cert extension test for 53229: certutil should not use gets(). julien:review+

security/nss/tests/cert/cert.sh

@@ -651,8 +651,79 @@ MODSCRIPT
   fi
 }
 
+############################## cert_extensions ###############################
+# local shell function to test cert extensions generation.
+##############################################################################
 
-############################## cert_stresscerts ################################
+checkRes()
+{
+    res=$1
+    filterList=$2
+    
+    [ $res -ne 0 ] && return 1
+
+    for fl in `echo $filterList | tr \| ' '`; do
+        fl="`echo $fl | tr _ ' '`"
+        expStat=0
+        if [ X`echo "$fl" | cut -c 1` = 'X!' ]; then
+            expStat=1
+            fl=`echo $fl | tr -d '!'`
+        fi
+        certutil -d ${CERT_EXTENSIONS_DIR} -L -n $CERTNAME | grep "$fl" >/dev/null 2>&1
+        [ $? -ne $expStat ] && return 1
+    done
+    return 0
+}
+
+
+cert_extensions()
+{
+
+    CERTNAME=TestExt
+    cert_create_cert ${CERT_EXTENSIONS_DIR} $CERTNAME 90 ${D_CERT_EXTENSTIONS}
+    TARG_FILE=${CERT_EXTENSIONS_DIR}/test.args
+
+    CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
+
+    count=0
+    while read arg opt filterList; do
+        if [ "`echo $arg | cut -c 1`" = "#" ]; then
+            continue
+        fi
+        if [ "`echo $arg | cut -c 1`" = "!" ]; then
+            testName="$filterList"
+            continue
+        fi
+        if [ "$arg" = "=" ]; then
+            count=`expr $count + 1`
+            echo "#################################################"
+            CU_ACTION="Testing $testName"
+            certutil -d ${CERT_EXTENSIONS_DIR} -D -n $CERTNAME
+            echo certutil -d ${CERT_EXTENSIONS_DIR} -S -n $CERTNAME -t "u,u,u" \
+                -s "${CU_SUBJECT}" -x -f ${R_PWFILE} -z "${R_NOISE_FILE}" -$opt < $TARG_FILE
+            certutil -d ${CERT_EXTENSIONS_DIR} -S -n $CERTNAME -t "u,u,u" -o /tmp/cert \
+                -s "${CU_SUBJECT}" -x -f ${R_PWFILE} -z "${R_NOISE_FILE}" -$opt < $TARG_FILE
+            ret=$?  
+            echo "certutil options:"
+            cat $TARG_FILE
+            checkRes $ret "$filterList"
+            RET=$?
+            if [ "$RET" -ne 0 ]; then
+                CERTFAILED=$RET
+                html_failed "<TR><TD>${CU_ACTION} ($RET) " 
+                cert_log "ERROR: ${CU_ACTION} failed $RET"
+            else
+                html_passed "<TR><TD>${CU_ACTION}"
+            fi
+            rm -f $TARG_FILE
+        else
+            echo $arg >> $TARG_FILE
+        fi
+    done < ${QADIR}/cert/certext.txt
+}
+
+
+############################## cert_crl_ssl ############################
 # local shell function to generate certs and crls for SSL tests
 ########################################################################
 cert_crl_ssl()
@@ -796,6 +867,7 @@ cert_extended_ssl
 cert_ssl 
 cert_smime_client        
 cert_fips
+cert_extensions
 cert_crl_ssl
 if [ -n "$DO_DIST_ST" -a "$DO_DIST_ST" = "TRUE" ] ; then
     cert_stresscerts 

security/nss/tests/cert/certext.txt

@@ -0,0 +1,132 @@
+# File syntax:
+# '#' comments.
+# If the line starts from '!'('! TEST_N Test Name String'),
+# then  'Test Name String' will be the name of a test(starting
+# from second space till the rest of the line).
+# All uncommented lines are hard codded answers to certutil
+# extension questions.
+# Line '= N string1|string2|string3': '=' is a stop sign
+# of certutil inputs and start of the test. 'N' is the number
+# of extension that will be tested. 'string1|string2|string3'
+# are grep patterns for test result verification. '_' in stringN
+# will be replaced to a space.
+# ################################################################
+! TEST_1 Certificate Key Usage Extension
+0
+1
+2
+3
+4
+5
+6
+10
+n
+= 1 Certificate_Key_Usage|Digital_Signature|Non-Repudiation|Key_Encipherment|Data_Encipherment|Key_Agreement|Certificate_Signing|CRL_Signing
+# ################################################################
+! TEST_2 Certificate Key Usage Extension
+0
+1
+2
+3
+4
+5
+6
+10
+y
+= 1 Certificate_Key_Usage|Digital_Signature|Critical:_True
+# ################################################################
+! TEST_3 Certificate Basic Constraints Extension
+y
+-1
+n
+= 2 Name:_Certificate_Basic_Constraints|Data:_Is_a_CA_with_no_maximum
+# ################################################################
+! TEST_4 Certificate Basic Constraints Extension
+n
+-1
+y
+= 2 Name:_Certificate_Basic_Constraints|Data:_Is_not_a_CA|Critical:_True
+# ################################################################
+! TEST_5 Certificate Authority Key Identifier Extension
+y
+12341235123
+
+
+y
+= 3 Name:_Certificate_Authority_Key_Identifier|Critical:_True|Key_ID:|12341235123
+# ################################################################
+! TEST_6 Certificate Authority Key Identifier Extension
+y
+
+3
+test.com
+
+214123
+y
+= 3 Name:_Certificate_Authority_Key_Identifier|Critical:_True|Issuer:|DNS_name:_"test.com"|Serial_Number:|214123
+# ################################################################
+! TEST_7 CRL Distribution Points Extension
+1
+1
+InstanceOfOtherName
+2
+rfc822Name
+3
+test.com
+4
+test@test.com
+6
+ediPArtyName
+8
+ipAddress
+9
+123451235
+10
+0
+10
+n
+n
+= 4 Name:_CRL_Distribution_Points|InstanceOfOtherName|rfc822Name|test.com|test@test.com|ediPArtyName
+# #################################################################
+! TEST_8 CRL Distribution Points Extension
+2
+SN=asdfsdf
+4
+3
+test.com
+10
+n
+n
+= 4 Name:_CRL_Distribution_Points|X520_Title|"asdfsdf"|Reasons:|DNS_name:_"test.com"
+# ################################################################
+! TEST_9 Certificate Type Extension
+0
+1
+2
+10
+n
+= 5 Name:_Certificate_Type|Data:_<SSL_Client,SSL_Server,S/MIME>
+# ################################################################
+! TEST_10 Extended Key Usage Extension
+0
+1
+2
+3
+4
+5
+6
+10
+y
+= 6 Name:_Extended_Key_Usage|Critical:_True|TLS_Web_Server_Authentication_Certificate|TLS_Web_Client_Authentication_Certificate|Code_Signing_Certificate|E-Mail_Protection_Certificate|Time_Stamping_Certifcate|OCSP_Responder_Certificate|Strong_Crypto_Export_Approved
+# ################################################################
+! TEST_11 Certificate Key Usage Extension
+
+1
+2
+3
+4
+5
+6
+10
+n
+= 1 Certificate_Key_Usage|!Digital_Signature|Non-Repudiation|Key_Encipherment|Data_Encipherment|Key_Agreement|Certificate_Signing|CRL_Signing

security/nss/tests/common/init.sh

@@ -360,6 +360,8 @@ if [ -z "${INIT_SOURCED}" -o "${INIT_SOURCED}" != "TRUE" ]; then
     EXT_SERVERDIR=${HOSTDIR}/ext_server
     EXT_CLIENTDIR=${HOSTDIR}/ext_client
 
+    CERT_EXTENSIONS_DIR=${HOSTDIR}/cert_extensions
+
     PWFILE=${TMP}/tests.pw.$$
     NOISE_FILE=${TMP}/tests_noise.$$
 
@@ -381,6 +383,7 @@ if [ -z "${INIT_SOURCED}" -o "${INIT_SOURCED}" != "TRUE" ]; then
     D_FIPS="FIPS.$version"
     D_EXT_SERVER="ExtendedServer.$version"
     D_EXT_CLIENT="ExtendedClient.$version"
+    D_CERT_EXTENSTIONS="CertExtensions.$version"
 
     # we need relative pathnames of these files abd directories, since our 
     # tools can't handle the unix style absolut pathnames on cygnus
@@ -394,6 +397,7 @@ if [ -z "${INIT_SOURCED}" -o "${INIT_SOURCED}" != "TRUE" ]; then
     R_EVEDIR=../eve
     R_EXT_SERVERDIR=../ext_server
     R_EXT_CLIENTDIR=../ext_client
+    R_CERT_EXT=../cert_extensions
 
     #
     # profiles are either paths or domains depending on the setting of