From 0168f18229402b299a3fb3bb6fe3edb8e3ffa7fc Mon Sep 17 00:00:00 2001
From: Rasmus Dahlberg
Date: Tue, 3 Nov 2020 20:01:08 +0100
Subject: added chain processing with intermediate certificates

Basic test chains can be generated manually with openssl, see details in server/testdata/x509/README.md.
---
 server/testdata/x509/.rand | 0
 server/testdata/x509/README.md | 35 +++++++++++++++++++++
 server/testdata/x509/ca.conf | 59 +++++++++++++++++++++++++++++++++++
 server/testdata/x509/chain.pem | 23 ++++++++++++++
 server/testdata/x509/end-entity.key | 3 ++
 server/testdata/x509/end-entity.pem | 10 ++++++
 server/testdata/x509/intermediate.key | 3 ++
 server/testdata/x509/intermediate.pem | 13 ++++++++
 server/testdata/x509/root.key | 3 ++
 server/testdata/x509/root.pem | 13 ++++++++
 10 files changed, 162 insertions(+)
 create mode 100644 server/testdata/x509/.rand
 create mode 100644 server/testdata/x509/README.md
 create mode 100644 server/testdata/x509/ca.conf
 create mode 100644 server/testdata/x509/chain.pem
 create mode 100644 server/testdata/x509/end-entity.key
 create mode 100644 server/testdata/x509/end-entity.pem
 create mode 100644 server/testdata/x509/intermediate.key
 create mode 100644 server/testdata/x509/intermediate.pem
 create mode 100644 server/testdata/x509/root.key
 create mode 100644 server/testdata/x509/root.pem
(limited to 'server/testdata/x509')

diff --git a/server/testdata/x509/.rand b/server/testdata/x509/.rand
new file mode 100644
index 0000000..e69de29
diff --git a/server/testdata/x509/README.md b/server/testdata/x509/README.md
new file mode 100644
index 0000000..c9f03de
--- /dev/null
+++ b/server/testdata/x509/README.md
@@ -0,0 +1,35 @@
+# Create new certificate chains
+## Initial setup
+```
+$ touch index
+$ echo 1000 > serial
+```
+
+## Root certificate
+```
+$ openssl genpkey -algorithm ed25519 -out root.key
+$ openssl req -new -x509 -config ca.conf -extensions v3_ca -days 4096 -key root.key -out root.pem
+$ openssl x509 -in root.pem -text -noout
+```
+
+## Intermediate certificate
+```
+$ openssl genpkey -algorithm ed25519 -out intermediate.key
+$ openssl req -new -config ca.conf -extensions v3_intermediate_ca -key intermediate.key -out intermediate.csr
+$ openssl ca -config ca.conf -extensions v3_intermediate_ca -days 4096 -in intermediate.csr -notext -out intermediate.pem
+$ openssl x509 -in intermediate.pem -text -noout
+```
+
+## End-entity certificate
+```
+$ openssl genpkey -algorithm ed25519 -out end-entity.key
+$ openssl req -new -key end-entity.key -out end-entity.csr
+$ openssl x509 -req -days 4096 -CA intermediate.pem -CAkey intermediate.key -CAcreateserial -in end-entity.csr -out end-entity.pem
+$ openssl x509 -in end-entity.pem -text -noout
+```
+
+## Make chain
+```
+$ cat end-entity.pem > chain.pem
+$ cat intermediate.pem >> chain.pem
+```
diff --git a/server/testdata/x509/ca.conf b/server/testdata/x509/ca.conf
new file mode 100644
index 0000000..7889331
--- /dev/null
+++ b/server/testdata/x509/ca.conf
@@ -0,0 +1,59 @@
+[ca]
+default_ca = ca_settings
+
+[ ca_settings ]
+dir = .
+certs = $dir
+crl_dir = $dir
+new_certs_dir = $dir
+database = $dir/index
+serial = $dir/serial
+
+private_key = $dir/root.key
+certificate = $dir/root.pem
+
+policy = ca_policy
+
+[ ca_policy ]
+countryName = optional
+stateOrProvinceName = optional
+localityName = optional
+organizationName = optional
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+
+# Options for the `req` tool, `man req`
+[ req ]
+distinguished_name = req_distinguished_name
+
+# Extensions for a typical CA, see `man x509v3_config`
+[ v3_ca ]
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+basicConstraints = critical, CA:true
+keyUsage = critical, digitalSignature, keyCertSign
+
+# Extensions for a typical intermediate CA, see `man x509v3_config`
+[ v3_intermediate_ca ]
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+basicConstraints = critical, CA:true, pathlen:0
+keyUsage = critical, digitalSignature, keyCertSign
+
+[ req_distinguished_name ]
+countryName = Country Name (2 letter code)
+stateOrProvinceName = State or Province Name
+localityName = Locality Name
+0.organizationName = Organization Name
+organizationalUnitName = Organizational Unit Name
+commonName = Common Name
+emailAddress = Email Address
+
+countryName_default = NA
+stateOrProvinceName_default = NA
+localityName_default = NA
+0.organizationName_default = NA
+organizationalUnitName_default = NA
+emailAddress_default = NA
+commonName_default = stfe testdata
diff --git a/server/testdata/x509/chain.pem b/server/testdata/x509/chain.pem
new file mode 100644
index 0000000..0ac66a0
--- /dev/null
+++ b/server/testdata/x509/chain.pem
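Review bot: Every subject name produced from `[ req_distinguished_name ]` is the same, because `commonName_default = stfe testdata` and the other `_default` entries are fixed and the README runs `openssl req -config ca.conf` for both the root and the intermediate without `-subj`; the committed intermediate.pem accordingly has identical issuer and subject names, equal to root.pem's subject, and end-entity.pem's issuer name matches both. RFC 5280 §6.1 treats a certificate whose issuer and subject names are equal as self-issued and does not count it against pathLenConstraint or apply name constraints to it, and a validator that picks issuer candidates by subject name may get two hits for the leaf, so these fixtures exercise less of the intermediate-handling logic than their file names suggest. A comment next to the defaults would make this visible, e.g. `# NOTE: root and intermediate share this subject DN unless -subj is passed to openssl req`, or the intermediate could get its own `_default` values so the two CA names differ.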
@@ -0,0 +1,23 @@
+-----BEGIN CERTIFICATE-----
+MIIBbDCCAR4CFDfeuu6XURfn7AE4WShuwZBHEaLIMAUGAytlcDBsMQswCQYDVQQG
+EwJOQTELMAkGA1UECAwCTkExCzAJBgNVBAcMAk5BMQswCQYDVQQKDAJOQTELMAkG
+A1UECwwCTkExFjAUBgNVBAMMDXN0ZmUgdGVzdGRhdGExETAPBgkqhkiG9w0BCQEW
+Ak5BMB4XDTIwMTEwMzE4MzI0MFoXDTMyMDEyMTE4MzI0MFowRTELMAkGA1UEBhMC
+QVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGEludGVybmV0IFdpZGdp
+dHMgUHR5IEx0ZDAqMAUGAytlcAMhAJvk390ZvwULplBri03Od4LLz+Sf/OUHu+20
+wik+T9y5MAUGAytlcANBANekliXq4ttoClBJDZoktIQxyHHNcWyXFrj1HlOaT5bC
+I3GIqqZ60Ua3jKytnEsKsD2rLMPItDwmG6wYSecy2ws=
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIB7jCCAaCgAwIBAgICEAAwBQYDK2VwMGwxCzAJBgNVBAYTAk5BMQswCQYDVQQI
+DAJOQTELMAkGA1UEBwwCTkExCzAJBgNVBAoMAk5BMQswCQYDVQQLDAJOQTEWMBQG
+A1UEAwwNc3RmZSB0ZXN0ZGF0YTERMA8GCSqGSIb3DQEJARYCTkEwHhcNMjAxMTAz
+MTgzMjE4WhcNMzIwMTIxMTgzMjE4WjBsMQswCQYDVQQGEwJOQTELMAkGA1UECAwC
+TkExCzAJBgNVBAcMAk5BMQswCQYDVQQKDAJOQTELMAkGA1UECwwCTkExFjAUBgNV
+BAMMDXN0ZmUgdGVzdGRhdGExETAPBgkqhkiG9w0BCQEWAk5BMCowBQYDK2VwAyEA
+F1yPPpjHKDAKN73pBFGXzAvIjdkLLimydu2y1HLMOiKjZjBkMB0GA1UdDgQWBBQ6
+P7JQ7yXtrTh7YkVU0I78P9A+nDAfBgNVHSMEGDAWgBQBvsxROtKU6zmr/SxcfTMD
+sAQcMTASBgNVHRMBAf8ECDAGAQH/AgEAMA4GA1UdDwEB/wQEAwIChDAFBgMrZXAD
+QQBm1GMV0ADPnXRWnelCW9tcyTh0p9hKefuSy/MNx7/XLHKnM5fX+yHqD84QOxES
+Vc510vi4dM8I+e/vcoBsmMQP
+-----END CERTIFICATE-----
diff --git a/server/testdata/x509/end-entity.key b/server/testdata/x509/end-entity.key
new file mode 100644
index 0000000..da83f09
--- /dev/null
+++ b/server/testdata/x509/end-entity.key
@@ -0,0 +1,3 @@
+-----BEGIN PRIVATE KEY-----
+MC4CAQAwBQYDK2VwBCIEIDme3WaCwW2/FX095yh02yIIsn0D3vbvN5NsJzcdUwq1
+-----END PRIVATE KEY-----
diff --git a/server/testdata/x509/end-entity.pem b/server/testdata/x509/end-entity.pem
new file mode 100644
index 0000000..52b99f6
--- /dev/null
+++ b/server/testdata/x509/end-entity.pem
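Review bot: The first certificate in chain.pem (and the identical end-entity.pem in the following file section) is an X.509 v1 certificate: its DER (`MIIBbDCCAR4CFDfe…`) goes from the tbsCertificate SEQUENCE straight into the 20-byte serial INTEGER with no `[0]` version field, so the leaf carries no extensions at all — no subjectAltName, no keyUsage/extendedKeyUsage, no authorityKeyIdentifier. That is what the README's `openssl x509 -req … -CA intermediate.pem` step produces when run without `-extfile`/`-extensions`, so it is a property of how the fixture was generated rather than of the chain code. Chain-processing paths that expect a v3 leaf or that locate the issuer via the AKI will not be exercised by this data; regenerating the leaf with an extensions section (for example `-extfile ca.conf -extensions <leaf-section>`, where `<leaf-section>` is a placeholder for a section the committed ca.conf does not yet define) would make it representative of a normal submission. If a v1 leaf is the intended case, a one-line remark in README.md saying so would remove the ambiguity.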
@@ -0,0 +1,10 @@
+-----BEGIN CERTIFICATE-----
+MIIBbDCCAR4CFDfeuu6XURfn7AE4WShuwZBHEaLIMAUGAytlcDBsMQswCQYDVQQG
+EwJOQTELMAkGA1UECAwCTkExCzAJBgNVBAcMAk5BMQswCQYDVQQKDAJOQTELMAkG
+A1UECwwCTkExFjAUBgNVBAMMDXN0ZmUgdGVzdGRhdGExETAPBgkqhkiG9w0BCQEW
+Ak5BMB4XDTIwMTEwMzE4MzI0MFoXDTMyMDEyMTE4MzI0MFowRTELMAkGA1UEBhMC
+QVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGEludGVybmV0IFdpZGdp
+dHMgUHR5IEx0ZDAqMAUGAytlcAMhAJvk390ZvwULplBri03Od4LLz+Sf/OUHu+20
+wik+T9y5MAUGAytlcANBANekliXq4ttoClBJDZoktIQxyHHNcWyXFrj1HlOaT5bC
+I3GIqqZ60Ua3jKytnEsKsD2rLMPItDwmG6wYSecy2ws=
+-----END CERTIFICATE-----
diff --git a/server/testdata/x509/intermediate.key b/server/testdata/x509/intermediate.key
new file mode 100644
index 0000000..26721e4
--- /dev/null
+++ b/server/testdata/x509/intermediate.key
@@ -0,0 +1,3 @@
+-----BEGIN PRIVATE KEY-----
+MC4CAQAwBQYDK2VwBCIEIEiZEO5PnjkbN4A+5r9LVTIZeVdPq/on5AzwnetZjszE
+-----END PRIVATE KEY-----
diff --git a/server/testdata/x509/intermediate.pem b/server/testdata/x509/intermediate.pem
new file mode 100644
index 0000000..0f893b8
--- /dev/null
+++ b/server/testdata/x509/intermediate.pem
@@ -0,0 +1,13 @@
+-----BEGIN CERTIFICATE-----
+MIIB7jCCAaCgAwIBAgICEAAwBQYDK2VwMGwxCzAJBgNVBAYTAk5BMQswCQYDVQQI
+DAJOQTELMAkGA1UEBwwCTkExCzAJBgNVBAoMAk5BMQswCQYDVQQLDAJOQTEWMBQG
+A1UEAwwNc3RmZSB0ZXN0ZGF0YTERMA8GCSqGSIb3DQEJARYCTkEwHhcNMjAxMTAz
+MTgzMjE4WhcNMzIwMTIxMTgzMjE4WjBsMQswCQYDVQQGEwJOQTELMAkGA1UECAwC
+TkExCzAJBgNVBAcMAk5BMQswCQYDVQQKDAJOQTELMAkGA1UECwwCTkExFjAUBgNV
+BAMMDXN0ZmUgdGVzdGRhdGExETAPBgkqhkiG9w0BCQEWAk5BMCowBQYDK2VwAyEA
+F1yPPpjHKDAKN73pBFGXzAvIjdkLLimydu2y1HLMOiKjZjBkMB0GA1UdDgQWBBQ6
+P7JQ7yXtrTh7YkVU0I78P9A+nDAfBgNVHSMEGDAWgBQBvsxROtKU6zmr/SxcfTMD
+sAQcMTASBgNVHRMBAf8ECDAGAQH/AgEAMA4GA1UdDwEB/wQEAwIChDAFBgMrZXAD
+QQBm1GMV0ADPnXRWnelCW9tcyTh0p9hKefuSy/MNx7/XLHKnM5fX+yHqD84QOxES
+Vc510vi4dM8I+e/vcoBsmMQP
+-----END CERTIFICATE-----
diff --git a/server/testdata/x509/root.key b/server/testdata/x509/root.key
new file mode 100644
index 0000000..c2dd558
--- /dev/null
+++ b/server/testdata/x509/root.key
@@ -0,0 +1,3 @@
+-----BEGIN PRIVATE KEY-----
+MC4CAQAwBQYDK2VwBCIEIPJGy4Tf9SwDv44lLCmVyEjsbUmwfTg+j/Xoyaunf1rx
+-----END PRIVATE KEY-----
diff --git a/server/testdata/x509/root.pem b/server/testdata/x509/root.pem
new file mode 100644
index 0000000..1fc802b
--- /dev/null
+++ b/server/testdata/x509/root.pem
@@ -0,0 +1,13 @@
+-----BEGIN CERTIFICATE-----
+MIIB/TCCAa+gAwIBAgIUDYJzaC5VSkKwiLVAxO5MyphAkN8wBQYDK2VwMGwxCzAJ
+BgNVBAYTAk5BMQswCQYDVQQIDAJOQTELMAkGA1UEBwwCTkExCzAJBgNVBAoMAk5B
+MQswCQYDVQQLDAJOQTEWMBQGA1UEAwwNc3RmZSB0ZXN0ZGF0YTERMA8GCSqGSIb3
+DQEJARYCTkEwHhcNMjAxMTAzMTgzMTMxWhcNMzIwMTIxMTgzMTMxWjBsMQswCQYD
+VQQGEwJOQTELMAkGA1UECAwCTkExCzAJBgNVBAcMAk5BMQswCQYDVQQKDAJOQTEL
+MAkGA1UECwwCTkExFjAUBgNVBAMMDXN0ZmUgdGVzdGRhdGExETAPBgkqhkiG9w0B
+CQEWAk5BMCowBQYDK2VwAyEAJ1IiXCB4YHwdWka9MM0bc7LvKAtksmtIo8IhkuEB
+uzGjYzBhMB0GA1UdDgQWBBQBvsxROtKU6zmr/SxcfTMDsAQcMTAfBgNVHSMEGDAW
+gBQBvsxROtKU6zmr/SxcfTMDsAQcMTAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB
+/wQEAwIChDAFBgMrZXADQQCXh6kDnE5giTjcLET2S94qTwnHVAj57DJcR/rf9Jy8
+NMGbtzTL0/V0B8DHuJFA/islbZJbN7rSvqddEKL8N2gI
+-----END CERTIFICATE-----
-- 
cgit v1.2.3