From fd8ce9e1ed7a8d6cf5ac7d27d6acf40b0453c45e Mon Sep 17 00:00:00 2001
From: Robbie Harwood
Date: Tue, 5 Sep 2017 15:54:31 -0400
Subject: [PATCH] Add test cert generation to make-certs.sh

Based on commit 5a1d0388ba2e4ec510ed715ce5fbc7f748941425 but missing everything but the make-certs change since infrastructure cannot patch binaries.

Plan to run make-certs during build, but this will only work with openssl < 1.1.
---
 src/tests/dejagnu/pkinit-certs/make-certs.sh | 53 +++++++++++++++++++++++++++-
 1 file changed, 52 insertions(+), 1 deletion(-)

diff --git a/src/tests/dejagnu/pkinit-certs/make-certs.sh b/src/tests/dejagnu/pkinit-certs/make-certs.sh
index b82ef6f83..0f07709b0 100755
--- a/src/tests/dejagnu/pkinit-certs/make-certs.sh
+++ b/src/tests/dejagnu/pkinit-certs/make-certs.sh
@@ -4,7 +4,9 @@ NAMETYPE=1
 KEYSIZE=2048
 DAYS=4000
 REALM=KRBTEST.COM
+LOWREALM=krbtest.com
 KRB5_PRINCIPAL_SAN=1.3.6.1.5.2.2
+KRB5_UPN_SAN=1.3.6.1.4.1.311.20.2.3
 PKINIT_KDC_EKU=1.3.6.1.5.2.3.5
 PKINIT_CLIENT_EKU=1.3.6.1.5.2.3.4
 TLS_SERVER_EKU=1.3.6.1.5.5.7.3.1
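Review bot: LOWREALM is a second hand-maintained spelling of REALM, so the two silently drift apart if REALM is ever changed while the UPN SAN in exts_upn_client still says krbtest.com; deriving it, `LOWREALM=$(printf '%s' "$REALM" | tr '[:upper:]' '[:lower:]')`, keeps the UPN certificates tied to the realm the other test certificates use. The new OID is also opaque as written; a comment above it such as `# Microsoft UPN otherName OID (szOID_NT_PRINCIPAL_NAME)` would tell a reader what kind of SAN the exts_upn* sections produce without looking it up.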
@@ -85,6 +87,30 @@ keyUsage = nonRepudiation,digitalSignature,keyEncipherment,keyAgreement
 basicConstraints = critical,CA:FALSE
 subjectAltName = otherName:$KRB5_PRINCIPAL_SAN;SEQUENCE:krb5princ_client
 extendedKeyUsage = $CLIENT_EKU_LIST
+
+[exts_upn_client]
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer:always
+keyUsage = nonRepudiation,digitalSignature,keyEncipherment,keyAgreement
+basicConstraints = critical,CA:FALSE
+subjectAltName = otherName:$KRB5_UPN_SAN;UTF8:user@$LOWREALM
+extendedKeyUsage = $CLIENT_EKU_LIST
+
+[exts_upn2_client]
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer:always
+keyUsage = nonRepudiation,digitalSignature,keyEncipherment,keyAgreement
+basicConstraints = critical,CA:FALSE
+subjectAltName = otherName:$KRB5_UPN_SAN;UTF8:user
+extendedKeyUsage = $CLIENT_EKU_LIST
+
+[exts_upn3_client]
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer:always
+keyUsage = nonRepudiation,digitalSignature,keyEncipherment,keyAgreement
+basicConstraints = critical,CA:FALSE
+subjectAltName = otherName:$KRB5_UPN_SAN;UTF8:user@$REALM
+extendedKeyUsage = $CLIENT_EKU_LIST
 EOF
 
 # Generate a private key.
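Review bot: The three new sections differ only in the subjectAltName value (user@$LOWREALM, bare user, user@$REALM), but nothing in the heredoc says what each variant is meant to exercise, so a reader has to diff the seven-line blocks by eye to find the one differing line. A one-line comment above each section heading would fix that, e.g. `# UPN SAN with the lower-case realm`, `# UPN SAN with no realm component` and `# UPN SAN with the upper-case Kerberos realm`; openssl.cnf treats `#` lines as comments, so they pass through harmlessly. Whether the `$KRB5_UPN_SAN`, `$LOWREALM` and `$REALM` references are expanded by the shell or left for OpenSSL's own config-variable syntax depends on the heredoc delimiter, which is outside this hunk, so the comment wording should not assume either.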
@@ -113,5 +139,30 @@ openssl pkcs12 -export -in user.pem -inkey privkey.pem -out user.p12 \
 openssl pkcs12 -export -in user.pem -inkey privkey.pem -out user-enc.p12 \
 -passout pass:encrypted
 
+# Generate a client certificate and PKCS#12 bundles with a UPN SAN.
+SUBJECT=user openssl req -config openssl.cnf -new -subj /CN=user \
+ -key privkey.pem -out user-upn.csr
+SUBJECT=user openssl x509 -extfile openssl.cnf -extensions exts_upn_client \
+ -set_serial 4 -days $DAYS -req -CA ca.pem -CAkey privkey.pem \
+ -out user-upn.pem -in user-upn.csr
+openssl pkcs12 -export -in user-upn.pem -inkey privkey.pem -out user-upn.p12 \
+ -passout pass:
+
+SUBJECT=user openssl req -config openssl.cnf -new -subj /CN=user \
+ -key privkey.pem -out user-upn2.csr
+SUBJECT=user openssl x509 -extfile openssl.cnf -extensions exts_upn2_client \
+ -set_serial 5 -days $DAYS -req -CA ca.pem -CAkey privkey.pem \
+ -out user-upn2.pem -in user-upn2.csr
+openssl pkcs12 -export -in user-upn2.pem -inkey privkey.pem \
+ -out user-upn2.p12 -passout pass:
+
+SUBJECT=user openssl req -config openssl.cnf -new -subj /CN=user \
+ -key privkey.pem -out user-upn3.csr
+SUBJECT=user openssl x509 -extfile openssl.cnf -extensions exts_upn3_client \
+ -set_serial 6 -days $DAYS -req -CA ca.pem -CAkey privkey.pem \
+ -out user-upn3.pem -in user-upn3.csr
+openssl pkcs12 -export -in user-upn3.pem -inkey privkey.pem \
+ -out user-upn3.p12 -passout pass:
+
 # Clean up.
-rm -f openssl.cnf kdc.csr user.csr
+rm -f openssl.cnf kdc.csr user.csr user-upn.csr user-upn2.csr user-upn3.csr
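Review bot: The three UPN blocks are the same three openssl commands pasted three times with only the file suffix, the -extensions section and the -set_serial value changing, which makes it hard to confirm by eye that each suffix is paired with the right section and that serials 4, 5 and 6 do not collide with the ones issued earlier in the script (outside this hunk). A small POSIX shell function taking suffix, section and serial would make the three variants one line each and put the pairing in one place; the existing comment only describes the first block, so the per-call comments below also cover the second and third. The `SUBJECT=user` prefix, `-days $DAYS` and the empty `-passout pass:` are kept exactly as the hunk has them.
```shell
# Generate a client certificate and PKCS#12 bundle for one UPN SAN variant:
# $1 - file name suffix, $2 - openssl.cnf extension section, $3 - serial.
gen_upn_client() {
    SUBJECT=user openssl req -config openssl.cnf -new -subj /CN=user \
        -key privkey.pem -out "user-$1.csr"
    SUBJECT=user openssl x509 -extfile openssl.cnf -extensions "$2" \
        -set_serial "$3" -days $DAYS -req -CA ca.pem -CAkey privkey.pem \
        -out "user-$1.pem" -in "user-$1.csr"
    openssl pkcs12 -export -in "user-$1.pem" -inkey privkey.pem \
        -out "user-$1.p12" -passout pass:
}
gen_upn_client upn exts_upn_client 4     # user@<lower-case realm>
gen_upn_client upn2 exts_upn2_client 5   # bare user name, no realm
gen_upn_client upn3 exts_upn3_client 6   # user@<Kerberos realm>

# … unchanged: "# Clean up." and the rm line …
```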