Commit 962d2421 authored by David Woodhouse's avatar David Woodhouse

Add test case for non-ASCII password on PKCS#12 keys

Signed-off-by: default avatarDavid Woodhouse <dwmw2@infradead.org>
parent e2520344
......@@ -42,7 +42,7 @@ EXTRA_DIST = certs/ca.pem certs/ca-key.pem certs/user-cert.pem $(USER_KEYS) $(US
dist_check_SCRIPTS =
if HAVE_CWRAP
dist_check_SCRIPTS += auth-username-pass auth-certificate id-test
dist_check_SCRIPTS += auth-username-pass auth-certificate auth-nonascii id-test
if TEST_PKCS11
dist_check_SCRIPTS += auth-pkcs11
......@@ -99,7 +99,7 @@ keyfiles: $(USER_KEYS) $(USER_CERTS)
OPENSSL = openssl
OSSLARGS = -in $< -out $@ -passout pass:password
OSSLARGSP12 = -inkey $< -out $@ -in $${KEYFILE%-key-pkcs8.pem}-cert.pem -passout pass:password
OSSLARGSP12 = -inkey $< -out $@ -in $${KEYFILE%-key-pkcs8.pem}-cert.pem -passout pass:$${PASSWORD%-password}
# Strictly speaking this is only PKCS#1 for RSA. For EC it's probably
# best described as RFC5915§4, and no idea what defines it for DSA.
......@@ -156,6 +156,12 @@ $(certsdir)/ec-key-pkcs1-aes128.pem: certs/ec-key-pkcs1.pem
KEYFILE="$<"; $(OPENSSL) pkcs12 $(OSSLARGSP12) -export -macalg SHA256 \
-certpbe AES-256-CBC -keypbe AES-256-CBC
# NB: Needs OpenSSL 1.1 or newer
%-key-nonascii-password.p12: %-key-pkcs8.pem %-cert.pem
LC_ALL=en_GB.UTF-8 PASSWORD="$$(cat $(srcdir)/pass-UTF-8)" KEYFILE="$<" ; \
$(OPENSSL) pkcs12 $(OSSLARGSP12) -export -macalg SHA256 \
-certpbe AES-256-CBC -keypbe AES-256-CBC
# This one makes GnuTLS behave strangely...
%-key-aes256-cbc-md5-des-sha256.p12: %-key-pkcs8.pem %-cert.pem
KEYFILE="$<"; $(OPENSSL) pkcs12 $(OSSLARGSP12) -export -macalg SHA256 \
......
#!/bin/sh
#
# Copyright (C) 2016 Red Hat, Inc.
#
# This file is part of openconnect.
#
# This is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public License
# as published by the Free Software Foundation; either version 2.1 of
# the License, or (at your option) any later version.
#
# This library is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
# Lesser General Public License for more details.
#
# You should have received a copy of the GNU Lesser General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>
SERV="${SERV:-../src/ocserv}"
srcdir=${srcdir:-.}
top_builddir=${top_builddir:-..}
. `dirname $0`/common.sh
echo "Testing certificate auth with non-ASCII passwords... "
launch_simple_sr_server -d 1 -f -c configs/test-user-cert.config
PID=$!
wait_server $PID
KEY=${srcdir}/certs/user-key-nonascii-password.p12
set -x
for CHARSET in UTF-8 ISO8859-2; do
echo -n "Connecting to obtain cookie (with password charset ${CHARSET})... "
CERTARGS="-c ${KEY} --key-password $(cat ${srcdir}/pass-${CHARSET})"
( echo "test" | LC_CTYPE=cs_CZ.${CHARSET} LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:443 -u test $CERTARGS --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly --passwd-on-stdin ) ||
fail $PID "Could not connect with charset ${CHARSET}!"
done
echo ok
cleanup
exit 0
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment