diff --git a/tests/conf/makecerts.sh b/tests/conf/makecerts.sh
index f5c980e..6c825f0 100755
--- a/tests/conf/makecerts.sh
+++ b/tests/conf/makecerts.sh
@@ -19,8 +19,10 @@ make_certs() {
 cd "${result_path}"
 mkdir "tmp/"
+################################################################################
 # OpenSSL settings
- CONF="${script_path}/openssl_intermediate.cnf"
+################################################################################
+
 if test -n "$1"
 then
 OPENSSL="$1/bin/openssl"
@@ -39,6 +41,10 @@ make_certs() {
 "$OPENSSL" version 2>> "makecerts.log" 1>&2
 echo -n "$password" > tmp/password.txt
+################################################################################
+# Root CA certificate
+################################################################################
+
 printf "\nGenerate root CA certificate\n" >> "makecerts.log"
 "$OPENSSL" genrsa -out CA/CA.key \
 2>> "makecerts.log" 1>&2
@@ -53,6 +59,38 @@ make_certs() {
 2>> "makecerts.log" 1>&2' "$OPENSSL" "$LD_LIBRARY_PATH"
 test_result $?
+################################################################################
+# Private RSA keys
+################################################################################
+
+ printf "\nGenerate private RSA encrypted key\n" >> "makecerts.log"
+ "$OPENSSL" genrsa -des3 -out CA/private.key -passout pass:"$password" \
+ 2>> "makecerts.log" 1>&2
+ test_result $?
+ cat CA/private.key >> tmp/keyp.pem 2>> "makecerts.log"
+ test_result $?
+
+ printf "\nGenerate private RSA decrypted key\n" >> "makecerts.log"
+ "$OPENSSL" rsa -in CA/private.key -passin pass:"$password" -out tmp/key.pem \
+ 2>> "makecerts.log" 1>&2
+ test_result $?
+
+ printf "\nConvert the key to DER format\n" >> "makecerts.log"
+ "$OPENSSL" rsa -in tmp/key.pem -outform DER -out tmp/key.der -passout pass:"$password" \
+ 2>> "makecerts.log" 1>&2
+ test_result $?
+
+ printf "\nConvert the key to PVK format\n" >> "makecerts.log"
+ "$OPENSSL" rsa -in tmp/key.pem -outform PVK -out tmp/key.pvk -pvk-none \
+ 2>> "makecerts.log" 1>&2
+ test_result $?
+
+################################################################################
+# Intermediate CA certificates
+################################################################################
+
+ CONF="${script_path}/openssl_intermediate.cnf"
+
 printf "\nGenerate intermediate CA certificate\n" >> "makecerts.log"
 "$OPENSSL" genrsa -out CA/intermediateCA.key \
 2>> "makecerts.log" 1>&2
@@ -77,18 +115,6 @@ make_certs() {
 2>> "makecerts.log" 1>&2
 test_result $?
- printf "\nGenerate private RSA encrypted key\n" >> "makecerts.log"
- "$OPENSSL" genrsa -des3 -out CA/private.key -passout pass:"$password" \
- 2>> "makecerts.log" 1>&2
- test_result $?
- cat CA/private.key >> tmp/keyp.pem 2>> "makecerts.log"
- test_result $?
-
- printf "\nGenerate private RSA decrypted key\n" >> "makecerts.log"
- "$OPENSSL" rsa -in CA/private.key -passin pass:"$password" -out tmp/key.pem \
- 2>> "makecerts.log" 1>&2
- test_result $?
-
 printf "\nGenerate a certificate to revoke\n" >> "makecerts.log"
 "$OPENSSL" req -config "$CONF" -new -key CA/private.key -passin pass:"$password" -out CA/revoked.csr \
 -subj "/C=PL/O=osslsigncode/OU=CSP/CN=Revoked/emailAddress=osslsigncode@example.com" \
@@ -120,16 +146,6 @@ make_certs() {
 2>> "makecerts.log" 1>&2' "$OPENSSL" "$LD_LIBRARY_PATH"
 test_result $?
- printf "\nConvert a CRL file from PEM to DER\n" >> "makecerts.log"
- "$OPENSSL" crl -in tmp/CACertCRL.pem -inform PEM -out tmp/CACertCRL.der -outform DER \
- 2>> "makecerts.log" 1>&2
- test_result $?
-
- printf "\nConvert revoked certificate to SPC format\n" >> "makecerts.log"
- "$OPENSSL" crl2pkcs7 -in tmp/CACertCRL.pem -certfile tmp/revoked.pem -outform DER -out tmp/revoked.spc \
- 2>> "makecerts.log" 1>&2
- test_result $?
-
 printf "\nGenerate CSP Cross-Certificate\n" >> "makecerts.log"
 "$OPENSSL" genrsa -out CA/cross.key \
 2>> "makecerts.log" 1>&2
@@ -155,16 +171,6 @@ make_certs() {
 2>> "makecerts.log" 1>&2
 test_result $?
- printf "\nConvert the key to DER format\n" >> "makecerts.log"
- "$OPENSSL" rsa -in tmp/key.pem -outform DER -out tmp/key.der -passout pass:"$password" \
- 2>> "makecerts.log" 1>&2
- test_result $?
-
- printf "\nConvert the key to PVK format\n" >> "makecerts.log"
- "$OPENSSL" rsa -in tmp/key.pem -outform PVK -out tmp/key.pvk -pvk-none \
- 2>> "makecerts.log" 1>&2
- test_result $?
-
 printf "\nConvert the certificate to DER format\n" >> "makecerts.log"
 "$OPENSSL" x509 -in tmp/cert.pem -outform DER -out tmp/cert.der \
 2>> "makecerts.log" 1>&2
@@ -219,6 +225,92 @@ make_certs() {
 cat tmp/intermediateCA.pem >> tmp/expired.pem 2>> "makecerts.log"
 test_result $?
+
+################################################################################
+# Intermediate CA certificates with CRL distribution point
+################################################################################
+
+ CONF="${script_path}/openssl_intermediate_crldp.cnf"
+
+ printf "\nGenerate intermediate CA certificate with CRL distribution point\n" >> "makecerts.log"
+ "$OPENSSL" genrsa -out CA/intermediateCA_crldp.key \
+ 2>> "makecerts.log" 1>&2
+ TZ=GMT faketime -f '@2017-01-01 00:00:00' /bin/bash -c '
+ script_path=$(pwd)
+ OPENSSL="$0"
+ export LD_LIBRARY_PATH="$1"
+ CONF="${script_path}/openssl_intermediate_crldp.cnf"
+ "$OPENSSL" req -config "$CONF" -new -key CA/intermediateCA_crldp.key -out CA/intermediateCA_crldp.csr \
+ -subj "/C=PL/O=osslsigncode/OU=Certification Authority/CN=Intermediate CA CRL DP" \
+ 2>> "makecerts.log" 1>&2' "$OPENSSL" "$LD_LIBRARY_PATH"
+ test_result $?
+ TZ=GMT faketime -f '@2017-01-01 00:00:00' /bin/bash -c '
+ script_path=$(pwd)
+ OPENSSL="$0"
+ export LD_LIBRARY_PATH="$1"
+ CONF="${script_path}/openssl_root.cnf"
+ "$OPENSSL" ca -config "$CONF" -batch -in CA/intermediateCA_crldp.csr -out CA/intermediateCA_crldp.cer \
+ 2>> "makecerts.log" 1>&2' "$OPENSSL" "$LD_LIBRARY_PATH"
+ test_result $?
+ "$OPENSSL" x509 -in CA/intermediateCA_crldp.cer -out tmp/intermediateCA_crldp.pem \
+ 2>> "makecerts.log" 1>&2
+ test_result $?
+
+ printf "\nGenerate a certificate with X509v3 CRL Distribution Points extension to revoke\n" >> "makecerts.log"
+ "$OPENSSL" req -config "$CONF" -new -key CA/private.key -passin pass:"$password" -out CA/revoked_crldp.csr \
+ -subj "/C=PL/O=osslsigncode/OU=CSP/CN=Revoked X509v3 CRL DP/emailAddress=osslsigncode@example.com" \
+ 2>> "makecerts.log" 1>&2
+ test_result $?
+ "$OPENSSL" ca -config "$CONF" -batch -in CA/revoked_crldp.csr -out CA/revoked_crldp.cer \ + 2>> "makecerts.log" 1>&2 + test_result $? + "$OPENSSL" x509 -in CA/revoked_crldp.cer -out tmp/revoked_crldp.pem \ + 2>> "makecerts.log" 1>&2 + test_result $? + + printf "\nRevoke above certificate\n" >> "makecerts.log" + "$OPENSSL" ca -config "$CONF" -revoke CA/revoked_crldp.cer \ + 2>> "makecerts.log" 1>&2 + test_result $? + + printf "\nAttach intermediate certificate to revoked certificate\n" >> "makecerts.log" + cat tmp/intermediateCA_crldp.pem >> tmp/revoked_crldp.pem 2>> "makecerts.log" + test_result $? + + printf "\nGenerate CRL file\n" >> "makecerts.log" + TZ=GMT faketime -f '@2019-01-01 00:00:00' /bin/bash -c ' + script_path=$(pwd) + OPENSSL="$0" + export LD_LIBRARY_PATH="$1" + CONF="${script_path}/openssl_intermediate_crldp.cnf" + "$OPENSSL" ca -config "$CONF" -gencrl -crldays 8766 -out tmp/CACertCRL_crldp.pem \ + 2>> "makecerts.log" 1>&2' "$OPENSSL" "$LD_LIBRARY_PATH" + test_result $? + + printf "\nConvert CRL file from PEM to DER (for CRL Distribution Points server to use) \n" >> "makecerts.log" + "$OPENSSL" crl -in tmp/CACertCRL_crldp.pem -inform PEM -out tmp/CACertCRL.der -outform DER \ + 2>> "makecerts.log" 1>&2 + test_result $? + + printf "\nGenerate code signing certificate with X509v3 CRL Distribution Points extension\n" >> "makecerts.log" + "$OPENSSL" req -config "$CONF" -new -key CA/private.key -passin pass:"$password" -out CA/cert_crldp.csr \ + -subj "/C=PL/ST=Mazovia Province/L=Warsaw/O=osslsigncode/OU=CSP/CN=Certificate X509v3 CRL DP/emailAddress=osslsigncode@example.com" \ + 2>> "makecerts.log" 1>&2 + test_result $? + "$OPENSSL" ca -config "$CONF" -batch -in CA/cert_crldp.csr -out CA/cert_crldp.cer \ + 2>> "makecerts.log" 1>&2 + test_result $? + "$OPENSSL" x509 -in CA/cert_crldp.cer -out tmp/cert_crldp.pem \ + 2>> "makecerts.log" 1>&2 + test_result $? 
+
+ printf "\nAttach intermediate certificate to code signing certificate\n" >> "makecerts.log"
+ cat tmp/intermediateCA_crldp.pem >> tmp/cert_crldp.pem 2>> "makecerts.log"
+ test_result $?
+
+################################################################################
+# Time Stamp Authority certificates
+################################################################################
 printf "\nGenerate Root CA TSA certificate\n" >> "makecerts.log"
 "$OPENSSL" genrsa -out CA/TSACA.key \
 2>> "makecerts.log" 1>&2
@@ -260,7 +352,7 @@ make_certs() {
 2>> "makecerts.log" 1>&2' "$OPENSSL" "$LD_LIBRARY_PATH"
 test_result $?
- printf "\nConvert TSA CRL file from PEM to DER\n" >> "makecerts.log"
+ printf "\nConvert TSA CRL file from PEM to DER (for CRL Distribution Points server to use)\n" >> "makecerts.log"
 "$OPENSSL" crl -in tmp/TSACertCRL.pem -inform PEM -out tmp/TSACertCRL.der -outform DER \
 2>> "makecerts.log" 1>&2
 test_result $?
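Review bot: In the new CRL Distribution Point section the DER CRL is written to `tmp/CACertCRL.der` from `tmp/CACertCRL_crldp.pem`, while `tmp/CACertCRL.pem` (presumably issued by the other intermediate CA earlier in the script) stays in place and the final copy check still requires both files, so the two now share a name stem but not an issuer; either name the output `tmp/CACertCRL_crldp.der` if the CRL DP test server's path mapping (not visible here) allows it, or put `# served as CACertCRL.der by the CRL DP test server; issued by intermediateCA_crldp, unrelated to CACertCRL.pem` above the crl command. `"$OPENSSL" genrsa -out CA/intermediateCA_crldp.key` has no `test_result $?` after it, unlike the private.key generation in the same file, so a failed key generation is only reported indirectly by the req step that follows. The log message `(for CRL Distribution Points server to use) \n` carries a stray space before the newline that the TSA variant in the next hunk does not. make_certs starts and ends outside this hunk.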
@@ -281,15 +373,21 @@ make_certs() {
 printf "\nSave the chain to be included in the TSA response\n" >> "makecerts.log"
 cat tmp/TSA.pem tmp/TSACA.pem > tmp/tsa-chain.pem 2>> "makecerts.log"
-# copy new files
- if test -s tmp/intermediateCA.pem -a -s tmp/CACert.pem \
+################################################################################
+# Copy new files
+################################################################################
+
+ if test -s tmp/CACert.pem \
+ -a -s tmp/intermediateCA.pem -a -s tmp/intermediateCA_crldp.pem \
 -a -s tmp/CACertCRL.pem -a -s tmp/CACertCRL.der \
 -a -s tmp/TSACertCRL.pem -a -s tmp/TSACertCRL.der \
 -a -s tmp/key.pem -a -s tmp/keyp.pem -a -s tmp/key.der -a -s tmp/key.pvk \
- -a -s tmp/cert.pem -a -s tmp/cert.p12 -a -s tmp/cert.der -a -s tmp/cert.spc \
- -a -s tmp/crosscert.pem -a -s tmp/expired.pem -a -s tmp/revoked.pem \
- -a -s tmp/revoked.spc -a -s tmp/TSA_revoked.pem \
- -a -s tmp/TSA.pem -a -s tmp/TSA.key -a -s tmp/tsa-chain.pem -a -s tmp/legacy.p12
+ -a -s tmp/cert.pem -a -s tmp/cert.der -a -s tmp/cert.spc \
+ -a -s tmp/cert.p12 -a -s tmp/legacy.p12 -a -s tmp/cert_crldp.pem\
+ -a -s tmp/crosscert.pem -a -s tmp/expired.pem \
+ -a -s tmp/revoked.pem -a -s tmp/revoked_crldp.pem \
+ -a -s tmp/TSA_revoked.pem \
+ -a -s tmp/TSA.pem -a -s tmp/TSA.key -a -s tmp/tsa-chain.pem
 then
 mkdir -p "../certs"
 cp tmp/* ../certs
@@ -299,14 +397,21 @@ make_certs() {
 result=1
 fi
-# remove the working directory
+################################################################################
+# Remove the working directory
+################################################################################
+
 rm -rf "CA/"
 rm -rf "tmp/"
 exit "$result"
 }
-# Tests requirement
+
+################################################################################
+# Tests requirement and make certs
+################################################################################
+
 if test -n "$(command -v faketime)"
 then
 make_certs "$1"
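Review bot: The new line `-a -s tmp/cert.p12 -a -s tmp/legacy.p12 -a -s tmp/cert_crldp.pem\` has no space before the continuation backslash; it still parses, because backslash-newline joins the lines and the next line's leading whitespace separates the tokens, but it is inconsistent with every other line of the test and reads like a typo, so `-a -s tmp/cert.p12 -a -s tmp/legacy.p12 -a -s tmp/cert_crldp.pem \` is what I would write. Since the list is being reordered anyway, a comment naming what the check enforces would help the next person who adds an artifact, e.g. `# every artifact copied to ../certs must exist and be non-empty; add new outputs here` above the `if`. The `test -a` chaining is pre-existing style and is left as is. This hunk sits inside make_certs, whose start is outside it; the following hunk carries the closing brace.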
diff --git a/tests/conf/openssl_intermediate.cnf b/tests/conf/openssl_intermediate.cnf
index d7359f8..bc5aed3 100644
--- a/tests/conf/openssl_intermediate.cnf
+++ b/tests/conf/openssl_intermediate.cnf
@@ -3,7 +3,6 @@
 [ default ]
 name = intermediateCA
 default_ca = CA_default
-crl_url = http://127.0.0.1:8080/$name
 [ CA_default ]
 # Directory and file locations
@@ -52,10 +51,6 @@ basicConstraints = CA:FALSE
 subjectKeyIdentifier = hash
 authorityKeyIdentifier = keyid, issuer
 extendedKeyUsage = codeSigning
-crlDistributionPoints = @crl_info
-
-[ crl_info ]
-URI.0 = $crl_url
 [ policy_loose ]
 # Allow the intermediate CA to sign a more diverse range of certificates.
diff --git a/tests/conf/openssl_intermediate_crldp.cnf b/tests/conf/openssl_intermediate_crldp.cnf
new file mode 100644
index 0000000..def7343
--- /dev/null
+++ b/tests/conf/openssl_intermediate_crldp.cnf
@@ -0,0 +1,79 @@
+# OpenSSL intermediate CA configuration file
+
+[ default ]
+name = intermediateCA
+default_ca = CA_default
+crl_url = http://127.0.0.1:19254/$name
+
+[ CA_default ]
+# Directory and file locations
+dir = .
+certs = $dir/CA
+crl_dir = $dir/CA
+new_certs_dir = $dir/CA
+database = $dir/CA/index.txt
+serial = $dir/CA/serial
+rand_serial = yes
+private_key = $dir/CA/$name\_crldp.key
+certificate = $dir/tmp/$name\_crldp.pem
+crlnumber = $dir/CA/crlnumber
+crl_extensions = crl_ext
+default_md = sha256
+preserve = no
+policy = policy_loose
+default_startdate = 180101000000Z
+default_enddate = 241231000000Z
+x509_extensions = v3_req
+email_in_dn = yes
+default_days = 2200
+
+[ req ]
+# Options for the `req` tool
+encrypt_key = no
+default_bits = 2048
+default_md = sha256
+string_mask = utf8only
+distinguished_name = req_distinguished_name
+x509_extensions = usr_extensions
+
+[ crl_ext ]
+# Extension for CRLs
+authorityKeyIdentifier = keyid:always
+
+[ usr_extensions ]
+# Extension to add when the -x509 option is used
+basicConstraints = CA:FALSE
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid, issuer
+extendedKeyUsage = codeSigning
+
+[ v3_req ]
+basicConstraints = CA:FALSE
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid, issuer
+extendedKeyUsage = codeSigning
+crlDistributionPoints = @crl_info
+
+[ crl_info ]
+# X509v3 CRL Distribution Points extension
+URI.0 = $crl_url
+
+[ policy_loose ]
+# Allow the intermediate CA to sign a more diverse range of certificates.
+# See the POLICY FORMAT section of the `ca` man page.
+countryName = optional
+stateOrProvinceName = optional
+localityName = optional
+organizationName = optional
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+
+[ req_distinguished_name ]
+countryName = Country Name (2 letter code)
+stateOrProvinceName = State or Province Name
+localityName = Locality Name
+0.organizationName = Organization Name
+organizationalUnitName = Organizational Unit Name
+commonName = Common Name
+emailAddress = Email Address
diff --git a/tests/conf/openssl_tsa_root.cnf b/tests/conf/openssl_tsa_root.cnf
index 1810275..61cffe5 100644
--- a/tests/conf/openssl_tsa_root.cnf
+++ b/tests/conf/openssl_tsa_root.cnf
@@ -3,7 +3,7 @@
 [ default ]
 name = TSACA
 domain_suffix = timestampauthority
-crl_url = http://127.0.0.1:8080/$name
+crl_url = http://127.0.0.1:19254/$name
 name_opt = utf8, esc_ctrl, multiline, lname, align
 default_ca = CA_default
@@ -46,6 +46,7 @@ crlDistributionPoints = @crl_info
 nameConstraints = @name_constraints
 [ crl_info ]
+# X509v3 CRL Distribution Points extension
 URI.0 = $crl_url
 [ crl_ext ]
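Review bot: The new file is a near-verbatim copy of openssl_intermediate.cnf and nothing in it says which lines are meant to differ, so a later edit to one of the two files is likely to drift from the other; a header such as `# Copy of openssl_intermediate.cnf that adds the crlDistributionPoints extension (crl_url, private_key, certificate and v3_req are the intended differences)` would document that. The `\_` in `private_key = $dir/CA/$name\_crldp.key` and `certificate = $dir/tmp/$name\_crldp.pem` is easy to misread as a typo; a comment `# backslash stops OpenSSL from reading $name_crldp as a single variable name` on those lines would save the next reader a trip to the config(5) man page. The hard-coded `default_startdate`/`default_enddate` window ends on 2024-12-31 and the `ca` runs for the leaf certificates in makecerts.sh are not wrapped in faketime, so how the fixtures behave after that date depends on the verification side, which is not visible here; a comment stating the intended validity window would help. `[ usr_extensions ]` does not carry crlDistributionPoints, so a certificate produced with `req -x509` from this config would lack the extension; presumably unused by the script, but worth a one-line comment if that is intentional.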