diff options
author | Dr. David von Oheimb <David.von.Oheimb@siemens.com> | 2021-03-02 13:16:30 +0100 |
---|---|---|
committer | Tomas Mraz <tomas@openssl.org> | 2021-05-05 09:51:39 +0200 |
commit | 4f449d90ddf3f523c2fca7053e8437342738cef5 (patch) | |
tree | ddd6320a0f8f08a3750540910c2b8d9414a4d85d /test/certs | |
parent | a485561b2efd17e3ff9a4df2013b636467dee59f (diff) | |
download | openssl-new-4f449d90ddf3f523c2fca7053e8437342738cef5.tar.gz |
test/certs/setup.sh: structural cleanup
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14413)
Diffstat (limited to 'test/certs')
-rwxr-xr-x | test/certs/setup.sh | 73 |
1 files changed, 32 insertions, 41 deletions
diff --git a/test/certs/setup.sh b/test/certs/setup.sh index 07b9007674..43f773e6b4 100755 --- a/test/certs/setup.sh +++ b/test/certs/setup.sh @@ -1,14 +1,13 @@ #! /bin/bash # Primary root: root-cert -# root cert variants: CA:false, key2, DN2 -# trust variants: +serverAuth -serverAuth +clientAuth -clientAuth +anyEKU -anyEKU -# ./mkcert.sh genroot "Root CA" root-key root-cert +# root cert variants: CA:false, key2, DN2, expired ./mkcert.sh genss "Root CA" root-key root-nonca ./mkcert.sh genroot "Root CA" root-key2 root-cert2 ./mkcert.sh genroot "Root Cert 2" root-key root-name2 -# +DAYS=-1 ./mkcert.sh genroot "Root CA" root-key root-expired +# trust variants: +serverAuth -serverAuth +clientAuth -clientAuth, openssl x509 -in root-cert.pem -trustout \ -addtrust serverAuth -out root+serverAuth.pem openssl x509 -in root-cert.pem -trustout \ @@ -17,16 +16,19 @@ openssl x509 -in root-cert.pem -trustout \ -addtrust clientAuth -out root+clientAuth.pem openssl x509 -in root-cert.pem -trustout \ -addreject clientAuth -out root-clientAuth.pem -openssl x509 -in root-cert.pem -trustout \ - -addreject anyExtendedKeyUsage -out root-anyEKU.pem +# trust variants: +anyEKU -anyEKU openssl x509 -in root-cert.pem -trustout \ -addtrust anyExtendedKeyUsage -out root+anyEKU.pem +openssl x509 -in root-cert.pem -trustout \ + -addreject anyExtendedKeyUsage -out root-anyEKU.pem +# root-cert2 trust variants: +serverAuth -serverAuth +clientAuth openssl x509 -in root-cert2.pem -trustout \ -addtrust serverAuth -out root2+serverAuth.pem openssl x509 -in root-cert2.pem -trustout \ -addreject serverAuth -out root2-serverAuth.pem openssl x509 -in root-cert2.pem -trustout \ -addtrust clientAuth -out root2+clientAuth.pem +# root-nonca trust variants: +serverAuth +anyEKU openssl x509 -in root-nonca.pem -trustout \ -addtrust serverAuth -out nroot+serverAuth.pem openssl x509 -in root-nonca.pem -trustout \ @@ -41,10 +43,8 @@ OPENSSL_KEYBITS=768 \ ./mkcert.sh genroot "Root CA" root-key-768 root-cert-768 # primary client-EKU root: croot-cert -# trust variants: +serverAuth -serverAuth +clientAuth +anyEKU -anyEKU -# ./mkcert.sh genroot "Root CA" root-key croot-cert clientAuth -# +# trust variants: +serverAuth -serverAuth +clientAuth +anyEKU -anyEKU openssl x509 -in croot-cert.pem -trustout \ -addtrust serverAuth -out croot+serverAuth.pem openssl x509 -in croot-cert.pem -trustout \ @@ -54,15 +54,13 @@ openssl x509 -in croot-cert.pem -trustout \ openssl x509 -in croot-cert.pem -trustout \ -addreject clientAuth -out croot-clientAuth.pem openssl x509 -in croot-cert.pem -trustout \ - -addreject anyExtendedKeyUsage -out croot-anyEKU.pem -openssl x509 -in croot-cert.pem -trustout \ -addtrust anyExtendedKeyUsage -out croot+anyEKU.pem +openssl x509 -in croot-cert.pem -trustout \ + -addreject anyExtendedKeyUsage -out croot-anyEKU.pem # primary server-EKU root: sroot-cert -# trust variants: +serverAuth -serverAuth +clientAuth +anyEKU -anyEKU -# ./mkcert.sh genroot "Root CA" root-key sroot-cert serverAuth -# +# trust variants: +serverAuth -serverAuth +clientAuth -clientAuth +anyEKU -anyEKU openssl x509 -in sroot-cert.pem -trustout \ -addtrust serverAuth -out sroot+serverAuth.pem openssl x509 -in sroot-cert.pem -trustout \ @@ -72,23 +70,20 @@ openssl x509 -in sroot-cert.pem -trustout \ openssl x509 -in sroot-cert.pem -trustout \ -addreject clientAuth -out sroot-clientAuth.pem openssl x509 -in sroot-cert.pem -trustout \ - -addreject anyExtendedKeyUsage -out sroot-anyEKU.pem -openssl x509 -in sroot-cert.pem -trustout \ -addtrust anyExtendedKeyUsage -out sroot+anyEKU.pem +openssl x509 -in sroot-cert.pem -trustout \ + -addreject anyExtendedKeyUsage -out sroot-anyEKU.pem # Primary intermediate ca: ca-cert -# ca variants: CA:false, key2, DN2, issuer2, expired -# trust variants: +serverAuth, -serverAuth, +clientAuth, -clientAuth, -anyEKU, +anyEKU -# ./mkcert.sh genca "CA" ca-key ca-cert root-key root-cert -DAYS=-1 ./mkcert.sh genroot "Root CA" root-key root-expired +# ca variants: CA:false, key2, DN2, issuer2, expired ./mkcert.sh genee "CA" ca-key ca-nonca root-key root-cert ./mkcert.sh gen_nonbc_ca "CA" ca-key ca-nonbc root-key root-cert ./mkcert.sh genca "CA" ca-key2 ca-cert2 root-key root-cert ./mkcert.sh genca "CA2" ca-key ca-name2 root-key root-cert ./mkcert.sh genca "CA" ca-key ca-root2 root-key2 root-cert2 DAYS=-1 ./mkcert.sh genca "CA" ca-key ca-expired root-key root-cert -# +# trust variants: +serverAuth, -serverAuth, +clientAuth, -clientAuth openssl x509 -in ca-cert.pem -trustout \ -addtrust serverAuth -out ca+serverAuth.pem openssl x509 -in ca-cert.pem -trustout \ @@ -97,10 +92,12 @@ openssl x509 -in ca-cert.pem -trustout \ -addtrust clientAuth -out ca+clientAuth.pem openssl x509 -in ca-cert.pem -trustout \ -addreject clientAuth -out ca-clientAuth.pem -openssl x509 -in ca-cert.pem -trustout \ - -addreject anyExtendedKeyUsage -out ca-anyEKU.pem +# trust variants: +anyEKU, -anyEKU openssl x509 -in ca-cert.pem -trustout \ -addtrust anyExtendedKeyUsage -out ca+anyEKU.pem +openssl x509 -in ca-cert.pem -trustout \ + -addreject anyExtendedKeyUsage -out ca-anyEKU.pem +# ca-nonca trust variants: +serverAuth, -serverAuth openssl x509 -in ca-nonca.pem -trustout \ -addtrust serverAuth -out nca+serverAuth.pem openssl x509 -in ca-nonca.pem -trustout \ @@ -123,10 +120,8 @@ OPENSSL_KEYBITS=768 \ ./mkcert.sh genca "CA" ca-key-ec-named ca-cert-ec-named root-key root-cert # client intermediate ca: cca-cert -# trust variants: +serverAuth, -serverAuth, +clientAuth, -clientAuth -# ./mkcert.sh genca -p clientAuth "CA" ca-key cca-cert root-key root-cert -# +# trust variants: +serverAuth, -serverAuth, +clientAuth, -clientAuth, +anyEKU, -anyEKU openssl x509 -in cca-cert.pem -trustout \ -addtrust serverAuth -out cca+serverAuth.pem openssl x509 -in cca-cert.pem -trustout \ @@ -136,15 +131,13 @@ openssl x509 -in cca-cert.pem -trustout \ openssl x509 -in cca-cert.pem -trustout \ -addtrust clientAuth -out cca-clientAuth.pem openssl x509 -in cca-cert.pem -trustout \ - -addreject anyExtendedKeyUsage -out cca-anyEKU.pem -openssl x509 -in cca-cert.pem -trustout \ -addtrust anyExtendedKeyUsage -out cca+anyEKU.pem +openssl x509 -in cca-cert.pem -trustout \ + -addreject anyExtendedKeyUsage -out cca-anyEKU.pem # server intermediate ca: sca-cert -# trust variants: +serverAuth, -serverAuth, +clientAuth, -clientAuth, -anyEKU, +anyEKU -# ./mkcert.sh genca -p serverAuth "CA" ca-key sca-cert root-key root-cert -# +# trust variants: +serverAuth, -serverAuth, +clientAuth, -clientAuth, +anyEKU, -anyEKU openssl x509 -in sca-cert.pem -trustout \ -addtrust serverAuth -out sca+serverAuth.pem openssl x509 -in sca-cert.pem -trustout \ @@ -154,23 +147,21 @@ openssl x509 -in sca-cert.pem -trustout \ openssl x509 -in sca-cert.pem -trustout \ -addreject clientAuth -out sca-clientAuth.pem openssl x509 -in sca-cert.pem -trustout \ - -addreject anyExtendedKeyUsage -out sca-anyEKU.pem -openssl x509 -in sca-cert.pem -trustout \ -addtrust anyExtendedKeyUsage -out sca+anyEKU.pem +openssl x509 -in sca-cert.pem -trustout \ + -addreject anyExtendedKeyUsage -out sca-anyEKU.pem -# Primary leaf cert: ee-cert -# ee variants: expired, issuer-key2, issuer-name2, bad-pathlen -# trust variants: +serverAuth, -serverAuth, +clientAuth, -clientAuth -# purpose variants: client -# +# Primary leaf cert: ee-cert with default purpose: serverAuth ./mkcert.sh genee server.example ee-key ee-cert ca-key ca-cert +# ee variants: expired, issuer-key2, issuer-name2, bad-pathlen ./mkcert.sh genee server.example ee-key ee-expired ca-key ca-cert -days -1 ./mkcert.sh genee server.example ee-key ee-cert2 ca-key2 ca-cert2 ./mkcert.sh genee server.example ee-key ee-name2 ca-key ca-name2 -./mkcert.sh genee -p clientAuth server.example ee-key ee-client ca-key ca-cert ./mkcert.sh genee server.example ee-key ee-pathlen ca-key ca-cert \ - -extfile <(echo "basicConstraints=CA:FALSE,pathlen:0") # bash needed here -# + -extfile <(echo "basicConstraints=CA:false,pathlen:0") # bash needed here +# purpose variants: clientAuth +./mkcert.sh genee -p clientAuth server.example ee-key ee-client ca-key ca-cert +# trust variants: +serverAuth, -serverAuth, +clientAuth, -clientAuth openssl x509 -in ee-cert.pem -trustout \ -addtrust serverAuth -out ee+serverAuth.pem openssl x509 -in ee-cert.pem -trustout \ |