From: Joni Hahkala
Date: Fri, 19 Mar 2010 01:06:06 +0000 (+0000)
Subject: add test certs for hierarchical CAs with CA chain, namespaces for the parent CAs
X-Git-Url: http://scientific.zcu.cz/git/?a=commitdiff_plain;h=99e2cc628bc5fbf6a82264fad6490293b758394d;p=glite-security-test-utils.git

add test certs for hierarchical CAs with CA chain, namespaces for the parent CAs
add parent CAs to the grid-security/certificates
---
diff --git a/bin/generate-test-certificates.sh b/bin/generate-test-certificates.sh
index 6d91f10..da0b75b 100755
--- a/bin/generate-test-certificates.sh
+++ b/bin/generate-test-certificates.sh
@@ -450,21 +450,85 @@ function add_ca_grid_sec {
  if [ ! -d 'grid-security/certificates' ]; then
  mkdir -p 'grid-security/certificates'
  fi
- hash=$(openssl x509 -hash -noout -in $CA_DIR/${catype}.cert)
- cp $CA_DIR/${catype}.cert grid-security/certificates/${hash}.0
- cp $CA_DIR/${catype}.crl grid-security/certificates/${hash}.r0
+ hash=$(openssl x509 -hash -noout -in $1-ca/$1.cert)
+ cp $1-ca/$1.cert grid-security/certificates/${hash}.0
+ cp $1-ca/$1.crl grid-security/certificates/${hash}.r0
  # generating a signing_policy file
- subject_name=$(openssl x509 -in $CA_DIR/${catype}.cert -subject -noout)
+ subject_name=$(openssl x509 -in $1-ca/$1.cert -subject -noout)
  cat <grid-security/certificates/${hash}.signing_policy
 # Signing policy file for the $(echo "$subject_name" | sed -e 's#^.*/CN=##')
 access_id_CA X509 '${subject_name:9}'
 pos_rights globus CA:sign
 cond_subjects globus '"$(echo "${subject_name:9}" | sed -e 's#/CN=.*$##')/*"'
 EOF
+ cat <grid-security/certificates/${hash}.namespaces
+##############################################################################
+#NAMESPACES-VERSION: 1.0
+# Namespaces file for the $(echo "$subject_name" | sed -e 's#^.*/CN=##')
+TO Issuer "${subject_name:9}" \
+ PERMIT Subject "$(echo "${subject_name:9}" | sed -e 's#/CN=.*$##')/*"
+EOF
+#override root and sub namespaces
+ if [ "$1" = 'root' ]; then
+ cat <grid-security/certificates/${hash}.namespaces
+##############################################################################
+#NAMESPACES-VERSION: 1.0
+# Namespaces file for the $(echo "$subject_name" | sed -e 's#^.*/CN=##')
+TO Issuer "${subject_name:9}" \
+ PERMIT Subject "/C=UG/L=Tropic/O=Utopia/OU=Relaxation/CN=the subca CA"
+EOF
+ cat <grid-security/certificates/${hash}.signing_policy
+# Signing policy file for the $(echo "$subject_name" | sed -e 's#^.*/CN=##')
+access_id_CA X509 '${subject_name:9}'
+pos_rights globus CA:sign
+cond_subjects globus '"/C=UG/L=Tropic/O=Utopia/OU=Relaxation/CN=the subca CA*"'
+EOF
+ fi
+ if [ "$1" = 'subca' ]; then
+ cat <grid-security/certificates/${hash}.namespaces
+##############################################################################
+#NAMESPACES-VERSION: 1.0
+# Namespaces file for the $(echo "$subject_name" | sed -e 's#^.*/CN=##')
+TO Issuer "${subject_name:9}" \
+ PERMIT Subject "/C=UG/L=Tropic/O=Utopia/OU=Relaxation/CN=the subsubca CA"
+EOF
+ cat <grid-security/certificates/${hash}.signing_policy
+# Signing policy file for the $(echo "$subject_name" | sed -e 's#^.*/CN=##')
+access_id_CA X509 '${subject_name:9}'
+pos_rights globus CA:sign
+cond_subjects globus '"/C=UG/L=Tropic/O=Utopia/OU=Relaxation/CN=the subsubca CA"'
+EOF
+ fi
-
+
  }
+function copy_ca {
+ echo copying CA from $1 to $2 current dir $PWD
+ # putting the CA certificate to the right place
+ if [ ! -d "$1" ]; then
+ echo "CA files are not found: $1"
+ echo "Did you run 'generate-ca-certificates-for-cvs.sh'?"
+ exit -1
+ fi
+ if [ -d "$2" ]; then
+ echo "CA directory already exists: $2"
+ else
+ CMD="cp -a $1 $2"
+ echo $CMD
+ $CMD
+
+ result=$?
+ if [ $result -ne 0 ];then
+ echo "The copying of CA from $1 failed with error code $result"
+ exit -1
+ fi
+ # remove the CVS dir, if it was copied...
+ if [ -d "$2/CVS" ]; then
+ rm -rf "$2/CVS"
+ fi
+ fi
+}
  # create all certificates
  function create_all {
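Review bot: In copy_ca the copy is run through an unquoted variable (`CMD="cp -a $1 $2"`, then `$CMD`), so both paths are word-split and glob-expanded at execution time and the `"$1"`/`"$2"` quoting used in the surrounding tests is lost on the one line that matters; run the command directly, `if ! cp -a -- "$1" "$2"; then`, and drop `CMD` and `result`. `exit -1` on the two failure paths yields exit status 255; `exit 1` is the conventional value and what callers usually test for. In add_ca_grid_sec (whose opening line is outside this hunk) the root and subca overrides hard-code the child DN `/C=UG/L=Tropic/O=Utopia/OU=Relaxation/CN=the subca CA` instead of reading it with the same `openssl x509 -subject` call the generic case uses, and the root signing_policy ends that DN with `*` while the subca one does not, so the two policies disagree on whether a subject that merely starts with the child CA's name is accepted. The `cat <grid-security/...` lines read as plain input redirections; presumably the here-doc operator (`cat <<EOF >grid-security/...`) was lost in rendering, worth confirming against the file itself.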
@@ -753,18 +817,40 @@ function create_all {
  fi
+ if [ $catype == "subsubca" ]; then
+ CACHAIN="$CERT_DIR/tmp.tmp"
+ openssl x509 -in subsubca-ca/subsubca.cert > ${CACHAIN}
+ openssl x509 -in subca-ca/subca.cert >> ${CACHAIN}
+
+ cp $CERT_DIR/subsubca_client.proxy.grid_proxy $CERT_DIR/subsubca_fullchainclient.proxy.grid_proxy
+ cat $CACHAIN >> $CERT_DIR/subsubca_fullchainclient.proxy.grid_proxy
+ cp $CERT_DIR/subsubca_client.proxy.proxy.grid_proxy $CERT_DIR/subsubca_fullchainclient.proxy.proxy.gridproxy
+ cat $CACHAIN >> $CERT_DIR/subsubca_fullchainclient.proxy.proxy.grid_proxy
+ fi
+
  # generating CRL
- openssl ca -gencrl -crldays 10000 -out $CA_DIR/${catype}.crl -config $REQ_CONFIG_FILE
+ openssl ca -gencrl -crldays $DAYS -out $CA_DIR/${catype}.crl -config $REQ_CONFIG_FILE
  # If we have the trusted CA, then generate a user cert/key pair
  # And also a host cert/key pair.
+ echo adding CA $catype to grid-security
+
  if [ "$catype" == "trusted" ]; then
  create_some
  else
  # othewise if the ca is not the fake one, add them to the grid-security/certificates directory
  if [ "$catype" != "fake" ]; then
+ echo really adding the CA $catype
  add_ca_grid_sec $catype
+ if [ "$catype" = 'subsubca' ]; then
+ # generating CRL
+ openssl ca -gencrl -crldays $DAYS -out root-ca/root.crl -config root-ca/req_conf.cnf
+ openssl ca -gencrl -crldays $DAYS -out subca-ca/subca.crl -config subca-ca/req_conf.cnf
+ echo subsub ca, add root and subca
+ add_ca_grid_sec root
+ add_ca_grid_sec subca
+ fi
  fi
  fi
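Review bot: The second full-chain proxy is never assembled correctly: the `cp` writes to `subsubca_fullchainclient.proxy.proxy.gridproxy` (no underscore) while the `cat` on the next line appends to `...proxy.proxy.grid_proxy`, so the copied proxy gets no CA chain and the `grid_proxy` file is created holding only the two CA certificates; the fix is the target name on the `cp` line, `cp $CERT_DIR/subsubca_client.proxy.proxy.grid_proxy $CERT_DIR/subsubca_fullchainclient.proxy.proxy.grid_proxy`. `$CACHAIN` is written to `$CERT_DIR/tmp.tmp` and left behind in the certificate directory; `rm -f -- "$CACHAIN"` after the second `cat` would clean it up. `echo adding CA $catype to grid-security` runs before the trusted/fake branching, so it is printed for CAs that are never added; placing it next to `echo really adding the CA $catype` avoids the misleading log line. create_all's signature and the rest of its body lie outside this hunk.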
@@ -877,24 +963,11 @@ for catype in $CATYPES; do
  export CASROOT=./
  # putting the CA certificate to the right place
- if [ ! -d "$CONFIGDIR/${catype}-ca" ]; then
- echo "CA files are not found: $CONFIGDIR/${catype}-ca"
- echo "Did you run 'generate-ca-certificates-for-cvs.sh'?"
- continue
- fi
- if [ -d "$CA_DIR" ]; then
- echo "CA directory already exists: $CA_DIR"
- else
- cp -a $CONFIGDIR/${catype}-ca $CA_DIR
- result=$?
- if [ $result -ne 0 ];then
- echo "The copying of CA ${catype} failed with error code $result"
- exit -1
- fi
- # remove the CVS dir, if it was copied...
- if [ -d "$CA_DIR/CVS" ]; then
- rm -rf "$CA_DIR/CVS"
- fi
+ copy_ca "$CONFIGDIR/${catype}-ca" "$CA_DIR"
+ # if the CA is subsubca, copy also the parents
+ if [ "$catype" = "subsubca" ]; then
+ copy_ca "$CONFIGDIR/subca-ca" "subca-ca"
+ copy_ca "$CONFIGDIR/root-ca" "root-ca"
  fi
  mkdir -p $CERT_DIR
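Review bot: Replacing the inline copy with copy_ca changes what happens when `$CONFIGDIR/${catype}-ca` is missing: the removed code did `continue` and moved on to the next CA type, whereas copy_ca (added earlier in this commit) calls `exit -1` and aborts the whole run. If skipping was the intended behaviour, copy_ca should `return 1` on the missing-directory path and the caller become `copy_ca "$CONFIGDIR/${catype}-ca" "$CA_DIR" || continue`; if aborting is now intended, a comment saying so would stop the next reader from reintroducing the skip. The parent CAs are copied to the relative paths `subca-ca` and `root-ca`, which only lines up with add_ca_grid_sec reading `$1-ca/$1.cert` if the working directory is the same at both points; that assumption is not visible here and deserves a comment. The enclosing `for catype in $CATYPES` loop starts outside this hunk.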