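#!/bin/sh
#
# Copyright (c) 2006 - 2007 Kungliga Tekniska Högskolan
# (Royal Institute of Technology, Stockholm, Sweden).
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
#
# 1. Redistributions of source code must retain the above copyright
#    notice, this list of conditions and the following disclaimer.
#
# 2. Redistributions in binary form must reproduce the above copyright
#    notice, this list of conditions and the following disclaimer in the
#    documentation and/or other materials provided with the distribution.
#
# 3. Neither the name of the Institute nor the names of its contributors
#    may be used to endorse or promote products derived from this software
#    without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
# SUCH DAMAGE.
#
# $Id$
#
# Exercise hxtool's mini-CA: certificate requests, issuance with various
# extensions, CRL signing, and positive/negative path validation.
#
# Conventions used throughout:
#   cmd || exit 1   the step must succeed.
#   cmd && exit 1   a *negative* test: verification is expected to be
#                   refused, and a verify that succeeds is a test failure.
#   exit 77         automake "skipped".
#
# The keys under $srcdir/data (key.der, ca.key, test.key) and the PEM
# files written into the build directory are test fixtures only; never
# reuse them outside the test suite.

srcdir="@srcdir@"
objdir="@objdir@"

# hxtool writes per-run statistics here, into the build tree.
stat="--statistic-file=${objdir}/statfile"

# ${hxtool} is a command *prefix* (optional wrapper from TESTS_ENVIRONMENT,
# the binary, and the statistics option), so it is deliberately expanded
# unquoted below so that the shell word-splits it.  Every path derived
# from $srcdir, by contrast, is quoted.
hxtool="${TESTS_ENVIRONMENT} ./hxtool ${stat}"

# Skip the whole test when the crypto backend cannot do real RSA or has
# no entropy source; nothing below can be meaningful in that build.
if ${hxtool} info | grep 'rsa: hcrypto null RSA' > /dev/null ; then
    exit 77
fi
if ${hxtool} info | grep 'rand: not available' > /dev/null ; then
    exit 77
fi

echo "create certificate request"
${hxtool} request-create \
	--subject="CN=Love,DC=it,DC=su,DC=se" \
	--key="FILE:$srcdir/data/key.der" \
	pkcs10-request.der || exit 1

# The CA's --subject overrides the subject carried in the PKCS#10 request;
# only the key is taken from the request.
echo "issue certificate"
${hxtool} issue-certificate \
	--ca-certificate="FILE:$srcdir/data/ca.crt,$srcdir/data/ca.key" \
	--subject="cn=foo" \
	--req="PKCS10:pkcs10-request.der" \
	--certificate="FILE:cert-ee.pem" || exit 1

# --missing-revoke: no CRL is supplied, and absence of revocation data is
# tolerated for this step only.  The CRL cases below deliberately omit it
# so that revocation status actually has to be established.
echo "verify certificate"
${hxtool} verify --missing-revoke \
	cert:FILE:cert-ee.pem \
	anchor:FILE:"$srcdir/data/ca.crt" > /dev/null || exit 1

echo "issue crl (no cert)"
${hxtool} crl-sign \
	--crl-file=crl.crl \
	--signer="FILE:$srcdir/data/ca.crt,$srcdir/data/ca.key" || exit 1

echo "verify certificate (with CRL)"
${hxtool} verify \
	cert:FILE:cert-ee.pem \
	crl:FILE:crl.crl \
	anchor:FILE:"$srcdir/data/ca.crt" > /dev/null || exit 1

# Revoke cert-ee: a CRL listing it must now make verification fail.
echo "issue crl (with cert)"
${hxtool} crl-sign \
	--crl-file=crl.crl \
	--signer="FILE:$srcdir/data/ca.crt,$srcdir/data/ca.key" \
	FILE:cert-ee.pem || exit 1

echo "verify certificate (included in CRL)"
${hxtool} verify \
	cert:FILE:cert-ee.pem \
	crl:FILE:crl.crl \
	anchor:FILE:"$srcdir/data/ca.crt" > /dev/null && exit 1

# Same revocation, but with an explicit CRL validity period.
echo "issue crl (with cert, lifetime 1 month)"
${hxtool} crl-sign \
	--crl-file=crl.crl \
	--lifetime='1 month' \
	--signer="FILE:$srcdir/data/ca.crt,$srcdir/data/ca.key" \
	FILE:cert-ee.pem || exit 1

echo "verify certificate (included in CRL, and lifetime 1 month)"
${hxtool} verify \
	cert:FILE:cert-ee.pem \
	crl:FILE:crl.crl \
	anchor:FILE:"$srcdir/data/ca.crt" > /dev/null && exit 1

# The following issuance variants only check that hxtool accepts the
# option combination and produces a certificate; they are not verified.
echo "issue certificate (10years 1 month)"
${hxtool} issue-certificate \
	--ca-certificate="FILE:$srcdir/data/ca.crt,$srcdir/data/ca.key" \
	--subject="cn=foo" \
	--lifetime="10years 1 month" \
	--req="PKCS10:pkcs10-request.der" \
	--certificate="FILE:cert-ee.pem" || exit 1

echo "issue certificate (with https ekus)"
${hxtool} issue-certificate \
	--ca-certificate="FILE:$srcdir/data/ca.crt,$srcdir/data/ca.key" \
	--subject="cn=foo" \
	--type="https-server" \
	--type="https-client" \
	--req="PKCS10:pkcs10-request.der" \
	--certificate="FILE:cert-ee.pem" || exit 1

echo "issue certificate (pkinit KDC)"
${hxtool} issue-certificate \
	--ca-certificate="FILE:$srcdir/data/ca.crt,$srcdir/data/ca.key" \
	--subject="cn=foo" \
	--type="pkinit-kdc" \
	--pk-init-principal="krbtgt/TEST.H5L.SE@TEST.H5L.SE" \
	--req="PKCS10:pkcs10-request.der" \
	--certificate="FILE:cert-ee.pem" || exit 1

echo "issue certificate (pkinit client)"
${hxtool} issue-certificate \
	--ca-certificate="FILE:$srcdir/data/ca.crt,$srcdir/data/ca.key" \
	--subject="cn=foo" \
	--type="pkinit-client" \
	--pk-init-principal="lha@TEST.H5L.SE" \
	--req="PKCS10:pkcs10-request.der" \
	--certificate="FILE:cert-ee.pem" || exit 1

# Hostname matching: two SAN dNSNames are issued, then verify is asked
# for an exact match, a near-miss with an extra label character, and a
# near-miss with a leading character.  Only the exact name may pass.
echo "issue certificate (hostnames)"
${hxtool} issue-certificate \
	--ca-certificate="FILE:$srcdir/data/ca.crt,$srcdir/data/ca.key" \
	--subject="cn=foo" \
	--type="https-server" \
	--hostname="www.test.h5l.se" \
	--hostname="ftp.test.h5l.se" \
	--req="PKCS10:pkcs10-request.der" \
	--certificate="FILE:cert-ee.pem" || exit 1

echo "verify certificate hostname (ok)"
${hxtool} verify --missing-revoke \
	--hostname=www.test.h5l.se \
	cert:FILE:cert-ee.pem \
	anchor:FILE:"$srcdir/data/ca.crt" > /dev/null || exit 1

echo "verify certificate hostname (fail)"
${hxtool} verify --missing-revoke \
	--hostname=www2.test.h5l.se \
	cert:FILE:cert-ee.pem \
	anchor:FILE:"$srcdir/data/ca.crt" > /dev/null && exit 1

echo "verify certificate hostname (fail)"
${hxtool} verify --missing-revoke \
	--hostname=2www.test.h5l.se \
	cert:FILE:cert-ee.pem \
	anchor:FILE:"$srcdir/data/ca.crt" > /dev/null && exit 1

# Same matching rules when the name lives only in the subject CN
# (no --hostname SAN is added here).
echo "issue certificate (hostname in CN)"
${hxtool} issue-certificate \
	--ca-certificate="FILE:$srcdir/data/ca.crt,$srcdir/data/ca.key" \
	--subject="cn=www.test.h5l.se" \
	--type="https-server" \
	--req="PKCS10:pkcs10-request.der" \
	--certificate="FILE:cert-ee.pem" || exit 1

echo "verify certificate hostname (ok)"
${hxtool} verify --missing-revoke \
	--hostname=www.test.h5l.se \
	cert:FILE:cert-ee.pem \
	anchor:FILE:"$srcdir/data/ca.crt" > /dev/null || exit 1

echo "verify certificate hostname (fail)"
${hxtool} verify --missing-revoke \
	--hostname=www2.test.h5l.se \
	cert:FILE:cert-ee.pem \
	anchor:FILE:"$srcdir/data/ca.crt" > /dev/null && exit 1

echo "issue certificate (email)"
${hxtool} issue-certificate \
	--ca-certificate="FILE:$srcdir/data/ca.crt,$srcdir/data/ca.key" \
	--subject="cn=foo" \
	--email="lha@test.h5l.se" \
	--email="test@test.h5l.se" \
	--req="PKCS10:pkcs10-request.der" \
	--certificate="FILE:cert-ee.pem" || exit 1

# An empty subject DN is only acceptable together with a SAN; here the
# rfc822Name supplies the identity.
echo "issue certificate (email, null subject DN)"
${hxtool} issue-certificate \
	--ca-certificate="FILE:$srcdir/data/ca.crt,$srcdir/data/ca.key" \
	--subject="" \
	--email="lha@test.h5l.se" \
	--req="PKCS10:pkcs10-request.der" \
	--certificate="FILE:cert-null.pem" || exit 1

echo "issue certificate (jabber)"
${hxtool} issue-certificate \
	--ca-certificate="FILE:$srcdir/data/ca.crt,$srcdir/data/ca.key" \
	--subject="cn=foo" \
	--jid="lha@test.h5l.se" \
	--req="PKCS10:pkcs10-request.der" \
	--certificate="FILE:cert-ee.pem" || exit 1

# Self-signed: the issuing key is the subject key, so no CA certificate
# and no request are involved.
echo "issue self-signed cert"
${hxtool} issue-certificate \
	--self-signed \
	--ca-private-key="FILE:$srcdir/data/key.der" \
	--subject="cn=test" \
	--certificate="FILE:cert-ee.pem" || exit 1

echo "issue ca cert"
${hxtool} issue-certificate \
	--ca-certificate="FILE:$srcdir/data/ca.crt,$srcdir/data/ca.key" \
	--issue-ca \
	--subject="cn=ca-cert" \
	--req="PKCS10:pkcs10-request.der" \
	--certificate="FILE:cert-ca.der" || exit 1

echo "issue self-signed ca cert"
${hxtool} issue-certificate \
	--self-signed \
	--issue-ca \
	--ca-private-key="FILE:$srcdir/data/key.der" \
	--subject="cn=ca-root" \
	--certificate="FILE:cert-ca.der" || exit 1

# Proxy certificate (RFC 3820 style): signed by the end-entity test.crt,
# not by the CA.  verify rejects proxy certificates unless the caller
# opts in with --allow-proxy-certificate, which this positive test does.
echo "issue proxy certificate"
${hxtool} issue-certificate \
	--ca-certificate="FILE:$srcdir/data/test.crt,$srcdir/data/test.key" \
	--issue-proxy \
	--req="PKCS10:pkcs10-request.der" \
	--certificate="FILE:cert-proxy.der" || exit 1

echo "verify proxy cert"
${hxtool} verify --missing-revoke \
	--allow-proxy-certificate \
	cert:FILE:cert-proxy.der \
	chain:FILE:"$srcdir/data/test.crt" \
	anchor:FILE:"$srcdir/data/ca.crt" > /dev/null || exit 1

# Build a fresh two-level hierarchy with generated keys.  cert-ca.pem
# evidently ends up holding the generated private key as well, since it
# is later reused as --ca-private-key.  --path-length=-1 presumably means
# "no pathLenConstraint" (the explicit 0/1 cases are tested further down).
echo "issue ca cert (generate rsa key)"
${hxtool} issue-certificate \
	--self-signed \
	--issue-ca \
	--serial-number="deadbeaf" \
	--generate-key=rsa \
	--path-length=-1 \
	--subject="cn=ca2-cert" \
	--certificate="FILE:cert-ca.pem" || exit 1

echo "issue sub-ca cert (generate rsa key)"
${hxtool} issue-certificate \
	--ca-certificate=FILE:cert-ca.pem \
	--issue-ca \
	--serial-number="deadbeaf22" \
	--generate-key=rsa \
	--subject="cn=sub-ca2-cert" \
	--certificate="FILE:cert-sub-ca.pem" || exit 1

echo "issue ee cert (generate rsa key)"
${hxtool} issue-certificate \
	--ca-certificate=FILE:cert-ca.pem \
	--generate-key=rsa \
	--subject="cn=cert-ee2" \
	--certificate="FILE:cert-ee.pem" || exit 1

echo "issue sub-ca ee cert (generate rsa key)"
${hxtool} issue-certificate \
	--ca-certificate=FILE:cert-sub-ca.pem \
	--generate-key=rsa \
	--subject="cn=cert-sub-ee2" \
	--certificate="FILE:cert-sub-ee.pem" || exit 1

echo "verify certificate (ee)"
${hxtool} verify --missing-revoke \
	cert:FILE:cert-ee.pem \
	anchor:FILE:cert-ca.pem > /dev/null || exit 1

echo "verify certificate (sub-ee)"
${hxtool} verify --missing-revoke \
	cert:FILE:cert-sub-ee.pem \
	chain:FILE:cert-sub-ca.pem \
	anchor:FILE:cert-ca.pem > /dev/null || exit 1

# CMS round trip: sign a source file with the generated EE key, verify
# the SignedData against the new root, and check the recovered content
# is byte-identical to the input.
echo "sign CMS signature (generate key)"
${hxtool} cms-create-sd \
	--certificate=FILE:cert-ee.pem \
	"$srcdir/test_name.c" \
	sd.data > /dev/null || exit 1

echo "verify CMS signature (generate key)"
${hxtool} cms-verify-sd \
	--missing-revoke \
	--anchors=FILE:cert-ca.pem \
	sd.data sd.data.out > /dev/null || exit 1
cmp "$srcdir/test_name.c" sd.data.out || exit 1

# "Extend" the root: re-issue a self-signed CA cert with the same key,
# serial and subject but a new lifetime, overwriting cert-ca.pem in
# place.  A leaf issued under the previous incarnation must still chain
# to the re-issued anchor.
echo "extend ca cert"
${hxtool} issue-certificate \
	--self-signed \
	--issue-ca \
	--lifetime="2years" \
	--serial-number="deadbeaf" \
	--ca-private-key=FILE:cert-ca.pem \
	--subject="cn=ca2-cert" \
	--certificate="FILE:cert-ca.pem" || exit 1

echo "verify certificate generated by previous ca"
${hxtool} verify --missing-revoke \
	cert:FILE:cert-ee.pem \
	anchor:FILE:cert-ca.pem > /dev/null || exit 1

# Same extension, but copying the identifying fields from the existing
# certificate via --template-fields instead of restating them.
echo "extend ca cert (template)"
${hxtool} issue-certificate \
	--self-signed \
	--issue-ca \
	--lifetime="3years" \
	--template-certificate="FILE:cert-ca.pem" \
	--template-fields="serialNumber,notBefore,subject" \
	--path-length=-1 \
	--ca-private-key=FILE:cert-ca.pem \
	--certificate="FILE:cert-ca.pem" || exit 1

echo "verify certificate generated by previous ca"
${hxtool} verify --missing-revoke \
	cert:FILE:cert-ee.pem \
	anchor:FILE:cert-ca.pem > /dev/null || exit 1

# Extend the sub-CA the same way (SPKI copied from the template, so the
# sub-CA key is unchanged) into a separate file.
echo "extend sub-ca cert (template)"
${hxtool} issue-certificate \
	--ca-certificate=FILE:cert-ca.pem \
	--issue-ca \
	--lifetime="2years" \
	--template-certificate="FILE:cert-sub-ca.pem" \
	--template-fields="serialNumber,notBefore,subject,SPKI" \
	--certificate="FILE:cert-sub-ca2.pem" || exit 1

# NOTE(review): this step chains through the original cert-sub-ca.pem,
# not the cert-sub-ca2.pem just written, so the extended sub-CA itself
# is never validated by this script.
echo "verify certificate (sub-ee) with extended chain"
${hxtool} verify --missing-revoke \
	cert:FILE:cert-sub-ee.pem \
	chain:FILE:cert-sub-ca.pem \
	anchor:FILE:cert-ca.pem > /dev/null || exit 1

echo "+++++++++++ test basic constraints"

# pathLenConstraint=0 on the root allows no intermediate CA below it, so
# root -> sub-ca -> sub-ee must be rejected.
echo "extend ca cert (too low path-length constraint)"
${hxtool} issue-certificate \
	--self-signed \
	--issue-ca \
	--lifetime="3years" \
	--template-certificate="FILE:cert-ca.pem" \
	--template-fields="serialNumber,notBefore,subject" \
	--path-length=0 \
	--ca-private-key=FILE:cert-ca.pem \
	--certificate="FILE:cert-ca.pem" || exit 1

echo "verify failure of certificate (sub-ee) with path-length constraint"
${hxtool} verify --missing-revoke \
	cert:FILE:cert-sub-ee.pem \
	chain:FILE:cert-sub-ca.pem \
	anchor:FILE:cert-ca.pem > /dev/null && exit 1

# pathLenConstraint=1 permits exactly one intermediate, which is what
# the chain has, so the same path must now verify.
echo "extend ca cert (exact path-length constraint)"
${hxtool} issue-certificate \
	--self-signed \
	--issue-ca \
	--lifetime="3years" \
	--template-certificate="FILE:cert-ca.pem" \
	--template-fields="serialNumber,notBefore,subject" \
	--path-length=1 \
	--ca-private-key=FILE:cert-ca.pem \
	--certificate="FILE:cert-ca.pem" || exit 1

echo "verify certificate (sub-ee) with exact path-length constraint"
${hxtool} verify --missing-revoke \
	cert:FILE:cert-sub-ee.pem \
	chain:FILE:cert-sub-ca.pem \
	anchor:FILE:cert-ca.pem > /dev/null || exit 1

# Re-issue the sub-CA *without* --issue-ca: same key, same subject, but
# no cA=TRUE basic constraint.  Using it as an intermediate must fail,
# otherwise any end-entity could mint certificates.
echo "Check missing basicConstrants.isCa"
${hxtool} issue-certificate \
	--ca-certificate=FILE:cert-ca.pem \
	--lifetime="2years" \
	--template-certificate="FILE:cert-sub-ca.pem" \
	--template-fields="serialNumber,notBefore,subject,SPKI" \
	--certificate="FILE:cert-sub-ca2.pem" || exit 1

echo "verify failure certificate (sub-ee) with missing isCA"
${hxtool} verify --missing-revoke \
	cert:FILE:cert-sub-ee.pem \
	chain:FILE:cert-sub-ca2.pem \
	anchor:FILE:cert-ca.pem > /dev/null && exit 1

# Issuance-only check that a CRL distribution point URI can be added.
echo "issue ee cert (crl uri)"
${hxtool} issue-certificate \
	--ca-certificate=FILE:cert-ca.pem \
	--req="PKCS10:pkcs10-request.der" \
	--crl-uri="http://www.test.h5l.se/crl1.crl" \
	--subject="cn=cert-ee-crl-uri" \
	--certificate="FILE:cert-ee.pem" || exit 1

# Empty subject DN with an rfc822Name SAN must both issue and verify.
echo "issue null subject cert"
${hxtool} issue-certificate \
	--ca-certificate=FILE:cert-ca.pem \
	--req="PKCS10:pkcs10-request.der" \
	--subject="" \
	--email="lha@test.h5l.se" \
	--certificate="FILE:cert-ee.pem" || exit 1

echo "verify certificate null subject"
${hxtool} verify --missing-revoke \
	cert:FILE:cert-ee.pem \
	anchor:FILE:cert-ca.pem > /dev/null || exit 1

exit 0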