if [ ! -d 'grid-security/certificates' ]; then
mkdir -p 'grid-security/certificates'
fi
- hash=$(openssl x509 -hash -noout -in $CA_DIR/${catype}.cert)
- cp $CA_DIR/${catype}.cert grid-security/certificates/${hash}.0
- cp $CA_DIR/${catype}.crl grid-security/certificates/${hash}.r0
+ hash=$(openssl x509 -hash -noout -in $1-ca/$1.cert)
+ cp $1-ca/$1.cert grid-security/certificates/${hash}.0
+ cp $1-ca/$1.crl grid-security/certificates/${hash}.r0
# generating a signing_policy file
- subject_name=$(openssl x509 -in $CA_DIR/${catype}.cert -subject -noout)
+ subject_name=$(openssl x509 -in $1-ca/$1.cert -subject -noout)
cat <<EOF >grid-security/certificates/${hash}.signing_policy
# Signing policy file for the $(echo "$subject_name" | sed -e 's#^.*/CN=##')
access_id_CA X509 '${subject_name:9}'
pos_rights globus CA:sign
cond_subjects globus '"$(echo "${subject_name:9}" | sed -e 's#/CN=.*$##')/*"'
EOF
+ cat <<EOF >grid-security/certificates/${hash}.namespaces
+##############################################################################
+#NAMESPACES-VERSION: 1.0
+# Namespaces file for the $(echo "$subject_name" | sed -e 's#^.*/CN=##')
+TO Issuer "${subject_name:9}" \
+ PERMIT Subject "$(echo "${subject_name:9}" | sed -e 's#/CN=.*$##')/*"
+EOF
+#override root and sub namespaces
+ if [ "$1" = 'root' ]; then
+ cat <<EOF >grid-security/certificates/${hash}.namespaces
+##############################################################################
+#NAMESPACES-VERSION: 1.0
+# Namespaces file for the $(echo "$subject_name" | sed -e 's#^.*/CN=##')
+TO Issuer "${subject_name:9}" \
+ PERMIT Subject "/C=UG/L=Tropic/O=Utopia/OU=Relaxation/CN=the subca CA"
+EOF
+ cat <<EOF >grid-security/certificates/${hash}.signing_policy
+# Signing policy file for the $(echo "$subject_name" | sed -e 's#^.*/CN=##')
+access_id_CA X509 '${subject_name:9}'
+pos_rights globus CA:sign
+cond_subjects globus '"/C=UG/L=Tropic/O=Utopia/OU=Relaxation/CN=the subca CA*"'
+EOF
+ fi
+ if [ "$1" = 'subca' ]; then
+ cat <<EOF >grid-security/certificates/${hash}.namespaces
+##############################################################################
+#NAMESPACES-VERSION: 1.0
+# Namespaces file for the $(echo "$subject_name" | sed -e 's#^.*/CN=##')
+TO Issuer "${subject_name:9}" \
+ PERMIT Subject "/C=UG/L=Tropic/O=Utopia/OU=Relaxation/CN=the subsubca CA"
+EOF
+ cat <<EOF >grid-security/certificates/${hash}.signing_policy
+# Signing policy file for the $(echo "$subject_name" | sed -e 's#^.*/CN=##')
+access_id_CA X509 '${subject_name:9}'
+pos_rights globus CA:sign
+cond_subjects globus '"/C=UG/L=Tropic/O=Utopia/OU=Relaxation/CN=the subsubca CA"'
+EOF
+ fi
-
+
}
+function copy_ca {
+ echo copying CA from $1 to $2 current dir $PWD
+ # putting the CA certificate to the right place
+ if [ ! -d "$1" ]; then
+ echo "CA files are not found: $1"
+ echo "Did you run 'generate-ca-certificates-for-cvs.sh'?"
+ exit -1
+ fi
+ if [ -d "$2" ]; then
+ echo "CA directory already exists: $2"
+ else
+ CMD="cp -a $1 $2"
+ echo $CMD
+ $CMD
+
+ result=$?
+ if [ $result -ne 0 ];then
+ echo "The copying of CA from $1 failed with error code $result"
+ exit -1
+ fi
+ # remove the CVS dir, if it was copied...
+ if [ -d "$2/CVS" ]; then
+ rm -rf "$2/CVS"
+ fi
+ fi
+}
# create all certificates
function create_all {
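Review bot: The result of `openssl x509 -hash` at the new `hash=$(...)` line is never checked, so an unreadable or malformed `$1-ca/$1.cert` leaves `hash` empty and the function goes on to write `grid-security/certificates/.0`, `.r0`, `.signing_policy` and `.namespaces`, producing a trust directory that silently lacks that CA; guard it with `hash=$(openssl x509 -hash -noout -in "$1-ca/$1.cert") || return 1` followed by `[ -n "$hash" ] || return 1`. In copy_ca the command is built as a string, `CMD="cp -a $1 $2"` then `$CMD`, which word-splits any path containing whitespace; run it directly as `cp -a -- "$1" "$2"` and keep the `echo` only for logging. `exit -1` in both new error branches is not a valid exit status (the shell reports 255); `exit 1` is the conventional form. add_ca_grid_sec starts outside the hunk.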
fi
+ if [ $catype == "subsubca" ]; then
+ CACHAIN="$CERT_DIR/tmp.tmp"
+ openssl x509 -in subsubca-ca/subsubca.cert > ${CACHAIN}
+ openssl x509 -in subca-ca/subca.cert >> ${CACHAIN}
+
+ cp $CERT_DIR/subsubca_client.proxy.grid_proxy $CERT_DIR/subsubca_fullchainclient.proxy.grid_proxy
+ cat $CACHAIN >> $CERT_DIR/subsubca_fullchainclient.proxy.grid_proxy
+ cp $CERT_DIR/subsubca_client.proxy.proxy.grid_proxy $CERT_DIR/subsubca_fullchainclient.proxy.proxy.gridproxy
+ cat $CACHAIN >> $CERT_DIR/subsubca_fullchainclient.proxy.proxy.grid_proxy
+ fi
+
# generating CRL
- openssl ca -gencrl -crldays 10000 -out $CA_DIR/${catype}.crl -config $REQ_CONFIG_FILE
+ openssl ca -gencrl -crldays $DAYS -out $CA_DIR/${catype}.crl -config $REQ_CONFIG_FILE
# If we have the trusted CA, then generate a user cert/key pair
# And also a host cert/key pair.
+ echo adding CA $catype to grid-security
+
if [ "$catype" == "trusted" ]; then
create_some
else
# othewise if the ca is not the fake one, add them to the grid-security/certificates directory
if [ "$catype" != "fake" ]; then
+ echo really adding the CA $catype
add_ca_grid_sec $catype
+ if [ "$catype" = 'subsubca' ]; then
+ # generating CRL
+ openssl ca -gencrl -crldays $DAYS -out root-ca/root.crl -config root-ca/req_conf.cnf
+ openssl ca -gencrl -crldays $DAYS -out subca-ca/subca.crl -config subca-ca/req_conf.cnf
+ echo subsub ca, add root and subca
+ add_ca_grid_sec root
+ add_ca_grid_sec subca
+ fi
fi
fi
export CASROOT=./
# putting the CA certificate to the right place
- if [ ! -d "$CONFIGDIR/${catype}-ca" ]; then
- echo "CA files are not found: $CONFIGDIR/${catype}-ca"
- echo "Did you run 'generate-ca-certificates-for-cvs.sh'?"
- continue
- fi
- if [ -d "$CA_DIR" ]; then
- echo "CA directory already exists: $CA_DIR"
- else
- cp -a $CONFIGDIR/${catype}-ca $CA_DIR
- result=$?
- if [ $result -ne 0 ];then
- echo "The copying of CA ${catype} failed with error code $result"
- exit -1
- fi
- # remove the CVS dir, if it was copied...
- if [ -d "$CA_DIR/CVS" ]; then
- rm -rf "$CA_DIR/CVS"
- fi
+ copy_ca "$CONFIGDIR/${catype}-ca" "$CA_DIR"
+ # if the CA is subsubca, copy also the parents
+ if [ "$catype" = "subsubca" ]; then
+ copy_ca "$CONFIGDIR/subca-ca" "subca-ca"
+ copy_ca "$CONFIGDIR/root-ca" "root-ca"
fi
mkdir -p $CERT_DIR
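Review bot: The two file names in the second proxy pair do not match: the `cp` writes `subsubca_fullchainclient.proxy.proxy.gridproxy` (no underscore) while the following `cat $CACHAIN >>` appends to `subsubca_fullchainclient.proxy.proxy.grid_proxy`, so the full-chain file ends up holding only the CA chain and the copied proxy sits under the misspelled name; change the `cp` target to `$CERT_DIR/subsubca_fullchainclient.proxy.proxy.grid_proxy`. The chain file `$CACHAIN` (`$CERT_DIR/tmp.tmp`) is left behind in the certificate directory after use, and the two `openssl x509` calls that build it are unchecked, so a failed read yields a truncated chain without any error; add `rm -f "$CACHAIN"` after the last `cat` and `|| exit 1` on the two `openssl x509` lines. The new test `[ $catype == "subsubca" ]` leaves `$catype` unquoted while the later `[ "$catype" = 'subsubca' ]` quotes it; the quoted form is the safe one and the two should agree. The enclosing block continues past the hunk.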