source: heimdal/trunk/lib/hx509/test_cms.in

Last change on this file was 1, checked in by Paul Smedley, 10 years ago

Initial commit of Heimdal 1.5.3
File size: 16.2 KB
Line 
1#!/bin/sh
2#
3# Copyright (c) 2005 Kungliga Tekniska Högskolan
4# (Royal Institute of Technology, Stockholm, Sweden).
5# All rights reserved.
6#
7# Redistribution and use in source and binary forms, with or without
8# modification, are permitted provided that the following conditions
9# are met:
10#
11# 1. Redistributions of source code must retain the above copyright
12# notice, this list of conditions and the following disclaimer.
13#
14# 2. Redistributions in binary form must reproduce the above copyright
15# notice, this list of conditions and the following disclaimer in the
16# documentation and/or other materials provided with the distribution.
17#
18# 3. Neither the name of the Institute nor the names of its contributors
19# may be used to endorse or promote products derived from this software
20# without specific prior written permission.
21#
22# THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
23# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
24# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
25# ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
26# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
27# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
28# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
29# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
30# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
31# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
32# SUCH DAMAGE.
33#
34# $Id$
35#
36
37srcdir="@srcdir@"
38objdir="@objdir@"
39
40stat="--statistic-file=${objdir}/statfile"
41
42hxtool="${TESTS_ENVIRONMENT} ./hxtool ${stat}"
43
44if ${hxtool} info | grep 'rsa: hcrypto null RSA' > /dev/null ; then
45 exit 77
46fi
47if ${hxtool} info | grep 'rand: not available' > /dev/null ; then
48 exit 77
49fi
50
51if ${hxtool} info | grep 'ecdsa: hcrypto null' > /dev/null ; then
52 echo "not testing ECDSA since hcrypto doesnt support ECDSA"
53else
54 echo "create signed data (ec)"
55 ${hxtool} cms-create-sd \
56 --certificate=FILE:$srcdir/data/secp160r2TestClient.pem \
57 "$srcdir/test_chain.in" \
58 sd.data > /dev/null || exit 1
59
60 echo "verify signed data (ec)"
61 ${hxtool} cms-verify-sd \
62 --missing-revoke \
63 --anchors=FILE:$srcdir/data/secp160r1TestCA.cert.pem \
64 sd.data sd.data.out > /dev/null || exit 1
65 cmp "$srcdir/test_chain.in" sd.data.out || exit 1
66fi
67
68echo "create signed data"
69${hxtool} cms-create-sd \
70 --certificate=FILE:$srcdir/data/test.crt,$srcdir/data/test.key \
71 "$srcdir/test_chain.in" \
72 sd.data > /dev/null || exit 1
73
74echo "verify signed data"
75${hxtool} cms-verify-sd \
76 --missing-revoke \
77 --anchors=FILE:$srcdir/data/ca.crt \
78 sd.data sd.data.out > /dev/null || exit 1
79cmp "$srcdir/test_chain.in" sd.data.out || exit 1
80
81echo "create signed data (no signer)"
82${hxtool} cms-create-sd \
83 --no-signer \
84 --certificate=FILE:$srcdir/data/test.crt,$srcdir/data/test.key \
85 "$srcdir/test_chain.in" \
86 sd.data > /dev/null || exit 1
87
88echo "verify signed data (no signer)"
89${hxtool} cms-verify-sd \
90 --missing-revoke \
91 --no-signer-allowed \
92 --anchors=FILE:$srcdir/data/ca.crt \
93 sd.data sd.data.out > signer.tmp || exit 1
94cmp "$srcdir/test_chain.in" sd.data.out || exit 1
95grep "unsigned" signer.tmp > /dev/null || exit 1
96
97echo "verify signed data (no signer) (test failure)"
98${hxtool} cms-verify-sd \
99 --missing-revoke \
100 --anchors=FILE:$srcdir/data/ca.crt \
101 sd.data sd.data.out 2> signer.tmp && exit 1
102grep "No signers where found" signer.tmp > /dev/null || exit 1
103
104echo "create signed data (id-by-name)"
105${hxtool} cms-create-sd \
106 --certificate=FILE:$srcdir/data/test.crt,$srcdir/data/test.key \
107 --id-by-name \
108 "$srcdir/test_chain.in" \
109 sd.data > /dev/null || exit 1
110
111echo "verify signed data"
112${hxtool} cms-verify-sd \
113 --missing-revoke \
114 --anchors=FILE:$srcdir/data/ca.crt \
115 sd.data sd.data.out > /dev/null || exit 1
116cmp "$srcdir/test_chain.in" sd.data.out || exit 1
117
118echo "verify signed data (EE cert as anchor)"
119${hxtool} cms-verify-sd \
120 --missing-revoke \
121 --anchors=FILE:$srcdir/data/test.crt \
122 sd.data sd.data.out > /dev/null || exit 1
123cmp "$srcdir/test_chain.in" sd.data.out || exit 1
124
125echo "create signed data (password)"
126${hxtool} cms-create-sd \
127 --pass=PASS:foobar \
128 --certificate=FILE:$srcdir/data/test.crt,$srcdir/data/test-pw.key \
129 "$srcdir/test_chain.in" \
130 sd.data > /dev/null || exit 1
131
132echo "verify signed data"
133${hxtool} cms-verify-sd \
134 --missing-revoke \
135 --anchors=FILE:$srcdir/data/ca.crt \
136 sd.data sd.data.out > /dev/null || exit 1
137cmp "$srcdir/test_chain.in" sd.data.out || exit 1
138
139echo "create signed data (combined)"
140${hxtool} cms-create-sd \
141 --certificate=FILE:$srcdir/data/test.combined.crt \
142 "$srcdir/test_chain.in" \
143 sd.data > /dev/null || exit 1
144
145echo "verify signed data"
146${hxtool} cms-verify-sd \
147 --missing-revoke \
148 --anchors=FILE:$srcdir/data/ca.crt \
149 sd.data sd.data.out > /dev/null || exit 1
150cmp "$srcdir/test_chain.in" sd.data.out || exit 1
151
152echo "create signed data (content info)"
153${hxtool} cms-create-sd \
154 --certificate=FILE:$srcdir/data/test.crt,$srcdir/data/test.key \
155 --content-info \
156 "$srcdir/test_chain.in" \
157 sd.data > /dev/null || exit 1
158
159echo "verify signed data (content info)"
160${hxtool} cms-verify-sd \
161 --missing-revoke \
162 --anchors=FILE:$srcdir/data/ca.crt \
163 --content-info \
164 sd.data sd.data.out > /dev/null || exit 1
165cmp "$srcdir/test_chain.in" sd.data.out || exit 1
166
167echo "create signed data (content type)"
168${hxtool} cms-create-sd \
169 --certificate=FILE:$srcdir/data/test.crt,$srcdir/data/test.key \
170 --content-type=1.1.1.1 \
171 "$srcdir/test_chain.in" \
172 sd.data > /dev/null || exit 1
173
174echo "verify signed data (content type)"
175${hxtool} cms-verify-sd \
176 --missing-revoke \
177 --anchors=FILE:$srcdir/data/ca.crt \
178 sd.data sd.data.out > /dev/null || exit 1
179cmp "$srcdir/test_chain.in" sd.data.out || exit 1
180
181echo "create signed data (pem)"
182${hxtool} cms-create-sd \
183 --certificate=FILE:$srcdir/data/test.crt,$srcdir/data/test.key \
184 --pem \
185 "$srcdir/test_chain.in" \
186 sd.data > /dev/null || exit 1
187
188echo "verify signed data (pem)"
189${hxtool} cms-verify-sd \
190 --missing-revoke \
191 --anchors=FILE:$srcdir/data/ca.crt \
192 --pem \
193 sd.data sd.data.out > /dev/null
194cmp "$srcdir/test_chain.in" sd.data.out || exit 1
195
196echo "create signed data (pem, detached)"
197${hxtool} cms-create-sd \
198 --certificate=FILE:$srcdir/data/test.crt,$srcdir/data/test.key \
199 --detached-signature \
200 --pem \
201 "$srcdir/test_chain.in" \
202 sd.data > /dev/null || exit 1
203
204echo "verify signed data (pem, detached)"
205${hxtool} cms-verify-sd \
206 --missing-revoke \
207 --anchors=FILE:$srcdir/data/ca.crt \
208 --pem \
209 --signed-content="$srcdir/test_chain.in" \
210 sd.data sd.data.out > /dev/null
211cmp "$srcdir/test_chain.in" sd.data.out || exit 1
212
213echo "create signed data (p12)"
214${hxtool} cms-create-sd \
215 --pass=PASS:foobar \
216 --certificate=PKCS12:$srcdir/data/test.p12 \
217 --signer=friendlyname-test \
218 "$srcdir/test_chain.in" \
219 sd.data > /dev/null || exit 1
220
221echo "verify signed data"
222${hxtool} cms-verify-sd \
223 --missing-revoke \
224 --anchors=FILE:$srcdir/data/ca.crt \
225 --content-info \
226 "$srcdir/data/test-signed-data" sd.data.out > /dev/null || exit 1
227cmp "$srcdir/data/static-file" sd.data.out || exit 1
228
229echo "verify signed data (no attr)"
230${hxtool} cms-verify-sd \
231 --missing-revoke \
232 --anchors=FILE:$srcdir/data/ca.crt \
233 --content-info \
234 "$srcdir/data/test-signed-data-noattr" sd.data.out > /dev/null || exit 1
235cmp "$srcdir/data/static-file" sd.data.out || exit 1
236
237echo "verify failure signed data (no attr, no certs)"
238${hxtool} cms-verify-sd \
239 --missing-revoke \
240 --anchors=FILE:$srcdir/data/ca.crt \
241 --content-info \
242 "$srcdir/data/test-signed-data-noattr-nocerts" \
243 sd.data.out > /dev/null 2>/dev/null && exit 1
244
245echo "verify signed data (no attr, no certs)"
246${hxtool} cms-verify-sd \
247 --missing-revoke \
248 --anchors=FILE:$srcdir/data/ca.crt \
249 --certificate=FILE:$srcdir/data/test.crt \
250 --content-info \
251 "$srcdir/data/test-signed-data-noattr-nocerts" \
252 sd.data.out > /dev/null || exit 1
253cmp "$srcdir/data/static-file" sd.data.out || exit 1
254
255echo "verify signed data - sha1"
256${hxtool} cms-verify-sd \
257 --missing-revoke \
258 --anchors=FILE:$srcdir/data/ca.crt \
259 --content-info \
260 "$srcdir/data/test-signed-sha-1" sd.data.out > /dev/null || exit 1
261cmp "$srcdir/data/static-file" sd.data.out || exit 1
262
263echo "verify signed data - sha256"
264${hxtool} cms-verify-sd \
265 --missing-revoke \
266 --anchors=FILE:$srcdir/data/ca.crt \
267 --content-info \
268 "$srcdir/data/test-signed-sha-256" sd.data.out > /dev/null || exit 1
269cmp "$srcdir/data/static-file" sd.data.out || exit 1
270
271#echo "verify signed data - sha512"
272#${hxtool} cms-verify-sd \
273# --missing-revoke \
274# --anchors=FILE:$srcdir/data/ca.crt \
275# --content-info \
276# "$srcdir/data/test-signed-sha-512" sd.data.out > /dev/null || exit 1
277#cmp "$srcdir/data/static-file" sd.data.out || exit 1
278
279
280echo "create signed data (subcert, no certs)"
281${hxtool} cms-create-sd \
282 --certificate=FILE:$srcdir/data/sub-cert.crt,$srcdir/data/sub-cert.key \
283 "$srcdir/test_chain.in" \
284 sd.data > /dev/null || exit 1
285
286echo "verify failure signed data"
287${hxtool} cms-verify-sd \
288 --missing-revoke \
289 --anchors=FILE:$srcdir/data/ca.crt \
290 sd.data sd.data.out > /dev/null 2> /dev/null && exit 1
291
292echo "verify success signed data"
293${hxtool} cms-verify-sd \
294 --missing-revoke \
295 --certificate=FILE:$srcdir/data/sub-ca.crt \
296 --anchors=FILE:$srcdir/data/ca.crt \
297 sd.data sd.data.out > /dev/null || exit 1
298cmp "$srcdir/test_chain.in" sd.data.out || exit 1
299
300echo "create signed data (subcert, certs)"
301${hxtool} cms-create-sd \
302 --certificate=FILE:$srcdir/data/sub-cert.crt,$srcdir/data/sub-cert.key \
303 --pool=FILE:$srcdir/data/sub-ca.crt \
304 --anchors=FILE:$srcdir/data/ca.crt \
305 "$srcdir/test_chain.in" \
306 sd.data > /dev/null || exit 1
307
308echo "verify success signed data"
309${hxtool} cms-verify-sd \
310 --missing-revoke \
311 --anchors=FILE:$srcdir/data/ca.crt \
312 sd.data sd.data.out > /dev/null || exit 1
313cmp "$srcdir/test_chain.in" sd.data.out || exit 1
314
315echo "create signed data (subcert, certs, no-root)"
316${hxtool} cms-create-sd \
317 --certificate=FILE:$srcdir/data/sub-cert.crt,$srcdir/data/sub-cert.key \
318 --pool=FILE:$srcdir/data/sub-ca.crt \
319 "$srcdir/test_chain.in" \
320 sd.data > /dev/null || exit 1
321
322echo "verify success signed data"
323${hxtool} cms-verify-sd \
324 --missing-revoke \
325 --anchors=FILE:$srcdir/data/ca.crt \
326 sd.data sd.data.out > /dev/null || exit 1
327cmp "$srcdir/test_chain.in" sd.data.out || exit 1
328
329echo "create signed data (subcert, no-subca, no-root)"
330${hxtool} cms-create-sd \
331 --certificate=FILE:$srcdir/data/sub-cert.crt,$srcdir/data/sub-cert.key \
332 "$srcdir/test_chain.in" \
333 sd.data > /dev/null || exit 1
334
335echo "verify failure signed data"
336${hxtool} cms-verify-sd \
337 --missing-revoke \
338 --anchors=FILE:$srcdir/data/ca.crt \
339 sd.data sd.data.out > /dev/null 2>/dev/null && exit 1
340
341echo "create signed data (sd cert)"
342${hxtool} cms-create-sd \
343 --certificate=FILE:$srcdir/data/test-ds-only.crt,$srcdir/data/test-ds-only.key \
344 "$srcdir/test_chain.in" \
345 sd.data > /dev/null || exit 1
346
347echo "create signed data (ke cert)"
348${hxtool} cms-create-sd \
349 --certificate=FILE:$srcdir/data/test-ke-only.crt,$srcdir/data/test-ke-only.key \
350 "$srcdir/test_chain.in" \
351 sd.data > /dev/null 2>/dev/null && exit 1
352
353echo "create signed data (sd + ke certs)"
354${hxtool} cms-create-sd \
355 --certificate=FILE:$srcdir/data/test-ke-only.crt,$srcdir/data/test-ke-only.key \
356 --certificate=FILE:$srcdir/data/test-ds-only.crt,$srcdir/data/test-ds-only.key \
357 "$srcdir/test_chain.in" \
358 sd.data > /dev/null || exit 1
359
360echo "create signed data (ke + sd certs)"
361${hxtool} cms-create-sd \
362 --certificate=FILE:$srcdir/data/test-ds-only.crt,$srcdir/data/test-ds-only.key \
363 --certificate=FILE:$srcdir/data/test-ke-only.crt,$srcdir/data/test-ke-only.key \
364 "$srcdir/test_chain.in" \
365 sd.data > /dev/null || exit 1
366
367echo "create signed data (detached)"
368${hxtool} cms-create-sd \
369 --certificate=FILE:$srcdir/data/test.crt,$srcdir/data/test.key \
370 --detached-signature \
371 "$srcdir/test_chain.in" \
372 sd.data > /dev/null || exit 1
373
374echo "verify signed data (detached)"
375${hxtool} cms-verify-sd \
376 --missing-revoke \
377 --signed-content="$srcdir/test_chain.in" \
378 --anchors=FILE:$srcdir/data/ca.crt \
379 sd.data sd.data.out > /dev/null || exit 1
380cmp "$srcdir/test_chain.in" sd.data.out || exit 1
381
382echo "verify failure signed data (detached)"
383${hxtool} cms-verify-sd \
384 --missing-revoke \
385 --anchors=FILE:$srcdir/data/ca.crt \
386 sd.data sd.data.out > /dev/null 2>/dev/null && exit 1
387
388echo "create signed data (rsa)"
389${hxtool} cms-create-sd \
390 --peer-alg=1.2.840.113549.1.1.1 \
391 --certificate=FILE:$srcdir/data/test.crt,$srcdir/data/test.key \
392 "$srcdir/test_chain.in" \
393 sd.data > /dev/null || exit 1
394
395echo "verify signed data (rsa)"
396${hxtool} cms-verify-sd \
397 --missing-revoke \
398 --anchors=FILE:$srcdir/data/ca.crt \
399 sd.data sd.data.out > /dev/null 2>/dev/null || exit 1
400cmp "$srcdir/test_chain.in" sd.data.out || exit 1
401
402echo "create signed data (pem, detached)"
403cp "$srcdir/test_chain.in" sd
404${hxtool} cms-sign \
405 --certificate=FILE:$srcdir/data/test.crt,$srcdir/data/test.key \
406 --detached-signature \
407 --pem \
408 sd > /dev/null || exit 1
409
410echo "verify signed data (pem, detached)"
411${hxtool} cms-verify-sd \
412 --missing-revoke \
413 --anchors=FILE:$srcdir/data/ca.crt \
414 --pem \
415 sd.pem > /dev/null
416
417echo "create signed data (no certs, detached sig)"
418cp "$srcdir/test_chain.in" sd
419${hxtool} cms-sign \
420 --certificate=FILE:$srcdir/data/test.crt,$srcdir/data/test.key \
421 --detached-signature \
422 --no-embedded-certs \
423 "$srcdir/data/static-file" \
424 sd > /dev/null || exit 1
425
426echo "create signed data (leif only, detached sig)"
427cp "$srcdir/test_chain.in" sd
428${hxtool} cms-sign \
429 --certificate=FILE:$srcdir/data/test.crt,$srcdir/data/test.key \
430 --detached-signature \
431 --embed-leaf-only \
432 "$srcdir/data/static-file" \
433 sd > /dev/null || exit 1
434
435echo "create signed data (no certs, detached sig, 2 signers)"
436cp "$srcdir/test_chain.in" sd
437${hxtool} cms-sign \
438 --certificate=FILE:$srcdir/data/test.crt,$srcdir/data/test.key \
439 --certificate=FILE:$srcdir/data/sub-cert.crt,$srcdir/data/sub-cert.key \
440 --detached-signature \
441 --no-embedded-certs \
442 "$srcdir/data/static-file" \
443 sd > /dev/null || exit 1
444
445echo "create signed data (no certs, detached sig, 3 signers)"
446cp "$srcdir/test_chain.in" sd
447${hxtool} cms-sign \
448 --certificate=FILE:$srcdir/data/test.crt,$srcdir/data/test.key \
449 --certificate=FILE:$srcdir/data/sub-cert.crt,$srcdir/data/sub-cert.key \
450 --certificate=FILE:$srcdir/data/test-ds-only.crt,$srcdir/data/test-ds-only.key \
451 --detached-signature \
452 --no-embedded-certs \
453 "$srcdir/data/static-file" \
454 sd > /dev/null || exit 1
455
456echo "envelope data (content-type)"
457${hxtool} cms-envelope \
458 --certificate=FILE:$srcdir/data/test.crt \
459 --content-type=1.1.1.1 \
460 "$srcdir/data/static-file" \
461 ev.data > /dev/null || exit 1
462
463echo "unenvelope data (content-type)"
464${hxtool} cms-unenvelope \
465 --certificate=FILE:$srcdir/data/test.crt,$srcdir/data/test.key \
466 ev.data ev.data.out \
467 FILE:$srcdir/data/test.crt,$srcdir/data/test.key > /dev/null || exit 1
468cmp "$srcdir/data/static-file" ev.data.out || exit 1
469
470echo "envelope data (content-info)"
471${hxtool} cms-envelope \
472 --certificate=FILE:$srcdir/data/test.crt \
473 --content-info \
474 "$srcdir/data/static-file" \
475 ev.data > /dev/null || exit 1
476
477echo "unenvelope data (content-info)"
478${hxtool} cms-unenvelope \
479 --certificate=FILE:$srcdir/data/test.crt,$srcdir/data/test.key \
480 --content-info \
481 ev.data ev.data.out \
482 FILE:$srcdir/data/test.crt,$srcdir/data/test.key > /dev/null || exit 1
483cmp "$srcdir/data/static-file" ev.data.out || exit 1
484
485for a in des-ede3 aes-128 aes-256; do
486
487 rm -f ev.data ev.data.out
488 echo "envelope data ($a)"
489 ${hxtool} cms-envelope \
490 --encryption-type="$a-cbc" \
491 --certificate=FILE:$srcdir/data/test.crt \
492 "$srcdir/data/static-file" \
493 ev.data || exit 1
494
495 echo "unenvelope data ($a)"
496 ${hxtool} cms-unenvelope \
497 --certificate=FILE:$srcdir/data/test.crt,$srcdir/data/test.key \
498 ev.data ev.data.out > /dev/null || exit 1
499 cmp "$srcdir/data/static-file" ev.data.out || exit 1
500done
501
502for a in rc2-40 rc2-64 rc2-128 des-ede3 aes-128 aes-256; do
503 echo "static unenvelope data ($a)"
504
505 rm -f ev.data.out
506 ${hxtool} cms-unenvelope \
507 --certificate=FILE:$srcdir/data/test.crt,$srcdir/data/test.key \
508 --content-info \
509 --allow-weak \
510 "$srcdir/data/test-enveloped-$a" ev.data.out > /dev/null || exit 1
511 cmp "$srcdir/data/static-file" ev.data.out || exit 1
512done
513
514exit 0
Note: See TracBrowser for help on using the repository browser.