From a1e6bd7f1126b7936e53a7765f7134717ec1220f Mon Sep 17 00:00:00 2001
From: Damian Jarek
Date: Thu, 14 Mar 2019 03:42:16 +0100
Subject: [PATCH] Scripts for generating test certificates

Add scripts that can generate certificate chains that can be imported into the native store for testing of chain verification.

Signed-off-by: Damian Jarek
---
 appveyor.yml | 6 ++++
 tools/certs/ca.cnf | 70 ++++++++++++++++++++++++++++++++++++++
 tools/certs/gen_cert.sh | 26 ++++++++++++++
 tools/certs/ocsp_server.sh | 2 ++
 tools/certs/revoked.cnf | 17 +++++++++
 tools/certs/san.cnf | 17 +++++++++
 6 files changed, 138 insertions(+)
 create mode 100644 tools/certs/ca.cnf
 create mode 100755 tools/certs/gen_cert.sh
 create mode 100755 tools/certs/ocsp_server.sh
 create mode 100644 tools/certs/revoked.cnf
 create mode 100644 tools/certs/san.cnf
diff --git a/appveyor.yml b/appveyor.yml
index b21ebe0..e9b1851 100644
--- a/appveyor.yml
+++ b/appveyor.yml
@@ -23,6 +23,12 @@ build: off
 test_script:
 - ps: if ($env:PLATFORM -eq "x86") { $addr_model = "32" } else { $addr_model = "64" }
+ - ps: cd libs\certify\tools\certs
+ - bash -c './gen_cert.sh'
+ - ps: ( Get-ChildItem -Path rootCA.crt) | Import-Certificate -CertStoreLocation cert:\LocalMachine\Root
+ - ps: cp example.org.crt $env:APPVEYOR_BUILD_FOLDER\..\boost-root\libs\certify\tests\res\success_chains
+ - ps: cp revoked.org.crt $env:APPVEYOR_BUILD_FOLDER\..\boost-root\libs\certify\tests\res\fail_chains
+ - ps: cd $env:APPVEYOR_BUILD_FOLDER\..\boost-root
 - ps: .\b2.exe variant=debug,release toolset=msvc cxxstd=11,14,17 address-model=$addr_model libs\certify\tests libs\certify\examples
 - ps: .\b2.exe variant=debug,release toolset=msvc cxxstd=11,14,17 address-model=$addr_model libs\certify\tools
diff --git a/tools/certs/ca.cnf b/tools/certs/ca.cnf
new file mode 100644
index 0000000..cea3e1f
--- /dev/null
+++ b/tools/certs/ca.cnf
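Review bot: The new `cd libs\certify\tools\certs` is relative to whatever directory the preceding steps (outside this hunk) leave the shell in, while the later `cp` and `cd` lines in the same hunk use the absolute `$env:APPVEYOR_BUILD_FOLDER\..\boost-root` prefix; `cd $env:APPVEYOR_BUILD_FOLDER\..\boost-root\libs\certify\tools\certs` would make the step self-contained and consistent with them. The `Import-Certificate -CertStoreLocation cert:\LocalMachine\Root` line installs the freshly generated root as a machine-wide trust anchor, which is fine on a throwaway CI VM but deserves a comment so nobody reuses the step elsewhere, e.g. `# CI-only: trusts the generated test root machine-wide so the generated chains verify`. The `test_script` list these lines extend begins outside the hunk.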
@@ -0,0 +1,70 @@
+dir = .
+
+[ ca ]
+default_ca = CA_default
+
+[ CA_default ]
+serial = $dir/serial
+database = $dir/index.txt
+new_certs_dir = $dir/newcerts
+certificate = $dir/rootCA.crt
+private_key = $dir/private/rootCA.key
+x509_extensions = usr_cert
+default_days = 730
+default_crl_days = 30
+default_md = sha256
+preserve = no
+email_in_dn = no
+nameopt = default_ca
+certopt = default_ca
+policy = policy_match
+
+[ policy_match ]
+countryName = match
+stateOrProvinceName = optional
+organizationName = optional
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+
+[ req ]
+prompt = no
+default_bits = 4096 # Size of keys
+default_keyfile = rootCA.key # name of generated keys
+default_md = sha256 # message digest algorithm
+string_mask = nombstr # permitted characters
+distinguished_name = req_distinguished_name
+req_extensions = v3_req
+
+[ req_distinguished_name ]
+# Variable name Prompt string
+#--------------------------- ------------------------------
+countryName = PL
+stateOrProvinceName = Dolnośląskie
+localityName = Wrocław
+organizationName = OrganizationCA
+commonName = rootCA.org
+
+
+[ v3_ca ]
+basicConstraints = CA:TRUE
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer:always
+
+[ v3_req ]
+basicConstraints = CA:FALSE
+subjectKeyIdentifier = hash
+
+[ crl_ext ]
+authorityKeyIdentifier = keyid:always,issuer:always
+
+# [ v3_OCSP ]
+# basicConstraints = CA:FALSE
+# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+# extendedKeyUsage = OCSPSigning
+
+[ usr_cert ]
+basicConstraints = CA:FALSE
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer:always
+# authorityInfoAccess = OCSP;URI:http://127.0.0.1:8080
diff --git a/tools/certs/gen_cert.sh b/tools/certs/gen_cert.sh
new file mode 100755
index 0000000..9a5b632
--- /dev/null
+++ b/tools/certs/gen_cert.sh
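Review bot: `[ CA_default ]` has no `copy_extensions` setting, and `openssl ca` ignores request extensions unless it is set, so the `subjectAltName` that san.cnf and revoked.cnf put into the CSRs never reaches the issued example.org.crt and revoked.org.crt — those certificates get only the `usr_cert` extensions. Add `copy_extensions = copy` to `[ CA_default ]` (`copy` rather than `copyall`, so a request cannot override the `basicConstraints = CA:FALSE` that `usr_cert` sets). Separately, `[ req ]` sets `req_extensions = v3_req` but no `x509_extensions`, so the self-signed root that gen_cert.sh produces with `openssl req -x509` does not pick up the `[ v3_ca ]` section (CA:TRUE, key identifiers) — at least on OpenSSL 1.x — leaving that section unused; `x509_extensions = v3_ca` under `[ req ]` fixes that. Note also that the non-ASCII `stateOrProvinceName`/`localityName` values combined with `string_mask = nombstr` will be encoded as T61String rather than UTF8String; `string_mask = utf8only` is the RFC 5280-friendly choice if those names are kept.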
@@ -0,0 +1,26 @@
+#!/bin/bash
+mkdir private newcerts
+touch index.txt
+touch index.txt.attr
+
+openssl genrsa -out private/rootCA.key 4096
+openssl req -x509 -new -nodes -key private/rootCA.key -sha256 -days 1024 -out rootCA.crt -config ca.cnf
+# openssl pkcs12 -nodes -password pass:password -in rootCA.crt -export -nokeys -out rootCA.pfx
+
+openssl genrsa -out example.org.key 2048
+openssl req -new -key example.org.key -out example.org.csr -config san.cnf
+openssl ca -batch -config ca.cnf -in example.org.csr -out example.org.crt -create_serial
+
+openssl genrsa -out revoked.org.key 2048
+openssl req -new -key revoked.org.key -out revoked.org.csr -config revoked.cnf
+
+openssl ca -batch -config ca.cnf -in revoked.org.csr -out revoked.org.crt -create_serial
+
+openssl ca -revoke revoked.org.crt -config ca.cnf
+
+rm *.csr
+rm *.old
+
+# Append the issuer cert to make it a valid chain for use in tests
+cat rootCA.crt >> example.org.crt
+cat rootCA.crt >> revoked.org.crt
diff --git a/tools/certs/ocsp_server.sh b/tools/certs/ocsp_server.sh
new file mode 100755
index 0000000..6f83fac
--- /dev/null
+++ b/tools/certs/ocsp_server.sh
@@ -0,0 +1,2 @@
+#!/bin/bash
+openssl ocsp -index index.txt -port 8080 -rsigner rootCA.crt -rkey private/rootCA.key -CA rootCA.crt -text -out log.txt
diff --git a/tools/certs/revoked.cnf b/tools/certs/revoked.cnf
new file mode 100644
index 0000000..f3d0e96
--- /dev/null
+++ b/tools/certs/revoked.cnf
@@ -0,0 +1,17 @@
+[ req ]
+prompt = no
+default_bits = 2048
+distinguished_name = req_distinguished_name
+req_extensions = req_ext
+[ req_distinguished_name ]
+countryName = PL
+stateOrProvinceName = Dolnośląskie
+localityName = Wrocław
+organizationName = SomeOrganization
+commonName = revoked.org
+
+[ req_ext ]
+subjectAltName = @alt_names
+
+[alt_names]
+DNS.1 = *.revoked.org
diff --git a/tools/certs/san.cnf b/tools/certs/san.cnf
new file mode 100644
index 0000000..a01d772
--- /dev/null
+++ b/tools/certs/san.cnf
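Review bot: The script has no `set -e`, so a failing `openssl ca` (policy mismatch, stale `index.txt`, missing `newcerts`) goes unnoticed and the final `cat rootCA.crt >> example.org.crt` still runs; the script's exit status is that of the last `cat`, so the `bash -c './gen_cert.sh'` step in appveyor.yml passes even when no usable certificates were produced. Put `set -euo pipefail` after the shebang, use `mkdir -p private newcerts` so a re-run does not fail on the existing directories, and consider `cd "$(dirname "$0")"` since ca.cnf's `dir = .` ties every path to the caller's working directory. Separately, `openssl ca -revoke` only records the revocation in `index.txt`: nothing generates a CRL and, as committed, ca.cnf emits neither a CRL distribution point nor the commented-out `authorityInfoAccess`, so a verifier handed revoked.org.crt has no way to learn it is revoked unless the tests supply revocation data some other way — if the fail_chains fixture is meant to exercise revocation, add `openssl ca -gencrl -config ca.cnf -out rootCA.crl` and make that CRL available to the tests.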
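Review bot: The responder script carries no comment on its preconditions: it reads `index.txt` and `private/rootCA.key`, which gen_cert.sh creates in `tools/certs`, so it must run from that directory after gen_cert.sh; it signs responses with the root CA key itself (`-rsigner rootCA.crt -rkey private/rootCA.key`) rather than a delegated OCSP signer, even though ca.cnf carries a commented-out `v3_OCSP` section for one; and port 8080 matches the `authorityInfoAccess` line in ca.cnf, which is also commented out, so issued certificates do not currently point at this responder. A header comment such as `# Run from tools/certs after gen_cert.sh: serves OCSP for index.txt on port 8080, signing with the root CA key (see the authorityInfoAccess line in ca.cnf)` would tie the pieces together.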
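Review bot: `DNS.1 = *.revoked.org` is the only SAN entry, and a wildcard does not match the bare name `revoked.org` that is also the commonName; verifiers that honour SAN ignore the CN once a SAN is present, so a test that validates the host name `revoked.org` would fail for a reason unrelated to revocation. If the bare name is meant to be covered, add `DNS.2 = revoked.org`; san.cnf has the same shape with `*.example.org` and would need `DNS.2 = example.org` for the success_chains fixture to verify against `example.org`.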
@@ -0,0 +1,17 @@
+[ req ]
+prompt = no
+default_bits = 2048
+distinguished_name = req_distinguished_name
+req_extensions = req_ext
+[ req_distinguished_name ]
+countryName = PL
+stateOrProvinceName = Dolnośląskie
+localityName = Wrocław
+organizationName = SomeOrganization
+commonName = example.org
+
+[ req_ext ]
+subjectAltName = @alt_names
+
+[alt_names]
+DNS.1 = *.example.org