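#!/usr/bin/env bash
#
# Regression-fixture generator for the EAI (smtpUtf8Mailbox) name checks.
#
# Creates a throwaway root CA and uses it to sign a leaf certificate whose
# subjectAltName carries, in this order:
#   1. a KDC principal otherName (1.3.6.1.5.2.2),
#   2. an smtpUtf8Mailbox otherName (1.3.6.1.5.5.7.8.9) deliberately encoded
#      as IA5String instead of UTF8String,
#   3. an rfc822Name, and
#   4. a DNS name.
# In the vulnerable EAI code, the KDC principal otherName should trigger ASAN
# errors in DNS name checks, while the non-UTF8 smtpUtf8Mailbox should
# likewise lead to ASAN issues with email name checks.
#
# Outputs (current directory): kdc-root-key.pem, kdc-root-cert.pem,
# kdc-key.pem, kdc-cert.pem.  Both private keys are written unencrypted
# (-nodes) and both certificates are valid for 36524 days: this is test
# material only and must never be added to a real trust store.

# Stop at the first failing step so a broken CA run cannot be followed by a
# leaf-signing step that silently uses stale or missing CA files.
set -euo pipefail

# Remove the CA files this script regenerates.  The names must match the
# -keyout/-out arguments below; the bare root-*.pem names would leave stale
# CA output in place and could delete an unrelated fixture instead.
rm -f -- kdc-root-key.pem kdc-root-cert.pem

# Self-signed root CA used only to sign the leaf below.
openssl req -nodes -new -newkey rsa:2048 -keyout kdc-root-key.pem \
        -x509 -subj /CN=Root -days 36524 -out kdc-root-cert.pem

# Extension file for the leaf.  The quoted heredoc keeps the text literal; the
# subjectAltName entry has to stay on one line, and the bracketed sections
# after it define the ASN.1 structure of the KDC principal otherName.
exts=$(
    cat <<'EOF'
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
basicConstraints = CA:false
subjectAltName = otherName:1.3.6.1.5.2.2;SEQUENCE:kdc_princ_name, otherName:1.3.6.1.5.5.7.8.9;IA5:moe@example.com, email:joe@example.com, DNS:mx1.example.com
[kdc_princ_name]
realm = EXP:0, GeneralString:TEST.EXAMPLE
principal_name = EXP:1, SEQUENCE:kdc_principal_seq
[kdc_principal_seq]
name_type = EXP:0, INTEGER:1
name_string = EXP:1, SEQUENCE:kdc_principal_components
[kdc_principal_components]
princ1 = GeneralString:krbtgt
princ2 = GeneralString:TEST.EXAMPLE
EOF
    )

# Echo the extension text so the generated SAN layout is visible in the log.
printf "%s\n" "$exts"

# Generate the leaf key and CSR, then sign the CSR with the root CA.  The CSR
# is piped straight into `openssl x509 -req`; pipefail makes a failure of the
# CSR step fail the whole pipeline.
openssl req -nodes -new -newkey rsa:2048 -keyout kdc-key.pem \
    -subj "/CN=TEST.EXAMPLE" |
    openssl x509 -req -out kdc-cert.pem \
        -CA "kdc-root-cert.pem" -CAkey "kdc-root-key.pem" \
        -set_serial 2 -days 36524 \
        -extfile <(printf "%s\n" "$exts")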