From: Joni Hahkala
Date: Tue, 23 Mar 2010 00:10:20 +0000 (+0000)
Subject: add revoked certs to all CAs, not just trusted, new grid-cecurity/certificates* dirs...
X-Git-Url: http://scientific.zcu.cz/git/?a=commitdiff_plain;h=d1baf64ee35d53c589987a50d5fc855bb7c9b150;p=glite-security-test-utils.git
add revoked certs to all CAs, not just trusted, new grid-cecurity/certificates* dirs for testing hierarchical CA namespaces, full chain proxies for hierarchical CAs
---
diff --git a/bin/generate-test-certificates.sh b/bin/generate-test-certificates.sh
index da0b75b..4b61c8a 100755
--- a/bin/generate-test-certificates.sh
+++ b/bin/generate-test-certificates.sh
@@ -450,6 +450,18 @@ function add_ca_grid_sec {
 if [ ! -d 'grid-security/certificates' ]; then
 mkdir -p 'grid-security/certificates'
 fi
+ if [ ! -d 'grid-security/certificates-withoutCrl' ]; then
+ mkdir -p 'grid-security/certificates-withoutCrl'
+ fi
+ if [ ! -d 'grid-security/certificates-rootwithpolicy' ]; then
+ mkdir -p 'grid-security/certificates-rootwithpolicy'
+ fi
+ if [ ! -d 'grid-security/certificates-rootallowsubsubdeny' ]; then
+ mkdir -p 'grid-security/certificates-rootallowsubsubdeny'
+ fi
+ if [ ! -d 'grid-security/certificates-subcawithpolicy' ]; then
+ mkdir -p 'grid-security/certificates-subcawithpolicy'
+ fi
 hash=$(openssl x509 -hash -noout -in $1-ca/$1.cert)
 cp $1-ca/$1.cert grid-security/certificates/${hash}.0
 cp $1-ca/$1.crl grid-security/certificates/${hash}.r0
@@ -468,6 +480,10 @@ EOF
 TO Issuer "${subject_name:9}" \
 PERMIT Subject "$(echo "${subject_name:9}" | sed -e 's#/CN=.*$##')/*"
 EOF
+ cp grid-security/certificates/${hash}.* grid-security/certificates-rootwithpolicy
+ cp grid-security/certificates/${hash}.* grid-security/certificates-rootallowsubsubdeny
+ cp grid-security/certificates/${hash}.* grid-security/certificates-subcawithpolicy
+ #override root and sub namespaces
 if [ "$1" = 'root' ]; then
 cat <grid-security/certificates/${hash}.namespaces 
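Review bot: The four new `if [ ! -d … ]; then mkdir -p …; fi` blocks in add_ca_grid_sec repeat an existence test that `mkdir -p` already makes unnecessary, so the directory list reads better as one loop: `for d in certificates certificates-withoutCrl certificates-rootwithpolicy certificates-rootallowsubsubdeny certificates-subcawithpolicy; do` / `  mkdir -p "grid-security/$d"` / `done`. That also leaves a single place to add the next trust-store variant instead of another copy of the block. The function starts before this hunk and continues past it.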
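Review bot: The dependency between the three `cp grid-security/certificates/${hash}.*` lines and the per-CA branches that follow is undocumented: the copies carry the generic `.namespaces`/`.signing_policy` just written above into every policy directory, the root/subca/subsubca branches then overwrite or `rm` them, and any other CA type keeps the generic permissive files in all four stores. The `#override root and sub namespaces` comment should say that, e.g. `# every policy dir starts as a copy of the generic files; the per-CA branches below replace or delete them, all other CA types keep the generic ones`. Nothing in the hunk checks that the `openssl x509 -hash` call behind `hash` succeeded and no `set -e` is visible; with `hash` empty the glob turns into `grid-security/certificates/.*`, so a `: "${hash:?}"` before the first `cp` would turn that into a hard failure instead of dotfile noise. add_ca_grid_sec continues past this hunk.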
@@ -481,8 +497,55 @@ EOF
 # Signing policy file for the $(echo "$subject_name" | sed -e 's#^.*/CN=##')
 access_id_CA X509 '${subject_name:9}'
 pos_rights globus CA:sign
+cond_subjects globus '"/C=UG/L=Tropic/O=Utopia/OU=Relaxation/CN=the subca CA"'
+EOF
+ cat <grid-security/certificates-rootwithpolicy/${hash}.namespaces
+##############################################################################
+#NAMESPACES-VERSION: 1.0
+# Namespaces file for the $(echo "$subject_name" | sed -e 's#^.*/CN=##')
+TO Issuer "${subject_name:9}" \
+ PERMIT Subject "/C=UG/L=Tropic/O=Utopia/OU=Relaxation/CN=the subca CA"
+TO Issuer "/C=UG/L=Tropic/O=Utopia/OU=Relaxation/CN=the subca CA" \
+ PERMIT Subject "/C=UG/L=Tropic/O=Utopia/OU=Relaxation/CN=the subsubca CA"
+TO Issuer "/C=UG/L=Tropic/O=Utopia/OU=Relaxation/CN=the subsubca CA" \
+ PERMIT Subject "/C=UG/L=Tropic/O=Utopia/OU=Relaxation/CN=*"
+EOF
+ cat <grid-security/certificates-rootwithpolicy/${hash}.signing_policy
+# Signing policy file for the $(echo "$subject_name" | sed -e 's#^.*/CN=##')
+access_id_CA X509 '${subject_name:9}'
+pos_rights globus CA:sign
+cond_subjects globus '"/C=UG/L=Tropic/O=Utopia/OU=Relaxation/CN=the subca CA"'
+access_id_CA X509 '/C=UG/L=Tropic/O=Utopia/OU=Relaxation/CN=the subca CA'
+pos_rights globus CA:sign
+cond_subjects globus '"/C=UG/L=Tropic/O=Utopia/OU=Relaxation/CN=the subsubca CA"'
+access_id_CA X509 '/C=UG/L=Tropic/O=Utopia/OU=Relaxation/CN=the subsubca CA'
+pos_rights globus CA:sign
+cond_subjects globus '"/C=UG/L=Tropic/O=Utopia/OU=Relaxation/CN=*"'
+EOF
+ cat <grid-security/certificates-rootallowsubsubdeny/${hash}.namespaces
+##############################################################################
+#NAMESPACES-VERSION: 1.0
+# Namespaces file for the $(echo "$subject_name" | sed -e 's#^.*/CN=##')
+TO Issuer "${subject_name:9}" \
+ PERMIT Subject "/C=UG/L=Tropic/O=Utopia/OU=Relaxation/CN=the subca CA"
+TO Issuer "/C=UG/L=Tropic/O=Utopia/OU=Relaxation/CN=the subca CA" \
+ PERMIT Subject 
"/C=UG/L=Tropic/O=Utopia/OU=Relaxation/CN=the subsubca CA"
+TO Issuer "/C=UG/L=Tropic/O=Utopia/OU=Relaxation/CN=the subsubca CA" \
+ PERMIT Subject "/C=UG/L=Tropic/O=Utopia/OU=Relaxation/CN=*"
+EOF
+ cat <grid-security/certificates-rootallowsubsubdeny/${hash}.signing_policy
+# Signing policy file for the $(echo "$subject_name" | sed -e 's#^.*/CN=##')
+access_id_CA X509 '${subject_name:9}'
+pos_rights globus CA:sign
 cond_subjects globus '"/C=UG/L=Tropic/O=Utopia/OU=Relaxation/CN=the subca CA*"'
+access_id_CA X509 '/C=UG/L=Tropic/O=Utopia/OU=Relaxation/CN=the subca CA'
+pos_rights globus CA:sign
+cond_subjects globus '"/C=UG/L=Tropic/O=Utopia/OU=Relaxation/CN=the subsubca CA"'
+access_id_CA X509 '/C=UG/L=Tropic/O=Utopia/OU=Relaxation/CN=the subsubca CA'
+pos_rights globus CA:sign
+cond_subjects globus '"/C=UG/L=Tropic/O=Utopia/OU=Relaxation/CN=*"'
 EOF
+ rm grid-security/certificates-subcawithpolicy/${hash}.{namespaces,signing_policy}
 fi
 if [ "$1" = 'subca' ]; then
 cat <grid-security/certificates/${hash}.namespaces 
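Review bot: The subordinate CA names are spelled out as literals (`/C=UG/L=Tropic/O=Utopia/OU=Relaxation/CN=the subca CA` and `…/CN=the subsubca CA`) roughly a dozen times across the rootwithpolicy and rootallowsubsubdeny here-docs in the root branch, while the CA's own name is still derived from `${subject_name:9}`. If the CA subject configuration ever changes, these fixtures stop matching silently and a namespace or signing-policy check denies everything, so the deny-path tests would pass for the wrong reason; defining `subca_dn=` and `subsubca_dn=` once near the top of add_ca_grid_sec and expanding them in the here-docs removes that trap. The rootallowsubsubdeny signing_policy also appears to reuse the pre-existing wildcard line `cond_subjects globus '"…/CN=the subca CA*"'` while its namespaces file permits the exact name; if that mismatch is deliberate, a one-line shell comment before that `cat` saying so would help. The function starts before this hunk and continues after it.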
@@ -498,8 +561,67 @@ access_id_CA X509 '${subject_name:9}'
 pos_rights globus CA:sign
 cond_subjects globus '"/C=UG/L=Tropic/O=Utopia/OU=Relaxation/CN=the subsubca CA"'
 EOF
+ rm grid-security/certificates-rootwithpolicy/${hash}.{namespaces,signing_policy}
+ cat <grid-security/certificates-rootallowsubsubdeny/${hash}.namespaces
+##############################################################################
+#NAMESPACES-VERSION: 1.0
+# Namespaces file for the $(echo "$subject_name" | sed -e 's#^.*/CN=##')
+TO Issuer "${subject_name:9}" \
+ PERMIT Subject "/C=UG/L=Tropic/O=Utopia/OU=Relaxation/CN=the subsubca CA"
+EOF
+ rm grid-security/certificates-rootallowsubsubdeny/${hash}.{signing_policy,namespaces}
+ cat <grid-security/certificates-subcawithpolicy/${hash}.namespaces
+##############################################################################
+#NAMESPACES-VERSION: 1.0
+# Namespaces file for the $(echo "$subject_name" | sed -e 's#^.*/CN=##')
+TO Issuer "${subject_name:9}" \
+ PERMIT Subject "/C=UG/L=Tropic/O=Utopia/OU=Relaxation/CN=the subsubca CA"
+TO Issuer "/C=UG/L=Tropic/O=Utopia/OU=Relaxation/CN=the subsubca CA" \
+ PERMIT Subject "/C=UG/L=Tropic/O=Utopia/OU=Relaxation/CN=*"
+EOF
+ cat <grid-security/certificates-subcawithpolicy/${hash}.signing_policy
+# Signing policy file for the $(echo "$subject_name" | sed -e 's#^.*/CN=##')
+access_id_CA X509 '${subject_name:9}'
+pos_rights globus CA:sign
+cond_subjects globus '"/C=UG/L=Tropic/O=Utopia/OU=Relaxation/CN=the subsubca CA"'
+access_id_CA X509 '/C=UG/L=Tropic/O=Utopia/OU=Relaxation/CN=the subsubca CA'
+pos_rights globus CA:sign
+cond_subjects globus '"/C=UG/L=Tropic/O=Utopia/OU=Relaxation/CN=*"'
+EOF
+ fi
+ if [ "$1" = 'subsubca' ]; then
+ cat <grid-security/certificates/${hash}.namespaces
+##############################################################################
+#NAMESPACES-VERSION: 1.0
+# Namespaces file for the $(echo "$subject_name" | sed -e 's#^.*/CN=##')
+TO Issuer "${subject_name:9}" \
+ PERMIT 
Subject "/C=UG/L=Tropic/O=Utopia/OU=Relaxation/CN=*"
+EOF
+ cat <grid-security/certificates/${hash}.signing_policy
+# Signing policy file for the $(echo "$subject_name" | sed -e 's#^.*/CN=##')
+access_id_CA X509 '${subject_name:9}'
+pos_rights globus CA:sign
+cond_subjects globus '"/C=UG/L=Tropic/O=Utopia/OU=Relaxation/CN=*"'
+EOF
+ rm grid-security/certificates-rootwithpolicy/${hash}.{namespaces,signing_policy}
+ cat <grid-security/certificates-rootallowsubsubdeny/${hash}.namespaces
+##############################################################################
+#NAMESPACES-VERSION: 1.0
+# Namespaces file for the $(echo "$subject_name" | sed -e 's#^.*/CN=##')
+TO Issuer "${subject_name:9}" \
+ PERMIT Subject "/C=UG/L=Tropic/O=Utopia-not/OU=Relaxation/CN=*"
+EOF
+ cat <grid-security/certificates-rootallowsubsubdeny/${hash}.signing_policy
+# Signing policy file for the $(echo "$subject_name" | sed -e 's#^.*/CN=##')
+access_id_CA X509 '${subject_name:9}'
+pos_rights globus CA:sign
+cond_subjects globus '"/C=UG/L=Tropic/O=Utopia-not/OU=Relaxation/CN=*"'
+EOF
+ rm grid-security/certificates-subcawithpolicy/${hash}.{namespaces,signing_policy}
 fi
+ cp grid-security/certificates/${hash}.* grid-security/certificates-withoutCrl
+ rm grid-security/certificates-withoutCrl/*.r0
 } 
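Review bot: The rootallowsubsubdeny files written in the subsubca branch express the deny only implicitly, by permitting `/C=UG/L=Tropic/O=Utopia-not/OU=Relaxation/CN=*` and nothing else, so real end-entity subjects under `O=Utopia` are rejected because no rule matches them rather than by any stated rule. Without a comment that reads like a typo of `O=Utopia`; a shell comment before that `cat`, e.g. `# deny by omission: only the non-existent O=Utopia-not tree is permitted, so every real EEC issued by this CA fails the namespace check`, records the intent (an explicit DENY rule would do the same if the consumers under test honour that verb of the namespaces format). The closing `cp grid-security/certificates/${hash}.* grid-security/certificates-withoutCrl` followed by `rm grid-security/certificates-withoutCrl/*.r0` also deserves a line noting that the `rm` strips every CA's CRL from that store on each call, which looks intentional for a CRL-less trust directory but is not obvious from the glob. add_ca_grid_sec starts before this hunk; the `}` at the end closes it.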
@@ -599,7 +721,24 @@ function create_all {
 create_cert_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_exp "proxy" -1
 create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy "proxy" $PROXY_VALIDITY proxy
 create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_exp "proxy" -1 proxy
-
+
+ TYPE="client_exp"
+ CTYPE="client expired"
+ TYPE2="client"
+
+ create_cert $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" ${TYPE2} -1
+ create_cert_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy "proxy" $PROXY_VALIDITY
+ create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy "proxy" $PROXY_VALIDITY proxy
+
+ TYPE="client_rev"
+ CTYPE="client revoked"
+ TYPE2="client"
+
+ create_cert $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" ${TYPE2} $DAYS
+ create_cert_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy "proxy" $PROXY_VALIDITY
+ create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy "proxy" $PROXY_VALIDITY proxy
+ openssl ca -revoke $CERT_DIR/${catype}_${TYPE}.cert -config $REQ_CONFIG_FILE
+
 if [ $catype == "trusted" ]; then
 TYPE="clientserial"
@@ -728,14 +867,6 @@ function create_all {
 # create certs with valid proxies, but expired user certs
- TYPE="client_exp"
- CTYPE="client expired"
- TYPE2="client"
-
- create_cert $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" ${TYPE2} -1
- create_cert_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy "proxy" $PROXY_VALIDITY
- create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy "proxy" $PROXY_VALIDITY proxy
-
 TYPE="fclient_exp"
 CTYPE="flag client expired"
 TYPE2="fclient" 
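Review bot: `openssl ca -revoke $CERT_DIR/${catype}_${TYPE}.cert -config $REQ_CONFIG_FILE` now runs for every CA type, but its exit status is not checked and nothing in the hunk regenerates the CRL afterwards; if add_ca_grid_sec copies `$1-ca/$1.crl` before a `-gencrl` step runs for this CA, the revoked `client_rev` certificate never reaches the distributed `${hash}.r0` and the revocation tests accept it silently. Appending `|| exit 1` (or the script's error helper, if it has one) to the revoke call and a comment `# revocation only takes effect once this CA's CRL is regenerated and re-copied into grid-security/` on that line would make the ordering requirement explicit. It is also worth confirming that `$REQ_CONFIG_FILE` points at the database of the CA currently iterated as `$catype`, since the revocation is recorded wherever that config's index lives. create_all starts before this hunk and continues past it; the deletions in the -728 and -770 hunks appear to be the old trusted-only copies of the same two blocks.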
@@ -770,15 +901,6 @@ function create_all {
 # Create revoked certificates with otherwise valid proxies
- TYPE="client_rev"
- CTYPE="client revoked"
- TYPE2="client"
-
- create_cert $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" ${TYPE2} $DAYS
- create_cert_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy "proxy" $PROXY_VALIDITY
- create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy "proxy" $PROXY_VALIDITY proxy
- openssl ca -revoke $CERT_DIR/${catype}_${TYPE}.cert -config $REQ_CONFIG_FILE
-
 TYPE="fclient_rev"
 CTYPE="flag client revoked"
 TYPE2="fclient"
@@ -824,7 +946,7 @@ function create_all {
 cp $CERT_DIR/subsubca_client.proxy.grid_proxy $CERT_DIR/subsubca_fullchainclient.proxy.grid_proxy
 cat $CACHAIN >> $CERT_DIR/subsubca_fullchainclient.proxy.grid_proxy
- cp $CERT_DIR/subsubca_client.proxy.proxy.grid_proxy $CERT_DIR/subsubca_fullchainclient.proxy.proxy.gridproxy
+ cp $CERT_DIR/subsubca_client.proxy.proxy.grid_proxy $CERT_DIR/subsubca_fullchainclient.proxy.proxy.grid_proxy
 cat $CACHAIN >> $CERT_DIR/subsubca_fullchainclient.proxy.proxy.grid_proxy
 fi
@@ -882,6 +1004,7 @@ while true; do
 -a|--all)
 ALL='yes'
 CATYPES='trusted fake big expired nokeyusage subsubca'
+# CATYPES='subsubca'
 shift
 ;;
 -s|--some)
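Review bot: `# CATYPES='subsubca'` at column 0 inside the `-a|--all)` arm is a leftover debugging toggle; a commented-out reassignment in the option parser invites someone to uncomment it and ship a test run that covers a single CA while the flag still says "all". Drop it, or make the override explicit and visible, e.g. `CATYPES=${CATYPES_OVERRIDE:-'trusted fake big expired nokeyusage subsubca'}` with the variable described in the usage text. The `while true; do` option loop starts before this hunk and continues past it.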