diff options
Diffstat (limited to 'test/certs')
-rwxr-xr-x | test/certs/mkcert.sh | 39 | ||||
-rwxr-xr-x | test/certs/setup.sh | 26 |
2 files changed, 57 insertions, 8 deletions
diff --git a/test/certs/mkcert.sh b/test/certs/mkcert.sh index daa0679ee8..39e3a1e28c 100755 --- a/test/certs/mkcert.sh +++ b/test/certs/mkcert.sh @@ -49,17 +49,18 @@ key() { fi } +# Usage: $0 req keyname dn1 dn2 ... req() { local key=$1; shift - local cn=$1; shift key "$key" local errs stderr_onerror \ openssl req -new -"${OPENSSL_SIGALG}" -key "${key}.pem" \ - -config <(printf "[req]\n%s\n%s\n[dn]\nCN=%s\n" \ - "prompt = no" "distinguished_name = dn" "${cn}") + -config <(printf "[req]\n%s\n%s\n[dn]\n" \ + "prompt = no" "distinguished_name = dn" "${dn}" + for dn in "$@"; do echo "$dn"; done) } req_nocn() { @@ -93,7 +94,7 @@ genroot() { do exts=$(printf "%s\nextendedKeyUsage = %s\n" "$exts" "$eku") done - csr=$(req "$key" "$cn") || return 1 + csr=$(req "$key" "CN = $cn") || return 1 echo "$csr" | cert "$cert" "$exts" -signkey "${key}.pem" -set_serial 1 -days "${DAYS}" } @@ -112,7 +113,7 @@ genca() { do exts=$(printf "%s\nextendedKeyUsage = %s\n" "$exts" "$eku") done - csr=$(req "$key" "$cn") || return 1 + csr=$(req "$key" "CN = $cn") || return 1 echo "$csr" | cert "$cert" "$exts" -CA "${cacert}.pem" -CAkey "${cakey}.pem" \ -set_serial 2 -days "${DAYS}" @@ -133,12 +134,34 @@ gen_nonbc_ca() { do exts=$(printf "%s\nextendedKeyUsage = %s\n" "$exts" "$eku") done - csr=$(req "$key" "$cn") || return 1 + csr=$(req "$key" "CN = $cn") || return 1 echo "$csr" | cert "$cert" "$exts" -CA "${cacert}.pem" -CAkey "${cakey}.pem" \ -set_serial 2 -days "${DAYS}" } +# Usage: $0 genpc keyname certname eekeyname eecertname pcext1 pcext2 ... +# +# Note: takes csr on stdin, so must be used with $0 req like this: +# +# $0 req keyname dn | $0 genpc keyname certname eekeyname eecertname pcext ... +genpc() { + local key=$1; shift + local cert=$1; shift + local cakey=$1; shift + local ca=$1; shift + + exts=$(printf "%s\n%s\n%s\n%s\n" \ + "subjectKeyIdentifier = hash" \ + "authorityKeyIdentifier = keyid, issuer:always" \ + "basicConstraints = CA:false" \ + "proxyCertInfo = critical, @pcexts"; + echo "[pcexts]"; + for x in "$@"; do echo $x; done) + cert "$cert" "$exts" -CA "${ca}.pem" -CAkey "${cakey}.pem" \ + -set_serial 2 -days "${DAYS}" +} + genee() { local OPTIND=1 local purpose=serverAuth @@ -165,7 +188,7 @@ genee() { "basicConstraints = CA:false" \ "extendedKeyUsage = $purpose" \ "subjectAltName = @alts" "DNS=${cn}") - csr=$(req "$key" "$cn") || return 1 + csr=$(req "$key" "CN = $cn") || return 1 echo "$csr" | cert "$cert" "$exts" -CA "${ca}.pem" -CAkey "${cakey}.pem" \ -set_serial 2 -days "${DAYS}" "$@" @@ -182,7 +205,7 @@ genss() { "basicConstraints = CA:false" \ "extendedKeyUsage = serverAuth" \ "subjectAltName = @alts" "DNS=${cn}") - csr=$(req "$key" "$cn") || return 1 + csr=$(req "$key" "CN = $cn") || return 1 echo "$csr" | cert "$cert" "$exts" -signkey "${key}.pem" \ -set_serial 1 -days "${DAYS}" "$@" diff --git a/test/certs/setup.sh b/test/certs/setup.sh index f34104613f..4eaf511ef4 100755 --- a/test/certs/setup.sh +++ b/test/certs/setup.sh @@ -182,3 +182,29 @@ OPENSSL_SIGALG=md5 \ # 768-bit leaf key OPENSSL_KEYBITS=768 \ ./mkcert.sh genee server.example ee-key-768 ee-cert-768 ca-key ca-cert + +# Proxy certificates, off of ee-client +# Start with some good ones +./mkcert.sh req pc1-key "0.CN = server.example" "1.CN = proxy 1" | \ + ./mkcert.sh genpc pc1-key pc1-cert ee-key ee-client \ + "language = id-ppl-anyLanguage" "pathlen = 1" "policy = text:AB" +./mkcert.sh req pc2-key "0.CN = server.example" "1.CN = proxy 1" "2.CN = proxy 2" | \ + ./mkcert.sh genpc pc2-key pc2-cert pc1-key pc1-cert \ + "language = id-ppl-anyLanguage" "pathlen = 0" "policy = text:AB" +# And now a couple of bad ones +# pc3: incorrect CN +./mkcert.sh req bad-pc3-key "0.CN = server.example" "1.CN = proxy 3" | \ + ./mkcert.sh genpc bad-pc3-key bad-pc3-cert pc1-key pc1-cert \ + "language = id-ppl-anyLanguage" "pathlen = 0" "policy = text:AB" +# pc4: incorrect pathlen +./mkcert.sh req bad-pc4-key "0.CN = server.example" "1.CN = proxy 1" "2.CN = proxy 4" | \ + ./mkcert.sh genpc bad-pc4-key bad-pc4-cert pc1-key pc1-cert \ + "language = id-ppl-anyLanguage" "pathlen = 1" "policy = text:AB" +# pc5: no policy +./mkcert.sh req pc5-key "0.CN = server.example" "1.CN = proxy 1" "2.CN = proxy 5" | \ + ./mkcert.sh genpc pc5-key pc5-cert pc1-key pc1-cert \ + "language = id-ppl-anyLanguage" "pathlen = 0" +# pc6: incorrect CN (made into a component of a multivalue RDN) +./mkcert.sh req bad-pc6-key "0.CN = server.example" "1.CN = proxy 1" "2.+CN = proxy 6" | \ + ./mkcert.sh genpc bad-pc6-key bad-pc6-cert pc1-key pc1-cert \ + "language = id-ppl-anyLanguage" "pathlen = 0" "policy = text:AB" |