Add x509 certificate validation regression tests

The validation tests are originaly createtd by Steffen Ullrich. OK tb@ No objection jsing@
author: jan <> 2021-02-16 21:39:17 +0000
committer: jan <> 2021-02-16 21:39:17 +0000
commit: eae607b14c32520d0f00ba84ea11eab9af6f151c (patch)
tree: 376c45d2715913e4d706075a999dcb5067ec8d62
parent: 972d2a7aab0f7cf4db8798e6f47311550728f254 (diff)
download: openbsd-eae607b14c32520d0f00ba84ea11eab9af6f151c.tar.gz
openbsd-eae607b14c32520d0f00ba84ea11eab9af6f151c.tar.bz2
openbsd-eae607b14c32520d0f00ba84ea11eab9af6f151c.zip
3 files changed, 242 insertions, 2 deletions
diff --git a/src/regress/usr.bin/openssl/Makefile b/src/regress/usr.bin/openssl/Makefile
index 0ef7928ea4..d41b65a3f4 100644
--- a/src/regress/usr.bin/openssl/Makefile
+++ b/src/regress/usr.bin/openssl/Makefile
@@ -1,6 +1,6 @@
-#       $OpenBSD: Makefile,v 1.6 2018/03/19 03:41:40 beck Exp $
+#       $OpenBSD: Makefile,v 1.7 2021/02/16 21:39:17 jan Exp $
-SUBDIR= options
+SUBDIR= options x509
 CLEANFILES+= testdsa.key testdsa.pem rsakey.pem rsacert.pem dsa512.pem
 CLEANFILES+= appstest_dir
diff --git a/src/regress/usr.bin/openssl/x509/Makefile b/src/regress/usr.bin/openssl/x509/Makefile
new file mode 100644
index 0000000000..b20cb1d9bd
--- /dev/null
+++ b/src/regress/usr.bin/openssl/x509/Makefile
@@ -0,0 +1,129 @@
+# $OpenBSD: Makefile,v 1.1 2021/02/16 21:39:17 jan Exp $
+# Copyright (c) 2021 Jan Klemkow <j.klemkow@wemelug.de>
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+# This regression test is based on manual test descriptions from:
+# https://github.com/noxxi/libressl-tests
+# The following port must be installed for the regression tests:
+# p5-IO-Socket-SSL      perl interface to SSL sockets
+PERL =          perl
+OPENSSL ?=      openssl
+PKG_REQUIRE != pkg_info -e 'p5-IO-Socket-SSL-*'
+.if empty (PKG_REQUIRE)
+regress:
+        @echo "missing package p5-IO-Socket-SSL"
+        @echo SKIPPED
+.endif
+REGRESS_TARGETS +=      test-inlabel-wildcard-cert-no-CA-client
+REGRESS_TARGETS +=      test-inlabel-wildcard-cert-CA-client
+REGRESS_TARGETS +=      test-common-wildcard-cert-no-CA-client
+REGRESS_TARGETS +=      test-common-wildcard-cert-CA-client
+REGRESS_TARGETS +=      test-verify-unusual-wildcard-cert
+REGRESS_TARGETS +=      test-openssl-verify-common-wildcard-cert
+REGRESS_TARGETS +=      test-chain-certificates-s_server
+REGRESS_TARGETS +=      test-alternative-chain
+REGRESS_CLEANUP =       cleanup-ssl
+REGRESS_SETUP_ONCE =    create-libressl-test-certs
+REGRESS_EXPECTED_FAILURES +=    test-unusual-wildcard-cert-no-CA-client
+REGRESS_EXPECTED_FAILURES +=    test-common-wildcard-cert-no-CA-client
+REGRESS_EXPECTED_FAILURES +=    test-common-wildcard-cert-CA-client
+REGRESS_EXPECTED_FAILURES +=    test-verify-unusual-wildcard-cert
+create-libressl-test-certs: create-libressl-test-certs.pl
+        ${PERL} ${.CURDIR}/$@.pl
+cleanup-ssl:
+        rm *.pem *.key
+test-inlabel-wildcard-cert-no-CA-client:
+        # unusual wildcard cert, no CA given to client
+        # start server
+        ${OPENSSL} s_server -cert server-unusual-wildcard.pem \
+            -key server-unusual-wildcard.pem & \
+            timeout=$$(($$(date +%s) + 5)); \
+            while fstat -p $$! | ! grep -q 'tcp .* \*:4433$$'; \
+                do test $$(date +%s) -lt $$timeout || exit 1; done
+        # start client
+        echo "Q" | ${OPENSSL} s_client -verify_return_error \
+            | grep "Verify return code: 21"
+test-inlabel-wildcard-cert-CA-client:
+        # unusual wildcard cert, CA given to client
+        # start server
+        ${OPENSSL} s_server -cert server-unusual-wildcard.pem \
+            -key server-unusual-wildcard.pem & \
+            timeout=$$(($$(date +%s) + 5)); \
+            while fstat -p $$! | ! grep -q 'tcp .* \*:4433$$'; \
+                do test $$(date +%s) -lt $$timeout || exit 1; done
+        # start client
+        echo "Q" | ${OPENSSL} s_client -CAfile caR.pem \
+            | grep "Verify return code: 0"
+test-common-wildcard-cert-no-CA-client:
+        # common wildcard cert, no CA given to client
+        # start server
+        ${OPENSSL} s_server -cert server-common-wildcard.pem \
+            -key server-common-wildcard.pem & \
+            timeout=$$(($$(date +%s) + 5)); \
+            while fstat -p $$! | ! grep -q 'tcp .* \*:4433$$'; \
+                do test $$(date +%s) -lt $$timeout || exit 1; done
+        # start client
+        echo "Q" | ${OPENSSL} s_client \
+            | grep "Verify return code: 21"
+test-common-wildcard-cert-CA-client:
+        # common wildcard cert, CA given to client
+        # start server
+        ${OPENSSL} s_server -cert server-unusual-wildcard.pem \
+            -key server-unusual-wildcard.pem & \
+            timeout=$$(($$(date +%s) + 5)); \
+            while fstat -p $$! | ! grep -q 'tcp .* \*:4433$$'; \
+                do test $$(date +%s) -lt $$timeout || exit 1; done
+        # start client
+        echo "Q" | ${OPENSSL} s_client -CAfile caR.pem \
+            | grep "Verify return code: 21"
+test-verify-unusual-wildcard-cert:
+        # openssl verify, unusual wildcard cert
+        ${OPENSSL} verify -CAfile caR.pem server-unusual-wildcard.pem \
+            | grep "server-unusual-wildcard.pem: OK"
+test-openssl-verify-common-wildcard-cert:
+        # openssl verify, common wildcard cert
+        ${OPENSSL} verify -CAfile caR.pem server-common-wildcard.pem \
+            | grep "server-common-wildcard.pem: OK"
+test-chain-certificates-s_server:
+        # Not all chain certificates are sent in s_server
+        # start server
+        # ${OPENSSL} s_server -cert server-subca.pem        -CAfile subcaR.pem
+        ${OPENSSL} s_server -cert server-subca-chainS.pem -CAfile subcaR.pem & \
+            timeout=$$(($$(date +%s) + 5)); \
+            while fstat -p $$! | ! grep -q 'tcp .* \*:4433$$'; \
+                do test $$(date +%s) -lt $$timeout || exit 1; done
+        # start client
+         ${OPENSSL} s_client -CAfile caR.pem | grep "Verify return code: 0"
+test-alternative-chain:
+        # alternative chain not found
+        ${OPENSSL} verify -verbose -trusted caR.pem -untrusted chainSX.pem \
+           server-subca.pem | grep "server-subca.pem: OK"
+.include <bsd.regress.mk>
diff --git a/src/regress/usr.bin/openssl/x509/create-libressl-test-certs.pl b/src/regress/usr.bin/openssl/x509/create-libressl-test-certs.pl
new file mode 100755
index 0000000000..fdb718aadc
--- /dev/null
+++ b/src/regress/usr.bin/openssl/x509/create-libressl-test-certs.pl
@@ -0,0 +1,111 @@
+#!/usr/bin/perl
+# Copyright (c) 2021 Steffen Ullrich <sullr@cpan.org>
+# Public Domain
+use strict;
+use warnings;
+use IO::Socket::SSL::Utils;
+# primitive CA - ROOT
+my @ca = cert(
+    CA => 1,
+    subject => { CN => 'ROOT' }
+);
+out('caR.pem', pem(crt => $ca[0]));
+out('caR.key', pem(key => $ca[1]));
+# server certificate where SAN contains in-label wildcards, which a
+# client MAY choose to accept as per RFC 6125 section 6.4.3.
+my @leafcert = cert(
+    issuer => \@ca,
+    purpose => 'server',
+    subject => { CN => 'server.local' },
+    subjectAltNames => [ 
+        [ DNS => 'bar.server.local' ],
+        [ DNS => 'www*.server.local'], 
+        [ DNS => '*.www.server.local'], 
+        [ DNS => 'foo.server.local' ],
+        [ DNS => 'server.local' ],
+    ]
+);
+out('server-unusual-wildcard.pem', pem(@leafcert));
+@leafcert = cert(
+    issuer => \@ca,
+    purpose => 'server',
+    subject => { CN => 'server.local' },
+    subjectAltNames => [ 
+        [ DNS => 'bar.server.local' ],
+        [ DNS => '*.www.server.local'], 
+        [ DNS => 'foo.server.local' ],
+        [ DNS => 'server.local' ],
+    ]
+);
+out('server-common-wildcard.pem', pem(@leafcert));
+# alternative CA - OLD_ROOT
+my @caO = cert(
+    CA => 1,
+    subject => { CN => 'OLD_ROOT' }
+);
+out('caO.pem', pem(crt => $caO[0]));
+out('caO.key', pem(key => $caO[1]));
+# alternative ROOT CA, signed by OLD_ROOT, same key as other ROOT CA
+my @caX = cert(
+    issuer => \@caO,
+    CA => 1,
+    subject => { CN => 'ROOT' },
+    key => $ca[1],
+);
+out('caX.pem', pem(crt => $caX[0]));
+out('caX.key', pem(key => $caX[1]));
+# subCA below ROOT
+my @subcaR = cert(
+    issuer => \@ca,
+    CA => 1,
+    subject => { CN => 'SubCA.of.ROOT' }
+);
+out('subcaR.pem', pem(crt => $subcaR[0]));
+out('subcaR.key', pem(key => $subcaR[1]));
+out('chainSX.pem', pem($subcaR[0]), pem($caX[0]));
+@leafcert = cert(
+    issuer => \@subcaR,
+    purpose => 'server',
+    subject => { CN => 'server.subca.local' },
+    subjectAltNames => [ 
+        [ DNS => 'server.subca.local' ],
+    ]
+);
+out('server-subca.pem', pem(@leafcert));
+out('server-subca-chainSX.pem', pem(@leafcert, $subcaR[0], $caX[0]));
+out('server-subca-chainS.pem', pem(@leafcert, $subcaR[0]));
+sub cert { CERT_create(not_after => 10*365*86400+time(), @_) }
+sub pem {
+    my @default = qw(crt key);
+    my %m = (key => \&PEM_key2string, crt => \&PEM_cert2string);
+    my $result = '';
+    while (my $f = shift(@_)) {
+        my $v;
+        if ($f =~m{^(key|crt)$}) {
+            $v = shift(@_);
+        } else {
+            $v = $f;
+            $f = shift(@default) || 'crt';
+        }
+        $f = $m{$f} || die "wrong key $f";
+        $result .= $f->($v);
+    }
+    return $result;
+}
+    
+sub out {
+    my $file = shift;
+    open(my $fh,'>',"$file") or die "failed to create $file: $!";
+    print $fh @_
+}
author	jan <>	2021-02-16 21:39:17 +0000
committer	jan <>	2021-02-16 21:39:17 +0000
commit	eae607b14c32520d0f00ba84ea11eab9af6f151c (patch)
tree	376c45d2715913e4d706075a999dcb5067ec8d62
parent	972d2a7aab0f7cf4db8798e6f47311550728f254 (diff)
download	openbsd-eae607b14c32520d0f00ba84ea11eab9af6f151c.tar.gz openbsd-eae607b14c32520d0f00ba84ea11eab9af6f151c.tar.bz2 openbsd-eae607b14c32520d0f00ba84ea11eab9af6f151c.zip

diff --git a/src/regress/usr.bin/openssl/Makefile b/src/regress/usr.bin/openssl/Makefile index 0ef7928ea4..d41b65a3f4 100644 --- a/src/regress/usr.bin/openssl/Makefile +++ b/src/regress/usr.bin/openssl/Makefile
@@ -1,6 +1,6 @@
1	# $OpenBSD: Makefile,v 1.6 2018/03/19 03:41:40 beck Exp $	1	# $OpenBSD: Makefile,v 1.7 2021/02/16 21:39:17 jan Exp $
2		2
3	SUBDIR= options	3	SUBDIR= options x509
4		4
5	CLEANFILES+= testdsa.key testdsa.pem rsakey.pem rsacert.pem dsa512.pem	5	CLEANFILES+= testdsa.key testdsa.pem rsakey.pem rsacert.pem dsa512.pem
6	CLEANFILES+= appstest_dir	6	CLEANFILES+= appstest_dir


diff --git a/src/regress/usr.bin/openssl/x509/Makefile b/src/regress/usr.bin/openssl/x509/Makefile new file mode 100644 index 0000000000..b20cb1d9bd --- /dev/null +++ b/src/regress/usr.bin/openssl/x509/Makefile
@@ -0,0 +1,129 @@
		1	# $OpenBSD: Makefile,v 1.1 2021/02/16 21:39:17 jan Exp $
		2
		3	# Copyright (c) 2021 Jan Klemkow <j.klemkow@wemelug.de>
		4	#
		5	# Permission to use, copy, modify, and distribute this software for any
		6	# purpose with or without fee is hereby granted, provided that the above
		7	# copyright notice and this permission notice appear in all copies.
		8	#
		9	# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
		10	# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
		11	# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
		12	# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
		13	# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
		14	# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
		15	# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
		16
		17	# This regression test is based on manual test descriptions from:
		18	# https://github.com/noxxi/libressl-tests
		19
		20	# The following port must be installed for the regression tests:
		21	# p5-IO-Socket-SSL perl interface to SSL sockets
		22
		23	PERL = perl
		24	OPENSSL ?= openssl
		25
		26	PKG_REQUIRE != pkg_info -e 'p5-IO-Socket-SSL-*'
		27	.if empty (PKG_REQUIRE)
		28	regress:
		29	@echo "missing package p5-IO-Socket-SSL"
		30	@echo SKIPPED
		31	.endif
		32
		33	REGRESS_TARGETS += test-inlabel-wildcard-cert-no-CA-client
		34	REGRESS_TARGETS += test-inlabel-wildcard-cert-CA-client
		35	REGRESS_TARGETS += test-common-wildcard-cert-no-CA-client
		36	REGRESS_TARGETS += test-common-wildcard-cert-CA-client
		37	REGRESS_TARGETS += test-verify-unusual-wildcard-cert
		38	REGRESS_TARGETS += test-openssl-verify-common-wildcard-cert
		39	REGRESS_TARGETS += test-chain-certificates-s_server
		40	REGRESS_TARGETS += test-alternative-chain
		41	REGRESS_CLEANUP = cleanup-ssl
		42	REGRESS_SETUP_ONCE = create-libressl-test-certs
		43
		44	REGRESS_EXPECTED_FAILURES += test-unusual-wildcard-cert-no-CA-client
		45	REGRESS_EXPECTED_FAILURES += test-common-wildcard-cert-no-CA-client
		46	REGRESS_EXPECTED_FAILURES += test-common-wildcard-cert-CA-client
		47	REGRESS_EXPECTED_FAILURES += test-verify-unusual-wildcard-cert
		48
		49	create-libressl-test-certs: create-libressl-test-certs.pl
		50	${PERL} ${.CURDIR}/$@.pl
		51
		52	cleanup-ssl:
		53	rm .pem .key
		54
		55	test-inlabel-wildcard-cert-no-CA-client:
		56	# unusual wildcard cert, no CA given to client
		57	# start server
		58	${OPENSSL} s_server -cert server-unusual-wildcard.pem \
		59	-key server-unusual-wildcard.pem & \
		60	timeout=$$(($$(date +%s) + 5)); \
		61	while fstat -p $$! \| ! grep -q 'tcp .* \*:4433$$'; \
		62	do test $$(date +%s) -lt $$timeout \|\| exit 1; done
		63	# start client
		64	echo "Q" \| ${OPENSSL} s_client -verify_return_error \
		65	\| grep "Verify return code: 21"
		66
		67	test-inlabel-wildcard-cert-CA-client:
		68	# unusual wildcard cert, CA given to client
		69	# start server
		70	${OPENSSL} s_server -cert server-unusual-wildcard.pem \
		71	-key server-unusual-wildcard.pem & \
		72	timeout=$$(($$(date +%s) + 5)); \
		73	while fstat -p $$! \| ! grep -q 'tcp .* \*:4433$$'; \
		74	do test $$(date +%s) -lt $$timeout \|\| exit 1; done
		75	# start client
		76	echo "Q" \| ${OPENSSL} s_client -CAfile caR.pem \
		77	\| grep "Verify return code: 0"
		78
		79	test-common-wildcard-cert-no-CA-client:
		80	# common wildcard cert, no CA given to client
		81	# start server
		82	${OPENSSL} s_server -cert server-common-wildcard.pem \
		83	-key server-common-wildcard.pem & \
		84	timeout=$$(($$(date +%s) + 5)); \
		85	while fstat -p $$! \| ! grep -q 'tcp .* \*:4433$$'; \
		86	do test $$(date +%s) -lt $$timeout \|\| exit 1; done
		87	# start client
		88	echo "Q" \| ${OPENSSL} s_client \
		89	\| grep "Verify return code: 21"
		90
		91	test-common-wildcard-cert-CA-client:
		92	# common wildcard cert, CA given to client
		93	# start server
		94	${OPENSSL} s_server -cert server-unusual-wildcard.pem \
		95	-key server-unusual-wildcard.pem & \
		96	timeout=$$(($$(date +%s) + 5)); \
		97	while fstat -p $$! \| ! grep -q 'tcp .* \*:4433$$'; \
		98	do test $$(date +%s) -lt $$timeout \|\| exit 1; done
		99	# start client
		100	echo "Q" \| ${OPENSSL} s_client -CAfile caR.pem \
		101	\| grep "Verify return code: 21"
		102
		103	test-verify-unusual-wildcard-cert:
		104	# openssl verify, unusual wildcard cert
		105	${OPENSSL} verify -CAfile caR.pem server-unusual-wildcard.pem \
		106	\| grep "server-unusual-wildcard.pem: OK"
		107
		108	test-openssl-verify-common-wildcard-cert:
		109	# openssl verify, common wildcard cert
		110	${OPENSSL} verify -CAfile caR.pem server-common-wildcard.pem \
		111	\| grep "server-common-wildcard.pem: OK"
		112
		113	test-chain-certificates-s_server:
		114	# Not all chain certificates are sent in s_server
		115	# start server
		116	# ${OPENSSL} s_server -cert server-subca.pem -CAfile subcaR.pem
		117	${OPENSSL} s_server -cert server-subca-chainS.pem -CAfile subcaR.pem & \
		118	timeout=$$(($$(date +%s) + 5)); \
		119	while fstat -p $$! \| ! grep -q 'tcp .* \*:4433$$'; \
		120	do test $$(date +%s) -lt $$timeout \|\| exit 1; done
		121	# start client
		122	${OPENSSL} s_client -CAfile caR.pem \| grep "Verify return code: 0"
		123
		124	test-alternative-chain:
		125	# alternative chain not found
		126	${OPENSSL} verify -verbose -trusted caR.pem -untrusted chainSX.pem \
		127	server-subca.pem \| grep "server-subca.pem: OK"
		128
		129	.include <bsd.regress.mk>


diff --git a/src/regress/usr.bin/openssl/x509/create-libressl-test-certs.pl b/src/regress/usr.bin/openssl/x509/create-libressl-test-certs.pl new file mode 100755 index 0000000000..fdb718aadc --- /dev/null +++ b/src/regress/usr.bin/openssl/x509/create-libressl-test-certs.pl
@@ -0,0 +1,111 @@
		1	#!/usr/bin/perl
		2
		3	# Copyright (c) 2021 Steffen Ullrich <sullr@cpan.org>
		4	# Public Domain
		5
		6	use strict;
		7	use warnings;
		8	use IO::Socket::SSL::Utils;
		9
		10	# primitive CA - ROOT
		11	my @ca = cert(
		12	CA => 1,
		13	subject => { CN => 'ROOT' }
		14	);
		15	out('caR.pem', pem(crt => $ca[0]));
		16	out('caR.key', pem(key => $ca[1]));
		17
		18	# server certificate where SAN contains in-label wildcards, which a
		19	# client MAY choose to accept as per RFC 6125 section 6.4.3.
		20	my @leafcert = cert(
		21	issuer => \@ca,
		22	purpose => 'server',
		23	subject => { CN => 'server.local' },
		24	subjectAltNames => [
		25	[ DNS => 'bar.server.local' ],
		26	[ DNS => 'www*.server.local'],
		27	[ DNS => '*.www.server.local'],
		28	[ DNS => 'foo.server.local' ],
		29	[ DNS => 'server.local' ],
		30	]
		31	);
		32	out('server-unusual-wildcard.pem', pem(@leafcert));
		33
		34	@leafcert = cert(
		35	issuer => \@ca,
		36	purpose => 'server',
		37	subject => { CN => 'server.local' },
		38	subjectAltNames => [
		39	[ DNS => 'bar.server.local' ],
		40	[ DNS => '*.www.server.local'],
		41	[ DNS => 'foo.server.local' ],
		42	[ DNS => 'server.local' ],
		43	]
		44	);
		45	out('server-common-wildcard.pem', pem(@leafcert));
		46
		47	# alternative CA - OLD_ROOT
		48	my @caO = cert(
		49	CA => 1,
		50	subject => { CN => 'OLD_ROOT' }
		51	);
		52	out('caO.pem', pem(crt => $caO[0]));
		53	out('caO.key', pem(key => $caO[1]));
		54
		55	# alternative ROOT CA, signed by OLD_ROOT, same key as other ROOT CA
		56	my @caX = cert(
		57	issuer => \@caO,
		58	CA => 1,
		59	subject => { CN => 'ROOT' },
		60	key => $ca[1],
		61	);
		62	out('caX.pem', pem(crt => $caX[0]));
		63	out('caX.key', pem(key => $caX[1]));
		64
		65	# subCA below ROOT
		66	my @subcaR = cert(
		67	issuer => \@ca,
		68	CA => 1,
		69	subject => { CN => 'SubCA.of.ROOT' }
		70	);
		71	out('subcaR.pem', pem(crt => $subcaR[0]));
		72	out('subcaR.key', pem(key => $subcaR[1]));
		73	out('chainSX.pem', pem($subcaR[0]), pem($caX[0]));
		74
		75	@leafcert = cert(
		76	issuer => \@subcaR,
		77	purpose => 'server',
		78	subject => { CN => 'server.subca.local' },
		79	subjectAltNames => [
		80	[ DNS => 'server.subca.local' ],
		81	]
		82	);
		83	out('server-subca.pem', pem(@leafcert));
		84	out('server-subca-chainSX.pem', pem(@leafcert, $subcaR[0], $caX[0]));
		85	out('server-subca-chainS.pem', pem(@leafcert, $subcaR[0]));
		86
		87
		88	sub cert { CERT_create(not_after => 1036586400+time(), @_) }
		89	sub pem {
		90	my @default = qw(crt key);
		91	my %m = (key => \&PEM_key2string, crt => \&PEM_cert2string);
		92	my $result = '';
		93	while (my $f = shift(@_)) {
		94	my $v;
		95	if ($f =~m{^(key\|crt)$}) {
		96	$v = shift(@_);
		97	} else {
		98	$v = $f;
		99	$f = shift(@default) \|\| 'crt';
		100	}
		101	$f = $m{$f} \|\| die "wrong key $f";
		102	$result .= $f->($v);
		103	}
		104	return $result;
		105	}
		106
		107	sub out {
		108	my $file = shift;
		109	open(my $fh,'>',"$file") or die "failed to create $file: $!";
		110	print $fh @_
		111	}