From f636d0f64fbcb978b06afe9f9576678afcee01c0 Mon Sep 17 00:00:00 2001 From: Rob Crittenden Date: Thu, 4 Nov 2021 13:51:31 -0400 Subject: [PATCH] Add a PEM validity checker and validate SCEP CA files If a non-PEM file was passed into add-scep-ca it would accept it without question but later fail with: status: CA_UNREACHABLE ca-error: Error: failed to verify signature on server response. Try to do basic validation of user-provided PEM files by: - stripping BEGIN/END headers - removing newlines and carriage returns - using OpenSSL EVP library to base64 decode the block This isn't fool-proof but it at least does some basic sanity checking to ensure the file(s) exist and appear to be PEM files. The unit tests use some Let's Encrypt CA certificates. https://bugzilla.redhat.com/show_bug.cgi?id=1492112 Signed-off-by: Rob Crittenden --- src/Makefile.am | 2 +- src/getcert-add-scep-ca.1.in | 2 + src/getcert.c | 39 ++++- src/util-o.c | 144 ++++++++++++++++++ src/util-o.h | 7 + tests/040-pem/bad.empty | 0 .../bad.isrg-root-x1-cross-signed.der.b64 | 25 +++ tests/040-pem/expected.out | 7 + .../good.isrg-root-x1-cross-signed.pem | 31 ++++ .../good.isrg-root-x1-cross-signed_cr.pem | 31 ++++ tests/040-pem/good.lets_encrypt_chain.pem | 93 +++++++++++ tests/040-pem/run.sh | 21 +++ tests/Makefile.am | 8 +- tests/tools/Makefile.am | 3 +- tests/tools/pem.c | 69 +++++++++ 15 files changed, 474 insertions(+), 8 deletions(-) create mode 100644 tests/040-pem/bad.empty create mode 100644 tests/040-pem/bad.isrg-root-x1-cross-signed.der.b64 create mode 100644 tests/040-pem/expected.out create mode 100644 tests/040-pem/good.isrg-root-x1-cross-signed.pem create mode 100644 tests/040-pem/good.isrg-root-x1-cross-signed_cr.pem create mode 100644 tests/040-pem/good.lets_encrypt_chain.pem create mode 100755 tests/040-pem/run.sh create mode 100644 tests/tools/pem.c diff --git a/src/Makefile.am b/src/Makefile.am index 53571c5..d8e0a2e 100644 --- a/src/Makefile.am +++ b/src/Makefile.am @@ -155,7 +155,7 @@ pkglibexecdir = $(libexecdir)/$(PACKAGE) getcert_CFLAGS = $(AM_CFLAGS) $(NSS_CFLAGS) $(UUID_CFLAGS) getcert_SOURCES = getcert.c tm.c tm.h getcert_LDADD = libcm.a $(GETCERT_LIBS) $(KRB5_LIBS) $(NSS_LIBS) $(UUID_LIBS) \ - $(POPT_LIBS) $(LTLIBICONV) $(LDAP_LIBS) + $(POPT_LIBS) $(LTLIBICONV) $(LDAP_LIBS) $(OPENSSL_LIBS) if WITH_IPA bin_PROGRAMS += ipa-getcert ipa_getcert_CFLAGS = $(getcert_CFLAGS) diff --git a/src/getcert-add-scep-ca.1.in b/src/getcert-add-scep-ca.1.in index c2751ed..901791e 100644 --- a/src/getcert-add-scep-ca.1.in +++ b/src/getcert-add-scep-ca.1.in @@ -14,6 +14,8 @@ helper. The \fIadd\-scep\-ca\fR command is more or less a wrapper for the .SH OPTIONS .TP +All user\-provided certificate files must be in PEM format. +.TP \fB\-c\fR \fINAME\fR, \fB\-\-ca\fR=\fINAME\fR The nickname to give to this CA configuration. This same value can later be passed in to \fIgetcert\fR's \fIrequest\fR, \fIresubmit\fR, and diff --git a/src/getcert.c b/src/getcert.c index 4afafcb..ddcb739 100644 --- a/src/getcert.c +++ b/src/getcert.c @@ -49,6 +49,7 @@ #include "submit-u.h" #include "tdbus.h" #include "tdbusm.h" +#include "util-o.h" #ifdef ENABLE_NLS #include @@ -4544,15 +4545,16 @@ add_scep_ca(const char *argv0, int argc, const char **argv) int c, prefer_non_renewal = 0, verbose = 0; dbus_bool_t b; static DBusMessage *req, *rep; + const char *poptarg; poptContext pctx; struct poptOption popts[] = { {"ca", 'c', POPT_ARG_STRING, &caname, 0, _("nickname to give to the new CA configuration"), HELP_TYPE_NAME}, {"url", 'u', POPT_ARG_STRING, &url, 0, _("location of SCEP server"), HELP_TYPE_URL}, {"id", 'i', POPT_ARG_STRING, &id, 0, _("CA identifier"), HELP_TYPE_ID}, - {"ca-cert", 'R', POPT_ARG_STRING, &root, 0, _("file containing CA's certificate"), HELP_TYPE_FILENAME}, - {"ra-cert", 'r', POPT_ARG_STRING, &racert, 0, _("file containing RA's certificate"), HELP_TYPE_FILENAME}, - {"other-certs", 'I', POPT_ARG_STRING, &certs, 0, _("file containing certificates in RA's certifying chain"), HELP_TYPE_FILENAME}, - {"signingca", 'N', POPT_ARG_STRING, &signingca, 0, _("the CA certificate which signed the RA certificate"), HELP_TYPE_FILENAME}, + {"ca-cert", 'R', POPT_ARG_STRING, NULL, 'R', _("file containing CA's certificate"), HELP_TYPE_FILENAME}, + {"ra-cert", 'r', POPT_ARG_STRING, NULL, 'r', _("file containing RA's certificate"), HELP_TYPE_FILENAME}, + {"other-certs", 'I', POPT_ARG_STRING, NULL, 'I', _("file containing certificates in RA's certifying chain"), HELP_TYPE_FILENAME}, + {"signingca", 'N', POPT_ARG_STRING, NULL, 'N', _("the CA certificate which signed the RA certificate"), HELP_TYPE_FILENAME}, {"non-renewal", 'n', POPT_ARG_NONE, &prefer_non_renewal, 0, _("prefer to not use the SCEP Renewal feature"), NULL}, {"session", 's', POPT_ARG_NONE, NULL, 's', _("connect to the certmonger service on the session bus"), NULL}, {"system", 'S', POPT_ARG_NONE, NULL, 'S', _("connect to the certmonger service on the system bus"), NULL}, @@ -4572,6 +4574,7 @@ add_scep_ca(const char *argv0, int argc, const char **argv) return 1; } while ((c = poptGetNextOpt(pctx)) > 0) { + poptarg = poptGetOptArg(pctx); switch (c) { case 's': bus = cm_tdbus_session; @@ -4586,6 +4589,34 @@ add_scep_ca(const char *argv0, int argc, const char **argv) poptPrintHelp(pctx, stdout, 0); return 1; break; + case 'R': + if (validate_pem(globals.tctx, poptarg) != 0) { + printf("The root certificate(s) in %s is not valid PEM\n", poptarg); + return 1; + } + root = talloc_strdup(globals.tctx, poptarg); + break; + case 'r': + if (validate_pem(globals.tctx, poptarg) != 0) { + printf("The RA certificate(s) in %s is not valid PEM\n", poptarg); + return 1; + } + racert = talloc_strdup(globals.tctx, poptarg); + break; + case 'I': + if (validate_pem(globals.tctx, poptarg) != 0) { + printf("The certificate(s) in %s is not valid PEM\n", poptarg); + return 1; + } + certs = talloc_strdup(globals.tctx, poptarg); + break; + case 'N': + if (validate_pem(globals.tctx, poptarg) != 0) { + printf("The certificate(s) in %s is not valid PEM\n", poptarg); + return 1; + } + signingca = talloc_strdup(globals.tctx, poptarg); + break; } } if (c != -1) { diff --git a/src/util-o.c b/src/util-o.c index db45964..c05872c 100644 --- a/src/util-o.c +++ b/src/util-o.c @@ -598,3 +598,147 @@ util_private_EVP_PKEY_dup(EVP_PKEY *pkey) { return util_EVP_PKEY_dup(pkey, i2d_PrivateKey, d2i_PrivateKey); } + +static unsigned char * +decode_base64(const unsigned char *input, int length, int *outlength) { + int expected_len; + unsigned char *output; + int output_len; + + expected_len = 3 * length / 4; + output = calloc(expected_len + 1, 1); + output_len = EVP_DecodeBlock(output, input, length); + + if (output_len < 0) { + *outlength = -1; + free(output); + return NULL; + } + if (output_len % 3 != 0) { + *outlength = -1; + free(output); + return NULL; + } + if (expected_len != output_len) { + *outlength = -1; + free(output); + return NULL; + } + *outlength = output_len; + return output; +} + +int +validate_pem(void *parent, const char *path) +{ + char *p; + char *s = NULL, *sp, *sq; + int ret = 0; + FILE *fp; + struct stat st; + char *tmp1 = NULL; + unsigned char *tmp2 = NULL; + char *buffer; + int n, i, length; + int found = 0; + + fp = fopen(path, "r"); + if (fp == NULL) { + printf("Unable to open %s for reading: %s\n", + path, strerror(errno)); + return -1; + } + if (fstat(fileno(fp), &st) == -1) { + printf("Error opening %s for reading: %s\n", + path, strerror(errno)); + fclose(fp); + return -1; + } + if (st.st_size == 0) { + printf("%s is an empty file.\n", path); + fclose(fp); + return -1; + } + + buffer = malloc(st.st_size + 1); + if (buffer == NULL) { + printf("Error allocating memory.\n"); + fclose(fp); + return -1; + } + + n = 0; + while (n < st.st_size) { + i = fread(buffer + n, 1, st.st_size - n, fp); + if (i <= 0) { + printf("Error reading %s: %s.\n", + path, strerror(errno)); + fclose(fp); + ret = -1; + goto done; + } + n += i; + } + fclose(fp); + buffer[st.st_size] = '\0'; + length = st.st_size; + s = malloc(length + 1); + if (s == NULL) { + printf("Error allocating memory.\n"); + ret = -1; + goto done; + } + memcpy(s, buffer, length); + s[length] = '\0'; + sp = s; + tmp1 = NULL; + tmp2 = NULL; + while ((sp = strstr(sp, "-----BEGIN")) != NULL) { + sq = strstr(sp, "-----END"); + if (sq != NULL) { + found++; + sq += strcspn(sq, "\r\n"); + sq += strspn(sq, "\r\n"); + + /* Strip down to pure base64 so no headers, new lines or cr */ + tmp1 = strndup(sp, sq - sp); + p = strstr(tmp1, "-----BEGIN"); + if (p != NULL) { + p += strcspn(p, "\n"); + if (*p == '\n') { + p++; + } + memmove(tmp1, p, strlen(p) + 1); + } + p = strstr(tmp1, "\n-----END"); + if (p != NULL) { + *p = '\0'; + } + while ((p = strchr(tmp1, '\r')) != NULL) { + memmove(p, p + 1, strlen(p)); + } + while ((p = strchr(tmp1, '\n')) != NULL) { + memmove(p, p + 1, strlen(p)); + } + length = 0; + tmp2 = decode_base64((unsigned char *)tmp1, strlen(tmp1), &length); + if (length < 0) { + ret = -1; + goto done; + } + sp = sq; + } + } + + if (found == 0) { + ret = -1; + } + +done: + free(buffer); + free(s); + free(tmp1); + free(tmp2); + + return ret; +} diff --git a/src/util-o.h b/src/util-o.h index 916777b..8550e07 100644 --- a/src/util-o.h +++ b/src/util-o.h @@ -16,6 +16,12 @@ */ #ifndef utilo_h +#include +#include +#include +#include +#include + #define utilo_h struct cm_store_entry; @@ -71,5 +77,6 @@ int util_X509_set1_version(X509 *x, ASN1_INTEGER *version); void util_NETSCAPE_SPKI_set_sig_alg(NETSCAPE_SPKI *spki, const X509_ALGOR *sig_alg); EVP_PKEY *util_public_EVP_PKEY_dup(EVP_PKEY *pkey); EVP_PKEY *util_private_EVP_PKEY_dup(EVP_PKEY *pkey); +int validate_pem(void *parent, const char *path); #endif diff --git a/tests/040-pem/bad.empty b/tests/040-pem/bad.empty new file mode 100644 index 0000000..e69de29 diff --git a/tests/040-pem/bad.isrg-root-x1-cross-signed.der.b64 b/tests/040-pem/bad.isrg-root-x1-cross-signed.der.b64 new file mode 100644 index 0000000..f9d7e5b --- /dev/null +++ b/tests/040-pem/bad.isrg-root-x1-cross-signed.der.b64 @@ -0,0 +1,25 @@ +MIIFYDCCBEigAwIBAgIQQAF3ITfU6UK47naqPGQKtzANBgkqhkiG9w0BAQsFADA/MSQwIgYDVQQK +ExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMTDkRTVCBSb290IENBIFgzMB4X +DTIxMDEyMDE5MTQwM1oXDTI0MDkzMDE4MTQwM1owTzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIElu +dGVybmV0IFNlY3VyaXR5IFJlc2VhcmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwggIi +MA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCt6CRz9BQ385ueK1coHIe+3LffOJCMbjzmV6B4 +93XCov71am72AE8o295ohmxEk7axY/0UEmu/H9LqMZshftEzPLpI9d1537O4/xLxIZpLwYqGcWlK +ZmZsj348cL+tKSIG8+TA5oCu4kuPt5l+lAOf00eXfJlII1PoOK5PCm+DLtFJV4yAdLbaL9A4jXsD +cCEbdfIwPPqPrt3aY6vrFk/CjhFLfs8L6P+1dy70sntK4EwSJQxwjQMpoOFTJOwT2e4ZvxCzSow/ +iaNhUd6shweU9GNx7C7ib1uYgeGJXDR5bHbvO5BieebbpJovJsXQEOEO3tkQjhb7t/eo98flAgeY +jzYIlefiN5YNNnWe+w5ysR2bvAP5SQXYgd0FtCrWQemsAXaVCg/Y39W9Eh81LygXbNKYwagJZHdu +Rze6zqxZXmidf3LWicUGQSk+WT7dJvUkyRGnWqNMQB9GoZm1pzpRboY7nn1ypxIFeFntPlF4FQsD +j43QLwWyPntKHEtzBRL8xurgUBN8Q5N0s8p0544fAQjQMNRbcTa0B7rBMDBcSLeCO5imfWCKoqMp +gsy6vYMEG6KDA0Gh1gXxG8K28Kh8hjtGqEgqiNx2mna/H2qlPRmP6zjzZN7IKw0KKP/32+IVQtQi +0Cdd4Xn+GOdwiK1O5tmLOsbdJ1Fu/7xk9TNDTwIDAQABo4IBRjCCAUIwDwYDVR0TAQH/BAUwAwEB +/zAOBgNVHQ8BAf8EBAMCAQYwSwYIKwYBBQUHAQEEPzA9MDsGCCsGAQUFBzAChi9odHRwOi8vYXBw +cy5pZGVudHJ1c3QuY29tL3Jvb3RzL2RzdHJvb3RjYXgzLnA3YzAfBgNVHSMEGDAWgBTEp7Gkeyxx ++tvhS5B1/8QVYIWJEDBUBgNVHSAETTBLMAgGBmeBDAECATA/BgsrBgEEAYLfEwEBATAwMC4GCCsG +AQUFBwIBFiJodHRwOi8vY3BzLnJvb3QteDEubGV0c2VuY3J5cHQub3JnMDwGA1UdHwQ1MDMwMaAv +oC2GK2h0dHA6Ly9jcmwuaWRlbnRydXN0LmNvbS9EU1RST09UQ0FYM0NSTC5jcmwwHQYDVR0OBBYE +FHm0WeZ7tuXkAXOACIjIGlj26ZtuMA0GCSqGSIb3DQEBCwUAA4IBAQAKcwBslm7/DlLQrt2M51oG +rS+o44+/yQoDFVDC5WxCu2+b9LRPwkSICHXM6webFGJueN7sJ7o5XPWioW5WlHAQU7G75K/QosMr +AdSW9MUgNTP52GE24HGNtLi1qoJFlcDyqSMo59ahy2cI2qBDLKobkx/J3vWraV0T9VuGWCLKTVXk +cGdtwlfFRjlBz4pYg1htmf5X6DYO8A4jqv2Il9DjXA6USbW1FzXSLr9Ohe8Y4IWS6wY7bCkjCWDc +RQJMEhg76fsO3txE+FiYruq9RUWhiF1myv4Q6W+CyBFCDfvp7OOGAN6dEOM4+qR9sdjoSYKEBpsr +6GtPAQw4dy753ec5 diff --git a/tests/040-pem/expected.out b/tests/040-pem/expected.out new file mode 100644 index 0000000..0459fd2 --- /dev/null +++ b/tests/040-pem/expected.out @@ -0,0 +1,7 @@ +OK +OK +OK +got expected error with bad.empty +got expected error with bad.isrg-root-x1-cross-signed.der +got expected error with bad.notfound +OK diff --git a/tests/040-pem/good.isrg-root-x1-cross-signed.pem b/tests/040-pem/good.isrg-root-x1-cross-signed.pem new file mode 100644 index 0000000..239794a --- /dev/null +++ b/tests/040-pem/good.isrg-root-x1-cross-signed.pem @@ -0,0 +1,31 @@ +-----BEGIN CERTIFICATE----- +MIIFYDCCBEigAwIBAgIQQAF3ITfU6UK47naqPGQKtzANBgkqhkiG9w0BAQsFADA/ +MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT +DkRTVCBSb290IENBIFgzMB4XDTIxMDEyMDE5MTQwM1oXDTI0MDkzMDE4MTQwM1ow +TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh +cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwggIiMA0GCSqGSIb3DQEB +AQUAA4ICDwAwggIKAoICAQCt6CRz9BQ385ueK1coHIe+3LffOJCMbjzmV6B493XC +ov71am72AE8o295ohmxEk7axY/0UEmu/H9LqMZshftEzPLpI9d1537O4/xLxIZpL +wYqGcWlKZmZsj348cL+tKSIG8+TA5oCu4kuPt5l+lAOf00eXfJlII1PoOK5PCm+D +LtFJV4yAdLbaL9A4jXsDcCEbdfIwPPqPrt3aY6vrFk/CjhFLfs8L6P+1dy70sntK +4EwSJQxwjQMpoOFTJOwT2e4ZvxCzSow/iaNhUd6shweU9GNx7C7ib1uYgeGJXDR5 +bHbvO5BieebbpJovJsXQEOEO3tkQjhb7t/eo98flAgeYjzYIlefiN5YNNnWe+w5y +sR2bvAP5SQXYgd0FtCrWQemsAXaVCg/Y39W9Eh81LygXbNKYwagJZHduRze6zqxZ +Xmidf3LWicUGQSk+WT7dJvUkyRGnWqNMQB9GoZm1pzpRboY7nn1ypxIFeFntPlF4 +FQsDj43QLwWyPntKHEtzBRL8xurgUBN8Q5N0s8p0544fAQjQMNRbcTa0B7rBMDBc +SLeCO5imfWCKoqMpgsy6vYMEG6KDA0Gh1gXxG8K28Kh8hjtGqEgqiNx2mna/H2ql +PRmP6zjzZN7IKw0KKP/32+IVQtQi0Cdd4Xn+GOdwiK1O5tmLOsbdJ1Fu/7xk9TND +TwIDAQABo4IBRjCCAUIwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYw +SwYIKwYBBQUHAQEEPzA9MDsGCCsGAQUFBzAChi9odHRwOi8vYXBwcy5pZGVudHJ1 +c3QuY29tL3Jvb3RzL2RzdHJvb3RjYXgzLnA3YzAfBgNVHSMEGDAWgBTEp7Gkeyxx ++tvhS5B1/8QVYIWJEDBUBgNVHSAETTBLMAgGBmeBDAECATA/BgsrBgEEAYLfEwEB +ATAwMC4GCCsGAQUFBwIBFiJodHRwOi8vY3BzLnJvb3QteDEubGV0c2VuY3J5cHQu +b3JnMDwGA1UdHwQ1MDMwMaAvoC2GK2h0dHA6Ly9jcmwuaWRlbnRydXN0LmNvbS9E +U1RST09UQ0FYM0NSTC5jcmwwHQYDVR0OBBYEFHm0WeZ7tuXkAXOACIjIGlj26Ztu +MA0GCSqGSIb3DQEBCwUAA4IBAQAKcwBslm7/DlLQrt2M51oGrS+o44+/yQoDFVDC +5WxCu2+b9LRPwkSICHXM6webFGJueN7sJ7o5XPWioW5WlHAQU7G75K/QosMrAdSW +9MUgNTP52GE24HGNtLi1qoJFlcDyqSMo59ahy2cI2qBDLKobkx/J3vWraV0T9VuG +WCLKTVXkcGdtwlfFRjlBz4pYg1htmf5X6DYO8A4jqv2Il9DjXA6USbW1FzXSLr9O +he8Y4IWS6wY7bCkjCWDcRQJMEhg76fsO3txE+FiYruq9RUWhiF1myv4Q6W+CyBFC +Dfvp7OOGAN6dEOM4+qR9sdjoSYKEBpsr6GtPAQw4dy753ec5 +-----END CERTIFICATE----- diff --git a/tests/040-pem/good.isrg-root-x1-cross-signed_cr.pem b/tests/040-pem/good.isrg-root-x1-cross-signed_cr.pem new file mode 100644 index 0000000..239794a --- /dev/null +++ b/tests/040-pem/good.isrg-root-x1-cross-signed_cr.pem @@ -0,0 +1,31 @@ +-----BEGIN CERTIFICATE----- +MIIFYDCCBEigAwIBAgIQQAF3ITfU6UK47naqPGQKtzANBgkqhkiG9w0BAQsFADA/ +MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT +DkRTVCBSb290IENBIFgzMB4XDTIxMDEyMDE5MTQwM1oXDTI0MDkzMDE4MTQwM1ow +TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh +cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwggIiMA0GCSqGSIb3DQEB +AQUAA4ICDwAwggIKAoICAQCt6CRz9BQ385ueK1coHIe+3LffOJCMbjzmV6B493XC +ov71am72AE8o295ohmxEk7axY/0UEmu/H9LqMZshftEzPLpI9d1537O4/xLxIZpL +wYqGcWlKZmZsj348cL+tKSIG8+TA5oCu4kuPt5l+lAOf00eXfJlII1PoOK5PCm+D +LtFJV4yAdLbaL9A4jXsDcCEbdfIwPPqPrt3aY6vrFk/CjhFLfs8L6P+1dy70sntK +4EwSJQxwjQMpoOFTJOwT2e4ZvxCzSow/iaNhUd6shweU9GNx7C7ib1uYgeGJXDR5 +bHbvO5BieebbpJovJsXQEOEO3tkQjhb7t/eo98flAgeYjzYIlefiN5YNNnWe+w5y +sR2bvAP5SQXYgd0FtCrWQemsAXaVCg/Y39W9Eh81LygXbNKYwagJZHduRze6zqxZ +Xmidf3LWicUGQSk+WT7dJvUkyRGnWqNMQB9GoZm1pzpRboY7nn1ypxIFeFntPlF4 +FQsDj43QLwWyPntKHEtzBRL8xurgUBN8Q5N0s8p0544fAQjQMNRbcTa0B7rBMDBc +SLeCO5imfWCKoqMpgsy6vYMEG6KDA0Gh1gXxG8K28Kh8hjtGqEgqiNx2mna/H2ql +PRmP6zjzZN7IKw0KKP/32+IVQtQi0Cdd4Xn+GOdwiK1O5tmLOsbdJ1Fu/7xk9TND +TwIDAQABo4IBRjCCAUIwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYw +SwYIKwYBBQUHAQEEPzA9MDsGCCsGAQUFBzAChi9odHRwOi8vYXBwcy5pZGVudHJ1 +c3QuY29tL3Jvb3RzL2RzdHJvb3RjYXgzLnA3YzAfBgNVHSMEGDAWgBTEp7Gkeyxx ++tvhS5B1/8QVYIWJEDBUBgNVHSAETTBLMAgGBmeBDAECATA/BgsrBgEEAYLfEwEB +ATAwMC4GCCsGAQUFBwIBFiJodHRwOi8vY3BzLnJvb3QteDEubGV0c2VuY3J5cHQu +b3JnMDwGA1UdHwQ1MDMwMaAvoC2GK2h0dHA6Ly9jcmwuaWRlbnRydXN0LmNvbS9E +U1RST09UQ0FYM0NSTC5jcmwwHQYDVR0OBBYEFHm0WeZ7tuXkAXOACIjIGlj26Ztu +MA0GCSqGSIb3DQEBCwUAA4IBAQAKcwBslm7/DlLQrt2M51oGrS+o44+/yQoDFVDC +5WxCu2+b9LRPwkSICHXM6webFGJueN7sJ7o5XPWioW5WlHAQU7G75K/QosMrAdSW +9MUgNTP52GE24HGNtLi1qoJFlcDyqSMo59ahy2cI2qBDLKobkx/J3vWraV0T9VuG +WCLKTVXkcGdtwlfFRjlBz4pYg1htmf5X6DYO8A4jqv2Il9DjXA6USbW1FzXSLr9O +he8Y4IWS6wY7bCkjCWDcRQJMEhg76fsO3txE+FiYruq9RUWhiF1myv4Q6W+CyBFC +Dfvp7OOGAN6dEOM4+qR9sdjoSYKEBpsr6GtPAQw4dy753ec5 +-----END CERTIFICATE----- diff --git a/tests/040-pem/good.lets_encrypt_chain.pem b/tests/040-pem/good.lets_encrypt_chain.pem new file mode 100644 index 0000000..29a16ff --- /dev/null +++ b/tests/040-pem/good.lets_encrypt_chain.pem @@ -0,0 +1,93 @@ +-----BEGIN CERTIFICATE----- +MIIFjTCCA3WgAwIBAgIRANOxciY0IzLc9AUoUSrsnGowDQYJKoZIhvcNAQELBQAw +TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh +cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMTYxMDA2MTU0MzU1 +WhcNMjExMDA2MTU0MzU1WjBKMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNTGV0J3Mg +RW5jcnlwdDEjMCEGA1UEAxMaTGV0J3MgRW5jcnlwdCBBdXRob3JpdHkgWDMwggEi +MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCc0wzwWuUuR7dyXTeDs2hjMOrX +NSYZJeG9vjXxcJIvt7hLQQWrqZ41CFjssSrEaIcLo+N15Obzp2JxunmBYB/XkZqf +89B4Z3HIaQ6Vkc/+5pnpYDxIzH7KTXcSJJ1HG1rrueweNwAcnKx7pwXqzkrrvUHl +Npi5y/1tPJZo3yMqQpAMhnRnyH+lmrhSYRQTP2XpgofL2/oOVvaGifOFP5eGr7Dc +Gu9rDZUWfcQroGWymQQ2dYBrrErzG5BJeC+ilk8qICUpBMZ0wNAxzY8xOJUWuqgz +uEPxsR/DMH+ieTETPS02+OP88jNquTkxxa/EjQ0dZBYzqvqEKbbUC8DYfcOTAgMB +AAGjggFnMIIBYzAOBgNVHQ8BAf8EBAMCAYYwEgYDVR0TAQH/BAgwBgEB/wIBADBU +BgNVHSAETTBLMAgGBmeBDAECATA/BgsrBgEEAYLfEwEBATAwMC4GCCsGAQUFBwIB +FiJodHRwOi8vY3BzLnJvb3QteDEubGV0c2VuY3J5cHQub3JnMB0GA1UdDgQWBBSo +SmpjBH3duubRObemRWXv86jsoTAzBgNVHR8ELDAqMCigJqAkhiJodHRwOi8vY3Js +LnJvb3QteDEubGV0c2VuY3J5cHQub3JnMHIGCCsGAQUFBwEBBGYwZDAwBggrBgEF +BQcwAYYkaHR0cDovL29jc3Aucm9vdC14MS5sZXRzZW5jcnlwdC5vcmcvMDAGCCsG +AQUFBzAChiRodHRwOi8vY2VydC5yb290LXgxLmxldHNlbmNyeXB0Lm9yZy8wHwYD +VR0jBBgwFoAUebRZ5nu25eQBc4AIiMgaWPbpm24wDQYJKoZIhvcNAQELBQADggIB +ABnPdSA0LTqmRf/Q1eaM2jLonG4bQdEnqOJQ8nCqxOeTRrToEKtwT++36gTSlBGx +A/5dut82jJQ2jxN8RI8L9QFXrWi4xXnA2EqA10yjHiR6H9cj6MFiOnb5In1eWsRM +UM2v3e9tNsCAgBukPHAg1lQh07rvFKm/Bz9BCjaxorALINUfZ9DD64j2igLIxle2 +DPxW8dI/F2loHMjXZjqG8RkqZUdoxtID5+90FgsGIfkMpqgRS05f4zPbCEHqCXl1 +eO5HyELTgcVlLXXQDgAWnRzut1hFJeczY1tjQQno6f6s+nMydLN26WuU4s3UYvOu +OsUxRlJu7TSRHqDC3lSE5XggVkzdaPkuKGQbGpny+01/47hfXXNB7HntWNZ6N2Vw +p7G6OfY+YQrZwIaQmhrIqJZuigsrbe3W+gdn5ykE9+Ky0VgVUsfxo52mwFYs1JKY +2PGDuWx8M6DlS6qQkvHaRUo0FMd8TsSlbF0/v965qGFKhSDeQoMpYnwcmQilRh/0 +ayLThlHLN81gSkJjVrPI0Y8xCVPB4twb1PFUd2fPM3sA1tJ83sZ5v8vgFv2yofKR +PB0t6JzUA81mSqM3kxl5e+IZwhYAyO0OTg3/fs8HqGTNKd9BqoUwSRBzp06JMg5b +rUCGwbCUDI0mxadJ3Bz4WxR6fyNpBK2yAinWEsikxqEt +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIFFjCCAv6gAwIBAgIRAJErCErPDBinU/bWLiWnX1owDQYJKoZIhvcNAQELBQAw +TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh +cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMjAwOTA0MDAwMDAw +WhcNMjUwOTE1MTYwMDAwWjAyMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNTGV0J3Mg +RW5jcnlwdDELMAkGA1UEAxMCUjMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK +AoIBAQC7AhUozPaglNMPEuyNVZLD+ILxmaZ6QoinXSaqtSu5xUyxr45r+XXIo9cP +R5QUVTVXjJ6oojkZ9YI8QqlObvU7wy7bjcCwXPNZOOftz2nwWgsbvsCUJCWH+jdx +sxPnHKzhm+/b5DtFUkWWqcFTzjTIUu61ru2P3mBw4qVUq7ZtDpelQDRrK9O8Zutm +NHz6a4uPVymZ+DAXXbpyb/uBxa3Shlg9F8fnCbvxK/eG3MHacV3URuPMrSXBiLxg +Z3Vms/EY96Jc5lP/Ooi2R6X/ExjqmAl3P51T+c8B5fWmcBcUr2Ok/5mzk53cU6cG +/kiFHaFpriV1uxPMUgP17VGhi9sVAgMBAAGjggEIMIIBBDAOBgNVHQ8BAf8EBAMC +AYYwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMBIGA1UdEwEB/wQIMAYB +Af8CAQAwHQYDVR0OBBYEFBQusxe3WFbLrlAJQOYfr52LFMLGMB8GA1UdIwQYMBaA +FHm0WeZ7tuXkAXOACIjIGlj26ZtuMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcw +AoYWaHR0cDovL3gxLmkubGVuY3Iub3JnLzAnBgNVHR8EIDAeMBygGqAYhhZodHRw +Oi8veDEuYy5sZW5jci5vcmcvMCIGA1UdIAQbMBkwCAYGZ4EMAQIBMA0GCysGAQQB +gt8TAQEBMA0GCSqGSIb3DQEBCwUAA4ICAQCFyk5HPqP3hUSFvNVneLKYY611TR6W +PTNlclQtgaDqw+34IL9fzLdwALduO/ZelN7kIJ+m74uyA+eitRY8kc607TkC53wl +ikfmZW4/RvTZ8M6UK+5UzhK8jCdLuMGYL6KvzXGRSgi3yLgjewQtCPkIVz6D2QQz +CkcheAmCJ8MqyJu5zlzyZMjAvnnAT45tRAxekrsu94sQ4egdRCnbWSDtY7kh+BIm +lJNXoB1lBMEKIq4QDUOXoRgffuDghje1WrG9ML+Hbisq/yFOGwXD9RiX8F6sw6W4 +avAuvDszue5L3sz85K+EC4Y/wFVDNvZo4TYXao6Z0f+lQKc0t8DQYzk1OXVu8rp2 +yJMC6alLbBfODALZvYH7n7do1AZls4I9d1P4jnkDrQoxB3UqQ9hVl3LEKQ73xF1O +yK5GhDDX8oVfGKF5u+decIsH4YaTw7mP3GFxJSqv3+0lUFJoi5Lc5da149p90Ids +hCExroL1+7mryIkXPeFM5TgO9r0rvZaBFOvV2z0gp35Z0+L4WPlbuEjN/lxPFin+ +HlUjr8gRsI3qfJOQFy/9rKIJR0Y/8Omwt/8oTWgy1mdeHmmjk7j1nYsvC9JSQ6Zv +MldlTTKB3zhThV1+XWYp6rjd5JW1zbVWEkLNxE7GJThEUG3szgBVGP7pSWTUTsqX +nLRbwHOoq7hHwg== +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIFYDCCBEigAwIBAgIQQAF3ITfU6UK47naqPGQKtzANBgkqhkiG9w0BAQsFADA/ +MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT +DkRTVCBSb290IENBIFgzMB4XDTIxMDEyMDE5MTQwM1oXDTI0MDkzMDE4MTQwM1ow +TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh +cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwggIiMA0GCSqGSIb3DQEB +AQUAA4ICDwAwggIKAoICAQCt6CRz9BQ385ueK1coHIe+3LffOJCMbjzmV6B493XC +ov71am72AE8o295ohmxEk7axY/0UEmu/H9LqMZshftEzPLpI9d1537O4/xLxIZpL +wYqGcWlKZmZsj348cL+tKSIG8+TA5oCu4kuPt5l+lAOf00eXfJlII1PoOK5PCm+D +LtFJV4yAdLbaL9A4jXsDcCEbdfIwPPqPrt3aY6vrFk/CjhFLfs8L6P+1dy70sntK +4EwSJQxwjQMpoOFTJOwT2e4ZvxCzSow/iaNhUd6shweU9GNx7C7ib1uYgeGJXDR5 +bHbvO5BieebbpJovJsXQEOEO3tkQjhb7t/eo98flAgeYjzYIlefiN5YNNnWe+w5y +sR2bvAP5SQXYgd0FtCrWQemsAXaVCg/Y39W9Eh81LygXbNKYwagJZHduRze6zqxZ +Xmidf3LWicUGQSk+WT7dJvUkyRGnWqNMQB9GoZm1pzpRboY7nn1ypxIFeFntPlF4 +FQsDj43QLwWyPntKHEtzBRL8xurgUBN8Q5N0s8p0544fAQjQMNRbcTa0B7rBMDBc +SLeCO5imfWCKoqMpgsy6vYMEG6KDA0Gh1gXxG8K28Kh8hjtGqEgqiNx2mna/H2ql +PRmP6zjzZN7IKw0KKP/32+IVQtQi0Cdd4Xn+GOdwiK1O5tmLOsbdJ1Fu/7xk9TND +TwIDAQABo4IBRjCCAUIwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYw +SwYIKwYBBQUHAQEEPzA9MDsGCCsGAQUFBzAChi9odHRwOi8vYXBwcy5pZGVudHJ1 +c3QuY29tL3Jvb3RzL2RzdHJvb3RjYXgzLnA3YzAfBgNVHSMEGDAWgBTEp7Gkeyxx ++tvhS5B1/8QVYIWJEDBUBgNVHSAETTBLMAgGBmeBDAECATA/BgsrBgEEAYLfEwEB +ATAwMC4GCCsGAQUFBwIBFiJodHRwOi8vY3BzLnJvb3QteDEubGV0c2VuY3J5cHQu +b3JnMDwGA1UdHwQ1MDMwMaAvoC2GK2h0dHA6Ly9jcmwuaWRlbnRydXN0LmNvbS9E +U1RST09UQ0FYM0NSTC5jcmwwHQYDVR0OBBYEFHm0WeZ7tuXkAXOACIjIGlj26Ztu +MA0GCSqGSIb3DQEBCwUAA4IBAQAKcwBslm7/DlLQrt2M51oGrS+o44+/yQoDFVDC +5WxCu2+b9LRPwkSICHXM6webFGJueN7sJ7o5XPWioW5WlHAQU7G75K/QosMrAdSW +9MUgNTP52GE24HGNtLi1qoJFlcDyqSMo59ahy2cI2qBDLKobkx/J3vWraV0T9VuG +WCLKTVXkcGdtwlfFRjlBz4pYg1htmf5X6DYO8A4jqv2Il9DjXA6USbW1FzXSLr9O +he8Y4IWS6wY7bCkjCWDcRQJMEhg76fsO3txE+FiYruq9RUWhiF1myv4Q6W+CyBFC +Dfvp7OOGAN6dEOM4+qR9sdjoSYKEBpsr6GtPAQw4dy753ec5 +-----END CERTIFICATE----- diff --git a/tests/040-pem/run.sh b/tests/040-pem/run.sh new file mode 100755 index 0000000..1d4d1f4 --- /dev/null +++ b/tests/040-pem/run.sh @@ -0,0 +1,21 @@ +#!/bin/bash -e + +cd "$tmpdir" +cp -p "$srcdir"/040-pem/bad.* $tmpdir +base64 -d < "$tmpdir"/bad.isrg-root-x1-cross-signed.der.b64 > "$tmpdir"/bad.isrg-root-x1-cross-signed.der +rm -f "$tmpdir"/bad.isrg-root-x1-cross-signed.der.b64 + +for good in "$srcdir"/040-pem/good.* ; do + if ! "$toolsdir"/pem "$good" ; then + exit 1 + fi +done +for bad in "$tmpdir"/bad.* bad.notfound; do + if "$toolsdir"/pem "$bad" > /dev/null; then + echo unexpected success with `basename "$bad"` + exit 1 + else + echo got expected error with `basename "$bad"` + fi +done +echo OK diff --git a/tests/Makefile.am b/tests/Makefile.am index 013d34b..e20b6d8 100644 --- a/tests/Makefile.am +++ b/tests/Makefile.am @@ -132,6 +132,8 @@ CLEANFILES = \ 038-ms-v2-template/actual.err \ 039-fromfile/actual.out \ 039-fromfile/actual.err + 040-pem/actual.out \ + 040-pem/actual.err EXTRA_DIST = \ run-tests.sh functions certmonger.conf tools/cachain.sh \ 001-keyiread/run.sh \ @@ -353,7 +355,8 @@ EXTRA_DIST = \ 038-ms-v2-template/expected.out \ 038-ms-v2-template/extract-extdata.py \ 038-ms-v2-template/run.sh \ - 039-fromfile/run.sh + 039-fromfile/run.sh \ + 040-pem/run.sh subdirs = \ 001-keyiread \ @@ -388,7 +391,8 @@ subdirs = \ 036-getcert \ 037-rekey2 \ 038-ms-v2-template \ - 039-fromfile + 039-fromfile \ + 040-pem if HAVE_DBM_NSSDB subdirs += \ diff --git a/tests/tools/Makefile.am b/tests/tools/Makefile.am index 53f658e..1a01ee6 100644 --- a/tests/tools/Makefile.am +++ b/tests/tools/Makefile.am @@ -16,7 +16,8 @@ endif noinst_PROGRAMS = keyiread keygen csrgen submit certread certsave oid2name \ name2oid iterate prefs dates listnicks pem2base base2pem \ dparse payload checksig base64 cadata citerate casave hooks \ - libexecdir canon srv addcinfo ls json json-utf8 printenv fromfile + libexecdir canon srv addcinfo ls json json-utf8 printenv fromfile \ + pem noinst_LIBRARIES = libtools.a if HAVE_OPENSSL noinst_PROGRAMS += pk7parse pk7env scepgen pk7verify pk7decrypt diff --git a/tests/tools/pem.c b/tests/tools/pem.c new file mode 100644 index 0000000..4fdd4f4 --- /dev/null +++ b/tests/tools/pem.c @@ -0,0 +1,69 @@ +/* + * Copyright (C) 2021 Red Hat, Inc. + * + * This program is free software: you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation, either version 3 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program. If not, see . + */ + +#include "../../src/config.h" + +#include +#include +#include +#ifdef HAVE_INTTYPES_H +#include +#endif +#include +#include +#include +#include +#include + +#include + +#include + +#include "../../src/util-o.h" + +int +main(int argc, const char **argv) +{ + const char *filename; + void *parent; + int i, ret = 0; + poptContext pctx; + struct poptOption popts[] = { + POPT_AUTOHELP + POPT_TABLEEND + }; + + parent = talloc_new(NULL); + pctx = poptGetContext("pem", argc, argv, popts, 0); + while ((i = poptGetNextOpt(pctx)) > 0) { + continue; + } + if (i != -1) { + poptPrintUsage(pctx, stdout, 0); + return 1; + } + while ((filename = poptGetArg(pctx)) != NULL) { + if (validate_pem(parent, (char *)filename) == 0) { + printf("OK\n"); + } else { + ret = 1; + } + } + talloc_free(parent); + poptFreeContext(pctx); + return ret; +} -- 2.31.1