Make it possible to generate proxy certs with test/certs/mkcert.sh

This extends 'req' to take more than one DN component, and to take
them as full DN components and not just CN values.  All other commands
are changed to pass "CN = $cn" instead of just a CN value.

This adds 'genpc', which differs from the other 'gen*' commands by not
calling 'req', and expect the result from 'req' to come through stdin.

Finally, test/certs/setup.sh gets the commands needed to generate a
few proxy certificates.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Stephen Henson <steve@openssl.org>

test/certs/mkcert.sh

@@ -49,17 +49,18 @@ key() {
     fi
 }
 
+# Usage: $0 req keyname dn1 dn2 ...
 req() {
     local key=$1; shift
-    local cn=$1; shift
 
     key "$key"
     local errs
 
     stderr_onerror \
         openssl req -new -"${OPENSSL_SIGALG}" -key "${key}.pem" \
-            -config <(printf "[req]\n%s\n%s\n[dn]\nCN=%s\n" \
+            -config <(printf "[req]\n%s\n%s\n[dn]\n" \
-		      "prompt = no" "distinguished_name = dn" "${cn}")
+		      "prompt = no" "distinguished_name = dn" "${dn}"
+                      for dn in "$@"; do echo "$dn"; done)
 }
 
 req_nocn() {
@@ -93,7 +94,7 @@ genroot() {
     do
         exts=$(printf "%s\nextendedKeyUsage = %s\n" "$exts" "$eku")
     done
-    csr=$(req "$key" "$cn") || return 1
+    csr=$(req "$key" "CN = $cn") || return 1
     echo "$csr" |
        cert "$cert" "$exts" -signkey "${key}.pem" -set_serial 1 -days "${DAYS}"
 }
@@ -112,7 +113,7 @@ genca() {
     do
         exts=$(printf "%s\nextendedKeyUsage = %s\n" "$exts" "$eku")
     done
-    csr=$(req "$key" "$cn") || return 1
+    csr=$(req "$key" "CN = $cn") || return 1
     echo "$csr" |
         cert "$cert" "$exts" -CA "${cacert}.pem" -CAkey "${cakey}.pem" \
 	    -set_serial 2 -days "${DAYS}"
@@ -133,12 +134,34 @@ gen_nonbc_ca() {
     do
         exts=$(printf "%s\nextendedKeyUsage = %s\n" "$exts" "$eku")
     done
-    csr=$(req "$key" "$cn") || return 1
+    csr=$(req "$key" "CN = $cn") || return 1
     echo "$csr" |
         cert "$cert" "$exts" -CA "${cacert}.pem" -CAkey "${cakey}.pem" \
 	    -set_serial 2 -days "${DAYS}"
 }
 
+# Usage: $0 genpc keyname certname eekeyname eecertname pcext1 pcext2 ...
+#
+# Note: takes csr on stdin, so must be used with $0 req like this:
+#
+# $0 req keyname dn | $0 genpc keyname certname eekeyname eecertname pcext ...
+genpc() {
+    local key=$1; shift
+    local cert=$1; shift
+    local cakey=$1; shift
+    local ca=$1; shift
+
+    exts=$(printf "%s\n%s\n%s\n%s\n" \
+	    "subjectKeyIdentifier = hash" \
+	    "authorityKeyIdentifier = keyid, issuer:always" \
+	    "basicConstraints = CA:false" \
+	    "proxyCertInfo = critical, @pcexts";
+           echo "[pcexts]";
+           for x in "$@"; do echo $x; done)
+    cert "$cert" "$exts" -CA "${ca}.pem" -CAkey "${cakey}.pem" \
+	 -set_serial 2 -days "${DAYS}"
+}
+
 genee() {
     local OPTIND=1
     local purpose=serverAuth
@@ -165,7 +188,7 @@ genee() {
 	    "basicConstraints = CA:false" \
 	    "extendedKeyUsage = $purpose" \
 	    "subjectAltName = @alts" "DNS=${cn}")
-    csr=$(req "$key" "$cn") || return 1
+    csr=$(req "$key" "CN = $cn") || return 1
     echo "$csr" |
 	cert "$cert" "$exts" -CA "${ca}.pem" -CAkey "${cakey}.pem" \
 	    -set_serial 2 -days "${DAYS}" "$@"
@@ -182,7 +205,7 @@ genss() {
 	    "basicConstraints = CA:false" \
 	    "extendedKeyUsage = serverAuth" \
 	    "subjectAltName = @alts" "DNS=${cn}")
-    csr=$(req "$key" "$cn") || return 1
+    csr=$(req "$key" "CN = $cn") || return 1
     echo "$csr" |
         cert "$cert" "$exts" -signkey "${key}.pem" \
             -set_serial 1 -days "${DAYS}" "$@"

test/certs/setup.sh

@@ -182,3 +182,29 @@ OPENSSL_SIGALG=md5 \
 # 768-bit leaf key
 OPENSSL_KEYBITS=768 \
 ./mkcert.sh genee server.example ee-key-768 ee-cert-768 ca-key ca-cert
+
+# Proxy certificates, off of ee-client
+# Start with some good ones
+./mkcert.sh req pc1-key "0.CN = server.example" "1.CN = proxy 1" | \
+    ./mkcert.sh genpc pc1-key pc1-cert ee-key ee-client \
+                "language = id-ppl-anyLanguage" "pathlen = 1" "policy = text:AB"
+./mkcert.sh req pc2-key "0.CN = server.example" "1.CN = proxy 1" "2.CN = proxy 2" | \
+    ./mkcert.sh genpc pc2-key pc2-cert pc1-key pc1-cert \
+                "language = id-ppl-anyLanguage" "pathlen = 0" "policy = text:AB"
+# And now a couple of bad ones
+# pc3: incorrect CN
+./mkcert.sh req bad-pc3-key "0.CN = server.example" "1.CN = proxy 3" | \
+    ./mkcert.sh genpc bad-pc3-key bad-pc3-cert pc1-key pc1-cert \
+                "language = id-ppl-anyLanguage" "pathlen = 0" "policy = text:AB"
+# pc4: incorrect pathlen
+./mkcert.sh req bad-pc4-key "0.CN = server.example" "1.CN = proxy 1" "2.CN = proxy 4" | \
+    ./mkcert.sh genpc bad-pc4-key bad-pc4-cert pc1-key pc1-cert \
+                "language = id-ppl-anyLanguage" "pathlen = 1" "policy = text:AB"
+# pc5: no policy
+./mkcert.sh req pc5-key "0.CN = server.example" "1.CN = proxy 1" "2.CN = proxy 5" | \
+    ./mkcert.sh genpc pc5-key pc5-cert pc1-key pc1-cert \
+                "language = id-ppl-anyLanguage" "pathlen = 0"
+# pc6: incorrect CN (made into a component of a multivalue RDN)
+./mkcert.sh req bad-pc6-key "0.CN = server.example" "1.CN = proxy 1" "2.+CN = proxy 6" | \
+    ./mkcert.sh genpc bad-pc6-key bad-pc6-cert pc1-key pc1-cert \
+                "language = id-ppl-anyLanguage" "pathlen = 0" "policy = text:AB"