}
+function create_bad {
+
+ # generating client certificate
+ create_cert $CERT_DIR/${catype}_client00 "$LOGNAME" client $DAYS
+
+ # create cert with mismatched signing_policy
+ export CN="bad policy client"
+ CMD="openssl req -out $CERT_DIR/bad_policy.req -newkey rsa:$bits -new -keyout $CERT_DIR/bad_policy.priv -config $CA_DIR/req_conf_policy.cnf"
+ echo $CMD; $CMD
+ CMD="openssl ca -in $CERT_DIR/bad_policy.req -out $CERT_DIR/bad_policy.cert -outdir $tmpdir -md md5 -config $CA_CONF -batch -days $DAYS"
+ echo $CMD; $CMD
+
+ # create a cert which is not vaild yet
+ export CN="bad future client"
+ theyear=`date +%Y`
+ let "theyear += 1 "
+ valid=${theyear:2}`date +%m%d`000000Z
+ CMD="openssl req -out $CERT_DIR/bad_future.req -newkey rsa:$bits -new -keyout $CERT_DIR/bad_future.priv -config $CA_DIR/req_conf_future.cnf"
+ echo $CMD; eval $CMD
+ CMD="openssl ca -in $CERT_DIR/bad_future.req -out $CERT_DIR/bad_future.cert -outdir $tmpdir -md md5 -config $CA_CONF -batch -startdate $valid -days $DAYS"
+ echo $CMD; $CMD
+
+ # create host cert with mismatched signing_policy
+ export CN="$HOSTNAME"
+ CMD="openssl req -out $CERT_DIR/bad_policy_host.req -newkey rsa:$bits -new -keyout $CERT_DIR/bad_policy_host.priv -config $CA_DIR/req_conf_policy.cnf"
+ echo $CMD; $CMD
+ CMD="openssl ca -in $CERT_DIR/bad_policy_host.req -out $CERT_DIR/bad_policy_host.cert -outdir $tmpdir -md md5 -config $CA_CONF -batch -days $DAYS"
+ echo $CMD; $CMD
+
+ # create revoked host cert
+ export CN="$HOSTNAME"
+ CMD="openssl req -out $CERT_DIR/bad_revoked_host.req -newkey rsa:$bits -new -keyout $CERT_DIR/bad_revoked_host.priv -config $CA_DIR/req_conf.cnf"
+ echo $CMD; $CMD
+ CMD="openssl ca -in $CERT_DIR/bad_revoked_host.req -out $CERT_DIR/bad_revoked_host.cert -outdir $tmpdir -md md5 -config $CA_CONF -batch -days $DAYS"
+ echo $CMD; $CMD
+
+ openssl ca -revoke $CERT_DIR/bad_revoked_host.cert -config $CA_CONF
+
+ # create expired host cert
+ export CN="$HOSTNAME"
+ CMD="openssl req -out $CERT_DIR/bad_expired_host.req -newkey rsa:$bits -new -keyout $CERT_DIR/bad_expired_host.priv -config $CA_DIR/req_conf.cnf"
+ echo $CMD; $CMD
+ CMD="openssl ca -in $CERT_DIR/bad_expired_host.req -out $CERT_DIR/bad_expired_host.cert -outdir $tmpdir -md md5 -config $CA_CONF -batch -days -1"
+ echo $CMD; $CMD
+
+
+ # generating CRL
+ openssl ca -gencrl -crldays 10000 -out $CA_DIR/${catype}.crl -config $CA_CONF
+
+ # generating a signing_policy file
+ subject_name=$(openssl x509 -in $CA_DIR/${catype}.cert -subject -noout)
+ cat <<EOF > $CA_DIR/${catype}.signing_policy
+# Signing policy file for the $(echo "$subject_name" | sed -e 's#^.*/CN=##')
+access_id_CA X509 '${subject_name:9}'
+pos_rights globus CA:sign
+cond_subjects globus '"$(echo "${subject_name:9}" | sed -e 's#/CN=.*$##')/*"'
+EOF
+
+ cat <<EOF > $CA_DIR/${catype}.namespaces
+# Namespace for the $(echo "$subject_name" | sed -e 's#^.*/CN=##')
+TO Issuer "${subject_name:9} \\"
+ PERMIT Subject "$(echo "${subject_name:9}" | sed -e 's#/CN=.*$##')/*"
+
+EOF
+
+}
+
+
# create all certificates
function create_all {
case "$1" in
-a|--all)
ALL='yes'
- CATYPES='trusted fake big expired'
+ CATYPES='trusted fake big expired bad'
shift
;;
-s|--some)
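Review bot: None of the `openssl req` / `openssl ca` calls in create_bad check their exit status, so if a signing step fails the matching `bad_*.cert` is simply missing and a later negative test can report a rejection unrelated to the policy, start date, revocation or expiry it was meant to exercise; unless `set -e` is active outside this hunk, each run line should read `echo $CMD; $CMD || return 1`. The same concern applies to `-md md5` on all five `openssl ca` lines: a verifier that refuses MD5 signatures would reject every one of these certificates on the digest alone, so the digest should match whatever the valid test certificates use (not visible here). The bad_future request is the only command run through `eval $CMD`; nothing in that string needs a second parse, and plain `$CMD` as on the other lines avoids re-interpreting shell metacharacters that may sit in `$CERT_DIR` or `$CA_DIR`. The start date assembled from `date +%Y` plus one and `date +%m%d` also names a non-existent 29 February when the script runs on a leap day.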
fi
mkdir -p $CERT_DIR
-
- if [ "$ALL" = "yes" ]; then
- create_all
+
+ if [ $catype = "bad" ] ; then
+ #Create a CA with bad certificates (namespaces, signing policies etc.)
+ create_bad
else
- create_some
+
+ if [ "$ALL" = "yes" ]; then
+ create_all
+ else
+ create_some
+ fi
fi
done
+
[ "$ONLYENV" = 'yes' ] || echo "Easy usage environmental variable settings:"
echo "export X509_CERT_DIR=$TARGETDIR/grid-security/certificates"
echo "export X509_USER_CERT=$TARGETDIR/home/usercert.pem"
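Review bot: The new test `if [ $catype = "bad" ] ; then` expands `$catype` unquoted, unlike the `[ "$ALL" = "yes" ]` test a few lines below it; an empty or multi-word value makes `[` fail with a syntax error and the script silently falls through to the else branch, so it should read `if [ "$catype" = "bad" ]; then`. The enclosing loop starts above the hunk, so whether `$catype` can be empty at this point is not visible. With this branch, a `bad` CA type gets only what create_bad issues and never reaches create_all or create_some, which is worth stating in the existing comment above the call.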