Add test server cert with OCSP and CDP extensions

12 years ago · 6a93c73164
parent ae306f3b0b
commit 6a93c73164
4 changed files with 50 additions and 10 deletions
--- a/.gitignore
+++ b/.gitignore
@ -15,5 +15,8 @@
 /extra/pki/rsa.pem
 /extra/pki/rsa.crt
 /extra/pki/rsa.key
+/extra/pki/server.pem
+/extra/pki/server.crt
+/extra/pki/server.key
 /extra/pki/session.pem
 /extra/pki/targets/*
--- a/4
+++ b/4
@ -264,10 +264,10 @@ $(TARGET): $(OBJS)

 version.o: version.c version.h GNUmakefile $(VFILE) FORCE

-extra/pki/rsa.pem:
+extra/pki/%.pem:
 	$(MAKE) -C extra/pki

-test: extra/pki/rsa.pem $(TARGET).test
+test: extra/pki/rsa.pem extra/pki/server.pem $(TARGET).test
 	$(RM) extra/pki/session.pem
 	$(MAKE) -C extra/pki session
 	./$(TARGET).test
--- a/extra/pki/GNUmakefile
+++ b/extra/pki/GNUmakefile
@ -4,12 +4,15 @@ OPENSSL?=	openssl
 MKDIR?=		mkdir

 # OpenSSL settings
-CA_SUBJECT?=	'/O=SSLsplit Root CA/CN=SSLsplit Root CA/'
+CA_SUBJECT?=	'/C=CH/O=SSLsplit Root CA/CN=SSLsplit Root CA/'
 CA_DAYS?=	3650
+CA_EXT:=	v3_ca
+CRT_SUBJECT?=	'/C=CH/O=SSLsplit Test Certificate/CN=daniel.roe.ch/'
+CRT_DAYS?=	365
+CRT_EXT:=	v3_crt
 CONFIG:=	x509v3ca.cnf
-CONFIG_EXT:=	v3_ca

-all: rsa dsa ec targets
+all: rsa dsa ec targets server

 session: session.pem

@ -21,6 +24,8 @@ dsa: dsa.pem

 ec: ec.pem

+server: server.pem
+
 dh512.param:
 	$(OPENSSL) dhparam -out $@ -2 512

@ -44,10 +49,19 @@ ec.key:

 %.crt: %.key
 	$(OPENSSL) req -new -nodes -x509 -sha1 -out $@ -key $< \
-		-config $(CONFIG) -extensions $(CONFIG_EXT) \
+		-config $(CONFIG) -extensions $(CA_EXT) \
 		-subj $(CA_SUBJECT) \
 		-set_serial 0 -days $(CA_DAYS)

+server.key:
+	$(OPENSSL) genrsa -out $@ 1024
+
+server.crt: server.key
+	$(OPENSSL) req -new -nodes -x509 -sha1 -out $@ -key $< \
+		-config $(CONFIG) -extensions $(CRT_EXT) \
+		-subj $(CRT_SUBJECT) \
+		-set_serial 42 -days $(CRT_DAYS)
+
 %.pem: %.crt %.key
 	cat $^ >$@

@ -88,7 +102,7 @@ session.pem:
 	test -r $@

 clean:
-	rm -rf rsa.* dsa.* ec.* dh*.param targets *.srl session.pem
+	rm -rf rsa.* dsa.* ec.* dh*.param targets *.srl session.pem server.*

 .PHONY: all clean rsa dsa ec dh dhall session

--- a/extra/pki/x509v3ca.cnf
+++ b/extra/pki/x509v3ca.cnf
@ -4,6 +4,29 @@ distinguished_name = reqdn
 [ reqdn ]

 [ v3_ca ]
-basicConstraints                        = CA:TRUE
-subjectKeyIdentifier                    = hash
-authorityKeyIdentifier                  = keyid:always,issuer:always
+basicConstraints                = CA:TRUE
+subjectKeyIdentifier            = hash
+authorityKeyIdentifier          = keyid:always,issuer:always
+
+[ v3_crt ]
+basicConstraints                = CA:FALSE
+subjectKeyIdentifier            = hash
+authorityKeyIdentifier          = keyid:always,issuer:always
+authorityInfoAccess             = OCSP;URI:http://daniel.roe.ch/test/ocsp
+crlDistributionPoints           = URI:http://daniel.roe.ch/test/crl1,crl2
+subjectAltName                  = dirName:s1n,DNS:daniel.roe.ch,IP:127.0.0.1,email:daniel@roe.ch,DNS:www.roe.ch,DNS:*.roe.ch
+
+[ s1n ]
+C=CH
+O=SSLsplit Test Certificate
+CN=daniel.roe.ch
+
+[ crl2 ]
+fullname                        = URI:http://daniel.roe.ch/test/crl2
+CRLissuer                       = URI:dirName:crl2issuer
+reasons                         = keyCompromise, CACompromise
+
+[ crl2issuer ]
+C=CH
+O=SSLsplit Root CA
+CN=SSLsplit Root CA