From 30c37de51eab1bde9bba187cfd5f5308ac9b13d6 Mon Sep 17 00:00:00 2001
From: Francesco Giacomini <francesco.giacomini@cnaf.infn.it>
Date: Fri, 20 Dec 2024 18:04:32 +0100
Subject: [PATCH] Infrastructure to support throw-away certificates

The conf.d directory contains the configurations for the various
CA and EE certificates, starting from the x509-scripts repo.
---
 t/certs/README.md               |  4 ++--
 t/conf.d/ephemeral_ca.conf      | 34 +++++++++++++++++++++++++++++++++
 t/conf.d/expired.conf           | 26 +++++++++++++++++++++++++
 t/conf.d/igi_test_ca.conf       | 34 +++++++++++++++++++++++++++++++++
 t/conf.d/igi_test_ca2.conf      | 34 +++++++++++++++++++++++++++++++++
 t/conf.d/revoked.conf           | 26 +++++++++++++++++++++++++
 t/conf.d/star_test_example.conf | 25 ++++++++++++++++++++++++
 t/conf.d/test0.conf             | 26 +++++++++++++++++++++++++
 t/conf.d/test1.conf             | 26 +++++++++++++++++++++++++
 t/openssl.conf                  |  8 ++++++++
 t/setup.sh                      | 27 ++++++++++++++++++++++++++
 11 files changed, 268 insertions(+), 2 deletions(-)
 create mode 100644 t/conf.d/ephemeral_ca.conf
 create mode 100644 t/conf.d/expired.conf
 create mode 100644 t/conf.d/igi_test_ca.conf
 create mode 100644 t/conf.d/igi_test_ca2.conf
 create mode 100644 t/conf.d/revoked.conf
 create mode 100644 t/conf.d/star_test_example.conf
 create mode 100644 t/conf.d/test0.conf
 create mode 100644 t/conf.d/test1.conf
 create mode 100644 t/openssl.conf
 create mode 100755 t/setup.sh

diff --git a/t/certs/README.md b/t/certs/README.md
index cc7b034..9114ce6 100644
--- a/t/certs/README.md
+++ b/t/certs/README.md
@@ -22,7 +22,7 @@ The following certificates and proxy certificates are used in these tests:
 * `0.pem`: long-lived proxy certificate, without any Attribute Certificate (AC). Obtained with:
 
   ```shell
-  voms-proxy-init -cert t/certs/test0.p12 --valid 10000:0 --vomsdir t/vomsdir --certdir t/trust-anchors --vomses t/vomses
+  voms-proxy-init -cert t/certs/test0.p12 --valid 100:0
   ```
 
 * `1.pem`: long-lived proxy certificate, with an expired AC. Obtained with:
@@ -40,7 +40,7 @@ The following certificates and proxy certificates are used in these tests:
 * `3.pem`: long-lived proxy with valid VOMS attributes. Obtained with:
 
   ```shell
-  $ VOMS_CLIENTS_JAVA_OPTIONS="-Dvoms.fake.vo=test.vo -Dvoms.fake=true -Dvoms.fake.aaCert=t/certs/star.test.example.cert.pem -Dvoms.fake.aaKey=t/certs/star.test.example.key.pem -Dvoms.fake.notAfter=2031-12-31T00:00:00 -Dvoms.fake.notBefore=2022-12-10T00:00:00 -Dvoms.fake.gas=nickname=sd,nickname=cnaf -Dvoms.fake.fqans=/test.vo/exp1,/test.vo/exp2,/test.vo/exp3/Role=PIPPO -Dvoms.fake.serial=123456" voms-proxy-init -voms test.vo -cert t/certs/test0.p12 --valid 10000:0 --vomsdir t/vomsdir --certdir t/trust-anchors --vomses t/vomses
+  $ VOMS_CLIENTS_JAVA_OPTIONS="-Dvoms.fake.vo=test.vo -Dvoms.fake=true -Dvoms.fake.aaCert=t/certs/star_test_example.cert.pem -Dvoms.fake.aaKey=t/certs/star_test_example.key.pem -Dvoms.fake.notAfter=2031-12-31T00:00:00 -Dvoms.fake.notBefore=2022-12-10T00:00:00 -Dvoms.fake.gas=nickname=sd,nickname=cnaf -Dvoms.fake.fqans=/test.vo/exp1,/test.vo/exp2,/test.vo/exp3/Role=PIPPO -Dvoms.fake.serial=123456" voms-proxy-init -voms test.vo -cert t/certs/test0.p12 --valid 10000:0 --vomsdir t/vomsdir --certdir t/trust-anchors --vomses t/vomses
   ```
 
 * `4.pem`: long-lived proxy with VOMS generic attributes containing special characters. Obtained with:
diff --git a/t/conf.d/ephemeral_ca.conf b/t/conf.d/ephemeral_ca.conf
new file mode 100644
index 0000000..eb76c6e
--- /dev/null
+++ b/t/conf.d/ephemeral_ca.conf
@@ -0,0 +1,34 @@
+
+[ ephemeral_ca ]
+
+dir                    = ${ENV::CA_NAME}
+certs                  = $dir/certs
+database               = $dir/index.txt
+serial                 = $dir/serial
+certificate            = $dir/ca.crt
+private_key            = $dir/private/ca.key
+default_crl_days       = 30
+default_md             = sha512
+
+[ ephemeral_ca_cert ]
+
+default_bits           = 2048
+default_keyfile        = ${ENV::CA_NAME}/private/ca.key
+distinguished_name     = ${ENV::CA_NAME}_dn
+prompt                 = no
+encrypt_key            = no
+default_md             = sha512
+x509_extensions        = ${ENV::CA_NAME}_extensions
+
+[ ephemeral_ca_dn ]
+
+C                      = IT
+O                      = IGI
+CN                     = Ephemeral CA
+
+[ ephemeral_ca_extensions ]
+
+subjectKeyIdentifier   = hash
+authorityKeyIdentifier = keyid:always, issuer:always
+basicConstraints       = critical, CA:true
+keyUsage               = critical, cRLSign, keyCertSign
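Review bot: The `[ ephemeral_ca ]` section has no `new_certs_dir`, `policy` or `default_days`, all of which `openssl ca` looks up when the caller does not pass `-outdir`, `-policy` and `-days`/`-enddate`; make_ca.sh and make_cert.sh are not part of this patch, so it cannot be confirmed here that they supply them, and either the three keys or a comment saying the scripts pass them belongs in this section. The file also has no header, although `[ ephemeral_ca_cert ]` resolves its DN and extensions through `${ENV::CA_NAME}_dn` / `${ENV::CA_NAME}_extensions` and therefore only produces the intended self-signed CA when CA_NAME is exactly `ephemeral_ca`; a first line such as `; throw-away CA profile for t/openssl.conf; requires CA_NAME=ephemeral_ca; key written unencrypted (encrypt_key = no)` makes that contract visible. Stating the unit on `default_crl_days` (`; CRL validity in days`) would also help anyone tuning revocation tests. igi_test_ca.conf and igi_test_ca2.conf are identical apart from the CN and share every point above.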
diff --git a/t/conf.d/expired.conf b/t/conf.d/expired.conf
new file mode 100644
index 0000000..e3d6431
--- /dev/null
+++ b/t/conf.d/expired.conf
@@ -0,0 +1,26 @@
+
+[ expired ]
+
+default_bits           = 2048
+default_keyfile        = ${ENV::CA_NAME}/certs/expired.key.pem
+distinguished_name     = expired_dn
+prompt                 = no
+output_password        = pass
+default_md             = sha512
+x509_extensions        = expired_extensions
+
+[ expired_dn ]
+
+C                      = IT
+O                      = IGI
+CN                     = Expired
+
+[ expired_extensions ]
+
+basicConstraints       = critical,CA:FALSE
+subjectKeyIdentifier   = hash
+keyUsage               = critical, nonRepudiation, digitalSignature, keyEncipherment
+authorityKeyIdentifier = keyid, issuer
+subjectAltName         = email:expired@cnaf.infn.it
+
+
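Review bot: `output_password = pass`, together with the absence of `encrypt_key = no`, means this key is written encrypted under a hard-coded passphrase, whereas test0.conf, test1.conf and star_test_example.conf write their keys unencrypted; either is acceptable for throw-away material, but mixing the two styles without a stated reason is confusing, and whichever consumer later reads `expired.key.pem` must agree on it. Nothing in this file makes the certificate expired — that has to come from the validity arguments of the issuing `openssl ca` command, which lives outside this patch — so a header such as `; EE request profile for an already-expired certificate; the (past) validity is set by the issuing command, not here` keeps the intent from being lost. revoked.conf has the same `output_password` line and likewise does not say how the certificate ends up on the CRL.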
diff --git a/t/conf.d/igi_test_ca.conf b/t/conf.d/igi_test_ca.conf
new file mode 100644
index 0000000..38bb870
--- /dev/null
+++ b/t/conf.d/igi_test_ca.conf
@@ -0,0 +1,34 @@
+
+[ igi_test_ca ]
+
+dir                    = ${ENV::CA_NAME}
+certs                  = $dir/certs
+database               = $dir/index.txt
+serial                 = $dir/serial
+certificate            = $dir/ca.crt
+private_key            = $dir/private/ca.key
+default_crl_days       = 30
+default_md             = sha512
+
+[ igi_test_ca_cert ]
+
+default_bits           = 2048
+default_keyfile        = ${ENV::CA_NAME}/private/ca.key
+distinguished_name     = ${ENV::CA_NAME}_dn
+prompt                 = no
+encrypt_key            = no
+default_md             = sha512
+x509_extensions        = ${ENV::CA_NAME}_extensions
+
+[ igi_test_ca_dn ]
+
+C                      = IT
+O                      = IGI
+CN                     = Test CA
+
+[ igi_test_ca_extensions ]
+
+subjectKeyIdentifier   = hash
+authorityKeyIdentifier = keyid:always, issuer:always
+basicConstraints       = critical, CA:true
+keyUsage               = critical, cRLSign, keyCertSign
diff --git a/t/conf.d/igi_test_ca2.conf b/t/conf.d/igi_test_ca2.conf
new file mode 100644
index 0000000..fa25b31
--- /dev/null
+++ b/t/conf.d/igi_test_ca2.conf
@@ -0,0 +1,34 @@
+
+[ igi_test_ca2 ]
+
+dir                    = ${ENV::CA_NAME}
+certs                  = $dir/certs
+database               = $dir/index.txt
+serial                 = $dir/serial
+certificate            = $dir/ca.crt
+private_key            = $dir/private/ca.key
+default_crl_days       = 30
+default_md             = sha512
+
+[ igi_test_ca2_cert ]
+
+default_bits           = 2048
+default_keyfile        = ${ENV::CA_NAME}/private/ca.key
+distinguished_name     = ${ENV::CA_NAME}_dn
+prompt                 = no
+encrypt_key            = no
+default_md             = sha512
+x509_extensions        = ${ENV::CA_NAME}_extensions
+
+[ igi_test_ca2_dn ]
+
+C                      = IT
+O                      = IGI
+CN                     = Test CA 2
+
+[ igi_test_ca2_extensions ]
+
+subjectKeyIdentifier   = hash
+authorityKeyIdentifier = keyid:always, issuer:always
+basicConstraints       = critical, CA:true
+keyUsage               = critical, cRLSign, keyCertSign
diff --git a/t/conf.d/revoked.conf b/t/conf.d/revoked.conf
new file mode 100644
index 0000000..7188f30
--- /dev/null
+++ b/t/conf.d/revoked.conf
@@ -0,0 +1,26 @@
+
+[ revoked ]
+
+default_bits           = 2048
+default_keyfile        = ${ENV::CA_NAME}/certs/revoked.key.pem
+distinguished_name     = revoked_dn
+prompt                 = no
+output_password        = pass
+default_md             = sha512
+x509_extensions        = revoked_extensions
+
+[ revoked_dn ]
+
+C                      = IT
+O                      = IGI
+CN                     = Revoked
+
+[ revoked_extensions ]
+
+basicConstraints       = critical,CA:FALSE
+subjectKeyIdentifier   = hash
+keyUsage               = critical, nonRepudiation, digitalSignature, keyEncipherment
+authorityKeyIdentifier = keyid, issuer
+subjectAltName         = email:revoked@cnaf.infn.it
+
+
diff --git a/t/conf.d/star_test_example.conf b/t/conf.d/star_test_example.conf
new file mode 100644
index 0000000..b6e92e0
--- /dev/null
+++ b/t/conf.d/star_test_example.conf
@@ -0,0 +1,25 @@
+
+[ star_test_example ]
+
+default_bits           = 2048
+default_keyfile        = ${ENV::CA_NAME}/certs/star_test_example.key.pem
+distinguished_name     = star_test_example_dn
+prompt                 = no
+encrypt_key            = no
+default_md             = sha512
+x509_extensions        = star_test_example_extensions
+
+[ star_test_example_dn ]
+
+C                      = IT
+O                      = IGI
+CN                     = *.test.example
+
+[ star_test_example_extensions ]
+
+basicConstraints       = critical,CA:FALSE
+subjectKeyIdentifier   = hash
+keyUsage               = critical, digitalSignature
+extendedKeyUsage       = serverAuth, clientAuth
+authorityKeyIdentifier = keyid, issuer
+subjectAltName         = DNS:*.test.example
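Review bot: The file does not say what this certificate is for; the README hunk in this same patch uses `star_test_example.cert.pem`/`.key.pem` as the fake VOMS attribute-authority credential, and the `serverAuth, clientAuth` EKU with `DNS:*.test.example` also makes it a general wildcard server identity. A header comment such as `; wildcard EE profile for *.test.example, used as the fake VOMS AA credential (see certs/README.md); key written unencrypted` would document that. `keyUsage` here omits keyEncipherment, unlike the other EE profiles — presumably deliberate for a signing-only identity, but worth stating in the comment so it is not "fixed" later.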
diff --git a/t/conf.d/test0.conf b/t/conf.d/test0.conf
new file mode 100644
index 0000000..7a11339
--- /dev/null
+++ b/t/conf.d/test0.conf
@@ -0,0 +1,26 @@
+
+[ test0 ]
+
+default_bits           = 2048
+default_keyfile        = ${ENV::CA_NAME}/certs/test0.key.pem
+distinguished_name     = test0_dn
+prompt                 = no
+encrypt_key            = no
+default_md             = sha512
+x509_extensions        = test0_extensions
+
+[ test0_dn ]
+
+C                      = IT
+O                      = IGI
+CN                     = Test0
+
+[ test0_extensions ]
+
+basicConstraints       = critical,CA:FALSE
+subjectKeyIdentifier   = hash
+keyUsage               = critical, nonRepudiation, digitalSignature, keyEncipherment
+authorityKeyIdentifier = keyid, issuer
+subjectAltName         = email:test0@cnaf.infn.it
+
+
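Review bot: `subjectAltName = email:test0@cnaf.infn.it` puts a real institutional domain into a throw-away test certificate; test1.conf, expired.conf and revoked.conf do the same. Since these CAs are meant to be installed into a trust-anchors directory, an address under a reserved name (for example `test0@test.example`, matching the `*.test.example` already used in star_test_example.conf) avoids any chance of a test-CA-issued identity colliding with, or being mistaken for, a real one. The file also lacks a one-line header naming the CA it is issued under (`default_keyfile` is rooted at `${ENV::CA_NAME}/certs/`, and setup.sh issues it with CA_NAME=igi_test_ca).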
diff --git a/t/conf.d/test1.conf b/t/conf.d/test1.conf
new file mode 100644
index 0000000..0955d18
--- /dev/null
+++ b/t/conf.d/test1.conf
@@ -0,0 +1,26 @@
+
+[ test1 ]
+
+default_bits           = 2048
+default_keyfile        = ${ENV::CA_NAME}/certs/test1.key.pem
+distinguished_name     = test1_dn
+prompt                 = no
+encrypt_key            = no
+default_md             = sha512
+x509_extensions        = test1_extensions
+
+[ test1_dn ]
+
+C                      = IT
+O                      = IGI
+CN                     = Test1
+
+[ test1_extensions ]
+
+basicConstraints       = critical,CA:FALSE
+subjectKeyIdentifier   = hash
+keyUsage               = critical, nonRepudiation, digitalSignature, keyEncipherment
+authorityKeyIdentifier = keyid, issuer
+subjectAltName         = email:test1@cnaf.infn.it
+
+
diff --git a/t/openssl.conf b/t/openssl.conf
new file mode 100644
index 0000000..7b147ea
--- /dev/null
+++ b/t/openssl.conf
@@ -0,0 +1,8 @@
+
+config_diagnostics     = 1
+
+[ ca ]
+
+default_ca             = ${ENV::CA_NAME}
+
+.include conf.d
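Review bot: `.include conf.d` is resolved relative to the process's current working directory (or to `OPENSSL_CONF_INCLUDE` when that is set), not relative to this file, so every openssl command that loads t/openssl.conf must be run from `t/`, and nothing here records that. `${ENV::CA_NAME}` in `default_ca` — and in every included profile — is expanded when the configuration is loaded, so any openssl invocation with this file fails with a variable-lookup error whenever CA_NAME is unset, even for commands that never touch the CA. A header comment such as `; run from t/ with CA_NAME set to one of the CA section names in conf.d/ (.include is cwd-relative)` captures both constraints. `config_diagnostics = 1` sits in the default section, which is where OpenSSL 3 reads it, so that part is fine.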
diff --git a/t/setup.sh b/t/setup.sh
new file mode 100755
index 0000000..6f359e1
--- /dev/null
+++ b/t/setup.sh
@@ -0,0 +1,27 @@
+#!/bin/bash
+
+set -e
+
+env CA_NAME=igi_test_ca2 make_ca.sh
+env CA_NAME=igi_test_ca2 make_crl.sh
+install_ca.sh igi_test_ca2 trust-anchors
+
+export CA_NAME=igi_test_ca
+make_ca.sh
+
+make_cert.sh test0
+cp igi_test_ca/certs/test0.* certs
+
+make_cert.sh star_test_example
+cp igi_test_ca/certs/star_test_example.* certs
+
+# test 1
+echo | voms-proxy-init -cert certs/test0.p12 --valid 10:0 --out certs/0.pem --pwstdin
+awk '/BEGIN RSA PRIVATE KEY/,/END RSA PRIVATE KEY/' certs/0.pem > certs/0.key.pem
+awk '/BEGIN CERTIFICATE/,/END CERTIFICATE/' certs/0.pem > certs/0.cert.pem
+
+# test 3
+cat certs/test0.cert.pem trust-anchors/igi_test_ca.pem > certs/test0+ca.pem
+
+make_crl.sh
+install_ca.sh igi_test_ca trust-anchors
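Review bot: The two `awk` range extractions on `certs/0.pem` exit 0 even when no matching block exists, so under `set -e` a proxy whose key is emitted in PKCS#8 form (`BEGIN PRIVATE KEY` rather than `BEGIN RSA PRIVATE KEY`) leaves an empty `certs/0.key.pem` and the script still reports success; a `test -s` on both outputs turns that into a failure. All paths (`certs`, `trust-anchors`, `igi_test_ca/certs`, and `conf.d` through openssl.conf's cwd-relative `.include`) assume the script is run from `t/`, so a `cd "$(dirname "$0")"` after the `set` line makes it location-independent. `install_ca.sh igi_test_ca2 trust-anchors` runs with no CA_NAME in the environment; if that script invokes openssl with t/openssl.conf, the `${ENV::CA_NAME}` expansion fails at config load — it is outside this patch, so this needs checking rather than assuming. The README hunk in this same patch documents `0.pem` as created with `--valid 100:0` while this script uses `--valid 10:0`; one of the two should be corrected so the documented lifetime matches what is generated.
```shell
#!/bin/bash

set -euo pipefail
# every path below (certs, trust-anchors, igi_test_ca/, and conf.d via openssl.conf's .include) is relative to t/
cd "$(dirname "$0")"

# … unchanged: CA creation, make_cert.sh calls …

# test 1
echo | voms-proxy-init -cert certs/test0.p12 --valid 10:0 --out certs/0.pem --pwstdin
awk '/BEGIN RSA PRIVATE KEY/,/END RSA PRIVATE KEY/' certs/0.pem > certs/0.key.pem
awk '/BEGIN CERTIFICATE/,/END CERTIFICATE/' certs/0.pem > certs/0.cert.pem
# awk exits 0 even when no block matched (e.g. a PKCS#8 "BEGIN PRIVATE KEY" key), so check the outputs explicitly
test -s certs/0.key.pem && test -s certs/0.cert.pem

# … unchanged: test 3, make_crl.sh, install_ca.sh …
```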
-- 
GitLab