Add start of a regress for cert gen and validation. not clean, won't

hook it up yet
author: beck <> 2017-01-25 10:29:34 +0000
committer: beck <> 2017-01-25 10:29:34 +0000
commit: fe779bdf8fe3a5ca93fe1aa8bdc24ea59b8b7adc (patch)
tree: c63f4134e60dae4d18bf283d0cb878f3ce09895c /src
parent: 5db8efb14ac2f2c5972558f52104b5187d102a2d (diff)
download: openbsd-fe779bdf8fe3a5ca93fe1aa8bdc24ea59b8b7adc.tar.gz
openbsd-fe779bdf8fe3a5ca93fe1aa8bdc24ea59b8b7adc.tar.bz2
openbsd-fe779bdf8fe3a5ca93fe1aa8bdc24ea59b8b7adc.zip
5 files changed, 394 insertions, 0 deletions
diff --git a/src/regress/lib/libcrypto/CA/Makefile b/src/regress/lib/libcrypto/CA/Makefile
new file mode 100644
index 0000000000..c31c99c946
--- /dev/null
+++ b/src/regress/lib/libcrypto/CA/Makefile
@@ -0,0 +1,21 @@
+#       $OpenBSD: Makefile,v 1.1 2017/01/25 10:29:34 beck Exp $
+TESTS = \
+        doit.sh
+REGRESS_TARGETS= all_tests
+CLEANFILES += \
+1000.pem client.cert.pem intermediate.cert.pem root.cert.pem  server.csr.pem \
+1001.pem client.csr.pem intermediate.csr.pem  root.key.pem  server.key.pem \
+chain.pem client.key.pem intermediate.key.pem  server.cert.pem \
+int.txt  int.txt.attr int.txt.old int.txt.attr.old  \
+root.txt root.txt.attr root.txt.old root.txt.attr.old \
+intserial rootserial intserial.old rootserial.old
+all_tests: ${TESTS}
+        @for test in $>; do \
+                ./$$test; \
+        done
+.include <bsd.regress.mk>
diff --git a/src/regress/lib/libcrypto/CA/doit.sh b/src/regress/lib/libcrypto/CA/doit.sh
new file mode 100755
index 0000000000..3b0375a026
--- /dev/null
+++ b/src/regress/lib/libcrypto/CA/doit.sh
@@ -0,0 +1,115 @@
+#!/bin/sh
+rm -rf root intermediate certs
+echo 1000 > rootserial
+cat /dev/null > root.txt
+echo 1000 > intserial
+cat /dev/null > int.txt
+# Vanna Vanna make me a root cert
+openssl genrsa -out root.key.pem 4096
+if [ $? -ne 0 ]; then
+   echo "*** Fail;  Can't generate root rsa 4096 key"
+   exit 1
+fi   
+openssl req -batch -config root.cnf -key root.key.pem -new -x509 -days 365 -sha256 -extensions v3_ca -out root.cert.pem
+if [ $? -ne 0 ]; then
+   echo "*** Fail;  Can't generate root req"
+   exit 1
+fi   
+# Make intermediate
+openssl genrsa -out intermediate.key.pem 2048
+if [ $? -ne 0 ]; then
+   echo "*** Fail;  Can't generate intermediate rsa 2048 key"
+   exit 1
+fi   
+openssl req -batch -config intermediate.cnf -new -sha256 \
+      -key intermediate.key.pem \
+      -out intermediate.csr.pem
+if [ $? -ne 0 ]; then
+   echo "*** Fail;  Can't generate intermediate req"
+   exit 1
+fi   
+# Sign intermediate
+openssl ca -batch -config root.cnf -extensions v3_intermediate_ca -days 10 -notext -md sha256 -in intermediate.csr.pem -out intermediate.cert.pem 
+if [ $? -ne 0 ]; then
+   echo "*** Fail;  Can't sign intermediate"
+   exit 1
+fi   
+# Verify Intermediate
+openssl verify -CAfile ca.cert.pem intermediate.cert.pem
+if [ $? -ne 0]; then
+   echo "*** Fail; Intermediate CA does not validate"
+   exit 1
+fi   
+cat intermediate.cert.pem root.cert.pem > chain.pem
+# make a server certificate
+openssl genrsa -out server.key.pem 2048
+if [ $? -ne 0]; then
+   echo "*** Fail; genrsa server"
+   exit 1
+fi   
+openssl req -batch -config intermediate.cnf \
+      -key server.key.pem \
+      -new -sha256 -out server.csr.pem \
+      -subj '/CN=server/O=OpenBSD/OU=So and Sos/C=CA'
+if [ $? -ne 0]; then
+   echo "*** Fail; server req"
+   exit 1
+fi   
+# sign server key
+openssl ca -batch -config intermediate.cnf -extensions server_cert -days 5 -notext -md sha256 -in server.csr.pem -out server.cert.pem
+if [ $? -ne 0 ]; then
+   echo "*** Fail; server sign"
+   exit 1
+fi   
+# make a client certificate
+openssl genrsa -out client.key.pem 2048
+if [ $? -ne 0]; then
+   echo "*** Fail; genrsa client"
+   exit 1
+fi   
+openssl req -batch -config intermediate.cnf \
+      -key client.key.pem \
+      -new -sha256 -out client.csr.pem \
+      -subj '/CN=client/O=OpenBSD/OU=So and Sos/C=CA'
+if [ $? -ne 0]; then
+   echo "*** Fail; client req"
+   exit 1
+fi   
+# sign client key
+openssl ca -batch -config intermediate.cnf -extensions usr_cert -days 5 -notext -md sha256 -in client.csr.pem -out client.cert.pem
+if [ $? -ne 0 ]; then
+   echo "*** Fail; client sign"
+   exit 1
+fi
+# Verify Intermediate
+openssl verify -purpose sslserver -CAfile chain.pem server.cert.pem
+if [ $? -ne 0 ]; then
+   echo "*** Fail; server cert does not validate"
+   exit 1
+fi   
+# Verify Intermediate
+openssl verify -purpose sslclient -CAfile chain.pem client.cert.pem
+if [ $? -ne 0 ]; then
+   echo "*** Fail; client cert does not validate"
+   exit 1
+fi   
diff --git a/src/regress/lib/libcrypto/CA/index.txt b/src/regress/lib/libcrypto/CA/index.txt
new file mode 100644
index 0000000000..e69de29bb2
--- /dev/null
+++ b/src/regress/lib/libcrypto/CA/index.txt
diff --git a/src/regress/lib/libcrypto/CA/intermediate.cnf b/src/regress/lib/libcrypto/CA/intermediate.cnf
new file mode 100644
index 0000000000..383f8f0b9b
--- /dev/null
+++ b/src/regress/lib/libcrypto/CA/intermediate.cnf
@@ -0,0 +1,129 @@
+# For regression tests
+default_ca = CA_regress
+[ CA_regress ]
+# Directory and file locations.
+dir               = .
+certs             = $dir
+crl_dir           = $dir
+database          = $dir/int.txt
+serial            = $dir/intserial
+new_certs_dir     = $dir
+# The root key and root certificate.
+private_key       = $dir/intermediate.key.pem
+certificate       = $dir/intermediate.cert.pem
+# For certificate revocation lists.
+crlnumber         = $dir/crlnumber
+crl               = $dir/ca.crl.pem
+crl_extensions    = crl_ext
+default_crl_days  = 30
+# SHA-1 is deprecated, so use SHA-2 instead.
+default_md        = sha256
+name_opt          = ca_default
+cert_opt          = ca_default
+default_days      = 10
+preserve          = no
+policy            = policy_loose
+[ policy_strict ]
+# The root CA should only sign intermediate certificates that match.
+# See the POLICY FORMAT section of `man ca`.
+countryName             = match
+stateOrProvinceName     = match
+organizationName        = match
+organizationalUnitName  = optional
+commonName              = supplied
+emailAddress            = optional
+[ policy_loose ]
+# Allow the intermediate CA to sign a more diverse range of certificates.
+# See the POLICY FORMAT section of the `ca` man page.
+countryName             = optional
+stateOrProvinceName     = optional
+localityName            = optional
+organizationName        = optional
+organizationalUnitName  = optional
+commonName              = supplied
+emailAddress            = optional
+[ req ]
+# Options for the `req` tool (`man req`).
+default_bits        = 2048
+distinguished_name  = req_distinguished_name
+string_mask         = utf8only
+# SHA-1 is deprecated, so use SHA-2 instead.
+default_md          = sha256
+# Extension to add when the -x509 option is used.
+x509_extensions     = v3_ca
+[ req_distinguished_name ]
+# See <https://en.wikipedia.org/wiki/Certificate_signing_request>.
+countryName                     = Country Name (2 letter code)
+stateOrProvinceName             = State or Province Name
+localityName                    = Locality Name
+0.organizationName              = Organization Name
+organizationalUnitName          = Organizational Unit Name
+commonName                      = Common Name
+emailAddress                    = Email Address
+# Optionally, specify some defaults.
+countryName_default             = CA
+stateOrProvinceName_default     = Alberta
+localityName_default            = Edmonton
+0.organizationName_default      = OpenBSD
+organizationalUnitName_default  = So and Sos
+emailAddress_default            = evilsoandsos@openbsd.org
+commonName_default              = Regress Intermediate CA
+[ v3_ca ]
+# Extensions for a typical CA (`man x509v3_config`).
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+basicConstraints = critical, CA:true
+keyUsage = critical, digitalSignature, cRLSign, keyCertSign
+[ v3_intermediate_ca ]
+# Extensions for a typical intermediate CA (`man x509v3_config`).
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+basicConstraints = critical, CA:true, pathlen:0
+keyUsage = critical, digitalSignature, cRLSign, keyCertSign
+[ usr_cert ]
+# Extensions for client certificates (`man x509v3_config`).
+basicConstraints = CA:FALSE
+nsCertType = client, email
+nsComment = "OpenSSL Generated Client Certificate"
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer
+keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
+extendedKeyUsage = clientAuth, emailProtection
+[ server_cert ]
+# Extensions for server certificates (`man x509v3_config`).
+basicConstraints = CA:FALSE
+nsCertType = server
+nsComment = "OpenSSL Generated Server Certificate"
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer:always
+keyUsage = critical, digitalSignature, keyEncipherment
+extendedKeyUsage = serverAuth
+[ crl_ext ]
+# Extension for CRLs (`man x509v3_config`).
+authorityKeyIdentifier=keyid:always
+[ ocsp ]
+# Extension for OCSP signing certificates (`man ocsp`).
+basicConstraints = CA:FALSE
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer
+keyUsage = critical, digitalSignature
+extendedKeyUsage = critical, OCSPSigning
diff --git a/src/regress/lib/libcrypto/CA/root.cnf b/src/regress/lib/libcrypto/CA/root.cnf
new file mode 100644
index 0000000000..7915a6ab0e
--- /dev/null
+++ b/src/regress/lib/libcrypto/CA/root.cnf
@@ -0,0 +1,129 @@
+# For regression tests
+default_ca = CA_regress
+[ CA_regress ]
+# Directory and file locations.
+dir               = .
+certs             = $dir
+crl_dir           = $dir
+database          = $dir/root.txt
+serial            = $dir/rootserial
+new_certs_dir     = $dir
+# The root key and root certificate.
+private_key       = $dir/root.key.pem
+certificate       = $dir/root.cert.pem
+# For certificate revocation lists.
+crlnumber         = $dir/crlnumber
+crl               = $dir/ca.crl.pem
+crl_extensions    = crl_ext
+default_crl_days  = 30
+# SHA-1 is deprecated, so use SHA-2 instead.
+default_md        = sha256
+name_opt          = ca_default
+cert_opt          = ca_default
+default_days      = 375
+preserve          = no
+policy            = policy_strict
+[ policy_strict ]
+# The root CA should only sign intermediate certificates that match.
+# See the POLICY FORMAT section of `man ca`.
+countryName             = match
+stateOrProvinceName     = match
+organizationName        = match
+organizationalUnitName  = optional
+commonName              = supplied
+emailAddress            = optional
+[ policy_loose ]
+# Allow the intermediate CA to sign a more diverse range of certificates.
+# See the POLICY FORMAT section of the `ca` man page.
+countryName             = optional
+stateOrProvinceName     = optional
+localityName            = optional
+organizationName        = optional
+organizationalUnitName  = optional
+commonName              = supplied
+emailAddress            = optional
+[ req ]
+# Options for the `req` tool (`man req`).
+default_bits        = 2048
+distinguished_name  = req_distinguished_name
+string_mask         = utf8only
+# SHA-1 is deprecated, so use SHA-2 instead.
+default_md          = sha256
+# Extension to add when the -x509 option is used.
+x509_extensions     = v3_ca
+[ req_distinguished_name ]
+# See <https://en.wikipedia.org/wiki/Certificate_signing_request>.
+countryName                     = Country Name (2 letter code)
+stateOrProvinceName             = State or Province Name
+localityName                    = Locality Name
+0.organizationName              = Organization Name
+organizationalUnitName          = Organizational Unit Name
+commonName                      = Common Name
+emailAddress                    = Email Address
+# Optionally, specify some defaults.
+countryName_default             = CA
+stateOrProvinceName_default     = Alberta
+localityName_default            = Edmonton
+0.organizationName_default      = OpenBSD
+organizationalUnitName_default  = So and Sos
+emailAddress_default            = evilsoandsos@openbsd.org
+commonName_default              = Regress Root CA
+[ v3_ca ]
+# Extensions for a typical CA (`man x509v3_config`).
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+basicConstraints = critical, CA:true
+keyUsage = critical, digitalSignature, cRLSign, keyCertSign
+[ v3_intermediate_ca ]
+# Extensions for a typical intermediate CA (`man x509v3_config`).
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+basicConstraints = critical, CA:true, pathlen:0
+keyUsage = critical, digitalSignature, cRLSign, keyCertSign
+[ usr_cert ]
+# Extensions for client certificates (`man x509v3_config`).
+basicConstraints = CA:FALSE
+nsCertType = client, email
+nsComment = "OpenSSL Generated Client Certificate"
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer
+keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
+extendedKeyUsage = clientAuth, emailProtection
+[ server_cert ]
+# Extensions for server certificates (`man x509v3_config`).
+basicConstraints = CA:FALSE
+nsCertType = server
+nsComment = "OpenSSL Generated Server Certificate"
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer:always
+keyUsage = critical, digitalSignature, keyEncipherment
+extendedKeyUsage = serverAuth
+[ crl_ext ]
+# Extension for CRLs (`man x509v3_config`).
+authorityKeyIdentifier=keyid:always
+[ ocsp ]
+# Extension for OCSP signing certificates (`man ocsp`).
+basicConstraints = CA:FALSE
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer
+keyUsage = critical, digitalSignature
+extendedKeyUsage = critical, OCSPSigning
author	beck <>	2017-01-25 10:29:34 +0000
committer	beck <>	2017-01-25 10:29:34 +0000
commit	fe779bdf8fe3a5ca93fe1aa8bdc24ea59b8b7adc (patch)
tree	c63f4134e60dae4d18bf283d0cb878f3ce09895c /src
parent	5db8efb14ac2f2c5972558f52104b5187d102a2d (diff)
download	openbsd-fe779bdf8fe3a5ca93fe1aa8bdc24ea59b8b7adc.tar.gz openbsd-fe779bdf8fe3a5ca93fe1aa8bdc24ea59b8b7adc.tar.bz2 openbsd-fe779bdf8fe3a5ca93fe1aa8bdc24ea59b8b7adc.zip

diff --git a/src/regress/lib/libcrypto/CA/Makefile b/src/regress/lib/libcrypto/CA/Makefile new file mode 100644 index 0000000000..c31c99c946 --- /dev/null +++ b/src/regress/lib/libcrypto/CA/Makefile
@@ -0,0 +1,21 @@
	1	# $OpenBSD: Makefile,v 1.1 2017/01/25 10:29:34 beck Exp $
	2
	3	TESTS = \
	4	doit.sh
	5
	6	REGRESS_TARGETS= all_tests
	7
	8	CLEANFILES += \
	9	1000.pem client.cert.pem intermediate.cert.pem root.cert.pem server.csr.pem \
	10	1001.pem client.csr.pem intermediate.csr.pem root.key.pem server.key.pem \
	11	chain.pem client.key.pem intermediate.key.pem server.cert.pem \
	12	int.txt int.txt.attr int.txt.old int.txt.attr.old \
	13	root.txt root.txt.attr root.txt.old root.txt.attr.old \
	14	intserial rootserial intserial.old rootserial.old
	15
	16	all_tests: ${TESTS}
	17	@for test in $>; do \
	18	./$$test; \
	19	done
	20
	21	.include <bsd.regress.mk>


diff --git a/src/regress/lib/libcrypto/CA/doit.sh b/src/regress/lib/libcrypto/CA/doit.sh new file mode 100755 index 0000000000..3b0375a026 --- /dev/null +++ b/src/regress/lib/libcrypto/CA/doit.sh
@@ -0,0 +1,115 @@
	1	#!/bin/sh
	2
	3	rm -rf root intermediate certs
	4	echo 1000 > rootserial
	5	cat /dev/null > root.txt
	6	echo 1000 > intserial
	7	cat /dev/null > int.txt
	8
	9	# Vanna Vanna make me a root cert
	10	openssl genrsa -out root.key.pem 4096
	11	if [ $? -ne 0 ]; then
	12	echo "*** Fail; Can't generate root rsa 4096 key"
	13	exit 1
	14	fi
	15
	16	openssl req -batch -config root.cnf -key root.key.pem -new -x509 -days 365 -sha256 -extensions v3_ca -out root.cert.pem
	17	if [ $? -ne 0 ]; then
	18	echo "*** Fail; Can't generate root req"
	19	exit 1
	20	fi
	21
	22	# Make intermediate
	23	openssl genrsa -out intermediate.key.pem 2048
	24	if [ $? -ne 0 ]; then
	25	echo "*** Fail; Can't generate intermediate rsa 2048 key"
	26	exit 1
	27	fi
	28
	29	openssl req -batch -config intermediate.cnf -new -sha256 \
	30	-key intermediate.key.pem \
	31	-out intermediate.csr.pem
	32	if [ $? -ne 0 ]; then
	33	echo "*** Fail; Can't generate intermediate req"
	34	exit 1
	35	fi
	36
	37	# Sign intermediate
	38	openssl ca -batch -config root.cnf -extensions v3_intermediate_ca -days 10 -notext -md sha256 -in intermediate.csr.pem -out intermediate.cert.pem
	39	if [ $? -ne 0 ]; then
	40	echo "*** Fail; Can't sign intermediate"
	41	exit 1
	42	fi
	43
	44	# Verify Intermediate
	45	openssl verify -CAfile ca.cert.pem intermediate.cert.pem
	46	if [ $? -ne 0]; then
	47	echo "*** Fail; Intermediate CA does not validate"
	48	exit 1
	49	fi
	50
	51	cat intermediate.cert.pem root.cert.pem > chain.pem
	52
	53	# make a server certificate
	54
	55	openssl genrsa -out server.key.pem 2048
	56	if [ $? -ne 0]; then
	57	echo "*** Fail; genrsa server"
	58	exit 1
	59	fi
	60
	61
	62	openssl req -batch -config intermediate.cnf \
	63	-key server.key.pem \
	64	-new -sha256 -out server.csr.pem \
	65	-subj '/CN=server/O=OpenBSD/OU=So and Sos/C=CA'
	66	if [ $? -ne 0]; then
	67	echo "*** Fail; server req"
	68	exit 1
	69	fi
	70
	71	# sign server key
	72	openssl ca -batch -config intermediate.cnf -extensions server_cert -days 5 -notext -md sha256 -in server.csr.pem -out server.cert.pem
	73	if [ $? -ne 0 ]; then
	74	echo "*** Fail; server sign"
	75	exit 1
	76	fi
	77
	78	# make a client certificate
	79
	80	openssl genrsa -out client.key.pem 2048
	81	if [ $? -ne 0]; then
	82	echo "*** Fail; genrsa client"
	83	exit 1
	84	fi
	85
	86	openssl req -batch -config intermediate.cnf \
	87	-key client.key.pem \
	88	-new -sha256 -out client.csr.pem \
	89	-subj '/CN=client/O=OpenBSD/OU=So and Sos/C=CA'
	90	if [ $? -ne 0]; then
	91	echo "*** Fail; client req"
	92	exit 1
	93	fi
	94
	95	# sign client key
	96	openssl ca -batch -config intermediate.cnf -extensions usr_cert -days 5 -notext -md sha256 -in client.csr.pem -out client.cert.pem
	97	if [ $? -ne 0 ]; then
	98	echo "*** Fail; client sign"
	99	exit 1
	100	fi
	101
	102	# Verify Intermediate
	103	openssl verify -purpose sslserver -CAfile chain.pem server.cert.pem
	104	if [ $? -ne 0 ]; then
	105	echo "*** Fail; server cert does not validate"
	106	exit 1
	107	fi
	108
	109	# Verify Intermediate
	110	openssl verify -purpose sslclient -CAfile chain.pem client.cert.pem
	111	if [ $? -ne 0 ]; then
	112	echo "*** Fail; client cert does not validate"
	113	exit 1
	114	fi
	115


diff --git a/src/regress/lib/libcrypto/CA/index.txt b/src/regress/lib/libcrypto/CA/index.txt new file mode 100644 index 0000000000..e69de29bb2 --- /dev/null +++ b/src/regress/lib/libcrypto/CA/index.txt


diff --git a/src/regress/lib/libcrypto/CA/intermediate.cnf b/src/regress/lib/libcrypto/CA/intermediate.cnf new file mode 100644 index 0000000000..383f8f0b9b --- /dev/null +++ b/src/regress/lib/libcrypto/CA/intermediate.cnf
@@ -0,0 +1,129 @@
	1	# For regression tests
	2	default_ca = CA_regress
	3
	4	[ CA_regress ]
	5	# Directory and file locations.
	6	dir = .
	7	certs = $dir
	8	crl_dir = $dir
	9	database = $dir/int.txt
	10	serial = $dir/intserial
	11	new_certs_dir = $dir
	12
	13	# The root key and root certificate.
	14	private_key = $dir/intermediate.key.pem
	15	certificate = $dir/intermediate.cert.pem
	16
	17	# For certificate revocation lists.
	18	crlnumber = $dir/crlnumber
	19	crl = $dir/ca.crl.pem
	20	crl_extensions = crl_ext
	21	default_crl_days = 30
	22
	23	# SHA-1 is deprecated, so use SHA-2 instead.
	24	default_md = sha256
	25
	26	name_opt = ca_default
	27	cert_opt = ca_default
	28	default_days = 10
	29	preserve = no
	30	policy = policy_loose
	31
	32	[ policy_strict ]
	33	# The root CA should only sign intermediate certificates that match.
	34	# See the POLICY FORMAT section of `man ca`.
	35	countryName = match
	36	stateOrProvinceName = match
	37	organizationName = match
	38	organizationalUnitName = optional
	39	commonName = supplied
	40	emailAddress = optional
	41
	42	[ policy_loose ]
	43	# Allow the intermediate CA to sign a more diverse range of certificates.
	44	# See the POLICY FORMAT section of the `ca` man page.
	45	countryName = optional
	46	stateOrProvinceName = optional
	47	localityName = optional
	48	organizationName = optional
	49	organizationalUnitName = optional
	50	commonName = supplied
	51	emailAddress = optional
	52
	53	[ req ]
	54	# Options for the `req` tool (`man req`).
	55	default_bits = 2048
	56	distinguished_name = req_distinguished_name
	57	string_mask = utf8only
	58
	59	# SHA-1 is deprecated, so use SHA-2 instead.
	60	default_md = sha256
	61
	62	# Extension to add when the -x509 option is used.
	63	x509_extensions = v3_ca
	64
	65	[ req_distinguished_name ]
	66	# See <https://en.wikipedia.org/wiki/Certificate_signing_request>.
	67	countryName = Country Name (2 letter code)
	68	stateOrProvinceName = State or Province Name
	69	localityName = Locality Name
	70	0.organizationName = Organization Name
	71	organizationalUnitName = Organizational Unit Name
	72	commonName = Common Name
	73	emailAddress = Email Address
	74
	75	# Optionally, specify some defaults.
	76	countryName_default = CA
	77	stateOrProvinceName_default = Alberta
	78	localityName_default = Edmonton
	79	0.organizationName_default = OpenBSD
	80	organizationalUnitName_default = So and Sos
	81	emailAddress_default = evilsoandsos@openbsd.org
	82	commonName_default = Regress Intermediate CA
	83
	84	[ v3_ca ]
	85	# Extensions for a typical CA (`man x509v3_config`).
	86	subjectKeyIdentifier = hash
	87	authorityKeyIdentifier = keyid:always,issuer
	88	basicConstraints = critical, CA:true
	89	keyUsage = critical, digitalSignature, cRLSign, keyCertSign
	90
	91	[ v3_intermediate_ca ]
	92	# Extensions for a typical intermediate CA (`man x509v3_config`).
	93	subjectKeyIdentifier = hash
	94	authorityKeyIdentifier = keyid:always,issuer
	95	basicConstraints = critical, CA:true, pathlen:0
	96	keyUsage = critical, digitalSignature, cRLSign, keyCertSign
	97
	98	[ usr_cert ]
	99	# Extensions for client certificates (`man x509v3_config`).
	100	basicConstraints = CA:FALSE
	101	nsCertType = client, email
	102	nsComment = "OpenSSL Generated Client Certificate"
	103	subjectKeyIdentifier = hash
	104	authorityKeyIdentifier = keyid,issuer
	105	keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
	106	extendedKeyUsage = clientAuth, emailProtection
	107
	108	[ server_cert ]
	109	# Extensions for server certificates (`man x509v3_config`).
	110	basicConstraints = CA:FALSE
	111	nsCertType = server
	112	nsComment = "OpenSSL Generated Server Certificate"
	113	subjectKeyIdentifier = hash
	114	authorityKeyIdentifier = keyid,issuer:always
	115	keyUsage = critical, digitalSignature, keyEncipherment
	116	extendedKeyUsage = serverAuth
	117
	118	[ crl_ext ]
	119	# Extension for CRLs (`man x509v3_config`).
	120	authorityKeyIdentifier=keyid:always
	121
	122	[ ocsp ]
	123	# Extension for OCSP signing certificates (`man ocsp`).
	124	basicConstraints = CA:FALSE
	125	subjectKeyIdentifier = hash
	126	authorityKeyIdentifier = keyid,issuer
	127	keyUsage = critical, digitalSignature
	128	extendedKeyUsage = critical, OCSPSigning
	129


diff --git a/src/regress/lib/libcrypto/CA/root.cnf b/src/regress/lib/libcrypto/CA/root.cnf new file mode 100644 index 0000000000..7915a6ab0e --- /dev/null +++ b/src/regress/lib/libcrypto/CA/root.cnf
@@ -0,0 +1,129 @@
	1	# For regression tests
	2	default_ca = CA_regress
	3
	4	[ CA_regress ]
	5	# Directory and file locations.
	6	dir = .
	7	certs = $dir
	8	crl_dir = $dir
	9	database = $dir/root.txt
	10	serial = $dir/rootserial
	11	new_certs_dir = $dir
	12
	13	# The root key and root certificate.
	14	private_key = $dir/root.key.pem
	15	certificate = $dir/root.cert.pem
	16
	17	# For certificate revocation lists.
	18	crlnumber = $dir/crlnumber
	19	crl = $dir/ca.crl.pem
	20	crl_extensions = crl_ext
	21	default_crl_days = 30
	22
	23	# SHA-1 is deprecated, so use SHA-2 instead.
	24	default_md = sha256
	25
	26	name_opt = ca_default
	27	cert_opt = ca_default
	28	default_days = 375
	29	preserve = no
	30	policy = policy_strict
	31
	32	[ policy_strict ]
	33	# The root CA should only sign intermediate certificates that match.
	34	# See the POLICY FORMAT section of `man ca`.
	35	countryName = match
	36	stateOrProvinceName = match
	37	organizationName = match
	38	organizationalUnitName = optional
	39	commonName = supplied
	40	emailAddress = optional
	41
	42	[ policy_loose ]
	43	# Allow the intermediate CA to sign a more diverse range of certificates.
	44	# See the POLICY FORMAT section of the `ca` man page.
	45	countryName = optional
	46	stateOrProvinceName = optional
	47	localityName = optional
	48	organizationName = optional
	49	organizationalUnitName = optional
	50	commonName = supplied
	51	emailAddress = optional
	52
	53	[ req ]
	54	# Options for the `req` tool (`man req`).
	55	default_bits = 2048
	56	distinguished_name = req_distinguished_name
	57	string_mask = utf8only
	58
	59	# SHA-1 is deprecated, so use SHA-2 instead.
	60	default_md = sha256
	61
	62	# Extension to add when the -x509 option is used.
	63	x509_extensions = v3_ca
	64
	65	[ req_distinguished_name ]
	66	# See <https://en.wikipedia.org/wiki/Certificate_signing_request>.
	67	countryName = Country Name (2 letter code)
	68	stateOrProvinceName = State or Province Name
	69	localityName = Locality Name
	70	0.organizationName = Organization Name
	71	organizationalUnitName = Organizational Unit Name
	72	commonName = Common Name
	73	emailAddress = Email Address
	74
	75	# Optionally, specify some defaults.
	76	countryName_default = CA
	77	stateOrProvinceName_default = Alberta
	78	localityName_default = Edmonton
	79	0.organizationName_default = OpenBSD
	80	organizationalUnitName_default = So and Sos
	81	emailAddress_default = evilsoandsos@openbsd.org
	82	commonName_default = Regress Root CA
	83
	84	[ v3_ca ]
	85	# Extensions for a typical CA (`man x509v3_config`).
	86	subjectKeyIdentifier = hash
	87	authorityKeyIdentifier = keyid:always,issuer
	88	basicConstraints = critical, CA:true
	89	keyUsage = critical, digitalSignature, cRLSign, keyCertSign
	90
	91	[ v3_intermediate_ca ]
	92	# Extensions for a typical intermediate CA (`man x509v3_config`).
	93	subjectKeyIdentifier = hash
	94	authorityKeyIdentifier = keyid:always,issuer
	95	basicConstraints = critical, CA:true, pathlen:0
	96	keyUsage = critical, digitalSignature, cRLSign, keyCertSign
	97
	98	[ usr_cert ]
	99	# Extensions for client certificates (`man x509v3_config`).
	100	basicConstraints = CA:FALSE
	101	nsCertType = client, email
	102	nsComment = "OpenSSL Generated Client Certificate"
	103	subjectKeyIdentifier = hash
	104	authorityKeyIdentifier = keyid,issuer
	105	keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
	106	extendedKeyUsage = clientAuth, emailProtection
	107
	108	[ server_cert ]
	109	# Extensions for server certificates (`man x509v3_config`).
	110	basicConstraints = CA:FALSE
	111	nsCertType = server
	112	nsComment = "OpenSSL Generated Server Certificate"
	113	subjectKeyIdentifier = hash
	114	authorityKeyIdentifier = keyid,issuer:always
	115	keyUsage = critical, digitalSignature, keyEncipherment
	116	extendedKeyUsage = serverAuth
	117
	118	[ crl_ext ]
	119	# Extension for CRLs (`man x509v3_config`).
	120	authorityKeyIdentifier=keyid:always
	121
	122	[ ocsp ]
	123	# Extension for OCSP signing certificates (`man ocsp`).
	124	basicConstraints = CA:FALSE
	125	subjectKeyIdentifier = hash
	126	authorityKeyIdentifier = keyid,issuer
	127	keyUsage = critical, digitalSignature
	128	extendedKeyUsage = critical, OCSPSigning
	129