add RSA-PSS CRL test case

2025-08-03 12:44:45 +02:00 · 2024-01-05 14:47:53 -08:00
parent 74f0625c89
commit d58acef895
4 changed files with 37 additions and 0 deletions
--- a/certs/crl/crl_rsapss.pem
+++ b/certs/crl/crl_rsapss.pem
@@ -0,0 +1,16 @@
+-----BEGIN X509 CRL-----
+MIICbjCCASYCAQEwPQYJKoZIhvcNAQEKMDCgDTALBglghkgBZQMEAgGhGjAYBgkq
+hkiG9w0BAQgwCwYJYIZIAWUDBAIBogMCASAwgZ0xCzAJBgNVBAYTAlVTMRAwDgYD
+VQQIDAdNb250YW5hMRAwDgYDVQQHDAdCb3plbWFuMRgwFgYDVQQKDA93b2xmU1NM
+X1JTQS1QU1MxFTATBgNVBAsMDFJvb3QtUlNBLVBTUzEYMBYGA1UEAwwPd3d3Lndv
+bGZzc2wuY29tMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wuY29tFw0yNDAx
+MDUyMjM0MDNaFw0yNjEwMDEyMjM0MDNaMBQwEgIBAhcNMjQwMTA1MjIzNDAzWqAO
+MAwwCgYDVR0UBAMCAQMwPQYJKoZIhvcNAQEKMDCgDTALBglghkgBZQMEAgGhGjAY
+BgkqhkiG9w0BAQgwCwYJYIZIAWUDBAIBogMCASADggEBADcOR4Ay7OIHoQeH9AJ9
+y26uPqALflnmCTv8uUKkPhWvPoXZpAF7Sq0xCFAyYxbEtonLV0yQMWlPJWYtr3w8
+R6GIa+9A2iFR0MiDD/pppgIem+aP2DK72HObH96CgM5vRLlQ3ti8g72wfVVTZdi5
+G6QX1tZH8M8FMRcGyyiFeMaA1fLVry0uAyer9bIqPQ1JZ7VE1GzFnVByQ+BtPK8b
+8OSIZud1VvxgETKYkRjvzA+fOwz/J4sum2MS4oLMXZ4DOt3RKDzqXc8o5NpZGOah
+ViGgZLWhsCeuBqmJV9+gHJUDv4EFnE4UE6U75qZvkKgSvYxNL7u9sNSU8tu7a+Ay
+oxw=
+-----END X509 CRL-----
--- a/certs/crl/gencrls.sh
+++ b/certs/crl/gencrls.sh
@@ -56,6 +56,10 @@ echo "Step 3"
 openssl ca -config ../renewcerts/wolfssl.cnf -gencrl -crldays 1000 -out crl.pem -keyfile ../ca-key.pem -cert ../ca-cert.pem
 check_result $?

+echo "Step 3 RSA-PSS"
+openssl ca -config ../renewcerts/wolfssl.cnf -gencrl -crldays 1000 -out crl_rsapss.pem -keyfile ../rsapss/root-rsapss-priv.pem -cert ../rsapss/root-rsapss.pem
+check_result $?
+
 # metadata
 echo "Step 4"
 openssl crl -in crl.pem -text > tmp
--- a/certs/renewcerts.sh
+++ b/certs/renewcerts.sh
@@ -838,6 +838,7 @@ run_renewcerts(){
    cd ./crl || { echo "Failed to switch to dir ./crl"; exit 1; }
    echo "changed directory: cd/crl"
    echo ""
+    # has dependency on rsapss generation (rsapss should be ran first)
    ./gencrls.sh
    check_result $? "gencrls.sh"
    echo "ran ./gencrls.sh"
--- a/tests/api.c
+++ b/tests/api.c
@@ -3044,6 +3044,10 @@ static int test_wolfSSL_CertManagerCRL(void)
    const char* ca_cert = "./certs/ca-cert.pem";
    const char* crl1     = "./certs/crl/crl.pem";
    const char* crl2     = "./certs/crl/crl2.pem";
+#ifdef WC_RSA_PSS
+    const char* crl_rsapss = "./certs/crl/crl_rsapss.pem";
+    const char* ca_rsapss  = "certs/rsapss/root-rsapss.pem";
+#endif
    const unsigned char crl_buff[] = {
        0x30, 0x82, 0x02, 0x04, 0x30, 0x81, 0xed, 0x02,
        0x01, 0x01, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86,
@@ -3199,6 +3203,18 @@ static int test_wolfSSL_CertManagerCRL(void)
    ExpectIntEQ(wolfSSL_CertManagerLoadCRLBuffer(cm, crl_buff, sizeof(crl_buff),
        WOLFSSL_FILETYPE_ASN1), 1);

+#if !defined(NO_FILESYSTEM) && defined(WC_RSA_PSS)
+    /* loading should fail without the CA set */
+    ExpectIntEQ(wolfSSL_CertManagerLoadCRLFile(cm, crl_rsapss,
+        WOLFSSL_FILETYPE_PEM), ASN_CRL_NO_SIGNER_E);
+
+    /* now successfully load the RSA-PSS crl once loading in it's CA */
+    ExpectIntEQ(WOLFSSL_SUCCESS,
+        wolfSSL_CertManagerLoadCA(cm, ca_rsapss, NULL));
+    ExpectIntEQ(wolfSSL_CertManagerLoadCRLFile(cm, crl_rsapss,
+        WOLFSSL_FILETYPE_PEM), WOLFSSL_SUCCESS);
+#endif
+
    wolfSSL_CertManagerFree(cm);
 #endif