Add Restricted PSS certificate and key

[openssl.git] / test / certs / mkcert.sh

diff --git a/test/certs/mkcert.sh b/test/certs/mkcert.sh
index bf61548dba72b469f71f2a382f313114f3292869..e03b19014ea64351697a822abe3d2e033a916c3e 100755 (executable)
--- a/test/certs/mkcert.sh
+++ b/test/certs/mkcert.sh
@@ -4,7 +4,7 @@
 # Copyright (c) 2016 Viktor Dukhovni <openssl-users@dukhovni.org>.
 # All rights reserved.
 #
-# Licensed under the OpenSSL license (the "License").  You may not use
+# Licensed under the Apache License 2.0 (the "License").  You may not use
 # this file except in compliance with the License.  You can obtain a copy
 # in the file LICENSE in the source distribution or at
 # https://www.openssl.org/source/license.html
@@ -233,6 +233,35 @@ genee() {
            -set_serial 2 -days "${DAYS}" "$@"
 }
 
+geneenocsr() {
+    local OPTIND=1
+    local purpose=serverAuth
+
+    while getopts p: o
+    do
+        case $o in
+        p) purpose="$OPTARG";;
+        *) echo "Usage: $0 genee [-p EKU] cn certname cakeyname cacertname" >&2
+           return 1;;
+        esac
+    done
+
+    shift $((OPTIND - 1))
+    local cn=$1; shift
+    local cert=$1; shift
+    local cakey=$1; shift
+    local ca=$1; shift
+
+    exts=$(printf "%s\n%s\n%s\n%s\n%s\n[alts]\n%s\n" \
+           "subjectKeyIdentifier = hash" \
+           "authorityKeyIdentifier = keyid, issuer" \
+           "basicConstraints = CA:false" \
+           "extendedKeyUsage = $purpose" \
+           "subjectAltName = @alts" "DNS=${cn}")
+       cert "$cert" "$exts" -CA "${ca}.pem" -CAkey "${cakey}.pem" \
+           -set_serial 2 -days "${DAYS}" "$@"
+}
+
 genss() {
     local cn=$1; shift
     local key=$1; shift