-#!/bin/bash
+#!/bin/sh
#
# Copyright (c) Members of the EGEE Collaboration. 2004.
}
function create_cert_proxy {
+
+ echo "create_cert_proxy Start"
+
filebase=$1
export FILEBASE=${filebase}
export CN=$2
- ending=$3
+ ident=$3
export PROXYNAME=$4
validity=$5
- echo "Creating a proxy cert for '$CN/CN=$PROXYNAME'"
- echo " in files named $filebase$ending.(cert|priv)"
+
+# create_cert_proxy $CERT_DIR/${catype}_client "$catype client" proxy "proxy" 1
+# create_cert_proxy $CERT_DIR/${catype}_client "$catype client" proxy_exp "expired proxy" -1
+
+ ending="grid_proxy"
+ export BITS=512
+
+ # This really depends on if we make a proxy or a proxy-proxy
+ X509_SIGNING_CERT=${filebase}.cert
+ X509_SIGNING_KEY=${filebase}.priv
+
+ X509_PROX_CERT=${filebase}.${ident}.cert
+ X509_PROX_KEY=${filebase}.${ident}.priv
+ X509_PROX_REQ=${filebase}.${ident}.req
+ X509_PROX_GRID=${filebase}.${ident}.${ending}
+
+ echo "Creating a proxy cert ${X509_PROX_CERT} for '$CN/CN=$PROXYNAME'"
+ echo " in files named $filebase.(cert|priv)"
echo " with $validity days validity time"
- CMD="openssl req -out ${filebase}.proxy.req -new -keyout ${filebase}.proxy.priv \
+ # Get the serial number of the certificate that will eventually sign the proxy.
+ # Put it into a temporary file to be read by the ca command later.
+ SERIAL="`openssl x509 -in ${filebase}.cert -noout -serial | sed 's/^serial=//'`"
+ echo ${SERIAL} > ${CA_DIR}/serial_proxy.txt
+
+ # Have to 'edit' the ca database to remove the entry for the signing certificate.
+ # maybe no need... make a dummy database, touch and then delete afterwards...
+ touch ${CA_DIR}/index_proxy.txt
+
+ CMD="openssl genrsa -f4 -out ${X509_PROX_KEY} ${BITS}; chmod 400 ${filebase}.proxy.priv"
+ echo $CMD; $CMD
+
+ # Create the certificate request.
+ CMD="openssl req -new -out ${X509_PROX_REQ} \
+ -key ${X509_PROX_KEY} \
-config ${REQ_PROXY_CONFIG_FILE}"
echo $CMD; $CMD
- CMD="openssl ca -in ${filebase}.proxy.req -cert ${filebase}.cert \
- -keyfile ${filebase}.priv \
- -out ${filebase}.proxy.cert \
+
+ # Sign the cert request with the user cert and key. Set the serial number here!
+
+ CMD="openssl ca -in ${X509_PROX_REQ} \
+ -cert ${X509_SIGNING_CERT} \
+ -keyfile ${X509_SIGNING_KEY} \
+ -out ${X509_PROX_CERT} \
-outdir . \
- -config ${CA_CONF} -md md5 -days 2 -batch \
- -verbose -passin pass:${PASSWORD}"
+ -config ${CA_PROXY_CONF} -md md5 -days ${validity} -batch \
+ -verbose -passin pass:${PASSWORD} -notext \
+ -extensions proxy_none "
echo $CMD; $CMD
- openssl x509 -in ${filebase}.proxy.cert -text > ${filebase}.proxy.cert.tmp
- cp ${filebase}.proxy.cert.tmp ${filebase}.proxy.cert
- openssl pkcs12 -in ${filebase}.proxy.cert.tmp -out ${filebase}.proxy.p12 -export \
- -inkey ${filebase}.proxy.priv -passin pass:$PASSWORD -passout pass:$PASSWORD \
+ # Add the user and proxy certs and the proxy private key to the keystore
+ openssl pkcs12 -in ${X509_PROX_CERT} \
+ -out ${filebase}.proxy.p12 -export \
+ -inkey ${X509_PROX_KEY} \
+ -passin pass:${PASSWORD} -passout pass:${PASSWORD} \
-name "${catype} proxy certificate" -certfile ${filebase}.cert
- cp ${filebase}.proxy.cert ${filebase}.grid_proxy
- openssl rsa -in ${filebase}.proxy.priv -passin pass:$PASSWORD >> ${filebase}.grid_proxy
- cat ${filebase}.cert >> ${filebase}.grid_proxy
+ # Create a grid proxy file...
+ # Copy the proxy cert to the grid proxy file.
+ cp ${X509_PROX_CERT} ${X509_PROX_GRID}
+
+ # Now add the proxy private key to the grid proxy file.
+ openssl rsa -in ${X509_PROX_KEY} -passin pass:${PASSWORD} >> ${X509_PROX_GRID}
+
+ # Now add the original certificate used to sign the request to the proxy file.
+ # This should be the certificate issued by the CA to the 'user'.
+ openssl x509 -in ${X509_SIGNING_CERT} >> ${X509_PROX_GRID}
+ chmod 600 ${X509_PROX_GRID}
+
+ # Clean up stuff
+ rm ${CA_DIR}/serial_proxy.txt ${CA_DIR}/index_proxy.txt
}
+
function create_cert_proxy_proxy {
+
+ echo "create_cert_proxy_proxy Start"
+ filebase=$1
+ export FILEBASE=${filebase}
+ export CN=$2
+ ident=$3
+ export PROXYNAME=$4
+ validity=$5
+ signing_pair=$6
+
+ ending="grid_proxy_proxy"
+ export BITS=512
+
+ # This really depends on if we make a proxy or a proxy-proxy
+ X509_SIGNING_CERT=${filebase}.${signing_pair}.cert # eg. trusted_client.proxy_exp.cert
+ echo $X509_SIGNING_CERT
+ X509_SIGNING_KEY=${filebase}.${signing_pair}.priv
+
+ X509_PROX_CERT=${filebase}.${ident}.proxy.cert
+ X509_PROX_KEY=${filebase}.${ident}.proxy.priv
+ X509_PROX_REQ=${filebase}.${ident}.proxy.req
+ X509_PROX_GRID=${filebase}.${ident}.proxy.${ending}
+
+ # Get the serial number of the certificate that will eventually sign the proxy.
+ # Put it into a temporary file to be read by the ca command later.
+ SERIAL="`openssl x509 -in ${X509_SIGNING_CERT} -noout -serial | sed 's/^serial=//'`"
+ echo ${SERIAL} > ${CA_DIR}/serial_proxy.txt
+
+ # Have to 'edit' the ca database to remove the entry for the signing certificate.
+ # maybe no need... make a dummy database, touch and then delete afterwards...
+ touch ${CA_DIR}/index_proxy.txt
+
+ CMD="openssl genrsa -f4 -out ${X509_PROX_KEY} ${BITS}; chmod 400 ${filebase}.proxy.proxy.priv"
+ echo $CMD; $CMD
+
+ # Create the certificate request.
+ CMD="openssl req -new -out ${X509_PROX_REQ} \
+ -key ${X509_PROX_KEY} \
+ -config ${REQ_PROXY_PROXY_CONFIG_FILE}"
+ echo $CMD; $CMD
+
+ # Sign the cert request with the user cert and key. Set the serial number here!
+
+ CMD="openssl ca -in ${X509_PROX_REQ} \
+ -cert ${X509_SIGNING_CERT} \
+ -keyfile ${X509_SIGNING_KEY} \
+ -out ${X509_PROX_CERT} \
+ -outdir . \
+ -config ${CA_PROXY_CONF} -md md5 -days ${validity} -batch \
+ -verbose \
+ -passin pass:${PASSWORD} -notext \
+ -extensions proxy_none "
+ echo $CMD; $CMD
+
+ # Add the user and proxy certs and the proxy private key to the keystore
+ openssl pkcs12 -in ${X509_PROX_CERT} \
+ -out ${filebase}.proxy.proxy.p12 -export \
+ -inkey ${X509_PROX_KEY} \
+ -passin pass:${PASSWORD} -passout pass:${PASSWORD} \
+ -name "${catype} proxy certificate" -certfile ${X509_SIGNING_CERT}
+
+ # Create a grid proxy file...
+ # Copy the proxy cert to the grid proxy file.
+ cp ${X509_PROX_CERT} ${X509_PROX_GRID}
+
+ # Now add the proxy private key to the grid proxy file.
+ openssl rsa -in ${X509_PROX_KEY} -passin pass:${PASSWORD} >> ${X509_PROX_GRID}
+
+ # Now add the original certificate used to sign the request to the proxy file.
+ # This should be the certificate issued by the CA to the 'user'.
+ openssl x509 -in ${X509_SIGNING_CERT} >> ${filebase}.${ending}
+ chmod 600 ${X509_PROX_GRID}
+
+ # Clean up stuff
+ rm ${CA_DIR}/serial_proxy.txt ${CA_DIR}/index_proxy.txt \
+ ${X509_PROX_REQ} ${X509_PROX_CERT} ${X509_PROX_KEY} \
+ ## ${filebase}.proxy.priv ${filebase}.proxy.cert
+}
+
+function create_cert_proxy_proxy_old {
+
filebase=$1
+ export FILEBASE=${filebase}
export CN=$2
ending=$3
export PROXYNAME=$4
validity=$5
- echo "Creating a proxy cert for '$CN/CN=$PROXYNAME'"
- echo " in files named $filebase$ending.(cert|priv)"
+ signing_pair=$6
+
+ export BITS=512
+ X509_SIGNING_CERT=${filebase}.proxy.cert
+ X509_SIGNING_KEY=${filebase}.proxy.priv
+
+ X509_PROX_CERT=${filebase}.proxy.proxy.cert
+ X509_PROX_KEY=${filebase}.proxy.proxy.priv
+ X509_PROX_REQ=${filebase}.proxy.proxy.req
+
+ echo "Creating a proxy proxy cert for '$CN/CN=$PROXYNAME'"
+ echo " in files named $filebase.(cert|priv)"
echo " with $validity days validity time"
- #TODO: write the body
+ # Get the serial number of the certificate that will eventually sign the proxy.
+ # Put it into a temporary file to be read by the ca command later.
+ SERIAL="`openssl x509 -in ${X509_SIGNING_CERT} -noout -serial | sed 's/^serial=//'`"
+ echo ${SERIAL} > ${CA_DIR}/serial_proxy.txt
+
+ # Have to 'edit' the ca database to remove the entry for the signing certificate.
+ # maybe no need... make a dummy database, touch and then delete afterwards...
+ touch ${CA_DIR}/index_proxy.txt
+
+ CMD="openssl genrsa -f4 -out ${X509_PROX_KEY} ${BITS}; chmod 400 ${filebase}.proxy.proxy.priv"
+ echo $CMD; $CMD
+
+ # Create the certificate request.
+ CMD="openssl req -new -out ${X509_PROX_REQ} \
+ -key ${X509_PROX_KEY} \
+ -config ${REQ_PROXY_PROXY_CONFIG_FILE}"
+ echo $CMD; $CMD
+
+ # Sign the cert request with the user cert and key. Set the serial number here!
+
+ CMD="openssl ca -in ${X509_PROX_REQ} \
+ -cert ${X509_SIGNING_CERT} \
+ -keyfile ${X509_SIGNING_KEY} \
+ -out ${X509_PROX_CERT} \
+ -outdir . \
+ -config ${CA_PROXY_CONF} -md md5 -days ${validity} -batch \
+ -verbose \
+ -passin pass:${PASSWORD} -notext \
+ -extensions proxy_none "
+ echo $CMD; $CMD
+
+ # Add the user and proxy certs and the proxy private key to the keystore
+ openssl pkcs12 -in ${X509_PROX_CERT} \
+ -out ${filebase}.proxy.proxy.p12 -export \
+ -inkey ${X509_PROX_KEY} \
+ -passin pass:${PASSWORD} -passout pass:${PASSWORD} \
+ -name "${catype} proxy certificate" -certfile ${X509_SIGNING_CERT}
+
+ # Create a grid proxy file...
+ # Copy the proxy cert to the grid proxy file.
+ cp ${X509_PROX_CERT} ${X509_PROX_GRID}
+
+ # Now add the proxy private key to the grid proxy file.
+ openssl rsa -in ${X509_PROX_KEY} -passin pass:${PASSWORD} >> ${X509_PROX_GRID}
+
+ # Now add the original certificate used to sign the request to the proxy file.
+ # This should be the certificate issued by the CA to the 'user'.
+ openssl x509 -in ${X509_SIGNING_CERT} >> ${filebase}.${ending}
+ chmod 600 ${X509_PROX_GRID}
+
+ # Clean up stuff
+ rm ${CA_DIR}/serial_proxy.txt ${CA_DIR}/index_proxy.txt \
+ ${X509_PROX_REQ} ${X509_PROX_CERT} ${X509_PROX_KEY} \
+ ## ${filebase}.proxy.priv ${filebase}.proxy.cert
}
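Review bot: The `chmod 400` in the genrsa line never executes, because `$CMD` is expanded into a single argument list and the `;` inside the quoted string is handed to openssl literally rather than acting as a command separator, so the freshly generated proxy private key is left with umask-default permissions (the same pattern recurs in create_cert_proxy_proxy and create_cert_proxy_proxy_old, where the chmod target is also the hard-coded `.proxy.proxy.priv` rather than `${X509_PROX_KEY}`). Run them as two statements against the real key path: `openssl genrsa -f4 -out "${X509_PROX_KEY}" "${BITS}"` followed by `chmod 400 "${X509_PROX_KEY}"`. The grid proxy file has a similar window — the private key is appended before the `chmod 600` — so consider a `umask 077` at the top of each function, or chmod-ing immediately after the `cp`. In create_cert_proxy_proxy the signing cert is appended to `${filebase}.${ending}` instead of `${X509_PROX_GRID}`, so the proxy-proxy file is written without its issuer cert and a stray file is created. Note also that the commit switches the shebang to `#!/bin/sh` while the added create_cert_proxy_proxy_old still uses the bash-only `function` keyword, which a POSIX sh will reject.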
# create some certificates and copy them to convenient locations
create_cert $CERT_DIR/${catype}_client "$LOGNAME" client $DAYS
create_cert $CERT_DIR/${catype}_server "$HOSTNAME" server $DAYS
# And put them in the stage directory.
- cp $CERT_DIR/${catype}_client.cert ../../../usercert.pem
- cp $CERT_DIR/${catype}_client.priv ../../../userkey.pem
- cp $CERT_DIR/${catype}_server.cert ../../../hostcert.pem
- cp $CERT_DIR/${catype}_server.priv ../../../hostkey.pem
+ mv $CERT_DIR/${catype}_client.cert ../../../usercert.pem
+ mv $CERT_DIR/${catype}_client.priv ../../../userkey.pem
+ mv $CERT_DIR/${catype}_server.cert ../../../hostcert.pem
+ mv $CERT_DIR/${catype}_server.priv ../../../hostkey.pem
fi
# create valid certs with proxies
create_cert $CERT_DIR/${catype}_client "$catype client" client $DAYS
- create_cert_proxy $CERT_DIR/${catype}_client "$catype client" _proxy "proxy" $DAYS
- create_cert_proxy $CERT_DIR/${catype}_client "$catype client" _proxy_exp "expired proxy" -1
+ create_cert_proxy $CERT_DIR/${catype}_client "$catype client" proxy "proxy" 1
+ create_cert_proxy $CERT_DIR/${catype}_client "$catype client" proxy_exp "expired proxy" -1
+
+ create_cert_proxy_proxy $CERT_DIR/${catype}_client "$catype client" proxy_proxy "proxy" 1 proxy
+ create_cert_proxy_proxy $CERT_DIR/${catype}_client "$catype client" proxy_proxy_exp "expired proxy" -1 proxy_exp
+ break;
+
+ # These below have to be fixed to the new method of calling.
create_cert $CERT_DIR/${catype}_fclient "$catype flag client" fclient $DAYS
create_cert_proxy $CERT_DIR/${catype}_fclient "$catype flag client" _proxy "proxy" $DAYS
create_cert_proxy $CERT_DIR/${catype}_fclient "$catype flag client" _proxy_exp "expired proxy" -1
openssl ca -revoke $CERT_DIR/${catype}_none_rev.cert -config $CA_CONF
# some extra certificates
- create_cert_proxy $CERT_DIR/${catype}_client "$catype client dnerror" _proxy_dnerror "proxy" $DAYS
- create_cert_proxy_proxy $CERT_DIR/${catype}_client_proxy "$catype client" _proxy "proxy" "proxy" $DAYS
- create_cert_proxy_proxy $CERT_DIR/${catype}_client_proxy "$catype client" _proxy_dnerror "proxy dnerror" "proxy" $DAYS
+ # create_cert_proxy $CERT_DIR/${catype}_client "$catype client dnerror" _proxy_dnerror "proxy" $DAYS
# generating CRL
openssl ca -gencrl -crldays 10000 -out $CA_DIR/${catype}.crl -config $CA_CONF
}
+function create_all_test {
+
+ # If we have the trusted CA, then generate a user cert/key pair
+ # And also a host cert/key pair.
+
+ if [ "$catype" == "trusted" ]; then
+ # Create a user and host certificate
+ create_cert $CERT_DIR/${catype}_client "$LOGNAME" client $DAYS
+ create_cert $CERT_DIR/${catype}_server "$HOSTNAME" server $DAYS
+ # And put them in the stage directory.
+ mv $CERT_DIR/${catype}_client.cert ../../../usercert.pem
+ mv $CERT_DIR/${catype}_client.priv ../../../userkey.pem
+ mv $CERT_DIR/${catype}_server.cert ../../../hostcert.pem
+ mv $CERT_DIR/${catype}_server.priv ../../../hostkey.pem
+ fi
+
+ # create valid certs with proxies
+ create_cert $CERT_DIR/${catype}_client "$catype client" client $DAYS
+ DAYS=1
+ create_cert_proxy $CERT_DIR/${catype}_client "$catype client" grid_proxy "proxy" $DAYS
+ create_cert_proxy_proxy $CERT_DIR/${catype}_client "$catype client" grid_proxy_proxy "proxy" $DAYS
+
+}
+
############################## main ################################
if [ -z "$BASEDIR" ]; then
export CA_DIR=${catype}-ca
export CERT_DIR=${catype}-certs
export CA_CONF=$CA_DIR/ca_conf.cnf
+ export CA_PROXY_CONF=$CA_DIR/ca_proxy_conf.cnf
export REQ_CONFIG_FILE=$CA_DIR/req_conf.cnf
export REQ_PROXY_CONFIG_FILE=$CA_DIR/req_proxy_conf.cnf
export REQ_PROXY_PROXY_CONFIG_FILE=$CA_DIR/req_proxy_proxy_conf.cnf
if [ -n "$ALL" ]; then
create_all
+ ## create_all_test
else
create_some
fi
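Review bot: The `break;` added after the proxy_proxy_exp call sits in a function body, not a loop, so whether it stops the following "have to be fixed" calls depends on the shell and version (bash historically lets it break a caller's loop, POSIX sh treats it as an error), and the fclient/revoke/CRL steps below it may still run with the old `_proxy` argument convention; an explicit `return 0` (or commenting the stale calls out) would make the intent deterministic. create_all starts outside this hunk. In the new create_all_test, `create_cert_proxy_proxy` is called with five arguments, so `signing_pair` is empty and the signing cert resolves to `${filebase}..cert`, which no earlier step produces; it presumably needs the trailing `proxy` argument as in create_all, and its `DAYS=1` assignment clobbers the global used by later certificate creation. The `[ "$catype" == "trusted" ]` test is also a bashism under the new `#!/bin/sh` shebang; `[ "$catype" = "trusted" ]` is the portable form. create_all_test is currently commented out in main, so these only bite once it is enabled.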