From d7ff9d5e217873609d79efe279f2634e3a3dd8b4 Mon Sep 17 00:00:00 2001
From: Yuuta Liang
Date: Wed, 25 Oct 2023 03:30:45 +0800
Subject: Refactor: move all logics into CertificationAuthority
Signed-off-by: Yuuta Liang
---
 tests/ca.cnf | 88 +++++++++++++++++++++++++++---------------------------
 1 file changed, 40 insertions(+), 48 deletions(-)
(limited to 'tests/ca.cnf')
diff --git a/tests/ca.cnf b/tests/ca.cnf
index ef5a9c9..9c034cc 100644
--- a/tests/ca.cnf
+++ b/tests/ca.cnf
@@ -15,13 +15,6 @@ RANDFILE = $dir/.rand
 private_key = $dir/ca.key
 certificate = $dir/ca.crt
 
-# CRL
-crlnumber = $dir/crlnumber
-crl = $dir/ca.crl
-crl_extensions = crl_ext
-# Root CA CRL: 1 year
-default_crl_days = 365
-
 # Cryptography
 default_md = sha512
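Review bot: Dropping `default_crl_days` together with `crlnumber` and `crl` leaves this section unable to drive `openssl ca -gencrl` on its own — as far as I know the ca tool refuses to produce a CRL unless a validity is supplied in the config or on the command line, and without `crlnumber` any CRL it did emit would carry no crlNumber extension. The root profile in the next hunk still asserts `cRLSign` in its keyUsage, so a reader will expect CRL issuance to be configured somewhere. If CRL generation has moved into CertificationAuthority as the subject line says, state that above the `# Cryptography` line, e.g. `# CRL issuance is done by CertificationAuthority, not by openssl ca; crl*/default_crl_days are intentionally absent`. The enclosing section header is outside the hunk.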
@@ -54,55 +47,54 @@ x509_extensions = extensions
 [ req_dn ]
 commonName = Common Name
 countryName = Country Name (2 letter code)
-# For simplicity
-#stateOrProvinceName = State or Province Name
-#localityName = Locality Name
-#0.organizationName = Organization Name
-# CAB Baseline (BR) v2.0.0
-# OU name must not present
-# Email address is not recommended (as per Jimmy)
-#organizationalUnitName = Organizational Unit Name
-#emailAddress = Email Address
-
 commonName_default = Test Root CA
 countryName_default = CA
-#stateOrProvinceName_default = British Columbia
-#localityName_default = Vancouver
-#0.organizationName_default = Yuuta Home
-#organizationalUnitName_default = IT
-#emailAddress_default = yuuta@yuuta.moe
 
 [ extensions ]
 subjectKeyIdentifier = hash
 authorityKeyIdentifier = keyid:always,issuer
 basicConstraints = critical, CA:true
 keyUsage = critical, digitalSignature, cRLSign, keyCertSign
-# Seems like it is completely unnecessary to put CRL and AIA in RootCA
-# because they point to the issuer's info.
-# crlDistributionPoints = crldp
-# Because I don't have a real OID
-#certificatePolicies = @polset
-# Seems like it is unnecessary.
-#authorityInfoAccess = caIssuers;URI:http://home.yuuta.moe/pki/rootca.crt
-
-[ extensions_sub ]
+
+[ extensions_sub_normal ]
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+basicConstraints = critical, CA:true
+keyUsage = critical, digitalSignature, cRLSign, keyCertSign
+
+[ extensions_sub_basic_constraints_no ]
 subjectKeyIdentifier = hash
 authorityKeyIdentifier = keyid:always,issuer
-basicConstraints = critical, CA:true, pathlen: 0
 keyUsage = critical, digitalSignature, cRLSign, keyCertSign
-crlDistributionPoints = crldp
-authorityInfoAccess = caIssuers;URI:http://home.yuuta.moe/pki/rootca.crt
-
-#[ polset ]
-#policyIdentifier = 1.3.6.1.4.1.191981.5.1.1
-#CPS.1 = "http://home.yuuta.moe/pki/policy"
-#userNotice.1 = @polset_notice
-#
-#[ polset_notice ]
-#explicitText = "This certificate authority is for internal use only."
-
-[ crldp ]
-fullname = URI:http://home.yuuta.moe/pki/rootca.crl
-
-[ crl_ext ]
-authorityKeyIdentifier = keyid:always
+
+[ extensions_sub_basic_constraints_wrong ]
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+basicConstraints = critical, CA:false
+keyUsage = critical, digitalSignature, cRLSign, keyCertSign
+
+[ extensions_sub_key_usage_missing ]
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+basicConstraints = critical, CA:true
+
+[ extensions_sub_key_usage_wrong_1 ]
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+basicConstraints = critical, CA:true
+# No digitalSignature
+keyUsage = critical, cRLSign, keyCertSign
+
+[ extensions_sub_key_usage_wrong_2 ]
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+basicConstraints = critical, CA:true
+# No cRLSign
+keyUsage = critical, digitalSignature, keyCertSign
+
+[ extensions_sub_key_usage_wrong_3 ]
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+basicConstraints = critical, CA:true
+# No keyCertSign
+keyUsage = critical, digitalSignature, cRLSign
-- 
cgit v1.2.3
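Review bot: Five of the six new `extensions_sub_*` sections are deliberately broken issuing profiles (no basicConstraints, `CA:false` combined with `keyCertSign`, keyUsage missing or incomplete), yet nothing in the file says they are negative-test fixtures, so someone picking a profile for a real sub-CA could select `[ extensions_sub_basic_constraints_no ]` and mint a CA certificate with no basicConstraints at all. Put one line above each of those sections naming what it omits and that it must not be used for real issuance, e.g. `# NEGATIVE FIXTURE: basicConstraints absent; the CA code is expected to reject this`, in the same style as the `# No digitalSignature` comments already present in the key_usage_wrong_* sections. `[ extensions_sub_normal ]` is now byte-identical to `[ extensions ]`, which also deserves a comment so a later cleanup does not "deduplicate" it by pointing sub-CA issuance at the root profile. The `x509_extensions` key referenced in the hunk header lies outside the hunk.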