Sync usage with man page.
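#!/bin/sh
#
# Copyright (c) 2006 - 2007 Kungliga Tekniska Högskolan
# (Royal Institute of Technology, Stockholm, Sweden).
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
#
# 1. Redistributions of source code must retain the above copyright
#    notice, this list of conditions and the following disclaimer.
#
# 2. Redistributions in binary form must reproduce the above copyright
#    notice, this list of conditions and the following disclaimer in the
#    documentation and/or other materials provided with the distribution.
#
# 3. Neither the name of the Institute nor the names of its contributors
#    may be used to endorse or promote products derived from this software
#    without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
# SUCH DAMAGE.
#
# $Heimdal: test_ca.in 21345 2007-06-26 14:22:57Z lha $
# $NetBSD$
#
# Regression test for the hx509 CA code, driven through hxtool.
#
# Flow: create a PKCS#10 request, issue certificates carrying various
# extensions (https EKUs, PKINIT principals, hostnames, e-mail, jabber id,
# proxy, CA / sub-CA, template-based re-issue), sign CRLs, and run the
# verifier against each artefact.
#
# Conventions used throughout:
#   cmd ... || exit 1   the step must succeed
#   cmd ... && exit 1   negative test: the step MUST fail.  These are the
#                       checks that actually prove the verifier enforces
#                       revocation, hostname matching, pathLenConstraint
#                       and basicConstraints.cA, so they must not be
#                       "fixed" into "|| exit 1".
#   exit 77             skip: the build has no usable RSA or no random
#                       source, so nothing here can be exercised.
#
# @srcdir@ / @objdir@ are filled in by the build system.  TESTS_ENVIRONMENT
# may hold a wrapper command and is intentionally left unquoted when
# ${hxtool} is expanded so that it word-splits into separate arguments.
# All generated files are written to the current (object) directory.

srcdir="@srcdir@"
objdir="@objdir@"

stat="--statistic-file=${objdir}/statfile"

# Expanded unquoted below on purpose (see header); ${stat} therefore must
# not contain whitespace.
hxtool="${TESTS_ENVIRONMENT} ./hxtool ${stat}"

# Skip when the crypto backend cannot sign (null RSA) or has no entropy.
if ${hxtool} info | grep 'rsa: hcrypto null RSA' > /dev/null ; then
  exit 77
fi
if ${hxtool} info | grep 'rand: not available' > /dev/null ; then
  exit 77
fi

echo "create certificate request"
${hxtool} request-create \
  --subject="CN=Love,DC=it,DC=su,DC=se" \
  --key="FILE:$srcdir/data/key.der" \
  pkcs10-request.der || exit 1

echo "issue certificate"
${hxtool} issue-certificate \
  --ca-certificate="FILE:$srcdir/data/ca.crt,$srcdir/data/ca.key" \
  --subject="cn=foo" \
  --req="PKCS10:pkcs10-request.der" \
  --certificate="FILE:cert-ee.pem" || exit 1

# --missing-revoke: accept the absence of revocation data (no CRL supplied).
echo "verify certificate"
${hxtool} verify --missing-revoke \
  cert:FILE:cert-ee.pem \
  "anchor:FILE:$srcdir/data/ca.crt" > /dev/null || exit 1

echo "issue crl (no cert)"
${hxtool} crl-sign \
  --crl-file=crl.crl \
  --signer="FILE:$srcdir/data/ca.crt,$srcdir/data/ca.key" || exit 1

echo "verify certificate (with CRL)"
${hxtool} verify \
  cert:FILE:cert-ee.pem \
  crl:FILE:crl.crl \
  "anchor:FILE:$srcdir/data/ca.crt" > /dev/null || exit 1

# Re-sign the CRL with cert-ee.pem listed as revoked.
echo "issue crl (with cert)"
${hxtool} crl-sign \
  --crl-file=crl.crl \
  --signer="FILE:$srcdir/data/ca.crt,$srcdir/data/ca.key" \
  FILE:cert-ee.pem || exit 1

# Negative test: the EE certificate is on the CRL, so verification must fail.
echo "verify certificate (included in CRL)"
${hxtool} verify \
  cert:FILE:cert-ee.pem \
  crl:FILE:crl.crl \
  "anchor:FILE:$srcdir/data/ca.crt" > /dev/null && exit 1

echo "issue crl (with cert)"
${hxtool} crl-sign \
  --crl-file=crl.crl \
  --lifetime='1 month' \
  --signer="FILE:$srcdir/data/ca.crt,$srcdir/data/ca.key" \
  FILE:cert-ee.pem || exit 1

# Negative test: still revoked, CRL now carries an explicit validity.
echo "verify certificate (included in CRL, and lifetime 1 month)"
${hxtool} verify \
  cert:FILE:cert-ee.pem \
  crl:FILE:crl.crl \
  "anchor:FILE:$srcdir/data/ca.crt" > /dev/null && exit 1

echo "issue certificate (10years 1 month)"
${hxtool} issue-certificate \
  --ca-certificate="FILE:$srcdir/data/ca.crt,$srcdir/data/ca.key" \
  --subject="cn=foo" \
  --lifetime="10years 1 month" \
  --req="PKCS10:pkcs10-request.der" \
  --certificate="FILE:cert-ee.pem" || exit 1

echo "issue certificate (with https ekus)"
${hxtool} issue-certificate \
  --ca-certificate="FILE:$srcdir/data/ca.crt,$srcdir/data/ca.key" \
  --subject="cn=foo" \
  --type="https-server" \
  --type="https-client" \
  --req="PKCS10:pkcs10-request.der" \
  --certificate="FILE:cert-ee.pem" || exit 1

echo "issue certificate (pkinit KDC)"
${hxtool} issue-certificate \
  --ca-certificate="FILE:$srcdir/data/ca.crt,$srcdir/data/ca.key" \
  --subject="cn=foo" \
  --type="pkinit-kdc" \
  --pk-init-principal="krbtgt/TEST.H5L.SE@TEST.H5L.SE" \
  --req="PKCS10:pkcs10-request.der" \
  --certificate="FILE:cert-ee.pem" || exit 1

echo "issue certificate (pkinit client)"
${hxtool} issue-certificate \
  --ca-certificate="FILE:$srcdir/data/ca.crt,$srcdir/data/ca.key" \
  --subject="cn=foo" \
  --type="pkinit-client" \
  --pk-init-principal="lha@TEST.H5L.SE" \
  --req="PKCS10:pkcs10-request.der" \
  --certificate="FILE:cert-ee.pem" || exit 1

# Hostname matching: two dNSNames in the SAN, subject CN is unrelated.
echo "issue certificate (hostnames)"
${hxtool} issue-certificate \
  --ca-certificate="FILE:$srcdir/data/ca.crt,$srcdir/data/ca.key" \
  --subject="cn=foo" \
  --type="https-server" \
  --hostname="www.test.h5l.se" \
  --hostname="ftp.test.h5l.se" \
  --req="PKCS10:pkcs10-request.der" \
  --certificate="FILE:cert-ee.pem" || exit 1

echo "verify certificate hostname (ok)"
${hxtool} verify --missing-revoke \
  --hostname=www.test.h5l.se \
  cert:FILE:cert-ee.pem \
  "anchor:FILE:$srcdir/data/ca.crt" > /dev/null || exit 1

# Negative tests: a suffix/prefix variation of a listed name must not match.
echo "verify certificate hostname (fail)"
${hxtool} verify --missing-revoke \
  --hostname=www2.test.h5l.se \
  cert:FILE:cert-ee.pem \
  "anchor:FILE:$srcdir/data/ca.crt" > /dev/null && exit 1

echo "verify certificate hostname (fail)"
${hxtool} verify --missing-revoke \
  --hostname=2www.test.h5l.se \
  cert:FILE:cert-ee.pem \
  "anchor:FILE:$srcdir/data/ca.crt" > /dev/null && exit 1

# Hostname matching against the subject CN when there is no SAN.
echo "issue certificate (hostname in CN)"
${hxtool} issue-certificate \
  --ca-certificate="FILE:$srcdir/data/ca.crt,$srcdir/data/ca.key" \
  --subject="cn=www.test.h5l.se" \
  --type="https-server" \
  --req="PKCS10:pkcs10-request.der" \
  --certificate="FILE:cert-ee.pem" || exit 1

echo "verify certificate hostname (ok)"
${hxtool} verify --missing-revoke \
  --hostname=www.test.h5l.se \
  cert:FILE:cert-ee.pem \
  "anchor:FILE:$srcdir/data/ca.crt" > /dev/null || exit 1

echo "verify certificate hostname (fail)"
${hxtool} verify --missing-revoke \
  --hostname=www2.test.h5l.se \
  cert:FILE:cert-ee.pem \
  "anchor:FILE:$srcdir/data/ca.crt" > /dev/null && exit 1

echo "issue certificate (email)"
${hxtool} issue-certificate \
  --ca-certificate="FILE:$srcdir/data/ca.crt,$srcdir/data/ca.key" \
  --subject="cn=foo" \
  --email="lha@test.h5l.se" \
  --email="test@test.h5l.se" \
  --req="PKCS10:pkcs10-request.der" \
  --certificate="FILE:cert-ee.pem" || exit 1

# Empty subject DN is legal when the SAN carries the identity.
echo "issue certificate (email, null subject DN)"
${hxtool} issue-certificate \
  --ca-certificate="FILE:$srcdir/data/ca.crt,$srcdir/data/ca.key" \
  --subject="" \
  --email="lha@test.h5l.se" \
  --req="PKCS10:pkcs10-request.der" \
  --certificate="FILE:cert-null.pem" || exit 1

echo "issue certificate (jabber)"
${hxtool} issue-certificate \
  --ca-certificate="FILE:$srcdir/data/ca.crt,$srcdir/data/ca.key" \
  --subject="cn=foo" \
  --jid="lha@test.h5l.se" \
  --req="PKCS10:pkcs10-request.der" \
  --certificate="FILE:cert-ee.pem" || exit 1

echo "issue self-signed cert"
${hxtool} issue-certificate \
  --self-signed \
  --ca-private-key="FILE:$srcdir/data/key.der" \
  --subject="cn=test" \
  --certificate="FILE:cert-ee.pem" || exit 1

echo "issue ca cert"
${hxtool} issue-certificate \
  --ca-certificate="FILE:$srcdir/data/ca.crt,$srcdir/data/ca.key" \
  --issue-ca \
  --subject="cn=ca-cert" \
  --req="PKCS10:pkcs10-request.der" \
  --certificate="FILE:cert-ca.der" || exit 1

echo "issue self-signed ca cert"
${hxtool} issue-certificate \
  --self-signed \
  --issue-ca \
  --ca-private-key="FILE:$srcdir/data/key.der" \
  --subject="cn=ca-root" \
  --certificate="FILE:cert-ca.der" || exit 1

# Proxy certificate issued by an end-entity (test.crt), not by the CA.
echo "issue proxy certificate"
${hxtool} issue-certificate \
  --ca-certificate="FILE:$srcdir/data/test.crt,$srcdir/data/test.key" \
  --issue-proxy \
  --req="PKCS10:pkcs10-request.der" \
  --certificate="FILE:cert-proxy.der" || exit 1

# Proxy certificates are rejected unless explicitly allowed.
echo "verify proxy cert"
${hxtool} verify --missing-revoke \
  --allow-proxy-certificate \
  cert:FILE:cert-proxy.der \
  "chain:FILE:$srcdir/data/test.crt" \
  "anchor:FILE:$srcdir/data/ca.crt" > /dev/null || exit 1

# From here on the hierarchy is built from freshly generated keys:
#   cert-ca.pem  ->  cert-sub-ca.pem  ->  cert-sub-ee.pem
#   cert-ca.pem  ->  cert-ee.pem
# --path-length=-1 presumably means "no pathLenConstraint"; the basic
# constraints section below sets 0 and 1 explicitly.
echo "issue ca cert (generate rsa key)"
${hxtool} issue-certificate \
  --self-signed \
  --issue-ca \
  --serial-number="deadbeaf" \
  --generate-key=rsa \
  --path-length=-1 \
  --subject="cn=ca2-cert" \
  --certificate="FILE:cert-ca.pem" || exit 1

echo "issue sub-ca cert (generate rsa key)"
${hxtool} issue-certificate \
  --ca-certificate=FILE:cert-ca.pem \
  --issue-ca \
  --serial-number="deadbeaf22" \
  --generate-key=rsa \
  --subject="cn=sub-ca2-cert" \
  --certificate="FILE:cert-sub-ca.pem" || exit 1

echo "issue ee cert (generate rsa key)"
${hxtool} issue-certificate \
  --ca-certificate=FILE:cert-ca.pem \
  --generate-key=rsa \
  --subject="cn=cert-ee2" \
  --certificate="FILE:cert-ee.pem" || exit 1

echo "issue sub-ca ee cert (generate rsa key)"
${hxtool} issue-certificate \
  --ca-certificate=FILE:cert-sub-ca.pem \
  --generate-key=rsa \
  --subject="cn=cert-sub-ee2" \
  --certificate="FILE:cert-sub-ee.pem" || exit 1

echo "verify certificate (ee)"
${hxtool} verify --missing-revoke \
  cert:FILE:cert-ee.pem \
  anchor:FILE:cert-ca.pem > /dev/null || exit 1

echo "verify certificate (sub-ee)"
${hxtool} verify --missing-revoke \
  cert:FILE:cert-sub-ee.pem \
  chain:FILE:cert-sub-ca.pem \
  anchor:FILE:cert-ca.pem || exit 1

# CMS SignedData round trip with the generated EE key; the payload is just
# an arbitrary source file from the tree.
echo "sign CMS signature (generate key)"
${hxtool} cms-create-sd \
  --certificate=FILE:cert-ee.pem \
  "$srcdir/test_name.c" \
  sd.data > /dev/null || exit 1

echo "verify CMS signature (generate key)"
${hxtool} cms-verify-sd \
  --missing-revoke \
  --anchors=FILE:cert-ca.pem \
  sd.data sd.data.out > /dev/null || exit 1
cmp "$srcdir/test_name.c" sd.data.out || exit 1

# Re-issue the root with the same key (--ca-private-key taken from the
# existing PEM); previously issued EE certs must still verify against it.
echo "extend ca cert"
${hxtool} issue-certificate \
  --self-signed \
  --issue-ca \
  --lifetime="2years" \
  --serial-number="deadbeaf" \
  --ca-private-key=FILE:cert-ca.pem \
  --subject="cn=ca2-cert" \
  --certificate="FILE:cert-ca.pem" || exit 1

echo "verify certificate generated by previous ca"
${hxtool} verify --missing-revoke \
  cert:FILE:cert-ee.pem \
  anchor:FILE:cert-ca.pem > /dev/null || exit 1

# Same again, but copying the listed fields from the old certificate.
echo "extend ca cert (template)"
${hxtool} issue-certificate \
  --self-signed \
  --issue-ca \
  --lifetime="3years" \
  --template-certificate="FILE:cert-ca.pem" \
  --template-fields="serialNumber,notBefore,subject" \
  --path-length=-1 \
  --ca-private-key=FILE:cert-ca.pem \
  --certificate="FILE:cert-ca.pem" || exit 1

echo "verify certificate generated by previous ca"
${hxtool} verify --missing-revoke \
  cert:FILE:cert-ee.pem \
  anchor:FILE:cert-ca.pem > /dev/null || exit 1

echo "extend sub-ca cert (template)"
${hxtool} issue-certificate \
  --ca-certificate=FILE:cert-ca.pem \
  --issue-ca \
  --lifetime="2years" \
  --template-certificate="FILE:cert-sub-ca.pem" \
  --template-fields="serialNumber,notBefore,subject,SPKI" \
  --certificate="FILE:cert-sub-ca2.pem" || exit 1

# NOTE(review): this verifies through the ORIGINAL sub-CA (cert-sub-ca.pem),
# not the freshly extended cert-sub-ca2.pem written just above, although the
# message says "extended chain".  The isCA check further down does use
# cert-sub-ca2.pem.  Confirm which chain was intended before changing it.
echo "verify certificate (sub-ee) with extended chain"
${hxtool} verify --missing-revoke \
  cert:FILE:cert-sub-ee.pem \
  chain:FILE:cert-sub-ca.pem \
  anchor:FILE:cert-ca.pem > /dev/null || exit 1

echo "+++++++++++ test basic constraints"

# Root with pathLenConstraint=0: a sub-CA below it must be rejected.
echo "extend ca cert (too low path-length constraint)"
${hxtool} issue-certificate \
  --self-signed \
  --issue-ca \
  --lifetime="3years" \
  --template-certificate="FILE:cert-ca.pem" \
  --template-fields="serialNumber,notBefore,subject" \
  --path-length=0 \
  --ca-private-key=FILE:cert-ca.pem \
  --certificate="FILE:cert-ca.pem" || exit 1

# Negative test.
echo "verify failure of certificate (sub-ee) with path-length constraint"
${hxtool} verify --missing-revoke \
  cert:FILE:cert-sub-ee.pem \
  chain:FILE:cert-sub-ca.pem \
  anchor:FILE:cert-ca.pem > /dev/null && exit 1

# pathLenConstraint=1 is exactly enough for root -> sub-CA -> EE.
echo "extend ca cert (exact path-length constraint)"
${hxtool} issue-certificate \
  --self-signed \
  --issue-ca \
  --lifetime="3years" \
  --template-certificate="FILE:cert-ca.pem" \
  --template-fields="serialNumber,notBefore,subject" \
  --path-length=1 \
  --ca-private-key=FILE:cert-ca.pem \
  --certificate="FILE:cert-ca.pem" || exit 1

echo "verify certificate (sub-ee) with exact path-length constraint"
${hxtool} verify --missing-revoke \
  cert:FILE:cert-sub-ee.pem \
  chain:FILE:cert-sub-ca.pem \
  anchor:FILE:cert-ca.pem > /dev/null || exit 1

# Re-issue the sub-CA's subject/SPKI WITHOUT --issue-ca: same key, but no
# basicConstraints.cA.  Anything it "signed" must then be rejected.
echo "Check missing basicConstrants.isCa"
${hxtool} issue-certificate \
  --ca-certificate=FILE:cert-ca.pem \
  --lifetime="2years" \
  --template-certificate="FILE:cert-sub-ca.pem" \
  --template-fields="serialNumber,notBefore,subject,SPKI" \
  --certificate="FILE:cert-sub-ca2.pem" || exit 1

# Negative test.
echo "verify failure certificate (sub-ee) with missing isCA"
${hxtool} verify --missing-revoke \
  cert:FILE:cert-sub-ee.pem \
  chain:FILE:cert-sub-ca2.pem \
  anchor:FILE:cert-ca.pem > /dev/null && exit 1

echo "issue ee cert (crl uri)"
${hxtool} issue-certificate \
  --ca-certificate=FILE:cert-ca.pem \
  --req="PKCS10:pkcs10-request.der" \
  --crl-uri="http://www.test.h5l.se/crl1.crl" \
  --subject="cn=cert-ee-crl-uri" \
  --certificate="FILE:cert-ee.pem" || exit 1

echo "issue null subject cert"
${hxtool} issue-certificate \
  --ca-certificate=FILE:cert-ca.pem \
  --req="PKCS10:pkcs10-request.der" \
  --subject="" \
  --email="lha@test.h5l.se" \
  --certificate="FILE:cert-ee.pem" || exit 1

echo "verify certificate null subject"
${hxtool} verify --missing-revoke \
  cert:FILE:cert-ee.pem \
  anchor:FILE:cert-ca.pem > /dev/null || exit 1

exit 0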