Merge pull request #1177 from dgarske/certreq_tests

Testing improvements for cert gen and TLS cert validation

.gitignore

@@ -81,6 +81,8 @@ certecc.der
 certecc.pem
 othercert.der
 othercert.pem
+certeccrsa.der
+certeccrsa.pem
 ntru-cert.der
 ntru-cert.pem
 ntru-key.raw

certs/ca-ecc-cert.pem

@@ -0,0 +1,53 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            97:b4:bd:16:78:f8:47:f2
+    Signature Algorithm: ecdsa-with-SHA256
+        Issuer: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Development, CN=www.wolfssl.com/[email protected]
+        Validity
+            Not Before: Oct 20 18:19:06 2017 GMT
+            Not After : Oct 15 18:19:06 2037 GMT
+        Subject: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Development, CN=www.wolfssl.com/[email protected]
+        Subject Public Key Info:
+            Public Key Algorithm: id-ecPublicKey
+                Public-Key: (256 bit)
+                pub: 
+                    04:02:d3:d9:6e:d6:01:8e:45:c8:b9:90:31:e5:c0:
+                    4c:e3:9e:ad:29:38:98:ba:10:d6:e9:09:2a:80:a9:
+                    2e:17:2a:b9:8a:bf:33:83:46:e3:95:0b:e4:77:40:
+                    b5:3b:43:45:33:0f:61:53:7c:37:44:c1:cb:fc:80:
+                    ca:e8:43:ea:a7
+                ASN1 OID: prime256v1
+                NIST CURVE: P-256
+        X509v3 extensions:
+            X509v3 Subject Key Identifier: 
+                56:8E:9A:C3:F0:42:DE:18:B9:45:55:6E:F9:93:CF:EA:C3:F3:A5:21
+            X509v3 Authority Key Identifier: 
+                keyid:56:8E:9A:C3:F0:42:DE:18:B9:45:55:6E:F9:93:CF:EA:C3:F3:A5:21
+
+            X509v3 Basic Constraints: critical
+                CA:TRUE
+            X509v3 Key Usage: critical
+                Digital Signature, Certificate Sign, CRL Sign
+    Signature Algorithm: ecdsa-with-SHA256
+         30:45:02:20:32:26:81:e4:15:ec:e3:aa:d3:e5:b8:2a:ca:a3:
+         06:a7:04:97:d8:43:7f:d4:94:47:f8:18:0d:93:52:23:8b:08:
+         02:21:00:e1:9e:34:d0:92:ee:56:0d:23:38:4a:20:bc:cf:11:
+         c3:33:77:96:81:56:2b:ca:c4:d5:c6:65:5d:36:73:2f:ba
+-----BEGIN CERTIFICATE-----
+MIICijCCAjCgAwIBAgIJAJe0vRZ4+EfyMAoGCCqGSM49BAMCMIGXMQswCQYDVQQG
+EwJVUzETMBEGA1UECAwKV2FzaGluZ3RvbjEQMA4GA1UEBwwHU2VhdHRsZTEQMA4G
+A1UECgwHd29sZlNTTDEUMBIGA1UECwwLRGV2ZWxvcG1lbnQxGDAWBgNVBAMMD3d3
+dy53b2xmc3NsLmNvbTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3b2xmc3NsLmNvbTAe
+Fw0xNzEwMjAxODE5MDZaFw0zNzEwMTUxODE5MDZaMIGXMQswCQYDVQQGEwJVUzET
+MBEGA1UECAwKV2FzaGluZ3RvbjEQMA4GA1UEBwwHU2VhdHRsZTEQMA4GA1UECgwH
+d29sZlNTTDEUMBIGA1UECwwLRGV2ZWxvcG1lbnQxGDAWBgNVBAMMD3d3dy53b2xm
+c3NsLmNvbTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3b2xmc3NsLmNvbTBZMBMGByqG
+SM49AgEGCCqGSM49AwEHA0IABALT2W7WAY5FyLmQMeXATOOerSk4mLoQ1ukJKoCp
+LhcquYq/M4NG45UL5HdAtTtDRTMPYVN8N0TBy/yAyuhD6qejYzBhMB0GA1UdDgQW
+BBRWjprD8ELeGLlFVW75k8/qw/OlITAfBgNVHSMEGDAWgBRWjprD8ELeGLlFVW75
+k8/qw/OlITAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBhjAKBggqhkjO
+PQQDAgNIADBFAiAyJoHkFezjqtPluCrKowanBJfYQ3/UlEf4GA2TUiOLCAIhAOGe
+NNCS7lYNIzhKILzPEcMzd5aBVivKxNXGZV02cy+6
+-----END CERTIFICATE-----

certs/ca-ecc-key.pem

@@ -0,0 +1,5 @@
+-----BEGIN PRIVATE KEY-----
+MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgAuEzmHeXrEpZbSib
+bqCTmwdxi01gY4WZ5rsWcOkK9oChRANCAAQC09lu1gGORci5kDHlwEzjnq0pOJi6
+ENbpCSqAqS4XKrmKvzODRuOVC+R3QLU7Q0UzD2FTfDdEwcv8gMroQ+qn
+-----END PRIVATE KEY-----

certs/ca-ecc384-cert.pem

@@ -0,0 +1,58 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            f5:e1:8f:f1:4b:a6:83:8e
+    Signature Algorithm: ecdsa-with-SHA384
+        Issuer: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Development, CN=www.wolfssl.com/[email protected]
+        Validity
+            Not Before: Oct 20 18:19:06 2017 GMT
+            Not After : Oct 15 18:19:06 2037 GMT
+        Subject: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Development, CN=www.wolfssl.com/[email protected]
+        Subject Public Key Info:
+            Public Key Algorithm: id-ecPublicKey
+                Public-Key: (384 bit)
+                pub: 
+                    04:ee:82:d4:39:9a:b1:27:82:f4:d7:ea:c6:bc:03:
+                    1d:4d:83:61:f4:03:ae:7e:bd:d8:5a:a5:b9:f0:8e:
+                    a2:a5:da:ce:87:3b:5a:ab:44:16:9c:f5:9f:62:dd:
+                    f6:20:cd:9c:76:3c:40:b1:3f:97:17:df:59:f6:cd:
+                    de:cd:46:35:c0:ed:5e:2e:48:b6:66:91:71:74:b7:
+                    0c:3f:b9:9a:b7:83:bd:93:3f:5f:50:2d:70:3f:de:
+                    35:25:e1:90:3b:86:e0
+                ASN1 OID: secp384r1
+                NIST CURVE: P-384
+        X509v3 extensions:
+            X509v3 Subject Key Identifier: 
+                AB:E0:C3:26:4C:18:D4:72:BB:D2:84:8C:9C:0A:05:92:80:12:53:52
+            X509v3 Authority Key Identifier: 
+                keyid:AB:E0:C3:26:4C:18:D4:72:BB:D2:84:8C:9C:0A:05:92:80:12:53:52
+
+            X509v3 Basic Constraints: critical
+                CA:TRUE
+            X509v3 Key Usage: critical
+                Digital Signature, Certificate Sign, CRL Sign
+    Signature Algorithm: ecdsa-with-SHA384
+         30:65:02:30:17:dd:b9:a5:e0:ec:8a:03:8b:66:45:69:ad:5e:
+         ad:32:bc:45:4c:89:85:3f:a1:dd:a4:74:4b:5d:08:65:1b:d8:
+         07:00:49:5d:ef:10:fc:eb:8f:64:a8:62:99:88:20:59:02:31:
+         00:94:40:64:29:86:d0:00:76:1c:98:23:9c:b7:9b:be:78:73:
+         3a:88:be:52:00:3f:e3:81:36:d9:14:22:3d:9e:a2:8a:4a:56:
+         9c:c4:3f:5f:88:2e:b1:a7:6c:4d:0e:cc:92
+-----BEGIN CERTIFICATE-----
+MIICxzCCAk2gAwIBAgIJAPXhj/FLpoOOMAoGCCqGSM49BAMDMIGXMQswCQYDVQQG
+EwJVUzETMBEGA1UECAwKV2FzaGluZ3RvbjEQMA4GA1UEBwwHU2VhdHRsZTEQMA4G
+A1UECgwHd29sZlNTTDEUMBIGA1UECwwLRGV2ZWxvcG1lbnQxGDAWBgNVBAMMD3d3
+dy53b2xmc3NsLmNvbTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3b2xmc3NsLmNvbTAe
+Fw0xNzEwMjAxODE5MDZaFw0zNzEwMTUxODE5MDZaMIGXMQswCQYDVQQGEwJVUzET
+MBEGA1UECAwKV2FzaGluZ3RvbjEQMA4GA1UEBwwHU2VhdHRsZTEQMA4GA1UECgwH
+d29sZlNTTDEUMBIGA1UECwwLRGV2ZWxvcG1lbnQxGDAWBgNVBAMMD3d3dy53b2xm
+c3NsLmNvbTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3b2xmc3NsLmNvbTB2MBAGByqG
+SM49AgEGBSuBBAAiA2IABO6C1DmasSeC9NfqxrwDHU2DYfQDrn692FqlufCOoqXa
+zoc7WqtEFpz1n2Ld9iDNnHY8QLE/lxffWfbN3s1GNcDtXi5ItmaRcXS3DD+5mreD
+vZM/X1AtcD/eNSXhkDuG4KNjMGEwHQYDVR0OBBYEFKvgwyZMGNRyu9KEjJwKBZKA
+ElNSMB8GA1UdIwQYMBaAFKvgwyZMGNRyu9KEjJwKBZKAElNSMA8GA1UdEwEB/wQF
+MAMBAf8wDgYDVR0PAQH/BAQDAgGGMAoGCCqGSM49BAMDA2gAMGUCMBfduaXg7IoD
+i2ZFaa1erTK8RUyJhT+h3aR0S10IZRvYBwBJXe8Q/OuPZKhimYggWQIxAJRAZCmG
+0AB2HJgjnLebvnhzOoi+UgA/44E22RQiPZ6iikpWnMQ/X4gusadsTQ7Mkg==
+-----END CERTIFICATE-----

certs/ca-ecc384-key.pem

@@ -0,0 +1,6 @@
+-----BEGIN PRIVATE KEY-----
+MIG2AgEAMBAGByqGSM49AgEGBSuBBAAiBIGeMIGbAgEBBDB7FuPW0oGUbIrdqHju
+x36zxdHbLvPtDkiFsfLhejlWwPFiEg81tzm8nCXAduv+VXChZANiAATugtQ5mrEn
+gvTX6sa8Ax1Ng2H0A65+vdhapbnwjqKl2s6HO1qrRBac9Z9i3fYgzZx2PECxP5cX
+31n2zd7NRjXA7V4uSLZmkXF0tww/uZq3g72TP19QLXA/3jUl4ZA7huA=
+-----END PRIVATE KEY-----

certs/crl/caEcc384Crl.pem

@@ -0,0 +1,30 @@
+Certificate Revocation List (CRL):
+        Version 2 (0x1)
+    Signature Algorithm: ecdsa-with-SHA256
+        Issuer: /C=US/ST=Washington/L=Seattle/O=wolfSSL/OU=Development/CN=www.wolfssl.com/[email protected]
+        Last Update: Oct 20 18:19:08 2017 GMT
+        Next Update: Jul 16 18:19:08 2020 GMT
+        CRL extensions:
+            X509v3 Authority Key Identifier: 
+                keyid:AB:E0:C3:26:4C:18:D4:72:BB:D2:84:8C:9C:0A:05:92:80:12:53:52
+
+            X509v3 CRL Number: 
+                8193
+No Revoked Certificates.
+    Signature Algorithm: ecdsa-with-SHA256
+         30:65:02:31:00:ad:70:4b:08:03:b6:ab:d4:9e:8d:dd:2a:05:
+         ec:07:6b:86:61:08:69:08:1e:01:02:42:22:5f:a9:6d:4f:de:
+         20:6b:aa:a0:8f:e4:0a:8e:40:7c:cf:84:fb:10:50:01:90:02:
+         30:50:35:d3:6c:44:bd:ad:56:9d:3e:47:09:ac:b8:0d:db:5c:
+         54:f2:1c:25:fb:d2:cb:63:2b:9e:17:a3:1e:0b:ba:15:a8:65:
+         7e:5b:94:c0:11:f4:e2:c9:f1:25:ba:08:26
+-----BEGIN X509 CRL-----
+MIIBcjCB+QIBATAKBggqhkjOPQQDAjCBlzELMAkGA1UEBhMCVVMxEzARBgNVBAgM
+Cldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoMB3dvbGZTU0wx
+FDASBgNVBAsMC0RldmVsb3BtZW50MRgwFgYDVQQDDA93d3cud29sZnNzbC5jb20x
+HzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20XDTE3MTAyMDE4MTkwOFoX
+DTIwMDcxNjE4MTkwOFqgMDAuMB8GA1UdIwQYMBaAFKvgwyZMGNRyu9KEjJwKBZKA
+ElNSMAsGA1UdFAQEAgIgATAKBggqhkjOPQQDAgNoADBlAjEArXBLCAO2q9Sejd0q
+BewHa4ZhCGkIHgECQiJfqW1P3iBrqqCP5AqOQHzPhPsQUAGQAjBQNdNsRL2tVp0+
+RwmsuA3bXFTyHCX70stjK54Xox4LuhWoZX5blMAR9OLJ8SW6CCY=
+-----END X509 CRL-----

certs/crl/caEccCrl.pem

@@ -0,0 +1,28 @@
+Certificate Revocation List (CRL):
+        Version 2 (0x1)
+    Signature Algorithm: ecdsa-with-SHA256
+        Issuer: /C=US/ST=Washington/L=Seattle/O=wolfSSL/OU=Development/CN=www.wolfssl.com/[email protected]
+        Last Update: Oct 20 18:19:08 2017 GMT
+        Next Update: Jul 16 18:19:08 2020 GMT
+        CRL extensions:
+            X509v3 Authority Key Identifier: 
+                keyid:56:8E:9A:C3:F0:42:DE:18:B9:45:55:6E:F9:93:CF:EA:C3:F3:A5:21
+
+            X509v3 CRL Number: 
+                8192
+No Revoked Certificates.
+    Signature Algorithm: ecdsa-with-SHA256
+         30:45:02:20:51:84:45:49:4b:69:3a:e0:84:d2:9c:e4:62:c9:
+         4c:30:83:ba:3e:5a:f6:ea:2c:54:50:17:26:4d:fc:82:5f:d2:
+         02:21:00:e5:6b:a6:1c:e3:83:07:cd:59:04:66:00:a0:76:77:
+         11:d8:82:76:fd:a9:2d:cc:3a:db:3a:0f:b5:1a:a6:f3:a8
+-----BEGIN X509 CRL-----
+MIIBUjCB+QIBATAKBggqhkjOPQQDAjCBlzELMAkGA1UEBhMCVVMxEzARBgNVBAgM
+Cldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoMB3dvbGZTU0wx
+FDASBgNVBAsMC0RldmVsb3BtZW50MRgwFgYDVQQDDA93d3cud29sZnNzbC5jb20x
+HzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20XDTE3MTAyMDE4MTkwOFoX
+DTIwMDcxNjE4MTkwOFqgMDAuMB8GA1UdIwQYMBaAFFaOmsPwQt4YuUVVbvmTz+rD
+86UhMAsGA1UdFAQEAgIgADAKBggqhkjOPQQDAgNIADBFAiBRhEVJS2k64ITSnORi
+yUwwg7o+WvbqLFRQFyZN/IJf0gIhAOVrphzjgwfNWQRmAKB2dxHYgnb9qS3MOts6
+D7UapvOo
+-----END X509 CRL-----

certs/crl/gencrls.sh

@@ -55,6 +55,28 @@ mv tmp crl.revoked
 # remove revoked so next time through the normal CA won't have server revoked
 cp blank.index.txt demoCA/index.txt
 
+# caEccCrl
+openssl ca -config ../renewcerts/wolfssl.cnf -revoke ../server-revoked-cert.pem -keyfile ../ca-ecc-key.pem -cert ../ca-ecc-cert.pem
+
+openssl ca -config ../renewcerts/wolfssl.cnf -gencrl -crldays 1000 -out caEccCrl.pem -keyfile ../ca-ecc-key.pem -cert ../ca-ecc-cert.pem
+
+# metadata
+openssl crl -in caEccCrl.pem -text > tmp
+mv tmp caEccCrl.pem
+# install (only needed if working outside wolfssl)
+#cp caEccCrl.pem ~/wolfssl/certs/crl/caEccCrl.pem
+
+# caEcc384Crl
+openssl ca -config ../renewcerts/wolfssl.cnf -revoke ../server-revoked-cert.pem -keyfile ../ca-ecc384-key.pem -cert ../ca-ecc384-cert.pem
+
+openssl ca -config ../renewcerts/wolfssl.cnf -gencrl -crldays 1000 -out caEcc384Crl.pem -keyfile ../ca-ecc384-key.pem -cert ../ca-ecc384-cert.pem
+
+# metadata
+openssl crl -in caEcc384Crl.pem -text > tmp
+mv tmp caEcc384Crl.pem
+# install (only needed if working outside wolfssl)
+#cp caEcc384Crl.pem ~/wolfssl/certs/crl/caEcc384Crl.pem
+
 # cliCrl
 openssl ca -config ../renewcerts/wolfssl.cnf -gencrl -crldays 1000 -out cliCrl.pem -keyfile ../client-key.pem -cert ../client-cert.pem
 

certs/crl/include.am

@@ -7,9 +7,9 @@ EXTRA_DIST += \
 	     certs/crl/cliCrl.pem \
 	     certs/crl/eccSrvCRL.pem \
 	     certs/crl/eccCliCRL.pem \
-	     certs/crl/crl2.pem
+	     certs/crl/crl2.pem \
+	     certs/crl/caEccCrl.pem \
+	     certs/crl/caEcc384Crl.pem
 
 EXTRA_DIST += \
 	     certs/crl/crl.revoked
-
-

certs/ecc/genecc.sh

@@ -0,0 +1,51 @@
+#!/bin/bash
+
+# run from wolfssl root
+
+rm ./certs/ecc/*.old
+rm ./certs/ecc/index.txt*
+rm ./certs/ecc/serial
+rm ./certs/ecc/crlnumber
+
+touch ./certs/ecc/index.txt
+echo 1000 > ./certs/ecc/serial
+echo 2000 > ./certs/ecc/crlnumber
+
+# generate ECC 256-bit CA
+openssl ecparam -out ./certs/ca-ecc-key.par -name prime256v1
+openssl req -config ./certs/ecc/wolfssl.cnf -extensions v3_ca -x509 -nodes -newkey ec:./certs/ca-ecc-key.par -keyout ./certs/ca-ecc-key.pem -out ./certs/ca-ecc-cert.pem -sha256 -days 7300 -batch -subj "/C=US/ST=Washington/L=Seattle/O=wolfSSL/OU=Development/CN=www.wolfssl.com/[email protected]"
+
+openssl x509 -in ./certs/ca-ecc-cert.pem -inform PEM -out ./certs/ca-ecc-cert.der -outform DER
+openssl ec -in ./certs/ca-ecc-key.pem -inform PEM -out ./certs/ca-ecc-key.der -outform DER
+
+rm ./certs/ca-ecc-key.par
+
+# generate ECC 384-bit CA
+openssl ecparam -out ./certs/ca-ecc384-key.par -name secp384r1
+openssl req -config ./certs/ecc/wolfssl.cnf -extensions v3_ca -x509 -nodes -newkey ec:./certs/ca-ecc384-key.par -keyout ./certs/ca-ecc384-key.pem -out ./certs/ca-ecc384-cert.pem -sha384 -days 7300 -batch -subj "/C=US/ST=Washington/L=Seattle/O=wolfSSL/OU=Development/CN=www.wolfssl.com/[email protected]"
+
+openssl x509 -in ./certs/ca-ecc384-cert.pem -inform PEM -out ./certs/ca-ecc384-cert.der -outform DER
+openssl ec -in ./certs/ca-ecc384-key.pem -inform PEM -out ./certs/ca-ecc384-key.der -outform DER
+
+rm ./certs/ca-ecc384-key.par
+
+
+# Generate ECC 256-bit server cert
+openssl req -config ./certs/ecc/wolfssl.cnf -sha256 -new -key ./certs/ecc-key.pem -out ./certs/server-ecc-req.pem -subj "/C=US/ST=Washington/L=Seattle/O=Eliptic/OU=ECC/CN=www.wolfssl.com/[email protected]/"
+openssl x509 -req -in ./certs/server-ecc-req.pem -CA ./certs/ca-ecc-cert.pem -CAkey ./certs/ca-ecc-key.pem -CAcreateserial -out ./certs/server-ecc.pem -sha256
+
+# Sign server certificate
+openssl ca -config ./certs/ecc/wolfssl.cnf -extensions server_cert -days 3650 -notext -md sha256 -in ./certs/server-ecc-req.pem -out ./certs/server-ecc.pem
+openssl x509 -in ./certs/server-ecc.pem -outform der -out ./certs/server-ecc.der
+
+rm ./certs/server-ecc-req.pem 
+
+# Gen CRL
+openssl ca -config ./certs/ecc/wolfssl.cnf -gencrl -crldays 1000 -out ./certs/crl/caEccCrl.pem -keyfile ./certs/ca-ecc-key.pem -cert ./certs/ca-ecc-cert.pem
+openssl ca -config ./certs/ecc/wolfssl.cnf -gencrl -crldays 1000 -out ./certs/crl/caEcc384Crl.pem -keyfile ./certs/ca-ecc384-key.pem -cert ./certs/ca-ecc384-cert.pem
+
+# Also manually need to:
+# 1. Copy ./certs/server-ecc.der into ./certs/test/server-cert-ecc-badsig.der `cp ./certs/server-ecc.der ./certs/test/server-cert-ecc-badsig.der`
+# 2. Modify last byte so its invalidates signature in ./certs/test/server-cert-ecc-badsig.der
+# 3. Covert bad cert to pem `openssl x509 -inform der -in ./certs/test/server-cert-ecc-badsig.der -outform pem -out ./certs/test/server-cert-ecc-badsig.pem`
+# 4. Update AKID's for CA's in test.c certext_test() function akid_ecc.

certs/ecc/include.am

@@ -0,0 +1,8 @@
+# vim:ft=automake
+# All paths should be given relative to the root
+#
+
+EXTRA_DIST += \
+	     certs/ecc/genecc.sh \
+	     certs/ecc/wolfssl.cnf
+