diff options
Diffstat (limited to '')
| -rwxr-xr-x | tests/cert-tests/certtool-rsa-pss.sh | 226 |
1 files changed, 226 insertions, 0 deletions
diff --git a/tests/cert-tests/certtool-rsa-pss.sh b/tests/cert-tests/certtool-rsa-pss.sh new file mode 100755 index 0000000..598351d --- /dev/null +++ b/tests/cert-tests/certtool-rsa-pss.sh @@ -0,0 +1,226 @@ +#!/bin/sh + +# Copyright (C) 2014 Nikos Mavrogiannopoulos +# +# This file is part of GnuTLS. +# +# GnuTLS is free software; you can redistribute it and/or modify it +# under the terms of the GNU General Public License as published by the +# Free Software Foundation; either version 3 of the License, or (at +# your option) any later version. +# +# GnuTLS is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +# General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with GnuTLS; if not, write to the Free Software Foundation, +# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. + +#set -e + +: ${srcdir=.} +: ${CERTTOOL=../../src/certtool${EXEEXT}} +: ${DIFF=diff -b -B} +OUTFILE=cert-pss-privkey.$$.tmp +TMPFILE=cert-pss.$$.tmp +TMPFILE2=cert2-pss.$$.tmp + +if ! test -x "${CERTTOOL}"; then + exit 77 +fi + +if ! test -z "${VALGRIND}"; then + VALGRIND="${LIBTOOL:-libtool} --mode=execute ${VALGRIND}" +fi + +# Create an RSA-PSS private key, restricted to the use with RSA-PSS +${VALGRIND} "${CERTTOOL}" --generate-privkey \ + --key-type rsa-pss --outfile "$OUTFILE" +rc=$? + +if test "${rc}" != "0"; then + echo "Could not generate an RSA-PSS key" + exit 1 +fi + +# check whether description is present +grep 'modulus:' ${OUTFILE} +if test $? != 0;then + cat ${OUTFILE} + echo "PKCS#8 file does not contain modulus text" + exit 1 +fi + +for i in sha256 sha384 sha512;do +if test "${GNUTLS_FORCE_FIPS_MODE}" = 1 && test "$i" != sha384;then + continue +fi + +# Create an RSA-PSS private key, restricted to the use with RSA-PSS +${VALGRIND} "${CERTTOOL}" --generate-privkey --pkcs8 --password '' \ + --key-type rsa-pss --hash $i --outfile "$OUTFILE" +rc=$? + +if test "${rc}" != "0"; then + echo "Could not generate an RSA-PSS key ($i)" + exit 1 +fi + +${VALGRIND} "${CERTTOOL}" -k --password '' --infile "$OUTFILE" >/dev/null +rc=$? +if test "${rc}" != "0"; then + echo "Could not read generated an RSA-PSS key ($i)" + exit 1 +fi + +# Create an RSA-PSS certificate from an RSA-PSS private key +${VALGRIND} "${CERTTOOL}" --generate-self-signed \ + --pkcs8 --load-privkey "$OUTFILE" --password '' \ + --template "${srcdir}/templates/template-test.tmpl" \ + --outfile "${TMPFILE}" --hash $i +rc=$? + +if test "${rc}" != "0"; then + echo "Could not generate an RSA-PSS certificate from an RSA-PSS key ($i)" + exit 1 +fi + +rm -f "${TMPFILE}" + +# Create an RSA-PSS certificate from an RSA-PSS private key, with +# mismatched parameters +for j in sha256 sha384 sha512;do +${VALGRIND} "${CERTTOOL}" --generate-self-signed \ + --pkcs8 --load-privkey "$OUTFILE" --password '' \ + --template "${srcdir}/templates/template-test.tmpl" \ + --outfile "${TMPFILE}" --hash $j +rc=$? + +if test "$j" != "$j" && "${rc}" = "0"; then + echo "Unexpectedly succeeded to generate an RSA-PSS certificate ($j != $i)" + exit 1 +fi +done +rm -f "${TMPFILE}" + +# Create an RSA-PSS certificate from an RSA key +${VALGRIND} "${CERTTOOL}" --generate-certificate --key-type rsa-pss \ + --load-privkey "${srcdir}/../../doc/credentials/x509/key-rsa.pem" \ + --load-ca-privkey "${srcdir}/../../doc/credentials/x509/ca-key.pem" \ + --load-ca-certificate "${srcdir}/../../doc/credentials/x509/ca.pem" \ + --template "${srcdir}/templates/template-test.tmpl" \ + --outfile "${TMPFILE}" --hash $i +rc=$? + +if test "${rc}" != "0"; then + echo "Could not generate an RSA-PSS certificate $i" + exit 1 +fi + +${CERTTOOL} -i --infile ${TMPFILE}|grep -i "Subject Public Key Algorithm: RSA-PSS" +if test $? != 0;then + echo "Generated certificate is not RSA-PSS" + cat ${TMPFILE} + exit 1 +fi + +rm -f "${TMPFILE}" + +# Create an RSA certificate from an RSA key, with wrong key-type, should fail +${VALGRIND} "${CERTTOOL}" --generate-certificate --key-type ecdsa \ + --load-privkey "${srcdir}/../../doc/credentials/x509/key-rsa.pem" \ + --load-ca-privkey "${srcdir}/../../doc/credentials/x509/ca-key.pem" \ + --load-ca-certificate "${srcdir}/../../doc/credentials/x509/ca.pem" \ + --template "${srcdir}/templates/template-test.tmpl" \ + --outfile "${TMPFILE}" +rc=$? + +if test "${rc}" = "0"; then + echo "Succeeded with wrong key type" + exit 1 +fi + +# Create an RSA certificate from an RSA key, and sign it with RSA-PSS +${VALGRIND} "${CERTTOOL}" --generate-certificate --rsa --sign-params rsa-pss \ + --load-privkey "${srcdir}/../../doc/credentials/x509/key-rsa.pem" \ + --load-ca-privkey "${srcdir}/../../doc/credentials/x509/ca-key.pem" \ + --load-ca-certificate "${srcdir}/../../doc/credentials/x509/ca.pem" \ + --template "${srcdir}/templates/template-test.tmpl" \ + --outfile "${TMPFILE}" --hash $i +rc=$? + +if test "${rc}" != "0"; then + echo "Could not generate an RSA-PSS certificate" + exit 1 +fi + +${CERTTOOL} -i --infile ${TMPFILE}|tr -d '\r' > ${TMPFILE2} +grep -i 'Subject Public Key Algorithm: RSA$' ${TMPFILE2} >/dev/null +if test $? != 0;then + echo "Generated certificate is not RSA" + cat ${TMPFILE} + exit 1 +fi + +grep -i "Signature Algorithm: RSA-PSS" ${TMPFILE2} +if test $? != 0;then + echo "Generated certificate is not signed with RSA-PSS" + cat ${TMPFILE} + exit 1 +fi + +grep -i "Signature Algorithm: RSA-PSS-${i}" ${TMPFILE2} +if test $? != 0;then + echo "Generated certificate is not signed with RSA-PSS-${i}" + cat ${TMPFILE} + exit 1 +fi + +rm -f "${TMPFILE}" +rm -f "${TMPFILE2}" + +done + +# Convert an RSA-PSS key to an RSA key +# + +${VALGRIND} "${CERTTOOL}" --to-rsa --infile "${srcdir}/data/key-rsa-pss.pem" --outfile ${TMPFILE} +rc=$? + +if test "${rc}" != "0"; then + echo "Could not convert an RSA-PSS certificate" + exit 1 +fi + +${DIFF} "${srcdir}/data/key-rsa-pss-raw.pem" ${TMPFILE} +rc=$? + +if test "${rc}" != "0"; then + echo "RSA-PSS decoding failed" + exit ${rc} +fi + +echo "RSA-PSS to RSA conversion was successful" + +rm -f "${TMPFILE}" + +export TZ="UTC" + +. ${srcdir}/../scripts/common.sh + +skip_if_no_datefudge + +datefudge "2012-11-22" \ +${VALGRIND} "${CERTTOOL}" --verify --load-ca-certificate "${srcdir}/data/cert-rsa-pss.pem" --infile "${srcdir}/data/cert-rsa-pss.pem" +rc=$? + +if test "${rc}" != "0"; then + echo "There was an issue verifying the certificate" + exit 1 +fi + +rm -f "${TMPFILE}" + +exit 0 |