tests: add a simple test for CSR signing

tpm2-software · Nov 11, 2023 · b696679 · b696679
1 parent a1dd78d
commit b696679
Show file tree

Hide file tree

Showing 2 changed files with 26 additions and 0 deletions.
diff --git a/Makefile.am b/Makefile.am
@@ -92,6 +92,7 @@ TESTS_SHELL = test/list.sh \
               test/rsa_genpkey_x509_cert.sh \
               test/rsa_genpkey_x509_cmp.sh \
               test/rsa_genpkey_x509_cms.sh \
+              test/rsa_genpkey_x509_csr.sh \
               test/rsa_genpkey_tls_server.sh \
               test/rsa_createak_x509_csr.sh \
               test/rsapss_genpkey_sign_rawin.sh \

diff --git a/test/rsa_genpkey_x509_csr.sh b/test/rsa_genpkey_x509_csr.sh
@@ -0,0 +1,25 @@
+#!/usr/bin/env bash
+# SPDX-License-Identifier: BSD-3-Clause
+set -eufx
+
+# create a TPM based private key
+openssl genpkey -provider tpm2 -algorithm RSA -pkeyopt bits:2048 -out rootca.key
+
+# create a self-signed CA certificate
+openssl req -provider tpm2 -provider default -propquery '?provider=tpm2' \
+    -x509 -new -key rootca.key -subj '/CN=My CA/C=TH/ST=Phuket/L=Phuket/O=Example' -out rootca.crt
+# check the certificate
+openssl x509 -in rootca.crt -text -noout
+
+# create a (non TPM) key and certificate request
+openssl req -new -newkey rsa:2048 -subj '/CN=My Server/C=TH/ST=Phuket/L=Phuket/O=Example' -noenc -keyout server.key -out server.csr
+# check the CSR
+openssl req -verify -in server.csr -text -noout
+
+# issue the certificate by the TPM-based CA
+openssl x509 -provider tpm2 -provider default -propquery '?provider=tpm2' \
+    -req -in server.csr -CAkey rootca.key -CA rootca.crt -CAcreateserial -out server.crt
+# check the certificate
+openssl x509 -in server.crt -text -noout
+
+rm rootca.key rootca.crt server.key server.csr server.crt