diff options
| author | Daniel McCarney <daniel@binaryparadox.net> | 2024-03-15 14:24:56 -0400 |
|---|---|---|
| committer | Daniel McCarney <daniel@binaryparadox.net> | 2024-04-09 14:26:12 +0000 |
| commit | e65110e730158b4f6ac19f05ee0cc72b0aaeb1c0 (patch) | |
| tree | e1a41885e2a1b692d9820be42d1bb7f90c74d9d1 | |
| parent | c8aac1ba6948d8619708c1901e828151d48508fd (diff) | |
test-ca: remove legacy OpenSSL tooling/config
| -rwxr-xr-x | test-ca/build-a-pki.sh | 258 | ||||
| -rw-r--r-- | test-ca/crl-openssl.cnf | 13 | ||||
| -rw-r--r-- | test-ca/openssl.cnf | 27 |
3 files changed, 0 insertions, 298 deletions
diff --git a/test-ca/build-a-pki.sh b/test-ca/build-a-pki.sh deleted file mode 100755 index febe68a6..00000000 --- a/test-ca/build-a-pki.sh +++ /dev/null @@ -1,258 +0,0 @@ -#!/usr/bin/env bash - -set -xe - -rm -rf rsa/ ecdsa-p256/ ecdsa-p384/ ecdsa-p521/ eddsa/ -mkdir -p rsa/ ecdsa-p256/ ecdsa-p384/ ecdsa-p521/ eddsa/ - -openssl req -nodes \ - -x509 \ - -days 3650 \ - -newkey rsa:4096 \ - -keyout rsa/ca.key \ - -out rsa/ca.cert \ - -sha256 \ - -batch \ - -subj "/CN=ponytown RSA CA" - -openssl req -nodes \ - -newkey rsa:3072 \ - -keyout rsa/inter.key \ - -out rsa/inter.req \ - -sha256 \ - -batch \ - -subj "/CN=ponytown RSA level 2 intermediate" - -openssl req -nodes \ - -newkey rsa:2048 \ - -keyout rsa/end.key \ - -out rsa/end.req \ - -sha256 \ - -batch \ - -subj "/CN=testserver.com" - -openssl rsa \ - -in rsa/end.key \ - -out rsa/end.rsa - -openssl req -nodes \ - -newkey rsa:2048 \ - -keyout rsa/client.key \ - -out rsa/client.req \ - -sha256 \ - -batch \ - -subj "/CN=ponytown client" - -openssl rsa \ - -in rsa/client.key \ - -out rsa/client.rsa - -# ecdsa -for curve in p256 p384 p521 ; do - case $curve in - p256) - openssl ecparam -name prime256v1 -out ecdsa-$curve/curve.pem - ;; - p384) - openssl ecparam -name secp384r1 -out ecdsa-$curve/curve.pem - ;; - p521) - openssl ecparam -name secp521r1 -out ecdsa-$curve/curve.pem - ;; - esac - - openssl req -nodes \ - -x509 \ - -newkey ec:ecdsa-$curve/curve.pem \ - -keyout ecdsa-$curve/ca.key \ - -out ecdsa-$curve/ca.cert \ - -sha256 \ - -batch \ - -days 3650 \ - -subj "/CN=ponytown ECDSA $curve CA" - - openssl req -nodes \ - -newkey ec:ecdsa-$curve/curve.pem \ - -keyout ecdsa-$curve/inter.key \ - -out ecdsa-$curve/inter.req \ - -sha256 \ - -batch \ - -days 3000 \ - -subj "/CN=ponytown ECDSA $curve level 2 intermediate" - - openssl req -nodes \ - -newkey ec:ecdsa-$curve/curve.pem \ - -keyout ecdsa-$curve/end.key \ - -out ecdsa-$curve/end.req \ - -sha256 \ - -batch \ - -days 2000 \ - -subj "/CN=testserver.com" - - openssl req -nodes \ - -newkey ec:ecdsa-$curve/curve.pem \ - -keyout ecdsa-$curve/client.key \ - -out ecdsa-$curve/client.req \ - -sha256 \ - -batch \ - -days 2000 \ - -subj "/CN=ponytown client" -done - -# eddsa - -# TODO: add support for Ed448 -# openssl genpkey -algorithm Ed448 -out eddsa/ca.key -openssl genpkey -algorithm Ed25519 -out eddsa/ca.key - -openssl req -nodes \ - -x509 \ - -key eddsa/ca.key \ - -out eddsa/ca.cert \ - -sha256 \ - -batch \ - -days 3650 \ - -subj "/CN=ponytown EdDSA CA" - -openssl genpkey -algorithm Ed25519 -out eddsa/inter.key - -openssl req -nodes \ - -new \ - -key eddsa/inter.key \ - -out eddsa/inter.req \ - -sha256 \ - -batch \ - -subj "/CN=ponytown EdDSA level 2 intermediate" - -openssl genpkey -algorithm Ed25519 -out eddsa/end.key - -openssl req -nodes \ - -new \ - -key eddsa/end.key \ - -out eddsa/end.req \ - -sha256 \ - -batch \ - -subj "/CN=testserver.com" - -# TODO: add support for Ed448 -# openssl genpkey -algorithm Ed448 -out eddsa/client.key -openssl genpkey -algorithm Ed25519 -out eddsa/client.key - -openssl req -nodes \ - -new \ - -key eddsa/client.key \ - -out eddsa/client.req \ - -sha256 \ - -batch \ - -subj "/CN=ponytown client" - -# Generate a CRL revoking a specific certificate, signed by the specified issuer. -# Arguments: -# 1. the key type (e.g. "rsa") -# 2. signature hash algorithm (e.g. "sha256") -# 3. the name of the issuer (e.g. "inter") -# 4. the name of the certificate to revoke (e.g. "end") -function gen_crl { - local kt=$1 - local hash=$2 - local issuer_name=$3 - local revoked_cert_name=$4 - - # Overwrite the CA state for each revocation - this avoids an - # "already revoked" error since we're re-using serial numbers across - # key types. - echo -n '' > index.txt - echo '1000' > crlnumber - - # Revoke the certificate in the openssl CA index. This produces a CRL but - # doesn't include the revoked certificate in the CRL... - openssl ca \ - -config ./crl-openssl.cnf \ - -keyfile "$kt/$issuer_name.key" \ - -cert "$kt/$issuer_name.cert" \ - -gencrl \ - -md $hash \ - -crldays 7 \ - -revoke "$kt/$revoked_cert_name.cert" \ - -crl_reason keyCompromise \ - -out "$kt/$revoked_cert_name.revoked.crl.pem" - - # Run -gencrl again to actually include the revoked certificate in the CRL. - openssl ca \ - -config ./crl-openssl.cnf \ - -keyfile "$kt/$issuer_name.key" \ - -cert "$kt/$issuer_name.cert" \ - -md $hash \ - -gencrl \ - -crldays 7 \ - -out "$kt/$revoked_cert_name.revoked.crl.pem" -} - -for kt in rsa ecdsa-p256 ecdsa-p384 ecdsa-p521 eddsa ; do - case $kt in - rsa) - hash=sha256 - ;; - ecdsa-p256) - hash=sha256 - ;; - ecdsa-p384) - hash=sha384 - ;; - ecdsa-p521) - hash=sha512 - ;; - eddsa) - hash=sha512 - ;; - esac - - openssl x509 -req \ - -in $kt/inter.req \ - -out $kt/inter.cert \ - -CA $kt/ca.cert \ - -CAkey $kt/ca.key \ - -$hash \ - -days 3650 \ - -set_serial 123 \ - -extensions v3_inter -extfile openssl.cnf - - openssl x509 -req \ - -in $kt/end.req \ - -out $kt/end.cert \ - -CA $kt/inter.cert \ - -CAkey $kt/inter.key \ - -$hash \ - -days 2000 \ - -set_serial 456 \ - -extensions v3_end -extfile openssl.cnf - - openssl x509 -req \ - -in $kt/client.req \ - -out $kt/client.cert \ - -CA $kt/inter.cert \ - -CAkey $kt/inter.key \ - -$hash \ - -days 2000 \ - -set_serial 789 \ - -extensions v3_client -extfile openssl.cnf - - # Generate a CRL revoking the client certificate - gen_crl $kt $hash inter client - # Generate a CRL revoking the server certificate - gen_crl $kt $hash inter end - # Generate a CRL revoking the intermediate certificate - gen_crl $kt $hash ca inter - - cat $kt/inter.cert $kt/ca.cert > $kt/end.chain - cat $kt/end.cert $kt/inter.cert $kt/ca.cert > $kt/end.fullchain - - cat $kt/inter.cert $kt/ca.cert > $kt/client.chain - cat $kt/client.cert $kt/inter.cert $kt/ca.cert > $kt/client.fullchain - - openssl asn1parse -in $kt/ca.cert -out $kt/ca.der > /dev/null -done - -# Tidy up openssl CA state. -rm index.txt* || true -rm crlnumber* || true diff --git a/test-ca/crl-openssl.cnf b/test-ca/crl-openssl.cnf deleted file mode 100644 index 2dc3e2cd..00000000 --- a/test-ca/crl-openssl.cnf +++ /dev/null @@ -1,13 +0,0 @@ -# The bare minimum OpenSSL config required to issue CRLs with 'openssl ca' - -[ ca ] -default_ca = CA_default - -[ CA_default ] -database = ./index.txt -crlnumber = ./crlnumber -default_md = default -crl_extensions = crl_ext - -[ crl_ext ] -authorityKeyIdentifier=keyid:always diff --git a/test-ca/openssl.cnf b/test-ca/openssl.cnf deleted file mode 100644 index 549a5c48..00000000 --- a/test-ca/openssl.cnf +++ /dev/null @@ -1,27 +0,0 @@ - -[ v3_end ] -basicConstraints = critical,CA:false -keyUsage = nonRepudiation, digitalSignature -subjectKeyIdentifier = hash -authorityKeyIdentifier = keyid:always,issuer:always -subjectAltName = @alt_names - -[ v3_client ] -basicConstraints = critical,CA:false -keyUsage = nonRepudiation, digitalSignature -extendedKeyUsage = critical, clientAuth -subjectKeyIdentifier = hash -authorityKeyIdentifier = keyid:always,issuer:always - -[ v3_inter ] -subjectKeyIdentifier = hash -extendedKeyUsage = critical, serverAuth, clientAuth -basicConstraints = CA:true -keyUsage = cRLSign, keyCertSign, digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment, keyAgreement, keyCertSign, cRLSign - -[ alt_names ] -DNS.1 = testserver.com -IP.1 = 198.51.100.1 -DNS.2 = second.testserver.com -IP.2 = 2001:db8::1 -DNS.3 = localhost |