
[v10.x backport] generate more certs, and more test coverage using them #25501

222 changes: 208 additions & 14 deletions test/fixtures/keys/Makefile
@@ -1,4 +1,41 @@
all: agent1-cert.pem agent1-pfx.pem agent2-cert.pem agent3-cert.pem agent4-cert.pem agent5-cert.pem agent6-cert.pem agent7-cert.pem agent8-cert.pem agent9-cert.pem ca1-cert.pem ca2-crl.pem ca3-cert.pem ec-cert.pem dh512.pem dh1024.pem dh2048.pem dsa1025.pem dsa_private_1025.pem dsa_public_1025.pem rsa_private_1024.pem rsa_private_2048.pem rsa_private_4096.pem rsa_public_1024.pem rsa_public_2048.pem rsa_public_4096.pem ec-pfx.pem
all: \
ca1-cert.pem \
ca2-cert.pem \
ca2-crl.pem \
ca3-cert.pem \
ca4-cert.pem \
ca5-cert.pem \
ca6-cert.pem \
agent1-cert.pem \
agent1.pfx \
agent2-cert.pem \
agent3-cert.pem \
agent4-cert.pem \
agent5-cert.pem \
agent6-cert.pem \
agent6.pfx \
agent7-cert.pem \
agent8-cert.pem \
agent9-cert.pem \
agent10-cert.pem \
agent10.pfx \
ec10-cert.pem \
ec10.pfx \
dh512.pem \
dh1024.pem \
dh2048.pem \
dsa1025.pem \
dsa_private_1025.pem \
dsa_public_1025.pem \
ec-cert.pem \
ec.pfx \
fake-cnnic-root-cert.pem \
rsa_private_1024.pem \
rsa_private_2048.pem \
rsa_private_4096.pem \
rsa_public_1024.pem \
rsa_public_2048.pem \
rsa_public_4096.pem \

#
# Create Certificate Authority: ca1
Expand All @@ -17,7 +54,7 @@ ca2-cert.pem: ca2.cnf
touch ca2-database.txt

#
# Create Subordinate Certificate Authority: ca3
# Create Subordinate Certificate Authority: ca3 issued by ca1
# ('password' is used for the CA password.)
#
ca3-key.pem:
Expand All @@ -42,6 +79,81 @@ ca3-cert.pem: ca3-csr.pem ca3-key.pem ca3.cnf ca1-cert.pem ca1-key.pem
-CAcreateserial \
-out ca3-cert.pem

#
# Create Subordinate Certificate Authority: ca4 issued by ca2
# ('password' is used for the CA password.)
#
ca4-key.pem:
openssl genrsa -out ca4-key.pem 1024

ca4-csr.pem: ca4.cnf ca4-key.pem
openssl req -new \
-extensions v3_ca \
-config ca4.cnf \
-key ca4-key.pem \
-out ca4-csr.pem

ca4-cert.pem: ca4-csr.pem ca4-key.pem ca4.cnf ca2-cert.pem ca2-key.pem
openssl x509 -req \
-extfile ca4.cnf \
-extensions v3_ca \
-days 99999 \
-passin "pass:password" \
-in ca4-csr.pem \
-CA ca2-cert.pem \
-CAkey ca2-key.pem \
-CAcreateserial \
-out ca4-cert.pem

#
# Create Certificate Authority: ca5 with ECC
# ('password' is used for the CA password.)
#
ca5-key.pem:
openssl ecparam -genkey -out ca5-key.pem -name prime256v1

ca5-csr.pem: ca5.cnf ca5-key.pem
openssl req -new \
-config ca5.cnf \
-key ca5-key.pem \
-out ca5-csr.pem

ca5-cert.pem: ca5.cnf ca5-key.pem ca5-csr.pem
openssl x509 -req \
-extfile ca5.cnf \
-extensions v3_ca \
-days 99999 \
-passin "pass:password" \
-in ca5-csr.pem \
-signkey ca5-key.pem \
-out ca5-cert.pem

#
# Create Subordinate Certificate Authority: ca6 issued by ca5 with ECC
# ('password' is used for the CA password.)
#
ca6-key.pem:
openssl ecparam -genkey -out ca6-key.pem -name prime256v1

ca6-csr.pem: ca6.cnf ca6-key.pem
openssl req -new \
-extensions v3_ca \
-config ca6.cnf \
-key ca6-key.pem \
-out ca6-csr.pem

ca6-cert.pem: ca6-csr.pem ca6-key.pem ca6.cnf ca5-cert.pem ca5-key.pem
openssl x509 -req \
-extfile ca6.cnf \
-extensions v3_ca \
-days 99999 \
-passin "pass:password" \
-in ca6-csr.pem \
-CA ca5-cert.pem \
-CAkey ca5-key.pem \
-CAcreateserial \
-out ca6-cert.pem

#
# Create Fake CNNIC Root Certificate Authority: fake-cnnic-root
#
Expand Down Expand Up @@ -92,13 +204,13 @@ agent1-cert.pem: agent1-csr.pem ca1-cert.pem ca1-key.pem
-CAcreateserial \
-out agent1-cert.pem

agent1-pfx.pem: agent1-cert.pem agent1-key.pem ca1-cert.pem
agent1.pfx: agent1-cert.pem agent1-key.pem ca1-cert.pem
openssl pkcs12 -export \
-descert \
-in agent1-cert.pem \
-inkey agent1-key.pem \
-certfile ca1-cert.pem \
-out agent1-pfx.pem \
-out agent1.pfx \
-password pass:sample

agent1-verify: agent1-cert.pem ca1-cert.pem
Expand Down Expand Up @@ -179,7 +291,7 @@ agent4-verify: agent4-cert.pem ca2-cert.pem
#
# Make CRL with agent4 being rejected
#
ca2-crl.pem: ca2-key.pem ca2-cert.pem ca2.cnf
ca2-crl.pem: ca2-key.pem ca2-cert.pem ca2.cnf agent4-cert.pem
openssl ca -revoke agent4-cert.pem \
-keyfile ca2-key.pem \
-cert ca2-cert.pem \
Expand Down Expand Up @@ -219,7 +331,7 @@ agent5-verify: agent5-cert.pem ca2-cert.pem
openssl verify -CAfile ca2-cert.pem agent5-cert.pem

#
# agent6 is signed by ca3
# agent6 is a client RSA cert signed by ca3
#

agent6-key.pem:
Expand All @@ -240,8 +352,17 @@ agent6-cert.pem: agent6-csr.pem ca3-cert.pem ca3-key.pem
-out agent6-cert.pem
cat ca3-cert.pem >> agent6-cert.pem

agent6-verify: agent6-cert.pem ca3-cert.pem
openssl verify -CAfile ca3-cert.pem agent6-cert.pem
agent6-verify: agent6-cert.pem ca3-cert.pem ca1-cert.pem
openssl verify -trusted ca1-cert.pem -untrusted ca3-cert.pem agent6-cert.pem

agent6.pfx: agent6-cert.pem agent6-key.pem ca1-cert.pem
openssl pkcs12 -export \
-descert \
-in agent6-cert.pem \
-inkey agent6-key.pem \
-certfile ca1-cert.pem \
-out agent6.pfx \
-password pass:sample

#
# agent7 is signed by fake-cnnic-root.
Expand Down Expand Up @@ -318,9 +439,80 @@ agent9-cert.pem: agent9-csr.pem
-days 99999 \
-passin "pass:password" \
-in agent9-csr.pem \
-startdate 161021000001Z \
-startdate 20161021000001Z \
-notext -out agent9-cert.pem

# agent10 is a server RSA cert signed by ca4 for agent10.example.com
#

agent10-key.pem:
openssl genrsa -out agent10-key.pem 1024

agent10-csr.pem: agent10.cnf agent10-key.pem
openssl req -new -config agent10.cnf -key agent10-key.pem -out agent10-csr.pem

agent10-cert.pem: agent10-csr.pem ca4-cert.pem ca4-key.pem
openssl x509 -req \
-days 99999 \
-passin "pass:password" \
-in agent10-csr.pem \
-CA ca4-cert.pem \
-CAkey ca4-key.pem \
-CAcreateserial \
-extfile agent10.cnf \
-out agent10-cert.pem
cat ca4-cert.pem >> agent10-cert.pem

agent10-verify: agent10-cert.pem ca4-cert.pem ca2-cert.pem
openssl verify -trusted ca2-cert.pem -untrusted ca4-cert.pem agent10-cert.pem

agent10.pfx: agent10-cert.pem agent10-key.pem ca1-cert.pem
openssl pkcs12 -export \
-descert \
-in agent10-cert.pem \
-inkey agent10-key.pem \
-certfile ca1-cert.pem \
-out agent10.pfx \
-password pass:sample

#
# ec10 is a server EC cert signed by ca6 for agent10.example.com
#

ec10-key.pem:
openssl ecparam -genkey -out ec10-key.pem -name prime256v1

ec10-csr.pem: ec10-key.pem
openssl req -new -config agent10.cnf -key ec10-key.pem -out ec10-csr.pem

ec10-cert.pem: ec10-csr.pem ca6-cert.pem ca6-key.pem
openssl x509 -req \
-days 99999 \
-passin "pass:password" \
-in ec10-csr.pem \
-CA ca6-cert.pem \
-CAkey ca6-key.pem \
-CAcreateserial \
-extfile agent10.cnf \
-out ec10-cert.pem
cat ca6-cert.pem >> ec10-cert.pem

ec10-verify: ec10-cert.pem ca6-cert.pem ca5-cert.pem
openssl verify -trusted ca5-cert.pem -untrusted ca6-cert.pem ec10-cert.pem

ec10.pfx: ec10-cert.pem ec10-key.pem ca6-cert.pem
openssl pkcs12 -export \
-descert \
-in ec10-cert.pem \
-inkey ec10-key.pem \
-certfile ca6-cert.pem \
-out ec10.pfx \
-password pass:sample


#
# ec is a self-signed EC cert for CN "agent2"
#
ec-key.pem:
openssl ecparam -genkey -out ec-key.pem -name prime256v1

Expand All @@ -334,12 +526,12 @@ ec-cert.pem: ec-csr.pem ec-key.pem
-signkey ec-key.pem \
-out ec-cert.pem

ec-pfx.pem: ec-cert.pem ec-key.pem
ec.pfx: ec-cert.pem ec-key.pem
openssl pkcs12 -export \
-descert \
-in ec-cert.pem \
-inkey ec-key.pem \
-out ec-pfx.pem \
-out ec.pfx \
-password pass:

dh512.pem:
Expand Down Expand Up @@ -379,10 +571,12 @@ rsa_public_4096.pem: rsa_private_4096.pem
openssl rsa -in rsa_private_4096.pem -pubout -out rsa_public_4096.pem

clean:
rm -f *.pem *.srl ca2-database.txt ca2-serial fake-startcom-root-serial
rm -f *.pfx *.pem *.srl ca2-database.txt ca2-serial fake-startcom-root-serial *.print *.old fake-startcom-root-issued-certs/*.pem
@> fake-startcom-root-database.txt

test: agent1-verify agent2-verify agent3-verify agent4-verify agent5-verify
test: agent1-verify agent2-verify agent3-verify agent4-verify agent5-verify agent6-verify agent7-verify agent8-verify agent10-verify ec10-verify

%-cert.pem.print: %-cert.pem
openssl x509 -in $< -text -noout > $@

.PHONY: all clean test agent1-verify agent2-verify agent3-verify agent4-verify agent5-verify
.PHONY: all clean test agent1-verify agent2-verify agent3-verify agent4-verify agent5-verify agent6-verify agent7-verify agent8-verify agent10-verify ec10-verify
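Review bot: The new ec10-csr.pem, agent10-cert.pem and ec10-cert.pem rules read agent10.cnf (`-config agent10.cnf`, `-extfile agent10.cnf`) but do not list it as a prerequisite, so an edited config will not regenerate those certificates, while the sibling agent10-csr.pem and ca4-cert.pem rules do declare their .cnf; change the headers to `ec10-csr.pem: agent10.cnf ec10-key.pem`, `agent10-cert.pem: agent10-csr.pem agent10.cnf ca4-cert.pem ca4-key.pem` and `ec10-cert.pem: ec10-csr.pem agent10.cnf ca6-cert.pem ca6-key.pem`. Separately, agent10.pfx bundles ca1-cert.pem via `-certfile` although agent10-cert.pem is issued by ca4 under ca2, whereas ec10.pfx bundles its own issuer ca6-cert.pem; if the unrelated CA in that PKCS#12 is deliberate for a test case, a one-line comment saying so would keep the next regeneration from "correcting" it. The ca5-cert.pem recipe also passes `-passin "pass:password"` to a self-signed `-signkey` operation on a key that the ca5-key.pem rule generates unencrypted, so the option is a no-op there (and likewise in ca6-cert.pem, which uses the same key via `-CAkey`), which makes the "('password' is used for the CA password.)" header comments above those rules misleading. Note that agent10-cert.pem, ec10-cert.pem and the ca4/ca6 hierarchy share the missing-prerequisite issue, so one fix covers all three rules.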
22 changes: 11 additions & 11 deletions test/fixtures/keys/agent1-cert.pem
@@ -1,18 +1,18 @@
-----BEGIN CERTIFICATE-----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Zy9jYS5jZXJ0MA0GCSqGSIb3DQEBCwUAA4GBAHrKvx2Z4fsF7b3VRgiIbdbFCfxY
ICvoJ0+BObYPjqIZZm9+/5c36SpzKzGO9CN9qUEj3KxPmijnb+Zjsm1CSCrG1m04
C73+AjAIPnQ+eWZnF1K4L2kuEDTpv8nQzYKYiGxsmW58PSMeAq1TmaFwtSW3TxHX
7ROnqBX0uXQlOo1m
-----END CERTIFICATE-----
16 changes: 8 additions & 8 deletions test/fixtures/keys/agent1-csr.pem
Expand Up @@ -2,12 +2,12 @@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CSqGSIb3DQEBAQUAA4GNADCBiQKBgQDvVEBwFjfiirsDjlZB+CjYNMNCqdJe27hq
K/b72AnLjgN6mLcXCOABJC5N61TGFkiF9Zndh6IyFXRZVb4gQX4zxNDRuAydo95B
miYHGV0vt1ZXsLv7XrfQu6USLRtpZMe1cNULjsAB7raN+1hEN1CPMSmSjWc7MKPg
v09QYJ5jcQIDAQABoCUwIwYJKoZIhvcNAQkHMRYMFEEgY2hhbGxlbmdlIHBhc3N3
b3JkMA0GCSqGSIb3DQEBCwUAA4GBAN3UIAdShj7eA91fH8m8UQBJndgigNwt88qk
S2kS3XfZqkEawMu2HF/y5yWX7EyGs7OkRXZxJSR67GlgdrTi82qCBC3H2xF7fKXr
s5b6ges5NZFjEA9JTvX5PFSAfo5APbXuuhRWBdxvagi00szTnYiaKgGU4C/dZWAz
E0/tTFT4
-----END CERTIFICATE REQUEST-----
26 changes: 13 additions & 13 deletions test/fixtures/keys/agent1-key.pem
@@ -1,15 +1,15 @@
-----BEGIN RSA PRIVATE KEY-----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MIICXQIBAAKBgQDvVEBwFjfiirsDjlZB+CjYNMNCqdJe27hqK/b72AnLjgN6mLcX
COABJC5N61TGFkiF9Zndh6IyFXRZVb4gQX4zxNDRuAydo95BmiYHGV0vt1ZXsLv7
XrfQu6USLRtpZMe1cNULjsAB7raN+1hEN1CPMSmSjWc7MKPgv09QYJ5jcQIDAQAB
AoGAbqk3TlyHpKFfDarf6Yr0X9wtuQJK+n+ACt+fSR3AkbVtmF9KsUTyRrTTEEZT
IXCmQgKpDYysi5nt/WyvB70gu6xGYbT6PzZaf1RmcpWd1pLcdyBOppY6y7nTMZA3
BVFfmIPSmAvtCuzZwQFFnNoKH3d6cqna+ZQJ0zvCLCSLcw0CQQD6tswNlhCIfguh
tvhw7hJB5vZPWWEzyTQl8nVdY6SbxAT8FTx0UjxsKgOiJFzAGAVoCi40oRKIHhrw
pKwHsEqTAkEA9GABbi2xqAmhPn66e0AiU8t2uv69PISBSt2tXbUAburJFj+4rYZW
71QIbSKEYceveb7wm0NP+adgZqJlxn7oawJBAOjfK4+fCIJPWWx+8Cqs5yZxae1w
HrokNBzfJSZ2bCoGm36uFvYQgHETYUaUsdX3OeZWNm7KAdWO6QUGX4fQtqMCQGXv
OgmEY+utAKZ55D2PFgKQB1me8r6wouHgr/U7kA+0Peba86TmOZMhIVaspD3JNqf4
/pI1NMH1kF+fdAalXzsCQQCelwr9I3FWhx336CWrfAY20xbiMOWMyAhrjVrexgUD
53Y6AhSaRC725pZTgO2PQ4AjkGLIP61sZKgTrXS85KmJ
-----END RSA PRIVATE KEY-----
Binary file removed test/fixtures/keys/agent1-pfx.pem
Binary file added test/fixtures/keys/agent1.pfx