xref: /freebsd/crypto/openssl/test/recipes/25-test_eai_data/kdc.sh (revision a64729f5077d77e13b9497cb33ecb3c82e606ee8)
1#! /usr/bin/env bash
2
3# Create a root CA, signing a leaf cert with a KDC principal otherName SAN, and
4# also a non-UTF8 smtpUtf8Mailbox SAN followed by an rfc822Name SAN and a DNS
5# name SAN.  In the vulnerable EAI code, the KDC principal `otherName` should
6# trigger ASAN errors in DNS name checks, while the non-UTF8 `smtpUtf8Mailbox`
7# should likewise lead to ASAN issues with email name checks.
8
9rm -f root-key.pem root-cert.pem
10openssl req -nodes -new -newkey rsa:2048 -keyout kdc-root-key.pem \
11        -x509 -subj /CN=Root -days 36524 -out kdc-root-cert.pem
12
13exts=$(
14    printf "%s\n%s\n%s\n%s = " \
15        "subjectKeyIdentifier = hash" \
16        "authorityKeyIdentifier = keyid" \
17        "basicConstraints = CA:false" \
18        "subjectAltName"
19    printf "%s, " "otherName:1.3.6.1.5.2.2;SEQUENCE:kdc_princ_name"
20    printf "%s, " "otherName:1.3.6.1.5.5.7.8.9;IA5:moe@example.com"
21    printf "%s, " "email:joe@example.com"
22    printf "%s\n" "DNS:mx1.example.com"
23    printf "[kdc_princ_name]\n"
24    printf "realm = EXP:0, GeneralString:TEST.EXAMPLE\n"
25    printf "principal_name = EXP:1, SEQUENCE:kdc_principal_seq\n"
26    printf "[kdc_principal_seq]\n"
27    printf "name_type = EXP:0, INTEGER:1\n"
28    printf "name_string = EXP:1, SEQUENCE:kdc_principal_components\n"
29    printf "[kdc_principal_components]\n"
30    printf "princ1 = GeneralString:krbtgt\n"
31    printf "princ2 = GeneralString:TEST.EXAMPLE\n"
32    )
33
34printf "%s\n" "$exts"
35
36openssl req -nodes -new -newkey rsa:2048 -keyout kdc-key.pem \
37    -subj "/CN=TEST.EXAMPLE" |
38    openssl x509 -req -out kdc-cert.pem \
39        -CA "kdc-root-cert.pem" -CAkey "kdc-root-key.pem" \
40        -set_serial 2 -days 36524 \
41        -extfile <(printf "%s\n" "$exts")
42