......@@ -13,6 +13,10 @@ See the end for copying conditions.
** libgnutls: Introduced a function group to set known DH parameters
using groups from RFC7919.
** libgnutls: Introduced time and constraints checks in the end certificate
in the gnutls_x509_crt_verify_data2() and gnutls_pkcs7_verify_direct()
functions.
** certtool: --get-dh-params will output parameters from the RFC7919
groups.
......@@ -23,6 +27,7 @@ gnutls_pkcs7_get_embedded_data_oid: Added
gnutls_anon_set_server_known_dh_params: Added
gnutls_certificate_set_known_dh_params: Added
gnutls_psk_set_server_known_dh_params: Added
gnutls_x509_crt_check_key_purpose: Added
* Version 3.5.5 (released 2016-10-09)
......
......@@ -2332,6 +2332,8 @@ FUNCS += functions/gnutls_x509_crt_check_hostname2
FUNCS += functions/gnutls_x509_crt_check_hostname2.short
FUNCS += functions/gnutls_x509_crt_check_issuer
FUNCS += functions/gnutls_x509_crt_check_issuer.short
FUNCS += functions/gnutls_x509_crt_check_key_purpose
FUNCS += functions/gnutls_x509_crt_check_key_purpose.short
FUNCS += functions/gnutls_x509_crt_check_revocation
FUNCS += functions/gnutls_x509_crt_check_revocation.short
FUNCS += functions/gnutls_x509_crt_cpy_crl_dist_points
......
......@@ -960,6 +960,7 @@ APIMANS += gnutls_x509_crt_check_email.3
APIMANS += gnutls_x509_crt_check_hostname.3
APIMANS += gnutls_x509_crt_check_hostname2.3
APIMANS += gnutls_x509_crt_check_issuer.3
APIMANS += gnutls_x509_crt_check_key_purpose.3
APIMANS += gnutls_x509_crt_check_revocation.3
APIMANS += gnutls_x509_crt_cpy_crl_dist_points.3
APIMANS += gnutls_x509_crt_deinit.3
......
......@@ -134,8 +134,10 @@ static const gnutls_error_entry error_entries[] = {
ERROR_ENTRY(N_("Error in password file."), GNUTLS_E_SRP_PWD_ERROR),
ERROR_ENTRY(N_("Wrong padding in PKCS1 packet."),
GNUTLS_E_PKCS1_WRONG_PAD),
ERROR_ENTRY(N_("The requested session has expired."),
ERROR_ENTRY(N_("The session or certificate has expired."),
GNUTLS_E_EXPIRED),
ERROR_ENTRY(N_("The certificate is not yet activated."),
GNUTLS_E_NOT_YET_ACTIVATED),
ERROR_ENTRY(N_("Hashing has failed."), GNUTLS_E_HASH_FAILED),
ERROR_ENTRY(N_("Base64 decoding error."),
GNUTLS_E_BASE64_DECODING_ERROR),
......
......@@ -2813,6 +2813,7 @@ unsigned gnutls_fips140_mode_enabled(void);
#define GNUTLS_E_UNAVAILABLE_DURING_HANDSHAKE -408
#define GNUTLS_E_PK_INVALID_PUBKEY -409
#define GNUTLS_E_PK_INVALID_PRIVKEY -410
#define GNUTLS_E_NOT_YET_ACTIVATED -411
#define GNUTLS_E_UNIMPLEMENTED_FEATURE -1250
......
......@@ -81,6 +81,8 @@ extern "C" {
#define GNUTLS_KP_IPSEC_IKE "1.3.6.1.5.5.7.3.17"
#define GNUTLS_KP_ANY "2.5.29.37.0"
#define GNUTLS_KP_FLAG_DISALLOW_ANY 1
#define GNUTLS_OID_AIA "1.3.6.1.5.5.7.1.1"
#define GNUTLS_OID_AD_OCSP "1.3.6.1.5.5.7.48.1"
#define GNUTLS_OID_AD_CAISSUERS "1.3.6.1.5.5.7.48.2"
......@@ -981,6 +983,9 @@ int gnutls_x509_crt_set_key_purpose_oid(gnutls_x509_crt_t cert,
const void *oid,
unsigned int critical);
unsigned gnutls_x509_crt_check_key_purpose(gnutls_x509_crt_t cert,
const char *purpose, unsigned flags);
/* Private key handling.
*/
......
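Review bot: GNUTLS_KP_FLAG_DISALLOW_ANY is added directly under the key-purpose OID strings with no comment, although it is a bit-flag for the new gnutls_x509_crt_check_key_purpose() rather than an OID; a one-liner above it such as `/* flag for gnutls_x509_crt_check_key_purpose(): do not let GNUTLS_KP_ANY satisfy the requested purpose */` would keep the two kinds of constants apart. The prototype added in the second hunk is the only consumer visible here, so the header is the natural place to explain the flag's meaning.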
......@@ -1123,6 +1123,7 @@ GNUTLS_3_4
gnutls_certificate_set_known_dh_params;
gnutls_anon_set_server_known_dh_params;
gnutls_psk_set_server_known_dh_params;
gnutls_x509_crt_check_key_purpose;
local:
*;
};
......
......@@ -965,6 +965,14 @@ gnutls_pkcs7_get_embedded_data_oid(gnutls_pkcs7_t pkcs7)
* provided are NULL then the data in the encapsulatedContent field
* will be used instead.
*
* Note that, unlike gnutls_pkcs7_verify() this function does not
* verify the key purpose of the signer. It is expected for the caller
* to verify the intended purpose of the %signer -e.g., via gnutls_x509_crt_get_key_purpose_oid(),
* or gnutls_x509_crt_check_key_purpose().
*
* Note also, that since GnuTLS 3.5.6 this function introduces checks in the
* end certificate (@signer), including time checks and key usage checks.
*
* Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
* negative error value. A verification error results to a
* %GNUTLS_E_PK_SIG_VERIFY_FAILED and the lack of encapsulated data
......@@ -1239,8 +1247,8 @@ int gnutls_pkcs7_verify(gnutls_pkcs7_t pkcs7,
signer = find_signer(pkcs7, tl, vdata, vdata_size, &info);
if (signer) {
ret =
gnutls_x509_crt_verify_data2(signer, info.algo, flags,
&sigdata, &info.sig);
gnutls_x509_crt_verify_data3(signer, info.algo, vdata, vdata_size,
&sigdata, &info.sig, flags);
if (ret < 0) {
gnutls_assert();
}
......
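Review bot: The new documentation paragraph (apparently for gnutls_pkcs7_verify_direct()) writes the parameter as `%signer -e.g.,`; gtk-doc uses `@` for parameters and `%` for constants, as the next paragraph's `@signer` does, so it should read `to verify the intended purpose of @signer, e.g., via`. It would also help to state that gnutls_pkcs7_verify() now passes @vdata through to gnutls_x509_crt_verify_data3(), so a GNUTLS_DT_KEY_PURPOSE_OID entry is checked against the end certificate there — that is the behavioural difference the paragraph is contrasting. The body of gnutls_pkcs7_verify continues outside the second hunk.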
......@@ -2857,7 +2857,7 @@ _gnutls_x509_crt_check_revocation(gnutls_x509_crt_t cert,
* @crl_list: should contain a list of gnutls_x509_crl_t types
* @crl_list_length: the length of the crl_list
*
* This function will return check if the given certificate is
* This function will check if the given certificate is
* revoked. It is assumed that the CRLs have been verified before.
*
* Returns: 0 if the certificate is NOT revoked, and 1 if it is. A
......@@ -2873,6 +2873,28 @@ gnutls_x509_crt_check_revocation(gnutls_x509_crt_t cert,
}
/**
* gnutls_x509_crt_check_key_purpose:
* @cert: should contain a #gnutls_x509_crt_t type
* @purpose: a key purpose OID (e.g., %GNUTLS_KP_CODE_SIGNING)
* @flags: zero or %GNUTLS_KP_FLAG_DISALLOW_ANY
*
* This function will check whether the given certificate matches
* the provided key purpose. If @flags contains %GNUTLS_KP_FLAG_ALLOW_ANY then
* it a certificate marked for any purpose will not match.
*
* Returns: zero if the key purpose doesn't match, and non-zero otherwise.
*
* Since: 3.5.6
**/
unsigned
gnutls_x509_crt_check_key_purpose(gnutls_x509_crt_t cert,
const char *purpose,
unsigned flags)
{
return _gnutls_check_key_purpose(cert, purpose, (flags&GNUTLS_KP_FLAG_DISALLOW_ANY)?1:0);
}
/**
* gnutls_x509_crt_get_preferred_hash_algorithm:
* @crt: Holds the certificate
* @hash: The result of the call with the hash algorithm used for signature
......@@ -3862,8 +3884,8 @@ gnutls_x509_crt_import_url(gnutls_x509_crt_t crt,
return ret;
}
/**
* gnutls_x509_crt_verify_data2:
/*-
* gnutls_x509_crt_verify_data3:
* @crt: Holds the certificate to verify with
* @algo: The signature algorithm used
* @flags: Zero or an OR list of #gnutls_certificate_verify_flags
......@@ -3874,16 +3896,19 @@ gnutls_x509_crt_import_url(gnutls_x509_crt_t crt,
* parameters from the certificate.
*
* Returns: In case of a verification failure %GNUTLS_E_PK_SIG_VERIFY_FAILED
* is returned, and zero or positive code on success.
* is returned, %GNUTLS_E_EXPIRED or %GNUTLS_E_NOT_YET_ACTIVATED on expired
* or not yet activated certificate and zero or positive code on success.
*
* Since: 3.4.0
**/
* Since: 3.5.6
-*/
int
gnutls_x509_crt_verify_data2(gnutls_x509_crt_t crt,
gnutls_sign_algorithm_t algo,
unsigned int flags,
const gnutls_datum_t * data,
const gnutls_datum_t * signature)
gnutls_x509_crt_verify_data3(gnutls_x509_crt_t crt,
gnutls_sign_algorithm_t algo,
gnutls_typed_vdata_st *vdata,
unsigned int vdata_size,
const gnutls_datum_t *data,
const gnutls_datum_t *signature,
unsigned int flags)
{
int ret;
gnutls_pubkey_t pubkey;
......@@ -3893,6 +3918,7 @@ gnutls_x509_crt_verify_data2(gnutls_x509_crt_t crt,
return GNUTLS_E_INVALID_REQUEST;
}
ret = gnutls_pubkey_init(&pubkey);
if (ret < 0)
return gnutls_assert_val(ret);
......@@ -3904,5 +3930,70 @@ gnutls_x509_crt_verify_data2(gnutls_x509_crt_t crt,
ret = gnutls_pubkey_verify_data2(pubkey, algo, flags, data, signature);
gnutls_pubkey_deinit(pubkey);
if (ret >= 0) {
time_t now = gnutls_time(0);
int res;
unsigned usage, i;
if (!(flags & GNUTLS_VERIFY_DISABLE_TRUSTED_TIME_CHECKS) ||
!(flags & GNUTLS_VERIFY_DISABLE_TIME_CHECKS)) {
if (now > gnutls_x509_crt_get_expiration_time(crt)) {
return gnutls_assert_val(GNUTLS_E_EXPIRED);
}
if (now < gnutls_x509_crt_get_activation_time(crt)) {
return gnutls_assert_val(GNUTLS_E_NOT_YET_ACTIVATED);
}
}
res = gnutls_x509_crt_get_key_usage(crt, &usage, NULL);
if (res >= 0) {
if (!(usage & GNUTLS_KEY_DIGITAL_SIGNATURE)) {
return gnutls_assert_val(GNUTLS_CERT_SIGNER_CONSTRAINTS_FAILURE);
}
}
for (i=0;i<vdata_size;i++) {
if (vdata[i].type == GNUTLS_DT_KEY_PURPOSE_OID) {
res = _gnutls_check_key_purpose(crt, (char *)vdata[i].data, 0);
if (res == 0)
return gnutls_assert_val(GNUTLS_CERT_SIGNER_CONSTRAINTS_FAILURE);
break;
}
}
}
return ret;
}
/**
* gnutls_x509_crt_verify_data2:
* @crt: Holds the certificate to verify with
* @algo: The signature algorithm used
* @flags: Zero or an OR list of #gnutls_certificate_verify_flags
* @data: holds the signed data
* @signature: contains the signature
*
* This function will verify the given signed data, using the
* parameters from the certificate.
*
* Returns: In case of a verification failure %GNUTLS_E_PK_SIG_VERIFY_FAILED
* is returned, %GNUTLS_E_EXPIRED or %GNUTLS_E_NOT_YET_ACTIVATED on expired
* or not yet activated certificate and zero or positive code on success.
*
* Note that since GnuTLS 3.5.6 this function introduces checks in the
* end certificate (@crt), including time checks and key usage checks.
*
* Since: 3.4.0
**/
int
gnutls_x509_crt_verify_data2(gnutls_x509_crt_t crt,
gnutls_sign_algorithm_t algo,
unsigned int flags,
const gnutls_datum_t *data,
const gnutls_datum_t *signature)
{
return gnutls_x509_crt_verify_data3(crt, algo, NULL, 0,
data, signature, flags);
}
......@@ -406,6 +406,15 @@ int _gnutls_x509_crq_set_extension(gnutls_x509_crq_t crq,
const gnutls_datum_t * ext_data,
unsigned int critical);
int
gnutls_x509_crt_verify_data3(gnutls_x509_crt_t crt,
gnutls_sign_algorithm_t algo,
gnutls_typed_vdata_st *vdata,
unsigned int vdata_size,
const gnutls_datum_t *data,
const gnutls_datum_t *signature,
unsigned int flags);
unsigned int
_gnutls_verify_crt_status(const gnutls_x509_crt_t * certificate_list,
int clist_size,
......
......@@ -542,6 +542,30 @@ generate_certificate(gnutls_privkey_t * ret_key,
}
}
result = get_code_sign_status();
if (result) {
result =
gnutls_x509_crt_set_key_purpose_oid
(crt, GNUTLS_KP_CODE_SIGNING, 0);
if (result < 0) {
fprintf(stderr, "key_kp: %s\n",
gnutls_strerror(result));
exit(1);
}
}
result = get_time_stamp_status();
if (result) {
result =
gnutls_x509_crt_set_key_purpose_oid
(crt, GNUTLS_KP_TIME_STAMPING, 0);
if (result < 0) {
fprintf(stderr, "key_kp: %s\n",
gnutls_strerror(result));
exit(1);
}
}
if (ca_status) {
result = get_cert_sign_status();
if (result)
......@@ -551,33 +575,10 @@ generate_certificate(gnutls_privkey_t * ret_key,
if (result)
usage |= GNUTLS_KEY_CRL_SIGN;
result = get_code_sign_status();
if (result) {
result =
gnutls_x509_crt_set_key_purpose_oid
(crt, GNUTLS_KP_CODE_SIGNING, 0);
if (result < 0) {
fprintf(stderr, "key_kp: %s\n",
gnutls_strerror(result));
exit(1);
}
}
crt_constraints_set(crt);
result = get_time_stamp_status();
if (result) {
result =
gnutls_x509_crt_set_key_purpose_oid
(crt, GNUTLS_KP_TIME_STAMPING, 0);
if (result < 0) {
fprintf(stderr, "key_kp: %s\n",
gnutls_strerror(result));
exit(1);
}
}
}
get_ocsp_issuer_set(crt);
get_ca_issuers_set(crt);
......@@ -2051,6 +2052,50 @@ void generate_request(common_info_st * cinfo)
usage |= GNUTLS_KEY_DIGITAL_SIGNATURE;
}
ret = get_code_sign_status();
if (ret) {
ret = gnutls_x509_crq_set_key_purpose_oid
(crq, GNUTLS_KP_CODE_SIGNING, 0);
if (ret < 0) {
fprintf(stderr, "key_kp: %s\n",
gnutls_strerror(ret));
exit(1);
}
}
ret = get_time_stamp_status();
if (ret) {
ret = gnutls_x509_crq_set_key_purpose_oid
(crq, GNUTLS_KP_TIME_STAMPING, 0);
if (ret < 0) {
fprintf(stderr, "key_kp: %s\n",
gnutls_strerror(ret));
exit(1);
}
}
ret = get_ipsec_ike_status();
if (ret) {
ret = gnutls_x509_crq_set_key_purpose_oid
(crq, GNUTLS_KP_IPSEC_IKE, 0);
if (ret < 0) {
fprintf(stderr, "key_kp: %s\n",
gnutls_strerror(ret));
exit(1);
}
}
ret = get_ocsp_sign_status();
if (ret) {
ret = gnutls_x509_crq_set_key_purpose_oid
(crq, GNUTLS_KP_OCSP_SIGNING, 0);
if (ret < 0) {
fprintf(stderr, "key_kp: %s\n",
gnutls_strerror(ret));
exit(1);
}
}
if (ca_status) {
ret = get_cert_sign_status();
if (ret)
......@@ -2060,49 +2105,7 @@ void generate_request(common_info_st * cinfo)
if (ret)
usage |= GNUTLS_KEY_CRL_SIGN;
ret = get_code_sign_status();
if (ret) {
ret = gnutls_x509_crq_set_key_purpose_oid
(crq, GNUTLS_KP_CODE_SIGNING, 0);
if (ret < 0) {
fprintf(stderr, "key_kp: %s\n",
gnutls_strerror(ret));
exit(1);
}
}
ret = get_ocsp_sign_status();
if (ret) {
ret = gnutls_x509_crq_set_key_purpose_oid
(crq, GNUTLS_KP_OCSP_SIGNING, 0);
if (ret < 0) {
fprintf(stderr, "key_kp: %s\n",
gnutls_strerror(ret));
exit(1);
}
}
ret = get_time_stamp_status();
if (ret) {
ret = gnutls_x509_crq_set_key_purpose_oid
(crq, GNUTLS_KP_TIME_STAMPING, 0);
if (ret < 0) {
fprintf(stderr, "key_kp: %s\n",
gnutls_strerror(ret));
exit(1);
}
}
ret = get_ipsec_ike_status();
if (ret) {
ret = gnutls_x509_crq_set_key_purpose_oid
(crq, GNUTLS_KP_IPSEC_IKE, 0);
if (ret < 0) {
fprintf(stderr, "key_kp: %s\n",
gnutls_strerror(ret));
exit(1);
}
}
}
ret = gnutls_x509_crq_set_key_usage(crq, usage);
......@@ -2912,9 +2915,16 @@ void verify_pkcs7(common_info_st * cinfo, const char *purpose, unsigned display_
if (HAVE_OPT(VERIFY_ALLOW_BROKEN))
flags |= GNUTLS_VERIFY_ALLOW_BROKEN;
if (signer)
if (signer) {
ret = gnutls_pkcs7_verify_direct(pkcs7, signer, i, detached.data!=NULL?&detached:NULL, flags);
else
if (ret >= 0 && purpose) {
unsigned res = gnutls_x509_crt_check_key_purpose(signer, purpose, 0);
if (res == 0)
ret = GNUTLS_E_CONSTRAINT_ERROR;
}
} else
ret = gnutls_pkcs7_verify(pkcs7, tl, vdata, vdata_size, i, detached.data!=NULL?&detached:NULL, flags);
if (ret < 0) {
fprintf(stderr, "\tSignature status: verification failed: %s\n", gnutls_strerror(ret));
......
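Review bot: In verify_pkcs7 the `if (signer)` arm is now braced while the `} else` arm still carries an unbraced statement; bracing both arms avoids the dangling-statement hazard in a block that has just grown. The purpose check passes `0` as flags to gnutls_x509_crt_check_key_purpose, which per that function's documentation lets a signer marked for any purpose (GNUTLS_KP_ANY) satisfy every --verify-purpose; if that is intended, record it with `/* flags 0: a certificate marked GNUTLS_KP_ANY satisfies any purpose */`, otherwise pass GNUTLS_KP_FLAG_DISALLOW_ANY. The four near-identical gnutls_x509_crq_set_key_purpose_oid blocks added to generate_request, and the two gnutls_x509_crt_set_key_purpose_oid blocks moved in generate_certificate, would read better as a loop over a small table of (status getter, OID) pairs. verify_pkcs7 begins and ends outside the hunk.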
......@@ -873,6 +873,7 @@ gnutls_x509_crt_check_email@GNUTLS_3_4
gnutls_x509_crt_check_hostname2@GNUTLS_3_4
gnutls_x509_crt_check_hostname@GNUTLS_3_4
gnutls_x509_crt_check_issuer@GNUTLS_3_4
gnutls_x509_crt_check_key_purpose@GNUTLS_3_4
gnutls_x509_crt_check_revocation@GNUTLS_3_4
gnutls_x509_crt_cpy_crl_dist_points@GNUTLS_3_4
gnutls_x509_crt_deinit@GNUTLS_3_4
......
......@@ -58,12 +58,14 @@ EXTRA_DIST = data/ca-no-pathlen.pem data/no-ca-or-pathlen.pem data/aki-cert.pem
data/ca-secret.gpg data/srv-public.gpg data/srv-public-127.0.0.1-signed.gpg \
data/srv-public-localhost-signed.gpg data/selfsigs/alice-mallory-badsig18.pub \
data/selfsigs/alice-mallory-irrelevantsig.pub data/selfsigs/alice-mallory-nosig18.pub \
data/selfsigs/alice.pub data/key-utf8-1.p12 data/key-utf8-2.p12
data/selfsigs/alice.pub data/key-utf8-1.p12 data/key-utf8-2.p12 \
data/code-signing-ca.pem data/code-signing-cert.pem
dist_check_SCRIPTS = pathlen aki certtool invalid-sig email \
pkcs7 pkcs7-broken-sigs privkey-import name-constraints certtool-long-cn crl provable-privkey \
provable-dh userid sha2-test sha2-dsa-test provable-privkey-dsa2048 \
provable-privkey-rsa2048 provable-privkey-gen-default
provable-privkey-rsa2048 provable-privkey-gen-default pkcs7-constraints \
pkcs7-constraints2
if WANT_TEST_SUITE
dist_check_SCRIPTS += provable-dh-default
......
-----BEGIN CERTIFICATE-----
MIID4jCCAkqgAwIBAgIBADANBgkqhkiG9w0BAQsFADAPMQ0wCwYDVQQDEwRDQS0w
MCAXDTEwMDIyNzE1MjE0MloYDzk5OTkxMjMxMjM1OTU5WjAPMQ0wCwYDVQQDEwRD
QS0wMIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEA0QHh//JKi30BDok3
1lzQFhXhthwyc5aG/O6jW3LfxYD0I6Ubmyryuo+Hss0RSZruSbxrYIMTFTIYtd56
d4/2CFT7OYsIjaf5vb7oMfITT1epnYnKxuBekfIAHjRlxXf5hddDQ9vsLmkr7wlT
zVyVX7fUYz1WuEiSVNHui+69idEZHAuwuz0P+kRoHJA8O2D8S71w01V0969yerOo
Rqq2za9HCWcGrKHSAwY8ce01YsFJj6ozVfrt3khXrLpNosd72oEupC+p4zGABdT9
6GaMh47yX5jkCeh/ZTz8Ek3S6t5ryRi5UoyrD/bg5VHaW5SF3AUzgUKs9biV/K6R
OdqO7nk3xf37IQUHG3WZyUYpZ9LZLJZaBu4Tftzn71kYQ0JTBK06QLp43eArSSeo
IDyR6V7+rsaq23c0l2AFeGzSwCxUpcga4o5FrKLSEcEcgDJ8sxXr8KTjBKVg8k/O
M4T3xpAp0ZKR4sGJMB7sw8mmXkpICc2ZN+GrueP+xcJojNxJAgMBAAGjRzBFMA8G
A1UdEwEB/wQFMAMBAf8wEwYDVR0lBAwwCgYIKwYBBQUHAwMwHQYDVR0OBBYEFB8W
FXxAZlq94LBofKwIfsW3krrlMA0GCSqGSIb3DQEBCwUAA4IBgQBPG/pba5oHECfJ
1Z4q5FSO8AYG+v/KaaP0XSdsQOpxRW0/yYvWdGfGSd8NcFNYwBxDRPF6758cE72E
uSPF5EDH1rZDHsxQhUl5lwmBcP69hlLCeMzsWHsJmobqpv9hIbi+zb37CGQrOXwq
+0qc3tqQjw7979j1SfifLF/eo5DxWiJFgL7t2IjvJsIUTi5MdYVeiLn0WzVGvQ4h
yYlvBF/yg1YOvxHunbapL3hCImnzhCFQ/qFe0w+VjgkK9Fuz18lyYfxBoqziyMhR
9aBAjsHoAqZtnSLLFHYl4wh6dHjxAUr5r1GwO4cQGK7+dP1m8cVQoQfCPeQLE8GZ
aZwk/of7ywtjSEMJNMKP3NmKkGzoD48iIhtMbfZ+bXG4JWM8VD9bEw0JSf/ymCGV
Q+S+SiTqWSzb6Eq/rTkHa5IT1pFLySIZcsgjkw82VXSe4PEzlaFKTYePG1NU1Y3n
nrJ60/+PwcCFh7oVcZ0MTfuZmZxnhdID0cvxFd0VAo22Hxofbnw=
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----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-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----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-----END RSA PRIVATE KEY-----
......@@ -26,8 +26,12 @@ DIFF="${DIFF:-diff -b -B}"
if ! test -z "${VALGRIND}"; then
VALGRIND="${LIBTOOL:-libtool} --mode=execute ${VALGRIND} --error-exitcode=15"
fi
OUTFILE=out-pkcs7.tmp
OUTFILE2=out2-pkcs7.tmp
OUTFILE=out-pkcs7.$$.tmp
OUTFILE2=out2-pkcs7.$$.tmp
. ${srcdir}/../scripts/common.sh
check_for_datefudge
for FILE in single-ca.p7b full.p7b; do
${VALGRIND} "${CERTTOOL}" --inder --p7-info --infile "${srcdir}/data/${FILE}"|grep -v "Signing time" >"${OUTFILE}"
......@@ -49,6 +53,36 @@ done
# check signatures
for FILE in full.p7b; do
# check validation with date prior to CA issuance
datefudge -s "2011-1-10" \
${VALGRIND} "${CERTTOOL}" --inder --p7-verify --load-ca-certificate "${srcdir}/../../doc/credentials/x509/ca.pem" --infile "${srcdir}/data/${FILE}" >"${OUTFILE}"
rc=$?
if test "${rc}" = "0"; then
echo "${FILE}: PKCS7 verification succeeded with invalid date (1)"
exit 1
fi
# check validation with date prior to intermediate cert issuance
datefudge -s "2011-5-28 08:38:00 UTC" \
${VALGRIND} "${CERTTOOL}" --inder --p7-verify --load-ca-certificate "${srcdir}/../../doc/credentials/x509/ca.pem" --infile "${srcdir}/data/${FILE}" >"${OUTFILE}"
rc=$?
if test "${rc}" = "0"; then
echo "${FILE}: PKCS7 verification succeeded with invalid date (2)"
exit 1
fi
# check validation with date after intermediate cert issuance
datefudge -s "2038-10-12" \
${VALGRIND} "${CERTTOOL}" --inder --p7-verify --load-ca-certificate "${srcdir}/../../doc/credentials/x509/ca.pem" --infile "${srcdir}/data/${FILE}" >"${OUTFILE}"
rc=$?
if test "${rc}" = "0"; then
echo "${FILE}: PKCS7 verification succeeded with invalid date (3)"
exit 1
fi
${VALGRIND} "${CERTTOOL}" --inder --p7-verify --load-ca-certificate "${srcdir}/../../doc/credentials/x509/ca.pem" --infile "${srcdir}/data/${FILE}" >"${OUTFILE}"
rc=$?
......
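Review bot: The comment above the third datefudge run says `# check validation with date after intermediate cert issuance`, but 2038-10-12 is presumably chosen to lie past the certificate's validity, so it should read `# check validation with date after certificate expiration` (the exact bound is not visible here). The three negative runs accept any non-zero exit code, so an unrelated failure such as an unreadable CA file would make them pass; checking that certtool's stderr contains the expected expired/not-yet-activated status would tie each run to the check it exercises, and the same applies to the negative runs in the new pkcs7-constraints and pkcs7-constraints2 scripts. A date in late 2038 is not representable in a 32-bit time_t, so on such platforms datefudge may not be able to set it and the run would fail for a different reason than intended. The `for FILE in full.p7b` loop continues outside the hunk.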
#!/bin/sh
# Copyright (C) 2016 Red Hat, Inc.
#
# This file is part of GnuTLS.
#
# GnuTLS is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by the
# Free Software Foundation; either version 3 of the License, or (at
# your option) any later version.
#
# GnuTLS is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
# General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with GnuTLS; if not, write to the Free Software Foundation,
# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
#set -e
srcdir="${srcdir:-.}"
CERTTOOL="${CERTTOOL:-../../src/certtool${EXEEXT}}"
DIFF="${DIFF:-diff -b -B}"
if ! test -z "${VALGRIND}"; then
VALGRIND="${LIBTOOL:-libtool} --mode=execute ${VALGRIND} --error-exitcode=15"
fi
OUTFILE=out-pkcs7.$$.tmp
. ${srcdir}/../scripts/common.sh
check_for_datefudge
FILE="signing"
echo "test: $FILE"
${VALGRIND} "${CERTTOOL}" --p7-sign --p7-include-cert --load-privkey "${srcdir}/data/code-signing-cert.pem" --load-certificate "${srcdir}/data/code-signing-cert.pem" --infile "${srcdir}/data/pkcs7-detached.txt" >"${OUTFILE}"
rc=$?
if test "${rc}" != "0"; then
echo "${FILE}: PKCS7 struct signing failed"
exit ${rc}
fi
FILE="signing-verify-no-purpose"
echo ""
echo "test: $FILE"
datefudge -s "2015-1-10" \
${VALGRIND} "${CERTTOOL}" --p7-verify --load-ca-certificate "${srcdir}/data/code-signing-ca.pem" <"${OUTFILE}"
rc=$?
if test "${rc}" != "0"; then
echo "${FILE}: PKCS7 struct signing failed verification (0)"
exit ${rc}
fi
FILE="signing-verify-valid-purpose"
echo ""
echo "test: $FILE"
datefudge -s "2015-1-10" \
${VALGRIND} "${CERTTOOL}" --verify-purpose 1.3.6.1.5.5.7.3.3 --p7-verify --load-ca-certificate "${srcdir}/data/code-signing-ca.pem" <"${OUTFILE}"
rc=$?
if test "${rc}" != "0"; then
echo "${FILE}: PKCS7 struct signing failed verification (1)"
exit ${rc}
fi
FILE="signing-verify-invalid-purpose"
echo ""
echo "test: $FILE"
datefudge -s "2015-1-10" \
${VALGRIND} "${CERTTOOL}" --verify-purpose 1.3.6.1.5.5.7.3.1 --p7-verify --load-ca-certificate "${srcdir}/data/code-signing-ca.pem" <"${OUTFILE}"
rc=$?
if test "${rc}" = "0"; then
echo "${FILE}: PKCS7 struct signing failed verification (2)"
exit 1
fi
FILE="signing-verify-invalid-date-1"
echo ""
echo "test: $FILE"
datefudge -s "2011-1-10" \
${VALGRIND} "${CERTTOOL}" --verify-purpose 1.3.6.1.5.5.7.3.3 --p7-verify --load-ca-certificate "${srcdir}/data/code-signing-ca.pem" <"${OUTFILE}"
rc=$?
if test "${rc}" = "0"; then
echo "${FILE}: PKCS7 struct signing failed verification (3)"
exit 1
fi
FILE="signing-verify-invalid-date-2"
echo ""
echo "test: $FILE"
datefudge -s "2018-1-10" \
${VALGRIND} "${CERTTOOL}" --verify-purpose 1.3.6.1.5.5.7.3.3 --p7-verify --load-ca-certificate "${srcdir}/data/code-signing-ca.pem" <"${OUTFILE}"
rc=$?
if test "${rc}" = "0"; then
echo "${FILE}: PKCS7 struct signing failed verification (4)"
exit 1
fi
rm -f "${OUTFILE}"
exit 0
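Review bot: The failure messages of the three negative tests (`signing-verify-invalid-purpose`, `signing-verify-invalid-date-1`, `signing-verify-invalid-date-2`) say `PKCS7 struct signing failed verification`, but those branches are taken when verification unexpectedly succeeded, so the log states the opposite of what happened; e.g. `echo "${FILE}: PKCS7 verification succeeded with wrong purpose"` and `echo "${FILE}: PKCS7 verification succeeded with invalid date"`. Every `exit` on a failing branch leaves ${OUTFILE} behind in the working directory because `rm -f "${OUTFILE}"` only runs at the end; a `trap 'rm -f "${OUTFILE}"' EXIT` placed right after OUTFILE is set would cover all paths. `set -e` is commented out, which is acceptable given the explicit rc checks, but the `DIFF` variable is defined and never used. pkcs7-constraints2 is the same script with `--load-certificate` in place of `--load-ca-certificate` and carries the same three messages.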
#!/bin/sh
# Copyright (C) 2016 Red Hat, Inc.
#
# This file is part of GnuTLS.
#
# GnuTLS is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by the
# Free Software Foundation; either version 3 of the License, or (at
# your option) any later version.
#
# GnuTLS is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
# General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with GnuTLS; if not, write to the Free Software Foundation,
# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
#set -e
srcdir="${srcdir:-.}"
CERTTOOL="${CERTTOOL:-../../src/certtool${EXEEXT}}"
DIFF="${DIFF:-diff -b -B}"
if ! test -z "${VALGRIND}"; then
VALGRIND="${LIBTOOL:-libtool} --mode=execute ${VALGRIND} --error-exitcode=15"
fi
OUTFILE=out-pkcs7.$$.tmp
. ${srcdir}/../scripts/common.sh
check_for_datefudge
FILE="signing"
echo "test: $FILE"
${VALGRIND} "${CERTTOOL}" --p7-sign --p7-include-cert --load-privkey "${srcdir}/data/code-signing-cert.pem" --load-certificate "${srcdir}/data/code-signing-cert.pem" --infile "${srcdir}/data/pkcs7-detached.txt" >"${OUTFILE}"
rc=$?
if test "${rc}" != "0"; then
echo "${FILE}: PKCS7 struct signing failed"
exit ${rc}
fi
FILE="signing-verify-no-purpose"
echo ""
echo "test: $FILE"
datefudge -s "2015-1-10" \
${VALGRIND} "${CERTTOOL}" --p7-verify --load-certificate "${srcdir}/data/code-signing-cert.pem" <"${OUTFILE}"
rc=$?
if test "${rc}" != "0"; then
echo "${FILE}: PKCS7 struct signing failed verification (0)"
exit ${rc}
fi
FILE="signing-verify-valid-purpose"
echo ""
echo "test: $FILE"
datefudge -s "2015-1-10" \
${VALGRIND} "${CERTTOOL}" --verify-purpose 1.3.6.1.5.5.7.3.3 --p7-verify --load-certificate "${srcdir}/data/code-signing-cert.pem" <"${OUTFILE}"
rc=$?
if test "${rc}" != "0"; then
echo "${FILE}: PKCS7 struct signing failed verification (1)"
exit ${rc}
fi
FILE="signing-verify-invalid-purpose"
echo ""
echo "test: $FILE"
datefudge -s "2015-1-10" \
${VALGRIND} "${CERTTOOL}" --verify-purpose 1.3.6.1.5.5.7.3.1 --p7-verify --load-certificate "${srcdir}/data/code-signing-cert.pem" <"${OUTFILE}"
rc=$?
if test "${rc}" = "0"; then
echo "${FILE}: PKCS7 struct signing failed verification (2)"
exit 1
fi
FILE="signing-verify-invalid-date-1"
echo ""
echo "test: $FILE"
datefudge -s "2011-1-10" \
${VALGRIND} "${CERTTOOL}" --verify-purpose 1.3.6.1.5.5.7.3.3 --p7-verify --load-certificate "${srcdir}/data/code-signing-cert.pem" <"${OUTFILE}"
rc=$?
if test "${rc}" = "0"; then
echo "${FILE}: PKCS7 struct signing failed verification (3)"
exit 1
fi
FILE="signing-verify-invalid-date-2"
echo ""
echo "test: $FILE"
datefudge -s "2018-1-10" \
${VALGRIND} "${CERTTOOL}" --verify-purpose 1.3.6.1.5.5.7.3.3 --p7-verify --load-certificate "${srcdir}/data/code-signing-cert.pem" <"${OUTFILE}"
rc=$?
if test "${rc}" = "0"; then
echo "${FILE}: PKCS7 struct signing failed verification (4)"
exit 1
fi
rm -f "${OUTFILE}"
exit 0
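Review bot: This script repeats pkcs7-constraints line for line except that each verify invocation uses `--load-certificate` instead of `--load-ca-certificate`; a single script that loops over the two verification options (e.g. `for OPT in --load-ca-certificate --load-certificate; do ... done`) would keep the two variants from drifting apart. As in the copy, the messages on the `signing-verify-invalid-*` branches say the signing "failed verification" although they run when verification succeeded, and no `trap` cleans up ${OUTFILE} on the early exits.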
......@@ -68,6 +68,16 @@ static char pem1_key[] =
const gnutls_datum_t cert = {(void *) pem1_cert, sizeof(pem1_cert)-1};
const gnutls_datum_t key = {(void *) pem1_key, sizeof(pem1_key)-1};
static time_t mytime(time_t * t)
{
time_t then = 1199142000;
if (t)
*t = then;
return then;
}
static void tls_log_func(int level, const char *str)
{
fprintf(stderr, "%s |<%d>| %s", "err", level, str);
......@@ -89,6 +99,7 @@ void doit(void)
char *oid;
gnutls_datum_t data;
gnutls_global_set_time_function(mytime);
gnutls_global_set_log_function(tls_log_func);
if (debug)
gnutls_global_set_log_level(6);
......
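Review bot: mytime pins the clock to the bare constant 1199142000 without saying why or what date it is; since gnutls_x509_crt_verify_data2() now checks the signer's expiration and activation, the test presumably needs a time inside the embedded certificate's validity period, and a comment above the function should say so, e.g. `/* Fixed clock (around the start of 2008 UTC) so the signer's validity checks added in 3.5.6 pass regardless of the real date — confirm against the test certificate. */`. The `if (t) *t = then;` guard is worth keeping as is, since gnutls_time() is called with a NULL argument elsewhere in this commit.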
......@@ -28,12 +28,26 @@ if ! test -z "${VALGRIND}"; then
fi
OUTFILE=out-pkcs7.$$.tmp
. ${srcdir}/../scripts/common.sh
check_for_datefudge
#try verification
datefudge -s "2010-10-10" \
${VALGRIND} "${CERTTOOL}" --inder --p7-verify --infile "${srcdir}/data/test1.cat" --load-certificate "${srcdir}/data/ca.pem"
rc=$?
if test "${rc}" = "0"; then
echo "PKCS7 verification succeeded with invalid date"
exit 1
fi
datefudge -s "2016-10-10" \
${VALGRIND} "${CERTTOOL}" --inder --p7-verify --infile "${srcdir}/data/test1.cat" --load-certificate "${srcdir}/data/ca.pem"
rc=$?
if test "${rc}" != "0"; then
echo "${FILE}: PKCS7 verification failed"
echo "PKCS7 verification failed"
exit ${rc}
fi
......