[PATCH] also catch expired CAs
Ludwig Nussel
ludwig.nussel at suse.de
Thu Oct 23 08:56:17 EDT 2008
I have no idea how to fix this for the GnuTLS backend, though.
Signed-off-by: Ludwig Nussel <ludwig.nussel at suse.de>
---
src/ne_openssl.c | 6 +++++-
test/makekeys.sh | 38 ++++++++++++++++++++++++++------------
test/openssl.conf | 10 ++++++----
test/ssl.c | 14 ++++++++++++++
4 files changed, 51 insertions(+), 17 deletions(-)
diff --git a/src/ne_openssl.c b/src/ne_openssl.c
index 91ef671..598dd7a 100644
--- a/src/ne_openssl.c
+++ b/src/ne_openssl.c
@@ -411,9 +411,13 @@ static int check_certificate(ne_session *sess, SSL *ssl, ne_ssl_certificate *cha
/* TODO: and probably more result codes here... */
failures |= NE_SSL_UNTRUSTED;
break;
- /* ignore these, since we've already noticed them: */
+ /* do NOT simply ignore these, they're also reported for chained certs */
case X509_V_ERR_CERT_NOT_YET_VALID:
+ failures |= NE_SSL_NOTYETVALID;
+ break;
case X509_V_ERR_CERT_HAS_EXPIRED:
+ failures |= NE_SSL_EXPIRED;
+ break;
/* cert was trusted: */
case X509_V_OK:
break;
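Review bot: The two new `failures |=` lines record an issuer's expiry under the same NE_SSL_EXPIRED / NE_SSL_NOTYETVALID bits as the leaf certificate's, so a caller inspecting the bitmask cannot tell which certificate in the chain is outside its validity period. If that is intended, the replacement comment at the top of the block should say why the earlier leaf-certificate check (outside this hunk) does not cover issuers, e.g. `/* Set these here too: the verify result covers every cert in the chain, so an expired or not-yet-valid issuer would otherwise go unreported. */`. If this switch is on a single verify result code, presumably only one problem per chain can be flagged this way, which is worth noting for anyone extending the list. The enclosing check_certificate() starts before this hunk.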
diff --git a/test/makekeys.sh b/test/makekeys.sh
index 752225b..591cfdd 100755
--- a/test/makekeys.sh
+++ b/test/makekeys.sh
@@ -12,7 +12,8 @@ MKCERT="${REQ} -x509 -new -days 900"
REQDN=reqDN
STRMASK=default
-export REQDN STRMASK
+CADIR=./ca
+export REQDN STRMASK CADIR
asn1date() {
date -d "$1" "+%y%m%d%H%M%SZ"
@@ -22,17 +23,14 @@ openssl version 1>&2
set -ex
-rm -rf ca ca2
-mkdir ca
-touch ca/index.txt
-echo 01 > ca/serial
-
-mkdir ca2
-touch ca2/index.txt
-echo 01 > ca2/serial
+for i in ca ca1 ca2 ca3; do
+ rm -rf $i
+ mkdir $i
+ touch $i/index.txt
+ echo 01 > $i/serial
+ ${OPENSSL} genrsa -rand ${srcdir}/../configure > $i/key.pem
+done
-${OPENSSL} genrsa -rand ${srcdir}/../configure > ca/key.pem
-${OPENSSL} genrsa -rand ${srcdir}/../configure > ca2/key.pem
${OPENSSL} genrsa -rand ${srcdir}/../configure > client.key
${OPENSSL} dsaparam -genkey -rand ${srcdir}/../configure 1024 > client.dsap
@@ -72,6 +70,16 @@ EOF
csr_fields IntermediaryCA | ${REQ} -new -key ca2/key.pem -out ca2.csr
${CA} -extensions caExt -days 3560 -in ca2.csr -out ca2/cert.pem
+csr_fields ExpiredCA | ${REQ} -new -key ca1/key.pem -out ca1/cert.csr
+
+csr_fields NotYetValidCA | ${REQ} -new -key ca3/key.pem -out ca3/cert.csr
+
+CADIR=./ca1 ${CA} -name neoncainit -startdate `asn1date "2 days ago"` -enddate `asn1date "yesterday"` \
+ -in ca1/cert.csr -keyfile ca1/key.pem -out ca1/cert.pem -selfsign
+
+CADIR=./ca3 ${CA} -name neoncainit -startdate `asn1date "tomorrow"` -enddate `asn1date "2 days"` \
+ -in ca3/cert.csr -keyfile ca3/key.pem -out ca3/cert.pem -selfsign
+
csr_fields | ${REQ} -new -key ${srcdir}/server.key -out server.csr
csr_fields | ${REQ} -new -key ${srcdir}/server.key -out expired.csr
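Review bot: The new `-startdate`/`-enddate` values come from asn1date, which (see the helper in the first hunk) formats local time but appends a literal `Z`, so the encoded boundaries are off by the local UTC offset. With margins of a whole day this cannot flip the expired / not-yet-valid outcome, but `date -u -d "$1" "+%y%m%d%H%M%SZ"` would make the encoding exact. A comment stating each fixture's purpose would also help readers of the later hunks: `# ca1: self-signed CA whose validity ended yesterday; ca3: self-signed CA whose validity begins tomorrow`.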
@@ -187,10 +195,16 @@ for n in 1 2 3 4 5 6 7 8; do
done
# Sign this CSR using the intermediary CA
-${CA} -name neonca2 -days 900 -in server.csr -out ca2server.cert
+CADIR=./ca2 ${CA} -days 900 -in server.csr -out ca2server.cert
# And create a file with the concatenation of both EE and intermediary
# cert.
cat ca2server.cert ca2/cert.pem > ca2server.pem
+
+# sign with expired CA
+CADIR=./ca1 ${CA} -days 3 -in server.csr -out ca1server.cert
+
+# sign with not yet valid CA
+CADIR=./ca3 ${CA} -days 3 -in server.csr -out ca3server.cert
MKPKCS12="${OPENSSL} pkcs12 -export -passout stdin -in client.cert -inkey client.key"
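Review bot: The comments `# sign with expired CA` and `# sign with not yet valid CA` do not state that the issued server certificate itself is valid (`-days 3`), which is exactly the property the matching tests rely on: only the issuer must be outside its validity period. Suggest `# sign with expired CA: the leaf is valid for 3 days, so only the issuer's expiry should be flagged` and the parallel wording for ca3. If these fixtures are not regenerated on every build, `-days 3` also means they go stale after three days, which is worth recording next to the command.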
diff --git a/test/openssl.conf b/test/openssl.conf
index 295aeae..781f904 100644
--- a/test/openssl.conf
+++ b/test/openssl.conf
@@ -2,7 +2,7 @@
default_ca = neonca
[neonca]
-dir = ./ca
+dir = ${ENV::CADIR}
database = $dir/index.txt
new_certs_dir = $dir
certificate = $dir/cert.pem
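Review bot: `dir = ${ENV::CADIR}` makes OpenSSL abort config parsing whenever CADIR is not set in the environment, so this file now depends on the caller exporting it (makekeys.sh sets `CADIR=./ca` by default in its first hunk). A comment above the section recording that contract, `# CADIR must be exported by the caller; makekeys.sh defaults it to ./ca`, would save the next person a confusing parse error.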
@@ -13,17 +13,19 @@ default_md = md5
x509_extensions = issuedExt
unique_subject = no
-[neonca2]
-dir = ./ca2
+# same as neonca1 just +basicConstraints and without certificate to
+# allow creation of the initial self signed certificate
+[neoncainit]
+dir = ${ENV::CADIR}
database = $dir/index.txt
new_certs_dir = $dir
-certificate = $dir/cert.pem
serial = $dir/serial
private_key = $dir/key.pem
policy = policy_any
default_md = md5
x509_extensions = issuedExt
unique_subject = no
+basicConstraints = CA:TRUE
[policy_any]
countryName = optional
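Review bot: The new comment says `same as neonca1`, but the section it mirrors is `[neonca]` (first hunk); suggest `# same as neonca, plus basicConstraints and without a certificate, to allow creation of the initial self-signed certificate`. Separately, `basicConstraints = CA:TRUE` is placed in the `[neoncainit]` ca section rather than in an extension section named by `x509_extensions`; the ca app does not read X.509 extension keywords from its own section, so this line likely has no effect and the self-signed ca1/ca3 certificates would carry issuedExt's extensions instead (the ca2 path gets its CA extensions via `-extensions caExt`). Worth confirming with `openssl x509 -in ca1/cert.pem -noout -text` that the CA flag is present, since a missing CA flag could make verification fail for a reason other than the expiry the new tests expect.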
diff --git a/test/ssl.c b/test/ssl.c
index ea0ee0b..a9c1e12 100644
--- a/test/ssl.c
+++ b/test/ssl.c
@@ -844,6 +844,18 @@ static int fail_bad_urialtname(void)
"bad URI altname cert", NE_SSL_IDMISMATCH);
}
+static int fail_ca_expired(void)
+{
+ return fail_ssl_request("ca1server.cert", "ca1/cert.pem", "localhost",
+ "isser ca expired", NE_SSL_EXPIRED);
+}
+
+static int fail_ca_notyetvalid(void)
+{
+ return fail_ssl_request("ca3server.cert", "ca3/cert.pem", "localhost",
+ "isser ca not yet valid", NE_SSL_NOTYETVALID);
+}
+
/* Test that the SSL session is cached across connections. */
static int session_cache(void)
{
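Review bot: Both description strings in the new fail_ca_expired and fail_ca_notyetvalid misspell the issuer: `"isser ca expired"` and `"isser ca not yet valid"` should read `"issuer ca expired"` and `"issuer ca not yet valid"`, since these strings name the failing case in the test output. Also, per the commit message the GnuTLS backend does not yet report an expired or not-yet-valid issuer, yet the next hunk registers both tests unconditionally in tests[], so a GnuTLS build would presumably fail them; consider guarding the registration with whatever backend conditional the file already uses, or recording the known failure in a comment next to the `T(...)` entries.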
@@ -1716,6 +1728,8 @@ ne_test tests[] = {
T(fail_host_ipaltname),
T(fail_bad_ipaltname),
T(fail_bad_urialtname),
+ T(fail_ca_expired),
+ T(fail_ca_notyetvalid),
T(session_cache),
--
1.5.6