START	lib/libcrypto/CA	2025-01-08T18:54:45Z

==== clean ====
rm -f a.out [Ee]rrs mklog *.core y.tab.h       *.pem *.serial *.txt *.attr *.old   stamp-clean stamp-root.serial stamp-intermediate.serial stamp-root.txt stamp-intermediate.txt

==== root.serial ====
echo 1000 >root.serial

==== intermediate.serial ====
echo 1000 >intermediate.serial

==== root.txt ====
true >root.txt

==== intermediate.txt ====
true >intermediate.txt

==== run-verify-intermediate ====
# generate root rsa 4096 key
openssl genrsa -out root.key.pem 4096
Generating RSA private key, 4096 bit long modulus
...........................................................................
.......................................
e is 65537 (0x010001)
# generate root cert
openssl req -batch -config /usr/src/regress/lib/libcrypto/CA/root.cnf -key root.key.pem  -new -x509 -days 365 -sha256 -extensions v3_ca -out root.cert.pem
# generate intermediate rsa 2048 key
openssl genrsa -out intermediate.key.pem 2048
Generating RSA private key, 2048 bit long modulus
............................
...........................................................................
e is 65537 (0x010001)
# generate intermediate req
openssl req -batch -config /usr/src/regress/lib/libcrypto/CA/intermediate.cnf -new -sha256  -key intermediate.key.pem -out intermediate.csr.pem
# sign intermediate
openssl ca -batch -config /usr/src/regress/lib/libcrypto/CA/root.cnf  -extensions v3_intermediate_ca -days 10 -notext -md sha256  -in intermediate.csr.pem -out intermediate.cert.pem
Using configuration from /usr/src/regress/lib/libcrypto/CA/root.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 4096 (0x1000)
        Validity
            Not Before: Jan  8 18:54:49 2025 GMT
            Not After : Jan 18 18:54:49 2025 GMT
        Subject:
            countryName               = CA
            stateOrProvinceName       = Alberta
            organizationName          = OpenBSD
            organizationalUnitName    = So and Sos
            commonName                = Regress Intermediate CA
            emailAddress              = evilsoandsos@openbsd.org
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                54:DC:7E:34:B4:99:C3:E7:7A:67:E1:F6:E1:F5:5A:A3:BC:DD:C5:02
            X509v3 Authority Key Identifier:
                keyid:A8:C2:33:8D:48:20:66:EF:00:1F:22:C2:CA:C2:56:E1:04:70:F9:42

            X509v3 Basic Constraints: critical
                CA:TRUE, pathlen:0
            X509v3 Key Usage: critical
                Digital Signature, Certificate Sign, CRL Sign
            X509v3 Name Constraints: critical
                Permitted:
                  DNS:.openbsd.org
                  DNS:client
                  email:openbsd.org
                  email:@test.openbsd.org
                  URI:.openbsd.org
                  DirName: C = CA, O = OpenBSD
                  othername:<unsupported>
                Excluded:
                  IP:0.0.0.0/0.0.0.0
                  IP:0:0:0:0:0:0:0:0/0:0:0:0:0:0:0:0

Certificate is to be certified until Jan 18 18:54:49 2025 GMT (10 days)

Write out database with 1 new entries
Data Base Updated
# validate intermediate CA
openssl verify -CAfile root.cert.pem intermediate.cert.pem
intermediate.cert.pem: OK

==== run-verify-server ====
cat intermediate.cert.pem root.cert.pem > chain.pem
# genrsa server
openssl genrsa -out server.key.pem 2048
Generating RSA private key, 2048 bit long modulus
......
........
e is 65537 (0x010001)
# server req
openssl req -batch -config /usr/src/regress/lib/libcrypto/CA/intermediate.cnf -new -sha256  -subj '/CN=server.openbsd.org/OU=So and Sos/O=OpenBSD/C=CA'  -key server.key.pem -out server.csr.pem
# server sign
openssl ca -batch -config /usr/src/regress/lib/libcrypto/CA/intermediate.cnf  -extensions server_cert -days 5 -notext -md sha256  -in server.csr.pem -out server.cert.pem
Using configuration from /usr/src/regress/lib/libcrypto/CA/intermediate.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 4096 (0x1000)
        Validity
            Not Before: Jan  8 18:54:49 2025 GMT
            Not After : Jan 13 18:54:49 2025 GMT
        Subject:
            countryName               = CA
            organizationName          = OpenBSD
            organizationalUnitName    = So and Sos
            commonName                = server.openbsd.org
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Cert Type:
                SSL Server
            Netscape Comment:
                OpenSSL Generated Server Certificate
            X509v3 Subject Key Identifier:
                EA:C7:69:DB:5A:7D:80:88:AA:76:56:93:E8:85:71:19:4B:D5:FE:42
            X509v3 Authority Key Identifier:
                keyid:54:DC:7E:34:B4:99:C3:E7:7A:67:E1:F6:E1:F5:5A:A3:BC:DD:C5:02
                DirName:/C=CA/ST=Alberta/L=Edmonton/O=OpenBSD/OU=So and Sos/CN=Regress Root CA/emailAddress=evilsoandsos@openbsd.org
                serial:10:00

            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
Certificate is to be certified until Jan 13 18:54:49 2025 GMT (5 days)

Write out database with 1 new entries
Data Base Updated
# validate server cert
openssl verify -purpose sslserver -CAfile chain.pem server.cert.pem
server.cert.pem: OK

==== run-verify-client ====
# genrsa client
openssl genrsa -out client.key.pem 2048
Generating RSA private key, 2048 bit long modulus
...........................................................
...........................
e is 65537 (0x010001)
# client req
openssl req -batch -config /usr/src/regress/lib/libcrypto/CA/intermediate.cnf -new -sha256  -subj '/CN=client/OU=So and Sos/O=OpenBSD/C=CA'  -key client.key.pem -out client.csr.pem
# client sign
openssl ca -batch -config /usr/src/regress/lib/libcrypto/CA/intermediate.cnf  -extensions usr_cert -days 5 -notext -md sha256  -in client.csr.pem -out client.cert.pem
Using configuration from /usr/src/regress/lib/libcrypto/CA/intermediate.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 4097 (0x1001)
        Validity
            Not Before: Jan  8 18:54:50 2025 GMT
            Not After : Jan 13 18:54:50 2025 GMT
        Subject:
            countryName               = CA
            organizationName          = OpenBSD
            organizationalUnitName    = So and Sos
            commonName                = client
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Cert Type:
                SSL Client, S/MIME
            Netscape Comment:
                OpenSSL Generated Client Certificate
            X509v3 Subject Key Identifier:
                6B:F4:B5:EE:F2:BA:A2:3D:C7:59:39:64:84:9E:EA:7D:66:DE:BC:2E
            X509v3 Authority Key Identifier:
                keyid:54:DC:7E:34:B4:99:C3:E7:7A:67:E1:F6:E1:F5:5A:A3:BC:DD:C5:02

            X509v3 Key Usage: critical
                Digital Signature, Non Repudiation, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Client Authentication, E-mail Protection
            X509v3 Subject Alternative Name: critical
                email:evilsoandsos@test.openbsd.org
Certificate is to be certified until Jan 13 18:54:50 2025 GMT (5 days)

Write out database with 1 new entries
Data Base Updated
# validate client cert
openssl verify -purpose sslclient -CAfile chain.pem client.cert.pem
client.cert.pem: OK

PASS	lib/libcrypto/CA	Duration 0m04.53s