1#!/bin/sh
2#
3# Copyright (c) 2005 Kungliga Tekniska Högskolan
4# (Royal Institute of Technology, Stockholm, Sweden).
5# All rights reserved.
6#
7# Redistribution and use in source and binary forms, with or without
8# modification, are permitted provided that the following conditions
9# are met:
10#
11# 1. Redistributions of source code must retain the above copyright
12#    notice, this list of conditions and the following disclaimer.
13#
14# 2. Redistributions in binary form must reproduce the above copyright
15#    notice, this list of conditions and the following disclaimer in the
16#    documentation and/or other materials provided with the distribution.
17#
18# 3. Neither the name of the Institute nor the names of its contributors
19#    may be used to endorse or promote products derived from this software
20#    without specific prior written permission.
21#
22# THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
23# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
24# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
25# ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
26# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
27# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
28# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
29# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
30# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
31# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
32# SUCH DAMAGE.
33#
34# $Id$
35#
36
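srcdir="@srcdir@"
objdir="@objdir@"

# Exercises hxtool's CMS support: each step is a create/verify (SignedData)
# or envelope/unenvelope (EnvelopedData) round trip whose output is compared
# with cmp against the input it was built from.  Steps labelled "failure"
# are expected to be rejected by hxtool, so there the test exits 1 when the
# command *succeeds*.  Exit status 77 is the automake "test skipped" code.
#
# Every verification step checks hxtool's exit status explicitly: a verify
# that fails without being checked would leave the sd.data.out written by
# the previous step in place, and the following cmp could still pass.

stat="--statistic-file=${objdir}/statfile"

# Left unquoted at every use below so that TESTS_ENVIRONMENT (a wrapper
# command, if any) and the option split into separate words.
hxtool="${TESTS_ENVIRONMENT} ./hxtool ${stat}"

# Skip the whole test when hcrypto reports no RSA or no random source.
if ${hxtool} info | grep 'rsa: hcrypto null RSA' > /dev/null ; then
    exit 77
fi
if ${hxtool} info | grep 'rand: not available' > /dev/null ; then
    exit 77
fi

# ECDSA round trip only when the backend provides it; the signer here is a
# PEM file that carries both certificate and key, so no ",key" suffix.
if ${hxtool} info | grep 'ecdsa: hcrypto null' > /dev/null ; then
    echo "not testing ECDSA since hcrypto doesnt support ECDSA"
else
    echo "create signed data (ec)"
    ${hxtool} cms-create-sd \
	--certificate=FILE:$srcdir/data/secp160r2TestClient.pem \
	"$srcdir/test_chain.in" \
	sd.data > /dev/null || exit 1

    echo "verify signed data (ec)"
    ${hxtool} cms-verify-sd \
	--missing-revoke \
	--anchors=FILE:$srcdir/data/secp160r1TestCA.cert.pem \
	sd.data sd.data.out > /dev/null || exit 1
    cmp "$srcdir/test_chain.in" sd.data.out || exit 1
fi

# Baseline RSA round trip.  --missing-revoke is passed to every verify
# below; presumably the fixtures ship no revocation data (confirm in hxtool).
echo "create signed data"
${hxtool} cms-create-sd \
	--certificate=FILE:$srcdir/data/test.crt,$srcdir/data/test.key \
	"$srcdir/test_chain.in" \
	sd.data > /dev/null || exit 1

echo "verify signed data"
${hxtool} cms-verify-sd \
	--missing-revoke \
	--anchors=FILE:$srcdir/data/ca.crt \
	sd.data sd.data.out > /dev/null || exit 1
cmp "$srcdir/test_chain.in" sd.data.out || exit 1

# SignedData with no SignerInfo: verify must only accept it when told to
# (--no-signer-allowed) and must then report the content as "unsigned".
echo "create signed data (no signer)"
${hxtool} cms-create-sd \
	--no-signer \
	--certificate=FILE:$srcdir/data/test.crt,$srcdir/data/test.key \
	"$srcdir/test_chain.in" \
	sd.data > /dev/null || exit 1

echo "verify signed data (no signer)"
${hxtool} cms-verify-sd \
	--missing-revoke \
	--no-signer-allowed \
	--anchors=FILE:$srcdir/data/ca.crt \
	sd.data sd.data.out > signer.tmp || exit 1
cmp "$srcdir/test_chain.in" sd.data.out || exit 1
grep "unsigned" signer.tmp > /dev/null || exit 1

# Same input without --no-signer-allowed must be rejected, with the
# diagnostic on stderr.  (The pattern matches hxtool's message as spelled.)
echo "verify signed data (no signer) (test failure)"
${hxtool} cms-verify-sd \
	--missing-revoke \
	--anchors=FILE:$srcdir/data/ca.crt \
	sd.data sd.data.out 2> signer.tmp && exit 1
grep "No signers where found" signer.tmp > /dev/null || exit 1

# Signer identified by issuer/serial name form instead of the default.
echo "create signed data (id-by-name)"
${hxtool} cms-create-sd \
	--certificate=FILE:$srcdir/data/test.crt,$srcdir/data/test.key \
	--id-by-name \
	"$srcdir/test_chain.in" \
	sd.data > /dev/null || exit 1

echo "verify signed data"
${hxtool} cms-verify-sd \
	--missing-revoke \
	--anchors=FILE:$srcdir/data/ca.crt \
	sd.data sd.data.out > /dev/null || exit 1
cmp "$srcdir/test_chain.in" sd.data.out || exit 1

# The end-entity certificate itself used as the trust anchor.
echo "verify signed data (EE cert as anchor)"
${hxtool} cms-verify-sd \
	--missing-revoke \
	--anchors=FILE:$srcdir/data/test.crt \
	sd.data sd.data.out > /dev/null || exit 1
cmp "$srcdir/test_chain.in" sd.data.out || exit 1

# Password-protected private key (test fixture password).
echo "create signed data (password)"
${hxtool} cms-create-sd \
	--pass=PASS:foobar \
	--certificate=FILE:$srcdir/data/test.crt,$srcdir/data/test-pw.key \
	"$srcdir/test_chain.in" \
	sd.data > /dev/null || exit 1

echo "verify signed data"
${hxtool} cms-verify-sd \
	--missing-revoke \
	--anchors=FILE:$srcdir/data/ca.crt \
	sd.data sd.data.out > /dev/null || exit 1
cmp "$srcdir/test_chain.in" sd.data.out || exit 1

# Certificate and key in one file.
echo "create signed data (combined)"
${hxtool} cms-create-sd \
	--certificate=FILE:$srcdir/data/test.combined.crt \
	"$srcdir/test_chain.in" \
	sd.data > /dev/null || exit 1

echo "verify signed data"
${hxtool} cms-verify-sd \
	--missing-revoke \
	--anchors=FILE:$srcdir/data/ca.crt \
	sd.data sd.data.out > /dev/null || exit 1
cmp "$srcdir/test_chain.in" sd.data.out || exit 1

# Wrapped in a ContentInfo; both sides must agree on --content-info.
echo "create signed data  (content info)"
${hxtool} cms-create-sd \
	--certificate=FILE:$srcdir/data/test.crt,$srcdir/data/test.key \
	--content-info \
	"$srcdir/test_chain.in" \
	sd.data > /dev/null || exit 1

echo "verify signed data (content info)"
${hxtool} cms-verify-sd \
	--missing-revoke \
	--anchors=FILE:$srcdir/data/ca.crt \
	--content-info \
	sd.data sd.data.out > /dev/null || exit 1
cmp "$srcdir/test_chain.in" sd.data.out || exit 1

# Non-default eContentType OID; the verifier does not need to be told it.
echo "create signed data  (content type)"
${hxtool} cms-create-sd \
	--certificate=FILE:$srcdir/data/test.crt,$srcdir/data/test.key \
	--content-type=1.1.1.1 \
	"$srcdir/test_chain.in" \
	sd.data > /dev/null || exit 1

echo "verify signed data (content type)"
${hxtool} cms-verify-sd \
	--missing-revoke \
	--anchors=FILE:$srcdir/data/ca.crt \
	sd.data sd.data.out > /dev/null || exit 1
cmp "$srcdir/test_chain.in" sd.data.out || exit 1

# PEM encoding.  This verify previously ran with no "|| exit 1", so a
# failed verification went unnoticed; the status is now checked.
echo "create signed data (pem)"
${hxtool} cms-create-sd \
	--certificate=FILE:$srcdir/data/test.crt,$srcdir/data/test.key \
	--pem \
	"$srcdir/test_chain.in" \
	sd.data > /dev/null || exit 1

echo "verify signed data (pem)"
${hxtool} cms-verify-sd \
	--missing-revoke \
	--anchors=FILE:$srcdir/data/ca.crt \
	--pem \
	sd.data sd.data.out > /dev/null || exit 1
cmp "$srcdir/test_chain.in" sd.data.out || exit 1

# PEM, detached signature: the verifier is handed the content separately.
# Exit status was previously unchecked here as well.
echo "create signed data (pem, detached)"
${hxtool} cms-create-sd \
	--certificate=FILE:$srcdir/data/test.crt,$srcdir/data/test.key \
	--detached-signature \
	--pem \
	"$srcdir/test_chain.in" \
	sd.data > /dev/null || exit 1

echo "verify signed data (pem, detached)"
${hxtool} cms-verify-sd \
	--missing-revoke \
	--anchors=FILE:$srcdir/data/ca.crt \
	--pem \
	--signed-content="$srcdir/test_chain.in" \
	sd.data sd.data.out > /dev/null || exit 1
cmp "$srcdir/test_chain.in" sd.data.out || exit 1

# Signer taken from a PKCS#12 store, selected by friendly name.
echo "create signed data (p12)"
${hxtool} cms-create-sd \
	--pass=PASS:foobar \
	--certificate=PKCS12:$srcdir/data/test.p12 \
	--signer=friendlyname-test \
	"$srcdir/test_chain.in" \
	sd.data > /dev/null || exit 1

# From here on, pre-built SignedData fixtures over data/static-file are
# verified (the p12-signed sd.data above is not verified).
echo "verify signed data"
${hxtool} cms-verify-sd \
	--missing-revoke \
	--anchors=FILE:$srcdir/data/ca.crt \
	--content-info \
	"$srcdir/data/test-signed-data" sd.data.out > /dev/null || exit 1
cmp "$srcdir/data/static-file" sd.data.out || exit 1

echo "verify signed data (no attr)"
${hxtool} cms-verify-sd \
	--missing-revoke \
	--anchors=FILE:$srcdir/data/ca.crt \
	--content-info \
	"$srcdir/data/test-signed-data-noattr" sd.data.out > /dev/null || exit 1
cmp "$srcdir/data/static-file" sd.data.out || exit 1

# Fixture carries no certificates: verification must fail until the signer
# certificate is supplied out of band with --certificate.
echo "verify failure signed data (no attr, no certs)"
${hxtool} cms-verify-sd \
	--missing-revoke \
	--anchors=FILE:$srcdir/data/ca.crt \
	--content-info \
	"$srcdir/data/test-signed-data-noattr-nocerts" \
	sd.data.out > /dev/null 2>/dev/null && exit 1

echo "verify signed data (no attr, no certs)"
${hxtool} cms-verify-sd \
	--missing-revoke \
	--anchors=FILE:$srcdir/data/ca.crt \
	--certificate=FILE:$srcdir/data/test.crt \
	--content-info \
	"$srcdir/data/test-signed-data-noattr-nocerts" \
	sd.data.out > /dev/null || exit 1
cmp "$srcdir/data/static-file" sd.data.out || exit 1

# Digest algorithm coverage on static fixtures.
echo "verify signed data - sha1"
${hxtool} cms-verify-sd \
	--missing-revoke \
	--anchors=FILE:$srcdir/data/ca.crt \
	--content-info \
	"$srcdir/data/test-signed-sha-1" sd.data.out > /dev/null || exit 1
cmp "$srcdir/data/static-file" sd.data.out || exit 1

echo "verify signed data - sha256"
${hxtool} cms-verify-sd \
	--missing-revoke \
	--anchors=FILE:$srcdir/data/ca.crt \
	--content-info \
	"$srcdir/data/test-signed-sha-256" sd.data.out > /dev/null || exit 1
cmp "$srcdir/data/static-file" sd.data.out || exit 1

# Disabled in the original; kept for when the sha-512 fixture is usable.
#echo "verify signed data - sha512"
#${hxtool} cms-verify-sd \
#	--missing-revoke \
#	--anchors=FILE:$srcdir/data/ca.crt \
#	--content-info \
#	"$srcdir/data/test-signed-sha-512" sd.data.out > /dev/null || exit 1
#cmp "$srcdir/data/static-file" sd.data.out || exit 1


# Chain building: sub-cert is issued under sub-ca, which is not embedded
# here, so verifying against ca.crt alone must fail; passing sub-ca.crt
# to the verifier must make it succeed.
echo "create signed data (subcert, no certs)"
${hxtool} cms-create-sd \
	--certificate=FILE:$srcdir/data/sub-cert.crt,$srcdir/data/sub-cert.key \
	"$srcdir/test_chain.in" \
	sd.data > /dev/null || exit 1

echo "verify failure signed data"
${hxtool} cms-verify-sd \
	--missing-revoke \
	--anchors=FILE:$srcdir/data/ca.crt \
	sd.data sd.data.out > /dev/null 2> /dev/null && exit 1

echo "verify success signed data"
${hxtool} cms-verify-sd \
	--missing-revoke \
	--certificate=FILE:$srcdir/data/sub-ca.crt \
	--anchors=FILE:$srcdir/data/ca.crt \
	sd.data sd.data.out > /dev/null || exit 1
cmp "$srcdir/test_chain.in" sd.data.out || exit 1

# Same signer, but the intermediate is given to the *creator* via --pool
# (with and without the root as anchor), so the verifier needs nothing
# beyond ca.crt.
echo "create signed data (subcert, certs)"
${hxtool} cms-create-sd \
	--certificate=FILE:$srcdir/data/sub-cert.crt,$srcdir/data/sub-cert.key \
	--pool=FILE:$srcdir/data/sub-ca.crt \
	--anchors=FILE:$srcdir/data/ca.crt \
	"$srcdir/test_chain.in" \
	sd.data > /dev/null || exit 1

echo "verify success signed data"
${hxtool} cms-verify-sd \
	--missing-revoke \
	--anchors=FILE:$srcdir/data/ca.crt \
	sd.data sd.data.out > /dev/null || exit 1
cmp "$srcdir/test_chain.in" sd.data.out || exit 1

echo "create signed data (subcert, certs, no-root)"
${hxtool} cms-create-sd \
	--certificate=FILE:$srcdir/data/sub-cert.crt,$srcdir/data/sub-cert.key \
	--pool=FILE:$srcdir/data/sub-ca.crt \
	"$srcdir/test_chain.in" \
	sd.data > /dev/null || exit 1

echo "verify success signed data"
${hxtool} cms-verify-sd \
	--missing-revoke \
	--anchors=FILE:$srcdir/data/ca.crt \
	sd.data sd.data.out > /dev/null || exit 1
cmp "$srcdir/test_chain.in" sd.data.out || exit 1

echo "create signed data (subcert, no-subca, no-root)"
${hxtool} cms-create-sd \
	--certificate=FILE:$srcdir/data/sub-cert.crt,$srcdir/data/sub-cert.key \
	"$srcdir/test_chain.in" \
	sd.data > /dev/null || exit 1

echo "verify failure signed data"
${hxtool} cms-verify-sd \
	--missing-revoke \
	--anchors=FILE:$srcdir/data/ca.crt \
	sd.data sd.data.out > /dev/null 2>/dev/null && exit 1

# Signer selection: a ds-only (digital signature) certificate signs; a
# ke-only (key encipherment) certificate must be refused as the sole
# signer, and when both are offered in either order signing succeeds --
# presumably hxtool picks a key-usage-compatible one (confirm in hx509).
echo "create signed data (sd cert)"
${hxtool} cms-create-sd \
	--certificate=FILE:$srcdir/data/test-ds-only.crt,$srcdir/data/test-ds-only.key \
	"$srcdir/test_chain.in" \
	sd.data > /dev/null || exit 1

echo "create signed data (ke cert)"
${hxtool} cms-create-sd \
	--certificate=FILE:$srcdir/data/test-ke-only.crt,$srcdir/data/test-ke-only.key \
	"$srcdir/test_chain.in" \
	sd.data > /dev/null 2>/dev/null && exit 1

echo "create signed data (sd + ke certs)"
${hxtool} cms-create-sd \
	--certificate=FILE:$srcdir/data/test-ke-only.crt,$srcdir/data/test-ke-only.key \
	--certificate=FILE:$srcdir/data/test-ds-only.crt,$srcdir/data/test-ds-only.key \
	"$srcdir/test_chain.in" \
	sd.data > /dev/null || exit 1

echo "create signed data (ke + sd certs)"
${hxtool} cms-create-sd \
	--certificate=FILE:$srcdir/data/test-ds-only.crt,$srcdir/data/test-ds-only.key \
	--certificate=FILE:$srcdir/data/test-ke-only.crt,$srcdir/data/test-ke-only.key \
	"$srcdir/test_chain.in" \
	sd.data > /dev/null || exit 1

# Detached signature (DER): verification needs --signed-content and must
# fail without it.
echo "create signed data (detached)"
${hxtool} cms-create-sd \
	--certificate=FILE:$srcdir/data/test.crt,$srcdir/data/test.key \
	--detached-signature \
	"$srcdir/test_chain.in" \
	sd.data > /dev/null || exit 1

echo "verify signed data (detached)"
${hxtool} cms-verify-sd \
	--missing-revoke \
	--signed-content="$srcdir/test_chain.in" \
	--anchors=FILE:$srcdir/data/ca.crt \
	sd.data sd.data.out > /dev/null || exit 1
cmp "$srcdir/test_chain.in" sd.data.out || exit 1

echo "verify failure signed data (detached)"
${hxtool} cms-verify-sd \
	--missing-revoke \
	--anchors=FILE:$srcdir/data/ca.crt \
	sd.data sd.data.out > /dev/null 2>/dev/null && exit 1

# Explicit peer algorithm (the OID is rsaEncryption).
echo "create signed data (rsa)"
${hxtool} cms-create-sd \
	--peer-alg=1.2.840.113549.1.1.1 \
	--certificate=FILE:$srcdir/data/test.crt,$srcdir/data/test.key \
	"$srcdir/test_chain.in" \
	sd.data > /dev/null || exit 1

echo "verify signed data (rsa)"
${hxtool} cms-verify-sd \
	--missing-revoke \
	--anchors=FILE:$srcdir/data/ca.crt \
	sd.data sd.data.out > /dev/null 2>/dev/null || exit 1
cmp "$srcdir/test_chain.in" sd.data.out || exit 1

# cms-sign variants.  These take the file to sign in place ("sd"), so it is
# copied fresh before each run; the cp is checked so a missing input is
# reported as itself rather than as a cms-sign failure.
echo "create signed data (pem, detached)"
cp "$srcdir/test_chain.in" sd || exit 1
${hxtool} cms-sign \
	--certificate=FILE:$srcdir/data/test.crt,$srcdir/data/test.key \
	--detached-signature \
	--pem \
	sd > /dev/null || exit 1

# This verify previously had no exit-status check at all (and there is no
# cmp after it), so a broken PEM detached signature would have passed.
echo "verify signed data (pem, detached)"
${hxtool} cms-verify-sd \
	--missing-revoke \
	--anchors=FILE:$srcdir/data/ca.crt \
	--pem \
	sd.pem > /dev/null || exit 1

# Certificate embedding control with one, two and three signers.  Only
# creation is exercised here; there is no matching verify step.
echo "create signed data (no certs, detached sig)"
cp "$srcdir/test_chain.in" sd || exit 1
${hxtool} cms-sign \
	--certificate=FILE:$srcdir/data/test.crt,$srcdir/data/test.key \
	--detached-signature \
	--no-embedded-certs \
	"$srcdir/data/static-file" \
	sd > /dev/null || exit 1

echo "create signed data (leif only, detached sig)"
cp "$srcdir/test_chain.in" sd || exit 1
${hxtool} cms-sign \
	--certificate=FILE:$srcdir/data/test.crt,$srcdir/data/test.key \
	--detached-signature \
	--embed-leaf-only \
	"$srcdir/data/static-file" \
	sd > /dev/null || exit 1

echo "create signed data (no certs, detached sig, 2 signers)"
cp "$srcdir/test_chain.in" sd || exit 1
${hxtool} cms-sign \
	--certificate=FILE:$srcdir/data/test.crt,$srcdir/data/test.key \
	--certificate=FILE:$srcdir/data/sub-cert.crt,$srcdir/data/sub-cert.key \
	--detached-signature \
	--no-embedded-certs \
	"$srcdir/data/static-file" \
	sd > /dev/null || exit 1

echo "create signed data (no certs, detached sig, 3 signers)"
cp "$srcdir/test_chain.in" sd || exit 1
${hxtool} cms-sign \
	--certificate=FILE:$srcdir/data/test.crt,$srcdir/data/test.key \
	--certificate=FILE:$srcdir/data/sub-cert.crt,$srcdir/data/sub-cert.key \
	--certificate=FILE:$srcdir/data/test-ds-only.crt,$srcdir/data/test-ds-only.key \
	--detached-signature \
	--no-embedded-certs \
	"$srcdir/data/static-file" \
	sd > /dev/null || exit 1

# EnvelopedData: encrypt to test.crt, decrypt with test.key.  The trailing
# FILE: argument to cms-unenvelope is passed as in the original.
echo "envelope data (content-type)"
${hxtool} cms-envelope \
	--certificate=FILE:$srcdir/data/test.crt \
	--content-type=1.1.1.1 \
	"$srcdir/data/static-file" \
	ev.data > /dev/null || exit 1

echo "unenvelope data (content-type)"
${hxtool} cms-unenvelope \
	--certificate=FILE:$srcdir/data/test.crt,$srcdir/data/test.key \
	ev.data ev.data.out \
	FILE:$srcdir/data/test.crt,$srcdir/data/test.key > /dev/null || exit 1
cmp "$srcdir/data/static-file" ev.data.out || exit 1

echo "envelope data (content-info)"
${hxtool} cms-envelope \
	--certificate=FILE:$srcdir/data/test.crt \
	--content-info \
	"$srcdir/data/static-file" \
	ev.data > /dev/null || exit 1

echo "unenvelope data (content-info)"
${hxtool} cms-unenvelope \
	--certificate=FILE:$srcdir/data/test.crt,$srcdir/data/test.key \
	--content-info \
	ev.data ev.data.out \
	FILE:$srcdir/data/test.crt,$srcdir/data/test.key > /dev/null || exit 1
cmp "$srcdir/data/static-file" ev.data.out || exit 1

# Content-encryption algorithm round trips (CBC mode of each cipher).
# Outputs are removed first so a silently failing step cannot reuse the
# previous iteration's files.
for a in des-ede3 aes-128 aes-256; do

	rm -f ev.data ev.data.out
	echo "envelope data ($a)"
	${hxtool} cms-envelope \
		--encryption-type="$a-cbc" \
		--certificate=FILE:$srcdir/data/test.crt \
		"$srcdir/data/static-file" \
		ev.data  || exit 1

	echo "unenvelope data ($a)"
	${hxtool} cms-unenvelope \
		--certificate=FILE:$srcdir/data/test.crt,$srcdir/data/test.key \
		ev.data ev.data.out > /dev/null || exit 1
	cmp "$srcdir/data/static-file" ev.data.out || exit 1
done

# Decrypt pre-built EnvelopedData fixtures.  The list includes RC2, which
# hxtool only accepts with --allow-weak; the flag is passed for every
# iteration, so this loop does not show that strong ciphers work without it.
for a in rc2-40 rc2-64 rc2-128 des-ede3 aes-128 aes-256; do
    echo "static unenvelope data ($a)"

    rm -f ev.data.out
    ${hxtool} cms-unenvelope \
	--certificate=FILE:$srcdir/data/test.crt,$srcdir/data/test.key \
	--content-info \
	--allow-weak \
	"$srcdir/data/test-enveloped-$a" ev.data.out > /dev/null || exit 1
    cmp "$srcdir/data/static-file" ev.data.out || exit 1
done

exit 0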
515