oysteikt/heimdal
0
0
Fork 0
Code Issues 5 Pull Requests Releases Activity
Files
c80c04b2359ba67ecd4c2b1f2c452b0ec5f1e69b
heimdal/lib/hx509/test_ca.in
Nicolas Williams 37ab2a5308 hx509: Add DNSSRV and TCG SAN types and DN attrs 
This adds hx509 API and hxtool(1) support for PermanentIdentifier,
HardwareModuleName, and DNSSRV SAN types, as well as for serialNumber,
TPMManufacturer, TPMModel, and TPMVersion DN attributes.
2021-01-15 13:21:18 -06:00

481 lines
16 KiB
Bash
Raw Blame History

#!/bin/sh
#
# Copyright (c) 2006 - 2007 Kungliga Tekniska Högskolan
# (Royal Institute of Technology, Stockholm, Sweden).
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
#
# 1. Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
#
# 2. Redistributions in binary form must reproduce the above copyright
# notice, this list of conditions and the following disclaimer in the
# documentation and/or other materials provided with the distribution.
#
# 3. Neither the name of the Institute nor the names of its contributors
# may be used to endorse or promote products derived from this software
# without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
# SUCH DAMAGE.
#
# $Id$
#
srcdir="@srcdir@"
objdir="@objdir@"
stat="--statistic-file=${objdir}/statfile"
hxtool="${TESTS_ENVIRONMENT} ./hxtool ${stat}"
if ${hxtool} info | grep 'rsa: hcrypto null RSA' > /dev/null ; then
exit 77
fi
if ${hxtool} info | grep 'rand: not available' > /dev/null ; then
exit 77
fi
echo "create certificate request"
${hxtool} request-create \
--subject="CN=Love,DC=it,DC=su,DC=se" \
--key=FILE:$srcdir/data/key.der \
pkcs10-request.der || exit 1
echo "issue certificate"
${hxtool} issue-certificate \
--ca-certificate=FILE:$srcdir/data/ca.crt,$srcdir/data/ca.key \
--subject="cn=foo" \
--req="PKCS10:pkcs10-request.der" \
--certificate="FILE:cert-ee.pem" || exit 1
echo "verify certificate"
${hxtool} verify --missing-revoke \
cert:FILE:cert-ee.pem \
anchor:FILE:$srcdir/data/ca.crt > /dev/null || exit 1
echo "issue crl (no cert)"
${hxtool} crl-sign \
--crl-file=crl.crl \
--signer=FILE:$srcdir/data/ca.crt,$srcdir/data/ca.key || exit 1
echo "verify certificate (with CRL)"
${hxtool} verify \
cert:FILE:cert-ee.pem \
crl:FILE:crl.crl \
anchor:FILE:$srcdir/data/ca.crt > /dev/null || exit 1
echo "issue crl (with cert)"
${hxtool} crl-sign \
--crl-file=crl.crl \
--signer=FILE:$srcdir/data/ca.crt,$srcdir/data/ca.key \
FILE:cert-ee.pem || exit 1
echo "verify certificate (included in CRL)"
${hxtool} verify \
cert:FILE:cert-ee.pem \
crl:FILE:crl.crl \
anchor:FILE:$srcdir/data/ca.crt > /dev/null && exit 1
# XXX Check that the certs issued below have the requested content
echo "issue crl (with cert)"
${hxtool} crl-sign \
--crl-file=crl.crl \
--lifetime='1 month' \
--signer=FILE:$srcdir/data/ca.crt,$srcdir/data/ca.key \
FILE:cert-ee.pem || exit 1
echo "verify certificate (included in CRL, and lifetime 1 month)"
${hxtool} verify \
cert:FILE:cert-ee.pem \
crl:FILE:crl.crl \
anchor:FILE:$srcdir/data/ca.crt > /dev/null && exit 1
echo "issue certificate (10years 1 month)"
${hxtool} issue-certificate \
--ca-certificate=FILE:$srcdir/data/ca.crt,$srcdir/data/ca.key \
--subject="cn=foo" \
--lifetime="10years 1 month" \
--req="PKCS10:pkcs10-request.der" \
--permanent-id=1.2.3.4.5.6.6:SomeVendor:A0B1C2D3 \
--hardware-module-name=tcg-tpm20:SomeVendor:Z0Y1X2W3 \
--policy="1.2.3.4.5.6:data:foo this is a warning" \
--policy="id-x509-ce-certificatePolicies-anyPolicy" \
--policy-mapping="1.2.3.4.5.6:1.2.3.4.5.6" \
--policy-mapping="1.2.3.4.5.6:1.2.3.4.5.7" \
--certificate="FILE:cert-ee.pem" || exit 1
${hxtool} print --content FILE:cert-ee.pem || exit 1
echo "issue certificate (with https ekus)"
${hxtool} issue-certificate \
--ca-certificate=FILE:$srcdir/data/ca.crt,$srcdir/data/ca.key \
--subject="cn=foo" \
--type="https-server" \
--type="https-client" \
--req="PKCS10:pkcs10-request.der" \
--certificate="FILE:cert-ee.pem" || exit 1
${hxtool} print --content FILE:cert-ee.pem || exit 1
echo "issue certificate (pkinit KDC)"
${hxtool} issue-certificate \
--ca-certificate=FILE:$srcdir/data/ca.crt,$srcdir/data/ca.key \
--subject="cn=foo" \
--type="pkinit-kdc" \
--pk-init-principal="krbtgt/TEST.H5L.SE@TEST.H5L.SE" \
--req="PKCS10:pkcs10-request.der" \
--certificate="FILE:cert-ee.pem" || exit 1
${hxtool} print --content FILE:cert-ee.pem || exit 1
echo "issue certificate (pkinit client)"
${hxtool} issue-certificate \
--ca-certificate=FILE:$srcdir/data/ca.crt,$srcdir/data/ca.key \
--subject="cn=foo" \
--type="pkinit-client" \
--pk-init-principal="lha@TEST.H5L.SE" \
--req="PKCS10:pkcs10-request.der" \
--certificate="FILE:cert-ee.pem" || exit 1
${hxtool} print --content FILE:cert-ee.pem || exit 1
echo "issue certificate (hostnames)"
${hxtool} issue-certificate \
--ca-certificate=FILE:$srcdir/data/ca.crt,$srcdir/data/ca.key \
--subject="cn=foo" \
--type="https-server" \
--hostname="www.test.h5l.se" \
--hostname="ftp.test.h5l.se" \
--req="PKCS10:pkcs10-request.der" \
--certificate="FILE:cert-ee.pem" || exit 1
${hxtool} print --content FILE:cert-ee.pem || exit 1
echo "verify certificate hostname (ok)"
${hxtool} verify --missing-revoke \
--hostname=www.test.h5l.se \
cert:FILE:cert-ee.pem \
anchor:FILE:$srcdir/data/ca.crt > /dev/null || exit 1
echo "verify certificate hostname (fail)"
${hxtool} verify --missing-revoke \
--hostname=www2.test.h5l.se \
cert:FILE:cert-ee.pem \
anchor:FILE:$srcdir/data/ca.crt > /dev/null && exit 1
echo "verify certificate hostname (fail)"
${hxtool} verify --missing-revoke \
--hostname=2www.test.h5l.se \
cert:FILE:cert-ee.pem \
anchor:FILE:$srcdir/data/ca.crt > /dev/null && exit 1
echo "issue certificate (hostname in CN)"
${hxtool} issue-certificate \
--ca-certificate=FILE:$srcdir/data/ca.crt,$srcdir/data/ca.key \
--subject="cn=www.test.h5l.se" \
--type="https-server" \
--req="PKCS10:pkcs10-request.der" \
--certificate="FILE:cert-ee.pem" || exit 1
${hxtool} print --content FILE:cert-ee.pem || exit 1
echo "verify certificate hostname (ok)"
${hxtool} verify --missing-revoke \
--hostname=www.test.h5l.se \
cert:FILE:cert-ee.pem \
anchor:FILE:$srcdir/data/ca.crt > /dev/null || exit 1
echo "verify certificate hostname (fail)"
${hxtool} verify --missing-revoke \
--hostname=www2.test.h5l.se \
cert:FILE:cert-ee.pem \
anchor:FILE:$srcdir/data/ca.crt > /dev/null && exit 1
echo "issue certificate (email)"
${hxtool} issue-certificate \
--ca-certificate=FILE:$srcdir/data/ca.crt,$srcdir/data/ca.key \
--subject="cn=foo" \
--email="lha@test.h5l.se" \
--email="test@test.h5l.se" \
--req="PKCS10:pkcs10-request.der" \
--certificate="FILE:cert-ee.pem" || exit 1
${hxtool} print --content FILE:cert-ee.pem || exit 1
echo "issue certificate (email, null subject DN)"
${hxtool} issue-certificate \
--ca-certificate=FILE:$srcdir/data/ca.crt,$srcdir/data/ca.key \
--subject="" \
--email="lha@test.h5l.se" \
--req="PKCS10:pkcs10-request.der" \
--certificate="FILE:cert-null.pem" || exit 1
${hxtool} print --content FILE:cert-null.pem || exit 1
echo "issue certificate (jabber)"
${hxtool} issue-certificate \
--ca-certificate=FILE:$srcdir/data/ca.crt,$srcdir/data/ca.key \
--subject="cn=foo" \
--jid="lha@test.h5l.se" \
--req="PKCS10:pkcs10-request.der" \
--certificate="FILE:cert-ee.pem" || exit 1
${hxtool} print --content FILE:cert-ee.pem || exit 1
echo "issue self-signed cert"
${hxtool} issue-certificate \
--self-signed \
--ca-private-key=FILE:$srcdir/data/key.der \
--subject="cn=test" \
--certificate="FILE:cert-ee.pem" || exit 1
${hxtool} print --content FILE:cert-ee.pem || exit 1
echo "issue ca cert"
${hxtool} issue-certificate \
--ca-certificate=FILE:$srcdir/data/ca.crt,$srcdir/data/ca.key \
--issue-ca \
--subject="cn=ca-cert" \
--req="PKCS10:pkcs10-request.der" \
--certificate="FILE:cert-ca.der" || exit 1
${hxtool} print --content FILE:cert-ca.der || exit 1
echo "issue self-signed ca cert"
${hxtool} issue-certificate \
--self-signed \
--issue-ca \
--ca-private-key=FILE:$srcdir/data/key.der \
--subject="cn=ca-root" \
--certificate="FILE:cert-ca.der" || exit 1
${hxtool} print --content FILE:cert-ca.der || exit 1
echo "issue proxy certificate"
${hxtool} issue-certificate \
--ca-certificate=FILE:$srcdir/data/test.crt,$srcdir/data/test.key \
--issue-proxy \
--req="PKCS10:pkcs10-request.der" \
--certificate="FILE:cert-proxy.der" || exit 1
${hxtool} print --content FILE:cert-proxy.der || exit 1
echo "verify proxy cert"
${hxtool} verify --missing-revoke \
--allow-proxy-certificate \
cert:FILE:cert-proxy.der \
chain:FILE:$srcdir/data/test.crt \
anchor:FILE:$srcdir/data/ca.crt > /dev/null || exit 1
echo "issue ca cert (generate rsa key)"
${hxtool} issue-certificate \
--self-signed \
--issue-ca \
--serial-number="deadbeaf" \
--generate-key=rsa \
--path-length=-1 \
--subject="cn=ca2-cert" \
--certificate="FILE:cert-ca.pem" || exit 1
${hxtool} print --content FILE:cert-ca.pem || exit 1
echo "issue sub-ca cert (generate rsa key)"
${hxtool} issue-certificate \
--ca-certificate=FILE:cert-ca.pem \
--issue-ca \
--serial-number="deadbeaf22" \
--generate-key=rsa \
--subject="cn=sub-ca2-cert" \
--certificate="FILE:cert-sub-ca.pem" || exit 1
${hxtool} print --content FILE:cert-sub-ca.pem || exit 1
echo "issue ee cert (generate rsa key)"
${hxtool} issue-certificate \
--ca-certificate=FILE:cert-ca.pem \
--generate-key=rsa \
--subject="cn=cert-ee2" \
--certificate="FILE:cert-ee.pem" || exit 1
${hxtool} print --content FILE:cert-ee.pem || exit 1
echo "issue sub-ca ee cert (generate rsa key)"
${hxtool} issue-certificate \
--ca-certificate=FILE:cert-sub-ca.pem \
--generate-key=rsa \
--subject="cn=cert-sub-ee2" \
--certificate="FILE:cert-sub-ee.pem" || exit 1
${hxtool} print --content FILE:cert-sub-ee.pem || exit 1
echo "verify certificate (ee)"
${hxtool} verify --missing-revoke \
cert:FILE:cert-ee.pem \
anchor:FILE:cert-ca.pem > /dev/null || exit 1
echo "verify certificate (sub-ee)"
${hxtool} verify --missing-revoke \
cert:FILE:cert-sub-ee.pem \
chain:FILE:cert-sub-ca.pem \
anchor:FILE:cert-ca.pem || exit 1
echo "sign CMS signature (generate key)"
${hxtool} cms-create-sd \
--certificate=FILE:cert-ee.pem \
"$srcdir/test_name.c" \
sd.data > /dev/null || exit 1
echo "verify CMS signature (generate key)"
${hxtool} cms-verify-sd \
--missing-revoke \
--anchors=FILE:cert-ca.pem \
sd.data sd.data.out > /dev/null || exit 1
cmp "$srcdir/test_name.c" sd.data.out || exit 1
echo "extend ca cert"
${hxtool} issue-certificate \
--self-signed \
--issue-ca \
--lifetime="2years" \
--serial-number="deadbeaf" \
--ca-private-key=FILE:cert-ca.pem \
--subject="cn=ca2-cert" \
--certificate="FILE:cert-ca.pem" || exit 1
${hxtool} print --content FILE:cert-ca.pem || exit 1
echo "verify certificate generated by previous ca"
${hxtool} verify --missing-revoke \
cert:FILE:cert-ee.pem \
anchor:FILE:cert-ca.pem > /dev/null || exit 1
echo "extend ca cert (template)"
${hxtool} issue-certificate \
--self-signed \
--issue-ca \
--lifetime="3years" \
--template-certificate="FILE:cert-ca.pem" \
--template-fields="serialNumber,notBefore,subject" \
--path-length=-1 \
--ca-private-key=FILE:cert-ca.pem \
--certificate="FILE:cert-ca.pem" || exit 1
${hxtool} print --content FILE:cert-ca.pem || exit 1
echo "verify certificate generated by previous ca"
${hxtool} verify --missing-revoke \
cert:FILE:cert-ee.pem \
anchor:FILE:cert-ca.pem > /dev/null || exit 1
echo "extend sub-ca cert (template)"
${hxtool} issue-certificate \
--ca-certificate=FILE:cert-ca.pem \
--issue-ca \
--lifetime="2years" \
--template-certificate="FILE:cert-sub-ca.pem" \
--template-fields="serialNumber,notBefore,subject,SPKI" \
--certificate="FILE:cert-sub-ca2.pem" || exit 1
${hxtool} print --content FILE:cert-sub-ca2.pem || exit 1
echo "verify certificate (sub-ee) with extended chain"
${hxtool} verify --missing-revoke \
cert:FILE:cert-sub-ee.pem \
chain:FILE:cert-sub-ca.pem \
anchor:FILE:cert-ca.pem > /dev/null || exit 1
echo "+++++++++++ test basic constraints"
echo "extend ca cert (too low path-length constraint)"
${hxtool} issue-certificate \
--self-signed \
--issue-ca \
--lifetime="3years" \
--template-certificate="FILE:cert-ca.pem" \
--template-fields="serialNumber,notBefore,subject" \
--path-length=0 \
--ca-private-key=FILE:cert-ca.pem \
--certificate="FILE:cert-ca.pem" || exit 1
echo "verify failure of certificate (sub-ee) with path-length constraint"
${hxtool} verify --missing-revoke \
cert:FILE:cert-sub-ee.pem \
chain:FILE:cert-sub-ca.pem \
anchor:FILE:cert-ca.pem > /dev/null && exit 1
echo "extend ca cert (exact path-length constraint)"
${hxtool} issue-certificate \
--self-signed \
--issue-ca \
--lifetime="3years" \
--template-certificate="FILE:cert-ca.pem" \
--template-fields="serialNumber,notBefore,subject" \
--path-length=1 \
--ca-private-key=FILE:cert-ca.pem \
--certificate="FILE:cert-ca.pem" || exit 1
echo "verify certificate (sub-ee) with exact path-length constraint"
${hxtool} verify --missing-revoke \
cert:FILE:cert-sub-ee.pem \
chain:FILE:cert-sub-ca.pem \
anchor:FILE:cert-ca.pem > /dev/null || exit 1
echo "Check missing basicConstrants.isCa"
${hxtool} issue-certificate \
--ca-certificate=FILE:cert-ca.pem \
--lifetime="2years" \
--template-certificate="FILE:cert-sub-ca.pem" \
--template-fields="serialNumber,notBefore,subject,SPKI" \
--certificate="FILE:cert-sub-ca2.pem" || exit 1
echo "verify failure certificate (sub-ee) with missing isCA"
${hxtool} verify --missing-revoke \
cert:FILE:cert-sub-ee.pem \
chain:FILE:cert-sub-ca2.pem \
anchor:FILE:cert-ca.pem > /dev/null && exit 1
echo "issue ee cert (crl uri)"
${hxtool} issue-certificate \
--ca-certificate=FILE:cert-ca.pem \
--req="PKCS10:pkcs10-request.der" \
--crl-uri="http://www.test.h5l.se/crl1.crl" \
--subject="cn=cert-ee-crl-uri" \
--certificate="FILE:cert-ee.pem" || exit 1
echo "issue null subject cert"
${hxtool} issue-certificate \
--ca-certificate=FILE:cert-ca.pem \
--req="PKCS10:pkcs10-request.der" \
--subject="" \
--email="lha@test.h5l.se" \
--certificate="FILE:cert-ee.pem" || exit 1
echo "verify certificate null subject"
${hxtool} verify --missing-revoke \
cert:FILE:cert-ee.pem \
anchor:FILE:cert-ca.pem > /dev/null || exit 1
echo "+++++++++++ test sigalg"
echo "issue cert with sha256"
${hxtool} issue-certificate \
--ca-certificate=FILE:cert-ca.pem \
--signature-algorithm=rsa-with-sha256 \
--subject="cn=foo" \
--req="PKCS10:pkcs10-request.der" \
--certificate="FILE:cert-ee.pem" || exit 1
echo "verify certificate"
${hxtool} verify --missing-revoke \
cert:FILE:cert-ee.pem \
anchor:FILE:cert-ca.pem > /dev/null || exit 1
echo "issue cert with sha1"
${hxtool} issue-certificate \
--ca-certificate=FILE:cert-ca.pem \
--signature-algorithm=rsa-with-sha1 \
--subject="cn=foo" \
--req="PKCS10:pkcs10-request.der" \
--certificate="FILE:cert-ee.pem" || exit 1
echo "verify certificate"
${hxtool} verify --missing-revoke \
cert:FILE:cert-ee.pem \
anchor:FILE:cert-ca.pem > /dev/null || exit 1
exit 0
Reference in New Issue View Git Blame Copy Permalink