Diffstat (limited to 'src/regress/lib/libcrypto/CA')
-rw-r--r--src/regress/lib/libcrypto/CA/Makefile21
-rwxr-xr-xsrc/regress/lib/libcrypto/CA/doit.sh116
-rw-r--r--src/regress/lib/libcrypto/CA/intermediate.cnf130
-rw-r--r--src/regress/lib/libcrypto/CA/root.cnf130
4 files changed, 0 insertions, 397 deletions
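diff --git a/src/regress/lib/libcrypto/CA/Makefile b/src/regress/lib/libcrypto/CA/Makefile
deleted file mode 100644
index c31c99c946..0000000000
--- a/src/regress/lib/libcrypto/CA/Makefile
+++ /dev/null
@@ -1,21 +0,0 @@
-# $OpenBSD: Makefile,v 1.1 2017/01/25 10:29:34 beck Exp $
-
-TESTS = \
- doit.sh
-
-REGRESS_TARGETS= all_tests
-
-CLEANFILES += \
-1000.pem client.cert.pem intermediate.cert.pem root.cert.pem server.csr.pem \
-1001.pem client.csr.pem intermediate.csr.pem root.key.pem server.key.pem \
-chain.pem client.key.pem intermediate.key.pem server.cert.pem \
-int.txt int.txt.attr int.txt.old int.txt.attr.old \
-root.txt root.txt.attr root.txt.old root.txt.attr.old \
-intserial rootserial intserial.old rootserial.old
-
-all_tests: ${TESTS}
- @for test in $>; do \
- ./$$test; \
- done
-
-.include <bsd.regress.mk>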
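diff --git a/src/regress/lib/libcrypto/CA/doit.sh b/src/regress/lib/libcrypto/CA/doit.sh
deleted file mode 100755
index 110d89d67f..0000000000
--- a/src/regress/lib/libcrypto/CA/doit.sh
+++ /dev/null
@@ -1,116 +0,0 @@
-#!/bin/sh
-# $OpenBSD: doit.sh,v 1.2 2018/07/17 17:06:49 tb Exp $
-
-rm -rf root intermediate certs
-echo 1000 > rootserial
-cat /dev/null > root.txt
-echo 1000 > intserial
-cat /dev/null > int.txt
-
-# Vanna Vanna make me a root cert
-openssl genrsa -out root.key.pem 4096
-if [ $? -ne 0 ]; then
- echo "*** Fail; Can't generate root rsa 4096 key"
- exit 1
-fi
-
-openssl req -batch -config root.cnf -key root.key.pem -new -x509 -days 365 -sha256 -extensions v3_ca -out root.cert.pem
-if [ $? -ne 0 ]; then
- echo "*** Fail; Can't generate root req"
- exit 1
-fi
-
-# Make intermediate
-openssl genrsa -out intermediate.key.pem 2048
-if [ $? -ne 0 ]; then
- echo "*** Fail; Can't generate intermediate rsa 2048 key"
- exit 1
-fi
-
-openssl req -batch -config intermediate.cnf -new -sha256 \
- -key intermediate.key.pem \
- -out intermediate.csr.pem
-if [ $? -ne 0 ]; then
- echo "*** Fail; Can't generate intermediate req"
- exit 1
-fi
-
-# Sign intermediate
-openssl ca -batch -config root.cnf -extensions v3_intermediate_ca -days 10 -notext -md sha256 -in intermediate.csr.pem -out intermediate.cert.pem
-if [ $? -ne 0 ]; then
- echo "*** Fail; Can't sign intermediate"
- exit 1
-fi
-
-# Verify Intermediate
-openssl verify -CAfile ca.cert.pem intermediate.cert.pem
-if [ $? -ne 0]; then
- echo "*** Fail; Intermediate CA does not validate"
- exit 1
-fi
-
-cat intermediate.cert.pem root.cert.pem > chain.pem
-
-# make a server certificate
-
-openssl genrsa -out server.key.pem 2048
-if [ $? -ne 0]; then
- echo "*** Fail; genrsa server"
- exit 1
-fi
-
-
-openssl req -batch -config intermediate.cnf \
- -key server.key.pem \
- -new -sha256 -out server.csr.pem \
- -subj '/CN=server/O=OpenBSD/OU=So and Sos/C=CA'
-if [ $? -ne 0]; then
- echo "*** Fail; server req"
- exit 1
-fi
-
-# sign server key
-openssl ca -batch -config intermediate.cnf -extensions server_cert -days 5 -notext -md sha256 -in server.csr.pem -out server.cert.pem
-if [ $? -ne 0 ]; then
- echo "*** Fail; server sign"
- exit 1
-fi
-
-# make a client certificate
-
-openssl genrsa -out client.key.pem 2048
-if [ $? -ne 0]; then
- echo "*** Fail; genrsa client"
- exit 1
-fi
-
-openssl req -batch -config intermediate.cnf \
- -key client.key.pem \
- -new -sha256 -out client.csr.pem \
- -subj '/CN=client/O=OpenBSD/OU=So and Sos/C=CA'
-if [ $? -ne 0]; then
- echo "*** Fail; client req"
- exit 1
-fi
-
-# sign client key
-openssl ca -batch -config intermediate.cnf -extensions usr_cert -days 5 -notext -md sha256 -in client.csr.pem -out client.cert.pem
-if [ $? -ne 0 ]; then
- echo "*** Fail; client sign"
- exit 1
-fi
-
-# Verify Intermediate
-openssl verify -purpose sslserver -CAfile chain.pem server.cert.pem
-if [ $? -ne 0 ]; then
- echo "*** Fail; server cert does not validate"
- exit 1
-fi
-
-# Verify Intermediate
-openssl verify -purpose sslclient -CAfile chain.pem client.cert.pem
-if [ $? -ne 0 ]; then
- echo "*** Fail; client cert does not validate"
- exit 1
-fi
-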
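diff --git a/src/regress/lib/libcrypto/CA/intermediate.cnf b/src/regress/lib/libcrypto/CA/intermediate.cnf
deleted file mode 100644
index 9a95487c00..0000000000
--- a/src/regress/lib/libcrypto/CA/intermediate.cnf
+++ /dev/null
@@ -1,130 +0,0 @@
-# $OpenBSD: intermediate.cnf,v 1.2 2018/07/17 17:06:49 tb Exp $
-# For regression tests
-default_ca = CA_regress
-
-[ CA_regress ]
-# Directory and file locations.
-dir = .
-certs = $dir
-crl_dir = $dir
-database = $dir/int.txt
-serial = $dir/intserial
-new_certs_dir = $dir
-
-# The root key and root certificate.
-private_key = $dir/intermediate.key.pem
-certificate = $dir/intermediate.cert.pem
-
-# For certificate revocation lists.
-crlnumber = $dir/crlnumber
-crl = $dir/ca.crl.pem
-crl_extensions = crl_ext
-default_crl_days = 30
-
-# SHA-1 is deprecated, so use SHA-2 instead.
-default_md = sha256
-
-name_opt = ca_default
-cert_opt = ca_default
-default_days = 10
-preserve = no
-policy = policy_loose
-
-[ policy_strict ]
-# The root CA should only sign intermediate certificates that match.
-# See the POLICY FORMAT section of `man ca`.
-countryName = match
-stateOrProvinceName = match
-organizationName = match
-organizationalUnitName = optional
-commonName = supplied
-emailAddress = optional
-
-[ policy_loose ]
-# Allow the intermediate CA to sign a more diverse range of certificates.
-# See the POLICY FORMAT section of the `ca` man page.
-countryName = optional
-stateOrProvinceName = optional
-localityName = optional
-organizationName = optional
-organizationalUnitName = optional
-commonName = supplied
-emailAddress = optional
-
-[ req ]
-# Options for the `req` tool (`man req`).
-default_bits = 2048
-distinguished_name = req_distinguished_name
-string_mask = utf8only
-
-# SHA-1 is deprecated, so use SHA-2 instead.
-default_md = sha256
-
-# Extension to add when the -x509 option is used.
-x509_extensions = v3_ca
-
-[ req_distinguished_name ]
-# See <https://en.wikipedia.org/wiki/Certificate_signing_request>.
-countryName = Country Name (2 letter code)
-stateOrProvinceName = State or Province Name
-localityName = Locality Name
-0.organizationName = Organization Name
-organizationalUnitName = Organizational Unit Name
-commonName = Common Name
-emailAddress = Email Address
-
-# Optionally, specify some defaults.
-countryName_default = CA
-stateOrProvinceName_default = Alberta
-localityName_default = Edmonton
-0.organizationName_default = OpenBSD
-organizationalUnitName_default = So and Sos
-emailAddress_default = evilsoandsos@openbsd.org
-commonName_default = Regress Intermediate CA
-
-[ v3_ca ]
-# Extensions for a typical CA (`man x509v3_config`).
-subjectKeyIdentifier = hash
-authorityKeyIdentifier = keyid:always,issuer
-basicConstraints = critical, CA:true
-keyUsage = critical, digitalSignature, cRLSign, keyCertSign
-
-[ v3_intermediate_ca ]
-# Extensions for a typical intermediate CA (`man x509v3_config`).
-subjectKeyIdentifier = hash
-authorityKeyIdentifier = keyid:always,issuer
-basicConstraints = critical, CA:true, pathlen:0
-keyUsage = critical, digitalSignature, cRLSign, keyCertSign
-
-[ usr_cert ]
-# Extensions for client certificates (`man x509v3_config`).
-basicConstraints = CA:FALSE
-nsCertType = client, email
-nsComment = "OpenSSL Generated Client Certificate"
-subjectKeyIdentifier = hash
-authorityKeyIdentifier = keyid,issuer
-keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
-extendedKeyUsage = clientAuth, emailProtection
-
-[ server_cert ]
-# Extensions for server certificates (`man x509v3_config`).
-basicConstraints = CA:FALSE
-nsCertType = server
-nsComment = "OpenSSL Generated Server Certificate"
-subjectKeyIdentifier = hash
-authorityKeyIdentifier = keyid,issuer:always
-keyUsage = critical, digitalSignature, keyEncipherment
-extendedKeyUsage = serverAuth
-
-[ crl_ext ]
-# Extension for CRLs (`man x509v3_config`).
-authorityKeyIdentifier=keyid:always
-
-[ ocsp ]
-# Extension for OCSP signing certificates (`man ocsp`).
-basicConstraints = CA:FALSE
-subjectKeyIdentifier = hash
-authorityKeyIdentifier = keyid,issuer
-keyUsage = critical, digitalSignature
-extendedKeyUsage = critical, OCSPSigning
-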
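diff --git a/src/regress/lib/libcrypto/CA/root.cnf b/src/regress/lib/libcrypto/CA/root.cnf
deleted file mode 100644
index b22e161476..0000000000
--- a/src/regress/lib/libcrypto/CA/root.cnf
+++ /dev/null
@@ -1,130 +0,0 @@
-# $OpenBSD: root.cnf,v 1.2 2018/07/17 17:06:49 tb Exp $
-# For regression tests
-default_ca = CA_regress
-
-[ CA_regress ]
-# Directory and file locations.
-dir = .
-certs = $dir
-crl_dir = $dir
-database = $dir/root.txt
-serial = $dir/rootserial
-new_certs_dir = $dir
-
-# The root key and root certificate.
-private_key = $dir/root.key.pem
-certificate = $dir/root.cert.pem
-
-# For certificate revocation lists.
-crlnumber = $dir/crlnumber
-crl = $dir/ca.crl.pem
-crl_extensions = crl_ext
-default_crl_days = 30
-
-# SHA-1 is deprecated, so use SHA-2 instead.
-default_md = sha256
-
-name_opt = ca_default
-cert_opt = ca_default
-default_days = 375
-preserve = no
-policy = policy_strict
-
-[ policy_strict ]
-# The root CA should only sign intermediate certificates that match.
-# See the POLICY FORMAT section of `man ca`.
-countryName = match
-stateOrProvinceName = match
-organizationName = match
-organizationalUnitName = optional
-commonName = supplied
-emailAddress = optional
-
-[ policy_loose ]
-# Allow the intermediate CA to sign a more diverse range of certificates.
-# See the POLICY FORMAT section of the `ca` man page.
-countryName = optional
-stateOrProvinceName = optional
-localityName = optional
-organizationName = optional
-organizationalUnitName = optional
-commonName = supplied
-emailAddress = optional
-
-[ req ]
-# Options for the `req` tool (`man req`).
-default_bits = 2048
-distinguished_name = req_distinguished_name
-string_mask = utf8only
-
-# SHA-1 is deprecated, so use SHA-2 instead.
-default_md = sha256
-
-# Extension to add when the -x509 option is used.
-x509_extensions = v3_ca
-
-[ req_distinguished_name ]
-# See <https://en.wikipedia.org/wiki/Certificate_signing_request>.
-countryName = Country Name (2 letter code)
-stateOrProvinceName = State or Province Name
-localityName = Locality Name
-0.organizationName = Organization Name
-organizationalUnitName = Organizational Unit Name
-commonName = Common Name
-emailAddress = Email Address
-
-# Optionally, specify some defaults.
-countryName_default = CA
-stateOrProvinceName_default = Alberta
-localityName_default = Edmonton
-0.organizationName_default = OpenBSD
-organizationalUnitName_default = So and Sos
-emailAddress_default = evilsoandsos@openbsd.org
-commonName_default = Regress Root CA
-
-[ v3_ca ]
-# Extensions for a typical CA (`man x509v3_config`).
-subjectKeyIdentifier = hash
-authorityKeyIdentifier = keyid:always,issuer
-basicConstraints = critical, CA:true
-keyUsage = critical, digitalSignature, cRLSign, keyCertSign
-
-[ v3_intermediate_ca ]
-# Extensions for a typical intermediate CA (`man x509v3_config`).
-subjectKeyIdentifier = hash
-authorityKeyIdentifier = keyid:always,issuer
-basicConstraints = critical, CA:true, pathlen:0
-keyUsage = critical, digitalSignature, cRLSign, keyCertSign
-
-[ usr_cert ]
-# Extensions for client certificates (`man x509v3_config`).
-basicConstraints = CA:FALSE
-nsCertType = client, email
-nsComment = "OpenSSL Generated Client Certificate"
-subjectKeyIdentifier = hash
-authorityKeyIdentifier = keyid,issuer
-keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
-extendedKeyUsage = clientAuth, emailProtection
-
-[ server_cert ]
-# Extensions for server certificates (`man x509v3_config`).
-basicConstraints = CA:FALSE
-nsCertType = server
-nsComment = "OpenSSL Generated Server Certificate"
-subjectKeyIdentifier = hash
-authorityKeyIdentifier = keyid,issuer:always
-keyUsage = critical, digitalSignature, keyEncipherment
-extendedKeyUsage = serverAuth
-
-[ crl_ext ]
-# Extension for CRLs (`man x509v3_config`).
-authorityKeyIdentifier=keyid:always
-
-[ ocsp ]
-# Extension for OCSP signing certificates (`man ocsp`).
-basicConstraints = CA:FALSE
-subjectKeyIdentifier = hash
-authorityKeyIdentifier = keyid,issuer
-keyUsage = critical, digitalSignature
-extendedKeyUsage = critical, OCSPSigning
-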