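#!/bin/sh -e
# Build the throw-away PKI used by the krb5 PKINIT test suite: a
# self-signed CA, a KDC certificate, several client certificates (RSA and
# EC, with id-pkinit-san or Microsoft UPN subject alternative names) and
# PKCS#12 bundles of the RSA ones.
#
# Everything here is deliberately insecure fixture material: the CA key
# and every RSA end-entity key are the SAME file (privkey.pem), the
# passphrases are hard-coded, and the validity period is about 11 years.
# Nothing generated by this script must ever be trusted outside the tests.
#
# The "-e" in the shebang is only honoured when the script is executed
# directly; "sh make-certs.sh" would silently run on after a failed
# openssl step and leave behind a partial, inconsistent set of
# certificates.  Request it explicitly so any failure aborts the run.
set -e

# Kerberos principal name types (RFC 4120 6.2): NT-PRINCIPAL for users,
# NT-SRV-INST for krbtgt/REALM.
NAMETYPE=1
KRBTGT_NAMETYPE=2
# RSA modulus size of the shared test key.
KEYSIZE=2048
# Validity of every certificate in days (~11 years; fixtures only).
DAYS=4000
REALM=KRBTEST.COM
LOWREALM=krbtest.com
# RFC 4556 id-pkinit-san: otherName SAN carrying a KRB5PrincipalName.
KRB5_PRINCIPAL_SAN=1.3.6.1.5.2.2
# Microsoft User Principal Name otherName SAN.
KRB5_UPN_SAN=1.3.6.1.4.1.311.20.2.3
# RFC 4556 extended key usages: id-pkinit-KPKdc and id-pkinit-KPClientAuth.
PKINIT_KDC_EKU=1.3.6.1.5.2.3.5
PKINIT_CLIENT_EKU=1.3.6.1.5.2.3.4
# RFC 5280 EKUs: serverAuth, clientAuth, emailProtection.  None of the
# three is referenced unless the EKU lists below are extended by hand.
TLS_SERVER_EKU=1.3.6.1.5.5.7.3.1
TLS_CLIENT_EKU=1.3.6.1.5.5.7.3.2
EMAIL_PROTECTION_EKU=1.3.6.1.5.5.7.3.4
# Add TLS EKUs to these if we're testing with NSS and we still have to
# piggy-back on the TLS trust settings.
KDC_EKU_LIST=$PKINIT_KDC_EKU
CLIENT_EKU_LIST=$PKINIT_CLIENT_EKU

# Write the OpenSSL configuration used for every request and signature.
# The heredoc is unquoted, so $REALM, $NAMETYPE, the OIDs and the EKU
# lists are expanded now; "\$ENV::SUBJECT" is escaped so OpenSSL itself
# resolves the DN section from the SUBJECT environment variable set on
# each invocation below.
#
# Notes on the extension sections:
#  - exts_ca asserts far more keyUsage bits than a CA needs; keyCertSign
#    and cRLSign are the only ones a real CA should carry.  Left as-is
#    because the tests depend on the existing fixtures.
#  - the [ca] DN section lists CN twice.  OpenSSL's config parser appears
#    to keep the last value, which would make the "test CA certificate"
#    line dead -- confirm with "openssl x509 -noout -subject -in ca.pem"
#    before relying on either CN.
#  - exts_none is intentionally empty: generic.pem gets no extensions.
cat > openssl.cnf << EOF
[req]
prompt = no
distinguished_name = \$ENV::SUBJECT

[ca]
CN = test CA certificate
C = US
ST = Massachusetts
L = Cambridge
O = MIT
OU = Insecure PKINIT Kerberos test CA
CN = pkinit test suite CA; do not use otherwise

[kdc]
C = US
ST = Massachusetts
O = KRBTEST.COM
CN = KDC

[user]
C = US
ST = Massachusetts
O = KRBTEST.COM
CN = user

[exts_ca]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
keyUsage = nonRepudiation,digitalSignature,keyEncipherment,dataEncipherment,keyAgreement,keyCertSign,cRLSign
basicConstraints = critical,CA:TRUE

[components_kdc]
0.component=GeneralString:krbtgt
1.component=GeneralString:$REALM

[princ_kdc]
nametype=EXPLICIT:0,INTEGER:$KRBTGT_NAMETYPE
components=EXPLICIT:1,SEQUENCE:components_kdc

[krb5princ_kdc]
realm=EXPLICIT:0,GeneralString:$REALM
princ=EXPLICIT:1,SEQUENCE:princ_kdc

[exts_kdc]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
keyUsage = nonRepudiation,digitalSignature,keyEncipherment,keyAgreement
basicConstraints = critical,CA:FALSE
subjectAltName = otherName:$KRB5_PRINCIPAL_SAN;SEQUENCE:krb5princ_kdc
extendedKeyUsage = $KDC_EKU_LIST

[components_client]
component=GeneralString:user

[princ_client]
nametype=EXPLICIT:0,INTEGER:$NAMETYPE
components=EXPLICIT:1,SEQUENCE:components_client

[krb5princ_client]
realm=EXPLICIT:0,GeneralString:$REALM
princ=EXPLICIT:1,SEQUENCE:princ_client

[exts_client]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
keyUsage = nonRepudiation,digitalSignature,keyEncipherment,keyAgreement
basicConstraints = critical,CA:FALSE
subjectAltName = otherName:$KRB5_PRINCIPAL_SAN;SEQUENCE:krb5princ_client
extendedKeyUsage = $CLIENT_EKU_LIST

[exts_upn_client]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
keyUsage = nonRepudiation,digitalSignature,keyEncipherment,keyAgreement
basicConstraints = critical,CA:FALSE
subjectAltName = otherName:$KRB5_UPN_SAN;UTF8:user@$LOWREALM
extendedKeyUsage = $CLIENT_EKU_LIST

[exts_upn2_client]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
keyUsage = nonRepudiation,digitalSignature,keyEncipherment,keyAgreement
basicConstraints = critical,CA:FALSE
subjectAltName = otherName:$KRB5_UPN_SAN;UTF8:user
extendedKeyUsage = $CLIENT_EKU_LIST

[exts_upn3_client]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
keyUsage = nonRepudiation,digitalSignature,keyEncipherment,keyAgreement
basicConstraints = critical,CA:FALSE
subjectAltName = otherName:$KRB5_UPN_SAN;UTF8:user@$REALM
extendedKeyUsage = $CLIENT_EKU_LIST

[exts_none]
EOF

# Generate the shared RSA private key, plus a DES3-encrypted copy with a
# known passphrase so the encrypted-key code path can be exercised.
# The key files inherit the caller's umask (world-readable under 022);
# acceptable only because these are committed test fixtures.
openssl genrsa $KEYSIZE > privkey.pem
openssl rsa -in privkey.pem -out privkey-enc.pem -des3 -passout pass:encrypted

# Generate a P-256 EC private key for the EC client certificate.
openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 > eckey.pem

# Self-signed "CA" certificate with serial 1.  It is signed by the very
# same privkey.pem that every RSA end-entity certificate below uses.
SUBJECT=ca openssl req -config openssl.cnf -new -x509 -extensions exts_ca \
	-set_serial 1 -days $DAYS -key privkey.pem -out ca.pem

# Next serial number handed out by gen_cert (the CA took 1).
serial=2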
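# gen_cert SUBJECT EXTSECTION OUTFILE [KEYFILE]
#   SUBJECT     DN section of openssl.cnf ([kdc], [user], ...) for the CSR.
#   EXTSECTION  x509v3 extension section of openssl.cnf applied when signing.
#   OUTFILE     PEM certificate to write.
#   KEYFILE     subject private key; defaults to privkey.pem, i.e. the
#               same key that signs as the CA.
# Signs with ca.pem/privkey.pem, assigns the current value of the global
# "serial" counter and advances it, then removes the temporary CSR.
# With -e in effect a failing openssl step aborts the whole script (and
# leaves "csr" behind).  Positional arguments are quoted so that odd
# file names cannot be split or glob-expanded.
gen_cert() {
    keyfile=${4-privkey.pem}
    SUBJECT=$1 openssl req -config openssl.cnf -new -key "$keyfile" -out csr
    # SUBJECT is set for the signing step as well: openssl.cnf refers to
    # \$ENV::SUBJECT, so the config must still be able to resolve it.
    SUBJECT=$1 openssl x509 -extfile openssl.cnf -extensions "$2" \
        -set_serial "$serial" -days "$DAYS" -req -CA ca.pem -CAkey privkey.pem \
        -in csr -out "$3"
    serial=$((serial + 1))
    rm -f csr
}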
# gen_pkcs12 CERT OUT [PASSWORD]
# Bundle CERT together with privkey.pem into the PKCS#12 file OUT,
# protected by PASSWORD (empty when omitted).  Only meaningful for
# certificates issued for privkey.pem; ecuser.pem (keyed by eckey.pem) is
# deliberately never bundled.
gen_pkcs12() {
    # -descert keeps the output readable across OpenSSL releases: the
    # OpenSSL 1.1 default wraps the certificate with RC2, which OpenSSL 3
    # only provides through the legacy provider.  On OpenSSL 3 this is a
    # step down from AES to 3DES, which is irrelevant for test fixtures.
    openssl pkcs12 -export -descert -inkey privkey.pem -in "$1" \
        -passout "pass:$3" -out "$2"
}
# KDC certificate: id-pkinit-san for krbtgt/KRBTEST.COM plus the
# id-pkinit-KPKdc EKU.
gen_cert kdc exts_kdc kdc.pem

# RSA client certificate with an id-pkinit-san for "user", and PKCS#12
# bundles with an empty and with a non-empty password.
gen_cert user exts_client user.pem
gen_pkcs12 user.pem user.p12
gen_pkcs12 user.pem user-enc.p12 encrypted

# The same client profile on the P-256 key.  No PKCS#12 bundle for it:
# gen_pkcs12 always packs privkey.pem.
gen_cert user exts_client ecuser.pem eckey.pem

# Client certificates whose only name is a Microsoft UPN SAN:
#   ""  -> user@krbtest.com  (lower-case realm)
#   2   -> user              (no realm)
#   3   -> user@KRBTEST.COM  (upper-case realm)
# Order matters: gen_cert assigns serial numbers sequentially.
for variant in "" 2 3; do
    gen_cert user "exts_upn${variant}_client" "user-upn${variant}.pem"
    gen_pkcs12 "user-upn${variant}.pem" "user-upn${variant}.p12"
done

# Client certificate carrying no extensions at all (no PKINIT SAN, no EKU).
gen_cert user exts_none generic.pem
gen_pkcs12 generic.pem generic.p12

# Remove the generated OpenSSL configuration; keys and certificates stay.
rm -f openssl.cnf