From 97b98c9320d69c49e824353a6a9b99a6f1226397 Mon Sep 17 00:00:00 2001
From: Tim Gleeson <tgleeson@cisco.com>
Date: Fri, 6 Sep 2019 09:58:30 +0100
Subject: [PATCH 1/3] Add test to reproduce ERL-1030 failure
---
lib/ssl/test/make_certs.erl | 84 ++++++++++++++++++++++++++++++++++++++++++
lib/ssl/test/ssl_crl_SUITE.erl | 19 ++++++++--
2 files changed, 99 insertions(+), 4 deletions(-)
diff --git a/lib/ssl/test/make_certs.erl b/lib/ssl/test/make_certs.erl
index 76bf0fa895..70f718cb12 100644
--- a/lib/ssl/test/make_certs.erl
+++ b/lib/ssl/test/make_certs.erl
@@ -33,6 +33,7 @@
v2_crls = true,
ecc_certs = false,
issuing_distribution_point = false,
+ crldp_crlissuer = false,
crl_port = 8000,
openssl_cmd = "openssl",
hostname = "host.example.com"}).
@@ -66,6 +67,8 @@ make_config([{ecc_certs, Bool}|T], C) when is_boolean(Bool) ->
make_config(T, C#config{ecc_certs = Bool});
make_config([{issuing_distribution_point, Bool}|T], C) when is_boolean(Bool) ->
make_config(T, C#config{issuing_distribution_point = Bool});
+make_config([{crldp_crlissuer, Bool}|T], C) when is_boolean(Bool) ->
+ make_config(T, C#config{crldp_crlissuer = Bool});
make_config([{openssl_cmd, Cmd}|T], C) when is_list(Cmd) ->
make_config(T, C#config{openssl_cmd = Cmd});
make_config([{hostname, Hostname}|T], C) when is_list(Hostname) ->
@@ -482,6 +485,87 @@ ca_cnf(
"crlDistributionPoints=@crl_section\n"
];
+ca_cnf(
+ Root,
+ #config{
+ crldp_crlissuer = true,
+ hostname = Hostname} = C) ->
+ ["# Purpose: Configuration for CAs.\n"
+ "\n"
+ "ROOTDIR = " ++ Root ++ "\n"
+ "default_ca = ca\n"
+ "\n"
+
+ "[ca]\n"
+ "dir = $ROOTDIR/", C#config.commonName, "\n"
+ "certs = $dir/certs\n"
+ "crl_dir = $dir/crl\n"
+ "database = $dir/index.txt\n"
+ "new_certs_dir = $dir/newcerts\n"
+ "certificate = $dir/cert.pem\n"
+ "serial = $dir/serial\n"
+ "crl = $dir/crl.pem\n",
+ ["crlnumber = $dir/crlnumber\n" || C#config.v2_crls],
+ "private_key = $dir/private/key.pem\n"
+ "RANDFILE = $dir/private/RAND\n"
+ "\n"
+ "x509_extensions = user_cert\n",
+ ["crl_extensions = crl_ext\n" || C#config.v2_crls],
+ "unique_subject = no\n"
+ "default_days = 3600\n"
+ "default_md = sha1\n"
+ "preserve = no\n"
+ "policy = policy_match\n"
+ "\n"
+
+ "[policy_match]\n"
+ "commonName = supplied\n"
+ "organizationalUnitName = optional\n"
+ "organizationName = match\n"
+ "countryName = match\n"
+ "localityName = match\n"
+ "emailAddress = supplied\n"
+ "\n"
+
+ "[crl_ext]\n"
+ "authorityKeyIdentifier=keyid:always,issuer:always\n",
+
+ "[user_cert]\n"
+ "basicConstraints = CA:false\n"
+ "keyUsage = nonRepudiation, digitalSignature, keyEncipherment\n"
+ "subjectKeyIdentifier = hash\n"
+ "authorityKeyIdentifier = keyid,issuer:always\n"
+ "subjectAltName = DNS.1:" ++ Hostname ++ "\n"
+ "issuerAltName = issuer:copy\n"
+ "crlDistributionPoints=crl_section\n"
+
+ "[crl_section]\n"
+ "fullname=URI:http://localhost/",C#config.commonName,"/crl.pem\n"
+ "CRLissuer=dirName:issuer_sect\n"
+
+ "[issuer_sect]\n"
+ "C=UK\n"
+ "O=Organisation\n"
+ "CN=Some Name\n"
+
+ "[user_cert_digital_signature_only]\n"
+ "basicConstraints = CA:false\n"
+ "keyUsage = digitalSignature\n"
+ "subjectKeyIdentifier = hash\n"
+ "authorityKeyIdentifier = keyid,issuer:always\n"
+ "subjectAltName = DNS.1:" ++ Hostname ++ "\n"
+ "issuerAltName = issuer:copy\n"
+ "\n"
+
+ "[ca_cert]\n"
+ "basicConstraints = critical,CA:true\n"
+ "keyUsage = cRLSign, keyCertSign\n"
+ "subjectKeyIdentifier = hash\n"
+ "authorityKeyIdentifier = keyid:always,issuer:always\n"
+ "subjectAltName = email:copy\n"
+ "issuerAltName = issuer:copy\n"
+ ];
+
ca_cnf(
Root,
#config{
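Review bot: The new ca_cnf clause hard-codes the CRL issuer in `[issuer_sect]` as `C=UK`, `O=Organisation`, `CN=Some Name`, a DN that is not the DN of the CA the config generates, and nothing in the clause says whether that mismatch is the intended ERL-1030 trigger or incidental; a head comment such as `%% crldp_crlissuer: emit a CRL distribution point carrying a CRLissuer dirName (ERL-1030 reproduction). The [issuer_sect] DN is deliberately not the issuing CA's DN.` would make the fixture's intent checkable. The clause matches only on `crldp_crlissuer = true` and sits directly after the clause that emits `crlDistributionPoints=@crl_section`, so a config that enables both that clause's flag and this one is resolved by clause order alone, which the same comment should state. The `fullname=URI:http://localhost/...` value carries no port, unlike the crl_port field the record has; if this URI is never fetched because the suite serves the CRL from a hash dir for this group, a one-line comment saying so would save the next reader from checking. The rest of the body looks like a copy of the preceding clause (only its tail is visible here) with just the `[crl_section]` block differing, so the shared text could be factored into a helper taking that section as an argument; the following ca_cnf clause continues outside the hunk.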
diff --git a/lib/ssl/test/ssl_crl_SUITE.erl b/lib/ssl/test/ssl_crl_SUITE.erl
index b2fd3874a8..47d4b04d90 100644
--- a/lib/ssl/test/ssl_crl_SUITE.erl
+++ b/lib/ssl/test/ssl_crl_SUITE.erl
@@ -42,7 +42,8 @@ groups() ->
{check_true, [], [{group, v2_crl},
{group, v1_crl},
{group, idp_crl},
- {group, crl_hash_dir}]},
+ {group, crl_hash_dir},
+ {group, crl_verify_crldp_crlissuer}]},
{check_peer, [], [{group, v2_crl},
{group, v1_crl},
{group, idp_crl},
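Review bot: The new `crl_verify_crldp_crlissuer` group is added only to the `check_true` list at L128, while the parallel `check_peer` list directly below (and any further lists outside the hunk) is left unchanged. If the ERL-1030 failure is specific to the check_true mode, a short comment next to the new entry saying so would justify the asymmetry; otherwise the group should be listed in the other modes as well, `{group, crl_verify_crldp_crlissuer}]},`, so the reproduction covers every CRL-check mode the suite exercises.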
@@ -54,7 +55,8 @@ groups() ->
{v2_crl, [], basic_tests()},
{v1_crl, [], basic_tests()},
{idp_crl, [], basic_tests()},
- {crl_hash_dir, [], basic_tests() ++ crl_hash_dir_tests()}].
+ {crl_hash_dir, [], basic_tests() ++ crl_hash_dir_tests()},
+ {crl_verify_crldp_crlissuer, [], [crl_verify_valid]}].
basic_tests() ->
[crl_verify_valid, crl_verify_revoked, crl_verify_no_crl].
@@ -108,8 +110,8 @@ init_per_group(Group, Config0) ->
CertDir = filename:join(proplists:get_value(priv_dir, Config0), Group),
{CertOpts, Config} = init_certs(CertDir, Group, Config0),
{ok, _} = make_certs:all(DataDir, CertDir, CertOpts),
- CrlCacheOpts = case Group of
- crl_hash_dir ->
+ CrlCacheOpts = case need_hash_dir(Group) of
+ true ->
CrlDir = filename:join(CertDir, "crls"),
%% Copy CRLs to their hashed filenames.
%% Find the hashes with 'openssl crl -noout -hash -in crl.pem'.
@@ -462,8 +464,17 @@ is_idp(idp_crl) ->
is_idp(_) ->
false.
+need_hash_dir(crl_hash_dir) ->
+ true;
+need_hash_dir(crl_verify_crldp_crlissuer) ->
+ true;
+need_hash_dir(_) ->
+ false.
+
init_certs(_,v1_crl, Config) ->
{[{v2_crls, false}], Config};
+init_certs(_,crl_verify_crldp_crlissuer , Config) ->
+ {[{crldp_crlissuer, true}], Config};
init_certs(_, idp_crl, Config) ->
Port = proplists:get_value(httpd_port, Config),
{[{crl_port,Port},
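Review bot: The new init_certs clause at L164 has a stray space before the comma in its head, `init_certs(_,crl_verify_crldp_crlissuer , Config) ->`; the neighbouring clauses write `init_certs(_, idp_crl, Config)`, so `init_certs(_, crl_verify_crldp_crlissuer, Config) ->` keeps the style consistent. need_hash_dir/1 is documented only by its name, yet it now decides for two groups whether init_per_group/2 copies the CRLs into hashed filenames; a one-line comment above it, `%% Groups whose CRLs init_per_group/2 copies into a hashed-filename dir.`, would make that dependency visible. The init_certs clause for idp_crl continues outside the hunk.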
--
2.16.4