diff options
author | Bob Beck <beck@cvs.openbsd.org> | 2017-01-25 10:29:35 +0000 |
---|---|---|
committer | Bob Beck <beck@cvs.openbsd.org> | 2017-01-25 10:29:35 +0000 |
commit | 8191713f710e01ad30024c029808ef5d4dc25113 (patch) | |
tree | 86d0cda48deca6d366b54998d2d8d5c313599c2b /regress/lib/libcrypto | |
parent | a54f59e187302c080f845a94935f827b7b78d47b (diff) |
Add start of a regress for cert gen and validation. not clean, won't
hook it up yet
Diffstat (limited to 'regress/lib/libcrypto')
-rw-r--r-- | regress/lib/libcrypto/CA/Makefile | 21 | ||||
-rwxr-xr-x | regress/lib/libcrypto/CA/doit.sh | 115 | ||||
-rw-r--r-- | regress/lib/libcrypto/CA/index.txt | 0 | ||||
-rw-r--r-- | regress/lib/libcrypto/CA/intermediate.cnf | 129 | ||||
-rw-r--r-- | regress/lib/libcrypto/CA/root.cnf | 129 |
5 files changed, 394 insertions, 0 deletions
diff --git a/regress/lib/libcrypto/CA/Makefile b/regress/lib/libcrypto/CA/Makefile new file mode 100644 index 00000000000..c31c99c9465 --- /dev/null +++ b/regress/lib/libcrypto/CA/Makefile @@ -0,0 +1,21 @@ +# $OpenBSD: Makefile,v 1.1 2017/01/25 10:29:34 beck Exp $ + +TESTS = \ + doit.sh + +REGRESS_TARGETS= all_tests + +CLEANFILES += \ +1000.pem client.cert.pem intermediate.cert.pem root.cert.pem server.csr.pem \ +1001.pem client.csr.pem intermediate.csr.pem root.key.pem server.key.pem \ +chain.pem client.key.pem intermediate.key.pem server.cert.pem \ +int.txt int.txt.attr int.txt.old int.txt.attr.old \ +root.txt root.txt.attr root.txt.old root.txt.attr.old \ +intserial rootserial intserial.old rootserial.old + +all_tests: ${TESTS} + @for test in $>; do \ + ./$$test; \ + done + +.include <bsd.regress.mk> diff --git a/regress/lib/libcrypto/CA/doit.sh b/regress/lib/libcrypto/CA/doit.sh new file mode 100755 index 00000000000..3b0375a026c --- /dev/null +++ b/regress/lib/libcrypto/CA/doit.sh @@ -0,0 +1,115 @@ +#!/bin/sh + +rm -rf root intermediate certs +echo 1000 > rootserial +cat /dev/null > root.txt +echo 1000 > intserial +cat /dev/null > int.txt + +# Vanna Vanna make me a root cert +openssl genrsa -out root.key.pem 4096 +if [ $? -ne 0 ]; then + echo "*** Fail; Can't generate root rsa 4096 key" + exit 1 +fi + +openssl req -batch -config root.cnf -key root.key.pem -new -x509 -days 365 -sha256 -extensions v3_ca -out root.cert.pem +if [ $? -ne 0 ]; then + echo "*** Fail; Can't generate root req" + exit 1 +fi + +# Make intermediate +openssl genrsa -out intermediate.key.pem 2048 +if [ $? -ne 0 ]; then + echo "*** Fail; Can't generate intermediate rsa 2048 key" + exit 1 +fi + +openssl req -batch -config intermediate.cnf -new -sha256 \ + -key intermediate.key.pem \ + -out intermediate.csr.pem +if [ $? -ne 0 ]; then + echo "*** Fail; Can't generate intermediate req" + exit 1 +fi + +# Sign intermediate +openssl ca -batch -config root.cnf -extensions v3_intermediate_ca -days 10 -notext -md sha256 -in intermediate.csr.pem -out intermediate.cert.pem +if [ $? -ne 0 ]; then + echo "*** Fail; Can't sign intermediate" + exit 1 +fi + +# Verify Intermediate +openssl verify -CAfile ca.cert.pem intermediate.cert.pem +if [ $? -ne 0]; then + echo "*** Fail; Intermediate CA does not validate" + exit 1 +fi + +cat intermediate.cert.pem root.cert.pem > chain.pem + +# make a server certificate + +openssl genrsa -out server.key.pem 2048 +if [ $? -ne 0]; then + echo "*** Fail; genrsa server" + exit 1 +fi + + +openssl req -batch -config intermediate.cnf \ + -key server.key.pem \ + -new -sha256 -out server.csr.pem \ + -subj '/CN=server/O=OpenBSD/OU=So and Sos/C=CA' +if [ $? -ne 0]; then + echo "*** Fail; server req" + exit 1 +fi + +# sign server key +openssl ca -batch -config intermediate.cnf -extensions server_cert -days 5 -notext -md sha256 -in server.csr.pem -out server.cert.pem +if [ $? -ne 0 ]; then + echo "*** Fail; server sign" + exit 1 +fi + +# make a client certificate + +openssl genrsa -out client.key.pem 2048 +if [ $? -ne 0]; then + echo "*** Fail; genrsa client" + exit 1 +fi + +openssl req -batch -config intermediate.cnf \ + -key client.key.pem \ + -new -sha256 -out client.csr.pem \ + -subj '/CN=client/O=OpenBSD/OU=So and Sos/C=CA' +if [ $? -ne 0]; then + echo "*** Fail; client req" + exit 1 +fi + +# sign client key +openssl ca -batch -config intermediate.cnf -extensions usr_cert -days 5 -notext -md sha256 -in client.csr.pem -out client.cert.pem +if [ $? -ne 0 ]; then + echo "*** Fail; client sign" + exit 1 +fi + +# Verify Intermediate +openssl verify -purpose sslserver -CAfile chain.pem server.cert.pem +if [ $? -ne 0 ]; then + echo "*** Fail; server cert does not validate" + exit 1 +fi + +# Verify Intermediate +openssl verify -purpose sslclient -CAfile chain.pem client.cert.pem +if [ $? -ne 0 ]; then + echo "*** Fail; client cert does not validate" + exit 1 +fi + diff --git a/regress/lib/libcrypto/CA/index.txt b/regress/lib/libcrypto/CA/index.txt new file mode 100644 index 00000000000..e69de29bb2d --- /dev/null +++ b/regress/lib/libcrypto/CA/index.txt diff --git a/regress/lib/libcrypto/CA/intermediate.cnf b/regress/lib/libcrypto/CA/intermediate.cnf new file mode 100644 index 00000000000..383f8f0b9be --- /dev/null +++ b/regress/lib/libcrypto/CA/intermediate.cnf @@ -0,0 +1,129 @@ +# For regression tests +default_ca = CA_regress + +[ CA_regress ] +# Directory and file locations. +dir = . +certs = $dir +crl_dir = $dir +database = $dir/int.txt +serial = $dir/intserial +new_certs_dir = $dir + +# The root key and root certificate. +private_key = $dir/intermediate.key.pem +certificate = $dir/intermediate.cert.pem + +# For certificate revocation lists. +crlnumber = $dir/crlnumber +crl = $dir/ca.crl.pem +crl_extensions = crl_ext +default_crl_days = 30 + +# SHA-1 is deprecated, so use SHA-2 instead. +default_md = sha256 + +name_opt = ca_default +cert_opt = ca_default +default_days = 10 +preserve = no +policy = policy_loose + +[ policy_strict ] +# The root CA should only sign intermediate certificates that match. +# See the POLICY FORMAT section of `man ca`. +countryName = match +stateOrProvinceName = match +organizationName = match +organizationalUnitName = optional +commonName = supplied +emailAddress = optional + +[ policy_loose ] +# Allow the intermediate CA to sign a more diverse range of certificates. +# See the POLICY FORMAT section of the `ca` man page. +countryName = optional +stateOrProvinceName = optional +localityName = optional +organizationName = optional +organizationalUnitName = optional +commonName = supplied +emailAddress = optional + +[ req ] +# Options for the `req` tool (`man req`). +default_bits = 2048 +distinguished_name = req_distinguished_name +string_mask = utf8only + +# SHA-1 is deprecated, so use SHA-2 instead. +default_md = sha256 + +# Extension to add when the -x509 option is used. +x509_extensions = v3_ca + +[ req_distinguished_name ] +# See <https://en.wikipedia.org/wiki/Certificate_signing_request>. +countryName = Country Name (2 letter code) +stateOrProvinceName = State or Province Name +localityName = Locality Name +0.organizationName = Organization Name +organizationalUnitName = Organizational Unit Name +commonName = Common Name +emailAddress = Email Address + +# Optionally, specify some defaults. +countryName_default = CA +stateOrProvinceName_default = Alberta +localityName_default = Edmonton +0.organizationName_default = OpenBSD +organizationalUnitName_default = So and Sos +emailAddress_default = evilsoandsos@openbsd.org +commonName_default = Regress Intermediate CA + +[ v3_ca ] +# Extensions for a typical CA (`man x509v3_config`). +subjectKeyIdentifier = hash +authorityKeyIdentifier = keyid:always,issuer +basicConstraints = critical, CA:true +keyUsage = critical, digitalSignature, cRLSign, keyCertSign + +[ v3_intermediate_ca ] +# Extensions for a typical intermediate CA (`man x509v3_config`). +subjectKeyIdentifier = hash +authorityKeyIdentifier = keyid:always,issuer +basicConstraints = critical, CA:true, pathlen:0 +keyUsage = critical, digitalSignature, cRLSign, keyCertSign + +[ usr_cert ] +# Extensions for client certificates (`man x509v3_config`). +basicConstraints = CA:FALSE +nsCertType = client, email +nsComment = "OpenSSL Generated Client Certificate" +subjectKeyIdentifier = hash +authorityKeyIdentifier = keyid,issuer +keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment +extendedKeyUsage = clientAuth, emailProtection + +[ server_cert ] +# Extensions for server certificates (`man x509v3_config`). +basicConstraints = CA:FALSE +nsCertType = server +nsComment = "OpenSSL Generated Server Certificate" +subjectKeyIdentifier = hash +authorityKeyIdentifier = keyid,issuer:always +keyUsage = critical, digitalSignature, keyEncipherment +extendedKeyUsage = serverAuth + +[ crl_ext ] +# Extension for CRLs (`man x509v3_config`). +authorityKeyIdentifier=keyid:always + +[ ocsp ] +# Extension for OCSP signing certificates (`man ocsp`). +basicConstraints = CA:FALSE +subjectKeyIdentifier = hash +authorityKeyIdentifier = keyid,issuer +keyUsage = critical, digitalSignature +extendedKeyUsage = critical, OCSPSigning + diff --git a/regress/lib/libcrypto/CA/root.cnf b/regress/lib/libcrypto/CA/root.cnf new file mode 100644 index 00000000000..7915a6ab0e3 --- /dev/null +++ b/regress/lib/libcrypto/CA/root.cnf @@ -0,0 +1,129 @@ +# For regression tests +default_ca = CA_regress + +[ CA_regress ] +# Directory and file locations. +dir = . +certs = $dir +crl_dir = $dir +database = $dir/root.txt +serial = $dir/rootserial +new_certs_dir = $dir + +# The root key and root certificate. +private_key = $dir/root.key.pem +certificate = $dir/root.cert.pem + +# For certificate revocation lists. +crlnumber = $dir/crlnumber +crl = $dir/ca.crl.pem +crl_extensions = crl_ext +default_crl_days = 30 + +# SHA-1 is deprecated, so use SHA-2 instead. +default_md = sha256 + +name_opt = ca_default +cert_opt = ca_default +default_days = 375 +preserve = no +policy = policy_strict + +[ policy_strict ] +# The root CA should only sign intermediate certificates that match. +# See the POLICY FORMAT section of `man ca`. +countryName = match +stateOrProvinceName = match +organizationName = match +organizationalUnitName = optional +commonName = supplied +emailAddress = optional + +[ policy_loose ] +# Allow the intermediate CA to sign a more diverse range of certificates. +# See the POLICY FORMAT section of the `ca` man page. +countryName = optional +stateOrProvinceName = optional +localityName = optional +organizationName = optional +organizationalUnitName = optional +commonName = supplied +emailAddress = optional + +[ req ] +# Options for the `req` tool (`man req`). +default_bits = 2048 +distinguished_name = req_distinguished_name +string_mask = utf8only + +# SHA-1 is deprecated, so use SHA-2 instead. +default_md = sha256 + +# Extension to add when the -x509 option is used. +x509_extensions = v3_ca + +[ req_distinguished_name ] +# See <https://en.wikipedia.org/wiki/Certificate_signing_request>. +countryName = Country Name (2 letter code) +stateOrProvinceName = State or Province Name +localityName = Locality Name +0.organizationName = Organization Name +organizationalUnitName = Organizational Unit Name +commonName = Common Name +emailAddress = Email Address + +# Optionally, specify some defaults. +countryName_default = CA +stateOrProvinceName_default = Alberta +localityName_default = Edmonton +0.organizationName_default = OpenBSD +organizationalUnitName_default = So and Sos +emailAddress_default = evilsoandsos@openbsd.org +commonName_default = Regress Root CA + +[ v3_ca ] +# Extensions for a typical CA (`man x509v3_config`). +subjectKeyIdentifier = hash +authorityKeyIdentifier = keyid:always,issuer +basicConstraints = critical, CA:true +keyUsage = critical, digitalSignature, cRLSign, keyCertSign + +[ v3_intermediate_ca ] +# Extensions for a typical intermediate CA (`man x509v3_config`). +subjectKeyIdentifier = hash +authorityKeyIdentifier = keyid:always,issuer +basicConstraints = critical, CA:true, pathlen:0 +keyUsage = critical, digitalSignature, cRLSign, keyCertSign + +[ usr_cert ] +# Extensions for client certificates (`man x509v3_config`). +basicConstraints = CA:FALSE +nsCertType = client, email +nsComment = "OpenSSL Generated Client Certificate" +subjectKeyIdentifier = hash +authorityKeyIdentifier = keyid,issuer +keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment +extendedKeyUsage = clientAuth, emailProtection + +[ server_cert ] +# Extensions for server certificates (`man x509v3_config`). +basicConstraints = CA:FALSE +nsCertType = server +nsComment = "OpenSSL Generated Server Certificate" +subjectKeyIdentifier = hash +authorityKeyIdentifier = keyid,issuer:always +keyUsage = critical, digitalSignature, keyEncipherment +extendedKeyUsage = serverAuth + +[ crl_ext ] +# Extension for CRLs (`man x509v3_config`). +authorityKeyIdentifier=keyid:always + +[ ocsp ] +# Extension for OCSP signing certificates (`man ocsp`). +basicConstraints = CA:FALSE +subjectKeyIdentifier = hash +authorityKeyIdentifier = keyid,issuer +keyUsage = critical, digitalSignature +extendedKeyUsage = critical, OCSPSigning + |