey2 \
|
|
038-ms-v2-template \
|
|
- 039-fromfile
|
|
+ 039-fromfile \
|
|
+ 040-pem
|
|
|
|
if HAVE_DBM_NSSDB
|
|
subdirs += \
|
|
diff --git a/tests/tools/Makefile.am b/tests/tools/Makefile.am
|
|
index 53f658e..1a01ee6 100644
|
|
--- a/tests/tools/Makefile.am
|
|
+++ b/tests/tools/Makefile.am
|
|
@@ -16,7 +16,8 @@ endif
|
|
noinst_PROGRAMS = keyiread keygen csrgen submit certread certsave oid2name \
|
|
name2oid iterate prefs dates listnicks pem2base base2pem \
|
|
dparse payload checksig base64 cadata citerate casave hooks \
|
|
- libexecdir canon srv addcinfo ls json json-utf8 printenv fromfile
|
|
+ libexecdir canon srv addcinfo ls json json-utf8 printenv fromfile \
|
|
+ pem
|
|
noinst_LIBRARIES = libtools.a
|
|
if HAVE_OPENSSL
|
|
noinst_PROGRAMS += pk7parse pk7env scepgen pk7verify pk7decrypt
|
|
diff --git a/tests/tools/pem.c b/tests/tools/pem.c
|
|
new file mode 100644
|
|
index 0000000..4fdd4f4
|
|
--- /dev/null
|
|
+++ b/tests/tools/pem.c
|
|
@@ -0,0 +1,69 @@
|
|
+/*
|
|
+ * Copyright (C) 2021 Red Hat, Inc.
|
|
+ *
|
|
+ * This program is free software: you can redistribute it and/or modify
|
|
+ * it under the terms of the GNU General Public License as published by
|
|
+ * the Free Software Foundation, either version 3 of the License, or
|
|
+ * (at your option) any later version.
|
|
+ *
|
|
+ * This program is distributed in the hope that it will be useful,
|
|
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
+ * GNU General Public License for more details.
|
|
+ *
|
|
+ * You should have received a copy of the GNU General Public License
|
|
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
|
|
+ */
|
|
+
|
|
+#include "../../src/config.h"
|
|
+
|
|
+#include <sys/types.h>
|
|
+#include <errno.h>
|
|
+#include <fcntl.h>
|
|
+#ifdef HAVE_INTTYPES_H
|
|
+#include <inttypes.h>
|
|
+#endif
|
|
+#include <stdio.h>
|
|
+#include <stdint.h>
|
|
+#include <stdlib.h>
|
|
+#include <string.h>
|
|
+#include <unistd.h>
|
|
+
|
|
+#include <popt.h>
|
|
+
|
|
+#include <talloc.h>
|
|
+
|
|
+#include "../../src/util-o.h"
|
|
+
|
|
+int
|
|
+main(int argc, const char **argv)
|
|
+{
|
|
+ const char *filename;
|
|
+ void *parent;
|
|
+ int i, ret = 0;
|
|
+ poptContext pctx;
|
|
+ struct poptOption popts[] = {
|
|
+ POPT_AUTOHELP
|
|
+ POPT_TABLEEND
|
|
+ };
|
|
+
|
|
+ parent = talloc_new(NULL);
|
|
+ pctx = poptGetContext("pem", argc, argv, popts, 0);
|
|
+ while ((i = poptGetNextOpt(pctx)) > 0) {
|
|
+ continue;
|
|
+ }
|
|
+ if (i != -1) {
|
|
+ poptPrintUsage(pctx, stdout, 0);
|
|
+ return 1;
|
|
+ }
|
|
+ while ((filename = poptGetArg(pctx)) != NULL) {
|
|
+ if (validate_pem(parent, (char *)filename) == 0) {
|
|
+ printf("OK\n");
|
|
+ } else {
|
|
+ ret = 1;
|
|
+ }
|
|
+ }
|
|
+ talloc_free(parent);
|
|
+ poptFreeContext(pctx);
|
|
+ return ret;
|
|
+}
|
|
--
|
|
2.31.1
|
|
|