if [ "$1" == "--all" ]; then
CATYPES='trusted'
- ## CATYPES='trusted fake big expired'
+ CATYPES='fake'
+ CATYPES='big'
+ CATYPES='expired'
+ CATYPES='trusted fake big expired'
ALL='yes'
shift
else
return
fi
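Review bot: The three new assignments `CATYPES='fake'`, `CATYPES='big'` and `CATYPES='expired'` are dead code — each is overwritten by the next statement and only the final `CATYPES='trusted fake big expired'` takes effect. Drop the three intermediate lines, or turn them into a single comment listing the individual CA types if that was the intent, so the effective value is visible at a glance. Hunk boundaries are not visible in this diff, so the enclosing `if` block may extend beyond what is shown.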
- CMD="openssl req -out $filebase.req -new -keyout $filebase.priv -config $REQ_CONFIG_FILE"
+ CMD="openssl req -out $filebase.req -newkey rsa:1024 -new -keyout $filebase.priv -config $REQ_CONFIG_FILE"
echo $CMD; $CMD;
case $flags in
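Review bot: The added `-newkey rsa:1024` hard-codes the user-certificate key size, while the script still exports `BITS` (the `big` CA type sets `BITS=4096` later in this diff), so that per-type setting no longer reaches the key generated here if the request config previously took its size from `BITS`. Prefer `-newkey rsa:${BITS}` so the CA-type size applies; a fixed 1024-bit RSA key is also below current recommendations even for test fixtures. `$CMD` is expanded unquoted on the next line, so whitespace in `$filebase` or `$REQ_CONFIG_FILE` splits into separate arguments; invoking `openssl req` directly with quoted arguments avoids both the splitting and the echo-a-string pattern. The enclosing function starts and ends outside the hunk.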
# create_cert_proxy $CERT_DIR/${catype}_client "$catype client" proxy_exp "expired proxy" -1
ending="grid_proxy"
- export BITS=512
# This really depends on if we make a proxy or a proxy-proxy
X509_SIGNING_CERT=${filebase}.cert
# maybe no need... make a dummy database, touch and then delete afterwards...
touch ${CA_DIR}/index_proxy.txt
- CMD="openssl genrsa -f4 -out ${X509_PROX_KEY} ${BITS}; chmod 400 ${filebase}.proxy.priv"
+ CMD="openssl genrsa -f4 -out ${X509_PROX_KEY} ${PROXY_BITS}; chmod 400 ${filebase}.proxy.priv"
echo $CMD; $CMD
# Create the certificate request.
# Clean up stuff
rm ${CA_DIR}/serial_proxy.txt ${CA_DIR}/index_proxy.txt
-
+ # most of the cleanup should be done in the create_cert_proxy_proxy function
+ # since some files need to be kept for signing purposes later!
}
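Review bot: The `;` inside `CMD="openssl genrsa -f4 -out ${X509_PROX_KEY} ${PROXY_BITS}; chmod 400 ${filebase}.proxy.priv"` is never treated as a command separator: `$CMD` only undergoes word splitting, so `${PROXY_BITS};`, `chmod`, `400` and the path are all handed to `openssl genrsa` as arguments and the `chmod` never runs (current OpenSSL builds reject the extra arguments outright). The same construct appears in the `PROXY_BITS` line of create_cert_proxy_proxy further down this diff. Run the two commands directly: `openssl genrsa -f4 -out "${X509_PROX_KEY}" "${PROXY_BITS}" && chmod 400 "${X509_PROX_KEY}"`; this also fixes the chmod target, which here still names `${filebase}.proxy.priv` rather than the file the key was actually written to. The enclosing function's start lies outside the hunk.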
export CN=$2
ident=$3
export PROXYNAME=$4
+ export PROXYPROXYNAME=$4
validity=$5
signing_pair=$6
ending="grid_proxy_proxy"
- export BITS=512
# This really depends on if we make a proxy or a proxy-proxy
X509_SIGNING_CERT=${filebase}.${signing_pair}.cert # eg. trusted_client.proxy_exp.cert
echo $X509_SIGNING_CERT
X509_SIGNING_KEY=${filebase}.${signing_pair}.priv
+ X509_SIGNING_REQ=${filebase}.${signing_pair}.req
X509_PROX_CERT=${filebase}.${ident}.proxy.cert
X509_PROX_KEY=${filebase}.${ident}.proxy.priv
X509_PROX_REQ=${filebase}.${ident}.proxy.req
- X509_PROX_GRID=${filebase}.${ident}.proxy.${ending}
-
- # Get the serial number of the certificate that will eventually sign the proxy.
- # Put it into a temporary file to be read by the ca command later.
- SERIAL="`openssl x509 -in ${X509_SIGNING_CERT} -noout -serial | sed 's/^serial=//'`"
- echo ${SERIAL} > ${CA_DIR}/serial_proxy.txt
-
- # Have to 'edit' the ca database to remove the entry for the signing certificate.
- # maybe no need... make a dummy database, touch and then delete afterwards...
- touch ${CA_DIR}/index_proxy.txt
-
- CMD="openssl genrsa -f4 -out ${X509_PROX_KEY} ${BITS}; chmod 400 ${filebase}.proxy.proxy.priv"
- echo $CMD; $CMD
-
- # Create the certificate request.
- CMD="openssl req -new -out ${X509_PROX_REQ} \
- -key ${X509_PROX_KEY} \
- -config ${REQ_PROXY_PROXY_CONFIG_FILE}"
- echo $CMD; $CMD
-
- # Sign the cert request with the user cert and key. Set the serial number here!
-
- CMD="openssl ca -in ${X509_PROX_REQ} \
- -cert ${X509_SIGNING_CERT} \
- -keyfile ${X509_SIGNING_KEY} \
- -out ${X509_PROX_CERT} \
- -outdir . \
- -config ${CA_PROXY_CONF} -md md5 -days ${validity} -batch \
- -verbose \
- -passin pass:${PASSWORD} -notext \
- -extensions proxy_none "
- echo $CMD; $CMD
-
- # Add the user and proxy certs and the proxy private key to the keystore
- openssl pkcs12 -in ${X509_PROX_CERT} \
- -out ${filebase}.proxy.proxy.p12 -export \
- -inkey ${X509_PROX_KEY} \
- -passin pass:${PASSWORD} -passout pass:${PASSWORD} \
- -name "${catype} proxy certificate" -certfile ${X509_SIGNING_CERT}
-
- # Create a grid proxy file...
- # Copy the proxy cert to the grid proxy file.
- cp ${X509_PROX_CERT} ${X509_PROX_GRID}
-
- # Now add the proxy private key to the grid proxy file.
- openssl rsa -in ${X509_PROX_KEY} -passin pass:${PASSWORD} >> ${X509_PROX_GRID}
-
- # Now add the original certificate used to sign the request to the proxy file.
- # This should be the certificate issued by the CA to the 'user'.
- openssl x509 -in ${X509_SIGNING_CERT} >> ${filebase}.${ending}
- chmod 600 ${X509_PROX_GRID}
-
- # Clean up stuff
- rm ${CA_DIR}/serial_proxy.txt ${CA_DIR}/index_proxy.txt \
- ${X509_PROX_REQ} ${X509_PROX_CERT} ${X509_PROX_KEY} \
- ## ${filebase}.proxy.priv ${filebase}.proxy.cert
-}
-
-function create_cert_proxy_proxy_old {
-
- filebase=$1
- export FILEBASE=${filebase}
- export CN=$2
- ending=$3
- export PROXYNAME=$4
- validity=$5
- signing_pair=$6
-
- export BITS=512
- X509_SIGNING_CERT=${filebase}.proxy.cert
- X509_SIGNING_KEY=${filebase}.proxy.priv
-
- X509_PROX_CERT=${filebase}.proxy.proxy.cert
- X509_PROX_KEY=${filebase}.proxy.proxy.priv
- X509_PROX_REQ=${filebase}.proxy.proxy.req
-
- echo "Creating a proxy proxy cert for '$CN/CN=$PROXYNAME'"
- echo " in files named $filebase.(cert|priv)"
- echo " with $validity days validity time"
+ X509_PROX_GRID=${filebase}.${ident}.${ending}
# Get the serial number of the certificate that will eventually sign the proxy.
# Put it into a temporary file to be read by the ca command later.
# maybe no need... make a dummy database, touch and then delete afterwards...
touch ${CA_DIR}/index_proxy.txt
- CMD="openssl genrsa -f4 -out ${X509_PROX_KEY} ${BITS}; chmod 400 ${filebase}.proxy.proxy.priv"
+ CMD="openssl genrsa -f4 -out ${X509_PROX_KEY} ${PROXY_BITS}; chmod 400 ${X509_PROX_KEY}"
echo $CMD; $CMD
# Create the certificate request.
# Now add the original certificate used to sign the request to the proxy file.
# This should be the certificate issued by the CA to the 'user'.
- openssl x509 -in ${X509_SIGNING_CERT} >> ${filebase}.${ending}
+ openssl x509 -in ${X509_SIGNING_CERT} >> ${X509_PROX_GRID}
chmod 600 ${X509_PROX_GRID}
# Clean up stuff
rm ${CA_DIR}/serial_proxy.txt ${CA_DIR}/index_proxy.txt \
${X509_PROX_REQ} ${X509_PROX_CERT} ${X509_PROX_KEY} \
- ## ${filebase}.proxy.priv ${filebase}.proxy.cert
+ ${X509_SIGNING_CERT} ${X509_SIGNING_KEY} ${X509_SIGNING_REQ}
}
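Review bot: `chmod 600 ${X509_PROX_GRID}` is applied only after the grid proxy file has been fully assembled, so from its creation until that line it carries umask-default permissions; if the proxy private key is appended before the chmod, as the removed version did, the key can be briefly readable by other users. Set `umask 077` at the start of the function, or `chmod 600` the file immediately after it is created and before the key is written into it. Separately, the new cleanup line `${X509_SIGNING_CERT} ${X509_SIGNING_KEY} ${X509_SIGNING_REQ}` deletes the caller's first-level proxy cert, key and request, so the function consumes its `signing_pair`; a header comment such as `# NOTE: removes ${filebase}.${signing_pair}.{cert,priv,req} — the signing proxy cannot be reused afterwards` would make that visible to callers. The function's definition line lies outside the hunk.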
# create some certificates and copy them to convenient locations
fi
# create valid certs with proxies
- create_cert $CERT_DIR/${catype}_client "$catype client" client $DAYS
- create_cert_proxy $CERT_DIR/${catype}_client "$catype client" proxy "proxy" 1
- create_cert_proxy $CERT_DIR/${catype}_client "$catype client" proxy_exp "expired proxy" -1
+ PROXY_VALIDITY_1=1
+
+ TYPE="client"
+ CTYPE="client"
+
+ create_cert $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" ${TYPE} $DAYS
+
+ create_cert_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy "proxy" 1
+ create_cert_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_exp "expired proxy" -1
+
+ create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_proxy "proxy" 1 proxy
+ create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_proxy_exp "expired proxy" -1 proxy_exp
- create_cert_proxy_proxy $CERT_DIR/${catype}_client "$catype client" proxy_proxy "proxy" 1 proxy
- create_cert_proxy_proxy $CERT_DIR/${catype}_client "$catype client" proxy_proxy_exp "expired proxy" -1 proxy_exp
- break;
+ TYPE="fclient"
+ CTYPE="flag client"
- # These below have to be fixed to the new method of calling.
- create_cert $CERT_DIR/${catype}_fclient "$catype flag client" fclient $DAYS
- create_cert_proxy $CERT_DIR/${catype}_fclient "$catype flag client" _proxy "proxy" $DAYS
- create_cert_proxy $CERT_DIR/${catype}_fclient "$catype flag client" _proxy_exp "expired proxy" -1
+ create_cert $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" ${TYPE} $DAYS
- create_cert $CERT_DIR/${catype}_server "$catype server" server $DAYS
- create_cert_proxy $CERT_DIR/${catype}_server "$catype server" _proxy "proxy" $DAYS
- create_cert_proxy $CERT_DIR/${catype}_server "$catype server" _proxy_exp "expired proxy" -1
+ create_cert_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy "proxy" 1
+ create_cert_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_exp "expired proxy" -1
- create_cert $CERT_DIR/${catype}_clientserver "$catype clientserver" clientserver $DAYS
- create_cert_proxy $CERT_DIR/${catype}_clientserver "$catype clientserver" _proxy "proxy" $DAYS
- create_cert_proxy $CERT_DIR/${catype}_clientserver "$catype clientserver" _proxy_exp "expired proxy" -1
+ create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_proxy "proxy" 1 proxy
+ create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_proxy_exp "expired proxy" -1 proxy_exp
- create_cert $CERT_DIR/${catype}_none "$catype none" none $DAYS
- create_cert_proxy $CERT_DIR/${catype}_none "$catype none" _proxy "proxy" $DAYS
- create_cert_proxy $CERT_DIR/${catype}_none "$catype none" _proxy_exp "expired proxy" -1
+ TYPE="server"
+ CTYPE="server"
+
+ create_cert $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" ${TYPE} $DAYS
+
+ create_cert_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy "proxy" 1
+ create_cert_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_exp "expired proxy" -1
+
+ create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_proxy "proxy" 1 proxy
+ create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_proxy_exp "expired proxy" -1 proxy_exp
+
+ TYPE="clientserver"
+ CTYPE="clientserver"
+
+ create_cert $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" ${TYPE} $DAYS
+
+ create_cert_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy "proxy" 1
+ create_cert_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_exp "expired proxy" -1
+
+ create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_proxy "proxy" 1 proxy
+ create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_proxy_exp "expired proxy" -1 proxy_exp
+
+ TYPE="none"
+ CTYPE="none"
+
+ create_cert $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" ${TYPE} $DAYS
+
+ create_cert_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy "proxy" 1
+ create_cert_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_exp "expired proxy" -1
+
+ create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_proxy "proxy" 1 proxy
+ create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_proxy_exp "expired proxy" -1 proxy_exp
# create certs with valid proxies, but expired user certs
- create_cert $CERT_DIR/${catype}_client_exp "$catype client expired" client -1
- create_cert_proxy $CERT_DIR/${catype}_client_exp "$catype client expired" _proxy "proxy" $DAYS
- create_cert $CERT_DIR/${catype}_fclient_exp "$catype flag client expired" fclient -1
- create_cert_proxy $CERT_DIR/${catype}_fclient_exp "$catype flag client expired" _proxy "proxy" $DAYS
+ TYPE="client_exp"
+ CTYPE="client expired"
+ TYPE2="client"
+
+ create_cert $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" ${TYPE2} -1
+ create_cert_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy "proxy" 1
+ create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_proxy "proxy" 1 proxy
- create_cert $CERT_DIR/${catype}_server_exp "$catype server expired" server -1
- create_cert_proxy $CERT_DIR/${catype}_server_exp "$catype server expired" _proxy "proxy" $DAYS
+ TYPE="fclient_exp"
+ CTYPE="flag client expired"
+ TYPE2="fclient"
- create_cert $CERT_DIR/${catype}_clientserver_exp "$catype clientserver expired" clientserver -1
- create_cert_proxy $CERT_DIR/${catype}_clientserver_exp "$catype clientserver expired" _proxy "proxy" $DAYS
+ create_cert $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" ${TYPE2} -1
+ create_cert_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy "proxy" 1
+ create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_proxy "proxy" 1 proxy
- create_cert $CERT_DIR/${catype}_none_exp "$catype none expired" none -1
- create_cert_proxy $CERT_DIR/${catype}_none_exp "$catype none expired" _proxy "proxy" $DAYS
+ TYPE="server_exp"
+ CTYPE="flag server expired"
+ TYPE2="server"
- # create revoked certs
- create_cert $CERT_DIR/${catype}_client_rev "$catype client revoked" client $DAYS
- create_cert_proxy $CERT_DIR/${catype}_client_rev "$catype client revoked" _proxy "proxy" $DAYS
+ create_cert $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" ${TYPE2} -1
+ create_cert_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy "proxy" 1
+ create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_proxy "proxy" 1 proxy
- create_cert $CERT_DIR/${catype}_fclient_rev "$catype flag client revoked" fclient $DAYS
- create_cert_proxy $CERT_DIR/${catype}_fclient_rev "$catype flag client revoked" _proxy "proxy" $DAYS
+ TYPE="clientserver_exp"
+ CTYPE="clientserver expired"
+ TYPE2="clientserver"
- create_cert $CERT_DIR/${catype}_server_rev "$catype server revoked" server $DAYS
- create_cert_proxy $CERT_DIR/${catype}_server_rev "$catype server revoked" _proxy "proxy" $DAYS
+ create_cert $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" ${TYPE2} -1
+ create_cert_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy "proxy" 1
+ create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_proxy "proxy" 1 proxy
- create_cert $CERT_DIR/${catype}_clientserver_rev "$catype clientserver revoked" clientserver $DAYS
- create_cert_proxy $CERT_DIR/${catype}_clientserver_rev "$catype clientserver revoked" _proxy "proxy" $DAYS
+ TYPE="none_exp"
+ CTYPE="none expired"
+ TYPE2="none"
- create_cert $CERT_DIR/${catype}_none_rev "$catype none revoked" none $DAYS
- create_cert_proxy $CERT_DIR/${catype}_none_rev "$catype none revoked" _proxy "proxy" $DAYS
+ create_cert $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" ${TYPE2} -1
+ create_cert_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy "proxy" 1
+ create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_proxy "proxy" 1 proxy
- openssl ca -revoke $CERT_DIR/${catype}_client_rev.cert -config $CA_CONF
- openssl ca -revoke $CERT_DIR/${catype}_fclient_rev.cert -config $CA_CONF
- openssl ca -revoke $CERT_DIR/${catype}_server_rev.cert -config $CA_CONF
- openssl ca -revoke $CERT_DIR/${catype}_clientserver_rev.cert -config $CA_CONF
- openssl ca -revoke $CERT_DIR/${catype}_none_rev.cert -config $CA_CONF
+# Create revoked certificates
+
+ TYPE="client_rev"
+ CTYPE="client revoked"
+ TYPE2="client"
+
+ create_cert $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" ${TYPE2} -1
+ create_cert_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy "proxy" 1
+ create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_proxy "proxy" 1 proxy
+ openssl ca -revoke $CERT_DIR/${catype}_${TYPE}.cert -config $CA_CONF
+
+ TYPE="fclient_rev"
+ CTYPE="flag client revoked"
+ TYPE2="fclient"
+
+ create_cert $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" ${TYPE2} -1
+ create_cert_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy "proxy" 1
+ create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_proxy "proxy" 1 proxy
+ openssl ca -revoke $CERT_DIR/${catype}_${TYPE}.cert -config $CA_CONF
+
+ TYPE="server_rev"
+ CTYPE="server revoked"
+ TYPE2="server"
+
+ create_cert $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" ${TYPE2} -1
+ create_cert_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy "proxy" 1
+ create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_proxy "proxy" 1 proxy
+ openssl ca -revoke $CERT_DIR/${catype}_${TYPE}.cert -config $CA_CONF
+
+ TYPE="clientserver_rev"
+ CTYPE="clientserver revoked"
+ TYPE2="clientserver"
+
+ create_cert $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" ${TYPE2} -1
+ create_cert_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy "proxy" 1
+ create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_proxy "proxy" 1 proxy
+ openssl ca -revoke $CERT_DIR/${catype}_${TYPE}.cert -config $CA_CONF
+
+ TYPE="none_rev"
+ CTYPE="none revoked"
+ TYPE2="none"
+
+ create_cert $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" ${TYPE2} -1
+ create_cert_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy "proxy" 1
+ create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_proxy "proxy" 1 proxy
+ openssl ca -revoke $CERT_DIR/${catype}_${TYPE}.cert -config $CA_CONF
# some extra certificates
- # create_cert_proxy $CERT_DIR/${catype}_client "$catype client dnerror" _proxy_dnerror "proxy" $DAYS
+
+ TYPE="client"
+ CTYPE="client dnerror"
+ TYPE2="_proxy_dnerror"
+ create_cert_proxy $CERT_DIR/${catype}_client "$catype client dnerror" ${TYPE2} "proxy" $DAYS
# generating CRL
openssl ca -gencrl -crldays 10000 -out $CA_DIR/${catype}.crl -config $CA_CONF
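Review bot: The revoked-certificate fixtures are now created with validity `-1` (for example `create_cert $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" ${TYPE2} -1` under `TYPE="client_rev"`), where the removed lines used `$DAYS`; a certificate that is already expired when it is revoked cannot show whether a verifier consults the CRL, because it is rejected on dates first. Use `$DAYS` in the five `*_rev` blocks so revocation is the only reason for rejection. `CTYPE="flag server expired"` under `TYPE="server_exp"` looks like a copy-paste slip from the fclient block; the removed line read `"$catype server expired"`. In the "extra certificates" block, `TYPE` and `CTYPE` are assigned but the call still hard-codes `${catype}_client` and `"$catype client dnerror"`, and `TYPE2="_proxy_dnerror"` keeps the leading underscore the rest of the file dropped. The repeated TYPE/CTYPE blocks are a candidate for a loop over a small table, which would have prevented both slips.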
export REQ_CONFIG_FILE=$CA_DIR/req_conf.cnf
export REQ_PROXY_CONFIG_FILE=$CA_DIR/req_proxy_conf.cnf
export REQ_PROXY_PROXY_CONFIG_FILE=$CA_DIR/req_proxy_proxy_conf.cnf
+ export PROXY_BITScvs commit=512
+
if [ "$catype" = "big" ]; then
export BITS=4096
else
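Review bot: `export PROXY_BITScvs commit=512` is broken by a stray 'cvs commit' pasted into the line: bash exports an unset variable named `PROXY_BITScvs` and assigns `commit=512`, so `PROXY_BITS` stays empty and the `openssl genrsa ... ${PROXY_BITS}` calls earlier in this diff run without a key size, falling back to OpenSSL's default. It should read `export PROXY_BITS=512`. Note also that 512-bit RSA proxy keys are below what current OpenSSL accepts for TLS at its default security level (1024-bit minimum), so consider deriving the size from `BITS` or using at least 1024 even for test fixtures. The `if`/`else` on `catype` continues past the end of the hunk.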