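#!/bin/sh
#
# Generate the certificate fixtures used by the test suite: a self-signed
# test CA plus several leaf certificates for the HTTPS proxy name-matching
# tests.  All files are written to the current directory.
#
# Outputs (each leaf file is key + certificate, PEM):
#   ca.pem             self-signed test CA certificate
#   proxy-san.pem      matching name only in subjectAltName
#   proxy-subject.pem  matching name only in the subject CN
#   proxy-no-match.pem no matching name anywhere
#   proxy-ideal.pem    matching names in both places
#   proxy-badsig.pem   proxy-ideal with its signature bytes zeroed
#
# One RSA key (privkey.pem) is generated and reused for the CA and every
# leaf certificate, and the CA names itself "Insecure Kerberos test CA";
# these fixtures are only meaningful inside the test suite.

# Put the option in the script, not the shebang, so it also applies when
# invoked as "sh make-certs.sh".
set -e

PWD=$(pwd)
NAMETYPE=1
KEYSIZE=2048
DAYS=4000
REALM=KRBTEST.COM
TLS_SERVER_EKU=1.3.6.1.5.5.7.3.1
PROXY_EKU_LIST=$TLS_SERVER_EKU

# The heredoc is unquoted on purpose: $PWD, $DAYS and $PROXY_EKU_LIST are
# expanded now, while \$ENV::SUBJECT stays literal so openssl picks the
# DN section from the SUBJECT environment variable at each invocation.
cat > openssl.cnf << EOF
[req]
prompt = no
distinguished_name = \$ENV::SUBJECT

[ca]
default_ca = test_ca

[test_ca]
new_certs_dir = $PWD
serial = $PWD/ca.srl
database = $PWD/ca.db
certificate = $PWD/ca.pem
private_key = $PWD/privkey.pem
default_days = $DAYS
x509_extensions = exts_proxy
policy = proxyname
default_md = sha256
unique_subject = no
email_in_dn = no

[signer]
CN = test CA certificate
C = US
ST = Massachusetts
L = Cambridge
O = MIT
OU = Insecure Kerberos test CA
CN = test suite CA; do not use otherwise

[proxy]
C = US
ST = Massachusetts
O = KRBTEST.COM
CN = PROXYinSubject

[localhost]
C = US
ST = Massachusetts
O = KRBTEST.COM
CN = localhost

[proxyname]
C = supplied
ST = supplied
O = supplied
CN = supplied

[exts_ca]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
keyUsage = nonRepudiation,digitalSignature,keyEncipherment,dataEncipherment,keyAgreement,keyCertSign,cRLSign
basicConstraints = critical,CA:TRUE

[exts_proxy]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
keyUsage = nonRepudiation,digitalSignature,keyEncipherment,keyAgreement
basicConstraints = critical,CA:FALSE
subjectAltName = DNS:proxyŠubjectÄltÑame,DNS:proxySubjectAltName,IP:127.0.0.1,IP:::1,DNS:localhost
extendedKeyUsage = $PROXY_EKU_LIST

[exts_proxy_no_san]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
keyUsage = nonRepudiation,digitalSignature,keyEncipherment,keyAgreement
basicConstraints = critical,CA:FALSE
extendedKeyUsage = $PROXY_EKU_LIST
EOF

# Generate a private key (shared by the CA and all leaf certificates).
openssl genrsa "$KEYSIZE" > privkey.pem

# Generate a "CA" certificate.
SUBJECT=signer openssl req -config openssl.cnf -new -x509 -extensions exts_ca \
  -set_serial 1 -days "$DAYS" -key privkey.pem -out ca.pem

# Generate proxy certificate signing requests.
SUBJECT=proxy openssl req -config openssl.cnf -new -key privkey.pem \
  -out proxy.csr
SUBJECT=localhost openssl req -config openssl.cnf -new -key privkey.pem \
  -out localhost.csr

# Issue the certificate with the right name in a subjectAltName.
# The CA serial starts at 02 because the CA itself used serial 1.
echo 02 > ca.srl
cat /dev/null > ca.db
SUBJECT=proxy openssl ca -config openssl.cnf -extensions exts_proxy \
  -batch -days "$DAYS" -notext -out tmp.pem -in proxy.csr
cat privkey.pem tmp.pem > proxy-san.pem

# Issue a certificate that only has the name in the subject field.
SUBJECT=proxy openssl ca -config openssl.cnf -extensions exts_proxy_no_san \
  -batch -days "$DAYS" -notext -out tmp.pem -in localhost.csr
cat privkey.pem tmp.pem > proxy-subject.pem

# Issue a certificate that doesn't include any matching name values.
SUBJECT=proxy openssl ca -config openssl.cnf -extensions exts_proxy_no_san \
  -batch -days "$DAYS" -notext -out tmp.pem -in proxy.csr
cat privkey.pem tmp.pem > proxy-no-match.pem

# Issue a certificate that contains all matching name values.
SUBJECT=proxy openssl ca -config openssl.cnf -extensions exts_proxy \
  -batch -days "$DAYS" -notext -out tmp.pem -in localhost.csr
cat privkey.pem tmp.pem > proxy-ideal.pem

# Corrupt the signature on the certificate: the signature value is the
# last element of the DER encoding, so overwriting the final 16 bytes with
# zeros yields a structurally valid certificate that fails verification.
SUBJECT=proxy openssl x509 -outform der -in proxy-ideal.pem -out bad.der
length=$(wc -c < bad.der)
dd if=/dev/zero bs=1 of=bad.der count=16 seek=$((length - 16))
SUBJECT=proxy openssl x509 -inform der -in bad.der -out tmp.pem
cat privkey.pem tmp.pem > proxy-badsig.pem

# Clean up.  The numbered .pem files are the copies "openssl ca" leaves in
# new_certs_dir, one per serial number issued above.
rm -f -- openssl.cnf proxy.csr localhost.csr privkey.pem ca.db ca.db.old \
  ca.srl ca.srl.old ca.db.attr ca.db.attr.old 02.pem 03.pem 04.pem 05.pem \
  tmp.pem bad.der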