Diffstat (limited to 'tests')
-rw-r--r--tests/.gitignore1
-rw-r--r--tests/Makefile40
-rw-r--r--tests/ca.cnf108
-rw-r--r--tests/leaf.csr.cnf9
4 files changed, 158 insertions, 0 deletions
diff --git a/tests/.gitignore b/tests/.gitignore
new file mode 100644
index 0000000..237b712
--- /dev/null
+++ b/tests/.gitignore
@@ -0,0 +1 @@
+ca.key
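Review bot: Only `ca.key` is ignored, yet the Makefile added in this same commit also writes `leaf.key` (a 4096-bit RSA private key) into `tests/`, and its `reset` target assumes `private` and `certs` directories that this pattern does not cover either, so a generated leaf key shows up as an untracked file ready to be committed by the next `git add .`; `*.key` in place of `ca.key` (or a second line `leaf.key`) closes that gap. The other artifacts the Makefile produces and `reset` already treats as disposable (`index.txt*`, `serial`, `crlnumber*`, `newcerts/`, `*.crt`, `*.csr`) are likewise untracked and could be listed here so the only tracked files are the two config files and the Makefile.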
diff --git a/tests/Makefile b/tests/Makefile
new file mode 100644
index 0000000..6a294b6
--- /dev/null
+++ b/tests/Makefile
@@ -0,0 +1,40 @@
+.POSIX:
+
+leaf.csr: leaf.key leaf.csr.cnf
+ openssl req -new -key leaf.key -out leaf.csr -config leaf.csr.cnf
+
+leaf.key:
+ openssl genrsa -out leaf.key 4096
+
+sub.crt: sub.csr
+ mkdir -p newcerts
+ touch index.txt
+ openssl ca \
+ -verbose \
+ -config ca.cnf \
+ -extensions extensions_sub \
+ -notext \
+ -rand_serial \
+ -in sub.csr \
+ -out sub.crt
+
+ca.crt:
+ openssl req \
+ -verbose \
+ -config ca.cnf \
+ -new \
+ -x509 \
+ -key ca.key \
+ -days 9132 \
+ -out ca.crt
+
+ca.key:
+ openssl ecparam -name P-256 -genkey -out ca.key
+
+crlnumber:
+ echo 0000 > crlnumber
+
+reset:
+ echo "!!! THIS WILL RESET EVERYTHING, INCLUDING PRIVATE KEYS !!!"
+ # sleep 5
+ rm -rf newcerts serial index.txt* private certs sub.csr crlnumber* ca.crl ca.crt sub.crt ca.key
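Review bot: The `ca.crt` target lists no prerequisites, so `make ca.crt` in a clean tree runs `openssl req ... -key ca.key` before anything has produced the key and fails on the missing file; `ca.crt: ca.key` fixes that, and `sub.crt: sub.csr ca.crt ca.cnf` likewise makes the signing step pull in the issuer certificate and its config instead of assuming they already exist. Both key targets write the private key with whatever the caller's umask allows, so prefixing those recipes with `umask 077;` keeps a test CA key from being group- or world-readable on a shared machine. The `ca.key` recipe omits `-noout`, so the output file carries an `EC PARAMETERS` block ahead of the key, which some tools do not expect; `openssl ecparam -name P-256 -genkey -noout -out ca.key` avoids it. In `reset` the `sleep 5` safety delay is commented out, so the warning is printed and the `rm -rf` (which removes `ca.key`) runs immediately; either restore the delay or drop the `echo`, which currently promises a pause that does not happen.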
diff --git a/tests/ca.cnf b/tests/ca.cnf
new file mode 100644
index 0000000..ef5a9c9
--- /dev/null
+++ b/tests/ca.cnf
@@ -0,0 +1,108 @@
+[ ca ]
+default_ca = CA
+
+[ CA ]
+# Database
+dir = .
+certs = $dir/certs/
+crl_dir = $dir/crl
+new_certs_dir = $dir/newcerts
+database = $dir/index.txt
+# Although we use $ openssl ca -rand_serial, this seems necessary.
+serial = $dir/serial
+RANDFILE = $dir/.rand
+
+private_key = $dir/ca.key
+certificate = $dir/ca.crt
+
+# CRL
+crlnumber = $dir/crlnumber
+crl = $dir/ca.crl
+crl_extensions = crl_ext
+# Root CA CRL: 1 year
+default_crl_days = 365
+
+# Cryptography
+default_md = sha512
+
+# Policy
+name_opt = ca_default
+cert_opt = ca_default
+# Intermediate CA: 10 years
+default_days = 3650
+preserve = no
+policy = policy_ca
+
+[ policy_ca ]
+countryName = optional
+stateOrProvinceName = optional
+organizationName = optional
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+
+[ req ]
+default_bits = 4096
+distinguished_name = req_dn
+string_mask = utf8only
+
+# s/sha512/sha256/, according to Jimmy (isrg uses sha256)
+default_md = sha256
+
+x509_extensions = extensions
+
+[ req_dn ]
+commonName = Common Name
+countryName = Country Name (2 letter code)
+# For simplicity
+#stateOrProvinceName = State or Province Name
+#localityName = Locality Name
+#0.organizationName = Organization Name
+# CAB Baseline (BR) v2.0.0
+# OU name must not present
+# Email address is not recommended (as per Jimmy)
+#organizationalUnitName = Organizational Unit Name
+#emailAddress = Email Address
+
+commonName_default = Test Root CA
+countryName_default = CA
+#stateOrProvinceName_default = British Columbia
+#localityName_default = Vancouver
+#0.organizationName_default = Yuuta Home
+#organizationalUnitName_default = IT
+#emailAddress_default = yuuta@yuuta.moe
+
+[ extensions ]
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+basicConstraints = critical, CA:true
+keyUsage = critical, digitalSignature, cRLSign, keyCertSign
+# Seems like it is completely unnecessary to put CRL and AIA in RootCA
+# because they point to the issuer's info.
+# crlDistributionPoints = crldp
+# Because I don't have a real OID
+#certificatePolicies = @polset
+# Seems like it is unnecessary.
+#authorityInfoAccess = caIssuers;URI:http://home.yuuta.moe/pki/rootca.crt
+
+[ extensions_sub ]
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+basicConstraints = critical, CA:true, pathlen: 0
+keyUsage = critical, digitalSignature, cRLSign, keyCertSign
+crlDistributionPoints = crldp
+authorityInfoAccess = caIssuers;URI:http://home.yuuta.moe/pki/rootca.crt
+
+#[ polset ]
+#policyIdentifier = 1.3.6.1.4.1.191981.5.1.1
+#CPS.1 = "http://home.yuuta.moe/pki/policy"
+#userNotice.1 = @polset_notice
+#
+#[ polset_notice ]
+#explicitText = "This certificate authority is for internal use only."
+
+[ crldp ]
+fullname = URI:http://home.yuuta.moe/pki/rootca.crl
+
+[ crl_ext ]
+authorityKeyIdentifier = keyid:always
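Review bot: The `[ CA ]` section relies on the OpenSSL default for `copy_extensions` (`none`) to keep whatever extensions a CSR carries out of the issued certificate, but that is nowhere stated; since `sub.csr` is supplied from outside the Makefile, I would make it explicit above `policy = policy_ca` with `# copy_extensions is deliberately unset (none): extensions come only from -extensions, never from the CSR`. `default_md` is `sha512` under `[ CA ]` but `sha256` under `[ req ]`, so the self-signed root and the intermediate it issues are signed with different digests; if sha256 is the intended choice, apply it in both sections or comment why they differ. The comment above `serial` says the file is needed despite `-rand_serial`, but the Makefile on this page never creates `serial`; whether `-rand_serial` really overrides the serial file for this OpenSSL version is worth confirming, since it decides whether `make sub.crt` works on a clean tree, and the comment should then either be dropped or backed by a `serial` target.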
diff --git a/tests/leaf.csr.cnf b/tests/leaf.csr.cnf
new file mode 100644
index 0000000..d2b88cd
--- /dev/null
+++ b/tests/leaf.csr.cnf
@@ -0,0 +1,9 @@
+[req]
+distinguished_name = req_distinguished_name
+
+# https://github.com/openssl/openssl/issues/3536#issuecomment-306520579
+prompt = no
+
+[req_distinguished_name]
+countryName = CA
+commonName = Test Leaf
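Review bot: The `[req]` section sets no `req_extensions`, so the CSR generated from this file carries no extensions at all (in particular no subjectAltName) and its subject is only `C=CA, CN=Test Leaf`; whether that is the intended fixture depends on what consumes `leaf.csr`, which is not visible here — the Makefile on this page generates it but never signs it. If the point is to exercise a bare, extension-less request, a comment such as `# no req_extensions on purpose: this CSR must carry no SAN or other extensions` above `prompt = no` makes that explicit; if not, add `req_extensions = req_ext` and a `[req_ext]` section with a `subjectAltName` entry (value: placeholder for the test host name). The link above `prompt = no` says where the setting came from but not what it does; `# prompt = no: read [req_distinguished_name] as literal DN values instead of prompt labels` is clearer for the next reader.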