Tests: Add intermediate certificate tests to the sign-verify cases

Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
diff --git a/tests/Makefile.am b/tests/Makefile.am
index a6606f0..93f46e2 100644
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@@ -3,6 +3,10 @@
 
 test_key = private-key.rsa
 test_cert = public-cert.pem
+ca_key = ca-key.ec
+ca_cert = ca-cert.pem
+int_key = int-key.ec
+int_cert = int-cert.pem
 test_arches = $(EFI_ARCH)
 
 check_PROGRAMS = test.pecoff
@@ -31,11 +35,25 @@
 
 AM_CFLAGS=-fpic -I/usr/include/efi -I/usr/include/efi/$(EFI_ARCH)
 
-$(test_key): Makefile
+%.rsa: Makefile
 	openssl genrsa -out $@ 2048
 
-$(test_cert): $(test_key) Makefile
-	openssl req -x509 -sha256 -subj '/' -new -key $< -out $@
+%.ec: Makefile
+	openssl genpkey -algorithm ec -pkeyopt ec_paramgen_curve:prime256v1 -out $@
+
+$(ca_cert): $(ca_key) Makefile
+	openssl req -x509 -days 1 -sha256 -subj '/CN=CA Key/' -new -key $< -out $@
+
+$(int_cert): $(int_key) $(ca_cert) Makefile
+	openssl req -new -subj '/CN=Intermediate Certificate/' -key $< -out tmp.req
+	echo -e "[ca]\nbasicConstraints = critical, CA:true\n" > ca.cnf
+	openssl x509 -req -sha256 -CA $(ca_cert) -CAkey $(ca_key) -in tmp.req -set_serial 1 -days 1 -extfile ca.cnf -extensions ca -out $@
+	-rm -f tmp.req ca.cnf
+
+$(test_cert): $(test_key) $(int_cert) Makefile
+	openssl req -new -subj '/CN=Signer Certificate/' -key $< -out tmp.req
+	openssl x509 -req -sha256 -CA $(int_cert) -CAkey $(int_key) -in tmp.req -set_serial 1 -days 1 -out $@
+	-rm -f tmp.req
 
 TESTS = sign-verify.sh \
 	sign-verify-detached.sh \
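Review bot: The `echo -e` in the `$(int_cert)` recipe is not portable: make runs recipes with `/bin/sh` by default, and where that shell's built-in `echo` does not accept `-e` (dash, for example) the literal `-e` lands on the first line of `ca.cnf`, so the `[ca]` section header is corrupted and `-extensions ca` has nothing valid to load. `printf '[ca]\nbasicConstraints = critical, CA:true\n' > ca.cnf` writes the same file on any POSIX shell. Separately, all three certificates are issued with `-days 1` but are only regenerated when `Makefile` changes, so a build tree older than a day runs the tests against expired certificates. If sbverify checks validity periods (not visible here), the chain tests would then fail for a reason unrelated to the code, so a comment on the rules or a longer lifetime would help.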
@@ -65,4 +83,5 @@
 SH_LOG_COMPILER = $(srcdir)/test-wrapper.sh
 
 EXTRA_DIST = test.S $(TESTS) $(check_SCRIPTS)
-CLEANFILES = $(test_key) $(test_cert)
+CLEANFILES = $(test_key) $(test_cert) $(int_key) $(int_cert) $(ca_key) \
+	$(ca_cert)
diff --git a/tests/sign-attach-verify.sh b/tests/sign-attach-verify.sh
index 2ae6e70..21ed6db 100755
--- a/tests/sign-attach-verify.sh
+++ b/tests/sign-attach-verify.sh
@@ -3,7 +3,19 @@
 sig="test.sig"
 signed="test.signed"
 
-"$sbsign" --cert "$cert" --key "$key" --detached --output "$sig" "$image"
-cp "$image" "$signed"
-"$sbattach" --attach "$sig" "$signed"
-"$sbverify" --cert "$cert" "$signed"
+"$sbsign" --cert "$cert" --key "$key" --detached --output "$sig" "$image" || exit 1
+cp "$image" "$signed" || exit 1
+"$sbattach" --attach "$sig" "$signed" || exit 1
+"$sbverify" --cert "$cert" "$signed" || exit 1
+"$sbverify" --cert "$intcert" "$signed" || exit 1
+# there's no intermediate cert in the image so it can't chain to the ca which
+# is why this should fail
+"$sbverify" --cert "$cacert" "$signed" && exit 1
+
+# now add intermediates
+"$sbsign" --cert "$cert" --key "$key" --addcert "$intcert" --detached --output "$sig" "$image" || exit 1
+cp "$image" "$signed" || exit 1
+"$sbattach" --attach "$sig" "$signed" || exit 1
+"$sbverify" --cert "$cert" "$signed" || exit 1
+"$sbverify" --cert "$intcert" "$signed" || exit 1
+"$sbverify" --cert "$cacert" "$signed" || exit 1
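Review bot: The expected-failure check `"$sbverify" --cert "$cacert" "$signed" && exit 1` treats every non-zero exit as a correct rejection, so a crash in sbverify or a missing input file would also let the test pass. For a test that guards chain validation it is worth separating "rejected" from "broke", for example `rc=0; "$sbverify" --cert "$cacert" "$signed" || rc=$?` followed by `[ "$rc" -ne 0 ] && [ "$rc" -lt 128 ] || exit 1`, which at least excludes death by signal. Tightening further needs sbverify's documented exit codes, which are not visible here. The same pattern appears in the sign-verify-detached.sh and sign-verify.sh hunks.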
diff --git a/tests/sign-verify-detached.sh b/tests/sign-verify-detached.sh
index 7b045e4..d2959be 100755
--- a/tests/sign-verify-detached.sh
+++ b/tests/sign-verify-detached.sh
@@ -2,5 +2,16 @@
 
 sig="test.sig"
 
-"$sbsign" --cert "$cert" --key "$key" --detached --output $sig "$image"
-"$sbverify" --cert "$cert" --detached $sig "$image"
+"$sbsign" --cert "$cert" --key "$key" --detached --output $sig "$image" || exit 1
+"$sbverify" --cert "$cert" --detached $sig "$image" || exit 1
+"$sbverify" --cert "$intcert" --detached $sig "$image" || exit 1
+# should fail because no intermediate
+"$sbverify" --cert "$cacert" --detached $sig "$image" && exit 1
+
+# now make sure everything succeeds with the intermediate added
+"$sbsign" --cert "$cert" --key "$key" --addcert "$intcert" --detached --output $sig "$image" || exit 1
+"$sbverify" --cert "$cert" --detached $sig "$image" || exit 1
+"$sbverify" --cert "$intcert" --detached $sig "$image" || exit 1
+"$sbverify" --cert "$cacert" --detached $sig "$image" || exit 1
+
+exit 0
diff --git a/tests/sign-verify.sh b/tests/sign-verify.sh
index cf493f3..a61aff8 100755
--- a/tests/sign-verify.sh
+++ b/tests/sign-verify.sh
@@ -2,5 +2,16 @@
 
 signed="test.signed"
 
-"$sbsign" --cert "$cert" --key "$key" --output "$signed" "$image"
-"$sbverify" --cert "$cert" "$signed"
+"$sbsign" --cert "$cert" --key "$key" --output "$signed" "$image" || exit 1
+"$sbverify" --cert "$cert" "$signed" || exit 1
+"$sbverify" --cert "$intcert" "$signed" || exit 1
+# there's no intermediate cert in the image so it can't chain to the ca which
+# is why this should fail
+"$sbverify" --cert "$cacert" "$signed" && exit 1
+
+# now add the intermediates and each level should succeed
+"$sbsign" --cert "$cert" --addcert "$intcert" --key "$key" --output "$signed" "$image" || exit 1
+"$sbverify" --cert "$cert" "$signed" || exit 1
+"$sbverify" --cert "$intcert" "$signed" || exit 1
+"$sbverify" --cert "$cacert" "$signed" || exit 1
+
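Review bot: After the image is re-signed with `--addcert`, every check in the second half expects success, so the test would still pass if embedding an extra certificate made sbverify accept any `--cert` argument. A negative control against a certificate outside the chain would close that gap, e.g. `"$sbverify" --cert "$unrelatedcert" "$signed" && exit 1`, where `unrelatedcert` is a placeholder for a new self-signed fixture that the Makefile and test-wrapper.sh would have to provide. The same applies to the second half of sign-attach-verify.sh and sign-verify-detached.sh.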
diff --git a/tests/test-wrapper.sh b/tests/test-wrapper.sh
index b9c6cf1..4ef6710 100755
--- a/tests/test-wrapper.sh
+++ b/tests/test-wrapper.sh
@@ -11,8 +11,12 @@
 
 key="$datadir/private-key.rsa"
 cert="$datadir/public-cert.pem"
+intkey="$datadir/int-key.ec"
+intcert="$datadir/int-cert.pem"
+cakey="$datadir/ca-key.ec"
+cacert="$datadir/ca-cert.pem"
 
-export basedir datadir bindir sbsign sbverify sbattach key cert
+export basedir datadir bindir sbsign sbverify sbattach key cert intkey intcert cakey cacert
 
 # 'test' needs to be an absolute path, as we will cd to a temporary
 # directory before running the test