Make it possible to generate proxy certs with test/certs/mkcert.sh

This extends 'req' to take more than one DN component, and to take them as full DN components and not just CN values. All other commands are changed to pass "CN = $cn" instead of just a CN value. This adds 'genpc', which differs from the other 'gen*' commands by not calling 'req', and expect the result from 'req' to come through stdin. Finally, test/certs/setup.sh gets the commands needed to generate a few proxy certificates. Reviewed-by: N Rich Salz <rsalz@openssl.org> Reviewed-by: N Stephen Henson <steve@openssl.org>

Make it possible to generate proxy certs with test/certs/mkcert.sh
This extends 'req' to take more than one DN component, and to take them as full DN components and not just CN values. All other commands are changed to pass "CN = $cn" instead of just a CN value. This adds 'genpc', which differs from the other 'gen*' commands by not calling 'req', and expect the result from 'req' to come through stdin. Finally, test/certs/setup.sh gets the commands needed to generate a few proxy certificates. Reviewed-by: N Rich Salz <rsalz@openssl.org> Reviewed-by: N Stephen Henson <steve@openssl.org>
71c8cd20 · Richard Levitte · d0ba7bc8 · 71c8cd20 · 71c8cd20
隐藏空白更改
内联并排

Showing with 57 addition and 8 deletion

test/certs/mkcert.sh test/certs/mkcert.sh +31 -8

test/certs/setup.sh test/certs/setup.sh +26 -0

未找到文件。
--- a/test/certs/mkcert.sh
+++ b/test/certs/mkcert.sh
@@ -49,17 +49,18 @@ key() {
    fi
 }

+# Usage: $0 req keyname dn1 dn2 ...
 req() {
    local key=$1; shift
-    local cn=$1; shift

    key "$key"
    local errs

    stderr_onerror \
        openssl req -new -"${OPENSSL_SIGALG}" -key "${key}.pem" \
-            -config <(printf "[req]\n%s\n%s\n[dn]\nCN=%s\n" \
-		      "prompt = no" "distinguished_name = dn" "${cn}")
+            -config <(printf "[req]\n%s\n%s\n[dn]\n" \
+		      "prompt = no" "distinguished_name = dn" "${dn}"
+                      for dn in "$@"; do echo "$dn"; done)
 }

 req_nocn() {
@@ -93,7 +94,7 @@ genroot() {
    do
        exts=$(printf "%s\nextendedKeyUsage = %s\n" "$exts" "$eku")
    done
-    csr=$(req "$key" "$cn") || return 1
+    csr=$(req "$key" "CN = $cn") || return 1
    echo "$csr" |
       cert "$cert" "$exts" -signkey "${key}.pem" -set_serial 1 -days "${DAYS}"
 }
@@ -112,7 +113,7 @@ genca() {
    do
        exts=$(printf "%s\nextendedKeyUsage = %s\n" "$exts" "$eku")
    done
-    csr=$(req "$key" "$cn") || return 1
+    csr=$(req "$key" "CN = $cn") || return 1
    echo "$csr" |
        cert "$cert" "$exts" -CA "${cacert}.pem" -CAkey "${cakey}.pem" \
 	    -set_serial 2 -days "${DAYS}"
@@ -133,12 +134,34 @@ gen_nonbc_ca() {
    do
        exts=$(printf "%s\nextendedKeyUsage = %s\n" "$exts" "$eku")
    done
-    csr=$(req "$key" "$cn") || return 1
+    csr=$(req "$key" "CN = $cn") || return 1
    echo "$csr" |
        cert "$cert" "$exts" -CA "${cacert}.pem" -CAkey "${cakey}.pem" \
 	    -set_serial 2 -days "${DAYS}"
 }

+# Usage: $0 genpc keyname certname eekeyname eecertname pcext1 pcext2 ...
+#
+# Note: takes csr on stdin, so must be used with $0 req like this:
+#
+# $0 req keyname dn | $0 genpc keyname certname eekeyname eecertname pcext ...
+genpc() {
+    local key=$1; shift
+    local cert=$1; shift
+    local cakey=$1; shift
+    local ca=$1; shift
+
+    exts=$(printf "%s\n%s\n%s\n%s\n" \
+	    "subjectKeyIdentifier = hash" \
+	    "authorityKeyIdentifier = keyid, issuer:always" \
+	    "basicConstraints = CA:false" \
+	    "proxyCertInfo = critical, @pcexts";
+           echo "[pcexts]";
+           for x in "$@"; do echo $x; done)
+    cert "$cert" "$exts" -CA "${ca}.pem" -CAkey "${cakey}.pem" \
+	 -set_serial 2 -days "${DAYS}"
+}
+
 genee() {
    local OPTIND=1
    local purpose=serverAuth
@@ -165,7 +188,7 @@ genee() {
 	    "basicConstraints = CA:false" \
 	    "extendedKeyUsage = $purpose" \
 	    "subjectAltName = @alts" "DNS=${cn}")
-    csr=$(req "$key" "$cn") || return 1
+    csr=$(req "$key" "CN = $cn") || return 1
    echo "$csr" |
 	cert "$cert" "$exts" -CA "${ca}.pem" -CAkey "${cakey}.pem" \
 	    -set_serial 2 -days "${DAYS}" "$@"
@@ -182,7 +205,7 @@ genss() {
 	    "basicConstraints = CA:false" \
 	    "extendedKeyUsage = serverAuth" \
 	    "subjectAltName = @alts" "DNS=${cn}")
-    csr=$(req "$key" "$cn") || return 1
+    csr=$(req "$key" "CN = $cn") || return 1
    echo "$csr" |
        cert "$cert" "$exts" -signkey "${key}.pem" \
            -set_serial 1 -days "${DAYS}" "$@"

--- a/test/certs/setup.sh
+++ b/test/certs/setup.sh
@@ -182,3 +182,29 @@ OPENSSL_SIGALG=md5 \
 # 768-bit leaf key
 OPENSSL_KEYBITS=768 \
 ./mkcert.sh genee server.example ee-key-768 ee-cert-768 ca-key ca-cert
+
+# Proxy certificates, off of ee-client
+# Start with some good ones
+./mkcert.sh req pc1-key "0.CN = server.example" "1.CN = proxy 1" | \
+    ./mkcert.sh genpc pc1-key pc1-cert ee-key ee-client \
+                "language = id-ppl-anyLanguage" "pathlen = 1" "policy = text:AB"
+./mkcert.sh req pc2-key "0.CN = server.example" "1.CN = proxy 1" "2.CN = proxy 2" | \
+    ./mkcert.sh genpc pc2-key pc2-cert pc1-key pc1-cert \
+                "language = id-ppl-anyLanguage" "pathlen = 0" "policy = text:AB"
+# And now a couple of bad ones
+# pc3: incorrect CN
+./mkcert.sh req bad-pc3-key "0.CN = server.example" "1.CN = proxy 3" | \
+    ./mkcert.sh genpc bad-pc3-key bad-pc3-cert pc1-key pc1-cert \
+                "language = id-ppl-anyLanguage" "pathlen = 0" "policy = text:AB"
+# pc4: incorrect pathlen
+./mkcert.sh req bad-pc4-key "0.CN = server.example" "1.CN = proxy 1" "2.CN = proxy 4" | \
+    ./mkcert.sh genpc bad-pc4-key bad-pc4-cert pc1-key pc1-cert \
+                "language = id-ppl-anyLanguage" "pathlen = 1" "policy = text:AB"
+# pc5: no policy
+./mkcert.sh req pc5-key "0.CN = server.example" "1.CN = proxy 1" "2.CN = proxy 5" | \
+    ./mkcert.sh genpc pc5-key pc5-cert pc1-key pc1-cert \
+                "language = id-ppl-anyLanguage" "pathlen = 0"
+# pc6: incorrect CN (made into a component of a multivalue RDN)
+./mkcert.sh req bad-pc6-key "0.CN = server.example" "1.CN = proxy 1" "2.+CN = proxy 6" | \
+    ./mkcert.sh genpc bad-pc6-key bad-pc6-cert pc1-key pc1-cert \
+                "language = id-ppl-anyLanguage" "pathlen = 0" "policy = text:AB"