From edcb18d63fc3bfac28866403157aa3a44108056c Mon Sep 17 00:00:00 2001
From: olszomal
Date: Tue, 4 Apr 2023 14:52:30 +0200
Subject: [PATCH] Tests: use TSA-CRLfile

---
 cmake/CMakeTest.cmake | 1 +
 tests/conf/makecerts.sh | 60 ++++++++++++++++++++++++-----
 tests/conf/openssl_intermediate.cnf | 8 +++-
 tests/conf/openssl_tsa_root.cnf | 16 ++++----
 4 files changed, 66 insertions(+), 19 deletions(-)

diff --git a/cmake/CMakeTest.cmake b/cmake/CMakeTest.cmake
index b95ae00..eb21512 100644
--- a/cmake/CMakeTest.cmake
+++ b/cmake/CMakeTest.cmake
@@ -59,6 +59,7 @@ string(SUBSTRING ${sha256sum} 0 64 leafhash)
 set(verify_opt "-CAfile" "${CERTS}/CACert.pem"
 "-CRLfile" "${CERTS}/CACertCRL.pem"
 "-TSA-CAfile" "${CERTS}/TSACA.pem"
+ "-TSA-CRLfile" "${CERTS}/TSACertCRL.pem"
 )
 # TODO "cat" extension
 set(extensions_4 "exe" "ex_" "msi" "cat")
diff --git a/tests/conf/makecerts.sh b/tests/conf/makecerts.sh
index b27ee83..f5c980e 100755
--- a/tests/conf/makecerts.sh
+++ b/tests/conf/makecerts.sh
@@ -54,14 +54,14 @@ make_certs() {
 test_result $?
 
 printf "\nGenerate intermediate CA certificate\n" >> "makecerts.log"
- "$OPENSSL" genrsa -out CA/intermediate.key \
+ "$OPENSSL" genrsa -out CA/intermediateCA.key \
 2>> "makecerts.log" 1>&2
 TZ=GMT faketime -f '@2017-01-01 00:00:00' /bin/bash -c '
 script_path=$(pwd)
 OPENSSL="$0"
 export LD_LIBRARY_PATH="$1"
 CONF="${script_path}/openssl_intermediate.cnf"
- "$OPENSSL" req -config "$CONF" -new -key CA/intermediate.key -out CA/intermediate.csr \
+ "$OPENSSL" req -config "$CONF" -new -key CA/intermediateCA.key -out CA/intermediateCA.csr \
 -subj "/C=PL/O=osslsigncode/OU=Certification Authority/CN=Intermediate CA" \
 2>> "makecerts.log" 1>&2' "$OPENSSL" "$LD_LIBRARY_PATH"
 test_result $?
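Review bot: The added `"-TSA-CRLfile" "${CERTS}/TSACertCRL.pem"` makes every verification in this test set consult the TSA CRL, but nothing in this patch exercises the negative case: tests/conf/makecerts.sh now issues and revokes `TSA_revoked` and requires `tmp/TSA_revoked.pem` before copying, yet no signature timestamped by that certificate is verified here and expected to fail, so a regression that silently ignores the CRL would still pass (a test outside this diff may already cover it). The verify_opt list also now depends on a generator artefact that is only present after the script has run; a guard before `set(verify_opt` such as `if(NOT EXISTS "${CERTS}/TSACertCRL.pem") message(FATAL_ERROR "missing ${CERTS}/TSACertCRL.pem; run tests/conf/makecerts.sh") endif()` would fail with a clear message instead of a file error in every test. A one-line comment on the new entry, `# produced by tests/conf/makecerts.sh (CRL listing the revoked TSA cert)`, would make that dependency visible.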
@@ -70,10 +70,10 @@ make_certs() {
 OPENSSL="$0"
 export LD_LIBRARY_PATH="$1"
 CONF="${script_path}/openssl_root.cnf"
- "$OPENSSL" ca -config "$CONF" -batch -in CA/intermediate.csr -out CA/intermediate.cer \
+ "$OPENSSL" ca -config "$CONF" -batch -in CA/intermediateCA.csr -out CA/intermediateCA.cer \
 2>> "makecerts.log" 1>&2' "$OPENSSL" "$LD_LIBRARY_PATH"
 test_result $?
- "$OPENSSL" x509 -in CA/intermediate.cer -out tmp/intermediate.pem \
+ "$OPENSSL" x509 -in CA/intermediateCA.cer -out tmp/intermediateCA.pem \
 2>> "makecerts.log" 1>&2
 test_result $?
 
@@ -107,7 +107,7 @@ make_certs() {
 test_result $?
 
 printf "\nAttach intermediate certificate to revoked certificate\n" >> "makecerts.log"
- cat tmp/intermediate.pem >> tmp/revoked.pem 2>> "makecerts.log"
+ cat tmp/intermediateCA.pem >> tmp/revoked.pem 2>> "makecerts.log"
 test_result $?
 
 printf "\nGenerate CRL file\n" >> "makecerts.log"
@@ -120,6 +120,11 @@ make_certs() {
 2>> "makecerts.log" 1>&2' "$OPENSSL" "$LD_LIBRARY_PATH"
 test_result $?
 
+ printf "\nConvert a CRL file from PEM to DER\n" >> "makecerts.log"
+ "$OPENSSL" crl -in tmp/CACertCRL.pem -inform PEM -out tmp/CACertCRL.der -outform DER \
+ 2>> "makecerts.log" 1>&2
+ test_result $?
+
 printf "\nConvert revoked certificate to SPC format\n" >> "makecerts.log"
 "$OPENSSL" crl2pkcs7 -in tmp/CACertCRL.pem -certfile tmp/revoked.pem -outform DER -out tmp/revoked.spc \
 2>> "makecerts.log" 1>&2
@@ -166,7 +171,7 @@ make_certs() {
 test_result $?
 
 printf "\nAttach intermediate certificate to code signing certificate\n" >> "makecerts.log"
- cat tmp/intermediate.pem >> tmp/cert.pem 2>> "makecerts.log"
+ cat tmp/intermediateCA.pem >> tmp/cert.pem 2>> "makecerts.log"
 test_result $?
 
 printf "\nConvert the certificate to SPC format\n" >> "makecerts.log"
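Review bot: The DER copy `tmp/CACertCRL.der` created in the `@@ -120` hunk is referenced again only by the copy check later in this script; nothing in this patch passes it to `-CRLfile` or `-TSA-CRLfile`, so it becomes a mandatory artefact with no visible consumer unless a test outside this diff reads it. A comment above the new `printf`, for example `# DER copy kept for tests that pass a binary-encoded CRL to -CRLfile`, or dropping it from the mandatory list, would keep the later `test -s` chain from looking arbitrary. The same question applies to `tmp/TSACertCRL.der` produced in the `@@ -226` hunk. `make_certs()` begins and ends outside these hunks.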
@@ -211,7 +216,7 @@ make_certs() {
 test_result $?
 
 printf "\nAttach intermediate certificate to expired certificate\n" >> "makecerts.log"
- cat tmp/intermediate.pem >> tmp/expired.pem 2>> "makecerts.log"
+ cat tmp/intermediateCA.pem >> tmp/expired.pem 2>> "makecerts.log"
 test_result $?
 
 printf "\nGenerate Root CA TSA certificate\n" >> "makecerts.log"
@@ -226,6 +231,40 @@ make_certs() {
 2>> "makecerts.log" 1>&2' "$OPENSSL" "$LD_LIBRARY_PATH"
 test_result $?
 
+ printf "\nGenerate TSA certificate to revoke\n" >> "makecerts.log"
+ CONF="${script_path}/openssl_tsa_root.cnf"
+ "$OPENSSL" req -config "$CONF" -new -nodes -keyout tmp/TSA_revoked.key -out CA/TSA_revoked.csr \
+ -subj "/C=PL/O=osslsigncode/OU=TSA/CN=Revoked/emailAddress=osslsigncode@example.com" \
+ 2>> "makecerts.log" 1>&2
+ test_result $?
+ CONF="${script_path}/openssl_tsa_root.cnf"
+ "$OPENSSL" ca -config "$CONF" -batch -in CA/TSA_revoked.csr -out CA/TSA_revoked.cer \
+ 2>> "makecerts.log" 1>&2
+ test_result $?
+ "$OPENSSL" x509 -in CA/TSA_revoked.cer -out tmp/TSA_revoked.pem \
+ 2>> "makecerts.log" 1>&2
+ test_result $?
+
+ printf "\nRevoke above certificate\n" >> "makecerts.log"
+ "$OPENSSL" ca -config "$CONF" -revoke CA/TSA_revoked.cer \
+ 2>> "makecerts.log" 1>&2
+ test_result $?
+
+ printf "\nGenerate TSA CRL file\n" >> "makecerts.log"
+ TZ=GMT faketime -f '@2019-01-01 00:00:00' /bin/bash -c '
+ script_path=$(pwd)
+ OPENSSL="$0"
+ export LD_LIBRARY_PATH="$1"
+ CONF="${script_path}/openssl_tsa_root.cnf"
+ "$OPENSSL" ca -config "$CONF" -gencrl -crldays 8766 -out tmp/TSACertCRL.pem \
+ 2>> "makecerts.log" 1>&2' "$OPENSSL" "$LD_LIBRARY_PATH"
+ test_result $?
+
+ printf "\nConvert TSA CRL file from PEM to DER\n" >> "makecerts.log"
+ "$OPENSSL" crl -in tmp/TSACertCRL.pem -inform PEM -out tmp/TSACertCRL.der -outform DER \
+ 2>> "makecerts.log" 1>&2
+ test_result $?
+
 printf "\nGenerate TSA certificate\n" >> "makecerts.log"
 CONF="${script_path}/openssl_tsa.cnf"
 "$OPENSSL" req -config "$CONF" -new -nodes -keyout tmp/TSA.key -out CA/TSA.csr \
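Review bot: The TSA CRL is generated under `TZ=GMT faketime -f '@2019-01-01 00:00:00'` with `-gencrl -crldays 8766`, but the `TSA_revoked` certificate is requested, signed and revoked just above outside any faketime wrapper, so unless the whole script runs under a fixed clock the CRL's thisUpdate predates both the certificate's notBefore and the revocation date recorded by `ca -revoke`. If that mirrors the existing CA CRL step on purpose, a comment above `printf "\nGenerate TSA CRL file\n"` saying why the CRL date is pinned to 2019 and why a ~24-year `-crldays` is acceptable for a fixture would stop the next reader from "fixing" it; otherwise the three `TSA_revoked` steps belong inside the same `faketime` wrapper. The second `CONF="${script_path}/openssl_tsa_root.cnf"` before the `ca -batch` call repeats the assignment four lines earlier and can be dropped. `make_certs()` begins and ends outside this hunk.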
@@ -243,10 +282,13 @@ make_certs() {
 cat tmp/TSA.pem tmp/TSACA.pem > tmp/tsa-chain.pem 2>> "makecerts.log"
 
 # copy new files
- if test -s tmp/intermediate.pem -a -s tmp/CACert.pem -a -s tmp/CACertCRL.pem \
+ if test -s tmp/intermediateCA.pem -a -s tmp/CACert.pem \
+ -a -s tmp/CACertCRL.pem -a -s tmp/CACertCRL.der \
+ -a -s tmp/TSACertCRL.pem -a -s tmp/TSACertCRL.der \
 -a -s tmp/key.pem -a -s tmp/keyp.pem -a -s tmp/key.der -a -s tmp/key.pvk \
 -a -s tmp/cert.pem -a -s tmp/cert.p12 -a -s tmp/cert.der -a -s tmp/cert.spc \
- -a -s tmp/crosscert.pem -a -s tmp/expired.pem -a -s tmp/revoked.pem -a -s tmp/revoked.spc \
+ -a -s tmp/crosscert.pem -a -s tmp/expired.pem -a -s tmp/revoked.pem \
+ -a -s tmp/revoked.spc -a -s tmp/TSA_revoked.pem \
 -a -s tmp/TSA.pem -a -s tmp/TSA.key -a -s tmp/tsa-chain.pem -a -s tmp/legacy.p12
 then
 mkdir -p "../certs"
diff --git a/tests/conf/openssl_intermediate.cnf b/tests/conf/openssl_intermediate.cnf
index 7ba40b1..d7359f8 100644
--- a/tests/conf/openssl_intermediate.cnf
+++ b/tests/conf/openssl_intermediate.cnf
@@ -1,8 +1,9 @@
 # OpenSSL intermediate CA configuration file
 
 [ default ]
-name = intermediate
+name = intermediateCA
 default_ca = CA_default
+crl_url = http://127.0.0.1:8080/$name
 
 [ CA_default ]
 # Directory and file locations
@@ -15,6 +16,7 @@ serial = $dir/CA/serial
 rand_serial = yes
 private_key = $dir/CA/$name.key
 certificate = $dir/tmp/$name.pem
+crlnumber = $dir/CA/crlnumber
 crl_extensions = crl_ext
 default_md = sha256
 preserve = no
@@ -50,6 +52,10 @@ basicConstraints = CA:FALSE
 subjectKeyIdentifier = hash
 authorityKeyIdentifier = keyid, issuer
 extendedKeyUsage = codeSigning
+crlDistributionPoints = @crl_info
+
+[ crl_info ]
+URI.0 = $crl_url
 
 [ policy_loose ]
 # Allow the intermediate CA to sign a more diverse range of certificates.
diff --git a/tests/conf/openssl_tsa_root.cnf b/tests/conf/openssl_tsa_root.cnf
index 5c60373..1810275 100644
--- a/tests/conf/openssl_tsa_root.cnf
+++ b/tests/conf/openssl_tsa_root.cnf
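Review bot: `crlnumber = $dir/CA/crlnumber` points the intermediate CA at the same CRL-number file that tests/conf/openssl_tsa_root.cnf already uses, and both files also keep `serial` (and, in the TSA root file, `database`) under `$dir/CA/`; if `$dir` resolves to the same directory in both configurations and the intermediate's `database` also lives there (neither is visible in these hunks), `openssl ca -gencrl` emits every revoked entry of the shared index, so `TSACertCRL.pem` would list the code-signing `revoked` serial and the two issuers would share one CRL-number sequence. A per-issuer path such as `crlnumber = $dir/CA/$name.crlnumber` keeps the fixtures independent, and the same applies to the `crl_extensions = crl_ext` hunk of openssl_tsa_root.cnf. Because `openssl ca` refuses to generate a CRL when a configured crlnumber file is absent, the initialisation outside this diff must create it for this CA too. The new `crlDistributionPoints` URI `http://127.0.0.1:8080/intermediateCA` is embedded in every certificate this CA issues; a comment next to `crl_url` in `[ default ]` noting that the port is only served by the test harness would help.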
@@ -2,10 +2,8 @@
 
 [ default ]
 name = TSACA
-domain_suffix = timestampauthority.com
-aia_url = http://$name.$domain_suffix/$name.crt
-crl_url = http://$name.$domain_suffix/$name.crl
-ocsp_url = http://ocsp.$name.$domain_suffix:9080
+domain_suffix = timestampauthority
+crl_url = http://127.0.0.1:8080/$name
 name_opt = utf8, esc_ctrl, multiline, lname, align
 default_ca = CA_default
 
@@ -17,6 +15,7 @@ new_certs_dir = $dir/CA
 database = $dir/CA/index.txt
 serial = $dir/CA/serial
 crlnumber = $dir/CA/crlnumber
+crl_extensions = crl_ext
 rand_serial = yes
 private_key = $dir/CA/$name.key
 certificate = $dir/tmp/$name.pem
@@ -43,17 +42,16 @@ basicConstraints = critical, CA:false
 extendedKeyUsage = critical, timeStamping
 subjectKeyIdentifier = hash
 authorityKeyIdentifier = keyid:always
-authorityInfoAccess = @issuer_info
 crlDistributionPoints = @crl_info
 nameConstraints = @name_constraints
 
-[ issuer_info ]
-caIssuers;URI.0 = $aia_url
-OCSP;URI.0 = $ocsp_url
-
 [ crl_info ]
 URI.0 = $crl_url
 
+[ crl_ext ]
+# Extension for CRLs
+authorityKeyIdentifier = keyid:always
+
 [ name_constraints ]
 permitted;DNS.0=test.com
 permitted;DNS.1=test.org
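Review bot: `domain_suffix = timestampauthority` survives the rewrite of `[ default ]`, but with `aia_url`, `ocsp_url` and the old `crl_url` removed nothing in these hunks still expands `$domain_suffix`; unless it is referenced further down the file it is dead configuration and should be deleted rather than renamed. Dropping `authorityInfoAccess` and the `[ issuer_info ]` section also removes the caIssuers/OCSP pointers from every TSA certificate this CA issues, so any check that relied on those fixtures carrying AIA data now has no input; a header comment such as `# Test TSA chain is CRL-only: no AIA/OCSP pointers are issued` would record that this is intentional. The new `[ crl_ext ]` with `authorityKeyIdentifier = keyid:always` matches the intermediate CA's `crl_extensions = crl_ext` usage and is the right minimum for a CRL.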