xref: /freebsd/crypto/heimdal/lib/hx509/test_chain.in (revision 43a5ec4eb41567cc92586503212743d89686d78f)
1#!/bin/sh
2#
3# Copyright (c) 2004 - 2006 Kungliga Tekniska Högskolan
4# (Royal Institute of Technology, Stockholm, Sweden).
5# All rights reserved.
6#
7# Redistribution and use in source and binary forms, with or without
8# modification, are permitted provided that the following conditions
9# are met:
10#
11# 1. Redistributions of source code must retain the above copyright
12#    notice, this list of conditions and the following disclaimer.
13#
14# 2. Redistributions in binary form must reproduce the above copyright
15#    notice, this list of conditions and the following disclaimer in the
16#    documentation and/or other materials provided with the distribution.
17#
18# 3. Neither the name of the Institute nor the names of its contributors
19#    may be used to endorse or promote products derived from this software
20#    without specific prior written permission.
21#
22# THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
23# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
24# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
25# ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
26# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
27# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
28# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
29# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
30# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
31# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
32# SUCH DAMAGE.
33#
34# $Id$
35#
36
37srcdir="@srcdir@"
38objdir="@objdir@"
39
40stat="--statistic-file=${objdir}/statfile"
41
42hxtool="${TESTS_ENVIRONMENT} ./hxtool ${stat}"
43if ${hxtool} info | grep 'rsa: hcrypto null RSA' > /dev/null ; then
44    exit 77
45fi
46if ${hxtool} info | grep 'rand: not available' > /dev/null ; then
47    exit 77
48fi
49
50echo "cert -> root"
51${hxtool} verify --missing-revoke \
52	cert:FILE:$srcdir/data/test.crt \
53	chain:FILE:$srcdir/data/test.crt \
54	chain:FILE:$srcdir/data/ca.crt \
55	anchor:FILE:$srcdir/data/ca.crt > /dev/null || exit 1
56
57echo "cert -> root"
58${hxtool} verify --missing-revoke \
59	cert:FILE:$srcdir/data/test.crt \
60	chain:FILE:$srcdir/data/ca.crt \
61	anchor:FILE:$srcdir/data/ca.crt > /dev/null || exit 1
62
63echo "cert -> root"
64${hxtool} verify --missing-revoke \
65	cert:FILE:$srcdir/data/test.crt \
66	anchor:FILE:$srcdir/data/ca.crt > /dev/null || exit 1
67
68echo "sub-cert -> root"
69${hxtool} verify --missing-revoke \
70	cert:FILE:$srcdir/data/sub-cert.crt \
71	chain:FILE:$srcdir/data/ca.crt \
72	anchor:FILE:$srcdir/data/ca.crt > /dev/null && exit 1
73
74echo "sub-cert -> sub-ca -> root"
75${hxtool} verify --missing-revoke \
76	cert:FILE:$srcdir/data/sub-cert.crt \
77	chain:FILE:$srcdir/data/sub-ca.crt \
78	chain:FILE:$srcdir/data/ca.crt \
79	anchor:FILE:$srcdir/data/ca.crt > /dev/null || exit 1
80
81echo "sub-cert -> sub-ca"
82${hxtool} verify --missing-revoke \
83	cert:FILE:$srcdir/data/sub-cert.crt \
84	anchor:FILE:$srcdir/data/sub-ca.crt > /dev/null || exit 1
85
86echo "sub-cert -> sub-ca -> root"
87${hxtool} verify --missing-revoke \
88	cert:FILE:$srcdir/data/sub-cert.crt \
89	chain:FILE:$srcdir/data/sub-ca.crt \
90	chain:FILE:$srcdir/data/ca.crt \
91	anchor:FILE:$srcdir/data/ca.crt > /dev/null || exit 1
92
93echo "sub-cert -> sub-ca -> root"
94${hxtool} verify --missing-revoke \
95	cert:FILE:$srcdir/data/sub-cert.crt \
96	chain:FILE:$srcdir/data/ca.crt \
97	chain:FILE:$srcdir/data/sub-ca.crt \
98	anchor:FILE:$srcdir/data/ca.crt > /dev/null || exit 1
99
100echo "sub-cert -> sub-ca -> root"
101${hxtool} verify --missing-revoke \
102	cert:FILE:$srcdir/data/sub-cert.crt \
103	chain:FILE:$srcdir/data/sub-ca.crt \
104	anchor:FILE:$srcdir/data/ca.crt > /dev/null || exit 1
105
106echo "max depth 2 (ok)"
107${hxtool} verify --missing-revoke \
108	--max-depth=2 \
109	cert:FILE:$srcdir/data/sub-cert.crt \
110	chain:FILE:$srcdir/data/sub-ca.crt \
111	anchor:FILE:$srcdir/data/ca.crt > /dev/null && exit 1
112
113echo "max depth 1 (fail)"
114${hxtool} verify --missing-revoke \
115	--max-depth=1 \
116	cert:FILE:$srcdir/data/sub-cert.crt \
117	chain:FILE:$srcdir/data/sub-ca.crt \
118	anchor:FILE:$srcdir/data/ca.crt > /dev/null && exit 1
119
120echo "ocsp non-ca responder"
121${hxtool} verify \
122    cert:FILE:$srcdir/data/test.crt \
123    anchor:FILE:$srcdir/data/ca.crt \
124    ocsp:FILE:$srcdir/data/ocsp-resp1-ocsp.der > /dev/null || exit 1
125
126echo "ocsp ca responder"
127${hxtool} verify \
128    cert:FILE:$srcdir/data/test.crt \
129    anchor:FILE:$srcdir/data/ca.crt \
130    ocsp:FILE:$srcdir/data/ocsp-resp1-ca.der > /dev/null || exit 1
131
132echo "ocsp no-ca responder, missing cert"
133${hxtool} verify \
134    cert:FILE:$srcdir/data/test.crt \
135    anchor:FILE:$srcdir/data/ca.crt \
136    ocsp:FILE:$srcdir/data/ocsp-resp1-ocsp-no-cert.der > /dev/null && exit 1
137
138echo "ocsp no-ca responder, missing cert, in pool"
139${hxtool} verify \
140    cert:FILE:$srcdir/data/test.crt \
141    anchor:FILE:$srcdir/data/ca.crt \
142    ocsp:FILE:$srcdir/data/ocsp-resp1-ocsp-no-cert.der \
143    chain:FILE:$srcdir/data/ocsp-responder.crt > /dev/null || exit 1
144
145echo "ocsp no-ca responder, keyHash"
146${hxtool} verify \
147    cert:FILE:$srcdir/data/test.crt \
148    anchor:FILE:$srcdir/data/ca.crt \
149    ocsp:FILE:$srcdir/data/ocsp-resp1-keyhash.der > /dev/null || exit 1
150
151echo "ocsp revoked cert"
152${hxtool} verify \
153    cert:FILE:$srcdir/data/revoke.crt \
154    anchor:FILE:$srcdir/data/ca.crt \
155    ocsp:FILE:$srcdir/data/ocsp-resp2.der > /dev/null && exit 1
156
157for a in resp1-ocsp-no-cert resp1-ca resp1-keyhash resp2 ; do
158	echo "ocsp print reply $a"
159	${hxtool} ocsp-print \
160	    $srcdir/data/ocsp-${a}.der > /dev/null || exit 1
161done
162
163echo "ocsp verify exists"
164${hxtool} ocsp-verify \
165	--ocsp-file=$srcdir/data/ocsp-resp1-ca.der \
166	FILE:$srcdir/data/test.crt > /dev/null || exit 1
167
168echo "ocsp verify not exists"
169${hxtool} ocsp-verify \
170    --ocsp-file=$srcdir/data/ocsp-resp1.der \
171	FILE:$srcdir/data/ca.crt > /dev/null && exit 1
172
173echo "ocsp verify revoked"
174${hxtool} ocsp-verify \
175    --ocsp-file=$srcdir/data/ocsp-resp2.der \
176	FILE:$srcdir/data/revoke.crt > /dev/null && exit 1
177
178echo "crl non-revoked cert"
179${hxtool} verify \
180    cert:FILE:$srcdir/data/test.crt \
181    anchor:FILE:$srcdir/data/ca.crt \
182    crl:FILE:$srcdir/data/crl1.der > /dev/null || exit 1
183
184echo "crl revoked cert"
185${hxtool} verify \
186    cert:FILE:$srcdir/data/revoke.crt \
187    anchor:FILE:$srcdir/data/ca.crt \
188    crl:FILE:$srcdir/data/crl1.der > /dev/null && exit 1
189
190if ${hxtool} info | grep 'ecdsa: hcrypto null' > /dev/null ; then
191    echo "not testing ECDSA since hcrypto doesnt support ECDSA"
192else
193    echo "eccert -> root"
194    ${hxtool} verify --missing-revoke \
195    	cert:FILE:$srcdir/data/secp160r2TestServer.cert.pem \
196    	anchor:FILE:$srcdir/data/secp160r1TestCA.cert.pem > /dev/null || exit 1
197
198    echo "eccert -> root"
199    ${hxtool} verify --missing-revoke \
200    	cert:FILE:$srcdir/data/secp160r2TestClient.cert.pem \
201    	anchor:FILE:$srcdir/data/secp160r1TestCA.cert.pem > /dev/null || exit 1
202fi
203
204echo "proxy cert"
205${hxtool} verify --missing-revoke \
206    --allow-proxy-certificate \
207    cert:FILE:$srcdir/data/proxy-test.crt \
208    chain:FILE:$srcdir/data/test.crt \
209    anchor:FILE:$srcdir/data/ca.crt > /dev/null || exit 1
210
211echo "proxy cert (negative)"
212${hxtool} verify --missing-revoke \
213    cert:FILE:$srcdir/data/proxy-test.crt \
214    chain:FILE:$srcdir/data/test.crt \
215    anchor:FILE:$srcdir/data/ca.crt > /dev/null && exit 1
216
217echo "proxy cert (level fail)"
218${hxtool} verify --missing-revoke \
219    --allow-proxy-certificate \
220    cert:FILE:$srcdir/data/proxy-level-test.crt \
221    chain:FILE:$srcdir/data/proxy-test.crt \
222    chain:FILE:$srcdir/data/test.crt \
223    anchor:FILE:$srcdir/data/ca.crt > /dev/null && exit 1
224
225echo "not a proxy cert"
226${hxtool} verify --missing-revoke \
227    --allow-proxy-certificate \
228    cert:FILE:$srcdir/data/no-proxy-test.crt \
229    chain:FILE:$srcdir/data/test.crt \
230    anchor:FILE:$srcdir/data/ca.crt > /dev/null && exit 1
231
232echo "proxy cert (max level 10)"
233${hxtool} verify --missing-revoke \
234    --allow-proxy-certificate \
235    cert:FILE:$srcdir/data/proxy10-test.crt \
236    chain:FILE:$srcdir/data/test.crt \
237    anchor:FILE:$srcdir/data/ca.crt > /dev/null || exit 1
238
239echo "proxy cert (second level)"
240${hxtool} verify --missing-revoke \
241    --allow-proxy-certificate \
242    cert:FILE:$srcdir/data/proxy10-child-test.crt \
243    chain:FILE:$srcdir/data/proxy10-test.crt \
244    chain:FILE:$srcdir/data/test.crt \
245    anchor:FILE:$srcdir/data/ca.crt > /dev/null || exit 1
246
247echo "proxy cert (third level)"
248${hxtool} verify --missing-revoke \
249    --allow-proxy-certificate \
250    cert:FILE:$srcdir/data/proxy10-child-child-test.crt \
251    chain:FILE:$srcdir/data/proxy10-child-test.crt \
252    chain:FILE:$srcdir/data/proxy10-test.crt \
253    chain:FILE:$srcdir/data/test.crt \
254    anchor:FILE:$srcdir/data/ca.crt > /dev/null || exit 1
255
256exit 0
257