tests: add test for generating x25519 and x448 certificates

These certs should work just fine for the purposes of cryptographic
e-mail (S/MIME).

These usage flags are also used in the end-entity certificates found
in https://datatracker.ietf.org/doc/draft-ietf-lamps-samples/

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>

2 files changed, 102 insertions, 1 deletions

diff --git a/tests/cert-tests/Makefile.am b/tests/cert-tests/Makefile.am
index 58041a9567..ef5f9029dd 100644
--- a/tests/cert-tests/Makefile.am
+++ b/tests/cert-tests/Makefile.am
@@ -112,7 +112,7 @@ dist_check_SCRIPTS = pathlen.sh aki.sh invalid-sig.sh email.sh \
 	pkcs12.sh certtool-crl-decoding.sh pkcs12-encode.sh pkcs12-corner-cases.sh inhibit-anypolicy.sh \
 	smime.sh cert-time.sh alt-chain.sh pkcs7-list-sign.sh pkcs7-eddsa.sh certtool-ecdsa.sh \
 	key-id.sh pkcs8.sh pkcs8-decode.sh ecdsa.sh illegal-rsa.sh pkcs8-invalid.sh key-invalid.sh \
-	pkcs8-eddsa.sh certtool-subca.sh certtool-verify-profiles.sh x509-duplicate-ext.sh
+	pkcs8-eddsa.sh certtool-subca.sh certtool-verify-profiles.sh x509-duplicate-ext.sh x25519-and-x448.sh
 
 dist_check_SCRIPTS += key-id.sh ecdsa.sh pkcs8-invalid.sh key-invalid.sh pkcs8-decode.sh pkcs8.sh pkcs8-eddsa.sh \
 	certtool-utf8.sh crq.sh
diff --git a/tests/cert-tests/x25519-and-x448.sh b/tests/cert-tests/x25519-and-x448.sh
new file mode 100755
index 0000000000..23fbd5f1ca
--- /dev/null
+++ b/tests/cert-tests/x25519-and-x448.sh
@@ -0,0 +1,101 @@
+#!/bin/sh
+
+# Copyright (C) 2021 Free Software Foundation, Inc.
+#
+# Author: Daniel Kahn Gillmor
+#
+# This file is part of GnuTLS.
+#
+# GnuTLS is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 3 of the License, or (at
+# your option) any later version.
+#
+# GnuTLS is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+# General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with GnuTLS; if not, write to the Free Software Foundation,
+# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+
+#set -e
+
+: ${srcdir=.}
+: ${CERTTOOL=../../src/certtool${EXEEXT}}
+TMPFILE=crfg-kx.$$.tmp
+TMPCA=eddsa-ca.$$.tmp
+TMPCAKEY=eddsa-ca-key.$$.tmp
+TMPSUBCA=eddsa-subca.$$.tmp
+TMPSUBCAKEY=eddsa-subca-key.$$.tmp
+TMPKEY=kx-key.$$.tmp
+TMPTEMPL=template.$$.tmp
+TMPUSER=user.$$.tmp
+VERIFYOUT=verify.$$.tmp
+
+if ! test -x "${CERTTOOL}"; then
+	exit 77
+fi
+
+for curve in 25519 448; do
+    echo ca > $TMPTEMPL
+    echo "cn = Ed$curve CA" >> $TMPTEMPL
+
+    "${CERTTOOL}" --generate-privkey --key-type=ed$curve > $TMPCAKEY 2>/dev/null
+
+    "${CERTTOOL}" -d 2 --generate-self-signed --template $TMPTEMPL \
+	          --load-privkey $TMPCAKEY \
+	          --outfile $TMPCA >$TMPFILE 2>&1
+
+    if [ $? != 0 ]; then
+	cat $TMPFILE
+	exit 1
+    fi
+
+    echo ca > $TMPTEMPL
+    echo "cn = Ed$curve Mid CA" >> $TMPTEMPL
+
+    "${CERTTOOL}" --generate-privkey --key-type=ed$curve > $TMPSUBCAKEY 2>/dev/null
+
+    "${CERTTOOL}" -d 2 --generate-certificate --template $TMPTEMPL \
+	          --load-ca-privkey $TMPCAKEY \
+	          --load-ca-certificate $TMPCA \
+	          --load-privkey $TMPSUBCAKEY \
+	          --outfile $TMPSUBCA >$TMPFILE 2>&1
+
+    if [ $? != 0 ]; then
+	cat $TMPFILE
+	exit 1
+    fi
+
+    echo "cn = End-user" > $TMPTEMPL
+    echo email_protection_key >> $TMPTEMPL
+    echo encryption_key >> $TMPTEMPL
+
+    "${CERTTOOL}" --generate-privkey --key-type=x$curve > $TMPKEY 2>/dev/null
+
+    "${CERTTOOL}" -d 2 --generate-certificate --template $TMPTEMPL \
+	          --load-ca-privkey $TMPSUBCAKEY \
+	          --load-ca-certificate $TMPSUBCA \
+	          --load-privkey $TMPKEY \
+	          --outfile $TMPUSER >$TMPFILE 2>&1
+
+    if [ $? != 0 ]; then
+	cat $TMPFILE
+	exit 1
+    fi
+
+    cat $TMPUSER $TMPSUBCA $TMPCA > $TMPFILE
+    "${CERTTOOL}" --verify-chain <$TMPFILE > $VERIFYOUT
+
+    if [ $? != 0 ]; then
+	cat $VERIFYOUT
+	exit 1
+    fi
+
+    rm -f $VERIFYOUT $TMPUSER $TMPCA $TMPSUBCA $TMPTEMPL $TMPFILE
+    rm -f $TMPSUBCAKEY $TMPCAKEY $TMPKEY
+done
+
+exit 0