author | Richard Levitte <levitte@openssl.org> | 2016-06-19 10:56:09 +0200 |
---|---|---|
committer | Richard Levitte <levitte@openssl.org> | 2016-06-20 21:34:37 +0200 |
commit | 71c8cd20852d43fa142ca3f6e89a33431c506baf (patch) | |
tree | 9ef5cd2a1dfb1680b9c2c2249c9bec03699a446c /test/certs/mkcert.sh | |
parent | make update (diff) | |
Make it possible to generate proxy certs with test/certs/mkcert.sh
This extends 'req' to take more than one DN component, and to take
them as full DN components and not just CN values. All other commands
are changed to pass "CN = $cn" instead of just a CN value.
This adds 'genpc', which differs from the other 'gen*' commands by not
calling 'req', and instead expecting the result from 'req' to come through stdin.
Finally, test/certs/setup.sh gets the commands needed to generate a
few proxy certificates.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Stephen Henson <steve@openssl.org>
Diffstat (limited to 'test/certs/mkcert.sh')
-rwxr-xr-x | test/certs/mkcert.sh | 39 |
1 files changed, 31 insertions, 8 deletions
diff --git a/test/certs/mkcert.sh b/test/certs/mkcert.sh
index daa0679ee8..39e3a1e28c 100755
--- a/test/certs/mkcert.sh
+++ b/test/certs/mkcert.sh
@@ -49,17 +49,18 @@ key() {
 fi
 }
+# Usage: $0 req keyname dn1 dn2 ...
 req() {
 local key=$1; shift
- local cn=$1; shift
 key "$key"
 local errs
 stderr_onerror \
 openssl req -new -"${OPENSSL_SIGALG}" -key "${key}.pem" \
- -config <(printf "[req]\n%s\n%s\n[dn]\nCN=%s\n" \
- "prompt = no" "distinguished_name = dn" "${cn}")
+ -config <(printf "[req]\n%s\n%s\n[dn]\n" \
+ "prompt = no" "distinguished_name = dn" "${dn}"
+ for dn in "$@"; do echo "$dn"; done)
 }
 req_nocn() {
@@ -93,7 +94,7 @@ genroot() {
 do
 exts=$(printf "%s\nextendedKeyUsage = %s\n" "$exts" "$eku")
 done
- csr=$(req "$key" "$cn") || return 1
+ csr=$(req "$key" "CN = $cn") || return 1
 echo "$csr" |
 cert "$cert" "$exts" -signkey "${key}.pem" -set_serial 1 -days "${DAYS}"
 }
@@ -112,7 +113,7 @@ genca() {
 do
 exts=$(printf "%s\nextendedKeyUsage = %s\n" "$exts" "$eku")
 done
- csr=$(req "$key" "$cn") || return 1
+ csr=$(req "$key" "CN = $cn") || return 1
 echo "$csr" |
 cert "$cert" "$exts" -CA "${cacert}.pem" -CAkey "${cakey}.pem" \
 -set_serial 2 -days "${DAYS}"
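Review bot: In the new req() body the printf call still receives `"${dn}"` as a third argument, left over from the removed `"${cn}"`, but `dn` is only assigned by the `for dn in "$@"` loop on the following line, so at expansion time it is empty or whatever value `dn` already holds in the calling shell. Bash's printf reuses the format string to consume the leftover argument, so the generated config gets a second `[req]`/`[dn]` pair with blank entries ahead of the DN components; the components still end up under a `[dn]` heading, which is why the stray argument goes unnoticed. The fix is to drop it: `"prompt = no" "distinguished_name = dn"`. Since each argument is now written into the config unchanged, a comment next to the Usage line such as `# each dn argument is emitted verbatim as a [dn] line, e.g. "CN = name"` would document the new calling convention.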
@@ -133,12 +134,34 @@ gen_nonbc_ca() {
 do
 exts=$(printf "%s\nextendedKeyUsage = %s\n" "$exts" "$eku")
 done
- csr=$(req "$key" "$cn") || return 1
+ csr=$(req "$key" "CN = $cn") || return 1
 echo "$csr" |
 cert "$cert" "$exts" -CA "${cacert}.pem" -CAkey "${cakey}.pem" \
 -set_serial 2 -days "${DAYS}"
 }
+# Usage: $0 genpc keyname certname eekeyname eecertname pcext1 pcext2 ...
+#
+# Note: takes csr on stdin, so must be used with $0 req like this:
+#
+# $0 req keyname dn | $0 genpc keyname certname eekeyname eecertname pcext ...
+genpc() {
+ local key=$1; shift
+ local cert=$1; shift
+ local cakey=$1; shift
+ local ca=$1; shift
+ exts=$(printf "%s\n%s\n%s\n%s\n" \
+ "subjectKeyIdentifier = hash" \
+ "authorityKeyIdentifier = keyid, issuer:always" \
+ "basicConstraints = CA:false" \
+ "proxyCertInfo = critical, @pcexts";
+ echo "[pcexts]";
+ for x in "$@"; do echo $x; done)
+ cert "$cert" "$exts" -CA "${ca}.pem" -CAkey "${cakey}.pem" \
+ -set_serial 2 -days "${DAYS}"
+}
 genee() {
 local OPTIND=1
 local purpose=serverAuth
@@ -165,7 +188,7 @@ genee() {
 "basicConstraints = CA:false" \
 "extendedKeyUsage = $purpose" \
 "subjectAltName = @alts" "DNS=${cn}")
- csr=$(req "$key" "$cn") || return 1
+ csr=$(req "$key" "CN = $cn") || return 1
 echo "$csr" |
 cert "$cert" "$exts" -CA "${ca}.pem" -CAkey "${cakey}.pem" \
 -set_serial 2 -days "${DAYS}" "$@"
@@ -182,7 +205,7 @@ genss() {
 "basicConstraints = CA:false" \
 "extendedKeyUsage = serverAuth" \
 "subjectAltName = @alts" "DNS=${cn}")
- csr=$(req "$key" "$cn") || return 1
+ csr=$(req "$key" "CN = $cn") || return 1
 echo "$csr" |
 cert "$cert" "$exts" -signkey "${key}.pem" \
 -set_serial 1 -days "${DAYS}" "$@" |
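Review bot: In genpc() the loop `for x in "$@"; do echo $x; done` leaves `$x` unquoted, so each proxy-extension argument is word-split and glob-expanded before it is written into the `[pcexts]` section; `printf '%s\n' "$@"` emits the arguments verbatim and replaces the loop. `exts` is assigned without `local`, unlike `key`, `cert`, `cakey` and `ca` just above it, so it is left behind in the caller's shell (this hunk does not show whether the other gen* functions declare it, but the new function can). The Usage comment names the last two positional parameters `eekeyname eecertname` while the body binds them to `cakey` and `ca` and passes them as `-CA`/`-CAkey`; a short comment such as `# the end-entity key/cert act as issuer of the proxy cert` would make the stdin pipeline shown in the Note easier to follow.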