Initial commit

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
2026-02-21 08:49:41 +00:00
commit 094aadde60
80 changed files with 11790 additions and 0 deletions
--- a/tests/fixtures/setup_fixtures.sh
+++ b/tests/fixtures/setup_fixtures.sh
@@ -0,0 +1,70 @@
+#!/usr/bin/env bash
+set -e
+
+SUBJ_CA="/C=US/ST=State/L=City/O=TestOrg/CN=TestRootCA"
+SUBJ_IM="/C=US/ST=State/L=City/O=TestOrg/CN=TestIntermediateCA"
+SUBJ_SRV="/CN=localhost"
+SUBJ_CLI="/C=US/ST=State/L=City/O=TestOrg/CN=TestClient"
+SUBJ_RSA_CA="/C=US/ST=State/L=City/O=TestOrg/CN=TestRsaRootCA"
+
+EXT_CA="basicConstraints=critical,CA:TRUE\nsubjectKeyIdentifier=hash\nauthorityKeyIdentifier=keyid:always"
+EXT_LEAF="basicConstraints=CA:FALSE\nsubjectKeyIdentifier=hash\nauthorityKeyIdentifier=keyid,issuer"
+
+# Root CA
+openssl ecparam -name prime256v1 -genkey -noout -out root-ca-key.pem
+openssl req -new -x509 -sha256 -key root-ca-key.pem -days 3650 -out root-ca.pem -subj "$SUBJ_CA"
+
+# Intermediate CA
+openssl ecparam -name prime256v1 -genkey -noout -out intermediate-ca-key.pem
+openssl req -new -sha256 -key intermediate-ca-key.pem -out _im.csr -subj "$SUBJ_IM"
+openssl x509 -req -in _im.csr -CA root-ca.pem -CAkey root-ca-key.pem \
+  -CAcreateserial -out intermediate-ca.pem -days 3650 -sha256 \
+  -extfile <(printf "$EXT_CA")
+rm _im.csr
+
+# Server leaf cert (signed by root CA)
+openssl ecparam -name prime256v1 -genkey -noout -out leaf-server-key.pem
+openssl req -new -sha256 -key leaf-server-key.pem -out _srv.csr -subj "$SUBJ_SRV"
+openssl x509 -req -in _srv.csr -CA root-ca.pem -CAkey root-ca-key.pem \
+  -CAcreateserial -out leaf-server.pem -days 3650 -sha256 \
+  -extfile <(printf "$EXT_LEAF")
+rm _srv.csr
+
+# Client leaf cert (signed by root CA)
+openssl ecparam -name prime256v1 -genkey -noout -out leaf-client-key.pem
+openssl req -new -sha256 -key leaf-client-key.pem -out _cli.csr -subj "$SUBJ_CLI"
+openssl x509 -req -in _cli.csr -CA root-ca.pem -CAkey root-ca-key.pem \
+  -CAcreateserial -out leaf-client.pem -days 3650 -sha256 \
+  -extfile <(printf "$EXT_LEAF")
+rm _cli.csr
+
+# Intermediate server cert + chain
+openssl ecparam -name prime256v1 -genkey -noout -out intermediate-server-key.pem
+openssl req -new -sha256 -key intermediate-server-key.pem -out _imsrv.csr -subj "$SUBJ_SRV"
+openssl x509 -req -in _imsrv.csr -CA intermediate-ca.pem -CAkey intermediate-ca-key.pem \
+  -CAcreateserial -out intermediate-server.pem -days 3650 -sha256 \
+  -extfile <(printf "$EXT_LEAF")
+rm _imsrv.csr
+cat intermediate-server.pem intermediate-ca.pem > chain.pem
+
+# RSA root CA
+openssl req -x509 -newkey rsa:2048 -keyout rsa-root-ca-key.pem -nodes \
+  -out rsa-root-ca.pem -sha256 -days 3650 -subj "$SUBJ_RSA_CA" \
+  -addext "basicConstraints=critical,CA:TRUE" \
+  -addext "subjectKeyIdentifier=hash"
+
+# RSA server cert
+openssl req -newkey rsa:2048 -keyout rsa-leaf-server-key.pem -nodes \
+  -out _rsasrv.csr -sha256 -subj "$SUBJ_SRV"
+openssl x509 -req -CA rsa-root-ca.pem -CAkey rsa-root-ca-key.pem \
+  -in _rsasrv.csr -out rsa-leaf-server.pem -days 3650 -sha256 -CAcreateserial \
+  -extfile <(printf "$EXT_LEAF")
+rm _rsasrv.csr
+
+# RSA client cert
+openssl req -newkey rsa:2048 -keyout rsa-leaf-client-key.pem -nodes \
+  -out _rsacli.csr -sha256 -subj "$SUBJ_CLI"
+openssl x509 -req -CA rsa-root-ca.pem -CAkey rsa-root-ca-key.pem \
+  -in _rsacli.csr -out rsa-leaf-client.pem -days 3650 -sha256 -CAcreateserial \
+  -extfile <(printf "$EXT_LEAF")
+rm _rsacli.csr