Scripts to generate verify test certs
Reviewed-by: Richard Levitte <levitte@openssl.org>
This commit is contained in:
parent
6e32825631
commit
8478351737
167
test/certs/mkcert.sh
Executable file
167
test/certs/mkcert.sh
Executable file
@ -0,0 +1,167 @@
|
||||
#! /bin/bash
|
||||
#
|
||||
# Copyright (c) 2016 Viktor Dukhovni <openssl-users@dukhovni.org>.
|
||||
# All rights reserved.
|
||||
#
|
||||
# Contributed to the OpenSSL project under the terms of the OpenSSL license
|
||||
# included with the version of the OpenSSL software that includes this module.
|
||||
|
||||
# 100 years should be enough for now
|
||||
#
|
||||
DAYS=36525
|
||||
|
||||
stderr_onerror() {
|
||||
(
|
||||
err=$("$@" >&3 2>&1) || {
|
||||
printf "%s\n" "$err" >&2
|
||||
exit 1
|
||||
}
|
||||
) 3>&1
|
||||
}
|
||||
|
||||
key() {
|
||||
local key=$1; shift
|
||||
|
||||
local alg=rsa
|
||||
if [ -n "$OPENSSL_KEYALG" ]; then
|
||||
alg=$OPENSSL_KEYALG
|
||||
fi
|
||||
|
||||
local bits=2048
|
||||
if [ -n "$OPENSSL_KEYBITS" ]; then
|
||||
bits=$OPENSSL_KEYBITS
|
||||
fi
|
||||
|
||||
if [ ! -f "${key}.pem" ]; then
|
||||
args=(-algorithm "$alg")
|
||||
case $alg in
|
||||
rsa) args=("${args[@]}" -pkeyopt rsa_keygen_bits:$bits );;
|
||||
ecdsa) args=("${args[@]}" -pkeyopt "ec_paramgen_curve:$bits")
|
||||
args=("${args[@]}" -pkeyopt ec_param_enc:named_curve);;
|
||||
*) printf "Unsupported key algorithm: %s\n" "$alg" >&2; return 1;;
|
||||
esac
|
||||
stderr_onerror \
|
||||
openssl genpkey "${args[@]}" -out "${key}.pem"
|
||||
fi
|
||||
}
|
||||
|
||||
req() {
|
||||
local key=$1; shift
|
||||
local cn=$1; shift
|
||||
|
||||
key "$key"
|
||||
local errs
|
||||
|
||||
stderr_onerror \
|
||||
openssl req -new -sha256 -key "${key}.pem" \
|
||||
-config <(printf "[req]\n%s\n%s\n[dn]\nCN=%s\n" \
|
||||
"prompt = no" "distinguished_name = dn" "${cn}")
|
||||
}
|
||||
|
||||
req_nocn() {
|
||||
local key=$1; shift
|
||||
|
||||
key "$key"
|
||||
stderr_onerror \
|
||||
openssl req -new -sha256 -subj / -key "${key}.pem" \
|
||||
-config <(printf "[req]\n%s\n[dn]\nCN_default =\n" \
|
||||
"distinguished_name = dn")
|
||||
}
|
||||
|
||||
cert() {
|
||||
local cert=$1; shift
|
||||
local exts=$1; shift
|
||||
|
||||
stderr_onerror \
|
||||
openssl x509 -req -sha256 -out "${cert}.pem" \
|
||||
-extfile <(printf "%s\n" "$exts") "$@"
|
||||
}
|
||||
|
||||
genroot() {
|
||||
local cn=$1; shift
|
||||
local key=$1; shift
|
||||
local cert=$1; shift
|
||||
local skid="subjectKeyIdentifier = hash"
|
||||
local akid="authorityKeyIdentifier = keyid"
|
||||
|
||||
exts=$(printf "%s\n%s\n%s\n" "$skid" "$akid" "basicConstraints = CA:true")
|
||||
csr=$(req "$key" "$cn") || return 1
|
||||
echo "$csr" |
|
||||
cert "$cert" "$exts" -signkey "${key}.pem" -set_serial 1 -days "${DAYS}"
|
||||
}
|
||||
|
||||
genca() {
|
||||
local cn=$1; shift
|
||||
local key=$1; shift
|
||||
local cert=$1; shift
|
||||
local cakey=$1; shift
|
||||
local cacert=$1; shift
|
||||
local skid="subjectKeyIdentifier = hash"
|
||||
local akid="authorityKeyIdentifier = keyid"
|
||||
|
||||
exts=$(printf "%s\n%s\n%s\n" "$skid" "$akid" "basicConstraints = CA:true")
|
||||
csr=$(req "$key" "$cn") || return 1
|
||||
echo "$csr" |
|
||||
cert "$cert" "$exts" -CA "${cacert}.pem" -CAkey "${cakey}.pem" \
|
||||
-set_serial 2 -days "${DAYS}" "$@"
|
||||
}
|
||||
|
||||
genee() {
|
||||
local OPTIND=1
|
||||
local purpose=serverAuth
|
||||
|
||||
while getopts p: o
|
||||
do
|
||||
case $o in
|
||||
p) purpose="$OPTARG";;
|
||||
*) echo "Usage: $0 genee [-p EKU] cn keyname certname cakeyname cacertname" >&2
|
||||
return 1;;
|
||||
esac
|
||||
done
|
||||
|
||||
shift $((OPTIND - 1))
|
||||
local cn=$1; shift
|
||||
local key=$1; shift
|
||||
local cert=$1; shift
|
||||
local cakey=$1; shift
|
||||
local ca=$1; shift
|
||||
|
||||
exts=$(printf "%s\n%s\n%s\n%s\n%s\n[alts]\n%s\n" \
|
||||
"subjectKeyIdentifier = hash" \
|
||||
"authorityKeyIdentifier = keyid, issuer" \
|
||||
"basicConstraints = CA:false" \
|
||||
"extendedKeyUsage = $purpose" \
|
||||
"subjectAltName = @alts" "DNS=${cn}")
|
||||
csr=$(req "$key" "$cn") || return 1
|
||||
echo "$csr" |
|
||||
cert "$cert" "$exts" -CA "${ca}.pem" -CAkey "${cakey}.pem" \
|
||||
-set_serial 2 -days "${DAYS}" "$@"
|
||||
}
|
||||
|
||||
genss() {
|
||||
local cn=$1; shift
|
||||
local key=$1; shift
|
||||
local cert=$1; shift
|
||||
|
||||
exts=$(printf "%s\n%s\n%s\n%s\n%s\n[alts]\n%s\n" \
|
||||
"subjectKeyIdentifier = hash" \
|
||||
"authorityKeyIdentifier = keyid, issuer" \
|
||||
"basicConstraints = CA:false" \
|
||||
"extendedKeyUsage = serverAuth" \
|
||||
"subjectAltName = @alts" "DNS=${cn}")
|
||||
csr=$(req "$key" "$cn") || return 1
|
||||
echo "$csr" |
|
||||
cert "$cert" "$exts" -signkey "${key}.pem" \
|
||||
-set_serial 1 -days "${DAYS}" "$@"
|
||||
}
|
||||
|
||||
gennocn() {
|
||||
local key=$1; shift
|
||||
local cert=$1; shift
|
||||
|
||||
csr=$(req_nocn "$key") || return 1
|
||||
echo "$csr" |
|
||||
cert "$cert" "" -signkey "${key}.pem" -set_serial 1 -days -1 "$@"
|
||||
}
|
||||
|
||||
"$@"
|
55
test/certs/setup.sh
Executable file
55
test/certs/setup.sh
Executable file
@ -0,0 +1,55 @@
|
||||
#! /bin/sh
|
||||
|
||||
# Primary root: root-cert
|
||||
# root certs variants: CA:false, key2, DN2
|
||||
# trust variants: +serverAuth -serverAuth +clientAuth
|
||||
#
|
||||
./mkcert.sh genroot "Root CA" root-key root-cert
|
||||
./mkcert.sh genss "Root CA" root-key root-nonca
|
||||
./mkcert.sh genroot "Root CA" root-key2 root-cert2
|
||||
./mkcert.sh genroot "Root Cert 2" root-key root-name2
|
||||
#
|
||||
openssl x509 -in root-cert.pem -trustout \
|
||||
-addtrust serverAuth -out root+serverAuth.pem
|
||||
openssl x509 -in root-cert.pem -trustout \
|
||||
-addreject serverAuth -out root-serverAuth.pem
|
||||
openssl x509 -in root-cert.pem -trustout \
|
||||
-addtrust clientAuth -out root+clientAuth.pem
|
||||
|
||||
# Primary intermediate ca: ca-cert
|
||||
# ca variants: CA:false, key2, DN2, issuer2, expired
|
||||
# trust variants: +serverAuth, -serverAuth, +clientAuth
|
||||
#
|
||||
./mkcert.sh genca "CA" ca-key ca-cert root-key root-cert
|
||||
./mkcert.sh genee "CA" ca-key ca-nonca root-key root-cert
|
||||
./mkcert.sh genca "CA" ca-key2 ca-cert2 root-key root-cert
|
||||
./mkcert.sh genca "CA2" ca-key ca-name2 root-key root-cert
|
||||
./mkcert.sh genca "CA" ca-key ca-root2 root-key2 root-cert2
|
||||
./mkcert.sh genca "CA" ca-key ca-expired root-key root-cert -days -1
|
||||
#
|
||||
openssl x509 -in ca-cert.pem -trustout \
|
||||
-addtrust serverAuth -out ca+serverAuth.pem
|
||||
openssl x509 -in ca-cert.pem -trustout \
|
||||
-addreject serverAuth -out ca-serverAuth.pem
|
||||
openssl x509 -in ca-cert.pem -trustout \
|
||||
-addtrust clientAuth -out ca+clientAuth.pem
|
||||
|
||||
# Primary leaf cert: ee-cert
|
||||
# ee variants: expired, issuer-key2, issuer-name2
|
||||
# trust variants: +serverAuth, -serverAuth, +clientAuth, -clientAuth
|
||||
# purpose variants: client
|
||||
#
|
||||
./mkcert.sh genee server.example ee-key ee-cert ca-key ca-cert
|
||||
./mkcert.sh genee server.example ee-key ee-expired ca-key ca-cert -days -1
|
||||
./mkcert.sh genee server.example ee-key ee-cert2 ca-key2 ca-cert2
|
||||
./mkcert.sh genee server.example ee-key ee-name2 ca-key ca-name2
|
||||
./mkcert.sh genee -p clientAuth server.example ee-key ee-client ca-key ca-cert
|
||||
#
|
||||
openssl x509 -in ee-cert.pem -trustout \
|
||||
-addtrust serverAuth -out ee+serverAuth.pem
|
||||
openssl x509 -in ee-cert.pem -trustout \
|
||||
-addreject serverAuth -out ee-serverAuth.pem
|
||||
openssl x509 -in ee-client.pem -trustout \
|
||||
-addtrust clientAuth -out ee+clientAuth.pem
|
||||
openssl x509 -in ee-client.pem -trustout \
|
||||
-addreject clientAuth -out ee-clientAuth.pem
|
Loading…
x
Reference in New Issue
Block a user