aboutsummaryrefslogtreecommitdiffstats
path: root/tests/cert-extensions
diff options
context:
space:
mode:
authorGuilhem Moulin <guilhem@debian.org>2021-02-22 03:30:32 +0100
committerGuilhem Moulin <guilhem@debian.org>2021-02-22 03:30:32 +0100
commitd1be19ea9484f4c48af2de54266465d49bb1281d (patch)
tree768da9388a9ea6ed42d8d818a6433a4871a1172e /tests/cert-extensions
parent847ae99fb1ed73fd77c6ffd30f2c554ab5892fde (diff)
parent3eba02ef820a393bd5781be9f8fcda1611ae7c3d (diff)
Merge tag 'v0.8.0' into debian/latest
Release version 0.8.0
Diffstat (limited to 'tests/cert-extensions')
-rw-r--r--tests/cert-extensions91
1 files changed, 91 insertions, 0 deletions
diff --git a/tests/cert-extensions b/tests/cert-extensions
new file mode 100644
index 0000000..a397ee5
--- /dev/null
+++ b/tests/cert-extensions
@@ -0,0 +1,91 @@
+# X509v3 certificate extension, cf. x509v3_config(5ssl)
+
+x509_check() {
+ local cert="$1" ext out
+ out="$(mktemp --tmpdir)"
+ ext="basicConstraints,subjectAltName,keyUsage,extendedKeyUsage,tlsfeature"
+ openssl x509 -noout -subject -ext "$ext" -nameopt compat <"$cert" >"$out"
+ diff --unified --color=auto -b --label="a/${cert#/}" --label="b/${cert#/}" -- - "$out"
+}
+
+# default settings (the ACME server adds a subjectAltName with the Common Name)
+openssl genpkey -algorithm RSA -out /etc/lacme/test1.key
+commonName="$(head -c10 /dev/urandom | base32 -w0 | tr "[A-Z]" "[a-z]").$DOMAINNAME"
+cat >"/etc/lacme/lacme-certs.conf.d/test1.conf" <<- EOF
+ [test1]
+ certificate-key = /etc/lacme/test1.key
+ certificate-chain = /etc/lacme/test1.crt
+ subject = /CN=$commonName
+EOF
+
+lacme newOrder test1
+test /etc/lacme/test1.crt -nt /etc/lacme/test1.key
+x509_check /etc/lacme/test1.crt <<-EOF
+ subject=/CN=$commonName
+ X509v3 Key Usage: critical
+ Digital Signature, Key Encipherment
+ X509v3 Extended Key Usage:
+ TLS Web Server Authentication, TLS Web Client Authentication
+ X509v3 Basic Constraints: critical
+ CA:FALSE
+ X509v3 Subject Alternative Name:
+ DNS:$commonName
+EOF
+
+# subjectAltName
+openssl genpkey -algorithm RSA -out /etc/lacme/test2.key
+commonName="$(head -c10 /dev/urandom | base32 -w0 | tr "[A-Z]" "[a-z]").$DOMAINNAME"
+subjectAltName=""
+for i in $(seq 1 8); do
+ subjectAltName="${subjectAltName:+"$subjectAltName "}$(head -c10 /dev/urandom | base32 -w0 | tr "[A-Z]" "[a-z]").$DOMAINNAME"
+done
+cat >"/etc/lacme/lacme-certs.conf.d/test2.conf" <<- EOF
+ [test2]
+ certificate-key = /etc/lacme/test2.key
+ certificate-chain = /etc/lacme/test2.crt
+ subject = /CN=$commonName
+ subjectAltName = DNS:$(echo "$subjectAltName" | sed -r "s/ /, DNS:/g")
+EOF
+
+lacme newOrder test2
+test /etc/lacme/test2.crt -nt /etc/lacme/test2.key
+x509_check /etc/lacme/test2.crt <<-EOF
+ subject=/CN=$commonName
+ X509v3 Key Usage: critical
+ Digital Signature, Key Encipherment
+ X509v3 Extended Key Usage:
+ TLS Web Server Authentication, TLS Web Client Authentication
+ X509v3 Basic Constraints: critical
+ CA:FALSE
+ X509v3 Subject Alternative Name:
+ DNS:$(echo "$commonName" "$subjectAltName" | tr " " "\\n" | sort -u | paste -sd" " | sed -r "s/ /, DNS:/g")
+EOF
+
+# tlsfeature
+openssl genpkey -algorithm RSA -out /etc/lacme/test3.key
+commonName="$(head -c10 /dev/urandom | base32 -w0 | tr "[A-Z]" "[a-z]").$DOMAINNAME"
+cat >"/etc/lacme/lacme-certs.conf.d/test3.conf" <<- EOF
+ [test3]
+ certificate-key = /etc/lacme/test3.key
+ certificate-chain = /etc/lacme/test3.crt
+ subject = /CN=$commonName
+ tlsfeature = status_request
+EOF
+
+lacme newOrder test3
+test /etc/lacme/test3.crt -nt /etc/lacme/test3.key
+x509_check /etc/lacme/test3.crt <<-EOF
+ subject=/CN=$commonName
+ X509v3 Key Usage: critical
+ Digital Signature, Key Encipherment
+ X509v3 Extended Key Usage:
+ TLS Web Server Authentication, TLS Web Client Authentication
+ X509v3 Basic Constraints: critical
+ CA:FALSE
+ X509v3 Subject Alternative Name:
+ DNS:$commonName
+ TLS Feature:
+ status_request
+EOF
+
+# vim: set filetype=sh :