oysteikt/heimdal
0
0
Fork 0
Code Issues 5 Pull Requests Releases Activity
Files
f6d1dfd60f34ef40532707d4e116bf5f19268a28
heimdal/lib/hx509/test_req.in
Nicolas Williams 7439820618 hcrypto, otp: Remove hcrypto and otp! 
We must switch to OpenSSL 3.x, and getting lib/hcrypto to provide
OpenSSL 3.x APIs is too large an undertaking.  Plus the hcrypto backend
is not safe, not secure (probably has timing leaks galore), and no one
has the resources to make it a world-class crypto library, so it just
has to go.
2026-01-18 16:09:31 -06:00

205 lines
7.6 KiB
Bash
Raw Blame History

#!/bin/sh
#
# Copyright (c) 2005 - 2007 Kungliga Tekniska Högskolan
# (Royal Institute of Technology, Stockholm, Sweden).
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
#
# 1. Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
#
# 2. Redistributions in binary form must reproduce the above copyright
# notice, this list of conditions and the following disclaimer in the
# documentation and/or other materials provided with the distribution.
#
# 3. Neither the name of the Institute nor the names of its contributors
# may be used to endorse or promote products derived from this software
# without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
# SUCH DAMAGE.
#
# $Id$
#
srcdir="@srcdir@"
objdir="@objdir@"
stat="--statistic-file=${objdir}/statfile"
hxtool="${TESTS_ENVIRONMENT} ./hxtool ${stat}"
${hxtool} request-create \
--subject="CN=Love,DC=it,DC=su,DC=se" \
--key="FILE:$srcdir/data/key.der" \
"${objdir}/request.out" || exit 1
${hxtool} request-print \
PKCS10:request.out > /dev/null || exit 1
${hxtool} request-create \
--subject="CN=Love,DC=it,DC=su,DC=se" \
--eku=1.2.3.4.5.6.7 --eku=1.2.3.4.5.6.8 \
--registered=1.2.3.4.5.6.9 --eku=1.2.3.4.5.6.10 \
--dnsname=nutcracker.test.h5l.se \
--dnsname=foo.nutcracker.test.h5l.se \
--kerberos=HTTP/foo.nutcracker.it.su.se@TEST.H5L.SE \
--kerberos=host/foo.nutcracker.it.su.se@TEST.H5L.SE \
--email=foo@test.h5l.se \
--key="FILE:$srcdir/data/key.der" \
"${objdir}/request.out" || exit 1
cat > "$objdir/expected" <<EOF
request print
PKCS#10 CertificationRequest:
name: CN=Love,DC=it,DC=su,DC=se
eku: {1.2.3.4.5.6.7}, {1.2.3.4.5.6.8}, {1.2.3.4.5.6.10}
san: rfc822Name: foo@test.h5l.se
san: dNSName: nutcracker.test.h5l.se
san: dNSName: foo.nutcracker.test.h5l.se
san: pkinit: HTTP/foo.nutcracker.it.su.se@TEST.H5L.SE
san: pkinit: host/foo.nutcracker.it.su.se@TEST.H5L.SE
san: registeredID: 1.2.3.4.5.6.9
EOF
# Check that we got what we wanted:
${hxtool} request-print \
PKCS10:request.out > "${objdir}/actual" || exit 1
diff "$objdir/expected" "${objdir}/actual" || exit 1
# Check that OpenSSL can parse our request:
if openssl version > /dev/null; then
openssl req -inform DER -in "${objdir}/request.out" -text | head -25 > "${objdir}/actual"
# Various versions of openssl differ slightly in their text output for our
# CSR. Figure out what to expect:
if grep "Version: 0" "${objdir}/actual" > /dev/null; then
v=0
else
v=1
fi
if grep "RSA Public-Key:" "${objdir}/actual" > /dev/null; then
k="RSA "
else
k=""
fi
# Note interpolation of $v and $k in the here doc below:
cat > "$objdir/expected" <<EOF
Certificate Request:
Data:
Version: $v (0x0)
Subject: DC = se, DC = su, DC = it, CN = Love
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
${k}Public-Key: (1024 bit)
Modulus:
00:c2:aa:a2:42:b7:5b:99:a3:fd:ba:f0:9b:75:db:
ef:3c:9b:8c:cf:63:5f:46:d8:95:be:09:4a:a7:76:
79:77:61:30:ef:0b:98:d2:47:ea:9c:09:b9:b9:b7:
15:ac:4b:9c:2d:3f:f0:d9:99:9d:4d:5a:68:67:24:
58:5e:65:60:13:9f:4d:dc:2f:03:1d:cd:e9:b6:33:
c2:5c:c6:de:c9:93:6c:ec:8d:9a:67:0e:dd:31:20:
ac:91:39:7a:c1:8f:39:65:ff:b3:1f:cf:7a:aa:79:
8b:ed:eb:ad:a0:be:01:10:4c:5a:a7:47:1d:c6:ee:
79:39:5c:c7:11:6c:b9:e7:2b
Exponent: 65537 (0x10001)
Attributes:
Requested Extensions:
X509v3 Extended Key Usage: critical
1.2.3.4.5.6.7, 1.2.3.4.5.6.8, 1.2.3.4.5.6.10
X509v3 Subject Alternative Name:
email:foo@test.h5l.se, DNS:nutcracker.test.h5l.se, DNS:foo.nutcracker.test.h5l.se, othername:<unsupported>, othername:<unsupported>, Registered ID:1.2.3.4.5.6.9
Signature Algorithm: sha256WithRSAEncryption
EOF
if ! diff -u -w "${objdir}/expected" "${objdir}/actual"; then
cat > "$objdir/expected" <<EOF
Certificate Request:
Data:
Version: $v (0x0)
Subject: DC = se, DC = su, DC = it, CN = Love
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
${k}Public-Key: (1024 bit)
Modulus:
00:c2:aa:a2:42:b7:5b:99:a3:fd:ba:f0:9b:75:db:
ef:3c:9b:8c:cf:63:5f:46:d8:95:be:09:4a:a7:76:
79:77:61:30:ef:0b:98:d2:47:ea:9c:09:b9:b9:b7:
15:ac:4b:9c:2d:3f:f0:d9:99:9d:4d:5a:68:67:24:
58:5e:65:60:13:9f:4d:dc:2f:03:1d:cd:e9:b6:33:
c2:5c:c6:de:c9:93:6c:ec:8d:9a:67:0e:dd:31:20:
ac:91:39:7a:c1:8f:39:65:ff:b3:1f:cf:7a:aa:79:
8b:ed:eb:ad:a0:be:01:10:4c:5a:a7:47:1d:c6:ee:
79:39:5c:c7:11:6c:b9:e7:2b
Exponent: 65537 (0x10001)
Attributes:
Requested Extensions:
X509v3 Extended Key Usage: critical
1.2.3.4.5.6.7, 1.2.3.4.5.6.8, 1.2.3.4.5.6.10
X509v3 Subject Alternative Name:
email:foo@test.h5l.se, DNS:nutcracker.test.h5l.se, DNS:foo.nutcracker.test.h5l.se, othername: 1.3.6.1.5.2.2::<unsupported>, othername: 1.3.6.1.5.2.2::<unsupported>, Registered ID:1.2.3.4.5.6.9
Signature Algorithm: sha256WithRSAEncryption
EOF
fi
fi
${hxtool} request-create \
--ca \
--ca-path-length=3 \
--subject="cn=ca-cert" \
--key=FILE:$srcdir/data/key.der \
pkcs10-request.der || exit 1
${hxtool} request-print PKCS10:pkcs10-request.der > "${objdir}/actual"|| exit 1
cat > "$objdir/expected" <<EOF
request print
PKCS#10 CertificationRequest:
cA: yes
pathLenConstraint: 3
name: CN=ca-cert
EOF
diff "$objdir/expected" "${objdir}/actual" || exit 1
${hxtool} request-create \
--ca \
--subject="cn=ca-cert" \
--key=FILE:$srcdir/data/key.der \
pkcs10-request.der || exit 1
${hxtool} request-print PKCS10:pkcs10-request.der > "${objdir}/actual"|| exit 1
cat > "$objdir/expected" <<EOF
request print
PKCS#10 CertificationRequest:
cA: yes
pathLenConstraint: unspecified
name: CN=ca-cert
EOF
diff "$objdir/expected" "${objdir}/actual" || exit 1
${hxtool} request-create \
--ee \
--subject="cn=ca-cert" \
--key=FILE:$srcdir/data/key.der \
pkcs10-request.der || exit 1
${hxtool} request-print PKCS10:pkcs10-request.der > "${objdir}/actual" || exit 1
cat > "$objdir/expected" <<EOF
request print
PKCS#10 CertificationRequest:
cA: no
pathLenConstraint: unspecified
name: CN=ca-cert
EOF
diff "$objdir/expected" "${objdir}/actual" || exit 1
exit 0
Reference in New Issue View Git Blame Copy Permalink