]> git.ipfire.org Git - thirdparty/openssl.git/blame - test/certs/setup.sh
projects / thirdparty / openssl.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
threads_pthread.c: change inline to ossl_inline
[thirdparty/openssl.git] / test / certs / setup.sh
CommitLineData
d7cdb8b6 1#! /bin/bash
84783517
VD		 2
3# Primary root: root-cert
84783517 4./mkcert.sh genroot "Root CA" root-key root-cert
4f449d90 5# root cert variants: CA:false, key2, DN2, expired
84783517
VD		 6./mkcert.sh genss "Root CA" root-key root-nonca
7./mkcert.sh genroot "Root CA" root-key2 root-cert2
8./mkcert.sh genroot "Root Cert 2" root-key root-name2
4f449d90 9DAYS=-1 ./mkcert.sh genroot "Root CA" root-key root-expired
305c77aa
VD		 10# cross root and root cross cert
11./mkcert.sh genroot "Cross Root" cross-key cross-root
12./mkcert.sh genca "Root CA" root-key root-cross-cert cross-key cross-root
a148a9b4 13# trust variants: +serverAuth -serverAuth +clientAuth -clientAuth
84783517
VD		 14openssl x509 -in root-cert.pem -trustout \
15 -addtrust serverAuth -out root+serverAuth.pem
16openssl x509 -in root-cert.pem -trustout \
17 -addreject serverAuth -out root-serverAuth.pem
18openssl x509 -in root-cert.pem -trustout \
19 -addtrust clientAuth -out root+clientAuth.pem
33cc5dde
VD		 20openssl x509 -in root-cert.pem -trustout \
21 -addreject clientAuth -out root-clientAuth.pem
4f449d90 22# trust variants: +anyEKU -anyEKU
0daccd4d
VD		 23openssl x509 -in root-cert.pem -trustout \
24 -addtrust anyExtendedKeyUsage -out root+anyEKU.pem
4f449d90
DDO		 25openssl x509 -in root-cert.pem -trustout \
26 -addreject anyExtendedKeyUsage -out root-anyEKU.pem
27# root-cert2 trust variants: +serverAuth -serverAuth +clientAuth
0daccd4d
VD		 28openssl x509 -in root-cert2.pem -trustout \
29 -addtrust serverAuth -out root2+serverAuth.pem
30openssl x509 -in root-cert2.pem -trustout \
31 -addreject serverAuth -out root2-serverAuth.pem
32openssl x509 -in root-cert2.pem -trustout \
33 -addtrust clientAuth -out root2+clientAuth.pem
4f449d90 34# root-nonca trust variants: +serverAuth +anyEKU
1d852772
VD		 35openssl x509 -in root-nonca.pem -trustout \
36 -addtrust serverAuth -out nroot+serverAuth.pem
37openssl x509 -in root-nonca.pem -trustout \
38 -addtrust anyExtendedKeyUsage -out nroot+anyEKU.pem
84783517 39
fbb82a60
VD		 40# Root CA security level variants:
41# MD5 self-signature
42OPENSSL_SIGALG=md5 \
43./mkcert.sh genroot "Root CA" root-key root-cert-md5
44# 768-bit key
45OPENSSL_KEYBITS=768 \
46./mkcert.sh genroot "Root CA" root-key-768 root-cert-768
47
33cc5dde 48# primary client-EKU root: croot-cert
33cc5dde 49./mkcert.sh genroot "Root CA" root-key croot-cert clientAuth
eca4826a 50# trust variants: +serverAuth -serverAuth +clientAuth -clientAuth +anyEKU -anyEKU
33cc5dde
VD		 51openssl x509 -in croot-cert.pem -trustout \
52 -addtrust serverAuth -out croot+serverAuth.pem
53openssl x509 -in croot-cert.pem -trustout \
54 -addreject serverAuth -out croot-serverAuth.pem
55openssl x509 -in croot-cert.pem -trustout \
56 -addtrust clientAuth -out croot+clientAuth.pem
57openssl x509 -in croot-cert.pem -trustout \
58 -addreject clientAuth -out croot-clientAuth.pem
33cc5dde
VD		 59openssl x509 -in croot-cert.pem -trustout \
60 -addtrust anyExtendedKeyUsage -out croot+anyEKU.pem
4f449d90
DDO		 61openssl x509 -in croot-cert.pem -trustout \
62 -addreject anyExtendedKeyUsage -out croot-anyEKU.pem
33cc5dde
VD		 63
64# primary server-EKU root: sroot-cert
33cc5dde 65./mkcert.sh genroot "Root CA" root-key sroot-cert serverAuth
4f449d90 66# trust variants: +serverAuth -serverAuth +clientAuth -clientAuth +anyEKU -anyEKU
33cc5dde
VD		 67openssl x509 -in sroot-cert.pem -trustout \
68 -addtrust serverAuth -out sroot+serverAuth.pem
69openssl x509 -in sroot-cert.pem -trustout \
70 -addreject serverAuth -out sroot-serverAuth.pem
71openssl x509 -in sroot-cert.pem -trustout \
72 -addtrust clientAuth -out sroot+clientAuth.pem
73openssl x509 -in sroot-cert.pem -trustout \
74 -addreject clientAuth -out sroot-clientAuth.pem
33cc5dde
VD		 75openssl x509 -in sroot-cert.pem -trustout \
76 -addtrust anyExtendedKeyUsage -out sroot+anyEKU.pem
4f449d90
DDO		 77openssl x509 -in sroot-cert.pem -trustout \
78 -addreject anyExtendedKeyUsage -out sroot-anyEKU.pem
33cc5dde 79
84783517 80# Primary intermediate ca: ca-cert
84783517 81./mkcert.sh genca "CA" ca-key ca-cert root-key root-cert
a148a9b4 82# ca variants: CA:false, no bc, key2, DN2, issuer2, expired
84783517 83./mkcert.sh genee "CA" ca-key ca-nonca root-key root-cert
4d9e33ac 84./mkcert.sh gen_nonbc_ca "CA" ca-key ca-nonbc root-key root-cert
84783517
VD		 85./mkcert.sh genca "CA" ca-key2 ca-cert2 root-key root-cert
86./mkcert.sh genca "CA2" ca-key ca-name2 root-key root-cert
87./mkcert.sh genca "CA" ca-key ca-root2 root-key2 root-cert2
b58614d7 88DAYS=-1 ./mkcert.sh genca "CA" ca-key ca-expired root-key root-cert
4f449d90 89# trust variants: +serverAuth, -serverAuth, +clientAuth, -clientAuth
84783517
VD		 90openssl x509 -in ca-cert.pem -trustout \
91 -addtrust serverAuth -out ca+serverAuth.pem
92openssl x509 -in ca-cert.pem -trustout \
93 -addreject serverAuth -out ca-serverAuth.pem
94openssl x509 -in ca-cert.pem -trustout \
95 -addtrust clientAuth -out ca+clientAuth.pem
33cc5dde
VD		 96openssl x509 -in ca-cert.pem -trustout \
97 -addreject clientAuth -out ca-clientAuth.pem
4f449d90 98# trust variants: +anyEKU, -anyEKU
33cc5dde
VD		 99openssl x509 -in ca-cert.pem -trustout \
100 -addtrust anyExtendedKeyUsage -out ca+anyEKU.pem
4f449d90
DDO		 101openssl x509 -in ca-cert.pem -trustout \
102 -addreject anyExtendedKeyUsage -out ca-anyEKU.pem
eca4826a 103# ca-nonca trust variants: +serverAuth, +anyEKU
1d852772
VD		 104openssl x509 -in ca-nonca.pem -trustout \
105 -addtrust serverAuth -out nca+serverAuth.pem
106openssl x509 -in ca-nonca.pem -trustout \
eca4826a 107 -addtrust anyExtendedKeyUsage -out nca+anyEKU.pem
33cc5dde 108
fbb82a60
VD		 109# Intermediate CA security variants:
110# MD5 issuer signature,
111OPENSSL_SIGALG=md5 \
112./mkcert.sh genca "CA" ca-key ca-cert-md5 root-key root-cert
113openssl x509 -in ca-cert-md5.pem -trustout \
114 -addtrust anyExtendedKeyUsage -out ca-cert-md5-any.pem
115# Issuer has 768-bit key
116./mkcert.sh genca "CA" ca-key ca-cert-768i root-key-768 root-cert-768
117# CA has 768-bit key
118OPENSSL_KEYBITS=768 \
119./mkcert.sh genca "CA" ca-key-768 ca-cert-768 root-key root-cert
cccf532f
TM		 120# EC cert with explicit curve
121./mkcert.sh genca "CA" ca-key-ec-explicit ca-cert-ec-explicit root-key root-cert
122# EC cert with named curve
123./mkcert.sh genca "CA" ca-key-ec-named ca-cert-ec-named root-key root-cert
fbb82a60 124
33cc5dde 125# client intermediate ca: cca-cert
199df4a9 126./mkcert.sh genca -p clientAuth "CA" ca-key cca-cert root-key root-cert
4f449d90 127# trust variants: +serverAuth, -serverAuth, +clientAuth, -clientAuth, +anyEKU, -anyEKU
33cc5dde
VD		 128openssl x509 -in cca-cert.pem -trustout \
129 -addtrust serverAuth -out cca+serverAuth.pem
130openssl x509 -in cca-cert.pem -trustout \
131 -addreject serverAuth -out cca-serverAuth.pem
132openssl x509 -in cca-cert.pem -trustout \
133 -addtrust clientAuth -out cca+clientAuth.pem
134openssl x509 -in cca-cert.pem -trustout \
eca4826a 135 -addreject clientAuth -out cca-clientAuth.pem
33cc5dde
VD		 136openssl x509 -in cca-cert.pem -trustout \
137 -addtrust anyExtendedKeyUsage -out cca+anyEKU.pem
4f449d90
DDO		 138openssl x509 -in cca-cert.pem -trustout \
139 -addreject anyExtendedKeyUsage -out cca-anyEKU.pem
33cc5dde
VD		 140
141# server intermediate ca: sca-cert
199df4a9 142./mkcert.sh genca -p serverAuth "CA" ca-key sca-cert root-key root-cert
4f449d90 143# trust variants: +serverAuth, -serverAuth, +clientAuth, -clientAuth, +anyEKU, -anyEKU
33cc5dde
VD		 144openssl x509 -in sca-cert.pem -trustout \
145 -addtrust serverAuth -out sca+serverAuth.pem
146openssl x509 -in sca-cert.pem -trustout \
147 -addreject serverAuth -out sca-serverAuth.pem
148openssl x509 -in sca-cert.pem -trustout \
149 -addtrust clientAuth -out sca+clientAuth.pem
150openssl x509 -in sca-cert.pem -trustout \
151 -addreject clientAuth -out sca-clientAuth.pem
33cc5dde
VD		 152openssl x509 -in sca-cert.pem -trustout \
153 -addtrust anyExtendedKeyUsage -out sca+anyEKU.pem
4f449d90
DDO		 154openssl x509 -in sca-cert.pem -trustout \
155 -addreject anyExtendedKeyUsage -out sca-anyEKU.pem
84783517 156
4f449d90 157# Primary leaf cert: ee-cert with default purpose: serverAuth
84783517 158./mkcert.sh genee server.example ee-key ee-cert ca-key ca-cert
4f449d90 159# ee variants: expired, issuer-key2, issuer-name2, bad-pathlen
84783517
VD		 160./mkcert.sh genee server.example ee-key ee-expired ca-key ca-cert -days -1
161./mkcert.sh genee server.example ee-key ee-cert2 ca-key2 ca-cert2
162./mkcert.sh genee server.example ee-key ee-name2 ca-key ca-name2
3cb55fe4 163./mkcert.sh genee server.example ee-key ee-pathlen ca-key ca-cert \
4f449d90
DDO		 164 -extfile <(echo "basicConstraints=CA:false,pathlen:0") # bash needed here
165# purpose variants: clientAuth
166./mkcert.sh genee -p clientAuth server.example ee-key ee-client ca-key ca-cert
167# trust variants: +serverAuth, -serverAuth, +clientAuth, -clientAuth
84783517
VD		 168openssl x509 -in ee-cert.pem -trustout \
169 -addtrust serverAuth -out ee+serverAuth.pem
170openssl x509 -in ee-cert.pem -trustout \
171 -addreject serverAuth -out ee-serverAuth.pem
172openssl x509 -in ee-client.pem -trustout \
173 -addtrust clientAuth -out ee+clientAuth.pem
174openssl x509 -in ee-client.pem -trustout \
175 -addreject clientAuth -out ee-clientAuth.pem
fbb82a60 176
386ab7f1
LJ		 177# time stamping certificates
178./mkcert.sh genee -p critical,timeStamping -k critical,digitalSignature server.example ee-key ee-timestampsign-CABforum ca-key ca-cert
179./mkcert.sh genee -p timeStamping -k critical,digitalSignature server.example ee-key ee-timestampsign-CABforum-noncritxku ca-key ca-cert
180./mkcert.sh genee -p critical,timeStamping,serverAuth -k critical,digitalSignature server.example ee-key ee-timestampsign-CABforum-serverauth ca-key ca-cert
181./mkcert.sh genee -p critical,timeStamping,2.5.29.37.0 -k critical,digitalSignature server.example ee-key ee-timestampsign-CABforum-anyextkeyusage ca-key ca-cert
182./mkcert.sh genee -p critical,timeStamping -k critical,digitalSignature,cRLSign server.example ee-key ee-timestampsign-CABforum-crlsign ca-key ca-cert
183./mkcert.sh genee -p critical,timeStamping -k critical,digitalSignature,keyCertSign server.example ee-key ee-timestampsign-CABforum-keycertsign ca-key ca-cert
184./mkcert.sh genee -p critical,timeStamping server.example ee-key ee-timestampsign-rfc3161 ca-key ca-cert
185./mkcert.sh genee -p timeStamping server.example ee-key ee-timestampsign-rfc3161-noncritxku ca-key ca-cert
186./mkcert.sh genee -p critical,timeStamping -k digitalSignature server.example ee-key ee-timestampsign-rfc3161-digsig ca-key ca-cert
187
61a97676
LJ		 188# code signing certificate
189./mkcert.sh genee -p codeSigning -k critical,digitalSignature server.example ee-key ee-codesign ca-key ca-cert
190./mkcert.sh genee -p codeSigning,serverAuth -k critical,digitalSignature server.example ee-key ee-codesign-serverauth ca-key ca-cert
191./mkcert.sh genee -p codeSigning,2.5.29.37.0 -k critical,digitalSignature server.example ee-key ee-codesign-anyextkeyusage ca-key ca-cert
192./mkcert.sh genee -p codeSigning -k critical,digitalSignature,cRLSign server.example ee-key ee-codesign-crlsign ca-key ca-cert
193./mkcert.sh genee -p codeSigning -k critical,digitalSignature,keyCertSign server.example ee-key ee-codesign-keycertsign ca-key ca-cert
194./mkcert.sh genee -p codeSigning -k digitalSignature server.example ee-key ee-codesign-noncritical ca-key ca-cert
195
fbb82a60
VD		 196# Leaf cert security level variants
197# MD5 issuer signature
198OPENSSL_SIGALG=md5 \
199./mkcert.sh genee server.example ee-key ee-cert-md5 ca-key ca-cert
200# 768-bit issuer key
201./mkcert.sh genee server.example ee-key ee-cert-768i ca-key-768 ca-cert-768
202# 768-bit leaf key
203OPENSSL_KEYBITS=768 \
204./mkcert.sh genee server.example ee-key-768 ee-cert-768 ca-key ca-cert
cccf532f
TM		 205# EC cert with explicit curve signed by named curve ca
206./mkcert.sh genee server.example ee-key-ec-explicit ee-cert-ec-explicit ca-key-ec-named ca-cert-ec-named
207# EC cert with named curve signed by explicit curve ca
627ddf7b
TM		 208./mkcert.sh genee server.example ee-key-ec-named-explicit \
209 ee-cert-ec-named-explicit ca-key-ec-explicit ca-cert-ec-explicit
cccf532f 210# EC cert with named curve signed by named curve ca
627ddf7b
TM		 211./mkcert.sh genee server.example ee-key-ec-named-named \
212 ee-cert-ec-named-named ca-key-ec-named ca-cert-ec-named
b6ae56fd
MC		 213# 1024-bit leaf key
214OPENSSL_KEYBITS=1024 \
215./mkcert.sh genee server.example ee-key-1024 ee-cert-1024 ca-key ca-cert
216# 3072-bit leaf key
217OPENSSL_KEYBITS=3072 \
218./mkcert.sh genee server.example ee-key-3072 ee-cert-3072 ca-key ca-cert
219# 4096-bit leaf key
220OPENSSL_KEYBITS=4096 \
221./mkcert.sh genee server.example ee-key-4096 ee-cert-4096 ca-key ca-cert
222# 8192-bit leaf key
223OPENSSL_KEYBITS=8192 \
224./mkcert.sh genee server.example ee-key-8192 ee-cert-8192 ca-key ca-cert
71c8cd20 225
0e7b1383 226# self-signed end-entity cert with explicit keyUsage not including KeyCertSign
d7cdb8b6 227openssl req -new -x509 -key ee-key.pem -subj /CN=ee-self-signed -out ee-self-signed.pem -addext keyUsage=digitalSignature -days 36525
0e7b1383 228
71c8cd20
RL		 229# Proxy certificates, off of ee-client
230# Start with some good ones
231./mkcert.sh req pc1-key "0.CN = server.example" "1.CN = proxy 1" | \
232 ./mkcert.sh genpc pc1-key pc1-cert ee-key ee-client \
233 "language = id-ppl-anyLanguage" "pathlen = 1" "policy = text:AB"
234./mkcert.sh req pc2-key "0.CN = server.example" "1.CN = proxy 1" "2.CN = proxy 2" | \
235 ./mkcert.sh genpc pc2-key pc2-cert pc1-key pc1-cert \
236 "language = id-ppl-anyLanguage" "pathlen = 0" "policy = text:AB"
237# And now a couple of bad ones
238# pc3: incorrect CN
239./mkcert.sh req bad-pc3-key "0.CN = server.example" "1.CN = proxy 3" | \
240 ./mkcert.sh genpc bad-pc3-key bad-pc3-cert pc1-key pc1-cert \
241 "language = id-ppl-anyLanguage" "pathlen = 0" "policy = text:AB"
242# pc4: incorrect pathlen
243./mkcert.sh req bad-pc4-key "0.CN = server.example" "1.CN = proxy 1" "2.CN = proxy 4" | \
244 ./mkcert.sh genpc bad-pc4-key bad-pc4-cert pc1-key pc1-cert \
245 "language = id-ppl-anyLanguage" "pathlen = 1" "policy = text:AB"
246# pc5: no policy
247./mkcert.sh req pc5-key "0.CN = server.example" "1.CN = proxy 1" "2.CN = proxy 5" | \
248 ./mkcert.sh genpc pc5-key pc5-cert pc1-key pc1-cert \
249 "language = id-ppl-anyLanguage" "pathlen = 0"
250# pc6: incorrect CN (made into a component of a multivalue RDN)
251./mkcert.sh req bad-pc6-key "0.CN = server.example" "1.CN = proxy 1" "2.+CN = proxy 6" | \
252 ./mkcert.sh genpc bad-pc6-key bad-pc6-cert pc1-key pc1-cert \
253 "language = id-ppl-anyLanguage" "pathlen = 0" "policy = text:AB"
d83b7e1a
DSH		 254
255# Name constraints test certificates.
256
257# NC CA1 only permits the host www.good.org and *.good.com email address
258# good@good.org and *@good.com and IP addresses 127.0.0.1 and
259# 192.168.0.0/16
260
261NC="permitted;DNS:www.good.org, permitted;DNS:good.com,"
262NC="$NC permitted;email:good@good.org, permitted;email:good.com,"
263NC="$NC permitted;IP:127.0.0.1/255.255.255.255, permitted;IP:192.168.0.0/255.255.0.0"
264
265NC=$NC ./mkcert.sh genca "Test NC CA 1" ncca1-key ncca1-cert root-key root-cert
266
267# NC CA2 allows anything apart from hosts www.bad.org and *.bad.com
268# and email addresses bad@bad.org and *@bad.com
269
270NC="excluded;DNS:www.bad.org, excluded;DNS:bad.com,"
271NC="$NC excluded;email:bad@bad.org, excluded;email:bad.com, "
272NC="$NC excluded;IP:10.0.0.0/255.0.0.0"
273
274NC=$NC ./mkcert.sh genca "Test NC CA 2" ncca2-key ncca2-cert root-key root-cert
275
276# Name constraints subordinate CA. Adds www.good.net (which should be
277# disallowed because parent CA doesn't permit it) adds ok.good.com
278# (which should be allowed because parent allows *.good.com
279# and now excludes bad.ok.good.com (allowed in permitted subtrees
280# but explicitly excluded).
281
282NC="permitted;DNS:www.good.net, permitted;DNS:ok.good.com, "
283NC="$NC excluded;DNS:bad.ok.good.com"
284NC=$NC ./mkcert.sh genca "Test NC sub CA" ncca3-key ncca3-cert \
285 ncca1-key ncca1-cert
286
d02d80b2 287# all subjectAltNames allowed by CA1. Some CNs are not!
d83b7e1a
DSH		 288
289./mkcert.sh req alt1-key "O = Good NC Test Certificate 1" \
d02d80b2 290 "1.CN=www.example.net" "2.CN=Joe Bloggs" | \
d83b7e1a
DSH		 291 ./mkcert.sh geneealt alt1-key alt1-cert ncca1-key ncca1-cert \
292 "DNS.1 = www.good.org" "DNS.2 = any.good.com" \
293 "email.1 = good@good.org" "email.2 = any@good.com" \
294 "IP = 127.0.0.1" "IP = 192.168.0.1"
295
d02d80b2
VD		 296# all DNS-like CNs allowed by CA1, no DNS SANs.
297
298./mkcert.sh req goodcn1-key "O = Good NC Test Certificate 1" \
299 "1.CN=www.good.org" "2.CN=any.good.com" \
300 "3.CN=not..dns" "4.CN=not@dns" "5.CN=not-.dns" "6.CN=not.dns." | \
301 ./mkcert.sh geneealt goodcn1-key goodcn1-cert ncca1-key ncca1-cert \
302 "IP = 127.0.0.1" "IP = 192.168.0.1"
303
3269c8bd
MC		 304# all DNS-like CNs allowed by CA1, no SANs
305
306./mkcert.sh req goodcn2-key "O = Good NC Test Certificate 1" \
307 "CN=www.good.org" | \
308 ./mkcert.sh geneeconfig goodcn2-key goodcn2-cert ncca1-key ncca1-cert
309
d02d80b2
VD		 310# Some DNS-like CNs not permitted by CA1, no DNS SANs.
311
312./mkcert.sh req badcn1-key "O = Good NC Test Certificate 1" \
313 "1.CN=www.good.org" "3.CN=bad.net" | \
314 ./mkcert.sh geneealt badcn1-key badcn1-cert ncca1-key ncca1-cert \
315 "IP = 127.0.0.1" "IP = 192.168.0.1"
316
d83b7e1a
DSH		 317# no subjectAltNames excluded by CA2.
318
319./mkcert.sh req alt2-key "O = Good NC Test Certificate 2" | \
320 ./mkcert.sh geneealt alt2-key alt2-cert ncca2-key ncca2-cert \
321 "DNS.1 = www.anything.org" "DNS.2 = any.other.com" \
322 "email.1 = other@bad.org" "email.2 = any@something.com"
323
324# hostname other.good.org which is not allowed by CA1.
325
326./mkcert.sh req badalt1-key "O = Bad NC Test Certificate 1" | \
327 ./mkcert.sh geneealt badalt1-key badalt1-cert ncca1-key ncca1-cert \
328 "DNS.1 = other.good.org" "DNS.2 = any.good.com" \
329 "email.1 = good@good.org" "email.2 = any@good.com"
330
331# any.bad.com is excluded by CA2.
332
333./mkcert.sh req badalt2-key 'O = Bad NC Test Certificate 2' | \
334 ./mkcert.sh geneealt badalt2-key badalt2-cert ncca2-key ncca2-cert \
335 "DNS.1 = www.good.org" "DNS.2 = any.bad.com" \
336 "email.1 = good@good.org" "email.2 = any@good.com"
337
338# other@good.org not permitted by CA1
339
340./mkcert.sh req badalt3-key "O = Bad NC Test Certificate 3" | \
341 ./mkcert.sh geneealt badalt3-key badalt1-cert ncca1-key ncca1-cert \
342 "DNS.1 = www.good.org" "DNS.2 = any.good.com" \
343 "email.1 = other@good.org" "email.2 = any@good.com"
344
345# all subject alt names OK but subject email address not allowed by CA1.
346
347./mkcert.sh req badalt4-key 'O = Bad NC Test Certificate 4' \
348 "emailAddress = any@other.com" | \
349 ./mkcert.sh geneealt badalt4-key badalt4-cert ncca1-key ncca1-cert \
350 "DNS.1 = www.good.org" "DNS.2 = any.good.com" \
351 "email.1 = good@good.org" "email.2 = any@good.com"
352
353# IP address not allowed by CA1
354./mkcert.sh req badalt5-key "O = Bad NC Test Certificate 5" | \
355 ./mkcert.sh geneealt badalt5-key badalt5-cert ncca1-key ncca1-cert \
356 "DNS.1 = www.good.org" "DNS.2 = any.good.com" \
357 "email.1 = good@good.org" "email.2 = any@good.com" \
358 "IP = 127.0.0.2"
359
d02d80b2 360# No DNS-ID SANs and subject CN not allowed by CA1.
d83b7e1a
DSH		 361./mkcert.sh req badalt6-key "O = Bad NC Test Certificate 6" \
362 "1.CN=other.good.org" "2.CN=Joe Bloggs" "3.CN=any.good.com" | \
363 ./mkcert.sh geneealt badalt6-key badalt6-cert ncca1-key ncca1-cert \
d83b7e1a
DSH		 364 "email.1 = good@good.org" "email.2 = any@good.com" \
365 "IP = 127.0.0.1" "IP = 192.168.0.1"
366
d02d80b2 367# No DNS-ID SANS and subject CN not allowed by CA1, BMPSTRING
d83b7e1a
DSH		 368REQMASK=MASK:0x800 ./mkcert.sh req badalt7-key "O = Bad NC Test Certificate 7" \
369 "1.CN=other.good.org" "2.CN=Joe Bloggs" "3.CN=any.good.com" | \
370 ./mkcert.sh geneealt badalt7-key badalt7-cert ncca1-key ncca1-cert \
d83b7e1a
DSH		 371 "email.1 = good@good.org" "email.2 = any@good.com" \
372 "IP = 127.0.0.1" "IP = 192.168.0.1"
373
374# all subjectAltNames allowed by chain
375
376./mkcert.sh req alt3-key "O = Good NC Test Certificate 3" \
377 "1.CN=www.ok.good.com" "2.CN=Joe Bloggs" | \
378 ./mkcert.sh geneealt alt3-key alt3-cert ncca3-key ncca3-cert \
379 "DNS.1 = www.ok.good.com" \
380 "email.1 = good@good.org" "email.2 = any@good.com" \
381 "IP = 127.0.0.1" "IP = 192.168.0.1"
382
383# www.good.net allowed by parent CA but not parent of parent
384
385./mkcert.sh req badalt8-key "O = Bad NC Test Certificate 8" \
386 "1.CN=www.good.com" "2.CN=Joe Bloggs" | \
387 ./mkcert.sh geneealt badalt8-key badalt8-cert ncca3-key ncca3-cert \
388 "DNS.1 = www.ok.good.com" "DNS.2 = www.good.net" \
389 "email.1 = good@good.org" "email.2 = any@good.com" \
390 "IP = 127.0.0.1" "IP = 192.168.0.1"
391
392# other.good.com not allowed by parent CA but allowed by parent of parent
393
394./mkcert.sh req badalt9-key "O = Bad NC Test Certificate 9" \
395 "1.CN=www.good.com" "2.CN=Joe Bloggs" | \
396 ./mkcert.sh geneealt badalt9-key badalt9-cert ncca3-key ncca3-cert \
397 "DNS.1 = www.good.com" "DNS.2 = other.good.com" \
398 "email.1 = good@good.org" "email.2 = any@good.com" \
399 "IP = 127.0.0.1" "IP = 192.168.0.1"
400
401# www.bad.net excluded by parent CA.
402
403./mkcert.sh req badalt10-key "O = Bad NC Test Certificate 10" \
404 "1.CN=www.ok.good.com" "2.CN=Joe Bloggs" | \
405 ./mkcert.sh geneealt badalt10-key badalt10-cert ncca3-key ncca3-cert \
406 "DNS.1 = www.ok.good.com" "DNS.2 = bad.ok.good.com" \
407 "email.1 = good@good.org" "email.2 = any@good.com" \
408 "IP = 127.0.0.1" "IP = 192.168.0.1"
9bf45ba4 409
96e77bd3
TM		 410# Certs for CVE-2022-4203 testcase
411
412NC="excluded;otherName:SRVName;UTF8STRING:foo@example.org" ./mkcert.sh genca \
413 "Test NC CA othername" nccaothername-key nccaothername-cert \
414 root-key root-cert
415
416./mkcert.sh req alt-email-key "O = NC email in othername Test Certificate" | \
417 ./mkcert.sh geneealt bad-othername-key bad-othername-cert \
418 nccaothername-key nccaothername-cert \
419 "otherName.1 = SRVName;UTF8STRING:foo@example.org"
420
9bf45ba4
DSH		 421# RSA-PSS signatures
422# SHA1
423./mkcert.sh genee PSS-SHA1 ee-key ee-pss-sha1-cert ca-key ca-cert \
424 -sha1 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:digest
199df4a9 425# EE SHA256
9bf45ba4 426./mkcert.sh genee PSS-SHA256 ee-key ee-pss-sha256-cert ca-key ca-cert \
199df4a9
DDO		 427 -sha256 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:digest
428# CA-PSS
429./mkcert.sh genca "CA-PSS" ca-pss-key ca-pss-cert root-key root-cert \
430 -sha256 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1
431./mkcert.sh genee "EE-PSS" ee-key ee-pss-cert ca-pss-key ca-pss-cert \
432 -sha256 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1
433# Should not have been possible to produce, see issue #13968:
434#./mkcert.sh genee "EE-PSS-wrong1.5" ee-key ee-pss-wrong1.5-cert ca-pss-key ca-pss-cert -sha256
83c81eeb
MC		 435
436OPENSSL_KEYALG=ec OPENSSL_KEYBITS=brainpoolP256r1 ./mkcert.sh genee \
437 "Server ECDSA brainpoolP256r1 cert" server-ecdsa-brainpoolP256r1-key \
438 server-ecdsa-brainpoolP256r1-cert rootkey rootcert
39d9ea5e 439
ef898017 440openssl req -new -noenc -subj "/CN=localhost" \
39d9ea5e
MC		 441 -newkey rsa-pss -keyout server-pss-restrict-key.pem \
442 -pkeyopt rsa_pss_keygen_md:sha256 -pkeyopt rsa_pss_keygen_saltlen:32 | \
443 ./mkcert.sh geneenocsr "Server RSA-PSS restricted cert" \
444 server-pss-restrict-cert rootkey rootcert
4d9e8c95 445
336d92eb
TM		 446openssl req -new -noenc -subj "/CN=Client-RSA-PSS" \
447 -newkey rsa-pss -keyout client-pss-restrict-key.pem \
448 -pkeyopt rsa_pss_keygen_md:sha256 -pkeyopt rsa_pss_keygen_saltlen:32 | \
449 ./mkcert.sh geneenocsr -p clientAuth "Client RSA-PSS restricted cert" \
450 client-pss-restrict-cert rootkey rootcert
451
4d9e8c95
KR		 452# CT entry
453./mkcert.sh genct server.example embeddedSCTs1-key embeddedSCTs1 embeddedSCTs1_issuer-key embeddedSCTs1_issuer ct-server-key
77c4d397 454
9495cfbc 455OPENSSL_SIGALG= OPENSSL_KEYALG=ed448 ./mkcert.sh genroot "Root Ed448" \
77c4d397
KR		 456 root-ed448-key root-ed448-cert
457OPENSSL_SIGALG=ED448 OPENSSL_KEYALG=ed448 ./mkcert.sh genee ed448 \
458 server-ed448-key server-ed448-cert root-ed448-key root-ed448-cert
cf61b97d 459
4ff993d7
DDO		 460# non-critical unknown extension
461./mkcert.sh geneeextra server.example ee-key ee-cert-noncrit-unknown-ext ca-key ca-cert "1.2.3.4=DER:05:00"
462
463# critical unknown extension
464./mkcert.sh geneeextra server.example ee-key ee-cert-crit-unknown-ext ca-key ca-cert "1.2.3.4=critical,DER:05:00"
465
466# critical id-pkix-ocsp-no-check extension
cf61b97d 467./mkcert.sh geneeextra server.example ee-key ee-cert-ocsp-nocheck ca-key ca-cert "1.3.6.1.5.5.7.48.1.5=critical,DER:05:00"
a4e72642
MC		 468
469# certificatePolicies extension
470./mkcert.sh genca -c "1.3.6.1.4.1.16604.998855.1" "CA" ca-key ca-pol-cert root-key root-cert
471./mkcert.sh geneeextra server.example ee-key ee-cert-policies ca-key ca-cert "certificatePolicies=1.3.6.1.4.1.16604.998855.1"
472# We can create a cert with a duplicate policy oid - but its actually invalid!
473./mkcert.sh geneeextra server.example ee-key ee-cert-policies-bad ca-key ca-cert "certificatePolicies=1.3.6.1.4.1.16604.998855.1,1.3.6.1.4.1.16604.998855.1"
fd27a7e4
MT		 474
475# EC cert signed by curve ca with SHA3-224, SHA3-256, SHA3-384, SHA3-512
476OPENSSL_SIGALG="sha3-224" ./mkcert.sh genee server.example ee-key-ec-named-named ee-cert-ec-sha3-224 ca-key-ec-named ca-cert-ec-named
477OPENSSL_SIGALG="sha3-256" ./mkcert.sh genee server.example ee-key-ec-named-named ee-cert-ec-sha3-256 ca-key-ec-named ca-cert-ec-named
478OPENSSL_SIGALG="sha3-384" ./mkcert.sh genee server.example ee-key-ec-named-named ee-cert-ec-sha3-384 ca-key-ec-named ca-cert-ec-named
479OPENSSL_SIGALG="sha3-512" ./mkcert.sh genee server.example ee-key-ec-named-named ee-cert-ec-sha3-512 ca-key-ec-named ca-cert-ec-named
A mirror of the official openssl repository