Add Restricted PSS certificate and key
Create a PSS certificate with parameter restrictions Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/9553)
parent
9bcc9f973b
commit
39d9ea5e50
4 changed files with 85 additions and 0 deletions
|
@ -233,6 +233,35 @@ genee() {
|
|||
-set_serial 2 -days "${DAYS}" "$@"
|
||||
}
|
||||
|
||||
geneenocsr() {
|
||||
local OPTIND=1
|
||||
local purpose=serverAuth
|
||||
|
||||
while getopts p: o
|
||||
do
|
||||
case $o in
|
||||
p) purpose="$OPTARG";;
|
||||
*) echo "Usage: $0 genee [-p EKU] cn certname cakeyname cacertname" >&2
|
||||
return 1;;
|
||||
esac
|
||||
done
|
||||
|
||||
shift $((OPTIND - 1))
|
||||
local cn=$1; shift
|
||||
local cert=$1; shift
|
||||
local cakey=$1; shift
|
||||
local ca=$1; shift
|
||||
|
||||
exts=$(printf "%s\n%s\n%s\n%s\n%s\n[alts]\n%s\n" \
|
||||
"subjectKeyIdentifier = hash" \
|
||||
"authorityKeyIdentifier = keyid, issuer" \
|
||||
"basicConstraints = CA:false" \
|
||||
"extendedKeyUsage = $purpose" \
|
||||
"subjectAltName = @alts" "DNS=${cn}")
|
||||
cert "$cert" "$exts" -CA "${ca}.pem" -CAkey "${cakey}.pem" \
|
||||
-set_serial 2 -days "${DAYS}" "$@"
|
||||
}
|
||||
|
||||
genss() {
|
||||
local cn=$1; shift
|
||||
local key=$1; shift
|
||||
|
|
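Review bot: The usage text in the `*)` arm of `geneenocsr` still names `genee`, so a bad option reports the wrong subcommand; it should read `echo "Usage: $0 geneenocsr [-p EKU] cn certname cakeyname cacertname" >&2`. After `shift $((OPTIND - 1))` the four positionals are consumed without a count check, so a short call leaves `cakey` or `ca` empty and presumably only fails later inside `cert`; a guard such as `[ $# -ge 4 ] || return 1` before `local cn=$1; shift` would fail early. `exts` is assigned without `local` and so leaks into the caller's scope; a `local exts` ahead of the assignment keeps it private. The function appears to take the request from stdin instead of generating one (the `cert` helper is outside this hunk), which deserves a one-line comment above the definition, for example `# Like genee, but signs a CSR read from stdin.`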
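--- a/test/certs/server-pss-restrict-cert.pem
+++ b/test/certs/server-pss-restrict-cert.pem
@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDYjCCAkqgAwIBAgIBAjANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdSb290
+IENBMCAXDTE5MDgwODEwNDMxMFoYDzIxMTkwODA5MTA0MzEwWjAUMRIwEAYDVQQD
+DAlsb2NhbGhvc3QwggFSMD0GCSqGSIb3DQEBCjAwoA0wCwYJYIZIAWUDBAIBoRow
+GAYJKoZIhvcNAQEIMAsGCWCGSAFlAwQCAaIDAgEgA4IBDwAwggEKAoIBAQDDlygk
+sUEAajpdVquo9XIAyTd9ZJ+55hNmhBfhn3lHz3ryPD+0XlgCE9qsKwfR7iYaqmnN
+ilQnsxWpMGXAgOlC1+w5zh8qHvrI5wX+A6U9N8leIOSgFuFNP0FMMG7I677QzRxG
+FqKX1o4V73JWqnHCfnfHRyZY9xM0tYbJKNbRO7Hy4jKBPl3ptPHUoTltr4WYTOpg
+stcEamdiiif+0U4bQvVltNg9pzFEjkAktTUGn92W5CgLnsbPXxBo6a/kUlHcgmhY
+bpOXEjCPufZLgsQo8iF2Bq8eWMEsByjr0chQjzrfZAUVtD8Hmh2uMVAPQFAHUkaL
+j2tHukL+s9tAaWKNAgMBAAGjgY4wgYswHQYDVR0OBBYEFLqlLFaNrS8hbX6voiGi
+AfMYfsivMB8GA1UdIwQYMBaAFHB/Lq6DaFmYBCMqzes+F80k3QFJMAkGA1UdEwQC
+MAAwEwYDVR0lBAwwCgYIKwYBBQUHAwEwKQYDVR0RBCIwIIIeU2VydmVyIFJTQS1Q
+U1MgcmVzdHJpY3RlZCBjZXJ0MA0GCSqGSIb3DQEBCwUAA4IBAQAEhm9Skn2XfEZo
+Q+YMu6HIQZovRT3IljHvesjIby7KfS86SU4r+CG7qaPLw7jeIR92YMnihnaXRGGJ
+POixpHY6gapEzR2Sqg7c0ApGenDZ3uKnBUjf9LEorPmhrEHUsnHREXoPx5Lt5Nh/
+7WRNB/GKvbnAby+5HQBOvU6P8t37/zK1JjJhGNv0uvaYthQGk3r6nEhQG+O6JBSw
+H/auU4ClIB4fg8GWaMuupN5VMNP9mxpL9tONH8QRKs+KIQWMOsr83rOKwSHrrkIL
+/vDI5hPj9RHvjjta6FQx140wA6c8ZB59x9YIv1alJWf6s3+TM8bv70L/aBBT8+IM
+vwjUz9Gp
+-----END CERTIFICATE-----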
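--- a/test/certs/server-pss-restrict-key.pem
+++ b/test/certs/server-pss-restrict-key.pem
@@ -0,0 +1,29 @@
+-----BEGIN PRIVATE KEY-----
+MIIE7wIBADA9BgkqhkiG9w0BAQowMKANMAsGCWCGSAFlAwQCAaEaMBgGCSqGSIb3
+DQEBCDALBglghkgBZQMEAgGiAwIBIASCBKkwggSlAgEAAoIBAQDDlygksUEAajpd
+Vquo9XIAyTd9ZJ+55hNmhBfhn3lHz3ryPD+0XlgCE9qsKwfR7iYaqmnNilQnsxWp
+MGXAgOlC1+w5zh8qHvrI5wX+A6U9N8leIOSgFuFNP0FMMG7I677QzRxGFqKX1o4V
+73JWqnHCfnfHRyZY9xM0tYbJKNbRO7Hy4jKBPl3ptPHUoTltr4WYTOpgstcEamdi
+iif+0U4bQvVltNg9pzFEjkAktTUGn92W5CgLnsbPXxBo6a/kUlHcgmhYbpOXEjCP
+ufZLgsQo8iF2Bq8eWMEsByjr0chQjzrfZAUVtD8Hmh2uMVAPQFAHUkaLj2tHukL+
+s9tAaWKNAgMBAAECggEBAIzgfwWOtmb6HHfGSXY085wlUlZ696EKWsboNdtI5i4W
+/1Mimi/sFC/K5SJFDCjlA4UJYZOuItdFYkCun1t8foaqx3cLQ98u2SuDWwmOzqG9
+YMjvoDy+viDJgtrBt8n4I0R5t/ezrgD3hPe/s/dAZRfVx6g9Ux2ZOLgqV57kT3X7
+6paEz3jrIMvuoXQCsi9Qh+eJQ23/sAcc7OHQ7uD8QJVudEBnSHQ+ttvOPXhr7tba
+8NuNVa6E/KewkKHRAZqBTJolCVyPtWmvfaDwdJtunCvyR1w3Rv1adZLK4YRFz+vc
+sOMK+K1c2aojA+/Fnba19inNq13j6Dwqmq8Ho7MZwHECgYEA6aSx7/93S1VGpxQ9
+KqFE4Fy9ylliC/hanc9qOcfEIo0tDus9lfpuPp+aOXML0msVkIfhCnaru32qtnaI
+AQkIbPhSZFvC/i6BibpArXINbDzTS/46zZHehXskjWFGw+iRm/YI7MBuCmWzSnFO
+YUwSKRIPKZKyXswFzP8RsQO/QbsCgYEA1k5SamQheuKdo/X40ShWTTOoDlpL4Sir
+b2zTnEqlHyMv8c7w880hPf4P+0pqrKyf7jmEykJvp1qSAmyMUCWzrKTr8gQ2sMyb
+zj90cEm++M5YIQh5lPJy4pGqmCliJXqkt+zT1xmnRASwMNQOnU2bBmXkve/ofb4M
+dEwyig/nZFcCgYBLWPilTD6dhce+NBGxwMZkkKQIMKEk+RfIEs7QCXNgLSUdzZFT
+36pT+caTxl1Go5AVxyw04qZpVZKLO1iK9O3Jrp9rjAgrTrYpw23+QWzAvjDqLfeq
+ueMIKvlTus5GeacTo9mm+DvEkJ2sYTQEvrKQmilXn950IdmxDYUYD/xK5wKBgQDQ
+5ON9BUGFUSQsUHVLG7CT7EhiRS41ubjyEfhrHm+53Ei9weQpIcjHbsERR8aXrmTu
+h26i4QOI88XjSv+ymC19mfzLmcPdrnQpJL1RPvFCAZDyEhrBT1sg8rCBRcV/lv68
+scMEpuLecFt2HR5pwt3b7LJ9Wj8bYoctTaDt5va8XQKBgQDCr4hZB5haAcKmNm/g
+PjlaLdrDEIuuBjxMzX1t3PXwsEene1cE731v6fbmrDUa8AuJyMY80xhGrTTDQfS3
+QOu/6wtcUv/JC/06OwEaUlT/kdYek+zYfBm3b1sKP3HVKSxCLTcPcC4aQoAFqbEy
+3kuSVh03vVBdaP//qMPyeue17w==
+-----END PRIVATE KEY-----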
@ -369,3 +369,9 @@ REQMASK=MASK:0x800 ./mkcert.sh req badalt7-key "O = Bad NC Test Certificate 7" \
|
|||
OPENSSL_KEYALG=ec OPENSSL_KEYBITS=brainpoolP256r1 ./mkcert.sh genee \
|
||||
"Server ECDSA brainpoolP256r1 cert" server-ecdsa-brainpoolP256r1-key \
|
||||
server-ecdsa-brainpoolP256r1-cert rootkey rootcert
|
||||
|
||||
openssl req -new -nodes -subj "/CN=localhost" \
|
||||
-newkey rsa-pss -keyout server-pss-restrict-key.pem \
|
||||
-pkeyopt rsa_pss_keygen_md:sha256 -pkeyopt rsa_pss_keygen_saltlen:32 | \
|
||||
./mkcert.sh geneenocsr "Server RSA-PSS restricted cert" \
|
||||
server-pss-restrict-cert rootkey rootcert
|
||||
|
|
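Review bot: The first argument passed to `geneenocsr` here, "Server RSA-PSS restricted cert", is what that function writes into the certificate as `DNS=${cn}`, while the subject appears to come from the request's `/CN=localhost`. The only dNSName SAN is therefore a string with spaces that no hostname will match. A verifier that ignores the CN once a dNSName SAN is present would reject this certificate for `localhost`; if a test ever checks the peer name, the call should pass the host instead, as in `./mkcert.sh geneenocsr localhost \`. The `openssl req` call would also benefit from a comment recording the restriction under test, for example `# RSA-PSS key restricted to SHA-256 digest and a 32-byte salt`.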