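#!/bin/sh
#
# Copyright (c) 2004 - 2006 Kungliga Tekniska Högskolan
# (Royal Institute of Technology, Stockholm, Sweden).
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
#
# 1. Redistributions of source code must retain the above copyright
#    notice, this list of conditions and the following disclaimer.
#
# 2. Redistributions in binary form must reproduce the above copyright
#    notice, this list of conditions and the following disclaimer in the
#    documentation and/or other materials provided with the distribution.
#
# 3. Neither the name of the Institute nor the names of its contributors
#    may be used to endorse or promote products derived from this software
#    without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
# SUCH DAMAGE.
#
# $Id$
#

# Regression test for hxtool's path validation: plain certificate chains,
# path-length limits, OCSP and CRL revocation, ECDSA certificates and proxy
# certificates.  Each case prints a label, runs hxtool once and stops the
# script with status 1 as soon as an outcome differs from the expected one.
#
# Exit status: 0 all cases behaved as expected, 1 a case did not, 77 the
# test was skipped (automake's "skipped" status) because the crypto backend
# reports no usable RSA or random source.
#
# @srcdir@ and @objdir@ are placeholders filled in when this template is
# turned into the runnable script.  TESTS_ENVIRONMENT is read from the
# environment and may hold a wrapper command placed in front of ./hxtool.

srcdir="@srcdir@"
objdir="@objdir@"
data="${srcdir}/data"

# Run ./hxtool with the shared statistics file plus the given arguments.
# TESTS_ENVIRONMENT is left unquoted on purpose: it is a command prefix that
# has to split into words.  Every path is quoted, so a source or build
# directory containing whitespace or glob characters reaches hxtool as one
# argument instead of being split or expanded by the shell.
run_hxtool() {
    ${TESTS_ENVIRONMENT} ./hxtool "--statistic-file=${objdir}/statfile" "$@"
}

# Positive case: hxtool has to exit 0, otherwise the whole test fails.
must_pass() {
    run_hxtool "$@" > /dev/null || exit 1
}

# Negative case: hxtool has to exit non-zero, otherwise the whole test fails.
#
# Caveat for anyone relying on these results: any non-zero status is accepted
# as "rejected".  A fixture that is missing or unreadable, or an hxtool that
# dies early, satisfies a negative case just as well as a real validation
# failure does.  In this file revoke.crt, ocsp-resp1.der,
# proxy-level-test.crt and no-proxy-test.crt appear only in negative cases,
# so nothing here would notice if one of them were absent.
# TODO: confirm these fixtures exist in the data directory.
must_fail() {
    if run_hxtool "$@" > /dev/null; then
        exit 1
    fi
}

# Skip when the build has only the null RSA implementation or no random
# source.
if run_hxtool info | grep 'rsa: hcrypto null RSA' > /dev/null ; then
    exit 77
fi
if run_hxtool info | grep 'rand: not available' > /dev/null ; then
    exit 77
fi

# --- Plain chains ---------------------------------------------------------
# NOTE(review): --missing-revoke presumably lets validation succeed without
# any OCSP/CRL data; the revocation cases further down do not pass it.
# Confirm against the hxtool documentation.

echo "cert -> root"
must_pass verify --missing-revoke \
    "cert:FILE:${data}/test.crt" \
    "chain:FILE:${data}/test.crt" \
    "chain:FILE:${data}/ca.crt" \
    "anchor:FILE:${data}/ca.crt"

echo "cert -> root"
must_pass verify --missing-revoke \
    "cert:FILE:${data}/test.crt" \
    "chain:FILE:${data}/ca.crt" \
    "anchor:FILE:${data}/ca.crt"

echo "cert -> root"
must_pass verify --missing-revoke \
    "cert:FILE:${data}/test.crt" \
    "anchor:FILE:${data}/ca.crt"

# The intermediate (sub-ca) is not supplied, so no path to the anchor can be
# built and the certificate must be rejected.
echo "sub-cert -> root"
must_fail verify --missing-revoke \
    "cert:FILE:${data}/sub-cert.crt" \
    "chain:FILE:${data}/ca.crt" \
    "anchor:FILE:${data}/ca.crt"

echo "sub-cert -> sub-ca -> root"
must_pass verify --missing-revoke \
    "cert:FILE:${data}/sub-cert.crt" \
    "chain:FILE:${data}/sub-ca.crt" \
    "chain:FILE:${data}/ca.crt" \
    "anchor:FILE:${data}/ca.crt"

# Here the intermediate itself is the trust anchor.
echo "sub-cert -> sub-ca"
must_pass verify --missing-revoke \
    "cert:FILE:${data}/sub-cert.crt" \
    "anchor:FILE:${data}/sub-ca.crt"

echo "sub-cert -> sub-ca -> root"
must_pass verify --missing-revoke \
    "cert:FILE:${data}/sub-cert.crt" \
    "chain:FILE:${data}/sub-ca.crt" \
    "chain:FILE:${data}/ca.crt" \
    "anchor:FILE:${data}/ca.crt"

# Same certificates with the chain entries in the opposite order.
echo "sub-cert -> sub-ca -> root"
must_pass verify --missing-revoke \
    "cert:FILE:${data}/sub-cert.crt" \
    "chain:FILE:${data}/ca.crt" \
    "chain:FILE:${data}/sub-ca.crt" \
    "anchor:FILE:${data}/ca.crt"

echo "sub-cert -> sub-ca -> root"
must_pass verify --missing-revoke \
    "cert:FILE:${data}/sub-cert.crt" \
    "chain:FILE:${data}/sub-ca.crt" \
    "anchor:FILE:${data}/ca.crt"

# --- Path-length limit ----------------------------------------------------

# NOTE(review): the label says "(ok)" but this case requires hxtool to FAIL,
# exactly like the depth-1 case below.  Either the label or the expectation
# is wrong; the expectation is kept as found.  Confirm how --max-depth
# counts the certificates in the path.
echo "max depth 2 (ok)"
must_fail verify --missing-revoke \
    --max-depth=2 \
    "cert:FILE:${data}/sub-cert.crt" \
    "chain:FILE:${data}/sub-ca.crt" \
    "anchor:FILE:${data}/ca.crt"

echo "max depth 1 (fail)"
must_fail verify --missing-revoke \
    --max-depth=1 \
    "cert:FILE:${data}/sub-cert.crt" \
    "chain:FILE:${data}/sub-ca.crt" \
    "anchor:FILE:${data}/ca.crt"

# --- OCSP -----------------------------------------------------------------
# No --missing-revoke from here on: the supplied OCSP response (or CRL) is
# what decides the outcome.

echo "ocsp non-ca responder"
must_pass verify \
    "cert:FILE:${data}/test.crt" \
    "anchor:FILE:${data}/ca.crt" \
    "ocsp:FILE:${data}/ocsp-resp1-ocsp.der"

echo "ocsp ca responder"
must_pass verify \
    "cert:FILE:${data}/test.crt" \
    "anchor:FILE:${data}/ca.crt" \
    "ocsp:FILE:${data}/ocsp-resp1-ca.der"

# The response does not carry the responder certificate and none is
# supplied, so the response cannot be authenticated and must not be
# accepted.
echo "ocsp no-ca responder, missing cert"
must_fail verify \
    "cert:FILE:${data}/test.crt" \
    "anchor:FILE:${data}/ca.crt" \
    "ocsp:FILE:${data}/ocsp-resp1-ocsp-no-cert.der"

# Same response, with the responder certificate supplied as a chain entry.
echo "ocsp no-ca responder, missing cert, in pool"
must_pass verify \
    "cert:FILE:${data}/test.crt" \
    "anchor:FILE:${data}/ca.crt" \
    "ocsp:FILE:${data}/ocsp-resp1-ocsp-no-cert.der" \
    "chain:FILE:${data}/ocsp-responder.crt"

echo "ocsp no-ca responder, keyHash"
must_pass verify \
    "cert:FILE:${data}/test.crt" \
    "anchor:FILE:${data}/ca.crt" \
    "ocsp:FILE:${data}/ocsp-resp1-keyhash.der"

echo "ocsp revoked cert"
must_fail verify \
    "cert:FILE:${data}/revoke.crt" \
    "anchor:FILE:${data}/ca.crt" \
    "ocsp:FILE:${data}/ocsp-resp2.der"

# Every listed response has to be printable by ocsp-print.
for a in resp1-ocsp-no-cert resp1-ca resp1-keyhash resp2 ; do
    echo "ocsp print reply $a"
    must_pass ocsp-print \
        "${data}/ocsp-${a}.der"
done

echo "ocsp verify exists"
must_pass ocsp-verify \
    "--ocsp-file=${data}/ocsp-resp1-ca.der" \
    "FILE:${data}/test.crt"

# NOTE(review): ocsp-resp1.der is referenced nowhere else in this file, so
# this case would also "pass" if that file did not exist.
echo "ocsp verify not exists"
must_fail ocsp-verify \
    "--ocsp-file=${data}/ocsp-resp1.der" \
    "FILE:${data}/ca.crt"

echo "ocsp verify revoked"
must_fail ocsp-verify \
    "--ocsp-file=${data}/ocsp-resp2.der" \
    "FILE:${data}/revoke.crt"

# --- CRL ------------------------------------------------------------------

echo "crl non-revoked cert"
must_pass verify \
    "cert:FILE:${data}/test.crt" \
    "anchor:FILE:${data}/ca.crt" \
    "crl:FILE:${data}/crl1.der"

echo "crl revoked cert"
must_fail verify \
    "cert:FILE:${data}/revoke.crt" \
    "anchor:FILE:${data}/ca.crt" \
    "crl:FILE:${data}/crl1.der"

# --- ECDSA ----------------------------------------------------------------
# Only run when the crypto backend has a real ECDSA implementation.  The
# secp160 fixtures are test data; 160-bit curves are too small for keys
# used outside a test suite.

if run_hxtool info | grep 'ecdsa: hcrypto null' > /dev/null ; then
    echo "not testing ECDSA since hcrypto doesnt support ECDSA"
else
    echo "eccert -> root"
    must_pass verify --missing-revoke \
        "cert:FILE:${data}/secp160r2TestServer.cert.pem" \
        "anchor:FILE:${data}/secp160r1TestCA.cert.pem"

    echo "eccert -> root"
    must_pass verify --missing-revoke \
        "cert:FILE:${data}/secp160r2TestClient.cert.pem" \
        "anchor:FILE:${data}/secp160r1TestCA.cert.pem"
fi

# --- Proxy certificates ---------------------------------------------------
# Proxy certificates are accepted only when --allow-proxy-certificate is
# given; the "(negative)" case checks that they are rejected without it.

echo "proxy cert"
must_pass verify --missing-revoke \
    --allow-proxy-certificate \
    "cert:FILE:${data}/proxy-test.crt" \
    "chain:FILE:${data}/test.crt" \
    "anchor:FILE:${data}/ca.crt"

echo "proxy cert (negative)"
must_fail verify --missing-revoke \
    "cert:FILE:${data}/proxy-test.crt" \
    "chain:FILE:${data}/test.crt" \
    "anchor:FILE:${data}/ca.crt"

echo "proxy cert (level fail)"
must_fail verify --missing-revoke \
    --allow-proxy-certificate \
    "cert:FILE:${data}/proxy-level-test.crt" \
    "chain:FILE:${data}/proxy-test.crt" \
    "chain:FILE:${data}/test.crt" \
    "anchor:FILE:${data}/ca.crt"

echo "not a proxy cert"
must_fail verify --missing-revoke \
    --allow-proxy-certificate \
    "cert:FILE:${data}/no-proxy-test.crt" \
    "chain:FILE:${data}/test.crt" \
    "anchor:FILE:${data}/ca.crt"

echo "proxy cert (max level 10)"
must_pass verify --missing-revoke \
    --allow-proxy-certificate \
    "cert:FILE:${data}/proxy10-test.crt" \
    "chain:FILE:${data}/test.crt" \
    "anchor:FILE:${data}/ca.crt"

echo "proxy cert (second level)"
must_pass verify --missing-revoke \
    --allow-proxy-certificate \
    "cert:FILE:${data}/proxy10-child-test.crt" \
    "chain:FILE:${data}/proxy10-test.crt" \
    "chain:FILE:${data}/test.crt" \
    "anchor:FILE:${data}/ca.crt"

echo "proxy cert (third level)"
must_pass verify --missing-revoke \
    --allow-proxy-certificate \
    "cert:FILE:${data}/proxy10-child-child-test.crt" \
    "chain:FILE:${data}/proxy10-child-test.crt" \
    "chain:FILE:${data}/proxy10-test.crt" \
    "chain:FILE:${data}/test.crt" \
    "anchor:FILE:${data}/ca.crt"

exit 0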