From 3030935252918b35ff7c18fb6a279ba5ef841186 Mon Sep 17 00:00:00 2001
From: Fabian Mauchle <mauchle@macfma.switch.ch>
Date: Sun, 11 Oct 2020 22:00:55 +0200
Subject: [PATCH] add tests for new altnames

---
 tests/t_verify_cert.c | 84 +++++++++++++++++++++++++++++++++++++++++--
 1 file changed, 82 insertions(+), 2 deletions(-)

diff --git a/tests/t_verify_cert.c b/tests/t_verify_cert.c
index 2ecc2f9..4a2e96f 100644
--- a/tests/t_verify_cert.c
+++ b/tests/t_verify_cert.c
@@ -151,14 +151,52 @@ bG9jYWwvcHJvZmlsZSNtZTAJBgcqhkjOPQQBAyMAMCACDniwUmV285CoguiJ6WmW\n\
 Ag5ZWNTJtmNNdKxh0Mahsw==\n\
 -----END CERTIFICATE-----"),
 
-        /* /CN=other, URI:https://other.local/profile#me */
-        *certsanuriother = getcert("-----BEGIN CERTIFICATE-----\n\
+    /* /CN=other, URI:https://other.local/profile#me */
+    *certsanuriother = getcert("-----BEGIN CERTIFICATE-----\n\
 MIIBATCBzaADAgECAhQLG7rYpl+8YbPNEtUgw6HRZYIc1DAJBgcqhkjOPQQBMBAx\n\
 DjAMBgNVBAMMBW90aGVyMB4XDTIwMTAwNjA5MDU0OVoXDTIwMTAxNjA5MDU0OVow\n\
 EDEOMAwGA1UEAwwFb3RoZXIwMjAQBgcqhkjOPQIBBgUrgQQABgMeAAScZ7M19uKE\n\
 DDXCtCGaM1KbqRZA/3VgQt+6iEFuoy0wKzApBgNVHREEIjAghh5odHRwczovL290\n\
 aGVyLmxvY2FsL3Byb2ZpbGUjbWUwCQYHKoZIzj0EAQMkADAhAg8AoOJVnRcp3gyY\n\
 Qe0Vy/UCDijCHK6Y5GkzWD7H008l\n\
+-----END CERTIFICATE-----"),
+
+    /* /CN=test, Registered ID:1.2.3.4 */
+    *certsanrid = getcert("-----BEGIN CERTIFICATE-----\n\
+MIHjMIGwoAMCAQICFBKq59XodNaMiLZDZbE7BMFn+GnAMAkGByqGSM49BAEwDzEN\n\
+MAsGA1UEAwwEdGVzdDAeFw0yMDEwMDYxNTA1NTBaFw0yMDEwMTYxNTA1NTBaMA8x\n\
+DTALBgNVBAMMBHRlc3QwMjAQBgcqhkjOPQIBBgUrgQQABgMeAAScZ7M19uKEDDXC\n\
+tCGaM1KbqRZA/3VgQt+6iEFuoxIwEDAOBgNVHREEBzAFiAMqAwQwCQYHKoZIzj0E\n\
+AQMjADAgAg4QFOirxwoC5OYpFArE8gIORG+zCoikzhvY95kBGvg=\n\
+-----END CERTIFICATE-----"),
+
+    /* /CN=other, Registered ID:1.2.3.9 */
+    *certsanridother = getcert("-----BEGIN CERTIFICATE-----\n\
+MIHmMIGyoAMCAQICFEvhI4VZvPr7cITrckvz6J576uy3MAkGByqGSM49BAEwEDEO\n\
+MAwGA1UEAwwFb3RoZXIwHhcNMjAxMDA2MTUwNzQzWhcNMjAxMDE2MTUwNzQzWjAQ\n\
+MQ4wDAYDVQQDDAVvdGhlcjAyMBAGByqGSM49AgEGBSuBBAAGAx4ABJxnszX24oQM\n\
+NcK0IZozUpupFkD/dWBC37qIQW6jEjAQMA4GA1UdEQQHMAWIAyoDCTAJBgcqhkjO\n\
+PQQBAyQAMCECDwCJMMBtTsOZNwvy43TlLgIOKtssl/hBDN/JcPbBQgI=\n\
+-----END CERTIFICATE-----"),
+
+    /* /CN=test, otherNAME 1.3.6.1.5.5.7.8.8;UTF8:test.local */
+    *certsanothername = getcert("-----BEGIN CERTIFICATE-----\n\
+MIH4MIHFoAMCAQICFHfn1oV2cr4BkkWImdYCJXkSmiKrMAkGByqGSM49BAEwDzEN\n\
+MAsGA1UEAwwEdGVzdDAeFw0yMDEwMDYxNTE4NTNaFw0yMDEwMTYxNTE4NTNaMA8x\n\
+DTALBgNVBAMMBHRlc3QwMjAQBgcqhkjOPQIBBgUrgQQABgMeAAScZ7M19uKEDDXC\n\
+tCGaM1KbqRZA/3VgQt+6iEFuoycwJTAjBgNVHREEHDAaoBgGCCsGAQUFBwgIoAwM\n\
+CnRlc3QubG9jYWwwCQYHKoZIzj0EAQMjADAgAg5picQbJfIM1Ljn7H/26QIOCLcA\n\
+UXfI8XA07aHTgzE=\n\
+-----END CERTIFICATE-----"),
+
+    /* /CN=other, otherNAME 1.3.6.1.5.5.7.8.8;UTF8:other.local */
+    *certsanothernameother = getcert("-----BEGIN CERTIFICATE-----\n\
+MIH6MIHGoAMCAQICFEa/hIvgCkqCF6ulCq3Jy3iw6XkwMAkGByqGSM49BAEwDzEN\n\
+MAsGA1UEAwwEdGVzdDAeFw0yMDEwMDYxNTIwMDhaFw0yMDEwMTYxNTIwMDhaMA8x\n\
+DTALBgNVBAMMBHRlc3QwMjAQBgcqhkjOPQIBBgUrgQQABgMeAAScZ7M19uKEDDXC\n\
+tCGaM1KbqRZA/3VgQt+6iEFuoygwJjAkBgNVHREEHTAboBkGCCsGAQUFBwgIoA0M\n\
+C290aGVyLmxvY2FsMAkGByqGSM49BAEDJAAwIQIOSOJ5OK2xzjrCweD/ImECDwDL\n\
+COiok62ckBQsaUG8AA==\n\
 -----END CERTIFICATE-----");
 
     memset(&conf, 0, sizeof(conf));
@@ -385,6 +423,7 @@ Qe0Vy/UCDijCHK6Y5GkzWD7H008l\n\
         freematchcertattr(&conf);
         free(match);
     }
+
     /* test explicit SAN URI regex */
     {
         conf.name = "test";
@@ -401,6 +440,38 @@ Qe0Vy/UCDijCHK6Y5GkzWD7H008l\n\
         free(match);
     }
 
+    /* test explicit SAN rID */
+    {
+        conf.name = "test";
+        conf.certnamecheck = 0;
+        match = stringcopy("SubjectAltName:rID:1.2.3.4",0);
+
+        ok(1,addmatchcertattr(&conf, match),"explicit san rid config");
+
+        ok(1,verifyconfcert(certsanrid, &conf),"explicit san rid");
+        ok(0,verifyconfcert(certsanridother, &conf),"negative explicit san rid");
+        ok(0,verifyconfcert(certsimple, &conf), "missing explicit san rid");
+
+        freematchcertattr(&conf);
+        free(match);
+    }
+
+    /* test explicit SAN otherNAME */
+    {
+        conf.name = "test";
+        conf.certnamecheck = 0;
+        match = stringcopy("SubjectAltName:otherName:1.3.6.1.5.5.7.8.8:/test.local/",0);
+
+        ok(1,addmatchcertattr(&conf, match),"explicit san otherName config");
+
+        ok(1,verifyconfcert(certsanothername, &conf),"explicit san otherName");
+        ok(0,verifyconfcert(certsanothernameother, &conf),"negative explicit san otherName");
+        ok(0,verifyconfcert(certsimple, &conf), "missing explicit san otherName");
+
+        freematchcertattr(&conf);
+        free(match);
+    }
+
     /* test valid config syntax */
     {
         conf.name = "test";
@@ -438,6 +509,11 @@ Qe0Vy/UCDijCHK6Y5GkzWD7H008l\n\
         ok(0,addmatchcertattr(&conf, match),"test invalid syntax ipv6");
         freematchcertattr(&conf);
         free(match);
+
+        match = stringcopy("SubjectAltName:rID:1:2",0);
+        ok(0,addmatchcertattr(&conf, match),"test invalid syntax rID");
+        freematchcertattr(&conf);
+        free(match);
     }
 
     /* test explicit & implicit combined */
@@ -463,6 +539,8 @@ Qe0Vy/UCDijCHK6Y5GkzWD7H008l\n\
         free(match);
     }
 
+    //TODO test new features
+    // - multiple attribute checks
 
     printf("1..%d\n", numtests);
     list_free(conf.hostports);
@@ -479,6 +557,8 @@ Qe0Vy/UCDijCHK6Y5GkzWD7H008l\n\
     X509_free(certcomplexother);
     X509_free(certsanuri);
     X509_free(certsanuriother);
+    X509_free(certsanrid);
+    X509_free(certsanridother);
 
     return 0;
 }