212 lines
7.8 KiB
Bash
212 lines
7.8 KiB
Bash
#!/bin/sh
|
|
#
|
|
# Copyright (c) 2005 - 2007 Kungliga Tekniska Högskolan
|
|
# (Royal Institute of Technology, Stockholm, Sweden).
|
|
# All rights reserved.
|
|
#
|
|
# Redistribution and use in source and binary forms, with or without
|
|
# modification, are permitted provided that the following conditions
|
|
# are met:
|
|
#
|
|
# 1. Redistributions of source code must retain the above copyright
|
|
# notice, this list of conditions and the following disclaimer.
|
|
#
|
|
# 2. Redistributions in binary form must reproduce the above copyright
|
|
# notice, this list of conditions and the following disclaimer in the
|
|
# documentation and/or other materials provided with the distribution.
|
|
#
|
|
# 3. Neither the name of the Institute nor the names of its contributors
|
|
# may be used to endorse or promote products derived from this software
|
|
# without specific prior written permission.
|
|
#
|
|
# THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
|
|
# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
|
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
|
# ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
|
|
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
|
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
|
|
# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
|
# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
|
|
# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
|
# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
|
# SUCH DAMAGE.
|
|
#
|
|
# $Id$
|
|
#
|
|
|
|
srcdir="@srcdir@"
|
|
objdir="@objdir@"
|
|
|
|
stat="--statistic-file=${objdir}/statfile"
|
|
|
|
hxtool="${TESTS_ENVIRONMENT} ./hxtool ${stat}"
|
|
|
|
if ${hxtool} info | grep 'rsa: hcrypto null RSA' > /dev/null ; then
|
|
exit 77
|
|
fi
|
|
if ${hxtool} info | grep 'rand: not available' > /dev/null ; then
|
|
exit 77
|
|
fi
|
|
|
|
${hxtool} request-create \
|
|
--subject="CN=Love,DC=it,DC=su,DC=se" \
|
|
--key="FILE:$srcdir/data/key.der" \
|
|
"${objdir}/request.out" || exit 1
|
|
|
|
${hxtool} request-print \
|
|
PKCS10:request.out > /dev/null || exit 1
|
|
|
|
${hxtool} request-create \
|
|
--subject="CN=Love,DC=it,DC=su,DC=se" \
|
|
--eku=1.2.3.4.5.6.7 --eku=1.2.3.4.5.6.8 \
|
|
--registered=1.2.3.4.5.6.9 --eku=1.2.3.4.5.6.10 \
|
|
--dnsname=nutcracker.test.h5l.se \
|
|
--dnsname=foo.nutcracker.test.h5l.se \
|
|
--kerberos=HTTP/foo.nutcracker.it.su.se@TEST.H5L.SE \
|
|
--kerberos=host/foo.nutcracker.it.su.se@TEST.H5L.SE \
|
|
--email=foo@test.h5l.se \
|
|
--key="FILE:$srcdir/data/key.der" \
|
|
"${objdir}/request.out" || exit 1
|
|
|
|
cat > "$objdir/expected" <<EOF
|
|
request print
|
|
PKCS#10 CertificationRequest:
|
|
name: CN=Love,DC=it,DC=su,DC=se
|
|
eku: {1.2.3.4.5.6.7}, {1.2.3.4.5.6.8}, {1.2.3.4.5.6.10}
|
|
san: rfc822Name: foo@test.h5l.se
|
|
san: dNSName: nutcracker.test.h5l.se
|
|
san: dNSName: foo.nutcracker.test.h5l.se
|
|
san: pkinit: HTTP/foo.nutcracker.it.su.se@TEST.H5L.SE
|
|
san: pkinit: host/foo.nutcracker.it.su.se@TEST.H5L.SE
|
|
san: registeredID: 1.2.3.4.5.6.9
|
|
EOF
|
|
|
|
# Check that we got what we wanted:
|
|
${hxtool} request-print \
|
|
PKCS10:request.out > "${objdir}/actual" || exit 1
|
|
|
|
diff "$objdir/expected" "${objdir}/actual" || exit 1
|
|
|
|
# Check that OpenSSL can parse our request:
|
|
if openssl version > /dev/null; then
|
|
openssl req -inform DER -in "${objdir}/request.out" -text | head -25 > "${objdir}/actual"
|
|
|
|
# Various versions of openssl differ slightly in their text output for our
|
|
# CSR. Figure out what to expect:
|
|
if grep "Version: 0" "${objdir}/actual" > /dev/null; then
|
|
v=0
|
|
else
|
|
v=1
|
|
fi
|
|
if grep "RSA Public-Key:" "${objdir}/actual" > /dev/null; then
|
|
k="RSA "
|
|
else
|
|
k=""
|
|
fi
|
|
# Note interpolation of $v and $k in the here doc below:
|
|
cat > "$objdir/expected" <<EOF
|
|
Certificate Request:
|
|
Data:
|
|
Version: $v (0x0)
|
|
Subject: DC = se, DC = su, DC = it, CN = Love
|
|
Subject Public Key Info:
|
|
Public Key Algorithm: rsaEncryption
|
|
${k}Public-Key: (1024 bit)
|
|
Modulus:
|
|
00:c2:aa:a2:42:b7:5b:99:a3:fd:ba:f0:9b:75:db:
|
|
ef:3c:9b:8c:cf:63:5f:46:d8:95:be:09:4a:a7:76:
|
|
79:77:61:30:ef:0b:98:d2:47:ea:9c:09:b9:b9:b7:
|
|
15:ac:4b:9c:2d:3f:f0:d9:99:9d:4d:5a:68:67:24:
|
|
58:5e:65:60:13:9f:4d:dc:2f:03:1d:cd:e9:b6:33:
|
|
c2:5c:c6:de:c9:93:6c:ec:8d:9a:67:0e:dd:31:20:
|
|
ac:91:39:7a:c1:8f:39:65:ff:b3:1f:cf:7a:aa:79:
|
|
8b:ed:eb:ad:a0:be:01:10:4c:5a:a7:47:1d:c6:ee:
|
|
79:39:5c:c7:11:6c:b9:e7:2b
|
|
Exponent: 65537 (0x10001)
|
|
Attributes:
|
|
Requested Extensions:
|
|
X509v3 Extended Key Usage: critical
|
|
1.2.3.4.5.6.7, 1.2.3.4.5.6.8, 1.2.3.4.5.6.10
|
|
X509v3 Subject Alternative Name:
|
|
email:foo@test.h5l.se, DNS:nutcracker.test.h5l.se, DNS:foo.nutcracker.test.h5l.se, othername:<unsupported>, othername:<unsupported>, Registered ID:1.2.3.4.5.6.9
|
|
Signature Algorithm: sha256WithRSAEncryption
|
|
EOF
|
|
if ! diff -u -w "${objdir}/expected" "${objdir}/actual"; then
|
|
cat > "$objdir/expected" <<EOF
|
|
Certificate Request:
|
|
Data:
|
|
Version: $v (0x0)
|
|
Subject: DC = se, DC = su, DC = it, CN = Love
|
|
Subject Public Key Info:
|
|
Public Key Algorithm: rsaEncryption
|
|
${k}Public-Key: (1024 bit)
|
|
Modulus:
|
|
00:c2:aa:a2:42:b7:5b:99:a3:fd:ba:f0:9b:75:db:
|
|
ef:3c:9b:8c:cf:63:5f:46:d8:95:be:09:4a:a7:76:
|
|
79:77:61:30:ef:0b:98:d2:47:ea:9c:09:b9:b9:b7:
|
|
15:ac:4b:9c:2d:3f:f0:d9:99:9d:4d:5a:68:67:24:
|
|
58:5e:65:60:13:9f:4d:dc:2f:03:1d:cd:e9:b6:33:
|
|
c2:5c:c6:de:c9:93:6c:ec:8d:9a:67:0e:dd:31:20:
|
|
ac:91:39:7a:c1:8f:39:65:ff:b3:1f:cf:7a:aa:79:
|
|
8b:ed:eb:ad:a0:be:01:10:4c:5a:a7:47:1d:c6:ee:
|
|
79:39:5c:c7:11:6c:b9:e7:2b
|
|
Exponent: 65537 (0x10001)
|
|
Attributes:
|
|
Requested Extensions:
|
|
X509v3 Extended Key Usage: critical
|
|
1.2.3.4.5.6.7, 1.2.3.4.5.6.8, 1.2.3.4.5.6.10
|
|
X509v3 Subject Alternative Name:
|
|
email:foo@test.h5l.se, DNS:nutcracker.test.h5l.se, DNS:foo.nutcracker.test.h5l.se, othername: 1.3.6.1.5.2.2::<unsupported>, othername: 1.3.6.1.5.2.2::<unsupported>, Registered ID:1.2.3.4.5.6.9
|
|
Signature Algorithm: sha256WithRSAEncryption
|
|
EOF
|
|
fi
|
|
fi
|
|
|
|
${hxtool} request-create \
|
|
--ca \
|
|
--ca-path-length=3 \
|
|
--subject="cn=ca-cert" \
|
|
--key=FILE:$srcdir/data/key.der \
|
|
pkcs10-request.der || exit 1
|
|
${hxtool} request-print PKCS10:pkcs10-request.der > "${objdir}/actual"|| exit 1
|
|
cat > "$objdir/expected" <<EOF
|
|
request print
|
|
PKCS#10 CertificationRequest:
|
|
cA: yes
|
|
pathLenConstraint: 3
|
|
name: CN=ca-cert
|
|
EOF
|
|
diff "$objdir/expected" "${objdir}/actual" || exit 1
|
|
|
|
${hxtool} request-create \
|
|
--ca \
|
|
--subject="cn=ca-cert" \
|
|
--key=FILE:$srcdir/data/key.der \
|
|
pkcs10-request.der || exit 1
|
|
${hxtool} request-print PKCS10:pkcs10-request.der > "${objdir}/actual"|| exit 1
|
|
cat > "$objdir/expected" <<EOF
|
|
request print
|
|
PKCS#10 CertificationRequest:
|
|
cA: yes
|
|
pathLenConstraint: unspecified
|
|
name: CN=ca-cert
|
|
EOF
|
|
diff "$objdir/expected" "${objdir}/actual" || exit 1
|
|
|
|
${hxtool} request-create \
|
|
--ee \
|
|
--subject="cn=ca-cert" \
|
|
--key=FILE:$srcdir/data/key.der \
|
|
pkcs10-request.der || exit 1
|
|
${hxtool} request-print PKCS10:pkcs10-request.der > "${objdir}/actual" || exit 1
|
|
cat > "$objdir/expected" <<EOF
|
|
request print
|
|
PKCS#10 CertificationRequest:
|
|
cA: no
|
|
pathLenConstraint: unspecified
|
|
name: CN=ca-cert
|
|
EOF
|
|
diff "$objdir/expected" "${objdir}/actual" || exit 1
|
|
|
|
exit 0
|