aboutsummaryrefslogtreecommitdiffstats
path: root/test/smime-certs
diff options
context:
space:
mode:
authorDr. David von Oheimb <David.von.Oheimb@siemens.com>2022-08-25 18:09:09 +0200
committerDr. David von Oheimb <dev@ddvo.net>2023-03-14 17:26:49 +0100
commitb7cc2d2f295efc342cd46e7e59f93e0ac0472dc0 (patch)
tree4af2421e0b593f745f125308fa075c1c83ccd31b /test/smime-certs
parent091fef4936da93deee585dadd994144b330485d4 (diff)
downloadopenssl-b7cc2d2f295efc342cd46e7e59f93e0ac0472dc0.tar.gz
test/smime-certs/{mksmime-certs.sh,ca.cnf}: simplify and speed up cert generation
Also remove inconsistent key usages from non-RSA certs. Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com> (Merged from https://github.com/openssl/openssl/pull/19076)
Diffstat (limited to 'test/smime-certs')
-rw-r--r--test/smime-certs/ca.cnf8
-rw-r--r--test/smime-certs/mksmime-certs.sh125
2 files changed, 55 insertions, 78 deletions
diff --git a/test/smime-certs/ca.cnf b/test/smime-certs/ca.cnf
index 9e6f8a917e..1bdffadf67 100644
--- a/test/smime-certs/ca.cnf
+++ b/test/smime-certs/ca.cnf
@@ -12,6 +12,7 @@ CN = "Not Defined"
default_ca = ca
####################################################################
+
[ req ]
default_bits = 2048
default_keyfile = privkey.pem
@@ -30,7 +31,7 @@ organizationName = OpenSSL Group
# Take CN from environment so it can come from a script.
commonName = $ENV::CN
-[ usr_cert ]
+[ usr_rsa_cert ]
# These extensions are added when 'ca' signs a request for a normal end-entity
# certificate with key usage restrictions compatible with RSA keys
@@ -44,6 +45,11 @@ keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
# subjectKeyIdentifier = hash
# authorityKeyIdentifier = keyid, issuer
+[ signer_cert ]
+
+basicConstraints = CA:FALSE
+keyUsage = critical, digitalSignature
+
[ dh_cert ]
# These extensions are added when 'ca' signs a request for an end-entity
diff --git a/test/smime-certs/mksmime-certs.sh b/test/smime-certs/mksmime-certs.sh
index a4de65b967..6396f6f704 100644
--- a/test/smime-certs/mksmime-certs.sh
+++ b/test/smime-certs/mksmime-certs.sh
@@ -6,7 +6,6 @@
# in the file LICENSE in the source distribution or at
# https://www.openssl.org/source/license.html
-
# Utility to recreate S/MIME certificates
OPENSSL=../../apps/openssl
@@ -15,85 +14,57 @@ export OPENSSL_CONF
# Root CA: create certificate directly
CN="Test S/MIME RSA Root" $OPENSSL req -config ca.cnf -x509 -noenc \
- -keyout smroot.pem -out smroot.pem -newkey rsa:2048 -days 36501
-
-# EE RSA certificates: create request first
-CN="Test S/MIME EE RSA #1" $OPENSSL req -config ca.cnf -noenc \
- -keyout smrsa1.pem -out req.pem -newkey rsa:2048
-# Sign request: end entity extensions
-$OPENSSL x509 -req -in req.pem -CA smroot.pem -days 36500 \
- -extfile ca.cnf -extensions usr_cert -CAcreateserial >>smrsa1.pem
-
-CN="Test S/MIME EE RSA #2" $OPENSSL req -config ca.cnf -noenc \
- -keyout smrsa2.pem -out req.pem -newkey rsa:2048
-$OPENSSL x509 -req -in req.pem -CA smroot.pem -days 36500 \
- -extfile ca.cnf -extensions usr_cert -CAcreateserial >>smrsa2.pem
-
-CN="Test S/MIME EE RSA #3" $OPENSSL req -config ca.cnf -noenc \
- -keyout smrsa3.pem -out req.pem -newkey rsa:2048
-$OPENSSL x509 -req -in req.pem -CA smroot.pem -days 36500 \
- -extfile ca.cnf -extensions usr_cert -CAcreateserial >>smrsa3.pem
-
-CN="Test S/MIME EE RSA 1024" $OPENSSL req -config ca.cnf -noenc \
- -keyout smrsa1024.pem -out req.pem -newkey rsa:1024
-$OPENSSL x509 -req -in req.pem -CA smroot.pem -days 36500 \
- -extfile ca.cnf -extensions usr_cert -CAcreateserial >>smrsa1024.pem
-
-# Create DSA parameters
-
-$OPENSSL dsaparam -out dsap.pem 2048
+ -keyout smroot.pem -out smroot.pem -key ../certs/ca-key.pem -days 36524
+
+# EE RSA certificates with respective extensions
+cp ../certs/ee-key.pem smrsa1.pem
+$OPENSSL x509 -new -key smrsa1.pem -subj "/CN=Test SMIME EE RSA #1" -days 36524 \
+ -CA smroot.pem -extfile ca.cnf -extensions usr_rsa_cert >>smrsa1.pem
+cp ../certs/ee-key-3072.pem smrsa2.pem
+$OPENSSL x509 -new -key smrsa2.pem -subj "/CN=Test SMIME EE RSA #2" -days 36524 \
+ -CA smroot.pem -extfile ca.cnf -extensions usr_rsa_cert >>smrsa2.pem
+cp ../certs/ee-key-4096.pem smrsa3.pem
+$OPENSSL x509 -new -key smrsa3.pem -subj "/CN=Test SMIME EE RSA #3" -days 36524 \
+ -CA smroot.pem -extfile ca.cnf -extensions usr_rsa_cert >>smrsa3.pem
+
+# Create DSA certificates with respective extensions
+
+cp ../certs/server-dsa-key.pem smdsa1.pem
+$OPENSSL x509 -new -key smdsa1.pem -subj "/CN=Test SMIME EE DSA #1" -days 36524 \
+ -CA smroot.pem -extfile ca.cnf -extensions signer_cert >>smdsa1.pem
+cp ../certs/server-dsa-key.pem smdsa2.pem
+$OPENSSL x509 -new -key smdsa2.pem -subj "/CN=Test SMIME EE DSA #1" -days 36524 \
+ -CA smroot.pem -extfile ca.cnf -extensions signer_cert >>smdsa2.pem
+cp ../certs/server-dsa-key.pem smdsa3.pem
+$OPENSSL x509 -new -key smdsa3.pem -subj "/CN=Test SMIME EE DSA #1" -days 36524 \
+ -CA smroot.pem -extfile ca.cnf -extensions signer_cert >>smdsa3.pem
+
+# Create EC certificates with respective extensions
+
+cp ../certs/ee-ecdsa-key.pem smec1.pem
+$OPENSSL x509 -new -key smec1.pem -subj "/CN=Test SMIME EE EC #1" -days 36524 \
+ -CA smroot.pem -extfile ca.cnf -extensions signer_cert >>smec1.pem
+cp ../certs/server-ecdsa-key.pem smec2.pem
+$OPENSSL x509 -new -key smec2.pem -subj "/CN=Test SMIME EE EC #2" -days 36524 \
+ -CA smroot.pem -extfile ca.cnf -extensions signer_cert >>smec2.pem
-CN="Test S/MIME EE DSA #1" $OPENSSL req -config ca.cnf -noenc \
- -keyout smdsa1.pem -out req.pem -newkey dsa:dsap.pem
-$OPENSSL x509 -req -in req.pem -CA smroot.pem -days 36500 \
- -extfile ca.cnf -extensions usr_cert -CAcreateserial >>smdsa1.pem
-CN="Test S/MIME EE DSA #2" $OPENSSL req -config ca.cnf -noenc \
- -keyout smdsa2.pem -out req.pem -newkey dsa:dsap.pem
-$OPENSSL x509 -req -in req.pem -CA smroot.pem -days 36500 \
- -extfile ca.cnf -extensions usr_cert -CAcreateserial >>smdsa2.pem
-CN="Test S/MIME EE DSA #3" $OPENSSL req -config ca.cnf -noenc \
- -keyout smdsa3.pem -out req.pem -newkey dsa:dsap.pem
-$OPENSSL x509 -req -in req.pem -CA smroot.pem -days 36500 \
- -extfile ca.cnf -extensions usr_cert -CAcreateserial >>smdsa3.pem
-
-# Create EC parameters
-
-$OPENSSL ecparam -out ecp.pem -name P-256
-$OPENSSL ecparam -out ecp2.pem -name K-283
-
-CN="Test S/MIME EE EC #1" $OPENSSL req -config ca.cnf -noenc \
- -keyout smec1.pem -out req.pem -newkey ec:ecp.pem
-$OPENSSL x509 -req -in req.pem -CA smroot.pem -days 36500 \
- -extfile ca.cnf -extensions usr_cert -CAcreateserial >>smec1.pem
-CN="Test S/MIME EE EC #2" $OPENSSL req -config ca.cnf -noenc \
- -keyout smec2.pem -out req.pem -newkey ec:ecp2.pem
-$OPENSSL x509 -req -in req.pem -CA smroot.pem -days 36500 \
- -extfile ca.cnf -extensions usr_cert -CAcreateserial >>smec2.pem
# Do not renew this cert as it is used for legacy data decrypt test
+#$OPENSSL ecparam -out ecp.pem -name P-256
#CN="Test S/MIME EE EC #3" $OPENSSL req -config ca.cnf -noenc \
# -keyout smec3.pem -out req.pem -newkey ec:ecp.pem
-#$OPENSSL x509 -req -in req.pem -CA smroot.pem -days 36500 \
-# -extfile ca.cnf -extensions usr_cert -CAcreateserial >>smec3.pem
-# Create X9.42 DH parameters.
+#$OPENSSL x509 -req -in req.pem -CA smroot.pem -days 36524 \
+# -extfile ca.cnf -extensions signer_cert -CAcreateserial >>smec3.pem
+#rm ecp.pem req.pem
+
+# Create X9.42 DH parameters and key.
$OPENSSL genpkey -genparam -algorithm DHX -out dhp.pem
-# Generate X9.42 DH key.
$OPENSSL genpkey -paramfile dhp.pem -out smdh.pem
-$OPENSSL pkey -pubout -in smdh.pem -out dhpub.pem
-# Generate dummy request.
-CN="Test S/MIME EE DH #1" $OPENSSL req -config ca.cnf -noenc \
- -keyout smtmp.pem -out req.pem -newkey rsa:2048
-# Sign request but force public key to DH
-$OPENSSL x509 -req -in req.pem -CA smroot.pem -days 36500 \
- -force_pubkey dhpub.pem \
- -extfile ca.cnf -extensions usr_cert -CAcreateserial >>smdh.pem
-
-# EE RSA code signing certificates: create request first
-CN="Test CodeSign EE RSA #1" $OPENSSL req -config ca.cnf -noenc \
- -new -out req.pem -key ../certs/ee-key.pem
-cat ../certs/ee-key.pem > csrsa1.pem
-# Sign request: end entity extensions
-$OPENSSL x509 -req -in req.pem -CA smroot.pem -days 36524 -extfile ca.cnf \
- -extensions codesign_cert >>csrsa1.pem
-
-# Remove temp files.
-rm -f req.pem ecp.pem ecp2.pem dsap.pem dhp.pem dhpub.pem smtmp.pem smroot.srl
+rm dhp.pem
+# Create X9.42 DH certificate with respective extensions
+$OPENSSL x509 -new -key smdh.pem -subj "/CN=Test SMIME EE DH" -days 36524 \
+ -CA smroot.pem -extfile ca.cnf -extensions dh_cert >>smdh.pem
+
+# EE RSA code signing end entity certificate with respective extensions
+cp ../certs/ee-key.pem csrsa1.pem
+$OPENSSL x509 -new -key csrsa1.pem -subj "/CN=Test CodeSign EE RSA" -days 36524 \
+ -CA smroot.pem -extfile ca.cnf -extensions codesign_cert >>csrsa1.pem
generated by cgit v1.2.3 (git 2.39.1) at 2024-08-26 20:17:32 +0000