3 # Copyright (c) 2006 - 2007 Kungliga Tekniska Högskolan
4 # (Royal Institute of Technology, Stockholm, Sweden).
7 # Redistribution and use in source and binary forms, with or without
8 # modification, are permitted provided that the following conditions
11 # 1. Redistributions of source code must retain the above copyright
12 # notice, this list of conditions and the following disclaimer.
14 # 2. Redistributions in binary form must reproduce the above copyright
15 # notice, this list of conditions and the following disclaimer in the
16 # documentation and/or other materials provided with the distribution.
18 # 3. Neither the name of the Institute nor the names of its contributors
19 # may be used to endorse or promote products derived from this software
20 # without specific prior written permission.
22 # THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
23 # ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
24 # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
25 # ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
26 # FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
27 # DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
28 # OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
29 # HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
30 # LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
31 # OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
34 # $Heimdal: test_ca.in 21345 2007-06-26 14:22:57Z lha $
# Harness-supplied variables: objdir (build tree, receives the statistics
# file) and srcdir (location of the data/ fixtures used below).  Neither is
# asserted here; the script relies on the test driver exporting them.
statfile="${objdir}/statfile"
stat="--statistic-file=${statfile}"

# Every invocation below expands ${hxtool} unquoted on purpose:
# TESTS_ENVIRONMENT may be a multi-word command prefix (e.g. a wrapper),
# so word splitting is required for it to work.
hxtool="${TESTS_ENVIRONMENT} ./hxtool ${stat}"
45 if ${hxtool} info |
grep 'rsa: hcrypto null RSA' > /dev
/null
; then
48 if ${hxtool} info |
grep 'rand: not available' > /dev
/null
; then
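# Build the PKCS#10 request that every issue-certificate step below reuses.
# The signing key is a fixture under $srcdir/data; the path is quoted so a
# source tree containing spaces or glob characters is not word-split.
# ${hxtool} stays unquoted on purpose (TESTS_ENVIRONMENT may be a
# multi-word command prefix).
echo "create certificate request"
${hxtool} request-create \
  --subject="CN=Love,DC=it,DC=su,DC=se" \
  --key="FILE:$srcdir/data/key.der" \
  pkcs10-request.der || exit 1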
58 echo "issue certificate"
59 ${hxtool} issue-certificate \
60 --ca-certificate=FILE
:$srcdir/data
/ca.crt
,$srcdir/data
/ca.key \
62 --req="PKCS10:pkcs10-request.der" \
63 --certificate="FILE:cert-ee.pem" ||
exit 1
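# Path-validate the freshly issued leaf against the fixture CA.
# --missing-revoke: absent CRL/OCSP data is not treated as a failure, so
# this step checks the chain only, not revocation status.
# The $srcdir fixture path is quoted so it cannot be word-split or globbed.
echo "verify certificate"
${hxtool} verify --missing-revoke \
  cert:FILE:cert-ee.pem \
  "anchor:FILE:$srcdir/data/ca.crt" > /dev/null || exit 1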
70 echo "issue crl (no cert)"
73 --signer=FILE
:$srcdir/data
/ca.crt
,$srcdir/data
/ca.key ||
exit 1
75 echo "verify certificate (with CRL)"
77 cert
:FILE
:cert-ee.pem \
79 anchor
:FILE
:$srcdir/data
/ca.crt
> /dev
/null ||
exit 1
81 echo "issue crl (with cert)"
84 --signer=FILE
:$srcdir/data
/ca.crt
,$srcdir/data
/ca.key \
85 FILE
:cert-ee.pem ||
exit 1
87 echo "verify certificate (included in CRL)"
89 cert
:FILE
:cert-ee.pem \
91 anchor
:FILE
:$srcdir/data
/ca.crt
> /dev
/null
&& exit 1
93 echo "issue crl (with cert)"
96 --lifetime='1 month' \
97 --signer=FILE
:$srcdir/data
/ca.crt
,$srcdir/data
/ca.key \
98 FILE
:cert-ee.pem ||
exit 1
100 echo "verify certificate (included in CRL, and lifetime 1 month)"
102 cert
:FILE
:cert-ee.pem \
104 anchor
:FILE
:$srcdir/data
/ca.crt
> /dev
/null
&& exit 1
106 echo "issue certificate (10years 1 month)"
107 ${hxtool} issue-certificate \
108 --ca-certificate=FILE
:$srcdir/data
/ca.crt
,$srcdir/data
/ca.key \
110 --lifetime="10years 1 month" \
111 --req="PKCS10:pkcs10-request.der" \
112 --certificate="FILE:cert-ee.pem" ||
exit 1
114 echo "issue certificate (with https ekus)"
115 ${hxtool} issue-certificate \
116 --ca-certificate=FILE
:$srcdir/data
/ca.crt
,$srcdir/data
/ca.key \
118 --type="https-server" \
119 --type="https-client" \
120 --req="PKCS10:pkcs10-request.der" \
121 --certificate="FILE:cert-ee.pem" ||
exit 1
123 echo "issue certificate (pkinit KDC)"
124 ${hxtool} issue-certificate \
125 --ca-certificate=FILE
:$srcdir/data
/ca.crt
,$srcdir/data
/ca.key \
127 --type="pkinit-kdc" \
128 --pk-init-principal="krbtgt/TEST.H5L.SE@TEST.H5L.SE" \
129 --req="PKCS10:pkcs10-request.der" \
130 --certificate="FILE:cert-ee.pem" ||
exit 1
132 echo "issue certificate (pkinit client)"
133 ${hxtool} issue-certificate \
134 --ca-certificate=FILE
:$srcdir/data
/ca.crt
,$srcdir/data
/ca.key \
136 --type="pkinit-client" \
137 --pk-init-principal="lha@TEST.H5L.SE" \
138 --req="PKCS10:pkcs10-request.der" \
139 --certificate="FILE:cert-ee.pem" ||
exit 1
141 echo "issue certificate (hostnames)"
142 ${hxtool} issue-certificate \
143 --ca-certificate=FILE
:$srcdir/data
/ca.crt
,$srcdir/data
/ca.key \
145 --type="https-server" \
146 --hostname="www.test.h5l.se" \
147 --hostname="ftp.test.h5l.se" \
148 --req="PKCS10:pkcs10-request.der" \
149 --certificate="FILE:cert-ee.pem" ||
exit 1
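# Host-name binding checks against the certificate issued just above with
# --hostname=www.test.h5l.se and --hostname=ftp.test.h5l.se.
# $srcdir fixture paths are quoted so a source tree path with spaces or glob
# characters is not split; ${hxtool} stays unquoted on purpose because
# TESTS_ENVIRONMENT may be a multi-word command prefix.
echo "verify certificate hostname (ok)"
${hxtool} verify --missing-revoke \
  --hostname=www.test.h5l.se \
  cert:FILE:cert-ee.pem \
  "anchor:FILE:$srcdir/data/ca.crt" > /dev/null || exit 1

# Negative check: a name that was not issued must be rejected.
# NOTE(review): `&& exit 1` only asserts a non-zero status, so a crash or a
# missing hxtool binary would also pass as "correctly rejected".
echo "verify certificate hostname (fail)"
${hxtool} verify --missing-revoke \
  --hostname=www2.test.h5l.se \
  cert:FILE:cert-ee.pem \
  "anchor:FILE:$srcdir/data/ca.crt" > /dev/null && exit 1

# 2www.test.h5l.se merely shares a suffix with an issued name; presumably
# this guards against suffix/substring matching instead of label matching.
echo "verify certificate hostname (fail)"
${hxtool} verify --missing-revoke \
  --hostname=2www.test.h5l.se \
  cert:FILE:cert-ee.pem \
  "anchor:FILE:$srcdir/data/ca.crt" > /dev/null && exit 1

# Re-issue cert-ee.pem with the host name only in the subject CN (no
# --hostname given) and repeat one positive and one negative host check.
echo "issue certificate (hostname in CN)"
${hxtool} issue-certificate \
  "--ca-certificate=FILE:$srcdir/data/ca.crt,$srcdir/data/ca.key" \
  --subject="cn=www.test.h5l.se" \
  --type="https-server" \
  --req="PKCS10:pkcs10-request.der" \
  --certificate="FILE:cert-ee.pem" || exit 1

echo "verify certificate hostname (ok)"
${hxtool} verify --missing-revoke \
  --hostname=www.test.h5l.se \
  cert:FILE:cert-ee.pem \
  "anchor:FILE:$srcdir/data/ca.crt" > /dev/null || exit 1

echo "verify certificate hostname (fail)"
${hxtool} verify --missing-revoke \
  --hostname=www2.test.h5l.se \
  cert:FILE:cert-ee.pem \
  "anchor:FILE:$srcdir/data/ca.crt" > /dev/null && exit 1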
189 echo "issue certificate (email)"
190 ${hxtool} issue-certificate \
191 --ca-certificate=FILE
:$srcdir/data
/ca.crt
,$srcdir/data
/ca.key \
193 --email="lha@test.h5l.se" \
194 --email="test@test.h5l.se" \
195 --req="PKCS10:pkcs10-request.der" \
196 --certificate="FILE:cert-ee.pem" ||
exit 1
198 echo "issue certificate (email, null subject DN)"
199 ${hxtool} issue-certificate \
200 --ca-certificate=FILE
:$srcdir/data
/ca.crt
,$srcdir/data
/ca.key \
202 --email="lha@test.h5l.se" \
203 --req="PKCS10:pkcs10-request.der" \
204 --certificate="FILE:cert-null.pem" ||
exit 1
206 echo "issue certificate (jabber)"
207 ${hxtool} issue-certificate \
208 --ca-certificate=FILE
:$srcdir/data
/ca.crt
,$srcdir/data
/ca.key \
210 --jid="lha@test.h5l.se" \
211 --req="PKCS10:pkcs10-request.der" \
212 --certificate="FILE:cert-ee.pem" ||
exit 1
214 echo "issue self-signed cert"
215 ${hxtool} issue-certificate \
217 --ca-private-key=FILE
:$srcdir/data
/key.der \
218 --subject="cn=test" \
219 --certificate="FILE:cert-ee.pem" ||
exit 1
222 ${hxtool} issue-certificate \
223 --ca-certificate=FILE
:$srcdir/data
/ca.crt
,$srcdir/data
/ca.key \
225 --subject="cn=ca-cert" \
226 --req="PKCS10:pkcs10-request.der" \
227 --certificate="FILE:cert-ca.der" ||
exit 1
229 echo "issue self-signed ca cert"
230 ${hxtool} issue-certificate \
233 --ca-private-key=FILE
:$srcdir/data
/key.der \
234 --subject="cn=ca-root" \
235 --certificate="FILE:cert-ca.der" ||
exit 1
237 echo "issue proxy certificate"
238 ${hxtool} issue-certificate \
239 --ca-certificate=FILE
:$srcdir/data
/test.crt
,$srcdir/data
/test.key \
241 --req="PKCS10:pkcs10-request.der" \
242 --certificate="FILE:cert-proxy.der" ||
exit 1
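# Validate the proxy certificate issued just above (signed by the fixture
# test.crt/test.key, itself chained to ca.crt).  --allow-proxy-certificate
# is required because proxy certificates are rejected by default.
# The $srcdir fixture paths are quoted so they cannot be word-split.
echo "verify proxy cert"
${hxtool} verify --missing-revoke \
  --allow-proxy-certificate \
  cert:FILE:cert-proxy.der \
  "chain:FILE:$srcdir/data/test.crt" \
  "anchor:FILE:$srcdir/data/ca.crt" > /dev/null || exit 1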
251 echo "issue ca cert (generate rsa key)"
252 ${hxtool} issue-certificate \
255 --serial-number="deadbeaf" \
258 --subject="cn=ca2-cert" \
259 --certificate="FILE:cert-ca.pem" ||
exit 1
261 echo "issue sub-ca cert (generate rsa key)"
262 ${hxtool} issue-certificate \
263 --ca-certificate=FILE
:cert-ca.pem \
265 --serial-number="deadbeaf22" \
267 --subject="cn=sub-ca2-cert" \
268 --certificate="FILE:cert-sub-ca.pem" ||
exit 1
270 echo "issue ee cert (generate rsa key)"
271 ${hxtool} issue-certificate \
272 --ca-certificate=FILE
:cert-ca.pem \
274 --subject="cn=cert-ee2" \
275 --certificate="FILE:cert-ee.pem" ||
exit 1
277 echo "issue sub-ca ee cert (generate rsa key)"
278 ${hxtool} issue-certificate \
279 --ca-certificate=FILE
:cert-sub-ca.pem \
281 --subject="cn=cert-sub-ee2" \
282 --certificate="FILE:cert-sub-ee.pem" ||
exit 1
# Chain checks for the generated-key hierarchy: cert-ca.pem (root)
# -> cert-sub-ca.pem -> cert-sub-ee.pem, plus a leaf directly under the root.
# --missing-revoke tolerates absent CRL/OCSP data, so only path validation
# is exercised here.
printf '%s\n' "verify certificate (ee)"
if ! ${hxtool} verify --missing-revoke \
  cert:FILE:cert-ee.pem \
  anchor:FILE:cert-ca.pem > /dev/null; then
  exit 1
fi

# Note: unlike the other verify steps, this one does not silence stdout.
printf '%s\n' "verify certificate (sub-ee)"
if ! ${hxtool} verify --missing-revoke \
  cert:FILE:cert-sub-ee.pem \
  chain:FILE:cert-sub-ca.pem \
  anchor:FILE:cert-ca.pem; then
  exit 1
fi

# Produce a CMS SignedData over a source file using the generated-key leaf;
# the matching cms-verify-sd step follows.
printf '%s\n' "sign CMS signature (generate key)"
if ! ${hxtool} cms-create-sd \
  --certificate=FILE:cert-ee.pem \
  "$srcdir/test_name.c" \
  sd.data > /dev/null; then
  exit 1
fi
301 echo "verify CMS signature (generate key)"
302 ${hxtool} cms-verify-sd \
304 --anchors=FILE
:cert-ca.pem \
305 sd.data sd.data.out
> /dev
/null ||
exit 1
306 cmp "$srcdir/test_name.c" sd.data.out ||
exit 1
308 echo "extend ca cert"
309 ${hxtool} issue-certificate \
312 --lifetime="2years" \
313 --serial-number="deadbeaf" \
314 --ca-private-key=FILE
:cert-ca.pem \
315 --subject="cn=ca2-cert" \
316 --certificate="FILE:cert-ca.pem" ||
exit 1
# cert-ca.pem was just rewritten ("extend ca cert" above) with the same
# serial number and subject but a new lifetime; a leaf issued by the
# previous incarnation must still validate against it.
printf '%s\n' "verify certificate generated by previous ca"
if ! ${hxtool} verify --missing-revoke \
  cert:FILE:cert-ee.pem \
  anchor:FILE:cert-ca.pem > /dev/null; then
  exit 1
fi
323 echo "extend ca cert (template)"
324 ${hxtool} issue-certificate \
327 --lifetime="3years" \
328 --template-certificate="FILE:cert-ca.pem" \
329 --template-fields="serialNumber,notBefore,subject" \
331 --ca-private-key=FILE
:cert-ca.pem \
332 --certificate="FILE:cert-ca.pem" ||
exit 1
# Same check after the template-based re-issue ("extend ca cert (template)"
# above, copying serialNumber/notBefore/subject): the earlier leaf must still
# chain to the rewritten cert-ca.pem.
printf '%s\n' "verify certificate generated by previous ca"
if ! ${hxtool} verify --missing-revoke \
  cert:FILE:cert-ee.pem \
  anchor:FILE:cert-ca.pem > /dev/null; then
  exit 1
fi
339 echo "extend sub-ca cert (template)"
340 ${hxtool} issue-certificate \
341 --ca-certificate=FILE
:cert-ca.pem \
343 --lifetime="2years" \
344 --template-certificate="FILE:cert-sub-ca.pem" \
345 --template-fields="serialNumber,notBefore,subject,SPKI" \
346 --certificate="FILE:cert-sub-ca2.pem" ||
exit 1
# Chain check after the sub-CA was re-issued from a template into
# cert-sub-ca2.pem ("extend sub-ca cert (template)" above).
# NOTE(review): the chain passed here is cert-sub-ca.pem, not the freshly
# written cert-sub-ca2.pem — confirm this is the intended certificate.
printf '%s\n' "verify certificate (sub-ee) with extended chain"
if ! ${hxtool} verify --missing-revoke \
  cert:FILE:cert-sub-ee.pem \
  chain:FILE:cert-sub-ca.pem \
  anchor:FILE:cert-ca.pem > /dev/null; then
  exit 1
fi

printf '%s\n' "+++++++++++ test basic constraints"
356 echo "extend ca cert (too low path-length constraint)"
357 ${hxtool} issue-certificate \
360 --lifetime="3years" \
361 --template-certificate="FILE:cert-ca.pem" \
362 --template-fields="serialNumber,notBefore,subject" \
364 --ca-private-key=FILE
:cert-ca.pem \
365 --certificate="FILE:cert-ca.pem" ||
exit 1
# The root was just re-issued with a path-length constraint too short for
# root -> sub-CA -> leaf ("extend ca cert (too low path-length constraint)"
# above), so validation of the three-level chain must fail.
# NOTE(review): this only asserts a non-zero exit, not the specific
# path-length error; a crash would also satisfy it.
printf '%s\n' "verify failure of certificate (sub-ee) with path-length constraint"
if ${hxtool} verify --missing-revoke \
  cert:FILE:cert-sub-ee.pem \
  chain:FILE:cert-sub-ca.pem \
  anchor:FILE:cert-ca.pem > /dev/null; then
  exit 1
fi
373 echo "extend ca cert (exact path-length constraint)"
374 ${hxtool} issue-certificate \
377 --lifetime="3years" \
378 --template-certificate="FILE:cert-ca.pem" \
379 --template-fields="serialNumber,notBefore,subject" \
381 --ca-private-key=FILE
:cert-ca.pem \
382 --certificate="FILE:cert-ca.pem" ||
exit 1
# Counterpart of the previous negative test: with the root re-issued under
# an exact path-length constraint ("extend ca cert (exact path-length
# constraint)" above) the same three-level chain must validate.
printf '%s\n' "verify certificate (sub-ee) with exact path-length constraint"
if ! ${hxtool} verify --missing-revoke \
  cert:FILE:cert-sub-ee.pem \
  chain:FILE:cert-sub-ca.pem \
  anchor:FILE:cert-ca.pem > /dev/null; then
  exit 1
fi
# Re-issue the sub-CA from its template without any option marking it as a
# CA; per the step name the result should lack basicConstraints.cA, and a
# certificate that is not a CA must not be accepted as an issuer.
printf '%s\n' "Check missing basicConstrants.isCa"
if ! ${hxtool} issue-certificate \
  --ca-certificate=FILE:cert-ca.pem \
  --lifetime="2years" \
  --template-certificate="FILE:cert-sub-ca.pem" \
  --template-fields="serialNumber,notBefore,subject,SPKI" \
  --certificate="FILE:cert-sub-ca2.pem"; then
  exit 1
fi

# Negative check through the non-CA intermediate.
# NOTE(review): success here means only a non-zero exit, not a specific
# validation error.
printf '%s\n' "verify failure certificate (sub-ee) with missing isCA"
if ${hxtool} verify --missing-revoke \
  cert:FILE:cert-sub-ee.pem \
  chain:FILE:cert-sub-ca2.pem \
  anchor:FILE:cert-ca.pem > /dev/null; then
  exit 1
fi

# Leaf carrying a CRL distribution point.  The verify steps in this script
# run with --missing-revoke, so the URI is not required to be reachable.
printf '%s\n' "issue ee cert (crl uri)"
if ! ${hxtool} issue-certificate \
  --ca-certificate=FILE:cert-ca.pem \
  --req="PKCS10:pkcs10-request.der" \
  --crl-uri="http://www.test.h5l.se/crl1.crl" \
  --subject="cn=cert-ee-crl-uri" \
  --certificate="FILE:cert-ee.pem"; then
  exit 1
fi
412 echo "issue null subject cert"
413 ${hxtool} issue-certificate \
414 --ca-certificate=FILE
:cert-ca.pem \
415 --req="PKCS10:pkcs10-request.der" \
417 --email="lha@test.h5l.se" \
418 --certificate="FILE:cert-ee.pem" ||
exit 1
# cert-ee.pem was just re-issued with an empty subject DN and only an
# --email subjectAltName ("issue null subject cert" above); such a leaf is
# legal when the SAN carries the identity and must still path-validate.
printf '%s\n' "verify certificate null subject"
if ! ${hxtool} verify --missing-revoke \
  cert:FILE:cert-ee.pem \
  anchor:FILE:cert-ca.pem > /dev/null; then
  exit 1
fi