mariadb/mysql-test/lib/generate-ssl-certs.sh

#!/bin/sh

set -xe

# simply run me from mysql-test/
cd std_data/

# boilerplace for "openssl ca" and /etc/ssl/openssl.cnf
rm -rf demoCA
mkdir demoCA demoCA/newcerts
touch demoCA/index.txt
touch demoCA/index.txt.attr
echo 01 > demoCA/serial
echo 01 > demoCA/crlnumber

# Use rsa:3072 at minimum for all keys to be future compatible with next OpenSSL releases
# See level 3 in https://www.openssl.org/docs/man1.1.0/man3/SSL_CTX_set_security_level.html
# Following industry practice, jump directly to rsa:4096 instead of just rsa:3072.

# CA certificate, self-signed
openssl req -x509 -newkey rsa:4096 -keyout cakey.pem -out cacert.pem -days 7300 -nodes -subj '/CN=cacert/C=FI/ST=Helsinki/L=Helsinki/O=MariaDB' -text

# server certificate signing request and private key. Note the very long subject (for MDEV-7859)
openssl req -newkey rsa:4096 -keyout server-key.pem -out demoCA/server-req.pem -days 7300 -nodes -subj '/CN=localhost/C=FI/ST=state or province within country, in other certificates in this file it is the same as L/L=location, usually an address but often ambiguously used/OU=organizational unit name, a division name within an organization/O=organization name, typically a company name'
# convert the key to yassl compatible format
openssl rsa -in server-key.pem -out server-key.pem
# sign the server certificate with CA certificate
openssl ca -keyfile cakey.pem -days 7300 -batch -cert cacert.pem -policy policy_anything -out server-cert.pem -in demoCA/server-req.pem

# server certificate with different validity period (MDEV-16266)
openssl req -newkey rsa:4096 -keyout server-new-key.pem -out demoCA/server-new-req.pem -days 7301 -nodes -subj '/CN=server-new/C=FI/ST=Helsinki/L=Helsinki/O=MariaDB'
openssl rsa -in server-new-key.pem -out server-new-key.pem
openssl ca -keyfile cakey.pem -days 7301 -batch -cert cacert.pem -policy policy_anything -out server-new-cert.pem -in demoCA/server-new-req.pem

# 8K cert
openssl req -newkey rsa:8192 -keyout server8k-key.pem -out demoCA/server8k-req.pem -days 7300 -nodes -subj '/CN=server8k/C=FI/ST=Helsinki/L=Helsinki/O=MariaDB'
openssl rsa -in server8k-key.pem -out server8k-key.pem
openssl ca -keyfile cakey.pem -days 7300 -batch -cert cacert.pem -policy policy_anything -out server8k-cert.pem -in demoCA/server8k-req.pem

# with SubjectAltName, only for OpenSSL 1.0.2+
cat > demoCA/sanext.conf <<EOF
subjectAltName=IP:127.0.0.1, DNS:localhost
EOF
openssl req -newkey rsa:4096 -keyout serversan-key.pem -out demoCA/serversan-req.pem -days 7300 -nodes -subj '/CN=server/C=FI/ST=Helsinki/L=Helsinki/O=MariaDB'
openssl ca -keyfile cakey.pem -extfile demoCA/sanext.conf -days 7300 -batch -cert cacert.pem -policy policy_anything -out serversan-cert.pem -in demoCA/serversan-req.pem

# client cert
openssl req -newkey rsa:4096 -keyout client-key.pem -out demoCA/client-req.pem -days 7300 -nodes -subj '/CN=client/C=FI/ST=Helsinki/L=Helsinki/O=MariaDB'
openssl rsa -in client-key.pem -out client-key.pem
openssl ca -keyfile cakey.pem -days 7300 -batch -cert cacert.pem -policy policy_anything -out client-cert.pem -in demoCA/client-req.pem

# generate combined client cert and key file
cat client-cert.pem client-key.pem > client-certkey.pem

# generate crls
openssl ca -revoke server-cert.pem -keyfile cakey.pem -batch -cert cacert.pem
openssl ca -gencrl -keyfile cakey.pem -crldays 7300 -batch -cert cacert.pem -out server-cert.crl
# we only want to have one certificate per CRL. Un-revoke server-cert.crl
cp demoCA/index.txt.old demoCA/index.txt
openssl ca -revoke client-cert.pem -keyfile cakey.pem -batch -cert cacert.pem
openssl ca -gencrl -keyfile cakey.pem -crldays 7300 -batch -cert cacert.pem -out client-cert.crl

rm -fv crldir/*
cp -v client-cert.crl crldir/`openssl x509 -in client-cert.pem -noout -issuer_hash`.r0

rm -rf demoCA
regenerate SSL certificates again and make sure that private ca key is not deleted at the end of the procedure, so that we could generate additional certificates any time without regenerating everything 2017-04-25 22:55:27 +02:00			`#!/bin/sh`

			`set -xe`
recreate expired certificates for SSL tests added a script to regenerate certificates easily in the future (2035!) restored server8k-key.pem to actually be 8K key, as it was supposed to 2015-01-29 14:34:31 +01:00
			`# simply run me from mysql-test/`
			`cd std_data/`

			`# boilerplace for "openssl ca" and /etc/ssl/openssl.cnf`
			`rm -rf demoCA`
regenerate SSL certificates again and make sure that private ca key is not deleted at the end of the procedure, so that we could generate additional certificates any time without regenerating everything 2017-04-25 22:55:27 +02:00			`mkdir demoCA demoCA/newcerts`
recreate expired certificates for SSL tests added a script to regenerate certificates easily in the future (2035!) restored server8k-key.pem to actually be 8K key, as it was supposed to 2015-01-29 14:34:31 +01:00			`touch demoCA/index.txt`
MDEV-18019, MDEV-18135: Renew test OpenSSL certs at level 3 security Touch attribute file to fix errors like: Can't open ./demoCA/index.txt.attr for reading, No such file or directory 140553384993216:error:02001002:system library: fopen:No such file or directory:../crypto/bio/bss_file.c:72: fopen('./demoCA/index.txt.attr','r') 140553384993216:error:2006D080:BIO routines: BIO_new_file:no such file:../crypto/bio/bss_file.c:79: Check that the request matches the signature 2020-04-14 20:38:44 +03:00			`touch demoCA/index.txt.attr`
recreate expired certificates for SSL tests added a script to regenerate certificates easily in the future (2035!) restored server8k-key.pem to actually be 8K key, as it was supposed to 2015-01-29 14:34:31 +01:00			`echo 01 > demoCA/serial`
SSL test fixes * fix CRL tests to work * regenerate certificates to be at least 2048 bit (fixes buster and rhel8 in buildbot) * update generate-ssl-cert.sh to generate crl files * make all SSL tests to use certificates generated in generate-ssl-cert.sh, remove unused certificates Backport from 10.4 9c60535f8676 2019-02-20 15:15:34 +01:00			`echo 01 > demoCA/crlnumber`
recreate expired certificates for SSL tests added a script to regenerate certificates easily in the future (2035!) restored server8k-key.pem to actually be 8K key, as it was supposed to 2015-01-29 14:34:31 +01:00
MDEV-18019, MDEV-18135: Renew test OpenSSL certs at level 3 security Touch attribute file to fix errors like: Can't open ./demoCA/index.txt.attr for reading, No such file or directory 140553384993216:error:02001002:system library: fopen:No such file or directory:../crypto/bio/bss_file.c:72: fopen('./demoCA/index.txt.attr','r') 140553384993216:error:2006D080:BIO routines: BIO_new_file:no such file:../crypto/bio/bss_file.c:79: Check that the request matches the signature 2020-04-14 20:38:44 +03:00			`# Use rsa:3072 at minimum for all keys to be future compatible with next OpenSSL releases`
			`# See level 3 in https://www.openssl.org/docs/man1.1.0/man3/SSL_CTX_set_security_level.html`
			`# Following industry practice, jump directly to rsa:4096 instead of just rsa:3072.`

recreate expired certificates for SSL tests added a script to regenerate certificates easily in the future (2035!) restored server8k-key.pem to actually be 8K key, as it was supposed to 2015-01-29 14:34:31 +01:00			`# CA certificate, self-signed`
MDEV-18019, MDEV-18135: Renew test OpenSSL certs at level 3 security Touch attribute file to fix errors like: Can't open ./demoCA/index.txt.attr for reading, No such file or directory 140553384993216:error:02001002:system library: fopen:No such file or directory:../crypto/bio/bss_file.c:72: fopen('./demoCA/index.txt.attr','r') 140553384993216:error:2006D080:BIO routines: BIO_new_file:no such file:../crypto/bio/bss_file.c:79: Check that the request matches the signature 2020-04-14 20:38:44 +03:00			`openssl req -x509 -newkey rsa:4096 -keyout cakey.pem -out cacert.pem -days 7300 -nodes -subj '/CN=cacert/C=FI/ST=Helsinki/L=Helsinki/O=MariaDB' -text`
recreate expired certificates for SSL tests added a script to regenerate certificates easily in the future (2035!) restored server8k-key.pem to actually be 8K key, as it was supposed to 2015-01-29 14:34:31 +01:00
MDEV-7859 SSL hostname verification fails for long subject names Don't use a fixed buffer for X509_NAME_oneline() in the client. Do as the server does - allocate it dynamically. For a test - regenerate certificates to have the server cert with a long subject. 2015-04-25 17:22:46 +02:00			`# server certificate signing request and private key. Note the very long subject (for MDEV-7859)`
MDEV-18019, MDEV-18135: Renew test OpenSSL certs at level 3 security Touch attribute file to fix errors like: Can't open ./demoCA/index.txt.attr for reading, No such file or directory 140553384993216:error:02001002:system library: fopen:No such file or directory:../crypto/bio/bss_file.c:72: fopen('./demoCA/index.txt.attr','r') 140553384993216:error:2006D080:BIO routines: BIO_new_file:no such file:../crypto/bio/bss_file.c:79: Check that the request matches the signature 2020-04-14 20:38:44 +03:00			`openssl req -newkey rsa:4096 -keyout server-key.pem -out demoCA/server-req.pem -days 7300 -nodes -subj '/CN=localhost/C=FI/ST=state or province within country, in other certificates in this file it is the same as L/L=location, usually an address but often ambiguously used/OU=organizational unit name, a division name within an organization/O=organization name, typically a company name'`
recreate expired certificates for SSL tests added a script to regenerate certificates easily in the future (2035!) restored server8k-key.pem to actually be 8K key, as it was supposed to 2015-01-29 14:34:31 +01:00			`# convert the key to yassl compatible format`
			`openssl rsa -in server-key.pem -out server-key.pem`
			`# sign the server certificate with CA certificate`
SSL test fixes * fix CRL tests to work * regenerate certificates to be at least 2048 bit (fixes buster and rhel8 in buildbot) * update generate-ssl-cert.sh to generate crl files * make all SSL tests to use certificates generated in generate-ssl-cert.sh, remove unused certificates Backport from 10.4 9c60535f8676 2019-02-20 15:15:34 +01:00			`openssl ca -keyfile cakey.pem -days 7300 -batch -cert cacert.pem -policy policy_anything -out server-cert.pem -in demoCA/server-req.pem`
recreate expired certificates for SSL tests added a script to regenerate certificates easily in the future (2035!) restored server8k-key.pem to actually be 8K key, as it was supposed to 2015-01-29 14:34:31 +01:00
MDEV-31855 validate ssl certificates using client password if the client enabled --ssl-verify-server-cert, then the server certificate is verified as follows: * if --ssl-ca or --ssl-capath were specified, the cert must have a proper signature by the specified CA (or CA in the path) and the cert's hostname must match the server's hostname. If the cert isn't signed or a hostname is wrong - the connection is aborted. * if MARIADB_OPT_TLS_PEER_FP was used and the fingerprint matches, the connection is allowed, if it doesn't match - aborted. * If the connection uses unix socket or named pipes - it's allowed. (consistent with server's --require-secure-transport behavior) otherwise the cert is still in doubt, we don't know if we can trust it or there's an active MitM in progress. * If the user has provided no password or the server requested an authentication plugin that sends the password in cleartext - the connection is aborted. * Perform the authentication. If the server accepts the password, it'll send SHA2(scramble \|\| password hash \|\| cert fingerprint) with the OK packet. * Verify the SHA2 digest, if it matches - the connection is allowed, otherwise it's aborted. 2023-08-21 16:25:56 +02:00			`# server certificate with different validity period (MDEV-16266)`
MDEV-18019, MDEV-18135: Renew test OpenSSL certs at level 3 security Touch attribute file to fix errors like: Can't open ./demoCA/index.txt.attr for reading, No such file or directory 140553384993216:error:02001002:system library: fopen:No such file or directory:../crypto/bio/bss_file.c:72: fopen('./demoCA/index.txt.attr','r') 140553384993216:error:2006D080:BIO routines: BIO_new_file:no such file:../crypto/bio/bss_file.c:79: Check that the request matches the signature 2020-04-14 20:38:44 +03:00			`openssl req -newkey rsa:4096 -keyout server-new-key.pem -out demoCA/server-new-req.pem -days 7301 -nodes -subj '/CN=server-new/C=FI/ST=Helsinki/L=Helsinki/O=MariaDB'`
SSL test fixes * fix CRL tests to work * regenerate certificates to be at least 2048 bit (fixes buster and rhel8 in buildbot) * update generate-ssl-cert.sh to generate crl files * make all SSL tests to use certificates generated in generate-ssl-cert.sh, remove unused certificates Backport from 10.4 9c60535f8676 2019-02-20 15:15:34 +01:00			`openssl rsa -in server-new-key.pem -out server-new-key.pem`
			`openssl ca -keyfile cakey.pem -days 7301 -batch -cert cacert.pem -policy policy_anything -out server-new-cert.pem -in demoCA/server-new-req.pem`

			`# 8K cert`
MDEV-7859 SSL hostname verification fails for long subject names Don't use a fixed buffer for X509_NAME_oneline() in the client. Do as the server does - allocate it dynamically. For a test - regenerate certificates to have the server cert with a long subject. 2015-04-25 17:22:46 +02:00			`openssl req -newkey rsa:8192 -keyout server8k-key.pem -out demoCA/server8k-req.pem -days 7300 -nodes -subj '/CN=server8k/C=FI/ST=Helsinki/L=Helsinki/O=MariaDB'`
recreate expired certificates for SSL tests added a script to regenerate certificates easily in the future (2035!) restored server8k-key.pem to actually be 8K key, as it was supposed to 2015-01-29 14:34:31 +01:00			`openssl rsa -in server8k-key.pem -out server8k-key.pem`
SSL test fixes * fix CRL tests to work * regenerate certificates to be at least 2048 bit (fixes buster and rhel8 in buildbot) * update generate-ssl-cert.sh to generate crl files * make all SSL tests to use certificates generated in generate-ssl-cert.sh, remove unused certificates Backport from 10.4 9c60535f8676 2019-02-20 15:15:34 +01:00			`openssl ca -keyfile cakey.pem -days 7300 -batch -cert cacert.pem -policy policy_anything -out server8k-cert.pem -in demoCA/server8k-req.pem`
recreate expired certificates for SSL tests added a script to regenerate certificates easily in the future (2035!) restored server8k-key.pem to actually be 8K key, as it was supposed to 2015-01-29 14:34:31 +01:00
MDEV-10594 SSL hostname verification fails for SubjectAltNames use X509_check_host for OpenSSL 1.0.2+ This adds: * support for subjectAltNames * wildcards * sub-domain matching 2017-04-25 23:00:58 +02:00			`# with SubjectAltName, only for OpenSSL 1.0.2+`
			`cat > demoCA/sanext.conf <<EOF`
MDEV-18131 MariaDB does not verify IP addresses from subject alternative names Added a call to X509_check_ip_asc() in case server_hostname represents an IP address. 2019-04-24 11:15:08 +02:00			`subjectAltName=IP:127.0.0.1, DNS:localhost`
MDEV-10594 SSL hostname verification fails for SubjectAltNames use X509_check_host for OpenSSL 1.0.2+ This adds: * support for subjectAltNames * wildcards * sub-domain matching 2017-04-25 23:00:58 +02:00			`EOF`
MDEV-18019, MDEV-18135: Renew test OpenSSL certs at level 3 security Touch attribute file to fix errors like: Can't open ./demoCA/index.txt.attr for reading, No such file or directory 140553384993216:error:02001002:system library: fopen:No such file or directory:../crypto/bio/bss_file.c:72: fopen('./demoCA/index.txt.attr','r') 140553384993216:error:2006D080:BIO routines: BIO_new_file:no such file:../crypto/bio/bss_file.c:79: Check that the request matches the signature 2020-04-14 20:38:44 +03:00			`openssl req -newkey rsa:4096 -keyout serversan-key.pem -out demoCA/serversan-req.pem -days 7300 -nodes -subj '/CN=server/C=FI/ST=Helsinki/L=Helsinki/O=MariaDB'`
SSL test fixes * fix CRL tests to work * regenerate certificates to be at least 2048 bit (fixes buster and rhel8 in buildbot) * update generate-ssl-cert.sh to generate crl files * make all SSL tests to use certificates generated in generate-ssl-cert.sh, remove unused certificates Backport from 10.4 9c60535f8676 2019-02-20 15:15:34 +01:00			`openssl ca -keyfile cakey.pem -extfile demoCA/sanext.conf -days 7300 -batch -cert cacert.pem -policy policy_anything -out serversan-cert.pem -in demoCA/serversan-req.pem`

			`# client cert`
MDEV-18019, MDEV-18135: Renew test OpenSSL certs at level 3 security Touch attribute file to fix errors like: Can't open ./demoCA/index.txt.attr for reading, No such file or directory 140553384993216:error:02001002:system library: fopen:No such file or directory:../crypto/bio/bss_file.c:72: fopen('./demoCA/index.txt.attr','r') 140553384993216:error:2006D080:BIO routines: BIO_new_file:no such file:../crypto/bio/bss_file.c:79: Check that the request matches the signature 2020-04-14 20:38:44 +03:00			`openssl req -newkey rsa:4096 -keyout client-key.pem -out demoCA/client-req.pem -days 7300 -nodes -subj '/CN=client/C=FI/ST=Helsinki/L=Helsinki/O=MariaDB'`
SSL test fixes * fix CRL tests to work * regenerate certificates to be at least 2048 bit (fixes buster and rhel8 in buildbot) * update generate-ssl-cert.sh to generate crl files * make all SSL tests to use certificates generated in generate-ssl-cert.sh, remove unused certificates Backport from 10.4 9c60535f8676 2019-02-20 15:15:34 +01:00			`openssl rsa -in client-key.pem -out client-key.pem`
			`openssl ca -keyfile cakey.pem -days 7300 -batch -cert cacert.pem -policy policy_anything -out client-cert.pem -in demoCA/client-req.pem`

Added new file client-certkey.pem for testing CONC-386: client-certkey.pem contains both certificate and corresponding private key. 2019-06-02 13:12:39 +02:00			`# generate combined client cert and key file`
			`cat client-cert.pem client-key.pem > client-certkey.pem`

SSL test fixes * fix CRL tests to work * regenerate certificates to be at least 2048 bit (fixes buster and rhel8 in buildbot) * update generate-ssl-cert.sh to generate crl files * make all SSL tests to use certificates generated in generate-ssl-cert.sh, remove unused certificates Backport from 10.4 9c60535f8676 2019-02-20 15:15:34 +01:00			`# generate crls`
			`openssl ca -revoke server-cert.pem -keyfile cakey.pem -batch -cert cacert.pem`
			`openssl ca -gencrl -keyfile cakey.pem -crldays 7300 -batch -cert cacert.pem -out server-cert.crl`
			`# we only want to have one certificate per CRL. Un-revoke server-cert.crl`
			`cp demoCA/index.txt.old demoCA/index.txt`
			`openssl ca -revoke client-cert.pem -keyfile cakey.pem -batch -cert cacert.pem`
			`openssl ca -gencrl -keyfile cakey.pem -crldays 7300 -batch -cert cacert.pem -out client-cert.crl`

			`rm -fv crldir/*`
			cp -v client-cert.crl crldir/`openssl x509 -in client-cert.pem -noout -issuer_hash`.r0
MDEV-10594 SSL hostname verification fails for SubjectAltNames use X509_check_host for OpenSSL 1.0.2+ This adds: * support for subjectAltNames * wildcards * sub-domain matching 2017-04-25 23:00:58 +02:00
recreate expired certificates for SSL tests added a script to regenerate certificates easily in the future (2035!) restored server8k-key.pem to actually be 8K key, as it was supposed to 2015-01-29 14:34:31 +01:00			`rm -rf demoCA`