From 46d43d70b30ccecdf28149b6962a86df62c17f98 Mon Sep 17 00:00:00 2001
From: olszomal
Date: Wed, 18 Aug 2021 11:40:53 +0200
Subject: [PATCH] Test certificates support requirements of openssl 3.0: - AES-256-CBC encryption algorithm for PKCS#12 files - required configuration file options Export LD_LIBRARY_PATH
---
 tests/certs/makecerts.sh | 114 +++++++++++++++------------
 tests/certs/openssl_intermediate.cnf | 3 +
 tests/certs/openssl_root.cnf | 4 +
 tests/certs/openssltest.cnf | 61 --------------
 4 files changed, 70 insertions(+), 112 deletions(-)
 delete mode 100644 tests/certs/openssltest.cnf
diff --git a/tests/certs/makecerts.sh b/tests/certs/makecerts.sh
index c0d1b88..a9ee839 100755
--- a/tests/certs/makecerts.sh
+++ b/tests/certs/makecerts.sh
@@ -21,162 +21,178 @@ make_certs() { # OpenSSL settings CONF="${script_path}/openssl_intermediate.cnf" - TEMP_LD_LIBRARY_PATH=$LD_LIBRARY_PATH if test -n "$1" then OPENSSL="$1/bin/openssl" - LD_LIBRARY_PATH="$1/lib" + export LD_LIBRARY_PATH="$1/lib:$1/lib64" else OPENSSL=openssl fi mkdir "demoCA/" 2>> "makecerts.log" 1>&2 touch "demoCA/index.txt" - touch "demoCA/index.txt.attr" + echo -n "unique_subject = no" > "demoCA/index.txt.attr" echo 1000 > "demoCA/serial" date > "makecerts.log" - $OPENSSL version 2>> "makecerts.log" 1>&2 + "$OPENSSL" version 2>> "makecerts.log" 1>&2 echo -n "$password" > "password.txt" printf "\nGenerate root CA certificate\n" >> "makecerts.log" - $OPENSSL genrsa -out demoCA/CA.key \ + "$OPENSSL" genrsa -out demoCA/CA.key \ 2>> "makecerts.log" 1>&2 + test_result $? TZ=GMT faketime -f '@2017-01-01 00:00:00' /bin/bash -c ' script_path=$(pwd) - OPENSSL=openssl + OPENSSL="$0" + export LD_LIBRARY_PATH="$1" CONF="${script_path}/openssl_root.cnf" - $OPENSSL req -config $CONF -new -x509 -days 3600 -key demoCA/CA.key -out tmp/CACert.pem \ + "$OPENSSL" req -config "$CONF" -new -x509 -days 3600 -key demoCA/CA.key -out tmp/CACert.pem \ -subj "/C=PL/O=osslsigncode/OU=Certification Authority/CN=Root CA" \ - 2>> "makecerts.log" 1>&2' + 2>> "makecerts.log" 1>&2' "$OPENSSL" "$LD_LIBRARY_PATH" test_result $? 
printf "\nGenerate intermediate CA certificate\n" >> "makecerts.log" - $OPENSSL genrsa -out demoCA/intermediate.key \ + "$OPENSSL" genrsa -out demoCA/intermediate.key \ 2>> "makecerts.log" 1>&2 TZ=GMT faketime -f '@2017-01-01 00:00:00' /bin/bash -c ' script_path=$(pwd) - OPENSSL=openssl + OPENSSL="$0" + export LD_LIBRARY_PATH="$1" CONF="${script_path}/openssl_intermediate.cnf" - $OPENSSL req -config $CONF -new -key demoCA/intermediate.key -out demoCA/intermediate.csr \ + "$OPENSSL" req -config "$CONF" -new -key demoCA/intermediate.key -out demoCA/intermediate.csr \ -subj "/C=PL/O=osslsigncode/OU=Certification Authority/CN=Intermediate CA" \ - 2>> "makecerts.log" 1>&2' + 2>> "makecerts.log" 1>&2' "$OPENSSL" "$LD_LIBRARY_PATH" test_result $? TZ=GMT faketime -f '@2017-01-01 00:00:00' /bin/bash -c ' script_path=$(pwd) - OPENSSL=openssl + OPENSSL="$0" + export LD_LIBRARY_PATH="$1" CONF="${script_path}/openssl_root.cnf" - $OPENSSL ca -config $CONF -batch -in demoCA/intermediate.csr -out demoCA/intermediate.cer \ - 2>> "makecerts.log" 1>&2' + "$OPENSSL" ca -config "$CONF" -batch -in demoCA/intermediate.csr -out demoCA/intermediate.cer \ + 2>> "makecerts.log" 1>&2' "$OPENSSL" "$LD_LIBRARY_PATH" test_result $? - $OPENSSL x509 -in demoCA/intermediate.cer -out tmp/intermediate.pem \ + "$OPENSSL" x509 -in demoCA/intermediate.cer -out tmp/intermediate.pem \ 2>> "makecerts.log" 1>&2 + test_result $? printf "\nGenerate private RSA encrypted key\n" >> "makecerts.log" - $OPENSSL genrsa -des3 -out demoCA/private.key -passout pass:$password \ + "$OPENSSL" genrsa -des3 -out demoCA/private.key -passout pass:"$password" \ 2>> "makecerts.log" 1>&2 test_result $? cat demoCA/private.key >> tmp/keyp.pem 2>> "makecerts.log" + test_result $? 
printf "\nGenerate private RSA decrypted key\n" >> "makecerts.log" - $OPENSSL rsa -in demoCA/private.key -passin pass:$password -out tmp/key.pem \ + "$OPENSSL" rsa -in demoCA/private.key -passin pass:"$password" -out tmp/key.pem \ 2>> "makecerts.log" 1>&2 test_result $? printf "\nGenerate a certificate to revoke\n" >> "makecerts.log" - $OPENSSL req -config $CONF -new -key demoCA/private.key -passin pass:$password -out demoCA/revoked.csr \ + "$OPENSSL" req -config "$CONF" -new -key demoCA/private.key -passin pass:"$password" -out demoCA/revoked.csr \ -subj "/C=PL/O=osslsigncode/OU=CSP/CN=Revoked/emailAddress=osslsigncode@example.com" \ 2>> "makecerts.log" 1>&2 - $OPENSSL ca -config $CONF -batch -in demoCA/revoked.csr -out demoCA/revoked.cer \ + test_result $? + "$OPENSSL" ca -config "$CONF" -batch -in demoCA/revoked.csr -out demoCA/revoked.cer \ 2>> "makecerts.log" 1>&2 - $OPENSSL x509 -in demoCA/revoked.cer -out tmp/revoked.pem \ + test_result $? + "$OPENSSL" x509 -in demoCA/revoked.cer -out tmp/revoked.pem \ 2>> "makecerts.log" 1>&2 + test_result $? printf "\nRevoke above certificate\n" >> "makecerts.log" - $OPENSSL ca -config $CONF -revoke demoCA/1001.pem \ + "$OPENSSL" ca -config "$CONF" -revoke demoCA/revoked.cer \ 2>> "makecerts.log" 1>&2 + test_result $? printf "\nAttach intermediate certificate to revoked certificate\n" >> "makecerts.log" - cat tmp/intermediate.pem >> tmp/revoked.pem + cat tmp/intermediate.pem >> tmp/revoked.pem 2>> "makecerts.log" + test_result $? printf "\nGenerate CRL file\n" >> "makecerts.log" TZ=GMT faketime -f '@2019-01-01 00:00:00' /bin/bash -c ' script_path=$(pwd) - OPENSSL=openssl + OPENSSL="$0" + export LD_LIBRARY_PATH="$1" CONF="${script_path}/openssl_intermediate.cnf" - $OPENSSL ca -config $CONF -gencrl -crldays 8766 -out tmp/CACertCRL.pem \ - 2>> "makecerts.log" 1>&2' + "$OPENSSL" ca -config "$CONF" -gencrl -crldays 8766 -out tmp/CACertCRL.pem \ + 2>> "makecerts.log" 1>&2' "$OPENSSL" "$LD_LIBRARY_PATH" + test_result $? 
printf "\nConvert revoked certificate to SPC format\n" >> "makecerts.log" - $OPENSSL crl2pkcs7 -in tmp/CACertCRL.pem -certfile tmp/revoked.pem -outform DER -out tmp/revoked.spc \ + "$OPENSSL" crl2pkcs7 -in tmp/CACertCRL.pem -certfile tmp/revoked.pem -outform DER -out tmp/revoked.spc \ 2>> "makecerts.log" 1>&2 test_result $? printf "\nGenerate CSP Cross-Certificate\n" >> "makecerts.log" - $OPENSSL genrsa -out demoCA/cross.key \ + "$OPENSSL" genrsa -out demoCA/cross.key \ 2>> "makecerts.log" 1>&2 TZ=GMT faketime -f '@2018-01-01 00:00:00' /bin/bash -c ' script_path=$(pwd) - OPENSSL=openssl + OPENSSL="$0" + export LD_LIBRARY_PATH="$1" CONF="${script_path}/openssl_intermediate.cnf" - $OPENSSL req -config $CONF -new -x509 -days 900 -key demoCA/cross.key -out tmp/crosscert.pem \ + "$OPENSSL" req -config "$CONF" -new -x509 -days 900 -key demoCA/cross.key -out tmp/crosscert.pem \ -subj "/C=PL/O=osslsigncode/OU=CSP/CN=crosscert/emailAddress=osslsigncode@example.com" \ - 2>> "makecerts.log" 1>&2' + 2>> "makecerts.log" 1>&2' "$OPENSSL" "$LD_LIBRARY_PATH" test_result $? printf "\nGenerate code signing certificate\n" >> "makecerts.log" - $OPENSSL req -config $CONF -new -key demoCA/private.key -passin pass:$password -out demoCA/cert.csr \ + "$OPENSSL" req -config "$CONF" -new -key demoCA/private.key -passin pass:"$password" -out demoCA/cert.csr \ -subj "/C=PL/ST=Mazovia Province/L=Warsaw/O=osslsigncode/OU=CSP/CN=Certificate/emailAddress=osslsigncode@example.com" \ 2>> "makecerts.log" 1>&2 test_result $? - $OPENSSL ca -config $CONF -batch -in demoCA/cert.csr -out demoCA/cert.cer \ + "$OPENSSL" ca -config "$CONF" -batch -in demoCA/cert.csr -out demoCA/cert.cer \ 2>> "makecerts.log" 1>&2 test_result $? - $OPENSSL x509 -in demoCA/cert.cer -out tmp/cert.pem \ + "$OPENSSL" x509 -in demoCA/cert.cer -out tmp/cert.pem \ 2>> "makecerts.log" 1>&2 test_result $? 
printf "\nConvert the key to DER format\n" >> "makecerts.log" - $OPENSSL rsa -in tmp/key.pem -outform DER -out tmp/key.der -passout pass:$password \ + "$OPENSSL" rsa -in tmp/key.pem -outform DER -out tmp/key.der -passout pass:"$password" \ 2>> "makecerts.log" 1>&2 test_result $? printf "\nConvert the key to PVK format\n" >> "makecerts.log" - $OPENSSL rsa -in tmp/key.pem -outform PVK -out tmp/key.pvk -pvk-none \ + "$OPENSSL" rsa -in tmp/key.pem -outform PVK -out tmp/key.pvk -pvk-none \ 2>> "makecerts.log" 1>&2 test_result $? printf "\nConvert the certificate to DER format\n" >> "makecerts.log" - $OPENSSL x509 -in tmp/cert.pem -outform DER -out tmp/cert.der \ + "$OPENSSL" x509 -in tmp/cert.pem -outform DER -out tmp/cert.der \ 2>> "makecerts.log" 1>&2 test_result $? printf "\nAttach intermediate certificate to code signing certificate\n" >> "makecerts.log" - cat tmp/intermediate.pem >> tmp/cert.pem + cat tmp/intermediate.pem >> tmp/cert.pem 2>> "makecerts.log" + test_result $? printf "\nConvert the certificate to SPC format\n" >> "makecerts.log" - $OPENSSL crl2pkcs7 -nocrl -certfile tmp/cert.pem -outform DER -out tmp/cert.spc \ + "$OPENSSL" crl2pkcs7 -nocrl -certfile tmp/cert.pem -outform DER -out tmp/cert.spc \ 2>> "makecerts.log" 1>&2 test_result $? printf "\nConvert the certificate and the key into a PKCS#12 container\n" >> "makecerts.log" - $OPENSSL pkcs12 -export -in tmp/cert.pem -inkey tmp/key.pem -out tmp/cert.p12 -passout pass:$password \ + "$OPENSSL" pkcs12 -export -in tmp/cert.pem -inkey tmp/key.pem -out tmp/cert.p12 -passout pass:"$password" \ + -keypbe aes-256-cbc -certpbe aes-256-cbc \ 2>> "makecerts.log" 1>&2 test_result $? 
printf "\nGenerate expired certificate\n" >> "makecerts.log" - $OPENSSL req -config $CONF -new -key demoCA/private.key -passin pass:$password -out demoCA/expired.csr \ + "$OPENSSL" req -config "$CONF" -new -key demoCA/private.key -passin pass:"$password" -out demoCA/expired.csr \ -subj "/C=PL/ST=Mazovia Province/L=Warsaw/O=osslsigncode/OU=CSP/CN=Expired/emailAddress=osslsigncode@example.com" \ 2>> "makecerts.log" 1>&2 test_result $? - $OPENSSL ca -config $CONF -enddate "190101000000Z" -batch -in demoCA/expired.csr -out demoCA/expired.cer \ + "$OPENSSL" ca -config "$CONF" -enddate "190101000000Z" -batch -in demoCA/expired.csr -out demoCA/expired.cer \ 2>> "makecerts.log" 1>&2 test_result $? - $OPENSSL x509 -in demoCA/expired.cer -out tmp/expired.pem \ + "$OPENSSL" x509 -in demoCA/expired.cer -out tmp/expired.pem \ 2>> "makecerts.log" 1>&2 test_result $? printf "\nAttach intermediate certificate to expired certificate\n" >> "makecerts.log" - cat tmp/intermediate.pem >> tmp/expired.pem + cat tmp/intermediate.pem >> tmp/expired.pem 2>> "makecerts.log" + test_result $? # copy new files if test -s tmp/intermediate.pem -a -s tmp/CACert.pem -a -s tmp/CACertCRL.pem \
@@ -187,7 +203,6 @@ make_certs() { cp tmp/* ./ printf "%s\n" "keys & certificates successfully generated" printf "%s\n" "makecerts.sh finished" - rm -f "makecerts.log" else printf "%s\n" "makecerts.sh failed" printf "%s\n" "error logs ${result_path}/makecerts.log"
@@ -198,16 +213,13 @@ make_certs() { rm -rf "demoCA/" rm -rf "tmp/" -# restore settings - LD_LIBRARY_PATH=$TEMP_LD_LIBRARY_PATH - - exit $result + exit "$result" } # Tests requirement if test -n "$(command -v faketime)" then - make_certs $1 + make_certs "$1" result=$? else printf "%s\n" "faketime not found in \$PATH"
@@ -215,4 +227,4 @@ if test -n "$(command -v faketime)" result=1 fi
-exit $result
+exit "$result"
diff --git a/tests/certs/openssl_intermediate.cnf b/tests/certs/openssl_intermediate.cnf
index 8456e9f..b99c777 100644
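Review bot: The `"$OPENSSL" genrsa -out demoCA/intermediate.key` and `"$OPENSSL" genrsa -out demoCA/cross.key` calls are still not followed by `test_result $?`, although the commit adds that check after the root `CA.key` generation and after most other steps, so a failure there is only noticed when the following `req` step fails on a missing key with a less useful log entry; adding `test_result $?` after each of those two commands closes the gap. The new `echo -n "unique_subject = no" > "demoCA/index.txt.attr"` relies on a non-POSIX echo flag; `printf '%s' 'unique_subject = no' > "demoCA/index.txt.attr"` behaves the same under any shell. The `pass:"$password"` arguments, now consistently quoted, still place the key password on the command line of every openssl process, where it is visible to other local users via `ps`; since the script already writes `password.txt`, `-passin file:password.txt` / `-passout file:password.txt` would keep it off argv, which is acceptable to skip for a test fixture but deserves a comment if left as is. make_certs starts before this hunk and continues past it.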
--- a/tests/certs/openssl_intermediate.cnf
+++ b/tests/certs/openssl_intermediate.cnf
@@ -11,6 +11,7 @@ crl_dir = $dir/demoCA
 new_certs_dir = $dir/demoCA
 database = $dir/demoCA/index.txt
 serial = $dir/demoCA/serial
+rand_serial = yes
 private_key = $dir/demoCA/intermediate.key
 certificate = $dir/tmp/intermediate.pem
 crl_extensions = crl_ext
@@ -20,6 +21,8 @@ policy = policy_loose
 default_startdate = 180101000000Z
 default_enddate = 241231000000Z
 x509_extensions = v3_req
+email_in_dn = yes
+default_days = 2200
 
 [ req ]
 # Options for the `req` tool
diff --git a/tests/certs/openssl_root.cnf b/tests/certs/openssl_root.cnf
index 435dcb0..2622fb5 100644
--- a/tests/certs/openssl_root.cnf
+++ b/tests/certs/openssl_root.cnf
@@ -11,6 +11,7 @@ crl_dir = $dir/demoCA
 new_certs_dir = $dir/demoCA
 database = $dir/demoCA/index.txt
 serial = $dir/demoCA/serial
+rand_serial = yes
 private_key = $dir/demoCA/CA.key
 certificate = $dir/tmp/CACert.pem
 crl_extensions = crl_ext
@@ -20,6 +21,9 @@ policy = policy_match
 default_startdate = 180101000000Z
 default_enddate = 260101000000Z
 x509_extensions = v3_intermediate_ca
+email_in_dn = yes
+default_days = 3000
+unique_subject = no
 
 [ req ]
 # Options for the `req` tool
diff --git a/tests/certs/openssltest.cnf b/tests/certs/openssltest.cnf
deleted file mode 100644
index 347539c..0000000
--- a/tests/certs/openssltest.cnf
+++ /dev/null
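Review bot: `default_days = 2200` (and `default_days = 3000` in the openssl_root.cnf hunk) is added next to an existing `default_enddate`, and as far as I can tell `openssl ca` applies a configured end date in preference to a day count, so the new value should not change the validity of any issued certificate; a comment such as `# kept for openssl 3.0, which looks this up even though default_enddate fixes the expiry` would record why it is there and keep a later cleanup from removing it. `rand_serial = yes` likewise appears to leave the `serial = $dir/demoCA/serial` line above it, and the `echo 1000 > demoCA/serial` in makecerts.sh, without effect on issued serial numbers, which a comment on that line could say. `unique_subject = no` is added only to openssl_root.cnf; both configs point at the same `$dir/demoCA/index.txt` and makecerts.sh now writes the same setting into `index.txt.attr`, so the two CAs behave the same in practice but the two files no longer read the same way — adding the line to openssl_intermediate.cnf too, or a comment noting that index.txt.attr carries the setting, would make that explicit.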
@@ -1,61 +0,0 @@
-# OpenSSL root CA configuration file
-
-[ ca ]
-default_ca = CA_default
-
-[ CA_default ]
-# Directory and file locations.
-dir = .
-certs = $dir/demoCA
-crl_dir = $dir/demoCA
-new_certs_dir = $dir/demoCA
-database = $dir/demoCA/index.txt
-serial = $dir/demoCA/serial
-crl_extensions = crl_ext
-default_md = sha256
-preserve = no
-policy = policy_match
-x509_extensions = usr_cert
-private_key = $dir/demoCA/CA.key
-certificate = $dir/tmp/CACert.pem
-default_startdate = 180101000000Z
-default_enddate = 210101000000Z
-
-[ req ]
-encrypt_key = no
-default_bits = 2048
-default_md = sha256
-string_mask = utf8only
-x509_extensions = ca_extensions
-distinguished_name = req_distinguished_name
-
-[ crl_ext ]
-authorityKeyIdentifier = keyid:always
-
-[ usr_cert ]
-basicConstraints = CA:FALSE
-subjectKeyIdentifier = hash
-authorityKeyIdentifier = keyid, issuer
-extendedKeyUsage = codeSigning
-
-[ ca_extensions ]
-basicConstraints = critical, CA:true
-subjectKeyIdentifier = hash
-authorityKeyIdentifier = keyid:always,issuer
-keyUsage = critical, digitalSignature, cRLSign, keyCertSign
-
-[ policy_match ]
-countryName = match
-organizationName = match
-organizationalUnitName = optional
-commonName = supplied
-emailAddress = optional
-
-[ req_distinguished_name ]
-countryName = Country Name (2 letter code)
-stateOrProvinceName = State or Province Name
-localityName = Locality Name
-0.organizationName = Organization Name
-organizationalUnitName = Organizational Unit Name
-commonName = Common Name
-emailAddress = Email Address