Add Restricted PSS certificate and key
Create a PSS certificate with parameter restrictions
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/9553)
(cherry picked from commit 39d9ea5e50)
This commit is contained in:
parent
7467c87c6e
commit
fc009331ab
4 changed files with 85 additions and 0 deletions
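--- a/PATH-NOT-ON-PAGE
+++ b/PATH-NOT-ON-PAGE
@@ -233,6 +233,35 @@ genee() {
         -set_serial 2 -days "${DAYS}" "$@"
 }
 
+geneenocsr() {
+    local OPTIND=1
+    local purpose=serverAuth
+
+    while getopts p: o
+    do
+        case $o in
+        p) purpose="$OPTARG";;
+        *) echo "Usage: $0 genee [-p EKU] cn certname cakeyname cacertname" >&2
+           return 1;;
+        esac
+    done
+
+    shift $((OPTIND - 1))
+    local cn=$1; shift
+    local cert=$1; shift
+    local cakey=$1; shift
+    local ca=$1; shift
+
+    exts=$(printf "%s\n%s\n%s\n%s\n%s\n[alts]\n%s\n" \
+            "subjectKeyIdentifier = hash" \
+            "authorityKeyIdentifier = keyid, issuer" \
+            "basicConstraints = CA:false" \
+            "extendedKeyUsage = $purpose" \
+            "subjectAltName = @alts" "DNS=${cn}")
+    cert "$cert" "$exts" -CA "${ca}.pem" -CAkey "${cakey}.pem" \
+        -set_serial 2 -days "${DAYS}" "$@"
+}
+
 genss() {
     local cn=$1; shift
     local key=$1; shift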
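Review bot: The usage message in the `*)` arm of geneenocsr's getopts loop still names `genee`, so a caller who passes an unknown option is pointed at the wrong subcommand; it should read `*) echo "Usage: $0 geneenocsr [-p EKU] cn certname cakeyname cacertname" >&2`. The other difference from genee — there is no key argument and no `req`/`echo "$csr"` step, so the CSR presumably arrives on stdin through the `cert` helper — is not stated anywhere in the hunk; a header comment above `geneenocsr() {` such as `# Like genee, but the CSR is read from stdin instead of being generated from a key file` would save the next reader the comparison. Leaving `exts` non-local matches the existing genee and is not a new issue.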
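--- /dev/null
+++ b/test/certs/server-pss-restrict-cert.pem
@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDYjCCAkqgAwIBAgIBAjANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdSb290
+IENBMCAXDTE5MDgwODEwNDMxMFoYDzIxMTkwODA5MTA0MzEwWjAUMRIwEAYDVQQD
+DAlsb2NhbGhvc3QwggFSMD0GCSqGSIb3DQEBCjAwoA0wCwYJYIZIAWUDBAIBoRow
+GAYJKoZIhvcNAQEIMAsGCWCGSAFlAwQCAaIDAgEgA4IBDwAwggEKAoIBAQDDlygk
+sUEAajpdVquo9XIAyTd9ZJ+55hNmhBfhn3lHz3ryPD+0XlgCE9qsKwfR7iYaqmnN
+ilQnsxWpMGXAgOlC1+w5zh8qHvrI5wX+A6U9N8leIOSgFuFNP0FMMG7I677QzRxG
+FqKX1o4V73JWqnHCfnfHRyZY9xM0tYbJKNbRO7Hy4jKBPl3ptPHUoTltr4WYTOpg
+stcEamdiiif+0U4bQvVltNg9pzFEjkAktTUGn92W5CgLnsbPXxBo6a/kUlHcgmhY
+bpOXEjCPufZLgsQo8iF2Bq8eWMEsByjr0chQjzrfZAUVtD8Hmh2uMVAPQFAHUkaL
+j2tHukL+s9tAaWKNAgMBAAGjgY4wgYswHQYDVR0OBBYEFLqlLFaNrS8hbX6voiGi
+AfMYfsivMB8GA1UdIwQYMBaAFHB/Lq6DaFmYBCMqzes+F80k3QFJMAkGA1UdEwQC
+MAAwEwYDVR0lBAwwCgYIKwYBBQUHAwEwKQYDVR0RBCIwIIIeU2VydmVyIFJTQS1Q
+U1MgcmVzdHJpY3RlZCBjZXJ0MA0GCSqGSIb3DQEBCwUAA4IBAQAEhm9Skn2XfEZo
+Q+YMu6HIQZovRT3IljHvesjIby7KfS86SU4r+CG7qaPLw7jeIR92YMnihnaXRGGJ
+POixpHY6gapEzR2Sqg7c0ApGenDZ3uKnBUjf9LEorPmhrEHUsnHREXoPx5Lt5Nh/
+7WRNB/GKvbnAby+5HQBOvU6P8t37/zK1JjJhGNv0uvaYthQGk3r6nEhQG+O6JBSw
+H/auU4ClIB4fg8GWaMuupN5VMNP9mxpL9tONH8QRKs+KIQWMOsr83rOKwSHrrkIL
+/vDI5hPj9RHvjjta6FQx140wA6c8ZB59x9YIv1alJWf6s3+TM8bv70L/aBBT8+IM
+vwjUz9Gp
+-----END CERTIFICATE-----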
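--- /dev/null
+++ b/test/certs/server-pss-restrict-key.pem
@@ -0,0 +1,29 @@
+-----BEGIN PRIVATE KEY-----
+MIIE7wIBADA9BgkqhkiG9w0BAQowMKANMAsGCWCGSAFlAwQCAaEaMBgGCSqGSIb3
+DQEBCDALBglghkgBZQMEAgGiAwIBIASCBKkwggSlAgEAAoIBAQDDlygksUEAajpd
+Vquo9XIAyTd9ZJ+55hNmhBfhn3lHz3ryPD+0XlgCE9qsKwfR7iYaqmnNilQnsxWp
+MGXAgOlC1+w5zh8qHvrI5wX+A6U9N8leIOSgFuFNP0FMMG7I677QzRxGFqKX1o4V
+73JWqnHCfnfHRyZY9xM0tYbJKNbRO7Hy4jKBPl3ptPHUoTltr4WYTOpgstcEamdi
+iif+0U4bQvVltNg9pzFEjkAktTUGn92W5CgLnsbPXxBo6a/kUlHcgmhYbpOXEjCP
+ufZLgsQo8iF2Bq8eWMEsByjr0chQjzrfZAUVtD8Hmh2uMVAPQFAHUkaLj2tHukL+
+s9tAaWKNAgMBAAECggEBAIzgfwWOtmb6HHfGSXY085wlUlZ696EKWsboNdtI5i4W
+/1Mimi/sFC/K5SJFDCjlA4UJYZOuItdFYkCun1t8foaqx3cLQ98u2SuDWwmOzqG9
+YMjvoDy+viDJgtrBt8n4I0R5t/ezrgD3hPe/s/dAZRfVx6g9Ux2ZOLgqV57kT3X7
+6paEz3jrIMvuoXQCsi9Qh+eJQ23/sAcc7OHQ7uD8QJVudEBnSHQ+ttvOPXhr7tba
+8NuNVa6E/KewkKHRAZqBTJolCVyPtWmvfaDwdJtunCvyR1w3Rv1adZLK4YRFz+vc
+sOMK+K1c2aojA+/Fnba19inNq13j6Dwqmq8Ho7MZwHECgYEA6aSx7/93S1VGpxQ9
+KqFE4Fy9ylliC/hanc9qOcfEIo0tDus9lfpuPp+aOXML0msVkIfhCnaru32qtnaI
+AQkIbPhSZFvC/i6BibpArXINbDzTS/46zZHehXskjWFGw+iRm/YI7MBuCmWzSnFO
+YUwSKRIPKZKyXswFzP8RsQO/QbsCgYEA1k5SamQheuKdo/X40ShWTTOoDlpL4Sir
+b2zTnEqlHyMv8c7w880hPf4P+0pqrKyf7jmEykJvp1qSAmyMUCWzrKTr8gQ2sMyb
+zj90cEm++M5YIQh5lPJy4pGqmCliJXqkt+zT1xmnRASwMNQOnU2bBmXkve/ofb4M
+dEwyig/nZFcCgYBLWPilTD6dhce+NBGxwMZkkKQIMKEk+RfIEs7QCXNgLSUdzZFT
+36pT+caTxl1Go5AVxyw04qZpVZKLO1iK9O3Jrp9rjAgrTrYpw23+QWzAvjDqLfeq
+ueMIKvlTus5GeacTo9mm+DvEkJ2sYTQEvrKQmilXn950IdmxDYUYD/xK5wKBgQDQ
+5ON9BUGFUSQsUHVLG7CT7EhiRS41ubjyEfhrHm+53Ei9weQpIcjHbsERR8aXrmTu
+h26i4QOI88XjSv+ymC19mfzLmcPdrnQpJL1RPvFCAZDyEhrBT1sg8rCBRcV/lv68
+scMEpuLecFt2HR5pwt3b7LJ9Wj8bYoctTaDt5va8XQKBgQDCr4hZB5haAcKmNm/g
+PjlaLdrDEIuuBjxMzX1t3PXwsEene1cE731v6fbmrDUa8AuJyMY80xhGrTTDQfS3
+QOu/6wtcUv/JC/06OwEaUlT/kdYek+zYfBm3b1sKP3HVKSxCLTcPcC4aQoAFqbEy
+3kuSVh03vVBdaP//qMPyeue17w==
+-----END PRIVATE KEY-----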
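--- a/PATH-NOT-ON-PAGE
+++ b/PATH-NOT-ON-PAGE
@@ -369,3 +369,9 @@ REQMASK=MASK:0x800 ./mkcert.sh req badalt7-key "O = Bad NC Test Certificate 7" \
 OPENSSL_KEYALG=ec OPENSSL_KEYBITS=brainpoolP256r1 ./mkcert.sh genee \
     "Server ECDSA brainpoolP256r1 cert" server-ecdsa-brainpoolP256r1-key \
     server-ecdsa-brainpoolP256r1-cert rootkey rootcert
+
+openssl req -new -nodes -subj "/CN=localhost" \
+    -newkey rsa-pss -keyout server-pss-restrict-key.pem \
+    -pkeyopt rsa_pss_keygen_md:sha256 -pkeyopt rsa_pss_keygen_saltlen:32 | \
+    ./mkcert.sh geneenocsr "Server RSA-PSS restricted cert" \
+    server-pss-restrict-cert rootkey rootcert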
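Review bot: The pipeline `openssl req ... | ./mkcert.sh geneenocsr ...` only surfaces the exit status of the mkcert.sh stage, so a failed key generation (for instance an unsupported `-pkeyopt`) would let the script carry on and leave a stale or missing server-pss-restrict-key.pem unless the script sets `pipefail`, which this hunk does not show; `set -o pipefail` at the top of the script, or checking `${PIPESTATUS[0]}` after the pipeline, would close that gap. A comment above `openssl req -new` explaining why this fixture bypasses `./mkcert.sh req` would also help — presumably the PSS restriction options (`rsa_pss_keygen_md`, `rsa_pss_keygen_saltlen`) have no OPENSSL_KEYALG/OPENSSL_KEYBITS equivalent, e.g. `# RSA-PSS key restricted to sha256 / saltlen 32: mkcert.sh req cannot pass -pkeyopt, so build the CSR here and feed it to geneenocsr on stdin`. Note that the CSR subject is `/CN=localhost` while the name handed to geneenocsr becomes the DNS SAN "Server RSA-PSS restricted cert", which is what the added certificate appears to contain; if that asymmetry is intended it deserves a word in the same comment.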