      1 #!/bin/sh
      2 #
      3 # Copyright (c) 2004 - 2006 Kungliga Tekniska Hgskolan
      4 # (Royal Institute of Technology, Stockholm, Sweden). 
      5 # All rights reserved. 
      6 #
      7 # Redistribution and use in source and binary forms, with or without 
      8 # modification, are permitted provided that the following conditions 
      9 # are met: 
     10 #
     11 # 1. Redistributions of source code must retain the above copyright 
     12 #    notice, this list of conditions and the following disclaimer. 
     13 #
     14 # 2. Redistributions in binary form must reproduce the above copyright 
     15 #    notice, this list of conditions and the following disclaimer in the 
     16 #    documentation and/or other materials provided with the distribution. 
     17 #
     18 # 3. Neither the name of the Institute nor the names of its contributors 
     19 #    may be used to endorse or promote products derived from this software 
     20 #    without specific prior written permission. 
     21 #
     22 # THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
     23 # ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
     24 # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
     25 # ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
     26 # FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
     27 # DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
     28 # OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
     29 # HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
     30 # LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
     31 # OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
     32 # SUCH DAMAGE. 
     33 #
     34 # Id
     35 #
     36 
# Paths substituted by configure: the source tree (test data lives under
# ${srcdir}/data) and the build tree (where hxtool writes its statistics file).
srcdir="@srcdir@"
objdir="@objdir@"

stat="--statistic-file=${objdir}/statfile"

# Kept unquoted at every use on purpose: TESTS_ENVIRONMENT may carry several
# words (e.g. a wrapper command) that have to be split into separate arguments.
hxtool="${TESTS_ENVIRONMENT} ./hxtool ${stat}"

# Exit 77 is the automake test-harness "skipped" status.  Without a real RSA
# implementation or a random-number source hxtool cannot verify anything, so
# the whole script is skipped instead of being reported as a failure.
if ${hxtool} info | grep -q 'rsa: hcrypto null RSA' ; then
    exit 77
fi
if ${hxtool} info | grep -q 'rand: not available' ; then
    exit 77
fi

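# Chain-building tests.
#
# Convention used throughout this script: a case that must verify ends in
# "|| exit 1"; a case that must be rejected ends in "&& exit 1".  A negative
# case therefore also "passes" when hxtool fails for an unrelated reason
# (missing data file, crash), so it is a weaker check than a positive one.
#
# --missing-revoke: absent revocation data is not treated as a verification
# failure.  The OCSP/CRL cases further down omit it because they supply
# revocation data explicitly.
#
# $srcdir is a configure-substituted path and is quoted so that a source tree
# containing spaces does not get word-split into several arguments.
echo "cert -> root"
${hxtool} verify --missing-revoke \
    "cert:FILE:$srcdir/data/test.crt" \
    "chain:FILE:$srcdir/data/test.crt" \
    "chain:FILE:$srcdir/data/ca.crt" \
    "anchor:FILE:$srcdir/data/ca.crt" > /dev/null || exit 1

echo "cert -> root"
${hxtool} verify --missing-revoke \
    "cert:FILE:$srcdir/data/test.crt" \
    "chain:FILE:$srcdir/data/ca.crt" \
    "anchor:FILE:$srcdir/data/ca.crt" > /dev/null || exit 1

echo "cert -> root"
${hxtool} verify --missing-revoke \
    "cert:FILE:$srcdir/data/test.crt" \
    "anchor:FILE:$srcdir/data/ca.crt" > /dev/null || exit 1

# Negative: the intermediate (sub-ca) is neither in the chain pool nor an
# anchor, so no path to the root can be built.
echo "sub-cert -> root"
${hxtool} verify --missing-revoke \
    "cert:FILE:$srcdir/data/sub-cert.crt" \
    "chain:FILE:$srcdir/data/ca.crt" \
    "anchor:FILE:$srcdir/data/ca.crt" > /dev/null && exit 1

echo "sub-cert -> sub-ca -> root"
${hxtool} verify --missing-revoke \
    "cert:FILE:$srcdir/data/sub-cert.crt" \
    "chain:FILE:$srcdir/data/sub-ca.crt" \
    "chain:FILE:$srcdir/data/ca.crt" \
    "anchor:FILE:$srcdir/data/ca.crt" > /dev/null || exit 1

echo "sub-cert -> sub-ca"
${hxtool} verify --missing-revoke \
    "cert:FILE:$srcdir/data/sub-cert.crt" \
    "anchor:FILE:$srcdir/data/sub-ca.crt" > /dev/null || exit 1

echo "sub-cert -> sub-ca -> root"
${hxtool} verify --missing-revoke \
    "cert:FILE:$srcdir/data/sub-cert.crt" \
    "chain:FILE:$srcdir/data/sub-ca.crt" \
    "chain:FILE:$srcdir/data/ca.crt" \
    "anchor:FILE:$srcdir/data/ca.crt" > /dev/null || exit 1

# Same path, chain pool given in the opposite order: ordering must not matter.
echo "sub-cert -> sub-ca -> root"
${hxtool} verify --missing-revoke \
    "cert:FILE:$srcdir/data/sub-cert.crt" \
    "chain:FILE:$srcdir/data/ca.crt" \
    "chain:FILE:$srcdir/data/sub-ca.crt" \
    "anchor:FILE:$srcdir/data/ca.crt" > /dev/null || exit 1

echo "sub-cert -> sub-ca -> root"
${hxtool} verify --missing-revoke \
    "cert:FILE:$srcdir/data/sub-cert.crt" \
    "chain:FILE:$srcdir/data/sub-ca.crt" \
    "anchor:FILE:$srcdir/data/ca.crt" > /dev/null || exit 1

# NOTE(review): the label says "(ok)" but the case expects rejection
# ("&& exit 1"), exactly like the depth-1 case below -- confirm whether the
# label or the expectation is the intended one.
echo "max depth 2 (ok)"
${hxtool} verify --missing-revoke \
    --max-depth=2 \
    "cert:FILE:$srcdir/data/sub-cert.crt" \
    "chain:FILE:$srcdir/data/sub-ca.crt" \
    "anchor:FILE:$srcdir/data/ca.crt" > /dev/null && exit 1

echo "max depth 1 (fail)"
${hxtool} verify --missing-revoke \
    --max-depth=1 \
    "cert:FILE:$srcdir/data/sub-cert.crt" \
    "chain:FILE:$srcdir/data/sub-ca.crt" \
    "anchor:FILE:$srcdir/data/ca.crt" > /dev/null && exit 1
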
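# Revocation tests: OCSP responses and a CRL are supplied explicitly, so
# --missing-revoke is not used here.  Positive cases end in "|| exit 1",
# negative (revoked / unverifiable) cases in "&& exit 1".  $srcdir is quoted
# so a source path containing spaces is passed as a single argument.
echo "ocsp non-ca responder"
${hxtool} verify \
    "cert:FILE:$srcdir/data/test.crt" \
    "anchor:FILE:$srcdir/data/ca.crt" \
    "ocsp:FILE:$srcdir/data/ocsp-resp1-ocsp.der" > /dev/null || exit 1

echo "ocsp ca responder"
${hxtool} verify \
    "cert:FILE:$srcdir/data/test.crt" \
    "anchor:FILE:$srcdir/data/ca.crt" \
    "ocsp:FILE:$srcdir/data/ocsp-resp1-ca.der" > /dev/null || exit 1

# Negative: the response omits the responder certificate and nothing in the
# pool supplies it, so the response cannot be authenticated.
echo "ocsp no-ca responder, missing cert"
${hxtool} verify \
    "cert:FILE:$srcdir/data/test.crt" \
    "anchor:FILE:$srcdir/data/ca.crt" \
    "ocsp:FILE:$srcdir/data/ocsp-resp1-ocsp-no-cert.der" > /dev/null && exit 1

# Same response, but the responder certificate is now available via chain:.
echo "ocsp no-ca responder, missing cert, in pool"
${hxtool} verify \
    "cert:FILE:$srcdir/data/test.crt" \
    "anchor:FILE:$srcdir/data/ca.crt" \
    "ocsp:FILE:$srcdir/data/ocsp-resp1-ocsp-no-cert.der" \
    "chain:FILE:$srcdir/data/ocsp-responder.crt" > /dev/null || exit 1

echo "ocsp no-ca responder, keyHash"
${hxtool} verify \
    "cert:FILE:$srcdir/data/test.crt" \
    "anchor:FILE:$srcdir/data/ca.crt" \
    "ocsp:FILE:$srcdir/data/ocsp-resp1-keyhash.der" > /dev/null || exit 1

echo "ocsp revoked cert"
${hxtool} verify \
    "cert:FILE:$srcdir/data/revoke.crt" \
    "anchor:FILE:$srcdir/data/ca.crt" \
    "ocsp:FILE:$srcdir/data/ocsp-resp2.der" > /dev/null && exit 1

# Every response used above must at least parse and print.
for a in resp1-ocsp-no-cert resp1-ca resp1-keyhash resp2 ; do
    echo "ocsp print reply $a"
    ${hxtool} ocsp-print \
        "$srcdir/data/ocsp-${a}.der" > /dev/null || exit 1
done

echo "ocsp verify exists"
${hxtool} ocsp-verify \
    "--ocsp-file=$srcdir/data/ocsp-resp1-ca.der" \
    "FILE:$srcdir/data/test.crt" > /dev/null || exit 1

# Negative: the response does not cover ca.crt at all.
echo "ocsp verify not exists"
${hxtool} ocsp-verify \
    "--ocsp-file=$srcdir/data/ocsp-resp1.der" \
    "FILE:$srcdir/data/ca.crt" > /dev/null && exit 1

echo "ocsp verify revoked"
${hxtool} ocsp-verify \
    "--ocsp-file=$srcdir/data/ocsp-resp2.der" \
    "FILE:$srcdir/data/revoke.crt" > /dev/null && exit 1

echo "crl non-revoked cert"
${hxtool} verify \
    "cert:FILE:$srcdir/data/test.crt" \
    "anchor:FILE:$srcdir/data/ca.crt" \
    "crl:FILE:$srcdir/data/crl1.der" > /dev/null || exit 1

echo "crl revoked cert"
${hxtool} verify \
    "cert:FILE:$srcdir/data/revoke.crt" \
    "anchor:FILE:$srcdir/data/ca.crt" \
    "crl:FILE:$srcdir/data/crl1.der" > /dev/null && exit 1
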
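# ECDSA chains: only meaningful when the hcrypto backend actually provides
# ECDSA; with the null implementation the cases are reported as skipped text
# rather than failing.  $srcdir is quoted against paths containing spaces.
if ${hxtool} info | grep -q 'ecdsa: hcrypto null' ; then
    echo "not testing ECDSA since hcrypto doesnt support ECDSA"
else
    echo "eccert -> root"
    ${hxtool} verify --missing-revoke \
        "cert:FILE:$srcdir/data/secp256r2TestServer.cert.pem" \
        "anchor:FILE:$srcdir/data/secp256r1TestCA.cert.pem" > /dev/null || exit 1

    echo "eccert -> root"
    ${hxtool} verify --missing-revoke \
        "cert:FILE:$srcdir/data/secp256r2TestClient.cert.pem" \
        "anchor:FILE:$srcdir/data/secp256r1TestCA.cert.pem" > /dev/null || exit 1
fi
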
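# Proxy-certificate tests.  Proxy certificates are only accepted when
# --allow-proxy-certificate is given; the negative cases check that the flag
# is required, that a non-proxy leaf is rejected under it, and that exceeding
# the proxy path length is rejected.  $srcdir is quoted against paths with
# spaces.
echo "proxy cert"
${hxtool} verify --missing-revoke \
    --allow-proxy-certificate \
    "cert:FILE:$srcdir/data/proxy-test.crt" \
    "chain:FILE:$srcdir/data/test.crt" \
    "anchor:FILE:$srcdir/data/ca.crt" > /dev/null || exit 1

# Negative: same chain without --allow-proxy-certificate must be rejected.
echo "proxy cert (negative)"
${hxtool} verify --missing-revoke \
    "cert:FILE:$srcdir/data/proxy-test.crt" \
    "chain:FILE:$srcdir/data/test.crt" \
    "anchor:FILE:$srcdir/data/ca.crt" > /dev/null && exit 1

echo "proxy cert (level fail)"
${hxtool} verify --missing-revoke \
    --allow-proxy-certificate \
    "cert:FILE:$srcdir/data/proxy-level-test.crt" \
    "chain:FILE:$srcdir/data/proxy-test.crt" \
    "chain:FILE:$srcdir/data/test.crt" \
    "anchor:FILE:$srcdir/data/ca.crt" > /dev/null && exit 1

echo "not a proxy cert"
${hxtool} verify --missing-revoke \
    --allow-proxy-certificate \
    "cert:FILE:$srcdir/data/no-proxy-test.crt" \
    "chain:FILE:$srcdir/data/test.crt" \
    "anchor:FILE:$srcdir/data/ca.crt" > /dev/null && exit 1

echo "proxy cert (max level 10)"
${hxtool} verify --missing-revoke \
    --allow-proxy-certificate \
    "cert:FILE:$srcdir/data/proxy10-test.crt" \
    "chain:FILE:$srcdir/data/test.crt" \
    "anchor:FILE:$srcdir/data/ca.crt" > /dev/null || exit 1

echo "proxy cert (second level)"
${hxtool} verify --missing-revoke \
    --allow-proxy-certificate \
    "cert:FILE:$srcdir/data/proxy10-child-test.crt" \
    "chain:FILE:$srcdir/data/proxy10-test.crt" \
    "chain:FILE:$srcdir/data/test.crt" \
    "anchor:FILE:$srcdir/data/ca.crt" > /dev/null || exit 1

echo "proxy cert (third level)"
${hxtool} verify --missing-revoke \
    --allow-proxy-certificate \
    "cert:FILE:$srcdir/data/proxy10-child-child-test.crt" \
    "chain:FILE:$srcdir/data/proxy10-child-test.crt" \
    "chain:FILE:$srcdir/data/proxy10-test.crt" \
    "chain:FILE:$srcdir/data/test.crt" \
    "anchor:FILE:$srcdir/data/ca.crt" > /dev/null || exit 1

# Reached only if every positive case verified and every negative case was
# rejected.
exit 0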