Tests: Add intermediate certificate tests to the sign-verify cases

Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>

tests/Makefile.am

@@ -3,6 +3,10 @@ AUTOMAKE_OPTIONS = parallel-tests
 
 test_key = private-key.rsa
 test_cert = public-cert.pem
+ca_key = ca-key.ec
+ca_cert = ca-cert.pem
+int_key = int-key.ec
+int_cert = int-cert.pem
 test_arches = $(EFI_ARCH)
 
 check_PROGRAMS = test.pecoff
@@ -31,11 +35,25 @@ check_SCRIPTS = test-wrapper.sh
 
 AM_CFLAGS=-fpic -I/usr/include/efi -I/usr/include/efi/$(EFI_ARCH)
 
-$(test_key): Makefile
+%.rsa: Makefile
 	openssl genrsa -out $@ 2048
 
-$(test_cert): $(test_key) Makefile
-	openssl req -x509 -sha256 -subj '/' -new -key $< -out $@
+%.ec: Makefile
+	openssl genpkey -algorithm ec -pkeyopt ec_paramgen_curve:prime256v1 -out $@
+
+$(ca_cert): $(ca_key) Makefile
+	openssl req -x509 -days 1 -sha256 -subj '/CN=CA Key/' -new -key $< -out $@
+
+$(int_cert): $(int_key) $(ca_cert) Makefile
+	openssl req -new -subj '/CN=Intermediate Certificate/' -key $< -out tmp.req
+	echo -e "[ca]\nbasicConstraints = critical, CA:true\n" > ca.cnf
+	openssl x509 -req -sha256 -CA $(ca_cert) -CAkey $(ca_key) -in tmp.req -set_serial 1 -days 1 -extfile ca.cnf -extensions ca -out $@
+	-rm -f tmp.req ca.cnf
+
+$(test_cert): $(test_key) $(int_cert) Makefile
+	openssl req -new -subj '/CN=Signer Certificate/' -key $< -out tmp.req
+	openssl x509 -req -sha256 -CA $(int_cert) -CAkey $(int_key) -in tmp.req -set_serial 1 -days 1 -out $@
+	-rm -f tmp.req
 
 TESTS = sign-verify.sh \
 	sign-verify-detached.sh \
@@ -65,4 +83,5 @@ AM_TESTS_ENVIRONMENT = TEST_ARCHES='$(test_arches)'; export TEST_ARCHES;
 SH_LOG_COMPILER = $(srcdir)/test-wrapper.sh
 
 EXTRA_DIST = test.S $(TESTS) $(check_SCRIPTS)
-CLEANFILES = $(test_key) $(test_cert)
+CLEANFILES = $(test_key) $(test_cert) $(int_key) $(int_cert) $(ca_key) \
+	$(ca_cert)