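#!/bin/sh
#
# Copyright (c) 2006 - 2007 Kungliga Tekniska Högskolan
# (Royal Institute of Technology, Stockholm, Sweden).
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
#
# 1. Redistributions of source code must retain the above copyright
#    notice, this list of conditions and the following disclaimer.
#
# 2. Redistributions in binary form must reproduce the above copyright
#    notice, this list of conditions and the following disclaimer in the
#    documentation and/or other materials provided with the distribution.
#
# 3. Neither the name of the Institute nor the names of its contributors
#    may be used to endorse or promote products derived from this software
#    without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
# SUCH DAMAGE.
#
# $Id$
#
# hx509 CA regression test, driven through hxtool.
#
# Flow: create a PKCS#10 request, issue end-entity / CA / sub-CA / proxy /
# self-signed / template-based certificates, sign CRLs, sign and verify a
# CMS SignedData blob, and run path validation against each result.
#
# Every positive step is followed by "|| exit 1".  Steps that exercise a
# security control are negative tests and end in "&& exit 1": verification
# MUST fail for a certificate listed in the CRL, for a hostname that does
# not match, for a chain longer than the CA's path-length constraint and for
# an intermediate without basicConstraints.isCA.  If "verify" accepts any
# of those, the test fails.
#
# Exit status 77 is the automake convention for "skipped".
#
# Environment: TESTS_ENVIRONMENT may hold a multi-word command prefix used
# to run ./hxtool (wrapper, library path setup, ...).

srcdir="@srcdir@"
objdir="@objdir@"

statopt="--statistic-file=${objdir}/statfile"

# Wrapper function rather than a "${hxtool}" command string, so that the
# statistics option and every per-call argument survive a build directory
# containing whitespace.  ${TESTS_ENVIRONMENT} is deliberately unquoted:
# it is allowed to expand to several words (or to nothing).
hxtool() {
  ${TESTS_ENVIRONMENT} ./hxtool "${statopt}" "$@"
}

# Skip when the crypto backend cannot do RSA or has no random source;
# nothing below can work without both.
if hxtool info | grep 'rsa: hcrypto null RSA' > /dev/null ; then
  exit 77
fi
if hxtool info | grep 'rand: not available' > /dev/null ; then
  exit 77
fi

# Test CA material shipped in the source tree.  "$ca" is the
# certificate,key pair accepted by --ca-certificate and --signer.
ca_crt="$srcdir/data/ca.crt"
ca_key="$srcdir/data/ca.key"
ca="FILE:$ca_crt,$ca_key"
ee_key="FILE:$srcdir/data/key.der"

echo "create certificate request"
hxtool request-create \
  --subject="CN=Love,DC=it,DC=su,DC=se" \
  --key="$ee_key" \
  pkcs10-request.der || exit 1

echo "issue certificate"
hxtool issue-certificate \
  --ca-certificate="$ca" \
  --subject="cn=foo" \
  --req="PKCS10:pkcs10-request.der" \
  --certificate="FILE:cert-ee.pem" || exit 1

# --missing-revoke lets verification pass without any revocation data;
# it is omitted in the CRL cases below so the supplied CRL is consulted.
echo "verify certificate"
hxtool verify --missing-revoke \
  cert:FILE:cert-ee.pem \
  "anchor:FILE:$ca_crt" > /dev/null || exit 1

echo "issue crl (no cert)"
hxtool crl-sign \
  --crl-file=crl.crl \
  --signer="$ca" || exit 1

echo "verify certificate (with CRL)"
hxtool verify \
  cert:FILE:cert-ee.pem \
  crl:FILE:crl.crl \
  "anchor:FILE:$ca_crt" > /dev/null || exit 1

echo "issue crl (with cert)"
hxtool crl-sign \
  --crl-file=crl.crl \
  --signer="$ca" \
  FILE:cert-ee.pem || exit 1

# Negative: the certificate is now on the CRL, verification must fail.
echo "verify certificate (included in CRL)"
hxtool verify \
  cert:FILE:cert-ee.pem \
  crl:FILE:crl.crl \
  "anchor:FILE:$ca_crt" > /dev/null && exit 1

echo "issue crl (with cert)"
hxtool crl-sign \
  --crl-file=crl.crl \
  --lifetime='1 month' \
  --signer="$ca" \
  FILE:cert-ee.pem || exit 1

# Negative: still revoked, and a CRL with an explicit lifetime.
echo "verify certificate (included in CRL, and lifetime 1 month)"
hxtool verify \
  cert:FILE:cert-ee.pem \
  crl:FILE:crl.crl \
  "anchor:FILE:$ca_crt" > /dev/null && exit 1

echo "issue certificate (10years 1 month)"
hxtool issue-certificate \
  --ca-certificate="$ca" \
  --subject="cn=foo" \
  --lifetime="10years 1 month" \
  --req="PKCS10:pkcs10-request.der" \
  --certificate="FILE:cert-ee.pem" || exit 1

echo "issue certificate (with https ekus)"
hxtool issue-certificate \
  --ca-certificate="$ca" \
  --subject="cn=foo" \
  --type="https-server" \
  --type="https-client" \
  --req="PKCS10:pkcs10-request.der" \
  --certificate="FILE:cert-ee.pem" || exit 1

echo "issue certificate (pkinit KDC)"
hxtool issue-certificate \
  --ca-certificate="$ca" \
  --subject="cn=foo" \
  --type="pkinit-kdc" \
  --pk-init-principal="krbtgt/TEST.H5L.SE@TEST.H5L.SE" \
  --req="PKCS10:pkcs10-request.der" \
  --certificate="FILE:cert-ee.pem" || exit 1

echo "issue certificate (pkinit client)"
hxtool issue-certificate \
  --ca-certificate="$ca" \
  --subject="cn=foo" \
  --type="pkinit-client" \
  --pk-init-principal="lha@TEST.H5L.SE" \
  --req="PKCS10:pkcs10-request.der" \
  --certificate="FILE:cert-ee.pem" || exit 1

# Hostname checks: the subject is "cn=foo", so the names must come from
# the --hostname SANs.
echo "issue certificate (hostnames)"
hxtool issue-certificate \
  --ca-certificate="$ca" \
  --subject="cn=foo" \
  --type="https-server" \
  --hostname="www.test.h5l.se" \
  --hostname="ftp.test.h5l.se" \
  --req="PKCS10:pkcs10-request.der" \
  --certificate="FILE:cert-ee.pem" || exit 1

echo "verify certificate hostname (ok)"
hxtool verify --missing-revoke \
  --hostname=www.test.h5l.se \
  cert:FILE:cert-ee.pem \
  "anchor:FILE:$ca_crt" > /dev/null || exit 1

# Negative: a different host.
echo "verify certificate hostname (fail)"
hxtool verify --missing-revoke \
  --hostname=www2.test.h5l.se \
  cert:FILE:cert-ee.pem \
  "anchor:FILE:$ca_crt" > /dev/null && exit 1

# Negative: a name of which the SAN is only a suffix must not match either.
echo "verify certificate hostname (fail)"
hxtool verify --missing-revoke \
  --hostname=2www.test.h5l.se \
  cert:FILE:cert-ee.pem \
  "anchor:FILE:$ca_crt" > /dev/null && exit 1

# Same checks with the hostname carried in the subject CN instead of a SAN.
echo "issue certificate (hostname in CN)"
hxtool issue-certificate \
  --ca-certificate="$ca" \
  --subject="cn=www.test.h5l.se" \
  --type="https-server" \
  --req="PKCS10:pkcs10-request.der" \
  --certificate="FILE:cert-ee.pem" || exit 1

echo "verify certificate hostname (ok)"
hxtool verify --missing-revoke \
  --hostname=www.test.h5l.se \
  cert:FILE:cert-ee.pem \
  "anchor:FILE:$ca_crt" > /dev/null || exit 1

echo "verify certificate hostname (fail)"
hxtool verify --missing-revoke \
  --hostname=www2.test.h5l.se \
  cert:FILE:cert-ee.pem \
  "anchor:FILE:$ca_crt" > /dev/null && exit 1

echo "issue certificate (email)"
hxtool issue-certificate \
  --ca-certificate="$ca" \
  --subject="cn=foo" \
  --email="lha@test.h5l.se" \
  --email="test@test.h5l.se" \
  --req="PKCS10:pkcs10-request.der" \
  --certificate="FILE:cert-ee.pem" || exit 1

echo "issue certificate (email, null subject DN)"
hxtool issue-certificate \
  --ca-certificate="$ca" \
  --subject="" \
  --email="lha@test.h5l.se" \
  --req="PKCS10:pkcs10-request.der" \
  --certificate="FILE:cert-null.pem" || exit 1

echo "issue certificate (jabber)"
hxtool issue-certificate \
  --ca-certificate="$ca" \
  --subject="cn=foo" \
  --jid="lha@test.h5l.se" \
  --req="PKCS10:pkcs10-request.der" \
  --certificate="FILE:cert-ee.pem" || exit 1

echo "issue self-signed cert"
hxtool issue-certificate \
  --self-signed \
  --ca-private-key="$ee_key" \
  --subject="cn=test" \
  --certificate="FILE:cert-ee.pem" || exit 1

echo "issue ca cert"
hxtool issue-certificate \
  --ca-certificate="$ca" \
  --issue-ca \
  --subject="cn=ca-cert" \
  --req="PKCS10:pkcs10-request.der" \
  --certificate="FILE:cert-ca.der" || exit 1

echo "issue self-signed ca cert"
hxtool issue-certificate \
  --self-signed \
  --issue-ca \
  --ca-private-key="$ee_key" \
  --subject="cn=ca-root" \
  --certificate="FILE:cert-ca.der" || exit 1

# Proxy certificate: issued by the end-entity test cert, not by the CA.
echo "issue proxy certificate"
hxtool issue-certificate \
  --ca-certificate="FILE:$srcdir/data/test.crt,$srcdir/data/test.key" \
  --issue-proxy \
  --req="PKCS10:pkcs10-request.der" \
  --certificate="FILE:cert-proxy.der" || exit 1

# Proxy certificates are rejected unless the verifier explicitly allows them.
echo "verify proxy cert"
hxtool verify --missing-revoke \
  --allow-proxy-certificate \
  cert:FILE:cert-proxy.der \
  "chain:FILE:$srcdir/data/test.crt" \
  "anchor:FILE:$ca_crt" > /dev/null || exit 1

# From here on the CA hierarchy is generated by hxtool itself:
# cert-ca.pem (root) -> cert-sub-ca.pem -> cert-sub-ee.pem, and
# cert-ca.pem -> cert-ee.pem.  --path-length=-1 means no constraint.
echo "issue ca cert (generate rsa key)"
hxtool issue-certificate \
  --self-signed \
  --issue-ca \
  --serial-number="deadbeaf" \
  --generate-key=rsa \
  --path-length=-1 \
  --subject="cn=ca2-cert" \
  --certificate="FILE:cert-ca.pem" || exit 1

echo "issue sub-ca cert (generate rsa key)"
hxtool issue-certificate \
  --ca-certificate=FILE:cert-ca.pem \
  --issue-ca \
  --serial-number="deadbeaf22" \
  --generate-key=rsa \
  --subject="cn=sub-ca2-cert" \
  --certificate="FILE:cert-sub-ca.pem" || exit 1

echo "issue ee cert (generate rsa key)"
hxtool issue-certificate \
  --ca-certificate=FILE:cert-ca.pem \
  --generate-key=rsa \
  --subject="cn=cert-ee2" \
  --certificate="FILE:cert-ee.pem" || exit 1

echo "issue sub-ca ee cert (generate rsa key)"
hxtool issue-certificate \
  --ca-certificate=FILE:cert-sub-ca.pem \
  --generate-key=rsa \
  --subject="cn=cert-sub-ee2" \
  --certificate="FILE:cert-sub-ee.pem" || exit 1

echo "verify certificate (ee)"
hxtool verify --missing-revoke \
  cert:FILE:cert-ee.pem \
  anchor:FILE:cert-ca.pem > /dev/null || exit 1

echo "verify certificate (sub-ee)"
hxtool verify --missing-revoke \
  cert:FILE:cert-sub-ee.pem \
  chain:FILE:cert-sub-ca.pem \
  anchor:FILE:cert-ca.pem > /dev/null || exit 1

# CMS: sign a source file with the generated EE cert, verify against the
# generated root, and check the recovered content is byte-identical.
echo "sign CMS signature (generate key)"
hxtool cms-create-sd \
  --certificate=FILE:cert-ee.pem \
  "$srcdir/test_name.c" \
  sd.data > /dev/null || exit 1

echo "verify CMS signature (generate key)"
hxtool cms-verify-sd \
  --missing-revoke \
  --anchors=FILE:cert-ca.pem \
  sd.data sd.data.out > /dev/null || exit 1
cmp "$srcdir/test_name.c" sd.data.out || exit 1

# Re-issue the root with the same key and serial; previously issued
# certificates must keep verifying against the renewed root.
echo "extend ca cert"
hxtool issue-certificate \
  --self-signed \
  --issue-ca \
  --lifetime="2years" \
  --serial-number="deadbeaf" \
  --ca-private-key=FILE:cert-ca.pem \
  --subject="cn=ca2-cert" \
  --certificate="FILE:cert-ca.pem" || exit 1

echo "verify certificate generated by previous ca"
hxtool verify --missing-revoke \
  cert:FILE:cert-ee.pem \
  anchor:FILE:cert-ca.pem > /dev/null || exit 1

# Same renewal, but copying the named fields from the old certificate.
echo "extend ca cert (template)"
hxtool issue-certificate \
  --self-signed \
  --issue-ca \
  --lifetime="3years" \
  --template-certificate="FILE:cert-ca.pem" \
  --template-fields="serialNumber,notBefore,subject" \
  --path-length=-1 \
  --ca-private-key=FILE:cert-ca.pem \
  --certificate="FILE:cert-ca.pem" || exit 1

echo "verify certificate generated by previous ca"
hxtool verify --missing-revoke \
  cert:FILE:cert-ee.pem \
  anchor:FILE:cert-ca.pem > /dev/null || exit 1

echo "extend sub-ca cert (template)"
hxtool issue-certificate \
  --ca-certificate=FILE:cert-ca.pem \
  --issue-ca \
  --lifetime="2years" \
  --template-certificate="FILE:cert-sub-ca.pem" \
  --template-fields="serialNumber,notBefore,subject,SPKI" \
  --certificate="FILE:cert-sub-ca2.pem" || exit 1

echo "verify certificate (sub-ee) with extended chain"
hxtool verify --missing-revoke \
  cert:FILE:cert-sub-ee.pem \
  chain:FILE:cert-sub-ca.pem \
  anchor:FILE:cert-ca.pem > /dev/null || exit 1

echo "+++++++++++ test basic constraints"

# Root with pathLenConstraint=0: a chain root -> sub-ca -> ee is one
# intermediate too long and must be rejected.
echo "extend ca cert (too low path-length constraint)"
hxtool issue-certificate \
  --self-signed \
  --issue-ca \
  --lifetime="3years" \
  --template-certificate="FILE:cert-ca.pem" \
  --template-fields="serialNumber,notBefore,subject" \
  --path-length=0 \
  --ca-private-key=FILE:cert-ca.pem \
  --certificate="FILE:cert-ca.pem" || exit 1

echo "verify failure of certificate (sub-ee) with path-length constraint"
hxtool verify --missing-revoke \
  cert:FILE:cert-sub-ee.pem \
  chain:FILE:cert-sub-ca.pem \
  anchor:FILE:cert-ca.pem > /dev/null && exit 1

# pathLenConstraint=1 allows exactly one intermediate.
echo "extend ca cert (exact path-length constraint)"
hxtool issue-certificate \
  --self-signed \
  --issue-ca \
  --lifetime="3years" \
  --template-certificate="FILE:cert-ca.pem" \
  --template-fields="serialNumber,notBefore,subject" \
  --path-length=1 \
  --ca-private-key=FILE:cert-ca.pem \
  --certificate="FILE:cert-ca.pem" || exit 1

echo "verify certificate (sub-ee) with exact path-length constraint"
hxtool verify --missing-revoke \
  cert:FILE:cert-sub-ee.pem \
  chain:FILE:cert-sub-ca.pem \
  anchor:FILE:cert-ca.pem > /dev/null || exit 1

# Re-issue the sub-CA without --issue-ca: same subject and key, but no
# basicConstraints.isCA.  It must not be usable as an intermediate.
echo "Check missing basicConstraints.isCa"
hxtool issue-certificate \
  --ca-certificate=FILE:cert-ca.pem \
  --lifetime="2years" \
  --template-certificate="FILE:cert-sub-ca.pem" \
  --template-fields="serialNumber,notBefore,subject,SPKI" \
  --certificate="FILE:cert-sub-ca2.pem" || exit 1

echo "verify failure certificate (sub-ee) with missing isCA"
hxtool verify --missing-revoke \
  cert:FILE:cert-sub-ee.pem \
  chain:FILE:cert-sub-ca2.pem \
  anchor:FILE:cert-ca.pem > /dev/null && exit 1

echo "issue ee cert (crl uri)"
hxtool issue-certificate \
  --ca-certificate=FILE:cert-ca.pem \
  --req="PKCS10:pkcs10-request.der" \
  --crl-uri="http://www.test.h5l.se/crl1.crl" \
  --subject="cn=cert-ee-crl-uri" \
  --certificate="FILE:cert-ee.pem" || exit 1

echo "issue null subject cert"
hxtool issue-certificate \
  --ca-certificate=FILE:cert-ca.pem \
  --req="PKCS10:pkcs10-request.der" \
  --subject="" \
  --email="lha@test.h5l.se" \
  --certificate="FILE:cert-ee.pem" || exit 1

echo "verify certificate null subject"
hxtool verify --missing-revoke \
  cert:FILE:cert-ee.pem \
  anchor:FILE:cert-ca.pem > /dev/null || exit 1

exit 0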