authorbluhm <>2020-12-26 00:48:56 +0000
committerbluhm <>2020-12-26 00:48:56 +0000
commit372139d1875d84b03f353b5e29bc15eaebc4e731 (patch)
tree8e19801668ace3679c2d08f51d784954a2e50fef /src/regress/lib
parent95764717d7af82e5f8e8784798747c0ec240a84b (diff)
Convert CA regress implementation from shell script to make file.
Ensure that it works with obj directory and link regress to build.
Diffstat (limited to 'src/regress/lib')
-rw-r--r--src/regress/lib/libcrypto/CA/Makefile106
-rwxr-xr-xsrc/regress/lib/libcrypto/CA/doit.sh116
-rw-r--r--src/regress/lib/libcrypto/CA/intermediate.cnf9
-rw-r--r--src/regress/lib/libcrypto/CA/root.cnf7
-rw-r--r--src/regress/lib/libcrypto/Makefile3
5 files changed, 100 insertions, 141 deletions
diff --git a/src/regress/lib/libcrypto/CA/Makefile b/src/regress/lib/libcrypto/CA/Makefile
index c31c99c946..3e445d2de0 100644
--- a/src/regress/lib/libcrypto/CA/Makefile
+++ b/src/regress/lib/libcrypto/CA/Makefile
@@ -1,21 +1,97 @@
1# $OpenBSD: Makefile,v 1.1 2017/01/25 10:29:34 beck Exp $ 1# $OpenBSD: Makefile,v 1.2 2020/12/26 00:48:56 bluhm Exp $
2 2
3TESTS = \ 3CLEANFILES += *.pem *.serial *.txt *.attr *.old
4 doit.sh
5 4
6REGRESS_TARGETS= all_tests 5REGRESS_SETUP_ONCE += root.serial intermediate.serial
6root.serial intermediate.serial:
7 echo 1000 >$@
7 8
8CLEANFILES += \ 9REGRESS_SETUP_ONCE += root.txt intermediate.txt
91000.pem client.cert.pem intermediate.cert.pem root.cert.pem server.csr.pem \ 10root.txt intermediate.txt:
101001.pem client.csr.pem intermediate.csr.pem root.key.pem server.key.pem \ 11 true >$@
11chain.pem client.key.pem intermediate.key.pem server.cert.pem \
12int.txt int.txt.attr int.txt.old int.txt.attr.old \
13root.txt root.txt.attr root.txt.old root.txt.attr.old \
14intserial rootserial intserial.old rootserial.old
15 12
16all_tests: ${TESTS} 13# Vanna Vanna make me a root cert
17 @for test in $>; do \ 14root.key.pem:
18 ./$$test; \ 15 # generate root rsa 4096 key
19 done 16 openssl genrsa -out root.key.pem 4096
17
18root.cert.pem: root.cnf root.key.pem
19 # generate root req
20 openssl req -batch -config ${.CURDIR}/root.cnf -key root.key.pem \
21 -new -x509 -days 365 -sha256 -extensions v3_ca -out root.cert.pem
22
23# Make intermediate
24intermediate.key.pem:
25 # generate intermediate rsa 2048 key
26 openssl genrsa -out intermediate.key.pem 2048
27
28intermediate.csr.pem: intermediate.cnf intermediate.key.pem
29 # generate intermediate req
30 openssl req -batch -config ${.CURDIR}/intermediate.cnf -new -sha256 \
31 -key intermediate.key.pem -out intermediate.csr.pem
32
33# Sign intermediate
34intermediate.cert.pem: root.cnf root.cert.pem intermediate.csr.pem
35 # sign intermediate
36 openssl ca -batch -config ${.CURDIR}/root.cnf \
37 -extensions v3_intermediate_ca -days 10 -notext -md sha256 \
38 -in intermediate.csr.pem -out intermediate.cert.pem
39
40REGRESS_TARGETS += run-verify-intermediate
41# Verify Intermediate
42run-verify-intermediate: root.cert.pem intermediate.cert.pem
43 # validate intermediate CA
44 openssl verify -CAfile root.cert.pem intermediate.cert.pem
45
46chain.pem: intermediate.cert.pem root.cert.pem
47 cat intermediate.cert.pem root.cert.pem > chain.pem
48
49# Make a server certificate
50server.key.pem:
51 # genrsa server
52 openssl genrsa -out server.key.pem 2048
53
54server.csr.pem: intermediate.cnf server.key.pem
55 # server req
56 openssl req -batch -config ${.CURDIR}/intermediate.cnf -new -sha256 \
57 -subj '/CN=server/O=OpenBSD/OU=So and Sos/C=CA' \
58 -key server.key.pem -out server.csr.pem
59
60# Sign server key
61server.cert.pem: intermediate.cnf intermediate.cert.pem server.csr.pem
62 # server sign
63 openssl ca -batch -config ${.CURDIR}/intermediate.cnf \
64 -extensions server_cert -days 5 -notext -md sha256 \
65 -in server.csr.pem -out server.cert.pem
66
67# Make a client certificate
68client.key.pem:
69 # genrsa client
70 openssl genrsa -out client.key.pem 2048
71
72client.csr.pem: intermediate.cnf intermediate.cert.pem client.key.pem
73 # client req
74 openssl req -batch -config ${.CURDIR}/intermediate.cnf -new -sha256 \
75 -subj '/CN=client/O=OpenBSD/OU=So and Sos/C=CA' \
76 -key client.key.pem -out client.csr.pem
77
78# Sign client key
79client.cert.pem: intermediate.cnf intermediate.txt client.csr.pem
80 # client sign
81 openssl ca -batch -config ${.CURDIR}/intermediate.cnf \
82 -extensions usr_cert -days 5 -notext -md sha256 \
83 -in client.csr.pem -out client.cert.pem
84
85REGRESS_TARGETS += run-verify-server
86# Verify Intermediate
87run-verify-server: chain.pem server.cert.pem
88 # validate server cert
89 openssl verify -purpose sslserver -CAfile chain.pem server.cert.pem
90
91REGRESS_TARGETS += run-verify-client
92# Verify Intermediate
93run-verify-client: chain.pem client.cert.pem
94 # validate client cert
95 openssl verify -purpose sslclient -CAfile chain.pem client.cert.pem
20 96
21.include <bsd.regress.mk> 97.include <bsd.regress.mk>
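Review bot: `server.cert.pem` and `client.cert.pem` both run `openssl ca` against the same intermediate database (`intermediate.txt`, `intermediate.serial` and the `.attr`/`.old` side files, which the signing recipes rewrite although they are not targets of any rule), so nothing in the graph stops the two signings from running concurrently and clobbering the index or serial if this regress is ever run with a parallel make; `.ORDER: server.cert.pem client.cert.pem` (or listing `server.cert.pem` as a prerequisite of `client.cert.pem`) would serialize them. The prerequisite lists are also asymmetric: `client.csr.pem` depends on `intermediate.cert.pem` while `server.csr.pem` does not, and `client.cert.pem` depends on `intermediate.txt` (a file the signing step itself mutates, so it is always "newer" afterwards) where `server.cert.pem` depends on `intermediate.cert.pem`; `client.csr.pem: intermediate.cnf client.key.pem` and `client.cert.pem: intermediate.cnf intermediate.cert.pem client.csr.pem` would make the two chains match. The comments above `run-verify-server` and `run-verify-client` still read `# Verify Intermediate`, carried over from doit.sh; `# Verify server certificate against the chain` and `# Verify client certificate against the chain` describe what those targets actually check.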
diff --git a/src/regress/lib/libcrypto/CA/doit.sh b/src/regress/lib/libcrypto/CA/doit.sh
deleted file mode 100755
index 110d89d67f..0000000000
--- a/src/regress/lib/libcrypto/CA/doit.sh
+++ /dev/null
@@ -1,116 +0,0 @@
1#!/bin/sh
2# $OpenBSD: doit.sh,v 1.2 2018/07/17 17:06:49 tb Exp $
3
4rm -rf root intermediate certs
5echo 1000 > rootserial
6cat /dev/null > root.txt
7echo 1000 > intserial
8cat /dev/null > int.txt
9
10# Vanna Vanna make me a root cert
11openssl genrsa -out root.key.pem 4096
12if [ $? -ne 0 ]; then
13 echo "*** Fail; Can't generate root rsa 4096 key"
14 exit 1
15fi
16
17openssl req -batch -config root.cnf -key root.key.pem -new -x509 -days 365 -sha256 -extensions v3_ca -out root.cert.pem
18if [ $? -ne 0 ]; then
19 echo "*** Fail; Can't generate root req"
20 exit 1
21fi
22
23# Make intermediate
24openssl genrsa -out intermediate.key.pem 2048
25if [ $? -ne 0 ]; then
26 echo "*** Fail; Can't generate intermediate rsa 2048 key"
27 exit 1
28fi
29
30openssl req -batch -config intermediate.cnf -new -sha256 \
31 -key intermediate.key.pem \
32 -out intermediate.csr.pem
33if [ $? -ne 0 ]; then
34 echo "*** Fail; Can't generate intermediate req"
35 exit 1
36fi
37
38# Sign intermediate
39openssl ca -batch -config root.cnf -extensions v3_intermediate_ca -days 10 -notext -md sha256 -in intermediate.csr.pem -out intermediate.cert.pem
40if [ $? -ne 0 ]; then
41 echo "*** Fail; Can't sign intermediate"
42 exit 1
43fi
44
45# Verify Intermediate
46openssl verify -CAfile ca.cert.pem intermediate.cert.pem
47if [ $? -ne 0]; then
48 echo "*** Fail; Intermediate CA does not validate"
49 exit 1
50fi
51
52cat intermediate.cert.pem root.cert.pem > chain.pem
53
54# make a server certificate
55
56openssl genrsa -out server.key.pem 2048
57if [ $? -ne 0]; then
58 echo "*** Fail; genrsa server"
59 exit 1
60fi
61
62
63openssl req -batch -config intermediate.cnf \
64 -key server.key.pem \
65 -new -sha256 -out server.csr.pem \
66 -subj '/CN=server/O=OpenBSD/OU=So and Sos/C=CA'
67if [ $? -ne 0]; then
68 echo "*** Fail; server req"
69 exit 1
70fi
71
72# sign server key
73openssl ca -batch -config intermediate.cnf -extensions server_cert -days 5 -notext -md sha256 -in server.csr.pem -out server.cert.pem
74if [ $? -ne 0 ]; then
75 echo "*** Fail; server sign"
76 exit 1
77fi
78
79# make a client certificate
80
81openssl genrsa -out client.key.pem 2048
82if [ $? -ne 0]; then
83 echo "*** Fail; genrsa client"
84 exit 1
85fi
86
87openssl req -batch -config intermediate.cnf \
88 -key client.key.pem \
89 -new -sha256 -out client.csr.pem \
90 -subj '/CN=client/O=OpenBSD/OU=So and Sos/C=CA'
91if [ $? -ne 0]; then
92 echo "*** Fail; client req"
93 exit 1
94fi
95
96# sign client key
97openssl ca -batch -config intermediate.cnf -extensions usr_cert -days 5 -notext -md sha256 -in client.csr.pem -out client.cert.pem
98if [ $? -ne 0 ]; then
99 echo "*** Fail; client sign"
100 exit 1
101fi
102
103# Verify Intermediate
104openssl verify -purpose sslserver -CAfile chain.pem server.cert.pem
105if [ $? -ne 0 ]; then
106 echo "*** Fail; server cert does not validate"
107 exit 1
108fi
109
110# Verify Intermediate
111openssl verify -purpose sslclient -CAfile chain.pem client.cert.pem
112if [ $? -ne 0 ]; then
113 echo "*** Fail; client cert does not validate"
114 exit 1
115fi
116
diff --git a/src/regress/lib/libcrypto/CA/intermediate.cnf b/src/regress/lib/libcrypto/CA/intermediate.cnf
index 9a95487c00..bbf189d268 100644
--- a/src/regress/lib/libcrypto/CA/intermediate.cnf
+++ b/src/regress/lib/libcrypto/CA/intermediate.cnf
@@ -1,4 +1,4 @@
1# $OpenBSD: intermediate.cnf,v 1.2 2018/07/17 17:06:49 tb Exp $ 1# $OpenBSD: intermediate.cnf,v 1.3 2020/12/26 00:48:56 bluhm Exp $
2# For regression tests 2# For regression tests
3default_ca = CA_regress 3default_ca = CA_regress
4 4
@@ -7,9 +7,9 @@ default_ca = CA_regress
7dir = . 7dir = .
8certs = $dir 8certs = $dir
9crl_dir = $dir 9crl_dir = $dir
10database = $dir/int.txt 10database = $dir/intermediate.txt
11serial = $dir/intserial 11serial = $dir/intermediate.serial
12new_certs_dir = $dir 12new_certs_dir = $dir
13 13
14# The root key and root certificate. 14# The root key and root certificate.
15private_key = $dir/intermediate.key.pem 15private_key = $dir/intermediate.key.pem
@@ -127,4 +127,3 @@ subjectKeyIdentifier = hash
127authorityKeyIdentifier = keyid,issuer 127authorityKeyIdentifier = keyid,issuer
128keyUsage = critical, digitalSignature 128keyUsage = critical, digitalSignature
129extendedKeyUsage = critical, OCSPSigning 129extendedKeyUsage = critical, OCSPSigning
130
diff --git a/src/regress/lib/libcrypto/CA/root.cnf b/src/regress/lib/libcrypto/CA/root.cnf
index b22e161476..506542e943 100644
--- a/src/regress/lib/libcrypto/CA/root.cnf
+++ b/src/regress/lib/libcrypto/CA/root.cnf
@@ -1,4 +1,4 @@
1# $OpenBSD: root.cnf,v 1.2 2018/07/17 17:06:49 tb Exp $ 1# $OpenBSD: root.cnf,v 1.3 2020/12/26 00:48:56 bluhm Exp $
2# For regression tests 2# For regression tests
3default_ca = CA_regress 3default_ca = CA_regress
4 4
@@ -8,8 +8,8 @@ dir = .
8certs = $dir 8certs = $dir
9crl_dir = $dir 9crl_dir = $dir
10database = $dir/root.txt 10database = $dir/root.txt
11serial = $dir/rootserial 11serial = $dir/root.serial
12new_certs_dir = $dir 12new_certs_dir = $dir
13 13
14# The root key and root certificate. 14# The root key and root certificate.
15private_key = $dir/root.key.pem 15private_key = $dir/root.key.pem
@@ -127,4 +127,3 @@ subjectKeyIdentifier = hash
127authorityKeyIdentifier = keyid,issuer 127authorityKeyIdentifier = keyid,issuer
128keyUsage = critical, digitalSignature 128keyUsage = critical, digitalSignature
129extendedKeyUsage = critical, OCSPSigning 129extendedKeyUsage = critical, OCSPSigning
130
diff --git a/src/regress/lib/libcrypto/Makefile b/src/regress/lib/libcrypto/Makefile
index 7ec659bfc2..6f7b024c47 100644
--- a/src/regress/lib/libcrypto/Makefile
+++ b/src/regress/lib/libcrypto/Makefile
@@ -1,4 +1,4 @@
1# $OpenBSD: Makefile,v 1.40 2020/09/18 10:19:31 tb Exp $ 1# $OpenBSD: Makefile,v 1.41 2020/12/26 00:48:56 bluhm Exp $
2 2
3SUBDIR += aead 3SUBDIR += aead
4SUBDIR += aeswrap 4SUBDIR += aeswrap
@@ -7,6 +7,7 @@ SUBDIR += base64
7SUBDIR += bf 7SUBDIR += bf
8SUBDIR += bio 8SUBDIR += bio
9SUBDIR += bn 9SUBDIR += bn
10SUBDIR += CA
10SUBDIR += cast 11SUBDIR += cast
11SUBDIR += certs 12SUBDIR += certs
12SUBDIR += chacha 13SUBDIR += chacha