Add CryptoPkg/Library/BaseCryptLib/ and CryptoPkg/Library/OpensslLib/openssl-rebase-helper-start

4 files changed, 648 insertions, 0 deletions

diff --git a/CryptoPkg/Library/OpensslLib/openssl/test/certs/embeddedSCTs1.sct b/CryptoPkg/Library/OpensslLib/openssl/test/certs/embeddedSCTs1.sct
new file mode 100644
index 00000000..59362dce
--- /dev/null
+++ b/CryptoPkg/Library/OpensslLib/openssl/test/certs/embeddedSCTs1.sct
@@ -0,0 +1,12 @@
+Signed Certificate Timestamp:
+    Version   : v1 (0x0)
+    Log ID    : DF:1C:2E:C1:15:00:94:52:47:A9:61:68:32:5D:DC:5C:
+                79:59:E8:F7:C6:D3:88:FC:00:2E:0B:BD:3F:74:D7:64
+    Timestamp : Apr  5 17:04:16.275 2013 GMT
+    Extensions: none
+    Signature : ecdsa-with-SHA256
+                30:45:02:20:48:2F:67:51:AF:35:DB:A6:54:36:BE:1F:
+                D6:64:0F:3D:BF:9A:41:42:94:95:92:45:30:28:8F:A3:
+                E5:E2:3E:06:02:21:00:E4:ED:C0:DB:3A:C5:72:B1:E2:
+                F5:E8:AB:6A:68:06:53:98:7D:CF:41:02:7D:FE:FF:A1:
+                05:51:9D:89:ED:BF:08
\ No newline at end of file
diff --git a/CryptoPkg/Library/OpensslLib/openssl/test/certs/embeddedSCTs3.sct b/CryptoPkg/Library/OpensslLib/openssl/test/certs/embeddedSCTs3.sct
new file mode 100644
index 00000000..ad1ccf0f
--- /dev/null
+++ b/CryptoPkg/Library/OpensslLib/openssl/test/certs/embeddedSCTs3.sct
@@ -0,0 +1,36 @@
+Signed Certificate Timestamp:
+    Version   : v1 (0x0)
+    Log ID    : 68:F6:98:F8:1F:64:82:BE:3A:8C:EE:B9:28:1D:4C:FC:
+                71:51:5D:67:93:D4:44:D1:0A:67:AC:BB:4F:4F:FB:C4
+    Timestamp : Dec  1 13:31:25.961 2015 GMT
+    Extensions: none
+    Signature : ecdsa-with-SHA256
+                30:44:02:20:58:2D:0A:BE:78:41:8A:E7:89:A9:5E:66:
+                21:C5:6A:16:79:DF:33:85:8A:D3:F3:1D:71:AF:75:30:
+                FB:CC:4E:45:02:20:41:9C:89:B8:80:19:87:46:6C:1C:
+                3A:95:0B:BE:F4:98:75:D4:CA:49:97:FD:25:2E:E3:78:
+                B5:36:30:20:26:4D
+Signed Certificate Timestamp:
+    Version   : v1 (0x0)
+    Log ID    : 56:14:06:9A:2F:D7:C2:EC:D3:F5:E1:BD:44:B2:3E:C7:
+                46:76:B9:BC:99:11:5C:C0:EF:94:98:55:D6:89:D0:DD
+    Timestamp : Dec  1 13:31:25.352 2015 GMT
+    Extensions: none
+    Signature : ecdsa-with-SHA256
+                30:45:02:20:79:68:E9:70:38:5A:63:F3:A6:B1:97:0E:
+                7E:D0:C5:71:1B:76:06:CB:09:63:48:1E:E1:20:F3:A7:
+                EF:2A:4E:74:02:21:00:8E:B7:BB:ED:85:5D:85:1B:54:
+                5E:3C:C5:EC:F2:13:9C:09:D1:0A:01:C2:59:5F:7C:31:
+                19:A1:9D:E1:17:C7:1F
+Signed Certificate Timestamp:
+    Version   : v1 (0x0)
+    Log ID    : A4:B9:09:90:B4:18:58:14:87:BB:13:A2:CC:67:70:0A:
+                3C:35:98:04:F9:1B:DF:B8:E3:77:CD:0E:C8:0D:DC:10
+    Timestamp : Dec  1 13:31:25.980 2015 GMT
+    Extensions: none
+    Signature : ecdsa-with-SHA256
+                30:45:02:20:2B:06:42:0F:D9:71:BD:21:42:A5:F9:C5:
+                55:83:D2:9D:E5:A1:8D:B6:3D:A6:73:89:42:32:9C:91:
+                0F:3B:6A:74:02:21:00:86:EE:10:F9:10:E6:7B:17:65:
+                D9:2D:37:53:4A:3B:F0:AE:03:E4:21:76:37:EF:AF:B4:
+                44:2E:2B:F5:5C:C6:91
\ No newline at end of file
diff --git a/CryptoPkg/Library/OpensslLib/openssl/test/certs/mkcert.sh b/CryptoPkg/Library/OpensslLib/openssl/test/certs/mkcert.sh
new file mode 100755
index 00000000..ee31bf00
--- /dev/null
+++ b/CryptoPkg/Library/OpensslLib/openssl/test/certs/mkcert.sh
@@ -0,0 +1,254 @@
+#! /bin/bash
+#
+# Copyright (c) 2016 Viktor Dukhovni <openssl-users@dukhovni.org>.
+# All rights reserved.
+#
+# Contributed to the OpenSSL project under the terms of the OpenSSL license
+# included with the version of the OpenSSL software that includes this module.
+
+# 100 years should be enough for now
+#
+if [ -z "$DAYS" ]; then
+    DAYS=36525
+fi
+
+if [ -z "$OPENSSL_SIGALG" ]; then
+    OPENSSL_SIGALG=sha256
+fi
+
+if [ -z "$REQMASK" ]; then
+    REQMASK=utf8only
+fi
+
+stderr_onerror() {
+    (
+        err=$("$@" >&3 2>&1) || {
+            printf "%s\n" "$err" >&2
+            exit 1
+        }
+    ) 3>&1
+}
+
+key() {
+    local key=$1; shift
+
+    local alg=rsa
+    if [ -n "$OPENSSL_KEYALG" ]; then
+        alg=$OPENSSL_KEYALG
+    fi
+
+    local bits=2048
+    if [ -n "$OPENSSL_KEYBITS" ]; then
+        bits=$OPENSSL_KEYBITS
+    fi
+
+    if [ ! -f "${key}.pem" ]; then
+        args=(-algorithm "$alg")
+        case $alg in
+        rsa) args=("${args[@]}" -pkeyopt rsa_keygen_bits:$bits );;
+        ec)  args=("${args[@]}" -pkeyopt "ec_paramgen_curve:$bits")
+               args=("${args[@]}" -pkeyopt ec_param_enc:named_curve);;
+        *) printf "Unsupported key algorithm: %s\n" "$alg" >&2; return 1;;
+        esac
+        stderr_onerror \
+            openssl genpkey "${args[@]}" -out "${key}.pem"
+    fi
+}
+
+# Usage: $0 req keyname dn1 dn2 ...
+req() {
+    local key=$1; shift
+
+    key "$key"
+    local errs
+
+    stderr_onerror \
+        openssl req -new -"${OPENSSL_SIGALG}" -key "${key}.pem" \
+            -config <(printf "string_mask=%s\n[req]\n%s\n%s\n[dn]\n" \
+              "$REQMASK" "prompt = no" "distinguished_name = dn"
+                      for dn in "$@"; do echo "$dn"; done)
+}
+
+req_nocn() {
+    local key=$1; shift
+
+    key "$key"
+    stderr_onerror \
+        openssl req -new -"${OPENSSL_SIGALG}" -subj / -key "${key}.pem" \
+            -config <(printf "[req]\n%s\n[dn]\nCN_default =\n" \
+		      "distinguished_name = dn")
+}
+
+cert() {
+    local cert=$1; shift
+    local exts=$1; shift
+
+    stderr_onerror \
+        openssl x509 -req -"${OPENSSL_SIGALG}" -out "${cert}.pem" \
+            -extfile <(printf "%s\n" "$exts") "$@"
+}
+
+genroot() {
+    local cn=$1; shift
+    local key=$1; shift
+    local cert=$1; shift
+    local skid="subjectKeyIdentifier = hash"
+    local akid="authorityKeyIdentifier = keyid"
+
+    exts=$(printf "%s\n%s\n%s\n" "$skid" "$akid" "basicConstraints = critical,CA:true")
+    for eku in "$@"
+    do
+        exts=$(printf "%s\nextendedKeyUsage = %s\n" "$exts" "$eku")
+    done
+    csr=$(req "$key" "CN = $cn") || return 1
+    echo "$csr" |
+       cert "$cert" "$exts" -signkey "${key}.pem" -set_serial 1 -days "${DAYS}"
+}
+
+genca() {
+    local cn=$1; shift
+    local key=$1; shift
+    local cert=$1; shift
+    local cakey=$1; shift
+    local cacert=$1; shift
+    local skid="subjectKeyIdentifier = hash"
+    local akid="authorityKeyIdentifier = keyid"
+
+    exts=$(printf "%s\n%s\n%s\n" "$skid" "$akid" "basicConstraints = critical,CA:true")
+    for eku in "$@"
+    do
+        exts=$(printf "%s\nextendedKeyUsage = %s\n" "$exts" "$eku")
+    done
+    if [ -n "$NC" ]; then
+        exts=$(printf "%s\nnameConstraints = %s\n" "$exts" "$NC")
+    fi
+    csr=$(req "$key" "CN = $cn") || return 1
+    echo "$csr" |
+        cert "$cert" "$exts" -CA "${cacert}.pem" -CAkey "${cakey}.pem" \
+	    -set_serial 2 -days "${DAYS}"
+}
+
+gen_nonbc_ca() {
+    local cn=$1; shift
+    local key=$1; shift
+    local cert=$1; shift
+    local cakey=$1; shift
+    local cacert=$1; shift
+    local skid="subjectKeyIdentifier = hash"
+    local akid="authorityKeyIdentifier = keyid"
+
+    exts=$(printf "%s\n%s\n%s\n" "$skid" "$akid")
+    exts=$(printf "%s\nkeyUsage = %s\n" "$exts" "keyCertSign, cRLSign")
+    for eku in "$@"
+    do
+        exts=$(printf "%s\nextendedKeyUsage = %s\n" "$exts" "$eku")
+    done
+    csr=$(req "$key" "CN = $cn") || return 1
+    echo "$csr" |
+        cert "$cert" "$exts" -CA "${cacert}.pem" -CAkey "${cakey}.pem" \
+	    -set_serial 2 -days "${DAYS}"
+}
+
+# Usage: $0 genpc keyname certname eekeyname eecertname pcext1 pcext2 ...
+#
+# Note: takes csr on stdin, so must be used with $0 req like this:
+#
+# $0 req keyname dn | $0 genpc keyname certname eekeyname eecertname pcext ...
+genpc() {
+    local key=$1; shift
+    local cert=$1; shift
+    local cakey=$1; shift
+    local ca=$1; shift
+
+    exts=$(printf "%s\n%s\n%s\n%s\n" \
+	    "subjectKeyIdentifier = hash" \
+	    "authorityKeyIdentifier = keyid, issuer:always" \
+	    "basicConstraints = CA:false" \
+	    "proxyCertInfo = critical, @pcexts";
+           echo "[pcexts]";
+           for x in "$@"; do echo $x; done)
+    cert "$cert" "$exts" -CA "${ca}.pem" -CAkey "${cakey}.pem" \
+	 -set_serial 2 -days "${DAYS}"
+}
+
+# Usage: $0 genalt keyname certname eekeyname eecertname alt1 alt2 ...
+#
+# Note: takes csr on stdin, so must be used with $0 req like this:
+#
+# $0 req keyname dn | $0 genalt keyname certname eekeyname eecertname alt ...
+geneealt() {
+    local key=$1; shift
+    local cert=$1; shift
+    local cakey=$1; shift
+    local ca=$1; shift
+
+    exts=$(printf "%s\n%s\n%s\n%s\n" \
+	    "subjectKeyIdentifier = hash" \
+	    "authorityKeyIdentifier = keyid" \
+	    "basicConstraints = CA:false" \
+	    "subjectAltName = @alts";
+           echo "[alts]";
+           for x in "$@"; do echo $x; done)
+    cert "$cert" "$exts" -CA "${ca}.pem" -CAkey "${cakey}.pem" \
+	 -set_serial 2 -days "${DAYS}"
+}
+
+genee() {
+    local OPTIND=1
+    local purpose=serverAuth
+
+    while getopts p: o
+    do
+        case $o in
+        p) purpose="$OPTARG";;
+        *) echo "Usage: $0 genee [-p EKU] cn keyname certname cakeyname cacertname" >&2
+           return 1;;
+        esac
+    done
+
+    shift $((OPTIND - 1))
+    local cn=$1; shift
+    local key=$1; shift
+    local cert=$1; shift
+    local cakey=$1; shift
+    local ca=$1; shift
+
+    exts=$(printf "%s\n%s\n%s\n%s\n%s\n[alts]\n%s\n" \
+	    "subjectKeyIdentifier = hash" \
+	    "authorityKeyIdentifier = keyid, issuer" \
+	    "basicConstraints = CA:false" \
+	    "extendedKeyUsage = $purpose" \
+	    "subjectAltName = @alts" "DNS=${cn}")
+    csr=$(req "$key" "CN = $cn") || return 1
+    echo "$csr" |
+	cert "$cert" "$exts" -CA "${ca}.pem" -CAkey "${cakey}.pem" \
+	    -set_serial 2 -days "${DAYS}" "$@"
+}
+
+genss() {
+    local cn=$1; shift
+    local key=$1; shift
+    local cert=$1; shift
+
+    exts=$(printf "%s\n%s\n%s\n%s\n%s\n[alts]\n%s\n" \
+	    "subjectKeyIdentifier   = hash" \
+	    "authorityKeyIdentifier = keyid, issuer" \
+	    "basicConstraints = CA:false" \
+	    "extendedKeyUsage = serverAuth" \
+	    "subjectAltName = @alts" "DNS=${cn}")
+    csr=$(req "$key" "CN = $cn") || return 1
+    echo "$csr" |
+        cert "$cert" "$exts" -signkey "${key}.pem" \
+            -set_serial 1 -days "${DAYS}" "$@"
+}
+
+gennocn() {
+    local key=$1; shift
+    local cert=$1; shift
+
+    csr=$(req_nocn "$key") || return 1
+    echo "$csr" |
+	cert "$cert" "" -signkey "${key}.pem" -set_serial 1 -days -1 "$@"
+}
+
+"$@"
diff --git a/CryptoPkg/Library/OpensslLib/openssl/test/certs/setup.sh b/CryptoPkg/Library/OpensslLib/openssl/test/certs/setup.sh
new file mode 100755
index 00000000..7e1086a2
--- /dev/null
+++ b/CryptoPkg/Library/OpensslLib/openssl/test/certs/setup.sh
@@ -0,0 +1,346 @@
+#! /bin/sh
+
+# Primary root: root-cert
+# root cert variants: CA:false, key2, DN2
+# trust variants: +serverAuth -serverAuth +clientAuth -clientAuth +anyEKU -anyEKU
+#
+./mkcert.sh genroot "Root CA" root-key root-cert
+./mkcert.sh genss "Root CA" root-key root-nonca
+./mkcert.sh genroot "Root CA" root-key2 root-cert2
+./mkcert.sh genroot "Root Cert 2" root-key root-name2
+#
+openssl x509 -in root-cert.pem -trustout \
+    -addtrust serverAuth -out root+serverAuth.pem
+openssl x509 -in root-cert.pem -trustout \
+    -addreject serverAuth -out root-serverAuth.pem
+openssl x509 -in root-cert.pem -trustout \
+    -addtrust clientAuth -out root+clientAuth.pem
+openssl x509 -in root-cert.pem -trustout \
+    -addreject clientAuth -out root-clientAuth.pem
+openssl x509 -in root-cert.pem -trustout \
+    -addreject anyExtendedKeyUsage -out root-anyEKU.pem
+openssl x509 -in root-cert.pem -trustout \
+    -addtrust anyExtendedKeyUsage -out root+anyEKU.pem
+openssl x509 -in root-cert2.pem -trustout \
+    -addtrust serverAuth -out root2+serverAuth.pem
+openssl x509 -in root-cert2.pem -trustout \
+    -addreject serverAuth -out root2-serverAuth.pem
+openssl x509 -in root-cert2.pem -trustout \
+    -addtrust clientAuth -out root2+clientAuth.pem
+openssl x509 -in root-nonca.pem -trustout \
+    -addtrust serverAuth -out nroot+serverAuth.pem
+openssl x509 -in root-nonca.pem -trustout \
+    -addtrust anyExtendedKeyUsage -out nroot+anyEKU.pem
+
+# Root CA security level variants:
+# MD5 self-signature
+OPENSSL_SIGALG=md5 \
+./mkcert.sh genroot "Root CA" root-key root-cert-md5
+# 768-bit key
+OPENSSL_KEYBITS=768 \
+./mkcert.sh genroot "Root CA" root-key-768 root-cert-768
+
+# primary client-EKU root: croot-cert
+# trust variants: +serverAuth -serverAuth +clientAuth +anyEKU -anyEKU
+#
+./mkcert.sh genroot "Root CA" root-key croot-cert clientAuth
+#
+openssl x509 -in croot-cert.pem -trustout \
+    -addtrust serverAuth -out croot+serverAuth.pem
+openssl x509 -in croot-cert.pem -trustout \
+    -addreject serverAuth -out croot-serverAuth.pem
+openssl x509 -in croot-cert.pem -trustout \
+    -addtrust clientAuth -out croot+clientAuth.pem
+openssl x509 -in croot-cert.pem -trustout \
+    -addreject clientAuth -out croot-clientAuth.pem
+openssl x509 -in croot-cert.pem -trustout \
+    -addreject anyExtendedKeyUsage -out croot-anyEKU.pem
+openssl x509 -in croot-cert.pem -trustout \
+    -addtrust anyExtendedKeyUsage -out croot+anyEKU.pem
+
+# primary server-EKU root: sroot-cert
+# trust variants: +serverAuth -serverAuth +clientAuth +anyEKU -anyEKU
+#
+./mkcert.sh genroot "Root CA" root-key sroot-cert serverAuth
+#
+openssl x509 -in sroot-cert.pem -trustout \
+    -addtrust serverAuth -out sroot+serverAuth.pem
+openssl x509 -in sroot-cert.pem -trustout \
+    -addreject serverAuth -out sroot-serverAuth.pem
+openssl x509 -in sroot-cert.pem -trustout \
+    -addtrust clientAuth -out sroot+clientAuth.pem
+openssl x509 -in sroot-cert.pem -trustout \
+    -addreject clientAuth -out sroot-clientAuth.pem
+openssl x509 -in sroot-cert.pem -trustout \
+    -addreject anyExtendedKeyUsage -out sroot-anyEKU.pem
+openssl x509 -in sroot-cert.pem -trustout \
+    -addtrust anyExtendedKeyUsage -out sroot+anyEKU.pem
+
+# Primary intermediate ca: ca-cert
+# ca variants: CA:false, key2, DN2, issuer2, expired
+# trust variants: +serverAuth, -serverAuth, +clientAuth, -clientAuth, -anyEKU, +anyEKU
+#
+./mkcert.sh genca "CA" ca-key ca-cert root-key root-cert
+./mkcert.sh genee "CA" ca-key ca-nonca root-key root-cert
+./mkcert.sh gen_nonbc_ca "CA" ca-key ca-nonbc root-key root-cert
+./mkcert.sh genca "CA" ca-key2 ca-cert2 root-key root-cert
+./mkcert.sh genca "CA2" ca-key ca-name2 root-key root-cert
+./mkcert.sh genca "CA" ca-key ca-root2 root-key2 root-cert2
+DAYS=-1 ./mkcert.sh genca "CA" ca-key ca-expired root-key root-cert
+#
+openssl x509 -in ca-cert.pem -trustout \
+    -addtrust serverAuth -out ca+serverAuth.pem
+openssl x509 -in ca-cert.pem -trustout \
+    -addreject serverAuth -out ca-serverAuth.pem
+openssl x509 -in ca-cert.pem -trustout \
+    -addtrust clientAuth -out ca+clientAuth.pem
+openssl x509 -in ca-cert.pem -trustout \
+    -addreject clientAuth -out ca-clientAuth.pem
+openssl x509 -in ca-cert.pem -trustout \
+    -addreject anyExtendedKeyUsage -out ca-anyEKU.pem
+openssl x509 -in ca-cert.pem -trustout \
+    -addtrust anyExtendedKeyUsage -out ca+anyEKU.pem
+openssl x509 -in ca-nonca.pem -trustout \
+    -addtrust serverAuth -out nca+serverAuth.pem
+openssl x509 -in ca-nonca.pem -trustout \
+    -addtrust serverAuth -out nca+anyEKU.pem
+
+# Intermediate CA security variants:
+# MD5 issuer signature,
+OPENSSL_SIGALG=md5 \
+./mkcert.sh genca "CA" ca-key ca-cert-md5 root-key root-cert
+openssl x509 -in ca-cert-md5.pem -trustout \
+    -addtrust anyExtendedKeyUsage -out ca-cert-md5-any.pem
+# Issuer has 768-bit key
+./mkcert.sh genca "CA" ca-key ca-cert-768i root-key-768 root-cert-768
+# CA has 768-bit key
+OPENSSL_KEYBITS=768 \
+./mkcert.sh genca "CA" ca-key-768 ca-cert-768 root-key root-cert
+
+# client intermediate ca: cca-cert
+# trust variants: +serverAuth, -serverAuth, +clientAuth, -clientAuth
+#
+./mkcert.sh genca "CA" ca-key cca-cert root-key root-cert clientAuth
+#
+openssl x509 -in cca-cert.pem -trustout \
+    -addtrust serverAuth -out cca+serverAuth.pem
+openssl x509 -in cca-cert.pem -trustout \
+    -addreject serverAuth -out cca-serverAuth.pem
+openssl x509 -in cca-cert.pem -trustout \
+    -addtrust clientAuth -out cca+clientAuth.pem
+openssl x509 -in cca-cert.pem -trustout \
+    -addtrust clientAuth -out cca-clientAuth.pem
+openssl x509 -in cca-cert.pem -trustout \
+    -addreject anyExtendedKeyUsage -out cca-anyEKU.pem
+openssl x509 -in cca-cert.pem -trustout \
+    -addtrust anyExtendedKeyUsage -out cca+anyEKU.pem
+
+# server intermediate ca: sca-cert
+# trust variants: +serverAuth, -serverAuth, +clientAuth, -clientAuth, -anyEKU, +anyEKU
+#
+./mkcert.sh genca "CA" ca-key sca-cert root-key root-cert serverAuth
+#
+openssl x509 -in sca-cert.pem -trustout \
+    -addtrust serverAuth -out sca+serverAuth.pem
+openssl x509 -in sca-cert.pem -trustout \
+    -addreject serverAuth -out sca-serverAuth.pem
+openssl x509 -in sca-cert.pem -trustout \
+    -addtrust clientAuth -out sca+clientAuth.pem
+openssl x509 -in sca-cert.pem -trustout \
+    -addreject clientAuth -out sca-clientAuth.pem
+openssl x509 -in sca-cert.pem -trustout \
+    -addreject anyExtendedKeyUsage -out sca-anyEKU.pem
+openssl x509 -in sca-cert.pem -trustout \
+    -addtrust anyExtendedKeyUsage -out sca+anyEKU.pem
+
+# Primary leaf cert: ee-cert
+# ee variants: expired, issuer-key2, issuer-name2
+# trust variants: +serverAuth, -serverAuth, +clientAuth, -clientAuth
+# purpose variants: client
+#
+./mkcert.sh genee server.example ee-key ee-cert ca-key ca-cert
+./mkcert.sh genee server.example ee-key ee-expired ca-key ca-cert -days -1
+./mkcert.sh genee server.example ee-key ee-cert2 ca-key2 ca-cert2
+./mkcert.sh genee server.example ee-key ee-name2 ca-key ca-name2
+./mkcert.sh genee -p clientAuth server.example ee-key ee-client ca-key ca-cert
+#
+openssl x509 -in ee-cert.pem -trustout \
+    -addtrust serverAuth -out ee+serverAuth.pem
+openssl x509 -in ee-cert.pem -trustout \
+    -addreject serverAuth -out ee-serverAuth.pem
+openssl x509 -in ee-client.pem -trustout \
+    -addtrust clientAuth -out ee+clientAuth.pem
+openssl x509 -in ee-client.pem -trustout \
+    -addreject clientAuth -out ee-clientAuth.pem
+
+# Leaf cert security level variants
+# MD5 issuer signature
+OPENSSL_SIGALG=md5 \
+./mkcert.sh genee server.example ee-key ee-cert-md5 ca-key ca-cert
+# 768-bit issuer key
+./mkcert.sh genee server.example ee-key ee-cert-768i ca-key-768 ca-cert-768
+# 768-bit leaf key
+OPENSSL_KEYBITS=768 \
+./mkcert.sh genee server.example ee-key-768 ee-cert-768 ca-key ca-cert
+
+# Proxy certificates, off of ee-client
+# Start with some good ones
+./mkcert.sh req pc1-key "0.CN = server.example" "1.CN = proxy 1" | \
+    ./mkcert.sh genpc pc1-key pc1-cert ee-key ee-client \
+                "language = id-ppl-anyLanguage" "pathlen = 1" "policy = text:AB"
+./mkcert.sh req pc2-key "0.CN = server.example" "1.CN = proxy 1" "2.CN = proxy 2" | \
+    ./mkcert.sh genpc pc2-key pc2-cert pc1-key pc1-cert \
+                "language = id-ppl-anyLanguage" "pathlen = 0" "policy = text:AB"
+# And now a couple of bad ones
+# pc3: incorrect CN
+./mkcert.sh req bad-pc3-key "0.CN = server.example" "1.CN = proxy 3" | \
+    ./mkcert.sh genpc bad-pc3-key bad-pc3-cert pc1-key pc1-cert \
+                "language = id-ppl-anyLanguage" "pathlen = 0" "policy = text:AB"
+# pc4: incorrect pathlen
+./mkcert.sh req bad-pc4-key "0.CN = server.example" "1.CN = proxy 1" "2.CN = proxy 4" | \
+    ./mkcert.sh genpc bad-pc4-key bad-pc4-cert pc1-key pc1-cert \
+                "language = id-ppl-anyLanguage" "pathlen = 1" "policy = text:AB"
+# pc5: no policy
+./mkcert.sh req pc5-key "0.CN = server.example" "1.CN = proxy 1" "2.CN = proxy 5" | \
+    ./mkcert.sh genpc pc5-key pc5-cert pc1-key pc1-cert \
+                "language = id-ppl-anyLanguage" "pathlen = 0"
+# pc6: incorrect CN (made into a component of a multivalue RDN)
+./mkcert.sh req bad-pc6-key "0.CN = server.example" "1.CN = proxy 1" "2.+CN = proxy 6" | \
+    ./mkcert.sh genpc bad-pc6-key bad-pc6-cert pc1-key pc1-cert \
+                "language = id-ppl-anyLanguage" "pathlen = 0" "policy = text:AB"
+
+# Name constraints test certificates.
+
+# NC CA1 only permits the host www.good.org and *.good.com email address
+# good@good.org and *@good.com and IP addresses 127.0.0.1 and
+# 192.168.0.0/16
+
+NC="permitted;DNS:www.good.org, permitted;DNS:good.com,"
+NC="$NC permitted;email:good@good.org, permitted;email:good.com,"
+NC="$NC permitted;IP:127.0.0.1/255.255.255.255, permitted;IP:192.168.0.0/255.255.0.0"
+
+NC=$NC ./mkcert.sh genca "Test NC CA 1" ncca1-key ncca1-cert root-key root-cert
+
+# NC CA2 allows anything apart from hosts www.bad.org and *.bad.com
+# and email addresses bad@bad.org and *@bad.com
+
+NC="excluded;DNS:www.bad.org, excluded;DNS:bad.com,"
+NC="$NC excluded;email:bad@bad.org, excluded;email:bad.com, "
+NC="$NC excluded;IP:10.0.0.0/255.0.0.0"
+
+NC=$NC ./mkcert.sh genca "Test NC CA 2" ncca2-key ncca2-cert root-key root-cert
+
+# Name constraints subordinate CA. Adds www.good.net (which should be
+# disallowed because parent CA doesn't permit it) adds ok.good.com
+# (which should be allowed because parent allows *.good.com
+# and now excludes bad.ok.good.com (allowed in permitted subtrees
+# but explicitly excluded).
+
+NC="permitted;DNS:www.good.net, permitted;DNS:ok.good.com, "
+NC="$NC excluded;DNS:bad.ok.good.com"
+NC=$NC ./mkcert.sh genca "Test NC sub CA" ncca3-key ncca3-cert \
+        ncca1-key ncca1-cert
+
+# all subjectAltNames allowed by CA1.
+
+./mkcert.sh req alt1-key "O = Good NC Test Certificate 1" \
+    "1.CN=www.good.org" "2.CN=Joe Bloggs" "3.CN=any.good.com" | \
+    ./mkcert.sh geneealt alt1-key alt1-cert ncca1-key ncca1-cert \
+    "DNS.1 = www.good.org" "DNS.2 = any.good.com" \
+    "email.1 = good@good.org" "email.2 = any@good.com" \
+    "IP = 127.0.0.1" "IP = 192.168.0.1"
+
+# no subjectAltNames excluded by CA2.
+
+./mkcert.sh req alt2-key "O = Good NC Test Certificate 2" | \
+    ./mkcert.sh geneealt alt2-key alt2-cert ncca2-key ncca2-cert \
+    "DNS.1 = www.anything.org" "DNS.2 = any.other.com" \
+    "email.1 = other@bad.org" "email.2 = any@something.com"
+
+# hostname other.good.org which is not allowed by CA1.
+
+./mkcert.sh req badalt1-key "O = Bad NC Test Certificate 1" | \
+    ./mkcert.sh geneealt badalt1-key badalt1-cert ncca1-key ncca1-cert \
+    "DNS.1 = other.good.org" "DNS.2 = any.good.com" \
+    "email.1 = good@good.org" "email.2 = any@good.com"
+
+# any.bad.com is excluded by CA2.
+
+./mkcert.sh req badalt2-key 'O = Bad NC Test Certificate 2' | \
+    ./mkcert.sh geneealt badalt2-key badalt2-cert ncca2-key ncca2-cert \
+    "DNS.1 = www.good.org" "DNS.2 = any.bad.com" \
+    "email.1 = good@good.org" "email.2 = any@good.com"
+
+# other@good.org not permitted by CA1
+
+./mkcert.sh req badalt3-key "O = Bad NC Test Certificate 3" | \
+    ./mkcert.sh geneealt badalt3-key badalt1-cert ncca1-key ncca1-cert \
+    "DNS.1 = www.good.org" "DNS.2 = any.good.com" \
+    "email.1 = other@good.org" "email.2 = any@good.com"
+
+# all subject alt names OK but subject email address not allowed by CA1.
+
+./mkcert.sh req badalt4-key 'O = Bad NC Test Certificate 4' \
+    "emailAddress = any@other.com" | \
+    ./mkcert.sh geneealt badalt4-key badalt4-cert ncca1-key ncca1-cert \
+    "DNS.1 = www.good.org" "DNS.2 = any.good.com" \
+    "email.1 = good@good.org" "email.2 = any@good.com"
+
+# IP address not allowed by CA1
+./mkcert.sh req badalt5-key "O = Bad NC Test Certificate 5" | \
+    ./mkcert.sh geneealt badalt5-key badalt5-cert ncca1-key ncca1-cert \
+    "DNS.1 = www.good.org" "DNS.2 = any.good.com" \
+    "email.1 = good@good.org" "email.2 = any@good.com" \
+    "IP = 127.0.0.2"
+
+# all subject alt names OK but subject CN not allowed by CA1.
+./mkcert.sh req badalt6-key "O = Bad NC Test Certificate 6" \
+    "1.CN=other.good.org" "2.CN=Joe Bloggs" "3.CN=any.good.com" | \
+    ./mkcert.sh geneealt badalt6-key badalt6-cert ncca1-key ncca1-cert \
+    "DNS.1 = www.good.org" "DNS.2 = any.good.com" \
+    "email.1 = good@good.org" "email.2 = any@good.com" \
+    "IP = 127.0.0.1" "IP = 192.168.0.1"
+
+# all subject alt names OK but subject CN not allowed by CA1, BMPSTRING
+REQMASK=MASK:0x800 ./mkcert.sh req badalt7-key "O = Bad NC Test Certificate 7" \
+    "1.CN=other.good.org" "2.CN=Joe Bloggs" "3.CN=any.good.com" | \
+    ./mkcert.sh geneealt badalt7-key badalt7-cert ncca1-key ncca1-cert \
+    "DNS.1 = www.good.org" "DNS.2 = any.good.com" \
+    "email.1 = good@good.org" "email.2 = any@good.com" \
+    "IP = 127.0.0.1" "IP = 192.168.0.1"
+
+# all subjectAltNames allowed by chain
+
+./mkcert.sh req alt3-key "O = Good NC Test Certificate 3" \
+    "1.CN=www.ok.good.com" "2.CN=Joe Bloggs" | \
+    ./mkcert.sh geneealt alt3-key alt3-cert ncca3-key ncca3-cert \
+    "DNS.1 = www.ok.good.com" \
+    "email.1 = good@good.org" "email.2 = any@good.com" \
+    "IP = 127.0.0.1" "IP = 192.168.0.1"
+
+# www.good.net allowed by parent CA but not parent of parent
+
+./mkcert.sh req badalt8-key "O = Bad NC Test Certificate 8" \
+    "1.CN=www.good.com" "2.CN=Joe Bloggs" | \
+    ./mkcert.sh geneealt badalt8-key badalt8-cert ncca3-key ncca3-cert \
+    "DNS.1 = www.ok.good.com" "DNS.2 = www.good.net" \
+    "email.1 = good@good.org" "email.2 = any@good.com" \
+    "IP = 127.0.0.1" "IP = 192.168.0.1"
+
+# other.good.com not allowed by parent CA but allowed by parent of parent
+
+./mkcert.sh req badalt9-key "O = Bad NC Test Certificate 9" \
+    "1.CN=www.good.com" "2.CN=Joe Bloggs" | \
+    ./mkcert.sh geneealt badalt9-key badalt9-cert ncca3-key ncca3-cert \
+    "DNS.1 = www.good.com" "DNS.2 = other.good.com" \
+    "email.1 = good@good.org" "email.2 = any@good.com" \
+    "IP = 127.0.0.1" "IP = 192.168.0.1"
+
+# www.bad.net excluded by parent CA.
+
+./mkcert.sh req badalt10-key "O = Bad NC Test Certificate 10" \
+    "1.CN=www.ok.good.com" "2.CN=Joe Bloggs" | \
+    ./mkcert.sh geneealt badalt10-key badalt10-cert ncca3-key ncca3-cert \
+    "DNS.1 = www.ok.good.com" "DNS.2 = bad.ok.good.com" \
+    "email.1 = good@good.org" "email.2 = any@good.com" \
+    "IP = 127.0.0.1" "IP = 192.168.0.1"