authorYuuta Liang <yuutaw@student.cs.ubc.ca>2023-10-25 03:30:45 +0800
committerYuuta Liang <yuutaw@student.cs.ubc.ca>2023-10-25 03:30:45 +0800
commitd7ff9d5e217873609d79efe279f2634e3a3dd8b4 (patch)
tree704729e5eed658728b521acd407c6ca767f7e865 /tests
parent55df54e5dbf26e6824123410784d00aa793c3781 (diff)
Refactor: move all logics into CertificationAuthority
Signed-off-by: Yuuta Liang <yuutaw@student.cs.ubc.ca>
Diffstat (limited to 'tests')
-rw-r--r--tests/.gitignore7
-rw-r--r--tests/Makefile18
-rw-r--r--tests/ca.cnf88
-rw-r--r--tests/index.txt.attr1
4 files changed, 64 insertions, 50 deletions
diff --git a/tests/.gitignore b/tests/.gitignore
index 507d98f..b44dda2 100644
--- a/tests/.gitignore
+++ b/tests/.gitignore
@@ -1,6 +1,11 @@
*.key
*.crt
-*.txt*
+index.txt
+index.txt.old
+index.txt.attr.old
*.csr
newcerts/
+subcrts/
serial
+serial.old
+*.tar
diff --git a/tests/Makefile b/tests/Makefile
index 6a294b6..545114f 100644
--- a/tests/Makefile
+++ b/tests/Makefile
@@ -6,6 +6,22 @@ leaf.csr: leaf.key leaf.csr.cnf
leaf.key:
openssl genrsa -out leaf.key 4096
+sub.crt.tar: sub.csr ca.cnf
+ rm -rf subcrts
+ mkdir subcrts
+ mkdir -p newcerts
+ touch index.txt
+ EXT=normal; openssl ca -batch -config ca.cnf -extensions extensions_sub_$$EXT -notext -rand_serial -in sub.csr -out subcrts/$$EXT.crt
+ EXT=basic_constraints_no; openssl ca -batch -config ca.cnf -extensions extensions_sub_$$EXT -notext -rand_serial -in sub.csr -out subcrts/$$EXT.crt
+ EXT=basic_constraints_wrong; openssl ca -batch -config ca.cnf -extensions extensions_sub_$$EXT -notext -rand_serial -in sub.csr -out subcrts/$$EXT.crt
+ EXT=key_usage_missing; openssl ca -batch -config ca.cnf -extensions extensions_sub_$$EXT -notext -rand_serial -in sub.csr -out subcrts/$$EXT.crt
+ EXT=key_usage_wrong_1; openssl ca -batch -config ca.cnf -extensions extensions_sub_$$EXT -notext -rand_serial -in sub.csr -out subcrts/$$EXT.crt
+ EXT=key_usage_wrong_2; openssl ca -batch -config ca.cnf -extensions extensions_sub_$$EXT -notext -rand_serial -in sub.csr -out subcrts/$$EXT.crt
+ EXT=key_usage_wrong_3; openssl ca -batch -config ca.cnf -extensions extensions_sub_$$EXT -notext -rand_serial -in sub.csr -out subcrts/$$EXT.crt
+ openssl ca -batch -config ca.cnf -notext -rand_serial -in sub.csr -out subcrts/v1.crt
+ tar cvf sub.crt.tar subcrts/
+ rm -rf subcrts/
+
sub.crt: sub.csr
mkdir -p newcerts
touch index.txt
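Review bot: The `subcrts/v1.crt` line yields an X.509 v1 certificate only while the CA section of ca.cnf names no `x509_extensions` section, because `openssl ca` without `-extensions` falls back to that setting; the CA section is not visible in this diff, so this should be confirmed. If the setting exists or is added later, the fixture silently becomes a v3 certificate and whatever test consumes it no longer exercises the v1 case. I would add a check directly after that line, `openssl x509 -in subcrts/v1.crt -noout -text | grep -q 'Version: 1 '`, and a comment above it such as `# no -extensions on purpose: relies on the CA section having no x509_extensions, so the result is X.509 v1`.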
@@ -37,4 +53,4 @@ crlnumber:
reset:
echo "!!! THIS WILL RESET EVERYTHING, INCLUDING PRIVATE KEYS !!!"
# sleep 5
- rm -rf newcerts serial index.txt* private certs sub.csr crlnumber* ca.crl ca.crt sub.crt ca.key
+ rm -rf newcerts serial index.txt private certs sub.csr crlnumber* ca.crl ca.crt sub.crt ca.key index.txt.old subcrts/
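Review bot: The explicit list in `reset` no longer removes everything the target's banner promises: `sub.crt.tar`, `index.txt.attr.old` and `serial.old` are all treated as generated files by the .gitignore change in this commit, and the old `index.txt*` glob used to cover `index.txt.attr.old`. Leaving `sub.crt.tar` behind also keeps certificates that were signed by the `ca.key` this recipe deletes. Suggested line: `rm -rf newcerts serial serial.old index.txt index.txt.old index.txt.attr.old private certs sub.csr crlnumber* ca.crl ca.crt sub.crt sub.crt.tar ca.key subcrts/`.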
diff --git a/tests/ca.cnf b/tests/ca.cnf
index ef5a9c9..9c034cc 100644
--- a/tests/ca.cnf
+++ b/tests/ca.cnf
@@ -15,13 +15,6 @@ RANDFILE = $dir/.rand
private_key = $dir/ca.key
certificate = $dir/ca.crt
-# CRL
-crlnumber = $dir/crlnumber
-crl = $dir/ca.crl
-crl_extensions = crl_ext
-# Root CA CRL: 1 year
-default_crl_days = 365
-
# Cryptography
default_md = sha512
@@ -54,55 +47,54 @@ x509_extensions = extensions
[ req_dn ]
commonName = Common Name
countryName = Country Name (2 letter code)
-# For simplicity
-#stateOrProvinceName = State or Province Name
-#localityName = Locality Name
-#0.organizationName = Organization Name
-# CAB Baseline (BR) v2.0.0
-# OU name must not present
-# Email address is not recommended (as per Jimmy)
-#organizationalUnitName = Organizational Unit Name
-#emailAddress = Email Address
-
commonName_default = Test Root CA
countryName_default = CA
-#stateOrProvinceName_default = British Columbia
-#localityName_default = Vancouver
-#0.organizationName_default = Yuuta Home
-#organizationalUnitName_default = IT
-#emailAddress_default = yuuta@yuuta.moe
[ extensions ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
-# Seems like it is completely unnecessary to put CRL and AIA in RootCA
-# because they point to the issuer's info.
-# crlDistributionPoints = crldp
-# Because I don't have a real OID
-#certificatePolicies = @polset
-# Seems like it is unnecessary.
-#authorityInfoAccess = caIssuers;URI:http://home.yuuta.moe/pki/rootca.crt
-
-[ extensions_sub ]
+
+[ extensions_sub_normal ]
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+basicConstraints = critical, CA:true
+keyUsage = critical, digitalSignature, cRLSign, keyCertSign
+
+[ extensions_sub_basic_constraints_no ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
-basicConstraints = critical, CA:true, pathlen: 0
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
-crlDistributionPoints = crldp
-authorityInfoAccess = caIssuers;URI:http://home.yuuta.moe/pki/rootca.crt
-
-#[ polset ]
-#policyIdentifier = 1.3.6.1.4.1.191981.5.1.1
-#CPS.1 = "http://home.yuuta.moe/pki/policy"
-#userNotice.1 = @polset_notice
-#
-#[ polset_notice ]
-#explicitText = "This certificate authority is for internal use only."
-
-[ crldp ]
-fullname = URI:http://home.yuuta.moe/pki/rootca.crl
-
-[ crl_ext ]
-authorityKeyIdentifier = keyid:always
+
+[ extensions_sub_basic_constraints_wrong ]
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+basicConstraints = critical, CA:false
+keyUsage = critical, digitalSignature, cRLSign, keyCertSign
+
+[ extensions_sub_key_usage_missing ]
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+basicConstraints = critical, CA:true
+
+[ extensions_sub_key_usage_wrong_1 ]
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+basicConstraints = critical, CA:true
+# No digitalSignature
+keyUsage = critical, cRLSign, keyCertSign
+
+[ extensions_sub_key_usage_wrong_2 ]
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+basicConstraints = critical, CA:true
+# No cRLSign
+keyUsage = critical, digitalSignature, keyCertSign
+
+[ extensions_sub_key_usage_wrong_3 ]
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+basicConstraints = critical, CA:true
+# No keyCertSign
+keyUsage = critical, digitalSignature, cRLSign
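Review bot: Removing `[ extensions_sub ]` leaves any remaining `-extensions extensions_sub` caller without a section to load. The `sub.crt` rule in tests/Makefile is not modified by this commit and its `openssl ca` line lies outside the visible hunk context, so it should be checked and pointed at `extensions_sub_normal` if it still uses the old name. The deliberately invalid profiles would also benefit from a header comment such as `# Negative-test fixtures below: intentionally malformed, never use for real issuance`, plus a one-line reason on `basic_constraints_no`, `basic_constraints_wrong` and `key_usage_missing` to match the comments the `key_usage_wrong_N` sections already carry.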
diff --git a/tests/index.txt.attr b/tests/index.txt.attr
new file mode 100644
index 0000000..3a7e39e
--- /dev/null
+++ b/tests/index.txt.attr
@@ -0,0 +1 @@
+unique_subject = no