From 8b8af84e4467219954b2fcd6c597ab8578e14a61 Mon Sep 17 00:00:00 2001 From: Rob Crittenden Date: Mar 29 2022 19:36:36 +0000 Subject: tests: Test that the CA constraint DER encoding is correct A TRUE value was being set to 1 instead of 255 Also correct a hardcoded test filename for a previous test.
---
diff --git a/tests/026-local/expected.openssl1 b/tests/026-local/expected.openssl1
index feef31b..730c183 100644
--- a/tests/026-local/expected.openssl1
+++ b/tests/026-local/expected.openssl1
@@ -72,4 +72,5 @@ Certificate:
 cert: OK
 cert cipher: OK
 key cipher: OK
+CA constraint: OK
 OK.
diff --git a/tests/026-local/expected.openssl3 b/tests/026-local/expected.openssl3
index 6cd5ed3..ef7fc2d 100644
--- a/tests/026-local/expected.openssl3
+++ b/tests/026-local/expected.openssl3
@@ -67,4 +67,5 @@ Certificate:
 cert: OK
 cert cipher: OK
 key cipher: OK
+CA constraint: OK
 OK.
diff --git a/tests/026-local/run.sh b/tests/026-local/run.sh
index b8dc869..ebc5ca9 100755
--- a/tests/026-local/run.sh
+++ b/tests/026-local/run.sh
@@ -54,8 +54,8 @@ echo "[verify]"
 openssl verify -CAfile $tmpdir/ca-cert cert
 # Check the encryption used in the creds file
-certenc=`openssl pkcs12 -info -in /tmp/foo/creds -passin pass: -nodes 2>&1 | grep "PKCS7 Encrypted data:" | awk '{ print $6 }' | sed 's/,//'`
-keyenc=`openssl pkcs12 -info -in /tmp/foo/creds -passin pass: -nokeys 2>&1 | grep "Shrouded Keybag:" | awk '{ print $5 }' | sed 's/,//'`
+certenc=`openssl pkcs12 -info -in $tmpdir/creds -passin pass: -nodes 2>&1 | grep "PKCS7 Encrypted data:" | awk '{ print $6 }' | sed 's/,//'`
+keyenc=`openssl pkcs12 -info -in $tmpdir/creds -passin pass: -nokeys 2>&1 | grep "Shrouded Keybag:" | awk '{ print $5 }' | sed 's/,//'`
 if [ $certenc != "AES-128-CBC" ]; then
 echo "Fail, cert cipher is $certenc"
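Review bot: The rewritten `certenc=`/`keyenc=` assignments still feed the unquoted test on the context line `if [ $certenc != "AES-128-CBC" ]; then`, so an empty result is not reported as a cipher failure. If `openssl pkcs12` fails or the grep matches nothing, the test collapses to `[ != "AES-128-CBC" ]`, which exits non-zero with a syntax error and skips the `then` branch; the rest of that `if` lies outside the hunk, but it presumably falls into an `else` that prints the OK line, as the key-cipher check visible in the next hunk does. Quoting closes that gap: `if [ "$certenc" != "AES-128-CBC" ]; then`, and likewise `"$tmpdir/creds"` in both assignments so a temp path with whitespace cannot split the argument.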
@@ -68,4 +68,12 @@ else
 echo "key cipher: OK"
 fi
+openssl pkcs12 -nokeys -in $tmpdir/creds -passin pass: -nodes > $tmpdir/ca.pem
+openssl asn1parse -in $tmpdir/ca.pem -strictpem 2>&1 | grep -q 30030101FF
+if [ $? -eq 0 ]; then
+ echo "CA constraint: OK"
+else
+ echo "Unexpected DER encoding of CA constraint"
+fi
+
 echo OK.
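Review bot: The match `grep -q 30030101FF` is unanchored, so it succeeds on that hex run anywhere in the `asn1parse` output (stderr included, because of `2>&1`) rather than only on the extension value it is meant to check. Anchoring it to the dump field and testing the pipeline directly, instead of through `$?`, makes the check say what it means: `if openssl asn1parse -in "$tmpdir/ca.pem" -strictpem 2>&1 | grep -q 'HEX DUMP\]:30030101FF$'; then`. The exit status of the preceding `openssl pkcs12 ... > $tmpdir/ca.pem` is not checked either, so a failed export would surface as "Unexpected DER encoding" rather than as an extraction error. A one-line comment such as `# 30 03 01 01 FF = SEQUENCE { BOOLEAN TRUE }; DER requires TRUE to be 0xFF` would explain the magic constant to the next reader.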