Diffstat (limited to 'tests')
-rw-r--r-- | tests/.gitignore | 7 | ||||
-rw-r--r-- | tests/Makefile | 18 | ||||
-rw-r--r-- | tests/ca.cnf | 88 | ||||
-rw-r--r-- | tests/index.txt.attr | 1 |
4 files changed, 64 insertions, 50 deletions
diff --git a/tests/.gitignore b/tests/.gitignore
index 507d98f..b44dda2 100644
--- a/tests/.gitignore
+++ b/tests/.gitignore
@@ -1,6 +1,11 @@
 *.key
 *.crt
-*.txt*
+index.txt
+index.txt.old
+index.txt.attr.old
 *.csr
 newcerts/
+subcrts/
 serial
+serial.old
+*.tar
diff --git a/tests/Makefile b/tests/Makefile
index 6a294b6..545114f 100644
--- a/tests/Makefile
+++ b/tests/Makefile
@@ -6,6 +6,22 @@ leaf.csr: leaf.key leaf.csr.cnf
 leaf.key:
 	openssl genrsa -out leaf.key 4096
+sub.crt.tar: sub.csr ca.cnf
+	rm -rf subcrts
+	mkdir subcrts
+	mkdir -p newcerts
+	touch index.txt
+	EXT=normal; openssl ca -batch -config ca.cnf -extensions extensions_sub_$$EXT -notext -rand_serial -in sub.csr -out subcrts/$$EXT.crt
+	EXT=basic_constraints_no; openssl ca -batch -config ca.cnf -extensions extensions_sub_$$EXT -notext -rand_serial -in sub.csr -out subcrts/$$EXT.crt
+	EXT=basic_constraints_wrong; openssl ca -batch -config ca.cnf -extensions extensions_sub_$$EXT -notext -rand_serial -in sub.csr -out subcrts/$$EXT.crt
+	EXT=key_usage_missing; openssl ca -batch -config ca.cnf -extensions extensions_sub_$$EXT -notext -rand_serial -in sub.csr -out subcrts/$$EXT.crt
+	EXT=key_usage_wrong_1; openssl ca -batch -config ca.cnf -extensions extensions_sub_$$EXT -notext -rand_serial -in sub.csr -out subcrts/$$EXT.crt
+	EXT=key_usage_wrong_2; openssl ca -batch -config ca.cnf -extensions extensions_sub_$$EXT -notext -rand_serial -in sub.csr -out subcrts/$$EXT.crt
+	EXT=key_usage_wrong_3; openssl ca -batch -config ca.cnf -extensions extensions_sub_$$EXT -notext -rand_serial -in sub.csr -out subcrts/$$EXT.crt
+	openssl ca -batch -config ca.cnf -notext -rand_serial -in sub.csr -out subcrts/v1.crt
+	tar cvf sub.crt.tar subcrts/
+	rm -rf subcrts/
+
 sub.crt: sub.csr
 	mkdir -p newcerts
 	touch index.txt
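Review bot: `sub.crt.tar` declares only `sub.csr ca.cnf` as prerequisites, yet every `openssl ca` line in the recipe signs with the CA material that `ca.cnf` points at (`private_key = $dir/ca.key`, `certificate = $dir/ca.crt`, visible as context in the ca.cnf hunk below), so after the CA is re-keyed make will still consider the old tarball up to date; the header should be `sub.crt.tar: sub.csr ca.cnf ca.crt ca.key`, assuming rules for those files exist elsewhere in this Makefile, as the `reset` target deleting them suggests. The archive is also written as the literal name rather than `$@`, and a failing `tar` leaves a truncated-but-newer target behind unless the file already sets `.DELETE_ON_ERROR:`; `tar cvf $@.tmp subcrts/ && mv -f $@.tmp $@` avoids that. Nothing in the rule says why a CA:false or keyUsage-less sub-CA is being issued, so a comment above it would help the next reader, e.g. `# Bundle of sub-CA certificates for the verifier tests: only "normal" is a valid profile; the other extensions_sub_* profiles in ca.cnf each omit or invert one constraint the verifier must reject.`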
@@ -37,4 +53,4 @@ crlnumber:
 reset:
 	echo "!!! THIS WILL RESET EVERYTHING, INCLUDING PRIVATE KEYS !!!"
 	# sleep 5
-	rm -rf newcerts serial index.txt* private certs sub.csr crlnumber* ca.crl ca.crt sub.crt ca.key
+	rm -rf newcerts serial index.txt private certs sub.csr crlnumber* ca.crl ca.crt sub.crt ca.key index.txt.old subcrts/
diff --git a/tests/ca.cnf b/tests/ca.cnf
index ef5a9c9..9c034cc 100644
--- a/tests/ca.cnf
+++ b/tests/ca.cnf
@@ -15,13 +15,6 @@ RANDFILE = $dir/.rand
 private_key = $dir/ca.key
 certificate = $dir/ca.crt
-# CRL
-crlnumber = $dir/crlnumber
-crl = $dir/ca.crl
-crl_extensions = crl_ext
-# Root CA CRL: 1 year
-default_crl_days = 365
-
 # Cryptography
 default_md = sha512
 
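Review bot: The new `rm -rf` list in `reset` still leaves generated files behind: `sub.crt.tar`, `serial.old` and `index.txt.attr.old`, all of which the .gitignore hunk in this commit now ignores and which the new `sub.crt.tar` rule and `openssl ca` produce. Appending them, `... index.txt.old subcrts/ sub.crt.tar serial.old index.txt.attr.old`, keeps the target honest about its own "reset everything" warning; narrowing `index.txt*` to `index.txt` is right, since the glob would have deleted the now-tracked `index.txt.attr`. Separately, the ca.cnf hunk on this same line removes `crlnumber`, `crl`, `crl_extensions` and `default_crl_days` while `reset` still deletes `ca.crl` and `crlnumber*` and the hunk context shows a `crlnumber:` target whose recipe lies outside the hunk; if that target runs `openssl ca -gencrl` without an explicit `-crldays`, it will presumably now fail for lack of a CRL validity period, so either the CRL targets should go as well or those settings should stay.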
@@ -54,55 +47,54 @@ x509_extensions = extensions
 [ req_dn ]
 commonName = Common Name
 countryName = Country Name (2 letter code)
-# For simplicity
-#stateOrProvinceName = State or Province Name
-#localityName = Locality Name
-#0.organizationName = Organization Name
-# CAB Baseline (BR) v2.0.0
-# OU name must not present
-# Email address is not recommended (as per Jimmy)
-#organizationalUnitName = Organizational Unit Name
-#emailAddress = Email Address
-
 commonName_default = Test Root CA
 countryName_default = CA
-#stateOrProvinceName_default = British Columbia
-#localityName_default = Vancouver
-#0.organizationName_default = Yuuta Home
-#organizationalUnitName_default = IT
-#emailAddress_default = yuuta@yuuta.moe
 
 [ extensions ]
 subjectKeyIdentifier = hash
 authorityKeyIdentifier = keyid:always,issuer
 basicConstraints = critical, CA:true
 keyUsage = critical, digitalSignature, cRLSign, keyCertSign
-# Seems like it is completely unnecessary to put CRL and AIA in RootCA
-# because they point to the issuer's info.
-# crlDistributionPoints = crldp
-# Because I don't have a real OID
-#certificatePolicies = @polset
-# Seems like it is unnecessary.
-#authorityInfoAccess = caIssuers;URI:http://home.yuuta.moe/pki/rootca.crt
-
-[ extensions_sub ]
+
+[ extensions_sub_normal ]
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+basicConstraints = critical, CA:true
+keyUsage = critical, digitalSignature, cRLSign, keyCertSign
+
+[ extensions_sub_basic_constraints_no ]
 subjectKeyIdentifier = hash
 authorityKeyIdentifier = keyid:always,issuer
-basicConstraints = critical, CA:true, pathlen: 0
 keyUsage = critical, digitalSignature, cRLSign, keyCertSign
-crlDistributionPoints = crldp
-authorityInfoAccess = caIssuers;URI:http://home.yuuta.moe/pki/rootca.crt
-
-#[ polset ]
-#policyIdentifier = 1.3.6.1.4.1.191981.5.1.1
-#CPS.1 = "http://home.yuuta.moe/pki/policy"
-#userNotice.1 = @polset_notice
-#
-#[ polset_notice ]
-#explicitText = "This certificate authority is for internal use only."
-
-[ crldp ]
-fullname = URI:http://home.yuuta.moe/pki/rootca.crl
-
-[ crl_ext ]
-authorityKeyIdentifier = keyid:always
+
+[ extensions_sub_basic_constraints_wrong ]
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+basicConstraints = critical, CA:false
+keyUsage = critical, digitalSignature, cRLSign, keyCertSign
+
+[ extensions_sub_key_usage_missing ]
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+basicConstraints = critical, CA:true
+
+[ extensions_sub_key_usage_wrong_1 ]
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+basicConstraints = critical, CA:true
+# No digitalSignature
+keyUsage = critical, cRLSign, keyCertSign
+
+[ extensions_sub_key_usage_wrong_2 ]
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+basicConstraints = critical, CA:true
+# No cRLSign
+keyUsage = critical, digitalSignature, keyCertSign
+
+[ extensions_sub_key_usage_wrong_3 ]
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+basicConstraints = critical, CA:true
+# No keyCertSign
+keyUsage = critical, digitalSignature, cRLSign
diff --git a/tests/index.txt.attr b/tests/index.txt.attr
new file mode 100644
index 0000000..3a7e39e
--- /dev/null
+++ b/tests/index.txt.attr
@@ -0,0 +1 @@
+unique_subject = no |
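Review bot: The seven new `extensions_sub_*` sections carry no comment saying that they are selected by name from tests/Makefile (`-extensions extensions_sub_$EXT`) and that only `extensions_sub_normal` is a valid sub-CA profile while the others are deliberately broken negative cases; a reader opening ca.cnf alone will take `basicConstraints = critical, CA:false` next to `keyCertSign` for a mistake. Add above `[ extensions_sub_normal ]` a comment such as `# Sub-CA profiles consumed by tests/Makefile (sub.crt.tar): "normal" is the valid profile; each other section omits or inverts one constraint that a verifier must reject.` The `_wrong_*` sections already state which bit is absent, so the same one-liner on the other two, `# No basicConstraints` in `extensions_sub_basic_constraints_no` and `# No keyUsage` in `extensions_sub_key_usage_missing`, keeps the style uniform. Note also that `extensions_sub_normal` no longer carries the `pathlen: 0` the removed `[ extensions_sub ]` had, so if any test relied on a path-length constraint there is now no profile that produces one.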