From: John White Date: Fri, 5 Nov 2004 14:40:38 +0000 (+0000) Subject: Update to the test proxy generation routines. X-Git-Tag: GLITE_RELEASE_1_2~22 X-Git-Url: http://scientific.zcu.cz/git/?a=commitdiff_plain;h=6f11e4091fd3a06699c2f475eb2117c3724f1983;p=glite-security-test-utils.git Update to the test proxy generation routines. --- diff --git a/bin/generate-ca-certificates-for-cvs.sh b/bin/generate-ca-certificates-for-cvs.sh index 0c429cc..1f34893 100755 --- a/bin/generate-ca-certificates-for-cvs.sh +++ b/bin/generate-ca-certificates-for-cvs.sh @@ -15,9 +15,11 @@ CONFIGDIR=$PWD/$(dirname $0)/../config BASEDIR=$PWD/$(dirname $0)/../test -CONFIGFILES="index.txt serial.txt ca_conf.cnf req_conf.cnf req_proxy_conf.cnf req_proxy_proxy_conf.cnf" +CONFIGFILES="index.txt serial.txt ca_conf.cnf ca_proxy_conf.cnf req_conf.cnf req_proxy_conf.cnf req_proxy_proxy_conf.cnf" export PASSWORD='changeit' CATYPES='trusted fake big expired' +BIG_BITS=4096 +SMALL_BITS=1024 function create_ca { catype=$1 @@ -30,9 +32,9 @@ function create_ca { done if [ "$catype" = "big" ]; then - export BITS=4096 + export BITS=$BIG_BITS else - export BITS=1024 + export BITS=$SMALL_BITS fi if [ "$catype" = "expired" ]; then @@ -48,6 +50,8 @@ function create_ca { -out ${catype}.p12 -passin "pass:$PASSWORD" -passout "pass:$PASSWORD" echo -n "Generated CA certificate with " openssl x509 -noout -subject -in ${catype}.cert + else + echo "${CADIR}/serial.txt exists!" fi } diff --git a/bin/generate-test-certificates.sh b/bin/generate-test-certificates.sh index db05a5f..0859142 100755 --- a/bin/generate-test-certificates.sh +++ b/bin/generate-test-certificates.sh @@ -1,4 +1,4 @@ -#!/bin/bash +#!/bin/sh # # Copyright (c) Members of the EGEE Collaboration. 2004. 
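Review bot: Changing the shebang of generate-test-certificates.sh to `#!/bin/sh` breaks the script on systems where sh is not bash, because the file still uses `function name {` definitions and, in the create_all_test added later in this patch, `[ "$catype" == "trusted" ]`, neither of which POSIX sh guarantees. Either keep `#!/bin/bash` or convert those constructs (`name() {` and `[ "$catype" = "trusted" ]`) in the same change. The hunk header announces four lines per side but only three are visible here, so its last line may have been lost when the diff was collapsed.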
@@ -79,50 +79,246 @@ function create_cert { } function create_cert_proxy { + + echo "create_cert_proxy Start" + filebase=$1 export FILEBASE=${filebase} export CN=$2 - ending=$3 + ident=$3 export PROXYNAME=$4 validity=$5 - echo "Creating a proxy cert for '$CN/CN=$PROXYNAME'" - echo " in files named $filebase$ending.(cert|priv)" + +# create_cert_proxy $CERT_DIR/${catype}_client "$catype client" proxy "proxy" 1 +# create_cert_proxy $CERT_DIR/${catype}_client "$catype client" proxy_exp "expired proxy" -1 + + ending="grid_proxy" + export BITS=512 + + # This really depends on if we make a proxy or a proxy-proxy + X509_SIGNING_CERT=${filebase}.cert + X509_SIGNING_KEY=${filebase}.priv + + X509_PROX_CERT=${filebase}.${ident}.cert + X509_PROX_KEY=${filebase}.${ident}.priv + X509_PROX_REQ=${filebase}.${ident}.req + X509_PROX_GRID=${filebase}.${ident}.${ending} + + echo "Creating a proxy cert ${X509_PROX_CERT} for '$CN/CN=$PROXYNAME'" + echo " in files named $filebase.(cert|priv)" echo " with $validity days validity time" - CMD="openssl req -out ${filebase}.proxy.req -new -keyout ${filebase}.proxy.priv \ + # Get the serial number of the certificate that will eventually sign the proxy. + # Put it into a temporary file to be read by the ca command later. + SERIAL="`openssl x509 -in ${filebase}.cert -noout -serial | sed 's/^serial=//'`" + echo ${SERIAL} > ${CA_DIR}/serial_proxy.txt + + # Have to 'edit' the ca database to remove the entry for the signing certificate. + # maybe no need... make a dummy database, touch and then delete afterwards... + touch ${CA_DIR}/index_proxy.txt + + CMD="openssl genrsa -f4 -out ${X509_PROX_KEY} ${BITS}; chmod 400 ${filebase}.proxy.priv" + echo $CMD; $CMD + + # Create the certificate request. 
+ CMD="openssl req -new -out ${X509_PROX_REQ} \ + -key ${X509_PROX_KEY} \ -config ${REQ_PROXY_CONFIG_FILE}" echo $CMD; $CMD - CMD="openssl ca -in ${filebase}.proxy.req -cert ${filebase}.cert \ - -keyfile ${filebase}.priv \ - -out ${filebase}.proxy.cert \ + + # Sign the cert request with the user cert and key. Set the serial number here! + + CMD="openssl ca -in ${X509_PROX_REQ} \ + -cert ${X509_SIGNING_CERT} \ + -keyfile ${X509_SIGNING_KEY} \ + -out ${X509_PROX_CERT} \ -outdir . \ - -config ${CA_CONF} -md md5 -days 2 -batch \ - -verbose -passin pass:${PASSWORD}" + -config ${CA_PROXY_CONF} -md md5 -days ${validity} -batch \ + -verbose -passin pass:${PASSWORD} -notext \ + -extensions proxy_none " echo $CMD; $CMD - openssl x509 -in ${filebase}.proxy.cert -text > ${filebase}.proxy.cert.tmp - cp ${filebase}.proxy.cert.tmp ${filebase}.proxy.cert - openssl pkcs12 -in ${filebase}.proxy.cert.tmp -out ${filebase}.proxy.p12 -export \ - -inkey ${filebase}.proxy.priv -passin pass:$PASSWORD -passout pass:$PASSWORD \ + # Add the user and proxy certs and the proxy private key to the keystore + openssl pkcs12 -in ${X509_PROX_CERT} \ + -out ${filebase}.proxy.p12 -export \ + -inkey ${X509_PROX_KEY} \ + -passin pass:${PASSWORD} -passout pass:${PASSWORD} \ -name "${catype} proxy certificate" -certfile ${filebase}.cert - cp ${filebase}.proxy.cert ${filebase}.grid_proxy - openssl rsa -in ${filebase}.proxy.priv -passin pass:$PASSWORD >> ${filebase}.grid_proxy - cat ${filebase}.cert >> ${filebase}.grid_proxy + # Create a grid proxy file... + # Copy the proxy cert to the grid proxy file. + cp ${X509_PROX_CERT} ${X509_PROX_GRID} + + # Now add the proxy private key to the grid proxy file. + openssl rsa -in ${X509_PROX_KEY} -passin pass:${PASSWORD} >> ${X509_PROX_GRID} + + # Now add the original certificate used to sign the request to the proxy file. + # This should be the certificate issued by the CA to the 'user'. 
+ openssl x509 -in ${X509_SIGNING_CERT} >> ${X509_PROX_GRID} + chmod 600 ${X509_PROX_GRID} + + # Clean up stuff + rm ${CA_DIR}/serial_proxy.txt ${CA_DIR}/index_proxy.txt } + function create_cert_proxy_proxy { + + echo "create_cert_proxy_proxy Start" + filebase=$1 + export FILEBASE=${filebase} + export CN=$2 + ident=$3 + export PROXYNAME=$4 + validity=$5 + signing_pair=$6 + + ending="grid_proxy_proxy" + export BITS=512 + + # This really depends on if we make a proxy or a proxy-proxy + X509_SIGNING_CERT=${filebase}.${signing_pair}.cert # eg. trusted_client.proxy_exp.cert + echo $X509_SIGNING_CERT + X509_SIGNING_KEY=${filebase}.${signing_pair}.priv + + X509_PROX_CERT=${filebase}.${ident}.proxy.cert + X509_PROX_KEY=${filebase}.${ident}.proxy.priv + X509_PROX_REQ=${filebase}.${ident}.proxy.req + X509_PROX_GRID=${filebase}.${ident}.proxy.${ending} + + # Get the serial number of the certificate that will eventually sign the proxy. + # Put it into a temporary file to be read by the ca command later. + SERIAL="`openssl x509 -in ${X509_SIGNING_CERT} -noout -serial | sed 's/^serial=//'`" + echo ${SERIAL} > ${CA_DIR}/serial_proxy.txt + + # Have to 'edit' the ca database to remove the entry for the signing certificate. + # maybe no need... make a dummy database, touch and then delete afterwards... + touch ${CA_DIR}/index_proxy.txt + + CMD="openssl genrsa -f4 -out ${X509_PROX_KEY} ${BITS}; chmod 400 ${filebase}.proxy.proxy.priv" + echo $CMD; $CMD + + # Create the certificate request. + CMD="openssl req -new -out ${X509_PROX_REQ} \ + -key ${X509_PROX_KEY} \ + -config ${REQ_PROXY_PROXY_CONFIG_FILE}" + echo $CMD; $CMD + + # Sign the cert request with the user cert and key. Set the serial number here! + + CMD="openssl ca -in ${X509_PROX_REQ} \ + -cert ${X509_SIGNING_CERT} \ + -keyfile ${X509_SIGNING_KEY} \ + -out ${X509_PROX_CERT} \ + -outdir . 
\ + -config ${CA_PROXY_CONF} -md md5 -days ${validity} -batch \ + -verbose \ + -passin pass:${PASSWORD} -notext \ + -extensions proxy_none " + echo $CMD; $CMD + + # Add the user and proxy certs and the proxy private key to the keystore + openssl pkcs12 -in ${X509_PROX_CERT} \ + -out ${filebase}.proxy.proxy.p12 -export \ + -inkey ${X509_PROX_KEY} \ + -passin pass:${PASSWORD} -passout pass:${PASSWORD} \ + -name "${catype} proxy certificate" -certfile ${X509_SIGNING_CERT} + + # Create a grid proxy file... + # Copy the proxy cert to the grid proxy file. + cp ${X509_PROX_CERT} ${X509_PROX_GRID} + + # Now add the proxy private key to the grid proxy file. + openssl rsa -in ${X509_PROX_KEY} -passin pass:${PASSWORD} >> ${X509_PROX_GRID} + + # Now add the original certificate used to sign the request to the proxy file. + # This should be the certificate issued by the CA to the 'user'. + openssl x509 -in ${X509_SIGNING_CERT} >> ${filebase}.${ending} + chmod 600 ${X509_PROX_GRID} + + # Clean up stuff + rm ${CA_DIR}/serial_proxy.txt ${CA_DIR}/index_proxy.txt \ + ${X509_PROX_REQ} ${X509_PROX_CERT} ${X509_PROX_KEY} \ + ## ${filebase}.proxy.priv ${filebase}.proxy.cert +} + +function create_cert_proxy_proxy_old { + filebase=$1 + export FILEBASE=${filebase} export CN=$2 ending=$3 export PROXYNAME=$4 validity=$5 - echo "Creating a proxy cert for '$CN/CN=$PROXYNAME'" - echo " in files named $filebase$ending.(cert|priv)" + signing_pair=$6 + + export BITS=512 + X509_SIGNING_CERT=${filebase}.proxy.cert + X509_SIGNING_KEY=${filebase}.proxy.priv + + X509_PROX_CERT=${filebase}.proxy.proxy.cert + X509_PROX_KEY=${filebase}.proxy.proxy.priv + X509_PROX_REQ=${filebase}.proxy.proxy.req + + echo "Creating a proxy proxy cert for '$CN/CN=$PROXYNAME'" + echo " in files named $filebase.(cert|priv)" echo " with $validity days validity time" - #TODO: write the body + # Get the serial number of the certificate that will eventually sign the proxy. 
+ # Put it into a temporary file to be read by the ca command later. + SERIAL="`openssl x509 -in ${X509_SIGNING_CERT} -noout -serial | sed 's/^serial=//'`" + echo ${SERIAL} > ${CA_DIR}/serial_proxy.txt + + # Have to 'edit' the ca database to remove the entry for the signing certificate. + # maybe no need... make a dummy database, touch and then delete afterwards... + touch ${CA_DIR}/index_proxy.txt + + CMD="openssl genrsa -f4 -out ${X509_PROX_KEY} ${BITS}; chmod 400 ${filebase}.proxy.proxy.priv" + echo $CMD; $CMD + + # Create the certificate request. + CMD="openssl req -new -out ${X509_PROX_REQ} \ + -key ${X509_PROX_KEY} \ + -config ${REQ_PROXY_PROXY_CONFIG_FILE}" + echo $CMD; $CMD + + # Sign the cert request with the user cert and key. Set the serial number here! + + CMD="openssl ca -in ${X509_PROX_REQ} \ + -cert ${X509_SIGNING_CERT} \ + -keyfile ${X509_SIGNING_KEY} \ + -out ${X509_PROX_CERT} \ + -outdir . \ + -config ${CA_PROXY_CONF} -md md5 -days ${validity} -batch \ + -verbose \ + -passin pass:${PASSWORD} -notext \ + -extensions proxy_none " + echo $CMD; $CMD + + # Add the user and proxy certs and the proxy private key to the keystore + openssl pkcs12 -in ${X509_PROX_CERT} \ + -out ${filebase}.proxy.proxy.p12 -export \ + -inkey ${X509_PROX_KEY} \ + -passin pass:${PASSWORD} -passout pass:${PASSWORD} \ + -name "${catype} proxy certificate" -certfile ${X509_SIGNING_CERT} + + # Create a grid proxy file... + # Copy the proxy cert to the grid proxy file. + cp ${X509_PROX_CERT} ${X509_PROX_GRID} + + # Now add the proxy private key to the grid proxy file. + openssl rsa -in ${X509_PROX_KEY} -passin pass:${PASSWORD} >> ${X509_PROX_GRID} + + # Now add the original certificate used to sign the request to the proxy file. + # This should be the certificate issued by the CA to the 'user'. 
+ openssl x509 -in ${X509_SIGNING_CERT} >> ${filebase}.${ending} + chmod 600 ${X509_PROX_GRID} + + # Clean up stuff + rm ${CA_DIR}/serial_proxy.txt ${CA_DIR}/index_proxy.txt \ + ${X509_PROX_REQ} ${X509_PROX_CERT} ${X509_PROX_KEY} \ + ## ${filebase}.proxy.priv ${filebase}.proxy.cert } # create some certificates and copy them to convenient locations 
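Review bot: The proxy private keys end up with whatever mode the umask gives, because in all three new functions the key is created via `CMD="openssl genrsa -f4 -out ${X509_PROX_KEY} ${BITS}; chmod 400 ${filebase}.proxy.priv"; $CMD`, and an unquoted `$CMD` is only word-split, so `;`, `chmod`, `400` and the path are handed to `openssl genrsa` as extra arguments instead of running a second command (the chmod target is also the wrong file whenever `ident` is not `proxy`). Issue the two commands separately against the key that was actually written: `openssl genrsa -f4 -out "${X509_PROX_KEY}" "${BITS}"` followed by `chmod 400 "${X509_PROX_KEY}"`. In create_cert_proxy_proxy the signing certificate is appended with `>> ${filebase}.${ending}` instead of `>> ${X509_PROX_GRID}`, so the grid_proxy_proxy file is written without its chain and a stray `${filebase}.grid_proxy_proxy` is left on disk. The PKCS#12 output `${filebase}.proxy.p12` also ignores `ident`, so the expired-proxy run overwrites the valid proxy's keystore; derive that name from `${ident}` as the other outputs do. The 512-bit keys and `-md md5` are tolerable only because these are disposable test fixtures, which a one-line comment at the top of create_cert_proxy should state so nobody reuses the routine for real credentials.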
@@ -164,17 +360,23 @@ function create_all { create_cert $CERT_DIR/${catype}_client "$LOGNAME" client $DAYS create_cert $CERT_DIR/${catype}_server "$HOSTNAME" server $DAYS # And put them in the stage directory. - cp $CERT_DIR/${catype}_client.cert ../../../usercert.pem - cp $CERT_DIR/${catype}_client.priv ../../../userkey.pem - cp $CERT_DIR/${catype}_server.cert ../../../hostcert.pem - cp $CERT_DIR/${catype}_server.priv ../../../hostkey.pem + mv $CERT_DIR/${catype}_client.cert ../../../usercert.pem + mv $CERT_DIR/${catype}_client.priv ../../../userkey.pem + mv $CERT_DIR/${catype}_server.cert ../../../hostcert.pem + mv $CERT_DIR/${catype}_server.priv ../../../hostkey.pem fi # create valid certs with proxies create_cert $CERT_DIR/${catype}_client "$catype client" client $DAYS - create_cert_proxy $CERT_DIR/${catype}_client "$catype client" _proxy "proxy" $DAYS - create_cert_proxy $CERT_DIR/${catype}_client "$catype client" _proxy_exp "expired proxy" -1 + create_cert_proxy $CERT_DIR/${catype}_client "$catype client" proxy "proxy" 1 + create_cert_proxy $CERT_DIR/${catype}_client "$catype client" proxy_exp "expired proxy" -1 + + create_cert_proxy_proxy $CERT_DIR/${catype}_client "$catype client" proxy_proxy "proxy" 1 proxy + create_cert_proxy_proxy $CERT_DIR/${catype}_client "$catype client" proxy_proxy_exp "expired proxy" -1 proxy_exp + break; + + # These below have to be fixed to the new method of calling. create_cert $CERT_DIR/${catype}_fclient "$catype flag client" fclient $DAYS create_cert_proxy $CERT_DIR/${catype}_fclient "$catype flag client" _proxy "proxy" $DAYS create_cert_proxy $CERT_DIR/${catype}_fclient "$catype flag client" _proxy_exp "expired proxy" -1 
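Review bot: The unconditional `break;` inserted after the proxy_proxy_exp call makes the fclient, revocation and CRL steps that follow it in create_all unreachable, and since create_all is invoked from the `for catype in $CATYPES` loop, a `break` inside a function body is not portable — bash versions differ on whether it terminates the caller's loop or is ignored — so it most likely also stops generation after the first CA type. If the remainder is intentionally parked until it is ported to the new calling convention, make that explicit with `return 0  # TODO: port the calls below to the new create_cert_proxy signature` or comment the remaining calls out, rather than relying on `break;`. The function continues past the end of this hunk, so the CRL generation it skips is not visible here.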
@@ -230,15 +432,37 @@ function create_all { openssl ca -revoke $CERT_DIR/${catype}_none_rev.cert -config $CA_CONF # some extra certificates - create_cert_proxy $CERT_DIR/${catype}_client "$catype client dnerror" _proxy_dnerror "proxy" $DAYS - create_cert_proxy_proxy $CERT_DIR/${catype}_client_proxy "$catype client" _proxy "proxy" "proxy" $DAYS - create_cert_proxy_proxy $CERT_DIR/${catype}_client_proxy "$catype client" _proxy_dnerror "proxy dnerror" "proxy" $DAYS + # create_cert_proxy $CERT_DIR/${catype}_client "$catype client dnerror" _proxy_dnerror "proxy" $DAYS # generating CRL openssl ca -gencrl -crldays 10000 -out $CA_DIR/${catype}.crl -config $CA_CONF } +function create_all_test { + + # If we have the trusted CA, then generate a user cert/key pair + # And also a host cert/key pair. + + if [ "$catype" == "trusted" ]; then + # Create a user and host certificate + create_cert $CERT_DIR/${catype}_client "$LOGNAME" client $DAYS + create_cert $CERT_DIR/${catype}_server "$HOSTNAME" server $DAYS + # And put them in the stage directory. + mv $CERT_DIR/${catype}_client.cert ../../../usercert.pem + mv $CERT_DIR/${catype}_client.priv ../../../userkey.pem + mv $CERT_DIR/${catype}_server.cert ../../../hostcert.pem + mv $CERT_DIR/${catype}_server.priv ../../../hostkey.pem + fi + + # create valid certs with proxies + create_cert $CERT_DIR/${catype}_client "$catype client" client $DAYS + DAYS=1 + create_cert_proxy $CERT_DIR/${catype}_client "$catype client" grid_proxy "proxy" $DAYS + create_cert_proxy_proxy $CERT_DIR/${catype}_client "$catype client" grid_proxy_proxy "proxy" $DAYS + +} + ############################## main ################################ if [ -z "$BASEDIR" ]; then 
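Review bot: In the new create_all_test, `create_cert_proxy_proxy $CERT_DIR/${catype}_client "$catype client" grid_proxy_proxy "proxy" $DAYS` passes five arguments, but create_cert_proxy_proxy reads the signing pair from `$6`, so X509_SIGNING_CERT resolves to `${filebase}..cert` and the `openssl ca` step has no issuer certificate; append the identifier of the preceding proxy, `... "proxy" $DAYS grid_proxy`. The function is only reachable through the commented-out `## create_all_test` in main, so this is latent, but `[ "$catype" == "trusted" ]` is also a bashism that will misbehave under the `#!/bin/sh` this patch introduces (`=` is the portable form), and `DAYS=1` silently overwrites the caller's global. Commenting out the dnerror proxy in create_all drops the only negative-DN test case without a replacement; if that is intentional, say so in the comment instead of leaving the call dangling.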
@@ -263,6 +487,7 @@ for catype in $CATYPES; do export CA_DIR=${catype}-ca export CERT_DIR=${catype}-certs export CA_CONF=$CA_DIR/ca_conf.cnf + export CA_PROXY_CONF=$CA_DIR/ca_proxy_conf.cnf export REQ_CONFIG_FILE=$CA_DIR/req_conf.cnf export REQ_PROXY_CONFIG_FILE=$CA_DIR/req_proxy_conf.cnf export REQ_PROXY_PROXY_CONFIG_FILE=$CA_DIR/req_proxy_proxy_conf.cnf @@ -288,6 +513,7 @@ for catype in $CATYPES; do if [ -n "$ALL" ]; then create_all + ## create_all_test else create_some fi diff --git a/config/ca_conf.cnf b/config/ca_conf.cnf index 9db14c7..c9174e6 100644 --- a/config/ca_conf.cnf +++ b/config/ca_conf.cnf @@ -53,4 +53,7 @@ keyUsage = nonRepudiation, digitalSignature, keyEncipherment nsComment = "OpenSSL Generated Client Certificate with Flags" [ ca_none ] -# A new entry? +nsComment = "OpenSSL Generated Client Certificate with Flags" + +[ proxy_none ] +keyUsage=critical,digitalSignature,keyEncipherment diff --git a/config/req_conf.cnf b/config/req_conf.cnf index 28ea218..7c30db9 100644 --- a/config/req_conf.cnf +++ b/config/req_conf.cnf @@ -25,7 +25,9 @@ commonName = $ENV::CN [ req_attributes ] #challengePassword = $ENV::PASSWORD -[ CA_cert] +[ CA_cert ] basicConstraints = CA:true subjectKeyIdentifier=hash authorityKeyIdentifier=keyid:always,issuer:always + +[ proxy_none ] diff --git a/config/req_proxy_conf.cnf b/config/req_proxy_conf.cnf index 54d9e4d..61a1812 100644 --- a/config/req_proxy_conf.cnf +++ b/config/req_proxy_conf.cnf @@ -1,13 +1,26 @@ +[ca] +default_ca = CA_default + +[CA_default] +dir = $ENV::CA_DIR +database = $dir/index.txt +serial = $dir/serial.txt + +certificate = $dir/$ENV::CATYPE.cert +private_key = $dir/$ENV::CATYPE.priv + [ req ] + default_bits = 1024 default_keyfile = keyfile.pem distinguished_name = req_distinguished_name attributes = req_attributes prompt = no output_password = $ENV::PASSWORD -ca_cert = CA_cert +# ca_cert = CA_cert [ req_distinguished_name ] + countryName = UG #stateOrProvinceName = South area 
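Review bot: The new `[ proxy_none ]` extension section in ca_conf.cnf carries only `keyUsage`, so proxies issued with `-extensions proxy_none` get neither `basicConstraints` nor a proxyCertInfo extension; if "none" is meant to produce a legacy (pre-RFC 3820) proxy with no policy extension, state that in a comment above the section, otherwise add `basicConstraints = critical, CA:FALSE` and a proxyCertInfo line (e.g. `proxyCertInfo = critical, language:id-ppl-inheritAll`) so RFC 3820-aware verifiers accept the chain and the proxy cannot be read as a CA certificate. The `[ ca_none ]` section also receives the nsComment "OpenSSL Generated Client Certificate with Flags" copied from the flagged section, which misdescribes a certificate that is supposed to carry no flags; give it its own text or drop it.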
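Review bot: The `[ca]`/`[CA_default]` block added at the top of req_proxy_conf.cnf is never consulted by `openssl req`, and if this file were ever handed to `openssl ca` it would point proxy issuance at the real CA's `$dir/index.txt` and `$dir/serial.txt` rather than the `index_proxy.txt`/`serial_proxy.txt` the script prepares, and at `$ENV::CATYPE`, which the visible script never exports (its loop variable is lowercase `catype`). If ca_proxy_conf.cnf, added to CONFIGFILES but not shown in this patch, is the intended proxy CA config, delete this block or replace it with `# CA settings live in ca_proxy_conf.cnf; this file is only used by openssl req`. Commenting out `ca_cert = CA_cert` is harmless, but it leaves the retained `[ CA_cert ]` section with `basicConstraints = CA:true` as dead configuration in a proxy request file, which is worth a comment or removal.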
@@ -25,9 +38,9 @@ organizationalUnitName = Relaxation #emailAddress = Email Address [ req_attributes ] -#challengePassword = $ENV::PASSWORD [ CA_cert] + basicConstraints = CA:true subjectKeyIdentifier=hash authorityKeyIdentifier=keyid:always,issuer:always diff --git a/config/req_proxy_proxy_conf.cnf b/config/req_proxy_proxy_conf.cnf index 5f2fe0a..f95b0ca 100644 --- a/config/req_proxy_proxy_conf.cnf +++ b/config/req_proxy_proxy_conf.cnf @@ -22,7 +22,7 @@ organizationalUnitName = Relaxation 1.commonName = $ENV::PROXYNAME -2.commonName = $ENV::PROXYPROXYNAME +2.commonName = $ENV::PROXYNAME #emailAddress = Email Address