summaryrefslogtreecommitdiff
path: root/regress/lib/libcrypto
diff options
context:
space:
mode:
authorBob Beck <beck@cvs.openbsd.org>2017-01-25 10:29:35 +0000
committerBob Beck <beck@cvs.openbsd.org>2017-01-25 10:29:35 +0000
commit8191713f710e01ad30024c029808ef5d4dc25113 (patch)
tree86d0cda48deca6d366b54998d2d8d5c313599c2b /regress/lib/libcrypto
parenta54f59e187302c080f845a94935f827b7b78d47b (diff)
Add start of a regress for cert gen and validation. not clean, won't
hook it up yet
Diffstat (limited to 'regress/lib/libcrypto')
-rw-r--r--regress/lib/libcrypto/CA/Makefile21
-rwxr-xr-xregress/lib/libcrypto/CA/doit.sh115
-rw-r--r--regress/lib/libcrypto/CA/index.txt0
-rw-r--r--regress/lib/libcrypto/CA/intermediate.cnf129
-rw-r--r--regress/lib/libcrypto/CA/root.cnf129
5 files changed, 394 insertions, 0 deletions
diff --git a/regress/lib/libcrypto/CA/Makefile b/regress/lib/libcrypto/CA/Makefile
new file mode 100644
index 00000000000..c31c99c9465
--- /dev/null
+++ b/regress/lib/libcrypto/CA/Makefile
@@ -0,0 +1,21 @@
+# $OpenBSD: Makefile,v 1.1 2017/01/25 10:29:34 beck Exp $
+
+TESTS = \
+ doit.sh
+
+REGRESS_TARGETS= all_tests
+
+CLEANFILES += \
+1000.pem client.cert.pem intermediate.cert.pem root.cert.pem server.csr.pem \
+1001.pem client.csr.pem intermediate.csr.pem root.key.pem server.key.pem \
+chain.pem client.key.pem intermediate.key.pem server.cert.pem \
+int.txt int.txt.attr int.txt.old int.txt.attr.old \
+root.txt root.txt.attr root.txt.old root.txt.attr.old \
+intserial rootserial intserial.old rootserial.old
+
+all_tests: ${TESTS}
+ @for test in $>; do \
+ ./$$test; \
+ done
+
+.include <bsd.regress.mk>
diff --git a/regress/lib/libcrypto/CA/doit.sh b/regress/lib/libcrypto/CA/doit.sh
new file mode 100755
index 00000000000..3b0375a026c
--- /dev/null
+++ b/regress/lib/libcrypto/CA/doit.sh
@@ -0,0 +1,115 @@
+#!/bin/sh
+
+rm -rf root intermediate certs
+echo 1000 > rootserial
+cat /dev/null > root.txt
+echo 1000 > intserial
+cat /dev/null > int.txt
+
+# Vanna Vanna make me a root cert
+openssl genrsa -out root.key.pem 4096
+if [ $? -ne 0 ]; then
+ echo "*** Fail; Can't generate root rsa 4096 key"
+ exit 1
+fi
+
+openssl req -batch -config root.cnf -key root.key.pem -new -x509 -days 365 -sha256 -extensions v3_ca -out root.cert.pem
+if [ $? -ne 0 ]; then
+ echo "*** Fail; Can't generate root req"
+ exit 1
+fi
+
+# Make intermediate
+openssl genrsa -out intermediate.key.pem 2048
+if [ $? -ne 0 ]; then
+ echo "*** Fail; Can't generate intermediate rsa 2048 key"
+ exit 1
+fi
+
+openssl req -batch -config intermediate.cnf -new -sha256 \
+ -key intermediate.key.pem \
+ -out intermediate.csr.pem
+if [ $? -ne 0 ]; then
+ echo "*** Fail; Can't generate intermediate req"
+ exit 1
+fi
+
+# Sign intermediate
+openssl ca -batch -config root.cnf -extensions v3_intermediate_ca -days 10 -notext -md sha256 -in intermediate.csr.pem -out intermediate.cert.pem
+if [ $? -ne 0 ]; then
+ echo "*** Fail; Can't sign intermediate"
+ exit 1
+fi
+
+# Verify Intermediate
+openssl verify -CAfile ca.cert.pem intermediate.cert.pem
+if [ $? -ne 0]; then
+ echo "*** Fail; Intermediate CA does not validate"
+ exit 1
+fi
+
+cat intermediate.cert.pem root.cert.pem > chain.pem
+
+# make a server certificate
+
+openssl genrsa -out server.key.pem 2048
+if [ $? -ne 0]; then
+ echo "*** Fail; genrsa server"
+ exit 1
+fi
+
+
+openssl req -batch -config intermediate.cnf \
+ -key server.key.pem \
+ -new -sha256 -out server.csr.pem \
+ -subj '/CN=server/O=OpenBSD/OU=So and Sos/C=CA'
+if [ $? -ne 0]; then
+ echo "*** Fail; server req"
+ exit 1
+fi
+
+# sign server key
+openssl ca -batch -config intermediate.cnf -extensions server_cert -days 5 -notext -md sha256 -in server.csr.pem -out server.cert.pem
+if [ $? -ne 0 ]; then
+ echo "*** Fail; server sign"
+ exit 1
+fi
+
+# make a client certificate
+
+openssl genrsa -out client.key.pem 2048
+if [ $? -ne 0]; then
+ echo "*** Fail; genrsa client"
+ exit 1
+fi
+
+openssl req -batch -config intermediate.cnf \
+ -key client.key.pem \
+ -new -sha256 -out client.csr.pem \
+ -subj '/CN=client/O=OpenBSD/OU=So and Sos/C=CA'
+if [ $? -ne 0]; then
+ echo "*** Fail; client req"
+ exit 1
+fi
+
+# sign client key
+openssl ca -batch -config intermediate.cnf -extensions usr_cert -days 5 -notext -md sha256 -in client.csr.pem -out client.cert.pem
+if [ $? -ne 0 ]; then
+ echo "*** Fail; client sign"
+ exit 1
+fi
+
+# Verify Intermediate
+openssl verify -purpose sslserver -CAfile chain.pem server.cert.pem
+if [ $? -ne 0 ]; then
+ echo "*** Fail; server cert does not validate"
+ exit 1
+fi
+
+# Verify Intermediate
+openssl verify -purpose sslclient -CAfile chain.pem client.cert.pem
+if [ $? -ne 0 ]; then
+ echo "*** Fail; client cert does not validate"
+ exit 1
+fi
+
diff --git a/regress/lib/libcrypto/CA/index.txt b/regress/lib/libcrypto/CA/index.txt
new file mode 100644
index 00000000000..e69de29bb2d
--- /dev/null
+++ b/regress/lib/libcrypto/CA/index.txt
diff --git a/regress/lib/libcrypto/CA/intermediate.cnf b/regress/lib/libcrypto/CA/intermediate.cnf
new file mode 100644
index 00000000000..383f8f0b9be
--- /dev/null
+++ b/regress/lib/libcrypto/CA/intermediate.cnf
@@ -0,0 +1,129 @@
+# For regression tests
+default_ca = CA_regress
+
+[ CA_regress ]
+# Directory and file locations.
+dir = .
+certs = $dir
+crl_dir = $dir
+database = $dir/int.txt
+serial = $dir/intserial
+new_certs_dir = $dir
+
+# The root key and root certificate.
+private_key = $dir/intermediate.key.pem
+certificate = $dir/intermediate.cert.pem
+
+# For certificate revocation lists.
+crlnumber = $dir/crlnumber
+crl = $dir/ca.crl.pem
+crl_extensions = crl_ext
+default_crl_days = 30
+
+# SHA-1 is deprecated, so use SHA-2 instead.
+default_md = sha256
+
+name_opt = ca_default
+cert_opt = ca_default
+default_days = 10
+preserve = no
+policy = policy_loose
+
+[ policy_strict ]
+# The root CA should only sign intermediate certificates that match.
+# See the POLICY FORMAT section of `man ca`.
+countryName = match
+stateOrProvinceName = match
+organizationName = match
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+
+[ policy_loose ]
+# Allow the intermediate CA to sign a more diverse range of certificates.
+# See the POLICY FORMAT section of the `ca` man page.
+countryName = optional
+stateOrProvinceName = optional
+localityName = optional
+organizationName = optional
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+
+[ req ]
+# Options for the `req` tool (`man req`).
+default_bits = 2048
+distinguished_name = req_distinguished_name
+string_mask = utf8only
+
+# SHA-1 is deprecated, so use SHA-2 instead.
+default_md = sha256
+
+# Extension to add when the -x509 option is used.
+x509_extensions = v3_ca
+
+[ req_distinguished_name ]
+# See <https://en.wikipedia.org/wiki/Certificate_signing_request>.
+countryName = Country Name (2 letter code)
+stateOrProvinceName = State or Province Name
+localityName = Locality Name
+0.organizationName = Organization Name
+organizationalUnitName = Organizational Unit Name
+commonName = Common Name
+emailAddress = Email Address
+
+# Optionally, specify some defaults.
+countryName_default = CA
+stateOrProvinceName_default = Alberta
+localityName_default = Edmonton
+0.organizationName_default = OpenBSD
+organizationalUnitName_default = So and Sos
+emailAddress_default = evilsoandsos@openbsd.org
+commonName_default = Regress Intermediate CA
+
+[ v3_ca ]
+# Extensions for a typical CA (`man x509v3_config`).
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+basicConstraints = critical, CA:true
+keyUsage = critical, digitalSignature, cRLSign, keyCertSign
+
+[ v3_intermediate_ca ]
+# Extensions for a typical intermediate CA (`man x509v3_config`).
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+basicConstraints = critical, CA:true, pathlen:0
+keyUsage = critical, digitalSignature, cRLSign, keyCertSign
+
+[ usr_cert ]
+# Extensions for client certificates (`man x509v3_config`).
+basicConstraints = CA:FALSE
+nsCertType = client, email
+nsComment = "OpenSSL Generated Client Certificate"
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer
+keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
+extendedKeyUsage = clientAuth, emailProtection
+
+[ server_cert ]
+# Extensions for server certificates (`man x509v3_config`).
+basicConstraints = CA:FALSE
+nsCertType = server
+nsComment = "OpenSSL Generated Server Certificate"
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer:always
+keyUsage = critical, digitalSignature, keyEncipherment
+extendedKeyUsage = serverAuth
+
+[ crl_ext ]
+# Extension for CRLs (`man x509v3_config`).
+authorityKeyIdentifier=keyid:always
+
+[ ocsp ]
+# Extension for OCSP signing certificates (`man ocsp`).
+basicConstraints = CA:FALSE
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer
+keyUsage = critical, digitalSignature
+extendedKeyUsage = critical, OCSPSigning
+
diff --git a/regress/lib/libcrypto/CA/root.cnf b/regress/lib/libcrypto/CA/root.cnf
new file mode 100644
index 00000000000..7915a6ab0e3
--- /dev/null
+++ b/regress/lib/libcrypto/CA/root.cnf
@@ -0,0 +1,129 @@
+# For regression tests
+default_ca = CA_regress
+
+[ CA_regress ]
+# Directory and file locations.
+dir = .
+certs = $dir
+crl_dir = $dir
+database = $dir/root.txt
+serial = $dir/rootserial
+new_certs_dir = $dir
+
+# The root key and root certificate.
+private_key = $dir/root.key.pem
+certificate = $dir/root.cert.pem
+
+# For certificate revocation lists.
+crlnumber = $dir/crlnumber
+crl = $dir/ca.crl.pem
+crl_extensions = crl_ext
+default_crl_days = 30
+
+# SHA-1 is deprecated, so use SHA-2 instead.
+default_md = sha256
+
+name_opt = ca_default
+cert_opt = ca_default
+default_days = 375
+preserve = no
+policy = policy_strict
+
+[ policy_strict ]
+# The root CA should only sign intermediate certificates that match.
+# See the POLICY FORMAT section of `man ca`.
+countryName = match
+stateOrProvinceName = match
+organizationName = match
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+
+[ policy_loose ]
+# Allow the intermediate CA to sign a more diverse range of certificates.
+# See the POLICY FORMAT section of the `ca` man page.
+countryName = optional
+stateOrProvinceName = optional
+localityName = optional
+organizationName = optional
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+
+[ req ]
+# Options for the `req` tool (`man req`).
+default_bits = 2048
+distinguished_name = req_distinguished_name
+string_mask = utf8only
+
+# SHA-1 is deprecated, so use SHA-2 instead.
+default_md = sha256
+
+# Extension to add when the -x509 option is used.
+x509_extensions = v3_ca
+
+[ req_distinguished_name ]
+# See <https://en.wikipedia.org/wiki/Certificate_signing_request>.
+countryName = Country Name (2 letter code)
+stateOrProvinceName = State or Province Name
+localityName = Locality Name
+0.organizationName = Organization Name
+organizationalUnitName = Organizational Unit Name
+commonName = Common Name
+emailAddress = Email Address
+
+# Optionally, specify some defaults.
+countryName_default = CA
+stateOrProvinceName_default = Alberta
+localityName_default = Edmonton
+0.organizationName_default = OpenBSD
+organizationalUnitName_default = So and Sos
+emailAddress_default = evilsoandsos@openbsd.org
+commonName_default = Regress Root CA
+
+[ v3_ca ]
+# Extensions for a typical CA (`man x509v3_config`).
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+basicConstraints = critical, CA:true
+keyUsage = critical, digitalSignature, cRLSign, keyCertSign
+
+[ v3_intermediate_ca ]
+# Extensions for a typical intermediate CA (`man x509v3_config`).
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+basicConstraints = critical, CA:true, pathlen:0
+keyUsage = critical, digitalSignature, cRLSign, keyCertSign
+
+[ usr_cert ]
+# Extensions for client certificates (`man x509v3_config`).
+basicConstraints = CA:FALSE
+nsCertType = client, email
+nsComment = "OpenSSL Generated Client Certificate"
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer
+keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
+extendedKeyUsage = clientAuth, emailProtection
+
+[ server_cert ]
+# Extensions for server certificates (`man x509v3_config`).
+basicConstraints = CA:FALSE
+nsCertType = server
+nsComment = "OpenSSL Generated Server Certificate"
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer:always
+keyUsage = critical, digitalSignature, keyEncipherment
+extendedKeyUsage = serverAuth
+
+[ crl_ext ]
+# Extension for CRLs (`man x509v3_config`).
+authorityKeyIdentifier=keyid:always
+
+[ ocsp ]
+# Extension for OCSP signing certificates (`man ocsp`).
+basicConstraints = CA:FALSE
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer
+keyUsage = critical, digitalSignature
+extendedKeyUsage = critical, OCSPSigning
+