-rw-r--r--src/regress/lib/libcrypto/CA/Makefile21
-rwxr-xr-xsrc/regress/lib/libcrypto/CA/doit.sh115
-rw-r--r--src/regress/lib/libcrypto/CA/index.txt0
-rw-r--r--src/regress/lib/libcrypto/CA/intermediate.cnf129
-rw-r--r--src/regress/lib/libcrypto/CA/root.cnf129
5 files changed, 394 insertions, 0 deletions
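diff --git a/src/regress/lib/libcrypto/CA/Makefile b/src/regress/lib/libcrypto/CA/Makefile
new file mode 100644
index 0000000000..c31c99c946
--- /dev/null
+++ b/src/regress/lib/libcrypto/CA/Makefile
@@ -0,0 +1,21 @@
+# $OpenBSD: Makefile,v 1.1 2017/01/25 10:29:34 beck Exp $
+
+TESTS = \
+	doit.sh
+
+REGRESS_TARGETS= all_tests
+
+CLEANFILES += \
+1000.pem client.cert.pem intermediate.cert.pem root.cert.pem server.csr.pem \
+1001.pem client.csr.pem intermediate.csr.pem root.key.pem server.key.pem \
+chain.pem client.key.pem intermediate.key.pem server.cert.pem \
+int.txt int.txt.attr int.txt.old int.txt.attr.old \
+root.txt root.txt.attr root.txt.old root.txt.attr.old \
+intserial rootserial intserial.old rootserial.old
+
+all_tests: ${TESTS}
+	@for test in $>; do \
+	./$$test; \
+	done
+
+.include <bsd.regress.mk>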
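Review bot: The `all_tests` recipe (hunk lines 17-19) runs each entry as `./$$test;` inside a `for` loop, so the recipe's exit status is only that of the last iteration and a failing test anywhere but at the end of `${TESTS}` would not fail the regress target. With a single `doit.sh` this is masked today, but it will silently hide failures as soon as a second script is added; `./$$test || exit 1; \` makes the loop stop on the first failure. I cannot tell from this diff whether bsd.regress.mk runs the target from an obj directory; if it does, `./$$test` and the `root.cnf`/`intermediate.cnf` files that doit.sh opens relative to the cwd would need to be reached via `${.CURDIR}`.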
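diff --git a/src/regress/lib/libcrypto/CA/doit.sh b/src/regress/lib/libcrypto/CA/doit.sh
new file mode 100755
index 0000000000..3b0375a026
--- /dev/null
+++ b/src/regress/lib/libcrypto/CA/doit.sh
@@ -0,0 +1,115 @@
+#!/bin/sh
+
+rm -rf root intermediate certs
+echo 1000 > rootserial
+cat /dev/null > root.txt
+echo 1000 > intserial
+cat /dev/null > int.txt
+
+# Vanna Vanna make me a root cert
+openssl genrsa -out root.key.pem 4096
+if [ $? -ne 0 ]; then
+	echo "*** Fail; Can't generate root rsa 4096 key"
+	exit 1
+fi
+
+openssl req -batch -config root.cnf -key root.key.pem -new -x509 -days 365 -sha256 -extensions v3_ca -out root.cert.pem
+if [ $? -ne 0 ]; then
+	echo "*** Fail; Can't generate root req"
+	exit 1
+fi
+
+# Make intermediate
+openssl genrsa -out intermediate.key.pem 2048
+if [ $? -ne 0 ]; then
+	echo "*** Fail; Can't generate intermediate rsa 2048 key"
+	exit 1
+fi
+
+openssl req -batch -config intermediate.cnf -new -sha256 \
+	-key intermediate.key.pem \
+	-out intermediate.csr.pem
+if [ $? -ne 0 ]; then
+	echo "*** Fail; Can't generate intermediate req"
+	exit 1
+fi
+
+# Sign intermediate
+openssl ca -batch -config root.cnf -extensions v3_intermediate_ca -days 10 -notext -md sha256 -in intermediate.csr.pem -out intermediate.cert.pem
+if [ $? -ne 0 ]; then
+	echo "*** Fail; Can't sign intermediate"
+	exit 1
+fi
+
+# Verify Intermediate
+openssl verify -CAfile ca.cert.pem intermediate.cert.pem
+if [ $? -ne 0]; then
+	echo "*** Fail; Intermediate CA does not validate"
+	exit 1
+fi
+
+cat intermediate.cert.pem root.cert.pem > chain.pem
+
+# make a server certificate
+
+openssl genrsa -out server.key.pem 2048
+if [ $? -ne 0]; then
+	echo "*** Fail; genrsa server"
+	exit 1
+fi
+
+
+openssl req -batch -config intermediate.cnf \
+	-key server.key.pem \
+	-new -sha256 -out server.csr.pem \
+	-subj '/CN=server/O=OpenBSD/OU=So and Sos/C=CA'
+if [ $? -ne 0]; then
+	echo "*** Fail; server req"
+	exit 1
+fi
+
+# sign server key
+openssl ca -batch -config intermediate.cnf -extensions server_cert -days 5 -notext -md sha256 -in server.csr.pem -out server.cert.pem
+if [ $? -ne 0 ]; then
+	echo "*** Fail; server sign"
+	exit 1
+fi
+
+# make a client certificate
+
+openssl genrsa -out client.key.pem 2048
+if [ $? -ne 0]; then
+	echo "*** Fail; genrsa client"
+	exit 1
+fi
+
+openssl req -batch -config intermediate.cnf \
+	-key client.key.pem \
+	-new -sha256 -out client.csr.pem \
+	-subj '/CN=client/O=OpenBSD/OU=So and Sos/C=CA'
+if [ $? -ne 0]; then
+	echo "*** Fail; client req"
+	exit 1
+fi
+
+# sign client key
+openssl ca -batch -config intermediate.cnf -extensions usr_cert -days 5 -notext -md sha256 -in client.csr.pem -out client.cert.pem
+if [ $? -ne 0 ]; then
+	echo "*** Fail; client sign"
+	exit 1
+fi
+
+# Verify Intermediate
+openssl verify -purpose sslserver -CAfile chain.pem server.cert.pem
+if [ $? -ne 0 ]; then
+	echo "*** Fail; server cert does not validate"
+	exit 1
+fi
+
+# Verify Intermediate
+openssl verify -purpose sslclient -CAfile chain.pem client.cert.pem
+if [ $? -ne 0 ]; then
+	echo "*** Fail; client cert does not validate"
+	exit 1
+fi
+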
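Review bot: The intermediate verification at hunk line 45 passes `-CAfile ca.cert.pem`, a file nothing in this script produces — the root certificate is written to `root.cert.pem` on line 16 — so that `openssl verify` cannot succeed. The failure goes unnoticed because of a second defect: `if [ $? -ne 0]; then` (lines 46, 56, 66, 81 and 90) has no space before `]`, so `test` exits with a usage error instead of evaluating the comparison, the condition is never true, and these five checks are no-ops that swallow whatever status openssl returned. Change line 45 to `openssl verify -CAfile root.cert.pem intermediate.cert.pem` and the five conditions to `if [ $? -ne 0 ]; then`. The leaf checks on lines 103 and 110 feed the intermediate to `-CAfile` through chain.pem, i.e. as a trust anchor; `-CAfile root.cert.pem -untrusted intermediate.cert.pem` would verify the chain the way a relying party that only trusts the root does. The comments on lines 102 and 109 still read `# Verify Intermediate` but guard the server and client certificate checks.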
diff --git a/src/regress/lib/libcrypto/CA/index.txt b/src/regress/lib/libcrypto/CA/index.txt
new file mode 100644
index 0000000000..e69de29bb2
--- /dev/null
+++ b/src/regress/lib/libcrypto/CA/index.txt
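diff --git a/src/regress/lib/libcrypto/CA/intermediate.cnf b/src/regress/lib/libcrypto/CA/intermediate.cnf
new file mode 100644
index 0000000000..383f8f0b9b
--- /dev/null
+++ b/src/regress/lib/libcrypto/CA/intermediate.cnf
@@ -0,0 +1,129 @@
+# For regression tests
+default_ca = CA_regress
+
+[ CA_regress ]
+# Directory and file locations.
+dir = .
+certs = $dir
+crl_dir = $dir
+database = $dir/int.txt
+serial = $dir/intserial
+new_certs_dir = $dir
+
+# The root key and root certificate.
+private_key = $dir/intermediate.key.pem
+certificate = $dir/intermediate.cert.pem
+
+# For certificate revocation lists.
+crlnumber = $dir/crlnumber
+crl = $dir/ca.crl.pem
+crl_extensions = crl_ext
+default_crl_days = 30
+
+# SHA-1 is deprecated, so use SHA-2 instead.
+default_md = sha256
+
+name_opt = ca_default
+cert_opt = ca_default
+default_days = 10
+preserve = no
+policy = policy_loose
+
+[ policy_strict ]
+# The root CA should only sign intermediate certificates that match.
+# See the POLICY FORMAT section of `man ca`.
+countryName = match
+stateOrProvinceName = match
+organizationName = match
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+
+[ policy_loose ]
+# Allow the intermediate CA to sign a more diverse range of certificates.
+# See the POLICY FORMAT section of the `ca` man page.
+countryName = optional
+stateOrProvinceName = optional
+localityName = optional
+organizationName = optional
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+
+[ req ]
+# Options for the `req` tool (`man req`).
+default_bits = 2048
+distinguished_name = req_distinguished_name
+string_mask = utf8only
+
+# SHA-1 is deprecated, so use SHA-2 instead.
+default_md = sha256
+
+# Extension to add when the -x509 option is used.
+x509_extensions = v3_ca
+
+[ req_distinguished_name ]
+# See <https://en.wikipedia.org/wiki/Certificate_signing_request>.
+countryName = Country Name (2 letter code)
+stateOrProvinceName = State or Province Name
+localityName = Locality Name
+0.organizationName = Organization Name
+organizationalUnitName = Organizational Unit Name
+commonName = Common Name
+emailAddress = Email Address
+
+# Optionally, specify some defaults.
+countryName_default = CA
+stateOrProvinceName_default = Alberta
+localityName_default = Edmonton
+0.organizationName_default = OpenBSD
+organizationalUnitName_default = So and Sos
+emailAddress_default = evilsoandsos@openbsd.org
+commonName_default = Regress Intermediate CA
+
+[ v3_ca ]
+# Extensions for a typical CA (`man x509v3_config`).
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+basicConstraints = critical, CA:true
+keyUsage = critical, digitalSignature, cRLSign, keyCertSign
+
+[ v3_intermediate_ca ]
+# Extensions for a typical intermediate CA (`man x509v3_config`).
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+basicConstraints = critical, CA:true, pathlen:0
+keyUsage = critical, digitalSignature, cRLSign, keyCertSign
+
+[ usr_cert ]
+# Extensions for client certificates (`man x509v3_config`).
+basicConstraints = CA:FALSE
+nsCertType = client, email
+nsComment = "OpenSSL Generated Client Certificate"
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer
+keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
+extendedKeyUsage = clientAuth, emailProtection
+
+[ server_cert ]
+# Extensions for server certificates (`man x509v3_config`).
+basicConstraints = CA:FALSE
+nsCertType = server
+nsComment = "OpenSSL Generated Server Certificate"
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer:always
+keyUsage = critical, digitalSignature, keyEncipherment
+extendedKeyUsage = serverAuth
+
+[ crl_ext ]
+# Extension for CRLs (`man x509v3_config`).
+authorityKeyIdentifier=keyid:always
+
+[ ocsp ]
+# Extension for OCSP signing certificates (`man ocsp`).
+basicConstraints = CA:FALSE
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer
+keyUsage = critical, digitalSignature
+extendedKeyUsage = critical, OCSPSigning
+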
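Review bot: `new_certs_dir = $dir` with `dir = .` (hunk lines 6 and 11) makes this CA write its issued certificates as `<serial>.pem` into the same directory the root CA in root.cnf uses, and doit.sh seeds both `rootserial` and `intserial` with 1000, so the `1000.pem` copy of the intermediate certificate that the root CA writes is overwritten the moment this CA issues the server certificate. That is harmless for today's regress, but it leaves the root's database (`root.txt`) pointing at a file that now holds a different certificate; seeding `intserial` from a distinct range or giving this CA its own `new_certs_dir` keeps the two CA stores separate. The comment on line 13, `# The root key and root certificate.`, was carried over from root.cnf and should read `# The intermediate key and certificate.`. `nsCertType` on lines 101 and 111 is a legacy Netscape extension that modern verifiers ignore; the `-purpose sslserver`/`sslclient` checks in doit.sh are satisfied by the `extendedKeyUsage` values already set here.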
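diff --git a/src/regress/lib/libcrypto/CA/root.cnf b/src/regress/lib/libcrypto/CA/root.cnf
new file mode 100644
index 0000000000..7915a6ab0e
--- /dev/null
+++ b/src/regress/lib/libcrypto/CA/root.cnf
@@ -0,0 +1,129 @@
+# For regression tests
+default_ca = CA_regress
+
+[ CA_regress ]
+# Directory and file locations.
+dir = .
+certs = $dir
+crl_dir = $dir
+database = $dir/root.txt
+serial = $dir/rootserial
+new_certs_dir = $dir
+
+# The root key and root certificate.
+private_key = $dir/root.key.pem
+certificate = $dir/root.cert.pem
+
+# For certificate revocation lists.
+crlnumber = $dir/crlnumber
+crl = $dir/ca.crl.pem
+crl_extensions = crl_ext
+default_crl_days = 30
+
+# SHA-1 is deprecated, so use SHA-2 instead.
+default_md = sha256
+
+name_opt = ca_default
+cert_opt = ca_default
+default_days = 375
+preserve = no
+policy = policy_strict
+
+[ policy_strict ]
+# The root CA should only sign intermediate certificates that match.
+# See the POLICY FORMAT section of `man ca`.
+countryName = match
+stateOrProvinceName = match
+organizationName = match
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+
+[ policy_loose ]
+# Allow the intermediate CA to sign a more diverse range of certificates.
+# See the POLICY FORMAT section of the `ca` man page.
+countryName = optional
+stateOrProvinceName = optional
+localityName = optional
+organizationName = optional
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+
+[ req ]
+# Options for the `req` tool (`man req`).
+default_bits = 2048
+distinguished_name = req_distinguished_name
+string_mask = utf8only
+
+# SHA-1 is deprecated, so use SHA-2 instead.
+default_md = sha256
+
+# Extension to add when the -x509 option is used.
+x509_extensions = v3_ca
+
+[ req_distinguished_name ]
+# See <https://en.wikipedia.org/wiki/Certificate_signing_request>.
+countryName = Country Name (2 letter code)
+stateOrProvinceName = State or Province Name
+localityName = Locality Name
+0.organizationName = Organization Name
+organizationalUnitName = Organizational Unit Name
+commonName = Common Name
+emailAddress = Email Address
+
+# Optionally, specify some defaults.
+countryName_default = CA
+stateOrProvinceName_default = Alberta
+localityName_default = Edmonton
+0.organizationName_default = OpenBSD
+organizationalUnitName_default = So and Sos
+emailAddress_default = evilsoandsos@openbsd.org
+commonName_default = Regress Root CA
+
+[ v3_ca ]
+# Extensions for a typical CA (`man x509v3_config`).
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+basicConstraints = critical, CA:true
+keyUsage = critical, digitalSignature, cRLSign, keyCertSign
+
+[ v3_intermediate_ca ]
+# Extensions for a typical intermediate CA (`man x509v3_config`).
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+basicConstraints = critical, CA:true, pathlen:0
+keyUsage = critical, digitalSignature, cRLSign, keyCertSign
+
+[ usr_cert ]
+# Extensions for client certificates (`man x509v3_config`).
+basicConstraints = CA:FALSE
+nsCertType = client, email
+nsComment = "OpenSSL Generated Client Certificate"
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer
+keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
+extendedKeyUsage = clientAuth, emailProtection
+
+[ server_cert ]
+# Extensions for server certificates (`man x509v3_config`).
+basicConstraints = CA:FALSE
+nsCertType = server
+nsComment = "OpenSSL Generated Server Certificate"
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer:always
+keyUsage = critical, digitalSignature, keyEncipherment
+extendedKeyUsage = serverAuth
+
+[ crl_ext ]
+# Extension for CRLs (`man x509v3_config`).
+authorityKeyIdentifier=keyid:always
+
+[ ocsp ]
+# Extension for OCSP signing certificates (`man ocsp`).
+basicConstraints = CA:FALSE
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer
+keyUsage = critical, digitalSignature
+extendedKeyUsage = critical, OCSPSigning
+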
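Review bot: `v3_intermediate_ca` on hunk line 95 sets `basicConstraints = critical, CA:true, pathlen:0`, yet nothing in the regress checks that the constraint is enforced: doit.sh only has the intermediate issue leaf certificates and verifies those, so a verifier that ignored the path-length limit would still pass. A negative case — have the intermediate sign a further CA certificate with `-extensions v3_intermediate_ca`, issue a leaf from it, and assert `openssl verify` rejects that chain — would make the extension settings in this file something the test actually exercises. Most of this file (`policy_loose`, `usr_cert`, `server_cert`, `ocsp`) is never selected by a `-config root.cnf` invocation in doit.sh; either trim it to `policy_strict`/`v3_ca`/`v3_intermediate_ca` or add a comment such as `# Shared template with intermediate.cnf; only policy_strict, v3_ca and v3_intermediate_ca are used by the root CA.` so the root's issuing policy can be audited without cross-checking the script.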