Merge pull request #65 from rabbitmq/lukebakken/generate-direct-certs-in-one-intermediate

Add "direct" certs to one_intermediate

Author: michaelklishin

one_intermediate/README.md

@@ -1,10 +1,29 @@
 # Chained (With One Intermediate) Certificates
 
-This tls-gen variation generates a root CA, one intermediary CA and two
-certificate/key pairs signed by the intermediate CA:
+This tls-gen variation generates a root CA, one intermediary CA and four
+certificate/key pairs:
 
  * Chain 1: root CA => intermediate 1 => client certificate/key pair
  * Chain 2: root CA => intermediate 1 => server certificate/key pair
+ * Chain 3: root CA => client_direct certificate/key pair (no intermediate)
+ * Chain 4: root CA => server_direct certificate/key pair (no intermediate)
+
+## Certificate Chain Structure
+
+```
+Root CA
+    │
+    ├─→ Intermediate CA
+    │       │
+    │       ├─→ server_certificate.pem
+    │       └─→ client_certificate.pem
+    │
+    ├─→ server_direct_certificate.pem
+    └─→ client_direct_certificate.pem
+```
+
+All certificates share the same root CA, allowing you to test both intermediate
+and direct certificate chains with a single trusted root.
 
 ## Generating
 
@@ -15,10 +34,10 @@ make
 ls -lha ./result
 ```
 
-Generated CA certificate as well as client and server certificate and private keys will be
-under the `result` directory.
+Generated CA certificates as well as four certificate/key pairs (server, client,
+server_direct, and client_direct) will be under the `result` directory.
 
-It possible to use [ECC][ecc-intro] for intermediate and leaf keys:
+It is possible to use [ECC][ecc-intro] for intermediate and leaf keys:
 
 ```
 # pass a private key password using the PASSWORD variable if needed
@@ -46,15 +65,19 @@ The `regen` target accepts the same variables as `gen` (default target) above.
 
 ### Verification
 
-You can verify the generated client and server certificates against the generated CA one with
+You can verify the generated certificates against the CA chain with
 
 ``` shell
 make verify
 ```
 
+This verifies the intermediate-signed certificates (server and client) against
+the full CA chain. The direct certificates (server_direct and client_direct)
+can be verified directly against the root CA.
+
 ## Certificate Information
 
-To display client and server certificate information, use
+To display certificate information for all generated certificates, use
 
 ``` shell
 make info

one_intermediate/openssl.cnf

@@ -73,6 +73,25 @@ subjectAltName   = @server_alt_names
 subjectKeyIdentifier = hash
 authorityKeyIdentifier = keyid,issuer
 
+# The following sections are duplicates of the above, required because
+# OpenSSL's ca command looks for extensions named {peer}_extensions.
+# When generating certificates with peer names 'server_direct' and 'client_direct',
+# OpenSSL expects to find 'server_direct_extensions' and 'client_direct_extensions'.
+
+[ server_direct_extensions ]
+basicConstraints = CA:false
+keyUsage         = digitalSignature,keyEncipherment
+extendedKeyUsage = serverAuth
+subjectAltName   = @server_alt_names
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer
+
+[ client_direct_extensions ]
+basicConstraints = CA:false
+keyUsage         = digitalSignature,keyEncipherment
+extendedKeyUsage = clientAuth
+subjectAltName   = @client_alt_names
+
 [ client_alt_names ]
 DNS.1 = $common_name
 DNS.2 = $client_alt_name

one_intermediate/profile.py

@@ -18,6 +18,8 @@ def _copy_artifacts_to_results():
     g.copy_root_ca_certificate_and_key_pair()
     g.copy_leaf_certificate_and_key_pair("server")
     g.copy_leaf_certificate_and_key_pair("client")
+    g.copy_leaf_certificate_and_key_pair("server_direct")
+    g.copy_leaf_certificate_and_key_pair("client_direct")
 
 
 def _concat_certificates():
@@ -48,6 +50,18 @@ def generate(opts):
     g.generate_client_certificate_and_key_pair(opts,
                                                parent_certificate_path=p.intermediate_ca_certificate_path("1"),
                                                parent_key_path=p.intermediate_ca_key_path("1"))
+    print("Will generate server certificate/key pair signed directly by the root CA")
+    g.generate_leaf_certificate_and_key_pair('server_direct', opts,
+                                             peer_path='server_direct',
+                                             parent_certificate_path=p.root_ca_certificate_path(),
+                                             parent_key_path=p.root_ca_key_path(),
+                                             parent_certs_path=p.root_ca_certs_path())
+    print("Will generate client certificate/key pair signed directly by the root CA")
+    g.generate_leaf_certificate_and_key_pair('client_direct', opts,
+                                             peer_path='client_direct',
+                                             parent_certificate_path=p.root_ca_certificate_path(),
+                                             parent_key_path=p.root_ca_key_path(),
+                                             parent_certs_path=p.root_ca_certs_path())
     _copy_artifacts_to_results()
     _concat_certificates()
     print("Done! Find generated certificates and private keys under ./result!")
@@ -58,7 +72,9 @@ def clean(opts):
               p.intermediate_ca_path("1"),
               p.result_path(),
               p.leaf_pair_path("server"),
-              p.leaf_pair_path("client")]:
+              p.leaf_pair_path("client"),
+              p.leaf_pair_path("server_direct"),
+              p.leaf_pair_path("client_direct")]:
         print("Removing {}".format(s))
         try:
             shutil.rmtree(s)
@@ -75,11 +91,16 @@ def verify(opts):
     print("Will verify generated certificates against the CA certificate chain...")
     v.verify_leaf_certificate_against_ca_chain("client")
     v.verify_leaf_certificate_against_ca_chain("server")
+    print("Will verify direct certificates against the root CA...")
+    v.verify_leaf_certificate_against_root_ca("client_direct")
+    v.verify_leaf_certificate_against_root_ca("server_direct")
 
 
 def info(opts):
     i.leaf_certificate_info("client")
     i.leaf_certificate_info("server")
+    i.leaf_certificate_info("client_direct")
+    i.leaf_certificate_info("server_direct")
 
 
 def alias_leaf_artifacts(opts):