./mkcert.sh geneeextra server.example ee-key ee-cert-policies ca-key ca-cert "certificatePolicies=1.3.6.1.4.1.16604.998855.1"
# We can create a cert with a duplicate policy oid - but its actually invalid!
./mkcert.sh geneeextra server.example ee-key ee-cert-policies-bad ca-key ca-cert "certificatePolicies=1.3.6.1.4.1.16604.998855.1,1.3.6.1.4.1.16604.998855.1"
+
+# EC cert signed by curve ca with SHA3-224, SHA3-256, SHA3-384, SHA3-512
+OPENSSL_SIGALG="sha3-224" ./mkcert.sh genee server.example ee-key-ec-named-named ee-cert-ec-sha3-224 ca-key-ec-named ca-cert-ec-named
+OPENSSL_SIGALG="sha3-256" ./mkcert.sh genee server.example ee-key-ec-named-named ee-cert-ec-sha3-256 ca-key-ec-named ca-cert-ec-named
+OPENSSL_SIGALG="sha3-384" ./mkcert.sh genee server.example ee-key-ec-named-named ee-cert-ec-sha3-384 ca-key-ec-named ca-cert-ec-named
+OPENSSL_SIGALG="sha3-512" ./mkcert.sh genee server.example ee-key-ec-named-named ee-cert-ec-sha3-512 ca-key-ec-named ca-cert-ec-named
run(app([@args]));
}
-plan tests => 185;
+plan tests => 193;
# Canonical success
ok(verify("ee-cert", "sslserver", ["root-cert"], ["ca-cert"]),
# Explicit vs named curve tests
SKIP: {
- skip "EC is not supported by this OpenSSL build", 3
+ skip "EC is not supported by this OpenSSL build", 7
if disabled("ec");
ok(!verify("ee-cert-ec-explicit", "", ["root-cert"],
["ca-cert-ec-named"]),
ok(verify("ee-cert-ec-named-named", "", ["root-cert"],
["ca-cert-ec-named"]),
"accept named curve leaf with named curve intermediate");
+ ok(verify("ee-cert-ec-sha3-224", "", ["root-cert"], ["ca-cert-ec-named"], ),
+ "accept cert generated with EC and SHA3-224");
+ ok(verify("ee-cert-ec-sha3-256", "", ["root-cert"], ["ca-cert-ec-named"], ),
+ "accept cert generated with EC and SHA3-256");
+ ok(verify("ee-cert-ec-sha3-384", "", ["root-cert"], ["ca-cert-ec-named"], ),
+ "accept cert generated with EC and SHA3-384");
+ ok(verify("ee-cert-ec-sha3-512", "", ["root-cert"], ["ca-cert-ec-named"], ),
+ "accept cert generated with EC and SHA3-512");
}
# Same as above but with base provider used for decoding
SKIP: {
my $provpath = bldtop_dir("providers");
my @prov = ("-provider-path", $provpath);
- skip "EC is not supported or FIPS is disabled", 3
+ skip "EC is not supported or FIPS is disabled", 7
if disabled("ec") || $no_fips;
run(test(["fips_version_test", "-config", $provconf, ">3.0.0"]),
ok(verify("ee-cert-ec-named-named", "", ["root-cert"],
["ca-cert-ec-named"], @prov),
"accept named curve leaf with named curve intermediate w/fips");
+ ok(verify("ee-cert-ec-sha3-224", "", ["root-cert"], ["ca-cert-ec-named"], @prov),
+ "accept cert generated with EC and SHA3-224 w/fips");
+ ok(verify("ee-cert-ec-sha3-256", "", ["root-cert"], ["ca-cert-ec-named"], @prov),
+ "accept cert generated with EC and SHA3-256 w/fips");
+ ok(verify("ee-cert-ec-sha3-384", "", ["root-cert"], ["ca-cert-ec-named"], @prov),
+ "accept cert generated with EC and SHA3-384 w/fips");
+ ok(verify("ee-cert-ec-sha3-512", "", ["root-cert"], ["ca-cert-ec-named"], @prov),
+ "accept cert generated with EC and SHA3-512 w/fips");
delete $ENV{OPENSSL_CONF};
}
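Review bot: The eight new ok(verify(...)) lines are written as a single line each with a dangling `["ca-cert-ec-named"], )` argument tail, which runs past 80 columns and differs from the surrounding tests, which wrap the argument list (see the ee-cert-ec-named-named case directly above in both SKIP blocks). The trailing comma is harmless in Perl, so this is style only, but matching the neighbours reads better: `ok(verify("ee-cert-ec-sha3-224", "", ["root-cert"],` / `          ["ca-cert-ec-named"]),` / `   "accept cert generated with EC and SHA3-224");`, and likewise for the other three digests and for the `@prov` variants in the second SKIP block. The skip counts (3 to 7 twice) and the plan bump (185 to 193) agree with the eight added assertions. The second block only gates on EC support and the fips_version_test condition whose full expression is not visible here; if any FIPS provider version in scope lacks ECDSA-with-SHA3, these four would fail rather than skip, so it may be worth confirming that the version gate covers it.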