Tests: use TSA-CRLfile

olszomal 2023-04-04 14:52:30 +02:00 committed by Michał Trojnara
parent 3d7b8d2a21
commit edcb18d63f
4 changed files with 66 additions and 19 deletions


@ -59,6 +59,7 @@ string(SUBSTRING ${sha256sum} 0 64 leafhash)
set(verify_opt "-CAfile" "${CERTS}/CACert.pem" set(verify_opt "-CAfile" "${CERTS}/CACert.pem"
"-CRLfile" "${CERTS}/CACertCRL.pem" "-CRLfile" "${CERTS}/CACertCRL.pem"
"-TSA-CAfile" "${CERTS}/TSACA.pem" "-TSA-CAfile" "${CERTS}/TSACA.pem"
"-TSA-CRLfile" "${CERTS}/TSACertCRL.pem"
) )
# TODO "cat" extension # TODO "cat" extension
set(extensions_4 "exe" "ex_" "msi" "cat") set(extensions_4 "exe" "ex_" "msi" "cat")
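Review bot: The new `-TSA-CRLfile` entry in `verify_opt` is only observable when some test timestamps with a certificate that TSACertCRL.pem actually lists; if no test in this file uses the `TSA_revoked` material that makecerts.sh now generates and asserts a verification failure, the option is exercised only on the success path and a wrong path or an unparsable CRL would go unnoticed. If such a negative case exists further down the file, disregard this. A short comment above the block would also help readers tell the two CRLs apart, e.g. `# CACertCRL.pem: revocations issued by the signing CA; TSACertCRL.pem: revocations issued by the TSA CA`.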


@ -54,14 +54,14 @@ make_certs() {
test_result $? test_result $?
printf "\nGenerate intermediate CA certificate\n" >> "makecerts.log" printf "\nGenerate intermediate CA certificate\n" >> "makecerts.log"
"$OPENSSL" genrsa -out CA/intermediate.key \ "$OPENSSL" genrsa -out CA/intermediateCA.key \
2>> "makecerts.log" 1>&2 2>> "makecerts.log" 1>&2
TZ=GMT faketime -f '@2017-01-01 00:00:00' /bin/bash -c ' TZ=GMT faketime -f '@2017-01-01 00:00:00' /bin/bash -c '
script_path=$(pwd) script_path=$(pwd)
OPENSSL="$0" OPENSSL="$0"
export LD_LIBRARY_PATH="$1" export LD_LIBRARY_PATH="$1"
CONF="${script_path}/openssl_intermediate.cnf" CONF="${script_path}/openssl_intermediate.cnf"
"$OPENSSL" req -config "$CONF" -new -key CA/intermediate.key -out CA/intermediate.csr \ "$OPENSSL" req -config "$CONF" -new -key CA/intermediateCA.key -out CA/intermediateCA.csr \
-subj "/C=PL/O=osslsigncode/OU=Certification Authority/CN=Intermediate CA" \ -subj "/C=PL/O=osslsigncode/OU=Certification Authority/CN=Intermediate CA" \
2>> "makecerts.log" 1>&2' "$OPENSSL" "$LD_LIBRARY_PATH" 2>> "makecerts.log" 1>&2' "$OPENSSL" "$LD_LIBRARY_PATH"
test_result $? test_result $?
@ -70,10 +70,10 @@ make_certs() {
OPENSSL="$0" OPENSSL="$0"
export LD_LIBRARY_PATH="$1" export LD_LIBRARY_PATH="$1"
CONF="${script_path}/openssl_root.cnf" CONF="${script_path}/openssl_root.cnf"
"$OPENSSL" ca -config "$CONF" -batch -in CA/intermediate.csr -out CA/intermediate.cer \ "$OPENSSL" ca -config "$CONF" -batch -in CA/intermediateCA.csr -out CA/intermediateCA.cer \
2>> "makecerts.log" 1>&2' "$OPENSSL" "$LD_LIBRARY_PATH" 2>> "makecerts.log" 1>&2' "$OPENSSL" "$LD_LIBRARY_PATH"
test_result $? test_result $?
"$OPENSSL" x509 -in CA/intermediate.cer -out tmp/intermediate.pem \ "$OPENSSL" x509 -in CA/intermediateCA.cer -out tmp/intermediateCA.pem \
2>> "makecerts.log" 1>&2 2>> "makecerts.log" 1>&2
test_result $? test_result $?
@ -107,7 +107,7 @@ make_certs() {
test_result $? test_result $?
printf "\nAttach intermediate certificate to revoked certificate\n" >> "makecerts.log" printf "\nAttach intermediate certificate to revoked certificate\n" >> "makecerts.log"
cat tmp/intermediate.pem >> tmp/revoked.pem 2>> "makecerts.log" cat tmp/intermediateCA.pem >> tmp/revoked.pem 2>> "makecerts.log"
test_result $? test_result $?
printf "\nGenerate CRL file\n" >> "makecerts.log" printf "\nGenerate CRL file\n" >> "makecerts.log"
@ -120,6 +120,11 @@ make_certs() {
2>> "makecerts.log" 1>&2' "$OPENSSL" "$LD_LIBRARY_PATH" 2>> "makecerts.log" 1>&2' "$OPENSSL" "$LD_LIBRARY_PATH"
test_result $? test_result $?
printf "\nConvert a CRL file from PEM to DER\n" >> "makecerts.log"
"$OPENSSL" crl -in tmp/CACertCRL.pem -inform PEM -out tmp/CACertCRL.der -outform DER \
2>> "makecerts.log" 1>&2
test_result $?
printf "\nConvert revoked certificate to SPC format\n" >> "makecerts.log" printf "\nConvert revoked certificate to SPC format\n" >> "makecerts.log"
"$OPENSSL" crl2pkcs7 -in tmp/CACertCRL.pem -certfile tmp/revoked.pem -outform DER -out tmp/revoked.spc \ "$OPENSSL" crl2pkcs7 -in tmp/CACertCRL.pem -certfile tmp/revoked.pem -outform DER -out tmp/revoked.spc \
2>> "makecerts.log" 1>&2 2>> "makecerts.log" 1>&2
@ -166,7 +171,7 @@ make_certs() {
test_result $? test_result $?
printf "\nAttach intermediate certificate to code signing certificate\n" >> "makecerts.log" printf "\nAttach intermediate certificate to code signing certificate\n" >> "makecerts.log"
cat tmp/intermediate.pem >> tmp/cert.pem 2>> "makecerts.log" cat tmp/intermediateCA.pem >> tmp/cert.pem 2>> "makecerts.log"
test_result $? test_result $?
printf "\nConvert the certificate to SPC format\n" >> "makecerts.log" printf "\nConvert the certificate to SPC format\n" >> "makecerts.log"
@ -211,7 +216,7 @@ make_certs() {
test_result $? test_result $?
printf "\nAttach intermediate certificate to expired certificate\n" >> "makecerts.log" printf "\nAttach intermediate certificate to expired certificate\n" >> "makecerts.log"
cat tmp/intermediate.pem >> tmp/expired.pem 2>> "makecerts.log" cat tmp/intermediateCA.pem >> tmp/expired.pem 2>> "makecerts.log"
test_result $? test_result $?
printf "\nGenerate Root CA TSA certificate\n" >> "makecerts.log" printf "\nGenerate Root CA TSA certificate\n" >> "makecerts.log"
@ -226,6 +231,40 @@ make_certs() {
2>> "makecerts.log" 1>&2' "$OPENSSL" "$LD_LIBRARY_PATH" 2>> "makecerts.log" 1>&2' "$OPENSSL" "$LD_LIBRARY_PATH"
test_result $? test_result $?
printf "\nGenerate TSA certificate to revoke\n" >> "makecerts.log"
CONF="${script_path}/openssl_tsa_root.cnf"
"$OPENSSL" req -config "$CONF" -new -nodes -keyout tmp/TSA_revoked.key -out CA/TSA_revoked.csr \
-subj "/C=PL/O=osslsigncode/OU=TSA/CN=Revoked/emailAddress=osslsigncode@example.com" \
2>> "makecerts.log" 1>&2
test_result $?
CONF="${script_path}/openssl_tsa_root.cnf"
"$OPENSSL" ca -config "$CONF" -batch -in CA/TSA_revoked.csr -out CA/TSA_revoked.cer \
2>> "makecerts.log" 1>&2
test_result $?
"$OPENSSL" x509 -in CA/TSA_revoked.cer -out tmp/TSA_revoked.pem \
2>> "makecerts.log" 1>&2
test_result $?
printf "\nRevoke above certificate\n" >> "makecerts.log"
"$OPENSSL" ca -config "$CONF" -revoke CA/TSA_revoked.cer \
2>> "makecerts.log" 1>&2
test_result $?
printf "\nGenerate TSA CRL file\n" >> "makecerts.log"
TZ=GMT faketime -f '@2019-01-01 00:00:00' /bin/bash -c '
script_path=$(pwd)
OPENSSL="$0"
export LD_LIBRARY_PATH="$1"
CONF="${script_path}/openssl_tsa_root.cnf"
"$OPENSSL" ca -config "$CONF" -gencrl -crldays 8766 -out tmp/TSACertCRL.pem \
2>> "makecerts.log" 1>&2' "$OPENSSL" "$LD_LIBRARY_PATH"
test_result $?
printf "\nConvert TSA CRL file from PEM to DER\n" >> "makecerts.log"
"$OPENSSL" crl -in tmp/TSACertCRL.pem -inform PEM -out tmp/TSACertCRL.der -outform DER \
2>> "makecerts.log" 1>&2
test_result $?
printf "\nGenerate TSA certificate\n" >> "makecerts.log" printf "\nGenerate TSA certificate\n" >> "makecerts.log"
CONF="${script_path}/openssl_tsa.cnf" CONF="${script_path}/openssl_tsa.cnf"
"$OPENSSL" req -config "$CONF" -new -nodes -keyout tmp/TSA.key -out CA/TSA.csr \ "$OPENSSL" req -config "$CONF" -new -nodes -keyout tmp/TSA.key -out CA/TSA.csr \
@ -243,10 +282,13 @@ make_certs() {
cat tmp/TSA.pem tmp/TSACA.pem > tmp/tsa-chain.pem 2>> "makecerts.log" cat tmp/TSA.pem tmp/TSACA.pem > tmp/tsa-chain.pem 2>> "makecerts.log"
# copy new files # copy new files
if test -s tmp/intermediate.pem -a -s tmp/CACert.pem -a -s tmp/CACertCRL.pem \ if test -s tmp/intermediateCA.pem -a -s tmp/CACert.pem \
-a -s tmp/CACertCRL.pem -a -s tmp/CACertCRL.der \
-a -s tmp/TSACertCRL.pem -a -s tmp/TSACertCRL.der \
-a -s tmp/key.pem -a -s tmp/keyp.pem -a -s tmp/key.der -a -s tmp/key.pvk \ -a -s tmp/key.pem -a -s tmp/keyp.pem -a -s tmp/key.der -a -s tmp/key.pvk \
-a -s tmp/cert.pem -a -s tmp/cert.p12 -a -s tmp/cert.der -a -s tmp/cert.spc \ -a -s tmp/cert.pem -a -s tmp/cert.p12 -a -s tmp/cert.der -a -s tmp/cert.spc \
-a -s tmp/crosscert.pem -a -s tmp/expired.pem -a -s tmp/revoked.pem -a -s tmp/revoked.spc \ -a -s tmp/crosscert.pem -a -s tmp/expired.pem -a -s tmp/revoked.pem \
-a -s tmp/revoked.spc -a -s tmp/TSA_revoked.pem \
-a -s tmp/TSA.pem -a -s tmp/TSA.key -a -s tmp/tsa-chain.pem -a -s tmp/legacy.p12 -a -s tmp/TSA.pem -a -s tmp/TSA.key -a -s tmp/tsa-chain.pem -a -s tmp/legacy.p12
then then
mkdir -p "../certs" mkdir -p "../certs"
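Review bot: In the `@ -226,6 +231,40 @@` hunk the revoked TSA certificate is requested, issued and revoked at real wall-clock time (the `req`/`ca`/`ca -revoke` calls are not inside a faketime subshell, as far as the hunk shows), while the CRL that lists it is issued under `faketime -f '@2019-01-01 00:00:00'`, so the CRL's thisUpdate precedes both the certificate's notBefore and the revocationDate that `openssl ca -revoke` records in index.txt. OpenSSL's verifier presumably does not reject this, but the fixture is internally inconsistent; unless a test depends on the 2019 issue date, the simplest fix is to drop the wrapper and run `"$OPENSSL" ca -config "$CONF" -gencrl -crldays 8766 -out tmp/TSACertCRL.pem \` / `2>> "makecerts.log" 1>&2` directly, or otherwise wrap the generation and revocation steps in the same faketime subshell. The second `CONF="${script_path}/openssl_tsa_root.cnf"` before the `ca` call is redundant, since the variable was set to the same value a few lines above and nothing changes it in between. The enclosing `make_certs()` function starts and ends outside the hunks.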


@ -1,8 +1,9 @@
# OpenSSL intermediate CA configuration file # OpenSSL intermediate CA configuration file
[ default ] [ default ]
name = intermediate name = intermediateCA
default_ca = CA_default default_ca = CA_default
crl_url = http://127.0.0.1:8080/$name
[ CA_default ] [ CA_default ]
# Directory and file locations # Directory and file locations
@ -15,6 +16,7 @@ serial = $dir/CA/serial
rand_serial = yes rand_serial = yes
private_key = $dir/CA/$name.key private_key = $dir/CA/$name.key
certificate = $dir/tmp/$name.pem certificate = $dir/tmp/$name.pem
crlnumber = $dir/CA/crlnumber
crl_extensions = crl_ext crl_extensions = crl_ext
default_md = sha256 default_md = sha256
preserve = no preserve = no
@ -50,6 +52,10 @@ basicConstraints = CA:FALSE
subjectKeyIdentifier = hash subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid, issuer authorityKeyIdentifier = keyid, issuer
extendedKeyUsage = codeSigning extendedKeyUsage = codeSigning
crlDistributionPoints = @crl_info
[ crl_info ]
URI.0 = $crl_url
[ policy_loose ] [ policy_loose ]
# Allow the intermediate CA to sign a more diverse range of certificates. # Allow the intermediate CA to sign a more diverse range of certificates.
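Review bot: Adding `crlnumber = $dir/CA/crlnumber` makes `openssl ca -gencrl` load that file and abort with "error while loading CRL number" when it does not exist, and none of the makecerts.sh hunks shown seed `CA/crlnumber` for this CA; if it is not created elsewhere in make_certs(), the existing "Generate CRL file" step will start failing. The distribution point `crl_url = http://127.0.0.1:8080/$name` is a loopback URL with no file extension, which is fine for a fixture but surprising to a reader; a comment above it such as `# test fixture: CRL is expected to be served on loopback during the test run` would make the intent clear.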


@ -2,10 +2,8 @@
[ default ] [ default ]
name = TSACA name = TSACA
domain_suffix = timestampauthority.com domain_suffix = timestampauthority
aia_url = http://$name.$domain_suffix/$name.crt crl_url = http://127.0.0.1:8080/$name
crl_url = http://$name.$domain_suffix/$name.crl
ocsp_url = http://ocsp.$name.$domain_suffix:9080
name_opt = utf8, esc_ctrl, multiline, lname, align name_opt = utf8, esc_ctrl, multiline, lname, align
default_ca = CA_default default_ca = CA_default
@ -17,6 +15,7 @@ new_certs_dir = $dir/CA
database = $dir/CA/index.txt database = $dir/CA/index.txt
serial = $dir/CA/serial serial = $dir/CA/serial
crlnumber = $dir/CA/crlnumber crlnumber = $dir/CA/crlnumber
crl_extensions = crl_ext
rand_serial = yes rand_serial = yes
private_key = $dir/CA/$name.key private_key = $dir/CA/$name.key
certificate = $dir/tmp/$name.pem certificate = $dir/tmp/$name.pem
@ -43,17 +42,16 @@ basicConstraints = critical, CA:false
extendedKeyUsage = critical, timeStamping extendedKeyUsage = critical, timeStamping
subjectKeyIdentifier = hash subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always authorityKeyIdentifier = keyid:always
authorityInfoAccess = @issuer_info
crlDistributionPoints = @crl_info crlDistributionPoints = @crl_info
nameConstraints = @name_constraints nameConstraints = @name_constraints
[ issuer_info ]
caIssuers;URI.0 = $aia_url
OCSP;URI.0 = $ocsp_url
[ crl_info ] [ crl_info ]
URI.0 = $crl_url URI.0 = $crl_url
[ crl_ext ]
# Extension for CRLs
authorityKeyIdentifier = keyid:always
[ name_constraints ] [ name_constraints ]
permitted;DNS.0=test.com permitted;DNS.0=test.com
permitted;DNS.1=test.org permitted;DNS.1=test.org
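Review bot: After this change `domain_suffix = timestampauthority` appears to be dead: `aia_url` and `ocsp_url`, which used it, are removed, and the new `crl_url` no longer references `$domain_suffix`; if nothing else in the file uses it, the line should go rather than be edited. Removing `authorityInfoAccess = @issuer_info` also means the TSA certificates carry no caIssuers or OCSP pointers, so revocation status for this chain is CRL-only; a one-line comment next to `crlDistributionPoints = @crl_info`, e.g. `# revocation status is CRL-only; no AIA/OCSP is published for the TSA chain`, would record that decision.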