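#!/bin/sh
#
# Copyright (c) 2006 - 2007 Kungliga Tekniska Högskolan
# (Royal Institute of Technology, Stockholm, Sweden).
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
#
# 1. Redistributions of source code must retain the above copyright
#    notice, this list of conditions and the following disclaimer.
#
# 2. Redistributions in binary form must reproduce the above copyright
#    notice, this list of conditions and the following disclaimer in the
#    documentation and/or other materials provided with the distribution.
#
# 3. Neither the name of the Institute nor the names of its contributors
#    may be used to endorse or promote products derived from this software
#    without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
# SUCH DAMAGE.
#
# $Id: test_ca.in 21345 2007-06-26 14:22:57Z lha $
#

# Regression test for the hx509 CA functionality exposed through hxtool:
# PKCS#10 request creation, certificate issuing (end-entity, CA, sub-CA,
# proxy, PKINIT and various subjectAltName flavours), CRL signing, path
# validation (CRL, hostname, basicConstraints/pathLen) and CMS
# SignedData creation/verification.
#
# Every positive step terminates the script with status 1 on failure.
# Negative steps ("... (fail)", "verify failure ...") terminate with
# status 1 when the verification unexpectedly *succeeds*; note that this
# pattern cannot tell a rejected certificate from a crashed or missing
# hxtool, so a broken build makes those steps look like passes.
#
# @srcdir@ and @objdir@ are filled in by configure.  $srcdir/data holds
# fixed test fixtures (ca.crt/ca.key, test.crt/test.key, key.der); these
# are test-only keys checked into the source tree.  All generated
# artefacts (cert-*.pem/der, crl.crl, sd.data*) are written to the
# current working directory and overwritten by later steps.

srcdir="@srcdir@"
objdir="@objdir@"

stat="--statistic-file=${objdir}/statfile"

# Deliberately expanded unquoted below: TESTS_ENVIRONMENT may contain
# several words (a wrapper and its options) that must be split.
hxtool="${TESTS_ENVIRONMENT} ./hxtool ${stat}"

# Status 77 is the automake "test skipped" code.  Without a real RSA
# implementation or a random source no key can be generated or used
# for signing, so the rest of the test is meaningless.
if ${hxtool} info | grep 'rsa: hcrypto null RSA' > /dev/null ; then
    exit 77
fi
if ${hxtool} info | grep 'rand: not available' > /dev/null ; then
    exit 77
fi

# The fixed key from the fixtures is used for the request; most issue
# steps below reuse this single request and overwrite cert-ee.pem.
echo "create certificate request"
${hxtool} request-create \
         --subject="CN=Love,DC=it,DC=su,DC=se" \
         --key="FILE:$srcdir/data/key.der" \
         pkcs10-request.der || exit 1

echo "issue certificate"
${hxtool} issue-certificate \
          --ca-certificate="FILE:$srcdir/data/ca.crt,$srcdir/data/ca.key" \
          --subject="cn=foo" \
          --req="PKCS10:pkcs10-request.der" \
          --certificate="FILE:cert-ee.pem" || exit 1

# --missing-revoke: presumably tolerates the absence of revocation data
# (no CRL is supplied here); the CRL steps below verify without it.
echo "verify certificate"
${hxtool} verify --missing-revoke \
        cert:FILE:cert-ee.pem \
        "anchor:FILE:$srcdir/data/ca.crt" > /dev/null || exit 1

echo "issue crl (no cert)"
${hxtool} crl-sign \
        --crl-file=crl.crl \
        --signer="FILE:$srcdir/data/ca.crt,$srcdir/data/ca.key" || exit 1

echo "verify certificate (with CRL)"
${hxtool} verify \
        cert:FILE:cert-ee.pem \
        crl:FILE:crl.crl \
        "anchor:FILE:$srcdir/data/ca.crt" > /dev/null || exit 1

# The end-entity certificate is now listed in the CRL, so verification
# must be rejected.  '&& exit 1' asserts only that verify did not
# succeed -- see the caveat in the header comment.
echo "issue crl (with cert)"
${hxtool} crl-sign \
        --crl-file=crl.crl \
        --signer="FILE:$srcdir/data/ca.crt,$srcdir/data/ca.key" \
        FILE:cert-ee.pem || exit 1

echo "verify certificate (included in CRL)"
${hxtool} verify \
        cert:FILE:cert-ee.pem \
        crl:FILE:crl.crl \
        "anchor:FILE:$srcdir/data/ca.crt" > /dev/null && exit 1

# Same as above but with an explicit CRL validity period.
echo "issue crl (with cert, lifetime 1 month)"
${hxtool} crl-sign \
        --crl-file=crl.crl \
        --lifetime='1 month' \
        --signer="FILE:$srcdir/data/ca.crt,$srcdir/data/ca.key" \
        FILE:cert-ee.pem || exit 1

echo "verify certificate (included in CRL, and lifetime 1 month)"
${hxtool} verify \
        cert:FILE:cert-ee.pem \
        crl:FILE:crl.crl \
        "anchor:FILE:$srcdir/data/ca.crt" > /dev/null && exit 1

echo "issue certificate (10years 1 month)"
${hxtool} issue-certificate \
          --ca-certificate="FILE:$srcdir/data/ca.crt,$srcdir/data/ca.key" \
          --subject="cn=foo" \
          --lifetime="10years 1 month" \
          --req="PKCS10:pkcs10-request.der" \
          --certificate="FILE:cert-ee.pem" || exit 1

# --type selects a certificate profile (extended key usage and friends);
# several may be combined.
echo "issue certificate (with https ekus)"
${hxtool} issue-certificate \
          --ca-certificate="FILE:$srcdir/data/ca.crt,$srcdir/data/ca.key" \
          --subject="cn=foo" \
          --type="https-server" \
          --type="https-client" \
          --req="PKCS10:pkcs10-request.der" \
          --certificate="FILE:cert-ee.pem" || exit 1

echo "issue certificate (pkinit KDC)"
${hxtool} issue-certificate \
          --ca-certificate="FILE:$srcdir/data/ca.crt,$srcdir/data/ca.key" \
          --subject="cn=foo" \
          --type="pkinit-kdc" \
          --pk-init-principal="krbtgt/TEST.H5L.SE@TEST.H5L.SE" \
          --req="PKCS10:pkcs10-request.der" \
          --certificate="FILE:cert-ee.pem" || exit 1

echo "issue certificate (pkinit client)"
${hxtool} issue-certificate \
          --ca-certificate="FILE:$srcdir/data/ca.crt,$srcdir/data/ca.key" \
          --subject="cn=foo" \
          --type="pkinit-client" \
          --pk-init-principal="lha@TEST.H5L.SE" \
          --req="PKCS10:pkcs10-request.der" \
          --certificate="FILE:cert-ee.pem" || exit 1

# Hostname matching: names carried as dNSName SANs must match exactly;
# a different label (www2) and a prefixed label (2www) are rejected.
echo "issue certificate (hostnames)"
${hxtool} issue-certificate \
          --ca-certificate="FILE:$srcdir/data/ca.crt,$srcdir/data/ca.key" \
          --subject="cn=foo" \
          --type="https-server" \
          --hostname="www.test.h5l.se" \
          --hostname="ftp.test.h5l.se" \
          --req="PKCS10:pkcs10-request.der" \
          --certificate="FILE:cert-ee.pem" || exit 1

echo "verify certificate hostname (ok)"
${hxtool} verify --missing-revoke \
        --hostname=www.test.h5l.se \
        cert:FILE:cert-ee.pem \
        "anchor:FILE:$srcdir/data/ca.crt" > /dev/null || exit 1

echo "verify certificate hostname (fail)"
${hxtool} verify --missing-revoke \
        --hostname=www2.test.h5l.se \
        cert:FILE:cert-ee.pem \
        "anchor:FILE:$srcdir/data/ca.crt" > /dev/null && exit 1

echo "verify certificate hostname (fail)"
${hxtool} verify --missing-revoke \
        --hostname=2www.test.h5l.se \
        cert:FILE:cert-ee.pem \
        "anchor:FILE:$srcdir/data/ca.crt" > /dev/null && exit 1

# Hostname carried only in the subject CN (no SAN) must still match,
# and a different name must still be rejected.
echo "issue certificate (hostname in CN)"
${hxtool} issue-certificate \
          --ca-certificate="FILE:$srcdir/data/ca.crt,$srcdir/data/ca.key" \
          --subject="cn=www.test.h5l.se" \
          --type="https-server" \
          --req="PKCS10:pkcs10-request.der" \
          --certificate="FILE:cert-ee.pem" || exit 1

echo "verify certificate hostname (ok)"
${hxtool} verify --missing-revoke \
        --hostname=www.test.h5l.se \
        cert:FILE:cert-ee.pem \
        "anchor:FILE:$srcdir/data/ca.crt" > /dev/null || exit 1

echo "verify certificate hostname (fail)"
${hxtool} verify --missing-revoke \
        --hostname=www2.test.h5l.se \
        cert:FILE:cert-ee.pem \
        "anchor:FILE:$srcdir/data/ca.crt" > /dev/null && exit 1

echo "issue certificate (email)"
${hxtool} issue-certificate \
          --ca-certificate="FILE:$srcdir/data/ca.crt,$srcdir/data/ca.key" \
          --subject="cn=foo" \
          --email="lha@test.h5l.se" \
          --email="test@test.h5l.se" \
          --req="PKCS10:pkcs10-request.der" \
          --certificate="FILE:cert-ee.pem" || exit 1

# An empty subject DN is permitted when a SAN (here rfc822Name) is
# present; written to its own file so it is not clobbered.
echo "issue certificate (email, null subject DN)"
${hxtool} issue-certificate \
          --ca-certificate="FILE:$srcdir/data/ca.crt,$srcdir/data/ca.key" \
          --subject="" \
          --email="lha@test.h5l.se" \
          --req="PKCS10:pkcs10-request.der" \
          --certificate="FILE:cert-null.pem" || exit 1

echo "issue certificate (jabber)"
${hxtool} issue-certificate \
          --ca-certificate="FILE:$srcdir/data/ca.crt,$srcdir/data/ca.key" \
          --subject="cn=foo" \
          --jid="lha@test.h5l.se" \
          --req="PKCS10:pkcs10-request.der" \
          --certificate="FILE:cert-ee.pem" || exit 1

# Self-signed issuing takes the signing key directly instead of a CA
# certificate/key pair.
echo "issue self-signed cert"
${hxtool} issue-certificate \
          --self-signed \
          --ca-private-key="FILE:$srcdir/data/key.der" \
          --subject="cn=test" \
          --certificate="FILE:cert-ee.pem" || exit 1

echo "issue ca cert"
${hxtool} issue-certificate \
          --ca-certificate="FILE:$srcdir/data/ca.crt,$srcdir/data/ca.key" \
          --issue-ca \
          --subject="cn=ca-cert" \
          --req="PKCS10:pkcs10-request.der" \
          --certificate="FILE:cert-ca.der" || exit 1

echo "issue self-signed ca cert"
${hxtool} issue-certificate \
          --self-signed \
          --issue-ca \
          --ca-private-key="FILE:$srcdir/data/key.der" \
          --subject="cn=ca-root" \
          --certificate="FILE:cert-ca.der" || exit 1

# Proxy certificates (RFC 3820) are issued by an end-entity (test.crt),
# so the verifier must be told explicitly to accept them and needs the
# issuing end-entity certificate in the chain.
echo "issue proxy certificate"
${hxtool} issue-certificate \
          --ca-certificate="FILE:$srcdir/data/test.crt,$srcdir/data/test.key" \
          --issue-proxy \
          --req="PKCS10:pkcs10-request.der" \
          --certificate="FILE:cert-proxy.der" || exit 1

echo "verify proxy cert"
${hxtool} verify --missing-revoke \
    --allow-proxy-certificate \
    cert:FILE:cert-proxy.der \
    "chain:FILE:$srcdir/data/test.crt" \
    "anchor:FILE:$srcdir/data/ca.crt" > /dev/null || exit 1

# From here on a fresh hierarchy (root -> sub-CA -> EE) is built with
# keys generated by hxtool; the generated key is presumably stored in
# the same PEM file, since later steps use cert-ca.pem as a private key.
# --path-length=-1 presumably means "no pathLenConstraint".
echo "issue ca cert (generate rsa key)"
${hxtool} issue-certificate \
          --self-signed \
          --issue-ca \
          --serial-number="deadbeaf" \
          --generate-key=rsa \
          --path-length=-1 \
          --subject="cn=ca2-cert" \
          --certificate="FILE:cert-ca.pem" || exit 1

echo "issue sub-ca cert (generate rsa key)"
${hxtool} issue-certificate \
          --ca-certificate=FILE:cert-ca.pem \
          --issue-ca \
          --serial-number="deadbeaf22" \
          --generate-key=rsa \
          --subject="cn=sub-ca2-cert" \
          --certificate="FILE:cert-sub-ca.pem" || exit 1

echo "issue ee cert (generate rsa key)"
${hxtool} issue-certificate \
          --ca-certificate=FILE:cert-ca.pem \
          --generate-key=rsa \
          --subject="cn=cert-ee2" \
          --certificate="FILE:cert-ee.pem" || exit 1

echo "issue sub-ca ee cert (generate rsa key)"
${hxtool} issue-certificate \
          --ca-certificate=FILE:cert-sub-ca.pem \
          --generate-key=rsa \
          --subject="cn=cert-sub-ee2" \
          --certificate="FILE:cert-sub-ee.pem" || exit 1

echo "verify certificate (ee)"
${hxtool} verify --missing-revoke \
        cert:FILE:cert-ee.pem \
        anchor:FILE:cert-ca.pem > /dev/null || exit 1

echo "verify certificate (sub-ee)"
${hxtool} verify --missing-revoke \
        cert:FILE:cert-sub-ee.pem \
        chain:FILE:cert-sub-ca.pem \
        anchor:FILE:cert-ca.pem || exit 1

# CMS SignedData round trip: sign a source file with the generated EE
# key, verify against the generated root, and check the payload is
# returned unchanged.
echo "sign CMS signature (generate key)"
${hxtool} cms-create-sd \
        --certificate=FILE:cert-ee.pem \
        "$srcdir/test_name.c" \
        sd.data > /dev/null || exit 1

echo "verify CMS signature (generate key)"
${hxtool} cms-verify-sd \
        --missing-revoke \
        --anchors=FILE:cert-ca.pem \
        sd.data sd.data.out > /dev/null || exit 1
cmp "$srcdir/test_name.c" sd.data.out || exit 1

# Re-issue the root with the same key, serial and subject but a new
# lifetime; certificates issued by the old root must still chain to it.
echo "extend ca cert"
${hxtool} issue-certificate \
          --self-signed \
          --issue-ca \
          --lifetime="2years" \
          --serial-number="deadbeaf" \
          --ca-private-key=FILE:cert-ca.pem \
          --subject="cn=ca2-cert" \
          --certificate="FILE:cert-ca.pem" || exit 1

echo "verify certificate generated by previous ca"
${hxtool} verify --missing-revoke \
        cert:FILE:cert-ee.pem \
        anchor:FILE:cert-ca.pem > /dev/null || exit 1

# Same extension, but copying the listed fields from the existing
# certificate instead of restating them on the command line.
echo "extend ca cert (template)"
${hxtool} issue-certificate \
          --self-signed \
          --issue-ca \
          --lifetime="3years" \
          --template-certificate="FILE:cert-ca.pem" \
          --template-fields="serialNumber,notBefore,subject" \
          --path-length=-1 \
          --ca-private-key=FILE:cert-ca.pem \
          --certificate="FILE:cert-ca.pem" || exit 1

echo "verify certificate generated by previous ca"
${hxtool} verify --missing-revoke \
        cert:FILE:cert-ee.pem \
        anchor:FILE:cert-ca.pem > /dev/null || exit 1

echo "extend sub-ca cert (template)"
${hxtool} issue-certificate \
          --ca-certificate=FILE:cert-ca.pem \
          --issue-ca \
          --lifetime="2years" \
          --template-certificate="FILE:cert-sub-ca.pem" \
          --template-fields="serialNumber,notBefore,subject,SPKI" \
          --certificate="FILE:cert-sub-ca2.pem" || exit 1

echo "verify certificate (sub-ee) with extended chain"
${hxtool} verify --missing-revoke \
        cert:FILE:cert-sub-ee.pem \
        chain:FILE:cert-sub-ca.pem \
        anchor:FILE:cert-ca.pem > /dev/null || exit 1

echo "+++++++++++ test basic constraints"

# pathLenConstraint=0 on the root forbids any intermediate CA, so the
# root -> sub-CA -> EE chain must be rejected; pathLen=1 allows exactly
# one intermediate and the same chain must pass.
echo "extend ca cert (too low path-length constraint)"
${hxtool} issue-certificate \
          --self-signed \
          --issue-ca \
          --lifetime="3years" \
          --template-certificate="FILE:cert-ca.pem" \
          --template-fields="serialNumber,notBefore,subject" \
          --path-length=0 \
          --ca-private-key=FILE:cert-ca.pem \
          --certificate="FILE:cert-ca.pem" || exit 1

echo "verify failure of certificate (sub-ee) with path-length constraint"
${hxtool} verify --missing-revoke \
        cert:FILE:cert-sub-ee.pem \
        chain:FILE:cert-sub-ca.pem \
        anchor:FILE:cert-ca.pem > /dev/null && exit 1

echo "extend ca cert (exact path-length constraint)"
${hxtool} issue-certificate \
          --self-signed \
          --issue-ca \
          --lifetime="3years" \
          --template-certificate="FILE:cert-ca.pem" \
          --template-fields="serialNumber,notBefore,subject" \
          --path-length=1 \
          --ca-private-key=FILE:cert-ca.pem \
          --certificate="FILE:cert-ca.pem" || exit 1

echo "verify certificate (sub-ee) with exact path-length constraint"
${hxtool} verify --missing-revoke \
        cert:FILE:cert-sub-ee.pem \
        chain:FILE:cert-sub-ca.pem \
        anchor:FILE:cert-ca.pem > /dev/null || exit 1

# Re-issue the sub-CA from its template *without* --issue-ca: the
# result carries the sub-CA's key and subject but lacks cA=TRUE, so a
# chain through it must be rejected (otherwise any end-entity could act
# as an issuer).
echo "Check missing basicConstraints.isCa"
${hxtool} issue-certificate \
          --ca-certificate=FILE:cert-ca.pem \
          --lifetime="2years" \
          --template-certificate="FILE:cert-sub-ca.pem" \
          --template-fields="serialNumber,notBefore,subject,SPKI" \
          --certificate="FILE:cert-sub-ca2.pem" || exit 1

echo "verify failure certificate (sub-ee) with missing isCA"
${hxtool} verify --missing-revoke \
        cert:FILE:cert-sub-ee.pem \
        chain:FILE:cert-sub-ca2.pem \
        anchor:FILE:cert-ca.pem > /dev/null && exit 1

# Only checks that a CRL distribution point URI can be embedded; nothing
# is fetched from it.
echo "issue ee cert (crl uri)"
${hxtool} issue-certificate \
          --ca-certificate=FILE:cert-ca.pem \
          --req="PKCS10:pkcs10-request.der" \
          --crl-uri="http://www.test.h5l.se/crl1.crl" \
          --subject="cn=cert-ee-crl-uri" \
          --certificate="FILE:cert-ee.pem" || exit 1

echo "issue null subject cert"
${hxtool} issue-certificate \
          --ca-certificate=FILE:cert-ca.pem \
          --req="PKCS10:pkcs10-request.der" \
          --subject="" \
          --email="lha@test.h5l.se" \
          --certificate="FILE:cert-ee.pem" || exit 1

echo "verify certificate null subject"
${hxtool} verify --missing-revoke \
        cert:FILE:cert-ee.pem \
        anchor:FILE:cert-ca.pem > /dev/null || exit 1

exit 0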