Copy relevant `certtool --p7-foo` tests to check `cmstool --foo`.
Signed-off-by: Dmitry Baryshkov <dbaryshkov@gmail.com>
key-id.sh pkcs8.sh pkcs8-decode.sh ecdsa.sh illegal-rsa.sh pkcs8-invalid.sh key-invalid.sh \
pkcs8-eddsa.sh certtool-subca.sh certtool-verify-profiles.sh x509-duplicate-ext.sh x25519-and-x448.sh
+dist_check_SCRIPTS += cmstool.sh cms-cat.sh cms-broken-sigs.sh cms-constraints.sh cms-constraints2.sh cms-eddsa.sh cms-list-sign.sh
+
dist_check_SCRIPTS += key-id.sh ecdsa.sh pkcs8-invalid.sh key-invalid.sh pkcs8-decode.sh pkcs8.sh pkcs8-eddsa.sh \
certtool-utf8.sh crq.sh
--- /dev/null
+#!/bin/sh
+
+# Copyright (C) 2016 Red Hat, Inc.
+#
+# This file is part of GnuTLS.
+#
+# GnuTLS is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 3 of the License, or (at
+# your option) any later version.
+#
+# GnuTLS is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with GnuTLS; if not, write to the Free Software Foundation,
+# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+
+#set -e
+
+srcdir="${srcdir:-.}"
+CMSTOOL="${CMSTOOL:-../../src/cmstool${EXEEXT}}"
+DIFF="${DIFF:-diff -b -B}"
+
+if ! test -x "${CMSTOOL}"; then
+ exit 77
+fi
+
+if ! test -z "${VALGRIND}"; then
+ VALGRIND="${LIBTOOL:-libtool} --mode=execute ${VALGRIND} --error-exitcode=15"
+fi
+
+OUTFILE=out-cms.$$.tmp
+OUTFILE2=out2-cms.$$.tmp
+
+# Test signing with MD5
+FILE="signing"
+${VALGRIND} "${CMSTOOL}" --sign --hash md5 --load-privkey "${srcdir}/../../doc/credentials/x509/key-rsa.pem" --load-certificate "${srcdir}/../../doc/credentials/x509/cert-rsa.pem" --infile "${srcdir}/data/pkcs7-detached.txt" >"${OUTFILE}"
+rc=$?
+
+if test "${rc}" != "0"; then
+ echo "${FILE}: PKCS7 struct signing with MD5 failed"
+ exit ${rc}
+fi
+
+FILE="signing-verify"
+${VALGRIND} "${CMSTOOL}" --verify --load-certificate "${srcdir}/../../doc/credentials/x509/cert-rsa.pem" <"${OUTFILE}"
+rc=$?
+
+if test "${rc}" != "1"; then
+ echo "${FILE}: PKCS7 struct signing succeeded verification with MD5"
+ exit ${rc}
+fi
+
+FILE="signing-verify"
+${VALGRIND} "${CMSTOOL}" --verify --verify-allow-broken --load-certificate "${srcdir}/../../doc/credentials/x509/cert-rsa.pem" <"${OUTFILE}"
+rc=$?
+
+if test "${rc}" != "0"; then
+ echo "${FILE}: PKCS7 struct signing failed with MD5 and allow-broken"
+ exit ${rc}
+fi
+
+rm -f "${OUTFILE}"
+rm -f "${OUTFILE2}"
+
+exit 0
--- /dev/null
+#!/bin/sh
+
+# Copyright (C) 2015 Nikos Mavrogiannopoulos
+#
+# This file is part of GnuTLS.
+#
+# GnuTLS is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 3 of the License, or (at
+# your option) any later version.
+#
+# GnuTLS is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with GnuTLS; if not, write to the Free Software Foundation,
+# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+
+#set -e
+
+srcdir="${srcdir:-.}"
+CMSTOOL="${CMSTOOL:-../../src/cmstool${EXEEXT}}"
+DIFF="${DIFF:-diff -b -B}"
+
+if ! test -x "${CMSTOOL}"; then
+ exit 77
+fi
+
+if ! test -z "${VALGRIND}"; then
+ VALGRIND="${LIBTOOL:-libtool} --mode=execute ${VALGRIND} --error-exitcode=15"
+fi
+
+OUTFILE=out-cms.$$.tmp
+
+. ${srcdir}/../scripts/common.sh
+
+skip_if_no_datefudge
+datefudge -s "2016-10-1" \
+${VALGRIND} "${CMSTOOL}" --verify-allow-broken --verify --inder --infile "${srcdir}/data/pkcs7-cat.p7" --load-ca-certificate "${srcdir}/data/pkcs7-cat-ca.pem"
+rc=$?
+
+if test "${rc}" != "0"; then
+ echo "PKCS7 verification failed (1)"
+ exit 1
+fi
+
+rm -f "${OUTFILE}"
+
+exit 0
--- /dev/null
+#!/bin/sh
+
+# Copyright (C) 2016 Red Hat, Inc.
+#
+# This file is part of GnuTLS.
+#
+# GnuTLS is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 3 of the License, or (at
+# your option) any later version.
+#
+# GnuTLS is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with GnuTLS; if not, write to the Free Software Foundation,
+# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+
+#set -e
+
+srcdir="${srcdir:-.}"
+CMSTOOL="${CMSTOOL:-../../src/cmstool${EXEEXT}}"
+DIFF="${DIFF:-diff -b -B}"
+
+if ! test -x "${CMSTOOL}"; then
+ exit 77
+fi
+
+if ! test -z "${VALGRIND}"; then
+ VALGRIND="${LIBTOOL:-libtool} --mode=execute ${VALGRIND} --error-exitcode=15"
+fi
+
+OUTFILE=out-cms.$$.tmp
+
+. ${srcdir}/../scripts/common.sh
+
+skip_if_no_datefudge
+
+
+FILE="signing"
+echo "test: $FILE"
+${VALGRIND} "${CMSTOOL}" --sign --include-cert --load-privkey "${srcdir}/data/code-signing-cert.pem" --load-certificate "${srcdir}/data/code-signing-cert.pem" --infile "${srcdir}/data/pkcs7-detached.txt" >"${OUTFILE}"
+rc=$?
+
+if test "${rc}" != "0"; then
+ echo "${FILE}: PKCS7 struct signing failed"
+ exit ${rc}
+fi
+
+FILE="signing-verify-no-purpose"
+echo ""
+echo "test: $FILE"
+datefudge -s "2015-1-10" \
+${VALGRIND} "${CMSTOOL}" --verify --load-ca-certificate "${srcdir}/data/code-signing-ca.pem" <"${OUTFILE}"
+rc=$?
+
+if test "${rc}" != "0"; then
+ echo "${FILE}: PKCS7 struct signing failed verification (0)"
+ exit ${rc}
+fi
+
+FILE="signing-verify-valid-purpose"
+echo ""
+echo "test: $FILE"
+datefudge -s "2015-1-10" \
+${VALGRIND} "${CMSTOOL}" --verify-purpose 1.3.6.1.5.5.7.3.3 --verify --load-ca-certificate "${srcdir}/data/code-signing-ca.pem" <"${OUTFILE}"
+rc=$?
+
+if test "${rc}" != "0"; then
+ echo "${FILE}: PKCS7 struct signing failed verification (1)"
+ exit ${rc}
+fi
+
+FILE="signing-verify-invalid-purpose"
+echo ""
+echo "test: $FILE"
+datefudge -s "2015-1-10" \
+${VALGRIND} "${CMSTOOL}" --verify-purpose 1.3.6.1.5.5.7.3.1 --verify --load-ca-certificate "${srcdir}/data/code-signing-ca.pem" <"${OUTFILE}"
+rc=$?
+
+if test "${rc}" = "0"; then
+ echo "${FILE}: PKCS7 struct signing failed verification (2)"
+ exit 1
+fi
+
+FILE="signing-verify-invalid-date-1"
+echo ""
+echo "test: $FILE"
+datefudge -s "2011-1-10" \
+${VALGRIND} "${CMSTOOL}" --verify-purpose 1.3.6.1.5.5.7.3.3 --verify --load-ca-certificate "${srcdir}/data/code-signing-ca.pem" <"${OUTFILE}"
+rc=$?
+
+if test "${rc}" = "0"; then
+ echo "${FILE}: PKCS7 struct signing failed verification (3)"
+ exit 1
+fi
+
+FILE="signing-verify-invalid-date-2"
+echo ""
+echo "test: $FILE"
+datefudge -s "2018-1-10" \
+${VALGRIND} "${CMSTOOL}" --verify-purpose 1.3.6.1.5.5.7.3.3 --verify --load-ca-certificate "${srcdir}/data/code-signing-ca.pem" <"${OUTFILE}"
+rc=$?
+
+if test "${rc}" = "0"; then
+ echo "${FILE}: PKCS7 struct signing failed verification (4)"
+ exit 1
+fi
+
+rm -f "${OUTFILE}"
+
+exit 0
--- /dev/null
+#!/bin/sh
+
+# Copyright (C) 2016 Red Hat, Inc.
+#
+# This file is part of GnuTLS.
+#
+# GnuTLS is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 3 of the License, or (at
+# your option) any later version.
+#
+# GnuTLS is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with GnuTLS; if not, write to the Free Software Foundation,
+# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+
+#set -e
+
+srcdir="${srcdir:-.}"
+CMSTOOL="${CMSTOOL:-../../src/cmstool${EXEEXT}}"
+DIFF="${DIFF:-diff -b -B}"
+
+if ! test -x "${CMSTOOL}"; then
+ exit 77
+fi
+
+if ! test -z "${VALGRIND}"; then
+ VALGRIND="${LIBTOOL:-libtool} --mode=execute ${VALGRIND} --error-exitcode=15"
+fi
+
+OUTFILE=out-cms.$$.tmp
+
+. ${srcdir}/../scripts/common.sh
+
+skip_if_no_datefudge
+
+
+FILE="signing"
+echo "test: $FILE"
+${VALGRIND} "${CMSTOOL}" --sign --include-cert --load-privkey "${srcdir}/data/code-signing-cert.pem" --load-certificate "${srcdir}/data/code-signing-cert.pem" --infile "${srcdir}/data/pkcs7-detached.txt" >"${OUTFILE}"
+rc=$?
+
+if test "${rc}" != "0"; then
+ echo "${FILE}: PKCS7 struct signing failed"
+ exit ${rc}
+fi
+
+FILE="signing-verify-no-purpose"
+echo ""
+echo "test: $FILE"
+datefudge -s "2015-1-10" \
+${VALGRIND} "${CMSTOOL}" --verify --load-certificate "${srcdir}/data/code-signing-cert.pem" <"${OUTFILE}"
+rc=$?
+
+if test "${rc}" != "0"; then
+ echo "${FILE}: PKCS7 struct signing failed verification (0)"
+ exit ${rc}
+fi
+
+FILE="signing-verify-valid-purpose"
+echo ""
+echo "test: $FILE"
+datefudge -s "2015-1-10" \
+${VALGRIND} "${CMSTOOL}" --verify-purpose 1.3.6.1.5.5.7.3.3 --verify --load-certificate "${srcdir}/data/code-signing-cert.pem" <"${OUTFILE}"
+rc=$?
+
+if test "${rc}" != "0"; then
+ echo "${FILE}: PKCS7 struct signing failed verification (1)"
+ exit ${rc}
+fi
+
+FILE="signing-verify-invalid-purpose"
+echo ""
+echo "test: $FILE"
+datefudge -s "2015-1-10" \
+${VALGRIND} "${CMSTOOL}" --verify-purpose 1.3.6.1.5.5.7.3.1 --verify --load-certificate "${srcdir}/data/code-signing-cert.pem" <"${OUTFILE}"
+rc=$?
+
+if test "${rc}" = "0"; then
+ echo "${FILE}: PKCS7 struct signing failed verification (2)"
+ exit 1
+fi
+
+FILE="signing-verify-invalid-date-1"
+echo ""
+echo "test: $FILE"
+datefudge -s "2011-1-10" \
+${VALGRIND} "${CMSTOOL}" --verify-purpose 1.3.6.1.5.5.7.3.3 --verify --load-certificate "${srcdir}/data/code-signing-cert.pem" <"${OUTFILE}"
+rc=$?
+
+if test "${rc}" = "0"; then
+ echo "${FILE}: PKCS7 struct signing failed verification (3)"
+ exit 1
+fi
+
+FILE="signing-verify-invalid-date-2"
+echo ""
+echo "test: $FILE"
+datefudge -s "2018-1-10" \
+${VALGRIND} "${CMSTOOL}" --verify-purpose 1.3.6.1.5.5.7.3.3 --verify --load-certificate "${srcdir}/data/code-signing-cert.pem" <"${OUTFILE}"
+rc=$?
+
+if test "${rc}" = "0"; then
+ echo "${FILE}: PKCS7 struct signing failed verification (4)"
+ exit 1
+fi
+
+rm -f "${OUTFILE}"
+
+exit 0
--- /dev/null
+#!/bin/sh
+
+# Copyright (C) 2017 Red Hat, Inc.
+#
+# This file is part of GnuTLS.
+#
+# GnuTLS is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 3 of the License, or (at
+# your option) any later version.
+#
+# GnuTLS is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with this program. If not, see <https://www.gnu.org/licenses/>
+
+#set -e
+
+srcdir="${srcdir:-.}"
+CMSTOOL="${CMSTOOL:-../../src/cmstool${EXEEXT}}"
+DIFF="${DIFF:-diff -b -B}"
+
+if ! test -x "${CMSTOOL}"; then
+ exit 77
+fi
+
+if ! test -z "${VALGRIND}"; then
+ VALGRIND="${LIBTOOL:-libtool} --mode=execute ${VALGRIND} --error-exitcode=15"
+fi
+
+OUTFILE=out-cms.$$.tmp
+OUTFILE2=out2-cms.$$.tmp
+
+. ${srcdir}/../scripts/common.sh
+
+skip_if_no_datefudge
+
+KEY="${srcdir}/../certs/ed25519.pem"
+CMS="${srcdir}/../certs/cert-ed25519.pem"
+
+# Test verification of saved file
+FILE="${srcdir}/data/pkcs7-eddsa-sig.p7s"
+${VALGRIND} "${CMSTOOL}" --inder --verify --load-certificate "${CMS}" --infile "${FILE}"
+rc=$?
+
+if test "${rc}" != "0"; then
+ echo "${FILE}: PKCS7 struct verification failed"
+ exit ${rc}
+fi
+
+# Test signing
+FILE="signing"
+${VALGRIND} "${CMSTOOL}" --sign --load-privkey "${KEY}" --load-certificate "${CMS}" --infile "${srcdir}/data/pkcs7-detached.txt" >"${OUTFILE}"
+rc=$?
+
+if test "${rc}" != "0"; then
+ echo "${FILE}: PKCS7 struct signing failed"
+ exit ${rc}
+fi
+
+FILE="signing-verify"
+${VALGRIND} "${CMSTOOL}" --verify --load-certificate "${CMS}" <"${OUTFILE}"
+rc=$?
+
+if test "${rc}" != "0"; then
+ echo "${FILE}: PKCS7 struct signing failed verification"
+ exit ${rc}
+fi
+
+#check extraction of embedded data in signature
+FILE="signing-verify-data"
+${VALGRIND} "${CMSTOOL}" --verify --show-data --load-certificate "${CMS}" --outfile "${OUTFILE2}" <"${OUTFILE}"
+rc=$?
+
+if test "${rc}" != "0"; then
+ echo "${FILE}: PKCS7 struct signing failed verification with data"
+ exit ${rc}
+fi
+
+cmp "${OUTFILE2}" "${srcdir}/data/pkcs7-detached.txt"
+rc=$?
+if test "${rc}" != "0"; then
+ echo "${FILE}: PKCS7 data detaching failed"
+ exit ${rc}
+fi
+
+FILE="signing-time"
+${VALGRIND} "${CMSTOOL}" --detached-sign --time --load-privkey "${KEY}" --load-certificate "${CMS}" --infile "${srcdir}/data/pkcs7-detached.txt" >"${OUTFILE}"
+rc=$?
+
+if test "${rc}" != "0"; then
+ echo "${FILE}: PKCS7 struct signing with time failed"
+ exit ${rc}
+fi
+
+${VALGRIND} "${CMSTOOL}" --info --infile "${OUTFILE}" >"${OUTFILE2}"
+grep 'contentType: 06092a864886f70d010701' ${OUTFILE2} >/dev/null 2>&1
+if test $? != 0;then
+ echo "Content-Type was not set in attributes"
+ exit 1
+fi
+
+${VALGRIND} "${CMSTOOL}" --info <"${OUTFILE}"|grep "Signing time:" "${OUTFILE}" >/dev/null 2>&1
+if test "${rc}" != "0"; then
+ echo "${FILE}: PKCS7 struct signing with time failed. No time was found."
+ exit ${rc}
+fi
+
+FILE="signing-time-verify"
+${VALGRIND} "${CMSTOOL}" --verify --load-certificate "${CMS}" --load-data "${srcdir}/data/pkcs7-detached.txt" <"${OUTFILE}"
+rc=$?
+
+if test "${rc}" != "0"; then
+ echo "${FILE}: PKCS7 struct signing with time failed verification"
+ exit ${rc}
+fi
+
+rm -f "${OUTFILE}"
+rm -f "${OUTFILE2}"
+
+exit 0
--- /dev/null
+#!/bin/sh
+
+# Copyright (C) 2017 Karl Tarbe
+#
+# This file is part of GnuTLS.
+#
+# GnuTLS is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 3 of the License, or (at
+# your option) any later version.
+#
+# GnuTLS is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with GnuTLS; if not, write to the Free Software Foundation,
+# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+
+#set -e
+
+srcdir="${srcdir:-.}"
+CMSTOOL="${CMSTOOL:-../../src/cmstool${EXEEXT}}"
+DIFF="${DIFF:-diff -b -B}"
+
+if ! test -x "${CMSTOOL}"; then
+ exit 77
+fi
+
+if ! test -z "${VALGRIND}"; then
+ VALGRIND="${LIBTOOL:-libtool} --mode=execute ${VALGRIND} --error-exitcode=15"
+fi
+
+OUTFILE=out-cms.$$.tmp
+OUTFILE2=out2-cms.$$.tmp
+
+. ${srcdir}/../scripts/common.sh
+
+skip_if_no_datefudge
+# Test signing
+FILE="signing-with-cert-list"
+${VALGRIND} "${CMSTOOL}" --sign --load-certificate "${srcdir}/data/pkcs7-chain.pem" --load-privkey "${srcdir}/data/pkcs7-chain-endcert-key.pem" --infile "${srcdir}/data/pkcs7-detached.txt" >"${OUTFILE}"
+rc=$?
+
+if test "${rc}" != "0"; then
+ echo "${FILE}: PKCS7 struct signing failed"
+ exit ${rc}
+fi
+
+#test chain verification
+FILE="signing-verify"
+${VALGRIND} "${CMSTOOL}" --verify --load-ca-certificate "${srcdir}/data/pkcs7-chain-root.pem" <"${OUTFILE}"
+rc=$?
+
+if test "${rc}" != "0"; then
+ echo "${FILE}: PKCS7 struct signing failed verification"
+ exit ${rc}
+fi
+
+#check extraction of embedded data in signature
+FILE="signing-cert-list-verify-data"
+${VALGRIND} "${CMSTOOL}" --verify --show-data --load-ca-certificate "${srcdir}/data/pkcs7-chain-root.pem" --outfile "${OUTFILE2}" <"${OUTFILE}"
+rc=$?
+
+if test "${rc}" != "0"; then
+ echo "${FILE}: PKCS7 struct signing failed verification with data"
+ exit ${rc}
+fi
+
+cmp "${OUTFILE2}" "${srcdir}/data/pkcs7-detached.txt"
+rc=$?
+if test "${rc}" != "0"; then
+ echo "${FILE}: PKCS7 data detaching failed"
+ exit ${rc}
+fi
+
+rm -f "${OUTFILE}"
+rm -f "${OUTFILE2}"
+
+exit 0
--- /dev/null
+#!/bin/sh
+
+# Copyright (C) 2015 Nikos Mavrogiannopoulos
+#
+# This file is part of GnuTLS.
+#
+# GnuTLS is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 3 of the License, or (at
+# your option) any later version.
+#
+# GnuTLS is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with GnuTLS; if not, write to the Free Software Foundation,
+# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+
+#set -e
+
+srcdir="${srcdir:-.}"
+CMSTOOL="${CMSTOOL:-../../src/cmstool${EXEEXT}}"
+DIFF="${DIFF:-diff -b -B}"
+
+if ! test -x "${CMSTOOL}"; then
+ exit 77
+fi
+
+if ! test -z "${VALGRIND}"; then
+ VALGRIND="${LIBTOOL:-libtool} --mode=execute ${VALGRIND} --error-exitcode=15"
+fi
+
+OUTFILE=out-cms.$$.tmp
+OUTFILE2=out2-cms.$$.tmp
+TMPFILE=tmp-cms.$$.tmp
+
+. ${srcdir}/../scripts/common.sh
+
+skip_if_no_datefudge
+
+if test "${ENABLE_GOST}" = "1" && test "${GNUTLS_FORCE_FIPS_MODE}" != "1"
+then
+ GOST_P7B="rfc4490.p7b"
+else
+ GOST_P7B=""
+fi
+
+for FILE in single-ca.p7b full.p7b openssl.p7b openssl-keyid.p7b rfc4134-3.1.der rfc4134-3.2.der $GOST_P7B; do
+${VALGRIND} "${CMSTOOL}" --inder --info --infile "${srcdir}/data/${FILE}"|grep -v "Signing time" >"${OUTFILE}"
+rc=$?
+
+# We're done.
+if test "${rc}" != "0"; then
+ echo "${FILE}: PKCS7 decoding failed"
+ exit ${rc}
+fi
+
+${DIFF} "${OUTFILE}" "${srcdir}/data/${FILE}.out" >/dev/null
+if test "$?" != "0"; then
+ echo "${FILE}: PKCS7 decoding didn't produce the correct file"
+ exit 1
+fi
+done
+
+${VALGRIND} "${CMSTOOL}" --inder --info --infile "${srcdir}/data/full.p7b" --outfile "${TMPFILE}" --no-text
+rc=$?
+
+if test "${rc}" != "0"; then
+ echo "--no-text pkcs7 info failed 1"
+ exit ${rc}
+fi
+
+if grep -v '^-----BEGIN [A-Z0-9 ]\+-----$' ${TMPFILE} | grep -v '^[A-Za-z0-9/+=]\+$' | grep -v '^-----END [A-Z0-9 ]\+-----$' ; then
+ echo "--no-text pkcs7 info failed 2"
+ exit 1
+fi
+
+# check signatures
+
+for FILE in full.p7b openssl.p7b openssl-keyid.p7b; do
+# check validation with date prior to CA issuance
+datefudge -s "2011-1-10" \
+${VALGRIND} "${CMSTOOL}" --inder --verify --load-ca-certificate "${srcdir}/../../doc/credentials/x509/ca.pem" --infile "${srcdir}/data/${FILE}" >"${OUTFILE}"
+rc=$?
+
+if test "${rc}" = "0"; then
+ echo "${FILE}: PKCS7 verification succeeded with invalid date (1)"
+ exit 1
+fi
+
+# check validation with date prior to intermediate cert issuance
+datefudge -s "2011-5-28 08:38:00 UTC" \
+${VALGRIND} "${CMSTOOL}" --inder --verify --load-ca-certificate "${srcdir}/../../doc/credentials/x509/ca.pem" --infile "${srcdir}/data/${FILE}" >"${OUTFILE}"
+rc=$?
+
+if test "${rc}" = "0"; then
+ echo "${FILE}: PKCS7 verification succeeded with invalid date (2)"
+ exit 1
+fi
+
+# check validation with date after intermediate cert issuance
+datefudge -s "2038-10-13" \
+${VALGRIND} "${CMSTOOL}" --inder --verify --load-ca-certificate "${srcdir}/../../doc/credentials/x509/ca.pem" --infile "${srcdir}/data/${FILE}" >"${OUTFILE}"
+rc=$?
+
+if test "${rc}" = "0"; then
+ echo "${FILE}: PKCS7 verification succeeded with invalid date (3)"
+ exit 1
+fi
+
+${VALGRIND} "${CMSTOOL}" --inder --verify --load-ca-certificate "${srcdir}/../../doc/credentials/x509/ca.pem" --infile "${srcdir}/data/${FILE}" >"${OUTFILE}"
+rc=$?
+
+if test "${rc}" != "0"; then
+ echo "${FILE}: PKCS7 verification failed"
+ exit ${rc}
+fi
+done
+
+
+#check key purpose verification
+for FILE in full.p7b; do
+
+${VALGRIND} "${CMSTOOL}" --verify-purpose=1.3.6.1.5.5.7.3.1 --inder --verify --load-ca-certificate "${srcdir}/../../doc/credentials/x509/ca.pem" --infile "${srcdir}/data/${FILE}" >"${OUTFILE}"
+rc=$?
+
+if test "${rc}" != "0"; then
+ echo "${FILE}: PKCS7 verification failed with key purpose"
+ exit ${rc}
+fi
+
+${VALGRIND} "${CMSTOOL}" --verify-purpose=1.3.6.1.5.5.7.3.3 --inder --verify --load-ca-certificate "${srcdir}/../../doc/credentials/x509/ca.pem" --infile "${srcdir}/data/${FILE}" >"${OUTFILE}"
+rc=$?
+
+if test "${rc}" = "0"; then
+ echo "${FILE}: PKCS7 verification succeeded with wrong key purpose"
+ exit 2
+fi
+
+done
+
+# check signature with detached data
+
+FILE="detached.p7b"
+${VALGRIND} "${CMSTOOL}" --inder --verify --load-ca-certificate "${srcdir}/../../doc/credentials/x509/ca.pem" --infile "${srcdir}/data/${FILE}"
+rc=$?
+
+if test "${rc}" = "0"; then
+ echo "${FILE}: PKCS7 verification succeeded without providing detached data"
+ exit 2
+fi
+
+${VALGRIND} "${CMSTOOL}" --inder --verify --load-data "${srcdir}/data/pkcs7-detached.txt" --load-ca-certificate "${srcdir}/../../doc/credentials/x509/ca.pem" --infile "${srcdir}/data/${FILE}"
+rc=$?
+
+if test "${rc}" != "0"; then
+ echo "${FILE}: PKCS7 verification failed"
+ exit ${rc}
+fi
+
+# Test cert combination
+
+FILE="p7-combined"
+
+rm -f "${OUTFILE2}"
+for i in cert-ecc256.pem cert-ecc521.pem cert-ecc384.pem cert-ecc.pem cert-rsa-2432.pem;do
+ cat "${srcdir}/../certs"/$i >>"${OUTFILE2}"
+done
+${VALGRIND} "${CMSTOOL}" --generate --load-certificate "${OUTFILE2}" >"${OUTFILE}"
+rc=$?
+
+if test "${rc}" != "0"; then
+ echo "${FILE}: PKCS7 struct generation failed"
+ exit ${rc}
+fi
+
+${DIFF} "${OUTFILE}" "${srcdir}/data/p7-combined.out" >/dev/null
+if test "$?" != "0"; then
+ echo "${FILE}: PKCS7 generation didn't produce the correct file"
+ exit 1
+fi
+
+# Test signing
+FILE="signing"
+${VALGRIND} "${CMSTOOL}" --sign --load-privkey "${srcdir}/../../doc/credentials/x509/key-rsa.pem" --load-certificate "${srcdir}/../../doc/credentials/x509/cert-rsa.pem" --infile "${srcdir}/data/pkcs7-detached.txt" >"${OUTFILE}"
+rc=$?
+
+if test "${rc}" != "0"; then
+ echo "${FILE}: PKCS7 struct signing failed"
+ exit ${rc}
+fi
+
+FILE="signing-verify"
+${VALGRIND} "${CMSTOOL}" --verify --load-certificate "${srcdir}/../../doc/credentials/x509/cert-rsa.pem" <"${OUTFILE}"
+rc=$?
+
+if test "${rc}" != "0"; then
+ echo "${FILE}: PKCS7 struct signing failed verification"
+ exit ${rc}
+fi
+
+#check extraction of embedded data in signature
+FILE="signing-verify-data"
+${VALGRIND} "${CMSTOOL}" --verify --show-data --load-certificate "${srcdir}/../../doc/credentials/x509/cert-rsa.pem" --outfile "${OUTFILE2}" <"${OUTFILE}"
+rc=$?
+
+if test "${rc}" != "0"; then
+ echo "${FILE}: PKCS7 struct signing failed verification with data"
+ exit ${rc}
+fi
+
+cmp "${OUTFILE2}" "${srcdir}/data/pkcs7-detached.txt"
+rc=$?
+if test "${rc}" != "0"; then
+ echo "${FILE}: PKCS7 data detaching failed"
+ exit ${rc}
+fi
+
+FILE="signing-detached"
+${VALGRIND} "${CMSTOOL}" --detached-sign --load-privkey "${srcdir}/../../doc/credentials/x509/key-rsa.pem" --load-certificate "${srcdir}/../../doc/credentials/x509/cert-rsa.pem" --infile "${srcdir}/data/pkcs7-detached.txt" >"${OUTFILE}"
+rc=$?
+
+if test "${rc}" != "0"; then
+ echo "${FILE}: PKCS7 struct signing-detached failed"
+ exit ${rc}
+fi
+
+FILE="signing-detached-verify"
+${VALGRIND} "${CMSTOOL}" --verify --load-certificate "${srcdir}/../../doc/credentials/x509/cert-rsa.pem" --load-data "${srcdir}/data/pkcs7-detached.txt" <"${OUTFILE}"
+rc=$?
+
+if test "${rc}" != "0"; then
+ echo "${FILE}: PKCS7 struct signing-detached failed verification"
+ exit ${rc}
+fi
+
+# Test signing with broken algorithms
+FILE="signing-broken"
+${VALGRIND} "${CMSTOOL}" --hash md5 --sign --load-privkey "${srcdir}/../../doc/credentials/x509/key-rsa.pem" --load-certificate "${srcdir}/../../doc/credentials/x509/cert-rsa.pem" --infile "${srcdir}/data/pkcs7-detached.txt" >"${OUTFILE}"
+rc=$?
+
+if test "${rc}" != "0"; then
+ echo "${FILE}: PKCS7 struct signing-broken failed"
+ exit ${rc}
+fi
+
+FILE="signing-verify-broken"
+${VALGRIND} "${CMSTOOL}" --verify --load-certificate "${srcdir}/../../doc/credentials/x509/cert-rsa.pem" <"${OUTFILE}"
+rc=$?
+
+if test "${rc}" = "0"; then
+ echo "${FILE}: PKCS7 struct verification succeeded with broken algo"
+ exit 1
+fi
+
+FILE="signing-time"
+${VALGRIND} "${CMSTOOL}" --detached-sign --time --load-privkey "${srcdir}/../../doc/credentials/x509/key-rsa.pem" --load-certificate "${srcdir}/../../doc/credentials/x509/cert-rsa.pem" --infile "${srcdir}/data/pkcs7-detached.txt" >"${OUTFILE}"
+rc=$?
+
+if test "${rc}" != "0"; then
+ echo "${FILE}: PKCS7 struct signing with time failed"
+ exit ${rc}
+fi
+
+${VALGRIND} "${CMSTOOL}" --info --infile "${OUTFILE}" >"${OUTFILE2}"
+grep 'contentType: 06092a864886f70d010701' ${OUTFILE2} >/dev/null 2>&1
+if test $? != 0;then
+ echo "Content-Type was not set in attributes"
+ exit 1
+fi
+
+${VALGRIND} "${CMSTOOL}" --info <"${OUTFILE}"|grep "Signing time:" "${OUTFILE}" >/dev/null 2>&1
+if test "${rc}" != "0"; then
+ echo "${FILE}: PKCS7 struct signing with time failed. No time was found."
+ exit ${rc}
+fi
+
+FILE="signing-time-verify"
+${VALGRIND} "${CMSTOOL}" --verify --load-certificate "${srcdir}/../../doc/credentials/x509/cert-rsa.pem" --load-data "${srcdir}/data/pkcs7-detached.txt" <"${OUTFILE}"
+rc=$?
+
+if test "${rc}" != "0"; then
+ echo "${FILE}: PKCS7 struct signing with time failed verification"
+ exit ${rc}
+fi
+
+FILE="rsa-pss-signing"
+${VALGRIND} "${CMSTOOL}" --sign --load-privkey "${srcdir}/../../doc/credentials/x509/key-rsa-pss.pem" --load-certificate "${srcdir}/../../doc/credentials/x509/cert-rsa-pss.pem" --infile "${srcdir}/data/pkcs7-detached.txt" >"${OUTFILE}"
+rc=$?
+
+if test "${rc}" != "0"; then
+ echo "${FILE}: PKCS7 struct signing failed"
+ exit ${rc}
+fi
+
+FILE="rsa-pss-signing-verify"
+${VALGRIND} "${CMSTOOL}" --verify --load-certificate "${srcdir}/../../doc/credentials/x509/cert-rsa-pss.pem" <"${OUTFILE}"
+rc=$?
+
+if test "${rc}" != "0"; then
+ echo "${FILE}: PKCS7 struct signing failed verification"
+ exit ${rc}
+fi
+
+# Test BER encoding, see RFC 4134 Section 4.5
+# SHA1 signature, so --verify-allow-broken
+FILE="rfc4134-4.5"
+${VALGRIND} "${CMSTOOL}" --verify --verify-allow-broken --load-ca-certificate "${srcdir}/data/rfc4134-ca-rsa.pem" --infile "${srcdir}/data/rfc4134-4.5.p7b" --inder
+rc=$?
+
+if test "${rc}" != "0"; then
+ echo "${FILE}: PKCS7 BER parsing/decoding failed"
+ exit ${rc}
+fi
+
+if test "x$ENABLE_GOST" = "x1" && test "x${GNUTLS_FORCE_FIPS_MODE}" != "x1"
+then
+ FILE="gost01-signing"
+ ${VALGRIND} "${CMSTOOL}" --sign --load-privkey "${srcdir}/../../doc/credentials/x509/key-gost01.pem" --load-certificate "${srcdir}/../../doc/credentials/x509/cert-gost01.pem" --infile "${srcdir}/data/pkcs7-detached.txt" >"${OUTFILE}"
+ rc=$?
+
+ if test "${rc}" != "0"; then
+ echo "${FILE}: PKCS7 struct signing failed"
+ exit ${rc}
+ fi
+
+ FILE="gost01-signing-verify"
+ ${VALGRIND} "${CMSTOOL}" --verify --verify-allow-broken --load-certificate "${srcdir}/../../doc/credentials/x509/cert-gost01.pem" <"${OUTFILE}"
+ rc=$?
+
+ if test "${rc}" != "0"; then
+ echo "${FILE}: PKCS7 struct signing failed verification"
+ exit ${rc}
+ fi
+fi
+
+rm -f "${OUTFILE}"
+rm -f "${OUTFILE2}"
+rm -f "${TMPFILE}"
+
+exit 0
projects / thirdparty / gnutls.git / commitdiff
