summaryrefslogtreecommitdiffstats
path: root/tests/cert-tests/certtool-rsa-pss.sh
diff options
context:
space:
mode:
Diffstat (limited to 'tests/cert-tests/certtool-rsa-pss.sh')
-rwxr-xr-xtests/cert-tests/certtool-rsa-pss.sh226
1 files changed, 226 insertions, 0 deletions
diff --git a/tests/cert-tests/certtool-rsa-pss.sh b/tests/cert-tests/certtool-rsa-pss.sh
new file mode 100755
index 0000000..598351d
--- /dev/null
+++ b/tests/cert-tests/certtool-rsa-pss.sh
@@ -0,0 +1,226 @@
+#!/bin/sh
+
+# Copyright (C) 2014 Nikos Mavrogiannopoulos
+#
+# This file is part of GnuTLS.
+#
+# GnuTLS is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 3 of the License, or (at
+# your option) any later version.
+#
+# GnuTLS is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with GnuTLS; if not, write to the Free Software Foundation,
+# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+
+#set -e
+
+: ${srcdir=.}
+: ${CERTTOOL=../../src/certtool${EXEEXT}}
+: ${DIFF=diff -b -B}
+OUTFILE=cert-pss-privkey.$$.tmp
+TMPFILE=cert-pss.$$.tmp
+TMPFILE2=cert2-pss.$$.tmp
+
+if ! test -x "${CERTTOOL}"; then
+ exit 77
+fi
+
+if ! test -z "${VALGRIND}"; then
+ VALGRIND="${LIBTOOL:-libtool} --mode=execute ${VALGRIND}"
+fi
+
+# Create an RSA-PSS private key, restricted to the use with RSA-PSS
+${VALGRIND} "${CERTTOOL}" --generate-privkey \
+ --key-type rsa-pss --outfile "$OUTFILE"
+rc=$?
+
+if test "${rc}" != "0"; then
+ echo "Could not generate an RSA-PSS key"
+ exit 1
+fi
+
+# check whether description is present
+grep 'modulus:' ${OUTFILE}
+if test $? != 0;then
+ cat ${OUTFILE}
+ echo "PKCS#8 file does not contain modulus text"
+ exit 1
+fi
+
+for i in sha256 sha384 sha512;do
+if test "${GNUTLS_FORCE_FIPS_MODE}" = 1 && test "$i" != sha384;then
+ continue
+fi
+
+# Create an RSA-PSS private key, restricted to the use with RSA-PSS
+${VALGRIND} "${CERTTOOL}" --generate-privkey --pkcs8 --password '' \
+ --key-type rsa-pss --hash $i --outfile "$OUTFILE"
+rc=$?
+
+if test "${rc}" != "0"; then
+ echo "Could not generate an RSA-PSS key ($i)"
+ exit 1
+fi
+
+${VALGRIND} "${CERTTOOL}" -k --password '' --infile "$OUTFILE" >/dev/null
+rc=$?
+if test "${rc}" != "0"; then
+ echo "Could not read generated an RSA-PSS key ($i)"
+ exit 1
+fi
+
+# Create an RSA-PSS certificate from an RSA-PSS private key
+${VALGRIND} "${CERTTOOL}" --generate-self-signed \
+ --pkcs8 --load-privkey "$OUTFILE" --password '' \
+ --template "${srcdir}/templates/template-test.tmpl" \
+ --outfile "${TMPFILE}" --hash $i
+rc=$?
+
+if test "${rc}" != "0"; then
+ echo "Could not generate an RSA-PSS certificate from an RSA-PSS key ($i)"
+ exit 1
+fi
+
+rm -f "${TMPFILE}"
+
+# Create an RSA-PSS certificate from an RSA-PSS private key, with
+# mismatched parameters
+for j in sha256 sha384 sha512;do
+${VALGRIND} "${CERTTOOL}" --generate-self-signed \
+ --pkcs8 --load-privkey "$OUTFILE" --password '' \
+ --template "${srcdir}/templates/template-test.tmpl" \
+ --outfile "${TMPFILE}" --hash $j
+rc=$?
+
+if test "$j" != "$j" && "${rc}" = "0"; then
+ echo "Unexpectedly succeeded to generate an RSA-PSS certificate ($j != $i)"
+ exit 1
+fi
+done
+rm -f "${TMPFILE}"
+
+# Create an RSA-PSS certificate from an RSA key
+${VALGRIND} "${CERTTOOL}" --generate-certificate --key-type rsa-pss \
+ --load-privkey "${srcdir}/../../doc/credentials/x509/key-rsa.pem" \
+ --load-ca-privkey "${srcdir}/../../doc/credentials/x509/ca-key.pem" \
+ --load-ca-certificate "${srcdir}/../../doc/credentials/x509/ca.pem" \
+ --template "${srcdir}/templates/template-test.tmpl" \
+ --outfile "${TMPFILE}" --hash $i
+rc=$?
+
+if test "${rc}" != "0"; then
+ echo "Could not generate an RSA-PSS certificate $i"
+ exit 1
+fi
+
+${CERTTOOL} -i --infile ${TMPFILE}|grep -i "Subject Public Key Algorithm: RSA-PSS"
+if test $? != 0;then
+ echo "Generated certificate is not RSA-PSS"
+ cat ${TMPFILE}
+ exit 1
+fi
+
+rm -f "${TMPFILE}"
+
+# Create an RSA certificate from an RSA key, with wrong key-type, should fail
+${VALGRIND} "${CERTTOOL}" --generate-certificate --key-type ecdsa \
+ --load-privkey "${srcdir}/../../doc/credentials/x509/key-rsa.pem" \
+ --load-ca-privkey "${srcdir}/../../doc/credentials/x509/ca-key.pem" \
+ --load-ca-certificate "${srcdir}/../../doc/credentials/x509/ca.pem" \
+ --template "${srcdir}/templates/template-test.tmpl" \
+ --outfile "${TMPFILE}"
+rc=$?
+
+if test "${rc}" = "0"; then
+ echo "Succeeded with wrong key type"
+ exit 1
+fi
+
+# Create an RSA certificate from an RSA key, and sign it with RSA-PSS
+${VALGRIND} "${CERTTOOL}" --generate-certificate --rsa --sign-params rsa-pss \
+ --load-privkey "${srcdir}/../../doc/credentials/x509/key-rsa.pem" \
+ --load-ca-privkey "${srcdir}/../../doc/credentials/x509/ca-key.pem" \
+ --load-ca-certificate "${srcdir}/../../doc/credentials/x509/ca.pem" \
+ --template "${srcdir}/templates/template-test.tmpl" \
+ --outfile "${TMPFILE}" --hash $i
+rc=$?
+
+if test "${rc}" != "0"; then
+ echo "Could not generate an RSA-PSS certificate"
+ exit 1
+fi
+
+${CERTTOOL} -i --infile ${TMPFILE}|tr -d '\r' > ${TMPFILE2}
+grep -i 'Subject Public Key Algorithm: RSA$' ${TMPFILE2} >/dev/null
+if test $? != 0;then
+ echo "Generated certificate is not RSA"
+ cat ${TMPFILE}
+ exit 1
+fi
+
+grep -i "Signature Algorithm: RSA-PSS" ${TMPFILE2}
+if test $? != 0;then
+ echo "Generated certificate is not signed with RSA-PSS"
+ cat ${TMPFILE}
+ exit 1
+fi
+
+grep -i "Signature Algorithm: RSA-PSS-${i}" ${TMPFILE2}
+if test $? != 0;then
+ echo "Generated certificate is not signed with RSA-PSS-${i}"
+ cat ${TMPFILE}
+ exit 1
+fi
+
+rm -f "${TMPFILE}"
+rm -f "${TMPFILE2}"
+
+done
+
+# Convert an RSA-PSS key to an RSA key
+#
+
+${VALGRIND} "${CERTTOOL}" --to-rsa --infile "${srcdir}/data/key-rsa-pss.pem" --outfile ${TMPFILE}
+rc=$?
+
+if test "${rc}" != "0"; then
+ echo "Could not convert an RSA-PSS certificate"
+ exit 1
+fi
+
+${DIFF} "${srcdir}/data/key-rsa-pss-raw.pem" ${TMPFILE}
+rc=$?
+
+if test "${rc}" != "0"; then
+ echo "RSA-PSS decoding failed"
+ exit ${rc}
+fi
+
+echo "RSA-PSS to RSA conversion was successful"
+
+rm -f "${TMPFILE}"
+
+export TZ="UTC"
+
+. ${srcdir}/../scripts/common.sh
+
+skip_if_no_datefudge
+
+datefudge "2012-11-22" \
+${VALGRIND} "${CERTTOOL}" --verify --load-ca-certificate "${srcdir}/data/cert-rsa-pss.pem" --infile "${srcdir}/data/cert-rsa-pss.pem"
+rc=$?
+
+if test "${rc}" != "0"; then
+ echo "There was an issue verifying the certificate"
+ exit 1
+fi
+
+rm -f "${TMPFILE}"
+
+exit 0