test/smime-certs/{mksmime-certs.sh,ca.cnf}: simplify and speed up cert generation

Also remove inconsistent key usages from non-RSA certs.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/19076)

test/smime-certs/ca.cnf

@@ -12,6 +12,7 @@ CN			= "Not Defined"
 default_ca		= ca
 
 ####################################################################
+
 [ req ]
 default_bits		= 2048
 default_keyfile 	= privkey.pem
@@ -30,7 +31,7 @@ organizationName		= OpenSSL Group
 # Take CN from environment so it can come from a script.
 commonName			= $ENV::CN
 
-[ usr_cert ]
+[ usr_rsa_cert ]
 
 # These extensions are added when 'ca' signs a request for a normal end-entity
 # certificate with key usage restrictions compatible with RSA keys
@@ -44,6 +45,11 @@ keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
 # subjectKeyIdentifier   = hash
 # authorityKeyIdentifier = keyid, issuer
 
+[ signer_cert ]
+
+basicConstraints = CA:FALSE
+keyUsage = critical, digitalSignature
+
 [ dh_cert ]
 
 # These extensions are added when 'ca' signs a request for an end-entity

test/smime-certs/mksmime-certs.sh

@@ -6,7 +6,6 @@
 # in the file LICENSE in the source distribution or at
 # https://www.openssl.org/source/license.html
 
-
 # Utility to recreate S/MIME certificates
 
 OPENSSL=../../apps/openssl
@@ -15,85 +14,57 @@ export OPENSSL_CONF
 
 # Root CA: create certificate directly
 CN="Test S/MIME RSA Root" $OPENSSL req -config ca.cnf -x509 -noenc \
-	-keyout smroot.pem -out smroot.pem -newkey rsa:2048 -days 36501
+	-keyout smroot.pem -out smroot.pem -key ../certs/ca-key.pem -days 36524
 
-# EE RSA certificates: create request first
-CN="Test S/MIME EE RSA #1" $OPENSSL req -config ca.cnf -noenc \
-	-keyout smrsa1.pem -out req.pem -newkey rsa:2048
-# Sign request: end entity extensions
-$OPENSSL x509 -req -in req.pem -CA smroot.pem -days 36500 \
-	-extfile ca.cnf -extensions usr_cert -CAcreateserial >>smrsa1.pem
+# EE RSA certificates with respective extensions
+cp ../certs/ee-key.pem smrsa1.pem
+$OPENSSL x509 -new -key smrsa1.pem -subj "/CN=Test SMIME EE RSA #1" -days 36524 \
+         -CA smroot.pem	-extfile ca.cnf -extensions usr_rsa_cert >>smrsa1.pem
+cp ../certs/ee-key-3072.pem smrsa2.pem
+$OPENSSL x509 -new -key smrsa2.pem -subj "/CN=Test SMIME EE RSA #2" -days 36524 \
+         -CA smroot.pem	-extfile ca.cnf -extensions usr_rsa_cert >>smrsa2.pem
+cp ../certs/ee-key-4096.pem smrsa3.pem
+$OPENSSL x509 -new -key smrsa3.pem -subj "/CN=Test SMIME EE RSA #3" -days 36524 \
+         -CA smroot.pem	-extfile ca.cnf -extensions usr_rsa_cert >>smrsa3.pem
 
-CN="Test S/MIME EE RSA #2" $OPENSSL req -config ca.cnf -noenc \
-	-keyout smrsa2.pem -out req.pem -newkey rsa:2048
-$OPENSSL x509 -req -in req.pem -CA smroot.pem -days 36500 \
-	-extfile ca.cnf -extensions usr_cert -CAcreateserial >>smrsa2.pem
+# Create DSA certificates with respective extensions
 
-CN="Test S/MIME EE RSA #3" $OPENSSL req -config ca.cnf -noenc \
-	-keyout smrsa3.pem -out req.pem -newkey rsa:2048
-$OPENSSL x509 -req -in req.pem -CA smroot.pem -days 36500 \
-	-extfile ca.cnf -extensions usr_cert -CAcreateserial >>smrsa3.pem
+cp ../certs/server-dsa-key.pem smdsa1.pem
+$OPENSSL x509 -new -key smdsa1.pem -subj "/CN=Test SMIME EE DSA #1" -days 36524 \
+         -CA smroot.pem	-extfile ca.cnf -extensions signer_cert >>smdsa1.pem
+cp ../certs/server-dsa-key.pem smdsa2.pem
+$OPENSSL x509 -new -key smdsa2.pem -subj "/CN=Test SMIME EE DSA #1" -days 36524 \
+         -CA smroot.pem	-extfile ca.cnf -extensions signer_cert >>smdsa2.pem
+cp ../certs/server-dsa-key.pem smdsa3.pem
+$OPENSSL x509 -new -key smdsa3.pem -subj "/CN=Test SMIME EE DSA #1" -days 36524 \
+         -CA smroot.pem	-extfile ca.cnf -extensions signer_cert >>smdsa3.pem
 
-CN="Test S/MIME EE RSA 1024" $OPENSSL req -config ca.cnf -noenc \
-	-keyout smrsa1024.pem -out req.pem -newkey rsa:1024
-$OPENSSL x509 -req -in req.pem -CA smroot.pem -days 36500 \
-	-extfile ca.cnf -extensions usr_cert -CAcreateserial >>smrsa1024.pem
+# Create EC certificates with respective extensions
 
-# Create DSA parameters
+cp ../certs/ee-ecdsa-key.pem smec1.pem
+$OPENSSL x509 -new -key smec1.pem -subj "/CN=Test SMIME EE EC #1" -days 36524 \
+         -CA smroot.pem -extfile ca.cnf -extensions signer_cert >>smec1.pem
+cp ../certs/server-ecdsa-key.pem smec2.pem
+$OPENSSL x509 -new -key smec2.pem -subj "/CN=Test SMIME EE EC #2" -days 36524 \
+         -CA smroot.pem -extfile ca.cnf -extensions signer_cert >>smec2.pem
 
-$OPENSSL dsaparam -out dsap.pem 2048
-
-CN="Test S/MIME EE DSA #1" $OPENSSL req -config ca.cnf -noenc \
-	-keyout smdsa1.pem -out req.pem -newkey dsa:dsap.pem
-$OPENSSL x509 -req -in req.pem -CA smroot.pem -days 36500 \
-	-extfile ca.cnf -extensions usr_cert -CAcreateserial >>smdsa1.pem
-CN="Test S/MIME EE DSA #2" $OPENSSL req -config ca.cnf -noenc \
-	-keyout smdsa2.pem -out req.pem -newkey dsa:dsap.pem
-$OPENSSL x509 -req -in req.pem -CA smroot.pem -days 36500 \
-	-extfile ca.cnf -extensions usr_cert -CAcreateserial >>smdsa2.pem
-CN="Test S/MIME EE DSA #3" $OPENSSL req -config ca.cnf -noenc \
-	-keyout smdsa3.pem -out req.pem -newkey dsa:dsap.pem
-$OPENSSL x509 -req -in req.pem -CA smroot.pem -days 36500 \
-	-extfile ca.cnf -extensions usr_cert -CAcreateserial >>smdsa3.pem
-
-# Create EC parameters
-
-$OPENSSL ecparam -out ecp.pem -name P-256
-$OPENSSL ecparam -out ecp2.pem -name K-283
-
-CN="Test S/MIME EE EC #1" $OPENSSL req -config ca.cnf -noenc \
-	-keyout smec1.pem -out req.pem -newkey ec:ecp.pem
-$OPENSSL x509 -req -in req.pem -CA smroot.pem -days 36500 \
-	-extfile ca.cnf -extensions usr_cert -CAcreateserial >>smec1.pem
-CN="Test S/MIME EE EC #2" $OPENSSL req -config ca.cnf -noenc \
-	-keyout smec2.pem -out req.pem -newkey ec:ecp2.pem
-$OPENSSL x509 -req -in req.pem -CA smroot.pem -days 36500 \
-	-extfile ca.cnf -extensions usr_cert -CAcreateserial >>smec2.pem
 # Do not renew this cert as it is used for legacy data decrypt test
+#$OPENSSL ecparam -out ecp.pem -name P-256
 #CN="Test S/MIME EE EC #3" $OPENSSL req -config ca.cnf -noenc \
 #	-keyout smec3.pem -out req.pem -newkey ec:ecp.pem
-#$OPENSSL x509 -req -in req.pem -CA smroot.pem -days 36500 \
-#	-extfile ca.cnf -extensions usr_cert -CAcreateserial >>smec3.pem
-# Create X9.42 DH parameters.
+#$OPENSSL x509 -req -in req.pem -CA smroot.pem -days 36524 \
+#	-extfile ca.cnf -extensions signer_cert -CAcreateserial >>smec3.pem
+#rm ecp.pem req.pem
+
+# Create X9.42 DH parameters and key.
 $OPENSSL genpkey -genparam -algorithm DHX -out dhp.pem
-# Generate X9.42 DH key.
 $OPENSSL genpkey -paramfile dhp.pem -out smdh.pem
-$OPENSSL pkey -pubout -in smdh.pem -out dhpub.pem
-# Generate dummy request.
-CN="Test S/MIME EE DH #1" $OPENSSL req -config ca.cnf -noenc \
-	-keyout smtmp.pem -out req.pem -newkey rsa:2048
-# Sign request but force public key to DH
-$OPENSSL x509 -req -in req.pem -CA smroot.pem -days 36500 \
-	-force_pubkey dhpub.pem \
-	-extfile ca.cnf -extensions usr_cert -CAcreateserial >>smdh.pem
+rm dhp.pem
+# Create X9.42 DH certificate with respective extensions
+$OPENSSL x509 -new -key smdh.pem -subj "/CN=Test SMIME EE DH" -days 36524 \
+         -CA smroot.pem	-extfile ca.cnf -extensions dh_cert >>smdh.pem
 
-# EE RSA code signing certificates: create request first
-CN="Test CodeSign EE RSA #1" $OPENSSL req -config ca.cnf -noenc \
-	-new -out req.pem -key ../certs/ee-key.pem
-cat ../certs/ee-key.pem > csrsa1.pem
-# Sign request: end entity extensions
-$OPENSSL x509 -req -in req.pem -CA smroot.pem -days 36524 -extfile ca.cnf \
-	-extensions codesign_cert >>csrsa1.pem
-
-# Remove temp files.
-rm -f req.pem ecp.pem ecp2.pem dsap.pem dhp.pem dhpub.pem smtmp.pem smroot.srl
+# EE RSA code signing end entity certificate with respective extensions
+cp ../certs/ee-key.pem csrsa1.pem
+$OPENSSL x509 -new -key csrsa1.pem -subj "/CN=Test CodeSign EE RSA" -days 36524 \
+         -CA smroot.pem -extfile ca.cnf -extensions codesign_cert >>csrsa1.pem