diff options
author | Daniel Kahn Gillmor <dkg@fifthhorseman.net> | 2021-08-11 15:59:21 -0400 |
---|---|---|
committer | Daniel Kahn Gillmor <dkg@fifthhorseman.net> | 2021-09-17 16:33:21 -0400 |
commit | 30f3e456621a42ad38c5f153702af611e4a02625 (patch) | |
tree | da6be7c6e974dc22a6038c91fc58c23f1bd9a0ec | |
parent | d9ee30970e6a213b5e2185492ead0d1259e41ace (diff) | |
download | gnutls-30f3e456621a42ad38c5f153702af611e4a02625.tar.gz |
tests: add test for generating x25519 and x448 certificates
These certs should work just fine for the purposes of cryptographic
e-mail (S/MIME).
These usage flags are also used in the end-entity certificates found
in https://datatracker.ietf.org/doc/draft-ietf-lamps-samples/
Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
-rw-r--r-- | tests/cert-tests/Makefile.am | 2 | ||||
-rwxr-xr-x | tests/cert-tests/x25519-and-x448.sh | 101 |
2 files changed, 102 insertions, 1 deletions
diff --git a/tests/cert-tests/Makefile.am b/tests/cert-tests/Makefile.am index 58041a9567..ef5f9029dd 100644 --- a/tests/cert-tests/Makefile.am +++ b/tests/cert-tests/Makefile.am @@ -112,7 +112,7 @@ dist_check_SCRIPTS = pathlen.sh aki.sh invalid-sig.sh email.sh \ pkcs12.sh certtool-crl-decoding.sh pkcs12-encode.sh pkcs12-corner-cases.sh inhibit-anypolicy.sh \ smime.sh cert-time.sh alt-chain.sh pkcs7-list-sign.sh pkcs7-eddsa.sh certtool-ecdsa.sh \ key-id.sh pkcs8.sh pkcs8-decode.sh ecdsa.sh illegal-rsa.sh pkcs8-invalid.sh key-invalid.sh \ - pkcs8-eddsa.sh certtool-subca.sh certtool-verify-profiles.sh x509-duplicate-ext.sh + pkcs8-eddsa.sh certtool-subca.sh certtool-verify-profiles.sh x509-duplicate-ext.sh x25519-and-x448.sh dist_check_SCRIPTS += key-id.sh ecdsa.sh pkcs8-invalid.sh key-invalid.sh pkcs8-decode.sh pkcs8.sh pkcs8-eddsa.sh \ certtool-utf8.sh crq.sh diff --git a/tests/cert-tests/x25519-and-x448.sh b/tests/cert-tests/x25519-and-x448.sh new file mode 100755 index 0000000000..23fbd5f1ca --- /dev/null +++ b/tests/cert-tests/x25519-and-x448.sh @@ -0,0 +1,101 @@ +#!/bin/sh + +# Copyright (C) 2021 Free Software Foundation, Inc. +# +# Author: Daniel Kahn Gillmor +# +# This file is part of GnuTLS. +# +# GnuTLS is free software; you can redistribute it and/or modify it +# under the terms of the GNU General Public License as published by the +# Free Software Foundation; either version 3 of the License, or (at +# your option) any later version. +# +# GnuTLS is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +# General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with GnuTLS; if not, write to the Free Software Foundation, +# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. + +#set -e + +: ${srcdir=.} +: ${CERTTOOL=../../src/certtool${EXEEXT}} +TMPFILE=crfg-kx.$$.tmp +TMPCA=eddsa-ca.$$.tmp +TMPCAKEY=eddsa-ca-key.$$.tmp +TMPSUBCA=eddsa-subca.$$.tmp +TMPSUBCAKEY=eddsa-subca-key.$$.tmp +TMPKEY=kx-key.$$.tmp +TMPTEMPL=template.$$.tmp +TMPUSER=user.$$.tmp +VERIFYOUT=verify.$$.tmp + +if ! test -x "${CERTTOOL}"; then + exit 77 +fi + +for curve in 25519 448; do + echo ca > $TMPTEMPL + echo "cn = Ed$curve CA" >> $TMPTEMPL + + "${CERTTOOL}" --generate-privkey --key-type=ed$curve > $TMPCAKEY 2>/dev/null + + "${CERTTOOL}" -d 2 --generate-self-signed --template $TMPTEMPL \ + --load-privkey $TMPCAKEY \ + --outfile $TMPCA >$TMPFILE 2>&1 + + if [ $? != 0 ]; then + cat $TMPFILE + exit 1 + fi + + echo ca > $TMPTEMPL + echo "cn = Ed$curve Mid CA" >> $TMPTEMPL + + "${CERTTOOL}" --generate-privkey --key-type=ed$curve > $TMPSUBCAKEY 2>/dev/null + + "${CERTTOOL}" -d 2 --generate-certificate --template $TMPTEMPL \ + --load-ca-privkey $TMPCAKEY \ + --load-ca-certificate $TMPCA \ + --load-privkey $TMPSUBCAKEY \ + --outfile $TMPSUBCA >$TMPFILE 2>&1 + + if [ $? != 0 ]; then + cat $TMPFILE + exit 1 + fi + + echo "cn = End-user" > $TMPTEMPL + echo email_protection_key >> $TMPTEMPL + echo encryption_key >> $TMPTEMPL + + "${CERTTOOL}" --generate-privkey --key-type=x$curve > $TMPKEY 2>/dev/null + + "${CERTTOOL}" -d 2 --generate-certificate --template $TMPTEMPL \ + --load-ca-privkey $TMPSUBCAKEY \ + --load-ca-certificate $TMPSUBCA \ + --load-privkey $TMPKEY \ + --outfile $TMPUSER >$TMPFILE 2>&1 + + if [ $? != 0 ]; then + cat $TMPFILE + exit 1 + fi + + cat $TMPUSER $TMPSUBCA $TMPCA > $TMPFILE + "${CERTTOOL}" --verify-chain <$TMPFILE > $VERIFYOUT + + if [ $? != 0 ]; then + cat $VERIFYOUT + exit 1 + fi + + rm -f $VERIFYOUT $TMPUSER $TMPCA $TMPSUBCA $TMPTEMPL $TMPFILE + rm -f $TMPSUBCAKEY $TMPCAKEY $TMPKEY +done + +exit 0 |