Open Bug 476979 Opened 16 years ago Updated 2 years ago

Add cert chain tests that will do cert validation for different ku/eku

Categories

(NSS :: Tools, enhancement, P2)

Product:
NSS
Component:
Tools
Type:
enhancement

Tracking

(Not tracked)

Status:
REOPENED
Milestone:
3.16.1

People

(Reporter: alvolkov.bgs, Unassigned)

Details

Attachments

(8 files, 3 obsolete files)

chains.sh patch v2 - add possibility to test legacy code with some chains tests.
3.29 KB, patch
slavomir.katuscak+mozilla
: review+
Details | Diff | Splinter Review
certutil patch v2 - address review comments of patch v1
25.13 KB, patch
nelson
: review+
Details | Diff | Splinter Review
secport.h - change PORT_Atoi to use strtol
551 bytes, patch
nelson
: review+
Details | Diff | Splinter Review
v2 certext.c patch to fix atoi error handling
4.47 KB, patch
nelson
: review+
Details | Diff | Splinter Review
Patch for chains.sh to support ku/eku/ns. (checked in)
5.85 KB, patch
alvolkov.bgs
: review+
Details | Diff | Splinter Review
Cert usages matrix.
339.40 KB, application/octet-stream
Details
Script to run the tests.
9.73 KB, text/plain
Details
Fix typo in data for nc cert type extension(committed).
642 bytes, patch
nelson
: review+
Details | Diff | Splinter Review
Need to have tests that check that old and libpkix validation code paths return same statuses. One of the things that need to test is cert chain validation for different cert usages. I suggest we add tests that will check a variety cert usages to our cert chain tests. To simplify the task, I've modify certutil to be able to accept values for key usage and extended key usage extension through the command line. Next step will be to change chains.sh script to use the feature.
Attachment #360641 - Flags: review?(nelson)
Attachment #360642 - Flags: review? → review?(slavomir.katuscak)
Comment on attachment 360642 [details] [diff] [review] certchain.sh patch v1 - add ability to generate and test certs for different usages Slavo, the patch adds feature to control ku/eku when cert get created. Also it adds a set of misc options to vfychain. misc options will be use to pass "-u 1" to the vfychain. Please review.
Attachment #360646 - Flags: review? → review?(slavomir.katuscak)
Comment on attachment 360646 [details] [diff] [review] chains.sh patch v2 - add possibility to test legacy code with some chains tests. Should be OK, just use "legacy" instead of "lagacy".
Attachment #360646 - Flags: review?(slavomir.katuscak) → review+
Attachment #360642 - Attachment is obsolete: true
Attachment #360642 - Flags: review?(slavomir.katuscak)
Comment on attachment 360641 [details] [diff] [review] certutil patch v1 - accept ku/eku extension values through command line I have not finished the review of this patch, but I have some initial findings. This patch has a lot of lines that are longer than 80 characters. It also creates lines in the output of the usage message that are longer than 80 characters. Here are examples of lines that are both (I have truncated these). >+ "\t\t [-f pwfile] [-d certdir] [-P dbprefix] [-1 | --keyUsage [keyUsageK >+ "\t\t [-2] [-3] [-4] [-5] [-6 | --extKeyUsage [extKeyUsageKeyword,...]]\ It helps a lot to break the strings at the \n characters. It also helps to adjust the spacing of the source lines, so that the end of the \t\t or %-20s comes at the offset in the source line where the output will appear when displayed. Then you can judge whether the output will be too long by whether the source is too long. E.g. instead of >+ "\t\t [-f pwfile] [-d certdir] [-P dbprefix] [-1 | --keyUsage [keyUsageK >+ "\t\t [-2] [-3] [-4] [-5] [-6 | --extKeyUsage [extKeyUsageKeyword,...]]\ have V--16 Spaces---V >+ "\t\t [-f pwfile] [-d certdir] [-P dbprefix] [-1 | --keyUsage ... >+ "\t\t [-2] [-3] [-4] [-5] [-6 | --extKeyUsage ... and instead of >+ FPS "%-20s \n%-20s Create key usage extension. Possible keywords: \ >+\"digitalSignature\"\n%-20s \"nonRepudiation\", \"keyEncipherment\", \ >+\"dataEncipherment\", \"keyAgreement\"\n%-20s \"certSigning\", \"crlSigning\", \"critical\"\n", have this: V---- 20 spaces ---v >+ FPS "%-20s \n" >+ "%-20s Create key usage extension. Possible keywords:\n" >+ "%-20s \"digitalSignature\", \"nonRepudiation\",\n" >+ "%-20s \"keyEncipherment\", \"dataEncipherment\",\n" >+ "%-20s \"keyAgreement\", \"certSigning\", \"crlSigning\",\n" >+ "%-20s \"critical\"\n", and instead of This really LOOOONG source line: >+ FPS "%-20s \n%-20s Create extended key usage extension. Possible keywords: \"serverAuth\",\n%-20s \"clientAuth\",\"codeSigning\",\"emailProtection\",\"timeStamp\",\"ocspResponder\",\n%-20s \"stepUp\", \"critical\"\n", have V---- 20 spaces ---v >+ FPS "%-20s \n" >+ "%-20s Create extended key usage extension. Possible keywords:\n" >+ "%-20s \"serverAuth\", \"clientAuth\", \"codeSigning\",\n" >+ "%-20s \"emailProtection\", \"timeStamp\", \"ocspResponder\",\n" >+ "%-20s \"stepUp\", \"critical\"\n", Here are some more long lines truncated >+ certutil_extns[ext_extKeyUsage].activated = >+ certutil.options[opt_AddCmdExtKeyUsageExt].activat >+ if (!certutil_extns[ext_extKeyUsage].activated) { >+ certutil_extns[ext_extKeyUsage].activated = >+ certutil.options[opt_AddExtKeyUsageExt].activat >- certutil_extns[ext_certPolicies] = >+ certutil_extns[ext_certPolicies].activated = > certutil.options[opt_AddCertPoliciesExt].activated >- certutil_extns[ext_policyConstr] = >+ certutil_extns[ext_policyConstr].activated = > certutil.options[opt_AddPolicyConstrExt].activated
Comment on attachment 360641 [details] [diff] [review] certutil patch v1 - accept ku/eku extension values through command line Browsers make lousy source code editors. That was supposed to be: V---- 20 spaces ---v >+ FPS "%-20s \n" >+ "%-20s Create extended key usage extension. Possible keywords:\n" >+ "%-20s \"serverAuth\", \"clientAuth\", \"codeSigning\",\n" >+ "%-20s \"emailProtection\", \"timeStamp\", \"ocspResponder\",\n" >+ "%-20s \"stepUp\", \"critical\"\n",
Severity: normal → enhancement
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Priority: -- → P2
Version: unspecified → trunk
Attachment #360641 - Flags: review?(nelson) → review-
Comment on attachment 360641 [details] [diff] [review] certutil patch v1 - accept ku/eku extension values through command line In addition to my previous comments, I have these comments about the patch to certext.c. Make strings and string variables const where possible and logical. For example, >+parseNextCmdInput(char **valueArray, int *value, char **nextPos, Those should both be const char **, and perhaps valueArray should be const char * const * (saying that the characters are const, and the pointers in the array of pointers are also const). >+ while (valueArray[arrIndex]) { >+ if (... >+ arrIndex += 1; >+ } Please make that a for loop, e.g. for (arrIndex = 0; valueArray[arrIndex]; arrIndex++) { >+static char * >+keyUsageKeyWordArray[] = { "digitalSignature", mke this static const char * const ... > static SECStatus >-AddKeyUsage (void *extHandle) >+AddKeyUsage (void *extHandle, const char *userSuppliedValue) All the values are user supplied, but some are supplied on the command line, so maybe the name should say that the value comes from the command line? >+ value = PORT_Atoi (buffer); >+ if (value < 0 || value > 6) >+ break; >+ if (value == 0) { >+ /* Checking that zero value of variable 'value' >+ * corresponds to '0' input made by user */ >+ char *chPtr = strchr(buffer, '0'); >+ if (chPtr == NULL) { >+ continue; >+ } >+ } That test, to try to differentiate between an invalid input and a zero input, is the wrong test, for two reasons. The big reason is that PORT_Atoi (which is just atoi) is defined to have UNDEFINED behavior on any error. One cannot count on it to return zero on error. That is the difference between atoi(X) and strtol(). Other that that, atoi(x) is equivalent to (int)strtol(X, (char **)NULL, 10). The second reason is that the test will come to the wrong conclusion on some inputs. For example, consider the input "A0B". According to the various man pages (including windows), the right way to detect error is to set errno to zero before calling strtol, and then check errno for non-zero afterwords. >+static char* >+extKeyUsageKeyWordArray[] = { "serverAuth", should be const char * const ...
Oh, one option is to write a new PORT_Atoi function that calls strol, and so is fully equivalent to it.
PORT_Atoi could even set an NSPR error, so that the caller would not need to check errno, but could call PORT_GetError.
Attachment #360641 - Attachment is obsolete: true
Attachment #361369 - Flags: review?
Attachment #361371 - Flags: review? → review+
Comment on attachment 361371 [details] [diff] [review] secport.h - change PORT_Atoi to use strtol >-#define PORT_Atoi atoi >+#define PORT_Atoi(buff) strtol(buff, NULL, 10) Please add an explicit cast to int, e.g. (int)strtol(buff, NULL, 10) then r=nelson
Attachment #361369 - Flags: review? → review?(nelson)
Attachment #361369 - Flags: review?(nelson) → review+
Comment on attachment 361369 [details] [diff] [review] certutil patch v2 - address review comments of patch v1 r=nelson The only remaining problem I see in this code is the use of strchr to attempt to detect failures of strtol. Please submit a supplemental patch to deal with that.
It also fixes the warning in keystuff.c
Attachment #362012 - Flags: review?(nelson)
Attachment #362012 - Flags: review?(nelson) → review-
Comment on attachment 362012 [details] [diff] [review] v1 certext.c patch to fix atoi error handling The patch appears to be OK, except for this hunk, which changes the behavior in the error case. >@@ -962,14 +953,11 @@ AddCrlDistPoint(void *extHandle) > buffer, sizeof(buffer)) == SECFailure) { > GEN_BREAK(SECFailure); > } >+ errno = 0; > intValue = PORT_Atoi (buffer); >- if (intValue == 0) { >- /* Checking that zero value of variable 'value' >- * corresponds to '0' input made by user */ >- char *chPtr = strchr(buffer, '0'); >- if (chPtr == NULL) { >- intValue = -1; >- } >+ if (errno) { >+ /* can not parse user input */ >+ continue; > }
Fix the last hunk and fix a warning in keystuff.c
Attachment #362012 - Attachment is obsolete: true
Attachment #362984 - Flags: review?(nelson)
Comment on attachment 362984 [details] [diff] [review] v2 certext.c patch to fix atoi error handling r=nelson
Attachment #362984 - Flags: review?(nelson) → review+
integrated.
Status: ASSIGNED → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED
Alexei, this patch broke another test: cert.sh: #438: Certificate Key Usage Extension (11) - Looking for Digital Signature returned 0, expected is 1 - FAILED See cert.sh - cert_extensions_test() and certext.txt - TEST_11 Certificate Key Usage Extension.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Alexei just reported that Solaris's strtol does not set errno. :-( So, we need to have a platform-dependent ifdef, and continue to do it the "wrong" way for Solaris only.
Slavo, please work on adding these tests as a part of "chains" test suite.
Assignee: alexei.volkov.bugs → slavomir.katuscak
Target Milestone: 3.12.3 → 3.12.4
Attached file Cert usages matrix.
List of all combination to test - Alexei please verify if this matrix is OK, in my tests I got those tests that doesn't match expected results: SSL_SERVER/KEY ENCIPHERMENT (rsa) x SSL StepUp SSL_SERVER/KEY AGREEMENT (dh) x SSL Server SSL_SERVER/KEY AGREEMENT (dh) x SSL StepUp SSL_SERVER/DIGITAL SIGNATURE (dsa) x SSL Server SSL_SERVER/DIGITAL SIGNATURE (dsa) x SSL StepUp SSL_SERVER/DIGITAL SIGNATURE or AGREEMENT (ecc dsa/dh) x SSL Server SSL_SERVER/DIGITAL SIGNATURE or AGREEMENT (ecc dsa/dh) x SSL StepUp SSL_SERVER/KEY AGREEMENT (dh) x Email recipient EMAIL/DIGITAL SIGNATURE (dsa) x Email signer EMAIL/DIGITAL SIGNATURE (dsa) x Email recipient EMAIL/DIGITAL SIGNATURE or AGREEMENT (ecc dsa/dh) x Email signer EMAIL/DIGITAL SIGNATURE or AGREEMENT (ecc dsa/dh) x Email recipient SSL_CA/CERT SIGN x OCSP responder EMAIL_CA/CERT SIGN x OCSP responder OBJECT SIGNING CA/CERT SIGN x OCSP responder
Fix for list of failing tests: EMAIL/KEY AGREEMENT (dh) x Email recipient instead of SSL_SERVER/KEY AGREEMENT (dh) x Email recipient
Requires patch for chains.sh (attachment 384867 [details] [diff] [review]). Expected results are set by attached matrix (failing tests are marked). For now I don't use rsa/dsa/dh/ecc options, please provide the steps how to use them. I know that rsa is detault and for dsa I can use -k dsa, for ecc I can use -k ecc -q curve (which curve to use ??). I don't know what about the rest (dh ??).
Attachment #385144 - Flags: review? → review?(nelson)
Comment on attachment 385144 [details] [diff] [review] Fix typo in data for nc cert type extension(committed). r=nelson
Attachment #385144 - Flags: review?(nelson) → review+
Attachment #385144 - Attachment description: Fix typo in data for nc cert type extension. → Fix typo in data for nc cert type extension(committed).
Attachment #384867 - Flags: review?(alexei.volkov.bugs) → review+
Comment on attachment 384867 [details] [diff] [review] Patch for chains.sh to support ku/eku/ns. (checked in) Checking in chains.sh; /cvsroot/mozilla/security/nss/tests/chains/chains.sh,v <-- chains.sh new revision: 1.20; previous revision: 1.19 done
Attachment #384867 - Attachment description: Patch for chains.sh to support ku/eku/ns. → Patch for chains.sh to support ku/eku/ns. (checked in)
Alexei, please verify if expected results are correct (see Cert usages matrix - attachment), results differs from expected in those tests: SSL_SERVER/KEY ENCIPHERMENT (rsa) x SSL StepUp SSL_SERVER/KEY AGREEMENT (dh) x SSL Server SSL_SERVER/KEY AGREEMENT (dh) x SSL StepUp SSL_SERVER/DIGITAL SIGNATURE (dsa) x SSL Server SSL_SERVER/DIGITAL SIGNATURE (dsa) x SSL StepUp SSL_SERVER/DIGITAL SIGNATURE or AGREEMENT (ecc dsa/dh) x SSL Server SSL_SERVER/DIGITAL SIGNATURE or AGREEMENT (ecc dsa/dh) x SSL StepUp EMAIL/KEY AGREEMENT (dh) x Email recipient EMAIL/DIGITAL SIGNATURE (dsa) x Email signer EMAIL/DIGITAL SIGNATURE (dsa) x Email recipient EMAIL/DIGITAL SIGNATURE or AGREEMENT (ecc dsa/dh) x Email signer EMAIL/DIGITAL SIGNATURE or AGREEMENT (ecc dsa/dh) x Email recipient SSL_CA/CERT SIGN x OCSP responder EMAIL_CA/CERT SIGN x OCSP responder OBJECT SIGNING CA/CERT SIGN x OCSP responder
These tests look useful we should consider rebasing them on top of the current NSS trunk and checking them in.
Target Milestone: 3.12.4 → 3.16
Target Milestone: 3.16 → 3.16.1

The bug assignee is inactive on Bugzilla, and this bug has priority 'P2'.
:beurdouche, could you have a look please?

For more information, please visit auto_nag documentation.

Assignee: slavomir.katuscak+mozilla → nobody
Flags: needinfo?(bbeurdouche)
Severity: normal → S3

We have modified the bot to only consider P1 as high priority, so I'm cancelling the needinfo here.

Flags: needinfo?(bbeurdouche)
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: