Context Navigation

← Previous Change
Next Change →

Changeset c0bb823 in mod_gnutls for test

Timestamp:

Jan 30, 2016, 4:45:41 PM (4 years ago)

Author:

Thomas Klute <thomas2.klute@…>

Branches:

debian/master, debian/stretch-backports, jessie-backports, master, upstream

Children:

dc55c77

Parents:

4d2d182

Message:

Test suite: Create rogue client certificate for client auth test

Test case 18 (verification of a client certificate not issued by the
accepted CA) used the Rogue CA certificate as a client
certificate. However, recent gnutls-cli (from GnuTLS git at the time
of this commit) detects the constraint violation and rejects the
certificate, so the test fails before mod_gnutls can check the
certificate. Create a rougue client certificate with correct
constraints to make the test work as expected.

Location:

test

Files:

: 1 added
: 4 edited

.gitignore (modified) (2 diffs)
Makefile.am (modified) (1 diff)
rogueclient.template.in (added)
test_ca.mk (modified) (1 diff)
tests/18_client_verification_wrong_cert/gnutls-cli.args (modified) (1 diff)

Legend:

: Unmodified
: Added
: Removed

test/.gitignore

-                      r4d2d182
+                      rc0bb823
 imposter
 rogueca
+rogueclient
 client.uid
 server.uid
 …
 authority.template
 imposter.template
+rogueclient.template
 msva.gnupghome
 *.log

test/Makefile.am

-                      r4d2d182
+                      rc0bb823
 # Identities in the miniature CA, server, and client environment for
 # the test suite
+identities = server authority client imposter rogueca
+shared_identities = server authority client imposter rogueca
+pgp_identities = $(shared_identities)
+x509_only_identities = rogueclient
+x509_identities = $(shared_identities) $(x509_only_identities)
+identities = $(shared_identities) $(x509_only_identities)
 # Append strings after ":=" to each identity to generate a list of
 # necessary files
 pgp_tokens = $(identities:=/secring.gpg) $(identities:=/cert.pgp) \
         $(identities:=/secret.pgp)
 x509_keys = $(identities:=/secret.key)
 x509_certs = $(identities:=/x509.pem)
+pgp_tokens = $(pgp_identities:=/secring.gpg) $(pgp_identities:=/cert.pgp) \
+        $(pgp_identities:=/secret.pgp)
+x509_keys = $(x509_identities:=/secret.key)
+x509_certs = $(x509_identities:=/x509.pem)
 x509_tokens = $(x509_certs) $(x509_keys)
 tokens = $(x509_tokens) $(pgp_tokens)

test/test_ca.mk

-                      r4d2d182
+                      rc0bb823
         certtool --generate-request --load-privkey $(dir $@)secret.key --template $< > $@
+# normal case: certificates signed by test CA
 %/x509.pem: %.template %/cert-request authority/secret.key authority/x509.pem
         certtool --generate-certificate --load-ca-certificate authority/x509.pem --load-ca-privkey authority/secret.key --load-request $(dir $@)cert-request --template $< > $@
+# error case: certificates signed by rogue CA
+rogue%/x509.pem: rogue%.template rogue%/cert-request rogueca/x509.pem
+        certtool --generate-certificate --load-ca-certificate rogueca/x509.pem --load-ca-privkey rogueca/secret.key --load-request $(dir $@)cert-request --template $< > $@
 %/softhsm.db: %/x509.pem %/secret.key

test/tests/18_client_verification_wrong_cert/gnutls-cli.args

r4d2d182	rc0bb823
1		--x509certfile=rogueca/x509.pem
2		--x509keyfile=rogueca/secret.key
	1	--x509certfile=rogueclient/x509.pem
	2	--x509keyfile=rogueclient/secret.key
3	3	--x509cafile=authority/x509.pem
4	4	--priority=NORMAL

Note: See TracChangeset for help on using the changeset viewer.