test: add cert chain with mixed key sizes (#4433)
Showing
6 changed files
with
192 additions
and
0 deletions.
@@ -0,0 +1,16 @@ | ||
This folder contains "mixed key" cert chains. | ||
|
||
The `ecdsa` cert chain contains intermediate and leaf certs that are issued from a CA with a smaller key. | ||
``` | ||
leaf: P-384 key | ||
▲ | ||
│ signature: ECDSA with SHA384 | ||
│ | ||
intermediate: P-384 key | ||
▲ | ||
│ signature: ECDSA with SHA384 | ||
│ | ||
root: P-256 key | ||
▲ | ||
signature:ECDSA with SHA384 | ||
``` |
@@ -0,0 +1,11 @@ | ||
-----BEGIN CERTIFICATE----- | ||
MIIBnzCCAUWgAwIBAgIUXI8F6k7vlX97S4ZpnR59noZbxrowCgYIKoZIzj0EAwMw | ||
HDELMAkGA1UEBhMCVVMxDTALBgNVBAMMBHJvb3QwIBcNMjQwMjIxMDQzMzA3WhgP | ||
MjIwMzA3MjkwNDMzMDdaMBwxCzAJBgNVBAYTAlVTMQ0wCwYDVQQDDARyb290MFkw | ||
EwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAED9Xh6MZhQGw+p0V7rLGzBF3YPgwJFP+f | ||
Ee5D/XSaS76v/RiEWzqOGJ7hxUrsxvoNJUXPJJMASDwDRVvx8iB5kKNjMGEwHQYD | ||
VR0OBBYEFLLjtcK+eccZErEbdrRBGyjjyYc3MB8GA1UdIwQYMBaAFLLjtcK+eccZ | ||
ErEbdrRBGyjjyYc3MA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgIEMAoG | ||
CCqGSM49BAMDA0gAMEUCID6Svg9A9LmGqK5vJPguEsV0EggHPRmUT27bEPaO57Qh | ||
AiEAnmgHw9d3qWOGGVhkYEpb/tKnVU6wFyRLd4qOZn0vgnM= | ||
-----END CERTIFICATE----- |
@@ -0,0 +1,35 @@ | ||
-----BEGIN CERTIFICATE----- | ||
MIIB1DCCAVmgAwIBAgIUIqQpkU80sEjH8mxl5O46jWU3IskwCgYIKoZIzj0EAwMw | ||
HjELMAkGA1UEBhMCVVMxDzANBgNVBAMMBmJyYW5jaDAgFw0yNDAyMjEwNDMzMDda | ||
GA8yMjAzMDcyOTA0MzMwN1owHDELMAkGA1UEBhMCVVMxDTALBgNVBAMMBGxlYWYw | ||
djAQBgcqhkjOPQIBBgUrgQQAIgNiAAQIl3I7/xURYZY4mIYhQujKAv3W4me4QKnB | ||
0oinYiVzMpZ7/+I8YoeiOtzeuWER1TuoZ551mMTTSzPCfvgTwCyvbJdsWYIvcUD2 | ||
afa/+z5mWhq0rYkvH0fOwTP7BiJh5bCjWDBWMBQGA1UdEQQNMAuCCWxvY2FsaG9z | ||
dDAdBgNVHQ4EFgQUtyazibNdyEtNQl26ufEuq0Xi59AwHwYDVR0jBBgwFoAU4Adk | ||
/yc9lPlh8XfREeXYXnp/wxwwCgYIKoZIzj0EAwMDaQAwZgIxAJlqGLkZCoOCU+xu | ||
K6EAQBrcidmNaBqO5A+1hQnmJrGcZ9D7N5GigKQ5Tf1+RlLgkAIxANmxOoFKoaD6 | ||
7mSckr7+XN/s8IcZPJ/ZUvM5jeLT8qugb4lOm4d/9jJfECJPcHDNBg== | ||
-----END CERTIFICATE----- | ||
-----BEGIN CERTIFICATE----- | ||
MIIBvzCCAWSgAwIBAgIUQnk97VcKbYR3+vC1kvJW4WxMDk4wCgYIKoZIzj0EAwMw | ||
HDELMAkGA1UEBhMCVVMxDTALBgNVBAMMBHJvb3QwIBcNMjQwMjIxMDQzMzA3WhgP | ||
MjIwMzA3MjkwNDMzMDdaMB4xCzAJBgNVBAYTAlVTMQ8wDQYDVQQDDAZicmFuY2gw | ||
djAQBgcqhkjOPQIBBgUrgQQAIgNiAAThrJeng+kFLIMSVqzMMgK9z4+H7LzVfnau | ||
YtjU86NtFxwfFFVu4H5IS4sC+LV7bQXiGSWzptzmxHZLZBI6Os8hGG5BLqkMBFyp | ||
KfqzyjuTAYiIp/qIMOkzY/yHtIEnDm6jYzBhMA8GA1UdEwEB/wQFMAMBAf8wDgYD | ||
VR0PAQH/BAQDAgIEMB0GA1UdDgQWBBTgB2T/Jz2U+WHxd9ER5dheen/DHDAfBgNV | ||
HSMEGDAWgBSy47XCvnnHGRKxG3a0QRso48mHNzAKBggqhkjOPQQDAwNJADBGAiEA | ||
3y/BPqbHkj+7TWv2+9d/FREZX/sk9k7b/MKowj3LHZACIQDbeGLk0TVpdElzVYLl | ||
HBcgqJegl/ptFbAlNB36KqpYYA== | ||
-----END CERTIFICATE----- | ||
-----BEGIN CERTIFICATE----- | ||
MIIBnzCCAUWgAwIBAgIUXI8F6k7vlX97S4ZpnR59noZbxrowCgYIKoZIzj0EAwMw | ||
HDELMAkGA1UEBhMCVVMxDTALBgNVBAMMBHJvb3QwIBcNMjQwMjIxMDQzMzA3WhgP | ||
MjIwMzA3MjkwNDMzMDdaMBwxCzAJBgNVBAYTAlVTMQ0wCwYDVQQDDARyb290MFkw | ||
EwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAED9Xh6MZhQGw+p0V7rLGzBF3YPgwJFP+f | ||
Ee5D/XSaS76v/RiEWzqOGJ7hxUrsxvoNJUXPJJMASDwDRVvx8iB5kKNjMGEwHQYD | ||
VR0OBBYEFLLjtcK+eccZErEbdrRBGyjjyYc3MB8GA1UdIwQYMBaAFLLjtcK+eccZ | ||
ErEbdrRBGyjjyYc3MA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgIEMAoG | ||
CCqGSM49BAMDA0gAMEUCID6Svg9A9LmGqK5vJPguEsV0EggHPRmUT27bEPaO57Qh | ||
AiEAnmgHw9d3qWOGGVhkYEpb/tKnVU6wFyRLd4qOZn0vgnM= | ||
-----END CERTIFICATE----- |
@@ -0,0 +1,6 @@ | ||
-----BEGIN PRIVATE KEY----- | ||
MIG2AgEAMBAGByqGSM49AgEGBSuBBAAiBIGeMIGbAgEBBDCosm1okl1Efmyz4wtv | ||
paXDecqqo/7P7l6AE1+357MBHB1us6CM677L66a6rS1YcRKhZANiAAQIl3I7/xUR | ||
YZY4mIYhQujKAv3W4me4QKnB0oinYiVzMpZ7/+I8YoeiOtzeuWER1TuoZ551mMTT | ||
SzPCfvgTwCyvbJdsWYIvcUD2afa/+z5mWhq0rYkvH0fOwTP7BiJh5bA= | ||
-----END PRIVATE KEY----- |
@@ -0,0 +1,119 @@ | ||
#!/usr/bin/env bash | ||
|
||
# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. | ||
# SPDX-License-Identifier: Apache-2.0 | ||
|
||
# Usage: ./generate_certs.sh [clean] | ||
# Generates mixed-chain certs for testing | ||
# Use argument "clean" to remove all generated certs | ||
|
||
# immediately bail if any command fails | ||
set -e | ||
|
||
# Generates certs with given algorithms and bits in $1$2/, ex. ec384/ | ||
# $1: rsa or ec | ||
# $2: size of the key used by the leaf and intermediate | ||
# $3: size of the key used by the issuing CA | ||
# $4: digest using in the certificate signatures | ||
# $5: name of the output directory | ||
cert-gen () { | ||
key_family=$1 | ||
key_size=$2 | ||
ca_key_size=$3 | ||
digest=$4 | ||
dir_name=$5 | ||
|
||
echo -e "\n----- generating certs for ec $key_size with $digest $signature -----\n" | ||
|
||
# make directory for certs | ||
mkdir -p $dir_name | ||
cd $dir_name | ||
|
||
echo "generating CA private key and certificate" | ||
openssl req -new -noenc -x509 \ | ||
-newkey ec \ | ||
-pkeyopt ec_paramgen_curve:P-$ca_key_size \ | ||
-keyout ca-key.pem \ | ||
-out ca-cert.pem \ | ||
-days 65536 \ | ||
-$digest \ | ||
-subj "/C=US/CN=root" \ | ||
-addext "basicConstraints = critical,CA:true" \ | ||
-addext "keyUsage = critical,keyCertSign" | ||
|
||
echo "generating intermediate private key and CSR" | ||
openssl req -new -noenc \ | ||
-newkey ec \ | ||
-pkeyopt ec_paramgen_curve:P-$key_size \ | ||
-keyout intermediate-key.pem \ | ||
-out intermediate.csr \ | ||
-subj "/C=US/CN=branch" \ | ||
-addext "basicConstraints = critical,CA:true" \ | ||
-addext "keyUsage = critical,keyCertSign" | ||
|
||
echo "generating server private key and CSR" | ||
openssl req -new -noenc \ | ||
-newkey ec \ | ||
-pkeyopt ec_paramgen_curve:P-$key_size \ | ||
-keyout server-key.pem \ | ||
-out server.csr \ | ||
-subj "/C=US/CN=leaf" \ | ||
-addext "subjectAltName = DNS:localhost" | ||
|
||
echo "generating intermediate certificate and signing it" | ||
openssl x509 -days 65536 \ | ||
-req -in intermediate.csr \ | ||
-$digest \ | ||
-CA ca-cert.pem \ | ||
-CAkey ca-key.pem \ | ||
-CAcreateserial \ | ||
-out intermediate-cert.pem \ | ||
-copy_extensions=copyall | ||
|
||
echo "generating server certificate and signing it" | ||
openssl x509 -days 65536 \ | ||
-req -in server.csr \ | ||
-$digest \ | ||
-CA intermediate-cert.pem \ | ||
-CAkey intermediate-key.pem \ | ||
-CAcreateserial -out server-cert.pem \ | ||
-copy_extensions=copyall | ||
|
||
touch server-chain.pem | ||
cat server-cert.pem >> server-chain.pem | ||
cat intermediate-cert.pem >> server-chain.pem | ||
cat ca-cert.pem >> server-chain.pem | ||
|
||
echo "verifying server certificates" | ||
openssl verify -CAfile ca-cert.pem intermediate-cert.pem | ||
openssl verify -CAfile ca-cert.pem -untrusted intermediate-cert.pem server-cert.pem | ||
|
||
# certificate signing requests are never used after the certs are generated | ||
rm server.csr | ||
rm intermediate.csr | ||
|
||
# serial files are generated during the signing process, but are not used | ||
rm ca-cert.srl | ||
rm intermediate-cert.srl | ||
|
||
# the private keys of the CA and the intermediate CA are never needed after | ||
# signing | ||
rm ca-key.pem | ||
rm intermediate-key.pem | ||
|
||
# the intermediate and server certs are included in server-chain.pem, so | ||
# the individual files can be deleted | ||
rm intermediate-cert.pem | ||
rm server-cert.pem | ||
|
||
cd .. | ||
} | ||
|
||
if [[ $1 != "clean" ]] | ||
then | ||
# key key_size ca_key_size digest directory | ||
cert-gen ec 384 256 SHA384 ecdsa | ||
else | ||
echo "cleaning certs" | ||
rm -rf ecdsa* | ||
fi |
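Review bot: cert-gen's first argument `key_family` (`$1`, documented in the function header as "rsa or ec") is assigned but never read; all three `openssl req` calls hard-code `-newkey ec` with an `ec_paramgen_curve:P-...` option, so `cert-gen rsa ...` would silently produce EC keys with no error. The progress line likewise hard-codes "ec" and expands `$signature`, which is not set anywhere in the function, so it prints an empty field. Either drop the parameter and document the script as EC-only, or make the message match the inputs: `echo -e "\n----- generating certs for $key_family $key_size (CA $ca_key_size) with $digest -----\n"`. While there, quote the directory expansions `mkdir -p "$dir_name"` and `cd "$dir_name"` and declare the five assignments with `local` so they do not leak into the caller's scope.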