stan/jdk-24
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
8a1f9f0a32
jdk-24/test/jdk/sun/security/x509/DNSName/certs/generate-certs.sh
Ben Perez bfaf5704e7 8311546: Certificate name constraints improperly validated with leading period 
Reviewed-by: mullan
2023-11-01 16:49:50 +00:00

91 lines
2.2 KiB
Bash
Raw Blame History

#!/usr/bin/env bash
set -e
###############################################################
# CA with a leading period in the name constraint #
###############################################################
mkdir -p withLeadingPeriod
openssl req \
-newkey rsa:1024 \
-keyout withLeadingPeriod/ca.key \
-out withLeadingPeriod/ca.csr \
-subj "/C=US/O=Example/CN=Example CA with period" \
-nodes
openssl x509 \
-req \
-in withLeadingPeriod/ca.csr \
-extfile openssl.cnf \
-extensions withLeadingPeriod \
-signkey withLeadingPeriod/ca.key \
-out withLeadingPeriod/ca.pem
# leaf certificate
openssl req \
-newkey rsa:1024 \
-keyout withLeadingPeriod/leaf.key \
-out withLeadingPeriod/leaf.csr \
-subj '/CN=demo.example.com' \
-addext 'subjectAltName = DNS:demo.example.com' \
-nodes
openssl x509 \
-req \
-in withLeadingPeriod/leaf.csr \
-CAcreateserial \
-CA withLeadingPeriod/ca.pem \
-CAkey withLeadingPeriod/ca.key \
-out withLeadingPeriod/leaf.pem
# ##################################################################
# # CA without a leading period in the name contraint #
# ##################################################################
mkdir -p withoutLeadingPeriod
openssl req \
-newkey rsa:1024 \
-keyout withoutLeadingPeriod/ca.key \
-out withoutLeadingPeriod/ca.csr \
-subj "/C=US/O=Example/CN=Example CA without period" \
-nodes
openssl x509 \
-req \
-in withoutLeadingPeriod/ca.csr \
-extfile openssl.cnf \
-extensions withoutLeadingPeriod \
-signkey withoutLeadingPeriod/ca.key \
-out withoutLeadingPeriod/ca.pem
# leaf certificate
openssl req \
-newkey rsa:1024 \
-keyout withoutLeadingPeriod/leaf.key \
-out withoutLeadingPeriod/leaf.csr \
-subj '/CN=demo.example.com' \
-addext 'subjectAltName = DNS:demo.example.com' \
-nodes
openssl x509 \
-req \
-in withoutLeadingPeriod/leaf.csr \
-CAcreateserial \
-CA withoutLeadingPeriod/ca.pem \
-CAkey withoutLeadingPeriod/ca.key \
-out withoutLeadingPeriod/leaf.pem
# # Verify both leaf certificates
set +e
openssl verify \
-CAfile withLeadingPeriod/ca.pem \
withLeadingPeriod/leaf.pem
openssl verify \
-CAfile withoutLeadingPeriod/ca.pem \
withoutLeadingPeriod/leaf.pem
Reference in New Issue View Git Blame Copy Permalink