authorTomas Mraz <tmraz@fedoraproject.org>2020-09-23 09:43:43 +0200
committerDr. David von Oheimb <David.von.Oheimb@siemens.com>2020-09-26 14:03:23 +0200
commitcf61b97d5fb9208ac254e999d86b1cf40c12b442 (patch)
treec929223c512f5c8d662510bdc2d279ddd5d6104a /test/certs
parent37326895b75297071560eb09d167f3ac90af71b4 (diff)
Generate a certificate with critical id-pkix-ocsp-nocheck extension
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com> (Merged from https://github.com/openssl/openssl/pull/12947)
Diffstat (limited to 'test/certs')
-rwxr-xr-xtest/certs/mkcert.sh36
-rwxr-xr-xtest/certs/setup.sh3
2 files changed, 38 insertions, 1 deletions
diff --git a/test/certs/mkcert.sh b/test/certs/mkcert.sh
index 32fd5874d9..a564e30c6b 100755
--- a/test/certs/mkcert.sh
+++ b/test/certs/mkcert.sh
@@ -233,6 +233,40 @@ genee() {
-set_serial 2 -days "${DAYS}" "$@"
}
+geneeextra() {
+ local OPTIND=1
+ local purpose=serverAuth
+
+ while getopts p: o
+ do
+ case $o in
+ p) purpose="$OPTARG";;
+ *) echo "Usage: $0 geneeextra [-p EKU] cn keyname certname cakeyname cacertname extraext" >&2
+ return 1;;
+ esac
+ done
+
+ shift $((OPTIND - 1))
+ local cn=$1; shift
+ local key=$1; shift
+ local cert=$1; shift
+ local cakey=$1; shift
+ local ca=$1; shift
+ local extraext=$1; shift
+
+ exts=$(printf "%s\n%s\n%s\n%s\n%s\n%s\n[alts]\n%s\n" \
+ "subjectKeyIdentifier = hash" \
+ "authorityKeyIdentifier = keyid, issuer" \
+ "basicConstraints = CA:false" \
+ "extendedKeyUsage = $purpose" \
+ "subjectAltName = @alts"\
+ "$extraext" "DNS=${cn}")
+ csr=$(req "$key" "CN = $cn") || return 1
+ echo "$csr" |
+ cert "$cert" "$exts" -CA "${ca}.pem" -CAkey "${cakey}.pem" \
+ -set_serial 2 -days "${DAYS}" "$@"
+}
+
geneenocsr() {
local OPTIND=1
local purpose=serverAuth
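Review bot: geneeextra never checks that all six positional arguments are present, so a call that omits `extraext` leaves it empty and the printf writes a blank line where the extension should be. The certificate is then issued without the extra extension and nothing fails, which for a fixture meant to exercise a critical extension can let the dependent test pass for the wrong reason. After `shift $((OPTIND - 1))` I would add `[ $# -ge 6 ] || { echo "geneeextra: missing arguments" >&2; return 1; }`. Separately, the new function hard-codes `-set_serial 2`, so certificates issued by the same CA through these helpers appear to share a serial; if this one is ever looked up by issuer and serial, as OCSP does, that may be ambiguous and is worth a comment or a serial option.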
@@ -241,7 +275,7 @@ geneenocsr() {
do
case $o in
p) purpose="$OPTARG";;
- *) echo "Usage: $0 genee [-p EKU] cn certname cakeyname cacertname" >&2
+ *) echo "Usage: $0 geneenocsr [-p EKU] cn certname cakeyname cacertname" >&2
return 1;;
esac
done
diff --git a/test/certs/setup.sh b/test/certs/setup.sh
index ee3d678219..58d824ee26 100755
--- a/test/certs/setup.sh
+++ b/test/certs/setup.sh
@@ -400,3 +400,6 @@ OPENSSL_SIGALG=ED448 OPENSSL_KEYALG=ed448 ./mkcert.sh genroot "Root Ed448" \
root-ed448-key root-ed448-cert
OPENSSL_SIGALG=ED448 OPENSSL_KEYALG=ed448 ./mkcert.sh genee ed448 \
server-ed448-key server-ed448-cert root-ed448-key root-ed448-cert
+
+# Cert with id-pkix-ocsp-no-check
+./mkcert.sh geneeextra server.example ee-key ee-cert-ocsp-nocheck ca-key ca-cert "1.3.6.1.5.5.7.48.1.5=critical,DER:05:00"
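Review bot: The comment above the new geneeextra call names the extension but not the two properties that make this fixture useful: it is marked critical, and its value is an encoded NULL given as raw DER. A reader who sees only the dotted OID has to look it up to learn why the cert exists. I would expand the comment to something like `# EE cert with id-pkix-ocsp-nocheck (1.3.6.1.5.5.7.48.1.5, DER NULL) marked critical, to check that verification accepts it`. The last clause is inferred from the commit title and should be adjusted to the test that actually uses the cert.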