File: basic-usage

#!/bin/sh
# autopkgtest for easy-rsa: run the documented workflow (init-pki,
# build-ca, build-server-full, gen-req + sign-req) in a scratch CA
# directory under AUTOPKGTEST_TMP (default /tmp), then verify the key
# size, subject and lifetime of every generated certificate with
# openssl(1). assert() records failed checks in rc, which the EXIT trap
# turns into the exit status.
# Only -e and -u: `pipefail' is not available in every /bin/sh, so a
# pipeline's status is that of its last command.
set -e -u

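# assert LABEL TEST-ARGS...
# Print "checking LABEL..." and evaluate test(1) on the remaining
# arguments. On success the line is simply terminated; on failure the
# failing expression is appended and the global rc is set to 1, which the
# EXIT trap turns into the script's exit status (the script keeps going so
# every check is reported).
# printf is used instead of echo: under dash (the usual /bin/sh) echo
# interprets backslash sequences such as \n or \c in its arguments, so a
# compared value containing a backslash would be mangled in the
# diagnostic; printf '%s' reproduces it byte for byte.
assert() {
	printf 'checking %s...' "${1:?}"
	shift
	if test "$@"
	then
		printf '\n'
	else
		printf ' ! (%s)\n' "$*"
		rc=1
	fi
}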

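# Exit status: the status of a command that aborted the script under
# `set -e' if there was one, otherwise rc (1 if any assert failed, 0 if
# none did). `$?' must be captured as the very first thing in the trap:
# an unconditional `exit $rc' here would replace a failing command's
# status with rc, which is 0 if no assertion had failed yet, and report
# success for a run in which e.g. build-ca or a `test -s' failed.
# rc is initialised explicitly so the arithmetic never sees an unset
# variable under `set -u' (bash treats that as an error).
rc=0
trap 'st=$?; exit $(( st != 0 ? st : rc ))' EXIT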


# Scratch CA directory: inside autopkgtest's per-test temp dir when that
# is set, otherwise /tmp.
# NOTE: outside autopkgtest this is a fixed, predictable path in the
# shared /tmp, and the CA key created below has no passphrase (nopass);
# on a multi-user host point AUTOPKGTEST_TMP at a private directory.
CA_DIR="${AUTOPKGTEST_TMP:-/tmp}/easyrsa-cadir"

# Expected values: written into the vars file (or passed per invocation)
# when the certificates are generated, and compared against the
# generated certificates by the checks at the end.
ca_cn="My Example CA"         # CA subject CN, passed via --req-cn
bits=2048                     # EASYRSA_KEY_SIZE
ca_days=3650                  # EASYRSA_CA_EXPIRE
cert_days=365                 # EASYRSA_CERT_EXPIRE
extended_cert_days=1095       # per-invocation --days override (sample2)


# Create the CA directory with Debian's make-cadir helper (easyrsa
# wrapper plus a vars file); a failure aborts the script via `set -e'.
make-cadir "${CA_DIR}"

# Batch mode: easyrsa must not stop at interactive prompts, there is no
# terminal in CI.
EASYRSA_BATCH=1
export EASYRSA_BATCH

# Everything below runs from inside the CA directory, so pki/... paths
# are relative to it.
cd -- "${CA_DIR}"


# prepare PKI
./easyrsa init-pki

# Write the expected key size and lifetimes into the vars file.
# kv_sub NAME VALUE prints a sed expression that matches the (possibly
# commented-out) `set_var NAME <number>' line, drops the leading `#'s
# and replaces the number; the group keeps the keyword and its spacing.
kv_sub() {
	printf 's/^#*\\(set_var %s[[:space:]]*\\)[0-9]*$/\\1%d/' "$1" "$2"
}
sed -i \
	-e "$(kv_sub EASYRSA_KEY_SIZE "${bits}")" \
	-e "$(kv_sub EASYRSA_CA_EXPIRE "${ca_days}")" \
	-e "$(kv_sub EASYRSA_CERT_EXPIRE "${cert_days}")" \
	"${CA_DIR}/vars"


# create CA
# The CA's CN is supplied with --req-cn; `nopass' presumably leaves the
# CA key unencrypted, which is acceptable only for this throwaway test
# PKI.
./easyrsa --req-cn="${ca_cn}" build-ca nopass

# The CA certificate must exist and be non-empty (cwd is CA_DIR).
[ -s pki/ca.crt ]


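# create server certificates

# sample1: key size and lifetime come from the vars file; the checks at
# the end expect bits and cert_days.
./easyrsa build-server-full sample1.example.net nopass

test -s pki/private/sample1.example.net.key
test -s pki/issued/sample1.example.net.crt

# sample2: per-invocation --days/--keysize must override the vars file;
# the checks expect extended_cert_days and 2*bits.
./easyrsa --days=$((extended_cert_days)) --keysize=$((2 * bits)) build-server-full sample2.example.net nopass

test -s pki/private/sample2.example.net.key
test -s pki/issued/sample2.example.net.crt

# req-cn-test: the request CN (--req-cn) differs from the file name; the
# issued certificate must carry the CN. The lifetime is taken from
# cert_days rather than a literal so it stays in step with the
# `req-cn-test lifetime' check, which compares against cert_days.
./easyrsa --req-cn=sample3.example.net gen-req req-cn-test nopass
./easyrsa --days=$((cert_days)) sign-req server req-cn-test

test -s pki/private/req-cn-test.key
test -s pki/issued/req-cn-test.crt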


# checks

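# cert_lifetime CERT: print the validity period of CERT (notAfter minus
# notBefore) in days.
# The division is deliberately left to awk: a period that is not a whole
# number of days prints as a fraction, which makes the caller's
# `test -eq' fail, and a bad certificate should fail the check rather
# than be rounded into passing.
# Requires OpenSSL 3.x (-dateopt iso_8601) and GNU date (-d).
# The timestamps reach date(1) as quoted arguments and are never spliced
# into a shell command string built inside awk (the shape of a shell
# injection, even though the input here is a certificate this script
# generated itself). Empty timestamps are rejected explicitly because
# GNU `date -d ""' silently means "today". The body is a subshell so its
# variables do not leak into the script's global scope and a failure
# ends the function (empty output) rather than the script.
cert_lifetime() (
	dates=$(openssl x509 -dateopt iso_8601 -noout -dates -in "${1:?}") || exit 1
	not_before=$(printf '%s\n' "${dates}" | sed -n 's/^notBefore=//p')
	not_after=$(printf '%s\n' "${dates}" | sed -n 's/^notAfter=//p')
	[ -n "${not_before}" ] && [ -n "${not_after}" ] || exit 1
	not_before=$(date -u -d "${not_before}" +%s) || exit 1
	not_after=$(date -u -d "${not_after}" +%s) || exit 1
	awk -v nb="${not_before}" -v na="${not_after}" \
		'BEGIN { print ((na - nb) / 86400) }'
)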
# cert_pubkey_size CERT: print the public key length in bits, taken from
# the "Public-Key: (N bit)" line of `openssl x509 -text'. Only a line of
# exactly that shape is accepted; otherwise nothing is printed and the
# caller's numeric comparison fails.
cert_pubkey_size() {
	openssl x509 -noout -text -in "${1:?}" \
	| awk '/^[[:space:]]*Public-Key:[[:space:]]*\([0-9]* bit\)$/ {
		split($0, part, /[()]/)
		sub(/ bit$/, "", part[2])
		print part[2]
	  }'
}

# The default value for the -nameopt option changed in OpenSSL 3.2 from
# `oneline' to `utf8'. The `oneline' option also included a space around
# the fields which is not the case for `utf8'. This means that
#         CN = domain.tld
# 
# changed to
# 
#         CN=domain.tld
# 
# and is no longer recognized, leading to test failure.
# This can be fixed by either going back to `oneline' or keeping `utf8'
# and additionally adding `space_eq'. Another way would be to teach the
# expected pattern that the space is optional.
# 
# Add an explicit -nameopt option with `utf8,space_eq', which is understood
# both by OpenSSL 3.2 and by earlier versions, so the output format no
# longer depends on the OpenSSL default.
# 
# Signed-off-by: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
# cert_subject CERT: print the subject DN of CERT without the "subject="
# prefix, e.g. "CN = host.example". -nameopt is given explicitly (utf8,
# spaces around `=') because the OpenSSL default changed in 3.2 and the
# checks below compare against the spaced form.
cert_subject() {
	openssl x509 -noout -nameopt utf8,space_eq -subject -in "${1:?}" \
	| awk '{ sub(/^subject=/, ""); print }'
}


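# check CA and issued certificates
#
# Every certificate is checked for public key length, subject and
# lifetime (from the vars file or the per-invocation --days/--keysize
# overrides) and, in addition, that it verifies against the CA
# certificate: the first three checks alone would not notice a
# certificate signed by the wrong key or with a broken issuer chain.

# cert_verify CERT: print "OK" when CERT validates against pki/ca.crt
# (signature, issuer CA constraints, validity period), "FAIL" otherwise.
# The verdict is a word so that assert can compare it with `='.
# No -purpose is passed: this checks the chain only, not the server EKU.
cert_verify() {
	if openssl verify -CAfile "${CA_DIR}/pki/ca.crt" "${1:?}" >/dev/null 2>&1
	then
		echo OK
	else
		echo FAIL
	fi
}

# check_cert LABEL CERT CN DAYS BITS: the per-certificate assertions,
# in a fixed order so the report reads the same for every certificate.
check_cert() {
	assert "$1 public key length" \
		"$(cert_pubkey_size "$2")" -eq "$5"
	assert "$1 subject" \
		"$(cert_subject "$2")" = "CN = $3"
	assert "$1 lifetime" \
		"$(cert_lifetime "$2")" -eq "$4"
	assert "$1 verifies against CA" \
		"$(cert_verify "$2")" = OK
}

# CA: self-signed, so it verifies against itself.
check_cert 'CA' "${CA_DIR}/pki/ca.crt" "${ca_cn}" "${ca_days}" "${bits}"

# sample1.example.net: defaults from the vars file
check_cert 'sample1.example.net' "${CA_DIR}/pki/issued/sample1.example.net.crt" \
	sample1.example.net "${cert_days}" "${bits}"

# sample2.example.net: --days and --keysize overrides
check_cert 'sample2.example.net' "${CA_DIR}/pki/issued/sample2.example.net.crt" \
	sample2.example.net "${extended_cert_days}" "$((2 * bits))"

# req-cn-test: file name and CN differ; the CN from --req-cn must win
check_cert 'req-cn-test' "${CA_DIR}/pki/issued/req-cn-test.crt" \
	sample3.example.net "${cert_days}" "${bits}"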