#!/bin/sh # # Copyright (c) 2006 - 2007 Kungliga Tekniska Högskolan # (Royal Institute of Technology, Stockholm, Sweden). # All rights reserved. # # Redistribution and use in source and binary forms, with or without # modification, are permitted provided that the following conditions # are met: # # 1. Redistributions of source code must retain the above copyright # notice, this list of conditions and the following disclaimer. # # 2. Redistributions in binary form must reproduce the above copyright # notice, this list of conditions and the following disclaimer in the # documentation and/or other materials provided with the distribution. # # 3. Neither the name of the Institute nor the names of its contributors # may be used to endorse or promote products derived from this software # without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND # ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE # ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE # FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL # DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS # OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) # HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT # LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY # OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF # SUCH DAMAGE. # # $Id$ # srcdir="@srcdir@" objdir="@objdir@" stat="--statistic-file=${objdir}/statfile" hxtool="${TESTS_ENVIRONMENT} ./hxtool ${stat}" echo "create certificate request" ${hxtool} request-create \ --subject="CN=Love,DC=it,DC=su,DC=se" \ --key=FILE:$srcdir/data/key.der \ pkcs10-request.der || exit 1 echo "issue certificate" ${hxtool} issue-certificate \ --ca-certificate=FILE:$srcdir/data/ca.crt,$srcdir/data/ca.key \ --subject="cn=foo" \ --req="PKCS10:pkcs10-request.der" \ --certificate="FILE:cert-ee.pem" || exit 1 echo "verify certificate" ${hxtool} verify --missing-revoke \ cert:FILE:cert-ee.pem \ anchor:FILE:$srcdir/data/ca.crt > /dev/null || exit 1 echo "issue crl (no cert)" ${hxtool} crl-sign \ --crl-file=crl.crl \ --signer=FILE:$srcdir/data/ca.crt,$srcdir/data/ca.key || exit 1 echo "verify certificate (with CRL)" ${hxtool} verify \ cert:FILE:cert-ee.pem \ crl:FILE:crl.crl \ anchor:FILE:$srcdir/data/ca.crt > /dev/null || exit 1 echo "issue crl (with cert)" ${hxtool} crl-sign \ --crl-file=crl.crl \ --signer=FILE:$srcdir/data/ca.crt,$srcdir/data/ca.key \ FILE:cert-ee.pem || exit 1 echo "verify certificate (included in CRL)" ${hxtool} verify \ cert:FILE:cert-ee.pem \ crl:FILE:crl.crl \ anchor:FILE:$srcdir/data/ca.crt > /dev/null && exit 1 # XXX Check that the certs issued below have the requested content echo "issue crl (with cert)" ${hxtool} crl-sign \ --crl-file=crl.crl \ --lifetime='1 month' \ --signer=FILE:$srcdir/data/ca.crt,$srcdir/data/ca.key \ FILE:cert-ee.pem || exit 1 echo "verify certificate (included in CRL, and lifetime 1 month)" ${hxtool} verify \ cert:FILE:cert-ee.pem \ crl:FILE:crl.crl \ anchor:FILE:$srcdir/data/ca.crt > /dev/null && exit 1 echo "issue certificate (10years 1 month)" ${hxtool} issue-certificate \ --ca-certificate=FILE:$srcdir/data/ca.crt,$srcdir/data/ca.key \ --subject="cn=foo" \ --lifetime="10years 1 month" \ --req="PKCS10:pkcs10-request.der" \ --permanent-id=1.2.3.4.5.6.6:SomeVendor:A0B1C2D3 \ --hardware-module-name=tcg-tpm20:SomeVendor:Z0Y1X2W3 \ --policy="1.2.3.4.5.6:data:foo this is a warning" \ --policy="id-x509-ce-certificatePolicies-anyPolicy" \ --policy-mapping="1.2.3.4.5.6:1.2.3.4.5.6" \ --policy-mapping="1.2.3.4.5.6:1.2.3.4.5.7" \ --certificate="FILE:cert-ee.pem" || exit 1 ${hxtool} print --content FILE:cert-ee.pem || exit 1 echo "issue certificate (with https ekus)" ${hxtool} issue-certificate \ --ca-certificate=FILE:$srcdir/data/ca.crt,$srcdir/data/ca.key \ --subject="cn=foo" \ --type="https-server" \ --type="https-client" \ --req="PKCS10:pkcs10-request.der" \ --certificate="FILE:cert-ee.pem" || exit 1 ${hxtool} print --content FILE:cert-ee.pem || exit 1 echo "issue certificate (pkinit KDC)" ${hxtool} issue-certificate \ --ca-certificate=FILE:$srcdir/data/ca.crt,$srcdir/data/ca.key \ --subject="cn=foo" \ --type="pkinit-kdc" \ --pk-init-principal="krbtgt/TEST.H5L.SE@TEST.H5L.SE" \ --req="PKCS10:pkcs10-request.der" \ --certificate="FILE:cert-ee.pem" || exit 1 ${hxtool} print --content FILE:cert-ee.pem || exit 1 echo "issue certificate (pkinit client)" ${hxtool} issue-certificate \ --ca-certificate=FILE:$srcdir/data/ca.crt,$srcdir/data/ca.key \ --subject="cn=foo" \ --type="pkinit-client" \ --pk-init-principal="lha@TEST.H5L.SE" \ --req="PKCS10:pkcs10-request.der" \ --certificate="FILE:cert-ee.pem" || exit 1 ${hxtool} print --content FILE:cert-ee.pem || exit 1 echo "issue certificate (hostnames)" ${hxtool} issue-certificate \ --ca-certificate=FILE:$srcdir/data/ca.crt,$srcdir/data/ca.key \ --subject="cn=foo" \ --type="https-server" \ --hostname="www.test.h5l.se" \ --hostname="ftp.test.h5l.se" \ --req="PKCS10:pkcs10-request.der" \ --certificate="FILE:cert-ee.pem" || exit 1 ${hxtool} print --content FILE:cert-ee.pem || exit 1 echo "verify certificate hostname (ok)" ${hxtool} verify --missing-revoke \ --hostname=www.test.h5l.se \ cert:FILE:cert-ee.pem \ anchor:FILE:$srcdir/data/ca.crt > /dev/null || exit 1 echo "verify certificate hostname (fail)" ${hxtool} verify --missing-revoke \ --hostname=www2.test.h5l.se \ cert:FILE:cert-ee.pem \ anchor:FILE:$srcdir/data/ca.crt > /dev/null && exit 1 echo "verify certificate hostname (fail)" ${hxtool} verify --missing-revoke \ --hostname=2www.test.h5l.se \ cert:FILE:cert-ee.pem \ anchor:FILE:$srcdir/data/ca.crt > /dev/null && exit 1 echo "issue certificate (hostname in CN)" ${hxtool} issue-certificate \ --ca-certificate=FILE:$srcdir/data/ca.crt,$srcdir/data/ca.key \ --subject="cn=www.test.h5l.se" \ --type="https-server" \ --req="PKCS10:pkcs10-request.der" \ --certificate="FILE:cert-ee.pem" || exit 1 ${hxtool} print --content FILE:cert-ee.pem || exit 1 echo "verify certificate hostname (ok)" ${hxtool} verify --missing-revoke \ --hostname=www.test.h5l.se \ cert:FILE:cert-ee.pem \ anchor:FILE:$srcdir/data/ca.crt > /dev/null || exit 1 echo "verify certificate hostname (fail)" ${hxtool} verify --missing-revoke \ --hostname=www2.test.h5l.se \ cert:FILE:cert-ee.pem \ anchor:FILE:$srcdir/data/ca.crt > /dev/null && exit 1 echo "issue certificate (email)" ${hxtool} issue-certificate \ --ca-certificate=FILE:$srcdir/data/ca.crt,$srcdir/data/ca.key \ --subject="cn=foo" \ --email="lha@test.h5l.se" \ --email="test@test.h5l.se" \ --req="PKCS10:pkcs10-request.der" \ --certificate="FILE:cert-ee.pem" || exit 1 ${hxtool} print --content FILE:cert-ee.pem || exit 1 echo "issue certificate (email, null subject DN)" ${hxtool} issue-certificate \ --ca-certificate=FILE:$srcdir/data/ca.crt,$srcdir/data/ca.key \ --subject="" \ --email="lha@test.h5l.se" \ --req="PKCS10:pkcs10-request.der" \ --certificate="FILE:cert-null.pem" || exit 1 ${hxtool} print --content FILE:cert-null.pem || exit 1 echo "issue certificate (jabber)" ${hxtool} issue-certificate \ --ca-certificate=FILE:$srcdir/data/ca.crt,$srcdir/data/ca.key \ --subject="cn=foo" \ --jid="lha@test.h5l.se" \ --req="PKCS10:pkcs10-request.der" \ --certificate="FILE:cert-ee.pem" || exit 1 ${hxtool} print --content FILE:cert-ee.pem || exit 1 echo "issue self-signed cert" ${hxtool} issue-certificate \ --self-signed \ --ca-private-key=FILE:$srcdir/data/key.der \ --subject="cn=test" \ --certificate="FILE:cert-ee.pem" || exit 1 ${hxtool} print --content FILE:cert-ee.pem || exit 1 echo "issue ca cert" ${hxtool} issue-certificate \ --ca-certificate=FILE:$srcdir/data/ca.crt,$srcdir/data/ca.key \ --issue-ca \ --subject="cn=ca-cert" \ --req="PKCS10:pkcs10-request.der" \ --certificate="FILE:cert-ca.der" || exit 1 ${hxtool} print --content FILE:cert-ca.der || exit 1 echo "issue self-signed ca cert" ${hxtool} issue-certificate \ --self-signed \ --issue-ca \ --ca-private-key=FILE:$srcdir/data/key.der \ --subject="cn=ca-root" \ --certificate="FILE:cert-ca.der" || exit 1 ${hxtool} print --content FILE:cert-ca.der || exit 1 echo "issue proxy certificate" ${hxtool} issue-certificate \ --ca-certificate=FILE:$srcdir/data/test.crt,$srcdir/data/test.key \ --issue-proxy \ --req="PKCS10:pkcs10-request.der" \ --certificate="FILE:cert-proxy.der" || exit 1 ${hxtool} print --content FILE:cert-proxy.der || exit 1 echo "verify proxy cert" ${hxtool} verify --missing-revoke \ --allow-proxy-certificate \ cert:FILE:cert-proxy.der \ chain:FILE:$srcdir/data/test.crt \ anchor:FILE:$srcdir/data/ca.crt > /dev/null || exit 1 echo "issue ca cert (generate rsa key)" ${hxtool} issue-certificate \ --self-signed \ --issue-ca \ --serial-number="deadbeaf" \ --generate-key=rsa \ --path-length=-1 \ --subject="cn=ca2-cert" \ --certificate="FILE:cert-ca.pem" || exit 1 ${hxtool} print --content FILE:cert-ca.pem || exit 1 echo "issue sub-ca cert (generate rsa key)" ${hxtool} issue-certificate \ --ca-certificate=FILE:cert-ca.pem \ --issue-ca \ --serial-number="deadbeaf22" \ --generate-key=rsa \ --subject="cn=sub-ca2-cert" \ --certificate="FILE:cert-sub-ca.pem" || exit 1 ${hxtool} print --content FILE:cert-sub-ca.pem || exit 1 echo "issue ee cert (generate rsa key)" ${hxtool} issue-certificate \ --ca-certificate=FILE:cert-ca.pem \ --generate-key=rsa \ --subject="cn=cert-ee2" \ --certificate="FILE:cert-ee.pem" || exit 1 ${hxtool} print --content FILE:cert-ee.pem || exit 1 echo "issue sub-ca ee cert (generate rsa key)" ${hxtool} issue-certificate \ --ca-certificate=FILE:cert-sub-ca.pem \ --generate-key=rsa \ --subject="cn=cert-sub-ee2" \ --certificate="FILE:cert-sub-ee.pem" || exit 1 ${hxtool} print --content FILE:cert-sub-ee.pem || exit 1 echo "verify certificate (ee)" ${hxtool} verify --missing-revoke \ cert:FILE:cert-ee.pem \ anchor:FILE:cert-ca.pem > /dev/null || exit 1 echo "verify certificate (sub-ee)" ${hxtool} verify --missing-revoke \ cert:FILE:cert-sub-ee.pem \ chain:FILE:cert-sub-ca.pem \ anchor:FILE:cert-ca.pem || exit 1 echo "sign CMS signature (generate key)" ${hxtool} cms-create-sd \ --certificate=FILE:cert-ee.pem \ "$srcdir/test_name.c" \ sd.data > /dev/null || exit 1 echo "verify CMS signature (generate key)" ${hxtool} cms-verify-sd \ --missing-revoke \ --anchors=FILE:cert-ca.pem \ sd.data sd.data.out > /dev/null || exit 1 cmp "$srcdir/test_name.c" sd.data.out || exit 1 echo "extend ca cert" ${hxtool} issue-certificate \ --self-signed \ --issue-ca \ --lifetime="2years" \ --serial-number="deadbeaf" \ --ca-private-key=FILE:cert-ca.pem \ --subject="cn=ca2-cert" \ --certificate="FILE:cert-ca.pem" || exit 1 ${hxtool} print --content FILE:cert-ca.pem || exit 1 echo "verify certificate generated by previous ca" ${hxtool} verify --missing-revoke \ cert:FILE:cert-ee.pem \ anchor:FILE:cert-ca.pem > /dev/null || exit 1 echo "extend ca cert (template)" ${hxtool} issue-certificate \ --self-signed \ --issue-ca \ --lifetime="3years" \ --template-certificate="FILE:cert-ca.pem" \ --template-fields="serialNumber,notBefore,subject" \ --path-length=-1 \ --ca-private-key=FILE:cert-ca.pem \ --certificate="FILE:cert-ca.pem" || exit 1 ${hxtool} print --content FILE:cert-ca.pem || exit 1 echo "verify certificate generated by previous ca" ${hxtool} verify --missing-revoke \ cert:FILE:cert-ee.pem \ anchor:FILE:cert-ca.pem > /dev/null || exit 1 echo "extend sub-ca cert (template)" ${hxtool} issue-certificate \ --ca-certificate=FILE:cert-ca.pem \ --issue-ca \ --lifetime="2years" \ --template-certificate="FILE:cert-sub-ca.pem" \ --template-fields="serialNumber,notBefore,subject,SPKI" \ --certificate="FILE:cert-sub-ca2.pem" || exit 1 ${hxtool} print --content FILE:cert-sub-ca2.pem || exit 1 echo "verify certificate (sub-ee) with extended chain" ${hxtool} verify --missing-revoke \ cert:FILE:cert-sub-ee.pem \ chain:FILE:cert-sub-ca.pem \ anchor:FILE:cert-ca.pem > /dev/null || exit 1 echo "+++++++++++ test basic constraints" echo "extend ca cert (too low path-length constraint)" ${hxtool} issue-certificate \ --self-signed \ --issue-ca \ --lifetime="3years" \ --template-certificate="FILE:cert-ca.pem" \ --template-fields="serialNumber,notBefore,subject" \ --path-length=0 \ --ca-private-key=FILE:cert-ca.pem \ --certificate="FILE:cert-ca.pem" || exit 1 echo "verify failure of certificate (sub-ee) with path-length constraint" ${hxtool} verify --missing-revoke \ cert:FILE:cert-sub-ee.pem \ chain:FILE:cert-sub-ca.pem \ anchor:FILE:cert-ca.pem > /dev/null && exit 1 echo "extend ca cert (exact path-length constraint)" ${hxtool} issue-certificate \ --self-signed \ --issue-ca \ --lifetime="3years" \ --template-certificate="FILE:cert-ca.pem" \ --template-fields="serialNumber,notBefore,subject" \ --path-length=1 \ --ca-private-key=FILE:cert-ca.pem \ --certificate="FILE:cert-ca.pem" || exit 1 echo "verify certificate (sub-ee) with exact path-length constraint" ${hxtool} verify --missing-revoke \ cert:FILE:cert-sub-ee.pem \ chain:FILE:cert-sub-ca.pem \ anchor:FILE:cert-ca.pem > /dev/null || exit 1 echo "Check missing basicConstrants.isCa" ${hxtool} issue-certificate \ --ca-certificate=FILE:cert-ca.pem \ --lifetime="2years" \ --template-certificate="FILE:cert-sub-ca.pem" \ --template-fields="serialNumber,notBefore,subject,SPKI" \ --certificate="FILE:cert-sub-ca2.pem" || exit 1 echo "verify failure certificate (sub-ee) with missing isCA" ${hxtool} verify --missing-revoke \ cert:FILE:cert-sub-ee.pem \ chain:FILE:cert-sub-ca2.pem \ anchor:FILE:cert-ca.pem > /dev/null && exit 1 echo "issue ee cert (crl uri)" ${hxtool} issue-certificate \ --ca-certificate=FILE:cert-ca.pem \ --req="PKCS10:pkcs10-request.der" \ --crl-uri="http://www.test.h5l.se/crl1.crl" \ --subject="cn=cert-ee-crl-uri" \ --certificate="FILE:cert-ee.pem" || exit 1 echo "issue null subject cert" ${hxtool} issue-certificate \ --ca-certificate=FILE:cert-ca.pem \ --req="PKCS10:pkcs10-request.der" \ --subject="" \ --email="lha@test.h5l.se" \ --certificate="FILE:cert-ee.pem" || exit 1 echo "verify certificate null subject" ${hxtool} verify --missing-revoke \ cert:FILE:cert-ee.pem \ anchor:FILE:cert-ca.pem > /dev/null || exit 1 echo "+++++++++++ test sigalg" echo "issue cert with sha256" ${hxtool} issue-certificate \ --ca-certificate=FILE:cert-ca.pem \ --signature-algorithm=rsa-with-sha256 \ --subject="cn=foo" \ --req="PKCS10:pkcs10-request.der" \ --certificate="FILE:cert-ee.pem" || exit 1 echo "verify certificate" ${hxtool} verify --missing-revoke \ cert:FILE:cert-ee.pem \ anchor:FILE:cert-ca.pem > /dev/null || exit 1 echo "issue cert with sha1" ${hxtool} issue-certificate \ --ca-certificate=FILE:cert-ca.pem \ --signature-algorithm=rsa-with-sha1 \ --subject="cn=foo" \ --req="PKCS10:pkcs10-request.der" \ --certificate="FILE:cert-ee.pem" || exit 1 echo "verify certificate" ${hxtool} verify --missing-revoke \ cert:FILE:cert-ee.pem \ anchor:FILE:cert-ca.pem > /dev/null || exit 1 echo "+++++++++++ test Ed25519" echo "issue self-signed Ed25519 ca cert" ${hxtool} issue-certificate \ --self-signed \ --issue-ca \ --generate-key=ed25519 \ --signature-algorithm=ed25519 \ --subject="cn=ed25519-ca" \ --certificate="FILE:cert-ed25519-ca.pem" || exit 1 ${hxtool} print --content FILE:cert-ed25519-ca.pem || exit 1 echo "verify Ed25519 CA cert with openssl" openssl x509 -in cert-ed25519-ca.pem -noout -text > /dev/null || exit 1 # Check signature algorithm is ED25519 openssl x509 -in cert-ed25519-ca.pem -noout -text | grep -q "Signature Algorithm: ED25519" || exit 1 # Check public key algorithm is ED25519 openssl x509 -in cert-ed25519-ca.pem -noout -text | grep -q "Public Key Algorithm: ED25519" || exit 1 echo "issue Ed25519 ee cert" ${hxtool} issue-certificate \ --ca-certificate=FILE:cert-ed25519-ca.pem \ --generate-key=ed25519 \ --signature-algorithm=ed25519 \ --subject="cn=ed25519-ee" \ --certificate="FILE:cert-ed25519-ee.pem" || exit 1 ${hxtool} print --content FILE:cert-ed25519-ee.pem || exit 1 echo "verify Ed25519 EE cert with openssl" openssl x509 -in cert-ed25519-ee.pem -noout -text > /dev/null || exit 1 # Check signature algorithm is ED25519 openssl x509 -in cert-ed25519-ee.pem -noout -text | grep -q "Signature Algorithm: ED25519" || exit 1 # Check public key algorithm is ED25519 openssl x509 -in cert-ed25519-ee.pem -noout -text | grep -q "Public Key Algorithm: ED25519" || exit 1 echo "verify Ed25519 chain with openssl" # Extract just the certificate (skip private key) openssl x509 -in cert-ed25519-ca.pem -out cert-ed25519-ca-only.pem || exit 1 openssl x509 -in cert-ed25519-ee.pem -out cert-ed25519-ee-only.pem || exit 1 openssl verify -CAfile cert-ed25519-ca-only.pem cert-ed25519-ee-only.pem || exit 1 echo "verify Ed25519 certificate" ${hxtool} verify --missing-revoke \ cert:FILE:cert-ed25519-ee.pem \ anchor:FILE:cert-ed25519-ca.pem > /dev/null || exit 1 echo "sign CMS signature (Ed25519)" ${hxtool} cms-create-sd \ --certificate=FILE:cert-ed25519-ee.pem \ "$srcdir/test_name.c" \ sd-ed25519.data > /dev/null || exit 1 echo "verify CMS signature (Ed25519)" ${hxtool} cms-verify-sd \ --missing-revoke \ --anchors=FILE:cert-ed25519-ca.pem \ sd-ed25519.data sd-ed25519.data.out > /dev/null || exit 1 cmp "$srcdir/test_name.c" sd-ed25519.data.out || exit 1 echo "+++++++++++ test Ed448" echo "issue self-signed Ed448 ca cert" ${hxtool} issue-certificate \ --self-signed \ --issue-ca \ --generate-key=ed448 \ --signature-algorithm=ed448 \ --subject="cn=ed448-ca" \ --certificate="FILE:cert-ed448-ca.pem" || exit 1 ${hxtool} print --content FILE:cert-ed448-ca.pem || exit 1 echo "verify Ed448 CA cert with openssl" openssl x509 -in cert-ed448-ca.pem -noout -text > /dev/null || exit 1 # Check signature algorithm is ED448 openssl x509 -in cert-ed448-ca.pem -noout -text | grep -q "Signature Algorithm: ED448" || exit 1 # Check public key algorithm is ED448 openssl x509 -in cert-ed448-ca.pem -noout -text | grep -q "Public Key Algorithm: ED448" || exit 1 echo "issue Ed448 ee cert" ${hxtool} issue-certificate \ --ca-certificate=FILE:cert-ed448-ca.pem \ --generate-key=ed448 \ --signature-algorithm=ed448 \ --subject="cn=ed448-ee" \ --certificate="FILE:cert-ed448-ee.pem" || exit 1 ${hxtool} print --content FILE:cert-ed448-ee.pem || exit 1 echo "verify Ed448 EE cert with openssl" openssl x509 -in cert-ed448-ee.pem -noout -text > /dev/null || exit 1 # Check signature algorithm is ED448 openssl x509 -in cert-ed448-ee.pem -noout -text | grep -q "Signature Algorithm: ED448" || exit 1 # Check public key algorithm is ED448 openssl x509 -in cert-ed448-ee.pem -noout -text | grep -q "Public Key Algorithm: ED448" || exit 1 echo "verify Ed448 chain with openssl" # Extract just the certificate (skip private key) openssl x509 -in cert-ed448-ca.pem -out cert-ed448-ca-only.pem || exit 1 openssl x509 -in cert-ed448-ee.pem -out cert-ed448-ee-only.pem || exit 1 openssl verify -CAfile cert-ed448-ca-only.pem cert-ed448-ee-only.pem || exit 1 echo "verify Ed448 certificate" ${hxtool} verify --missing-revoke \ cert:FILE:cert-ed448-ee.pem \ anchor:FILE:cert-ed448-ca.pem > /dev/null || exit 1 echo "sign CMS signature (Ed448)" ${hxtool} cms-create-sd \ --certificate=FILE:cert-ed448-ee.pem \ "$srcdir/test_name.c" \ sd-ed448.data > /dev/null || exit 1 echo "verify CMS signature (Ed448)" ${hxtool} cms-verify-sd \ --missing-revoke \ --anchors=FILE:cert-ed448-ca.pem \ sd-ed448.data sd-ed448.data.out > /dev/null || exit 1 cmp "$srcdir/test_name.c" sd-ed448.data.out || exit 1 echo "+++++++++++ test OpenSSL-generated Ed25519 certs" echo "generate Ed25519 CA key with openssl" openssl genpkey -algorithm Ed25519 -out ossl-ed25519-ca.key || exit 1 echo "generate self-signed Ed25519 CA cert with openssl" openssl req -new -x509 -key ossl-ed25519-ca.key -out ossl-ed25519-ca.pem \ -days 365 -subj "/CN=OpenSSL Ed25519 CA" \ -addext "basicConstraints=critical,CA:TRUE" \ -addext "keyUsage=critical,keyCertSign,cRLSign" || exit 1 echo "generate Ed25519 EE key with openssl" openssl genpkey -algorithm Ed25519 -out ossl-ed25519-ee.key || exit 1 echo "generate Ed25519 EE CSR with openssl" openssl req -new -key ossl-ed25519-ee.key -out ossl-ed25519-ee.csr \ -subj "/CN=OpenSSL Ed25519 EE" || exit 1 echo "sign Ed25519 EE cert with openssl CA" openssl x509 -req -in ossl-ed25519-ee.csr -CA ossl-ed25519-ca.pem \ -CAkey ossl-ed25519-ca.key -CAcreateserial \ -out ossl-ed25519-ee.pem -days 365 || exit 1 echo "verify OpenSSL Ed25519 CA cert with hxtool" ${hxtool} verify --missing-revoke \ cert:FILE:ossl-ed25519-ca.pem \ anchor:FILE:ossl-ed25519-ca.pem > /dev/null || exit 1 echo "verify OpenSSL Ed25519 EE cert with hxtool" ${hxtool} verify --missing-revoke \ cert:FILE:ossl-ed25519-ee.pem \ anchor:FILE:ossl-ed25519-ca.pem > /dev/null || exit 1 echo "+++++++++++ test OpenSSL-generated Ed448 certs" echo "generate Ed448 CA key with openssl" openssl genpkey -algorithm Ed448 -out ossl-ed448-ca.key || exit 1 echo "generate self-signed Ed448 CA cert with openssl" openssl req -new -x509 -key ossl-ed448-ca.key -out ossl-ed448-ca.pem \ -days 365 -subj "/CN=OpenSSL Ed448 CA" \ -addext "basicConstraints=critical,CA:TRUE" \ -addext "keyUsage=critical,keyCertSign,cRLSign" || exit 1 echo "generate Ed448 EE key with openssl" openssl genpkey -algorithm Ed448 -out ossl-ed448-ee.key || exit 1 echo "generate Ed448 EE CSR with openssl" openssl req -new -key ossl-ed448-ee.key -out ossl-ed448-ee.csr \ -subj "/CN=OpenSSL Ed448 EE" || exit 1 echo "sign Ed448 EE cert with openssl CA" openssl x509 -req -in ossl-ed448-ee.csr -CA ossl-ed448-ca.pem \ -CAkey ossl-ed448-ca.key -CAcreateserial \ -out ossl-ed448-ee.pem -days 365 || exit 1 echo "verify OpenSSL Ed448 CA cert with hxtool" ${hxtool} verify --missing-revoke \ cert:FILE:ossl-ed448-ca.pem \ anchor:FILE:ossl-ed448-ca.pem > /dev/null || exit 1 echo "verify OpenSSL Ed448 EE cert with hxtool" ${hxtool} verify --missing-revoke \ cert:FILE:ossl-ed448-ee.pem \ anchor:FILE:ossl-ed448-ca.pem > /dev/null || exit 1 exit 0