--- /dev/null
+#!/bin/bash
+
+#
+# Copyright (c) Members of the EGEE Collaboration. 2004.
+# See http://public.eu-egee.org/partners/ for details on
+# the copyright holders.
+# For license conditions see the license file or
+# http://eu-egee.org/license.html
+#
+# Authors:
+# Joni Hahkala <Joni.Hahlaka@cern.ch>
+# Akos Frohner <Akos.Frohner@cern.ch>
+#
+
+BASEDIR=$1
+
+CONFIGDIR=$PWD/$(dirname $0)/../config
+CONFIGFILES="index.txt serial.txt ca_conf.cnf req_conf.cnf req_proxy_conf.cnf req_proxy_proxy_conf.cnf"
+export PASSWORD='changeit'
+CATYPES='trusted fake big expired'
+
+function create_ca {
+ catype=$1
+ CADIR=ca-${catype}
+ if [ ! -f ${CADIR}/serial.txt ]; then
+ mkdir -p ${CADIR}
+ cd ${CADIR}
+ for config in ${CONFIGFILES}; do
+ cp $CONFIGDIR/$config .
+ done
+
+ if [ "$catype" = "big" ]; then
+ export BITS=4096
+ else
+ export BITS=1024
+ fi
+
+ if [ "$catype" = "expired" ]; then
+ DAYS='-days -1'
+ else
+ DAYS='-days 10000'
+ fi
+
+ export CN="the $catype CA"
+ openssl req -new -x509 -out ca-${catype}.cert $DAYS -nodes \
+ -keyout ca-${catype}.priv -config req_conf.cnf
+ openssl pkcs12 -export -in ca-${catype}.cert -inkey ca-${catype}.priv \
+ -out ca-${catype}.p12 -passin "pass:$PASSWORD" -passout "pass:$PASSWORD"
+ echo -n "Generated CA certificate with "
+ openssl x509 -noout -subject -in ca-${catype}.cert
+ fi
+}
+
+############################## main ################################
+
+
+if [ ! -d "$BASEDIR" ]; then
+ echo "Error: no basedir is given!"
+ exit -1
+fi
+
+BASEDIR="$BASEDIR/share/test/glite-security-test-utils"
+mkdir -p $BASEDIR
+cd $BASEDIR
+ABSBASEDIR=$(pwd)
+
+for catype in $CATYPES; do
+ echo "+-----------------------"
+ echo "| $catype"
+ echo "+-----------------------"
+ create_ca $catype
+ cd $ABSBASEDIR
+done
+
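Review bot: The idempotence guard `if [ ! -f ${CADIR}/serial.txt ]` in create_ca is satisfied as soon as the config files are copied by `cp $CONFIGDIR/$config .`, so if either openssl command afterwards fails the half-built CA is never regenerated on a rerun; test the artefact the function actually produces instead, e.g. `if [ ! -f "${CADIR}/ca-${catype}.cert" ]; then`. In the same function `cd ${CADIR}` is unchecked and the script does not use `set -e`, so a failed cd would write the CA private key and certificate into the caller's directory — `mkdir -p "${CADIR}" && cd "${CADIR}" || return 1` prevents that, and quoting the expansions (`"$CONFIGDIR/$config"`, `"$BASEDIR"`, `"$(dirname "$0")"`) closes the word-splitting holes ShellCheck would flag. `CONFIGDIR=$PWD/$(dirname $0)/../config` yields a wrong path when the script is invoked by absolute path, since `$PWD/` is prepended to an already absolute directory. Finally `exit -1` is not a valid exit status (bash reports it as 255); the error branch should use `exit 1`, and its message "no basedir is given" is also printed when a basedir is given but does not exist.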
--- /dev/null
+[ca]\r
+default_ca = CA_default\r
+\r
+[CA_default]\r
+dir = $ENV::CA_DIR\r
+database = $dir/index.txt\r
+serial = $dir/serial.txt\r
+\r
+certificate = $dir/$ENV::CA_DIR.cert\r
+private_key = $dir/$ENV::CA_DIR.priv\r
+\r
+policy = policy_any\r
+\r
+[policy_any]\r
+countryName = supplied\r
+stateOrProvinceName = optional\r
+localityName = optional\r
+organizationName = optional\r
+organizationalUnitName = optional\r
+commonName = supplied\r
+emailAddress = optional\r
+\r
+[ ca_cert ]\r
+basicConstraints=CA:TRUE\r
+\r
+\r
+[ ca_server ]\r
+# This is OK for an SSL server.\r
+nsCertType = server\r
+nsComment = "OpenSSL Generated Server Certificate"\r
+\r
+# For an object signing certificate this would be used.\r
+# nsCertType = objsign\r
+\r
+[ ca_client ]\r
+# For normal client use this is typical\r
+nsCertType = client, email\r
+nsComment = "OpenSSL Generated Client Certificate"\r
+\r
+[ ca_clientserver ]\r
+# For normal client use this is typical\r
+nsCertType = server, client, email\r
+nsComment = "OpenSSL Generated Client Server Certificate"\r
+\r
+# and for everything including object signing:\r
+# nsCertType = client, email, objsign\r
+\r
+[ ca_client_flags ]\r
+# This is typical in keyUsage for a client certificate.\r
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment\r
+\r
+# This will be displayed in Netscape's comment listbox.\r
+nsComment = "OpenSSL Generated Client Certificate with Flags"\r
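Review bot: `[CA_default]` has no `new_certs_dir`, `default_md` or `default_days`, which `openssl ca` looks up in this section when `-outdir`, `-md` and `-days` are not given on the command line, so a signing run with only `-config ca_conf.cnf` fails at the config lookup rather than issuing a certificate (the script in the first hunk only calls `openssl req`, so this is not exercised there). Adding `new_certs_dir = $dir/newcerts`, `default_md = sha256` and `default_days = 30` (the lifetime the README hunk states) makes the section self-contained; the `newcerts` directory then has to exist, which the README layout already shows. `[ ca_cert ]` should read `basicConstraints = critical, CA:TRUE` with `keyUsage = critical, keyCertSign, cRLSign` alongside it, since a critical basic constraint plus a key usage is what a relying party checks to confirm the certificate is a CA. This hunk appears to use CRLF line endings (`\r`) while the proxy request config hunks use LF; OpenSSL's parser tolerates it, but normalising to LF avoids surprises in other tools that read these files.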
--- /dev/null
+[ req ]\r
+default_bits = $ENV::BITS\r
+default_keyfile = keyfile.pem\r
+distinguished_name = req_distinguished_name\r
+attributes = req_attributes\r
+prompt = no\r
+output_password = $ENV::PASSWORD\r
+ca_cert = CA_cert\r
+\r
+[ req_distinguished_name ]\r
+countryName = UG\r
+\r
+#stateOrProvinceName = South area\r
+\r
+localityName = Tropic\r
+\r
+organizationName = Utopia\r
+\r
+organizationalUnitName = Relaxation\r
+\r
+commonName = $ENV::CN\r
+\r
+#emailAddress = Email Address\r
+\r
+[ req_attributes ]\r
+#challengePassword = $ENV::PASSWORD\r
+\r
+[ CA_cert]\r
+basicConstraints = CA:true\r
+subjectKeyIdentifier=hash\r
+authorityKeyIdentifier=keyid:always,issuer:always\r
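Review bot: `ca_cert = CA_cert` in `[ req ]` is not a key that `openssl req` reads, so the `[ CA_cert]` section below is dead configuration and a CA certificate produced with `openssl req -new -x509 -config req_conf.cnf` gets no basicConstraints and no key identifiers from it (at least on OpenSSL 1.x, which adds no extensions to a self-signed certificate unless told to). The self-signed extension section is selected by `x509_extensions = CA_cert`. While fixing that, mark the constraint critical and add a key usage so relying parties can tell this is a CA key: `basicConstraints = critical, CA:true` and `keyUsage = critical, keyCertSign, cRLSign`. The same unrecognised `ca_cert = CA_cert` line appears in the two proxy request config hunks that follow.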
--- /dev/null
+[ req ]
+default_bits = 1024
+default_keyfile = keyfile.pem
+distinguished_name = req_distinguished_name
+attributes = req_attributes
+prompt = no
+output_password = $ENV::PASSWORD
+ca_cert = CA_cert
+
+[ req_distinguished_name ]
+countryName = UG
+
+#stateOrProvinceName = South area
+
+localityName = Tropic
+
+organizationName = Utopia
+
+organizationalUnitName = Relaxation
+
+0.commonName = $ENV::CN
+
+1.commonName = $ENV::PROXYNAME
+
+#emailAddress = Email Address
+
+[ req_attributes ]
+#challengePassword = $ENV::PASSWORD
+
+[ CA_cert]
+basicConstraints = CA:true
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid:always,issuer:always
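Review bot: `default_bits = 1024` is hard-coded here while the CA request config reads `default_bits = $ENV::BITS`, so proxy keys for the "big" CA are still 1024-bit and the key size cannot be varied per test; `default_bits = $ENV::BITS` keeps the request configs consistent, and the identical line in the following req_proxy_proxy hunk has the same issue. 1024-bit RSA is widely deprecated, so a fixed value here ages badly even for a test fixture. Note also that `[ CA_cert]` with `basicConstraints = CA:true` is an odd extension set for a proxy request; if it is ever wired in through `req_extensions` or `x509_extensions`, a proxy certificate should carry `basicConstraints = CA:false` instead.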
--- /dev/null
+[ req ]
+default_bits = 1024
+default_keyfile = keyfile.pem
+distinguished_name = req_distinguished_name
+attributes = req_attributes
+prompt = no
+output_password = $ENV::PASSWORD
+ca_cert = CA_cert
+
+[ req_distinguished_name ]
+countryName = UG
+
+#stateOrProvinceName = South area
+
+localityName = Tropic
+
+organizationName = Utopia
+
+organizationalUnitName = Relaxation
+
+0.commonName = $ENV::CN
+
+1.commonName = $ENV::PROXYNAME
+
+2.commonName = $ENV::PROXYPROXYNAME
+
+#emailAddress = Email Address
+
+[ req_attributes ]
+#challengePassword = $ENV::PASSWORD
+
+[ CA_cert]
+basicConstraints = CA:true
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid:always,issuer:always
--- /dev/null
+Untrusted Test Certificates
+===========================
+
+This module will create a hierarchy under <base>/share/test/certificates
+path containing CA, user and host certificates.
+
+It will also set up structures for testing host and user configurations
+inside this base directory:
+ home/.globus/
+ usercert.pem
+ userkey.pem
+ tmp/
+ x509_<uid>
+ etc/grid-security/
+ hostcert.pem
+ hostkey.pem
+ certificates/
+ <ca-big>.0
+ <ca-expired>.0
+ <ca-real>.0
+ # but not ca-fake.0 !
+
+For the 'stage' target <base> is <workspace>/stage, thus depending
+modules can pick it up during their build process. The certificates
+will be valid for 10 days.
+
+The module also has a 'dist' target, which will produce a binary
+distribution containing a set of certificates and keys valid for
+10 years after the build time.
+
+CA Certificates
+---------------
+ ca-real: a working CA
+ ca-expired: the CA certificate has an expiration day in the past
+ ca-big: the CA certificate has a long key (4096 bits)
+ ca-fake: the CA certificate is not installed anywhere, thus every
+ certificate depending on this would be fake
+
+ Host and user certificates are placed under the coresponding CA's
+ base directory in the 'certs' subdirectory.
+
+Host Certificates
+-----------------
+ For each CA there would be a similar set of host certificate generated.
+
+User Certificates
+-----------------
+ For each CA there would be a similar set of user certificates generated.
+
+Lifetime
+--------
+ The default lifetime of these certificates is 30 days from the generation
+ date. This should be sufficient for any testing purposes, since everything
+ can be easily regenerated running a simple script.
+
+VOMS credentials
+----------------
+ VOMS credentials are not included in this testing framework (yet).
+
+Example Layout
+--------------
+
+share/
+`-- test
+ `-- certificates
+ |-- ca-big
+ | |-- cacert.pem
+ | |-- certs
+ | |-- crls
+ | |-- index.txt
+ | |-- newcerts
+ | |-- private
+ | | `-- cakey.pem
+ | `-- serial
+ |-- ca-expired
+ | |-- cacert.pem
+ | |-- certs
+ | |-- crls
+ | |-- index.txt
+ | |-- newcerts
+ | |-- private
+ | | `-- cakey.pem
+ | `-- serial
+ |-- ca-fake
+ | |-- cacert.pem
+ | |-- certs
+ | |-- crls
+ | |-- index.txt
+ | |-- newcerts
+ | |-- private
+ | | `-- cakey.pem
+ | `-- serial
+ |-- ca-real
+ | |-- cacert.pem
+ | |-- certs
+ | |-- crls
+ | |-- index.txt
+ | |-- newcerts
+ | |-- private
+ | | `-- cakey.pem
+ | `-- serial
+ |-- etc
+ | `-- grid-security
+ | |-- certificates
+ | | |-- ca-big.pem
+ | | |-- ca-expired.pem
+ | | |-- ca-fake.pem
+ | | `-- ca-real.pem
+ | |-- hostcert.pem
+ | `-- hostkey.pem
+ |-- home
+ | `-- .globus
+ | |-- usercert.pem
+ | `-- userkey.pem
+ `-- tmp
+ `-- x509_1000