Add a new Name Constraints test cert

Add a cert which complies with the name constraints but has no SAN extension Reviewed-by: Tomas Mraz <tomas@openssl.org>
2021-12-02 17:26:15 +00:00 · 2021-12-02 17:26:15 +00:00 · 3269c8bd94
commit 3269c8bd94
parent 6894e20b50
4 changed files with 74 additions and 8 deletions
--- a/test/certs/goodcn2-cert.pem
+++ b/test/certs/goodcn2-cert.pem
@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDHTCCAgWgAwIBAgIBAjANBgkqhkiG9w0BAQsFADAXMRUwEwYDVQQDDAxUZXN0
+IE5DIENBIDEwIBcNMjExMjAyMTcyNTAyWhgPMjEyMTEyMDMxNzI1MDJaMDwxIzAh
+BgNVBAoMGkdvb2QgTkMgVGVzdCBDZXJ0aWZpY2F0ZSAxMRUwEwYDVQQDDAx3d3cu
+Z29vZC5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDqx1t7HiPe
+kRAWdiGUt4pklKGZ7338An6R7/y0e/8Grx2jeUfyc19BAB7MW1p8L+zdMjbclNE0
+UZ6RZZNexfgMksNI/nW+4Lzu8qu2wFx1MjbTpMT8w/vnsGBMthxLu6+2wdnpdD1B
+0led8xu7PSBgVULqyHcUvoLeRGEsB14yGx7dbIsokYxno1nr4u3BK5ic9KTTSxJR
+Ig93qwo2pAZR7mfnOo33B9alhzvSwmEKJ9v7pERDnIP5ED0HaWFAeXl7GFgoH2y9
+QDyJVuwWsoSWIx4Mr8UIr0IbVJU6KsqEiqqc5P5rX/y4tYMkpHZd9U1EONd2uwmX
+dwSp0LEmQb/DAgMBAAGjTTBLMB0GA1UdDgQWBBSfJPZqs1tk+xjjDrovr13ORDWn
+ojAfBgNVHSMEGDAWgBQI0Zv55tVkcKDxaxqe7VLa3fVQQzAJBgNVHRMEAjAAMA0G
+CSqGSIb3DQEBCwUAA4IBAQAEKXs56hB4DOO1vJe7pByfCHU33ij/ux7u68BdkDQ8
+S9SNaoD7h1XNSmC8kKULvpoKctJzJxh1IH4wtvGGGXsUt1By0a6Y5SnKW9/mG4NM
+D4fGea0G2AeI8BHFs6vl8voYK9wgx9Ygus3Kj/8h6V7t2zB8ZhhVqpZkAQEjj0C2
+1IV273wD0VdZl7uB+MEKk+7eTjNMeo6JzlBBf5GhtA1WbLNdszMfI0ljo7HAX+9L
+yco0xKSKkZQ+v7VdJBfC6odp+epPMZqfyHrkFzUr8XRJfriP1lydPK7AbXLVrLJg
+fIXCvUdxQx4B1LaclUDORL5r2tRhRYdAEKtUz7RpQzJK
+-----END CERTIFICATE-----
--- a/test/certs/goodcn2-key.pem
+++ b/test/certs/goodcn2-key.pem
@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDqx1t7HiPekRAW
+diGUt4pklKGZ7338An6R7/y0e/8Grx2jeUfyc19BAB7MW1p8L+zdMjbclNE0UZ6R
+ZZNexfgMksNI/nW+4Lzu8qu2wFx1MjbTpMT8w/vnsGBMthxLu6+2wdnpdD1B0led
+8xu7PSBgVULqyHcUvoLeRGEsB14yGx7dbIsokYxno1nr4u3BK5ic9KTTSxJRIg93
+qwo2pAZR7mfnOo33B9alhzvSwmEKJ9v7pERDnIP5ED0HaWFAeXl7GFgoH2y9QDyJ
+VuwWsoSWIx4Mr8UIr0IbVJU6KsqEiqqc5P5rX/y4tYMkpHZd9U1EONd2uwmXdwSp
+0LEmQb/DAgMBAAECggEAIdXrXDoCx1+2ptYNjuZIvqghBhNa38foP9YLYGOCZI82
+QUoIUWvJLY/74E3GI6GwjExhVbbo05ZzuNafv4fecMlx9YIerAytje5RSvw8FvPO
+rP/RF/CSzFhB+KxCNbPt5fPYGOoUrfjHgc74jyqHEPsYsseDSe0O5UOLkZHaRHQX
+bOhj/lXCN1KKsK+UXscRO55T5SRmHAe4RWaXX3Z4H6FGabKY+AVkT5GWq814PIFU
+amoch4TwAKgAY8h7kpkfVgLNe3hLddLU0roakfM1cZdpf9n0EGGi21KluNvSa09a
+tiDifv5WDkIQ/Ca2fUvE27atMb1gm4bUzp5OoTWhoQKBgQDrfuxqvouVvM3AyxUY
+e6r7vegg5NiODjpBlT/QUqJjhqTSw6Tq4/f5VWnLy3bzipwvzxFQ8E2LjQMtl2Su
+aQ8jSb9jwpmmWCoOecRExWgboYPzpczhnXpF4DIYhyomBKTBVbk9EI0wJ/tx9F1B
+XCHhA3z8tJvkPTM+QAGGJxdcEQKBgQD/OHN4ujRZ5NgXZp4L9VDosMREvRUbwz+4
+7fgQ70JKdWIVbKFa5/TVIObspLZoRI0jaa4OaaE3v6rqF/yxdPsaPAXW7URR7K52
+HbI41skH0bcflISDdeTpqmlIRAzHG7MeAobV/ARmCnLpa7Lt4p8wT+zAzuY+ncv3
+DabNjePCkwKBgQDoVH/Jj9MGFw6mdbSKQvedBO5OBXfgLgkrSqN6UwwCRIO3q2y4
+j8/FHI8Tj9f6zXTpddAPmgPm+Wd5QzMBHoTgu5EmSoZrpe9X+Km5b0gWenJDnf9T
+Vpma9mR17mOWvl4MnxXxOLMSH1/iPMMECHEkHNziMwzZT8eOUncucsKJAQKBgEnp
+62c3ZhnysLJ2Qads8HWzW+QcbpSPw1CneoRNBoHR5QoXX9OYAcwHr1kxirI/yDBN
+Vt9NsCcZF0Kcl8489svuPjK0nGithwkmKItViPr+vW4j8QyxhA44EC2hp6GyX/l8
+dfXGN8Ef6siSbujOj8fpo1gXkYcJQnzpi85vJCJAoGAdheX12Afx94YbljuaCdT
+T/E+t6xHHnDCpETHmsLh53H03Kv91JCrANMu+BZzKUXI+FW06GJB43S26hF5s+k5
+ZAjJKpgbVC1Jo4Zq5SjlCQhiOvwJ9rt2/6g7qzHZsQMjY/FZKd+8PMgPxWkvjeI7
+lAagooTJyC/VDf6LB05mitg=
+-----END PRIVATE KEY-----
--- a/test/certs/mkcert.sh
+++ b/test/certs/mkcert.sh
@ -195,6 +195,23 @@ genpc() {
 	 -set_serial 2 -days "${DAYS}"
 }

+geneeconfig() {
+    local key=$1; shift
+    local cert=$1; shift
+    local cakey=$1; shift
+    local ca=$1; shift
+    local conf=$1; shift
+
+    exts=$(printf "%s\n%s\n%s\n%s\n" \
+        "subjectKeyIdentifier = hash" \
+        "authorityKeyIdentifier = keyid" \
+        "basicConstraints = CA:false"; \
+        echo "$conf")
+
+    cert "$cert" "$exts" -CA "${ca}.pem" -CAkey "${cakey}.pem" \
+        -set_serial 2 -days "${DAYS}"
+}
+
 # Usage: $0 geneealt keyname certname cakeyname cacertname alt1 alt2 ...
 #
 # Note: takes csr on stdin, so must be used with $0 req like this:
@ -206,15 +223,11 @@ geneealt() {
    local cakey=$1; shift
    local ca=$1; shift

-    exts=$(printf "%s\n%s\n%s\n%s\n" \
-	    "subjectKeyIdentifier = hash" \
-	    "authorityKeyIdentifier = keyid" \
-	    "basicConstraints = CA:false" \
-	    "subjectAltName = @alts";
+    conf=$(echo "subjectAltName = @alts"
           echo "[alts]";
-           for x in "$@"; do echo $x; done)
-    cert "$cert" "$exts" -CA "${ca}.pem" -CAkey "${cakey}.pem" \
-	 -set_serial 2 -days "${DAYS}"
+           for x in "$@"; do echo "$x"; done)
+
+    geneeconfig $key $cert $cakey $ca "$conf"
 }

 genee() {
--- a/test/certs/setup.sh
+++ b/test/certs/setup.sh
@ -282,6 +282,12 @@ NC=$NC ./mkcert.sh genca "Test NC sub CA" ncca3-key ncca3-cert \
    ./mkcert.sh geneealt goodcn1-key goodcn1-cert ncca1-key ncca1-cert \
    "IP = 127.0.0.1" "IP = 192.168.0.1"

+# all DNS-like CNs allowed by CA1, no SANs
+
+./mkcert.sh req goodcn2-key "O = Good NC Test Certificate 1" \
+    "CN=www.good.org" | \
+    ./mkcert.sh geneeconfig goodcn2-key goodcn2-cert ncca1-key ncca1-cert
+
 # Some DNS-like CNs not permitted by CA1, no DNS SANs.

 ./mkcert.sh req badcn1-key "O = Good NC Test Certificate 1" \