本文主要是介绍openssl3.2/test/certs - 073 - CA-PSS,希望对大家解决编程问题提供一定的参考价值,需要的开发者们随着小编来一起学习吧!
文章目录
- openssl3.2/test/certs - 073 - CA-PSS
- 概述
- 笔记
- setup073.sh
- setup073_sc1.sh
- setup073_sc2.sh
- setup073_sc3.sh
- setup073_sc4.sh
- setup073_sc5.sh
- END
openssl3.2/test/certs - 073 - CA-PSS
概述
openssl3.2 - 官方demo学习 - test - certs
这个官方脚本里面学到东西了, 看到了如何生成ECC证书.
也从这个脚本中看到, 官方的脚本中参数写错了导致证书生成由于openssl命令行错误没生成.
就不知道写的这么粗放的脚本, 官方是准备来干啥用的.
如果脚本因为错误没有生成, 也不知道退出报错, 让这个脚本的维护者知道自己写错了?
就这么哗哗的将大量的证书生成出来, 也不知道对错, 这让人感到浑身不适.
这几天学习这个setup.sh, 已经发现至少有7,8个证书因为参数错误无法生成.
如果生成的这些证书用于自动化测试, 证书都没生成, 咋能保证自动化测试靠谱呢?
笔记
将实验73的脚本整理出来如下
setup073.sh
#! /bin/bash# \file setup073.sh# openssl3.2/test/certs - 073 - CA-PSS# sc1
openssl -v
./mkcert.sh genca "CA-PSS" ca-pss-key ca-pss-cert root-key root-cert \-sha256 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1# sc2
openssl -v
./mkcert.sh genee "EE-PSS" ee-key ee-pss-cert ca-pss-key ca-pss-cert \-sha256 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1# sc3
openssl -v
# Should not have been possible to produce, see issue #13968: (https://github.com/openssl/openssl/pull/13968)
#./mkcert.sh genee "EE-PSS-wrong1.5" ee-key ee-pss-wrong1.5-cert ca-pss-key ca-pss-cert -sha256# sc4
openssl -v
OPENSSL_KEYALG=ec OPENSSL_KEYBITS=brainpoolP256r1 ./mkcert.sh genee \"Server ECDSA brainpoolP256r1 cert" server-ecdsa-brainpoolP256r1-key \server-ecdsa-brainpoolP256r1-cert rootkey rootcert# sc5
openssl -v
openssl req -new -noenc -subj "/CN=localhost" \-newkey rsa-pss -keyout server-pss-restrict-key.pem \-pkeyopt rsa_pss_keygen_md:sha256 -pkeyopt rsa_pss_keygen_saltlen:32 | \./mkcert.sh geneenocsr "Server RSA-PSS restricted cert" \server-pss-restrict-cert rootkey rootcert# sc5
openssl -v
openssl req -new -noenc -subj "/CN=Client-RSA-PSS" \-newkey rsa-pss -keyout client-pss-restrict-key.pem \-pkeyopt rsa_pss_keygen_md:sha256 -pkeyopt rsa_pss_keygen_saltlen:32 | \./mkcert.sh geneenocsr -p clientAuth "Client RSA-PSS restricted cert" \client-pss-restrict-cert rootkey rootcert官方脚本中有5步, 有2步参数都写错了.
分成了5个小实验来做.
setup073_sc1.sh
/*!
* \file D:\my_dev\my_local_git_prj\study\openSSL\test_certs\073\my_openssl_linux_doc_sc1.txt
* \note openssl3.2/test/certs - 073 - CA-PSS - sc1
*/// --------------------------------------------------------------------------------
// official bash script
// --------------------------------------------------------------------------------
#! /bin/bash# \file setup073_sc1.sh# openssl3.2/test/certs - 073 - CA-PSS# sc1./mkcert.sh genca "CA-PSS" ca-pss-key ca-pss-cert root-key root-cert \-sha256 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1// --------------------------------------------------------------------------------
// openssl cmd line parse
// --------------------------------------------------------------------------------
// cmd 1
openssl genpkey -algorithm rsa -pkeyopt rsa_keygen_bits:2048 -out ca-pss-key.pem // cmd 2
// cfg_exp073_sc1_cmd2.txt
string_mask=utf8only
[req]
prompt = no
distinguished_name = dn
[dn]
CN = CA-PSSopenssl req -new -sha256 -key ca-pss-key.pem -config cfg_exp073_sc1_cmd2.txt -out req_exp073_sc1_cmd2.pem// cmd 3
// cfg_exp073_sc1_cmd3.txt
basicConstraints = critical,CA:true
keyUsage = keyCertSign,cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyidopenssl x509 -req -sha256 -out ca-pss-cert.pem -extfile cfg_exp073_sc1_cmd3.txt -CA root-cert.pem -CAkey root-key.pem -set_serial 2 -days 36525 -sha256 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1 -in req_exp073_sc1_cmd2.pem// 报错 : x509: Multiple digest or unknown options: -sha256 and -sha256
// 修正如下:openssl x509 -req -sha256 -out ca-pss-cert.pem -extfile cfg_exp073_sc1_cmd3.txt -CA root-cert.pem -CAkey root-key.pem -set_serial 2 -days 36525 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1 -in req_exp073_sc1_cmd2.pem// --------------------------------------------------------------------------------
// openssl log
// --------------------------------------------------------------------------------openssl genpkey -algorithm rsa -pkeyopt rsa_keygen_bits:2048 -out ca-pss-key.pem
openssl req -new -sha256 -key ca-pss-key.pem -config /dev/fd/63 -config /dev/fd/63 => /home/lostspeed/openssl/openssl-3.2.0_debian/test/certs/my_openssl_linux_log.txtstring_mask=utf8only
[req]
prompt = no
distinguished_name = dn
[dn]
CN = CA-PSS
openssl x509 -req -sha256 -out ca-pss-cert.pem -extfile /dev/fd/63 -CA root-cert.pem -CAkey root-key.pem -set_serial 2 -days 36525 -sha256 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1 -extfile /dev/fd/63 => /home/lostspeed/openssl/openssl-3.2.0_debian/test/certs/my_openssl_linux_log.txtbasicConstraints = critical,CA:true
keyUsage = keyCertSign,cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyidsetup073_sc2.sh
/*!
* \file D:\my_dev\my_local_git_prj\study\openSSL\test_certs\073\my_openssl_linux_doc_sc2.txt
* \note
*/// --------------------------------------------------------------------------------
// official bash script
// --------------------------------------------------------------------------------
#! /bin/bash# \file setup073_sc2.sh# openssl3.2/test/certs - 073 - CA-PSS# sc2
./mkcert.sh genee "EE-PSS" ee-key ee-pss-cert ca-pss-key ca-pss-cert \-sha256 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1// --------------------------------------------------------------------------------
// openssl cmd line parse
// --------------------------------------------------------------------------------// cmd 1
openssl genpkey -algorithm rsa -pkeyopt rsa_keygen_bits:2048 -out ee-key.pem // cmd 2
// cfg_exp073_sc2_cmd2.txt
string_mask=utf8only
[req]
prompt = no
distinguished_name = dn
[dn]
CN = EE-PSSopenssl req -new -sha256 -key ee-key.pem -config cfg_exp073_sc2_cmd2.txt -out req_exp073_sc2_cmd2.pem// cmd 3
// cfg_exp073_sc2_cmd3.txt
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid, issuer
basicConstraints = CA:falseextendedKeyUsage = serverAuth
[alts]
subjectAltName = @alts
DNS=EE-PSS
[alts]openssl x509 -req -sha256 -out ee-pss-cert.pem -extfile cfg_exp073_sc2_cmd3.txt -CA ca-pss-cert.pem -CAkey ca-pss-key.pem -set_serial 2 -days 36525 -sha256 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1 -in req_exp073_sc2_cmd2.pem// 报错 : x509: Multiple digest or unknown options: -sha256 and -sha256
// 修正如下:
openssl x509 -req -sha256 -out ee-pss-cert.pem -extfile cfg_exp073_sc2_cmd3.txt -CA ca-pss-cert.pem -CAkey ca-pss-key.pem -set_serial 2 -days 36525 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1 -in req_exp073_sc2_cmd2.pem// --------------------------------------------------------------------------------
// openssl log
// --------------------------------------------------------------------------------openssl genpkey -algorithm rsa -pkeyopt rsa_keygen_bits:2048 -out ee-key.pem
openssl req -new -sha256 -key ee-key.pem -config /dev/fd/63 -config /dev/fd/63 => /home/lostspeed/openssl/openssl-3.2.0_debian/test/certs/my_openssl_linux_log.txtstring_mask=utf8only
[req]
prompt = no
distinguished_name = dn
[dn]
CN = EE-PSS
openssl x509 -req -sha256 -out ee-pss-cert.pem -extfile /dev/fd/63 -CA ca-pss-cert.pem -CAkey ca-pss-key.pem -set_serial 2 -days 36525 -sha256 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1 -extfile /dev/fd/63 => /home/lostspeed/openssl/openssl-3.2.0_debian/test/certs/my_openssl_linux_log.txtsubjectKeyIdentifier = hash
authorityKeyIdentifier = keyid, issuer
basicConstraints = CA:falseextendedKeyUsage = serverAuth
[alts]
subjectAltName = @alts
DNS=EE-PSS[alts]setup073_sc3.sh
/*!
\file D:\my_dev\my_local_git_prj\study\openSSL\test_certs\073\my_openssl_linux_doc_sc3.txt
\note
*/// --------------------------------------------------------------------------------
// official bash script
// --------------------------------------------------------------------------------
#! /bin/bash# \file setup073_sc3.sh# openssl3.2/test/certs - 073 - CA-PSS# sc3
# Should not have been possible to produce, see issue #13968: (https://github.com/openssl/openssl/pull/13968)
./mkcert.sh genee "EE-PSS-wrong1.5" ee-key ee-pss-wrong1.5-cert ca-pss-key ca-pss-cert -sha256// --------------------------------------------------------------------------------
// openssl cmd line parse
// --------------------------------------------------------------------------------// cmd 1
// cfg_exp073_sc3_cmd1.txt
string_mask=utf8only
[req]
prompt = no
distinguished_name = dn
[dn]
CN = EE-PSS-wrong1.5openssl req -new -sha256 -key ee-key.pem -config cfg_exp073_sc3_cmd1.txt -out req_exp073_sc3_cmd1.pem// cmd 2
// cfg_exp073_sc3_cmd2.txt
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid, issuer
basicConstraints = CA:falseextendedKeyUsage = serverAuth
[alts]
subjectAltName = @alts
DNS=EE-PSS-wrong1.5
[alts]openssl x509 -req -sha256 -out ee-pss-wrong1.5-cert.pem -extfile cfg_exp073_sc3_cmd2.txt -CA ca-pss-cert.pem -CAkey ca-pss-key.pem -set_serial 2 -days 36525 -sha256 -in req_exp073_sc3_cmd1.pem// 报错 : x509: Multiple digest or unknown options: -sha256 and -sha256
// 修正如下:
openssl x509 -req -sha256 -out ee-pss-wrong1.5-cert.pem -extfile cfg_exp073_sc3_cmd2.txt -CA ca-pss-cert.pem -CAkey ca-pss-key.pem -set_serial 2 -days 36525 -in req_exp073_sc3_cmd1.pem// 官方注释说, 这句脚本无法生成错误的证书, 但是生成了, 这啥情况?
// issue #13968 是 2021年的// --------------------------------------------------------------------------------
// openssl log
// --------------------------------------------------------------------------------
openssl req -new -sha256 -key ee-key.pem -config /dev/fd/63 -config /dev/fd/63 => /home/lostspeed/openssl/openssl-3.2.0_debian/test/certs/my_openssl_linux_log.txtstring_mask=utf8only
[req]
prompt = no
distinguished_name = dn
[dn]
CN = EE-PSS-wrong1.5
openssl x509 -req -sha256 -out ee-pss-wrong1.5-cert.pem -extfile /dev/fd/63 -CA ca-pss-cert.pem -CAkey ca-pss-key.pem -set_serial 2 -days 36525 -sha256 -extfile /dev/fd/63 => /home/lostspeed/openssl/openssl-3.2.0_debian/test/certs/my_openssl_linux_log.txtsubjectKeyIdentifier = hash
authorityKeyIdentifier = keyid, issuer
basicConstraints = CA:falseextendedKeyUsage = serverAuth
[alts]
subjectAltName = @alts
DNS=EE-PSS-wrong1.5[alts]setup073_sc4.sh
/*!
* \file D:\my_dev\my_local_git_prj\study\openSSL\test_certs\073\my_openssl_linux_doc_sc4.txt
*/// --------------------------------------------------------------------------------
// official bash script
// --------------------------------------------------------------------------------
#! /bin/bash# \file setup073_sc4.sh# openssl3.2/test/certs - 073 - CA-PSS# sc4
openssl -v
OPENSSL_KEYALG=ec OPENSSL_KEYBITS=brainpoolP256r1 ./mkcert.sh genee \"Server ECDSA brainpoolP256r1 cert" server-ecdsa-brainpoolP256r1-key \server-ecdsa-brainpoolP256r1-cert rootkey rootcert# 这句脚本后2个参数是指定CA证书, 但是写错了, 应该是 root-key root-cert
# 我没改脚本, 将证书root-cert.pem, root-key.pem拷贝成了rootcert.pem, rootkey.pem
# 官方这个脚本都写错了, 他们咋用生成的证书啊? 不可想象// --------------------------------------------------------------------------------
// openssl cmd line parse
// --------------------------------------------------------------------------------
// cmd 1
// 终于看到如何生成ECC的私钥了:P
openssl genpkey -algorithm ec -pkeyopt ec_paramgen_curve:brainpoolP256r1 -pkeyopt ec_param_enc:named_curve -out server-ecdsa-brainpoolP256r1-key.pem // cmd 2
// cfg_exp073_sc4_cmd2.txt
string_mask=utf8only
[req]
prompt = no
distinguished_name = dn
[dn]
CN = Server ECDSA brainpoolP256r1 certopenssl req -new -sha256 -key server-ecdsa-brainpoolP256r1-key.pem -config cfg_exp073_sc4_cmd2.txt -out req_exp073_sc4_cmd3.pem// cmd 3
// cfg3_exp073_sc4_cmd3.txt
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid, issuer
basicConstraints = CA:falseextendedKeyUsage = serverAuth
[alts]
subjectAltName = @alts
DNS=Server ECDSA brainpoolP256r1 cert
[alts]// 能看出来证书采用哪种私钥种类, 是跟着证书请求文件走的
openssl x509 -req -sha256 -out server-ecdsa-brainpoolP256r1-cert.pem -extfile cfg3_exp073_sc4_cmd3.txt -CA rootcert.pem -CAkey rootkey.pem -set_serial 2 -days 36525 -in req_exp073_sc4_cmd3.pem// --------------------------------------------------------------------------------
// openssl log
// --------------------------------------------------------------------------------openssl -v
openssl genpkey -algorithm ec -pkeyopt ec_paramgen_curve:brainpoolP256r1 -pkeyopt ec_param_enc:named_curve -out server-ecdsa-brainpoolP256r1-key.pem
openssl req -new -sha256 -key server-ecdsa-brainpoolP256r1-key.pem -config /dev/fd/63 -config /dev/fd/63 => /home/lostspeed/openssl/openssl-3.2.0_debian/test/certs/my_openssl_linux_log.txtstring_mask=utf8only
[req]
prompt = no
distinguished_name = dn
[dn]
CN = Server ECDSA brainpoolP256r1 cert
openssl x509 -req -sha256 -out server-ecdsa-brainpoolP256r1-cert.pem -extfile /dev/fd/63 -CA rootcert.pem -CAkey rootkey.pem -set_serial 2 -days 36525 -extfile /dev/fd/63 => /home/lostspeed/openssl/openssl-3.2.0_debian/test/certs/my_openssl_linux_log.txtsubjectKeyIdentifier = hash
authorityKeyIdentifier = keyid, issuer
basicConstraints = CA:falseextendedKeyUsage = serverAuth
[alts]
subjectAltName = @alts
DNS=Server ECDSA brainpoolP256r1 cert[alts]setup073_sc5.sh
/*!
* \file D:\my_dev\my_local_git_prj\study\openSSL\test_certs\073\my_openssl_linux_doc_sc5.txt
* \note
*/ // --------------------------------------------------------------------------------
// official bash script
// --------------------------------------------------------------------------------
#! /bin/bash# \file setup073_sc5.sh# openssl3.2/test/certs - 073 - CA-PSS# sc5
openssl req -new -noenc -subj "/CN=Client-RSA-PSS" \-newkey rsa-pss -keyout client-pss-restrict-key.pem \-pkeyopt rsa_pss_keygen_md:sha256 -pkeyopt rsa_pss_keygen_saltlen:32 | \./mkcert.sh geneenocsr -p clientAuth "Client RSA-PSS restricted cert" \client-pss-restrict-cert rootkey rootcert// --------------------------------------------------------------------------------
// openssl cmd line parse
// --------------------------------------------------------------------------------
// cmd 1
openssl req -new -noenc -subj /CN=Client-RSA-PSS -newkey rsa-pss -keyout client-pss-restrict-key.pem -pkeyopt rsa_pss_keygen_md:sha256 -pkeyopt rsa_pss_keygen_saltlen:32 -out req_exp073_sc5_cmd1.pem// cmd 2
// cfg_exp073_sc5_cmd2.txt
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid, issuer
basicConstraints = CA:false
extendedKeyUsage = clientAuth
subjectAltName = @alts
[alts]
DNS=Client RSA-PSS restricted certopenssl x509 -req -sha256 -out client-pss-restrict-cert.pem -extfile cfg_exp073_sc5_cmd2.txt -CA rootcert.pem -CAkey rootkey.pem -set_serial 2 -days 36525 -in req_exp073_sc5_cmd1.pem// --------------------------------------------------------------------------------
// openssl log
// --------------------------------------------------------------------------------openssl req -new -noenc -subj /CN=Client-RSA-PSS -newkey rsa-pss -keyout client-pss-restrict-key.pem -pkeyopt rsa_pss_keygen_md:sha256 -pkeyopt rsa_pss_keygen_saltlen:32
openssl x509 -req -sha256 -out client-pss-restrict-cert.pem -extfile /dev/fd/63 -CA rootcert.pem -CAkey rootkey.pem -set_serial 2 -days 36525 -extfile /dev/fd/63 => /home/lostspeed/openssl/openssl-3.2.0_debian/test/certs/my_openssl_linux_log.txtsubjectKeyIdentifier = hash
authorityKeyIdentifier = keyid, issuer
basicConstraints = CA:false
extendedKeyUsage = clientAuth
subjectAltName = @alts
[alts]
DNS=Client RSA-PSS restricted certEND
这篇关于openssl3.2/test/certs - 073 - CA-PSS的文章就介绍到这儿,希望我们推荐的文章对编程师们有所帮助!
![[UVM]6.component driver monitor sequencer agent scoreboard env test](https://i-blog.csdnimg.cn/direct/d6155f8e9cb5494582087a4fa47916e2.png)
