1#! /usr/bin/env perl 2# Copyright 2015-2021 The OpenSSL Project Authors. All Rights Reserved. 3# 4# Licensed under the Apache License 2.0 (the "License"). You may not use 5# this file except in compliance with the License. You can obtain a copy 6# in the file LICENSE in the source distribution or at 7# https://www.openssl.org/source/license.html 8 9 10use strict; 11use warnings; 12 13use OpenSSL::Test::Utils; 14use OpenSSL::Test qw/:DEFAULT srctop_file/; 15 16setup("test_req"); 17 18plan tests => 91; 19 20require_ok(srctop_file('test', 'recipes', 'tconversion.pl')); 21 22my @certs = qw(test certs); 23 24# What type of key to generate? 25my @req_new; 26if (disabled("rsa")) { 27 @req_new = ("-newkey", "dsa:".srctop_file("apps", "dsa512.pem")); 28} else { 29 @req_new = ("-new"); 30 note("There should be a 2 sequences of .'s and some +'s."); 31 note("There should not be more that at most 80 per line"); 32} 33 34# Prevent MSys2 filename munging for arguments that look like file paths but 35# aren't 36$ENV{MSYS2_ARG_CONV_EXCL} = "/CN="; 37 38# Check for duplicate -addext parameters, and one "working" case. 39my @addext_args = ( "openssl", "req", "-new", "-out", "testreq.pem", 40 "-key", srctop_file(@certs, "ee-key.pem"), 41 "-config", srctop_file("test", "test.cnf"), @req_new ); 42my $val = "subjectAltName=DNS:example.com"; 43my $val2 = " " . $val; 44my $val3 = $val; 45$val3 =~ s/=/ =/; 46ok( run(app([@addext_args, "-addext", $val]))); 47ok(!run(app([@addext_args, "-addext", $val, "-addext", $val]))); 48ok(!run(app([@addext_args, "-addext", $val, "-addext", $val2]))); 49ok(!run(app([@addext_args, "-addext", $val, "-addext", $val3]))); 50ok(!run(app([@addext_args, "-addext", $val2, "-addext", $val3]))); 51 52subtest "generating alt certificate requests with RSA" => sub { 53 plan tests => 3; 54 55 SKIP: { 56 skip "RSA is not supported by this OpenSSL build", 2 57 if disabled("rsa"); 58 59 ok(run(app(["openssl", "req", 60 "-config", srctop_file("test", "test.cnf"), 61 "-section", "altreq", 62 "-new", "-out", "testreq-rsa.pem", "-utf8", 63 "-key", srctop_file("test", "testrsa.pem")])), 64 "Generating request"); 65 66 ok(run(app(["openssl", "req", 67 "-config", srctop_file("test", "test.cnf"), 68 "-verify", "-in", "testreq-rsa.pem", "-noout"])), 69 "Verifying signature on request"); 70 71 ok(run(app(["openssl", "req", 72 "-config", srctop_file("test", "test.cnf"), 73 "-section", "altreq", 74 "-verify", "-in", "testreq-rsa.pem", "-noout"])), 75 "Verifying signature on request"); 76 } 77}; 78 79 80subtest "generating certificate requests with RSA" => sub { 81 plan tests => 8; 82 83 SKIP: { 84 skip "RSA is not supported by this OpenSSL build", 2 85 if disabled("rsa"); 86 87 ok(!run(app(["openssl", "req", 88 "-config", srctop_file("test", "test.cnf"), 89 "-new", "-out", "testreq-rsa.pem", "-utf8", 90 "-key", srctop_file("test", "testrsa.pem"), 91 "-keyform", "DER"])), 92 "Checking that mismatching keyform fails"); 93 94 ok(run(app(["openssl", "req", 95 "-config", srctop_file("test", "test.cnf"), 96 "-new", "-out", "testreq-rsa.pem", "-utf8", 97 "-key", srctop_file("test", "testrsa.pem"), 98 "-keyform", "PEM"])), 99 "Generating request"); 100 101 ok(run(app(["openssl", "req", 102 "-config", srctop_file("test", "test.cnf"), 103 "-verify", "-in", "testreq-rsa.pem", "-noout"])), 104 "Verifying signature on request"); 105 106 ok(run(app(["openssl", "req", 107 "-config", srctop_file("test", "test.cnf"), 108 "-modulus", "-in", "testreq-rsa.pem", "-noout"])), 109 "Printing a modulus of the request key"); 110 111 ok(run(app(["openssl", "req", 112 "-config", srctop_file("test", "test.cnf"), 113 "-new", "-out", "testreq_withattrs_pem.pem", "-utf8", 114 "-key", srctop_file("test", "testrsa_withattrs.pem")])), 115 "Generating request from a key with extra attributes - PEM"); 116 117 ok(run(app(["openssl", "req", 118 "-config", srctop_file("test", "test.cnf"), 119 "-verify", "-in", "testreq_withattrs_pem.pem", "-noout"])), 120 "Verifying signature on request from a key with extra attributes - PEM"); 121 122 ok(run(app(["openssl", "req", 123 "-config", srctop_file("test", "test.cnf"), 124 "-new", "-out", "testreq_withattrs_der.pem", "-utf8", 125 "-key", srctop_file("test", "testrsa_withattrs.der"), 126 "-keyform", "DER"])), 127 "Generating request from a key with extra attributes - PEM"); 128 129 ok(run(app(["openssl", "req", 130 "-config", srctop_file("test", "test.cnf"), 131 "-verify", "-in", "testreq_withattrs_der.pem", "-noout"])), 132 "Verifying signature on request from a key with extra attributes - PEM"); 133 } 134}; 135 136subtest "generating certificate requests with RSA-PSS" => sub { 137 plan tests => 12; 138 139 SKIP: { 140 skip "RSA is not supported by this OpenSSL build", 2 141 if disabled("rsa"); 142 143 ok(run(app(["openssl", "req", 144 "-config", srctop_file("test", "test.cnf"), 145 "-new", "-out", "testreq-rsapss.pem", "-utf8", 146 "-key", srctop_file("test", "testrsapss.pem")])), 147 "Generating request"); 148 ok(run(app(["openssl", "req", 149 "-config", srctop_file("test", "test.cnf"), 150 "-verify", "-in", "testreq-rsapss.pem", "-noout"])), 151 "Verifying signature on request"); 152 153 ok(run(app(["openssl", "req", 154 "-config", srctop_file("test", "test.cnf"), 155 "-new", "-out", "testreq-rsapss2.pem", "-utf8", 156 "-sigopt", "rsa_padding_mode:pss", 157 "-sigopt", "rsa_pss_saltlen:-1", 158 "-key", srctop_file("test", "testrsapss.pem")])), 159 "Generating request"); 160 ok(run(app(["openssl", "req", 161 "-config", srctop_file("test", "test.cnf"), 162 "-verify", "-in", "testreq-rsapss2.pem", "-noout"])), 163 "Verifying signature on request"); 164 165 ok(run(app(["openssl", "req", 166 "-config", srctop_file("test", "test.cnf"), 167 "-new", "-out", "testreq-rsapssmand.pem", "-utf8", 168 "-sigopt", "rsa_padding_mode:pss", 169 "-key", srctop_file("test", "testrsapssmandatory.pem")])), 170 "Generating request"); 171 ok(run(app(["openssl", "req", 172 "-config", srctop_file("test", "test.cnf"), 173 "-verify", "-in", "testreq-rsapssmand.pem", "-noout"])), 174 "Verifying signature on request"); 175 176 ok(run(app(["openssl", "req", 177 "-config", srctop_file("test", "test.cnf"), 178 "-new", "-out", "testreq-rsapssmand2.pem", "-utf8", 179 "-sigopt", "rsa_pss_saltlen:100", 180 "-key", srctop_file("test", "testrsapssmandatory.pem")])), 181 "Generating request"); 182 ok(run(app(["openssl", "req", 183 "-config", srctop_file("test", "test.cnf"), 184 "-verify", "-in", "testreq-rsapssmand2.pem", "-noout"])), 185 "Verifying signature on request"); 186 187 ok(!run(app(["openssl", "req", 188 "-config", srctop_file("test", "test.cnf"), 189 "-new", "-out", "testreq-rsapss3.pem", "-utf8", 190 "-sigopt", "rsa_padding_mode:pkcs1", 191 "-key", srctop_file("test", "testrsapss.pem")])), 192 "Generating request with expected failure"); 193 194 ok(!run(app(["openssl", "req", 195 "-config", srctop_file("test", "test.cnf"), 196 "-new", "-out", "testreq-rsapss3.pem", "-utf8", 197 "-sigopt", "rsa_pss_saltlen:-4", 198 "-key", srctop_file("test", "testrsapss.pem")])), 199 "Generating request with expected failure"); 200 201 ok(!run(app(["openssl", "req", 202 "-config", srctop_file("test", "test.cnf"), 203 "-new", "-out", "testreq-rsapssmand3.pem", "-utf8", 204 "-sigopt", "rsa_pss_saltlen:10", 205 "-key", srctop_file("test", "testrsapssmandatory.pem")])), 206 "Generating request with expected failure"); 207 208 ok(!run(app(["openssl", "req", 209 "-config", srctop_file("test", "test.cnf"), 210 "-new", "-out", "testreq-rsapssmand3.pem", "-utf8", 211 "-sha256", 212 "-key", srctop_file("test", "testrsapssmandatory.pem")])), 213 "Generating request with expected failure"); 214 } 215}; 216 217subtest "generating certificate requests with DSA" => sub { 218 plan tests => 2; 219 220 SKIP: { 221 skip "DSA is not supported by this OpenSSL build", 2 222 if disabled("dsa"); 223 224 ok(run(app(["openssl", "req", 225 "-config", srctop_file("test", "test.cnf"), 226 "-new", "-out", "testreq-dsa.pem", "-utf8", 227 "-key", srctop_file("test", "testdsa.pem")])), 228 "Generating request"); 229 230 ok(run(app(["openssl", "req", 231 "-config", srctop_file("test", "test.cnf"), 232 "-verify", "-in", "testreq-dsa.pem", "-noout"])), 233 "Verifying signature on request"); 234 } 235}; 236 237subtest "generating certificate requests with ECDSA" => sub { 238 plan tests => 2; 239 240 SKIP: { 241 skip "ECDSA is not supported by this OpenSSL build", 2 242 if disabled("ec"); 243 244 ok(run(app(["openssl", "req", 245 "-config", srctop_file("test", "test.cnf"), 246 "-new", "-out", "testreq-ec.pem", "-utf8", 247 "-key", srctop_file("test", "testec-p256.pem")])), 248 "Generating request"); 249 250 ok(run(app(["openssl", "req", 251 "-config", srctop_file("test", "test.cnf"), 252 "-verify", "-in", "testreq-ec.pem", "-noout"])), 253 "Verifying signature on request"); 254 } 255}; 256 257subtest "generating certificate requests with Ed25519" => sub { 258 plan tests => 2; 259 260 SKIP: { 261 skip "Ed25519 is not supported by this OpenSSL build", 2 262 if disabled("ec"); 263 264 ok(run(app(["openssl", "req", 265 "-config", srctop_file("test", "test.cnf"), 266 "-new", "-out", "testreq-ed25519.pem", "-utf8", 267 "-key", srctop_file("test", "tested25519.pem")])), 268 "Generating request"); 269 270 ok(run(app(["openssl", "req", 271 "-config", srctop_file("test", "test.cnf"), 272 "-verify", "-in", "testreq-ed25519.pem", "-noout"])), 273 "Verifying signature on request"); 274 } 275}; 276 277subtest "generating certificate requests with Ed448" => sub { 278 plan tests => 2; 279 280 SKIP: { 281 skip "Ed448 is not supported by this OpenSSL build", 2 282 if disabled("ec"); 283 284 ok(run(app(["openssl", "req", 285 "-config", srctop_file("test", "test.cnf"), 286 "-new", "-out", "testreq-ed448.pem", "-utf8", 287 "-key", srctop_file("test", "tested448.pem")])), 288 "Generating request"); 289 290 ok(run(app(["openssl", "req", 291 "-config", srctop_file("test", "test.cnf"), 292 "-verify", "-in", "testreq-ed448.pem", "-noout"])), 293 "Verifying signature on request"); 294 } 295}; 296 297subtest "generating certificate requests" => sub { 298 plan tests => 2; 299 300 ok(run(app(["openssl", "req", "-config", srctop_file("test", "test.cnf"), 301 "-key", srctop_file(@certs, "ee-key.pem"), 302 @req_new, "-out", "testreq.pem"])), 303 "Generating request"); 304 305 ok(run(app(["openssl", "req", "-config", srctop_file("test", "test.cnf"), 306 "-verify", "-in", "testreq.pem", "-noout"])), 307 "Verifying signature on request"); 308}; 309 310subtest "generating SM2 certificate requests" => sub { 311 plan tests => 4; 312 313 SKIP: { 314 skip "SM2 is not supported by this OpenSSL build", 4 315 if disabled("sm2"); 316 ok(run(app(["openssl", "req", 317 "-config", srctop_file("test", "test.cnf"), 318 "-new", "-key", srctop_file(@certs, "sm2.key"), 319 "-sigopt", "distid:1234567812345678", 320 "-out", "testreq-sm2.pem", "-sm3"])), 321 "Generating SM2 certificate request"); 322 323 ok(run(app(["openssl", "req", 324 "-config", srctop_file("test", "test.cnf"), 325 "-verify", "-in", "testreq-sm2.pem", "-noout", 326 "-vfyopt", "distid:1234567812345678", "-sm3"])), 327 "Verifying signature on SM2 certificate request"); 328 329 ok(run(app(["openssl", "req", 330 "-config", srctop_file("test", "test.cnf"), 331 "-new", "-key", srctop_file(@certs, "sm2.key"), 332 "-sigopt", "hexdistid:DEADBEEF", 333 "-out", "testreq-sm2.pem", "-sm3"])), 334 "Generating SM2 certificate request with hex id"); 335 336 ok(run(app(["openssl", "req", 337 "-config", srctop_file("test", "test.cnf"), 338 "-verify", "-in", "testreq-sm2.pem", "-noout", 339 "-vfyopt", "hexdistid:DEADBEEF", "-sm3"])), 340 "Verifying signature on SM2 certificate request"); 341 } 342}; 343 344my @openssl_args = ("req", "-config", srctop_file("apps", "openssl.cnf")); 345 346run_conversion('req conversions', 347 "testreq.pem"); 348run_conversion('req conversions -- testreq2', 349 srctop_file("test", "testreq2.pem")); 350 351sub run_conversion { 352 my $title = shift; 353 my $reqfile = shift; 354 355 subtest $title => sub { 356 run(app(["openssl", @openssl_args, 357 "-in", $reqfile, "-inform", "p", 358 "-noout", "-text"], 359 stderr => "req-check.err", stdout => undef)); 360 open DATA, "req-check.err"; 361 SKIP: { 362 plan skip_all => "skipping req conversion test for $reqfile" 363 if grep /Unknown Public Key/, map { s/\R//; } <DATA>; 364 365 tconversion( -type => 'req', -in => $reqfile, 366 -args => [ @openssl_args ] ); 367 } 368 close DATA; 369 unlink "req-check.err"; 370 371 done_testing(); 372 }; 373} 374 375# Test both generation and verification of certs w.r.t. RFC 5280 requirements 376 377my $ca_cert; # will be set below 378sub generate_cert { 379 my $cert = shift @_; 380 my $ss = $cert =~ m/self-signed/; 381 my $is_ca = $cert =~ m/CA/; 382 my $cn = $is_ca ? "CA" : "EE"; 383 my $ca_key = srctop_file(@certs, "ca-key.pem"); 384 my $key = $is_ca ? $ca_key : srctop_file(@certs, "ee-key.pem"); 385 my @cmd = ("openssl", "req", "-config", "", "-x509", 386 "-key", $key, "-subj", "/CN=$cn", @_, "-out", $cert); 387 push(@cmd, ("-CA", $ca_cert, "-CAkey", $ca_key)) unless $ss; 388 ok(run(app([@cmd])), "generate $cert"); 389} 390sub has_SKID { 391 my $cert = shift @_; 392 my $expect = shift @_; 393 cert_contains($cert, "Subject Key Identifier", $expect); 394} 395sub has_AKID { 396 my $cert = shift @_; 397 my $expect = shift @_; 398 cert_contains($cert, "Authority Key Identifier", $expect); 399} 400sub has_keyUsage { 401 my $cert = shift @_; 402 my $expect = shift @_; 403 cert_contains($cert, "Key Usage", $expect); 404} 405sub strict_verify { 406 my $cert = shift @_; 407 my $expect = shift @_; 408 my $trusted = shift @_; 409 $trusted = $cert unless $trusted; 410 ok(run(app(["openssl", "verify", "-x509_strict", "-trusted", $trusted, 411 "-partial_chain", $cert])) == $expect, 412 "strict verify allow $cert"); 413} 414 415my @v3_ca = ("-addext", "basicConstraints = critical,CA:true", 416 "-addext", "keyUsage = keyCertSign"); 417my $SKID_AKID = "subjectKeyIdentifier,authorityKeyIdentifier"; 418 419# # SKID 420 421my $cert = "self-signed_v3_CA_hash_SKID.pem"; 422generate_cert($cert, @v3_ca, "-addext", "subjectKeyIdentifier = hash"); 423has_SKID($cert, 1); # explicit hash SKID 424 425$cert = "self-signed_v3_CA_no_SKID.pem"; 426generate_cert($cert, @v3_ca, "-addext", "subjectKeyIdentifier = none"); 427cert_ext_has_n_different_lines($cert, 0, $SKID_AKID); # no SKID and no AKID 428#TODO strict_verify($cert, 0); 429 430$cert = "self-signed_v3_CA_given_SKID.pem"; 431generate_cert($cert, @v3_ca, "-addext", "subjectKeyIdentifier = 45"); 432cert_contains($cert, "Subject Key Identifier: 45 ", 1); # given SKID 433strict_verify($cert, 1); 434 435# AKID of self-signed certs 436 437$cert = "self-signed_v1_CA_no_KIDs.pem"; 438generate_cert($cert); 439cert_ext_has_n_different_lines($cert, 0, $SKID_AKID); # no SKID and no AKID 440#TODO strict_verify($cert, 1); # self-signed v1 root cert should be accepted as CA 441 442$ca_cert = "self-signed_v3_CA_default_SKID.pem"; # will also be used below 443generate_cert($ca_cert, @v3_ca); 444has_SKID($ca_cert, 1); # default SKID 445has_AKID($ca_cert, 0); # no default AKID 446strict_verify($ca_cert, 1); 447 448$cert = "self-signed_v3_CA_no_AKID.pem"; 449generate_cert($cert, @v3_ca, "-addext", "authorityKeyIdentifier = none"); 450has_AKID($cert, 0); # forced no AKID 451 452$cert = "self-signed_v3_CA_explicit_AKID.pem"; 453generate_cert($cert, @v3_ca, "-addext", "authorityKeyIdentifier = keyid"); 454has_AKID($cert, 0); # for self-signed cert, AKID suppressed and not forced 455 456$cert = "self-signed_v3_CA_forced_AKID.pem"; 457generate_cert($cert, @v3_ca, "-addext", "authorityKeyIdentifier = keyid:always"); 458cert_ext_has_n_different_lines($cert, 3, $SKID_AKID); # forced AKID, AKID == SKID 459strict_verify($cert, 1); 460 461$cert = "self-signed_v3_CA_issuer_AKID.pem"; 462generate_cert($cert, @v3_ca, "-addext", "authorityKeyIdentifier = issuer"); 463has_AKID($cert, 0); # suppressed AKID since not forced 464 465$cert = "self-signed_v3_CA_forced_issuer_AKID.pem"; 466generate_cert($cert, @v3_ca, "-addext", "authorityKeyIdentifier = issuer:always"); 467cert_contains($cert, "Authority Key Identifier: DirName:/CN=CA serial:", 1); # forced issuer AKID 468 469$cert = "self-signed_v3_CA_nonforced_keyid_issuer_AKID.pem"; 470generate_cert($cert, @v3_ca, "-addext", "authorityKeyIdentifier = keyid, issuer"); 471has_AKID($cert, 0); # AKID not present because not forced and cert self-signed 472 473$cert = "self-signed_v3_CA_keyid_forced_issuer_AKID.pem"; 474generate_cert($cert, @v3_ca, "-addext", "authorityKeyIdentifier = keyid, issuer:always"); 475cert_contains($cert, "Authority Key Identifier: DirName:/CN=CA serial:", 1); # issuer AKID forced, with keyid not forced 476 477$cert = "self-signed_v3_CA_forced_keyid_issuer_AKID.pem"; 478generate_cert($cert, @v3_ca, "-addext", "authorityKeyIdentifier = keyid:always, issuer"); 479has_AKID($cert, 1); # AKID with keyid forced 480cert_contains($cert, "Authority Key Identifier: DirName:/CN=CA serial:", 0); # no issuer AKID 481 482$cert = "self-signed_v3_CA_forced_keyid_forced_issuer_AKID.pem"; 483generate_cert($cert, @v3_ca, "-addext", "authorityKeyIdentifier = keyid:always, issuer:always"); 484cert_contains($cert, "Authority Key Identifier: keyid(:[0-9A-Fa-f]{2})+ DirName:/CN=CA serial:", 1); # AKID with keyid and issuer forced 485 486$cert = "self-signed_v3_EE_wrong_keyUsage.pem"; 487generate_cert($cert, "-addext", "keyUsage = keyCertSign"); 488#TODO strict_verify($cert, 1); # should be accepted because RFC 5280 does not apply 489 490# AKID of self-issued but not self-signed certs 491 492$cert = "self-issued_x509_v3_CA_default_KIDs.pem"; 493ok(run(app([("openssl", "x509", "-copy_extensions", "copy", 494 "-req", "-in", srctop_file(@certs, "ext-check.csr"), 495 "-key", srctop_file(@certs, "ca-key.pem"), 496 "-force_pubkey", srctop_file("test", "testrsapub.pem"), 497 "-out", $cert)])), "generate using x509: $cert"); 498cert_contains($cert, "Issuer: CN=test .*? Subject: CN=test", 1); 499cert_ext_has_n_different_lines($cert, 4, $SKID_AKID); # SKID != AKID 500strict_verify($cert, 1); 501 502$cert = "self-issued_v3_CA_default_KIDs.pem"; 503generate_cert($cert, "-addext", "keyUsage = dataEncipherment", 504 "-in", srctop_file(@certs, "x509-check.csr")); 505cert_contains($cert, "Issuer: CN=CA .*? Subject: CN=CA", 1); 506cert_ext_has_n_different_lines($cert, 4, $SKID_AKID); # SKID != AKID 507strict_verify($cert, 1); 508 509$cert = "self-issued_v3_CA_no_AKID.pem"; 510generate_cert($cert, "-addext", "authorityKeyIdentifier = none", 511 "-in", srctop_file(@certs, "x509-check.csr")); 512has_AKID($cert, 0); 513strict_verify($cert, 1); 514 515$cert = "self-issued_v3_CA_explicit_AKID.pem"; 516generate_cert($cert, "-addext", "authorityKeyIdentifier = keyid", 517 "-in", srctop_file(@certs, "x509-check.csr")); 518cert_ext_has_n_different_lines($cert, 4, $SKID_AKID); # SKID != AKID 519strict_verify($cert, 1); 520 521$cert = "self-issued_v3_CA_forced_AKID.pem"; 522generate_cert($cert, "-addext", "authorityKeyIdentifier = keyid:always", 523 "-in", srctop_file(@certs, "x509-check.csr")); 524cert_ext_has_n_different_lines($cert, 4, $SKID_AKID); # SKID != AKID 525 526$cert = "self-issued_v3_CA_issuer_AKID.pem"; 527generate_cert($cert, @v3_ca, "-addext", "authorityKeyIdentifier = issuer", 528 "-in", srctop_file(@certs, "x509-check.csr")); 529cert_contains($cert, "Authority Key Identifier: DirName:/CN=CA serial:", 1); # just issuer AKID 530 531$cert = "self-issued_v3_CA_forced_issuer_AKID.pem"; 532generate_cert($cert, @v3_ca, "-addext", "authorityKeyIdentifier = issuer:always", 533 "-in", srctop_file(@certs, "x509-check.csr")); 534cert_contains($cert, "Authority Key Identifier: DirName:/CN=CA serial:", 1); # just issuer AKID 535 536$cert = "self-issued_v3_CA_keyid_issuer_AKID.pem"; 537generate_cert($cert, "-addext", "authorityKeyIdentifier = keyid, issuer", 538 "-in", srctop_file(@certs, "x509-check.csr")); 539cert_ext_has_n_different_lines($cert, 4, $SKID_AKID); # SKID != AKID, not forced 540 541$cert = "self-issued_v3_CA_keyid_forced_issuer_AKID.pem"; 542generate_cert($cert, "-addext", "authorityKeyIdentifier = keyid, issuer:always", 543 "-in", srctop_file(@certs, "x509-check.csr")); 544cert_ext_has_n_different_lines($cert, 6, $SKID_AKID); # SKID != AKID, with forced issuer 545 546$cert = "self-issued_v3_CA_forced_keyid_and_issuer_AKID.pem"; 547generate_cert($cert, "-addext", "authorityKeyIdentifier = keyid:always, issuer:always", 548 "-in", srctop_file(@certs, "x509-check.csr")); 549cert_ext_has_n_different_lines($cert, 6, $SKID_AKID); # SKID != AKID, both forced 550 551# AKID of not self-issued certs 552 553$cert = "regular_v3_EE_default_KIDs.pem"; 554generate_cert($cert, "-addext", "keyUsage = dataEncipherment"); 555cert_ext_has_n_different_lines($cert, 4, $SKID_AKID); # SKID != AKID 556strict_verify($cert, 1, $ca_cert); 557$cert = "regular_v3_EE_copied_exts_default_KIDs.pem"; 558generate_cert($cert, "-copy_extensions", "copy", 559 "-in", srctop_file(@certs, "ext-check.csr")); 560cert_ext_has_n_different_lines($cert, 4, $SKID_AKID); # SKID != AKID 561strict_verify($cert, 1); 562 563$cert = "v3_EE_no_AKID.pem"; 564generate_cert($cert, "-addext", "authorityKeyIdentifier = none"); 565has_SKID($cert, 1); 566has_AKID($cert, 0); 567strict_verify($cert, 0, $ca_cert); 568 569 570# Key Usage 571 572$cert = "self-signed_CA_no_keyUsage.pem"; 573generate_cert($cert, "-in", srctop_file(@certs, "ext-check.csr")); 574has_keyUsage($cert, 0); 575$cert = "self-signed_CA_with_keyUsages.pem"; 576generate_cert($cert, "-in", srctop_file(@certs, "ext-check.csr"), 577 "-copy_extensions", "copy"); 578has_keyUsage($cert, 1); 579