235 lines
8.9 KiB
Bash
Executable File
235 lines
8.9 KiB
Bash
Executable File
#!/bin/sh
|
|
#
|
|
# make-test-certs.sh
|
|
#
|
|
# This source file is part of the FoundationDB open source project
|
|
#
|
|
# Copyright 2013-2022 Apple Inc. and the FoundationDB project authors
|
|
#
|
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
# you may not use this file except in compliance with the License.
|
|
# You may obtain a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
# See the License for the specific language governing permissions and
|
|
# limitations under the License.
|
|
#
|
|
|
|
set -e
|
|
set -u
|
|
|
|
readonly SUBJECT="/C=US/ST=California/L=Cupertino/O=Apple Inc./OU=FDB Team/CN=FDB LibTLS Plugin Test"
|
|
readonly SUBJECT_ALT="/C=AU/ST=New South Wales/L=Sydney/O=Apple Pty Limited/OU=FDB Team/CN=FDB LibTLS Plugin Test"
|
|
|
|
readonly TMPDIR=$(mktemp -d)
|
|
|
|
cleanup() {
|
|
rm -rf "${TMPDIR}"
|
|
}
|
|
|
|
trap cleanup EXIT INT
|
|
|
|
make_ca_bundle() {
|
|
local bundle_file=$1;
|
|
shift 1;
|
|
|
|
printf '' > "${bundle_file}"
|
|
for f in $@; do
|
|
openssl x509 -nameopt oneline -subject -issuer -noout -in "${TMPDIR}/${f}" >> "${bundle_file}"
|
|
cat "${TMPDIR}/${f}" >> "${bundle_file}"
|
|
done
|
|
}
|
|
|
|
make_bundle() {
|
|
local bundle_file=$1;
|
|
local key_file=$2;
|
|
shift 2;
|
|
|
|
printf '' > "${bundle_file}"
|
|
for f in $@; do
|
|
openssl x509 -nameopt oneline -subject -issuer -noout -in "${TMPDIR}/${f}" >> "${bundle_file}"
|
|
done
|
|
for f in $@; do
|
|
cat "${TMPDIR}/${f}" >> "${bundle_file}"
|
|
done
|
|
cat "${TMPDIR}/${key_file}" >> "${bundle_file}"
|
|
}
|
|
|
|
echo '100001' > "${TMPDIR}/certserial"
|
|
|
|
cat > "${TMPDIR}/openssl.cnf" <<EOF
|
|
[ca]
|
|
default_ca = fdb_test_ca
|
|
|
|
[req]
|
|
distinguished_name = req_distinguished_name
|
|
|
|
[req_distinguished_name]
|
|
|
|
[fdb_test_ca]
|
|
unique_subject = no
|
|
database = ${TMPDIR}/certindex
|
|
default_md = sha256
|
|
new_certs_dir = ${TMPDIR}/
|
|
policy = fdb_test_ca_policy
|
|
serial = ${TMPDIR}/certserial
|
|
|
|
[fdb_test_ca_policy]
|
|
|
|
[fdb_v3_ca]
|
|
subjectKeyIdentifier = hash
|
|
authorityKeyIdentifier = keyid:always,issuer
|
|
basicConstraints = critical, CA:true
|
|
keyUsage = critical, cRLSign, keyCertSign
|
|
|
|
[fdb_v3_other]
|
|
subjectKeyIdentifier = hash
|
|
authorityKeyIdentifier = keyid:always,issuer
|
|
basicConstraints = critical, CA:false
|
|
keyUsage = critical, digitalSignature
|
|
|
|
[fdb_v3_server_san]
|
|
subjectKeyIdentifier = hash
|
|
authorityKeyIdentifier = keyid:always,issuer
|
|
basicConstraints = critical, CA:false
|
|
keyUsage = critical, digitalSignature
|
|
subjectAltName = @fdb_v3_server_alt_names
|
|
|
|
[fdb_v3_server_alt_names]
|
|
DNS.1 = test.foundationdb.org
|
|
EOF
|
|
|
|
# Root CA 1.
|
|
openssl req -new -days 3650 -nodes -newkey rsa:2048 -sha256 -x509 \
|
|
-subj "${SUBJECT} Root CA 1" -keyout "${TMPDIR}/ca-root-1.key" \
|
|
-config "${TMPDIR}/openssl.cnf" -extensions fdb_v3_ca \
|
|
-out "${TMPDIR}/ca-root-1.crt"
|
|
|
|
# Root CA 2.
|
|
openssl req -new -days 3650 -nodes -newkey rsa:2048 -sha256 -x509 \
|
|
-subj "${SUBJECT_ALT} Root CA 2" -keyout "${TMPDIR}/ca-root-2.key" \
|
|
-config "${TMPDIR}/openssl.cnf" -extensions fdb_v3_ca \
|
|
-out "${TMPDIR}/ca-root-2.crt"
|
|
|
|
# Intermediate CA 1 (from CA 1).
|
|
openssl req -new -days 3650 -nodes -newkey rsa:2048 -sha256 \
|
|
-subj "${SUBJECT} Intermediate CA 1" -keyout "${TMPDIR}/ca-int-1.key" \
|
|
-out "${TMPDIR}/ca-int-1.csr"
|
|
openssl x509 -req -days 3650 -CA "${TMPDIR}/ca-root-1.crt" -CAkey "${TMPDIR}/ca-root-1.key" \
|
|
-extfile "${TMPDIR}/openssl.cnf" -extensions fdb_v3_ca -days 3650 \
|
|
-CAcreateserial -in "${TMPDIR}/ca-int-1.csr" -out "${TMPDIR}/ca-int-1.crt"
|
|
|
|
# Intermediate CA 2 (from CA 1).
|
|
openssl req -new -days 3650 -nodes -newkey rsa:2048 -sha256 \
|
|
-subj "${SUBJECT} Intermediate CA 2" -keyout "${TMPDIR}/ca-int-2.key" \
|
|
-out "${TMPDIR}/ca-int-2.csr"
|
|
openssl x509 -req -days 3650 -CA "${TMPDIR}/ca-root-1.crt" -CAkey "${TMPDIR}/ca-root-1.key" \
|
|
-extfile "${TMPDIR}/openssl.cnf" -extensions fdb_v3_ca -days 3650 \
|
|
-CAcreateserial -in "${TMPDIR}/ca-int-2.csr" -out "${TMPDIR}/ca-int-2.crt"
|
|
|
|
# Intermediate CA 3 (from CA 2).
|
|
openssl req -new -days 3650 -nodes -newkey rsa:2048 -sha256 \
|
|
-subj "${SUBJECT} Intermediate CA 3" -keyout "${TMPDIR}/ca-int-3.key" \
|
|
-out "${TMPDIR}/ca-int-3.csr"
|
|
openssl x509 -req -days 3650 -CA "${TMPDIR}/ca-root-2.crt" -CAkey "${TMPDIR}/ca-root-2.key" \
|
|
-extfile "${TMPDIR}/openssl.cnf" -extensions fdb_v3_ca -days 3650 \
|
|
-CAcreateserial -in "${TMPDIR}/ca-int-3.csr" -out "${TMPDIR}/ca-int-3.crt"
|
|
|
|
# Server 1.
|
|
openssl req -new -days 3650 -nodes -newkey rsa:2048 -sha256 \
|
|
-subj "${SUBJECT} Server 1" -keyout "${TMPDIR}/server-1.key" \
|
|
-out "${TMPDIR}/server-1.csr"
|
|
openssl x509 -req -days 3650 -CA "${TMPDIR}/ca-int-1.crt" -CAkey "${TMPDIR}/ca-int-1.key" \
|
|
-extfile "${TMPDIR}/openssl.cnf" -extensions fdb_v3_server_san -days 3650 \
|
|
-CAcreateserial -in "${TMPDIR}/server-1.csr" -out "${TMPDIR}/server-1.crt"
|
|
|
|
# Server 2.
|
|
openssl req -new -days 3650 -nodes -newkey rsa:2048 -sha256 \
|
|
-subj "$(printf "${SUBJECT_ALT} Server 2, \200 <\001+\002=\003>")" -keyout "${TMPDIR}/server-2.key" \
|
|
-out "${TMPDIR}/server-2.csr"
|
|
openssl x509 -req -days 3650 -CA "${TMPDIR}/ca-int-2.crt" -CAkey "${TMPDIR}/ca-int-2.key" \
|
|
-extfile "${TMPDIR}/openssl.cnf" -extensions fdb_v3_other \
|
|
-CAcreateserial -in "${TMPDIR}/server-2.csr" -out "${TMPDIR}/server-2.crt"
|
|
|
|
# Server 3 (expired).
|
|
openssl req -new -days 1 -nodes -newkey rsa:2048 -sha256 \
|
|
-subj "${SUBJECT} Server 3" -keyout "${TMPDIR}/server-3.key" \
|
|
-out "${TMPDIR}/server-3.csr"
|
|
cp /dev/null "${TMPDIR}/certindex"
|
|
printf "y\ny\n" | openssl ca -cert "${TMPDIR}/ca-int-1.crt" -keyfile "${TMPDIR}/ca-int-1.key" \
|
|
-startdate 20170101000000Z -enddate 20171231000000Z \
|
|
-config "${TMPDIR}/openssl.cnf" -notext \
|
|
-in "${TMPDIR}/server-3.csr" -out "${TMPDIR}/server-3.crt"
|
|
|
|
# Server 4.
|
|
openssl genpkey -algorithm rsa -pkeyopt rsa_keygen_bits:2048 -aes128 -pass pass:fdb123 \
|
|
-out "${TMPDIR}/server-4.key"
|
|
openssl req -new -days 3650 -sha256 -key "${TMPDIR}/server-4.key" -passin pass:fdb123 \
|
|
-subj "${SUBJECT} Server 4" -out "${TMPDIR}/server-4.csr"
|
|
openssl x509 -req -days 3650 -CA "${TMPDIR}/ca-int-3.crt" -CAkey "${TMPDIR}/ca-int-3.key" \
|
|
-extfile "${TMPDIR}/openssl.cnf" -extensions fdb_v3_other -days 3650 \
|
|
-CAcreateserial -in "${TMPDIR}/server-4.csr" -out "${TMPDIR}/server-4.crt"
|
|
|
|
# Client 1.
|
|
openssl req -new -days 3650 -nodes -newkey rsa:2048 -sha256 \
|
|
-subj "${SUBJECT} Client 1" -keyout "${TMPDIR}/client-1.key" \
|
|
-out "${TMPDIR}/client-1.csr"
|
|
openssl x509 -req -days 3650 -CA "${TMPDIR}/ca-int-1.crt" -CAkey "${TMPDIR}/ca-int-1.key" \
|
|
-extfile "${TMPDIR}/openssl.cnf" -extensions fdb_v3_other \
|
|
-CAcreateserial -in "${TMPDIR}/client-1.csr" -out "${TMPDIR}/client-1.crt"
|
|
|
|
# Client 2.
|
|
openssl req -new -days 3650 -nodes -newkey rsa:2048 -sha256 \
|
|
-subj "$(printf "${SUBJECT_ALT} Client 2, \200 <\001+\002=\003>")" -keyout "${TMPDIR}/client-2.key" \
|
|
-out "${TMPDIR}/client-2.csr"
|
|
openssl x509 -req -days 3650 -CA "${TMPDIR}/ca-int-2.crt" -CAkey "${TMPDIR}/ca-int-2.key" \
|
|
-extfile "${TMPDIR}/openssl.cnf" -extensions fdb_v3_other \
|
|
-CAcreateserial -in "${TMPDIR}/client-2.csr" -out "${TMPDIR}/client-2.crt"
|
|
|
|
# Client 3 (expired).
|
|
openssl req -new -days 1 -nodes -newkey rsa:2048 -sha256 \
|
|
-subj "${SUBJECT} Client 3" -keyout "${TMPDIR}/client-3.key" \
|
|
-out "${TMPDIR}/client-3.csr"
|
|
cp /dev/null "${TMPDIR}/certindex"
|
|
printf "y\ny\n" | openssl ca -cert "${TMPDIR}/ca-int-1.crt" -keyfile "${TMPDIR}/ca-int-1.key" \
|
|
-startdate 20170101000000Z -enddate 20171231000000Z \
|
|
-config "${TMPDIR}/openssl.cnf" \
|
|
-in "${TMPDIR}/client-3.csr" -out "${TMPDIR}/client-3.crt"
|
|
|
|
# Client 4.
|
|
openssl genpkey -algorithm rsa -pkeyopt rsa_keygen_bits:2048 -aes128 -pass pass:fdb321 \
|
|
-out "${TMPDIR}/client-4.key"
|
|
openssl req -new -days 3650 -sha256 -key "${TMPDIR}/client-4.key" -passin pass:fdb321 \
|
|
-subj "${SUBJECT} Client 4" -out "${TMPDIR}/client-4.csr"
|
|
openssl x509 -req -days 3650 -CA "${TMPDIR}/ca-int-3.crt" -CAkey "${TMPDIR}/ca-int-3.key" \
|
|
-extfile "${TMPDIR}/openssl.cnf" -extensions fdb_v3_other \
|
|
-CAcreateserial -in "${TMPDIR}/client-4.csr" -out "${TMPDIR}/client-4.crt"
|
|
|
|
#
|
|
# Test Bundles
|
|
#
|
|
|
|
make_ca_bundle 'test-ca-1.pem' 'ca-root-1.crt'
|
|
make_ca_bundle 'test-ca-2.pem' 'ca-root-2.crt'
|
|
make_ca_bundle 'test-ca-all.pem' 'ca-root-1.crt' 'ca-root-2.crt'
|
|
|
|
# Valid client/server from intermediate CA 1.
|
|
make_bundle 'test-client-1.pem' 'client-1.key' 'client-1.crt' 'ca-int-1.crt'
|
|
make_bundle 'test-server-1.pem' 'server-1.key' 'server-1.crt' 'ca-int-1.crt'
|
|
|
|
# Valid client/server from intermediate CA 2.
|
|
make_bundle 'test-client-2.pem' 'client-2.key' 'client-2.crt' 'ca-int-2.crt'
|
|
make_bundle 'test-server-2.pem' 'server-2.key' 'server-2.crt' 'ca-int-2.crt'
|
|
|
|
# Expired client/server from intermediate CA 1.
|
|
make_bundle 'test-client-3.pem' 'client-3.key' 'client-3.crt' 'ca-int-1.crt'
|
|
make_bundle 'test-server-3.pem' 'server-3.key' 'server-3.crt' 'ca-int-1.crt'
|
|
|
|
# Valid client/server from intermediate CA 3.
|
|
make_bundle 'test-client-4.pem' 'client-4.key' 'client-4.crt' 'ca-int-3.crt'
|
|
make_bundle 'test-server-4.pem' 'server-4.key' 'server-4.crt' 'ca-int-3.crt'
|