diff options
| -rw-r--r-- | test/recipes/80-test_cms.t | 46 | ||||
| -rw-r--r-- | test/smime-certs/ca.cnf | 9 | ||||
| -rw-r--r-- | test/smime-certs/csrsa1.pem | 50 | ||||
| -rw-r--r-- | test/smime-certs/mksmime-certs.sh | 9 |
4 files changed, 113 insertions, 1 deletions
diff --git a/test/recipes/80-test_cms.t b/test/recipes/80-test_cms.t index 11a6636863..e10e086005 100644 --- a/test/recipes/80-test_cms.t +++ b/test/recipes/80-test_cms.t @@ -50,7 +50,7 @@ my ($no_des, $no_dh, $no_dsa, $no_ec, $no_ec2m, $no_rc2, $no_zlib) $no_rc2 = 1 if disabled("legacy"); -plan tests => 14; +plan tests => 15; ok(run(test(["pkcs7_test"])), "test pkcs7"); @@ -889,6 +889,50 @@ subtest "CMS signed digest, S/MIME format" => sub { "Verify CMS signed digest, S/MIME format"); }; +subtest "CMS code signing test" => sub { + plan tests => 7; + my $sig_file = "signature.p7s"; + ok(run(app(["openssl", "cms", @prov, "-sign", "-in", $smcont, + "-certfile", catfile($smdir, "smroot.pem"), + "-signer", catfile($smdir, "smrsa1.pem"), + "-out", $sig_file])), + "accept perform CMS signature with smime certificate"); + + ok(run(app(["openssl", "cms", @prov, "-verify", "-in", $sig_file, + "-CAfile", catfile($smdir, "smroot.pem"), + "-content", $smcont])), + "accept verify CMS signature with smime certificate"); + + ok(!run(app(["openssl", "cms", @prov, "-verify", "-in", $sig_file, + "-CAfile", catfile($smdir, "smroot.pem"), + "-purpose", "codesign", + "-content", $smcont])), + "fail verify CMS signature with smime certificate for purpose code signing"); + + ok(!run(app(["openssl", "cms", @prov, "-verify", "-in", $sig_file, + "-CAfile", catfile($smdir, "smroot.pem"), + "-purpose", "football", + "-content", $smcont])), + "fail verify CMS signature with invalid purpose argument"); + + ok(run(app(["openssl", "cms", @prov, "-sign", "-in", $smcont, + "-certfile", catfile($smdir, "smroot.pem"), + "-signer", catfile($smdir, "csrsa1.pem"), + "-out", $sig_file])), + "accept perform CMS signature with code signing certificate"); + + ok(run(app(["openssl", "cms", @prov, "-verify", "-in", $sig_file, + "-CAfile", catfile($smdir, "smroot.pem"), + "-purpose", "codesign", + "-content", $smcont])), + "accept verify CMS signature with code signing certificate for purpose code signing"); + + ok(!run(app(["openssl", "cms", @prov, "-verify", "-in", $sig_file, + "-CAfile", catfile($smdir, "smroot.pem"), + "-content", $smcont])), + "fail verify CMS signature with code signing certificate for purpose smime_sign"); +}; + sub check_availability { my $tnam = shift; diff --git a/test/smime-certs/ca.cnf b/test/smime-certs/ca.cnf index 31bddea1fa..7d453e8957 100644 --- a/test/smime-certs/ca.cnf +++ b/test/smime-certs/ca.cnf @@ -54,6 +54,15 @@ keyUsage=critical, keyAgreement subjectKeyIdentifier=hash authorityKeyIdentifier=keyid +[ codesign_cert ] + +# These extensions are added when 'ca' signs a request for a code-signing +# end-entity certificate + +basicConstraints=CA:FALSE +keyUsage=critical, digitalSignature +extendedKeyUsage=codeSigning + [ v3_ca ] diff --git a/test/smime-certs/csrsa1.pem b/test/smime-certs/csrsa1.pem new file mode 100644 index 0000000000..d3276d9ec7 --- /dev/null +++ b/test/smime-certs/csrsa1.pem @@ -0,0 +1,50 @@ +-----BEGIN PRIVATE KEY----- +MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQCo/4lYYYWu3tss +D9Vz++K3qBt6dWAr1H08c3a1rt6TL38kkG3JHPSKOM2fooAWVsu0LLuT5Rcf/w3G +Q/4xNPgo2HXpo7uIgu+jcuJTYgVFTeAxl++qnRDSWA2eBp4yuxsIVl1lDz9mjsI2 +oBH/wFk1/Ukc3RxCMwZ4rgQ4I+XndWfTlK1aqUAfrFkQ9QzBZK1KxMY1U7OWaoIb +FYvRmavknm+UqtKW5Vf7jJFkijwkFsbSGb6CYBM7YrDtPh2zyvlr3zG5ep5LR2in +Kcc/SuIiJ7TvkGPX79ByST5brbkb1Ctvhmjd1XMSuEPJ3EEPoqNGT4tniIQPYf55 +NB9KiR+3AgMBAAECggEAFvp/40uHUMquhGQ2wsl5/zzVV6ZECFGhIaoVdwiq7Npl +cERPGSxdt7mXg+AliGQO2JXIf4iDx273oYC3PFuWbn9YMQd5RUuAZ/oD+hB25QB8 +vmGJTeqDUgZ0+4qs0fsM5upPUqFrHnfEwoarS9oMh0HEQi9yWzHy7E/E9Rk0dm8Q +qAwfKKqqwBe0RIp6GOwRJ2AO4NLvPh1oddVX15zvVeDP5pmHScZKtGXf9sIKfJJo +JN7N5UaviOKEGpQtxKVNOjn1wYusvzrvz3U3TmvyXTGkPCdSxK/6bz0LN+Lwyfzw +RpSoNUe/cREZJkXDIIaqvmzlQVk1aKDdAx4+8ltyWQKBgQDahgSMZAAeGuQwtI+S +jor9dNWcxEr5Uf/iw5gWmp5E59CSyc35Zj5rdf4M12X7jPRqAbFcM6FgERtbKyYd +lg+PGgcKMYXKXJWimA6xU06+wwRl1iI/j718FCLeov6Lt17VHr8sjO3GiZ/WtHz1 +H6mqV8i9vcClmA6IyS+EQvtkBQKBgQDF+y0JwcbEzS3YqTHy4DGQtcCOkcLi+WM5 +APch7pev4I9MTgZdRnC6ZjnYKXQU9nzALZrH1PoHnFRZbsXbCFsmTdh/6g1L0b7B +/zfZhB+9LiB7NBpfHiUydj1JQfkw/EvnLbs7r5EYGbpkMhpzmmzE9Yv0d+xj1CPd +6kz/6CRdiwKBgBE1ZpxLr7qvMXModPn8obNuBPhweNsDexw3fP2itX4Fp2Y34DGY +vKenxhbqy4wwwHqsoXP6WOYA0t+uGTVRQO5rBUznM3sJKXuBb/7E6bmaD/mZEF9j +CXABAfH4cgU8roon/rQacQsmgWDeG80N7kWM3jEbBVXFELfy5/wJblSlAoGAUZax +eNPiljf4LNGNRAogYwKD2D05k1AzE8rSDanF2TUx2MBO3yGoUyjNrcdnjzwFLS2e +G7wpTfmeyTxdTWakKaTrE8vgrt5BPrFu0rUgX1YjDKLsO0axDZqspwQJLabLoPm3 +r2Eq6kOwDJqZTArXyFNo2daSFJHYNhvYn52LXwECgYB9CRrPMe0sWdbVPm55bXGM +Ern05LQuaLaDZjsbsaH9Q5YPk99Sq7jklyQ3ZuHodSLAArHGu/96uu66xtMrRYcj +c89fqFeqc/BwnkodvWJ3K80UNulnjfOcPVAPHaAr9GE9rJcjICNpu2+wJ2wi4JAF +rLxFTZXBDbnGZ9QtcGcJSw== +-----END PRIVATE KEY----- +-----BEGIN CERTIFICATE----- +MIIDjTCCAnWgAwIBAgIUGi+UX00em2j4v8bJ1scHsD41/ccwDQYJKoZIhvcNAQEL +BQAwRDELMAkGA1UEBhMCVUsxFjAUBgNVBAoMDU9wZW5TU0wgR3JvdXAxHTAbBgNV +BAMMFFRlc3QgUy9NSU1FIFJTQSBSb290MCAXDTIyMDgxNjExNTgwMFoYDzIxMjIw +ODE2MTE1ODAwWjBHMQswCQYDVQQGEwJVSzEWMBQGA1UECgwNT3BlblNTTCBHcm91 +cDEgMB4GA1UEAwwXVGVzdCBDb2RlU2lnbiBFRSBSU0EgIzEwggEiMA0GCSqGSIb3 +DQEBAQUAA4IBDwAwggEKAoIBAQCo/4lYYYWu3tssD9Vz++K3qBt6dWAr1H08c3a1 +rt6TL38kkG3JHPSKOM2fooAWVsu0LLuT5Rcf/w3GQ/4xNPgo2HXpo7uIgu+jcuJT +YgVFTeAxl++qnRDSWA2eBp4yuxsIVl1lDz9mjsI2oBH/wFk1/Ukc3RxCMwZ4rgQ4 +I+XndWfTlK1aqUAfrFkQ9QzBZK1KxMY1U7OWaoIbFYvRmavknm+UqtKW5Vf7jJFk +ijwkFsbSGb6CYBM7YrDtPh2zyvlr3zG5ep5LR2inKcc/SuIiJ7TvkGPX79ByST5b +rbkb1Ctvhmjd1XMSuEPJ3EEPoqNGT4tniIQPYf55NB9KiR+3AgMBAAGjcjBwMAkG +A1UdEwQCMAAwDgYDVR0PAQH/BAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUFBwMDMB0G +A1UdDgQWBBTnm+IqrYpsOst2UeWOB5gil+FzojAfBgNVHSMEGDAWgBQVwRMha+JV +X6dqHVcg1s/zqXNkWTANBgkqhkiG9w0BAQsFAAOCAQEAMpLHe2q3OYJ8kKYAvjS5 +VDiESqPPVyYMSKb6B7bsex/BgFArxmk+8hOpuyuqSoejiyVAO9re/JrmQetM1tNo +7kd9R3WDL1D34hG7kgDTAaqbcBPDUc7gin8bTkZ3TJ6b7cUJrwh9XCwWXTcOlJ1O +5wXeF9mATyHZGwChOrroiEzDkRoOdePj0sKNZZRopjOVZ50d/X8JMCmW/x8lvOui +R+uDTotH9+sb3tghJ0cmpVKkFC0pXS/0DB5qVHrohJdkwLRu8AX3CWbcQgHWg7BR +ZbQ6TamQB8AlXdYj8Fs7m7DMkkmBxjrQUu3s7FRTALxp/lqMcoaZy+bdBzd59GaO +FQ== +-----END CERTIFICATE----- diff --git a/test/smime-certs/mksmime-certs.sh b/test/smime-certs/mksmime-certs.sh index 109b9c4abc..498190bcca 100644 --- a/test/smime-certs/mksmime-certs.sh +++ b/test/smime-certs/mksmime-certs.sh @@ -81,5 +81,14 @@ CN="Test S/MIME EE DH #1" $OPENSSL req -config ca.cnf -noenc \ $OPENSSL x509 -req -in req.pem -CA smroot.pem -days 36500 \ -force_pubkey dhpub.pem \ -extfile ca.cnf -extensions usr_cert -CAcreateserial >>smdh.pem + +# EE RSA code signing certificates: create request first +CN="Test CodeSign EE RSA #1" $OPENSSL req -config ca.cnf -noenc \ + -new -out req.pem -key ../certs/ee-key.pem +cat ../certs/ee-key.pem > csrsa1.pem +# Sign request: end entity extensions +$OPENSSL x509 -req -in req.pem -CA smroot.pem -days 36524 -extfile ca.cnf \ + -extensions codesign_cert >>csrsa1.pem + # Remove temp files. rm -f req.pem ecp.pem ecp2.pem dsap.pem dhp.pem dhpub.pem smtmp.pem smroot.srl |