From: Dr. David von Oheimb Date: Thu, 25 Aug 2022 16:09:09 +0000 (+0200) Subject: test/smime-certs/{mksmime-certs.sh,ca.cnf}: simplify and speed up cert generation X-Git-Tag: openssl-3.2.0-alpha1~1183 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=b7cc2d2f295efc342cd46e7e59f93e0ac0472dc0;p=thirdparty%2Fopenssl.git test/smime-certs/{mksmime-certs.sh,ca.cnf}: simplify and speed up cert generation Also remove inconsistent key usages from non-RSA certs. Reviewed-by: Tomas Mraz Reviewed-by: Dmitry Belyavskiy Reviewed-by: David von Oheimb (Merged from https://github.com/openssl/openssl/pull/19076) --- diff --git a/test/smime-certs/ca.cnf b/test/smime-certs/ca.cnf index 9e6f8a917eb..1bdffadf672 100644 --- a/test/smime-certs/ca.cnf +++ b/test/smime-certs/ca.cnf @@ -12,6 +12,7 @@ CN = "Not Defined" default_ca = ca #################################################################### + [ req ] default_bits = 2048 default_keyfile = privkey.pem @@ -30,7 +31,7 @@ organizationName = OpenSSL Group # Take CN from environment so it can come from a script. commonName = $ENV::CN -[ usr_cert ] +[ usr_rsa_cert ] # These extensions are added when 'ca' signs a request for a normal end-entity # certificate with key usage restrictions compatible with RSA keys @@ -44,6 +45,11 @@ keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment # subjectKeyIdentifier = hash # authorityKeyIdentifier = keyid, issuer +[ signer_cert ] + +basicConstraints = CA:FALSE +keyUsage = critical, digitalSignature + [ dh_cert ] # These extensions are added when 'ca' signs a request for an end-entity diff --git a/test/smime-certs/mksmime-certs.sh b/test/smime-certs/mksmime-certs.sh index a4de65b967c..6396f6f7044 100644 --- a/test/smime-certs/mksmime-certs.sh +++ b/test/smime-certs/mksmime-certs.sh @@ -6,7 +6,6 @@ # in the file LICENSE in the source distribution or at # https://www.openssl.org/source/license.html - # Utility to recreate S/MIME certificates OPENSSL=../../apps/openssl 
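Review bot: The new `[ signer_cert ]` section is the only extension section in this hunk without the explanatory comment its neighbours carry (`usr_rsa_cert` states when it is applied and that its key usages suit RSA keys), so a reader of ca.cnf cannot tell that it is meant for the DSA/EC signing-only certificates that mksmime-certs.sh now issues with `-extensions signer_cert`. Suggest adding above `basicConstraints`: `# These extensions are added to end-entity certificates with key usage restrictions compatible with signature-only (DSA/EC) keys, i.e. no keyEncipherment`. It would also help to say whether dropping `nonRepudiation`, which `usr_rsa_cert` keeps in its keyUsage, from S/MIME signing certificates is intentional, as that is not obvious from the diff alone.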
@@ -15,85 +14,57 @@ export OPENSSL_CONF
 
 # Root CA: create certificate directly
 CN="Test S/MIME RSA Root" $OPENSSL req -config ca.cnf -x509 -noenc \
- -keyout smroot.pem -out smroot.pem -newkey rsa:2048 -days 36501
-
-# EE RSA certificates: create request first
-CN="Test S/MIME EE RSA #1" $OPENSSL req -config ca.cnf -noenc \
- -keyout smrsa1.pem -out req.pem -newkey rsa:2048
-# Sign request: end entity extensions
-$OPENSSL x509 -req -in req.pem -CA smroot.pem -days 36500 \
- -extfile ca.cnf -extensions usr_cert -CAcreateserial >>smrsa1.pem
-
-CN="Test S/MIME EE RSA #2" $OPENSSL req -config ca.cnf -noenc \
- -keyout smrsa2.pem -out req.pem -newkey rsa:2048
-$OPENSSL x509 -req -in req.pem -CA smroot.pem -days 36500 \
- -extfile ca.cnf -extensions usr_cert -CAcreateserial >>smrsa2.pem
-
-CN="Test S/MIME EE RSA #3" $OPENSSL req -config ca.cnf -noenc \
- -keyout smrsa3.pem -out req.pem -newkey rsa:2048
-$OPENSSL x509 -req -in req.pem -CA smroot.pem -days 36500 \
- -extfile ca.cnf -extensions usr_cert -CAcreateserial >>smrsa3.pem
-
-CN="Test S/MIME EE RSA 1024" $OPENSSL req -config ca.cnf -noenc \
- -keyout smrsa1024.pem -out req.pem -newkey rsa:1024
-$OPENSSL x509 -req -in req.pem -CA smroot.pem -days 36500 \
- -extfile ca.cnf -extensions usr_cert -CAcreateserial >>smrsa1024.pem
-
-# Create DSA parameters
-
-$OPENSSL dsaparam -out dsap.pem 2048
+ -keyout smroot.pem -out smroot.pem -key ../certs/ca-key.pem -days 36524
+
+# EE RSA certificates with respective extensions
+cp ../certs/ee-key.pem smrsa1.pem
+$OPENSSL x509 -new -key smrsa1.pem -subj "/CN=Test SMIME EE RSA #1" -days 36524 \
+ -CA smroot.pem -extfile ca.cnf -extensions usr_rsa_cert >>smrsa1.pem
+cp ../certs/ee-key-3072.pem smrsa2.pem
+$OPENSSL x509 -new -key smrsa2.pem -subj "/CN=Test SMIME EE RSA #2" -days 36524 \
+ -CA smroot.pem -extfile ca.cnf -extensions usr_rsa_cert >>smrsa2.pem
+cp ../certs/ee-key-4096.pem smrsa3.pem
+$OPENSSL x509 -new -key smrsa3.pem -subj "/CN=Test SMIME EE RSA #3" -days 36524 \
+ -CA smroot.pem -extfile ca.cnf -extensions usr_rsa_cert >>smrsa3.pem
+
+# Create DSA certificates with respective extensions
+
+cp ../certs/server-dsa-key.pem smdsa1.pem
+$OPENSSL x509 -new -key smdsa1.pem -subj "/CN=Test SMIME EE DSA #1" -days 36524 \
+ -CA smroot.pem -extfile ca.cnf -extensions signer_cert >>smdsa1.pem
+cp ../certs/server-dsa-key.pem smdsa2.pem
+$OPENSSL x509 -new -key smdsa2.pem -subj "/CN=Test SMIME EE DSA #1" -days 36524 \
+ -CA smroot.pem -extfile ca.cnf -extensions signer_cert >>smdsa2.pem
+cp ../certs/server-dsa-key.pem smdsa3.pem
+$OPENSSL x509 -new -key smdsa3.pem -subj "/CN=Test SMIME EE DSA #1" -days 36524 \
+ -CA smroot.pem -extfile ca.cnf -extensions signer_cert >>smdsa3.pem
+
+# Create EC certificates with respective extensions
+
+cp ../certs/ee-ecdsa-key.pem smec1.pem
+$OPENSSL x509 -new -key smec1.pem -subj "/CN=Test SMIME EE EC #1" -days 36524 \
+ -CA smroot.pem -extfile ca.cnf -extensions signer_cert >>smec1.pem
+cp ../certs/server-ecdsa-key.pem smec2.pem
+$OPENSSL x509 -new -key smec2.pem -subj "/CN=Test SMIME EE EC #2" -days 36524 \
+ -CA smroot.pem -extfile ca.cnf -extensions signer_cert >>smec2.pem
 
-CN="Test S/MIME EE DSA #1" $OPENSSL req -config ca.cnf -noenc \
- -keyout smdsa1.pem -out req.pem -newkey dsa:dsap.pem
-$OPENSSL x509 -req -in req.pem -CA smroot.pem -days 36500 \
- -extfile ca.cnf -extensions usr_cert -CAcreateserial >>smdsa1.pem
-CN="Test S/MIME EE DSA #2" $OPENSSL req -config ca.cnf -noenc \
- -keyout smdsa2.pem -out req.pem -newkey dsa:dsap.pem
-$OPENSSL x509 -req -in req.pem -CA smroot.pem -days 36500 \
- -extfile ca.cnf -extensions usr_cert -CAcreateserial >>smdsa2.pem
-CN="Test S/MIME EE DSA #3" $OPENSSL req -config ca.cnf -noenc \
- -keyout smdsa3.pem -out req.pem -newkey dsa:dsap.pem
-$OPENSSL x509 -req -in req.pem -CA smroot.pem -days 36500 \
- -extfile ca.cnf -extensions usr_cert -CAcreateserial >>smdsa3.pem
-
-# Create EC parameters
-
-$OPENSSL ecparam -out ecp.pem -name P-256
-$OPENSSL ecparam -out ecp2.pem -name K-283
-
-CN="Test S/MIME EE EC #1" $OPENSSL req -config ca.cnf -noenc \
- -keyout smec1.pem -out req.pem -newkey ec:ecp.pem
-$OPENSSL x509 -req -in req.pem -CA smroot.pem -days 36500 \
- -extfile ca.cnf -extensions usr_cert -CAcreateserial >>smec1.pem
-CN="Test S/MIME EE EC #2" $OPENSSL req -config ca.cnf -noenc \
- -keyout smec2.pem -out req.pem -newkey ec:ecp2.pem
-$OPENSSL x509 -req -in req.pem -CA smroot.pem -days 36500 \
- -extfile ca.cnf -extensions usr_cert -CAcreateserial >>smec2.pem
 # Do not renew this cert as it is used for legacy data decrypt test
+#$OPENSSL ecparam -out ecp.pem -name P-256
 #CN="Test S/MIME EE EC #3" $OPENSSL req -config ca.cnf -noenc \
 # -keyout smec3.pem -out req.pem -newkey ec:ecp.pem
-#$OPENSSL x509 -req -in req.pem -CA smroot.pem -days 36500 \
-# -extfile ca.cnf -extensions usr_cert -CAcreateserial >>smec3.pem
-# Create X9.42 DH parameters.
+#$OPENSSL x509 -req -in req.pem -CA smroot.pem -days 36524 \
+# -extfile ca.cnf -extensions signer_cert -CAcreateserial >>smec3.pem
+rm ecp.pem req.pem
+
+# Create X9.42 DH parameters and key.
 $OPENSSL genpkey -genparam -algorithm DHX -out dhp.pem
-# Generate X9.42 DH key.
 $OPENSSL genpkey -paramfile dhp.pem -out smdh.pem
-$OPENSSL pkey -pubout -in smdh.pem -out dhpub.pem
-# Generate dummy request.
-CN="Test S/MIME EE DH #1" $OPENSSL req -config ca.cnf -noenc \
- -keyout smtmp.pem -out req.pem -newkey rsa:2048
-# Sign request but force public key to DH
-$OPENSSL x509 -req -in req.pem -CA smroot.pem -days 36500 \
- -force_pubkey dhpub.pem \
- -extfile ca.cnf -extensions usr_cert -CAcreateserial >>smdh.pem
-
-# EE RSA code signing certificates: create request first
-CN="Test CodeSign EE RSA #1" $OPENSSL req -config ca.cnf -noenc \
- -new -out req.pem -key ../certs/ee-key.pem
-cat ../certs/ee-key.pem > csrsa1.pem
-# Sign request: end entity extensions
-$OPENSSL x509 -req -in req.pem -CA smroot.pem -days 36524 -extfile ca.cnf \
- -extensions codesign_cert >>csrsa1.pem
-
-# Remove temp files.
-rm -f req.pem ecp.pem ecp2.pem dsap.pem dhp.pem dhpub.pem smtmp.pem smroot.srl
+rm dhp.pem
+# Create X9.42 DH certificate with respective extensions
+$OPENSSL x509 -new -key smdh.pem -subj "/CN=Test SMIME EE DH" -days 36524 \
+ -CA smroot.pem -extfile ca.cnf -extensions dh_cert >>smdh.pem
+
+# EE RSA code signing end entity certificate with respective extensions
+cp ../certs/ee-key.pem csrsa1.pem
+$OPENSSL x509 -new -key csrsa1.pem -subj "/CN=Test CodeSign EE RSA" -days 36524 \
+ -CA smroot.pem -extfile ca.cnf -extensions codesign_cert >>csrsa1.pem
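Review bot: All three DSA certificates are issued with the same subject, `-subj "/CN=Test SMIME EE DSA #1"` on the smdsa2.pem and smdsa3.pem lines, whereas the removed script numbered them #1/#2/#3 and the RSA and EC blocks in this hunk still do; the second and third should read `-subj "/CN=Test SMIME EE DSA #2"` and `-subj "/CN=Test SMIME EE DSA #3"`. Since all three are also generated from the one `../certs/server-dsa-key.pem`, they would otherwise differ only in serial number and validity, which defeats any test that selects a signer or recipient by subject or key. That reliance on the serial is worth a check of its own: the old invocations passed `-CAcreateserial` and the cleanup removed `smroot.srl`, while the new `x509 -new ... -CA smroot.pem` calls pass neither, so confirm that each run still gets a distinct serial and that no `.srl` file is left behind in the tree. Separately, `rm ecp.pem req.pem` next to the commented-out EC #3 block reads as live code here; if that is not a transcription artifact it removes files nothing in the new flow creates and will complain on every run, so it presumably belongs commented out with the rest of that block.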