Add 'openssl x509 -new' functionality to the libcrypto CLI utility

The ability to generate a new certificate is useful for testing and experimentation with rechaining PKIs. While there, alias '-key' to '-signkey' for compatibility. with and OK tb@
author: job <> 2024-01-26 11:58:37 +0000
committer: job <> 2024-01-26 11:58:37 +0000
commit: c6ef56532943eb3b0c27899a1d3ce888b8aacece (patch)
tree: 22591d8d23256836bf7d611b624a079dc6dafe19 /src/regress/usr.bin
parent: 8e3bd1f5107b38d2fddb407a32ad1da33da96688 (diff)
download: openbsd-c6ef56532943eb3b0c27899a1d3ce888b8aacece.tar.gz
openbsd-c6ef56532943eb3b0c27899a1d3ce888b8aacece.tar.bz2
openbsd-c6ef56532943eb3b0c27899a1d3ce888b8aacece.zip
1 files changed, 50 insertions, 1 deletions
diff --git a/src/regress/usr.bin/openssl/appstest.sh b/src/regress/usr.bin/openssl/appstest.sh
index 500fae0251..8c0e75deb4 100755
--- a/src/regress/usr.bin/openssl/appstest.sh
+++ b/src/regress/usr.bin/openssl/appstest.sh
@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# $OpenBSD: appstest.sh,v 1.60 2024/01/12 13:16:48 tb Exp $
+# $OpenBSD: appstest.sh,v 1.61 2024/01/26 11:58:36 job Exp $
 #
 # Copyright (c) 2016 Kinichiro Inoguchi <inoguchi@openbsd.org>
 #
@@ -867,6 +867,55 @@ __EOF__
        diff $server_dir/testpubkey.pem $revoke_cert.pub
        check_exit_status $?
+        start_message "x509 ... test -new"
+        $openssl_bin genrsa -out $server_dir/ca-new.key 2048
+        check_exit_status $?
+        $openssl_bin x509 -new -set_issuer '/CN=test-issuer' \
+                -set_subject '/CN=test-subject' \
+                -out $server_dir/new.pem -days 1 -key $server_dir/ca-new.key \
+                -force_pubkey $revoke_cert.pub
+        check_exit_status $?
+        $openssl_bin x509 -in $server_dir/new.pem -pubkey -noout \
+                > $server_dir/new.pem.pub
+        check_exit_status $?
+        start_message "x509 ... check if -new cert has proper pubkey"
+        diff $server_dir/testpubkey.pem $server_dir/new.pem.pub
+        check_exit_status $?
+        start_message "x509 ... check if -new cert has proper issuer & subject"
+        if [ "$($openssl_bin x509 -in $server_dir/new.pem -issuer -noout)" != \
+                "issuer= /CN=test-issuer" ]; then
+                exit 1
+        fi
+        if [ "$($openssl_bin x509 -in $server_dir/new.pem -subject -noout)" != \
+                "subject= /CN=test-subject" ]; then
+                exit 1
+        fi
+        check_exit_status 0
+        start_message "x509 ... test -new without -force_pubkey"
+        $openssl_bin x509 -new -set_subject '/CN=test-subject2' \
+                -out $server_dir/new2.pem -days 1 -key $server_dir/ca-new.key
+        check_exit_status $?
+        $openssl_bin x509 -in $server_dir/new2.pem -pubkey -noout \
+                > $server_dir/new2.pem.pub
+        check_exit_status $?
+        $openssl_bin rsa -in $server_dir/ca-new.key -pubout \
+                -out $server_dir/ca-new.pubkey
+        check_exit_status $?
+        diff $server_dir/new2.pem.pub $server_dir/ca-new.pubkey
+        check_exit_status $?
+        if [ "$($openssl_bin x509 -in $server_dir/new2.pem -issuer -noout)" \
+                != "issuer= /CN=test-subject2" ]; then
+                exit 1
+        fi
+        if [ "$($openssl_bin x509 -in $server_dir/new2.pem -subject -noout)" \
+                != "subject= /CN=test-subject2" ]; then
+                exit 1
+        fi
+        check_exit_status 0
        start_message "ca ... issue cert for server csr#3"
        sv_ecdsa_cert=$server_dir/sv_ecdsa_cert.pem
author	job <>	2024-01-26 11:58:37 +0000
committer	job <>	2024-01-26 11:58:37 +0000
commit	c6ef56532943eb3b0c27899a1d3ce888b8aacece (patch)
tree	22591d8d23256836bf7d611b624a079dc6dafe19 /src/regress/usr.bin
parent	8e3bd1f5107b38d2fddb407a32ad1da33da96688 (diff)
download	openbsd-c6ef56532943eb3b0c27899a1d3ce888b8aacece.tar.gz openbsd-c6ef56532943eb3b0c27899a1d3ce888b8aacece.tar.bz2 openbsd-c6ef56532943eb3b0c27899a1d3ce888b8aacece.zip

diff --git a/src/regress/usr.bin/openssl/appstest.sh b/src/regress/usr.bin/openssl/appstest.sh index 500fae0251..8c0e75deb4 100755 --- a/src/regress/usr.bin/openssl/appstest.sh +++ b/src/regress/usr.bin/openssl/appstest.sh
@@ -1,6 +1,6 @@
1	#!/bin/sh	1	#!/bin/sh
2	#	2	#
3	# $OpenBSD: appstest.sh,v 1.60 2024/01/12 13:16:48 tb Exp $	3	# $OpenBSD: appstest.sh,v 1.61 2024/01/26 11:58:36 job Exp $
4	#	4	#
5	# Copyright (c) 2016 Kinichiro Inoguchi <inoguchi@openbsd.org>	5	# Copyright (c) 2016 Kinichiro Inoguchi <inoguchi@openbsd.org>
6	#	6	#
@@ -867,6 +867,55 @@ __EOF__
867	diff $server_dir/testpubkey.pem $revoke_cert.pub	867	diff $server_dir/testpubkey.pem $revoke_cert.pub
868	check_exit_status $?	868	check_exit_status $?
869		869
		870	start_message "x509 ... test -new"
		871	$openssl_bin genrsa -out $server_dir/ca-new.key 2048
		872	check_exit_status $?
		873	$openssl_bin x509 -new -set_issuer '/CN=test-issuer' \
		874	-set_subject '/CN=test-subject' \
		875	-out $server_dir/new.pem -days 1 -key $server_dir/ca-new.key \
		876	-force_pubkey $revoke_cert.pub
		877	check_exit_status $?
		878	$openssl_bin x509 -in $server_dir/new.pem -pubkey -noout \
		879	> $server_dir/new.pem.pub
		880	check_exit_status $?
		881
		882	start_message "x509 ... check if -new cert has proper pubkey"
		883	diff $server_dir/testpubkey.pem $server_dir/new.pem.pub
		884	check_exit_status $?
		885
		886	start_message "x509 ... check if -new cert has proper issuer & subject"
		887	if [ "$($openssl_bin x509 -in $server_dir/new.pem -issuer -noout)" != \
		888	"issuer= /CN=test-issuer" ]; then
		889	exit 1
		890	fi
		891	if [ "$($openssl_bin x509 -in $server_dir/new.pem -subject -noout)" != \
		892	"subject= /CN=test-subject" ]; then
		893	exit 1
		894	fi
		895	check_exit_status 0
		896
		897	start_message "x509 ... test -new without -force_pubkey"
		898	$openssl_bin x509 -new -set_subject '/CN=test-subject2' \
		899	-out $server_dir/new2.pem -days 1 -key $server_dir/ca-new.key
		900	check_exit_status $?
		901	$openssl_bin x509 -in $server_dir/new2.pem -pubkey -noout \
		902	> $server_dir/new2.pem.pub
		903	check_exit_status $?
		904	$openssl_bin rsa -in $server_dir/ca-new.key -pubout \
		905	-out $server_dir/ca-new.pubkey
		906	check_exit_status $?
		907	diff $server_dir/new2.pem.pub $server_dir/ca-new.pubkey
		908	check_exit_status $?
		909	if [ "$($openssl_bin x509 -in $server_dir/new2.pem -issuer -noout)" \
		910	!= "issuer= /CN=test-subject2" ]; then
		911	exit 1
		912	fi
		913	if [ "$($openssl_bin x509 -in $server_dir/new2.pem -subject -noout)" \
		914	!= "subject= /CN=test-subject2" ]; then
		915	exit 1
		916	fi
		917	check_exit_status 0
		918
870	start_message "ca ... issue cert for server csr#3"	919	start_message "ca ... issue cert for server csr#3"
871		920
872	sv_ecdsa_cert=$server_dir/sv_ecdsa_cert.pem	921	sv_ecdsa_cert=$server_dir/sv_ecdsa_cert.pem