Add test case for non-ASCII password on PKCS#12 keys

Signed-off-by: David Woodhouse <dwmw2@infradead.org>
sailfishos-mirror · May 25, 2017 · 962d242 · 962d242
1 parent e252034
commit 962d242
Show file tree

Hide file tree

Showing 5 changed files with 55 additions and 2 deletions.
diff --git a/tests/Makefile.am b/tests/Makefile.am
@@ -42,7 +42,7 @@ EXTRA_DIST = certs/ca.pem certs/ca-key.pem certs/user-cert.pem $(USER_KEYS) $(US
 dist_check_SCRIPTS =
 
 if HAVE_CWRAP
-dist_check_SCRIPTS += auth-username-pass auth-certificate id-test
+dist_check_SCRIPTS += auth-username-pass auth-certificate auth-nonascii id-test
 
 if TEST_PKCS11
 dist_check_SCRIPTS += auth-pkcs11
@@ -99,7 +99,7 @@ keyfiles: $(USER_KEYS) $(USER_CERTS)
 
 OPENSSL = openssl
 OSSLARGS = -in $< -out $@ -passout pass:password
-OSSLARGSP12 = -inkey $< -out $@ -in $${KEYFILE%-key-pkcs8.pem}-cert.pem -passout pass:password
+OSSLARGSP12 = -inkey $< -out $@ -in $${KEYFILE%-key-pkcs8.pem}-cert.pem -passout pass:$${PASSWORD%-password}
 
 # Strictly speaking this is only PKCS#1 for RSA. For EC it's probably
 # best described as RFC5915§4, and no idea what defines it for DSA.
@@ -156,6 +156,12 @@ $(certsdir)/ec-key-pkcs1-aes128.pem: certs/ec-key-pkcs1.pem
 	KEYFILE="$<"; $(OPENSSL) pkcs12 $(OSSLARGSP12) -export -macalg SHA256 \
 		-certpbe AES-256-CBC -keypbe AES-256-CBC
 
+# NB: Needs OpenSSL 1.1 or newer
+%-key-nonascii-password.p12: %-key-pkcs8.pem %-cert.pem
+	LC_ALL=en_GB.UTF-8 PASSWORD="$$(cat $(srcdir)/pass-UTF-8)" KEYFILE="$<" ; \
+	$(OPENSSL) pkcs12 $(OSSLARGSP12) -export -macalg SHA256 \
+		-certpbe AES-256-CBC -keypbe AES-256-CBC
+
 # This one makes GnuTLS behave strangely...
 %-key-aes256-cbc-md5-des-sha256.p12: %-key-pkcs8.pem %-cert.pem
 	KEYFILE="$<"; $(OPENSSL) pkcs12 $(OSSLARGSP12) -export -macalg SHA256 \

diff --git a/tests/auth-nonascii b/tests/auth-nonascii
@@ -0,0 +1,45 @@
+#!/bin/sh
+#
+# Copyright (C) 2016 Red Hat, Inc.
+#
+# This file is part of openconnect.
+#
+# This is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public License
+# as published by the Free Software Foundation; either version 2.1 of
+# the License, or (at your option) any later version.
+#
+# This library is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+# Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>
+
+SERV="${SERV:-../src/ocserv}"
+srcdir=${srcdir:-.}
+top_builddir=${top_builddir:-..}
+
+. `dirname $0`/common.sh
+
+echo "Testing certificate auth with non-ASCII passwords... "
+
+launch_simple_sr_server -d 1 -f -c configs/test-user-cert.config
+PID=$!
+wait_server $PID
+
+KEY=${srcdir}/certs/user-key-nonascii-password.p12
+set -x
+for CHARSET in UTF-8 ISO8859-2; do
+    echo -n "Connecting to obtain cookie (with password charset ${CHARSET})... "
+    CERTARGS="-c ${KEY} --key-password $(cat ${srcdir}/pass-${CHARSET})"
+    ( echo "test" | LC_CTYPE=cs_CZ.${CHARSET} LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:443 -u test $CERTARGS --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly --passwd-on-stdin ) ||
+	fail $PID "Could not connect with charset ${CHARSET}!"
+done
+
+echo ok
+
+cleanup
+
+exit 0
diff --git a/tests/certs/user-key-nonascii-password.p12 b/tests/certs/user-key-nonascii-password.p12
diff --git a/tests/pass-ISO8859-2 b/tests/pass-ISO8859-2
@@ -0,0 +1 @@
+ï
diff --git a/tests/pass-UTF-8 b/tests/pass-UTF-8
@@ -0,0 +1 @@
+ĂŻ