SystemSh0cker/gocsaf
1
0
Fork 0
mirror of https://github.com/gocsaf/csaf.git synced 2025-12-22 11:55:40 +01:00
Code Issues Releases Activity Actions
gocsaf/internal/certs/createTestCerts.sh
Bernhard E. Reiter c6bad42c24
Some checks failed
generate-markdown / auto-update-readme (push) Has been cancelled
Details
Go Test (oldstable) / build (push) Has been cancelled
Details
Go / build (push) Has been cancelled
Details
Go / run_modver (push) Has been cancelled
Details
Improve LoadCertificate unit test (#692) 
* fix `LoadCertificate` unit test

replaced certificate with invalid dns name, which is rejected by stdlib of Go version >=1.25.2.

Change in Go introduced by https://github.com/golang/go/issues/75715

* code review: add script to generate certificates, remove `greenbone` org entry

* code review: add license header

* rework cert creation and fix one filename

---------

Co-authored-by: Marius Goetze <marius.goetze@greenbone.net>
2025-10-22 16:57:00 +02:00

60 lines
1.9 KiB
Bash
Executable file
Raw Blame History

#!/bin/bash
#
# SPDX-License-Identifier: Apache-2.0
# SPDX-FileCopyrightText: 2025 German Federal Office for Information Security (BSI) <https://www.bsi.bund.de>
# Software-Engineering: 2025 Intevation GmbH <https://intevation.de>
# cab be used to generated the certificates for the go tests
# as the resulting files are in the repository, this script does not
# need to be run each time, its purpose is to document how the keys and
# certs were created
set -e
certtool --generate-privkey --outfile testserver-key.pem
echo '
organization = "CSAF"
unit = "CSAF Distribution"
country = "DE"
cn = "csaf.test"
dns_name = "csaf.test"
dns_name = "localhost"
dns_name = "*.csaf.test"
ip_address = "127.0.0.1"
ip_address = "::1"
tls_www_server
tls_www_client
ocsp_signing_key
encryption_key
signing_key
expiration_days = 36500
' > gnutls-certtool.testserver.template
certtool --generate-self-signed --load-privkey testserver-key.pem --outfile cert.crt --template gnutls-certtool.testserver.template --stdout | head -1
# for testing legacy code path, we use openssl's traditional mode to
# create a password protected variant after RFC 1423 that still can be read
# by https://pkg.go.dev/crypto/x509#DecryptPEMBlock. Citation:
# Legacy PEM encryption as specified in RFC 1423 is insecure by design.
# Since it does not authenticate the ciphertext, it is vulnerable
# to padding oracle attacks that can let an attacker recover the plaintext.
openssl rsa -in testserver-key.pem -out private.pem -aes256 -passout pass:qwer -traditional
echo '
organization = "CSAF Tools Development (internal)"
country = "DE"
cn = "Tester"
tls_www_client
encryption_key
signing_key
expiration_days = 36500
' > gnutls-certtool.testclientkey.template
certtool --generate-privkey --bits 3072 --outfile testclientkey.pem
certtool --generate-self-signed --load-privkey testclientkey.pem --template gnutls-certtool.testclientkey.template --outfile testclient.crt
View git blame Copy permalink