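#!/bin/sh
#
# Copyright (c) 2006 - 2007 Kungliga Tekniska Högskolan
# (Royal Institute of Technology, Stockholm, Sweden).
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
#
# 1. Redistributions of source code must retain the above copyright
#    notice, this list of conditions and the following disclaimer.
#
# 2. Redistributions in binary form must reproduce the above copyright
#    notice, this list of conditions and the following disclaimer in the
#    documentation and/or other materials provided with the distribution.
#
# 3. Neither the name of the Institute nor the names of its contributors
#    may be used to endorse or promote products derived from this software
#    without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
# SUCH DAMAGE.
#
# $Id: test_ca.in 21345 2007-06-26 14:22:57Z lha $
#
# End-to-end test of hxtool's CA functions: request creation, certificate
# issuance (EE, CA, sub-CA, proxy, self-signed, templated), CRL signing and
# path validation.  Every step is a separate hxtool invocation; a positive
# check fails the script with `|| exit 1`, a negative check (something
# that MUST be rejected) uses `&& exit 1`, so a verify that unexpectedly
# succeeds is the failure.  Exit status 77 means "skipped" to the automake
# test driver.
#
# @srcdir@ / @objdir@ are substituted by configure; the script is meant to
# run from the object directory, where it writes its intermediate files
# (pkcs10-request.der, cert-*.pem/der, crl.crl, sd.data*).

srcdir="@srcdir@"
objdir="@objdir@"

stat="--statistic-file=${objdir}/statfile"

# Intentionally expanded unquoted below: TESTS_ENVIRONMENT may carry a
# multi-word wrapper command that has to be word-split into arguments.
hxtool="${TESTS_ENVIRONMENT} ./hxtool ${stat}"

# Fixed test CA credentials shipped in the source tree (quoted so a srcdir
# containing whitespace does not split the argument).
ca_keypair="FILE:${srcdir}/data/ca.crt,${srcdir}/data/ca.key"
ca_anchor="anchor:FILE:${srcdir}/data/ca.crt"

# Skip (77) when hcrypto has no usable RSA or no random source; nothing
# below can be signed in that configuration.
if ${hxtool} info | grep 'rsa: hcrypto null RSA' > /dev/null ; then
    exit 77
fi
if ${hxtool} info | grep 'rand: not available' > /dev/null ; then
    exit 77
fi

echo "create certificate request"
${hxtool} request-create \
	--subject="CN=Love,DC=it,DC=su,DC=se" \
	--key="FILE:${srcdir}/data/key.der" \
	pkcs10-request.der || exit 1

echo "issue certificate"
${hxtool} issue-certificate \
	--ca-certificate="${ca_keypair}" \
	--subject="cn=foo" \
	--req="PKCS10:pkcs10-request.der" \
	--certificate="FILE:cert-ee.pem" || exit 1

# --missing-revoke: accept the chain even though no CRL is supplied.
echo "verify certificate"
${hxtool} verify --missing-revoke \
	cert:FILE:cert-ee.pem \
	"${ca_anchor}" > /dev/null || exit 1

echo "issue crl (no cert)"
${hxtool} crl-sign \
	--crl-file=crl.crl \
	--signer="${ca_keypair}" || exit 1

echo "verify certificate (with CRL)"
${hxtool} verify \
	cert:FILE:cert-ee.pem \
	crl:FILE:crl.crl \
	"${ca_anchor}" > /dev/null || exit 1

# Revocation: once the EE cert is listed in the CRL, verify must reject it
# (negative check, `&& exit 1`).
echo "issue crl (with cert)"
${hxtool} crl-sign \
	--crl-file=crl.crl \
	--signer="${ca_keypair}" \
	FILE:cert-ee.pem || exit 1

echo "verify certificate (included in CRL)"
${hxtool} verify \
	cert:FILE:cert-ee.pem \
	crl:FILE:crl.crl \
	"${ca_anchor}" > /dev/null && exit 1

# Same revocation check with an explicit CRL lifetime.
echo "issue crl (with cert)"
${hxtool} crl-sign \
	--crl-file=crl.crl \
	--lifetime='1 month' \
	--signer="${ca_keypair}" \
	FILE:cert-ee.pem || exit 1

echo "verify certificate (included in CRL, and lifetime 1 month)"
${hxtool} verify \
	cert:FILE:cert-ee.pem \
	crl:FILE:crl.crl \
	"${ca_anchor}" > /dev/null && exit 1

echo "issue certificate (10years 1 month)"
${hxtool} issue-certificate \
	--ca-certificate="${ca_keypair}" \
	--subject="cn=foo" \
	--lifetime="10years 1 month" \
	--req="PKCS10:pkcs10-request.der" \
	--certificate="FILE:cert-ee.pem" || exit 1

echo "issue certificate (with https ekus)"
${hxtool} issue-certificate \
	--ca-certificate="${ca_keypair}" \
	--subject="cn=foo" \
	--type="https-server" \
	--type="https-client" \
	--req="PKCS10:pkcs10-request.der" \
	--certificate="FILE:cert-ee.pem" || exit 1

echo "issue certificate (pkinit KDC)"
${hxtool} issue-certificate \
	--ca-certificate="${ca_keypair}" \
	--subject="cn=foo" \
	--type="pkinit-kdc" \
	--pk-init-principal="krbtgt/TEST.H5L.SE@TEST.H5L.SE" \
	--req="PKCS10:pkcs10-request.der" \
	--certificate="FILE:cert-ee.pem" || exit 1

echo "issue certificate (pkinit client)"
${hxtool} issue-certificate \
	--ca-certificate="${ca_keypair}" \
	--subject="cn=foo" \
	--type="pkinit-client" \
	--pk-init-principal="lha@TEST.H5L.SE" \
	--req="PKCS10:pkcs10-request.der" \
	--certificate="FILE:cert-ee.pem" || exit 1

# Hostname matching against the SAN dNSName entries: the exact name must
# pass; a different label and a name that merely ends with the SAN value
# ("2www.test.h5l.se") must both be rejected.
echo "issue certificate (hostnames)"
${hxtool} issue-certificate \
	--ca-certificate="${ca_keypair}" \
	--subject="cn=foo" \
	--type="https-server" \
	--hostname="www.test.h5l.se" \
	--hostname="ftp.test.h5l.se" \
	--req="PKCS10:pkcs10-request.der" \
	--certificate="FILE:cert-ee.pem" || exit 1

echo "verify certificate hostname (ok)"
${hxtool} verify --missing-revoke \
	--hostname=www.test.h5l.se \
	cert:FILE:cert-ee.pem \
	"${ca_anchor}" > /dev/null || exit 1

echo "verify certificate hostname (fail)"
${hxtool} verify --missing-revoke \
	--hostname=www2.test.h5l.se \
	cert:FILE:cert-ee.pem \
	"${ca_anchor}" > /dev/null && exit 1

echo "verify certificate hostname (fail)"
${hxtool} verify --missing-revoke \
	--hostname=2www.test.h5l.se \
	cert:FILE:cert-ee.pem \
	"${ca_anchor}" > /dev/null && exit 1

# Hostname carried only in the subject CN (no --hostname SAN).
echo "issue certificate (hostname in CN)"
${hxtool} issue-certificate \
	--ca-certificate="${ca_keypair}" \
	--subject="cn=www.test.h5l.se" \
	--type="https-server" \
	--req="PKCS10:pkcs10-request.der" \
	--certificate="FILE:cert-ee.pem" || exit 1

echo "verify certificate hostname (ok)"
${hxtool} verify --missing-revoke \
	--hostname=www.test.h5l.se \
	cert:FILE:cert-ee.pem \
	"${ca_anchor}" > /dev/null || exit 1

echo "verify certificate hostname (fail)"
${hxtool} verify --missing-revoke \
	--hostname=www2.test.h5l.se \
	cert:FILE:cert-ee.pem \
	"${ca_anchor}" > /dev/null && exit 1

echo "issue certificate (email)"
${hxtool} issue-certificate \
	--ca-certificate="${ca_keypair}" \
	--subject="cn=foo" \
	--email="lha@test.h5l.se" \
	--email="test@test.h5l.se" \
	--req="PKCS10:pkcs10-request.der" \
	--certificate="FILE:cert-ee.pem" || exit 1

# Empty subject DN is legal when a SAN (here rfc822Name) identifies the EE.
echo "issue certificate (email, null subject DN)"
${hxtool} issue-certificate \
	--ca-certificate="${ca_keypair}" \
	--subject="" \
	--email="lha@test.h5l.se" \
	--req="PKCS10:pkcs10-request.der" \
	--certificate="FILE:cert-null.pem" || exit 1

echo "issue certificate (jabber)"
${hxtool} issue-certificate \
	--ca-certificate="${ca_keypair}" \
	--subject="cn=foo" \
	--jid="lha@test.h5l.se" \
	--req="PKCS10:pkcs10-request.der" \
	--certificate="FILE:cert-ee.pem" || exit 1

echo "issue self-signed cert"
${hxtool} issue-certificate \
	--self-signed \
	--ca-private-key="FILE:${srcdir}/data/key.der" \
	--subject="cn=test" \
	--certificate="FILE:cert-ee.pem" || exit 1

echo "issue ca cert"
${hxtool} issue-certificate \
	--ca-certificate="${ca_keypair}" \
	--issue-ca \
	--subject="cn=ca-cert" \
	--req="PKCS10:pkcs10-request.der" \
	--certificate="FILE:cert-ca.der" || exit 1

echo "issue self-signed ca cert"
${hxtool} issue-certificate \
	--self-signed \
	--issue-ca \
	--ca-private-key="FILE:${srcdir}/data/key.der" \
	--subject="cn=ca-root" \
	--certificate="FILE:cert-ca.der" || exit 1

# Proxy certificates are only accepted when the verifier opts in with
# --allow-proxy-certificate; test.crt is the EE that issues the proxy.
echo "issue proxy certificate"
${hxtool} issue-certificate \
	--ca-certificate="FILE:${srcdir}/data/test.crt,${srcdir}/data/test.key" \
	--issue-proxy \
	--req="PKCS10:pkcs10-request.der" \
	--certificate="FILE:cert-proxy.der" || exit 1

echo "verify proxy cert"
${hxtool} verify --missing-revoke \
	--allow-proxy-certificate \
	cert:FILE:cert-proxy.der \
	"chain:FILE:${srcdir}/data/test.crt" \
	"${ca_anchor}" > /dev/null || exit 1

# From here on a fresh, generated CA hierarchy is used:
#   cert-ca.pem (root) -> cert-sub-ca.pem -> cert-sub-ee.pem
#   cert-ca.pem (root) -> cert-ee.pem
# --path-length=-1 means "no pathLenConstraint" on the root.
echo "issue ca cert (generate rsa key)"
${hxtool} issue-certificate \
	--self-signed \
	--issue-ca \
	--serial-number="deadbeaf" \
	--generate-key=rsa \
	--path-length=-1 \
	--subject="cn=ca2-cert" \
	--certificate="FILE:cert-ca.pem" || exit 1

echo "issue sub-ca cert (generate rsa key)"
${hxtool} issue-certificate \
	--ca-certificate=FILE:cert-ca.pem \
	--issue-ca \
	--serial-number="deadbeaf22" \
	--generate-key=rsa \
	--subject="cn=sub-ca2-cert" \
	--certificate="FILE:cert-sub-ca.pem" || exit 1

echo "issue ee cert (generate rsa key)"
${hxtool} issue-certificate \
	--ca-certificate=FILE:cert-ca.pem \
	--generate-key=rsa \
	--subject="cn=cert-ee2" \
	--certificate="FILE:cert-ee.pem" || exit 1

echo "issue sub-ca ee cert (generate rsa key)"
${hxtool} issue-certificate \
	--ca-certificate=FILE:cert-sub-ca.pem \
	--generate-key=rsa \
	--subject="cn=cert-sub-ee2" \
	--certificate="FILE:cert-sub-ee.pem" || exit 1

echo "verify certificate (ee)"
${hxtool} verify --missing-revoke \
	cert:FILE:cert-ee.pem \
	anchor:FILE:cert-ca.pem > /dev/null || exit 1

echo "verify certificate (sub-ee)"
${hxtool} verify --missing-revoke \
	cert:FILE:cert-sub-ee.pem \
	chain:FILE:cert-sub-ca.pem \
	anchor:FILE:cert-ca.pem || exit 1

# CMS SignedData round trip with the generated EE key; the recovered
# content must be byte-identical to the input.
echo "sign CMS signature (generate key)"
${hxtool} cms-create-sd \
	--certificate=FILE:cert-ee.pem \
	"${srcdir}/test_name.c" \
	sd.data > /dev/null || exit 1

echo "verify CMS signature (generate key)"
${hxtool} cms-verify-sd \
	--missing-revoke \
	--anchors=FILE:cert-ca.pem \
	sd.data sd.data.out > /dev/null || exit 1
cmp "${srcdir}/test_name.c" sd.data.out || exit 1

# Re-issue the root with the same key (read from cert-ca.pem) and serial;
# certificates issued by the earlier root must still validate against it.
echo "extend ca cert"
${hxtool} issue-certificate \
	--self-signed \
	--issue-ca \
	--lifetime="2years" \
	--serial-number="deadbeaf" \
	--ca-private-key=FILE:cert-ca.pem \
	--subject="cn=ca2-cert" \
	--certificate="FILE:cert-ca.pem" || exit 1

echo "verify certificate generated by previous ca"
${hxtool} verify --missing-revoke \
	cert:FILE:cert-ee.pem \
	anchor:FILE:cert-ca.pem > /dev/null || exit 1

# Same, but copying the listed fields from the existing certificate.
echo "extend ca cert (template)"
${hxtool} issue-certificate \
	--self-signed \
	--issue-ca \
	--lifetime="3years" \
	--template-certificate="FILE:cert-ca.pem" \
	--template-fields="serialNumber,notBefore,subject" \
	--path-length=-1 \
	--ca-private-key=FILE:cert-ca.pem \
	--certificate="FILE:cert-ca.pem" || exit 1

echo "verify certificate generated by previous ca"
${hxtool} verify --missing-revoke \
	cert:FILE:cert-ee.pem \
	anchor:FILE:cert-ca.pem > /dev/null || exit 1

echo "extend sub-ca cert (template)"
${hxtool} issue-certificate \
	--ca-certificate=FILE:cert-ca.pem \
	--issue-ca \
	--lifetime="2years" \
	--template-certificate="FILE:cert-sub-ca.pem" \
	--template-fields="serialNumber,notBefore,subject,SPKI" \
	--certificate="FILE:cert-sub-ca2.pem" || exit 1

echo "verify certificate (sub-ee) with extended chain"
${hxtool} verify --missing-revoke \
	cert:FILE:cert-sub-ee.pem \
	chain:FILE:cert-sub-ca.pem \
	anchor:FILE:cert-ca.pem > /dev/null || exit 1

echo "+++++++++++ test basic constraints"

# pathLenConstraint=0 on the root leaves no room for the intermediate, so
# the sub-ee chain must be rejected; pathLenConstraint=1 allows exactly it.
echo "extend ca cert (too low path-length constraint)"
${hxtool} issue-certificate \
	--self-signed \
	--issue-ca \
	--lifetime="3years" \
	--template-certificate="FILE:cert-ca.pem" \
	--template-fields="serialNumber,notBefore,subject" \
	--path-length=0 \
	--ca-private-key=FILE:cert-ca.pem \
	--certificate="FILE:cert-ca.pem" || exit 1

echo "verify failure of certificate (sub-ee) with path-length constraint"
${hxtool} verify --missing-revoke \
	cert:FILE:cert-sub-ee.pem \
	chain:FILE:cert-sub-ca.pem \
	anchor:FILE:cert-ca.pem > /dev/null && exit 1

echo "extend ca cert (exact path-length constraint)"
${hxtool} issue-certificate \
	--self-signed \
	--issue-ca \
	--lifetime="3years" \
	--template-certificate="FILE:cert-ca.pem" \
	--template-fields="serialNumber,notBefore,subject" \
	--path-length=1 \
	--ca-private-key=FILE:cert-ca.pem \
	--certificate="FILE:cert-ca.pem" || exit 1

echo "verify certificate (sub-ee) with exact path-length constraint"
${hxtool} verify --missing-revoke \
	cert:FILE:cert-sub-ee.pem \
	chain:FILE:cert-sub-ca.pem \
	anchor:FILE:cert-ca.pem > /dev/null || exit 1

# Re-issue the intermediate WITHOUT --issue-ca (same key via the SPKI
# template field): a chain through a non-CA certificate must be rejected.
echo "Check missing basicConstrants.isCa"
${hxtool} issue-certificate \
	--ca-certificate=FILE:cert-ca.pem \
	--lifetime="2years" \
	--template-certificate="FILE:cert-sub-ca.pem" \
	--template-fields="serialNumber,notBefore,subject,SPKI" \
	--certificate="FILE:cert-sub-ca2.pem" || exit 1

echo "verify failure certificate (sub-ee) with missing isCA"
${hxtool} verify --missing-revoke \
	cert:FILE:cert-sub-ee.pem \
	chain:FILE:cert-sub-ca2.pem \
	anchor:FILE:cert-ca.pem > /dev/null && exit 1

echo "issue ee cert (crl uri)"
${hxtool} issue-certificate \
	--ca-certificate=FILE:cert-ca.pem \
	--req="PKCS10:pkcs10-request.der" \
	--crl-uri="http://www.test.h5l.se/crl1.crl" \
	--subject="cn=cert-ee-crl-uri" \
	--certificate="FILE:cert-ee.pem" || exit 1

echo "issue null subject cert"
${hxtool} issue-certificate \
	--ca-certificate=FILE:cert-ca.pem \
	--req="PKCS10:pkcs10-request.der" \
	--subject="" \
	--email="lha@test.h5l.se" \
	--certificate="FILE:cert-ee.pem" || exit 1

echo "verify certificate null subject"
${hxtool} verify --missing-revoke \
	cert:FILE:cert-ee.pem \
	anchor:FILE:cert-ca.pem > /dev/null || exit 1

exit 0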