GitHub Repository: freebsd/freebsd-src
Path: blob/main/crypto/krb5/src/tests/proxy-certs/make-certs.sh
1
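#!/bin/sh -e
#
# make-certs.sh - regenerate the TLS test certificates used by the krb5
# proxy-certs tests.  Everything is signed by a throwaway test CA whose
# private key is also reused for every leaf certificate; nothing produced
# here is fit for any purpose other than the test suite.
#
# Outputs (each proxy-*.pem holds the private key followed by the cert):
#   ca.pem             - self-signed test CA certificate (serial 1)
#   proxy-san.pem      - subject CN=PROXYinSubject, matching names in the SAN
#   proxy-subject.pem  - subject CN=localhost, no SAN
#   proxy-no-match.pem - subject CN=PROXYinSubject, no SAN (no matching name)
#   proxy-ideal.pem    - subject CN=localhost plus the SAN
#   proxy-badsig.pem   - proxy-ideal.pem with the last 16 bytes of its DER
#                        encoding zeroed, so signature verification fails

# Abort on the first failing command even when the script is invoked as
# "sh make-certs.sh", which ignores the -e given on the shebang line.
set -e

WORKDIR=$(pwd)
KEYSIZE=2048
# Validity of every certificate, in days.
DAYS=4000
REALM=KRBTEST.COM
# id-kp-serverAuth; the only EKU the proxy certificates carry.
TLS_SERVER_EKU=1.3.6.1.5.5.7.3.1
PROXY_EKU_LIST=$TLS_SERVER_EKU

# Write the OpenSSL configuration.  Shell variables are expanded here;
# \$ENV::SUBJECT is left for OpenSSL to resolve at run time.
cat > openssl.cnf << EOF
[req]
prompt = no
# The DN section is chosen at run time from the SUBJECT environment
# variable; every openssl command that reads this file must set it.
distinguished_name = \$ENV::SUBJECT

[ca]
default_ca = test_ca

[test_ca]
new_certs_dir = $WORKDIR
serial = $WORKDIR/ca.srl
database = $WORKDIR/ca.db
certificate = $WORKDIR/ca.pem
private_key = $WORKDIR/privkey.pem
default_days = $DAYS
x509_extensions = exts_proxy
policy = proxyname
default_md = sha256
unique_subject = no
email_in_dn = no

# Subject of the test CA.
# NOTE(review): CN is given twice; which value ends up in the CA subject
# depends on how OpenSSL's config parser treats a repeated key (the
# documented way to emit two CN RDNs is the "0.CN" / "1.CN" prefix form).
# Confirm before relying on the CA's CN anywhere.
[signer]
CN = test CA certificate
C = US
ST = Massachusetts
L = Cambridge
O = MIT
OU = Insecure Kerberos test CA
CN = test suite CA; do not use otherwise

# Subject whose CN does not match any hostname.
[proxy]
C = US
ST = Massachusetts
O = $REALM
CN = PROXYinSubject

# Subject whose CN matches the test hostname.
[localhost]
C = US
ST = Massachusetts
O = $REALM
CN = localhost

# "openssl ca" policy: take every DN field from the CSR as supplied.
[proxyname]
C = supplied
ST = supplied
O = supplied
CN = supplied

[exts_ca]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
keyUsage = nonRepudiation,digitalSignature,keyEncipherment,dataEncipherment,keyAgreement,keyCertSign,cRLSign
basicConstraints = critical,CA:TRUE

# Leaf extensions with a subjectAltName.  The non-ASCII DNS entries are
# part of the fixture; keep them byte-for-byte.
[exts_proxy]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
keyUsage = nonRepudiation,digitalSignature,keyEncipherment,keyAgreement
basicConstraints = critical,CA:FALSE
subjectAltName = DNS:proxyŠubjectÄltÑame,DNS:proxySubjectAltName,IP:127.0.0.1,IP:::1,DNS:localhost
extendedKeyUsage = $PROXY_EKU_LIST

# Leaf extensions without any subjectAltName.
[exts_proxy_no_san]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
keyUsage = nonRepudiation,digitalSignature,keyEncipherment,keyAgreement
basicConstraints = critical,CA:FALSE
extendedKeyUsage = $PROXY_EKU_LIST
EOF

# issue_cert EXTENSIONS CSR OUTPUT
# Sign CSR with the test CA using the named extension section of
# openssl.cnf and write the private key followed by the new certificate
# to OUTPUT.  "openssl ca" also leaves a copy named <serial>.pem in
# new_certs_dir; those are removed by the cleanup at the end.
issue_cert() {
    SUBJECT=proxy openssl ca -config openssl.cnf -extensions "$1" \
        -batch -days "$DAYS" -notext -out tmp.pem -in "$2"
    cat privkey.pem tmp.pem > "$3"
}

# Generate a private key.  The same key is used for the CA and for every
# leaf certificate below; this is test fixture material only.
openssl genrsa $KEYSIZE > privkey.pem

# Generate a self-signed "CA" certificate.
SUBJECT=signer openssl req -config openssl.cnf -new -x509 -extensions exts_ca \
    -set_serial 1 -days $DAYS -key privkey.pem -out ca.pem

# Generate proxy certificate signing requests.
SUBJECT=proxy openssl req -config openssl.cnf -new -key privkey.pem \
    -out proxy.csr
SUBJECT=localhost openssl req -config openssl.cnf -new -key privkey.pem \
    -out localhost.csr

# Initialise the CA state: serials start at 02 (01 is the CA itself) and
# the issued-certificate database starts empty.
echo 02 > ca.srl
: > ca.db

# Issue the certificate with the right name in a subjectAltName.
issue_cert exts_proxy proxy.csr proxy-san.pem

# Issue a certificate that only has the name in the subject field.
issue_cert exts_proxy_no_san localhost.csr proxy-subject.pem

# Issue a certificate that doesn't include any matching name values.
issue_cert exts_proxy_no_san proxy.csr proxy-no-match.pem

# Issue a certificate that contains all matching name values.
issue_cert exts_proxy localhost.csr proxy-ideal.pem

# Corrupt the signature on the certificate.  The signature value is the
# last element of the DER encoding, so zeroing the final 16 bytes breaks
# it while leaving the certificate structurally parseable.
SUBJECT=proxy openssl x509 -outform der -in proxy-ideal.pem -out bad.der
length=$(wc -c < bad.der)
dd if=/dev/zero bs=1 of=bad.der count=16 seek=$((length - 16))
SUBJECT=proxy openssl x509 -inform der -in bad.der -out tmp.pem
cat privkey.pem tmp.pem > proxy-badsig.pem

# Clean up everything except ca.pem and the proxy-*.pem outputs.
rm -f openssl.cnf proxy.csr localhost.csr privkey.pem ca.db ca.db.old ca.srl ca.srl.old ca.db.attr ca.db.attr.old 02.pem 03.pem 04.pem 05.pem tmp.pem bad.der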