recipes/25-test_eai_data/kdc.sh

e1051a39Sopenharmony_ci#! /usr/bin/env bash
e1051a39Sopenharmony_ci
e1051a39Sopenharmony_ci# Create a root CA, signing a leaf cert with a KDC principal otherName SAN, and
e1051a39Sopenharmony_ci# also a non-UTF8 smtpUtf8Mailbox SAN followed by an rfc822Name SAN and a DNS
e1051a39Sopenharmony_ci# name SAN.  In the vulnerable EAI code, the KDC principal `otherName` should
e1051a39Sopenharmony_ci# trigger ASAN errors in DNS name checks, while the non-UTF8 `smtpUtf8Mailbox`
e1051a39Sopenharmony_ci# should likewise lead to ASAN issues with email name checks.
e1051a39Sopenharmony_ci
e1051a39Sopenharmony_cirm -f root-key.pem root-cert.pem
e1051a39Sopenharmony_ciopenssl req -nodes -new -newkey rsa:2048 -keyout kdc-root-key.pem \
e1051a39Sopenharmony_ci        -x509 -subj /CN=Root -days 36524 -out kdc-root-cert.pem
e1051a39Sopenharmony_ci
e1051a39Sopenharmony_ciexts=$(
e1051a39Sopenharmony_ci    printf "%s\n%s\n%s\n%s = " \
e1051a39Sopenharmony_ci        "subjectKeyIdentifier = hash" \
e1051a39Sopenharmony_ci        "authorityKeyIdentifier = keyid" \
e1051a39Sopenharmony_ci        "basicConstraints = CA:false" \
e1051a39Sopenharmony_ci        "subjectAltName"
e1051a39Sopenharmony_ci    printf "%s, " "otherName:1.3.6.1.5.2.2;SEQUENCE:kdc_princ_name"
e1051a39Sopenharmony_ci    printf "%s, " "otherName:1.3.6.1.5.5.7.8.9;IA5:moe@example.com"
e1051a39Sopenharmony_ci    printf "%s, " "email:joe@example.com"
e1051a39Sopenharmony_ci    printf "%s\n" "DNS:mx1.example.com"
e1051a39Sopenharmony_ci    printf "[kdc_princ_name]\n"
e1051a39Sopenharmony_ci    printf "realm = EXP:0, GeneralString:TEST.EXAMPLE\n"
e1051a39Sopenharmony_ci    printf "principal_name = EXP:1, SEQUENCE:kdc_principal_seq\n"
e1051a39Sopenharmony_ci    printf "[kdc_principal_seq]\n"
e1051a39Sopenharmony_ci    printf "name_type = EXP:0, INTEGER:1\n"
e1051a39Sopenharmony_ci    printf "name_string = EXP:1, SEQUENCE:kdc_principal_components\n"
e1051a39Sopenharmony_ci    printf "[kdc_principal_components]\n"
e1051a39Sopenharmony_ci    printf "princ1 = GeneralString:krbtgt\n"
e1051a39Sopenharmony_ci    printf "princ2 = GeneralString:TEST.EXAMPLE\n"
e1051a39Sopenharmony_ci    )
e1051a39Sopenharmony_ci
e1051a39Sopenharmony_ciprintf "%s\n" "$exts"
e1051a39Sopenharmony_ci
e1051a39Sopenharmony_ciopenssl req -nodes -new -newkey rsa:2048 -keyout kdc-key.pem \
e1051a39Sopenharmony_ci    -subj "/CN=TEST.EXAMPLE" |
e1051a39Sopenharmony_ci    openssl x509 -req -out kdc-cert.pem \
e1051a39Sopenharmony_ci        -CA "kdc-root-cert.pem" -CAkey "kdc-root-key.pem" \
e1051a39Sopenharmony_ci        -set_serial 2 -days 36524 \
e1051a39Sopenharmony_ci        -extfile <(printf "%s\n" "$exts")