Diffstat (limited to 'openssl')
-rw-r--r-- | openssl/tests/Makefile | 30 | ||||
-rw-r--r-- | openssl/tests/resource-set-test.c | 148 | ||||
-rw-r--r-- | openssl/tests/test.conf | 41 |
3 files changed, 219 insertions, 0 deletions
diff --git a/openssl/tests/Makefile b/openssl/tests/Makefile
new file mode 100644
index 00000000..f7b803eb
--- /dev/null
+++ b/openssl/tests/Makefile
@@ -0,0 +1,30 @@
+# $Id$
+
+OPENSSL_DIR = ../../openssl/openssl
+
+CFLAGS = -g -I${OPENSSL_DIR}/include
+
+# -H -Wl,-t
+
+BIN = resource-set-test
+OBJ = resource-set-test.o
+LIB = ${OPENSSL_DIR}/libcrypto.a
+
+all: ${BIN}
+
+clean:
+ rm -f ${BIN} ${OBJ}
+
+${BIN}: ${OBJ} ${LIB} Makefile
+ ${CC} -g -o $@ ${OBJ} ${LIB}
+
+# This test needs more work
+
+test: ${BIN} test.cer
+ ./${BIN} -v -a AS:17 -i IPv4:10.0.0.44 -d test.cer
+
+test.cer: test.conf
+ ${OPENSSL_DIR}/apps/openssl req -new -x509 -config test.conf -keyout test.key -out test.cer -outform DER
+
+immaculate: clean
+ rm -f test.key test.cer
diff --git a/openssl/tests/resource-set-test.c b/openssl/tests/resource-set-test.c
new file mode 100644
index 00000000..a14d7a72
--- /dev/null
+++ b/openssl/tests/resource-set-test.c
@@ -0,0 +1,148 @@
+/* $Id$ */
+
+#include <stdio.h>
+#include <unistd.h>
+#include <openssl/bio.h>
+#include <openssl/pem.h>
+#include <openssl/err.h>
+#include <openssl/x509.h>
+#include <openssl/x509v3.h>
+#include <openssl/safestack.h>
+
+static X509 *read_cert(const char *filename, int format, int verbose)
+{
+ X509 *x = NULL;
+ BIO *b;
+
+ if ((b = BIO_new_file(filename, "r")) == NULL)
+ goto done;
+
+ switch (format) {
+ case 'p':
+ x = PEM_read_bio_X509_AUX(b, NULL, NULL, NULL);
+ break;
+ case 'd':
+ x = d2i_X509_bio(b, NULL);
+ break;
+ }
+
+ if (verbose && x != NULL) {
+ X509_print_fp(stdout, x);
+ printf("\n");
+ }
+
+#if 0
+
+ if (x->rfc3779_addr == NULL)
+ x->rfc3779_addr = X509_get_ext_d2i(x, NID_sbgp_ipAddrBlock,
+ NULL, NULL);
+
+ if (x->rfc3779_asid == NULL)
+ x->rfc3779_asid = X509_get_ext_d2i(x, NID_sbgp_autonomousSysNum,
+ NULL, NULL);
+
+#else
+
+ /*
+ * We run this for the side-effect of calling x509v3_cache_extensions()
+ */
+ X509_check_ca(x);
+
+#endif
+
+ done:
+ BIO_free(b);
+ return x;
+}
+
+static void *parse_resource_set(int nid, char *text, int verbose)
+{
+ X509_EXTENSION *ext;
+ void *result;
+
+ if ((ext = X509V3_EXT_conf_nid(NULL, NULL, nid, text)) == NULL)
+ return NULL;
+
+ if (verbose) {
+ printf("Parsed resource set:\n");
+ X509V3_EXT_print_fp(stdout, ext, 0, 3);
+ printf("\n");
+ }
+
+ result = X509V3_EXT_d2i(ext);
+ X509_EXTENSION_free(ext);
+ return result;
+}
+
+#define lose(_msg_) \
+ do { \
+ if (_msg_) \
+ fprintf(stderr, "%s: %s\n", argv[0], _msg_); \
+ ret = 1; \
+ goto done; \
+ } while(0)
+
+int main(int argc, char *argv[])
+{
+ STACK_OF(X509) *chain = NULL;
+ ASIdentifiers *asid = NULL;
+ IPAddrBlocks *addr = NULL;
+ int c, ret = 0, verbose = 0;
+ X509 *x;
+
+ OpenSSL_add_all_algorithms();
+ ERR_load_crypto_strings();
+
+ if ((chain = sk_X509_new_null()) == NULL)
+ lose("Couldn't allocate X509 stack");
+
+ while ((c = getopt(argc, argv, "p:d:a:i:v")) > 0) {
+ switch (c) {
+ case 'v':
+ verbose = 1;
+ break;
+ case 'p':
+ case 'd':
+ if ((x = read_cert(optarg, c, verbose)) == NULL)
+ lose("Couldn't read certificate");
+ sk_X509_push(chain, x);
+ break;
+ case 'a':
+ if (asid != NULL)
+ lose("Can't specify more than one ASIdentifier");
+ if ((asid = parse_resource_set(NID_sbgp_autonomousSysNum, optarg, verbose)) == NULL)
+ lose("Couldn't read ASIdentifier");
+ break;
+ case 'i':
+ if (addr != NULL)
+ lose("Can't specify more than one IPAddrBlock");
+ if ((addr = parse_resource_set(NID_sbgp_ipAddrBlock, optarg, verbose)) == NULL)
+ lose("Couldn't read IPAddrBlock");
+ break;
+ default:
+ fprintf(stderr, "usage: %s"
+ " [-i IPAddrBlock] [-a ASIdentifier]"
+ " [-p PEM-certfile] [-d DER-certfile]\n", argv[0]);
+ ret = 1;
+ goto done;
+ }
+ }
+
+ printf("Checking ASIdentifier coverage...");
+ if (v3_asid_validate_resource_set(chain, asid, 0))
+ printf("covered\n");
+ else
+ printf("NOT covered\n");
+
+ printf("Checking IPAddrBlock coverage...");
+ if (v3_addr_validate_resource_set(chain, addr, 0))
+ printf("covered\n");
+ else
+ printf("NOT covered\n");
+
+ done:
+ sk_X509_pop_free(chain, X509_free);
+ EVP_cleanup();
+ ERR_free_strings();
+ return ret;
+}
diff --git a/openssl/tests/test.conf b/openssl/tests/test.conf
new file mode 100644
index 00000000..161eb5be
--- /dev/null
+++ b/openssl/tests/test.conf
@@ -0,0 +1,41 @@
+# $Id$
+
+[ req ]
+default_bits = 1024
+encrypt_key = no
+distinguished_name = req_dn
+x509_extensions = req_x509_ext
+prompt = no
+
+[ req_dn ]
+C = US
+ST = MA
+L = Reading
+O = Grunchweather Associates
+OU = Software Engineering
+CN = RFC3779 test cert
+emailAddress = sra@hactrn.net
+
+[ req_x509_ext ]
+
+sbgp-autonomousSysNum = @asid_ext
+sbgp-ipAddrBlock = @addr_ext
+
+[ asid_ext ]
+
+AS.0 = 1
+AS.1 = 3-22
+AS.2 = 2
+RDI.0 = inherit
+
+[ addr_ext ]
+
+IPv4-SAFI.0 = 1 : 10.0.0.6 /24
+IPv4.0 = 10.0.0.44
+IPv4.1 = 10.3.0.44
+IPv4.2 = 10.0.0.45
+IPv4.3 = 10.2.0.5
+IPv4.4 = 10.2.0.6- 10.3.0.0
+IPv6.0 = 2002::
+IPv6.1 = 2002::1 - 2002::14
+IPv6.2 = 2003::/33
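Review bot: In read_cert, `X509_check_ca(x)` in the `#else` branch runs even when x is still NULL, which happens whenever the PEM/DER parse fails or an unexpected format value falls through the switch (which has no default), so a malformed or missing certificate file crashes the program inside read_cert before main can report "Couldn't read certificate"; guard it as `if (x != NULL) X509_check_ca(x);` and add `default: break;` to the format switch. In main, the `sk_X509_push(chain, x)` return value is ignored, so an allocation failure silently drops the certificate and leaks x; check it and `lose("Couldn't push certificate onto chain")`. The asid and addr objects obtained from parse_resource_set are never freed on the `done:` path, which is a leak in a test harness rather than a correctness problem, but `ASIdentifiers_free(asid); IPAddrBlocks_free(addr);` before the cleanup calls would make the tool clean under a leak checker. It is not visible here what `v3_asid_validate_resource_set`/`v3_addr_validate_resource_set` do with an empty chain when `-a`/`-i` are passed without any `-p`/`-d`, so that case likely deserves an explicit "no certificates given" error before the coverage checks — worth confirming against the validator implementation.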