if [ ! -d 'grid-security/certificates' ]; then
         mkdir -p 'grid-security/certificates'
     fi
+    if [ ! -d 'grid-security/certificates-withoutCrl' ]; then
+        mkdir -p 'grid-security/certificates-withoutCrl'
+    fi
+    if [ ! -d 'grid-security/certificates-rootwithpolicy' ]; then
+        mkdir -p 'grid-security/certificates-rootwithpolicy'
+    fi
+    if [ ! -d 'grid-security/certificates-rootallowsubsubdeny' ]; then
+        mkdir -p 'grid-security/certificates-rootallowsubsubdeny'
+    fi
+    if [ ! -d 'grid-security/certificates-subcawithpolicy' ]; then
+        mkdir -p 'grid-security/certificates-subcawithpolicy'
+    fi
     hash=$(openssl x509 -hash -noout -in $1-ca/$1.cert)
     cp $1-ca/$1.cert grid-security/certificates/${hash}.0
     cp $1-ca/$1.crl grid-security/certificates/${hash}.r0
 TO Issuer "${subject_name:9}" \
   PERMIT Subject "$(echo "${subject_name:9}" | sed -e 's#/CN=.*$##')/*"
 EOF
+    cp grid-security/certificates/${hash}.* grid-security/certificates-rootwithpolicy
+    cp grid-security/certificates/${hash}.* grid-security/certificates-rootallowsubsubdeny
+    cp grid-security/certificates/${hash}.* grid-security/certificates-subcawithpolicy
+
 #override root and sub namespaces
     if [ "$1" = 'root' ]; then
        cat <<EOF >grid-security/certificates/${hash}.namespaces
 # Signing policy file for the $(echo "$subject_name" | sed -e 's#^.*/CN=##')
 access_id_CA            X509    '${subject_name:9}'
 pos_rights              globus  CA:sign
+cond_subjects           globus  '"/C=UG/L=Tropic/O=Utopia/OU=Relaxation/CN=the subca CA"'
+EOF
+       cat <<EOF >grid-security/certificates-rootwithpolicy/${hash}.namespaces
+##############################################################################
+#NAMESPACES-VERSION: 1.0
+# Namespaces file for the $(echo "$subject_name" | sed -e 's#^.*/CN=##')
+TO Issuer "${subject_name:9}" \
+  PERMIT Subject "/C=UG/L=Tropic/O=Utopia/OU=Relaxation/CN=the subca CA"
+TO Issuer "/C=UG/L=Tropic/O=Utopia/OU=Relaxation/CN=the subca CA" \
+  PERMIT Subject "/C=UG/L=Tropic/O=Utopia/OU=Relaxation/CN=the subsubca CA"
+TO Issuer "/C=UG/L=Tropic/O=Utopia/OU=Relaxation/CN=the subsubca CA" \
+  PERMIT Subject "/C=UG/L=Tropic/O=Utopia/OU=Relaxation/CN=*"
+EOF
+       cat <<EOF >grid-security/certificates-rootwithpolicy/${hash}.signing_policy
+# Signing policy file for the $(echo "$subject_name" | sed -e 's#^.*/CN=##')
+access_id_CA            X509    '${subject_name:9}'
+pos_rights              globus  CA:sign
+cond_subjects           globus  '"/C=UG/L=Tropic/O=Utopia/OU=Relaxation/CN=the subca CA"'
+access_id_CA            X509    '/C=UG/L=Tropic/O=Utopia/OU=Relaxation/CN=the subca CA'
+pos_rights              globus  CA:sign
+cond_subjects           globus  '"/C=UG/L=Tropic/O=Utopia/OU=Relaxation/CN=the subsubca CA"'
+access_id_CA            X509    '/C=UG/L=Tropic/O=Utopia/OU=Relaxation/CN=the subsubca CA'
+pos_rights              globus  CA:sign
+cond_subjects           globus  '"/C=UG/L=Tropic/O=Utopia/OU=Relaxation/CN=*"'
+EOF
+       cat <<EOF >grid-security/certificates-rootallowsubsubdeny/${hash}.namespaces
+##############################################################################
+#NAMESPACES-VERSION: 1.0
+# Namespaces file for the $(echo "$subject_name" | sed -e 's#^.*/CN=##')
+TO Issuer "${subject_name:9}" \
+  PERMIT Subject "/C=UG/L=Tropic/O=Utopia/OU=Relaxation/CN=the subca CA"
+TO Issuer "/C=UG/L=Tropic/O=Utopia/OU=Relaxation/CN=the subca CA" \
+  PERMIT Subject "/C=UG/L=Tropic/O=Utopia/OU=Relaxation/CN=the subsubca CA"
+TO Issuer "/C=UG/L=Tropic/O=Utopia/OU=Relaxation/CN=the subsubca CA" \
+  PERMIT Subject "/C=UG/L=Tropic/O=Utopia/OU=Relaxation/CN=*"
+EOF
+       cat <<EOF >grid-security/certificates-rootallowsubsubdeny/${hash}.signing_policy
+# Signing policy file for the $(echo "$subject_name" | sed -e 's#^.*/CN=##')
+access_id_CA            X509    '${subject_name:9}'
+pos_rights              globus  CA:sign
 cond_subjects           globus  '"/C=UG/L=Tropic/O=Utopia/OU=Relaxation/CN=the subca CA*"'
+access_id_CA            X509    '/C=UG/L=Tropic/O=Utopia/OU=Relaxation/CN=the subca CA'
+pos_rights              globus  CA:sign
+cond_subjects           globus  '"/C=UG/L=Tropic/O=Utopia/OU=Relaxation/CN=the subsubca CA"'
+access_id_CA            X509    '/C=UG/L=Tropic/O=Utopia/OU=Relaxation/CN=the subsubca CA'
+pos_rights              globus  CA:sign
+cond_subjects           globus  '"/C=UG/L=Tropic/O=Utopia/OU=Relaxation/CN=*"'
 EOF
+       rm grid-security/certificates-subcawithpolicy/${hash}.{namespaces,signing_policy}
     fi
     if [ "$1" = 'subca' ]; then
        cat <<EOF >grid-security/certificates/${hash}.namespaces
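Review bot: The root CA's signing policy in `certificates-rootallowsubsubdeny` ends up with the wildcard subject `CN=the subca CA*`, because the unchanged `cond_subjects` line from the old heredoc now sits inside the new `certificates-rootallowsubsubdeny/${hash}.signing_policy` block. The `certificates-rootwithpolicy` copy, and the line added at the top of this hunk, use the exact name `CN=the subca CA`. If the difference is not intended, the pattern is looser than the namespaces entry in the same directory and would accept any subject whose CN merely starts with "the subca CA"; make it `cond_subjects           globus  '"/C=UG/L=Tropic/O=Utopia/OU=Relaxation/CN=the subca CA"'`. If it is deliberate, a comment above the heredoc should say so. The enclosing function and the heredoc that the first lines belong to start outside this hunk.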
 pos_rights              globus  CA:sign
 cond_subjects           globus  '"/C=UG/L=Tropic/O=Utopia/OU=Relaxation/CN=the subsubca CA"'
 EOF
+       rm grid-security/certificates-rootwithpolicy/${hash}.{namespaces,signing_policy}
+       cat <<EOF >grid-security/certificates-rootallowsubsubdeny/${hash}.namespaces
+##############################################################################
+#NAMESPACES-VERSION: 1.0
+# Namespaces file for the $(echo "$subject_name" | sed -e 's#^.*/CN=##')
+TO Issuer "${subject_name:9}" \
+  PERMIT Subject "/C=UG/L=Tropic/O=Utopia/OU=Relaxation/CN=the subsubca CA"
+EOF
+       rm grid-security/certificates-rootallowsubsubdeny/${hash}.{signing_policy,namespaces}
+       cat <<EOF >grid-security/certificates-subcawithpolicy/${hash}.namespaces
+##############################################################################
+#NAMESPACES-VERSION: 1.0
+# Namespaces file for the $(echo "$subject_name" | sed -e 's#^.*/CN=##')
+TO Issuer "${subject_name:9}" \
+  PERMIT Subject "/C=UG/L=Tropic/O=Utopia/OU=Relaxation/CN=the subsubca CA"
+TO Issuer "/C=UG/L=Tropic/O=Utopia/OU=Relaxation/CN=the subsubca CA" \
+  PERMIT Subject "/C=UG/L=Tropic/O=Utopia/OU=Relaxation/CN=*"
+EOF
+       cat <<EOF >grid-security/certificates-subcawithpolicy/${hash}.signing_policy
+# Signing policy file for the $(echo "$subject_name" | sed -e 's#^.*/CN=##')
+access_id_CA            X509    '${subject_name:9}'
+pos_rights              globus  CA:sign
+cond_subjects           globus  '"/C=UG/L=Tropic/O=Utopia/OU=Relaxation/CN=the subsubca CA"'
+access_id_CA            X509    '/C=UG/L=Tropic/O=Utopia/OU=Relaxation/CN=the subsubca CA'
+pos_rights              globus  CA:sign
+cond_subjects           globus  '"/C=UG/L=Tropic/O=Utopia/OU=Relaxation/CN=*"'
+EOF
+    fi
+    if [ "$1" = 'subsubca' ]; then
+       cat <<EOF >grid-security/certificates/${hash}.namespaces
+##############################################################################
+#NAMESPACES-VERSION: 1.0
+# Namespaces file for the $(echo "$subject_name" | sed -e 's#^.*/CN=##')
+TO Issuer "${subject_name:9}" \
+  PERMIT Subject "/C=UG/L=Tropic/O=Utopia/OU=Relaxation/CN=*"
+EOF
+       cat <<EOF >grid-security/certificates/${hash}.signing_policy
+# Signing policy file for the $(echo "$subject_name" | sed -e 's#^.*/CN=##')
+access_id_CA            X509    '${subject_name:9}'
+pos_rights              globus  CA:sign
+cond_subjects           globus  '"/C=UG/L=Tropic/O=Utopia/OU=Relaxation/CN=*"'
+EOF
+       rm grid-security/certificates-rootwithpolicy/${hash}.{namespaces,signing_policy}
+       cat <<EOF >grid-security/certificates-rootallowsubsubdeny/${hash}.namespaces
+##############################################################################
+#NAMESPACES-VERSION: 1.0
+# Namespaces file for the $(echo "$subject_name" | sed -e 's#^.*/CN=##')
+TO Issuer "${subject_name:9}" \
+  PERMIT Subject "/C=UG/L=Tropic/O=Utopia-not/OU=Relaxation/CN=*"
+EOF
+       cat <<EOF >grid-security/certificates-rootallowsubsubdeny/${hash}.signing_policy
+# Signing policy file for the $(echo "$subject_name" | sed -e 's#^.*/CN=##')
+access_id_CA            X509    '${subject_name:9}'
+pos_rights              globus  CA:sign
+cond_subjects           globus  '"/C=UG/L=Tropic/O=Utopia-not/OU=Relaxation/CN=*"'
+EOF
+        rm grid-security/certificates-subcawithpolicy/${hash}.{namespaces,signing_policy}
     fi
 
+    cp grid-security/certificates/${hash}.* grid-security/certificates-withoutCrl
+    rm grid-security/certificates-withoutCrl/*.r0
        
 }
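Review bot: In the `subca` branch, the heredoc that writes `grid-security/certificates-rootallowsubsubdeny/${hash}.namespaces` has no effect, because the next line, `rm grid-security/certificates-rootallowsubsubdeny/${hash}.{signing_policy,namespaces}`, deletes that file. If the sub CA is meant to have no policy files in that store, drop the heredoc. If its namespaces file is meant to stay, move the removal above the heredoc or narrow it to `rm grid-security/certificates-rootallowsubsubdeny/${hash}.signing_policy`. The choice decides what the deny test actually exercises, so a one-line comment stating the intended contents of each store would help. The `rm ...{a,b}` brace form also requires bash, and the function's opening is outside this hunk.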
 
     create_cert_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_exp "proxy" -1
     create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy "proxy" $PROXY_VALIDITY proxy
     create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_exp "proxy" -1 proxy
-
+    
+    TYPE="client_exp"
+    CTYPE="client expired"
+    TYPE2="client"
+    
+    create_cert $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" ${TYPE2} -1
+    create_cert_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy "proxy" $PROXY_VALIDITY
+    create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy "proxy" $PROXY_VALIDITY proxy
+    
+    TYPE="client_rev"
+    CTYPE="client revoked"
+    TYPE2="client"
+    
+    create_cert $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" ${TYPE2} $DAYS
+    create_cert_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy "proxy" $PROXY_VALIDITY
+    create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy "proxy" $PROXY_VALIDITY proxy
+    openssl ca -revoke $CERT_DIR/${catype}_${TYPE}.cert -config $REQ_CONFIG_FILE
+    
     if [ $catype == "trusted" ]; then
        
        TYPE="clientserial"
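Review bot: The `client_exp` and `client_rev` blocks were moved out of the `trusted` branch without the comments that described them; those comments stay behind inside the branch, above `fclient_exp` and `fclient_rev`. I would carry them along, e.g. `# expired user cert with otherwise valid proxies (all CA types)` and `# revoked user cert with otherwise valid proxies (all CA types)`. `openssl ca -revoke` now runs for every CA type, and a verifier only sees the revocation once that CA's CRL is regenerated. That step is not in this hunk, so confirm it happens for each type and not only for `trusted`. Quoting the arguments, `openssl ca -revoke "$CERT_DIR/${catype}_${TYPE}.cert" -config "$REQ_CONFIG_FILE"`, would also keep the call correct when the paths contain spaces.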
        
     # create certs with valid proxies, but expired user certs
        
-       TYPE="client_exp"
-       CTYPE="client expired"
-       TYPE2="client"
-       
-       create_cert $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" ${TYPE2} -1
-       create_cert_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy "proxy" $PROXY_VALIDITY
-       create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy "proxy" $PROXY_VALIDITY proxy
-       
        TYPE="fclient_exp"
        CTYPE="flag client expired"
        TYPE2="fclient"
        
     # Create revoked certificates with otherwise valid proxies
        
-       TYPE="client_rev"
-       CTYPE="client revoked"
-       TYPE2="client"
-       
-       create_cert $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" ${TYPE2} $DAYS
-       create_cert_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy "proxy" $PROXY_VALIDITY
-       create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy "proxy" $PROXY_VALIDITY proxy
-       openssl ca -revoke $CERT_DIR/${catype}_${TYPE}.cert -config $REQ_CONFIG_FILE
-    
        TYPE="fclient_rev"
        CTYPE="flag client revoked"
        TYPE2="fclient"
        
        cp $CERT_DIR/subsubca_client.proxy.grid_proxy $CERT_DIR/subsubca_fullchainclient.proxy.grid_proxy
        cat $CACHAIN >> $CERT_DIR/subsubca_fullchainclient.proxy.grid_proxy
-       cp $CERT_DIR/subsubca_client.proxy.proxy.grid_proxy $CERT_DIR/subsubca_fullchainclient.proxy.proxy.gridproxy
+       cp $CERT_DIR/subsubca_client.proxy.proxy.grid_proxy $CERT_DIR/subsubca_fullchainclient.proxy.proxy.grid_proxy
        cat $CACHAIN >> $CERT_DIR/subsubca_fullchainclient.proxy.proxy.grid_proxy
     fi
 
         -a|--all)
             ALL='yes'
             CATYPES='trusted fake big expired nokeyusage subsubca'
+#            CATYPES='subsubca'
             shift
             ;;
         -s|--some)