From ce234fd1b0c01e6e5fc7794888571f3fc699b7b4 Mon Sep 17 00:00:00 2001 From: Nalin Dahyabhai Date: Apr 09 2015 22:04:07 +0000 Subject: Read nsCertType extension, write EnrollmentProfile Read the nsCertType extension from certificates and cache it, and learn to generate a nsCertType extension request. Don't expose it in the UI or over the bus, at least not yet, since the extension itself is deprecated. We may need it for the sake of OpenVPN use cases. When we have a template/profile name, go ahead and add it as a requested value for the enrollment certificate type in signing requests, in case it ends up being needed for implementing IPA ticket #57. It _should_ be ignored, like other extension requests, otherwise. --- diff --git a/src/certext.c b/src/certext.c index 57ee716..c4e741c 100644 --- a/src/certext.c +++ b/src/certext.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2009,2011,2012,2013,2014 Red Hat, Inc. + * Copyright (C) 2009,2011,2012,2013,2014,2015 Red Hat, Inc. * * This program is free software: you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by 
@@ -315,26 +315,26 @@ cm_certext_read_ku(struct cm_store_entry *entry, PLArenaPool *arena,
}
}
-/* Build a keyUsage extension value from a string, with each bit being
+/* Build a BitString extension value from a string, with each bit being
* represented by either a "1" or a "0", most significant bit first. */
static SECItem *
-cm_certext_build_ku(struct cm_store_entry *entry, PLArenaPool *arena,
- const char *ku_value)
+cm_certext_build_bitstring(struct cm_store_entry *entry, PLArenaPool *arena,
+ const char *bitstring)
{
SECItem *ret, encoded, *bits;
unsigned int i, used, val, len;
- if ((ku_value == NULL) || (strlen(ku_value) == 0)) {
+ if ((bitstring == NULL) || (strlen(bitstring) == 0)) {
/* Nothing to encode, so don't include this extension. */
return NULL;
}
- len = strlen(ku_value) + 1;
+ len = strlen(bitstring) + 1;
bits = SECITEM_AllocItem(arena, NULL, len);
memset(bits->data, '\0', len);
for (i = 0, used = 0;
- (ku_value != NULL) && (ku_value[i] != '\0');
+ (bitstring != NULL) && (bitstring[i] != '\0');
i++) {
- val = ((ku_value[i] == '1') ? 0x80 : 0x00) >> (i % 8);
+ val = ((bitstring[i] == '1') ? 0x80 : 0x00) >> (i % 8);
bits->data[i / 8] |= val;
if (val != 0) {
used = i + 1;
@@ -353,6 +353,15 @@ cm_certext_build_ku(struct cm_store_entry *entry, PLArenaPool *arena,
return ret;
}
+/* Build a keyUsage extension value from a string, with each bit being
+ * represented by either a "1" or a "0", most significant bit first. */
+static SECItem *
+cm_certext_build_ku(struct cm_store_entry *entry, PLArenaPool *arena,
+ const char *ku_value)
+{
+ return cm_certext_build_bitstring(entry, arena, ku_value);
+}
+
/* Convert an OID to a printable string. For now, we're limited to components
* that will fit into a "long". */
static char *
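Review bot: `bits = SECITEM_AllocItem(arena, NULL, len);` is dereferenced by the `memset` on the next line without a NULL check, and this routine is now the shared encoder for both keyUsage and the new nsCertType request, so an allocation failure here becomes a crash on two paths instead of one; `if (bits == NULL) { return NULL; }` before the memset matches how the function already bails out for an empty string. Two smaller points of style in the same lines: the `(bitstring != NULL)` test in the `for` condition is dead after the guard at the top, and `len = strlen(bitstring) + 1` reserves one byte per bit character rather than one per eight, which is harmless but worth a comment if it is intentional (`/* over-allocates: one byte per bit, trimmed by used below */`). The part of the function that encodes `used` bits into `ret` sits between the two hunks and is not visible here.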
@@ -1546,6 +1555,86 @@ cm_certext_build_ocsp_no_check(struct cm_store_entry *entry,
return item;
}
+/* Build a Microsoft certtype extension value. */
+static SECItem *
+cm_certext_build_profile(struct cm_store_entry *entry,
+ PLArenaPool *arena,
+ char *profile)
+{
+ SECItem value, encoded, *item;
+ unsigned int len = 0;
+
+ if (strlen(profile) == 0) {
+ return NULL;
+ }
+ memset(&value, 0, sizeof(value));
+ memset(&encoded, 0, sizeof(encoded));
+ if (cm_store_utf8_to_bmp_string(profile, &value.data, &len) != -1) {
+ value.len = len;
+ if (SEC_ASN1EncodeItem(arena, &encoded, &value,
+ SEC_BMPStringTemplate) == &encoded) {
+ item = SECITEM_ArenaDupItem(arena, &encoded);
+ } else {
+ item = NULL;
+ }
+ free(value.data);
+ } else {
+ item = NULL;
+ }
+ return item;
+}
+
+/* Build a Netscape certtype extension value. */
+static SECItem *
+cm_certext_build_ns_certtype(struct cm_store_entry *entry,
+ PLArenaPool *arena,
+ char *certtype)
+{
+ char bitstring[] = "00000000";
+ char *p, *q;
+ int len = 0;
+
+ if (strlen(certtype) == 0) {
+ return NULL;
+ }
+ p = certtype;
+ while (*p != '\0') {
+ q = p + strcspn(p, ",");
+ if (strncasecmp(p, "client", q - p) == 0) {
+ bitstring[0] = '1';
+ } else
+ if (strncasecmp(p, "server", q - p) == 0) {
+ bitstring[1] = '1';
+ } else
+ if (strncasecmp(p, "email", q - p) == 0) {
+ bitstring[2] = '1';
+ } else
+ if (strncasecmp(p, "objsign", q - p) == 0) {
+ bitstring[3] = '1';
+ } else
+ if (strncasecmp(p, "reserved", q - p) == 0) {
+ bitstring[4] = '1';
+ } else
+ if (strncasecmp(p, "sslca", q - p) == 0) {
+ bitstring[5] = '1';
+ } else
+ if (strncasecmp(p, "emailca", q - p) == 0) {
+ bitstring[6] = '1';
+ } else
+ if (strncasecmp(p, "objca", q - p) == 0) {
+ bitstring[7] = '1';
+ }
+ p = q + strspn(q, ",");
+ }
+ if (strchr(bitstring, '1') != NULL) {
+ len = strrchr(bitstring, '1') - bitstring;
+ p[len + 1] = '\0';
+ return cm_certext_build_bitstring(entry, arena, bitstring);
+ } else {
+ return NULL;
+ }
+}
+
/* Build a
requestedExtensions attribute. */
void
cm_certext_build_csr_extensions(struct cm_store_entry *entry,
@@ -1553,7 +1642,7 @@ cm_certext_build_csr_extensions(struct cm_store_entry *entry,
unsigned char **extensions, size_t *length)
{
PLArenaPool *arena;
- CERTCertExtension ext[11], *exts[12], **exts_ptr;
+ CERTCertExtension ext[13], *exts[14], **exts_ptr;
SECOidData *oid;
SECItem *item, encoded;
SECItem der_false = {
@@ -1730,6 +1819,30 @@ cm_certext_build_csr_extensions(struct cm_store_entry *entry,
i++;
}
}
+ if (entry->cm_template_profile != NULL) {
+ oid = (SECOidData *) &oid_microsoft_certtype;
+ item = cm_certext_build_profile(entry, arena,
+ entry->cm_template_profile);
+ if ((item != NULL) && (oid != NULL)) {
+ ext[i].id = oid->oid;
+ ext[i].critical = der_false;
+ ext[i].value = *item;
+ exts[i] = &ext[i];
+ i++;
+ }
+ }
+ if (entry->cm_template_ns_certtype != NULL) {
+ oid = SECOID_FindOIDByTag(SEC_OID_NS_CERT_EXT_CERT_TYPE);
+ item = cm_certext_build_ns_certtype(entry, arena,
+ entry->cm_template_ns_certtype);
+ if ((item != NULL) && (oid != NULL)) {
+ ext[i].id = oid->oid;
+ ext[i].critical = der_false;
+ ext[i].value = *item;
+ exts[i] = &ext[i];
+ i++;
+ }
+ }
exts[i++] = NULL;
exts_ptr = exts;
/* Encode the sequence. */
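Review bot: `p[len + 1] = '\0';` in cm_certext_build_ns_certtype writes past the end of the caller's string: when the `while (*p != '\0')` loop exits, `p` points at the terminating NUL of `certtype`, so this stores a byte one to eight positions beyond the end of `entry->cm_template_ns_certtype` — a heap write into whatever follows that talloc'd buffer, triggered by a value read straight from the entry file. The intent is evidently to trim the trailing zeros of the local `bitstring`, so it should be `bitstring[len + 1] = '\0';`, or be dropped altogether since cm_certext_build_bitstring already records the last set bit in `used`. The token matching is also looser than it looks: `strncasecmp(p, "client", q - p)` compares only `q - p` characters, so a partial token such as `cli` matches, and an empty token (a leading comma, as in `,server`) compares zero characters and sets the client bit; checking the token length as well fixes both, and a name table makes the eight-way chain shorter.

```c
	static const char *names[] = { "client", "server", "email", "objsign",
				       "reserved", "sslca", "emailca", "objca" };
	unsigned int b;
	/* … unchanged: declarations, empty-string guard, p = certtype … */
	while (*p != '\0') {
		q = p + strcspn(p, ",");
		/* Only a whole, non-empty token may set a bit. */
		for (b = 0; b < 8; b++) {
			if (((size_t) (q - p) == strlen(names[b])) &&
			    (strncasecmp(p, names[b], q - p) == 0)) {
				bitstring[b] = '1';
				break;
			}
		}
		p = q + strspn(q, ",");
	}
	if (strchr(bitstring, '1') != NULL) {
		len = strrchr(bitstring, '1') - bitstring;
		bitstring[len + 1] = '\0';
		return cm_certext_build_bitstring(entry, arena, bitstring);
	}
	/* … unchanged: else return NULL … */
```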
@@ -1928,6 +2041,76 @@ cm_certext_read_profile(struct cm_store_entry *entry, PLArenaPool *arena,
}
}
+static void
+cm_certext_read_ns_certtype(struct cm_store_entry *entry, PLArenaPool *arena,
+ CERTCertExtension *ext)
+{
+ SECItem item;
+ unsigned int i, bit;
+ char *tmp = NULL, *t = NULL;
+
+ if (SEC_ASN1DecodeItem(arena, &item, SEC_BitStringTemplate,
+ &ext->value) == SECSuccess) {
+ /* A bitString decodes with length == number of bits, not
+ * bytes, which is what we want anyway. */
+ tmp = talloc_zero_size(entry, item.len + 1);
+ for (i = 0; i < item.len; i++) {
+ bit = (item.data[i / 8] & (0x80 >> (i % 8))) ? 1 : 0;
+ sprintf(tmp + i, "%.*u", 1, bit);
+ }
+ }
+ talloc_free(entry->cm_cert_ns_certtype);
+ entry->cm_cert_ns_certtype = NULL;
+ if (tmp == NULL) {
+ return;
+ }
+ t = talloc_strdup(entry, "");
+ if ((tmp != NULL) && (strlen(tmp) > 0)) {
+ if (tmp[0] == '1') {
+ t = talloc_strdup_append(t, ",client");
+ }
+ }
+ if ((tmp != NULL) && (strlen(tmp) > 1)) {
+ if (tmp[1] == '1') {
+ t = talloc_strdup_append(t, ",server");
+ }
+ }
+ if ((tmp != NULL) && (strlen(tmp) > 2)) {
+ if (tmp[2] == '1') {
+ t = talloc_strdup_append(t, ",email");
+ }
+ }
+ if ((tmp != NULL) && (strlen(tmp) > 3)) {
+ if (tmp[3] == '1') {
+ t = talloc_strdup_append(t, ",objsign");
+ }
+ }
+ if ((tmp != NULL) && (strlen(tmp) > 4)) {
+ if (tmp[4] == '1') {
+ t = talloc_strdup_append(t, ",reserved");
+ }
+ }
+ if ((tmp != NULL) && (strlen(tmp) > 5)) {
+ if (tmp[5] == '1') {
+ t = talloc_strdup_append(t, ",sslCA");
+ }
+ }
+ if ((tmp != NULL) && (strlen(tmp) > 6)) {
+ if (tmp[6] == '1') {
+ t = talloc_strdup_append(t, ",emailCA");
+ }
+ }
+ if ((tmp != NULL) && (strlen(tmp) > 7)) {
+ if (tmp[7] == '1') {
+ t = talloc_strdup_append(t, ",objCA");
+ }
+ }
+ if (strlen(t) > 0) {
+ entry->cm_cert_ns_certtype = talloc_strdup(entry, t + 1);
+ }
+ talloc_free(t);
+}
+
/* Read the extensions from a certificate. */
void
cm_certext_read_extensions(struct cm_store_entry *entry, PLArenaPool *arena,
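Review bot: `tmp = talloc_zero_size(entry, item.len + 1);` is written to by the `sprintf` loop before the `if (tmp == NULL)` check that follows it, so an allocation failure dereferences NULL here rather than taking the early return; also `tmp` is never freed, so because it is parented on `entry` each certificate read leaves a `item.len + 1` byte buffer alive until the entry itself is released, while `t` is freed correctly. Both the bit count and `item.data` come from the certificate under inspection, so this is untrusted input driving the allocation size. As a point of style, `sprintf(tmp + i, "%.*u", 1, bit)` is a roundabout `tmp[i] = bit ? '1' : '0';`, and the eight hand-unrolled `if` blocks (with their redundant `tmp != NULL` tests after the early return) collapse to a loop over a name table.

```c
	static const char *names[] = { "client", "server", "email", "objsign",
				       "reserved", "sslCA", "emailCA", "objCA" };
	/* … unchanged: declarations and the SEC_ASN1DecodeItem call … */
		tmp = talloc_zero_size(entry, item.len + 1);
		for (i = 0; (tmp != NULL) && (i < item.len); i++) {
			tmp[i] = (item.data[i / 8] & (0x80 >> (i % 8))) ? '1' : '0';
		}
	/* … unchanged: reset of entry->cm_cert_ns_certtype, tmp == NULL return … */
	t = talloc_strdup(entry, "");
	/* Only the first eight bits are named; anything beyond is ignored. */
	for (i = 0; (i < 8) && (tmp[i] != '\0'); i++) {
		if (tmp[i] == '1') {
			t = talloc_strdup_append(t, ",");
			t = talloc_strdup_append(t, names[i]);
		}
	}
	if (strlen(t) > 0) {
		entry->cm_cert_ns_certtype = talloc_strdup(entry, t + 1);
	}
	talloc_free(t);
	talloc_free(tmp);
```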
@@ -1937,7 +2120,7 @@ cm_certext_read_extensions(struct cm_store_entry *entry, PLArenaPool *arena,
PLArenaPool *local_arena;
SECOidData *ku_oid, *eku_oid, *san_oid, *freshest_crl_oid;
SECOidData *basic_oid, *nsc_oid, *aia_oid, *crldp_oid, *profile_oid;
- SECOidData *no_ocsp_check_oid;
+ SECOidData *no_ocsp_check_oid, *ns_certtype_oid;
if (extensions == NULL) {
return;
@@ -2006,6 +2189,12 @@ cm_certext_read_extensions(struct cm_store_entry *entry, PLArenaPool *arena,
return;
}
profile_oid = (SECOidData *) &oid_microsoft_certtype;
+ ns_certtype_oid = SECOID_FindOIDByTag(SEC_OID_NS_CERT_EXT_CERT_TYPE);
+ if (ns_certtype_oid == NULL) {
+ cm_log(1, "Internal library error: unable to look up OID for "
+ "nsCertType extension.\n");
+ return;
+ }
entry->cm_cert_no_ocsp_check = FALSE;
for (i = 0; extensions[i] != NULL; i++) {
if (SECITEM_ItemsAreEqual(&ku_oid->oid, &extensions[i]->id)) {
@@ -2043,6 +2232,10 @@ cm_certext_read_extensions(struct cm_store_entry *entry, PLArenaPool *arena,
&extensions[i]->id)) {
entry->cm_cert_no_ocsp_check = TRUE;
}
+ if (SECITEM_ItemsAreEqual(&ns_certtype_oid->oid,
+ &extensions[i]->id)) {
+ cm_certext_read_ns_certtype(entry, arena, extensions[i]);
+ }
}
if (arena == local_arena) {
PORT_FreeArena(local_arena, PR_TRUE);
diff --git a/src/certread.c b/src/certread.c
index f054356..fb02996 100644
--- a/src/certread.c
+++ b/src/certread.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2009,2010,2012,2014 Red Hat, Inc.
+ * Copyright (C) 2009,2010,2012,2014,2015 Red Hat, Inc.
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
@@ -181,6 +181,8 @@ cm_certread_write_data_to_pipe(struct cm_store_entry *entry, FILE *fp)
p = (unsigned char *) entry->cm_cert_profile;
fprintf(fp, " %s\n", p ? cm_store_base64_from_bin(NULL, p, -1) : "");
fprintf(fp, " %d\n", entry->cm_cert_no_ocsp_check ? 1 : 0);
+ p = (unsigned char *) entry->cm_cert_ns_certtype;
+ fprintf(fp, " %s\n", p ? cm_store_base64_from_bin(NULL, p, -1) : "");
fprintf(fp, " %s\n", entry->cm_cert ?: "");
}
@@ -428,6 +430,14 @@ cm_certread_read_data_from_buffer(struct cm_store_entry *entry, const char *p)
entry->cm_cert_no_ocsp_check = (p != q) ? (atoi(p) != 0) : 0;
break;
case 23:
+ talloc_free(entry->cm_cert_ns_certtype);
+ entry->cm_cert_ns_certtype = (p == q) ? NULL :
+ cm_store_base64_as_bin(entry,
+ p,
+ q - p,
+ NULL);
+ break;
+ case 24:
talloc_free(entry->cm_cert);
entry->cm_cert = (p[strspn(p, " \r\n")] == '\0') ? NULL :
diff --git a/src/store-files.c b/src/store-files.c
index fcdb0ad..ade836f 100644
--- a/src/store-files.c
+++ b/src/store-files.c
@@ -98,6 +98,7 @@ enum cm_store_file_field {
cm_store_entry_field_cert_ns_comment,
cm_store_entry_field_cert_profile,
cm_store_entry_field_cert_no_ocsp_check,
+ cm_store_entry_field_cert_ns_certtype,
cm_store_entry_field_last_expiration_check,
cm_store_entry_field_last_need_notify_check,
@@ -119,6 +120,7 @@ enum cm_store_file_field {
cm_store_entry_field_template_ns_comment,
cm_store_entry_field_template_profile,
cm_store_entry_field_template_no_ocsp_check,
+ cm_store_entry_field_template_ns_certtype,
cm_store_entry_field_challenge_password,
cm_store_entry_field_challenge_password_file,
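Review bot: The new record field is spliced into the middle of the pipe format, which renumbers the certificate itself from `case 23` to `case 24`; the writer and reader agree within this file, but nothing ties the `fprintf` order to the `case` labels, so a comment above the new write such as `/* field 23: nsCertType names, base64 of e.g. "client,email"; the PEM cert itself is now field 24 */` would make the next insertion less error-prone. The added `cm_store_base64_from_bin(NULL, p, -1)` copies the line above it; if that helper allocates under the talloc parent it is given, a NULL parent means the encoded string is never released, which only matters if this writer runs in a long-lived process rather than a short-lived helper — worth confirming. Both enclosing functions start outside the hunk.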
@@ -258,6 +260,7 @@ static struct cm_store_file_field_list { {cm_store_entry_field_cert_ns_comment, "cert_ns_comment"}, {cm_store_entry_field_cert_profile, "cert_profile"}, {cm_store_entry_field_cert_no_ocsp_check, "cert_no_ocsp_check"}, + {cm_store_entry_field_cert_ns_certtype, "cert_ns_certtype"}, {cm_store_entry_field_last_expiration_check, "last_expiration_check"}, {cm_store_entry_field_last_need_notify_check, "last_need_notify_check"}, @@ -280,6 +283,7 @@ static struct cm_store_file_field_list { {cm_store_entry_field_template_profile, "template_profile"}, /* right */ {cm_store_entry_field_template_profile, "ca_profile"}, /* wrong */ {cm_store_entry_field_template_no_ocsp_check, "template_no_ocsp_check"}, + {cm_store_entry_field_template_ns_certtype, "template_ns_certtype"}, {cm_store_entry_field_challenge_password, "template_challenge_password"}, /* right */ {cm_store_entry_field_challenge_password, "challenge_password"}, /* wrong */ @@ -945,6 +949,9 @@ cm_store_entry_read(void *parent, const char *filename, FILE *fp) ret->cm_cert_no_ocsp_check = atoi(p) != 0; talloc_free(p); break; + case cm_store_entry_field_cert_ns_certtype: + ret->cm_cert_ns_certtype = free_if_empty(p); + break; case cm_store_entry_field_last_expiration_check: /* backward compatibility before we split them * into two settings */ @@ -1022,6 +1029,9 @@ cm_store_entry_read(void *parent, const char *filename, FILE *fp) ret->cm_template_no_ocsp_check = atoi(p) != 0; talloc_free(p); break; + case cm_store_entry_field_template_ns_certtype: + ret->cm_template_ns_certtype = free_if_empty(p); + break; case cm_store_entry_field_challenge_password: ret->cm_template_challenge_password = free_if_empty(p); break; 
@@ -1225,6 +1235,7 @@ cm_store_ca_read(void *parent, const char *filename, FILE *fp) case cm_store_entry_field_cert_ns_comment: case cm_store_entry_field_cert_profile: case cm_store_entry_field_cert_no_ocsp_check: + case cm_store_entry_field_cert_ns_certtype: case cm_store_entry_field_last_expiration_check: case cm_store_entry_field_last_need_notify_check: case cm_store_entry_field_last_need_enroll_check: @@ -1244,6 +1255,7 @@ cm_store_ca_read(void *parent, const char *filename, FILE *fp) case cm_store_entry_field_template_ns_comment: case cm_store_entry_field_template_profile: case cm_store_entry_field_template_no_ocsp_check: + case cm_store_entry_field_template_ns_certtype: case cm_store_entry_field_challenge_password: case cm_store_entry_field_challenge_password_file: case cm_store_entry_field_csr: @@ -1762,6 +1774,8 @@ cm_store_entry_write(FILE *fp, struct cm_store_entry *entry) entry->cm_cert_ns_comment); cm_store_file_write_str(fp, cm_store_entry_field_cert_profile, entry->cm_cert_profile); + cm_store_file_write_str(fp, cm_store_entry_field_cert_ns_certtype, + entry->cm_cert_ns_certtype); cm_store_file_write_int(fp, cm_store_entry_field_cert_no_ocsp_check, entry->cm_cert_no_ocsp_check ? 1 : 0); @@ -1804,6 +1818,8 @@ cm_store_entry_write(FILE *fp, struct cm_store_entry *entry) entry->cm_template_profile); cm_store_file_write_int(fp, cm_store_entry_field_template_no_ocsp_check, entry->cm_template_no_ocsp_check ? 1 : 0); + cm_store_file_write_str(fp, cm_store_entry_field_template_ns_certtype, + entry->cm_template_ns_certtype); cm_store_file_write_str(fp, cm_store_entry_field_challenge_password, entry->cm_template_challenge_password); 
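Review bot: cm_store_entry_write emits `cert_ns_certtype` before `cert_no_ocsp_check` but `template_ns_certtype` after `template_no_ocsp_check`, and neither placement matches the enum order introduced earlier in this commit, where the ns_certtype member follows no_ocsp_check in both groups. If the reader dispatches on the field name, as the name table added to cm_store_file_field_list suggests, this is harmless, but placing the `cm_store_file_write_str(fp, cm_store_entry_field_cert_ns_certtype, entry->cm_cert_ns_certtype);` call after the cert_no_ocsp_check write keeps the two groups parallel and stored entry files predictable to diff. The enclosing functions start outside the hunk.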
@@ -2528,6 +2544,8 @@ cm_store_entry_dup(void *parent, struct cm_store_entry *entry) ret->cm_cert_profile = cm_store_maybe_strdup(ret, entry->cm_cert_profile); ret->cm_cert_no_ocsp_check = entry->cm_cert_no_ocsp_check; + ret->cm_cert_ns_certtype = cm_store_maybe_strdup(ret, + entry->cm_cert_ns_certtype); ret->cm_last_need_notify_check = entry->cm_last_need_notify_check; ret->cm_last_need_enroll_check = entry->cm_last_need_enroll_check; @@ -2550,6 +2568,8 @@ cm_store_entry_dup(void *parent, struct cm_store_entry *entry) ret->cm_template_ns_comment = cm_store_maybe_strdup(ret, entry->cm_template_ns_comment); ret->cm_template_profile = cm_store_maybe_strdup(ret, entry->cm_template_profile); ret->cm_template_no_ocsp_check = entry->cm_template_no_ocsp_check; + ret->cm_template_ns_certtype = cm_store_maybe_strdup(ret, + entry->cm_template_ns_certtype); ret->cm_template_challenge_password = cm_store_maybe_strdup(ret, entry->cm_template_challenge_password); ret->cm_template_challenge_password_file = cm_store_maybe_strdup(ret, entry->cm_template_challenge_password_file); diff --git a/src/store-int.h b/src/store-int.h index 748017d..efd588e 100644 --- a/src/store-int.h +++ b/src/store-int.h @@ -90,6 +90,7 @@ struct cm_store_entry { char **cm_cert_ocsp_location; char *cm_cert_ns_comment; char *cm_cert_profile; + char *cm_cert_ns_certtype; unsigned int cm_cert_no_ocsp_check: 1; time_t cm_last_need_notify_check; time_t cm_last_need_enroll_check; @@ -133,6 +134,7 @@ struct cm_store_entry { char **cm_template_ocsp_location; char *cm_template_ns_comment; char *cm_template_profile; + char *cm_template_ns_certtype; unsigned int cm_template_no_ocsp_check: 1; /* A challenge password, which may be included (in cleartext form!) in * a CSR. */ diff --git a/tests/003-csrgen/expected.out b/tests/003-csrgen/expected.out index f6e08c7..7f4586c 100644 --- a/tests/003-csrgen/expected.out +++ b/tests/003-csrgen/expected.out 
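Review bot: The two new `struct cm_store_entry` members in store-int.h carry no comment, and their representation is not obvious from the name: from the certext.c code in this commit they hold a comma-separated list of bit names, not the raw bit string. A comment on each would save the next reader a trip through certext.c, e.g. `/* nsCertType bits of the issued cert, as a comma-separated list of names (client, server, email, objsign, reserved, sslCA, emailCA, objCA); NULL when the extension is absent */` for `cm_cert_ns_certtype`, and `/* requested nsCertType bits, same names, matched case-insensitively */` for `cm_template_ns_certtype`. The struct definition starts outside the hunk.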
@@ -29,8 +29,8 @@ Signature OK minicert.openssl.4096.pem: OK 4096 OK. The last CSR (the one with everything) was: - 0:d=0 hl=4 l=1173 cons: SEQUENCE - 4:d=1 hl=4 l=1087 cons: SEQUENCE + 0:d=0 hl=4 l=1241 cons: SEQUENCE + 4:d=1 hl=4 l=1155 cons: SEQUENCE 8:d=2 hl=2 l= 1 prim: INTEGER :00 11:d=2 hl=2 l= 22 cons: SEQUENCE 13:d=3 hl=2 l= 20 cons: SET @@ -42,7 +42,7 @@ The last CSR (the one with everything) was: 39:d=4 hl=2 l= 9 prim: OBJECT :rsaEncryption 50:d=4 hl=2 l= 0 prim: NULL 52:d=3 hl=2 l= 75 prim: BIT STRING - 129:d=2 hl=4 l= 962 cons: cont [ 0 ] + 129:d=2 hl=4 l=1030 cons: cont [ 0 ] 133:d=3 hl=2 l= 52 cons: SEQUENCE 135:d=4 hl=2 l= 9 prim: OBJECT :challengePassword 146:d=4 hl=2 l= 39 cons: SET @@ -51,10 +51,10 @@ The last CSR (the one with everything) was: 189:d=4 hl=2 l= 9 prim: OBJECT :friendlyName 200:d=4 hl=2 l= 48 cons: SET 202:d=5 hl=2 l= 46 prim: BMPSTRING - 250:d=3 hl=4 l= 841 cons: SEQUENCE + 250:d=3 hl=4 l= 909 cons: SEQUENCE 254:d=4 hl=2 l= 9 prim: OBJECT :Extension Request - 265:d=4 hl=4 l= 826 cons: SET - 269:d=5 hl=4 l= 822 cons: SEQUENCE + 265:d=4 hl=4 l= 894 cons: SET + 269:d=5 hl=4 l= 890 cons: SEQUENCE 273:d=6 hl=2 l= 14 cons: SEQUENCE 275:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Key Usage 280:d=7 hl=2 l= 1 prim: BOOLEAN :0 
@@ -99,8 +99,16 @@ The last CSR (the one with everything) was: 1077:d=7 hl=2 l= 9 prim: OBJECT :OCSP No Check 1088:d=7 hl=2 l= 1 prim: BOOLEAN :0 1091:d=7 hl=2 l= 2 prim: OCTET STRING [HEX DUMP]:0500 - 1095:d=1 hl=2 l= 13 cons: SEQUENCE - 1097:d=2 hl=2 l= 9 prim: OBJECT :sha256WithRSAEncryption - 1108:d=2 hl=2 l= 0 prim: NULL - 1110:d=1 hl=2 l= 65 prim: BIT STRING -Test complete (56 combinations). + 1095:d=6 hl=2 l= 44 cons: SEQUENCE + 1097:d=7 hl=2 l= 9 prim: OBJECT :1.3.6.1.4.1.311.20.2 + 1108:d=7 hl=2 l= 1 prim: BOOLEAN :0 + 1111:d=7 hl=2 l= 28 prim: OCTET STRING [HEX DUMP]:1E1A006300610041007700650073006F006D00650043006500720074 + 1141:d=6 hl=2 l= 20 cons: SEQUENCE + 1143:d=7 hl=2 l= 9 prim: OBJECT :Netscape Cert Type + 1154:d=7 hl=2 l= 1 prim: BOOLEAN :0 + 1157:d=7 hl=2 l= 4 prim: OCTET STRING [HEX DUMP]:030205A0 + 1163:d=1 hl=2 l= 13 cons: SEQUENCE + 1165:d=2 hl=2 l= 9 prim: OBJECT :sha256WithRSAEncryption + 1176:d=2 hl=2 l= 0 prim: NULL + 1178:d=1 hl=2 l= 65 prim: BIT STRING +Test complete (69 combinations). diff --git a/tests/003-csrgen/run.sh b/tests/003-csrgen/run.sh index e9b54d3..502d0b0 100755 --- a/tests/003-csrgen/run.sh +++ b/tests/003-csrgen/run.sh @@ -106,6 +106,8 @@ iterate() { ipaddress=${16} freshestcrl=${17} no_ocsp_check=${18} + profile=${19} + ns_certtype=${20} ${certnickname:+cert_nickname=$cert_nickname} # Generate a new CSR using the copy of the key that's in a file. cat > entry.openssl.$size <<- EOF @@ -131,6 +133,8 @@ iterate() { ${ipaddress:+template_ipaddress=$ipaddress} ${freshestcrl:+template_freshest_crl=$freshestcrl} ${no_ocsp_check:+template_no_ocsp_check=$no_ocsp_check} + ${profile:+template_profile=$profile} + ${ns_certtype:+template_ns_certtype=$ns_certtype} EOF $toolsdir/keyiread entry.openssl.$size > /dev/null 2>&1 echo key_pubkey=616263 >> entry.openssl.$size 
@@ -159,6 +163,8 @@ iterate() { ${ipaddress:+template_ipaddress=$ipaddress} ${freshestcrl:+template_freshest_crl=$freshestcrl} ${no_ocsp_check:+template_no_ocsp_check=$no_ocsp_check} + ${profile:+template_profile=$profile} + ${ns_certtype:+template_ns_certtype=$ns_certtype} EOF grep ^key_pubkey_info= entry.openssl.$size >> entry.nss.$size echo key_pubkey=616263 >> entry.openssl.$size 
@@ -194,94 +200,104 @@ iterate() { iteration=1 for size in 1024 ; do - iterate "$size" "$subject" "$hostname" "$email" "$principal" "$ku" "$eku" "$challengepassword" "$certfname" "$ca" "$capathlen" "$crldp" "$ocsp" "$nscomment" "$subjectder" "$ipaddress" "$freshestcrl" "$no_ocsp_check" + iterate "$size" "$subject" "$hostname" "$email" "$principal" "$ku" "$eku" "$challengepassword" "$certfname" "$ca" "$capathlen" "$crldp" "$ocsp" "$nscomment" "$subjectder" "$ipaddress" "$freshestcrl" "$no_ocsp_check" "$profile" "$ns_certtype" done for subject in "" "Babs Jensen" CN=somehost "CN=Babs Jensen" ; do - iterate "$size" "$subject" "$hostname" "$email" "$principal" "$ku" "$eku" "$challengepassword" "$certfname" "$ca" "$capathlen" "$crldp" "$ocsp" "$nscomment" "$subjectder" "$ipaddress" "$freshestcrl" "$no_ocsp_check" + iterate "$size" "$subject" "$hostname" "$email" "$principal" "$ku" "$eku" "$challengepassword" "$certfname" "$ca" "$capathlen" "$crldp" "$ocsp" "$nscomment" "$subjectder" "$ipaddress" "$freshestcrl" "$no_ocsp_check" "$profile" "$ns_certtype" done subject= for subjectder in "" 30223120301E060355040313177361 30223120301E0603550403131773616265722E626F73746F6E2E7265646861742E636F6D ; do - iterate "$size" "$subject" "$hostname" "$email" "$principal" "$ku" "$eku" "$challengepassword" "$certfname" "$ca" "$capathlen" "$crldp" "$ocsp" "$nscomment" "$subjectder" "$ipaddress" "$freshestcrl" "$no_ocsp_check" + iterate "$size" "$subject" "$hostname" "$email" "$principal" "$ku" "$eku" "$challengepassword" "$certfname" "$ca" "$capathlen" "$crldp" "$ocsp" "$nscomment" "$subjectder" "$ipaddress" "$freshestcrl" "$no_ocsp_check" "$profile" "$ns_certtype" done subjectder= for hostname in "" "," localhost,localhost.localdomain; do - iterate "$size" "$subject" "$hostname" "$email" "$principal" "$ku" "$eku" "$challengepassword" "$certfname" "$ca" "$capathlen" "$crldp" "$ocsp" "$nscomment" "$subjectder" "$ipaddress" "$freshestcrl" "$no_ocsp_check" + iterate "$size" "$subject" 
"$hostname" "$email" "$principal" "$ku" "$eku" "$challengepassword" "$certfname" "$ca" "$capathlen" "$crldp" "$ocsp" "$nscomment" "$subjectder" "$ipaddress" "$freshestcrl" "$no_ocsp_check" "$profile" "$ns_certtype" done hostname= for email in "" "," root@localhost,root@localhost.localdomain; do - iterate "$size" "$subject" "$hostname" "$email" "$principal" "$ku" "$eku" "$challengepassword" "$certfname" "$ca" "$capathlen" "$crldp" "$ocsp" "$nscomment" "$subjectder" "$ipaddress" "$freshestcrl" "$no_ocsp_check" + iterate "$size" "$subject" "$hostname" "$email" "$principal" "$ku" "$eku" "$challengepassword" "$certfname" "$ca" "$capathlen" "$crldp" "$ocsp" "$nscomment" "$subjectder" "$ipaddress" "$freshestcrl" "$no_ocsp_check" "$profile" "$ns_certtype" done email= for principal in "" "," root@EXAMPLE.COM,root@FOO.EXAMPLE.COM; do - iterate "$size" "$subject" "$hostname" "$email" "$principal" "$ku" "$eku" "$challengepassword" "$certfname" "$ca" "$capathlen" "$crldp" "$ocsp" "$nscomment" "$subjectder" "$ipaddress" "$freshestcrl" "$no_ocsp_check" + iterate "$size" "$subject" "$hostname" "$email" "$principal" "$ku" "$eku" "$challengepassword" "$certfname" "$ca" "$capathlen" "$crldp" "$ocsp" "$nscomment" "$subjectder" "$ipaddress" "$freshestcrl" "$no_ocsp_check" "$profile" "$ns_certtype" done principal= for ku in "" 1 10 111 ; do - iterate "$size" "$subject" "$hostname" "$email" "$principal" "$ku" "$eku" "$challengepassword" "$certfname" "$ca" "$capathlen" "$crldp" "$ocsp" "$nscomment" "$subjectder" "$ipaddress" "$freshestcrl" "$no_ocsp_check" + iterate "$size" "$subject" "$hostname" "$email" "$principal" "$ku" "$eku" "$challengepassword" "$certfname" "$ca" "$capathlen" "$crldp" "$ocsp" "$nscomment" "$subjectder" "$ipaddress" "$freshestcrl" "$no_ocsp_check" "$profile" "$ns_certtype" done ku= for eku in "" "," id-kp-clientAuth,id-kp-emailProtection ; do - iterate "$size" "$subject" "$hostname" "$email" "$principal" "$ku" "$eku" "$challengepassword" "$certfname" "$ca" 
"$capathlen" "$crldp" "$ocsp" "$nscomment" "$subjectder" "$ipaddress" "$freshestcrl" "$no_ocsp_check" + iterate "$size" "$subject" "$hostname" "$email" "$principal" "$ku" "$eku" "$challengepassword" "$certfname" "$ca" "$capathlen" "$crldp" "$ocsp" "$nscomment" "$subjectder" "$ipaddress" "$freshestcrl" "$no_ocsp_check" "$profile" "$ns_certtype" done eku= for challengepassword in "" ChallengePasswordIsEncodedInPlainText ; do - iterate "$size" "$subject" "$hostname" "$email" "$principal" "$ku" "$eku" "$challengepassword" "$certfname" "$ca" "$capathlen" "$crldp" "$ocsp" "$nscomment" "$subjectder" "$ipaddress" "$freshestcrl" "$no_ocsp_check" + iterate "$size" "$subject" "$hostname" "$email" "$principal" "$ku" "$eku" "$challengepassword" "$certfname" "$ca" "$capathlen" "$crldp" "$ocsp" "$nscomment" "$subjectder" "$ipaddress" "$freshestcrl" "$no_ocsp_check" "$profile" "$ns_certtype" done challengepassword= for certfname in "" CertificateFriendlyName ; do - iterate "$size" "$subject" "$hostname" "$email" "$principal" "$ku" "$eku" "$challengepassword" "$certfname" "$ca" "$capathlen" "$crldp" "$ocsp" "$nscomment" "$subjectder" "$ipaddress" "$freshestcrl" "$no_ocsp_check" + iterate "$size" "$subject" "$hostname" "$email" "$principal" "$ku" "$eku" "$challengepassword" "$certfname" "$ca" "$capathlen" "$crldp" "$ocsp" "$nscomment" "$subjectder" "$ipaddress" "$freshestcrl" "$no_ocsp_check" "$profile" "$ns_certtype" done certfname= for ca in "" 0 1 ; do - iterate "$size" "$subject" "$hostname" "$email" "$principal" "$ku" "$eku" "$challengepassword" "$certfname" "$ca" "$capathlen" "$crldp" "$ocsp" "$nscomment" "$subjectder" "$ipaddress" "$freshestcrl" "$no_ocsp_check" + iterate "$size" "$subject" "$hostname" "$email" "$principal" "$ku" "$eku" "$challengepassword" "$certfname" "$ca" "$capathlen" "$crldp" "$ocsp" "$nscomment" "$subjectder" "$ipaddress" "$freshestcrl" "$no_ocsp_check" "$profile" "$ns_certtype" done ca= for capathlen in -1 3 ; do - iterate "$size" "$subject" 
"$hostname" "$email" "$principal" "$ku" "$eku" "$challengepassword" "$certfname" "$ca" "$capathlen" "$crldp" "$ocsp" "$nscomment" "$subjectder" "$ipaddress" "$freshestcrl" "$no_ocsp_check" + iterate "$size" "$subject" "$hostname" "$email" "$principal" "$ku" "$eku" "$challengepassword" "$certfname" "$ca" "$capathlen" "$crldp" "$ocsp" "$nscomment" "$subjectder" "$ipaddress" "$freshestcrl" "$no_ocsp_check" "$profile" "$ns_certtype" done capathlen= for crldp in "" "," http://crl-1.example.com:12345/get,http://crl-2.example.com:12345/get ; do - iterate "$size" "$subject" "$hostname" "$email" "$principal" "$ku" "$eku" "$challengepassword" "$certfname" "$ca" "$capathlen" "$crldp" "$ocsp" "$nscomment" "$subjectder" "$ipaddress" "$freshestcrl" "$no_ocsp_check" + iterate "$size" "$subject" "$hostname" "$email" "$principal" "$ku" "$eku" "$challengepassword" "$certfname" "$ca" "$capathlen" "$crldp" "$ocsp" "$nscomment" "$subjectder" "$ipaddress" "$freshestcrl" "$no_ocsp_check" "$profile" "$ns_certtype" done crldp= for ocsp in "" "," http://ocsp-1.example.com:12345,http://ocsp-2.example.com:12345 ; do - iterate "$size" "$subject" "$hostname" "$email" "$principal" "$ku" "$eku" "$challengepassword" "$certfname" "$ca" "$capathlen" "$crldp" "$ocsp" "$nscomment" "$subjectder" "$ipaddress" "$freshestcrl" "$no_ocsp_check" + iterate "$size" "$subject" "$hostname" "$email" "$principal" "$ku" "$eku" "$challengepassword" "$certfname" "$ca" "$capathlen" "$crldp" "$ocsp" "$nscomment" "$subjectder" "$ipaddress" "$freshestcrl" "$no_ocsp_check" "$profile" "$ns_certtype" done ocsp= for nscomment in "" "certmonger generated this request" ; do - iterate "$size" "$subject" "$hostname" "$email" "$principal" "$ku" "$eku" "$challengepassword" "$certfname" "$ca" "$capathlen" "$crldp" "$ocsp" "$nscomment" "$subjectder" "$ipaddress" "$freshestcrl" "$no_ocsp_check" + iterate "$size" "$subject" "$hostname" "$email" "$principal" "$ku" "$eku" "$challengepassword" "$certfname" "$ca" "$capathlen" "$crldp" 
"$ocsp" "$nscomment" "$subjectder" "$ipaddress" "$freshestcrl" "$no_ocsp_check" "$profile" "$ns_certtype" done nscomment= for ipaddress in "" "," "127.0.0.1" "::1" "blargh" "this request" "1.2.3.4,fe80::" ; do - iterate "$size" "$subject" "$hostname" "$email" "$principal" "$ku" "$eku" "$challengepassword" "$certfname" "$ca" "$capathlen" "$crldp" "$ocsp" "$nscomment" "$subjectder" "$ipaddress" "$freshestcrl" "$no_ocsp_check" + iterate "$size" "$subject" "$hostname" "$email" "$principal" "$ku" "$eku" "$challengepassword" "$certfname" "$ca" "$capathlen" "$crldp" "$ocsp" "$nscomment" "$subjectder" "$ipaddress" "$freshestcrl" "$no_ocsp_check" "$profile" "$ns_certtype" done ipaddress= for freshestcrl in "" "," http://crl-1.example.com:12345/getdelta,http://crl-2.example.com:12345/getdelta ; do - iterate "$size" "$subject" "$hostname" "$email" "$principal" "$ku" "$eku" "$challengepassword" "$certfname" "$ca" "$capathlen" "$crldp" "$ocsp" "$nscomment" "$subjectder" "$ipaddress" "$freshestcrl" "$no_ocsp_check" + iterate "$size" "$subject" "$hostname" "$email" "$principal" "$ku" "$eku" "$challengepassword" "$certfname" "$ca" "$capathlen" "$crldp" "$ocsp" "$nscomment" "$subjectder" "$ipaddress" "$freshestcrl" "$no_ocsp_check" "$profile" "$ns_certtype" done freshestcrl= for no_ocsp_check in "" 0 1 ; do - iterate "$size" "$subject" "$hostname" "$email" "$principal" "$ku" "$eku" "$challengepassword" "$certfname" "$ca" "$capathlen" "$crldp" "$ocsp" "$nscomment" "$subjectder" "$ipaddress" "$freshestcrl" "$no_ocsp_check" + iterate "$size" "$subject" "$hostname" "$email" "$principal" "$ku" "$eku" "$challengepassword" "$certfname" "$ca" "$capathlen" "$crldp" "$ocsp" "$nscomment" "$subjectder" "$ipaddress" "$freshestcrl" "$no_ocsp_check" "$profile" "$ns_certtype" done no_ocsp_check= +for profile in "" caLessThanAwesomeCert caAwesomeCert ; do + iterate "$size" "$subject" "$hostname" "$email" "$principal" "$ku" "$eku" "$challengepassword" "$certfname" "$ca" "$capathlen" "$crldp" "$ocsp" 
"$nscomment" "$subjectder" "$ipaddress" "$freshestcrl" "$no_ocsp_check" "$profile" "$ns_certtype" +done +profile= + +for ns_certtype in "" client server email objsign reserved sslca emailca objca client,email ; do + iterate "$size" "$subject" "$hostname" "$email" "$principal" "$ku" "$eku" "$challengepassword" "$certfname" "$ca" "$capathlen" "$crldp" "$ocsp" "$nscomment" "$subjectder" "$ipaddress" "$freshestcrl" "$no_ocsp_check" "$profile" "$ns_certtype" +done +ns_certtype= + size=512 subject="CN=Babs Jensen" hostname=localhost,localhost.localdomain @@ -300,7 +316,9 @@ subjectder= ipaddress="127.0.0.1,::1" freshestcrl=http://crl-1.example.com:12345/getdelta,http://crl-2.example.com:12345/getdelta no_ocsp_check=1 -iterate "$size" "$subject" "$hostname" "$email" "$principal" "$ku" "$eku" "$challengepassword" "$certfname" "$ca" "$capathlen" "$crldp" "$ocsp" "$nscomment" "$subjectder" "$ipaddress" "$freshestcrl" "$no_ocsp_check" +profile=caAwesomeCert +ns_certtype=client,email +iterate "$size" "$subject" "$hostname" "$email" "$principal" "$ku" "$eku" "$challengepassword" "$certfname" "$ca" "$capathlen" "$crldp" "$ocsp" "$nscomment" "$subjectder" "$ipaddress" "$freshestcrl" "$no_ocsp_check" "$profile" "$ns_certtype" echo "The last CSR (the one with everything) was:" openssl req -in csr.nss.$size -outform der | openssl asn1parse -inform der | sed 's,2.5.29.46,X509v3 Freshest CRL,g' cat $tmpdir/key.$size csr.nss.$size 1>&2 diff --git a/tests/004-selfsign/run.sh b/tests/004-selfsign/run.sh index 24c955e..7b2ee43 100755 --- a/tests/004-selfsign/run.sh +++ b/tests/004-selfsign/run.sh @@ -27,6 +27,9 @@ function append() { template_nscomment=certmonger generated this request template_ipaddress=127.0.0.1,::1 template_freshest_crl=http://dcrl-1.example.com:12345/get,http://dcrl-2.example.com:12345/get + template_no_ocsp_check=1 + template_profile=caAwesomeCert + template_ns_certtype=client,email EOF }