From 6561afff3afdf74e3c9c7b0ecaad4b141275431f Mon Sep 17 00:00:00 2001
From: Luke Howard
Date: Mon, 24 Dec 2018 07:10:18 +0000
Subject: [PATCH] hx509: update gen_req.sh for OpenSSL 1.1 (#392)

OpenSSL 1.1 has the pkInitKDC OID built in, which breaks as it was redefined by openssl.cnf in Heimdal. Try to determine if OpenSSL >= 1.1 and if so, use a configuration file that omits this OID definition. The implementation is not robust but as this is simply an example (not run by the test suites), it should be adequete.
---
 lib/hx509/Makefile.am | 3 +-
 lib/hx509/data/gen-req.sh | 19 +-
 .../data/{openssl.cnf => openssl.1.0.cnf} | 0
 lib/hx509/data/openssl.1.1.cnf | 185 ++++++++++++++++++
 4 files changed, 200 insertions(+), 7 deletions(-)
 rename lib/hx509/data/{openssl.cnf => openssl.1.0.cnf} (100%)
 create mode 100644 lib/hx509/data/openssl.1.1.cnf

diff --git a/lib/hx509/Makefile.am b/lib/hx509/Makefile.am
index 09643c43a..b21d85202 100644
--- a/lib/hx509/Makefile.am
+++ b/lib/hx509/Makefile.am
@@ -392,7 +392,8 @@ EXTRA_DIST = \
 data/ocsp-resp2.der \
 data/ocsp-responder.crt \
 data/ocsp-responder.key \
- data/openssl.cnf \
+ data/openssl.1.0.cnf \
+ data/openssl.1.1.cnf \
 data/pkinit-proxy-chain.crt \
 data/pkinit-proxy.crt \
 data/pkinit-proxy.key \
diff --git a/lib/hx509/data/gen-req.sh b/lib/hx509/data/gen-req.sh
index b832a43d9..20b5d98d4 100644
--- a/lib/hx509/data/gen-req.sh
+++ b/lib/hx509/data/gen-req.sh
@@ -7,13 +7,20 @@ openssl=openssl
+# workaround until openssl -objects lands
+if ${openssl} version | grep '^OpenSSL 1\.[1-9]' >/dev/null ; then
+ config=openssl.1.1.cnf
+else
+ config=openssl.1.0.cnf
+fi
+
 gen_cert()
 {
 keytype=${6:-rsa:1024}
 ${openssl} req \
 -new \
 -subj "$1" \
- -config openssl.cnf \
+ -config ${config} \
 -newkey $keytype \
 -sha1 \
 -nodes \
@@ -25,7 +32,7 @@ gen_cert()
 -req \
 -days 3650 \
 -in cert.req \
- -extfile openssl.cnf \
+ -extfile ${config} \
 -extensions $4 \
 -signkey out.key \
 -out cert.crt
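Review bot: The version test `grep '^OpenSSL 1\.[1-9]'` selects openssl.1.1.cnf only for OpenSSL 1.1 through 1.9, so any later major release (2.x, 3.x) falls back to openssl.1.0.cnf and, if the OID is still built in there, hits the very redefinition this change works around. Inverting the test is shorter and forward-compatible: treat 0.9/1.0 as the legacy case and everything else as modern, e.g. `if ${openssl} version | grep '^OpenSSL \(0\.\|1\.0\)' >/dev/null ; then config=openssl.1.0.cnf; else config=openssl.1.1.cnf; fi`. The comment `# workaround until openssl -objects lands` would also serve a future reader better if it named what is being worked around, e.g. `# OpenSSL >= 1.1 ships the pkInitKDC OID, so use a config that does not redefine it`. The same `${config}` substitution is applied in the five later hunks of this file, which need no separate comment; the script continues outside this hunk.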
@@ -44,7 +51,7 @@ gen_cert()
 -CA $2.crt \
 -CAkey $2.key \
 -CAcreateserial \
- -extfile openssl.cnf \
+ -extfile ${config} \
 -extensions $4
 name=$5
@@ -59,7 +66,7 @@ gen_cert()
 -out cert.crt \
 -outdir . \
 -batch \
- -config openssl.cnf
+ -config ${config}
 name=$3
 fi
@@ -109,7 +116,7 @@ ${openssl} ca \
 -cert ca.crt \
 -keyfile ca.key \
 -revoke revoke.crt \
- -config openssl.cnf
+ -config ${config}
 ${openssl} pkcs12 \
 -export \
@@ -348,6 +355,6 @@ ${openssl} ca \
 -cert ca.crt \
 -crl_reason superseded \
 -out crl1.crl \
- -config openssl.cnf
+ -config ${config}
 ${openssl} crl -in crl1.crl -outform der -out crl1.der
diff --git a/lib/hx509/data/openssl.cnf b/lib/hx509/data/openssl.1.0.cnf
similarity index 100%
rename from lib/hx509/data/openssl.cnf
rename to lib/hx509/data/openssl.1.0.cnf
diff --git a/lib/hx509/data/openssl.1.1.cnf b/lib/hx509/data/openssl.1.1.cnf
new file mode 100644
index 000000000..c2f760f1e
--- /dev/null
+++ b/lib/hx509/data/openssl.1.1.cnf
@@ -0,0 +1,185 @@
+[ca]
+
+default_ca = user
+
+[usr]
+database = index.txt
+serial = serial
+x509_extensions = usr_cert
+default_md=sha1
+policy = policy_match
+email_in_dn = no
+certs = .
+
+[ocsp]
+database = index.txt
+serial = serial
+x509_extensions = ocsp_cert
+default_md=sha1
+policy = policy_match
+email_in_dn = no
+certs = .
+
+[usr_ke]
+database = index.txt
+serial = serial
+x509_extensions = usr_cert_ke
+default_md=sha1
+policy = policy_match
+email_in_dn = no
+certs = .
+
+[usr_ds]
+database = index.txt
+serial = serial
+x509_extensions = usr_cert_ds
+default_md=sha1
+policy = policy_match
+email_in_dn = no
+certs = .
+
+[pkinit_client]
+database = index.txt
+serial = serial
+x509_extensions = pkinit_client_cert
+default_md=sha1
+policy = policy_match
+email_in_dn = no
+certs = .
+
+[pkinit_kdc]
+database = index.txt
+serial = serial
+x509_extensions = pkinit_kdc_cert
+default_md=sha1
+policy = policy_match
+email_in_dn = no
+certs = .
+
+[https]
+database = index.txt
+serial = serial
+x509_extensions = https_cert
+default_md=sha1
+policy = policy_match
+email_in_dn = no
+certs = .
+
+[subca]
+database = index.txt
+serial = serial
+x509_extensions = v3_ca
+default_md=sha1
+policy = policy_match
+email_in_dn = no
+certs = .
+
+
+[req]
+distinguished_name = req_distinguished_name
+x509_extensions = v3_ca # The extensions to add to the self signed cert
+
+string_mask = utf8only
+
+[v3_ca]
+
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid:always,issuer:always
+basicConstraints = CA:true
+keyUsage = cRLSign, keyCertSign, keyEncipherment, nonRepudiation, digitalSignature
+
+[usr_cert]
+basicConstraints=CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+subjectKeyIdentifier = hash
+
+[usr_cert_ke]
+basicConstraints=CA:FALSE
+keyUsage = nonRepudiation, keyEncipherment
+subjectKeyIdentifier = hash
+
+[proxy_cert]
+basicConstraints=CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+subjectKeyIdentifier = hash
+proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:0,policy:text:foo
+
+[pkinitc_principals]
+princ1 = GeneralString:bar
+
+[pkinitc_principal_seq]
+name_type = EXP:0,INTEGER:1
+name_string = EXP:1,SEQUENCE:pkinitc_principals
+
+[pkinitc_princ_name]
+realm = EXP:0,GeneralString:TEST.H5L.SE
+principal_name = EXP:1,SEQUENCE:pkinitc_principal_seq
+
+[pkinit_client_cert]
+basicConstraints=CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+subjectKeyIdentifier = hash
+subjectAltName=otherName:1.3.6.1.5.2.2;SEQUENCE:pkinitc_princ_name
+
+[https_cert]
+basicConstraints=CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+#extendedKeyUsage = https-server XXX
+subjectKeyIdentifier = hash
+
+[pkinit_kdc_cert]
+basicConstraints=CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+extendedKeyUsage = pkkdcekuoid
+subjectKeyIdentifier = hash
+subjectAltName=otherName:1.3.6.1.5.2.2;SEQUENCE:pkinitkdc_princ_name
+
+[pkinitkdc_princ_name]
+realm = EXP:0,GeneralString:TEST.H5L.SE
+principal_name = EXP:1,SEQUENCE:pkinitkdc_principal_seq
+
+[pkinitkdc_principal_seq]
+name_type = EXP:0,INTEGER:1
+name_string = EXP:1,SEQUENCE:pkinitkdc_principals
+
+[pkinitkdc_principals]
+princ1 = GeneralString:krbtgt
+princ2 = GeneralString:TEST.H5L.SE
+
+[proxy10_cert]
+basicConstraints=CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+subjectKeyIdentifier = hash
+proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:10,policy:text:foo
+
+[usr_cert_ds]
+basicConstraints=CA:FALSE
+keyUsage = nonRepudiation, digitalSignature
+subjectKeyIdentifier = hash
+
+[ocsp_cert]
+basicConstraints=CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+# ocsp-nocheck and kp-OCSPSigning
+extendedKeyUsage = 1.3.6.1.5.5.7.48.1.5, 1.3.6.1.5.5.7.3.9
+subjectKeyIdentifier = hash
+
+[req_distinguished_name]
+countryName = Country Name (2 letter code)
+countryName_default = SE
+countryName_min = 2
+countryName_max = 2
+
+organizationalName = Organizational Unit Name (eg, section)
+
+commonName = Common Name (eg, YOUR name)
+commonName_max = 64
+
+#[req_attributes]
+#challengePassword = A challenge password
+#challengePassword_min = 4
+#challengePassword_max = 20
+
+[policy_match]
+countryName = match
+commonName = supplied
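Review bot: `[pkinit_kdc_cert]` sets `extendedKeyUsage = pkkdcekuoid`, but this new file has no `oid_section` directive and no section that defines that name, so it can only resolve if the name is built into OpenSSL itself; if I remember correctly the built-in short name for the PKINIT KDC EKU is `pkInitKDC`, so the line should probably read `extendedKeyUsage = pkInitKDC` (or the file should keep a `[new_oids]` mapping under a non-conflicting name), which a single run of gen-req.sh against OpenSSL 1.1 would confirm. Separately, `[ca]` declares `default_ca = user`, yet the CA sections present are `[usr]`, `[ocsp]`, `[usr_ke]`, `[usr_ds]`, `[pkinit_client]`, `[pkinit_kdc]`, `[https]` and `[subca]`; that is harmless only if every `openssl ca` invocation passes `-name`, otherwise `default_ca = usr` or a real `[user]` section is needed. Both points appear to be inherited from the renamed openssl.1.0.cnf, but this file is the one that will be exercised on newer OpenSSL, so a one-line comment on the `[ca]` section recording which section the script actually selects would save the next reader the same investigation.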