authorjob <>2024-01-12 11:24:03 +0000
committerjob <>2024-01-12 11:24:03 +0000
commita941bc4dee12272fae734d7e033698516cf7b2ee (patch)
treeb556349cae6f3fe4c0d9ea5f86f104a74c5349a1 /src/regress/usr.bin/openssl
parent11bbbc8e1d1d1cf5984fb74c05165cd1cfb0251c (diff)
Add -force_pubkey -multivalue-rdn -set_issuer -set_subject -utf8 to x509 app
The -set_issuer, -set_subject, and -force_pubkey features can be used to 'rechain' PKIs, for more information see https://labs.apnic.net/nro-ta/ and https://blog.apnic.net/2023/12/14/models-of-trust-for-the-rpki/ OK tb@
Diffstat (limited to 'src/regress/usr.bin/openssl')
-rwxr-xr-xsrc/regress/usr.bin/openssl/appstest.sh27
1 files changed, 26 insertions, 1 deletions
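--- a/src/regress/usr.bin/openssl/appstest.sh
+++ b/src/regress/usr.bin/openssl/appstest.sh
@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# $OpenBSD: appstest.sh,v 1.58 2023/07/24 05:54:12 tb Exp $
+# $OpenBSD: appstest.sh,v 1.59 2024/01/12 11:24:02 job Exp $
 #
 # Copyright (c) 2016 Kinichiro Inoguchi <inoguchi@openbsd.org>
 #
@@ -834,13 +834,38 @@ __EOF__
 
 start_message "x509 ... issue cert for server csr#2"
 
+$openssl_bin genrsa -out $server_dir/testkey.pem 2>&1
+check_exit_status $?
+$openssl_bin rsa -in $server_dir/testkey.pem -pubout \
+-out $server_dir/testpubkey.pem 2>&1
+check_exit_status $?
+
 revoke_cert=$server_dir/revoke_cert.pem
 $openssl_bin x509 -req -in $revoke_csr -CA $ca_cert -CAform pem \
 -CAkey $ca_key -CAkeyform pem \
 -CAserial $ca_dir/serial -set_serial 10 \
 -passin pass:$ca_pass -CAcreateserial -out $revoke_cert \
+-set_issuer /CN=issuer -set_subject /CN=subject \
+-force_pubkey $server_dir/testpubkey.pem
 > $revoke_cert.log 2>&1
 check_exit_status $?
+
+start_message "x509 ... check if csr#2 cert has proper issuer & subject"
+if [ "$($openssl_bin x509 -in $revoke_cert -issuer -noout)" != \
+"issuer= /CN=issuer" ]; then
+exit 1
+fi
+if [ "$($openssl_bin x509 -in $revoke_cert -subject -noout)" != \
+"subject= /CN=subject" ]; then
+exit 1
+fi
+check_exit_status 0
+
+start_message "x509 ... check if csr#2 cert pubkey was forced"
+$openssl_bin x509 -in $revoke_cert -pubkey -noout > $revoke_cert.pub
+check_exit_status $?
+diff $server_dir/testpubkey.pem $revoke_cert.pub
+check_exit_status $?
 
 start_message "ca ... issue cert for server csr#3"
 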
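Review bot: The added `-force_pubkey $server_dir/testpubkey.pem` line (new line 849) has no trailing backslash as shown here, so the unchanged `> $revoke_cert.log 2>&1` below it becomes a separate command. The following `check_exit_status $?` then tests the status of that bare redirection, which succeeds whenever the log file can be opened, rather than the status of the `x509 -req` signing step, and the x509 output no longer reaches the log. A failed signing would only surface indirectly through the later issuer/subject and pubkey checks. The line should read `-force_pubkey $server_dir/testpubkey.pem \`. Separately, the two issuer/subject comparisons call `exit 1` directly instead of going through `check_exit_status`, so a mismatch ends the run without whatever failure reporting that helper provides (its body is outside this hunk).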