diff --git a/test/certs/goodcn2-cert.pem b/test/certs/goodcn2-cert.pem new file mode 100644 index 0000000000..d22f899636 --- /dev/null +++ b/test/certs/goodcn2-cert.pem @@ -0,0 +1,19 @@ +-----BEGIN CERTIFICATE----- +MIIDHTCCAgWgAwIBAgIBAjANBgkqhkiG9w0BAQsFADAXMRUwEwYDVQQDDAxUZXN0 +IE5DIENBIDEwIBcNMjExMjAyMTcyNTAyWhgPMjEyMTEyMDMxNzI1MDJaMDwxIzAh +BgNVBAoMGkdvb2QgTkMgVGVzdCBDZXJ0aWZpY2F0ZSAxMRUwEwYDVQQDDAx3d3cu +Z29vZC5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDqx1t7HiPe +kRAWdiGUt4pklKGZ7338An6R7/y0e/8Grx2jeUfyc19BAB7MW1p8L+zdMjbclNE0 +UZ6RZZNexfgMksNI/nW+4Lzu8qu2wFx1MjbTpMT8w/vnsGBMthxLu6+2wdnpdD1B +0led8xu7PSBgVULqyHcUvoLeRGEsB14yGx7dbIsokYxno1nr4u3BK5ic9KTTSxJR +Ig93qwo2pAZR7mfnOo33B9alhzvSwmEKJ9v7pERDnIP5ED0HaWFAeXl7GFgoH2y9 +QDyJVuwWsoSWIx4Mr8UIr0IbVJU6KsqEiqqc5P5rX/y4tYMkpHZd9U1EONd2uwmX +dwSp0LEmQb/DAgMBAAGjTTBLMB0GA1UdDgQWBBSfJPZqs1tk+xjjDrovr13ORDWn +ojAfBgNVHSMEGDAWgBQI0Zv55tVkcKDxaxqe7VLa3fVQQzAJBgNVHRMEAjAAMA0G +CSqGSIb3DQEBCwUAA4IBAQAEKXs56hB4DOO1vJe7pByfCHU33ij/ux7u68BdkDQ8 +S9SNaoD7h1XNSmC8kKULvpoKctJzJxh1IH4wtvGGGXsUt1By0a6Y5SnKW9/mG4NM +D4fGea0G2AeI8BHFs6vl8voYK9wgx9Ygus3Kj/8h6V7t2zB8ZhhVqpZkAQEjj0C2 +1IV273wD0VdZl7uB+MEKk+7eTjNMeo6JzlBBf5GhtA1WbLNdszMfI0ljo7HAX+9L +yco0xKSKkZQ+v7VdJBfC6odp+epPMZqfyHrkFzUr8XRJfriP1lydPK7AbXLVrLJg +fIXCvUdxQx4B1LaclUDORL5r2tRhRYdAEKtUz7RpQzJK +-----END CERTIFICATE----- diff --git a/test/certs/goodcn2-key.pem b/test/certs/goodcn2-key.pem new file mode 100644 index 0000000000..09337552a7 --- /dev/null +++ b/test/certs/goodcn2-key.pem @@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDqx1t7HiPekRAW +diGUt4pklKGZ7338An6R7/y0e/8Grx2jeUfyc19BAB7MW1p8L+zdMjbclNE0UZ6R +ZZNexfgMksNI/nW+4Lzu8qu2wFx1MjbTpMT8w/vnsGBMthxLu6+2wdnpdD1B0led +8xu7PSBgVULqyHcUvoLeRGEsB14yGx7dbIsokYxno1nr4u3BK5ic9KTTSxJRIg93 +qwo2pAZR7mfnOo33B9alhzvSwmEKJ9v7pERDnIP5ED0HaWFAeXl7GFgoH2y9QDyJ +VuwWsoSWIx4Mr8UIr0IbVJU6KsqEiqqc5P5rX/y4tYMkpHZd9U1EONd2uwmXdwSp +0LEmQb/DAgMBAAECggEAIdXrXDoCx1+2ptYNjuZIvqghBhNa38foP9YLYGOCZI82 +QUoIUWvJLY/74E3GI6GwjExhVbbo05ZzuNafv4fecMlx9YIerAytje5RSvw8FvPO +rP/RF/CSzFhB+KxCNbPt5fPYGOoUrfjHgc74jyqHEPsYsseDSe0O5UOLkZHaRHQX +bOhj/lXCN1KKsK+UXscRO55T5SRmHAe4RWaXX3Z4H6FGabKY+AVkT5GWq814PIFU +amoch4TwAKgAY8h7kpkfVgLNe3hLddLU0roakfM1cZdpf9n0EGGi21KluNvSa09a +tiDifv5WDkIQ/Ca2fUvE27atMb1gm4bUzp5OoTWhoQKBgQDrfuxqvouVvM3AyxUY +e6r7vegg5NiODjpBlT/QUqJjhqTSw6Tq4/f5VWnLy3bzipwvzxFQ8E2LjQMtl2Su +aQ8jSb9jwpmmWCoOecRExWgboYPzpczhnXpF4DIYhyomBKTBVbk9EI0wJ/tx9F1B +XCHhA3z8tJvkPTM+QAGGJxdcEQKBgQD/OHN4ujRZ5NgXZp4L9VDosMREvRUbwz+4 +7fgQ70JKdWIVbKFa5/TVIObspLZoRI0jaa4OaaE3v6rqF/yxdPsaPAXW7URR7K52 +HbI41skH0bcflISDdeTpqmlIRAzHG7MeAobV/ARmCnLpa7Lt4p8wT+zAzuY+ncv3 +DabNjePCkwKBgQDoVH/Jj9MGFw6mdbSKQvedBO5OBXfgLgkrSqN6UwwCRIO3q2y4 +j8/FHI8Tj9f6zXTpddAPmgPm+Wd5QzMBHoTgu5EmSoZrpe9X+Km5b0gWenJDnf9T +Vpma9mR17mOWvl4MnxXxOLMSH1/iPMMECHEkHNziMwzZT8eOUncucsKJAQKBgEnp +62c3ZhnysLJ2Qads8HWzW+QcbpSPw1CneoRNBoHR5QoXX9OYAcwHr1kxirI/yDBN +Vt9NsCcZF0Kcl8489svuPjK0nGithwkmKItViPr+vW4j8QyxhA44EC2hp6GyX/l8 ++dfXGN8Ef6siSbujOj8fpo1gXkYcJQnzpi85vJCJAoGAdheX12Afx94YbljuaCdT +T/E+t6xHHnDCpETHmsLh53H03Kv91JCrANMu+BZzKUXI+FW06GJB43S26hF5s+k5 +ZAjJKpgbVC1Jo4Zq5SjlCQhiOvwJ9rt2/6g7qzHZsQMjY/FZKd+8PMgPxWkvjeI7 +lAagooTJyC/VDf6LB05mitg= +-----END PRIVATE KEY----- diff --git a/test/certs/mkcert.sh b/test/certs/mkcert.sh index 8ccf7bc6e3..c3f7ac14b5 100755 --- a/test/certs/mkcert.sh +++ b/test/certs/mkcert.sh @@ -195,6 +195,23 @@ genpc() { -set_serial 2 -days "${DAYS}" } +geneeconfig() { + local key=$1; shift + local cert=$1; shift + local cakey=$1; shift + local ca=$1; shift + local conf=$1; shift + + exts=$(printf "%s\n%s\n%s\n%s\n" \ + "subjectKeyIdentifier = hash" \ + "authorityKeyIdentifier = keyid" \ + "basicConstraints = CA:false"; \ + echo "$conf") + + cert "$cert" "$exts" -CA "${ca}.pem" -CAkey "${cakey}.pem" \ + -set_serial 2 -days "${DAYS}" +} + # Usage: $0 geneealt keyname certname cakeyname cacertname alt1 alt2 ... # # Note: takes csr on stdin, so must be used with $0 req like this: @@ -206,15 +223,11 @@ geneealt() { local cakey=$1; shift local ca=$1; shift - exts=$(printf "%s\n%s\n%s\n%s\n" \ - "subjectKeyIdentifier = hash" \ - "authorityKeyIdentifier = keyid" \ - "basicConstraints = CA:false" \ - "subjectAltName = @alts"; + conf=$(echo "subjectAltName = @alts" echo "[alts]"; - for x in "$@"; do echo $x; done) - cert "$cert" "$exts" -CA "${ca}.pem" -CAkey "${cakey}.pem" \ - -set_serial 2 -days "${DAYS}" + for x in "$@"; do echo "$x"; done) + + geneeconfig $key $cert $cakey $ca "$conf" } genee() { diff --git a/test/certs/setup.sh b/test/certs/setup.sh index f1d5d5187c..21f9355b8b 100755 --- a/test/certs/setup.sh +++ b/test/certs/setup.sh @@ -282,6 +282,12 @@ NC=$NC ./mkcert.sh genca "Test NC sub CA" ncca3-key ncca3-cert \ ./mkcert.sh geneealt goodcn1-key goodcn1-cert ncca1-key ncca1-cert \ "IP = 127.0.0.1" "IP = 192.168.0.1" +# all DNS-like CNs allowed by CA1, no SANs + +./mkcert.sh req goodcn2-key "O = Good NC Test Certificate 1" \ + "CN=www.good.org" | \ + ./mkcert.sh geneeconfig goodcn2-key goodcn2-cert ncca1-key ncca1-cert + # Some DNS-like CNs not permitted by CA1, no DNS SANs. ./mkcert.sh req badcn1-key "O = Good NC Test Certificate 1" \