This goes from being a single set of keys for ECDSA (with a
purposeful mix of curves) to a set of keys per curve.
That means we can avoid P521 chains in tests when it is not supported.
In those tests, reflect this as additional `KeyType` variants.

Previously the test-ca `build-a-pki.sh` script would revoke each key
type's client certificate to produce a `client.revoked.crl.pem` CRL.
In this commit we update the script to do the same for each key type's
intermediate cert (`inter.cert`) to produce an `inter.revoked.crl.pem`,
as well as the server ee cert (`end.cert`) to produce
an `end.revoked.crl.pem` file. This will be useful for testing the chain
depth revocation controls, and the server verifier CRL support.

This commit updates the `build-a-pki.sh` script to generate example
certificate revocation lists (CRLs) that mark each of the client
certificates as revoked. These can be used by server tests to ensure CRL
validation works as expected.
The process of generating CRLs using `openssl` is... well... not
great...
It can't be done without using `openssl ca`, which in turn requires
using an `openssl.cnf` with all the associated warts. I've done my best
to create the absolute minimum configuration that can be used for our
purposes.
Using `openssl ca` also requires writing some intermediate state. The
script is updated to create/delete this state through the process of
generating the CRLs. This should be sufficient for our needs. Blech.
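For reference, an added example (not the test-ca `build-a-pki.sh` script itself) of the minimal `openssl ca` arrangement the commit describes: a throwaway P-256 CA and end-entity cert are constructed as test data, the cert is revoked to produce an `end.revoked.crl.pem`-style CRL, and the `openssl ca` scratch state (`index.txt`, `crlnumber`, the generated `openssl.cnf`) is deleted afterwards. The work-directory layout, file names and subject names are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not the test-ca script: the smallest `openssl ca` setup that
# revokes one certificate, emits a CRL, and then removes the CA scratch state.
set -eu

# Minimum openssl.cnf that `openssl ca -revoke`/`-gencrl` accept: `database` is
# mandatory, `crlnumber` yields a v2 CRL carrying a CRL Number extension, and
# default_md/default_crl_days stand in for `-md`/`-crldays` on the command line.
write_min_ca_cnf() {  # $1 = work dir
  cat > "$1/openssl.cnf" <<EOF
[ ca ]
default_ca = minimal_ca
[ minimal_ca ]
database         = $1/index.txt
crlnumber        = $1/crlnumber
default_md       = sha256
default_crl_days = 30
EOF
  : > "$1/index.txt"        # empty certificate database
  echo 01 > "$1/crlnumber"  # next CRL number, in hex
}

# Constructed test data: a throwaway P-256 CA and one end-entity cert it issued.
make_test_pki() {  # $1 = work dir
  openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -subj /CN=example-ca -days 30 -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -subj /CN=example-end -keyout "$1/end.key" -out "$1/end.csr" 2>/dev/null
  openssl x509 -req -in "$1/end.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
    -CAcreateserial -days 30 -out "$1/end.crt" 2>/dev/null
}

# Revoke cert $2 with the CA in $1, write the CRL to $3, delete the scratch state.
gen_revoked_crl() {  # $1 = work dir holding ca.crt/ca.key, $2 = cert, $3 = CRL out
  write_min_ca_cnf "$1"
  openssl ca -config "$1/openssl.cnf" -cert "$1/ca.crt" -keyfile "$1/ca.key" \
    -revoke "$2" 2>/dev/null
  openssl ca -config "$1/openssl.cnf" -cert "$1/ca.crt" -keyfile "$1/ca.key" \
    -gencrl -out "$3" 2>/dev/null
  rm -f "$1"/index.txt* "$1"/crlnumber* "$1/openssl.cnf"
}

# Succeeds only when chain validation with CRL checking rejects $3 as revoked.
cert_is_revoked() {  # $1 = CA cert, $2 = CRL file, $3 = end-entity cert
  openssl verify -crl_check -CAfile "$1" -CRLfile "$2" "$3" 2>&1 \
    | grep -q 'certificate revoked'
}
```

Without `-crl_check` the same `openssl verify` call still accepts `end.crt`, which is the behaviour a server-side CRL test has to distinguish.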

Prior to this commit some helper scripts used hardcoded paths to
`/bin/sh` and `/bin/bash` in script shebangs. This will error on systems
that don't place `bash` in `/bin/` (e.g. NixOS).
This commit updates the scripts to use `/usr/bin/env` to find `bash`
based on the user's `$PATH`. This has better portability and allows the
scripts to run without error (or specifying an interpreter explicitly) on
systems with atypical `bash` installs.