-
Notifications
You must be signed in to change notification settings - Fork 30.1k
/
Makefile
825 lines (669 loc) Β· 23.9 KB
/
Makefile
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
all: \
ca1-cert.pem \
ca2-cert.pem \
ca2-crl.pem \
ca3-cert.pem \
ca4-cert.pem \
ca5-cert.pem \
ca6-cert.pem \
agent1-cert.pem \
agent1.pfx \
agent2-cert.pem \
agent3-cert.pem \
agent4-cert.pem \
agent5-cert.pem \
agent6-cert.pem \
agent6.pfx \
agent7-cert.pem \
agent8-cert.pem \
agent9-cert.pem \
agent10-cert.pem \
agent10.pfx \
ec10-cert.pem \
ec10.pfx \
dh512.pem \
dh1024.pem \
dh2048.pem \
dh3072.pem \
dherror.pem \
dh_private.pem \
dh_public.pem \
dsa_params.pem \
dsa_private.pem \
dsa_private_encrypted.pem \
dsa_private_pkcs8.pem \
dsa_public.pem \
dsa1025.pem \
dsa_private_1025.pem \
dsa_private_encrypted_1025.pem \
dsa_public_1025.pem \
ec-cert.pem \
ec.pfx \
fake-cnnic-root-cert.pem \
rsa_private.pem \
rsa_private_encrypted.pem \
rsa_private_pkcs8.pem \
rsa_private_pkcs8_bad.pem \
rsa_public.pem \
rsa_ca.crt \
rsa_cert.crt \
rsa_cert.pfx \
rsa_public_sha1_signature_signedby_rsa_private.sha1 \
rsa_public_sha1_signature_signedby_rsa_private_pkcs8.sha1 \
rsa_private_b.pem \
I_AM_THE_WALRUS_sha256_signature_signedby_rsa_private_b.sha256 \
rsa_public_b.pem \
rsa_cert_foafssl_b.crt \
rsa_cert_foafssl_b.modulus \
rsa_cert_foafssl_b.exponent \
rsa_spkac.spkac \
rsa_spkac_invalid.spkac \
rsa_private_2048.pem \
rsa_private_4096.pem \
rsa_public_2048.pem \
rsa_public_4096.pem \
rsa_pss_private_2048.pem \
rsa_pss_private_2048_sha256_sha256_16.pem \
rsa_pss_private_2048_sha512_sha256_20.pem \
rsa_pss_private_2048_sha1_sha1_20.pem \
rsa_pss_public_2048.pem \
rsa_pss_public_2048_sha256_sha256_16.pem \
rsa_pss_public_2048_sha512_sha256_20.pem \
rsa_pss_public_2048_sha1_sha1_20.pem \
ed25519_private.pem \
ed25519_public.pem \
x25519_private.pem \
x25519_public.pem \
ed448_private.pem \
ed448_public.pem \
x448_private.pem \
x448_public.pem \
ec_p256_private.pem \
ec_p256_public.pem \
ec_p384_private.pem \
ec_p384_public.pem \
ec_p521_private.pem \
ec_p521_public.pem \
ec_secp256k1_private.pem \
ec_secp256k1_public.pem \
incorrect_san_correct_subject-cert.pem \
incorrect_san_correct_subject-key.pem \
irrelevant_san_correct_subject-cert.pem \
irrelevant_san_correct_subject-key.pem \
#
# Create Certificate Authority: ca1
# ('password' is used for the CA password.)
#
ca1-cert.pem: ca1.cnf
openssl req -new -x509 -days 99999 -config ca1.cnf -keyout ca1-key.pem -out ca1-cert.pem
#
# Create Certificate Authority: ca2
# ('password' is used for the CA password.)
#
ca2-cert.pem: ca2.cnf
openssl req -new -x509 -days 99999 -config ca2.cnf -keyout ca2-key.pem -out ca2-cert.pem
echo '01' > ca2-serial
touch ca2-database.txt
#
# Create Subordinate Certificate Authority: ca3 issued by ca1
# ('password' is used for the CA password.)
#
ca3-key.pem:
openssl genrsa -out ca3-key.pem 2048
ca3-csr.pem: ca3.cnf ca3-key.pem
openssl req -new \
-extensions v3_ca \
-config ca3.cnf \
-key ca3-key.pem \
-out ca3-csr.pem
ca3-cert.pem: ca3-csr.pem ca3-key.pem ca3.cnf ca1-cert.pem ca1-key.pem
openssl x509 -req \
-extfile ca3.cnf \
-extensions v3_ca \
-days 99999 \
-passin "pass:password" \
-in ca3-csr.pem \
-CA ca1-cert.pem \
-CAkey ca1-key.pem \
-CAcreateserial \
-out ca3-cert.pem
#
# Create Subordinate Certificate Authority: ca4 issued by ca2
# ('password' is used for the CA password.)
#
ca4-key.pem:
openssl genrsa -out ca4-key.pem 2048
ca4-csr.pem: ca4.cnf ca4-key.pem
openssl req -new \
-extensions v3_ca \
-config ca4.cnf \
-key ca4-key.pem \
-out ca4-csr.pem
ca4-cert.pem: ca4-csr.pem ca4-key.pem ca4.cnf ca2-cert.pem ca2-key.pem
openssl x509 -req \
-extfile ca4.cnf \
-extensions v3_ca \
-days 99999 \
-passin "pass:password" \
-in ca4-csr.pem \
-CA ca2-cert.pem \
-CAkey ca2-key.pem \
-CAcreateserial \
-out ca4-cert.pem
#
# Create Certificate Authority: ca5 with ECC
# ('password' is used for the CA password.)
#
ca5-key.pem:
openssl ecparam -genkey -out ca5-key.pem -name prime256v1
ca5-csr.pem: ca5.cnf ca5-key.pem
openssl req -new \
-config ca5.cnf \
-key ca5-key.pem \
-out ca5-csr.pem
ca5-cert.pem: ca5.cnf ca5-key.pem ca5-csr.pem
openssl x509 -req \
-extfile ca5.cnf \
-extensions v3_ca \
-days 99999 \
-passin "pass:password" \
-in ca5-csr.pem \
-signkey ca5-key.pem \
-out ca5-cert.pem
#
# Create Subordinate Certificate Authority: ca6 issued by ca5 with ECC
# ('password' is used for the CA password.)
#
ca6-key.pem:
openssl ecparam -genkey -out ca6-key.pem -name prime256v1
ca6-csr.pem: ca6.cnf ca6-key.pem
openssl req -new \
-extensions v3_ca \
-config ca6.cnf \
-key ca6-key.pem \
-out ca6-csr.pem
ca6-cert.pem: ca6-csr.pem ca6-key.pem ca6.cnf ca5-cert.pem ca5-key.pem
openssl x509 -req \
-extfile ca6.cnf \
-extensions v3_ca \
-days 99999 \
-passin "pass:password" \
-in ca6-csr.pem \
-CA ca5-cert.pem \
-CAkey ca5-key.pem \
-CAcreateserial \
-out ca6-cert.pem
#
# Create Fake CNNIC Root Certificate Authority: fake-cnnic-root
#
fake-cnnic-root-key.pem:
openssl genrsa -out fake-cnnic-root-key.pem 2048
fake-cnnic-root-cert.pem: fake-cnnic-root.cnf fake-cnnic-root-key.pem
openssl req -x509 -new \
-key fake-cnnic-root-key.pem \
-days 99999 \
-out fake-cnnic-root-cert.pem \
-config fake-cnnic-root.cnf
#
# Create Fake StartCom Root Certificate Authority: fake-startcom-root
#
fake-startcom-root-key.pem:
openssl genrsa -out fake-startcom-root-key.pem 2048
fake-startcom-root-cert.pem: fake-startcom-root.cnf \
fake-startcom-root-key.pem
openssl req -new -x509 -days 99999 -config \
fake-startcom-root.cnf -key fake-startcom-root-key.pem -out \
fake-startcom-root-cert.pem
echo '01' > fake-startcom-root-serial
touch fake-startcom-root-database.txt
#
# agent1 is signed by ca1.
#
agent1-key.pem:
openssl genrsa -out agent1-key.pem 2048
agent1-csr.pem: agent1.cnf agent1-key.pem
openssl req -new -config agent1.cnf -key agent1-key.pem -out agent1-csr.pem
agent1-cert.pem: agent1-csr.pem ca1-cert.pem ca1-key.pem
openssl x509 -req \
-extfile agent1.cnf \
-extensions v3_ca \
-days 99999 \
-passin "pass:password" \
-in agent1-csr.pem \
-CA ca1-cert.pem \
-CAkey ca1-key.pem \
-CAcreateserial \
-out agent1-cert.pem
agent1.pfx: agent1-cert.pem agent1-key.pem ca1-cert.pem
openssl pkcs12 -export \
-descert \
-in agent1-cert.pem \
-inkey agent1-key.pem \
-certfile ca1-cert.pem \
-out agent1.pfx \
-password pass:sample
agent1-verify: agent1-cert.pem ca1-cert.pem
openssl verify -CAfile ca1-cert.pem agent1-cert.pem
#
# agent2 has a self signed cert
#
# Generate new private key
agent2-key.pem:
openssl genrsa -out agent2-key.pem 2048
# Create a Certificate Signing Request for the key
agent2-csr.pem: agent2-key.pem agent2.cnf
openssl req -new -config agent2.cnf -key agent2-key.pem -out agent2-csr.pem
# Create a Certificate for the agent.
agent2-cert.pem: agent2-csr.pem agent2-key.pem
openssl x509 -req \
-days 99999 \
-in agent2-csr.pem \
-signkey agent2-key.pem \
-out agent2-cert.pem
agent2-verify: agent2-cert.pem
openssl verify -CAfile agent2-cert.pem agent2-cert.pem
#
# agent3 is signed by ca2.
#
agent3-key.pem:
openssl genrsa -out agent3-key.pem 2048
agent3-csr.pem: agent3.cnf agent3-key.pem
openssl req -new -config agent3.cnf -key agent3-key.pem -out agent3-csr.pem
agent3-cert.pem: agent3-csr.pem ca2-cert.pem ca2-key.pem
openssl x509 -req \
-days 99999 \
-passin "pass:password" \
-in agent3-csr.pem \
-CA ca2-cert.pem \
-CAkey ca2-key.pem \
-CAcreateserial \
-out agent3-cert.pem
agent3-verify: agent3-cert.pem ca2-cert.pem
openssl verify -CAfile ca2-cert.pem agent3-cert.pem
#
# agent4 is signed by ca2 (client cert)
#
agent4-key.pem:
openssl genrsa -out agent4-key.pem 2048
agent4-csr.pem: agent4.cnf agent4-key.pem
openssl req -new -config agent4.cnf -key agent4-key.pem -out agent4-csr.pem
agent4-cert.pem: agent4-csr.pem ca2-cert.pem ca2-key.pem
openssl x509 -req \
-days 99999 \
-passin "pass:password" \
-in agent4-csr.pem \
-CA ca2-cert.pem \
-CAkey ca2-key.pem \
-CAcreateserial \
-extfile agent4.cnf \
-extensions ext_key_usage \
-out agent4-cert.pem
agent4-verify: agent4-cert.pem ca2-cert.pem
openssl verify -CAfile ca2-cert.pem agent4-cert.pem
#
# Make CRL with agent4 being rejected
#
ca2-crl.pem: ca2-key.pem ca2-cert.pem ca2.cnf agent4-cert.pem
openssl ca -revoke agent4-cert.pem \
-keyfile ca2-key.pem \
-cert ca2-cert.pem \
-config ca2.cnf \
-passin 'pass:password'
openssl ca \
-keyfile ca2-key.pem \
-cert ca2-cert.pem \
-config ca2.cnf \
-gencrl \
-out ca2-crl.pem \
-passin 'pass:password'
#
# agent5 is signed by ca2 (client cert)
#
agent5-key.pem:
openssl genrsa -out agent5-key.pem 2048
agent5-csr.pem: agent5.cnf agent5-key.pem
openssl req -new -config agent5.cnf -key agent5-key.pem -out agent5-csr.pem
agent5-cert.pem: agent5-csr.pem ca2-cert.pem ca2-key.pem
openssl x509 -req \
-days 99999 \
-passin "pass:password" \
-in agent5-csr.pem \
-CA ca2-cert.pem \
-CAkey ca2-key.pem \
-CAcreateserial \
-extfile agent5.cnf \
-extensions ext_key_usage \
-out agent5-cert.pem
agent5-verify: agent5-cert.pem ca2-cert.pem
openssl verify -CAfile ca2-cert.pem agent5-cert.pem
#
# agent6 is a client RSA cert signed by ca3
#
agent6-key.pem:
openssl genrsa -out agent6-key.pem 2048
agent6-csr.pem: agent6.cnf agent6-key.pem
openssl req -new -config agent6.cnf -key agent6-key.pem -out agent6-csr.pem
agent6-cert.pem: agent6-csr.pem ca3-cert.pem ca3-key.pem
openssl x509 -req \
-days 99999 \
-passin "pass:password" \
-in agent6-csr.pem \
-CA ca3-cert.pem \
-CAkey ca3-key.pem \
-CAcreateserial \
-extfile agent6.cnf \
-out agent6-cert.pem
cat ca3-cert.pem >> agent6-cert.pem
agent6-verify: agent6-cert.pem ca3-cert.pem ca1-cert.pem
openssl verify -trusted ca1-cert.pem -untrusted ca3-cert.pem agent6-cert.pem
agent6.pfx: agent6-cert.pem agent6-key.pem ca1-cert.pem
openssl pkcs12 -export \
-descert \
-in agent6-cert.pem \
-inkey agent6-key.pem \
-certfile ca1-cert.pem \
-out agent6.pfx \
-password pass:sample
#
# agent7 is signed by fake-cnnic-root.
#
agent7-key.pem:
openssl genrsa -out agent7-key.pem 2048
agent7-csr.pem: agent1.cnf agent7-key.pem
openssl req -new -config agent7.cnf -key agent7-key.pem -out agent7-csr.pem
agent7-cert.pem: agent7-csr.pem fake-cnnic-root-cert.pem fake-cnnic-root-key.pem
openssl x509 -req \
-extfile agent7.cnf \
-days 99999 \
-passin "pass:password" \
-in agent7-csr.pem \
-CA fake-cnnic-root-cert.pem \
-CAkey fake-cnnic-root-key.pem \
-CAcreateserial \
-out agent7-cert.pem
agent7-verify: agent7-cert.pem fake-cnnic-root-cert.pem
openssl verify -CAfile fake-cnnic-root-cert.pem agent7-cert.pem
#
# agent8 is signed by fake-startcom-root with notBefore
# of Oct 20 23:59:59 2016 GMT
#
agent8-key.pem:
openssl genrsa -out agent8-key.pem 2048
agent8-csr.pem: agent8.cnf agent8-key.pem
openssl req -new -config agent8.cnf -key agent8-key.pem \
-out agent8-csr.pem
agent8-cert.pem: agent8-csr.pem fake-startcom-root-cert.pem fake-startcom-root-key.pem
openssl ca \
-config fake-startcom-root.cnf \
-keyfile fake-startcom-root-key.pem \
-cert fake-startcom-root-cert.pem \
-batch \
-days 99999 \
-passin "pass:password" \
-in agent8-csr.pem \
-startdate 161020235959Z \
-notext -out agent8-cert.pem
agent8-verify: agent8-cert.pem fake-startcom-root-cert.pem
openssl verify -CAfile fake-startcom-root-cert.pem \
agent8-cert.pem
#
# agent9 is signed by fake-startcom-root with notBefore
# of Oct 21 00:00:01 2016 GMT
#
agent9-key.pem:
openssl genrsa -out agent9-key.pem 2048
agent9-csr.pem: agent9.cnf agent9-key.pem
openssl req -new -config agent9.cnf -key agent9-key.pem \
-out agent9-csr.pem
agent9-cert.pem: agent9-csr.pem
openssl ca \
-config fake-startcom-root.cnf \
-keyfile fake-startcom-root-key.pem \
-cert fake-startcom-root-cert.pem \
-batch \
-days 99999 \
-passin "pass:password" \
-in agent9-csr.pem \
-startdate 20161021000001Z \
-notext -out agent9-cert.pem
# agent10 is a server RSA cert signed by ca4 for agent10.example.com
#
agent10-key.pem:
openssl genrsa -out agent10-key.pem 2048
agent10-csr.pem: agent10.cnf agent10-key.pem
openssl req -new -config agent10.cnf -key agent10-key.pem -out agent10-csr.pem
agent10-cert.pem: agent10-csr.pem ca4-cert.pem ca4-key.pem
openssl x509 -req \
-days 99999 \
-passin "pass:password" \
-in agent10-csr.pem \
-CA ca4-cert.pem \
-CAkey ca4-key.pem \
-CAcreateserial \
-extfile agent10.cnf \
-out agent10-cert.pem
cat ca4-cert.pem >> agent10-cert.pem
agent10-verify: agent10-cert.pem ca4-cert.pem ca2-cert.pem
openssl verify -trusted ca2-cert.pem -untrusted ca4-cert.pem agent10-cert.pem
agent10.pfx: agent10-cert.pem agent10-key.pem ca1-cert.pem
openssl pkcs12 -export \
-descert \
-in agent10-cert.pem \
-inkey agent10-key.pem \
-certfile ca1-cert.pem \
-out agent10.pfx \
-password pass:sample
#
# ec10 is a server EC cert signed by ca6 for agent10.example.com
#
ec10-key.pem:
openssl ecparam -genkey -out ec10-key.pem -name prime256v1
ec10-csr.pem: ec10-key.pem
openssl req -new -config agent10.cnf -key ec10-key.pem -out ec10-csr.pem
ec10-cert.pem: ec10-csr.pem ca6-cert.pem ca6-key.pem
openssl x509 -req \
-days 99999 \
-passin "pass:password" \
-in ec10-csr.pem \
-CA ca6-cert.pem \
-CAkey ca6-key.pem \
-CAcreateserial \
-extfile agent10.cnf \
-out ec10-cert.pem
cat ca6-cert.pem >> ec10-cert.pem
ec10-verify: ec10-cert.pem ca6-cert.pem ca5-cert.pem
openssl verify -trusted ca5-cert.pem -untrusted ca6-cert.pem ec10-cert.pem
ec10.pfx: ec10-cert.pem ec10-key.pem ca6-cert.pem
openssl pkcs12 -export \
-descert \
-in ec10-cert.pem \
-inkey ec10-key.pem \
-certfile ca6-cert.pem \
-out ec10.pfx \
-password pass:sample
#
# ec is a self-signed EC cert for CN "agent2"
#
ec-key.pem:
openssl ecparam -genkey -out ec-key.pem -name prime256v1
ec-csr.pem: ec-key.pem
openssl req -new -config ec.cnf -key ec-key.pem -out ec-csr.pem
ec-cert.pem: ec-csr.pem ec-key.pem
openssl x509 -req \
-days 99999 \
-in ec-csr.pem \
-signkey ec-key.pem \
-out ec-cert.pem
ec.pfx: ec-cert.pem ec-key.pem
openssl pkcs12 -export \
-descert \
-in ec-cert.pem \
-inkey ec-key.pem \
-out ec.pfx \
-password pass:
dh512.pem:
openssl dhparam -out dh512.pem 512
dh1024.pem:
openssl dhparam -out dh1024.pem 1024
dh2048.pem:
openssl dhparam -out dh2048.pem 2048
dh3072.pem:
openssl dhparam -out dh3072.pem 3072
dherror.pem: dh1024.pem
sed 's/^[^-].*/AAAAAAAAAA/g' dh1024.pem > dherror.pem
dh_private.pem:
openssl genpkey -algorithm dh -out dh_private.pem -pkeyopt dh_param:ffdhe2048
dh_public.pem: dh_private.pem
openssl pkey -in dh_private.pem -pubout -out dh_public.pem
dsa_params.pem:
openssl dsaparam -out dsa_params.pem 2048
dsa_private.pem: dsa_params.pem
openssl gendsa -out dsa_private.pem dsa_params.pem
dsa_private_encrypted.pem: dsa_private.pem
openssl dsa -aes256 -in dsa_private.pem -passout 'pass:password' -out dsa_private_encrypted.pem
dsa_private_pkcs8.pem: dsa_private.pem
openssl pkcs8 -topk8 -inform PEM -outform PEM -in dsa_private.pem -out dsa_private_pkcs8.pem -nocrypt
dsa_public.pem: dsa_private.pem
openssl dsa -in dsa_private.pem -pubout -out dsa_public.pem
dsa1025.pem:
openssl dsaparam -out dsa1025.pem 1025
dsa_private_1025.pem:
openssl gendsa -out dsa_private_1025.pem dsa1025.pem
dsa_private_encrypted_1025.pem:
openssl pkcs8 -in dsa_private_1025.pem -topk8 -passout 'pass:secret' -out dsa_private_encrypted_1025.pem
dsa_public_1025.pem:
openssl dsa -in dsa_private_1025.pem -pubout -out dsa_public_1025.pem
rsa_private.pem:
openssl genrsa -out rsa_private.pem 2048
rsa_private_encrypted.pem: rsa_private.pem
openssl rsa -aes256 -in rsa_private.pem -passout 'pass:password' -out rsa_private_encrypted.pem
rsa_private_pkcs8.pem: rsa_private.pem
openssl pkcs8 -topk8 -inform PEM -outform PEM -in rsa_private.pem -out rsa_private_pkcs8.pem -nocrypt
rsa_private_pkcs8_bad.pem: rsa_private_pkcs8.pem
sed 's/PRIVATE/RSA PRIVATE/g' rsa_private_pkcs8.pem > rsa_private_pkcs8_bad.pem
rsa_public.pem: rsa_private.pem
openssl rsa -in rsa_private.pem -pubout -out rsa_public.pem
rsa_cert.crt: rsa_private.pem
openssl req -new -x509 -days 99999 -key rsa_private.pem -config rsa_cert.cnf -out rsa_cert.crt
rsa_cert.pfx: rsa_cert.crt
openssl pkcs12 -export -descert -passout 'pass:sample' -inkey rsa_private.pem -in rsa_cert.crt -out rsa_cert.pfx
rsa_ca.crt: rsa_cert.crt
cp rsa_cert.crt rsa_ca.crt
rsa_public_sha1_signature_signedby_rsa_private.sha1: rsa_public.pem rsa_private.pem
openssl dgst -sha1 -sign rsa_private.pem -out rsa_public_sha1_signature_signedby_rsa_private.sha1 rsa_public.pem
rsa_public_sha1_signature_signedby_rsa_private_pkcs8.sha1: rsa_public.pem rsa_private_pkcs8.pem
openssl dgst -sha1 -sign rsa_private_pkcs8.pem -out rsa_public_sha1_signature_signedby_rsa_private_pkcs8.sha1 rsa_public.pem
rsa_private_b.pem:
openssl genrsa -out rsa_private_b.pem 2048
I_AM_THE_WALRUS_sha256_signature_signedby_rsa_private_b.sha256: rsa_private_b.pem
echo -n "I AM THE WALRUS" | openssl dgst -sha256 -sign rsa_private_b.pem -out I_AM_THE_WALRUS_sha256_signature_signedby_rsa_private_b.sha256
rsa_public_b.pem: rsa_private_b.pem
openssl rsa -in rsa_private_b.pem -pubout -out rsa_public_b.pem
# The following 'foafssl' cert is used in test/parallel/test-https-foafssl.js.
# It requires a SAN like 'http://example.com/#me'. More info here:
# https://www.w3.org/wiki/Foaf+ssl
rsa_cert_foafssl_b.crt: rsa_private_b.pem
openssl req -new -x509 -days 99999 -config rsa_cert_foafssl_b.cnf -key rsa_private_b.pem -out rsa_cert_foafssl_b.crt
# The 'modulus=' in the output must be stripped out
rsa_cert_foafssl_b.modulus: rsa_cert_foafssl_b.crt
openssl x509 -modulus -in rsa_cert_foafssl_b.crt -noout | cut -c 9- > rsa_cert_foafssl_b.modulus
# Have to parse out the hex exponent
rsa_cert_foafssl_b.exponent: rsa_cert_foafssl_b.crt
openssl x509 -in rsa_cert_foafssl_b.crt -text | grep -o 'Exponent:.*' | sed 's/\(.*(\|).*\)//g' > rsa_cert_foafssl_b.exponent
# openssl outputs `SPKAC=[SPKAC]`. That prefix needs to be removed to work with node
rsa_spkac.spkac: rsa_private.pem
openssl spkac -key rsa_private.pem -challenge this-is-a-challenge | cut -c 7- > rsa_spkac.spkac
# cutting characters from the start to invalidate the spkac
rsa_spkac_invalid.spkac: rsa_spkac.spkac
cat rsa_spkac.spkac | cut -c 5- > rsa_spkac_invalid.spkac
rsa_private_2048.pem:
openssl genrsa -out rsa_private_2048.pem 2048
rsa_private_4096.pem:
openssl genrsa -out rsa_private_4096.pem 4096
rsa_public_2048.pem: rsa_private_2048.pem
openssl rsa -in rsa_private_2048.pem -pubout -out rsa_public_2048.pem
rsa_public_4096.pem: rsa_private_4096.pem
openssl rsa -in rsa_private_4096.pem -pubout -out rsa_public_4096.pem
rsa_pss_private_2048.pem:
openssl genpkey -algorithm RSA-PSS -pkeyopt rsa_keygen_bits:2048 -pkeyopt rsa_keygen_pubexp:65537 -out rsa_pss_private_2048.pem
rsa_pss_private_2048_sha256_sha256_16.pem:
openssl genpkey -algorithm RSA-PSS -pkeyopt rsa_keygen_bits:2048 -pkeyopt rsa_keygen_pubexp:65537 -pkeyopt rsa_pss_keygen_md:sha256 -pkeyopt rsa_pss_keygen_mgf1_md:sha256 -pkeyopt rsa_pss_keygen_saltlen:16 -out rsa_pss_private_2048_sha256_sha256_16.pem
rsa_pss_private_2048_sha512_sha256_20.pem:
openssl genpkey -algorithm RSA-PSS -pkeyopt rsa_keygen_bits:2048 -pkeyopt rsa_keygen_pubexp:65537 -pkeyopt rsa_pss_keygen_md:sha512 -pkeyopt rsa_pss_keygen_mgf1_md:sha256 -pkeyopt rsa_pss_keygen_saltlen:20 -out rsa_pss_private_2048_sha512_sha256_20.pem
rsa_pss_private_2048_sha1_sha1_20.pem:
openssl genpkey -algorithm RSA-PSS -pkeyopt rsa_keygen_bits:2048 -pkeyopt rsa_keygen_pubexp:65537 -pkeyopt rsa_pss_keygen_md:sha1 -pkeyopt rsa_pss_keygen_mgf1_md:sha1 -pkeyopt rsa_pss_keygen_saltlen:20 -out rsa_pss_private_2048_sha1_sha1_20.pem
rsa_pss_public_2048.pem: rsa_pss_private_2048.pem
openssl pkey -in rsa_pss_private_2048.pem -pubout -out rsa_pss_public_2048.pem
rsa_pss_public_2048_sha256_sha256_16.pem: rsa_pss_private_2048_sha256_sha256_16.pem
openssl pkey -in rsa_pss_private_2048_sha256_sha256_16.pem -pubout -out rsa_pss_public_2048_sha256_sha256_16.pem
rsa_pss_public_2048_sha512_sha256_20.pem: rsa_pss_private_2048_sha512_sha256_20.pem
openssl pkey -in rsa_pss_private_2048_sha512_sha256_20.pem -pubout -out rsa_pss_public_2048_sha512_sha256_20.pem
rsa_pss_public_2048_sha1_sha1_20.pem: rsa_pss_private_2048_sha1_sha1_20.pem
openssl pkey -in rsa_pss_private_2048_sha1_sha1_20.pem -pubout -out rsa_pss_public_2048_sha1_sha1_20.pem
ed25519_private.pem:
openssl genpkey -algorithm ED25519 -out ed25519_private.pem
ed25519_public.pem: ed25519_private.pem
openssl pkey -in ed25519_private.pem -pubout -out ed25519_public.pem
x25519_private.pem:
openssl genpkey -algorithm x25519 -out x25519_private.pem
x25519_public.pem: x25519_private.pem
openssl pkey -in x25519_private.pem -pubout -out x25519_public.pem
ed448_private.pem:
openssl genpkey -algorithm ed448 -out ed448_private.pem
ed448_public.pem: ed448_private.pem
openssl pkey -in ed448_private.pem -pubout -out ed448_public.pem
x448_private.pem:
openssl genpkey -algorithm x448 -out x448_private.pem
x448_public.pem: x448_private.pem
openssl pkey -in x448_private.pem -pubout -out x448_public.pem
ec_p256_private.pem:
openssl ecparam -name prime256v1 -genkey -noout -out sec1_ec_p256_private.pem
openssl pkcs8 -topk8 -nocrypt -in sec1_ec_p256_private.pem -out ec_p256_private.pem
rm sec1_ec_p256_private.pem
ec_p256_public.pem: ec_p256_private.pem
openssl ec -in ec_p256_private.pem -pubout -out ec_p256_public.pem
ec_p384_private.pem:
openssl ecparam -name secp384r1 -genkey -noout -out sec1_ec_p384_private.pem
openssl pkcs8 -topk8 -nocrypt -in sec1_ec_p384_private.pem -out ec_p384_private.pem
rm sec1_ec_p384_private.pem
ec_p384_public.pem: ec_p384_private.pem
openssl ec -in ec_p384_private.pem -pubout -out ec_p384_public.pem
ec_p521_private.pem:
openssl ecparam -name secp521r1 -genkey -noout -out sec1_ec_p521_private.pem
openssl pkcs8 -topk8 -nocrypt -in sec1_ec_p521_private.pem -out ec_p521_private.pem
rm sec1_ec_p521_private.pem
ec_p521_public.pem: ec_p521_private.pem
openssl ec -in ec_p521_private.pem -pubout -out ec_p521_public.pem
ec_secp256k1_private.pem:
openssl ecparam -name secp256k1 -genkey -noout -out sec1_ec_secp256k1_private.pem
openssl pkcs8 -topk8 -nocrypt -in sec1_ec_secp256k1_private.pem -out ec_secp256k1_private.pem
rm sec1_ec_secp256k1_private.pem
ec_secp256k1_public.pem: ec_secp256k1_private.pem
openssl ec -in ec_secp256k1_private.pem -pubout -out ec_secp256k1_public.pem
incorrect_san_correct_subject-cert.pem: incorrect_san_correct_subject-key.pem
openssl req -x509 \
-key incorrect_san_correct_subject-key.pem \
-out incorrect_san_correct_subject-cert.pem \
-sha256 \
-days 3650 \
-subj "/CN=good.example.com" \
-addext "subjectAltName = DNS:evil.example.com"
incorrect_san_correct_subject-key.pem:
openssl ecparam -name prime256v1 -genkey -noout -out incorrect_san_correct_subject-key.pem
irrelevant_san_correct_subject-cert.pem: irrelevant_san_correct_subject-key.pem
openssl req -x509 \
-key irrelevant_san_correct_subject-key.pem \
-out irrelevant_san_correct_subject-cert.pem \
-sha256 \
-days 3650 \
-subj "/CN=good.example.com" \
-addext "subjectAltName = IP:1.2.3.4"
irrelevant_san_correct_subject-key.pem:
openssl ecparam -name prime256v1 -genkey -noout -out irrelevant_san_correct_subject-key.pem
clean:
rm -f *.pfx *.pem *.srl ca2-database.txt ca2-serial fake-startcom-root-serial *.print *.old fake-startcom-root-issued-certs/*.pem
@> fake-startcom-root-database.txt
test: agent1-verify agent2-verify agent3-verify agent4-verify agent5-verify agent6-verify agent7-verify agent8-verify agent10-verify ec10-verify
%-cert.pem.print: %-cert.pem
openssl x509 -in $< -text -noout > $@
.PHONY: all clean test agent1-verify agent2-verify agent3-verify agent4-verify agent5-verify agent6-verify agent7-verify agent8-verify agent10-verify ec10-verify