keytypes/asymmetric: add code to generate test certificates

Author: mathstuf

src/keytypes/data/ca/.gitignore

@@ -0,0 +1,7 @@
+*.key
+*.crt
+*.csr
+*.pem
+
+certindex*
+serial*

src/keytypes/data/ca/Makefile

@@ -0,0 +1,37 @@
+PROJECT := rust-keyutils
+OPENSSL_CONF := openssl.cnf
+
+MAIN_CERT_NAME := ca-1
+MAIN_ROOT_CERT := $(MAIN_CERT_NAME).root.crt
+ROOT_CERTS := $(MAIN_ROOT_CERT) ca-2.root.crt
+INTERMEDIATE_CERTS := ca.intermediate.crt
+CA_CERTS := $(ROOT_CERTS) $(INTERMEDIATE_CERTS)
+SERVER_CERTS := intermediate.term.crt $(MAIN_CERT_NAME).term.crt self.term.crt
+
+SIGNING_BITS := certindex serial
+
+all: $(foreach cert,$(CA_CERTS) $(SERVER_CERTS),$(cert).der)
+
+certindex:
+	touch certindex
+
+serial:
+	echo 1000 > serial
+
+%.root.crt %.key: $(OPENSSL_CONF)
+	openssl req -config $< -new -subj "/CN=$(PROJECT) CA $*" -x509 -passout pass:$(PROJECT) -newkey rsa:4096 -keyout $*.key -out $@ -extensions v3_root_ca
+
+%.intermediate.crt %.key: $(OPENSSL_CONF) $(SIGNING_BITS) $(MAIN_ROOT_CERT)
+	openssl req -config $< -new -subj "/CN=$(PROJECT) Intermediate CA" -passout pass:$(PROJECT) -newkey rsa:4096 -keyout $*.key -out $@.csr -extensions v3_intermediate_ca
+	openssl ca -config $< -notext -passin pass:$(PROJECT) -batch -in $@.csr -out $@
+
+self.term.crt %.key: $(OPENSSL_CONF) $(SIGNING_BITS)
+	openssl req -config $< -new -subj "/CN=$(PROJECT) self-signed Certificate" -passout pass:$(PROJECT) -newkey rsa:4096 -keyout $*.term.key -out $@.csr -extensions v3_server_cert
+	openssl x509 -req -signkey $*.term.key -passin pass:$(PROJECT) -days 3650 -in $@.csr -out $@
+
+%.term.crt %.key: $(OPENSSL_CONF) $(SIGNING_BITS) $(CA_CERTS)
+	openssl req -config $< -new -subj "/CN=$(PROJECT) $*-signed Certificate" -passout pass:$(PROJECT) -newkey rsa:4096 -keyout $*.term.key -out $@.csr -extensions v3_server_cert
+	openssl ca -config $< -notext -passin pass:$(PROJECT) -batch -in $@.csr -out $@ -name $*
+
+%.crt.der: %.crt
+	openssl x509 -outform der -in $< -out $@

src/keytypes/data/ca/openssl.cnf

@@ -0,0 +1,75 @@
+[ca]
+default_ca = ca-1
+
+[ca_policy]
+
+[ca-1]
+dir = ./
+new_certs_dir = $dir
+certificate = $dir/ca-1.root.crt
+private_key = $dir/ca-1.key
+
+database = $dir/certindex
+serial = $dir/serial
+default_days = 3650
+default_md = sha512
+policy = ca_policy
+
+[intermediate]
+dir = ./
+new_certs_dir = $dir
+certificate = $dir/ca.intermediate.crt
+private_key = $dir/ca.key
+
+database = $dir/certindex
+serial = $dir/serial
+default_days = 3650
+default_md = sha512
+policy = ca_policy
+
+[self]
+dir = ./
+new_certs_dir = $dir
+#certificate = $dir/ca.intermediate.crt
+private_key = $dir/self.term.key
+
+database = $dir/certindex
+serial = $dir/serial
+default_days = 3650
+default_md = sha512
+policy = ca_policy
+
+[req]
+distinguished_name = req_distinguished_name
+prompt = no
+
+[req_distinguished_name]
+countryName = US
+stateOrProvinceName = New York
+localityName = Nowhere
+organizationName = Github
+emailAddress = mathstuf+keyutils@gmail.com
+
+[v3_root_ca]
+# Extensions for a typical CA (`man x509v3_config`).
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+basicConstraints = critical, CA:true
+keyUsage = critical, digitalSignature, cRLSign, keyCertSign
+
+[v3_intermediate_ca]
+# Extensions for a typical intermediate CA (`man x509v3_config`).
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+basicConstraints = critical, CA:true, pathlen:0
+keyUsage = critical, digitalSignature, cRLSign, keyCertSign
+
+[v3_server_cert]
+# Extensions for server certificates (`man x509v3_config`).
+basicConstraints = CA:FALSE
+nsCertType = server
+nsComment = "OpenSSL Generated Server Certificate"
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer:always
+keyUsage = critical, digitalSignature, keyEncipherment
+extendedKeyUsage = serverAuth