Scripts to generate verify test certs

Reviewed-by: Richard Levitte <levitte@openssl.org>

2 files changed, 222 insertions, 0 deletions

diff --git a/test/certs/mkcert.sh b/test/certs/mkcert.sh
new file mode 100755
index 0000000000..5116daaf79
--- /dev/null
+++ b/test/certs/mkcert.sh
@@ -0,0 +1,167 @@
+#! /bin/bash
+#
+# Copyright (c) 2016 Viktor Dukhovni <openssl-users@dukhovni.org>.
+# All rights reserved.
+#
+# Contributed to the OpenSSL project under the terms of the OpenSSL license
+# included with the version of the OpenSSL software that includes this module.
+
+# 100 years should be enough for now
+#
+DAYS=36525
+
+stderr_onerror() {
+    (
+        err=$("$@" >&3 2>&1) || {
+            printf "%s\n" "$err" >&2
+            exit 1
+        }
+    ) 3>&1
+}
+
+key() {
+    local key=$1; shift
+
+    local alg=rsa
+    if [ -n "$OPENSSL_KEYALG" ]; then
+        alg=$OPENSSL_KEYALG
+    fi
+
+    local bits=2048
+    if [ -n "$OPENSSL_KEYBITS" ]; then
+        bits=$OPENSSL_KEYBITS
+    fi
+
+    if [ ! -f "${key}.pem" ]; then
+        args=(-algorithm "$alg")
+        case $alg in
+        rsa) args=("${args[@]}" -pkeyopt rsa_keygen_bits:$bits );;
+        ecdsa) args=("${args[@]}" -pkeyopt "ec_paramgen_curve:$bits")
+               args=("${args[@]}" -pkeyopt ec_param_enc:named_curve);;
+        *) printf "Unsupported key algorithm: %s\n" "$alg" >&2; return 1;;
+        esac
+        stderr_onerror \
+            openssl genpkey "${args[@]}" -out "${key}.pem"
+    fi
+}
+
+req() {
+    local key=$1; shift
+    local cn=$1; shift
+
+    key "$key"
+    local errs
+
+    stderr_onerror \
+        openssl req -new -sha256 -key "${key}.pem" \
+            -config <(printf "[req]\n%s\n%s\n[dn]\nCN=%s\n" \
+		      "prompt = no" "distinguished_name = dn" "${cn}")
+}
+
+req_nocn() {
+    local key=$1; shift
+
+    key "$key"
+    stderr_onerror \
+        openssl req -new -sha256 -subj / -key "${key}.pem" \
+            -config <(printf "[req]\n%s\n[dn]\nCN_default =\n" \
+		      "distinguished_name = dn")
+}
+
+cert() {
+    local cert=$1; shift
+    local exts=$1; shift
+
+    stderr_onerror \
+        openssl x509 -req -sha256 -out "${cert}.pem" \
+            -extfile <(printf "%s\n" "$exts") "$@"
+}
+
+genroot() {
+    local cn=$1; shift
+    local key=$1; shift
+    local cert=$1; shift
+    local skid="subjectKeyIdentifier = hash"
+    local akid="authorityKeyIdentifier = keyid"
+
+    exts=$(printf "%s\n%s\n%s\n" "$skid" "$akid" "basicConstraints = CA:true")
+    csr=$(req "$key" "$cn") || return 1
+    echo "$csr" |
+       cert "$cert" "$exts" -signkey "${key}.pem" -set_serial 1 -days "${DAYS}"
+}
+
+genca() {
+    local cn=$1; shift
+    local key=$1; shift
+    local cert=$1; shift
+    local cakey=$1; shift
+    local cacert=$1; shift
+    local skid="subjectKeyIdentifier = hash"
+    local akid="authorityKeyIdentifier = keyid"
+
+    exts=$(printf "%s\n%s\n%s\n" "$skid" "$akid" "basicConstraints = CA:true")
+    csr=$(req "$key" "$cn") || return 1
+    echo "$csr" |
+        cert "$cert" "$exts" -CA "${cacert}.pem" -CAkey "${cakey}.pem" \
+	    -set_serial 2 -days "${DAYS}" "$@"
+}
+
+genee() {
+    local OPTIND=1
+    local purpose=serverAuth
+
+    while getopts p: o
+    do
+        case $o in
+        p) purpose="$OPTARG";;
+        *) echo "Usage: $0 genee [-p EKU] cn keyname certname cakeyname cacertname" >&2
+           return 1;;
+        esac
+    done
+
+    shift $((OPTIND - 1))
+    local cn=$1; shift
+    local key=$1; shift
+    local cert=$1; shift
+    local cakey=$1; shift
+    local ca=$1; shift
+
+    exts=$(printf "%s\n%s\n%s\n%s\n%s\n[alts]\n%s\n" \
+	    "subjectKeyIdentifier = hash" \
+	    "authorityKeyIdentifier = keyid, issuer" \
+	    "basicConstraints = CA:false" \
+	    "extendedKeyUsage = $purpose" \
+	    "subjectAltName = @alts" "DNS=${cn}")
+    csr=$(req "$key" "$cn") || return 1
+    echo "$csr" |
+	cert "$cert" "$exts" -CA "${ca}.pem" -CAkey "${cakey}.pem" \
+	    -set_serial 2 -days "${DAYS}" "$@"
+}
+
+genss() {
+    local cn=$1; shift
+    local key=$1; shift
+    local cert=$1; shift
+
+    exts=$(printf "%s\n%s\n%s\n%s\n%s\n[alts]\n%s\n" \
+	    "subjectKeyIdentifier   = hash" \
+	    "authorityKeyIdentifier = keyid, issuer" \
+	    "basicConstraints = CA:false" \
+	    "extendedKeyUsage = serverAuth" \
+	    "subjectAltName = @alts" "DNS=${cn}")
+    csr=$(req "$key" "$cn") || return 1
+    echo "$csr" |
+        cert "$cert" "$exts" -signkey "${key}.pem" \
+            -set_serial 1 -days "${DAYS}" "$@"
+}
+
+gennocn() {
+    local key=$1; shift
+    local cert=$1; shift
+
+    csr=$(req_nocn "$key") || return 1
+    echo "$csr" |
+	cert "$cert" "" -signkey "${key}.pem" -set_serial 1 -days -1 "$@"
+}
+
+"$@"
diff --git a/test/certs/setup.sh b/test/certs/setup.sh
new file mode 100755
index 0000000000..b50f7e3015
--- /dev/null
+++ b/test/certs/setup.sh
@@ -0,0 +1,55 @@
+#! /bin/sh
+
+# Primary root: root-cert
+# root certs variants: CA:false, key2, DN2
+# trust variants: +serverAuth -serverAuth +clientAuth
+#
+./mkcert.sh genroot "Root CA" root-key root-cert
+./mkcert.sh genss "Root CA" root-key root-nonca
+./mkcert.sh genroot "Root CA" root-key2 root-cert2
+./mkcert.sh genroot "Root Cert 2" root-key root-name2
+#
+openssl x509 -in root-cert.pem -trustout \
+    -addtrust serverAuth -out root+serverAuth.pem
+openssl x509 -in root-cert.pem -trustout \
+    -addreject serverAuth -out root-serverAuth.pem
+openssl x509 -in root-cert.pem -trustout \
+    -addtrust clientAuth -out root+clientAuth.pem
+
+# Primary intermediate ca: ca-cert
+# ca variants: CA:false, key2, DN2, issuer2, expired
+# trust variants: +serverAuth, -serverAuth, +clientAuth
+#
+./mkcert.sh genca "CA" ca-key ca-cert root-key root-cert
+./mkcert.sh genee "CA" ca-key ca-nonca root-key root-cert
+./mkcert.sh genca "CA" ca-key2 ca-cert2 root-key root-cert
+./mkcert.sh genca "CA2" ca-key ca-name2 root-key root-cert
+./mkcert.sh genca "CA" ca-key ca-root2 root-key2 root-cert2
+./mkcert.sh genca "CA" ca-key ca-expired root-key root-cert -days -1
+#
+openssl x509 -in ca-cert.pem -trustout \
+    -addtrust serverAuth -out ca+serverAuth.pem
+openssl x509 -in ca-cert.pem -trustout \
+    -addreject serverAuth -out ca-serverAuth.pem
+openssl x509 -in ca-cert.pem -trustout \
+    -addtrust clientAuth -out ca+clientAuth.pem
+
+# Primary leaf cert: ee-cert
+# ee variants: expired, issuer-key2, issuer-name2
+# trust variants: +serverAuth, -serverAuth, +clientAuth, -clientAuth
+# purpose variants: client
+#
+./mkcert.sh genee server.example ee-key ee-cert ca-key ca-cert
+./mkcert.sh genee server.example ee-key ee-expired ca-key ca-cert -days -1
+./mkcert.sh genee server.example ee-key ee-cert2 ca-key2 ca-cert2
+./mkcert.sh genee server.example ee-key ee-name2 ca-key ca-name2
+./mkcert.sh genee -p clientAuth server.example ee-key ee-client ca-key ca-cert
+#
+openssl x509 -in ee-cert.pem -trustout \
+    -addtrust serverAuth -out ee+serverAuth.pem
+openssl x509 -in ee-cert.pem -trustout \
+    -addreject serverAuth -out ee-serverAuth.pem
+openssl x509 -in ee-client.pem -trustout \
+    -addtrust clientAuth -out ee+clientAuth.pem
+openssl x509 -in ee-client.pem -trustout \
+    -addreject clientAuth -out ee-clientAuth.pem