Infrastructure to support throw-away certificates

The conf.d directory contains the configurations for the various CA and EE certificates, starting from the x509-scripts repo.

Infrastructure to support throw-away certificates
30c37de5 · Francesco Giacomini · d86dc663 · 30c37de5 · 30c37de5 · 30c37de5
Commit 30c37de5 authored 2 months ago by Francesco Giacomini
--- a/t/certs/README.md
+++ b/t/certs/README.md
@@ -22,7 +22,7 @@ The following certificates and proxy certificates are used in these tests:
 * `0.pem`: long-lived proxy certificate, without any Attribute Certificate (AC). Obtained with:

  ```shell
-  voms-proxy-init -cert t/certs/test0.p12 --valid 10000:0 --vomsdir t/vomsdir --certdir t/trust-anchors --vomses t/vomses
+  voms-proxy-init -cert t/certs/test0.p12 --valid 100:0
  ```

 * `1.pem`: long-lived proxy certificate, with an expired AC. Obtained with:
@@ -40,7 +40,7 @@ The following certificates and proxy certificates are used in these tests:
 * `3.pem`: long-lived proxy with valid VOMS attributes. Obtained with:

  ```shell
-  $ VOMS_CLIENTS_JAVA_OPTIONS="-Dvoms.fake.vo=test.vo -Dvoms.fake=true -Dvoms.fake.aaCert=t/certs/star.test.example.cert.pem -Dvoms.fake.aaKey=t/certs/star.test.example.key.pem -Dvoms.fake.notAfter=2031-12-31T00:00:00 -Dvoms.fake.notBefore=2022-12-10T00:00:00 -Dvoms.fake.gas=nickname=sd,nickname=cnaf -Dvoms.fake.fqans=/test.vo/exp1,/test.vo/exp2,/test.vo/exp3/Role=PIPPO -Dvoms.fake.serial=123456" voms-proxy-init -voms test.vo -cert t/certs/test0.p12 --valid 10000:0 --vomsdir t/vomsdir --certdir t/trust-anchors --vomses t/vomses
+  $ VOMS_CLIENTS_JAVA_OPTIONS="-Dvoms.fake.vo=test.vo -Dvoms.fake=true -Dvoms.fake.aaCert=t/certs/star_test_example.cert.pem -Dvoms.fake.aaKey=t/certs/star_test_example.key.pem -Dvoms.fake.notAfter=2031-12-31T00:00:00 -Dvoms.fake.notBefore=2022-12-10T00:00:00 -Dvoms.fake.gas=nickname=sd,nickname=cnaf -Dvoms.fake.fqans=/test.vo/exp1,/test.vo/exp2,/test.vo/exp3/Role=PIPPO -Dvoms.fake.serial=123456" voms-proxy-init -voms test.vo -cert t/certs/test0.p12 --valid 10000:0 --vomsdir t/vomsdir --certdir t/trust-anchors --vomses t/vomses
  ```

 * `4.pem`: long-lived proxy with VOMS generic attributes containing special characters. Obtained with:

--- a/t/conf.d/ephemeral_ca.conf
+++ b/t/conf.d/ephemeral_ca.conf
+
+[ ephemeral_ca ]
+
+dir                    = ${ENV::CA_NAME}
+certs                  = $dir/certs
+database               = $dir/index.txt
+serial                 = $dir/serial
+certificate            = $dir/ca.crt
+private_key            = $dir/private/ca.key
+default_crl_days       = 30
+default_md             = sha512
+
+[ ephemeral_ca_cert ]
+
+default_bits           = 2048
+default_keyfile        = ${ENV::CA_NAME}/private/ca.key
+distinguished_name     = ${ENV::CA_NAME}_dn
+prompt                 = no
+encrypt_key            = no
+default_md             = sha512
+x509_extensions        = ${ENV::CA_NAME}_extensions
+
+[ ephemeral_ca_dn ]
+
+C                      = IT
+O                      = IGI
+CN                     = Ephemeral CA
+
+[ ephemeral_ca_extensions ]
+
+subjectKeyIdentifier   = hash
+authorityKeyIdentifier = keyid:always, issuer:always
+basicConstraints       = critical, CA:true
+keyUsage               = critical, cRLSign, keyCertSign
--- a/t/conf.d/expired.conf
+++ b/t/conf.d/expired.conf
+
+[ expired ]
+
+default_bits           = 2048
+default_keyfile        = ${ENV::CA_NAME}/certs/expired.key.pem
+distinguished_name     = expired_dn
+prompt                 = no
+output_password        = pass
+default_md             = sha512
+x509_extensions        = expired_extensions
+
+[ expired_dn ]
+
+C                      = IT
+O                      = IGI
+CN                     = Expired
+
+[ expired_extensions ]
+
+basicConstraints       = critical,CA:FALSE
+subjectKeyIdentifier   = hash
+keyUsage               = critical, nonRepudiation, digitalSignature, keyEncipherment
+authorityKeyIdentifier = keyid, issuer
+subjectAltName         = email:expired@cnaf.infn.it
+
+
--- a/t/conf.d/igi_test_ca.conf
+++ b/t/conf.d/igi_test_ca.conf
+
+[ igi_test_ca ]
+
+dir                    = ${ENV::CA_NAME}
+certs                  = $dir/certs
+database               = $dir/index.txt
+serial                 = $dir/serial
+certificate            = $dir/ca.crt
+private_key            = $dir/private/ca.key
+default_crl_days       = 30
+default_md             = sha512
+
+[ igi_test_ca_cert ]
+
+default_bits           = 2048
+default_keyfile        = ${ENV::CA_NAME}/private/ca.key
+distinguished_name     = ${ENV::CA_NAME}_dn
+prompt                 = no
+encrypt_key            = no
+default_md             = sha512
+x509_extensions        = ${ENV::CA_NAME}_extensions
+
+[ igi_test_ca_dn ]
+
+C                      = IT
+O                      = IGI
+CN                     = Test CA
+
+[ igi_test_ca_extensions ]
+
+subjectKeyIdentifier   = hash
+authorityKeyIdentifier = keyid:always, issuer:always
+basicConstraints       = critical, CA:true
+keyUsage               = critical, cRLSign, keyCertSign
--- a/t/conf.d/igi_test_ca2.conf
+++ b/t/conf.d/igi_test_ca2.conf
+
+[ igi_test_ca2 ]
+
+dir                    = ${ENV::CA_NAME}
+certs                  = $dir/certs
+database               = $dir/index.txt
+serial                 = $dir/serial
+certificate            = $dir/ca.crt
+private_key            = $dir/private/ca.key
+default_crl_days       = 30
+default_md             = sha512
+
+[ igi_test_ca2_cert ]
+
+default_bits           = 2048
+default_keyfile        = ${ENV::CA_NAME}/private/ca.key
+distinguished_name     = ${ENV::CA_NAME}_dn
+prompt                 = no
+encrypt_key            = no
+default_md             = sha512
+x509_extensions        = ${ENV::CA_NAME}_extensions
+
+[ igi_test_ca2_dn ]
+
+C                      = IT
+O                      = IGI
+CN                     = Test CA 2
+
+[ igi_test_ca2_extensions ]
+
+subjectKeyIdentifier   = hash
+authorityKeyIdentifier = keyid:always, issuer:always
+basicConstraints       = critical, CA:true
+keyUsage               = critical, cRLSign, keyCertSign
--- a/t/conf.d/revoked.conf
+++ b/t/conf.d/revoked.conf
+
+[ revoked ]
+
+default_bits           = 2048
+default_keyfile        = ${ENV::CA_NAME}/certs/revoked.key.pem
+distinguished_name     = revoked_dn
+prompt                 = no
+output_password        = pass
+default_md             = sha512
+x509_extensions        = revoked_extensions
+
+[ revoked_dn ]
+
+C                      = IT
+O                      = IGI
+CN                     = Revoked
+
+[ revoked_extensions ]
+
+basicConstraints       = critical,CA:FALSE
+subjectKeyIdentifier   = hash
+keyUsage               = critical, nonRepudiation, digitalSignature, keyEncipherment
+authorityKeyIdentifier = keyid, issuer
+subjectAltName         = email:revoked@cnaf.infn.it
+
+
--- a/t/conf.d/star_test_example.conf
+++ b/t/conf.d/star_test_example.conf
+
+[ star_test_example ]
+
+default_bits           = 2048
+default_keyfile        = ${ENV::CA_NAME}/certs/star_test_example.key.pem
+distinguished_name     = star_test_example_dn
+prompt                 = no
+encrypt_key            = no
+default_md             = sha512
+x509_extensions        = star_test_example_extensions
+
+[ star_test_example_dn ]
+
+C                      = IT
+O                      = IGI
+CN                     = *.test.example
+
+[ star_test_example_extensions ]
+
+basicConstraints       = critical,CA:FALSE
+subjectKeyIdentifier   = hash
+keyUsage               = critical, digitalSignature
+extendedKeyUsage       = serverAuth, clientAuth
+authorityKeyIdentifier = keyid, issuer
+subjectAltName         = DNS:*.test.example
--- a/t/conf.d/test0.conf
+++ b/t/conf.d/test0.conf
+
+[ test0 ]
+
+default_bits           = 2048
+default_keyfile        = ${ENV::CA_NAME}/certs/test0.key.pem
+distinguished_name     = test0_dn
+prompt                 = no
+encrypt_key            = no
+default_md             = sha512
+x509_extensions        = test0_extensions
+
+[ test0_dn ]
+
+C                      = IT
+O                      = IGI
+CN                     = Test0
+
+[ test0_extensions ]
+
+basicConstraints       = critical,CA:FALSE
+subjectKeyIdentifier   = hash
+keyUsage               = critical, nonRepudiation, digitalSignature, keyEncipherment
+authorityKeyIdentifier = keyid, issuer
+subjectAltName         = email:test0@cnaf.infn.it
+
+
--- a/t/conf.d/test1.conf
+++ b/t/conf.d/test1.conf
+
+[ test1 ]
+
+default_bits           = 2048
+default_keyfile        = ${ENV::CA_NAME}/certs/test1.key.pem
+distinguished_name     = test1_dn
+prompt                 = no
+encrypt_key            = no
+default_md             = sha512
+x509_extensions        = test1_extensions
+
+[ test1_dn ]
+
+C                      = IT
+O                      = IGI
+CN                     = Test1
+
+[ test1_extensions ]
+
+basicConstraints       = critical,CA:FALSE
+subjectKeyIdentifier   = hash
+keyUsage               = critical, nonRepudiation, digitalSignature, keyEncipherment
+authorityKeyIdentifier = keyid, issuer
+subjectAltName         = email:test1@cnaf.infn.it
+
+
--- a/t/openssl.conf
+++ b/t/openssl.conf
+
+config_diagnostics     = 1
+
+[ ca ]
+
+default_ca             = ${ENV::CA_NAME}
+
+.include conf.d
--- a/t/setup.sh
+++ b/t/setup.sh
+#!/bin/bash
+
+set -e
+
+env CA_NAME=igi_test_ca2 make_ca.sh
+env CA_NAME=igi_test_ca2 make_crl.sh
+install_ca.sh igi_test_ca2 trust-anchors
+
+export CA_NAME=igi_test_ca
+make_ca.sh
+
+make_cert.sh test0
+cp igi_test_ca/certs/test0.* certs
+
+make_cert.sh star_test_example
+cp igi_test_ca/certs/star_test_example.* certs
+
+# test 1
+echo | voms-proxy-init -cert certs/test0.p12 --valid 10:0 --out certs/0.pem --pwstdin
+awk '/BEGIN RSA PRIVATE KEY/,/END RSA PRIVATE KEY/' certs/0.pem > certs/0.key.pem
+awk '/BEGIN CERTIFICATE/,/END CERTIFICATE/' certs/0.pem > certs/0.cert.pem
+
+# test 3
+cat certs/test0.cert.pem trust-anchors/igi_test_ca.pem > certs/test0+ca.pem
+
+make_crl.sh
+install_ca.sh igi_test_ca trust-anchors