From 082fa6fae82798ca6286a3f1203636a5d5b45d66 Mon Sep 17 00:00:00 2001
From: Joni Hahkala
Date: Tue, 12 Oct 2010 16:44:42 +0000
Subject: [PATCH] fix slash client, the openssl can't parse dn with slashes without escaping the slashes and getting them through evaluated sed string was complicated
---
 bin/generate-test-certificates.sh | 12 ++++++------
 config/req_conf.cnf | 9 +++++++++
 2 files changed, 15 insertions(+), 6 deletions(-)
diff --git a/bin/generate-test-certificates.sh b/bin/generate-test-certificates.sh
index d703307..e9a235a 100755
--- a/bin/generate-test-certificates.sh
+++ b/bin/generate-test-certificates.sh
@@ -44,7 +44,7 @@ function create_cert {
 # if we are in a state where we are generating proxies (${CA_DIR}/serial_proxy.txt exists)
 # then let's transfer the serial number of the last proxy to the serial.txt file for the
 # next new certificate...
- CMD="openssl req -out $filebase.req -newkey rsa:$bits -new -keyout $filebase.priv -config $REQ_CONFIG_FILE -subj \"$dn\" -passout pass:$PASSWORD"
+ CMD="openssl req -out $filebase.req -newkey rsa:$bits -new -keyout $filebase.priv -config $REQ_CONFIG_FILE -passout pass:$PASSWORD"
 case $flags in
 clientserial)
@@ -80,13 +80,13 @@ function create_cert {
 clientfuture)
 echo future user cert $flags
 flags="client"
- CMD="$CMD "
+ CMD="$CMD -subj \"$dn\""
 castring=" -startdate 350101000000Z"
 ;;
 client_slash)
- echo future user cert $flags
+ echo user cert with slash and dots in DN$flags
 flags="client"
- CMD="$CMD -subj \"`echo $dn | sed 's/Utopia/http:\/\/slash.slash.edu:7656\/testing/'`\""
+ CMD="$CMD -subj \"$(echo $dn | sed 's/Utopia/http:\\\/\\\/slash.slash.edu:7656\\\/testing/')\""
 ;;
 *)
 echo normal cert $flags
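Review bot: With `-subj \"$dn\"` removed from the base CMD, every `case $flags` branch now has to append it itself; only `clientfuture` and `client_slash` visibly do so (hunk at line 80), and the `*)` normal branch's command line lies outside both hunks, so if any branch omits it `openssl req` will fall back to prompting for the subject or to the config defaults. A single append after the `case`, e.g. `CMD="$CMD -subj \"$dn\""` right after `esac`, with `client_slash` only rewriting `dn` beforehand, would make the subject impossible to forget per branch. create_cert continues outside the hunk.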
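Review bot: The new `client_slash` echo drops the space before `$flags` (`DN$flags`), unlike the `future user cert $flags` line it replaces and the sibling branches; use `echo user cert with slash and dots in DN $flags`. The rewritten `-subj` value also starts from an unquoted `echo $dn` inside the sed pipeline, so whitespace runs or glob characters in `dn` are altered before the DN reaches openssl — `printf '%s' "$dn" | sed ...` keeps it intact. The escaped literal `http:\\\/\\\/slash.slash.edu:7656\\\/testing` is the same value that the create_cert_proxy hunk at line 151 re-derives with a second sed; defining the escaped URL once in a variable next to the other configuration variables would keep the two from drifting apart. create_cert continues outside the hunk.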
@@ -151,7 +151,7 @@ function create_cert_proxy {
 if [ x$ident == "xproxy_dnerror2" ]; then
 dn="`openssl x509 -in ${X509_SIGNING_CERT} -subject -noout| sed 's/^subject= //'` dnerror2/CN=$4"
 else
- dn="`openssl x509 -in ${X509_SIGNING_CERT} -subject -noout| sed 's/^subject= //'`/CN=$4"
+ dn="$(openssl x509 -in ${X509_SIGNING_CERT} -subject -noout| sed 's/^subject= //' |sed 's/http:\/\/slash.slash.edu:7656\/testing/http:\\\/\\\/slash.slash.edu:7656\\\/testing/')/CN=$4"
 fi
 echo "Creating a proxy cert ${X509_PROX_CERT} for '$dn"
@@ -788,7 +788,6 @@ function create_all {
 create_cert $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" ${TYPE} $DAYS
 create_cert_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy "proxy" $PROXY_VALIDITY
 create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy "proxy" $PROXY_VALIDITY proxy
- openssl ca -revoke $CERT_DIR/${catype}_${TYPE}.cert -config $REQ_CONFIG_FILE
 if [ $catype == "trusted" ]; then
@@ -1009,6 +1008,7 @@ function create_all {
 # generating CRL
 openssl ca -gencrl -crldays $DAYS -out $CA_DIR/${catype}.crl -config $REQ_CONFIG_FILE
+# openssl ca -gencrl -crldays $DAYS -out $CA_DIR/${catype}.crl -config $REQ_CONFIG_FILE -crlexts crl_some_reasons -ver
 # If we have the trusted CA, then generate a user cert/key pair
 # And also a host cert/key pair.
diff --git a/config/req_conf.cnf b/config/req_conf.cnf
index 9e34fd8..e874a11 100644
--- a/config/req_conf.cnf
+++ b/config/req_conf.cnf
@@ -110,3 +110,12 @@ proxyCertInfo=critical,language:id-ppl-independent,pathlen:1
 [ proxy_rfc_limited ]
 proxyCertInfo=critical,language:limitedProxyOid
+
+[ crl_some_reasons ]
+crlDistributionPoints=crldp1_section
+
+[crldp1_section]
+fullname=URI:http://myhost.com/myca.crl
+CRLissuer=dirName:issuer_sect
+reasons=keyCompromise, CACompromise
+
-- 
1.8.2.3
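Review bot: The slash re-escaping is applied only in the `else` assignment, so a `proxy_dnerror2` proxy of the slash client (the unchanged `if` branch just above) still gets a DN with unescaped slashes; unless that combination is never generated, the second `sed` belongs on both assignments, or on `dn` once after `fi`. The added pattern also uses unescaped dots (`slash.slash.edu`), which match any character — harmless for this fixed string but `\.` is the intended form if the pattern stays. The URL is now hard-coded here and in create_cert's `client_slash` branch; one shared variable for the escaped form would keep a change to the test host from having to be made twice. create_cert_proxy continues outside the hunk.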
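Review bot: Removing the `openssl ca -revoke` call means the `${catype}.crl` generated later in create_all (hunk at line 1009) presumably no longer lists this certificate, which changes what any revocation check downstream observes, and neither the commit message nor a comment says why. If the revocation was dropped on purpose, a one-line comment at this spot, e.g. `# NOTE: the ${TYPE} cert is intentionally no longer revoked here; <reason>`, or a sentence in the commit message would keep the changed CRL contents from looking accidental. create_all continues outside the hunk.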
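Review bot: The added line is a commented-out copy of the live `-gencrl` command with `-crlexts crl_some_reasons -ver` appended, i.e. parked dead code with no note on why it is not enabled; `-ver` also does not look like a complete `openssl ca` option (the long form is `-verbose`). Either enable it or replace it with a short intent comment such as `# TODO: generate the CRL with -crlexts crl_some_reasons once the config sections are complete`, so the plan survives without a stale command line that will drift from the real one. create_all continues outside the hunk.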
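Review bot: `[crldp1_section]` sets `CRLissuer=dirName:issuer_sect`, but no `issuer_sect` section is added in this hunk, so unless one already exists elsewhere in req_conf.cnf, `openssl ca -crlexts crl_some_reasons` will fail to load the extension as soon as the commented-out command in the script is enabled. Either add the section alongside `crldp1_section` or drop the `CRLissuer` line until it is needed. `fullname=URI:http://myhost.com/myca.crl` also looks like a placeholder; a comment above it, `# test-only value, not a real distribution point`, would keep it from being mistaken for the CA's actual CRL location.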