# Fixture for KeyResolverTest

## Setup

Set the `GNUPGHOME` environment variable to this folder, so that all generated keys, trust settings and the `trustlist.txt` entries are written here and your own keyrings are left untouched:
```
export GNUPGHOME=$(pwd)
```

## Generate OpenPGP test keys

Note: gpg 2.3 is needed for the `--no-auto-trust-new-key` option.

```
# Create an ultimately trusted CA key
gpg --quick-gen-key --batch --pinentry-mode loopback --passphrase "" "Ultimately trusted CA <ca-ultimate@example.net>" default default never

# Create a fully trusted CA key
gpg --quick-gen-key --batch --pinentry-mode loopback --passphrase "" "Fully trusted CA <ca-full@example.net>" default default never
gpg --edit-key --command-fd 0 ca-full@example.net <<eof
trust
4
save
eof
gpg --quick-sign-key --default-key $(gpg -K --batch --with-colons ca-ultimate@example.net | grep fpr | head -1 | cut -d ':' -f 10) --batch --pinentry-mode loopback --passphrase "" $(gpg -k --batch --with-colons ca-full@example.net | grep fpr | head -1 | cut -d ':' -f 10)

# Create a marginally trusted CA key
gpg --quick-gen-key --batch --pinentry-mode loopback --passphrase "" "Marginally trusted CA <ca-marginal@example.net>" default default never
gpg --edit-key --command-fd 0 ca-marginal@example.net <<eof
trust
3
save
eof
gpg --quick-sign-key --default-key $(gpg -K --batch --with-colons ca-ultimate@example.net | grep fpr | head -1 | cut -d ':' -f 10) --batch --pinentry-mode loopback --passphrase "" $(gpg -k --batch --with-colons ca-marginal@example.net | grep fpr | head -1 | cut -d ':' -f 10)

# Sender with OpenPGP and S/MIME certificate
gpg --quick-gen-key --batch --pinentry-mode loopback --passphrase "" sender-mixed@example.net default default never

# Sender with OpenPGP key only
gpg --quick-gen-key --batch --pinentry-mode loopback --passphrase "" sender-openpgp@example.net default default never

# Recipient with ultimate validity (higher than corresponding S/MIME certificate)
gpg --quick-gen-key --batch --pinentry-mode loopback --passphrase "" "prefer-openpgp@example.net" default default never
gpg --delete-secret-keys --batch --yes $(gpg -K --batch --with-colons prefer-openpgp@example.net | grep fpr | head -1 | cut -d ':' -f 10)

# Recipient with full validity (same as corresponding S/MIME certificate)
gpg --quick-gen-key --batch --pinentry-mode loopback --passphrase "" --no-auto-trust-new-key "full-validity@example.net" default default never
gpg --delete-secret-keys --batch --yes $(gpg -K --batch --with-colons full-validity@example.net | grep fpr | head -1 | cut -d ':' -f 10)
gpg --quick-sign-key --default-key $(gpg -K --batch --with-colons ca-full@example.net | grep fpr | head -1 | cut -d ':' -f 10) --batch --pinentry-mode loopback --passphrase "" $(gpg -k --batch --with-colons full-validity@example.net | grep fpr | head -1 | cut -d ':' -f 10)

# Recipient with marginal validity (lower than corresponding S/MIME certificate)
gpg --quick-gen-key --batch --pinentry-mode loopback --passphrase "" --no-auto-trust-new-key "prefer-smime@example.net" default default never
gpg --delete-secret-keys --batch --yes $(gpg -K --batch --with-colons prefer-smime@example.net | grep fpr | head -1 | cut -d ':' -f 10)
gpg --quick-sign-key --default-key $(gpg -K --batch --with-colons ca-marginal@example.net | grep fpr | head -1 | cut -d ':' -f 10) --batch --pinentry-mode loopback --passphrase "" $(gpg -k --batch --with-colons prefer-smime@example.net | grep fpr | head -1 | cut -d ':' -f 10)

# OpenPGP-only recipient with full validity
gpg --quick-gen-key --batch --pinentry-mode loopback --passphrase "" --no-auto-trust-new-key "openpgp-only@example.net" default default never
gpg --delete-secret-keys --batch --yes $(gpg -K --batch --with-colons openpgp-only@example.net | grep fpr | head -1 | cut -d ':' -f 10)
gpg --quick-sign-key --default-key $(gpg -K --batch --with-colons ca-full@example.net | grep fpr | head -1 | cut -d ':' -f 10) --batch --pinentry-mode loopback --passphrase "" $(gpg -k --batch --with-colons openpgp-only@example.net | grep fpr | head -1 | cut -d ':' -f 10)
```

### Unused OpenPGP keys
```
gpg --quick-gen-key --batch --pinentry-mode loopback --passphrase "" "Untrusted OpenPGP 1 <untrusted-openpgp@example.net>" default default never
gpg --delete-secret-keys --batch --yes $(gpg -K --batch --with-colons "Untrusted OpenPGP 1 <untrusted-openpgp@example.net>" | grep fpr | head -1 | cut -d ':' -f 10)
gpg --edit-key --command-fd 0 "Untrusted OpenPGP 1 <untrusted-openpgp@example.net>" <<eof
trust
1
save
eof

gpg --quick-gen-key --batch --pinentry-mode loopback --passphrase "" "Untrusted OpenPGP 2 <untrusted-openpgp@example.net>" default default never
gpg --delete-secret-keys --batch --yes $(gpg -K --batch --with-colons "Untrusted OpenPGP 2 <untrusted-openpgp@example.net>" | grep fpr | head -1 | cut -d ':' -f 10)
gpg --edit-key --command-fd 0 "Untrusted OpenPGP 2 <untrusted-openpgp@example.net>" <<eof
trust
1
save
eof

gpg --quick-gen-key --batch --pinentry-mode loopback --passphrase "" "Untrusted Mixed OpenPGP <untrusted-mixed@example.net>" default default never
gpg --delete-secret-keys --batch --yes $(gpg -K --batch --with-colons untrusted-mixed@example.net | grep fpr | head -1 | cut -d ':' -f 10)
gpg --edit-key --command-fd 0 untrusted-mixed@example.net <<eof
trust
1
save
eof

gpg --quick-gen-key --batch --pinentry-mode loopback --passphrase "" "Expired <expired@example.net>" default default seconds=1
gpg --delete-secret-keys --batch --yes $(gpg -K --batch --with-colons expired@example.net | grep fpr | head -1 | cut -d ':' -f 10)
```

## Generate S/MIME test keys

### Generate a Test CA certificate and mark it as trusted

```
mkdir -p demoCA/newcerts
touch demoCA/index.txt
echo test | openssl req -x509 \
  --passout stdin \
  -subj "/CN=Test CA/O=example/C=DE" \
  --addext "keyUsage = critical, Certificate Sign, CRL Sign" \
  -days 36524 \
  -newkey rsa:2048 \
  -keyout test-ca.key.pem \
  -out test-ca.cert.pem
gpgsm --import test-ca.cert.pem
gpgsm -k "Test CA" | grep 'sha1 fpr' | sed 's/\s*sha1 fpr:\s*\([0-9A-F].*\)/\1 S relax/' >>trustlist.txt
```

### Generate some test keys certified by the Test CA

```
# Sender with OpenPGP and S/MIME certificate
gpgsm --gen-key --armor --batch --pinentry-mode loopback --passphrase "" <<eof >sender-mixed.req.pem
dummy
Key-Type: RSA
Key-Length: 2048
Key-Usage: sign, encrypt
Name-DN: CN=Sender Mixed,O=example,C=DE
Name-Email: sender-mixed@example.net
eof
echo test | openssl ca -config ./openssl.cnf -batch --passin stdin -keyfile test-ca.key.pem -in sender-mixed.req.pem -out sender-mixed.cert.pem
gpgsm --import sender-mixed.cert.pem

# Sender with S/MIME certificate only
gpgsm --gen-key --armor --batch --pinentry-mode loopback --passphrase "" <<eof >sender-smime.req.pem
dummy
Key-Type: RSA
Key-Length: 2048
Key-Usage: sign, encrypt
Name-DN: CN=Sender S/MIME,O=example,C=DE
Name-Email: sender-smime@example.net
eof
echo test | openssl ca -config ./openssl.cnf -batch --passin stdin -keyfile test-ca.key.pem -in sender-smime.req.pem -out sender-smime.cert.pem
gpgsm --import sender-smime.cert.pem

# Recipient with full validity (higher than corresponding OpenPGP key)
gpgsm --gen-key --armor --batch --pinentry-mode loopback --passphrase "" <<eof >prefer-smime.req.pem
dummy
Key-Type: RSA
Key-Length: 2048
Key-Usage: sign, encrypt
Name-DN: CN=Trusted S/MIME,O=example,C=DE
Name-Email: prefer-smime@example.net
eof
echo test | openssl ca -config ./openssl.cnf -batch --passin stdin -keyfile test-ca.key.pem -in prefer-smime.req.pem -out prefer-smime.cert.pem
gpgsm --import prefer-smime.cert.pem

# Recipient with full validity (same as corresponding OpenPGP key)
gpgsm --gen-key --armor --batch --pinentry-mode loopback --passphrase "" <<eof >full-validity.req.pem
dummy
Key-Type: RSA
Key-Length: 2048
Key-Usage: sign, encrypt
Name-DN: CN=S/MIME w/ same validity as OpenPGP,O=example,C=DE
Name-Email: full-validity@example.net
eof
echo test | openssl ca -config ./openssl.cnf -batch --passin stdin -keyfile test-ca.key.pem -in full-validity.req.pem -out full-validity.cert.pem
gpgsm --import full-validity.cert.pem

# Recipient with full validity (lower than corresponding OpenPGP key)
gpgsm --gen-key --armor --batch --pinentry-mode loopback --passphrase "" <<eof >prefer-openpgp.req.pem
dummy
Key-Type: RSA
Key-Length: 2048
Key-Usage: sign, encrypt
Name-DN: CN=S/MIME w/ lower validity than OpenPGP,O=example,C=DE
Name-Email: prefer-openpgp@example.net
eof
echo test | openssl ca -config ./openssl.cnf -batch --passin stdin -keyfile test-ca.key.pem -in prefer-openpgp.req.pem -out prefer-openpgp.cert.pem
gpgsm --import prefer-openpgp.cert.pem

# S/MIME-only recipient with full validity
gpgsm --gen-key --armor --batch --pinentry-mode loopback --passphrase "" <<eof >smime-only.req.pem
dummy
Key-Type: RSA
Key-Length: 2048
Key-Usage: sign, encrypt
Name-DN: CN=S/MIME w/ full validity,O=example,C=DE
Name-Email: smime-only@example.net
eof
echo test | openssl ca -config ./openssl.cnf -batch --passin stdin -keyfile test-ca.key.pem -in smime-only.req.pem -out smime-only.cert.pem
gpgsm --import smime-only.cert.pem
# Finally, remove the corresponding secret key from private-keys-v1.d by hand (this step is not scripted here)
```