#! /usr/bin/env bash

# Create a root CA, signing a leaf cert with a KDC principal otherName SAN, and
# also a non-UTF8 smtpUtf8Mailbox SAN followed by an rfc822Name SAN and a DNS
# name SAN.  In the vulnerable EAI code, the KDC principal `otherName` should
# trigger ASAN errors in DNS name checks, while the non-UTF8 `smtpUtf8Mailbox`
# should likewise lead to ASAN issues with email name checks.

rm -f root-key.pem root-cert.pem
openssl req -nodes -new -newkey rsa:2048 -keyout kdc-root-key.pem \
        -x509 -subj /CN=Root -days 36524 -out kdc-root-cert.pem

exts=$(
    printf "%s\n%s\n%s\n%s = " \
        "subjectKeyIdentifier = hash" \
        "authorityKeyIdentifier = keyid" \
        "basicConstraints = CA:false" \
        "subjectAltName"
    printf "%s, " "otherName:1.3.6.1.5.2.2;SEQUENCE:kdc_princ_name"
    printf "%s, " "otherName:1.3.6.1.5.5.7.8.9;IA5:moe@example.com"
    printf "%s, " "email:joe@example.com"
    printf "%s\n" "DNS:mx1.example.com"
    printf "[kdc_princ_name]\n"
    printf "realm = EXP:0, GeneralString:TEST.EXAMPLE\n"
    printf "principal_name = EXP:1, SEQUENCE:kdc_principal_seq\n"
    printf "[kdc_principal_seq]\n"
    printf "name_type = EXP:0, INTEGER:1\n"
    printf "name_string = EXP:1, SEQUENCE:kdc_principal_components\n"
    printf "[kdc_principal_components]\n"
    printf "princ1 = GeneralString:krbtgt\n"
    printf "princ2 = GeneralString:TEST.EXAMPLE\n"
    )

printf "%s\n" "$exts"

openssl req -nodes -new -newkey rsa:2048 -keyout kdc-key.pem \
    -subj "/CN=TEST.EXAMPLE" |
    openssl x509 -req -out kdc-cert.pem \
        -CA "kdc-root-cert.pem" -CAkey "kdc-root-key.pem" \
        -set_serial 2 -days 36524 \
        -extfile <(printf "%s\n" "$exts")