Make it possible to generate proxy certs with test/certs/mkcert.sh

This extends 'req' to take more than one DN component, and to take
them as full DN components and not just CN values.  All other commands
are changed to pass "CN = $cn" instead of just a CN value.

This adds 'genpc', which differs from the other 'gen*' commands by not
calling 'req', and expect the result from 'req' to come through stdin.

Finally, test/certs/setup.sh gets the commands needed to generate a
few proxy certificates.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Stephen Henson <steve@openssl.org>

diff --git a/test/certs/mkcert.sh b/test/certs/mkcert.sh
index daa0679ee8d2ff0f8e1c23bec4f8265edc73700c..39e3a1e28c3f6c7c382f0d13c82b28a9a9b48185 100755 (executable)
--- a/test/certs/mkcert.sh
+++ b/test/certs/mkcert.sh
@@ -49,17 +49,18 @@ key() {
     fi
 }
 
+# Usage: $0 req keyname dn1 dn2 ...
 req() {
     local key=$1; shift
-    local cn=$1; shift
 
     key "$key"
     local errs
 
     stderr_onerror \
         openssl req -new -"${OPENSSL_SIGALG}" -key "${key}.pem" \
-            -config <(printf "[req]\n%s\n%s\n[dn]\nCN=%s\n" \
-                     "prompt = no" "distinguished_name = dn" "${cn}")
+            -config <(printf "[req]\n%s\n%s\n[dn]\n" \
+                     "prompt = no" "distinguished_name = dn" "${dn}"
+                      for dn in "$@"; do echo "$dn"; done)
 }
 
 req_nocn() {
@@ -93,7 +94,7 @@ genroot() {
     do
         exts=$(printf "%s\nextendedKeyUsage = %s\n" "$exts" "$eku")
     done
-    csr=$(req "$key" "$cn") || return 1
+    csr=$(req "$key" "CN = $cn") || return 1
     echo "$csr" |
        cert "$cert" "$exts" -signkey "${key}.pem" -set_serial 1 -days "${DAYS}"
 }
@@ -112,7 +113,7 @@ genca() {
     do
         exts=$(printf "%s\nextendedKeyUsage = %s\n" "$exts" "$eku")
     done
-    csr=$(req "$key" "$cn") || return 1
+    csr=$(req "$key" "CN = $cn") || return 1
     echo "$csr" |
         cert "$cert" "$exts" -CA "${cacert}.pem" -CAkey "${cakey}.pem" \
            -set_serial 2 -days "${DAYS}"
@@ -133,12 +134,34 @@ gen_nonbc_ca() {
     do
         exts=$(printf "%s\nextendedKeyUsage = %s\n" "$exts" "$eku")
     done
-    csr=$(req "$key" "$cn") || return 1
+    csr=$(req "$key" "CN = $cn") || return 1
     echo "$csr" |
         cert "$cert" "$exts" -CA "${cacert}.pem" -CAkey "${cakey}.pem" \
            -set_serial 2 -days "${DAYS}"
 }
 
+# Usage: $0 genpc keyname certname eekeyname eecertname pcext1 pcext2 ...
+#
+# Note: takes csr on stdin, so must be used with $0 req like this:
+#
+# $0 req keyname dn | $0 genpc keyname certname eekeyname eecertname pcext ...
+genpc() {
+    local key=$1; shift
+    local cert=$1; shift
+    local cakey=$1; shift
+    local ca=$1; shift
+
+    exts=$(printf "%s\n%s\n%s\n%s\n" \
+           "subjectKeyIdentifier = hash" \
+           "authorityKeyIdentifier = keyid, issuer:always" \
+           "basicConstraints = CA:false" \
+           "proxyCertInfo = critical, @pcexts";
+           echo "[pcexts]";
+           for x in "$@"; do echo $x; done)
+    cert "$cert" "$exts" -CA "${ca}.pem" -CAkey "${cakey}.pem" \
+        -set_serial 2 -days "${DAYS}"
+}
+
 genee() {
     local OPTIND=1
     local purpose=serverAuth
@@ -165,7 +188,7 @@ genee() {
            "basicConstraints = CA:false" \
            "extendedKeyUsage = $purpose" \
            "subjectAltName = @alts" "DNS=${cn}")
-    csr=$(req "$key" "$cn") || return 1
+    csr=$(req "$key" "CN = $cn") || return 1
     echo "$csr" |
        cert "$cert" "$exts" -CA "${ca}.pem" -CAkey "${cakey}.pem" \
            -set_serial 2 -days "${DAYS}" "$@"
@@ -182,7 +205,7 @@ genss() {
            "basicConstraints = CA:false" \
            "extendedKeyUsage = serverAuth" \
            "subjectAltName = @alts" "DNS=${cn}")
-    csr=$(req "$key" "$cn") || return 1
+    csr=$(req "$key" "CN = $cn") || return 1
     echo "$csr" |
         cert "$cert" "$exts" -signkey "${key}.pem" \
             -set_serial 1 -days "${DAYS}" "$@"

diff --git a/test/certs/setup.sh b/test/certs/setup.sh
index f34104613fb0ea4945a9e5473ec46b2107f00efb..4eaf511ef44275da2f1341362754b2227ec25613 100755 (executable)
--- a/test/certs/setup.sh
+++ b/test/certs/setup.sh
@@ -182,3 +182,29 @@ OPENSSL_SIGALG=md5 \
 # 768-bit leaf key
 OPENSSL_KEYBITS=768 \
 ./mkcert.sh genee server.example ee-key-768 ee-cert-768 ca-key ca-cert
+
+# Proxy certificates, off of ee-client
+# Start with some good ones
+./mkcert.sh req pc1-key "0.CN = server.example" "1.CN = proxy 1" | \
+    ./mkcert.sh genpc pc1-key pc1-cert ee-key ee-client \
+                "language = id-ppl-anyLanguage" "pathlen = 1" "policy = text:AB"
+./mkcert.sh req pc2-key "0.CN = server.example" "1.CN = proxy 1" "2.CN = proxy 2" | \
+    ./mkcert.sh genpc pc2-key pc2-cert pc1-key pc1-cert \
+                "language = id-ppl-anyLanguage" "pathlen = 0" "policy = text:AB"
+# And now a couple of bad ones
+# pc3: incorrect CN
+./mkcert.sh req bad-pc3-key "0.CN = server.example" "1.CN = proxy 3" | \
+    ./mkcert.sh genpc bad-pc3-key bad-pc3-cert pc1-key pc1-cert \
+                "language = id-ppl-anyLanguage" "pathlen = 0" "policy = text:AB"
+# pc4: incorrect pathlen
+./mkcert.sh req bad-pc4-key "0.CN = server.example" "1.CN = proxy 1" "2.CN = proxy 4" | \
+    ./mkcert.sh genpc bad-pc4-key bad-pc4-cert pc1-key pc1-cert \
+                "language = id-ppl-anyLanguage" "pathlen = 1" "policy = text:AB"
+# pc5: no policy
+./mkcert.sh req pc5-key "0.CN = server.example" "1.CN = proxy 1" "2.CN = proxy 5" | \
+    ./mkcert.sh genpc pc5-key pc5-cert pc1-key pc1-cert \
+                "language = id-ppl-anyLanguage" "pathlen = 0"
+# pc6: incorrect CN (made into a component of a multivalue RDN)
+./mkcert.sh req bad-pc6-key "0.CN = server.example" "1.CN = proxy 1" "2.+CN = proxy 6" | \
+    ./mkcert.sh genpc bad-pc6-key bad-pc6-cert pc1-key pc1-cert \
+                "language = id-ppl-anyLanguage" "pathlen = 0" "policy = text:AB"