openssl/test/smime-certs/mksmime-certs.sh

#!/bin/sh
# Copyright 2013-2021 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the Apache License 2.0 (the "License").  You may not use
# this file except in compliance with the License.  You can obtain a copy
# in the file LICENSE in the source distribution or at
# https://www.openssl.org/source/license.html

# Utility to recreate S/MIME certificates

OPENSSL=../../apps/openssl
OPENSSL_CONF=./ca.cnf
export OPENSSL_CONF

# Root CA: create certificate directly
CN="Test S/MIME RSA Root" $OPENSSL req -config ca.cnf -x509 -noenc \
	-keyout smroot.pem -out smroot.pem -key ../certs/ca-key.pem -days 36524

# EE RSA certificates with respective extensions
cp ../certs/ee-key.pem smrsa1.pem
$OPENSSL x509 -new -key smrsa1.pem -subj "/CN=Test SMIME EE RSA #1" -days 36524 \
         -CA smroot.pem	-extfile ca.cnf -extensions usr_rsa_cert >>smrsa1.pem
cp ../certs/ee-key-3072.pem smrsa2.pem
$OPENSSL x509 -new -key smrsa2.pem -subj "/CN=Test SMIME EE RSA #2" -days 36524 \
         -CA smroot.pem	-extfile ca.cnf -extensions usr_rsa_cert >>smrsa2.pem
cp ../certs/ee-key-4096.pem smrsa3.pem
$OPENSSL x509 -new -key smrsa3.pem -subj "/CN=Test SMIME EE RSA #3" -days 36524 \
         -CA smroot.pem	-extfile ca.cnf -extensions usr_rsa_cert >>smrsa3.pem

# Create DSA certificates with respective extensions

cp ../certs/server-dsa-key.pem smdsa1.pem
$OPENSSL x509 -new -key smdsa1.pem -subj "/CN=Test SMIME EE DSA #1" -days 36524 \
         -CA smroot.pem	-extfile ca.cnf -extensions signer_cert >>smdsa1.pem
cp ../certs/server-dsa-key.pem smdsa2.pem
$OPENSSL x509 -new -key smdsa2.pem -subj "/CN=Test SMIME EE DSA #1" -days 36524 \
         -CA smroot.pem	-extfile ca.cnf -extensions signer_cert >>smdsa2.pem
cp ../certs/server-dsa-key.pem smdsa3.pem
$OPENSSL x509 -new -key smdsa3.pem -subj "/CN=Test SMIME EE DSA #1" -days 36524 \
         -CA smroot.pem	-extfile ca.cnf -extensions signer_cert >>smdsa3.pem

# Create EC certificates with respective extensions

cp ../certs/ee-ecdsa-key.pem smec1.pem
$OPENSSL x509 -new -key smec1.pem -subj "/CN=Test SMIME EE EC #1" -days 36524 \
         -CA smroot.pem -extfile ca.cnf -extensions signer_cert >>smec1.pem
cp ../certs/server-ecdsa-key.pem smec2.pem
$OPENSSL x509 -new -key smec2.pem -subj "/CN=Test SMIME EE EC #2" -days 36524 \
         -CA smroot.pem -extfile ca.cnf -extensions signer_cert >>smec2.pem

# Do not renew this cert as it is used for legacy data decrypt test
#$OPENSSL ecparam -out ecp.pem -name P-256
#CN="Test S/MIME EE EC #3" $OPENSSL req -config ca.cnf -noenc \
#	-keyout smec3.pem -out req.pem -newkey ec:ecp.pem
#$OPENSSL x509 -req -in req.pem -CA smroot.pem -days 36524 \
#	-extfile ca.cnf -extensions signer_cert -CAcreateserial >>smec3.pem
#rm ecp.pem req.pem

# Create X9.42 DH parameters and key.
$OPENSSL genpkey -genparam -algorithm DHX -out dhp.pem
$OPENSSL genpkey -paramfile dhp.pem -out smdh.pem
rm dhp.pem
# Create X9.42 DH certificate with respective extensions
$OPENSSL x509 -new -key smdh.pem -subj "/CN=Test SMIME EE DH" -days 36524 \
         -CA smroot.pem	-extfile ca.cnf -extensions dh_cert >>smdh.pem

# EE RSA code signing end entity certificate with respective extensions
cp ../certs/ee-key.pem csrsa1.pem
$OPENSSL x509 -new -key csrsa1.pem -subj "/CN=Test CodeSign EE RSA" -days 36524 \
         -CA smroot.pem -extfile ca.cnf -extensions codesign_cert >>csrsa1.pem
Scripts to recreate S/MIME test certificates. Add a script to generate keys and certificates for the S/MIME and CMS tests. Update certificates and add EC examples. 2013-07-17 23:30:04 +08:00			`#!/bin/sh`
Update copyright year Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13999) 2021-01-28 20:54:57 +08:00			`# Copyright 2013-2021 The OpenSSL Project Authors. All Rights Reserved.`
Add final(?) set of copyrights. Add copyright to missing assembler files. Add copyrights to missing test/* files. Add copyrights Various source and misc files. Reviewed-by: Richard Levitte <levitte@openssl.org> 2016-06-01 23:26:40 +08:00			`#`
Following the license change, modify the boilerplates in test/ Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/7767) 2018-12-06 20:05:25 +08:00			`# Licensed under the Apache License 2.0 (the "License"). You may not use`
Add final(?) set of copyrights. Add copyright to missing assembler files. Add copyrights to missing test/* files. Add copyrights Various source and misc files. Reviewed-by: Richard Levitte <levitte@openssl.org> 2016-06-01 23:26:40 +08:00			`# this file except in compliance with the License. You can obtain a copy`
			`# in the file LICENSE in the source distribution or at`
			`# https://www.openssl.org/source/license.html`

Scripts to recreate S/MIME test certificates. Add a script to generate keys and certificates for the S/MIME and CMS tests. Update certificates and add EC examples. 2013-07-17 23:30:04 +08:00			`# Utility to recreate S/MIME certificates`

			`OPENSSL=../../apps/openssl`
			`OPENSSL_CONF=./ca.cnf`
			`export OPENSSL_CONF`

			`# Root CA: create certificate directly`
Deprecate -nodes in favor of -noenc in pkcs12 and req app Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/12495) 2020-05-11 21:41:08 +08:00			`CN="Test S/MIME RSA Root" $OPENSSL req -config ca.cnf -x509 -noenc \`
test/smime-certs/{mksmime-certs.sh,ca.cnf}: simplify and speed up cert generation Also remove inconsistent key usages from non-RSA certs. Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com> (Merged from https://github.com/openssl/openssl/pull/19076) 2022-08-26 00:09:09 +08:00			`-keyout smroot.pem -out smroot.pem -key ../certs/ca-key.pem -days 36524`

			`# EE RSA certificates with respective extensions`
			`cp ../certs/ee-key.pem smrsa1.pem`
			`$OPENSSL x509 -new -key smrsa1.pem -subj "/CN=Test SMIME EE RSA #1" -days 36524 \`
			`-CA smroot.pem -extfile ca.cnf -extensions usr_rsa_cert >>smrsa1.pem`
			`cp ../certs/ee-key-3072.pem smrsa2.pem`
			`$OPENSSL x509 -new -key smrsa2.pem -subj "/CN=Test SMIME EE RSA #2" -days 36524 \`
			`-CA smroot.pem -extfile ca.cnf -extensions usr_rsa_cert >>smrsa2.pem`
			`cp ../certs/ee-key-4096.pem smrsa3.pem`
			`$OPENSSL x509 -new -key smrsa3.pem -subj "/CN=Test SMIME EE RSA #3" -days 36524 \`
			`-CA smroot.pem -extfile ca.cnf -extensions usr_rsa_cert >>smrsa3.pem`

			`# Create DSA certificates with respective extensions`

			`cp ../certs/server-dsa-key.pem smdsa1.pem`
			`$OPENSSL x509 -new -key smdsa1.pem -subj "/CN=Test SMIME EE DSA #1" -days 36524 \`
			`-CA smroot.pem -extfile ca.cnf -extensions signer_cert >>smdsa1.pem`
			`cp ../certs/server-dsa-key.pem smdsa2.pem`
			`$OPENSSL x509 -new -key smdsa2.pem -subj "/CN=Test SMIME EE DSA #1" -days 36524 \`
			`-CA smroot.pem -extfile ca.cnf -extensions signer_cert >>smdsa2.pem`
			`cp ../certs/server-dsa-key.pem smdsa3.pem`
			`$OPENSSL x509 -new -key smdsa3.pem -subj "/CN=Test SMIME EE DSA #1" -days 36524 \`
			`-CA smroot.pem -extfile ca.cnf -extensions signer_cert >>smdsa3.pem`

			`# Create EC certificates with respective extensions`

			`cp ../certs/ee-ecdsa-key.pem smec1.pem`
			`$OPENSSL x509 -new -key smec1.pem -subj "/CN=Test SMIME EE EC #1" -days 36524 \`
			`-CA smroot.pem -extfile ca.cnf -extensions signer_cert >>smec1.pem`
			`cp ../certs/server-ecdsa-key.pem smec2.pem`
			`$OPENSSL x509 -new -key smec2.pem -subj "/CN=Test SMIME EE EC #2" -days 36524 \`
			`-CA smroot.pem -extfile ca.cnf -extensions signer_cert >>smec2.pem`
Scripts to recreate S/MIME test certificates. Add a script to generate keys and certificates for the S/MIME and CMS tests. Update certificates and add EC examples. 2013-07-17 23:30:04 +08:00
Update further expiring certificates that affect tests Namely the smime certificates used in test_cms and the SM2 certificates will expire soon and affect tests. Fixes #15179 Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/18467) 2022-06-03 00:12:05 +08:00			`# Do not renew this cert as it is used for legacy data decrypt test`
test/smime-certs/{mksmime-certs.sh,ca.cnf}: simplify and speed up cert generation Also remove inconsistent key usages from non-RSA certs. Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com> (Merged from https://github.com/openssl/openssl/pull/19076) 2022-08-26 00:09:09 +08:00			`#$OPENSSL ecparam -out ecp.pem -name P-256`
Update further expiring certificates that affect tests Namely the smime certificates used in test_cms and the SM2 certificates will expire soon and affect tests. Fixes #15179 Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/18467) 2022-06-03 00:12:05 +08:00			`#CN="Test S/MIME EE EC #3" $OPENSSL req -config ca.cnf -noenc \`
			`# -keyout smec3.pem -out req.pem -newkey ec:ecp.pem`
test/smime-certs/{mksmime-certs.sh,ca.cnf}: simplify and speed up cert generation Also remove inconsistent key usages from non-RSA certs. Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com> (Merged from https://github.com/openssl/openssl/pull/19076) 2022-08-26 00:09:09 +08:00			`#$OPENSSL x509 -req -in req.pem -CA smroot.pem -days 36524 \`
			`# -extfile ca.cnf -extensions signer_cert -CAcreateserial >>smec3.pem`
			`#rm ecp.pem req.pem`

			`# Create X9.42 DH parameters and key.`
Make the smdh.pem test certificate usable with fips provider Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13869) 2021-01-15 18:12:09 +08:00			`$OPENSSL genpkey -genparam -algorithm DHX -out dhp.pem`
Add X9.42 DH certificate to S/MIME test 2013-08-02 22:51:46 +08:00			`$OPENSSL genpkey -paramfile dhp.pem -out smdh.pem`
test/smime-certs/{mksmime-certs.sh,ca.cnf}: simplify and speed up cert generation Also remove inconsistent key usages from non-RSA certs. Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com> (Merged from https://github.com/openssl/openssl/pull/19076) 2022-08-26 00:09:09 +08:00			`rm dhp.pem`
			`# Create X9.42 DH certificate with respective extensions`
			`$OPENSSL x509 -new -key smdh.pem -subj "/CN=Test SMIME EE DH" -days 36524 \`
			`-CA smroot.pem -extfile ca.cnf -extensions dh_cert >>smdh.pem`

			`# EE RSA code signing end entity certificate with respective extensions`
			`cp ../certs/ee-key.pem csrsa1.pem`
			`$OPENSSL x509 -new -key csrsa1.pem -subj "/CN=Test CodeSign EE RSA" -days 36524 \`
			`-CA smroot.pem -extfile ca.cnf -extensions codesign_cert >>csrsa1.pem`