# otherName SAN types used below: the Kerberos principal-name SAN and the
# Microsoft UPN SAN.
KRB5_PRINCIPAL_SAN="1.3.6.1.5.2.2"
KRB5_UPN_SAN="1.3.6.1.4.1.311.20.2.3"

# Extended key usage OIDs: PKINIT KDC and client authentication, TLS
# server/client authentication, and e-mail protection.
PKINIT_KDC_EKU="1.3.6.1.5.2.3.5"
PKINIT_CLIENT_EKU="1.3.6.1.5.2.3.4"
TLS_SERVER_EKU="1.3.6.1.5.5.7.3.1"
TLS_CLIENT_EKU="1.3.6.1.5.5.7.3.2"
EMAIL_PROTECTION_EKU="1.3.6.1.5.5.7.3.4"

# EKU lists substituted into the KDC and client extension sections of the
# generated openssl.cnf.
# Add TLS EKUs to these if we're testing with NSS and we still have to
# piggy-back on the TLS trust settings.
KDC_EKU_LIST="$PKINIT_KDC_EKU"
CLIENT_EKU_LIST="$PKINIT_CLIENT_EKU"
21 cat > openssl.cnf << EOF
24 distinguished_name = \$ENV::SUBJECT
27 CN = test CA certificate
32 OU = Insecure PKINIT Kerberos test CA
33 CN = pkinit test suite CA; do not use otherwise
48 subjectKeyIdentifier = hash
49 authorityKeyIdentifier = keyid:always,issuer:always
50 keyUsage = nonRepudiation,digitalSignature,keyEncipherment,dataEncipherment,keyAgreement,keyCertSign,cRLSign
51 basicConstraints = critical,CA:TRUE
54 0.component=GeneralString:krbtgt
55 1.component=GeneralString:$REALM
58 nametype=EXPLICIT:0,INTEGER:$KRBTGT_NAMETYPE
59 components=EXPLICIT:1,SEQUENCE:components_kdc
62 realm=EXPLICIT:0,GeneralString:$REALM
63 princ=EXPLICIT:1,SEQUENCE:princ_kdc
66 subjectKeyIdentifier = hash
67 authorityKeyIdentifier = keyid:always,issuer:always
68 keyUsage = nonRepudiation,digitalSignature,keyEncipherment,keyAgreement
69 basicConstraints = critical,CA:FALSE
70 subjectAltName = otherName:$KRB5_PRINCIPAL_SAN;SEQUENCE:krb5princ_kdc
71 extendedKeyUsage = $KDC_EKU_LIST
74 component=GeneralString:user
77 nametype=EXPLICIT:0,INTEGER:$NAMETYPE
78 components=EXPLICIT:1,SEQUENCE:components_client
81 realm=EXPLICIT:0,GeneralString:$REALM
82 princ=EXPLICIT:1,SEQUENCE:princ_client
85 subjectKeyIdentifier = hash
86 authorityKeyIdentifier = keyid:always,issuer:always
87 keyUsage = nonRepudiation,digitalSignature,keyEncipherment,keyAgreement
88 basicConstraints = critical,CA:FALSE
89 subjectAltName = otherName:$KRB5_PRINCIPAL_SAN;SEQUENCE:krb5princ_client
90 extendedKeyUsage = $CLIENT_EKU_LIST
93 subjectKeyIdentifier = hash
94 authorityKeyIdentifier = keyid:always,issuer:always
95 keyUsage = nonRepudiation,digitalSignature,keyEncipherment,keyAgreement
96 basicConstraints = critical,CA:FALSE
97 subjectAltName = otherName:$KRB5_UPN_SAN;UTF8:user@$LOWREALM
98 extendedKeyUsage = $CLIENT_EKU_LIST
101 subjectKeyIdentifier = hash
102 authorityKeyIdentifier = keyid:always,issuer:always
103 keyUsage = nonRepudiation,digitalSignature,keyEncipherment,keyAgreement
104 basicConstraints = critical,CA:FALSE
105 subjectAltName = otherName:$KRB5_UPN_SAN;UTF8:user
106 extendedKeyUsage = $CLIENT_EKU_LIST
109 subjectKeyIdentifier = hash
110 authorityKeyIdentifier = keyid:always,issuer:always
111 keyUsage = nonRepudiation,digitalSignature,keyEncipherment,keyAgreement
112 basicConstraints = critical,CA:FALSE
113 subjectAltName = otherName:$KRB5_UPN_SAN;UTF8:user@$REALM
114 extendedKeyUsage = $CLIENT_EKU_LIST
# Generate a private key.  This single key does all the work in this
# script: it signs the "CA" certificate below and (in gen_cert, which
# passes it as both -key and -CAkey) is the subject key of every leaf
# certificate issued.  That is fine for test fixtures only.
openssl genrsa $KEYSIZE > privkey.pem
# Keep a DES3-encrypted copy as well, under the fixed passphrase
# "encrypted" that the test suite expects.
openssl rsa -des3 -passout pass:encrypted -in privkey.pem -out privkey-enc.pem

# Generate a "CA" certificate.  The subject DN comes from the openssl.cnf
# section named by $SUBJECT (distinguished_name = $ENV::SUBJECT), and the
# exts_ca section supplies the CA:TRUE basic constraint.
SUBJECT=ca openssl req -config openssl.cnf -new -x509 \
    -key privkey.pem -extensions exts_ca -set_serial 1 -days $DAYS \
    -out ca.pem
129 SUBJECT=$1 openssl req -config openssl.cnf -new -key privkey.pem -out csr
130 SUBJECT=$1 openssl x509 -extfile openssl.cnf -extensions $2 \
131 -set_serial $serial -days $DAYS -req -CA ca.pem -CAkey privkey.pem \
133 serial=$((serial + 1))
138 # Use -descert to make OpenSSL 1.1 generate files OpenSSL 3.0 can
139 # read (the default uses RC2, which is only available in the
140 # legacy provider in OpenSSL 3). This option causes an algorithm
141 # downgrade with OpenSSL 3.0 (AES to DES3), but that isn't
142 # important for test certs.
143 openssl pkcs12 -export -descert -in "$1" -inkey privkey.pem -out "$2" \
# Generate a KDC certificate.
gen_cert kdc exts_kdc kdc.pem

# Generate a client certificate plus two PKCS#12 bundles: one unprotected
# and one protected with the test passphrase.
gen_cert user exts_client user.pem
gen_pkcs12 user.pem user.p12
gen_pkcs12 user.pem user-enc.p12 encrypted

# Remaining client variants, as "extension-section:output-basename" pairs,
# each with a matching PKCS#12 bundle.  Keep the listed order: gen_cert
# appears to hand out serial numbers in call order ($serial is bumped on
# every call).
#   exts_upn_client  - UPN SAN, user@$LOWREALM
#   exts_upn2_client - UPN SAN with no realm
#   exts_upn3_client - UPN SAN with an uppercase realm
#   exts_none        - no PKINIT extensions at all
for variant in exts_upn_client:user-upn exts_upn2_client:user-upn2 \
               exts_upn3_client:user-upn3 exts_none:generic; do
    ext_section=${variant%%:*}
    out_base=${variant#*:}
    gen_cert user "$ext_section" "$out_base.pem"
    gen_pkcs12 "$out_base.pem" "$out_base.p12"
done