util: rewrite test/prepend_testcerts_openssl.sh, update testdata

.travis.yml

@@ -17,6 +17,8 @@ script:
   - make
   # Verify that all files pass the golangci-lint code lints
   - make code-lint
+  # Verify that all testdata files are prepended with text
+  - make testdata-lint
   # Run unit tests
   - make test
   # Run integration tests

v2/makefile

@@ -37,4 +37,7 @@ integration:
 code-lint:
 	golangci-lint run
 
-.PHONY: clean zlint zlint-gtld-update test integration code-lint
+testdata-lint:
+	./test/prepend_testcerts_openssl.sh && git diff --exit-code testdata/
+
+.PHONY: clean zlint zlint-gtld-update test integration code-lint testdata-lint

v2/test/prepend_testcerts_openssl.sh

@@ -1,4 +1,39 @@
 #!/bin/bash
-for f in ../testlint/testCerts/*; do
-    openssl x509 -in $f -text -noout | cat - $f > /tmp/out && mv /tmp/out $f
+
+set -e -o pipefail
+
+BASE_DIR=$(dirname "$0")
+CERTS_DIR="$BASE_DIR/../testdata"
+TMP_DIR=$(mktemp -d -t zlint-XXXX)
+
+# Trap EXIT to cleanup the TMP_DIR
+trap '{ rmdir --ignore-fail-on-non-empty $TMP_DIR; }' EXIT
+
+# For every .pem file in the $CERTS directory, prepend 0penSSL text output if
+# required.
+for f in "$CERTS_DIR"/*.pem; do
+  # Skip any files that don't begin with a PEM header. These are assumed to
+  # already have the OpenSSL text output prepended.
+  if [[ ! $(head -n1 "$f") =~ "-----BEGIN" ]]; then
+    continue
+  fi
+
+  # If an argument is provided only consider filenames that match the provided
+  # argument. This allows only prepending a specific testcert instead of all
+  # unprepended testcerts.
+  CERT_NAME=$(basename "$f")
+  if [[ -n "$1" && ! $CERT_NAME =~ $1 ]]; then
+    continue
+  fi
+
+  # If the certificate has errors parsing with OpenSSL print a warning to stderr
+  # and continue. Sometimes our test data is too weird to parse and that's OK.
+  if ! openssl x509 -in "$f" -noout || false; then
+    echo "error parsing $f with OpenSSL" >&2
+    continue
+  fi
+
+  # Prepend the test cert with its -text OpenSSL output.
+  openssl x509 -text -in "$f" -outform PEM -out "$TMP_DIR/$CERT_NAME.new" \
+    && mv "$TMP_DIR/$CERT_NAME.new" "$f"
 done

v2/testdata/NCReservedIPNet.pem

@@ -1,3 +1,35 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 1 (0x1)
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: 
+        Validity
+            Not Before: Nov  1 00:00:00 2017 GMT
+            Not After : Nov  1 00:00:00 2017 GMT
+        Subject: 
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                RSA Public-Key: (512 bit)
+                Modulus:
+                    00:f5:0a:1c:80:44:f6:f2:4d:9a:93:06:18:40:d2:
+                    8e:ae:81:51:19:46:e1:b3:70:47:2f:c9:c9:36:5a:
+                    1e:58:fb:31:f4:eb:68:2b:98:80:a4:fb:34:32:de:
+                    ff:b6:f2:0d:9d:d4:42:72:fa:05:e6:10:ef:30:65:
+                    e8:0f:27:eb:2b
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Extended Key Usage: 
+                TLS Web Server Authentication
+            X509v3 Name Constraints: 
+                Permitted:
+                  IP:192.0.0.0/255.255.0.0
+
+    Signature Algorithm: sha256WithRSAEncryption
+         46:99:a2:e4:6a:96:68:5c:42:bc:fd:c9:0b:21:96:0c:24:4e:
+         1c:ea:b1:e6:a5:52:5c:22:a9:da:d2:f5:07:6f:e1:c6:84:3c:
+         1f:b6:64:9e:21:75:4f:b4:34:4f:2d:8c:8a:fa:5d:9f:58:88:
+         35:74:91:d6:fb:2f:bd:83:fe:03
 -----BEGIN CERTIFICATE-----
 MIIBIDCBy6ADAgECAgEBMA0GCSqGSIb3DQEBCwUAMAAwHhcNMTcxMTAxMDAwMDAw
 WhcNMTcxMTAxMDAwMDAwWjAAMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAPUKHIBE

v2/testdata/NCValidIPNet.pem

@@ -1,3 +1,35 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 1 (0x1)
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: 
+        Validity
+            Not Before: Nov  1 00:00:00 2017 GMT
+            Not After : Nov  1 00:00:00 2017 GMT
+        Subject: 
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                RSA Public-Key: (512 bit)
+                Modulus:
+                    00:db:6b:43:17:4e:44:87:33:25:94:78:f3:36:d0:
+                    8b:a4:39:19:43:9c:f7:36:46:49:8a:9f:8e:7a:17:
+                    13:de:8d:f8:21:11:c7:e3:da:62:41:ec:44:23:e5:
+                    66:4a:89:e7:b7:40:7c:46:a8:fe:5d:99:c8:04:77:
+                    d6:39:3c:ca:c1
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Extended Key Usage: 
+                TLS Web Server Authentication
+            X509v3 Name Constraints: 
+                Permitted:
+                  IP:166.0.0.0/255.255.255.0
+
+    Signature Algorithm: sha256WithRSAEncryption
+         9a:b5:b6:b4:51:d7:81:0c:ce:36:a7:2a:a9:d3:44:67:21:cb:
+         46:10:28:c7:0d:1e:82:ee:24:29:df:aa:d6:f5:8a:ca:cc:f3:
+         98:dc:0f:f1:5f:9e:bb:1c:24:5b:a4:59:9b:43:01:47:fa:68:
+         d1:f1:95:4a:f7:ef:2e:51:ee:51
 -----BEGIN CERTIFICATE-----
 MIIBIDCBy6ADAgECAgEBMA0GCSqGSIb3DQEBCwUAMAAwHhcNMTcxMTAxMDAwMDAw
 WhcNMTcxMTAxMDAwMDAwWjAAMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANtrQxdO

v2/testdata/QcStmtEtsiEsealValidCert02.pem

@@ -1,3 +1,76 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            01:fe:6b:47:c7:09:10:a9:aa:fb:72:3e:37
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: CN = Lint Sub-CA, OU = Test, O = MTG, C = DE
+        Validity
+            Not Before: Nov 21 03:21:29 2018 GMT
+            Not After : Nov 21 03:21:29 2048 GMT
+        Subject: CN = www.example.com, OU = Test, O = MTG, L = Darmstadt, ST = Hessen, C = DE
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                RSA Public-Key: (2048 bit)
+                Modulus:
+                    00:bb:4f:7d:3c:11:46:52:c0:fc:4f:b3:00:5e:6f:
+                    d2:7d:dc:3d:58:1c:79:5a:d3:e0:c9:87:62:a8:e4:
+                    75:9f:47:38:ac:02:bb:3d:9a:03:08:e7:13:69:0e:
+                    4c:59:2a:f6:20:c5:60:35:44:51:d3:c2:28:5c:78:
+                    6e:88:59:f7:7a:4a:13:e9:8a:b1:51:68:d2:10:9e:
+                    be:fd:c2:e3:27:60:d2:ab:a4:df:27:b9:9d:df:44:
+                    dc:93:30:40:16:ee:f4:f7:bb:3e:fd:b8:c7:1b:ad:
+                    80:6d:4b:71:cc:82:73:a0:cf:3b:d7:ac:53:a7:f1:
+                    05:68:0d:8a:0c:5d:55:4a:c0:09:71:36:36:ac:03:
+                    49:94:97:ee:7c:cf:21:a3:7b:aa:85:81:e0:ee:c6:
+                    7c:f2:aa:d4:a4:dc:f8:7b:49:fe:b2:b6:5c:af:fd:
+                    ad:92:41:6f:33:18:52:28:51:d0:76:0b:d7:5f:86:
+                    b7:f8:b6:c5:88:fe:fd:e0:81:44:01:75:7e:60:9d:
+                    66:6b:c7:85:08:78:7b:aa:1d:31:77:24:8d:10:d5:
+                    34:d3:63:2b:1c:30:00:02:c3:ad:b2:17:c7:02:36:
+                    0f:98:6e:c4:bb:81:c7:b9:4f:19:d5:38:a7:5e:30:
+                    78:53:9b:b7:00:a6:24:00:c9:4e:53:9d:6c:1a:2c:
+                    02:55
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Authority Key Identifier: 
+                keyid:E2:0F:66:4C:20:2C:78:21:2A:8F:29:DB:F9:99:F6:00:86:C4:AF:E1
+
+            X509v3 Subject Key Identifier: 
+                FC:90:7C:0F:39:F4:67:D1:E2:89:F2:EE:03:E6:3D:B9:76:C9:42:FA
+            X509v3 Key Usage: critical
+                Digital Signature, Key Encipherment
+            X509v3 Basic Constraints: critical
+                CA:FALSE
+            X509v3 Subject Alternative Name: 
+                DNS:www.example.com
+            Authority Information Access: 
+                CA Issuers - URI:http://ca.example.com/ca.crt
+                OCSP - URI:http://ocsp.example.com/ocsp
+
+            X509v3 Certificate Policies: 
+                Policy: 1.2.3.4.5
+
+            X509v3 Extended Key Usage: 
+                TLS Web Server Authentication, TLS Web Client Authentication
+            qcStatements: 
+                0w0......F..0V.....F..0L0$..http://example.com/en/test.pdf..en0$..http://example.com/de/test.pdf..de0......F..0......F...
+    Signature Algorithm: sha256WithRSAEncryption
+         5d:f9:41:ed:47:62:33:07:2e:9e:77:50:4b:a2:98:29:53:f7:
+         df:2c:e8:23:ef:00:d9:d7:ff:65:d8:92:72:fa:0f:cd:d9:63:
+         e5:29:bd:7a:e9:4d:2c:e5:ca:d7:4c:30:e0:4f:1d:03:82:12:
+         2b:1c:1d:49:44:a9:41:4b:3e:be:20:7c:50:e5:23:2b:5a:06:
+         b1:3b:18:7d:dd:3a:c3:20:0e:b2:b3:e4:f8:91:4b:35:e4:3e:
+         c4:79:32:99:b5:66:b2:be:fb:f1:86:3b:3c:f5:b6:3c:c4:3f:
+         85:ca:05:cf:92:a6:6b:43:dd:af:ca:17:74:0e:7e:ea:8c:64:
+         e4:68:2a:54:d5:25:81:e5:89:8b:83:54:8f:c8:8c:e7:a3:90:
+         44:ca:3e:12:a2:a5:e4:f2:e0:07:6d:e7:42:9e:df:b9:2e:89:
+         6d:24:67:8e:30:7e:e6:33:1a:f5:6f:56:b5:d8:89:9e:b3:1d:
+         46:fa:7d:3f:fd:fb:37:bb:0d:5a:36:66:20:a1:68:79:eb:95:
+         01:b6:9e:84:46:fe:e3:1b:da:ac:1a:57:a9:d3:5c:50:7a:4a:
+         67:58:e0:7c:45:36:90:1d:0b:c1:bf:86:0d:90:00:79:8e:ec:
+         7c:c0:06:0b:96:2f:be:91:20:f9:bc:2e:24:e2:50:19:d3:ee:
+         5d:99:fa:da
 -----BEGIN CERTIFICATE-----
 MIIEzjCCA7agAwIBAgINAf5rR8cJEKmq+3I+NzANBgkqhkiG9w0BAQsFADBAMRQw
 EgYDVQQDDAtMaW50IFN1Yi1DQTENMAsGA1UECwwEVGVzdDEMMAoGA1UECgwDTVRH

v2/testdata/QcStmtEtsiLangCodeUpperCaseCert23.pem

@@ -1,3 +1,76 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            0a:e4:f0:40:30:25:65:57:d5:68:eb:40:15
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: CN = Lint Sub-CA, OU = Test, O = MTG, C = DE
+        Validity
+            Not Before: Nov 21 03:21:34 2018 GMT
+            Not After : Nov 21 03:21:34 2048 GMT
+        Subject: CN = www.example.com, OU = Test, O = MTG, L = Darmstadt, ST = Hessen, C = DE
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                RSA Public-Key: (2048 bit)
+                Modulus:
+                    00:9b:ea:f5:bd:78:97:77:dd:c5:67:ad:3e:67:50:
+                    a4:ca:77:b4:44:97:4e:d4:67:af:8d:ba:42:05:fa:
+                    41:28:11:18:52:fe:5c:95:e1:f7:57:1f:3e:44:c0:
+                    99:da:9e:22:81:84:1b:98:db:95:bc:d3:49:5a:29:
+                    00:e4:9d:8f:63:5a:b1:00:5e:2a:c4:bf:9d:66:0e:
+                    18:f2:a6:7c:b7:5f:f4:96:e3:8b:27:b8:93:cc:fc:
+                    2b:52:34:5b:fc:8b:ac:76:82:1e:0c:3e:8e:3b:78:
+                    98:6a:35:88:c1:52:26:81:5c:e1:05:a8:e2:65:7c:
+                    c6:d0:d4:00:a4:9d:2c:41:89:f2:45:6d:1d:58:c0:
+                    f3:15:75:5d:b2:c3:ee:ac:c8:0a:73:19:a4:f8:c5:
+                    57:19:91:ed:a7:94:9a:1e:cd:1f:54:aa:db:a3:39:
+                    ab:e7:25:4a:41:f0:92:77:18:fa:ba:ef:63:7d:0b:
+                    65:fe:1c:e1:f9:70:36:f8:42:4e:07:e8:47:a5:7f:
+                    f1:47:16:dd:08:5b:45:e1:cc:8c:26:a8:a1:1d:f4:
+                    8d:6b:5f:74:cb:94:38:4d:a6:78:69:8f:34:9e:e2:
+                    e7:9f:02:06:ec:0f:a6:da:32:65:0a:df:5d:91:c3:
+                    6e:43:7a:16:9b:c9:eb:52:70:ae:c8:48:95:86:3e:
+                    16:27
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Authority Key Identifier: 
+                keyid:E2:0F:66:4C:20:2C:78:21:2A:8F:29:DB:F9:99:F6:00:86:C4:AF:E1
+
+            X509v3 Subject Key Identifier: 
+                C8:9B:AA:58:F3:56:57:9C:C5:71:3A:64:C1:9D:0B:5E:79:44:96:56
+            X509v3 Key Usage: critical
+                Digital Signature, Key Encipherment
+            X509v3 Basic Constraints: critical
+                CA:FALSE
+            X509v3 Subject Alternative Name: 
+                DNS:www.example.com
+            Authority Information Access: 
+                CA Issuers - URI:http://ca.example.com/ca.crt
+                OCSP - URI:http://ocsp.example.com/ocsp
+
+            X509v3 Certificate Policies: 
+                Policy: 1.2.3.4.5
+
+            X509v3 Extended Key Usage: 
+                TLS Web Server Authentication, TLS Web Client Authentication
+            qcStatements: 
+                0w0......F..0V.....F..0L0$..http://example.com/en/test.pdf..EN0$..http://example.com/de/test.pdf..de0......F..0......F...
+    Signature Algorithm: sha256WithRSAEncryption
+         0a:b7:f5:a8:52:7e:47:f9:bf:e9:f9:c1:50:f1:a6:d3:81:21:
+         46:84:64:fe:14:79:0f:6e:a8:50:5e:37:ab:62:37:c3:51:da:
+         ea:51:aa:4a:9f:6f:60:24:cd:7d:a4:6a:b5:66:61:9d:3b:38:
+         82:2c:14:85:96:b3:0c:23:35:1c:c6:bc:2e:d7:09:71:a3:7b:
+         6b:45:96:d1:e0:c6:89:fb:0a:e1:76:7e:2e:83:cb:2e:d7:91:
+         eb:29:15:a7:1b:da:6b:f1:f7:fc:46:85:a4:30:7a:5a:76:04:
+         5e:e2:b2:f5:4a:9b:c1:54:54:c4:1d:87:9d:35:5a:a5:ec:5f:
+         f6:e5:f9:ad:f3:7f:6d:29:ae:52:03:07:7e:67:ec:0b:a4:f9:
+         98:76:66:f1:9f:85:19:e1:d5:de:cd:35:79:46:b2:61:c5:03:
+         35:24:70:ff:ef:82:84:af:f6:6f:95:dd:31:19:be:cd:aa:f6:
+         d0:41:1b:d6:4e:a8:08:db:ca:f5:fa:d6:47:77:bf:f8:5a:6a:
+         e7:d8:c9:0b:57:91:1e:4d:01:4e:9e:6d:62:dd:b4:b8:b8:05:
+         e9:6a:40:78:4c:c0:26:0c:99:ad:6a:72:1c:42:2b:4d:42:cf:
+         63:9a:d6:b8:cf:d3:ae:11:47:e9:34:73:7e:13:5c:b8:de:c9:
+         42:b7:19:b2
 -----BEGIN CERTIFICATE-----
 MIIEzjCCA7agAwIBAgINCuTwQDAlZVfVaOtAFTANBgkqhkiG9w0BAQsFADBAMRQw
 EgYDVQQDDAtMaW50IFN1Yi1DQTENMAsGA1UECwwEVGVzdDEMMAoGA1UECgwDTVRH

v2/testdata/QcStmtEtsiMissingEnglishPdsCert04.pem

@@ -1,3 +1,76 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            0b:a7:29:80:c7:a2:24:51:07:50:2a:90:8d
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: CN = Lint Sub-CA, OU = Test, O = MTG, C = DE
+        Validity
+            Not Before: Nov 21 03:21:29 2018 GMT
+            Not After : Nov 21 03:21:29 2048 GMT
+        Subject: CN = www.example.com, OU = Test, O = MTG, L = Darmstadt, ST = Hessen, C = DE
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                RSA Public-Key: (2048 bit)
+                Modulus:
+                    00:d2:47:99:12:e5:33:bd:47:eb:a1:ba:d0:b0:21:
+                    75:c5:2b:ad:5d:d1:7a:e2:0a:0e:cd:1f:42:0a:2f:
+                    ff:38:74:96:d6:c1:74:85:16:2d:c1:33:c1:bf:17:
+                    b8:fc:aa:2e:63:20:5d:6c:4b:89:c3:32:87:e6:28:
+                    5a:15:62:58:30:22:41:9e:9c:b5:a4:ee:39:2c:98:
+                    ee:90:2e:c7:e3:4f:9b:ba:d6:a8:87:a6:b3:90:50:
+                    8f:53:8d:53:63:7e:da:36:df:81:10:1e:6d:dd:6d:
+                    45:f8:6f:c7:45:5d:1c:66:b7:68:0d:e9:d7:e1:e0:
+                    68:a6:ef:ef:50:63:18:b3:41:0e:42:9c:17:6d:d9:
+                    da:65:9e:f8:3e:a0:92:d5:59:81:f3:1a:c9:f7:47:
+                    32:01:48:6b:a7:ca:84:c3:a1:3b:a1:3e:d2:d9:4f:
+                    c7:87:c3:08:67:8b:88:ff:87:92:c1:bc:be:48:d9:
+                    cd:a3:00:ee:3d:4c:6b:50:3a:a9:fb:b2:7c:f6:35:
+                    78:e6:c9:f9:9d:d4:c9:1f:63:e0:f3:6e:a2:0c:83:
+                    81:2a:29:65:30:27:a1:fe:74:d8:8d:a3:68:4e:3b:
+                    dd:99:15:7e:55:f4:aa:c0:f4:89:e5:3e:cf:66:ab:
+                    25:69:a9:82:d5:35:08:3f:d2:b5:0c:9e:fe:43:2a:
+                    62:6d
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Authority Key Identifier: 
+                keyid:E2:0F:66:4C:20:2C:78:21:2A:8F:29:DB:F9:99:F6:00:86:C4:AF:E1
+
+            X509v3 Subject Key Identifier: 
+                18:C8:77:53:F8:49:C3:57:53:F6:0D:68:96:D7:F0:A0:D2:D8:56:4B
+            X509v3 Key Usage: critical
+                Digital Signature, Key Encipherment
+            X509v3 Basic Constraints: critical
+                CA:FALSE
+            X509v3 Subject Alternative Name: 
+                DNS:www.example.com
+            Authority Information Access: 
+                CA Issuers - URI:http://ca.example.com/ca.crt
+                OCSP - URI:http://ocsp.example.com/ocsp
+
+            X509v3 Certificate Policies: 
+                Policy: 1.2.3.4.5
+
+            X509v3 Extended Key Usage: 
+                TLS Web Server Authentication, TLS Web Client Authentication
+            qcStatements: 
+                0Q0......F..00.....F..0&0$..http://example.com/de/test.pdf..de0......F..0......F...
+    Signature Algorithm: sha256WithRSAEncryption
+         95:3a:a9:9e:ef:8c:a6:34:8a:08:23:01:01:85:ba:62:4c:6a:
+         80:c2:d7:5e:b7:fa:84:f7:11:a7:65:5f:c5:6b:d0:d7:18:ad:
+         6e:5b:d5:f6:cb:06:62:91:60:de:ed:33:ee:5f:aa:de:75:67:
+         40:bb:e9:7f:a3:11:db:ed:28:b4:c6:93:9e:f6:3d:94:cb:13:
+         d9:56:50:ef:5c:f7:eb:01:b8:a9:28:2e:2f:42:fb:2e:ba:9e:
+         cd:74:a1:1b:dd:e6:72:6d:ef:1a:8d:49:28:6d:9a:b1:8e:e1:
+         7e:6c:6d:5f:ab:26:23:25:71:3f:0f:4a:54:a9:10:7c:46:c2:
+         ba:51:b1:45:82:c9:43:e7:80:af:ba:51:76:9e:2e:e1:6a:01:
+         5f:7c:4a:40:ae:36:41:c0:da:fa:f7:61:ea:39:63:d0:c7:d1:
+         df:82:ef:ca:a7:b3:3e:4b:36:eb:e3:e2:d6:53:71:1f:6d:1a:
+         c9:40:b7:f9:eb:d4:5d:dd:d3:39:bb:a6:d9:db:f8:8a:f9:66:
+         21:e2:c2:44:bf:6d:a1:94:68:d0:5c:5a:76:f1:19:61:78:b5:
+         2c:0c:37:dd:c8:43:48:dd:07:27:88:e6:ac:5b:c3:a1:02:5c:
+         0f:1d:76:b4:47:59:d0:6c:72:9a:bc:b3:01:a6:f1:0b:9d:86:
+         64:6f:d0:9b
 -----BEGIN CERTIFICATE-----
 MIIEpzCCA4+gAwIBAgINC6cpgMeiJFEHUCqQjTANBgkqhkiG9w0BAQsFADBAMRQw
 EgYDVQQDDAtMaW50IFN1Yi1DQTENMAsGA1UECwwEVGVzdDEMMAoGA1UECgwDTVRH