From 71c8cd20852d43fa142ca3f6e89a33431c506baf Mon Sep 17 00:00:00 2001 From: Richard Levitte Date: Sun, 19 Jun 2016 10:56:09 +0200 Subject: [PATCH] Make it possible to generate proxy certs with test/certs/mkcert.sh This extends 'req' to take more than one DN component, and to take them as full DN components and not just CN values. All other commands are changed to pass "CN = $cn" instead of just a CN value. This adds 'genpc', which differs from the other 'gen*' commands by not calling 'req', and expect the result from 'req' to come through stdin. Finally, test/certs/setup.sh gets the commands needed to generate a few proxy certificates. Reviewed-by: Rich Salz Reviewed-by: Stephen Henson --- test/certs/mkcert.sh | 39 +++++++++++++++++++++++++++++++-------- test/certs/setup.sh | 26 ++++++++++++++++++++++++++ 2 files changed, 57 insertions(+), 8 deletions(-) diff --git a/test/certs/mkcert.sh b/test/certs/mkcert.sh index daa0679ee8..39e3a1e28c 100755 --- a/test/certs/mkcert.sh +++ b/test/certs/mkcert.sh @@ -49,17 +49,18 @@ key() { fi } +# Usage: $0 req keyname dn1 dn2 ... req() { local key=$1; shift - local cn=$1; shift key "$key" local errs stderr_onerror \ openssl req -new -"${OPENSSL_SIGALG}" -key "${key}.pem" \ - -config <(printf "[req]\n%s\n%s\n[dn]\nCN=%s\n" \ - "prompt = no" "distinguished_name = dn" "${cn}") + -config <(printf "[req]\n%s\n%s\n[dn]\n" \ + "prompt = no" "distinguished_name = dn" "${dn}" + for dn in "$@"; do echo "$dn"; done) } req_nocn() { @@ -93,7 +94,7 @@ genroot() { do exts=$(printf "%s\nextendedKeyUsage = %s\n" "$exts" "$eku") done - csr=$(req "$key" "$cn") || return 1 + csr=$(req "$key" "CN = $cn") || return 1 echo "$csr" | cert "$cert" "$exts" -signkey "${key}.pem" -set_serial 1 -days "${DAYS}" } @@ -112,7 +113,7 @@ genca() { do exts=$(printf "%s\nextendedKeyUsage = %s\n" "$exts" "$eku") done - csr=$(req "$key" "$cn") || return 1 + csr=$(req "$key" "CN = $cn") || return 1 echo "$csr" | cert "$cert" "$exts" -CA "${cacert}.pem" -CAkey "${cakey}.pem" \ -set_serial 2 -days "${DAYS}" @@ -133,12 +134,34 @@ gen_nonbc_ca() { do exts=$(printf "%s\nextendedKeyUsage = %s\n" "$exts" "$eku") done - csr=$(req "$key" "$cn") || return 1 + csr=$(req "$key" "CN = $cn") || return 1 echo "$csr" | cert "$cert" "$exts" -CA "${cacert}.pem" -CAkey "${cakey}.pem" \ -set_serial 2 -days "${DAYS}" } +# Usage: $0 genpc keyname certname eekeyname eecertname pcext1 pcext2 ... +# +# Note: takes csr on stdin, so must be used with $0 req like this: +# +# $0 req keyname dn | $0 genpc keyname certname eekeyname eecertname pcext ... +genpc() { + local key=$1; shift + local cert=$1; shift + local cakey=$1; shift + local ca=$1; shift + + exts=$(printf "%s\n%s\n%s\n%s\n" \ + "subjectKeyIdentifier = hash" \ + "authorityKeyIdentifier = keyid, issuer:always" \ + "basicConstraints = CA:false" \ + "proxyCertInfo = critical, @pcexts"; + echo "[pcexts]"; + for x in "$@"; do echo $x; done) + cert "$cert" "$exts" -CA "${ca}.pem" -CAkey "${cakey}.pem" \ + -set_serial 2 -days "${DAYS}" +} + genee() { local OPTIND=1 local purpose=serverAuth @@ -165,7 +188,7 @@ genee() { "basicConstraints = CA:false" \ "extendedKeyUsage = $purpose" \ "subjectAltName = @alts" "DNS=${cn}") - csr=$(req "$key" "$cn") || return 1 + csr=$(req "$key" "CN = $cn") || return 1 echo "$csr" | cert "$cert" "$exts" -CA "${ca}.pem" -CAkey "${cakey}.pem" \ -set_serial 2 -days "${DAYS}" "$@" @@ -182,7 +205,7 @@ genss() { "basicConstraints = CA:false" \ "extendedKeyUsage = serverAuth" \ "subjectAltName = @alts" "DNS=${cn}") - csr=$(req "$key" "$cn") || return 1 + csr=$(req "$key" "CN = $cn") || return 1 echo "$csr" | cert "$cert" "$exts" -signkey "${key}.pem" \ -set_serial 1 -days "${DAYS}" "$@" diff --git a/test/certs/setup.sh b/test/certs/setup.sh index f34104613f..4eaf511ef4 100755 --- a/test/certs/setup.sh +++ b/test/certs/setup.sh @@ -182,3 +182,29 @@ OPENSSL_SIGALG=md5 \ # 768-bit leaf key OPENSSL_KEYBITS=768 \ ./mkcert.sh genee server.example ee-key-768 ee-cert-768 ca-key ca-cert + +# Proxy certificates, off of ee-client +# Start with some good ones +./mkcert.sh req pc1-key "0.CN = server.example" "1.CN = proxy 1" | \ + ./mkcert.sh genpc pc1-key pc1-cert ee-key ee-client \ + "language = id-ppl-anyLanguage" "pathlen = 1" "policy = text:AB" +./mkcert.sh req pc2-key "0.CN = server.example" "1.CN = proxy 1" "2.CN = proxy 2" | \ + ./mkcert.sh genpc pc2-key pc2-cert pc1-key pc1-cert \ + "language = id-ppl-anyLanguage" "pathlen = 0" "policy = text:AB" +# And now a couple of bad ones +# pc3: incorrect CN +./mkcert.sh req bad-pc3-key "0.CN = server.example" "1.CN = proxy 3" | \ + ./mkcert.sh genpc bad-pc3-key bad-pc3-cert pc1-key pc1-cert \ + "language = id-ppl-anyLanguage" "pathlen = 0" "policy = text:AB" +# pc4: incorrect pathlen +./mkcert.sh req bad-pc4-key "0.CN = server.example" "1.CN = proxy 1" "2.CN = proxy 4" | \ + ./mkcert.sh genpc bad-pc4-key bad-pc4-cert pc1-key pc1-cert \ + "language = id-ppl-anyLanguage" "pathlen = 1" "policy = text:AB" +# pc5: no policy +./mkcert.sh req pc5-key "0.CN = server.example" "1.CN = proxy 1" "2.CN = proxy 5" | \ + ./mkcert.sh genpc pc5-key pc5-cert pc1-key pc1-cert \ + "language = id-ppl-anyLanguage" "pathlen = 0" +# pc6: incorrect CN (made into a component of a multivalue RDN) +./mkcert.sh req bad-pc6-key "0.CN = server.example" "1.CN = proxy 1" "2.+CN = proxy 6" | \ + ./mkcert.sh genpc bad-pc6-key bad-pc6-cert pc1-key pc1-cert \ + "language = id-ppl-anyLanguage" "pathlen = 0" "policy = text:AB" -- 2.34.1