openssl/test/certs/setup.sh

#! /bin/sh

# Primary root: root-cert
# root cert variants: CA:false, key2, DN2
# trust variants: +serverAuth -serverAuth +clientAuth -clientAuth +anyEKU -anyEKU
#
./mkcert.sh genroot "Root CA" root-key root-cert
./mkcert.sh genss "Root CA" root-key root-nonca
./mkcert.sh genroot "Root CA" root-key2 root-cert2
./mkcert.sh genroot "Root Cert 2" root-key root-name2
#
openssl x509 -in root-cert.pem -trustout \
    -addtrust serverAuth -out root+serverAuth.pem
openssl x509 -in root-cert.pem -trustout \
    -addreject serverAuth -out root-serverAuth.pem
openssl x509 -in root-cert.pem -trustout \
    -addtrust clientAuth -out root+clientAuth.pem
openssl x509 -in root-cert.pem -trustout \
    -addreject clientAuth -out root-clientAuth.pem
openssl x509 -in root-cert.pem -trustout \
    -addreject anyExtendedKeyUsage -out root-anyEKU.pem
openssl x509 -in root-cert.pem -trustout \
    -addtrust anyExtendedKeyUsage -out root+anyEKU.pem
openssl x509 -in root-cert2.pem -trustout \
    -addtrust serverAuth -out root2+serverAuth.pem
openssl x509 -in root-cert2.pem -trustout \
    -addreject serverAuth -out root2-serverAuth.pem
openssl x509 -in root-cert2.pem -trustout \
    -addtrust clientAuth -out root2+clientAuth.pem
openssl x509 -in root-nonca.pem -trustout \
    -addtrust serverAuth -out nroot+serverAuth.pem
openssl x509 -in root-nonca.pem -trustout \
    -addtrust anyExtendedKeyUsage -out nroot+anyEKU.pem

# Root CA security level variants:
# MD5 self-signature
OPENSSL_SIGALG=md5 \
./mkcert.sh genroot "Root CA" root-key root-cert-md5
# 768-bit key
OPENSSL_KEYBITS=768 \
./mkcert.sh genroot "Root CA" root-key-768 root-cert-768

# primary client-EKU root: croot-cert
# trust variants: +serverAuth -serverAuth +clientAuth +anyEKU -anyEKU
#
./mkcert.sh genroot "Root CA" root-key croot-cert clientAuth
#
openssl x509 -in croot-cert.pem -trustout \
    -addtrust serverAuth -out croot+serverAuth.pem
openssl x509 -in croot-cert.pem -trustout \
    -addreject serverAuth -out croot-serverAuth.pem
openssl x509 -in croot-cert.pem -trustout \
    -addtrust clientAuth -out croot+clientAuth.pem
openssl x509 -in croot-cert.pem -trustout \
    -addreject clientAuth -out croot-clientAuth.pem
openssl x509 -in croot-cert.pem -trustout \
    -addreject anyExtendedKeyUsage -out croot-anyEKU.pem
openssl x509 -in croot-cert.pem -trustout \
    -addtrust anyExtendedKeyUsage -out croot+anyEKU.pem

# primary server-EKU root: sroot-cert
# trust variants: +serverAuth -serverAuth +clientAuth +anyEKU -anyEKU
#
./mkcert.sh genroot "Root CA" root-key sroot-cert serverAuth
#
openssl x509 -in sroot-cert.pem -trustout \
    -addtrust serverAuth -out sroot+serverAuth.pem
openssl x509 -in sroot-cert.pem -trustout \
    -addreject serverAuth -out sroot-serverAuth.pem
openssl x509 -in sroot-cert.pem -trustout \
    -addtrust clientAuth -out sroot+clientAuth.pem
openssl x509 -in sroot-cert.pem -trustout \
    -addreject clientAuth -out sroot-clientAuth.pem
openssl x509 -in sroot-cert.pem -trustout \
    -addreject anyExtendedKeyUsage -out sroot-anyEKU.pem
openssl x509 -in sroot-cert.pem -trustout \
    -addtrust anyExtendedKeyUsage -out sroot+anyEKU.pem

# Primary intermediate ca: ca-cert
# ca variants: CA:false, key2, DN2, issuer2, expired
# trust variants: +serverAuth, -serverAuth, +clientAuth, -clientAuth, -anyEKU, +anyEKU
#
./mkcert.sh genca "CA" ca-key ca-cert root-key root-cert
./mkcert.sh genee "CA" ca-key ca-nonca root-key root-cert
./mkcert.sh gen_nonbc_ca "CA" ca-key ca-nonbc root-key root-cert
./mkcert.sh genca "CA" ca-key2 ca-cert2 root-key root-cert
./mkcert.sh genca "CA2" ca-key ca-name2 root-key root-cert
./mkcert.sh genca "CA" ca-key ca-root2 root-key2 root-cert2
DAYS=-1 ./mkcert.sh genca "CA" ca-key ca-expired root-key root-cert
#
openssl x509 -in ca-cert.pem -trustout \
    -addtrust serverAuth -out ca+serverAuth.pem
openssl x509 -in ca-cert.pem -trustout \
    -addreject serverAuth -out ca-serverAuth.pem
openssl x509 -in ca-cert.pem -trustout \
    -addtrust clientAuth -out ca+clientAuth.pem
openssl x509 -in ca-cert.pem -trustout \
    -addreject clientAuth -out ca-clientAuth.pem
openssl x509 -in ca-cert.pem -trustout \
    -addreject anyExtendedKeyUsage -out ca-anyEKU.pem
openssl x509 -in ca-cert.pem -trustout \
    -addtrust anyExtendedKeyUsage -out ca+anyEKU.pem
openssl x509 -in ca-nonca.pem -trustout \
    -addtrust serverAuth -out nca+serverAuth.pem
openssl x509 -in ca-nonca.pem -trustout \
    -addtrust serverAuth -out nca+anyEKU.pem

# Intermediate CA security variants:
# MD5 issuer signature,
OPENSSL_SIGALG=md5 \
./mkcert.sh genca "CA" ca-key ca-cert-md5 root-key root-cert
openssl x509 -in ca-cert-md5.pem -trustout \
    -addtrust anyExtendedKeyUsage -out ca-cert-md5-any.pem
# Issuer has 768-bit key
./mkcert.sh genca "CA" ca-key ca-cert-768i root-key-768 root-cert-768
# CA has 768-bit key
OPENSSL_KEYBITS=768 \
./mkcert.sh genca "CA" ca-key-768 ca-cert-768 root-key root-cert

# client intermediate ca: cca-cert
# trust variants: +serverAuth, -serverAuth, +clientAuth, -clientAuth
#
./mkcert.sh genca "CA" ca-key cca-cert root-key root-cert clientAuth
#
openssl x509 -in cca-cert.pem -trustout \
    -addtrust serverAuth -out cca+serverAuth.pem
openssl x509 -in cca-cert.pem -trustout \
    -addreject serverAuth -out cca-serverAuth.pem
openssl x509 -in cca-cert.pem -trustout \
    -addtrust clientAuth -out cca+clientAuth.pem
openssl x509 -in cca-cert.pem -trustout \
    -addtrust clientAuth -out cca-clientAuth.pem
openssl x509 -in cca-cert.pem -trustout \
    -addreject anyExtendedKeyUsage -out cca-anyEKU.pem
openssl x509 -in cca-cert.pem -trustout \
    -addtrust anyExtendedKeyUsage -out cca+anyEKU.pem

# server intermediate ca: sca-cert
# trust variants: +serverAuth, -serverAuth, +clientAuth, -clientAuth, -anyEKU, +anyEKU
#
./mkcert.sh genca "CA" ca-key sca-cert root-key root-cert serverAuth
#
openssl x509 -in sca-cert.pem -trustout \
    -addtrust serverAuth -out sca+serverAuth.pem
openssl x509 -in sca-cert.pem -trustout \
    -addreject serverAuth -out sca-serverAuth.pem
openssl x509 -in sca-cert.pem -trustout \
    -addtrust clientAuth -out sca+clientAuth.pem
openssl x509 -in sca-cert.pem -trustout \
    -addreject clientAuth -out sca-clientAuth.pem
openssl x509 -in sca-cert.pem -trustout \
    -addreject anyExtendedKeyUsage -out sca-anyEKU.pem
openssl x509 -in sca-cert.pem -trustout \
    -addtrust anyExtendedKeyUsage -out sca+anyEKU.pem

# Primary leaf cert: ee-cert
# ee variants: expired, issuer-key2, issuer-name2
# trust variants: +serverAuth, -serverAuth, +clientAuth, -clientAuth
# purpose variants: client
#
./mkcert.sh genee server.example ee-key ee-cert ca-key ca-cert
./mkcert.sh genee server.example ee-key ee-expired ca-key ca-cert -days -1
./mkcert.sh genee server.example ee-key ee-cert2 ca-key2 ca-cert2
./mkcert.sh genee server.example ee-key ee-name2 ca-key ca-name2
./mkcert.sh genee -p clientAuth server.example ee-key ee-client ca-key ca-cert
#
openssl x509 -in ee-cert.pem -trustout \
    -addtrust serverAuth -out ee+serverAuth.pem
openssl x509 -in ee-cert.pem -trustout \
    -addreject serverAuth -out ee-serverAuth.pem
openssl x509 -in ee-client.pem -trustout \
    -addtrust clientAuth -out ee+clientAuth.pem
openssl x509 -in ee-client.pem -trustout \
    -addreject clientAuth -out ee-clientAuth.pem

# Leaf cert security level variants
# MD5 issuer signature
OPENSSL_SIGALG=md5 \
./mkcert.sh genee server.example ee-key ee-cert-md5 ca-key ca-cert
# 768-bit issuer key
./mkcert.sh genee server.example ee-key ee-cert-768i ca-key-768 ca-cert-768
# 768-bit leaf key
OPENSSL_KEYBITS=768 \
./mkcert.sh genee server.example ee-key-768 ee-cert-768 ca-key ca-cert

# Proxy certificates, off of ee-client
# Start with some good ones
./mkcert.sh req pc1-key "0.CN = server.example" "1.CN = proxy 1" | \
    ./mkcert.sh genpc pc1-key pc1-cert ee-key ee-client \
                "language = id-ppl-anyLanguage" "pathlen = 1" "policy = text:AB"
./mkcert.sh req pc2-key "0.CN = server.example" "1.CN = proxy 1" "2.CN = proxy 2" | \
    ./mkcert.sh genpc pc2-key pc2-cert pc1-key pc1-cert \
                "language = id-ppl-anyLanguage" "pathlen = 0" "policy = text:AB"
# And now a couple of bad ones
# pc3: incorrect CN
./mkcert.sh req bad-pc3-key "0.CN = server.example" "1.CN = proxy 3" | \
    ./mkcert.sh genpc bad-pc3-key bad-pc3-cert pc1-key pc1-cert \
                "language = id-ppl-anyLanguage" "pathlen = 0" "policy = text:AB"
# pc4: incorrect pathlen
./mkcert.sh req bad-pc4-key "0.CN = server.example" "1.CN = proxy 1" "2.CN = proxy 4" | \
    ./mkcert.sh genpc bad-pc4-key bad-pc4-cert pc1-key pc1-cert \
                "language = id-ppl-anyLanguage" "pathlen = 1" "policy = text:AB"
# pc5: no policy
./mkcert.sh req pc5-key "0.CN = server.example" "1.CN = proxy 1" "2.CN = proxy 5" | \
    ./mkcert.sh genpc pc5-key pc5-cert pc1-key pc1-cert \
                "language = id-ppl-anyLanguage" "pathlen = 0"
# pc6: incorrect CN (made into a component of a multivalue RDN)
./mkcert.sh req bad-pc6-key "0.CN = server.example" "1.CN = proxy 1" "2.+CN = proxy 6" | \
    ./mkcert.sh genpc bad-pc6-key bad-pc6-cert pc1-key pc1-cert \
                "language = id-ppl-anyLanguage" "pathlen = 0" "policy = text:AB"
Scripts to generate verify test certs Reviewed-by: Richard Levitte <levitte@openssl.org> 2016-01-15 08:48:27 +00:00			`#! /bin/sh`

			`# Primary root: root-cert`
Compat self-signed trust with reject-only aux data When auxiliary data contains only reject entries, continue to trust self-signed objects just as when no auxiliary data is present. This makes it possible to reject specific uses without changing what's accepted (and thus overring the underlying EKU). Added new supported certs and doubled test count from 38 to 76. Reviewed-by: Dr. Stephen Henson <steve@openssl.org> 2016-01-29 07:28:43 +00:00			`# root cert variants: CA:false, key2, DN2`
			`# trust variants: +serverAuth -serverAuth +clientAuth -clientAuth +anyEKU -anyEKU`
Scripts to generate verify test certs Reviewed-by: Richard Levitte <levitte@openssl.org> 2016-01-15 08:48:27 +00:00			`#`
			`./mkcert.sh genroot "Root CA" root-key root-cert`
			`./mkcert.sh genss "Root CA" root-key root-nonca`
			`./mkcert.sh genroot "Root CA" root-key2 root-cert2`
			`./mkcert.sh genroot "Root Cert 2" root-key root-name2`
			`#`
			`openssl x509 -in root-cert.pem -trustout \`
			`-addtrust serverAuth -out root+serverAuth.pem`
			`openssl x509 -in root-cert.pem -trustout \`
			`-addreject serverAuth -out root-serverAuth.pem`
			`openssl x509 -in root-cert.pem -trustout \`
			`-addtrust clientAuth -out root+clientAuth.pem`
Compat self-signed trust with reject-only aux data When auxiliary data contains only reject entries, continue to trust self-signed objects just as when no auxiliary data is present. This makes it possible to reject specific uses without changing what's accepted (and thus overring the underlying EKU). Added new supported certs and doubled test count from 38 to 76. Reviewed-by: Dr. Stephen Henson <steve@openssl.org> 2016-01-29 07:28:43 +00:00			`openssl x509 -in root-cert.pem -trustout \`
			`-addreject clientAuth -out root-clientAuth.pem`
Check chain extensions also for trusted certificates This includes basic constraints, key usages, issuer EKUs and auxiliary trust OIDs (given a trust suitably related to the intended purpose). Added tests and updated documentation. Reviewed-by: Dr. Stephen Henson <steve@openssl.org> 2016-01-28 08:01:45 +00:00			`openssl x509 -in root-cert.pem -trustout \`
			`-addreject anyExtendedKeyUsage -out root-anyEKU.pem`
			`openssl x509 -in root-cert.pem -trustout \`
			`-addtrust anyExtendedKeyUsage -out root+anyEKU.pem`
			`openssl x509 -in root-cert2.pem -trustout \`
			`-addtrust serverAuth -out root2+serverAuth.pem`
			`openssl x509 -in root-cert2.pem -trustout \`
			`-addreject serverAuth -out root2-serverAuth.pem`
			`openssl x509 -in root-cert2.pem -trustout \`
			`-addtrust clientAuth -out root2+clientAuth.pem`
Add tests for non-ca trusted roots and intermediates Reviewed-by: Dr. Stephen Henson <steve@openssl.org> 2016-01-29 17:22:21 +00:00			`openssl x509 -in root-nonca.pem -trustout \`
			`-addtrust serverAuth -out nroot+serverAuth.pem`
			`openssl x509 -in root-nonca.pem -trustout \`
			`-addtrust anyExtendedKeyUsage -out nroot+anyEKU.pem`
Scripts to generate verify test certs Reviewed-by: Richard Levitte <levitte@openssl.org> 2016-01-15 08:48:27 +00:00
Move peer chain security checks into x509_vfy.c A new X509_VERIFY_PARAM_set_auth_level() function sets the authentication security level. For verification of SSL peers, this is automatically set from the SSL security level. Otherwise, for now, the authentication security level remains at (effectively) 0 by default. The new "-auth_level" verify(1) option is available in all the command-line tools that support the standard verify(1) options. New verify(1) tests added to check enforcement of chain signature and public key security levels. Also added new tests of enforcement of the verify_depth limit. Updated documentation. Reviewed-by: Dr. Stephen Henson <steve@openssl.org> 2016-03-19 02:09:41 +00:00			`# Root CA security level variants:`
			`# MD5 self-signature`
			`OPENSSL_SIGALG=md5 \`
			`./mkcert.sh genroot "Root CA" root-key root-cert-md5`
			`# 768-bit key`
			`OPENSSL_KEYBITS=768 \`
			`./mkcert.sh genroot "Root CA" root-key-768 root-cert-768`

Compat self-signed trust with reject-only aux data When auxiliary data contains only reject entries, continue to trust self-signed objects just as when no auxiliary data is present. This makes it possible to reject specific uses without changing what's accepted (and thus overring the underlying EKU). Added new supported certs and doubled test count from 38 to 76. Reviewed-by: Dr. Stephen Henson <steve@openssl.org> 2016-01-29 07:28:43 +00:00			`# primary client-EKU root: croot-cert`
			`# trust variants: +serverAuth -serverAuth +clientAuth +anyEKU -anyEKU`
			`#`
			`./mkcert.sh genroot "Root CA" root-key croot-cert clientAuth`
			`#`
			`openssl x509 -in croot-cert.pem -trustout \`
			`-addtrust serverAuth -out croot+serverAuth.pem`
			`openssl x509 -in croot-cert.pem -trustout \`
			`-addreject serverAuth -out croot-serverAuth.pem`
			`openssl x509 -in croot-cert.pem -trustout \`
			`-addtrust clientAuth -out croot+clientAuth.pem`
			`openssl x509 -in croot-cert.pem -trustout \`
			`-addreject clientAuth -out croot-clientAuth.pem`
			`openssl x509 -in croot-cert.pem -trustout \`
			`-addreject anyExtendedKeyUsage -out croot-anyEKU.pem`
			`openssl x509 -in croot-cert.pem -trustout \`
			`-addtrust anyExtendedKeyUsage -out croot+anyEKU.pem`

			`# primary server-EKU root: sroot-cert`
			`# trust variants: +serverAuth -serverAuth +clientAuth +anyEKU -anyEKU`
			`#`
			`./mkcert.sh genroot "Root CA" root-key sroot-cert serverAuth`
			`#`
			`openssl x509 -in sroot-cert.pem -trustout \`
			`-addtrust serverAuth -out sroot+serverAuth.pem`
			`openssl x509 -in sroot-cert.pem -trustout \`
			`-addreject serverAuth -out sroot-serverAuth.pem`
			`openssl x509 -in sroot-cert.pem -trustout \`
			`-addtrust clientAuth -out sroot+clientAuth.pem`
			`openssl x509 -in sroot-cert.pem -trustout \`
			`-addreject clientAuth -out sroot-clientAuth.pem`
			`openssl x509 -in sroot-cert.pem -trustout \`
			`-addreject anyExtendedKeyUsage -out sroot-anyEKU.pem`
			`openssl x509 -in sroot-cert.pem -trustout \`
			`-addtrust anyExtendedKeyUsage -out sroot+anyEKU.pem`

Scripts to generate verify test certs Reviewed-by: Richard Levitte <levitte@openssl.org> 2016-01-15 08:48:27 +00:00			`# Primary intermediate ca: ca-cert`
			`# ca variants: CA:false, key2, DN2, issuer2, expired`
Compat self-signed trust with reject-only aux data When auxiliary data contains only reject entries, continue to trust self-signed objects just as when no auxiliary data is present. This makes it possible to reject specific uses without changing what's accepted (and thus overring the underlying EKU). Added new supported certs and doubled test count from 38 to 76. Reviewed-by: Dr. Stephen Henson <steve@openssl.org> 2016-01-29 07:28:43 +00:00			`# trust variants: +serverAuth, -serverAuth, +clientAuth, -clientAuth, -anyEKU, +anyEKU`
Scripts to generate verify test certs Reviewed-by: Richard Levitte <levitte@openssl.org> 2016-01-15 08:48:27 +00:00			`#`
			`./mkcert.sh genca "CA" ca-key ca-cert root-key root-cert`
			`./mkcert.sh genee "CA" ca-key ca-nonca root-key root-cert`
Require intermediate CAs to have basicConstraints CA:true. Previously, it was sufficient to have certSign in keyUsage when the basicConstraints extension was missing. That is still accepted in a trust anchor, but is no longer accepted in an intermediate CA. Reviewed-by: Rich Salz <rsalz@openssl.org> 2016-03-29 23:40:03 +00:00			`./mkcert.sh gen_nonbc_ca "CA" ca-key ca-nonbc root-key root-cert`
Scripts to generate verify test certs Reviewed-by: Richard Levitte <levitte@openssl.org> 2016-01-15 08:48:27 +00:00			`./mkcert.sh genca "CA" ca-key2 ca-cert2 root-key root-cert`
			`./mkcert.sh genca "CA2" ca-key ca-name2 root-key root-cert`
			`./mkcert.sh genca "CA" ca-key ca-root2 root-key2 root-cert2`
Fix generation of expired CA certificate. Reviewed-by: Richard Levitte <levitte@openssl.org> 2016-06-22 17:09:42 +00:00			`DAYS=-1 ./mkcert.sh genca "CA" ca-key ca-expired root-key root-cert`
Scripts to generate verify test certs Reviewed-by: Richard Levitte <levitte@openssl.org> 2016-01-15 08:48:27 +00:00			`#`
			`openssl x509 -in ca-cert.pem -trustout \`
			`-addtrust serverAuth -out ca+serverAuth.pem`
			`openssl x509 -in ca-cert.pem -trustout \`
			`-addreject serverAuth -out ca-serverAuth.pem`
			`openssl x509 -in ca-cert.pem -trustout \`
			`-addtrust clientAuth -out ca+clientAuth.pem`
Compat self-signed trust with reject-only aux data When auxiliary data contains only reject entries, continue to trust self-signed objects just as when no auxiliary data is present. This makes it possible to reject specific uses without changing what's accepted (and thus overring the underlying EKU). Added new supported certs and doubled test count from 38 to 76. Reviewed-by: Dr. Stephen Henson <steve@openssl.org> 2016-01-29 07:28:43 +00:00			`openssl x509 -in ca-cert.pem -trustout \`
			`-addreject clientAuth -out ca-clientAuth.pem`
			`openssl x509 -in ca-cert.pem -trustout \`
			`-addreject anyExtendedKeyUsage -out ca-anyEKU.pem`
			`openssl x509 -in ca-cert.pem -trustout \`
			`-addtrust anyExtendedKeyUsage -out ca+anyEKU.pem`
Add tests for non-ca trusted roots and intermediates Reviewed-by: Dr. Stephen Henson <steve@openssl.org> 2016-01-29 17:22:21 +00:00			`openssl x509 -in ca-nonca.pem -trustout \`
			`-addtrust serverAuth -out nca+serverAuth.pem`
			`openssl x509 -in ca-nonca.pem -trustout \`
			`-addtrust serverAuth -out nca+anyEKU.pem`
Compat self-signed trust with reject-only aux data When auxiliary data contains only reject entries, continue to trust self-signed objects just as when no auxiliary data is present. This makes it possible to reject specific uses without changing what's accepted (and thus overring the underlying EKU). Added new supported certs and doubled test count from 38 to 76. Reviewed-by: Dr. Stephen Henson <steve@openssl.org> 2016-01-29 07:28:43 +00:00
Move peer chain security checks into x509_vfy.c A new X509_VERIFY_PARAM_set_auth_level() function sets the authentication security level. For verification of SSL peers, this is automatically set from the SSL security level. Otherwise, for now, the authentication security level remains at (effectively) 0 by default. The new "-auth_level" verify(1) option is available in all the command-line tools that support the standard verify(1) options. New verify(1) tests added to check enforcement of chain signature and public key security levels. Also added new tests of enforcement of the verify_depth limit. Updated documentation. Reviewed-by: Dr. Stephen Henson <steve@openssl.org> 2016-03-19 02:09:41 +00:00			`# Intermediate CA security variants:`
			`# MD5 issuer signature,`
			`OPENSSL_SIGALG=md5 \`
			`./mkcert.sh genca "CA" ca-key ca-cert-md5 root-key root-cert`
			`openssl x509 -in ca-cert-md5.pem -trustout \`
			`-addtrust anyExtendedKeyUsage -out ca-cert-md5-any.pem`
			`# Issuer has 768-bit key`
			`./mkcert.sh genca "CA" ca-key ca-cert-768i root-key-768 root-cert-768`
			`# CA has 768-bit key`
			`OPENSSL_KEYBITS=768 \`
			`./mkcert.sh genca "CA" ca-key-768 ca-cert-768 root-key root-cert`

Compat self-signed trust with reject-only aux data When auxiliary data contains only reject entries, continue to trust self-signed objects just as when no auxiliary data is present. This makes it possible to reject specific uses without changing what's accepted (and thus overring the underlying EKU). Added new supported certs and doubled test count from 38 to 76. Reviewed-by: Dr. Stephen Henson <steve@openssl.org> 2016-01-29 07:28:43 +00:00			`# client intermediate ca: cca-cert`
			`# trust variants: +serverAuth, -serverAuth, +clientAuth, -clientAuth`
			`#`
			`./mkcert.sh genca "CA" ca-key cca-cert root-key root-cert clientAuth`
			`#`
			`openssl x509 -in cca-cert.pem -trustout \`
			`-addtrust serverAuth -out cca+serverAuth.pem`
			`openssl x509 -in cca-cert.pem -trustout \`
			`-addreject serverAuth -out cca-serverAuth.pem`
			`openssl x509 -in cca-cert.pem -trustout \`
			`-addtrust clientAuth -out cca+clientAuth.pem`
			`openssl x509 -in cca-cert.pem -trustout \`
			`-addtrust clientAuth -out cca-clientAuth.pem`
			`openssl x509 -in cca-cert.pem -trustout \`
			`-addreject anyExtendedKeyUsage -out cca-anyEKU.pem`
			`openssl x509 -in cca-cert.pem -trustout \`
			`-addtrust anyExtendedKeyUsage -out cca+anyEKU.pem`

			`# server intermediate ca: sca-cert`
			`# trust variants: +serverAuth, -serverAuth, +clientAuth, -clientAuth, -anyEKU, +anyEKU`
			`#`
			`./mkcert.sh genca "CA" ca-key sca-cert root-key root-cert serverAuth`
			`#`
			`openssl x509 -in sca-cert.pem -trustout \`
			`-addtrust serverAuth -out sca+serverAuth.pem`
			`openssl x509 -in sca-cert.pem -trustout \`
			`-addreject serverAuth -out sca-serverAuth.pem`
			`openssl x509 -in sca-cert.pem -trustout \`
			`-addtrust clientAuth -out sca+clientAuth.pem`
			`openssl x509 -in sca-cert.pem -trustout \`
			`-addreject clientAuth -out sca-clientAuth.pem`
			`openssl x509 -in sca-cert.pem -trustout \`
			`-addreject anyExtendedKeyUsage -out sca-anyEKU.pem`
			`openssl x509 -in sca-cert.pem -trustout \`
			`-addtrust anyExtendedKeyUsage -out sca+anyEKU.pem`
Scripts to generate verify test certs Reviewed-by: Richard Levitte <levitte@openssl.org> 2016-01-15 08:48:27 +00:00
			`# Primary leaf cert: ee-cert`
			`# ee variants: expired, issuer-key2, issuer-name2`
			`# trust variants: +serverAuth, -serverAuth, +clientAuth, -clientAuth`
			`# purpose variants: client`
			`#`
			`./mkcert.sh genee server.example ee-key ee-cert ca-key ca-cert`
			`./mkcert.sh genee server.example ee-key ee-expired ca-key ca-cert -days -1`
			`./mkcert.sh genee server.example ee-key ee-cert2 ca-key2 ca-cert2`
			`./mkcert.sh genee server.example ee-key ee-name2 ca-key ca-name2`
			`./mkcert.sh genee -p clientAuth server.example ee-key ee-client ca-key ca-cert`
			`#`
			`openssl x509 -in ee-cert.pem -trustout \`
			`-addtrust serverAuth -out ee+serverAuth.pem`
			`openssl x509 -in ee-cert.pem -trustout \`
			`-addreject serverAuth -out ee-serverAuth.pem`
			`openssl x509 -in ee-client.pem -trustout \`
			`-addtrust clientAuth -out ee+clientAuth.pem`
			`openssl x509 -in ee-client.pem -trustout \`
			`-addreject clientAuth -out ee-clientAuth.pem`
Move peer chain security checks into x509_vfy.c A new X509_VERIFY_PARAM_set_auth_level() function sets the authentication security level. For verification of SSL peers, this is automatically set from the SSL security level. Otherwise, for now, the authentication security level remains at (effectively) 0 by default. The new "-auth_level" verify(1) option is available in all the command-line tools that support the standard verify(1) options. New verify(1) tests added to check enforcement of chain signature and public key security levels. Also added new tests of enforcement of the verify_depth limit. Updated documentation. Reviewed-by: Dr. Stephen Henson <steve@openssl.org> 2016-03-19 02:09:41 +00:00
			`# Leaf cert security level variants`
			`# MD5 issuer signature`
			`OPENSSL_SIGALG=md5 \`
			`./mkcert.sh genee server.example ee-key ee-cert-md5 ca-key ca-cert`
			`# 768-bit issuer key`
			`./mkcert.sh genee server.example ee-key ee-cert-768i ca-key-768 ca-cert-768`
			`# 768-bit leaf key`
			`OPENSSL_KEYBITS=768 \`
			`./mkcert.sh genee server.example ee-key-768 ee-cert-768 ca-key ca-cert`
Make it possible to generate proxy certs with test/certs/mkcert.sh This extends 'req' to take more than one DN component, and to take them as full DN components and not just CN values. All other commands are changed to pass "CN = $cn" instead of just a CN value. This adds 'genpc', which differs from the other 'gen*' commands by not calling 'req', and expect the result from 'req' to come through stdin. Finally, test/certs/setup.sh gets the commands needed to generate a few proxy certificates. Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Stephen Henson <steve@openssl.org> 2016-06-19 08:56:09 +00:00
			`# Proxy certificates, off of ee-client`
			`# Start with some good ones`
			`./mkcert.sh req pc1-key "0.CN = server.example" "1.CN = proxy 1" \| \`
			`./mkcert.sh genpc pc1-key pc1-cert ee-key ee-client \`
			`"language = id-ppl-anyLanguage" "pathlen = 1" "policy = text:AB"`
			`./mkcert.sh req pc2-key "0.CN = server.example" "1.CN = proxy 1" "2.CN = proxy 2" \| \`
			`./mkcert.sh genpc pc2-key pc2-cert pc1-key pc1-cert \`
			`"language = id-ppl-anyLanguage" "pathlen = 0" "policy = text:AB"`
			`# And now a couple of bad ones`
			`# pc3: incorrect CN`
			`./mkcert.sh req bad-pc3-key "0.CN = server.example" "1.CN = proxy 3" \| \`
			`./mkcert.sh genpc bad-pc3-key bad-pc3-cert pc1-key pc1-cert \`
			`"language = id-ppl-anyLanguage" "pathlen = 0" "policy = text:AB"`
			`# pc4: incorrect pathlen`
			`./mkcert.sh req bad-pc4-key "0.CN = server.example" "1.CN = proxy 1" "2.CN = proxy 4" \| \`
			`./mkcert.sh genpc bad-pc4-key bad-pc4-cert pc1-key pc1-cert \`
			`"language = id-ppl-anyLanguage" "pathlen = 1" "policy = text:AB"`
			`# pc5: no policy`
			`./mkcert.sh req pc5-key "0.CN = server.example" "1.CN = proxy 1" "2.CN = proxy 5" \| \`
			`./mkcert.sh genpc pc5-key pc5-cert pc1-key pc1-cert \`
			`"language = id-ppl-anyLanguage" "pathlen = 0"`
			`# pc6: incorrect CN (made into a component of a multivalue RDN)`
			`./mkcert.sh req bad-pc6-key "0.CN = server.example" "1.CN = proxy 1" "2.+CN = proxy 6" \| \`
			`./mkcert.sh genpc bad-pc6-key bad-pc6-cert pc1-key pc1-cert \`
			`"language = id-ppl-anyLanguage" "pathlen = 0" "policy = text:AB"`