rpms / krb5

Clone
Source Code
GIT

Blame SOURCES/Add-test-cert-generation-to-make-certs.sh.patch

c4 c5 c5-plus c6 c6-plus c7 c7-alt c7-beta c7-sig-altarch-fasttrack c8 c8-beta c8s c9 c9-beta
  1.   fb3c090e524a7be0b4f07b0d3a6e1aea6a3e195f
  2.   SOURCES
  3.   Add-test-cert-generation-to-make-certs.sh.patch
Blob History Raw
e58a44 
From fd8ce9e1ed7a8d6cf5ac7d27d6acf40b0453c45e Mon Sep 17 00:00:00 2001
e58a44 
From: Robbie Harwood <rharwood@redhat.com>
e58a44 
Date: Tue, 5 Sep 2017 15:54:31 -0400
e58a44 
Subject: [PATCH] Add test cert generation to make-certs.sh
e58a44
e58a44 
Based on commit 5a1d0388ba2e4ec510ed715ce5fbc7f748941425 but missing
e58a44 
everything but the make-certs change since infrastructure cannot patch
e58a44 
binaries.  Plan to run make-certs during build, but this will only
e58a44 
work with openssl < 1.1.
e58a44 
---
665228 
 src/tests/dejagnu/pkinit-certs/make-certs.sh | 53 +++++++++++++++++++-
e58a44 
 1 file changed, 52 insertions(+), 1 deletion(-)
e58a44
e58a44 
diff --git a/src/tests/dejagnu/pkinit-certs/make-certs.sh b/src/tests/dejagnu/pkinit-certs/make-certs.sh
e58a44 
index b82ef6f83..0f07709b0 100755
e58a44 
--- a/src/tests/dejagnu/pkinit-certs/make-certs.sh
e58a44 
+++ b/src/tests/dejagnu/pkinit-certs/make-certs.sh
e58a44 
@@ -4,7 +4,9 @@ NAMETYPE=1
e58a44 
 KEYSIZE=2048
e58a44 
 DAYS=4000
e58a44 
 REALM=KRBTEST.COM
e58a44 
+LOWREALM=krbtest.com
e58a44 
 KRB5_PRINCIPAL_SAN=1.3.6.1.5.2.2
e58a44 
+KRB5_UPN_SAN=1.3.6.1.4.1.311.20.2.3
e58a44 
 PKINIT_KDC_EKU=1.3.6.1.5.2.3.5
e58a44 
 PKINIT_CLIENT_EKU=1.3.6.1.5.2.3.4
e58a44 
 TLS_SERVER_EKU=1.3.6.1.5.5.7.3.1
e58a44 
@@ -85,6 +87,30 @@ keyUsage = nonRepudiation,digitalSignature,keyEncipherment,keyAgreement
e58a44 
 basicConstraints = critical,CA:FALSE
e58a44 
 subjectAltName = otherName:$KRB5_PRINCIPAL_SAN;SEQUENCE:krb5princ_client
e58a44 
 extendedKeyUsage = $CLIENT_EKU_LIST
e58a44 
+
e58a44 
+[exts_upn_client]
e58a44 
+subjectKeyIdentifier = hash
e58a44 
+authorityKeyIdentifier = keyid:always,issuer:always
e58a44 
+keyUsage = nonRepudiation,digitalSignature,keyEncipherment,keyAgreement
e58a44 
+basicConstraints = critical,CA:FALSE
e58a44 
+subjectAltName = otherName:$KRB5_UPN_SAN;UTF8:user@$LOWREALM
e58a44 
+extendedKeyUsage = $CLIENT_EKU_LIST
e58a44 
+
e58a44 
+[exts_upn2_client]
e58a44 
+subjectKeyIdentifier = hash
e58a44 
+authorityKeyIdentifier = keyid:always,issuer:always
e58a44 
+keyUsage = nonRepudiation,digitalSignature,keyEncipherment,keyAgreement
e58a44 
+basicConstraints = critical,CA:FALSE
e58a44 
+subjectAltName = otherName:$KRB5_UPN_SAN;UTF8:user
e58a44 
+extendedKeyUsage = $CLIENT_EKU_LIST
e58a44 
+
e58a44 
+[exts_upn3_client]
e58a44 
+subjectKeyIdentifier = hash
e58a44 
+authorityKeyIdentifier = keyid:always,issuer:always
e58a44 
+keyUsage = nonRepudiation,digitalSignature,keyEncipherment,keyAgreement
e58a44 
+basicConstraints = critical,CA:FALSE
e58a44 
+subjectAltName = otherName:$KRB5_UPN_SAN;UTF8:user@$REALM
e58a44 
+extendedKeyUsage = $CLIENT_EKU_LIST
e58a44 
 EOF
e58a44
e58a44 
 # Generate a private key.
e58a44 
@@ -113,5 +139,30 @@ openssl pkcs12 -export -in user.pem -inkey privkey.pem -out user.p12 \
e58a44 
 openssl pkcs12 -export -in user.pem -inkey privkey.pem -out user-enc.p12 \
e58a44 
     -passout pass:encrypted
e58a44
e58a44 
+# Generate a client certificate and PKCS#12 bundles with a UPN SAN.
e58a44 
+SUBJECT=user openssl req -config openssl.cnf -new -subj /CN=user \
e58a44 
+    -key privkey.pem -out user-upn.csr
e58a44 
+SUBJECT=user openssl x509 -extfile openssl.cnf -extensions exts_upn_client \
e58a44 
+    -set_serial 4 -days $DAYS -req -CA ca.pem -CAkey privkey.pem \
e58a44 
+    -out user-upn.pem -in user-upn.csr
e58a44 
+openssl pkcs12 -export -in user-upn.pem -inkey privkey.pem -out user-upn.p12 \
e58a44 
+    -passout pass:
e58a44 
+
e58a44 
+SUBJECT=user openssl req -config openssl.cnf -new -subj /CN=user \
e58a44 
+    -key privkey.pem -out user-upn2.csr
e58a44 
+SUBJECT=user openssl x509 -extfile openssl.cnf -extensions exts_upn2_client \
e58a44 
+    -set_serial 5 -days $DAYS -req -CA ca.pem -CAkey privkey.pem \
e58a44 
+    -out user-upn2.pem -in user-upn2.csr
e58a44 
+openssl pkcs12 -export -in user-upn2.pem -inkey privkey.pem \
e58a44 
+     -out user-upn2.p12 -passout pass:
e58a44 
+
e58a44 
+SUBJECT=user openssl req -config openssl.cnf -new -subj /CN=user \
e58a44 
+    -key privkey.pem -out user-upn3.csr
e58a44 
+SUBJECT=user openssl x509 -extfile openssl.cnf -extensions exts_upn3_client \
e58a44 
+    -set_serial 6 -days $DAYS -req -CA ca.pem -CAkey privkey.pem \
e58a44 
+    -out user-upn3.pem -in user-upn3.csr
e58a44 
+openssl pkcs12 -export -in user-upn3.pem -inkey privkey.pem \
e58a44 
+     -out user-upn3.p12 -passout pass:
e58a44 
+
e58a44 
 # Clean up.
e58a44 
-rm -f openssl.cnf kdc.csr user.csr
e58a44 
+rm -f openssl.cnf kdc.csr user.csr user-upn.csr user-upn2.csr user-upn3.csr

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation