Scripts for generating test certificates

appveyor.yml

@@ -23,6 +23,12 @@ build: off
 
 test_script:
   - ps: if ($env:PLATFORM -eq "x86") { $addr_model = "32" } else { $addr_model = "64" }
+  - ps: cd libs\certify\tools\certs
+  - bash -c './gen_cert.sh'
+  - ps: ( Get-ChildItem -Path rootCA.crt) | Import-Certificate -CertStoreLocation cert:\LocalMachine\Root
+  - ps: cp example.org.crt $env:APPVEYOR_BUILD_FOLDER\..\boost-root\libs\certify\tests\res\success_chains
+  - ps: cp revoked.org.crt $env:APPVEYOR_BUILD_FOLDER\..\boost-root\libs\certify\tests\res\fail_chains
+  - ps: cd $env:APPVEYOR_BUILD_FOLDER\..\boost-root
   - ps: .\b2.exe variant=debug,release toolset=msvc cxxstd=11,14,17 address-model=$addr_model libs\certify\tests libs\certify\examples
   - ps: .\b2.exe variant=debug,release toolset=msvc cxxstd=11,14,17 address-model=$addr_model libs\certify\tools
 

tools/certs/ca.cnf

@@ -0,0 +1,70 @@
+dir                          = .
+
+[ ca ]
+default_ca                   = CA_default
+
+[ CA_default ]
+serial                       = $dir/serial
+database                     = $dir/index.txt
+new_certs_dir                = $dir/newcerts
+certificate                  = $dir/rootCA.crt
+private_key                  = $dir/private/rootCA.key
+x509_extensions              = usr_cert
+default_days                 = 730
+default_crl_days             = 30
+default_md                   = sha256
+preserve                     = no
+email_in_dn                  = no
+nameopt                      = default_ca
+certopt                      = default_ca
+policy                       = policy_match
+
+[ policy_match ]
+countryName                  = match
+stateOrProvinceName          = optional
+organizationName             = optional
+organizationalUnitName       = optional
+commonName                   = supplied
+emailAddress                 = optional
+
+[ req ]
+prompt = no
+default_bits                 = 4096                  # Size of keys
+default_keyfile              = rootCA.key            # name of generated keys
+default_md                   = sha256                # message digest algorithm
+string_mask                  = nombstr               # permitted characters
+distinguished_name           = req_distinguished_name
+req_extensions               = v3_req
+
+[ req_distinguished_name ]
+# Variable name                Prompt string
+#---------------------------   ------------------------------
+countryName                 = PL
+stateOrProvinceName         = Dolnośląskie
+localityName               = Wrocław
+organizationName           = OrganizationCA
+commonName                 = rootCA.org
+
+
+[ v3_ca ]
+basicConstraints             = CA:TRUE
+subjectKeyIdentifier         = hash
+authorityKeyIdentifier       = keyid:always,issuer:always
+
+[ v3_req ]
+basicConstraints             = CA:FALSE
+subjectKeyIdentifier         = hash
+
+[ crl_ext ]
+authorityKeyIdentifier       = keyid:always,issuer:always
+
+# [ v3_OCSP ]
+# basicConstraints             = CA:FALSE
+# keyUsage                     = nonRepudiation, digitalSignature, keyEncipherment
+# extendedKeyUsage             = OCSPSigning
+
+[ usr_cert ]
+basicConstraints             = CA:FALSE
+subjectKeyIdentifier         = hash
+authorityKeyIdentifier       = keyid,issuer:always
+# authorityInfoAccess          = OCSP;URI:http://127.0.0.1:8080

tools/certs/gen_cert.sh

@@ -0,0 +1,26 @@
+#!/bin/bash
+mkdir private newcerts
+touch index.txt
+touch index.txt.attr
+
+openssl genrsa -out private/rootCA.key 4096
+openssl req -x509 -new -nodes -key private/rootCA.key -sha256 -days 1024 -out rootCA.crt -config ca.cnf
+# openssl pkcs12 -nodes -password pass:password -in rootCA.crt -export -nokeys -out rootCA.pfx
+
+openssl genrsa -out example.org.key 2048
+openssl req -new -key example.org.key -out example.org.csr -config san.cnf
+openssl ca -batch -config ca.cnf -in example.org.csr -out example.org.crt -create_serial
+
+openssl genrsa -out revoked.org.key 2048
+openssl req -new -key revoked.org.key -out revoked.org.csr -config revoked.cnf
+
+openssl ca -batch -config ca.cnf -in revoked.org.csr -out revoked.org.crt -create_serial
+
+openssl ca -revoke revoked.org.crt -config ca.cnf
+
+rm *.csr
+rm *.old
+
+# Append the issuer cert to make it a valid chain for use in tests
+cat rootCA.crt >> example.org.crt
+cat rootCA.crt >> revoked.org.crt

tools/certs/ocsp_server.sh

@@ -0,0 +1,2 @@
+#!/bin/bash
+openssl ocsp -index index.txt -port 8080 -rsigner rootCA.crt -rkey private/rootCA.key -CA rootCA.crt -text -out log.txt

tools/certs/revoked.cnf

@@ -0,0 +1,17 @@
+[ req ]
+prompt = no
+default_bits       = 2048
+distinguished_name = req_distinguished_name
+req_extensions     = req_ext
+[ req_distinguished_name ]
+countryName                 = PL
+stateOrProvinceName         = Dolnośląskie
+localityName               = Wrocław
+organizationName           = SomeOrganization
+commonName                 = revoked.org
+
+[ req_ext ]
+subjectAltName = @alt_names
+
+[alt_names]
+DNS.1   = *.revoked.org

tools/certs/san.cnf

@@ -0,0 +1,17 @@
+[ req ]
+prompt = no
+default_bits       = 2048
+distinguished_name = req_distinguished_name
+req_extensions     = req_ext
+[ req_distinguished_name ]
+countryName                 = PL
+stateOrProvinceName         = Dolnośląskie
+localityName               = Wrocław
+organizationName           = SomeOrganization
+commonName                 = example.org
+
+[ req_ext ]
+subjectAltName = @alt_names
+
+[alt_names]
+DNS.1   = *.example.org