authorAlexander Bluhm <bluhm@cvs.openbsd.org>2020-12-26 00:48:57 +0000
committerAlexander Bluhm <bluhm@cvs.openbsd.org>2020-12-26 00:48:57 +0000
commit641bade757772ac0b6ff6d42125e0937743fc852 (patch)
tree4e8a237b9b3bc79bb55f1a0cb5da01403df18fca /regress/lib
parentab01d1207da5a4d9ae00235be19f7e160a729ab6 (diff)
Convert CA regress implementation from shell script to make file.
Ensure that it works with obj directory and link regress to build.
Diffstat (limited to 'regress/lib')
-rw-r--r--regress/lib/libcrypto/CA/Makefile106
-rwxr-xr-xregress/lib/libcrypto/CA/doit.sh116
-rw-r--r--regress/lib/libcrypto/CA/intermediate.cnf9
-rw-r--r--regress/lib/libcrypto/CA/root.cnf7
-rw-r--r--regress/lib/libcrypto/Makefile3
5 files changed, 100 insertions, 141 deletions
diff --git a/regress/lib/libcrypto/CA/Makefile b/regress/lib/libcrypto/CA/Makefile
index c31c99c9465..3e445d2de00 100644
--- a/regress/lib/libcrypto/CA/Makefile
+++ b/regress/lib/libcrypto/CA/Makefile
@@ -1,21 +1,97 @@
-# $OpenBSD: Makefile,v 1.1 2017/01/25 10:29:34 beck Exp $
+# $OpenBSD: Makefile,v 1.2 2020/12/26 00:48:56 bluhm Exp $
-TESTS = \
- doit.sh
+CLEANFILES += *.pem *.serial *.txt *.attr *.old
-REGRESS_TARGETS= all_tests
+REGRESS_SETUP_ONCE += root.serial intermediate.serial
+root.serial intermediate.serial:
+ echo 1000 >$@
-CLEANFILES += \
-1000.pem client.cert.pem intermediate.cert.pem root.cert.pem server.csr.pem \
-1001.pem client.csr.pem intermediate.csr.pem root.key.pem server.key.pem \
-chain.pem client.key.pem intermediate.key.pem server.cert.pem \
-int.txt int.txt.attr int.txt.old int.txt.attr.old \
-root.txt root.txt.attr root.txt.old root.txt.attr.old \
-intserial rootserial intserial.old rootserial.old
+REGRESS_SETUP_ONCE += root.txt intermediate.txt
+root.txt intermediate.txt:
+ true >$@
-all_tests: ${TESTS}
- @for test in $>; do \
- ./$$test; \
- done
+# Vanna Vanna make me a root cert
+root.key.pem:
+ # generate root rsa 4096 key
+ openssl genrsa -out root.key.pem 4096
+
+root.cert.pem: root.cnf root.key.pem
+ # generate root req
+ openssl req -batch -config ${.CURDIR}/root.cnf -key root.key.pem \
+ -new -x509 -days 365 -sha256 -extensions v3_ca -out root.cert.pem
+
+# Make intermediate
+intermediate.key.pem:
+ # generate intermediate rsa 2048 key
+ openssl genrsa -out intermediate.key.pem 2048
+
+intermediate.csr.pem: intermediate.cnf intermediate.key.pem
+ # generate intermediate req
+ openssl req -batch -config ${.CURDIR}/intermediate.cnf -new -sha256 \
+ -key intermediate.key.pem -out intermediate.csr.pem
+
+# Sign intermediate
+intermediate.cert.pem: root.cnf root.cert.pem intermediate.csr.pem
+ # sign intermediate
+ openssl ca -batch -config ${.CURDIR}/root.cnf \
+ -extensions v3_intermediate_ca -days 10 -notext -md sha256 \
+ -in intermediate.csr.pem -out intermediate.cert.pem
+
+REGRESS_TARGETS += run-verify-intermediate
+# Verify Intermediate
+run-verify-intermediate: root.cert.pem intermediate.cert.pem
+ # validate intermediate CA
+ openssl verify -CAfile root.cert.pem intermediate.cert.pem
+
+chain.pem: intermediate.cert.pem root.cert.pem
+ cat intermediate.cert.pem root.cert.pem > chain.pem
+
+# Make a server certificate
+server.key.pem:
+ # genrsa server
+ openssl genrsa -out server.key.pem 2048
+
+server.csr.pem: intermediate.cnf server.key.pem
+ # server req
+ openssl req -batch -config ${.CURDIR}/intermediate.cnf -new -sha256 \
+ -subj '/CN=server/O=OpenBSD/OU=So and Sos/C=CA' \
+ -key server.key.pem -out server.csr.pem
+
+# Sign server key
+server.cert.pem: intermediate.cnf intermediate.cert.pem server.csr.pem
+ # server sign
+ openssl ca -batch -config ${.CURDIR}/intermediate.cnf \
+ -extensions server_cert -days 5 -notext -md sha256 \
+ -in server.csr.pem -out server.cert.pem
+
+# Make a client certificate
+client.key.pem:
+ # genrsa client
+ openssl genrsa -out client.key.pem 2048
+
+client.csr.pem: intermediate.cnf intermediate.cert.pem client.key.pem
+ # client req
+ openssl req -batch -config ${.CURDIR}/intermediate.cnf -new -sha256 \
+ -subj '/CN=client/O=OpenBSD/OU=So and Sos/C=CA' \
+ -key client.key.pem -out client.csr.pem
+
+# Sign client key
+client.cert.pem: intermediate.cnf intermediate.txt client.csr.pem
+ # client sign
+ openssl ca -batch -config ${.CURDIR}/intermediate.cnf \
+ -extensions usr_cert -days 5 -notext -md sha256 \
+ -in client.csr.pem -out client.cert.pem
+
+REGRESS_TARGETS += run-verify-server
+# Verify Intermediate
+run-verify-server: chain.pem server.cert.pem
+ # validate server cert
+ openssl verify -purpose sslserver -CAfile chain.pem server.cert.pem
+
+REGRESS_TARGETS += run-verify-client
+# Verify Intermediate
+run-verify-client: chain.pem client.cert.pem
+ # validate client cert
+ openssl verify -purpose sslclient -CAfile chain.pem client.cert.pem
.include <bsd.regress.mk>
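Review bot: The prerequisites of the two client rules look misplaced compared with the server rules: `client.csr.pem` lists `intermediate.cert.pem`, which its `openssl req` recipe never names, while `client.cert.pem` lists `intermediate.txt` but not the intermediate certificate that `openssl ca -config ${.CURDIR}/intermediate.cnf` signs with (the `server.cert.pem` rule does list it). The build order still comes out right because the CSR rule pulls the intermediate certificate in indirectly, but I would write them as `client.csr.pem: intermediate.cnf client.key.pem` and `client.cert.pem: intermediate.cnf intermediate.cert.pem client.csr.pem`. Keeping `intermediate.txt` as a normal prerequisite also looks fragile: both signing recipes presumably rewrite that database and `intermediate.serial`, so `client.cert.pem` can appear out of date on a rerun, and the two `openssl ca` calls would collide if ever run in parallel. The `# Verify Intermediate` comments above `run-verify-server` and `run-verify-client` are carried over from the script and should read `# Verify server certificate` and `# Verify client certificate`.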
diff --git a/regress/lib/libcrypto/CA/doit.sh b/regress/lib/libcrypto/CA/doit.sh
deleted file mode 100755
index 110d89d67f3..00000000000
--- a/regress/lib/libcrypto/CA/doit.sh
+++ /dev/null
@@ -1,116 +0,0 @@
-#!/bin/sh
-# $OpenBSD: doit.sh,v 1.2 2018/07/17 17:06:49 tb Exp $
-
-rm -rf root intermediate certs
-echo 1000 > rootserial
-cat /dev/null > root.txt
-echo 1000 > intserial
-cat /dev/null > int.txt
-
-# Vanna Vanna make me a root cert
-openssl genrsa -out root.key.pem 4096
-if [ $? -ne 0 ]; then
- echo "*** Fail; Can't generate root rsa 4096 key"
- exit 1
-fi
-
-openssl req -batch -config root.cnf -key root.key.pem -new -x509 -days 365 -sha256 -extensions v3_ca -out root.cert.pem
-if [ $? -ne 0 ]; then
- echo "*** Fail; Can't generate root req"
- exit 1
-fi
-
-# Make intermediate
-openssl genrsa -out intermediate.key.pem 2048
-if [ $? -ne 0 ]; then
- echo "*** Fail; Can't generate intermediate rsa 2048 key"
- exit 1
-fi
-
-openssl req -batch -config intermediate.cnf -new -sha256 \
- -key intermediate.key.pem \
- -out intermediate.csr.pem
-if [ $? -ne 0 ]; then
- echo "*** Fail; Can't generate intermediate req"
- exit 1
-fi
-
-# Sign intermediate
-openssl ca -batch -config root.cnf -extensions v3_intermediate_ca -days 10 -notext -md sha256 -in intermediate.csr.pem -out intermediate.cert.pem
-if [ $? -ne 0 ]; then
- echo "*** Fail; Can't sign intermediate"
- exit 1
-fi
-
-# Verify Intermediate
-openssl verify -CAfile ca.cert.pem intermediate.cert.pem
-if [ $? -ne 0]; then
- echo "*** Fail; Intermediate CA does not validate"
- exit 1
-fi
-
-cat intermediate.cert.pem root.cert.pem > chain.pem
-
-# make a server certificate
-
-openssl genrsa -out server.key.pem 2048
-if [ $? -ne 0]; then
- echo "*** Fail; genrsa server"
- exit 1
-fi
-
-
-openssl req -batch -config intermediate.cnf \
- -key server.key.pem \
- -new -sha256 -out server.csr.pem \
- -subj '/CN=server/O=OpenBSD/OU=So and Sos/C=CA'
-if [ $? -ne 0]; then
- echo "*** Fail; server req"
- exit 1
-fi
-
-# sign server key
-openssl ca -batch -config intermediate.cnf -extensions server_cert -days 5 -notext -md sha256 -in server.csr.pem -out server.cert.pem
-if [ $? -ne 0 ]; then
- echo "*** Fail; server sign"
- exit 1
-fi
-
-# make a client certificate
-
-openssl genrsa -out client.key.pem 2048
-if [ $? -ne 0]; then
- echo "*** Fail; genrsa client"
- exit 1
-fi
-
-openssl req -batch -config intermediate.cnf \
- -key client.key.pem \
- -new -sha256 -out client.csr.pem \
- -subj '/CN=client/O=OpenBSD/OU=So and Sos/C=CA'
-if [ $? -ne 0]; then
- echo "*** Fail; client req"
- exit 1
-fi
-
-# sign client key
-openssl ca -batch -config intermediate.cnf -extensions usr_cert -days 5 -notext -md sha256 -in client.csr.pem -out client.cert.pem
-if [ $? -ne 0 ]; then
- echo "*** Fail; client sign"
- exit 1
-fi
-
-# Verify Intermediate
-openssl verify -purpose sslserver -CAfile chain.pem server.cert.pem
-if [ $? -ne 0 ]; then
- echo "*** Fail; server cert does not validate"
- exit 1
-fi
-
-# Verify Intermediate
-openssl verify -purpose sslclient -CAfile chain.pem client.cert.pem
-if [ $? -ne 0 ]; then
- echo "*** Fail; client cert does not validate"
- exit 1
-fi
-
diff --git a/regress/lib/libcrypto/CA/intermediate.cnf b/regress/lib/libcrypto/CA/intermediate.cnf
index 9a95487c00d..bbf189d2682 100644
--- a/regress/lib/libcrypto/CA/intermediate.cnf
+++ b/regress/lib/libcrypto/CA/intermediate.cnf
@@ -1,4 +1,4 @@
-# $OpenBSD: intermediate.cnf,v 1.2 2018/07/17 17:06:49 tb Exp $
+# $OpenBSD: intermediate.cnf,v 1.3 2020/12/26 00:48:56 bluhm Exp $
# For regression tests
default_ca = CA_regress
@@ -7,9 +7,9 @@ default_ca = CA_regress
dir = .
certs = $dir
crl_dir = $dir
-database = $dir/int.txt
-serial = $dir/intserial
-new_certs_dir = $dir
+database = $dir/intermediate.txt
+serial = $dir/intermediate.serial
+new_certs_dir = $dir
# The root key and root certificate.
private_key = $dir/intermediate.key.pem
@@ -127,4 +127,3 @@ subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
keyUsage = critical, digitalSignature
extendedKeyUsage = critical, OCSPSigning
-
diff --git a/regress/lib/libcrypto/CA/root.cnf b/regress/lib/libcrypto/CA/root.cnf
index b22e1614769..506542e943b 100644
--- a/regress/lib/libcrypto/CA/root.cnf
+++ b/regress/lib/libcrypto/CA/root.cnf
@@ -1,4 +1,4 @@
-# $OpenBSD: root.cnf,v 1.2 2018/07/17 17:06:49 tb Exp $
+# $OpenBSD: root.cnf,v 1.3 2020/12/26 00:48:56 bluhm Exp $
# For regression tests
default_ca = CA_regress
@@ -8,8 +8,8 @@ dir = .
certs = $dir
crl_dir = $dir
database = $dir/root.txt
-serial = $dir/rootserial
-new_certs_dir = $dir
+serial = $dir/root.serial
+new_certs_dir = $dir
# The root key and root certificate.
private_key = $dir/root.key.pem
@@ -127,4 +127,3 @@ subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
keyUsage = critical, digitalSignature
extendedKeyUsage = critical, OCSPSigning
-
diff --git a/regress/lib/libcrypto/Makefile b/regress/lib/libcrypto/Makefile
index 7ec659bfc26..6f7b024c47d 100644
--- a/regress/lib/libcrypto/Makefile
+++ b/regress/lib/libcrypto/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.40 2020/09/18 10:19:31 tb Exp $
+# $OpenBSD: Makefile,v 1.41 2020/12/26 00:48:56 bluhm Exp $
SUBDIR += aead
SUBDIR += aeswrap
@@ -7,6 +7,7 @@ SUBDIR += base64
SUBDIR += bf
SUBDIR += bio
SUBDIR += bn
+SUBDIR += CA
SUBDIR += cast
SUBDIR += certs
SUBDIR += chacha