1#! /usr/bin/env perl 2# Copyright 2015-2024 The OpenSSL Project Authors. All Rights Reserved. 3# 4# Licensed under the Apache License 2.0 (the "License"). You may not use 5# this file except in compliance with the License. You can obtain a copy 6# in the file LICENSE in the source distribution or at 7# https://www.openssl.org/source/license.html 8 9 10use strict; 11use warnings; 12 13use OpenSSL::Test::Utils; 14use OpenSSL::Test qw/:DEFAULT srctop_file/; 15 16setup("test_req"); 17 18plan tests => 110; 19 20require_ok(srctop_file('test', 'recipes', 'tconversion.pl')); 21 22my @certs = qw(test certs); 23 24# What type of key to generate? 25my @req_new; 26if (disabled("rsa")) { 27 @req_new = ("-newkey", "dsa:".srctop_file("apps", "dsa512.pem")); 28} else { 29 @req_new = ("-new"); 30 note("There should be a 2 sequences of .'s and some +'s."); 31 note("There should not be more that at most 80 per line"); 32} 33 34# Prevent MSys2 filename munging for arguments that look like file paths but 35# aren't 36$ENV{MSYS2_ARG_CONV_EXCL} = "/CN="; 37 38# Check for duplicate -addext parameters, and one "working" case. 39my @addext_args = ( "openssl", "req", "-new", "-out", "testreq-addexts.pem", 40 "-key", srctop_file(@certs, "ee-key.pem"), 41 "-config", srctop_file("test", "test.cnf"), @req_new ); 42my $val = "subjectAltName=DNS:example.com"; 43my $val1 = "subjectAltName=otherName:1.2.3.4;UTF8:test,email:info\@example.com"; 44my $val2 = " " . $val; 45my $val3 = $val; 46$val3 =~ s/=/ =/; 47ok( run(app([@addext_args, "-addext", $val]))); 48ok( run(app([@addext_args, "-addext", $val1]))); 49$val1 =~ s/UTF8/XXXX/; # execute the error handling in do_othername 50ok(!run(app([@addext_args, "-addext", $val1]))); 51ok(!run(app([@addext_args, "-addext", $val, "-addext", $val]))); 52ok(!run(app([@addext_args, "-addext", $val, "-addext", $val2]))); 53ok(!run(app([@addext_args, "-addext", $val, "-addext", $val3]))); 54ok(!run(app([@addext_args, "-addext", $val2, "-addext", $val3]))); 55ok(run(app([@addext_args, "-addext", "SXNetID=1:one, 2:two, 3:three"]))); 56ok(run(app([@addext_args, "-addext", "subjectAltName=dirName:dirname_sec"]))); 57 58ok(run(app([@addext_args, "-addext", "keyUsage=digitalSignature", 59 "-reqexts", "reqexts"]))); # referring to section in test.cnf 60 61# If a CSR is provided with neither of -key or -CA/-CAkey, this should fail. 62ok(!run(app(["openssl", "req", "-x509", 63 "-in", srctop_file(@certs, "x509-check.csr"), 64 "-out", "testreq.pem"]))); 65 66subtest "generating alt certificate requests with RSA" => sub { 67 plan tests => 3; 68 69 SKIP: { 70 skip "RSA is not supported by this OpenSSL build", 2 71 if disabled("rsa"); 72 73 ok(run(app(["openssl", "req", 74 "-config", srctop_file("test", "test.cnf"), 75 "-section", "altreq", 76 "-new", "-out", "testreq-rsa.pem", "-utf8", 77 "-key", srctop_file("test", "testrsa.pem")])), 78 "Generating request"); 79 80 ok(run(app(["openssl", "req", 81 "-config", srctop_file("test", "test.cnf"), 82 "-verify", "-in", "testreq-rsa.pem", "-noout"])), 83 "Verifying signature on request"); 84 85 ok(run(app(["openssl", "req", 86 "-config", srctop_file("test", "test.cnf"), 87 "-section", "altreq", 88 "-verify", "-in", "testreq-rsa.pem", "-noout"])), 89 "Verifying signature on request"); 90 } 91}; 92 93 94subtest "generating certificate requests with RSA" => sub { 95 plan tests => 8; 96 97 SKIP: { 98 skip "RSA is not supported by this OpenSSL build", 2 99 if disabled("rsa"); 100 101 ok(!run(app(["openssl", "req", 102 "-config", srctop_file("test", "test.cnf"), 103 "-new", "-out", "testreq-rsa.pem", "-utf8", 104 "-key", srctop_file("test", "testrsa.pem"), 105 "-keyform", "DER"])), 106 "Checking that mismatching keyform fails"); 107 108 ok(run(app(["openssl", "req", 109 "-config", srctop_file("test", "test.cnf"), 110 "-new", "-out", "testreq-rsa.pem", "-utf8", 111 "-key", srctop_file("test", "testrsa.pem"), 112 "-keyform", "PEM"])), 113 "Generating request"); 114 115 ok(run(app(["openssl", "req", 116 "-config", srctop_file("test", "test.cnf"), 117 "-verify", "-in", "testreq-rsa.pem", "-noout"])), 118 "Verifying signature on request"); 119 120 ok(run(app(["openssl", "req", 121 "-config", srctop_file("test", "test.cnf"), 122 "-modulus", "-in", "testreq-rsa.pem", "-noout"])), 123 "Printing a modulus of the request key"); 124 125 ok(run(app(["openssl", "req", 126 "-config", srctop_file("test", "test.cnf"), 127 "-new", "-out", "testreq_withattrs_pem.pem", "-utf8", 128 "-key", srctop_file("test", "testrsa_withattrs.pem")])), 129 "Generating request from a key with extra attributes - PEM"); 130 131 ok(run(app(["openssl", "req", 132 "-config", srctop_file("test", "test.cnf"), 133 "-verify", "-in", "testreq_withattrs_pem.pem", "-noout"])), 134 "Verifying signature on request from a key with extra attributes - PEM"); 135 136 ok(run(app(["openssl", "req", 137 "-config", srctop_file("test", "test.cnf"), 138 "-new", "-out", "testreq_withattrs_der.pem", "-utf8", 139 "-key", srctop_file("test", "testrsa_withattrs.der"), 140 "-keyform", "DER"])), 141 "Generating request from a key with extra attributes - PEM"); 142 143 ok(run(app(["openssl", "req", 144 "-config", srctop_file("test", "test.cnf"), 145 "-verify", "-in", "testreq_withattrs_der.pem", "-noout"])), 146 "Verifying signature on request from a key with extra attributes - PEM"); 147 } 148}; 149 150subtest "generating certificate requests with RSA-PSS" => sub { 151 plan tests => 12; 152 153 SKIP: { 154 skip "RSA is not supported by this OpenSSL build", 2 155 if disabled("rsa"); 156 157 ok(run(app(["openssl", "req", 158 "-config", srctop_file("test", "test.cnf"), 159 "-new", "-out", "testreq-rsapss.pem", "-utf8", 160 "-key", srctop_file("test", "testrsapss.pem")])), 161 "Generating request"); 162 ok(run(app(["openssl", "req", 163 "-config", srctop_file("test", "test.cnf"), 164 "-verify", "-in", "testreq-rsapss.pem", "-noout"])), 165 "Verifying signature on request"); 166 167 ok(run(app(["openssl", "req", 168 "-config", srctop_file("test", "test.cnf"), 169 "-new", "-out", "testreq-rsapss2.pem", "-utf8", 170 "-sigopt", "rsa_padding_mode:pss", 171 "-sigopt", "rsa_pss_saltlen:-1", 172 "-key", srctop_file("test", "testrsapss.pem")])), 173 "Generating request"); 174 ok(run(app(["openssl", "req", 175 "-config", srctop_file("test", "test.cnf"), 176 "-verify", "-in", "testreq-rsapss2.pem", "-noout"])), 177 "Verifying signature on request"); 178 179 ok(run(app(["openssl", "req", 180 "-config", srctop_file("test", "test.cnf"), 181 "-new", "-out", "testreq-rsapssmand.pem", "-utf8", 182 "-sigopt", "rsa_padding_mode:pss", 183 "-key", srctop_file("test", "testrsapssmandatory.pem")])), 184 "Generating request"); 185 ok(run(app(["openssl", "req", 186 "-config", srctop_file("test", "test.cnf"), 187 "-verify", "-in", "testreq-rsapssmand.pem", "-noout"])), 188 "Verifying signature on request"); 189 190 ok(run(app(["openssl", "req", 191 "-config", srctop_file("test", "test.cnf"), 192 "-new", "-out", "testreq-rsapssmand2.pem", "-utf8", 193 "-sigopt", "rsa_pss_saltlen:100", 194 "-key", srctop_file("test", "testrsapssmandatory.pem")])), 195 "Generating request"); 196 ok(run(app(["openssl", "req", 197 "-config", srctop_file("test", "test.cnf"), 198 "-verify", "-in", "testreq-rsapssmand2.pem", "-noout"])), 199 "Verifying signature on request"); 200 201 ok(!run(app(["openssl", "req", 202 "-config", srctop_file("test", "test.cnf"), 203 "-new", "-out", "testreq-rsapss3.pem", "-utf8", 204 "-sigopt", "rsa_padding_mode:pkcs1", 205 "-key", srctop_file("test", "testrsapss.pem")])), 206 "Generating request with expected failure"); 207 208 ok(!run(app(["openssl", "req", 209 "-config", srctop_file("test", "test.cnf"), 210 "-new", "-out", "testreq-rsapss3.pem", "-utf8", 211 "-sigopt", "rsa_pss_saltlen:-5", 212 "-key", srctop_file("test", "testrsapss.pem")])), 213 "Generating request with expected failure"); 214 215 ok(!run(app(["openssl", "req", 216 "-config", srctop_file("test", "test.cnf"), 217 "-new", "-out", "testreq-rsapssmand3.pem", "-utf8", 218 "-sigopt", "rsa_pss_saltlen:10", 219 "-key", srctop_file("test", "testrsapssmandatory.pem")])), 220 "Generating request with expected failure"); 221 222 ok(!run(app(["openssl", "req", 223 "-config", srctop_file("test", "test.cnf"), 224 "-new", "-out", "testreq-rsapssmand3.pem", "-utf8", 225 "-sha256", 226 "-key", srctop_file("test", "testrsapssmandatory.pem")])), 227 "Generating request with expected failure"); 228 } 229}; 230 231subtest "generating certificate requests with DSA" => sub { 232 plan tests => 2; 233 234 SKIP: { 235 skip "DSA is not supported by this OpenSSL build", 2 236 if disabled("dsa"); 237 238 ok(run(app(["openssl", "req", 239 "-config", srctop_file("test", "test.cnf"), 240 "-new", "-out", "testreq-dsa.pem", "-utf8", 241 "-key", srctop_file("test", "testdsa.pem")])), 242 "Generating request"); 243 244 ok(run(app(["openssl", "req", 245 "-config", srctop_file("test", "test.cnf"), 246 "-verify", "-in", "testreq-dsa.pem", "-noout"])), 247 "Verifying signature on request"); 248 } 249}; 250 251subtest "generating certificate requests with ECDSA" => sub { 252 plan tests => 2; 253 254 SKIP: { 255 skip "ECDSA is not supported by this OpenSSL build", 2 256 if disabled("ec"); 257 258 ok(run(app(["openssl", "req", 259 "-config", srctop_file("test", "test.cnf"), 260 "-new", "-out", "testreq-ec.pem", "-utf8", 261 "-key", srctop_file("test", "testec-p256.pem")])), 262 "Generating request"); 263 264 ok(run(app(["openssl", "req", 265 "-config", srctop_file("test", "test.cnf"), 266 "-verify", "-in", "testreq-ec.pem", "-noout"])), 267 "Verifying signature on request"); 268 } 269}; 270 271subtest "generating certificate requests with Ed25519" => sub { 272 plan tests => 2; 273 274 SKIP: { 275 skip "Ed25519 is not supported by this OpenSSL build", 2 276 if disabled("ecx"); 277 278 ok(run(app(["openssl", "req", 279 "-config", srctop_file("test", "test.cnf"), 280 "-new", "-out", "testreq-ed25519.pem", "-utf8", 281 "-key", srctop_file("test", "tested25519.pem")])), 282 "Generating request"); 283 284 ok(run(app(["openssl", "req", 285 "-config", srctop_file("test", "test.cnf"), 286 "-verify", "-in", "testreq-ed25519.pem", "-noout"])), 287 "Verifying signature on request"); 288 } 289}; 290 291subtest "generating certificate requests with Ed448" => sub { 292 plan tests => 2; 293 294 SKIP: { 295 skip "Ed448 is not supported by this OpenSSL build", 2 296 if disabled("ecx"); 297 298 ok(run(app(["openssl", "req", 299 "-config", srctop_file("test", "test.cnf"), 300 "-new", "-out", "testreq-ed448.pem", "-utf8", 301 "-key", srctop_file("test", "tested448.pem")])), 302 "Generating request"); 303 304 ok(run(app(["openssl", "req", 305 "-config", srctop_file("test", "test.cnf"), 306 "-verify", "-in", "testreq-ed448.pem", "-noout"])), 307 "Verifying signature on request"); 308 } 309}; 310 311subtest "generating certificate requests" => sub { 312 plan tests => 2; 313 314 ok(run(app(["openssl", "req", "-config", srctop_file("test", "test.cnf"), 315 "-key", srctop_file(@certs, "ee-key.pem"), 316 @req_new, "-out", "testreq.pem"])), 317 "Generating request"); 318 319 ok(run(app(["openssl", "req", "-config", srctop_file("test", "test.cnf"), 320 "-verify", "-in", "testreq.pem", "-noout"])), 321 "Verifying signature on request"); 322}; 323 324subtest "generating SM2 certificate requests" => sub { 325 plan tests => 4; 326 327 SKIP: { 328 skip "SM2 is not supported by this OpenSSL build", 4 329 if disabled("sm2"); 330 ok(run(app(["openssl", "req", 331 "-config", srctop_file("test", "test.cnf"), 332 "-new", "-key", srctop_file(@certs, "sm2.key"), 333 "-sigopt", "distid:1234567812345678", 334 "-out", "testreq-sm2.pem", "-sm3"])), 335 "Generating SM2 certificate request"); 336 337 ok(run(app(["openssl", "req", 338 "-config", srctop_file("test", "test.cnf"), 339 "-verify", "-in", "testreq-sm2.pem", "-noout", 340 "-vfyopt", "distid:1234567812345678", "-sm3"])), 341 "Verifying signature on SM2 certificate request"); 342 343 ok(run(app(["openssl", "req", 344 "-config", srctop_file("test", "test.cnf"), 345 "-new", "-key", srctop_file(@certs, "sm2.key"), 346 "-sigopt", "hexdistid:DEADBEEF", 347 "-out", "testreq-sm2.pem", "-sm3"])), 348 "Generating SM2 certificate request with hex id"); 349 350 ok(run(app(["openssl", "req", 351 "-config", srctop_file("test", "test.cnf"), 352 "-verify", "-in", "testreq-sm2.pem", "-noout", 353 "-vfyopt", "hexdistid:DEADBEEF", "-sm3"])), 354 "Verifying signature on SM2 certificate request"); 355 } 356}; 357 358my @openssl_args = ("req", "-config", srctop_file("apps", "openssl.cnf")); 359 360run_conversion('req conversions', 361 "testreq.pem"); 362run_conversion('req conversions -- testreq2', 363 srctop_file("test", "testreq2.pem")); 364 365sub run_conversion { 366 my $title = shift; 367 my $reqfile = shift; 368 369 subtest $title => sub { 370 run(app(["openssl", @openssl_args, 371 "-in", $reqfile, "-inform", "p", 372 "-noout", "-text"], 373 stderr => "req-check.err", stdout => undef)); 374 open DATA, "req-check.err"; 375 SKIP: { 376 plan skip_all => "skipping req conversion test for $reqfile" 377 if grep /Unknown Public Key/, map { s/\R//; } <DATA>; 378 379 tconversion( -type => 'req', -in => $reqfile, 380 -args => [ @openssl_args ] ); 381 } 382 close DATA; 383 unlink "req-check.err"; 384 385 done_testing(); 386 }; 387} 388 389# Test both generation and verification of certs w.r.t. RFC 5280 requirements 390 391my $ca_cert; # will be set below 392sub generate_cert { 393 my $cert = shift @_; 394 my $ss = $cert =~ m/self-signed/; 395 my $is_ca = $cert =~ m/CA/; 396 my $cn = $is_ca ? "CA" : "EE"; 397 my $ca_key = srctop_file(@certs, "ca-key.pem"); 398 my $key = $is_ca ? $ca_key : srctop_file(@certs, "ee-key.pem"); 399 my @cmd = ("openssl", "req", "-config", "", "-x509", 400 "-subj", "/CN=$cn", @_, "-out", $cert); 401 push(@cmd, ("-key", $key)) if $ss; 402 push(@cmd, ("-CA", $ca_cert, "-CAkey", $ca_key)) unless $ss; 403 ok(run(app([@cmd])), "generate $cert"); 404} 405 406sub has_keyUsage { 407 my $cert = shift @_; 408 my $expect = shift @_; 409 cert_contains($cert, "Key Usage", $expect); 410} 411sub strict_verify { 412 my $cert = shift @_; 413 my $expect = shift @_; 414 my $trusted = shift @_; 415 $trusted = $cert unless $trusted; 416 ok(run(app(["openssl", "verify", "-x509_strict", "-trusted", $trusted, 417 "-partial_chain", $cert])) == $expect, 418 "strict verify allow $cert"); 419} 420 421my @v3_ca = ("-addext", "basicConstraints = critical,CA:true", 422 "-addext", "keyUsage = keyCertSign"); 423my $SKID_AKID = "subjectKeyIdentifier,authorityKeyIdentifier"; 424 425# # SKID 426 427my $cert = "self-signed_default_SKID_no_explicit_exts.pem"; 428generate_cert($cert); 429has_version($cert, 3); 430has_SKID($cert, 1); # SKID added, though no explicit extensions given 431has_AKID($cert, 0); 432 433my $cert = "self-signed_v3_CA_hash_SKID.pem"; 434generate_cert($cert, @v3_ca, "-addext", "subjectKeyIdentifier = hash"); 435has_SKID($cert, 1); # explicit hash SKID 436 437$cert = "self-signed_v3_CA_no_SKID.pem"; 438generate_cert($cert, @v3_ca, "-addext", "subjectKeyIdentifier = none"); 439cert_ext_has_n_different_lines($cert, 0, $SKID_AKID); # no SKID and no AKID 440#TODO strict_verify($cert, 0); 441 442$cert = "self-signed_v3_CA_given_SKID.pem"; 443generate_cert($cert, @v3_ca, "-addext", "subjectKeyIdentifier = 45"); 444cert_contains($cert, "Subject Key Identifier: 45 ", 1); # given SKID 445strict_verify($cert, 1); 446 447# AKID of self-signed certs 448 449$cert = "self-signed_v1_CA_no_KIDs.pem"; 450generate_cert($cert, "-x509v1"); 451has_version($cert, 1); 452cert_ext_has_n_different_lines($cert, 0, $SKID_AKID); # no SKID and no AKID 453#TODO strict_verify($cert, 1); # self-signed v1 root cert should be accepted as CA 454 455$ca_cert = "self-signed_v3_CA_default_SKID.pem"; # will also be used below 456generate_cert($ca_cert, @v3_ca); 457has_SKID($ca_cert, 1); # default SKID 458has_AKID($ca_cert, 0); # no default AKID 459strict_verify($ca_cert, 1); 460 461$cert = "self-signed_v3_CA_no_AKID.pem"; 462generate_cert($cert, @v3_ca, "-addext", "authorityKeyIdentifier = none"); 463has_AKID($cert, 0); # forced no AKID 464 465$cert = "self-signed_v3_CA_explicit_AKID.pem"; 466generate_cert($cert, @v3_ca, "-addext", "authorityKeyIdentifier = keyid"); 467has_AKID($cert, 0); # for self-signed cert, AKID suppressed and not forced 468 469$cert = "self-signed_v3_CA_forced_AKID.pem"; 470generate_cert($cert, @v3_ca, "-addext", "authorityKeyIdentifier = keyid:always"); 471cert_ext_has_n_different_lines($cert, 3, $SKID_AKID); # forced AKID, AKID == SKID 472strict_verify($cert, 1); 473 474$cert = "self-signed_v3_CA_issuer_AKID.pem"; 475generate_cert($cert, @v3_ca, "-addext", "authorityKeyIdentifier = issuer"); 476has_AKID($cert, 0); # suppressed AKID since not forced 477 478$cert = "self-signed_v3_CA_forced_issuer_AKID.pem"; 479generate_cert($cert, @v3_ca, "-addext", "authorityKeyIdentifier = issuer:always"); 480cert_contains($cert, "Authority Key Identifier: DirName:/CN=CA serial:", 1); # forced issuer AKID 481 482$cert = "self-signed_v3_CA_nonforced_keyid_issuer_AKID.pem"; 483generate_cert($cert, @v3_ca, "-addext", "authorityKeyIdentifier = keyid, issuer"); 484has_AKID($cert, 0); # AKID not present because not forced and cert self-signed 485 486$cert = "self-signed_v3_CA_keyid_forced_issuer_AKID.pem"; 487generate_cert($cert, @v3_ca, "-addext", "authorityKeyIdentifier = keyid, issuer:always"); 488cert_contains($cert, "Authority Key Identifier: DirName:/CN=CA serial:", 1); # issuer AKID forced, with keyid not forced 489 490$cert = "self-signed_v3_CA_forced_keyid_issuer_AKID.pem"; 491generate_cert($cert, @v3_ca, "-addext", "authorityKeyIdentifier = keyid:always, issuer"); 492has_AKID($cert, 1); # AKID with keyid forced 493cert_contains($cert, "Authority Key Identifier: DirName:/CN=CA serial:", 0); # no issuer AKID 494 495$cert = "self-signed_v3_CA_forced_keyid_forced_issuer_AKID.pem"; 496generate_cert($cert, @v3_ca, "-addext", "authorityKeyIdentifier = keyid:always, issuer:always"); 497cert_contains($cert, "Authority Key Identifier: keyid(:[0-9A-Fa-f]{2})+ DirName:/CN=CA serial:", 1); # AKID with keyid and issuer forced 498 499$cert = "self-signed_v3_EE_wrong_keyUsage.pem"; 500generate_cert($cert, "-addext", "keyUsage = keyCertSign"); 501#TODO strict_verify($cert, 1); # should be accepted because RFC 5280 does not apply 502 503# AKID of self-issued but not self-signed certs 504 505$cert = "self-issued_x509_v3_CA_default_KIDs.pem"; 506ok(run(app([("openssl", "x509", "-copy_extensions", "copy", 507 "-req", "-in", srctop_file(@certs, "ext-check.csr"), 508 "-key", srctop_file(@certs, "ca-key.pem"), 509 "-force_pubkey", srctop_file("test", "testrsapub.pem"), 510 "-out", $cert)])), "generate using x509: $cert"); 511cert_contains($cert, "Issuer: CN=test .*? Subject: CN=test", 1); 512cert_ext_has_n_different_lines($cert, 4, $SKID_AKID); # SKID != AKID 513strict_verify($cert, 1); 514 515$cert = "self-issued_v3_CA_default_KIDs.pem"; 516generate_cert($cert, "-addext", "keyUsage = dataEncipherment", 517 "-in", srctop_file(@certs, "x509-check.csr")); 518cert_contains($cert, "Issuer: CN=CA .*? Subject: CN=CA", 1); 519cert_ext_has_n_different_lines($cert, 4, $SKID_AKID); # SKID != AKID 520strict_verify($cert, 1); 521 522$cert = "self-issued_v3_CA_no_AKID.pem"; 523generate_cert($cert, "-addext", "authorityKeyIdentifier = none", 524 "-in", srctop_file(@certs, "x509-check.csr")); 525has_version($cert, 3); 526has_SKID($cert, 1); # SKID added, though no explicit extensions given 527has_AKID($cert, 0); 528strict_verify($cert, 1); 529 530$cert = "self-issued_v3_CA_explicit_AKID.pem"; 531generate_cert($cert, "-addext", "authorityKeyIdentifier = keyid", 532 "-in", srctop_file(@certs, "x509-check.csr")); 533cert_ext_has_n_different_lines($cert, 4, $SKID_AKID); # SKID != AKID 534strict_verify($cert, 1); 535 536$cert = "self-issued_v3_CA_forced_AKID.pem"; 537generate_cert($cert, "-addext", "authorityKeyIdentifier = keyid:always", 538 "-in", srctop_file(@certs, "x509-check.csr")); 539cert_ext_has_n_different_lines($cert, 4, $SKID_AKID); # SKID != AKID 540 541$cert = "self-issued_v3_CA_issuer_AKID.pem"; 542generate_cert($cert, @v3_ca, "-addext", "authorityKeyIdentifier = issuer", 543 "-in", srctop_file(@certs, "x509-check.csr")); 544cert_contains($cert, "Authority Key Identifier: DirName:/CN=CA serial:", 1); # just issuer AKID 545 546$cert = "self-issued_v3_CA_forced_issuer_AKID.pem"; 547generate_cert($cert, @v3_ca, "-addext", "authorityKeyIdentifier = issuer:always", 548 "-in", srctop_file(@certs, "x509-check.csr")); 549cert_contains($cert, "Authority Key Identifier: DirName:/CN=CA serial:", 1); # just issuer AKID 550 551$cert = "self-issued_v3_CA_keyid_issuer_AKID.pem"; 552generate_cert($cert, "-addext", "authorityKeyIdentifier = keyid, issuer", 553 "-in", srctop_file(@certs, "x509-check.csr")); 554cert_ext_has_n_different_lines($cert, 4, $SKID_AKID); # SKID != AKID, not forced 555 556$cert = "self-issued_v3_CA_keyid_forced_issuer_AKID.pem"; 557generate_cert($cert, "-addext", "authorityKeyIdentifier = keyid, issuer:always", 558 "-in", srctop_file(@certs, "x509-check.csr")); 559cert_ext_has_n_different_lines($cert, 6, $SKID_AKID); # SKID != AKID, with forced issuer 560 561$cert = "self-issued_v3_CA_forced_keyid_and_issuer_AKID.pem"; 562generate_cert($cert, "-addext", "authorityKeyIdentifier = keyid:always, issuer:always", 563 "-in", srctop_file(@certs, "x509-check.csr")); 564cert_ext_has_n_different_lines($cert, 6, $SKID_AKID); # SKID != AKID, both forced 565 566# AKID of not self-issued certs 567 568$cert = "regular_v3_EE_default_KIDs_no_other_exts.pem"; 569generate_cert($cert, "-key", srctop_file(@certs, "ee-key.pem")); 570has_version($cert, 3); 571cert_ext_has_n_different_lines($cert, 4, $SKID_AKID); # SKID != AKID 572 573$cert = "regular_v3_EE_default_KIDs.pem"; 574generate_cert($cert, "-addext", "keyUsage = dataEncipherment", 575 "-key", srctop_file(@certs, "ee-key.pem")); 576cert_ext_has_n_different_lines($cert, 4, $SKID_AKID); # SKID != AKID 577strict_verify($cert, 1, $ca_cert); 578 579$cert = "regular_v3_EE_copied_exts_default_KIDs.pem"; 580generate_cert($cert, "-copy_extensions", "copy", 581 "-in", srctop_file(@certs, "ext-check.csr")); 582cert_ext_has_n_different_lines($cert, 4, $SKID_AKID); # SKID != AKID 583strict_verify($cert, 1); 584 585$cert = "v3_EE_no_AKID.pem"; 586generate_cert($cert, "-addext", "authorityKeyIdentifier = none", 587 "-key", srctop_file(@certs, "ee-key.pem")); 588has_SKID($cert, 1); 589has_AKID($cert, 0); 590strict_verify($cert, 0, $ca_cert); 591 592 593# Key Usage 594 595$cert = "self-signed_CA_no_keyUsage.pem"; 596generate_cert($cert, "-in", srctop_file(@certs, "ext-check.csr")); 597has_keyUsage($cert, 0); 598$cert = "self-signed_CA_with_keyUsages.pem"; 599generate_cert($cert, "-in", srctop_file(@certs, "ext-check.csr"), 600 "-copy_extensions", "copy"); 601has_keyUsage($cert, 1); 602 603# Generate cert using req with '-modulus' 604ok(run(app(["openssl", "req", "-x509", "-new", "-days", "365", 605 "-key", srctop_file("test", "testrsa.pem"), 606 "-config", srctop_file('test', 'test.cnf'), 607 "-out", "testreq-cert.pem", 608 "-modulus"])), "cert req creation - with -modulus"); 609 610# Verify cert 611ok(run(app(["openssl", "x509", "-in", "testreq-cert.pem", 612 "-noout", "-text"])), "cert verification"); 613 614# Generate cert with explicit start and end dates 615my %today = (strftime("%Y-%m-%d", gmtime) => 1); 616my $cert = "self-signed_explicit_date.pem"; 617ok(run(app(["openssl", "req", "-x509", "-new", "-text", 618 "-config", srctop_file('test', 'test.cnf'), 619 "-key", srctop_file("test", "testrsa.pem"), 620 "-not_before", "today", 621 "-not_after", "today", 622 "-out", $cert])) 623&& ++$today{strftime("%Y-%m-%d", gmtime)} 624&& (grep { defined $today{$_} } get_not_before_date($cert)) 625&& (grep { defined $today{$_} } get_not_after_date($cert)), "explicit start and end dates"); 626