robsd-exec: timeout 3600s + . /usr/local/libexec/robsd/util-regress.sh + config_load + << "EOF" + _err=0 + _env=REGRESS_FAIL_EARLY=no + config_value regress-lib/libcrypto/CA-env + 2> /dev/null + _env=REGRESS_FAIL_EARLY=no GOCACHE=/tmp + _make=make -C /home/src/regress/lib/libcrypto/CA REGRESS_FAIL_EARLY=no GOCACHE=/tmp + config_value regress-lib/libcrypto/CA-targets + regress_root lib/libcrypto/CA + export SUDO + unpriv -c staff build exec make -C /home/src/regress/lib/libcrypto/CA REGRESS_FAIL_EARLY=no GOCACHE=/tmp regress ==== clean ==== rm -f a.out [Ee]rrs mklog *.core y.tab.h *.pem *.serial *.txt *.attr *.old stamp-clean stamp-root.serial stamp-intermediate.serial stamp-root.txt stamp-intermediate.txt ==== root.serial ==== echo 1000 >root.serial ==== intermediate.serial ==== echo 1000 >intermediate.serial ==== root.txt ==== true >root.txt ==== intermediate.txt ==== true >intermediate.txt ==== run-verify-intermediate ==== # generate root rsa 4096 key openssl genrsa -out root.key.pem 4096 Generating RSA private key, 4096 bit long modulus ................................... ......................................................................................................................... e is 65537 (0x010001) # generate root cert openssl req -batch -config /home/src/regress/lib/libcrypto/CA/root.cnf -key root.key.pem -new -x509 -days 365 -sha256 -extensions v3_ca -out root.cert.pem # generate intermediate rsa 2048 key openssl genrsa -out intermediate.key.pem 2048 Generating RSA private key, 2048 bit long modulus ................................................................................................................ ............................................................. e is 65537 (0x010001) # generate intermediate req openssl req -batch -config /home/src/regress/lib/libcrypto/CA/intermediate.cnf -new -sha256 -key intermediate.key.pem -out intermediate.csr.pem # sign intermediate openssl ca -batch -config /home/src/regress/lib/libcrypto/CA/root.cnf -extensions v3_intermediate_ca -days 10 -notext -md sha256 -in intermediate.csr.pem -out intermediate.cert.pem Using configuration from /home/src/regress/lib/libcrypto/CA/root.cnf Check that the request matches the signature Signature ok Certificate Details: Serial Number: 4096 (0x1000) Validity Not Before: Nov 12 01:23:43 2024 GMT Not After : Nov 22 01:23:43 2024 GMT Subject: countryName = CA stateOrProvinceName = Alberta organizationName = OpenBSD organizationalUnitName = So and Sos commonName = Regress Intermediate CA emailAddress = evilsoandsos@openbsd.org X509v3 extensions: X509v3 Subject Key Identifier: 52:DB:C3:B8:9E:50:BF:CD:76:9E:3A:70:BC:1C:B6:79:65:CF:1E:CB X509v3 Authority Key Identifier: keyid:A1:7A:D8:47:28:8F:E5:30:9D:CC:9E:9A:98:0B:97:C1:64:EE:68:A7 X509v3 Basic Constraints: critical CA:TRUE, pathlen:0 X509v3 Key Usage: critical Digital Signature, Certificate Sign, CRL Sign X509v3 Name Constraints: critical Permitted: DNS:.openbsd.org DNS:client email:openbsd.org email:@test.openbsd.org URI:.openbsd.org DirName: C = CA, O = OpenBSD othername: Excluded: IP:0.0.0.0/0.0.0.0 IP:0:0:0:0:0:0:0:0/0:0:0:0:0:0:0:0 Certificate is to be certified until Nov 22 01:23:43 2024 GMT (10 days) Write out database with 1 new entries Data Base Updated # validate intermediate CA openssl verify -CAfile root.cert.pem intermediate.cert.pem intermediate.cert.pem: OK ==== run-verify-server ==== cat intermediate.cert.pem root.cert.pem > chain.pem # genrsa server openssl genrsa -out server.key.pem 2048 Generating RSA private key, 2048 bit long modulus .......................................................................... ....................................................................... e is 65537 (0x010001) # server req openssl req -batch -config /home/src/regress/lib/libcrypto/CA/intermediate.cnf -new -sha256 -subj '/CN=server.openbsd.org/OU=So and Sos/O=OpenBSD/C=CA' -key server.key.pem -out server.csr.pem # server sign openssl ca -batch -config /home/src/regress/lib/libcrypto/CA/intermediate.cnf -extensions server_cert -days 5 -notext -md sha256 -in server.csr.pem -out server.cert.pem Using configuration from /home/src/regress/lib/libcrypto/CA/intermediate.cnf Check that the request matches the signature Signature ok Certificate Details: Serial Number: 4096 (0x1000) Validity Not Before: Nov 12 01:23:45 2024 GMT Not After : Nov 17 01:23:45 2024 GMT Subject: countryName = CA organizationName = OpenBSD organizationalUnitName = So and Sos commonName = server.openbsd.org X509v3 extensions: X509v3 Basic Constraints: CA:FALSE Netscape Cert Type: SSL Server Netscape Comment: OpenSSL Generated Server Certificate X509v3 Subject Key Identifier: 23:0D:44:5F:4A:6B:1E:90:6F:9C:CC:8F:A2:EA:BD:1E:A8:62:F2:D7 X509v3 Authority Key Identifier: keyid:52:DB:C3:B8:9E:50:BF:CD:76:9E:3A:70:BC:1C:B6:79:65:CF:1E:CB DirName:/C=CA/ST=Alberta/L=Edmonton/O=OpenBSD/OU=So and Sos/CN=Regress Root CA/emailAddress=evilsoandsos@openbsd.org serial:10:00 X509v3 Key Usage: critical Digital Signature, Key Encipherment X509v3 Extended Key Usage: TLS Web Server Authentication Certificate is to be certified until Nov 17 01:23:45 2024 GMT (5 days) Write out database with 1 new entries Data Base Updated # validate server cert openssl verify -purpose sslserver -CAfile chain.pem server.cert.pem server.cert.pem: OK ==== run-verify-client ==== # genrsa client openssl genrsa -out client.key.pem 2048 Generating RSA private key, 2048 bit long modulus ................ .................................. e is 65537 (0x010001) # client req openssl req -batch -config /home/src/regress/lib/libcrypto/CA/intermediate.cnf -new -sha256 -subj '/CN=client/OU=So and Sos/O=OpenBSD/C=CA' -key client.key.pem -out client.csr.pem # client sign openssl ca -batch -config /home/src/regress/lib/libcrypto/CA/intermediate.cnf -extensions usr_cert -days 5 -notext -md sha256 -in client.csr.pem -out client.cert.pem Using configuration from /home/src/regress/lib/libcrypto/CA/intermediate.cnf Check that the request matches the signature Signature ok Certificate Details: Serial Number: 4097 (0x1001) Validity Not Before: Nov 12 01:23:46 2024 GMT Not After : Nov 17 01:23:46 2024 GMT Subject: countryName = CA organizationName = OpenBSD organizationalUnitName = So and Sos commonName = client X509v3 extensions: X509v3 Basic Constraints: CA:FALSE Netscape Cert Type: SSL Client, S/MIME Netscape Comment: OpenSSL Generated Client Certificate X509v3 Subject Key Identifier: 70:0A:21:80:00:E6:6B:9C:28:72:CD:BC:88:35:E5:13:78:FA:F4:10 X509v3 Authority Key Identifier: keyid:52:DB:C3:B8:9E:50:BF:CD:76:9E:3A:70:BC:1C:B6:79:65:CF:1E:CB X509v3 Key Usage: critical Digital Signature, Non Repudiation, Key Encipherment X509v3 Extended Key Usage: TLS Web Client Authentication, E-mail Protection X509v3 Subject Alternative Name: critical email:evilsoandsos@test.openbsd.org Certificate is to be certified until Nov 17 01:23:46 2024 GMT (5 days) Write out database with 1 new entries Data Base Updated # validate client cert openssl verify -purpose sslclient -CAfile chain.pem client.cert.pem client.cert.pem: OK