From cb0585c2cb5f3bdc7fe94cfcdc2cef6a9b2810c2 Mon Sep 17 00:00:00 2001 From: "Dr. Stephen Henson" Date: Wed, 26 Aug 2015 12:20:32 +0100 Subject: [PATCH] Create DSA and ECDSA certificates. If supported create DSA and ECDSA certificates and test them. Reviewed-by: Matt Caswell --- test/Uss.cnf | 33 +++++++++++++++++++-------------- test/testss | 43 ++++++++++++++++++++++++++++++++++++++++++- 2 files changed, 61 insertions(+), 15 deletions(-) diff --git a/test/Uss.cnf b/test/Uss.cnf index 58ac0ca54d..f655e7448d 100644 --- a/test/Uss.cnf +++ b/test/Uss.cnf @@ -4,6 +4,7 @@ # RANDFILE = ./.rnd +CN2 = Brother 2 #################################################################### [ req ] @@ -11,26 +12,30 @@ default_bits = 2048 default_keyfile = keySS.pem distinguished_name = req_distinguished_name encrypt_rsa_key = no -default_md = sha256 +default_md = sha256 +prompt = no [ req_distinguished_name ] -countryName = Country Name (2 letter code) -countryName_default = AU -countryName_value = AU - -organizationName = Organization Name (eg, company) -organizationName_value = Dodgy Brothers - -0.commonName = Common Name (eg, YOUR name) -0.commonName_value = Brother 1 - -1.commonName = Common Name (eg, YOUR name) -1.commonName_value = Brother 2 +countryName = AU +organizationName = Dodgy Brothers +0.commonName = Brother 1 +1.commonName = $ENV::CN2 [ v3_ee ] subjectKeyIdentifier=hash authorityKeyIdentifier=keyid,issuer:always basicConstraints = CA:false keyUsage = nonRepudiation, digitalSignature, keyEncipherment -issuerAltName=issuer:copy + +[ v3_ee_dsa ] +subjectKeyIdentifier=hash +authorityKeyIdentifier=keyid:always +basicConstraints = CA:false +keyUsage = nonRepudiation, digitalSignature + +[ v3_ee_ec ] +subjectKeyIdentifier=hash +authorityKeyIdentifier=keyid:always +basicConstraints = CA:false +keyUsage = nonRepudiation, digitalSignature, keyAgreement diff --git a/test/testss b/test/testss index 5c5389b462..45aedc859d 100644 --- a/test/testss +++ b/test/testss @@ -18,6 +18,14 @@ Ukey="keyU.ss" Ureq="reqU.ss" Ucert="certU.ss" +Dkey="keyD.ss" +Dreq="reqD.ss" +Dcert="certD.ss" + +Ekey="keyE.ss" +Ereq="reqE.ss" +Ecert="certE.ss" + P1conf="P1ss.cnf" P1key="keyP1.ss" P1req="reqP1.ss" @@ -33,8 +41,10 @@ P2intermediate="tmp_intP2.ss" echo string to make the random number generator think it has entropy >> ./.rnd +req_dsa='-newkey dsa:../apps/dsa1024.pem' + if ../util/shlib_wrap.sh ../apps/openssl no-rsa >/dev/null; then - req_new='-newkey dsa:../apps/dsa512.pem' + req_new=$req_dsa else req_new='-new' fi @@ -67,6 +77,37 @@ $verifycmd -CAfile $CAcert $Ucert || exit 1 echo Certificate details $x509cmd -subject -issuer -startdate -enddate -noout -in $Ucert || exit 1 +if ../util/shlib_wrap.sh ../apps/openssl no-dsa >/dev/null; then + echo skipping DSA certificate creation +else + echo make a DSA user cert request + CN2="DSA Certificate" $reqcmd -config $Uconf -out $Dreq -keyout $Dkey $req_dsa >err.ss || exit 1 + + echo sign DSA user cert request + $x509cmd -CAcreateserial -in $Dreq -days 30 -req -out $Dcert -CA $CAcert -CAkey $CAkey -CAserial $CAserial -extfile $Uconf -extensions v3_ee_dsa >err.ss || exit 1 + $verifycmd -CAfile $CAcert $Dcert || exit 1 + + echo DSA Certificate details + $x509cmd -subject -issuer -startdate -enddate -noout -in $Dcert || exit 1 + +fi + +if ../util/shlib_wrap.sh ../apps/openssl no-ec >/dev/null; then + echo skipping ECDSA/ECDH certificate creation +else + echo make an ECDSA/ECDH user cert request + ../util/shlib_wrap.sh ../apps/openssl ecparam -name P-256 -out ecp.ss || exit 1 + CN2="ECDSA Certificate" $reqcmd -config $Uconf -out $Ereq -keyout $Ekey -newkey ec:ecp.ss >err.ss || exit 1 + + echo sign ECDSA/ECDH user cert request + $x509cmd -CAcreateserial -in $Ereq -days 30 -req -out $Ecert -CA $CAcert -CAkey $CAkey -CAserial $CAserial -extfile $Uconf -extensions v3_ee_ec >err.ss || exit 1 + $verifycmd -CAfile $CAcert $Ecert || exit 1 + + echo ECDSA Certificate details + $x509cmd -subject -issuer -startdate -enddate -noout -in $Ecert || exit 1 + +fi + echo make a proxy cert request $reqcmd -config $P1conf -out $P1req -keyout $P1key $req_new >err.ss || exit 1 -- 2.25.1