Add functionality needed to process proxy certificates.

6 files changed, 171 insertions, 9 deletions

diff --git a/test/CAss.cnf b/test/CAss.cnf
index 0884fee361..20f8f05e3d 100644
--- a/test/CAss.cnf
+++ b/test/CAss.cnf
@@ -71,4 +71,6 @@ emailAddress		= optional
 [ v3_ca ]
 subjectKeyIdentifier=hash
 authorityKeyIdentifier=keyid:always,issuer:always
-basicConstraints = CA:true
+basicConstraints = CA:true,pathlen:1
+keyUsage = cRLSign, keyCertSign
+issuerAltName=issuer:copy
diff --git a/test/Makefile.ssl b/test/Makefile.ssl
index 7b7b7a8e1f..b49dec0b3e 100644
--- a/test/Makefile.ssl
+++ b/test/Makefile.ssl
@@ -274,17 +274,23 @@ test_gen:
 	@echo "Generate and verify a certificate request"
 	@$(SET_SO_PATHS); sh ./testgen
 
-test_ss keyU.ss certU.ss certCA.ss: testss
+test_ss keyU.ss certU.ss certCA.ss certP1.ss keyP1.ss certP2.ss keyP2.ss \
+		intP1.ss intP2.ss: testss
 	@echo "Generate and certify a test certificate"
 	@$(SET_SO_PATHS); sh ./testss
+	@cat certCA.ss certU.ss > intP1.ss
+	@cat certCA.ss certU.ss certP1.ss > intP2.ss
 
 test_engine: 
 	@echo "Manipulate the ENGINE structures"
 	$(SET_SO_PATHS); ./$(ENGINETEST)
 
-test_ssl: keyU.ss certU.ss certCA.ss
+test_ssl: keyU.ss certU.ss certCA.ss certP1.ss keyP1.ss certP2.ss keyP2.ss \
+		intP1.ss intP2.ss
 	@echo "test SSL protocol"
 	@$(SET_SO_PATHS); sh ./testssl keyU.ss certU.ss certCA.ss
+	@$(SET_SO_PATHS); sh ./testssl keyP1.ss certP1.ss intP1.ss
+	@$(SET_SO_PATHS); sh ./testssl keyP2.ss certP2.ss intP2.ss
 
 test_ca:
 	@$(SET_SO_PATHS); if ../apps/openssl no-rsa; then \
diff --git a/test/P1ss.cnf b/test/P1ss.cnf
new file mode 100644
index 0000000000..864e4d2ad6
--- /dev/null
+++ b/test/P1ss.cnf
@@ -0,0 +1,37 @@
+#
+# SSLeay example configuration file.
+# This is mostly being used for generation of certificate requests.
+#
+
+RANDFILE		= ./.rnd
+
+####################################################################
+[ req ]
+default_bits		= 512
+default_keyfile 	= keySS.pem
+distinguished_name	= req_distinguished_name
+encrypt_rsa_key		= no
+default_md		= md2
+
+[ req_distinguished_name ]
+countryName			= Country Name (2 letter code)
+countryName_default		= AU
+countryName_value		= AU
+
+organizationName                = Organization Name (eg, company)
+organizationName_value          = Dodgy Brothers
+
+0.commonName			= Common Name (eg, YOUR name)
+0.commonName_value		= Brother 1
+
+1.commonName			= Common Name (eg, YOUR name)
+1.commonName_value		= Brother 2
+
+2.commonName			= Common Name (eg, YOUR name)
+2.commonName_value		= Proxy 1
+
+[ v3_proxy ]
+basicConstraints=CA:FALSE
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer:always
+proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:1,policy:text:foo
diff --git a/test/P2ss.cnf b/test/P2ss.cnf
new file mode 100644
index 0000000000..04a76cd34b
--- /dev/null
+++ b/test/P2ss.cnf
@@ -0,0 +1,45 @@
+#
+# SSLeay example configuration file.
+# This is mostly being used for generation of certificate requests.
+#
+
+RANDFILE		= ./.rnd
+
+####################################################################
+[ req ]
+default_bits		= 512
+default_keyfile 	= keySS.pem
+distinguished_name	= req_distinguished_name
+encrypt_rsa_key		= no
+default_md		= md2
+
+[ req_distinguished_name ]
+countryName			= Country Name (2 letter code)
+countryName_default		= AU
+countryName_value		= AU
+
+organizationName                = Organization Name (eg, company)
+organizationName_value          = Dodgy Brothers
+
+0.commonName			= Common Name (eg, YOUR name)
+0.commonName_value		= Brother 1
+
+1.commonName			= Common Name (eg, YOUR name)
+1.commonName_value		= Brother 2
+
+2.commonName			= Common Name (eg, YOUR name)
+2.commonName_value		= Proxy 1
+
+3.commonName			= Common Name (eg, YOUR name)
+3.commonName_value		= Proxy 2
+
+[ v3_proxy ]
+basicConstraints=CA:FALSE
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer:always
+proxyCertInfo=critical,@proxy_ext
+
+[ proxy_ext ]
+language=id-ppl-anyLanguage
+pathlen=0
+policy=text:bar
diff --git a/test/Uss.cnf b/test/Uss.cnf
index c89692d519..0c0ebb5f67 100644
--- a/test/Uss.cnf
+++ b/test/Uss.cnf
@@ -26,3 +26,11 @@ organizationName_value          = Dodgy Brothers
 
 1.commonName			= Common Name (eg, YOUR name)
 1.commonName_value		= Brother 2
+
+[ v3_ee ]
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer:always
+basicConstraints = CA:false
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+issuerAltName=issuer:copy
+
diff --git a/test/testss b/test/testss
index 8d3557f356..e71510befa 100644
--- a/test/testss
+++ b/test/testss
@@ -17,6 +17,18 @@ Ukey="keyU.ss"
 Ureq="reqU.ss"
 Ucert="certU.ss"
 
+P1conf="P1ss.cnf"
+P1key="keyP1.ss"
+P1req="reqP1.ss"
+P1cert="certP1.ss"
+P1intermediate="tmp_intP1.ss"
+
+P2conf="P2ss.cnf"
+P2key="keyP2.ss"
+P2req="reqP2.ss"
+P2cert="certP2.ss"
+P2intermediate="tmp_intP2.ss"
+
 echo
 echo "make a certificate request using 'req'"
 
@@ -35,7 +47,7 @@ if [ $? != 0 ]; then
 fi
 echo
 echo "convert the certificate request into a self signed certificate using 'x509'"
-$x509cmd -CAcreateserial -in $CAreq -days 30 -req -out $CAcert -signkey $CAkey >err.ss
+$x509cmd -CAcreateserial -in $CAreq -days 30 -req -out $CAcert -signkey $CAkey -extfile $CAconf -extensions v3_ca >err.ss
 if [ $? != 0 ]; then
 	echo "error using 'x509' to self sign a certificate request"
 	exit 1
@@ -68,18 +80,18 @@ if [ $? != 0 ]; then
 fi
 
 echo
-echo "make another certificate request using 'req'"
+echo "make a user certificate request using 'req'"
 $reqcmd -config $Uconf -out $Ureq -keyout $Ukey $req_new >err.ss
 if [ $? != 0 ]; then
-	echo "error using 'req' to generate a certificate request"
+	echo "error using 'req' to generate a user certificate request"
 	exit 1
 fi
 
 echo
-echo "sign certificate request with the just created CA via 'x509'"
-$x509cmd -CAcreateserial -in $Ureq -days 30 -req -out $Ucert -CA $CAcert -CAkey $CAkey >err.ss
+echo "sign user certificate request with the just created CA via 'x509'"
+$x509cmd -CAcreateserial -in $Ureq -days 30 -req -out $Ucert -CA $CAcert -CAkey $CAkey -extfile $Uconf -extensions v3_ee >err.ss
 if [ $? != 0 ]; then
-	echo "error using 'x509' to sign a certificate request"
+	echo "error using 'x509' to sign a user certificate request"
 	exit 1
 fi
 
@@ -89,11 +101,63 @@ echo "Certificate details"
 $x509cmd -subject -issuer -startdate -enddate -noout -in $Ucert
 
 echo
+echo "make a proxy certificate request using 'req'"
+$reqcmd -config $P1conf -out $P1req -keyout $P1key $req_new >err.ss
+if [ $? != 0 ]; then
+	echo "error using 'req' to generate a proxy certificate request"
+	exit 1
+fi
+
+echo
+echo "sign proxy certificate request with the just created user certificate via 'x509'"
+$x509cmd -CAcreateserial -in $P1req -days 30 -req -out $P1cert -CA $Ucert -CAkey $Ukey -extfile $P1conf -extensions v3_proxy >err.ss
+if [ $? != 0 ]; then
+	echo "error using 'x509' to sign a proxy certificate request"
+	exit 1
+fi
+
+cat $Ucert > $P1intermediate
+$verifycmd -CAfile $CAcert -untrusted $P1intermediate $P1cert
+echo
+echo "Certificate details"
+$x509cmd -subject -issuer -startdate -enddate -noout -in $P1cert
+
+echo
+echo "make another proxy certificate request using 'req'"
+$reqcmd -config $P2conf -out $P2req -keyout $P2key $req_new >err.ss
+if [ $? != 0 ]; then
+	echo "error using 'req' to generate another proxy certificate request"
+	exit 1
+fi
+
+echo
+echo "sign second proxy certificate request with the first proxy certificate via 'x509'"
+$x509cmd -CAcreateserial -in $P2req -days 30 -req -out $P2cert -CA $P1cert -CAkey $P1key -extfile $P2conf -extensions v3_proxy >err.ss
+if [ $? != 0 ]; then
+	echo "error using 'x509' to sign a second proxy certificate request"
+	exit 1
+fi
+
+cat $Ucert $P1cert > $P2intermediate
+$verifycmd -CAfile $CAcert -untrusted $P2intermediate $P2cert
+echo
+echo "Certificate details"
+$x509cmd -subject -issuer -startdate -enddate -noout -in $P2cert
+
+echo
 echo The generated CA certificate is $CAcert
 echo The generated CA private key is $CAkey
 
 echo The generated user certificate is $Ucert
 echo The generated user private key is $Ukey
 
+echo The first generated proxy certificate is $P1cert
+echo The first generated proxy private key is $P1key
+
+echo The second generated proxy certificate is $P2cert
+echo The second generated proxy private key is $P2key
+
 /bin/rm err.ss
+#/bin/rm $P1intermediate
+#/bin/rm $P2intermediate
 exit 0