Imported Upstream version 1.20.1
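#!/bin/sh
# Generate the CA, KDC and client certificates (and PKCS#12 bundles) used
# by the PKINIT tests.  A single throwaway RSA key serves as CA, KDC and
# client key, and the CA subject says "do not use otherwise": these are
# test fixtures, not credentials.
#
# Abort on the first failing command.  Setting this here instead of in
# the shebang keeps it effective when the script is run as
# "sh make-certs.sh", where shebang options are ignored.
set -e

NAMETYPE=1                 # name type of the client principal
KRBTGT_NAMETYPE=2          # name type of krbtgt/REALM
KEYSIZE=2048               # RSA modulus size for the shared test key
DAYS=4000                  # validity period of every certificate
REALM=KRBTEST.COM
LOWREALM=krbtest.com       # lowercase form used in the first UPN SAN
KRB5_PRINCIPAL_SAN=1.3.6.1.5.2.2            # id-pkinit-san otherName
KRB5_UPN_SAN=1.3.6.1.4.1.311.20.2.3         # Microsoft UPN otherName
PKINIT_KDC_EKU=1.3.6.1.5.2.3.5              # id-pkinit-KPKdc
PKINIT_CLIENT_EKU=1.3.6.1.5.2.3.4           # id-pkinit-KPClientAuth
TLS_SERVER_EKU=1.3.6.1.5.5.7.3.1            # id-kp-serverAuth
TLS_CLIENT_EKU=1.3.6.1.5.5.7.3.2            # id-kp-clientAuth
EMAIL_PROTECTION_EKU=1.3.6.1.5.5.7.3.4      # id-kp-emailProtection
# Add TLS EKUs to these if we're testing with NSS and we still have to
# piggy-back on the TLS trust settings.
KDC_EKU_LIST=$PKINIT_KDC_EKU
CLIENT_EKU_LIST=$PKINIT_CLIENT_EKU
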
# Write the OpenSSL configuration used by every openssl invocation below.
# The [req] section takes the subject DN section name from the SUBJECT
# environment variable (the escaped \$ENV must reach the file literally);
# the ca/kdc/user DN sections and the exts_* extension sections are then
# selected by name on the openssl command lines.  Shell variables (realm,
# name types, OIDs, EKU lists) are expanded as the file is written, and
# everything else in the here-document lands in openssl.cnf verbatim.
# exts_none is deliberately empty so a certificate can be issued with no
# extensions at all.
# NOTE(review): [ca] lists CN twice; which value OpenSSL keeps depends on
# its config parser -- confirm against the subject of the generated ca.pem.
cat > openssl.cnf << EOF
[req]
prompt = no
distinguished_name = \$ENV::SUBJECT

[ca]
CN = test CA certificate
C = US
ST = Massachusetts
L = Cambridge
O = MIT
OU = Insecure PKINIT Kerberos test CA
CN = pkinit test suite CA; do not use otherwise

[kdc]
C = US
ST = Massachusetts
O = KRBTEST.COM
CN = KDC

[user]
C = US
ST = Massachusetts
O = KRBTEST.COM
CN = user

[exts_ca]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
keyUsage = nonRepudiation,digitalSignature,keyEncipherment,dataEncipherment,keyAgreement,keyCertSign,cRLSign
basicConstraints = critical,CA:TRUE

[components_kdc]
0.component=GeneralString:krbtgt
1.component=GeneralString:$REALM

[princ_kdc]
nametype=EXPLICIT:0,INTEGER:$KRBTGT_NAMETYPE
components=EXPLICIT:1,SEQUENCE:components_kdc

[krb5princ_kdc]
realm=EXPLICIT:0,GeneralString:$REALM
princ=EXPLICIT:1,SEQUENCE:princ_kdc

[exts_kdc]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
keyUsage = nonRepudiation,digitalSignature,keyEncipherment,keyAgreement
basicConstraints = critical,CA:FALSE
subjectAltName = otherName:$KRB5_PRINCIPAL_SAN;SEQUENCE:krb5princ_kdc
extendedKeyUsage = $KDC_EKU_LIST

[components_client]
component=GeneralString:user

[princ_client]
nametype=EXPLICIT:0,INTEGER:$NAMETYPE
components=EXPLICIT:1,SEQUENCE:components_client

[krb5princ_client]
realm=EXPLICIT:0,GeneralString:$REALM
princ=EXPLICIT:1,SEQUENCE:princ_client

[exts_client]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
keyUsage = nonRepudiation,digitalSignature,keyEncipherment,keyAgreement
basicConstraints = critical,CA:FALSE
subjectAltName = otherName:$KRB5_PRINCIPAL_SAN;SEQUENCE:krb5princ_client
extendedKeyUsage = $CLIENT_EKU_LIST

[exts_upn_client]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
keyUsage = nonRepudiation,digitalSignature,keyEncipherment,keyAgreement
basicConstraints = critical,CA:FALSE
subjectAltName = otherName:$KRB5_UPN_SAN;UTF8:user@$LOWREALM
extendedKeyUsage = $CLIENT_EKU_LIST

[exts_upn2_client]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
keyUsage = nonRepudiation,digitalSignature,keyEncipherment,keyAgreement
basicConstraints = critical,CA:FALSE
subjectAltName = otherName:$KRB5_UPN_SAN;UTF8:user
extendedKeyUsage = $CLIENT_EKU_LIST

[exts_upn3_client]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
keyUsage = nonRepudiation,digitalSignature,keyEncipherment,keyAgreement
basicConstraints = critical,CA:FALSE
subjectAltName = otherName:$KRB5_UPN_SAN;UTF8:user@$REALM
extendedKeyUsage = $CLIENT_EKU_LIST

[exts_none]
EOF

# Generate one throwaway RSA private key.  The same key is reused below
# as the CA key, the KDC key and the client key.  An encrypted copy
# (passphrase "encrypted") is written alongside it.
openssl genrsa "$KEYSIZE" > privkey.pem
openssl rsa -in privkey.pem -des3 -passout pass:encrypted \
    -out privkey-enc.pem

# Self-sign the "CA" certificate with that key as serial number 1.  The
# [ca] DN section and the exts_ca extensions come from openssl.cnf.
SUBJECT=ca openssl req -config openssl.cnf -new -x509 \
    -extensions exts_ca -set_serial 1 -days "$DAYS" \
    -key privkey.pem -out ca.pem

# Serial numbers for the certificates issued by gen_cert continue here.
serial=2
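gen_cert() {
    # Issue one certificate signed by ca.pem with privkey.pem.
    #   $1: openssl.cnf DN section to use as the subject (via SUBJECT)
    #   $2: openssl.cnf extensions section to apply
    #   $3: output PEM file
    # Reads DAYS and the global serial counter, which it then increments,
    # so every call gets the next consecutive serial number.  The
    # temporary CSR is removed afterwards.  The expansions are quoted so
    # an empty or unusual argument is passed through as one word instead
    # of being dropped or split.
    SUBJECT=$1 openssl req -config openssl.cnf -new -key privkey.pem -out csr
    SUBJECT=$1 openssl x509 -extfile openssl.cnf -extensions "$2" \
           -set_serial "$serial" -days "$DAYS" -req -CA ca.pem -CAkey privkey.pem \
           -in csr -out "$3"
    serial=$((serial + 1))
    rm -f csr
}
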
gen_pkcs12() {
    # Bundle certificate $1 together with privkey.pem into PKCS#12 file
    # $2, protected by password $3 (empty when no third argument is
    # given).
    #
    # -descert is kept so that OpenSSL 1.1 produces files OpenSSL 3.0
    # can read: the 1.1 default uses RC2, which OpenSSL 3 only offers
    # through the legacy provider.  On OpenSSL 3.0 the same option
    # downgrades AES to DES3, which does not matter for test certs.
    openssl pkcs12 -export -descert -inkey privkey.pem -in "$1" \
            -passout pass:"$3" -out "$2"
}

# Generate a KDC certificate.
# gen_cert hands out consecutive serial numbers starting at 2, so the
# order of the calls below fixes each certificate's serial: kdc.pem gets
# 2, user.pem 3, and so on through generic.pem with 7.
gen_cert kdc exts_kdc kdc.pem

# Generate a client certificate and PKCS#12 bundles.
# The third gen_pkcs12 argument is the bundle password; user.p12 has
# none, user-enc.p12 uses "encrypted".
gen_cert user exts_client user.pem
gen_pkcs12 user.pem user.p12
gen_pkcs12 user.pem user-enc.p12 encrypted

# Generate a client certificate and PKCS#12 bundle with a UPN SAN.
gen_cert user exts_upn_client user-upn.pem
gen_pkcs12 user-upn.pem user-upn.p12

# Same, but with no realm in the UPN SAN.
gen_cert user exts_upn2_client user-upn2.pem
gen_pkcs12 user-upn2.pem user-upn2.p12

# Same, but with an uppercase realm in the UPN SAN.
gen_cert user exts_upn3_client user-upn3.pem
gen_pkcs12 user-upn3.pem user-upn3.p12

# Generate a client certificate and PKCS#12 bundle with no PKINIT extensions.
# exts_none is an empty section in openssl.cnf.
gen_cert user exts_none generic.pem
gen_pkcs12 generic.pem generic.p12

# Clean up.  Only the generated OpenSSL config is removed; the keys,
# certificates and .p12 bundles are the script's outputs and stay.
rm -f openssl.cnf