• David Howells's avatar
    PKCS#7: Provide a key type for testing PKCS#7 · 22d01afb
    David Howells authored
    Provide a key type for testing the PKCS#7 parser.  It is given a non-detached
    PKCS#7 message as payload:
    
    	keyctl padd pkcs7_test a @s <stuff.pkcs7
    
    The PKCS#7 wrapper is validated against the trusted certificates available and
    then stripped off.  If successful, the key can be read, which will give the
    data content of the PKCS#7 message.
    
    A suitable message can be created by running make on the attached Makefile.
    This will produce a file called stuff.pkcs7 for test loading.  The key3.x509
    file should be put into the kernel source tree before it is built and
    converted to DER form:
    
    	openssl x509 -in .../pkcs7/key3.x509 -outform DER -out key3.x509
    
    ###############################################################################
    #
    # Create a pkcs7 message and sign it twice
    #
    #	openssl x509 -text -inform PEM -noout -in key2.x509
    #
    ###############################################################################
    stuff.pkcs7: stuff.txt key2.priv key2.x509 key4.priv key4.x509 certs
    	$(RM) $@
    	openssl smime -sign \
    		-signer key2.x509 \
    		-inkey key2.priv \
    		-signer key4.x509 \
    		-inkey key4.priv \
    		-in stuff.txt \
    		-certfile certs \
    		-out $@ -binary -outform DER -nodetach
    	openssl pkcs7 -inform DER -in stuff.pkcs7  -print_certs -noout
    	openssl asn1parse -inform DER -in stuff.pkcs7  -i >out
    
    stuff.txt:
    	echo "The quick red fox jumped over the lazy brown dog" >stuff.txt
    
    certs: key1.x509 key2.x509 key3.x509 key4.x509
    	cat key{1,3}.x509 >$@
    
    ###############################################################################
    #
    # Generate a signed key
    #
    #	openssl x509 -text -inform PEM -noout -in key2.x509
    #
    ###############################################################################
    key2.x509: key2.x509_unsigned key1.priv key1.x509
    	openssl x509 \
    		-req -in key2.x509_unsigned \
    		-out key2.x509 \
    		-extfile key2.genkey -extensions myexts \
    		-CA key1.x509 \
    		-CAkey key1.priv \
    		-CAcreateserial
    
    key2.priv key2.x509_unsigned: key2.genkey
    	openssl req -new -nodes -utf8 -sha1 -days 36500 \
    		-batch -outform PEM \
    		-config key2.genkey \
    		-keyout key2.priv \
    		-out key2.x509_unsigned
    
    key2.genkey:
    	@echo Generating X.509 key generation config
    	@echo  >$@ "[ req ]"
    	@echo >>$@ "default_bits = 4096"
    	@echo >>$@ "distinguished_name = req_distinguished_name"
    	@echo >>$@ "prompt = no"
    	@echo >>$@ "string_mask = utf8only"
    	@echo >>$@ "x509_extensions = myexts"
    	@echo >>$@
    	@echo >>$@ "[ req_distinguished_name ]"
    	@echo >>$@ "O = Magrathea"
    	@echo >>$@ "CN = PKCS7 key 2"
    	@echo >>$@ "emailAddress = slartibartfast@magrathea.h2g2"
    	@echo >>$@
    	@echo >>$@ "[ myexts ]"
    	@echo >>$@ "basicConstraints=critical,CA:FALSE"
    	@echo >>$@ "keyUsage=digitalSignature"
    	@echo >>$@ "subjectKeyIdentifier=hash"
    	@echo >>$@ "authorityKeyIdentifier=keyid"
    
    ###############################################################################
    #
    # Generate a couple of signing keys
    #
    #	openssl x509 -text -inform PEM -noout -in key1.x509
    #
    ###############################################################################
    key1.x509: key1.x509_unsigned key4.priv key4.x509
    	openssl x509 \
    		-req -in key1.x509_unsigned \
    		-out key1.x509 \
    		-extfile key1.genkey -extensions myexts \
    		-CA key4.x509 \
    		-CAkey key4.priv \
    		-CAcreateserial
    
    key1.priv key1.x509_unsigned: key1.genkey
    	openssl req -new -nodes -utf8 -sha1 -days 36500 \
    		-batch -outform PEM \
    		-config key1.genkey \
    		-keyout key1.priv \
    		-out key1.x509_unsigned
    
    key1.genkey:
    	@echo Generating X.509 key generation config
    	@echo  >$@ "[ req ]"
    	@echo >>$@ "default_bits = 4096"
    	@echo >>$@ "distinguished_name = req_distinguished_name"
    	@echo >>$@ "prompt = no"
    	@echo >>$@ "string_mask = utf8only"
    	@echo >>$@ "x509_extensions = myexts"
    	@echo >>$@
    	@echo >>$@ "[ req_distinguished_name ]"
    	@echo >>$@ "O = Magrathea"
    	@echo >>$@ "CN = PKCS7 key 1"
    	@echo >>$@ "emailAddress = slartibartfast@magrathea.h2g2"
    	@echo >>$@
    	@echo >>$@ "[ myexts ]"
    	@echo >>$@ "basicConstraints=critical,CA:TRUE"
    	@echo >>$@ "keyUsage=digitalSignature,keyCertSign"
    	@echo >>$@ "subjectKeyIdentifier=hash"
    	@echo >>$@ "authorityKeyIdentifier=keyid"
    
    ###############################################################################
    #
    # Generate a signed key
    #
    #	openssl x509 -text -inform PEM -noout -in key4.x509
    #
    ###############################################################################
    key4.x509: key4.x509_unsigned key3.priv key3.x509
    	openssl x509 \
    		-req -in key4.x509_unsigned \
    		-out key4.x509 \
    		-extfile key4.genkey -extensions myexts \
    		-CA key3.x509 \
    		-CAkey key3.priv \
    		-CAcreateserial
    
    key4.priv key4.x509_unsigned: key4.genkey
    	openssl req -new -nodes -utf8 -sha1 -days 36500 \
    		-batch -outform PEM \
    		-config key4.genkey \
    		-keyout key4.priv \
    		-out key4.x509_unsigned
    
    key4.genkey:
    	@echo Generating X.509 key generation config
    	@echo  >$@ "[ req ]"
    	@echo >>$@ "default_bits = 4096"
    	@echo >>$@ "distinguished_name = req_distinguished_name"
    	@echo >>$@ "prompt = no"
    	@echo >>$@ "string_mask = utf8only"
    	@echo >>$@ "x509_extensions = myexts"
    	@echo >>$@
    	@echo >>$@ "[ req_distinguished_name ]"
    	@echo >>$@ "O = Magrathea"
    	@echo >>$@ "CN = PKCS7 key 4"
    	@echo >>$@ "emailAddress = slartibartfast@magrathea.h2g2"
    	@echo >>$@
    	@echo >>$@ "[ myexts ]"
    	@echo >>$@ "basicConstraints=critical,CA:TRUE"
    	@echo >>$@ "keyUsage=digitalSignature,keyCertSign"
    	@echo >>$@ "subjectKeyIdentifier=hash"
    	@echo >>$@ "authorityKeyIdentifier=keyid"
    
    ###############################################################################
    #
    # Generate a couple of signing keys
    #
    #	openssl x509 -text -inform PEM -noout -in key3.x509
    #
    ###############################################################################
    key3.priv key3.x509: key3.genkey
    	openssl req -new -nodes -utf8 -sha1 -days 36500 \
    		-batch -x509 -outform PEM \
    		-config key3.genkey \
    		-keyout key3.priv \
    		-out key3.x509
    
    key3.genkey:
    	@echo Generating X.509 key generation config
    	@echo  >$@ "[ req ]"
    	@echo >>$@ "default_bits = 4096"
    	@echo >>$@ "distinguished_name = req_distinguished_name"
    	@echo >>$@ "prompt = no"
    	@echo >>$@ "string_mask = utf8only"
    	@echo >>$@ "x509_extensions = myexts"
    	@echo >>$@
    	@echo >>$@ "[ req_distinguished_name ]"
    	@echo >>$@ "O = Magrathea"
    	@echo >>$@ "CN = PKCS7 key 3"
    	@echo >>$@ "emailAddress = slartibartfast@magrathea.h2g2"
    	@echo >>$@
    	@echo >>$@ "[ myexts ]"
    	@echo >>$@ "basicConstraints=critical,CA:TRUE"
    	@echo >>$@ "keyUsage=digitalSignature,keyCertSign"
    	@echo >>$@ "subjectKeyIdentifier=hash"
    	@echo >>$@ "authorityKeyIdentifier=keyid"
    
    clean:
    	$(RM) *~
    	$(RM) key1.* key2.* key3.* key4.* stuff.* out certs
    Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
    22d01afb
Makefile 1.17 KB