From f519291652ac4beea85575f71bfa4533f965c816 Mon Sep 17 00:00:00 2001
From: Henri Manson
Date: Wed, 3 Apr 2019 17:39:45 +0000
Subject: [PATCH] improved certificates

---
 testdata/Makefile | 18 +++++++++---------
 testdata/tlspool-test-ca-cert.template | 2 +-
 testdata/tlspool-test-playground-cert.template | 13 ++-----------
 testdata/tlspool-test-webhost-cert.template | 13 ++-----------
 4 files changed, 14 insertions(+), 32 deletions(-)

diff --git a/testdata/Makefile b/testdata/Makefile
index a384cd4..00ba757 100644
--- a/testdata/Makefile
+++ b/testdata/Makefile
@@ -41,7 +41,7 @@ PGPRSABITS ?= 2048
 # The directory with tools, defaulting to ../tool in the git base
 # Note that testdata is meant for developers, so assuming git is usually the best
 #
-TOOLDIR ?= $(shell pwd)/../tool
+TOOLDIR ?= $(shell pwd)/../build/tool
 #
 # Load a few things from tlspool.conf; these are assumed present while testing
 
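Review bot: The comment three lines above the changed assignment still says the tools default to `../tool`, so it now contradicts the new value `../build/tool`; update it to `# The directory with tools, defaulting to ../build/tool in the git base`. Separately, `?=` is a recursive assignment, so `$(shell pwd)` is forked again on every expansion of TOOLDIR; `TOOLDIR ?= $(CURDIR)/../build/tool` avoids that and should yield the same path when make is invoked from testdata. The variable block this line belongs to continues outside the hunk.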
@@ -252,15 +252,15 @@ tlspool-test-server-pubkey.pgp:
 	$(CERTTOOL) --pgp-certificate-info --infile $@ --inraw --outfile $(@:.pgp=.asc)
 
 # Key 3: X.509 Client Certificate
-tlspool-test-client-cert.der: tlspool-test-client-cert.template
+tlspool-test-client-cert.der: tlspool-test-client-cert.template tlspool-test-ca-cert.der
 	echo Using PRIVKEY3, '$(PRIVKEY3)'
-	$(CERTTOOL) --outfile $@ --outder --generate-self-signed --load-privkey='$(PRIVKEY3)' --template=$<
+	$(CERTTOOL) --outfile $@ --outder --generate-certificate --load-ca-certificate=tlspool-test-ca-cert.pem --load-ca-privkey='$(PRIVKEY5)' --load-privkey='$(PRIVKEY3)' --template=$<
 	$(CERTTOOL) --certificate-info --infile $@ --inder --outfile $(@:.der=.pem)
 
 # Key 4: X.509 Server Certificate with user@ domain name
-tlspool-test-server-cert.der: tlspool-test-server-cert.template
+tlspool-test-server-cert.der: tlspool-test-server-cert.template tlspool-test-ca-cert.der
 	echo Using PRIVKEY4, '$(PRIVKEY4)'
-	$(CERTTOOL) --outfile $@ --outder --generate-self-signed --load-privkey='$(PRIVKEY4)' --template=$<
+	$(CERTTOOL) --outfile $@ --outder --generate-certificate --load-ca-certificate=tlspool-test-ca-cert.pem --load-ca-privkey='$(PRIVKEY5)' --load-privkey='$(PRIVKEY4)' --template=$<
 	$(CERTTOOL) --certificate-info --infile $@ --inder --outfile $(@:.der=.pem)
 
 # Key 5: Test CA (for chained certificates)
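Review bot: The new prerequisite on both rule headers is `tlspool-test-ca-cert.der`, yet both recipes read `tlspool-test-ca-cert.pem`, a file that no rule in this hunk names as its target; if the CA `.pem` is only a side effect of the `.der` recipe's `--certificate-info` step (as it is for keys 3 and 4 here), a missing or stale `.pem` is never regenerated and certtool either fails or signs against an outdated CA. Depend on the file actually read, `tlspool-test-client-cert.der: tlspool-test-client-cert.template tlspool-test-ca-cert.pem`, and give `tlspool-test-ca-cert.pem` a rule (or stamp) of its own so the edge is visible to make. The CA file name and the CA signing key `$(PRIVKEY5)` are also repeated verbatim in four recipes, here and in the key 7/8 hunk below; hoisting them into `CA_SIGN_FLAGS = --load-ca-certificate=tlspool-test-ca-cert.pem --load-ca-privkey='$(PRIVKEY5)'` keeps a future CA key change in one place (recursive `=` so it tracks PRIVKEY5 wherever that is set). The Key 5 rule that produces the CA lies outside the hunk, so whether it writes the `.pem` cannot be confirmed from here.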
@@ -281,14 +281,14 @@ tlspool-test-flying-signer.der: tlspool-test-flying-signer.template
 	$(CERTTOOL) --certificate-info --infile $@ --inder --outfile $(@:.der=.pem)
 
 # Key 7: X.509 Server Certificate with just a host name
-tlspool-test-webhost-cert.der: tlspool-test-webhost-cert.template
+tlspool-test-webhost-cert.der: tlspool-test-webhost-cert.template tlspool-test-ca-cert.der
 	echo Using PRIVKEY7, '$(PRIVKEY7)'
-	$(CERTTOOL) --outfile $@ --outder --generate-self-signed --load-privkey='$(PRIVKEY7)' --template=$<
+	$(CERTTOOL) --outfile $@ --outder --generate-certificate --load-ca-certificate=tlspool-test-ca-cert.pem --load-ca-privkey='$(PRIVKEY5)' --load-privkey='$(PRIVKEY7)' --template=$<
 
 # Key 8: X.509 Server Certificate with just a host name
-tlspool-test-playground-cert.der: tlspool-test-playground-cert.template
+tlspool-test-playground-cert.der: tlspool-test-playground-cert.template tlspool-test-ca-cert.der
 	echo Using PRIVKEY8, '$(PRIVKEY8)'
-	$(CERTTOOL) --outfile $@ --outder --generate-self-signed --load-privkey='$(PRIVKEY8)' --template=$<
+	$(CERTTOOL) --outfile $@ --outder --generate-certificate --load-ca-certificate=tlspool-test-ca-cert.pem --load-ca-privkey='$(PRIVKEY5)' --load-privkey='$(PRIVKEY8)' --template=$<
 
 
 # Turn a .der into a .keyid
diff --git a/testdata/tlspool-test-ca-cert.template b/testdata/tlspool-test-ca-cert.template
index bfbb743..0c9cfda 100644
--- a/testdata/tlspool-test-ca-cert.template
+++ b/testdata/tlspool-test-ca-cert.template
@@ -135,7 +135,7 @@ crl_signing_key
 #code_signing_key
 
 # Whether this key will be used to sign OCSP data.
-ocsp_signing_key
+#ocsp_signing_key
 
 # Whether this key will be used for time stamping.
 #time_stamping_key
diff --git a/testdata/tlspool-test-playground-cert.template b/testdata/tlspool-test-playground-cert.template
index 8c32649..2d119d9 100644
--- a/testdata/tlspool-test-playground-cert.template
+++ b/testdata/tlspool-test-playground-cert.template
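Review bot: The `# Key 8` comment above the playground rule still reads "X.509 Server Certificate with just a host name", word for word the same as Key 7's, although this commit gives the playground template its own CN ("TLS Pool Test X.509 Playground Server"); a reader of the Makefile alone cannot tell the two certificates apart. Suggest `# Key 8: X.509 Server Certificate with just a host name (playground, distinct CN from key 7)`. The `.keyid` rule announced by the last context line begins after the hunk.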
@@ -18,7 +18,7 @@ state = "Freedom"
 # country = GR
 
 # The common name of the certificate owner.
-cn = "TLS Pool Test X.509 Server"
+cn = "TLS Pool Test X.509 Playground Server"
 
 # A user id of the certificate owner.
 #uid = "clauper"
@@ -118,15 +118,6 @@ encryption_key
 # Whether this certificate will be used for a TLS server
 tls_www_server
 
-# Whether this certificate will be used to sign data (needed
-# in TLS DHE ciphersuites).
-signing_key
-
-# Whether this certificate will be used to encrypt data (needed
-# in TLS RSA ciphersuites). Note that it is preferred to use different
-# keys for encryption and signing.
-encryption_key
-
 # Whether this key will be used to sign other certificates.
 # cert_signing_key
 
@@ -137,7 +128,7 @@ crl_signing_key
 #code_signing_key
 
 # Whether this key will be used to sign OCSP data.
-ocsp_signing_key
+#ocsp_signing_key
 
 # Whether this key will be used for time stamping.
 #time_stamping_key
diff --git a/testdata/tlspool-test-webhost-cert.template b/testdata/tlspool-test-webhost-cert.template
index 2ce2b46..afae673 100644
--- a/testdata/tlspool-test-webhost-cert.template
+++ b/testdata/tlspool-test-webhost-cert.template
@@ -18,7 +18,7 @@ state = "Freedom"
 # country = GR
 
 # The common name of the certificate owner.
-cn = "TLS Pool Test X.509 Server"
+cn = "TLS Pool Test X.509 Webhost Server"
 
 # A user id of the certificate owner.
 #uid = "clauper"
@@ -118,15 +118,6 @@ encryption_key
 # Whether this certificate will be used for a TLS server
 tls_www_server
 
-# Whether this certificate will be used to sign data (needed
-# in TLS DHE ciphersuites).
-signing_key
-
-# Whether this certificate will be used to encrypt data (needed
-# in TLS RSA ciphersuites). Note that it is preferred to use different
-# keys for encryption and signing.
-encryption_key
-
 # Whether this key will be used to sign other certificates.
 # cert_signing_key
 
@@ -137,7 +128,7 @@ crl_signing_key
 #code_signing_key
 
 # Whether this key will be used to sign OCSP data.
-ocsp_signing_key
+#ocsp_signing_key
 
 # Whether this key will be used for time stamping.
 #time_stamping_key
-- 
1.7.10.4