tests: add a simple test for CSR signing

tpm2-software · Nov 11, 2023 · 1e097de · 1e097de
1 parent a1dd78d
commit 1e097de
Show file tree

Hide file tree

Showing 3 changed files with 27 additions and 1 deletion.
diff --git a/Makefile.am b/Makefile.am
@@ -92,6 +92,7 @@ TESTS_SHELL = test/list.sh \
               test/rsa_genpkey_x509_cert.sh \
               test/rsa_genpkey_x509_cmp.sh \
               test/rsa_genpkey_x509_cms.sh \
+              test/rsa_genpkey_x509_csr.sh \
               test/rsa_genpkey_tls_server.sh \
               test/rsa_createak_x509_csr.sh \
               test/rsapss_genpkey_sign_rawin.sh \

diff --git a/test/ec_genpkey_x509_csr.c b/test/ec_genpkey_x509_csr.c
@@ -42,7 +42,7 @@ int generate_csr(const char *password, const char *filename)
 
     name = X509_REQ_get_subject_name(x509);
     if (!X509_NAME_add_entry_by_NID(name, NID_countryName, MBSTRING_ASC, (unsigned char *)"CZ", -1, -1, 0)
-            || !X509_NAME_add_entry_by_NID(name, NID_commonName, MBSTRING_ASC, "www.example.com", -1, -1, 0))
+            || !X509_NAME_add_entry_by_NID(name, NID_commonName, MBSTRING_ASC, (const unsigned char *)"www.example.com", -1, -1, 0))
         goto error1;
 
     // set requested extensions

diff --git a/test/rsa_genpkey_x509_csr.sh b/test/rsa_genpkey_x509_csr.sh
@@ -0,0 +1,25 @@
+#!/usr/bin/env bash
+# SPDX-License-Identifier: BSD-3-Clause
+set -eufx
+
+# create a TPM based private key
+openssl genpkey -provider tpm2 -algorithm RSA -pkeyopt bits:2048 -out rootca.key
+
+# create a self-signed CA certificate
+openssl req -provider tpm2 -provider default -propquery '?provider=tpm2' \
+    -x509 -new -key rootca.key -subj '/CN=My CA/C=TH/ST=Phuket/L=Phuket/O=Example' -out rootca.crt
+# check the certificate
+openssl x509 -in rootca.crt -text -noout
+
+# create a (non TPM) key and certificate request
+openssl req -new -newkey rsa:2048 -subj '/CN=My Server/C=TH/ST=Phuket/L=Phuket/O=Example' -noenc -keyout server.key -out server.csr
+# check the CSR
+openssl req -verify -in server.csr -text -noout
+
+# issue the certificate by the TPM-based CA
+openssl x509 -provider tpm2 -provider default -propquery '?provider=tpm2' \
+    -req -in server.csr -CAkey rootca.key -CA rootca.crt -CAcreateserial -out server.crt
+# check the certificate
+openssl x509 -in server.crt -text -noout
+
+rm rootca.key rootca.crt server.key server.csr server.crt