--- /dev/null
+-----BEGIN CERTIFICATE-----
+MIIDGzCCAgOgAwIBAgIBAjANBgkqhkiG9w0BAQsFADANMQswCQYDVQQDDAJDQTAg
+Fw0yMjA2MTUxNjM0MDNaGA8yMTIyMDYxNjE2MzQwM1owGTEXMBUGA1UEAwwOc2Vy
+dmVyLmV4YW1wbGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCo/4lY
+YYWu3tssD9Vz++K3qBt6dWAr1H08c3a1rt6TL38kkG3JHPSKOM2fooAWVsu0LLuT
+5Rcf/w3GQ/4xNPgo2HXpo7uIgu+jcuJTYgVFTeAxl++qnRDSWA2eBp4yuxsIVl1l
+Dz9mjsI2oBH/wFk1/Ukc3RxCMwZ4rgQ4I+XndWfTlK1aqUAfrFkQ9QzBZK1KxMY1
+U7OWaoIbFYvRmavknm+UqtKW5Vf7jJFkijwkFsbSGb6CYBM7YrDtPh2zyvlr3zG5
+ep5LR2inKcc/SuIiJ7TvkGPX79ByST5brbkb1Ctvhmjd1XMSuEPJ3EEPoqNGT4tn
+iIQPYf55NB9KiR+3AgMBAAGjeDB2MB0GA1UdDgQWBBTnm+IqrYpsOst2UeWOB5gi
+l+FzojAfBgNVHSMEGDAWgBS0ETPx1+Je91OeICIQT4YGvx/JXjAJBgNVHRMEAjAA
+MA4GA1UdDwEB/wQEAwIHgDAZBgNVHSUEEjAQBggrBgEFBQcDAwYEVR0lADANBgkq
+hkiG9w0BAQsFAAOCAQEASlEaV64VMZE4Kj8ITpm8Xb418tbiLmuDEHZiZXOc9gRg
+YNnxpP0ammixIlvDtGM9Liahg5yTwj78Hd6ejxcSLm5sckhA+WkhosAm2aelkVEA
+kG0uqo2JOYd7RHh6rzvSCYfLX8gg9eqzq8qWw7Lbg9wyfC5V1Q+zYkuEQ4bBc5WT
+iqh1Zad4Lp9yFsMTEbo8aKL3Ayu0ehR1OrKjRrHbk9q2XafZRoa41mjNEHvQ7KkW
+PGkczOapAXRJRm7pRzI5m3lj07ITwdWiliu9Uv8KRKxkOunmSIGVBkeNMf7gGBiA
+1k4+o8wcWcQZmsP6RxEvSm6k5610oHi0z0CVgijghw==
+-----END CERTIFICATE-----
--- /dev/null
+-----BEGIN CERTIFICATE-----
+MIIDFTCCAf2gAwIBAgIBAjANBgkqhkiG9w0BAQsFADANMQswCQYDVQQDDAJDQTAg
+Fw0yMjA2MTUxNjA1NDFaGA8yMTIyMDYxNjE2MDU0MVowGTEXMBUGA1UEAwwOc2Vy
+dmVyLmV4YW1wbGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCo/4lY
+YYWu3tssD9Vz++K3qBt6dWAr1H08c3a1rt6TL38kkG3JHPSKOM2fooAWVsu0LLuT
+5Rcf/w3GQ/4xNPgo2HXpo7uIgu+jcuJTYgVFTeAxl++qnRDSWA2eBp4yuxsIVl1l
+Dz9mjsI2oBH/wFk1/Ukc3RxCMwZ4rgQ4I+XndWfTlK1aqUAfrFkQ9QzBZK1KxMY1
+U7OWaoIbFYvRmavknm+UqtKW5Vf7jJFkijwkFsbSGb6CYBM7YrDtPh2zyvlr3zG5
+ep5LR2inKcc/SuIiJ7TvkGPX79ByST5brbkb1Ctvhmjd1XMSuEPJ3EEPoqNGT4tn
+iIQPYf55NB9KiR+3AgMBAAGjcjBwMB0GA1UdDgQWBBTnm+IqrYpsOst2UeWOB5gi
+l+FzojAfBgNVHSMEGDAWgBS0ETPx1+Je91OeICIQT4YGvx/JXjAJBgNVHRMEAjAA
+MA4GA1UdDwEB/wQEAwIBgjATBgNVHSUEDDAKBggrBgEFBQcDAzANBgkqhkiG9w0B
+AQsFAAOCAQEAaFJ20GAgOe8aS9FOHzBwnQWT8m0tqrRysb/iAVmrK1z3o5Jz3vBw
+a5v1aMpWX19tp5tdIRqiGw0aAje8ZKBf4mK1Z9qZLmx+bat8Q4Re2s9wP67TUMfF
+SKvCYLNws5zcDnt31Ckpnu+kLm6GIxlYy7q+DBJxzuPCkVLZTSRhFJPs9pyn2jHt
+tGsQgkOAhOTKbldM9N66z+IqZJ3zXmmkrSVw45qDB50QpmaCJza1expIMderN/lh
+j/ijMGyZOZXH4KkNCGxROyw0iHB7nZ5IdXLbpDDycJkixmmUBNjBh5huxgfzwGHT
+ePW/iHQzvEzUWZJf3cx9GKRj5z2lJf9tPA==
+-----END CERTIFICATE-----
--- /dev/null
+-----BEGIN CERTIFICATE-----
+MIIDFTCCAf2gAwIBAgIBAjANBgkqhkiG9w0BAQsFADANMQswCQYDVQQDDAJDQTAg
+Fw0yMjA2MTUxNjA1NDFaGA8yMTIyMDYxNjE2MDU0MVowGTEXMBUGA1UEAwwOc2Vy
+dmVyLmV4YW1wbGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCo/4lY
+YYWu3tssD9Vz++K3qBt6dWAr1H08c3a1rt6TL38kkG3JHPSKOM2fooAWVsu0LLuT
+5Rcf/w3GQ/4xNPgo2HXpo7uIgu+jcuJTYgVFTeAxl++qnRDSWA2eBp4yuxsIVl1l
+Dz9mjsI2oBH/wFk1/Ukc3RxCMwZ4rgQ4I+XndWfTlK1aqUAfrFkQ9QzBZK1KxMY1
+U7OWaoIbFYvRmavknm+UqtKW5Vf7jJFkijwkFsbSGb6CYBM7YrDtPh2zyvlr3zG5
+ep5LR2inKcc/SuIiJ7TvkGPX79ByST5brbkb1Ctvhmjd1XMSuEPJ3EEPoqNGT4tn
+iIQPYf55NB9KiR+3AgMBAAGjcjBwMB0GA1UdDgQWBBTnm+IqrYpsOst2UeWOB5gi
+l+FzojAfBgNVHSMEGDAWgBS0ETPx1+Je91OeICIQT4YGvx/JXjAJBgNVHRMEAjAA
+MA4GA1UdDwEB/wQEAwIChDATBgNVHSUEDDAKBggrBgEFBQcDAzANBgkqhkiG9w0B
+AQsFAAOCAQEAGdAVHnk43W8f69NaXm/uddssUCiHln+gWON5n2fSZ5DC8eaUs/kt
+hr+HonB4cl+MvEeLUKN5Zmt4BRpqf2tlncy4qhoIzl99LlQs01IO2hoIYkc9/gRW
+xcyOAvRACEO3AlOLlKO00VjYfSc4zyf40LSme/DQOz9CWaAjOdpjF/AlWK5lHyB4
+Ra2EscTBE4kgrPiTQp5WG4mbbZ+H7Rd8dFrFY6/ZdmhqMCn04MUCtjfWFtPk6zAl
+DY/MqhvkZNTfHfvI9+jmiUG3+dpcDmrjL/IgtBlZjFTKroOdXVjMj0j1oUvhSjWB
+s1OhZ5bfbu9ZfwqQ0FqW3vzmJFENHxZmXg==
+-----END CERTIFICATE-----
--- /dev/null
+-----BEGIN CERTIFICATE-----
+MIIDEjCCAfqgAwIBAgIBAjANBgkqhkiG9w0BAQsFADANMQswCQYDVQQDDAJDQTAg
+Fw0yMjA2MTUxNDI0MDBaGA8yMTIyMDYxNjE0MjQwMFowGTEXMBUGA1UEAwwOc2Vy
+dmVyLmV4YW1wbGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCo/4lY
+YYWu3tssD9Vz++K3qBt6dWAr1H08c3a1rt6TL38kkG3JHPSKOM2fooAWVsu0LLuT
+5Rcf/w3GQ/4xNPgo2HXpo7uIgu+jcuJTYgVFTeAxl++qnRDSWA2eBp4yuxsIVl1l
+Dz9mjsI2oBH/wFk1/Ukc3RxCMwZ4rgQ4I+XndWfTlK1aqUAfrFkQ9QzBZK1KxMY1
+U7OWaoIbFYvRmavknm+UqtKW5Vf7jJFkijwkFsbSGb6CYBM7YrDtPh2zyvlr3zG5
+ep5LR2inKcc/SuIiJ7TvkGPX79ByST5brbkb1Ctvhmjd1XMSuEPJ3EEPoqNGT4tn
+iIQPYf55NB9KiR+3AgMBAAGjbzBtMB0GA1UdDgQWBBTnm+IqrYpsOst2UeWOB5gi
+l+FzojAfBgNVHSMEGDAWgBS0ETPx1+Je91OeICIQT4YGvx/JXjAJBgNVHRMEAjAA
+MAsGA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDAzANBgkqhkiG9w0BAQsF
+AAOCAQEAAIP8ClZRmnDKLnyPPizy2Cf9SS5pp+tYxp4WlRCbbsPyF97GTRDY64Uk
+dyoD91h+PEj6UW5N8ZbDkpRL8k3wCd3a2jSJEQl//o/L4ZwdewTQxXtyyQrsh3Or
+HdgPg3qQllkJqkB6dlLCv8TsUXCiRkYuzE8x3ul0DjAfAiczwoFnhe+gXLJw74Lz
+PQm41X56AMgkv+yVGhfLgsN03Tppd25blExT35DDlsJx0OkZcZibU9dNA2ZFaT4X
+fIS0GL+9Pb/nm8b4UCcJDcNBut/TQnDZR5DysgrXCh0dXBFH5XZCczetbw4pW87I
+vIgtz2if2ZzhbxAfWRBCa7razHVNIQ==
+-----END CERTIFICATE-----
--- /dev/null
+-----BEGIN CERTIFICATE-----
+MIIDHzCCAgegAwIBAgIBAjANBgkqhkiG9w0BAQsFADANMQswCQYDVQQDDAJDQTAg
+Fw0yMjA2MTUxNjA1NDFaGA8yMTIyMDYxNjE2MDU0MVowGTEXMBUGA1UEAwwOc2Vy
+dmVyLmV4YW1wbGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCo/4lY
+YYWu3tssD9Vz++K3qBt6dWAr1H08c3a1rt6TL38kkG3JHPSKOM2fooAWVsu0LLuT
+5Rcf/w3GQ/4xNPgo2HXpo7uIgu+jcuJTYgVFTeAxl++qnRDSWA2eBp4yuxsIVl1l
+Dz9mjsI2oBH/wFk1/Ukc3RxCMwZ4rgQ4I+XndWfTlK1aqUAfrFkQ9QzBZK1KxMY1
+U7OWaoIbFYvRmavknm+UqtKW5Vf7jJFkijwkFsbSGb6CYBM7YrDtPh2zyvlr3zG5
+ep5LR2inKcc/SuIiJ7TvkGPX79ByST5brbkb1Ctvhmjd1XMSuEPJ3EEPoqNGT4tn
+iIQPYf55NB9KiR+3AgMBAAGjfDB6MB0GA1UdDgQWBBTnm+IqrYpsOst2UeWOB5gi
+l+FzojAfBgNVHSMEGDAWgBS0ETPx1+Je91OeICIQT4YGvx/JXjAJBgNVHRMEAjAA
+MA4GA1UdDwEB/wQEAwIHgDAdBgNVHSUEFjAUBggrBgEFBQcDAwYIKwYBBQUHAwEw
+DQYJKoZIhvcNAQELBQADggEBACt152hE0idWgezHBdihPN9dm7fWysPt3WemRlEX
+pK/g5OxfmkgfdazyKJi1I6ym5eEaCV9HFnPBtZYli50Paztwm26tEyh0ud/Bnybq
+X83ejhqyb3GJUTW3fkucNkKRlRto8C6zKfohS7+iwdBkIsxcGCJGYROKYJOGUiSZ
+thOnVnVqglSLa37iS6oJOK2CQ1AHP4GTcgVMBL7W1fSFvrVj0GsgnifnsLWkCfLL
+qlK6WXdpiJnjfgYmKfetglLknhGa7TGb0HIULyJ8hF4iVw08KLSH+os5fINizKbt
+NjNoFebf6p842zU9EH8tF/m+CkCPAHpGOsrc1+bf77jpmX4=
+-----END CERTIFICATE-----
--- /dev/null
+-----BEGIN CERTIFICATE-----
+MIIDFTCCAf2gAwIBAgIBAjANBgkqhkiG9w0BAQsFADANMQswCQYDVQQDDAJDQTAg
+Fw0yMjA2MTUxNDIyMDZaGA8yMTIyMDYxNjE0MjIwNlowGTEXMBUGA1UEAwwOc2Vy
+dmVyLmV4YW1wbGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCo/4lY
+YYWu3tssD9Vz++K3qBt6dWAr1H08c3a1rt6TL38kkG3JHPSKOM2fooAWVsu0LLuT
+5Rcf/w3GQ/4xNPgo2HXpo7uIgu+jcuJTYgVFTeAxl++qnRDSWA2eBp4yuxsIVl1l
+Dz9mjsI2oBH/wFk1/Ukc3RxCMwZ4rgQ4I+XndWfTlK1aqUAfrFkQ9QzBZK1KxMY1
+U7OWaoIbFYvRmavknm+UqtKW5Vf7jJFkijwkFsbSGb6CYBM7YrDtPh2zyvlr3zG5
+ep5LR2inKcc/SuIiJ7TvkGPX79ByST5brbkb1Ctvhmjd1XMSuEPJ3EEPoqNGT4tn
+iIQPYf55NB9KiR+3AgMBAAGjcjBwMB0GA1UdDgQWBBTnm+IqrYpsOst2UeWOB5gi
+l+FzojAfBgNVHSMEGDAWgBS0ETPx1+Je91OeICIQT4YGvx/JXjAJBgNVHRMEAjAA
+MA4GA1UdDwEB/wQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDAzANBgkqhkiG9w0B
+AQsFAAOCAQEAcewR/upUpqoeTqgF/9c+kKBLee3hRBxWZciK0kkjb1y2jo+4yI9h
+0pe4Dk8mOVhR/r5pbFnz/MKzWkNXI/TMmpZDru1bM7ELBhwNoRE/pMriNA/0dopB
+7txO1DPkcEU0gsTOWbhUPlu1E87FsVzWQ1EmLy1GCwVf60AZmeQgo1nEopTZF5iq
+HNv9nkr3OB4MZCqk6UhWlwvWRDZnQuEoFDgg+HnmFJxfXavS3/q4q/YAlgfLbtPp
+AZDhOL2XxgSmkIDfQX5sO9BT594mvZS0u9dk2VwdLlaGGsaB4lxUcD1uekaI2ivO
+3sSdH6Ucc1agUAlQQWjXoPTcSEkti4kJaQ==
+-----END CERTIFICATE-----
genee() {
local OPTIND=1
local purpose=serverAuth
+ local ku=
- while getopts p: o
+ while getopts p:k: o
do
case $o in
p) purpose="$OPTARG";;
- *) echo "Usage: $0 genee [-p EKU] cn keyname certname cakeyname cacertname" >&2
+ k) ku="keyUsage = $OPTARG";;
+ *) echo "Usage: $0 genee [-k KU] [-p EKU] cn keyname certname cakeyname cacertname" >&2
return 1;;
esac
done
"subjectKeyIdentifier = hash" \
"authorityKeyIdentifier = keyid, issuer" \
"basicConstraints = CA:false" \
+ "$ku" \
"extendedKeyUsage = $purpose" \
"subjectAltName = @alts" "DNS=${cn}")
csr=$(req "$key" "CN = $cn") || return 1
./mkcert.sh genee -p timeStamping server.example ee-key ee-timestampsign-rfc3161-noncritxku ca-key ca-cert
./mkcert.sh genee -p critical,timeStamping -k digitalSignature server.example ee-key ee-timestampsign-rfc3161-digsig ca-key ca-cert
+# code signing certificate
+./mkcert.sh genee -p codeSigning -k critical,digitalSignature server.example ee-key ee-codesign ca-key ca-cert
+./mkcert.sh genee -p codeSigning,serverAuth -k critical,digitalSignature server.example ee-key ee-codesign-serverauth ca-key ca-cert
+./mkcert.sh genee -p codeSigning,2.5.29.37.0 -k critical,digitalSignature server.example ee-key ee-codesign-anyextkeyusage ca-key ca-cert
+./mkcert.sh genee -p codeSigning -k critical,digitalSignature,cRLSign server.example ee-key ee-codesign-crlsign ca-key ca-cert
+./mkcert.sh genee -p codeSigning -k critical,digitalSignature,keyCertSign server.example ee-key ee-codesign-keycertsign ca-key ca-cert
+./mkcert.sh genee -p codeSigning -k digitalSignature server.example ee-key ee-codesign-noncritical ca-key ca-cert
+
# Leaf cert security level variants
# MD5 issuer signature
OPENSSL_SIGALG=md5 \
run(app([@args]));
}
-plan tests => 172;
+plan tests => 182;
# Canonical success
ok(verify("ee-cert", "sslserver", ["root-cert"], ["ca-cert"]),
ok(verify("ee-timestampsign-rfc3161-digsig", "timestampsign", [qw(root-cert)], [qw(ca-cert)]),
"accept timestampsign according to RFC 3161 with digitalSignature");
+# EE variants wrt code signing
+ok(verify("ee-codesign", "codesign", [qw(root-cert)], [qw(ca-cert)]),
+ "accept codesign");
+ok(!verify("ee-codesign-serverauth", "codesign", [qw(root-cert)], [qw(ca-cert)]),
+ "fail codesign with additional serverAuth");
+ok(!verify("ee-codesign-anyextkeyusage", "codesign", [qw(root-cert)], [qw(ca-cert)]),
+ "fail codesign with additional anyExtendedKeyUsage");
+ok(!verify("ee-codesign-crlsign", "codesign", [qw(root-cert)], [qw(ca-cert)]),
+ "fail codesign with additional cRLSign");
+ok(!verify("ee-codesign-keycertsign", "codesign", [qw(root-cert)], [qw(ca-cert)]),
+ "fail codesign with additional keyCertSign");
+ok(!verify("ee-codesign-noncritical", "codesign", [qw(root-cert)], [qw(ca-cert)]),
+ "fail codesign without critical KU");
+ok(!verify("ee-cert", "codesign", [qw(root-cert)], [qw(ca-cert)]),
+ "fail sslserver as code sign");
+ok(!verify("ee-client", "codesign", [qw(root-cert)], [qw(ca-cert)]),
+ "fail sslclient as codesign");
+ok(!verify("ee-timestampsign-CABforum", "codesign", [qw(root-cert)], [qw(ca-cert)]),
+ "fail timestampsign according to CAB forum as codesign");
+ok(!verify("ee-timestampsign-rfc3161", "codesign", [qw(root-cert)], [qw(ca-cert)]),
+ "fail timestampsign according to RFC 3161 as codesign");
+
# Proxy certificates
ok(!verify("pc1-cert", "sslclient", [qw(root-cert)], [qw(ee-client ca-cert)]),
"fail to accept proxy cert without -allow_proxy_certs");
projects / thirdparty / openssl.git / commitdiff
