Extend the nsupdate system test with DoT-related checks

Add a simple test PKI based on the existing one in the doth test. Check ephemeral, forward-secrecy, and forward-secrecy-mutual-tls TLS configurations with different scenarios.
2022-09-21 13:15:50 +00:00
parent 60f1a73754
commit f2bb80d6ae
27 changed files with 1455 additions and 83 deletions
--- a/bin/tests/system/nsupdate/CA/CA.cfg
+++ b/bin/tests/system/nsupdate/CA/CA.cfg
@@ -0,0 +1,77 @@
+# See ../../doth/CA/ca.cfg for more information
+
+# certificate authority configuration
+[ca]
+default_ca      = CA_default               # The default ca section
+
+[CA_default]
+dir            = .
+new_certs_dir  = $dir/newcerts         # new certs dir (must be created)
+certificate    = $dir/CA.pem           # The CA cert
+private_key    = $dir/private/CA.key   # CA private key
+
+serial         = $dir/serial           # serial number file for the next certificate
+                                       # Update before issuing it:
+                                       # xxd -l 8 -u -ps /dev/urandom > ./serial
+database = $dir/index.txt                 # (must be created manually: touch ./index.txt)
+
+default_days   = 1                 # how long to certify for
+
+#default_crl_days = 30                 # the number of days before the
+default_crl_days = 10950               # next CRL is due. That is the
+                                       # days from now to place in the
+                                       # CRL nextUpdate field.  If CRL
+                                       # is expired, certificate
+                                       # verifications will fail even
+                                       # for otherwise valid
+                                       # certificates. Clients might
+                                       # cache the CRL, so the expiry
+                                       # period should normally be
+                                       # relatively short (default:
+                                       # 30) for production CAs.
+
+default_md     = sha256                # digest to use
+
+policy         = policy_default        # default policy
+email_in_dn    = no                    # Don't add the email into cert DN
+
+name_opt       = ca_default            # Subject name display option
+cert_opt       = ca_default            # Certificate display option
+
+# We need the following in order to copy Subject Alt Name(s) from a
+# request to the certificate.
+copy_extensions = copy                 # copy extensions from request
+
+[policy_default]
+countryName            = optional
+stateOrProvinceName    = optional
+organizationalUnitName = optional
+commonName             = supplied
+emailAddress           = optional
+
+# default certificate requests settings
+[req]
+# Options for the `req` tool (`man req`).
+default_bits        = 3072 # for RSA only
+distinguished_name  = req_default
+string_mask         = utf8only
+# SHA-1 is deprecated, so use SHA-256 instead.
+default_md          = sha256
+# do not encrypt the private key file
+encrypt_key         = no
+
+[req_default]
+# See <https://en.wikipedia.org/wiki/Certificate_signing_request>.
+countryName                     = Country Name (2 letter code)
+stateOrProvinceName             = State or Province Name (full name)
+localityName                    = Locality Name (e.g., city)
+0.organizationName              = Organization Name (e.g., company)
+organizationalUnitName          = Organizational Unit Name (e.g. department)
+commonName                      = Common Name (e.g. server FQDN or YOUR name)
+emailAddress                    = Email Address
+# defaults
+countryName_default                     = UA
+stateOrProvinceName_default             = Kharkiv Oblast
+localityName_default                    = Kharkiv
+0.organizationName_default              = ISC
+organizationalUnitName_default          = Software Engeneering (BIND 9)