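#!/bin/sh
#
# Generate the throwaway CA and server certificates used by the test suite's
# TLS name-matching and signature-validation checks.
#
# Everything produced here is TEST DATA ONLY.  A single RSA key is generated
# and reused for the CA and for every leaf certificate, and that same key is
# prepended to each proxy-*.pem output so a test can load cert+key from one
# file.  The CA subject says "Insecure ... do not use otherwise" for a reason.
#
# Outputs (written to the current directory):
#   ca.pem             self-signed "CA" certificate (CA:TRUE, keyCertSign)
#   proxy-san.pem      CN=PROXYinSubject; the matching names live only in the
#                      subjectAltName extension
#   proxy-subject.pem  CN=localhost; no subjectAltName extension at all
#   proxy-no-match.pem CN=PROXYinSubject and no subjectAltName (nothing matches)
#   proxy-ideal.pem    CN=localhost plus the full subjectAltName
#   proxy-badsig.pem   proxy-ideal with the last 16 bytes of its DER encoding
#                      zeroed, i.e. a well-formed certificate whose signature
#                      must fail to verify
#
# Requires: openssl, dd, wc.  All intermediate files are removed at the end.

# Put the options in "set" rather than the shebang so they survive being run
# as "sh make-certs.sh".  -e aborts on the first failing openssl/dd command;
# -u turns a misspelled variable into an error instead of an empty config
# value.
set -eu

PWD=$(pwd)
NAMETYPE=1                         # not referenced below
KEYSIZE=2048
DAYS=4000                          # ~11 years, so the fixtures do not expire
REALM=KRBTEST.COM                  # not referenced below; O= is literal
TLS_SERVER_EKU=1.3.6.1.5.5.7.3.1   # id-kp-serverAuth
PROXY_EKU_LIST=$TLS_SERVER_EKU

# The unquoted heredoc expands $PWD, $DAYS and $PROXY_EKU_LIST now; the
# escaped \$ENV::SUBJECT is left for OpenSSL, which resolves it from the
# SUBJECT environment variable set on each "openssl req" invocation below.
cat > openssl.cnf << EOF
[req]
prompt = no
distinguished_name = \$ENV::SUBJECT
# Pin the digest for the self-signed CA cert and the CSRs; without this the
# choice falls back to whatever this OpenSSL build defaults to, while the
# [test_ca] section below already pins sha256 for the issued certificates.
default_md = sha256

[ca]
default_ca = test_ca

[test_ca]
new_certs_dir = $PWD
serial = $PWD/ca.srl
database = $PWD/ca.db
certificate = $PWD/ca.pem
private_key = $PWD/privkey.pem
default_days = $DAYS
x509_extensions = exts_proxy
policy = proxyname
default_md = sha256
unique_subject = no
email_in_dn = no

[signer]
CN = test CA certificate
C = US
ST = Massachusetts
L = Cambridge
O = MIT
OU = Insecure Kerberos test CA
CN = test suite CA; do not use otherwise

[proxy]
C = US
ST = Massachusetts
O = KRBTEST.COM
CN = PROXYinSubject

[localhost]
C = US
ST = Massachusetts
O = KRBTEST.COM
CN = localhost

# "supplied" = the CSR must carry the attribute and it is copied verbatim.
[proxyname]
C = supplied
ST = supplied
O = supplied
CN = supplied

[exts_ca]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
keyUsage = nonRepudiation,digitalSignature,keyEncipherment,dataEncipherment,keyAgreement,keyCertSign,cRLSign
basicConstraints = critical,CA:TRUE

# Leaf profile with the names the tests look for in subjectAltName.  The
# first DNS entry is deliberately non-ASCII to exercise name comparison on
# non-ASCII input.
[exts_proxy]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
keyUsage = nonRepudiation,digitalSignature,keyEncipherment,keyAgreement
basicConstraints = critical,CA:FALSE
subjectAltName = DNS:proxyŠubjectÄltÑame,DNS:proxySubjectAltName,IP:127.0.0.1,IP:::1,DNS:localhost
extendedKeyUsage = $PROXY_EKU_LIST

# Same leaf profile without any subjectAltName, so only the subject DN can
# match.
[exts_proxy_no_san]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
keyUsage = nonRepudiation,digitalSignature,keyEncipherment,keyAgreement
basicConstraints = critical,CA:FALSE
extendedKeyUsage = $PROXY_EKU_LIST
EOF

# Generate the one private key shared by the CA and every leaf certificate.
openssl genrsa -out privkey.pem "$KEYSIZE"

# Generate a self-signed "CA" certificate with serial 1.
SUBJECT=signer openssl req -config openssl.cnf -new -x509 -extensions exts_ca \
    -set_serial 1 -days "$DAYS" -key privkey.pem -out ca.pem

# Generate certificate signing requests for the two subject DNs.
SUBJECT=proxy openssl req -config openssl.cnf -new -key privkey.pem \
    -out proxy.csr
SUBJECT=localhost openssl req -config openssl.cnf -new -key privkey.pem \
    -out localhost.csr

# Start the CA's serial counter at 2 (the CA cert itself used 1) with an
# empty index; "openssl ca" appends an entry per issued cert and also drops a
# copy of each cert as <serial>.pem in new_certs_dir, cleaned up at the end.
printf '02\n' > ca.srl
: > ca.db

# Issue the certificate with the right name in a subjectAltName (subject CN
# does not match).
SUBJECT=proxy openssl ca -config openssl.cnf -extensions exts_proxy \
    -batch -days "$DAYS" -notext -out tmp.pem -in proxy.csr
cat privkey.pem tmp.pem > proxy-san.pem

# Issue a certificate that only has the name in the subject field.
SUBJECT=proxy openssl ca -config openssl.cnf -extensions exts_proxy_no_san \
    -batch -days "$DAYS" -notext -out tmp.pem -in localhost.csr
cat privkey.pem tmp.pem > proxy-subject.pem

# Issue a certificate that doesn't include any matching name values.
SUBJECT=proxy openssl ca -config openssl.cnf -extensions exts_proxy_no_san \
    -batch -days "$DAYS" -notext -out tmp.pem -in proxy.csr
cat privkey.pem tmp.pem > proxy-no-match.pem

# Issue a certificate that contains all matching name values.
SUBJECT=proxy openssl ca -config openssl.cnf -extensions exts_proxy \
    -batch -days "$DAYS" -notext -out tmp.pem -in localhost.csr
cat privkey.pem tmp.pem > proxy-ideal.pem

# Corrupt the signature on the certificate.  In DER the signature value is
# the last field of the Certificate SEQUENCE, so zeroing the final 16 bytes
# leaves the TBSCertificate intact and breaks only the signature.
SUBJECT=proxy openssl x509 -outform der -in proxy-ideal.pem -out bad.der
# wc -c gives the byte count as a plain decimal, safe for $((...)) (an
# od-style zero-padded offset would be parsed as octal there).
length=$(wc -c < bad.der)
# conv=notrunc: overwrite the tail in place without truncating the file.
dd if=/dev/zero bs=1 of=bad.der count=16 seek=$((length - 16)) conv=notrunc
SUBJECT=proxy openssl x509 -inform der -in bad.der -out tmp.pem
cat privkey.pem tmp.pem > proxy-badsig.pem

# Clean up: config, CSRs, the shared key (it survives inside the proxy-*.pem
# files), the CA database/serial files and their .old backups, the per-serial
# copies "openssl ca" made, and the scratch files.
rm -f openssl.cnf proxy.csr localhost.csr privkey.pem \
    ca.db ca.db.old ca.srl ca.srl.old ca.db.attr ca.db.attr.old \
    02.pem 03.pem 04.pem 05.pem tmp.pem bad.der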