zzy/openssl
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
openssl/test/certs/setup.sh
Viktor Dukhovni 33cc5dde47 Compat self-signed trust with reject-only aux data 
When auxiliary data contains only reject entries, continue to trust
self-signed objects just as when no auxiliary data is present.

This makes it possible to reject specific uses without changing
what's accepted (and thus overring the underlying EKU).

Added new supported certs and doubled test count from 38 to 76.

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
2016-01-31 21:24:12 -05:00

146 lines
6.1 KiB
Bash
Executable File
Raw Blame History

#! /bin/sh
# Primary root: root-cert
# root cert variants: CA:false, key2, DN2
# trust variants: +serverAuth -serverAuth +clientAuth -clientAuth +anyEKU -anyEKU
#
./mkcert.sh genroot "Root CA" root-key root-cert
./mkcert.sh genss "Root CA" root-key root-nonca
./mkcert.sh genroot "Root CA" root-key2 root-cert2
./mkcert.sh genroot "Root Cert 2" root-key root-name2
#
openssl x509 -in root-cert.pem -trustout \
-addtrust serverAuth -out root+serverAuth.pem
openssl x509 -in root-cert.pem -trustout \
-addreject serverAuth -out root-serverAuth.pem
openssl x509 -in root-cert.pem -trustout \
-addtrust clientAuth -out root+clientAuth.pem
openssl x509 -in root-cert.pem -trustout \
-addreject clientAuth -out root-clientAuth.pem
openssl x509 -in root-cert.pem -trustout \
-addreject anyExtendedKeyUsage -out root-anyEKU.pem
openssl x509 -in root-cert.pem -trustout \
-addtrust anyExtendedKeyUsage -out root+anyEKU.pem
openssl x509 -in root-cert2.pem -trustout \
-addtrust serverAuth -out root2+serverAuth.pem
openssl x509 -in root-cert2.pem -trustout \
-addreject serverAuth -out root2-serverAuth.pem
openssl x509 -in root-cert2.pem -trustout \
-addtrust clientAuth -out root2+clientAuth.pem
# primary client-EKU root: croot-cert
# trust variants: +serverAuth -serverAuth +clientAuth +anyEKU -anyEKU
#
./mkcert.sh genroot "Root CA" root-key croot-cert clientAuth
#
openssl x509 -in croot-cert.pem -trustout \
-addtrust serverAuth -out croot+serverAuth.pem
openssl x509 -in croot-cert.pem -trustout \
-addreject serverAuth -out croot-serverAuth.pem
openssl x509 -in croot-cert.pem -trustout \
-addtrust clientAuth -out croot+clientAuth.pem
openssl x509 -in croot-cert.pem -trustout \
-addreject clientAuth -out croot-clientAuth.pem
openssl x509 -in croot-cert.pem -trustout \
-addreject anyExtendedKeyUsage -out croot-anyEKU.pem
openssl x509 -in croot-cert.pem -trustout \
-addtrust anyExtendedKeyUsage -out croot+anyEKU.pem
# primary server-EKU root: sroot-cert
# trust variants: +serverAuth -serverAuth +clientAuth +anyEKU -anyEKU
#
./mkcert.sh genroot "Root CA" root-key sroot-cert serverAuth
#
openssl x509 -in sroot-cert.pem -trustout \
-addtrust serverAuth -out sroot+serverAuth.pem
openssl x509 -in sroot-cert.pem -trustout \
-addreject serverAuth -out sroot-serverAuth.pem
openssl x509 -in sroot-cert.pem -trustout \
-addtrust clientAuth -out sroot+clientAuth.pem
openssl x509 -in sroot-cert.pem -trustout \
-addreject clientAuth -out sroot-clientAuth.pem
openssl x509 -in sroot-cert.pem -trustout \
-addreject anyExtendedKeyUsage -out sroot-anyEKU.pem
openssl x509 -in sroot-cert.pem -trustout \
-addtrust anyExtendedKeyUsage -out sroot+anyEKU.pem
# Primary intermediate ca: ca-cert
# ca variants: CA:false, key2, DN2, issuer2, expired
# trust variants: +serverAuth, -serverAuth, +clientAuth, -clientAuth, -anyEKU, +anyEKU
#
./mkcert.sh genca "CA" ca-key ca-cert root-key root-cert
./mkcert.sh genee "CA" ca-key ca-nonca root-key root-cert
./mkcert.sh genca "CA" ca-key2 ca-cert2 root-key root-cert
./mkcert.sh genca "CA2" ca-key ca-name2 root-key root-cert
./mkcert.sh genca "CA" ca-key ca-root2 root-key2 root-cert2
./mkcert.sh genca "CA" ca-key ca-expired root-key root-cert -days -1
#
openssl x509 -in ca-cert.pem -trustout \
-addtrust serverAuth -out ca+serverAuth.pem
openssl x509 -in ca-cert.pem -trustout \
-addreject serverAuth -out ca-serverAuth.pem
openssl x509 -in ca-cert.pem -trustout \
-addtrust clientAuth -out ca+clientAuth.pem
openssl x509 -in ca-cert.pem -trustout \
-addreject clientAuth -out ca-clientAuth.pem
openssl x509 -in ca-cert.pem -trustout \
-addreject anyExtendedKeyUsage -out ca-anyEKU.pem
openssl x509 -in ca-cert.pem -trustout \
-addtrust anyExtendedKeyUsage -out ca+anyEKU.pem
# client intermediate ca: cca-cert
# trust variants: +serverAuth, -serverAuth, +clientAuth, -clientAuth
#
./mkcert.sh genca "CA" ca-key cca-cert root-key root-cert clientAuth
#
openssl x509 -in cca-cert.pem -trustout \
-addtrust serverAuth -out cca+serverAuth.pem
openssl x509 -in cca-cert.pem -trustout \
-addreject serverAuth -out cca-serverAuth.pem
openssl x509 -in cca-cert.pem -trustout \
-addtrust clientAuth -out cca+clientAuth.pem
openssl x509 -in cca-cert.pem -trustout \
-addtrust clientAuth -out cca-clientAuth.pem
openssl x509 -in cca-cert.pem -trustout \
-addreject anyExtendedKeyUsage -out cca-anyEKU.pem
openssl x509 -in cca-cert.pem -trustout \
-addtrust anyExtendedKeyUsage -out cca+anyEKU.pem
# server intermediate ca: sca-cert
# trust variants: +serverAuth, -serverAuth, +clientAuth, -clientAuth, -anyEKU, +anyEKU
#
./mkcert.sh genca "CA" ca-key sca-cert root-key root-cert serverAuth
#
openssl x509 -in sca-cert.pem -trustout \
-addtrust serverAuth -out sca+serverAuth.pem
openssl x509 -in sca-cert.pem -trustout \
-addreject serverAuth -out sca-serverAuth.pem
openssl x509 -in sca-cert.pem -trustout \
-addtrust clientAuth -out sca+clientAuth.pem
openssl x509 -in sca-cert.pem -trustout \
-addreject clientAuth -out sca-clientAuth.pem
openssl x509 -in sca-cert.pem -trustout \
-addreject anyExtendedKeyUsage -out sca-anyEKU.pem
openssl x509 -in sca-cert.pem -trustout \
-addtrust anyExtendedKeyUsage -out sca+anyEKU.pem
# Primary leaf cert: ee-cert
# ee variants: expired, issuer-key2, issuer-name2
# trust variants: +serverAuth, -serverAuth, +clientAuth, -clientAuth
# purpose variants: client
#
./mkcert.sh genee server.example ee-key ee-cert ca-key ca-cert
./mkcert.sh genee server.example ee-key ee-expired ca-key ca-cert -days -1
./mkcert.sh genee server.example ee-key ee-cert2 ca-key2 ca-cert2
./mkcert.sh genee server.example ee-key ee-name2 ca-key ca-name2
./mkcert.sh genee -p clientAuth server.example ee-key ee-client ca-key ca-cert
#
openssl x509 -in ee-cert.pem -trustout \
-addtrust serverAuth -out ee+serverAuth.pem
openssl x509 -in ee-cert.pem -trustout \
-addreject serverAuth -out ee-serverAuth.pem
openssl x509 -in ee-client.pem -trustout \
-addtrust clientAuth -out ee+clientAuth.pem
openssl x509 -in ee-client.pem -trustout \
-addreject clientAuth -out ee-clientAuth.pem
Reference in New Issue View Git Blame Copy Permalink