Conversation
rajeev-0
force-pushed
the
add_MockTest_cert_generation
branch
3 times, most recently
from
359b5dc to
57c3c4b
Compare
|
DDvO
left a comment
DDvO
left a comment
There was a problem hiding this comment.
Nice.
Yet various small improvements.
|
|
||
| # This script generates the certificates needed for the CMP server and the signer | ||
|
|
||
| if [[ ! -f $mkcert_sh ]]; then |
There was a problem hiding this comment.
Is there a concrete use case for setting mkcert_sh externally?
Otherwise I suggest dropping the guard.
There was a problem hiding this comment.
I wanted to make the script flexible, but here I also don't see the benefit. I will drop the guard.
| # sever certificate algorithms | ||
| if [ -z "$server_rootca_keyalg" ]; then | ||
| server_rootca_keyalg="MLDSA65" | ||
| fi | ||
| if [ -z "$server_leaf_keyalg" ]; then | ||
| server_leaf_keyalg="SLH-DSA-SHAKE-192s" | ||
| fi | ||
| # rootCACert update test case | ||
| if [ -z "$new_rootca_keyalg" ]; then | ||
| new_rootca_keyalg="SLH-DSA-SHAKE-192s" | ||
| fi | ||
|
|
||
| # End-entity certificate algorithms | ||
| if [ -z "$signer_rootca_keyalg" ]; then | ||
| signer_rootca_keyalg="MLDSA65" | ||
| fi | ||
| if [ -z "$signer_interca_keyalg" ]; then | ||
| signer_interca_keyalg="MLDSA65" | ||
| fi | ||
| if [ -z "$signer_subinterca_keyalg" ]; then | ||
| signer_subinterca_keyalg="MLDSA65" | ||
| fi | ||
| if [ -z "$signer_leaf_keyalg" ]; then | ||
| signer_leaf_keyalg="SLH-DSA-SHAKE-192s" | ||
| fi |
There was a problem hiding this comment.
Please introduce and use a couple of script parameters, such that the script can be called
- for updating the hitherto test credentials with the same classical algorithms as before (RSA)
- for the given PQ tests with
MLDSA65andSLH-DSA-SHAKE-192s - for further ones, like KEM
There was a problem hiding this comment.
Added only one variable "Algo_used".
|
|
||
| remove_serverfiles() { | ||
| echo "Removing server files" | ||
| rm -f server.key server-crt trusted.crt server_root.crt |
There was a problem hiding this comment.
typo in a file name, and better use same order as above:
| rm -f server.key server-crt trusted.crt server_root.crt | |
| rm -f server_root.crt trusted.crt server.key server.crt |
|
|
||
| gen_servercert() { | ||
| remove_serverfiles | ||
| sleep 5 |
There was a problem hiding this comment.
why sleep? Please comment or remove.
| fi | ||
|
|
||
| gen_demoCAfolder | ||
| openssl ca -gencrl -keyfile signer_subinterCA-key.pem -cert signer_subinterCA-cert.pem -out signer_subinterCA-crl.pem -crldays 36525 \ |
There was a problem hiding this comment.
Please use $DAYS after adding early in the script:
if [ -z "$DAYS" ]; then
DAYS=36524 # 100 years, with 24 leap years per 100 years until 2400
fi
BTW, the 36525 in mkcert.sh typically means 1 day more than 100 years
because a leap year occurs every 4 years, but not every 100 years, but still every 400 years (i.e., in 2000, in 2400, ...)
| "database = ./demoCA/index.txt" "crlnumber = ./demoCA/crlnumber" "default_md = default") | ||
| cat signer_leaf-cert.pem signer_subinterCA-cert.pem signer_interCA-cert.pem > signer_chain.pem | ||
| cat signer_subinterCA-cert.pem signer_interCA-cert.pem signer_root-cert.pem > signer_fullchain.pem | ||
| openssl pkcs12 -export -out signer.p12 -inkey signer_leaf-key.pem -in signer_leaf-cert.pem -certfile signer_fullchain.pem -password pass:12345 |
There was a problem hiding this comment.
| openssl pkcs12 -export -out signer.p12 -inkey signer_leaf-key.pem -in signer_leaf-cert.pem -certfile signer_fullchain.pem -password pass:12345 | |
| openssl pkcs12 -export -out signer.p12 -inkey signer_leaf-key.pem -in signer_leaf-cert.pem -certfile signer_fullchain.pem -password file:12345.txt |
| openssl pkey -in new.key -out new_pass_12345.key -aes256 -passout pass:12345 | ||
| echo "12345" > 12345.txt |
There was a problem hiding this comment.
| openssl pkey -in new.key -out new_pass_12345.key -aes256 -passout pass:12345 | |
| echo "12345" > 12345.txt | |
| openssl pkey -in new.key -out new_pass_12345.key -aes256 -passout file:12345.txt |
| new_rootca_keyalg="SLH-DSA-SHAKE-192s" | ||
| fi | ||
|
|
||
| # End-entity certificate algorithms |
There was a problem hiding this comment.
| # End-entity certificate algorithms | |
| # algorithms for client certificate chain |
| gen_servercert | ||
| gen_signercert |
There was a problem hiding this comment.
| gen_servercert | |
| gen_signercert | |
| gen_server_chain | |
| gen_client_chain |
| @@ -0,0 +1,417 @@ | |||
| #! /bin/bash | |||
There was a problem hiding this comment.
Please mark in the file the part(s) adapted, or was an unchanged copy sufficient?
There was a problem hiding this comment.
Added comment in line 59, to enable PQ algorithms.
| openssl pkey -in new.key -out new_pass_12345.key -aes256 -passout pass:12345 | ||
| echo "12345" > 12345.txt | ||
| cp new.key signer.key | ||
| mv signer_leaf-cert.pem signer_only.crt |
There was a problem hiding this comment.
Please add a further signer cert with NULL-DN subject and without a subjectKeyIdentifier,
which will be needed in a new test case on senderKID.
If there is no simple way of using for this case mkcert_sh genee, you can also use:
openssl x509 -new -subj "/" -days $DAYS -extfile <(printf "subjectKeyIdentifier=none") -out signer_no_SKID.crt -key signer.key
|
Please also add a run of |
rajeev-0
force-pushed
the
add_MockTest_cert_generation
branch
from
57c3c4b to
ba840da
Compare
|
setup-Mock.sh: add files for rootCaCert test setup-mock.sh: option to set variables from cli
rajeev-0
force-pushed
the
add_MockTest_cert_generation
branch
from
ba840da to
963edeb
Compare
rajeev-0
force-pushed
the
add_MockTest_cert_generation
branch
from
c50937a to
e206092
Compare
rajeev-0
left a comment
rajeev-0
left a comment
There was a problem hiding this comment.
Updated as per comment.
|
|
||
| # This script generates the certificates needed for the CMP server and the signer | ||
|
|
||
| if [[ ! -f $mkcert_sh ]]; then |
There was a problem hiding this comment.
I wanted to make the script flexible, but here I also don't see the benefit. I will drop the guard.
| @@ -0,0 +1,417 @@ | |||
| #! /bin/bash | |||
There was a problem hiding this comment.
Added comment in line 59, to enable PQ algorithms.
| # CMP server certificate | ||
| rename_serverfiles() { | ||
| echo "Renaming server files" | ||
| rm server_root-key.pem server_root-pubkey.pem newWithNew-key.pem newWithNew-pubkey.pem |
There was a problem hiding this comment.
IMO, wherever possible its better to remove it a central location incase it is needed in future.
|
|
||
| gen_servercert() { | ||
| remove_serverfiles | ||
| sleep 5 |
| rm -f signer_root-key.pem signer_interCA-key.pem signer_interCA-cert.pem \ | ||
| signer_subinterCA-key.pem | ||
| mv signer_subinterCA-cert.pem issuing.crt | ||
| mv signer_subinterCA-crl.pem newcrl.pem |
There was a problem hiding this comment.
Updated it to crl.der
| gen_demoCAfolder | ||
| openssl ca -gencrl -keyfile signer_subinterCA-key.pem -cert signer_subinterCA-cert.pem -out signer_subinterCA-crl.pem -crldays 36525 \ | ||
| -config <(printf "[ca]\ndefault_ca= CA_default\n[CA_default]\n%s\n%s\n%s\n" \ | ||
| "database = ./demoCA/index.txt" "crlnumber = ./demoCA/crlnumber" "default_md = default") |
There was a problem hiding this comment.
It is part of client credentials and I don't like the idea of creating a function for one line command.
|
2 participants
Motivation
Script to generate Mock certificates and keys for testing.
Added OpenSSL-3.5 test to CI test.
Added Mock test with PQ algorithm (MLDSA & SLH-DSA) using OpenSSL-3.5.