diff options
| author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-05-05 17:47:29 +0000 |
|---|---|---|
| committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-05-05 17:47:29 +0000 |
| commit | 4f5791ebd03eaec1c7da0865a383175b05102712 (patch) | |
| tree | 8ce7b00f7a76baa386372422adebbe64510812d4 /third_party/heimdal/lib/hx509/test_ca.in | |
| parent | Initial commit. (diff) | |
| download | samba-4f5791ebd03eaec1c7da0865a383175b05102712.tar.xz samba-4f5791ebd03eaec1c7da0865a383175b05102712.zip | |
Adding upstream version 2:4.17.12+dfsg.upstream/2%4.17.12+dfsgupstream
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'third_party/heimdal/lib/hx509/test_ca.in')
| -rw-r--r-- | third_party/heimdal/lib/hx509/test_ca.in | 480 |
1 files changed, 480 insertions, 0 deletions
diff --git a/third_party/heimdal/lib/hx509/test_ca.in b/third_party/heimdal/lib/hx509/test_ca.in new file mode 100644 index 0000000..cf739a1 --- /dev/null +++ b/third_party/heimdal/lib/hx509/test_ca.in @@ -0,0 +1,480 @@ +#!/bin/sh +# +# Copyright (c) 2006 - 2007 Kungliga Tekniska Högskolan +# (Royal Institute of Technology, Stockholm, Sweden). +# All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions +# are met: +# +# 1. Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# +# 2. Redistributions in binary form must reproduce the above copyright +# notice, this list of conditions and the following disclaimer in the +# documentation and/or other materials provided with the distribution. +# +# 3. Neither the name of the Institute nor the names of its contributors +# may be used to endorse or promote products derived from this software +# without specific prior written permission. +# +# THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND +# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +# ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE +# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +# SUCH DAMAGE. +# +# $Id$ +# + +srcdir="@srcdir@" +objdir="@objdir@" + +stat="--statistic-file=${objdir}/statfile" + +hxtool="${TESTS_ENVIRONMENT} ./hxtool ${stat}" + +if ${hxtool} info | grep 'rsa: hcrypto null RSA' > /dev/null ; then + exit 77 +fi +if ${hxtool} info | grep 'rand: not available' > /dev/null ; then + exit 77 +fi + +echo "create certificate request" +${hxtool} request-create \ + --subject="CN=Love,DC=it,DC=su,DC=se" \ + --key=FILE:$srcdir/data/key.der \ + pkcs10-request.der || exit 1 + +echo "issue certificate" +${hxtool} issue-certificate \ + --ca-certificate=FILE:$srcdir/data/ca.crt,$srcdir/data/ca.key \ + --subject="cn=foo" \ + --req="PKCS10:pkcs10-request.der" \ + --certificate="FILE:cert-ee.pem" || exit 1 + +echo "verify certificate" +${hxtool} verify --missing-revoke \ + cert:FILE:cert-ee.pem \ + anchor:FILE:$srcdir/data/ca.crt > /dev/null || exit 1 + +echo "issue crl (no cert)" +${hxtool} crl-sign \ + --crl-file=crl.crl \ + --signer=FILE:$srcdir/data/ca.crt,$srcdir/data/ca.key || exit 1 + +echo "verify certificate (with CRL)" +${hxtool} verify \ + cert:FILE:cert-ee.pem \ + crl:FILE:crl.crl \ + anchor:FILE:$srcdir/data/ca.crt > /dev/null || exit 1 + +echo "issue crl (with cert)" +${hxtool} crl-sign \ + --crl-file=crl.crl \ + --signer=FILE:$srcdir/data/ca.crt,$srcdir/data/ca.key \ + FILE:cert-ee.pem || exit 1 + +echo "verify certificate (included in CRL)" +${hxtool} verify \ + cert:FILE:cert-ee.pem \ + crl:FILE:crl.crl \ + anchor:FILE:$srcdir/data/ca.crt > /dev/null && exit 1 + +# XXX Check that the certs issued below have the requested content + +echo "issue crl (with cert)" +${hxtool} crl-sign \ + --crl-file=crl.crl \ + --lifetime='1 month' \ + --signer=FILE:$srcdir/data/ca.crt,$srcdir/data/ca.key \ + FILE:cert-ee.pem || exit 1 + +echo "verify certificate (included in CRL, and lifetime 1 month)" +${hxtool} verify \ + cert:FILE:cert-ee.pem \ + crl:FILE:crl.crl \ + anchor:FILE:$srcdir/data/ca.crt > /dev/null && exit 1 + +echo "issue certificate (10years 1 month)" +${hxtool} issue-certificate \ + --ca-certificate=FILE:$srcdir/data/ca.crt,$srcdir/data/ca.key \ + --subject="cn=foo" \ + --lifetime="10years 1 month" \ + --req="PKCS10:pkcs10-request.der" \ + --permanent-id=1.2.3.4.5.6.6:SomeVendor:A0B1C2D3 \ + --hardware-module-name=tcg-tpm20:SomeVendor:Z0Y1X2W3 \ + --policy="1.2.3.4.5.6:data:foo this is a warning" \ + --policy="id-x509-ce-certificatePolicies-anyPolicy" \ + --policy-mapping="1.2.3.4.5.6:1.2.3.4.5.6" \ + --policy-mapping="1.2.3.4.5.6:1.2.3.4.5.7" \ + --certificate="FILE:cert-ee.pem" || exit 1 +${hxtool} print --content FILE:cert-ee.pem || exit 1 + +echo "issue certificate (with https ekus)" +${hxtool} issue-certificate \ + --ca-certificate=FILE:$srcdir/data/ca.crt,$srcdir/data/ca.key \ + --subject="cn=foo" \ + --type="https-server" \ + --type="https-client" \ + --req="PKCS10:pkcs10-request.der" \ + --certificate="FILE:cert-ee.pem" || exit 1 +${hxtool} print --content FILE:cert-ee.pem || exit 1 + +echo "issue certificate (pkinit KDC)" +${hxtool} issue-certificate \ + --ca-certificate=FILE:$srcdir/data/ca.crt,$srcdir/data/ca.key \ + --subject="cn=foo" \ + --type="pkinit-kdc" \ + --pk-init-principal="krbtgt/TEST.H5L.SE@TEST.H5L.SE" \ + --req="PKCS10:pkcs10-request.der" \ + --certificate="FILE:cert-ee.pem" || exit 1 +${hxtool} print --content FILE:cert-ee.pem || exit 1 + +echo "issue certificate (pkinit client)" +${hxtool} issue-certificate \ + --ca-certificate=FILE:$srcdir/data/ca.crt,$srcdir/data/ca.key \ + --subject="cn=foo" \ + --type="pkinit-client" \ + --pk-init-principal="lha@TEST.H5L.SE" \ + --req="PKCS10:pkcs10-request.der" \ + --certificate="FILE:cert-ee.pem" || exit 1 +${hxtool} print --content FILE:cert-ee.pem || exit 1 + +echo "issue certificate (hostnames)" +${hxtool} issue-certificate \ + --ca-certificate=FILE:$srcdir/data/ca.crt,$srcdir/data/ca.key \ + --subject="cn=foo" \ + --type="https-server" \ + --hostname="www.test.h5l.se" \ + --hostname="ftp.test.h5l.se" \ + --req="PKCS10:pkcs10-request.der" \ + --certificate="FILE:cert-ee.pem" || exit 1 +${hxtool} print --content FILE:cert-ee.pem || exit 1 + +echo "verify certificate hostname (ok)" +${hxtool} verify --missing-revoke \ + --hostname=www.test.h5l.se \ + cert:FILE:cert-ee.pem \ + anchor:FILE:$srcdir/data/ca.crt > /dev/null || exit 1 + +echo "verify certificate hostname (fail)" +${hxtool} verify --missing-revoke \ + --hostname=www2.test.h5l.se \ + cert:FILE:cert-ee.pem \ + anchor:FILE:$srcdir/data/ca.crt > /dev/null && exit 1 + +echo "verify certificate hostname (fail)" +${hxtool} verify --missing-revoke \ + --hostname=2www.test.h5l.se \ + cert:FILE:cert-ee.pem \ + anchor:FILE:$srcdir/data/ca.crt > /dev/null && exit 1 + +echo "issue certificate (hostname in CN)" +${hxtool} issue-certificate \ + --ca-certificate=FILE:$srcdir/data/ca.crt,$srcdir/data/ca.key \ + --subject="cn=www.test.h5l.se" \ + --type="https-server" \ + --req="PKCS10:pkcs10-request.der" \ + --certificate="FILE:cert-ee.pem" || exit 1 +${hxtool} print --content FILE:cert-ee.pem || exit 1 + +echo "verify certificate hostname (ok)" +${hxtool} verify --missing-revoke \ + --hostname=www.test.h5l.se \ + cert:FILE:cert-ee.pem \ + anchor:FILE:$srcdir/data/ca.crt > /dev/null || exit 1 + +echo "verify certificate hostname (fail)" +${hxtool} verify --missing-revoke \ + --hostname=www2.test.h5l.se \ + cert:FILE:cert-ee.pem \ + anchor:FILE:$srcdir/data/ca.crt > /dev/null && exit 1 + +echo "issue certificate (email)" +${hxtool} issue-certificate \ + --ca-certificate=FILE:$srcdir/data/ca.crt,$srcdir/data/ca.key \ + --subject="cn=foo" \ + --email="lha@test.h5l.se" \ + --email="test@test.h5l.se" \ + --req="PKCS10:pkcs10-request.der" \ + --certificate="FILE:cert-ee.pem" || exit 1 +${hxtool} print --content FILE:cert-ee.pem || exit 1 + +echo "issue certificate (email, null subject DN)" +${hxtool} issue-certificate \ + --ca-certificate=FILE:$srcdir/data/ca.crt,$srcdir/data/ca.key \ + --subject="" \ + --email="lha@test.h5l.se" \ + --req="PKCS10:pkcs10-request.der" \ + --certificate="FILE:cert-null.pem" || exit 1 +${hxtool} print --content FILE:cert-null.pem || exit 1 + +echo "issue certificate (jabber)" +${hxtool} issue-certificate \ + --ca-certificate=FILE:$srcdir/data/ca.crt,$srcdir/data/ca.key \ + --subject="cn=foo" \ + --jid="lha@test.h5l.se" \ + --req="PKCS10:pkcs10-request.der" \ + --certificate="FILE:cert-ee.pem" || exit 1 +${hxtool} print --content FILE:cert-ee.pem || exit 1 + +echo "issue self-signed cert" +${hxtool} issue-certificate \ + --self-signed \ + --ca-private-key=FILE:$srcdir/data/key.der \ + --subject="cn=test" \ + --certificate="FILE:cert-ee.pem" || exit 1 +${hxtool} print --content FILE:cert-ee.pem || exit 1 + +echo "issue ca cert" +${hxtool} issue-certificate \ + --ca-certificate=FILE:$srcdir/data/ca.crt,$srcdir/data/ca.key \ + --issue-ca \ + --subject="cn=ca-cert" \ + --req="PKCS10:pkcs10-request.der" \ + --certificate="FILE:cert-ca.der" || exit 1 +${hxtool} print --content FILE:cert-ca.der || exit 1 + +echo "issue self-signed ca cert" +${hxtool} issue-certificate \ + --self-signed \ + --issue-ca \ + --ca-private-key=FILE:$srcdir/data/key.der \ + --subject="cn=ca-root" \ + --certificate="FILE:cert-ca.der" || exit 1 +${hxtool} print --content FILE:cert-ca.der || exit 1 + +echo "issue proxy certificate" +${hxtool} issue-certificate \ + --ca-certificate=FILE:$srcdir/data/test.crt,$srcdir/data/test.key \ + --issue-proxy \ + --req="PKCS10:pkcs10-request.der" \ + --certificate="FILE:cert-proxy.der" || exit 1 +${hxtool} print --content FILE:cert-proxy.der || exit 1 + +echo "verify proxy cert" +${hxtool} verify --missing-revoke \ + --allow-proxy-certificate \ + cert:FILE:cert-proxy.der \ + chain:FILE:$srcdir/data/test.crt \ + anchor:FILE:$srcdir/data/ca.crt > /dev/null || exit 1 + +echo "issue ca cert (generate rsa key)" +${hxtool} issue-certificate \ + --self-signed \ + --issue-ca \ + --serial-number="deadbeaf" \ + --generate-key=rsa \ + --path-length=-1 \ + --subject="cn=ca2-cert" \ + --certificate="FILE:cert-ca.pem" || exit 1 +${hxtool} print --content FILE:cert-ca.pem || exit 1 + +echo "issue sub-ca cert (generate rsa key)" +${hxtool} issue-certificate \ + --ca-certificate=FILE:cert-ca.pem \ + --issue-ca \ + --serial-number="deadbeaf22" \ + --generate-key=rsa \ + --subject="cn=sub-ca2-cert" \ + --certificate="FILE:cert-sub-ca.pem" || exit 1 +${hxtool} print --content FILE:cert-sub-ca.pem || exit 1 + +echo "issue ee cert (generate rsa key)" +${hxtool} issue-certificate \ + --ca-certificate=FILE:cert-ca.pem \ + --generate-key=rsa \ + --subject="cn=cert-ee2" \ + --certificate="FILE:cert-ee.pem" || exit 1 +${hxtool} print --content FILE:cert-ee.pem || exit 1 + +echo "issue sub-ca ee cert (generate rsa key)" +${hxtool} issue-certificate \ + --ca-certificate=FILE:cert-sub-ca.pem \ + --generate-key=rsa \ + --subject="cn=cert-sub-ee2" \ + --certificate="FILE:cert-sub-ee.pem" || exit 1 +${hxtool} print --content FILE:cert-sub-ee.pem || exit 1 + +echo "verify certificate (ee)" +${hxtool} verify --missing-revoke \ + cert:FILE:cert-ee.pem \ + anchor:FILE:cert-ca.pem > /dev/null || exit 1 + +echo "verify certificate (sub-ee)" +${hxtool} verify --missing-revoke \ + cert:FILE:cert-sub-ee.pem \ + chain:FILE:cert-sub-ca.pem \ + anchor:FILE:cert-ca.pem || exit 1 + +echo "sign CMS signature (generate key)" +${hxtool} cms-create-sd \ + --certificate=FILE:cert-ee.pem \ + "$srcdir/test_name.c" \ + sd.data > /dev/null || exit 1 + +echo "verify CMS signature (generate key)" +${hxtool} cms-verify-sd \ + --missing-revoke \ + --anchors=FILE:cert-ca.pem \ + sd.data sd.data.out > /dev/null || exit 1 +cmp "$srcdir/test_name.c" sd.data.out || exit 1 + +echo "extend ca cert" +${hxtool} issue-certificate \ + --self-signed \ + --issue-ca \ + --lifetime="2years" \ + --serial-number="deadbeaf" \ + --ca-private-key=FILE:cert-ca.pem \ + --subject="cn=ca2-cert" \ + --certificate="FILE:cert-ca.pem" || exit 1 +${hxtool} print --content FILE:cert-ca.pem || exit 1 + +echo "verify certificate generated by previous ca" +${hxtool} verify --missing-revoke \ + cert:FILE:cert-ee.pem \ + anchor:FILE:cert-ca.pem > /dev/null || exit 1 + +echo "extend ca cert (template)" +${hxtool} issue-certificate \ + --self-signed \ + --issue-ca \ + --lifetime="3years" \ + --template-certificate="FILE:cert-ca.pem" \ + --template-fields="serialNumber,notBefore,subject" \ + --path-length=-1 \ + --ca-private-key=FILE:cert-ca.pem \ + --certificate="FILE:cert-ca.pem" || exit 1 +${hxtool} print --content FILE:cert-ca.pem || exit 1 + +echo "verify certificate generated by previous ca" +${hxtool} verify --missing-revoke \ + cert:FILE:cert-ee.pem \ + anchor:FILE:cert-ca.pem > /dev/null || exit 1 + +echo "extend sub-ca cert (template)" +${hxtool} issue-certificate \ + --ca-certificate=FILE:cert-ca.pem \ + --issue-ca \ + --lifetime="2years" \ + --template-certificate="FILE:cert-sub-ca.pem" \ + --template-fields="serialNumber,notBefore,subject,SPKI" \ + --certificate="FILE:cert-sub-ca2.pem" || exit 1 +${hxtool} print --content FILE:cert-sub-ca2.pem || exit 1 + +echo "verify certificate (sub-ee) with extended chain" +${hxtool} verify --missing-revoke \ + cert:FILE:cert-sub-ee.pem \ + chain:FILE:cert-sub-ca.pem \ + anchor:FILE:cert-ca.pem > /dev/null || exit 1 + +echo "+++++++++++ test basic constraints" + +echo "extend ca cert (too low path-length constraint)" +${hxtool} issue-certificate \ + --self-signed \ + --issue-ca \ + --lifetime="3years" \ + --template-certificate="FILE:cert-ca.pem" \ + --template-fields="serialNumber,notBefore,subject" \ + --path-length=0 \ + --ca-private-key=FILE:cert-ca.pem \ + --certificate="FILE:cert-ca.pem" || exit 1 + +echo "verify failure of certificate (sub-ee) with path-length constraint" +${hxtool} verify --missing-revoke \ + cert:FILE:cert-sub-ee.pem \ + chain:FILE:cert-sub-ca.pem \ + anchor:FILE:cert-ca.pem > /dev/null && exit 1 + +echo "extend ca cert (exact path-length constraint)" +${hxtool} issue-certificate \ + --self-signed \ + --issue-ca \ + --lifetime="3years" \ + --template-certificate="FILE:cert-ca.pem" \ + --template-fields="serialNumber,notBefore,subject" \ + --path-length=1 \ + --ca-private-key=FILE:cert-ca.pem \ + --certificate="FILE:cert-ca.pem" || exit 1 + +echo "verify certificate (sub-ee) with exact path-length constraint" +${hxtool} verify --missing-revoke \ + cert:FILE:cert-sub-ee.pem \ + chain:FILE:cert-sub-ca.pem \ + anchor:FILE:cert-ca.pem > /dev/null || exit 1 + +echo "Check missing basicConstrants.isCa" +${hxtool} issue-certificate \ + --ca-certificate=FILE:cert-ca.pem \ + --lifetime="2years" \ + --template-certificate="FILE:cert-sub-ca.pem" \ + --template-fields="serialNumber,notBefore,subject,SPKI" \ + --certificate="FILE:cert-sub-ca2.pem" || exit 1 + +echo "verify failure certificate (sub-ee) with missing isCA" +${hxtool} verify --missing-revoke \ + cert:FILE:cert-sub-ee.pem \ + chain:FILE:cert-sub-ca2.pem \ + anchor:FILE:cert-ca.pem > /dev/null && exit 1 + +echo "issue ee cert (crl uri)" +${hxtool} issue-certificate \ + --ca-certificate=FILE:cert-ca.pem \ + --req="PKCS10:pkcs10-request.der" \ + --crl-uri="http://www.test.h5l.se/crl1.crl" \ + --subject="cn=cert-ee-crl-uri" \ + --certificate="FILE:cert-ee.pem" || exit 1 + +echo "issue null subject cert" +${hxtool} issue-certificate \ + --ca-certificate=FILE:cert-ca.pem \ + --req="PKCS10:pkcs10-request.der" \ + --subject="" \ + --email="lha@test.h5l.se" \ + --certificate="FILE:cert-ee.pem" || exit 1 + +echo "verify certificate null subject" +${hxtool} verify --missing-revoke \ + cert:FILE:cert-ee.pem \ + anchor:FILE:cert-ca.pem > /dev/null || exit 1 + +echo "+++++++++++ test sigalg" + +echo "issue cert with sha256" +${hxtool} issue-certificate \ + --ca-certificate=FILE:cert-ca.pem \ + --signature-algorithm=rsa-with-sha256 \ + --subject="cn=foo" \ + --req="PKCS10:pkcs10-request.der" \ + --certificate="FILE:cert-ee.pem" || exit 1 + +echo "verify certificate" +${hxtool} verify --missing-revoke \ + cert:FILE:cert-ee.pem \ + anchor:FILE:cert-ca.pem > /dev/null || exit 1 + +echo "issue cert with sha1" +${hxtool} issue-certificate \ + --ca-certificate=FILE:cert-ca.pem \ + --signature-algorithm=rsa-with-sha1 \ + --subject="cn=foo" \ + --req="PKCS10:pkcs10-request.der" \ + --certificate="FILE:cert-ee.pem" || exit 1 + +echo "verify certificate" +${hxtool} verify --missing-revoke \ + cert:FILE:cert-ee.pem \ + anchor:FILE:cert-ca.pem > /dev/null || exit 1 + +exit 0 |