diff options
Diffstat (limited to 'lib/public_key/test/pkits_SUITE.erl')
-rw-r--r-- | lib/public_key/test/pkits_SUITE.erl | 623 |
1 files changed, 504 insertions, 119 deletions
diff --git a/lib/public_key/test/pkits_SUITE.erl b/lib/public_key/test/pkits_SUITE.erl index e59f299399..31725a09be 100644 --- a/lib/public_key/test/pkits_SUITE.erl +++ b/lib/public_key/test/pkits_SUITE.erl @@ -1,7 +1,7 @@ %% %% %CopyrightBegin% %% -%% Copyright Ericsson AB 2008-2011. All Rights Reserved. +%% Copyright Ericsson AB 2008-2012. All Rights Reserved. %% %% The contents of this file are subject to the Erlang Public License, %% Version 1.1, (the "License"); you may not use this file except in @@ -33,6 +33,7 @@ -define(CERTS, "pkits/certs"). -define(MIME, "pkits/smime"). -define(CONV, "pkits/smime-pem"). +-define(CRL, "pkits/crls"). -define(NIST1, "2.16.840.1.101.3.2.1.48.1"). -define(NIST2, "2.16.840.1.101.3.2.1.48.2"). @@ -42,8 +43,8 @@ -define(NIST6, "2.16.840.1.101.3.2.1.48.6"). -record(verify_state, { - certs_db, - crl_info, + crls, + crl_paths, revoke_state}). %% suite() -> @@ -54,9 +55,9 @@ all() -> {group, validity_periods}, {group, verifying_name_chaining}, {group, verifying_paths_with_self_issued_certificates}, - %%{group, basic_certificate_revocation_tests}, - %%{group, delta_crls}, - %%{group, distribution_points}, + {group, basic_certificate_revocation_tests}, + {group, delta_crls}, + {group, distribution_points}, {group, verifying_basic_constraints}, {group, key_usage}, {group, name_constraints}, @@ -72,20 +73,22 @@ groups() -> [invalid_name_chain, whitespace_name_chain, capitalization_name_chain, uid_name_chain, attrib_name_chain, string_name_chain]}, {verifying_paths_with_self_issued_certificates, [], - [basic_valid, %%basic_invalid, - crl_signing_valid, crl_signing_invalid]}, - %% {basic_certificate_revocation_tests, [], - %% [missing_CRL, revoked_CA, revoked_peer, invalid_CRL_signature, - %% invalid_CRL_issuer, invalid_CRL, valid_CRL, - %% unknown_CRL_extension, old_CRL, fresh_CRL, valid_serial, - %% invalid_serial, valid_seperate_keys, invalid_separate_keys]}, - %% {delta_crls, [], [delta_without_crl, valid_delta_crls, invalid_delta_crls]}, - %% {distribution_points, [], [valid_distribution_points, - %% valid_distribution_points_no_issuing_distribution_point, - %% invalid_distribution_points, valid_only_contains, - %% invalid_only_contains, valid_only_some_reasons, - %% invalid_only_some_reasons, valid_indirect_crl, - %% invalid_indirect_crl, valid_crl_issuer, invalid_crl_issuer]}, + [basic_valid, basic_invalid, crl_signing_valid, crl_signing_invalid]}, + {basic_certificate_revocation_tests, [], + [missing_CRL, + revoked_CA, + revoked_peer, + invalid_CRL_signature, + invalid_CRL_issuer, invalid_CRL, valid_CRL, + unknown_CRL_extension, old_CRL, fresh_CRL, valid_serial, + invalid_serial, valid_seperate_keys, invalid_separate_keys]}, + {delta_crls, [], [delta_without_crl, valid_delta_crls, invalid_delta_crls]}, + {distribution_points, [], [valid_distribution_points, + valid_distribution_points_no_issuing_distribution_point, + invalid_distribution_points, valid_only_contains, + invalid_only_contains, valid_only_some_reasons, + invalid_only_some_reasons, valid_indirect_crl, + invalid_indirect_crl, valid_crl_issuer, invalid_crl_issuer]}, {verifying_basic_constraints,[], [missing_basic_constraints, valid_basic_constraint, invalid_path_constraints, valid_path_constraints]}, @@ -118,10 +121,10 @@ end_per_testcase(_Func, Config) -> init_per_suite(Config) -> try crypto:start() of - ok -> - crypto_support_check(Config) + ok -> + Config catch _:_ -> - {skip, "Crypto did not start"} + {skip, "Crypto did not start"} end. end_per_suite(_Config) -> @@ -272,8 +275,8 @@ crl_signing_invalid(doc) -> crl_signing_invalid(suite) -> []; crl_signing_invalid(Config) when is_list(Config) -> - run([%% { "4.5.7", "Invalid Basic Self-Issued CRL Signing Key Test7 EE", - %% {bad_cert, {revoked, keyCompromise}}}, + run([{ "4.5.7", "Invalid Basic Self-Issued CRL Signing Key Test7 EE", + {bad_cert, {revoked, keyCompromise}}}, { "4.5.8", "Invalid Basic Self-Issued CRL Signing Key Test8 EE", {bad_cert, invalid_key_usage}} ]). @@ -284,7 +287,7 @@ missing_CRL(doc) -> missing_CRL(suite) -> []; missing_CRL(Config) when is_list(Config) -> - run([{ "4.4.1", "Missing CRL Test1 EE",{bad_cert, + run([{ "4.4.1", "Invalid Missing CRL Test1 EE",{bad_cert, revocation_status_undetermined}}]). revoked_CA(doc) -> @@ -300,8 +303,8 @@ revoked_peer(doc) -> revoked_peer(suite) -> []; revoked_peer(Config) when is_list(Config) -> - run([{ "4.4.3", "Invalid Revoked EE Test3 EE", {bad_cert, - {revoked, keyCompromise}}}]). + run([{ "4.4.3", "Invalid Revoked EE Test3 EE", + {bad_cert, {revoked, keyCompromise}}}]). invalid_CRL_signature(doc) -> [""]; @@ -309,8 +312,7 @@ invalid_CRL_signature(suite) -> []; invalid_CRL_signature(Config) when is_list(Config) -> run([{ "4.4.4", "Invalid Bad CRL Signature Test4 EE", - {bad_cert, revocation_status_undetermined}}]). - + {bad_cert, revocation_status_undetermined}}]). invalid_CRL_issuer(doc) -> [""]; invalid_CRL_issuer(suite) -> @@ -396,9 +398,9 @@ invalid_separate_keys(doc) -> invalid_separate_keys(suite) -> []; invalid_separate_keys(Config) when is_list(Config) -> - run([{ "4.4.20", "Invalid Separate Certificate and CRL Keys Test20", + run([{ "4.4.20", "Invalid Separate Certificate and CRL Keys Test20 EE", {bad_cert, {revoked, keyCompromise}}}, - { "4.4.21", "Invalid Separate Certificate and CRL Keys Test21", + { "4.4.21", "Invalid Separate Certificate and CRL Keys Test21 EE", {bad_cert, revocation_status_undetermined}} ]). %%----------------------------------------------------------------------------- @@ -456,11 +458,11 @@ invalid_key_usage(Config) when is_list(Config) -> run([{ "4.7.1", "Invalid keyUsage Critical keyCertSign False Test1 EE", {bad_cert,invalid_key_usage} }, { "4.7.2", "Invalid keyUsage Not Critical keyCertSign False Test2 EE", - {bad_cert,invalid_key_usage}} - %% { "4.7.4", "Invalid keyUsage Critical cRLSign False Test4 EE", - %% {bad_cert, revocation_status_undetermined}}, - %% { "4.7.5", "Invalid keyUsage Not Critical cRLSign False Test5 EE", - %% {bad_cert, revocation_status_undetermined}} + {bad_cert,invalid_key_usage}}, + { "4.7.4", "Invalid keyUsage Critical cRLSign False Test4 EE", + {bad_cert, invalid_key_usage}}, + { "4.7.5", "Invalid keyUsage Not Critical cRLSign False Test5 EE", + {bad_cert, invalid_key_usage}} ]). valid_key_usage(doc) -> @@ -652,7 +654,7 @@ valid_distribution_points_no_issuing_distribution_point(doc) -> valid_distribution_points_no_issuing_distribution_point(suite) -> []; valid_distribution_points_no_issuing_distribution_point(Config) when is_list(Config) -> - run([{ "4.14.10", "Valid No issuingDistributionPoint Test10", ok} + run([{ "4.14.10", "Valid No issuingDistributionPoint Test10 EE", ok} ]). invalid_distribution_points(doc) -> @@ -675,17 +677,16 @@ valid_only_contains(doc) -> valid_only_contains(suite) -> []; valid_only_contains(Config) when is_list(Config) -> - run([{ "4.14.13", "Valid onlyContainsCACerts CRL Test13 EE", ok}]). - + run([{ "4.14.13", "Valid only Contains CA Certs Test13 EE", ok}]). invalid_only_contains(doc) -> [""]; invalid_only_contains(suite) -> []; invalid_only_contains(Config) when is_list(Config) -> - run([{ "4.14.11", "Invalid onlyContainsUserCerts CRL Test11 EE", + run([{ "4.14.11", "Invalid onlyContainsUserCerts Test11 EE", {bad_cert, revocation_status_undetermined}}, - { "4.14.12", "Invalid onlyContainsCACerts CRL Test12 EE", + { "4.14.12", "Invalid onlyContainsCACerts Test12 EE", {bad_cert, revocation_status_undetermined}}, { "4.14.14", "Invalid onlyContainsAttributeCerts Test14 EE", {bad_cert, revocation_status_undetermined}} @@ -743,9 +744,9 @@ valid_crl_issuer(doc) -> valid_crl_issuer(suite) -> []; valid_crl_issuer(Config) when is_list(Config) -> - run([{ "4.14.28", "Valid cRLIssuer Test28 EE", ok}%%, - %%{ "4.14.29", "Valid cRLIssuer Test29 EE", ok}, - %%{ "4.14.33", "Valid cRLIssuer Test33 EE", ok} + run([{ "4.14.28", "Valid cRLIssuer Test28 EE", ok}, + { "4.14.29", "Valid cRLIssuer Test29 EE", ok}, + { "4.14.33", "Valid cRLIssuer Test33 EE", ok} ]). invalid_crl_issuer(doc) -> @@ -825,7 +826,7 @@ run([],_) -> ok. path_validation_options(TA, Chap, Test) -> case needs_crl_options(Chap) of true -> - crl_options(TA, Test); + crl_options(TA, Chap, Test); false -> Fun = fun(_,{bad_cert, _} = Reason, _) -> @@ -854,54 +855,262 @@ needs_crl_options("4.15" ++ _) -> needs_crl_options(_) -> false. -crl_options(TA, Test) -> - case read_crls(Test) of - [] -> - []; - CRLs -> - Fun = - fun(_,{bad_cert, _} = Reason, _) -> - {fail, Reason}; - (_,{extension, - #'Extension'{extnID = ?'id-ce-cRLDistributionPoints', - extnValue = Value}}, UserState0) -> - UserState = update_crls(Value, UserState0), +crl_options(_TA, Chap, _Test) -> + CRLNames = crl_names(Chap), + CRLs = crls(CRLNames), + Paths = lists:map(fun(CRLName) -> crl_path(CRLName) end, CRLNames), + + test_server:format("Paths ~p ~n Names ~p ~n", [Paths, CRLNames]), + Fun = + fun(_,{bad_cert, _} = Reason, _) -> + {fail, Reason}; + (_,{extension, + #'Extension'{extnID = ?'id-ce-cRLDistributionPoints', + extnValue = Value}}, UserState0) -> + UserState = update_crls(Value, UserState0), + {valid, UserState}; + (_,{extension, _}, UserState) -> + {unknown, UserState}; + (OtpCert, Valid, UserState) when Valid == valid; + Valid == valid_peer -> + DerCRLs = UserState#verify_state.crls, + Paths = UserState#verify_state.crl_paths, + Crls = [{DerCRL, public_key:der_decode('CertificateList', + DerCRL)} || DerCRL <- DerCRLs], + + test_server:format("START ~n", []), + CRLInfo0 = crl_info(OtpCert, Crls, []), + test_server:format("END ~n", []), + CRLInfo = lists:reverse(CRLInfo0), + PathDb = crl_path_db(lists:reverse(Crls), Paths, []), + + test_server:format("Pathdb: ~p~n", [PathDb]), + test_server:format("CRL INFO: ~p~n", [CRLInfo]), + + Fun = fun(DP, CRLtoValidate, Id, PathDb0) -> + trusted_cert_and_path(DP, CRLtoValidate, Id, PathDb0) + end, + + case CRLInfo of + [] -> {valid, UserState}; - (_,{extension, _}, UserState) -> - {unknown, UserState}; - (OtpCert, Valid, UserState) when Valid == valid; - Valid == valid_peer -> - {ErlCerts, CRLs} = UserState#verify_state.crl_info, - CRLInfo0 = - crl_info(OtpCert, - ErlCerts,[{DerCRL, public_key:der_decode('CertificateList', - DerCRL)} || DerCRL <- CRLs], - []), - CRLInfo = lists:reverse(CRLInfo0), - Certs = UserState#verify_state.certs_db, - Fun = fun(DP, CRLtoValidate, Id, CertsDb) -> - trusted_cert_and_path(DP, CRLtoValidate, Id, CertsDb) - end, - Ignore = ignore_sign_test_when_building_path(Test), + [_|_] -> case public_key:pkix_crls_validate(OtpCert, CRLInfo, - [{issuer_fun,{Fun, {Ignore, Certs}}}]) of + [{issuer_fun,{Fun, PathDb}}]) of valid -> {valid, UserState}; Reason -> {fail, Reason} end - end, + end + end, - Certs = read_certs(Test), - ErlCerts = [public_key:pkix_decode_cert(Cert, otp) || Cert <- Certs], + [{verify_fun, {Fun, #verify_state{crls = CRLs, + crl_paths = Paths}}}]. - [{verify_fun, {Fun, #verify_state{certs_db = [TA| Certs], - crl_info = {ErlCerts, CRLs}}}}] - end. +crl_path_db([], [], Acc) -> + Acc; +crl_path_db([{_, CRL} |CRLs], [Path | Paths], Acc) -> + CertPath = lists:flatten(lists:map(fun([]) -> + []; + (CertFile) -> + test_server:format("Certfile ~p", [CertFile]), + read_certs(CertFile) + end, Path)), + crl_path_db(CRLs, Paths, [{CRL, CertPath}| Acc]). + +crl_names("4.4.1") -> + ["Trust Anchor Root CRL"]; +crl_names("4.4.2") -> + ["Trust Anchor Root CRL", "Good CA CRL", "Revoked subCA CRL"]; +crl_names("4.4.3") -> + ["Trust Anchor Root CRL", "Good CA CRL", "Revoked subCA CRL"]; +crl_names("4.4.4") -> + ["Trust Anchor Root CRL", "Bad CRL Signature CA CRL"]; +crl_names("4.4.5") -> + ["Trust Anchor Root CRL", "Bad CRL Issuer Name CA CRL"]; +crl_names("4.4.6") -> + ["Trust Anchor Root CRL", "Wrong CRL CA CRL"]; +crl_names("4.4.7") -> + ["Trust Anchor Root CRL", "Two CRLs CA Good CRL", "Two CRLs CA Bad CRL"]; +crl_names("4.4.8") -> + ["Trust Anchor Root CRL", "Unknown CRL Entry Extension CA CRL"]; +crl_names(Chap) when Chap == "4.4.9"; + Chap == "4.4.10"-> + ["Trust Anchor Root CRL", "Unknown CRL Extension CA CRL"]; +crl_names("4.4.11") -> + ["Trust Anchor Root CRL", "Old CRL nextUpdate CA CRL"]; +crl_names("4.4.12") -> + ["Trust Anchor Root CRL", "pre2000 CRL nextUpdate CA CRL"]; +crl_names("4.4.13") -> + ["Trust Anchor Root CRL", "GeneralizedTime CRL nextUpdate CA CRL"]; +crl_names(Chap) when Chap == "4.4.14"; + Chap == "4.4.15"-> + ["Trust Anchor Root CRL", "Negative Serial Number CA CRL"]; +crl_names(Chap) when Chap == "4.4.16"; + Chap == "4.4.17"; + Chap == "4.4.18" -> + ["Trust Anchor Root CRL", "Long Serial Number CA CRL"]; +crl_names(Chap)when Chap == "4.4.19"; + Chap == "4.4.20" -> + ["Trust Anchor Root CRL", "Separate Certificate and CRL Keys CRL"]; +crl_names("4.4.21") -> + ["Trust Anchor Root CRL", "Separate Certificate and CRL Keys CA2 CRL"]; +crl_names(Chap) when Chap == "4.5.1"; + Chap == "4.5.2"-> + ["Trust Anchor Root CRL", "Basic Self-Issued New Key CA CRL"]; +crl_names(Chap) when Chap == "4.5.3"; + Chap == "4.5.4"; + Chap == "4.5.5" -> + ["Trust Anchor Root CRL", "Basic Self-Issued Old Key Self-Issued Cert CRL", + "Basic Self-Issued Old Key CA CRL"]; +crl_names(Chap) when Chap == "4.5.6"; + Chap == "4.5.7"; + Chap == "4.5.8" -> + ["Trust Anchor Root CRL", "Basic Self-Issued CRL Signing Key CRL Cert CRL", + "Basic Self-Issued CRL Signing Key CA CRL" + ]; +crl_names("4.7.4") -> + ["Trust Anchor Root CRL", "keyUsage Critical cRLSign False CA CRL"]; +crl_names("4.7.5") -> + ["Trust Anchor Root CRL", "keyUsage Not Critical cRLSign False CA CRL"]; +crl_names(Chap) when Chap == "4.14.1"; + Chap == "4.14.2"; + Chap == "4.14.3"; + Chap == "4.14.4" -> + ["Trust Anchor Root CRL", "distributionPoint1 CA CRL"]; +crl_names(Chap) when Chap == "4.14.5"; + Chap == "4.14.6"; + Chap == "4.14.7"; + Chap == "4.14.8"; + Chap == "4.14.9" -> + ["Trust Anchor Root CRL", "distributionPoint2 CA CRL"]; +crl_names("4.14.10") -> + ["Trust Anchor Root CRL", "No issuingDistributionPoint CA CRL"]; +crl_names("4.14.11") -> + ["Trust Anchor Root CRL", "onlyContainsUserCerts CA CRL"]; +crl_names(Chap) when Chap == "4.14.12"; + Chap == "4.14.13" -> + ["Trust Anchor Root CRL", "onlyContainsCACerts CA CRL"]; +crl_names("4.14.14") -> + ["Trust Anchor Root CRL", "onlyContainsAttributeCerts CA CRL"]; +crl_names(Chap) when Chap == "4.14.15"; + Chap == "4.14.16" -> + ["Trust Anchor Root CRL", "onlySomeReasons CA1 compromise CRL", + "onlySomeReasons CA1 other reasons CRL"]; +crl_names("4.14.17") -> + ["Trust Anchor Root CRL", + "onlySomeReasons CA2 CRL1", "onlySomeReasons CA2 CRL2"]; +crl_names("4.14.18") -> + ["Trust Anchor Root CRL", + "onlySomeReasons CA3 compromise CRL", "onlySomeReasons CA3 other reasons CRL"]; +crl_names(Chap) when Chap == "4.14.19"; + Chap == "4.14.20"; + Chap == "4.14.21" -> + ["Trust Anchor Root CRL", "onlySomeReasons CA4 compromise CRL", + "onlySomeReasons CA4 other reasons CRL"]; +crl_names(Chap) when Chap == "4.14.22"; + Chap == "4.14.23"; + Chap == "4.14.24"; + Chap == "4.14.25"; + Chap == "4.14.26" -> + ["Trust Anchor Root CRL", "indirectCRL CA1 CRL"]; +crl_names("4.14.27") -> + ["Trust Anchor Root CRL", "Good CA CRL"]; + +crl_names(Chap) when Chap == "4.14.28"; + Chap == "4.14.29" -> + ["Trust Anchor Root CRL", "indirectCRL CA3 CRL", "indirectCRL CA3 cRLIssuer CRL"]; +crl_names("4.14.30") -> + ["Trust Anchor Root CRL", "indirectCRL CA4 cRLIssuer CRL"]; +crl_names(Chap) when Chap == "4.14.31"; + Chap == "4.14.32"; + Chap == "4.14.33"; + Chap == "4.14.34"; + Chap == "4.14.35" -> + ["Trust Anchor Root CRL", "indirectCRL CA5 CRL"]; +crl_names("4.15.1") -> + ["Trust Anchor Root CRL", "deltaCRLIndicator No Base CA CRL"]; +crl_names(Chap) when Chap == "4.15.2"; + Chap == "4.15.3"; + Chap == "4.15.4"; + Chap == "4.15.5"; + Chap == "4.15.6"; + Chap == "4.15.7" -> + ["Trust Anchor Root CRL", "deltaCRL CA1 CRL", "deltaCRL CA1 deltaCRL"]; +crl_names(Chap) when Chap == "4.15.8"; + Chap == "4.15.9" -> + ["Trust Anchor Root CRL", "deltaCRL CA2 CRL", "deltaCRL CA2 deltaCRL"]; +crl_names("4.15.10") -> + ["Trust Anchor Root CRL", "deltaCRL CA3 CRL", "deltaCRL CA3 deltaCRL"]. + +crl_root_cert() -> + "Trust Anchor Root Certificate". + +crl_path("Trust Anchor Root CRL") -> + []; %% Signed directly by crl_root_cert +crl_path("Revoked subCA CRL") -> + ["Good CA Cert", "Revoked subCA Cert"]; +crl_path("indirectCRL CA3 cRLIssuer CRL") -> + ["indirectCRL CA3 Cert", "indirectCRL CA3 cRLIssuer Cert"]; +crl_path("Two CRLs CA Good CRL") -> + ["Two CRLs CA Cert"]; +crl_path("Two CRLs CA Bad CRL") -> + ["Two CRLs CA Cert"]; +crl_path("Separate Certificate and CRL Keys CRL") -> + ["Separate Certificate and CRL Keys CRL Signing Cert"]; +crl_path("Separate Certificate and CRL Keys CA2 CRL") -> + ["Separate Certificate and CRL Keys CA2 CRL Signing Cert"]; +crl_path("Basic Self-Issued Old Key Self-Issued Cert CRL") -> + ["Basic Self-Issued Old Key CA Cert"]; +crl_path("Basic Self-Issued Old Key CA CRL") -> + ["Basic Self-Issued Old Key CA Cert", "Basic Self-Issued Old Key NewWithOld CA Cert"]; + +crl_path("Basic Self-Issued CRL Signing Key CRL Cert CRL") -> + ["Basic Self-Issued CRL Signing Key CA Cert"]; +crl_path("Basic Self-Issued CRL Signing Key CA CRL") -> + ["Basic Self-Issued CRL Signing Key CA Cert", "Basic Self-Issued CRL Signing Key CRL Cert"]; + +crl_path("onlySomeReasons CA1 compromise CRL") -> + ["onlySomeReasons CA1 Cert"]; +crl_path("onlySomeReasons CA1 other reasons CRL") -> + ["onlySomeReasons CA1 Cert"]; +crl_path("onlySomeReasons CA3 other reasons CRL") -> + ["onlySomeReasons CA3 Cert"]; +crl_path("onlySomeReasons CA3 compromise CRL") -> + ["onlySomeReasons CA3 Cert"]; +crl_path("onlySomeReasons CA4 compromise CRL") -> + ["onlySomeReasons CA4 Cert"]; +crl_path("onlySomeReasons CA4 other reasons CRL") -> + ["onlySomeReasons CA4 Cert"]; +crl_path("Basic Self-Issued New Key CA CRL") -> + ["Basic Self-Issued New Key CA Cert"]; +crl_path("deltaCRL CA1 deltaCRL") -> + crl_path("deltaCRL CA2 CRL"); +crl_path("deltaCRL CA2 deltaCRL") -> + crl_path("deltaCRL CA2 CRL"); +crl_path("deltaCRL CA3 deltaCRL") -> + crl_path("deltaCRL CA3 CRL"); +crl_path(CRL) when CRL == "onlySomeReasons CA2 CRL1"; + CRL == "onlySomeReasons CA2 CRL2" -> + ["onlySomeReasons CA2 Cert"]; + +crl_path(CRL) -> + L = length(CRL), + Base = string:sub_string(CRL, 1, L -3), + [Base ++ "Cert"]. + +crls(CRLS) -> + lists:foldl(fun([], Acc) -> + Acc; + (CRLFile, Acc) -> + [CRL] = read_crls(CRLFile), + [CRL | Acc] + end, [], CRLS). -crl_info(_, _, [], Acc) -> +crl_info(_, [], Acc) -> Acc; -crl_info(OtpCert, Certs, [{_, #'CertificateList'{tbsCertList = +crl_info(OtpCert, [{_, #'CertificateList'{tbsCertList = #'TBSCertList'{issuer = Issuer, crlExtensions = CRLExtensions}}} = CRL | Rest], Acc) -> @@ -910,17 +1119,39 @@ crl_info(OtpCert, Certs, [{_, #'CertificateList'{tbsCertList = ExtList = pubkey_cert:extensions_list(CRLExtensions), DPs = case pubkey_cert:select_extension(?'id-ce-cRLDistributionPoints', Extensions) of #'Extension'{extnValue = Value} -> - lists:map(fun(Point) -> pubkey_cert_records:transform(Point, decode) end, Value); + TDPS = lists:foldl(fun(Point, Acc) -> + Dp = pubkey_cert_records:transform(Point, decode), + IDP = pubkey_cert:select_extension(?'id-ce-issuingDistributionPoint', Extensions), + case Dp#'DistributionPoint'.cRLIssuer of + asn1_NOVALUE -> + [Dp | Acc]; + DpCRLIssuer -> + CRLIssuer = dp_crlissuer_to_issuer(DpCRLIssuer), + CertIssuer = OtpTBSCert#'OTPTBSCertificate'.issuer, + case pubkey_cert:is_issuer(CRLIssuer, CertIssuer) of + true -> + [Dp | Acc]; + false when (IDP =/= undefined) -> + Acc; + false -> + [Dp | Acc] + end + end + end, [], Value), + test_server:format("DPs: ~p ~n", [TDPS]), + TDPS; _ -> - case same_issuer(OtpCert, Issuer) of - true -> - [make_dp(ExtList, asn1_NOVALUE, Issuer)]; + test_server:format("NO DP extension ~p ~n", [Extensions]), + case same_issuer(OtpCert, Issuer) of + true -> + [make_dp(ExtList, asn1_NOVALUE, Issuer)]; false -> - [make_dp(ExtList, Issuer, ignore)] - end + [make_dp(ExtList, Issuer, ignore)] + end end, DPsCRLs = lists:map(fun(DP) -> {DP, CRL} end, DPs), - crl_info(OtpCert, Certs, Rest, DPsCRLs ++ Acc). + crl_info(OtpCert, Rest, DPsCRLs ++ Acc). + ignore_sign_test_when_building_path("Invalid Bad CRL Signature Test4") -> true; @@ -952,21 +1183,36 @@ make_dp(Extensions, Issuer0, DpInfo) -> mk_issuer_dp(asn1_NOVALUE, Issuer) -> {asn1_NOVALUE, {fullName, [{directoryName, Issuer}]}}; mk_issuer_dp(Issuer, _) -> + io:format("Issuer ~p~n", [Issuer]), {[{directoryName, Issuer}], asn1_NOVALUE}. update_crls(_, State) -> State. -trusted_cert_and_path(DP, CRL, Id, {Ignore, CertsList}) -> - case crl_issuer(crl_issuer_name(DP), CRL, Id, CertsList, CertsList, Ignore) of - {ok, IssuerCert, DerIssuerCert} -> - Certs = [{public_key:pkix_decode_cert(Cert, otp), Cert} || Cert <- CertsList], - CertChain = build_chain(Certs, Certs, IssuerCert, Ignore, [DerIssuerCert]), - {ok, public_key:pkix_decode_cert(hd(CertChain), otp), CertChain}; - Other -> - Other +trusted_cert_and_path(_, #'CertificateList'{tbsCertList = + #'TBSCertList'{issuer = Issuer}} = CRL, _, PathDb) -> + [TrustedDERCert] = read_certs(crl_root_cert()), + TrustedCert = public_key:pkix_decode_cert(TrustedDERCert, otp), + + io:format("CRL~p ~n", [CRL]), + + case lists:keysearch(CRL, 1, PathDb) of + {_, {CRL, [ _| _] = Path}} -> + {ok, TrustedCert, [TrustedDERCert | Path]}; + {_, {CRL, []}} -> + {ok, TrustedCert, [TrustedDERCert]} end. +%% trusted_cert_and_path(DP, CRL, Id, {Ignore, CertsList}) -> +%% case crl_issuer(crl_issuer_name(DP), CRL, Id, CertsList, CertsList, Ignore) of +%% {ok, IssuerCert, DerIssuerCert} -> +%% Certs = [{public_key:pkix_decode_cert(Cert, otp), Cert} || Cert <- CertsList], +%% CertChain = build_chain(Certs, Certs, IssuerCert, Ignore, [DerIssuerCert]), +%% {ok, public_key:pkix_decode_cert(hd(CertChain), otp), CertChain}; +%% Other -> +%% Other +%% end. + crl_issuer_name(#'DistributionPoint'{cRLIssuer = asn1_NOVALUE}) -> undefined; crl_issuer_name(#'DistributionPoint'{cRLIssuer = [{directoryName, Issuer}]}) -> @@ -981,7 +1227,7 @@ build_chain([{First, DerFirst}|Certs], All, Cert, Ignore, Acc) -> Acc; false -> case public_key:pkix_is_issuer(Cert, First) - %%andalso check_extension_cert_signer(First) + andalso check_extension_cert_signer(First) andalso is_signer(First, Cert, Ignore) of true -> @@ -1068,8 +1314,8 @@ crl_issuer(IssuerName, CRL, Id, [Cert | Rest], All, false) -> ErlCert = public_key:pkix_decode_cert(Cert, otp), TBSCertificate = ErlCert#'OTPCertificate'.tbsCertificate, SerialNumber = TBSCertificate#'OTPTBSCertificate'.serialNumber, - %%Issuer = public_key:pkix_normalize_name( - %% TBSCertificate#'OTPTBSCertificate'.subject), + %Issuer = public_key:pkix_normalize_name( + % TBSCertificate#'OTPTBSCertificate'.subject), Bool = is_signer(ErlCert, CRL, false), case {SerialNumber, IssuerName} of Id when Bool == true -> @@ -1125,19 +1371,22 @@ crl_issuer(IssuerName, CRL, [Cert | Rest], Ignore) -> end. read_certs(Test) -> - File = test_file(Test), + File = cert_file(Test), Ders = erl_make_certs:pem_to_der(File), [Cert || {'Certificate', Cert, not_encrypted} <- Ders]. read_crls(Test) -> - File = test_file(Test), + File = crl_file(Test), Ders = erl_make_certs:pem_to_der(File), [CRL || {'CertificateList', CRL, not_encrypted} <- Ders]. -test_file(Test) -> - io:format("TEST: ~p~n", [Test]), +cert_file(Test) -> file(?CONV, lists:append(string:tokens(Test, " -")) ++ ".pem"). +crl_file(Test) -> + file(?CRL, lists:append(string:tokens(Test, " -")) ++ ".pem"). + + file(Sub,File) -> TestDir = case get(datadir) of undefined -> "./pkits_SUITE_data"; @@ -1242,17 +1491,15 @@ intermidiate_cas(Chap) when Chap == "4.6.2" -> intermidiate_cas(Chap) when Chap == "4.6.3" -> ["basicConstraints Not Critical cA False CA Cert"]; -intermidiate_cas(Chap) when Chap == "4.5.2"; - Chap == "4.5.5" -> - ["Basic Self-Issued New Key CA Cert"]; - -intermidiate_cas(Chap) when Chap == "4.5.1" -> +intermidiate_cas(Chap) when Chap == "4.5.1"; + Chap == "4.5.2" -> ["Basic Self-Issued New Key OldWithNew CA Cert", "Basic Self-Issued New Key CA Cert"]; intermidiate_cas(Chap) when Chap == "4.5.3" -> ["Basic Self-Issued Old Key NewWithOld CA Cert", "Basic Self-Issued Old Key CA Cert"]; -intermidiate_cas(Chap) when Chap == "4.5.4" -> +intermidiate_cas(Chap) when Chap == "4.5.4"; + Chap == "4.5.5" -> ["Basic Self-Issued Old Key CA Cert"]; intermidiate_cas(Chap) when Chap == "4.13.1"; @@ -1301,9 +1548,6 @@ intermidiate_cas(Chap) when Chap == "4.13.19" -> ["nameConstraints DN1 Self-Issued CA Cert", "nameConstraints DN1 CA Cert"]; -intermidiate_cas(Chap) when Chap == "4.5.6" -> - ["Basic Self-Issued CRL Signing Key CA Cert"]; - intermidiate_cas(Chap) when Chap == "4.7.1"; Chap == "4.7.4" -> ["keyUsage Critical keyCertSign False CA Cert"]; @@ -1387,11 +1631,147 @@ intermidiate_cas(Chap) when Chap == "4.6.16" -> "pathLenConstraint0 Self-Issued CA Cert", "pathLenConstraint0 CA Cert"]; -intermidiate_cas(Chap) when Chap == "4.5.7"; - Chap == "4.5.8" - -> - ["Basic Self-Issued CRL Signing Key CRL Cert", - "Basic Self-Issued CRL Signing Key CA Cert"]. +intermidiate_cas(Chap) when Chap == "4.4.1" -> + ["No CRL CA Cert"]; + +intermidiate_cas(Chap) when Chap == "4.4.2" -> + ["Revoked subCA Cert", "Good CA Cert"]; + +intermidiate_cas(Chap) when Chap == "4.4.3" -> + ["Good CA Cert"]; + +intermidiate_cas(Chap) when Chap == "4.4.4" -> + ["Bad CRL Signature CA Cert"]; + +intermidiate_cas(Chap) when Chap == "4.4.5" -> + ["Bad CRL Issuer Name CA Cert"]; + +intermidiate_cas(Chap) when Chap == "4.4.6" -> + ["Wrong CRL CA Cert"]; + +intermidiate_cas(Chap) when Chap == "4.4.7" -> + ["Two CRLs CA Cert"]; + +intermidiate_cas(Chap) when Chap == "4.4.8" -> + ["Unknown CRL Entry Extension CA Cert"]; + +intermidiate_cas(Chap) when Chap == "4.4.9"; + Chap == "4.4.10" -> + ["Unknown CRL Extension CA Cert"]; + +intermidiate_cas(Chap) when Chap == "4.4.11" -> + ["Old CRL nextUpdate CA Cert"]; + +intermidiate_cas(Chap) when Chap == "4.4.12" -> + ["pre2000 CRL nextUpdate CA Cert"]; + +intermidiate_cas(Chap) when Chap == "4.4.13" -> + ["GeneralizedTime CRL nextUpdate CA Cert"]; + +intermidiate_cas(Chap) when Chap == "4.4.14"; + Chap == "4.4.15" -> + ["Negative Serial Number CA Cert"]; + +intermidiate_cas(Chap) when Chap == "4.4.16"; + Chap == "4.4.17"; + Chap == "4.4.18" -> + ["Long Serial Number CA Cert"]; + +intermidiate_cas(Chap) when Chap == "4.4.19"; + Chap == "4.4.20" -> + ["Separate Certificate and CRL Keys Certificate Signing CA Cert"]; + +intermidiate_cas(Chap) when Chap == "4.4.21" -> + ["Separate Certificate and CRL Keys CA2 Certificate Signing CA Cert"]; + +intermidiate_cas(Chap) when Chap == "4.14.1"; + Chap == "4.14.2"; + Chap == "4.14.3"; + Chap == "4.14.4" -> + ["distributionPoint1 CA Cert"]; +intermidiate_cas(Chap) when Chap == "4.14.5"; + Chap == "4.14.6"; + Chap == "4.14.7"; + Chap == "4.14.8"; + Chap == "4.14.9" -> + ["distributionPoint2 CA Cert"]; + +intermidiate_cas(Chap) when Chap == "4.14.10" -> + ["No issuingDistributionPoint CA Cert"]; + +intermidiate_cas(Chap) when Chap == "4.14.11" -> + ["onlyContainsUserCerts CA Cert"]; + +intermidiate_cas(Chap) when Chap == "4.14.12"; + Chap == "4.14.13" -> + ["onlyContainsCACerts CA Cert"]; + +intermidiate_cas(Chap) when Chap == "4.14.14" -> + ["onlyContainsAttributeCerts CA Cert"]; + +intermidiate_cas(Chap) when Chap == "4.14.15"; + Chap == "4.14.16" -> + ["onlySomeReasons CA1 Cert"]; + +intermidiate_cas(Chap) when Chap == "4.14.17" -> + ["onlySomeReasons CA2 Cert"]; + +intermidiate_cas(Chap) when Chap == "4.14.18" -> + ["onlySomeReasons CA3 Cert"]; + +intermidiate_cas(Chap) when Chap == "4.14.19"; + Chap == "4.14.20"; + Chap == "4.14.21" -> + ["onlySomeReasons CA4 Cert"]; + +intermidiate_cas(Chap) when Chap == "4.14.22"; + Chap == "4.14.23" -> + ["indirectCRL CA1 Cert"]; + +intermidiate_cas(Chap) when Chap == "4.14.24"; + Chap == "4.14.25"; + Chap == "4.14.26" -> + ["indirectCRL CA2 Cert"]; +%%FOO +intermidiate_cas(Chap) when Chap == "4.14.27" -> + ["indirectCRL CA2 Cert"]; + +intermidiate_cas(Chap) when Chap == "4.14.28"; + Chap == "4.14.29" -> + ["indirectCRL CA3 Cert"]; + +intermidiate_cas(Chap) when Chap == "4.14.31"; + Chap == "4.14.32"; + Chap == "4.14.33" -> + ["indirectCRL CA6 Cert"]; + +intermidiate_cas(Chap) when Chap == "4.14.34"; + Chap == "4.14.35" -> + ["indirectCRL CA5 Cert"]; + +intermidiate_cas(Chap) when Chap == "4.15.1" -> + ["deltaCRLIndicator No Base CA Cert"]; + +intermidiate_cas(Chap) when Chap == "4.15.2"; + Chap == "4.15.3"; + Chap == "4.15.4"; + Chap == "4.15.5"; + Chap == "4.15.6"; + Chap == "4.15.7" -> + ["deltaCRL CA1 Cert"]; + +intermidiate_cas(Chap) when Chap == "4.15.8"; + Chap == "4.15.9" -> + ["deltaCRL CA2 Cert"]; + +intermidiate_cas(Chap) when Chap == "4.15.10" -> + ["deltaCRL CA3 Cert"]; + +intermidiate_cas(Chap) when Chap == "4.5.6"; + Chap == "4.5.7" -> + ["Basic Self-Issued CRL Signing Key CA Cert"]; +intermidiate_cas(Chap) when Chap == "4.5.8" -> + ["Basic Self-Issued CRL Signing Key CRL Cert"]. error(Format, Args, File0, Line) -> File = filename:basename(File0), @@ -1511,6 +1891,7 @@ inhibit_any_policy() -> {"4.12.10", "Invalid Self-Issued inhibitAnyPolicy Test10", 43 }]. crypto_support_check(Config) -> + crypto:start(), try crypto:sha256(<<"Test">>) of _ -> Config @@ -1518,3 +1899,7 @@ crypto_support_check(Config) -> crypto:stop(), {skip, "To old version of openssl"} end. + +dp_crlissuer_to_issuer(DPCRLIssuer) -> + [{directoryName, Issuer}] = pubkey_cert_records:transform(DPCRLIssuer, decode), + Issuer. |