From bcd92754d56abbcecc207d9f8c1624b7c9bb2b07 Mon Sep 17 00:00:00 2001 From: James Muir Date: Sat, 23 Dec 2023 17:03:21 -0500 Subject: [PATCH] demos: fix cert scripts set LD_LIBRARY_PATH so the correct libs can be found. Testing: cd demos/certs && sh mkcerts.sh cd demos/certs/apps && sh -x mkacerts.sh Reviewed-by: Neil Horman Reviewed-by: Paul Yang Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/23142) --- demos/certs/apps/mkacerts.sh | 32 +++++++++++--------- demos/certs/apps/mkxcerts.sh | 22 +++++++++----- demos/certs/mkcerts.sh | 57 ++++++++++++++++++++---------------- demos/certs/ocspquery.sh | 17 +++++++---- demos/certs/ocsprun.sh | 11 +++++-- 5 files changed, 84 insertions(+), 55 deletions(-) diff --git a/demos/certs/apps/mkacerts.sh b/demos/certs/apps/mkacerts.sh index 70984969f44b4..996747f2cd901 100644 --- a/demos/certs/apps/mkacerts.sh +++ b/demos/certs/apps/mkacerts.sh @@ -2,38 +2,42 @@ # Recreate the demo certificates in the apps directory. -OPENSSL=openssl +opensslcmd() { + LD_LIBRARY_PATH=../../.. ../../../apps/openssl $@ +} + +opensslcmd version # Root CA: create certificate directly -CN="OpenSSL Test Root CA" $OPENSSL req -config apps.cnf -x509 -nodes \ +CN="OpenSSL Test Root CA" opensslcmd req -config apps.cnf -x509 -nodes \ -keyout root.pem -out root.pem -key rootkey.pem -new -days 3650 # Intermediate CA: request first -CN="OpenSSL Test Intermediate CA" $OPENSSL req -config apps.cnf -nodes \ +CN="OpenSSL Test Intermediate CA" opensslcmd req -config apps.cnf -nodes \ -key intkey.pem -out intreq.pem -new # Sign request: CA extensions -$OPENSSL x509 -req -in intreq.pem -CA root.pem -CAkey rootkey.pem -days 3630 \ +opensslcmd x509 -req -in intreq.pem -CA root.pem -CAkey rootkey.pem -days 3630 \ -extfile apps.cnf -extensions v3_ca -CAcreateserial -out intca.pem # Client certificate: request first -CN="Test Client Cert" $OPENSSL req -config apps.cnf -nodes \ +CN="Test Client Cert" opensslcmd req -config apps.cnf -nodes \ -key ckey.pem -out creq.pem -new # Sign using intermediate CA -$OPENSSL x509 -req -in creq.pem -CA intca.pem -CAkey intkey.pem -days 3600 \ +opensslcmd x509 -req -in creq.pem -CA intca.pem -CAkey intkey.pem -days 3600 \ -extfile apps.cnf -extensions usr_cert -CAcreateserial | \ - $OPENSSL x509 -nameopt oneline -subject -issuer >client.pem + opensslcmd x509 -nameopt oneline -subject -issuer >client.pem # Server certificate: request first -CN="Test Server Cert" $OPENSSL req -config apps.cnf -nodes \ +CN="Test Server Cert" opensslcmd req -config apps.cnf -nodes \ -key skey.pem -out sreq.pem -new # Sign using intermediate CA -$OPENSSL x509 -req -in sreq.pem -CA intca.pem -CAkey intkey.pem -days 3600 \ +opensslcmd x509 -req -in sreq.pem -CA intca.pem -CAkey intkey.pem -days 3600 \ -extfile apps.cnf -extensions usr_cert -CAcreateserial | \ - $OPENSSL x509 -nameopt oneline -subject -issuer >server.pem + opensslcmd x509 -nameopt oneline -subject -issuer >server.pem # Server certificate #2: request first -CN="Test Server Cert #2" $OPENSSL req -config apps.cnf -nodes \ +CN="Test Server Cert #2" opensslcmd req -config apps.cnf -nodes \ -key skey2.pem -out sreq2.pem -new # Sign using intermediate CA -$OPENSSL x509 -req -in sreq2.pem -CA intca.pem -CAkey intkey.pem -days 3600 \ +opensslcmd x509 -req -in sreq2.pem -CA intca.pem -CAkey intkey.pem -days 3600 \ -extfile apps.cnf -extensions usr_cert -CAcreateserial | \ - $OPENSSL x509 -nameopt oneline -subject -issuer >server2.pem + opensslcmd x509 -nameopt oneline -subject -issuer >server2.pem # Append keys to file. @@ -41,5 +45,5 @@ cat skey.pem >>server.pem cat skey2.pem >>server2.pem cat ckey.pem >>client.pem -$OPENSSL verify -CAfile root.pem -untrusted intca.pem \ +opensslcmd verify -CAfile root.pem -untrusted intca.pem \ server2.pem server.pem client.pem diff --git a/demos/certs/apps/mkxcerts.sh b/demos/certs/apps/mkxcerts.sh index ebe1920432be2..39d45605e1fe6 100644 --- a/demos/certs/apps/mkxcerts.sh +++ b/demos/certs/apps/mkxcerts.sh @@ -1,29 +1,35 @@ +#!/bin/sh # Create certificates using various algorithms to test multi-certificate # functionality. -OPENSSL=../../../apps/openssl -CN="OpenSSL Test RSA SHA-1 cert" $OPENSSL req \ +opensslcmd() { + LD_LIBRARY_PATH=../../.. ../../../apps/openssl $@ +} + +opensslcmd version + +CN="OpenSSL Test RSA SHA-1 cert" opensslcmd req \ -config apps.cnf -extensions usr_cert -x509 -nodes \ -keyout tsha1.pem -out tsha1.pem -new -days 3650 -sha1 -CN="OpenSSL Test RSA SHA-256 cert" $OPENSSL req \ +CN="OpenSSL Test RSA SHA-256 cert" opensslcmd req \ -config apps.cnf -extensions usr_cert -x509 -nodes \ -keyout tsha256.pem -out tsha256.pem -new -days 3650 -sha256 -CN="OpenSSL Test RSA SHA-512 cert" $OPENSSL req \ +CN="OpenSSL Test RSA SHA-512 cert" opensslcmd req \ -config apps.cnf -extensions usr_cert -x509 -nodes \ -keyout tsha512.pem -out tsha512.pem -new -days 3650 -sha512 # Create EC parameters -$OPENSSL ecparam -name P-256 -out ecp256.pem -$OPENSSL ecparam -name P-384 -out ecp384.pem +opensslcmd ecparam -name P-256 -out ecp256.pem +opensslcmd ecparam -name P-384 -out ecp384.pem -CN="OpenSSL Test P-256 SHA-256 cert" $OPENSSL req \ +CN="OpenSSL Test P-256 SHA-256 cert" opensslcmd req \ -config apps.cnf -extensions ec_cert -x509 -nodes \ -nodes -keyout tecp256.pem -out tecp256.pem -newkey ec:ecp256.pem \ -days 3650 -sha256 -CN="OpenSSL Test P-384 SHA-384 cert" $OPENSSL req \ +CN="OpenSSL Test P-384 SHA-384 cert" opensslcmd req \ -config apps.cnf -extensions ec_cert -x509 -nodes \ -nodes -keyout tecp384.pem -out tecp384.pem -newkey ec:ecp384.pem \ -days 3650 -sha384 diff --git a/demos/certs/mkcerts.sh b/demos/certs/mkcerts.sh index 2d14a95989e81..1825607fa33c4 100644 --- a/demos/certs/mkcerts.sh +++ b/demos/certs/mkcerts.sh @@ -1,73 +1,78 @@ #!/bin/sh -OPENSSL=../../apps/openssl +opensslcmd() { + LD_LIBRARY_PATH=../.. ../../apps/openssl $@ +} + OPENSSL_CONF=../../apps/openssl.cnf export OPENSSL_CONF +opensslcmd version + # Root CA: create certificate directly -CN="Test Root CA" $OPENSSL req -config ca.cnf -x509 -nodes \ +CN="Test Root CA" opensslcmd req -config ca.cnf -x509 -nodes \ -keyout root.pem -out root.pem -newkey rsa:2048 -days 3650 # Intermediate CA: request first -CN="Test Intermediate CA" $OPENSSL req -config ca.cnf -nodes \ +CN="Test Intermediate CA" opensslcmd req -config ca.cnf -nodes \ -keyout intkey.pem -out intreq.pem -newkey rsa:2048 # Sign request: CA extensions -$OPENSSL x509 -req -in intreq.pem -CA root.pem -days 3600 \ +opensslcmd x509 -req -in intreq.pem -CA root.pem -days 3600 \ -extfile ca.cnf -extensions v3_ca -CAcreateserial -out intca.pem # Server certificate: create request first -CN="Test Server Cert" $OPENSSL req -config ca.cnf -nodes \ +CN="Test Server Cert" opensslcmd req -config ca.cnf -nodes \ -keyout skey.pem -out req.pem -newkey rsa:1024 # Sign request: end entity extensions -$OPENSSL x509 -req -in req.pem -CA intca.pem -CAkey intkey.pem -days 3600 \ +opensslcmd x509 -req -in req.pem -CA intca.pem -CAkey intkey.pem -days 3600 \ -extfile ca.cnf -extensions usr_cert -CAcreateserial -out server.pem # Client certificate: request first -CN="Test Client Cert" $OPENSSL req -config ca.cnf -nodes \ +CN="Test Client Cert" opensslcmd req -config ca.cnf -nodes \ -keyout ckey.pem -out creq.pem -newkey rsa:1024 # Sign using intermediate CA -$OPENSSL x509 -req -in creq.pem -CA intca.pem -CAkey intkey.pem -days 3600 \ +opensslcmd x509 -req -in creq.pem -CA intca.pem -CAkey intkey.pem -days 3600 \ -extfile ca.cnf -extensions usr_cert -CAcreateserial -out client.pem # Revoked certificate: request first -CN="Test Revoked Cert" $OPENSSL req -config ca.cnf -nodes \ +CN="Test Revoked Cert" opensslcmd req -config ca.cnf -nodes \ -keyout revkey.pem -out rreq.pem -newkey rsa:1024 # Sign using intermediate CA -$OPENSSL x509 -req -in rreq.pem -CA intca.pem -CAkey intkey.pem -days 3600 \ +opensslcmd x509 -req -in rreq.pem -CA intca.pem -CAkey intkey.pem -days 3600 \ -extfile ca.cnf -extensions usr_cert -CAcreateserial -out rev.pem # OCSP responder certificate: request first -CN="Test OCSP Responder Cert" $OPENSSL req -config ca.cnf -nodes \ +CN="Test OCSP Responder Cert" opensslcmd req -config ca.cnf -nodes \ -keyout respkey.pem -out respreq.pem -newkey rsa:1024 # Sign using intermediate CA and responder extensions -$OPENSSL x509 -req -in respreq.pem -CA intca.pem -CAkey intkey.pem -days 3600 \ +opensslcmd x509 -req -in respreq.pem -CA intca.pem -CAkey intkey.pem -days 3600 \ -extfile ca.cnf -extensions ocsp_cert -CAcreateserial -out resp.pem # Example creating a PKCS#3 DH certificate. # First DH parameters -[ -f dhp.pem ] || $OPENSSL genpkey -genparam -algorithm DH -pkeyopt dh_paramgen_prime_len:1024 -out dhp.pem +[ -f dhp.pem ] || opensslcmd genpkey -genparam -algorithm DH -pkeyopt dh_paramgen_prime_len:1024 -out dhp.pem # Now a DH private key -$OPENSSL genpkey -paramfile dhp.pem -out dhskey.pem +opensslcmd genpkey -paramfile dhp.pem -out dhskey.pem # Create DH public key file -$OPENSSL pkey -in dhskey.pem -pubout -out dhspub.pem +opensslcmd pkey -in dhskey.pem -pubout -out dhspub.pem # Certificate request, key just reuses old one as it is ignored when the # request is signed. -CN="Test Server DH Cert" $OPENSSL req -config ca.cnf -new \ +CN="Test Server DH Cert" opensslcmd req -config ca.cnf -new \ -key skey.pem -out dhsreq.pem # Sign request: end entity DH extensions -$OPENSSL x509 -req -in dhsreq.pem -CA root.pem -days 3600 \ +opensslcmd x509 -req -in dhsreq.pem -CA root.pem -days 3600 \ -force_pubkey dhspub.pem \ -extfile ca.cnf -extensions dh_cert -CAcreateserial -out dhserver.pem # DH client certificate -$OPENSSL genpkey -paramfile dhp.pem -out dhckey.pem -$OPENSSL pkey -in dhckey.pem -pubout -out dhcpub.pem -CN="Test Client DH Cert" $OPENSSL req -config ca.cnf -new \ +opensslcmd genpkey -paramfile dhp.pem -out dhckey.pem +opensslcmd pkey -in dhckey.pem -pubout -out dhcpub.pem +CN="Test Client DH Cert" opensslcmd req -config ca.cnf -new \ -key skey.pem -out dhcreq.pem -$OPENSSL x509 -req -in dhcreq.pem -CA root.pem -days 3600 \ +opensslcmd x509 -req -in dhcreq.pem -CA root.pem -days 3600 \ -force_pubkey dhcpub.pem \ -extfile ca.cnf -extensions dh_cert -CAcreateserial -out dhclient.pem @@ -78,19 +83,19 @@ $OPENSSL x509 -req -in dhcreq.pem -CA root.pem -days 3600 \ # Create initial crl number file echo 01 >crlnum.txt # Add entries for server and client certs -$OPENSSL ca -valid server.pem -keyfile root.pem -cert root.pem \ +opensslcmd ca -valid server.pem -keyfile root.pem -cert root.pem \ -config ca.cnf -md sha1 -$OPENSSL ca -valid client.pem -keyfile root.pem -cert root.pem \ +opensslcmd ca -valid client.pem -keyfile root.pem -cert root.pem \ -config ca.cnf -md sha1 -$OPENSSL ca -valid rev.pem -keyfile root.pem -cert root.pem \ +opensslcmd ca -valid rev.pem -keyfile root.pem -cert root.pem \ -config ca.cnf -md sha1 # Generate a CRL. -$OPENSSL ca -gencrl -keyfile root.pem -cert root.pem -config ca.cnf \ +opensslcmd ca -gencrl -keyfile root.pem -cert root.pem -config ca.cnf \ -md sha1 -crldays 1 -out crl1.pem # Revoke a certificate openssl ca -revoke rev.pem -crl_reason superseded \ -keyfile root.pem -cert root.pem -config ca.cnf -md sha1 # Generate another CRL -$OPENSSL ca -gencrl -keyfile root.pem -cert root.pem -config ca.cnf \ +opensslcmd ca -gencrl -keyfile root.pem -cert root.pem -config ca.cnf \ -md sha1 -crldays 1 -out crl2.pem diff --git a/demos/certs/ocspquery.sh b/demos/certs/ocspquery.sh index f664113305698..7cb8e76423bbc 100644 --- a/demos/certs/ocspquery.sh +++ b/demos/certs/ocspquery.sh @@ -1,21 +1,28 @@ +#!/bin/sh + # Example querying OpenSSL test responder. Assumes ocsprun.sh has been # called. -OPENSSL=../../apps/openssl +opensslcmd() { + LD_LIBRARY_PATH=../.. ../../apps/openssl $@ +} + OPENSSL_CONF=../../apps/openssl.cnf export OPENSSL_CONF +opensslcmd version + # Send responder queries for each certificate. echo "Requesting OCSP status for each certificate" -$OPENSSL ocsp -issuer intca.pem -cert client.pem -CAfile root.pem \ +opensslcmd ocsp -issuer intca.pem -cert client.pem -CAfile root.pem \ -url http://127.0.0.1:8888/ -$OPENSSL ocsp -issuer intca.pem -cert server.pem -CAfile root.pem \ +opensslcmd ocsp -issuer intca.pem -cert server.pem -CAfile root.pem \ -url http://127.0.0.1:8888/ -$OPENSSL ocsp -issuer intca.pem -cert rev.pem -CAfile root.pem \ +opensslcmd ocsp -issuer intca.pem -cert rev.pem -CAfile root.pem \ -url http://127.0.0.1:8888/ # One query for all three certificates. echo "Requesting OCSP status for three certificates in one request" -$OPENSSL ocsp -issuer intca.pem \ +opensslcmd ocsp -issuer intca.pem \ -cert client.pem -cert server.pem -cert rev.pem \ -CAfile root.pem -url http://127.0.0.1:8888/ diff --git a/demos/certs/ocsprun.sh b/demos/certs/ocsprun.sh index a65e5f2fd1719..77fd62fcf1bb6 100644 --- a/demos/certs/ocsprun.sh +++ b/demos/certs/ocsprun.sh @@ -1,14 +1,21 @@ +#!/bin/sh + +opensslcmd() { + LD_LIBRARY_PATH=../.. ../../apps/openssl $@ +} + # Example of running an querying OpenSSL test OCSP responder. # This assumes "mkcerts.sh" or similar has been run to set up the # necessary file structure. -OPENSSL=../../apps/openssl OPENSSL_CONF=../../apps/openssl.cnf export OPENSSL_CONF +opensslcmd version + # Run OCSP responder. PORT=8888 -$OPENSSL ocsp -port $PORT -index index.txt -CA intca.pem \ +opensslcmd ocsp -port $PORT -index index.txt -CA intca.pem \ -rsigner resp.pem -rkey respkey.pem -rother intca.pem $*