From 1c29ab67ef2ac94492c020970d408da161c0eb06 Mon Sep 17 00:00:00 2001
From: John White
Date: Fri, 28 Jan 2005 14:35:57 +0000
Subject: [PATCH] I have fixed the proxy serial number problem. The test proxies now have serial numbers different from one another.
---
 bin/generate-test-certificates.sh | 54 +++++++++++++++++++++++++++++----------
 1 file changed, 41 insertions(+), 13 deletions(-)
diff --git a/bin/generate-test-certificates.sh b/bin/generate-test-certificates.sh
index a824568..d0f7098 100755
--- a/bin/generate-test-certificates.sh
+++ b/bin/generate-test-certificates.sh
@@ -37,6 +37,11 @@ function create_cert {
 return
 fi
+ # if we are in a state where we are generating proxies (${CA_DIR}/serial_proxy.txt exists)
+ # then let's transfer the serial number of the last proxy to the serial.txt file for the
+ # next new certificate...
+
+
 CMD="openssl req -out $filebase.req -newkey rsa:1024 -new -keyout $filebase.priv -config $REQ_CONFIG_FILE"
 echo $CMD; $CMD;
@@ -53,6 +58,13 @@ function create_cert {
 echo "No certificate is generated."
 esac
+ # Get the serial number of the certificate that will eventually sign the proxy.
+ # Put it into a temporary file to be read by the ca command later.
+
+ SERIAL="`openssl x509 -in ${filebase}.cert -noout -serial | sed 's/^serial=//'`"
+ echo ${SERIAL} > ${CA_DIR}/serial_proxy.txt
+ # cat ${CA_DIR}/serial_proxy.txt
+
 # some minor cleanup
 rm $filebase.req 
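Review bot: The five lines added after `fi` in the `@@ -37,6 +37,11 @@` hunk are a comment with no code under it: they promise to transfer the last proxy's serial number into serial.txt when `${CA_DIR}/serial_proxy.txt` exists, but nothing in create_cert does that; the copy is done in create_cert_proxy. A reader will assume the hand-over happens here. Either drop the block or replace it with a pointer such as `# NOTE: the serial_proxy.txt -> serial.txt hand-over is done in create_cert_proxy after the proxy is signed`. create_cert starts before this hunk.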
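Review bot: In the `@@ -53,6 +58,13 @@` hunk the new `openssl x509 -in ${filebase}.cert` call runs unconditionally after the `esac`, although the case above has a branch that prints "No certificate is generated." and leaves no `${filebase}.cert` behind; on that path openssl fails, `SERIAL` is empty and an empty serial_proxy.txt is written, which the later `cp` onto serial.txt turns into an empty CA serial counter. Guard the extraction on the file actually existing, e.g. `if [ -s "${filebase}.cert" ]; then` / `openssl x509 -in "${filebase}.cert" -noout -serial | sed 's/^serial=//' > "${CA_DIR}/serial_proxy.txt"` / `fi`, and check the pipeline's status before trusting the file. The commented-out `# cat ${CA_DIR}/serial_proxy.txt` is debug residue and should go. create_cert continues outside the hunk.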
@@ -88,11 +100,6 @@ function create_cert_proxy {
 echo " in files named $filebase.(cert|priv)"
 echo " with $validity days validity time"
- # Get the serial number of the certificate that will eventually sign the proxy.
- # Put it into a temporary file to be read by the ca command later.
- SERIAL="`openssl x509 -in ${filebase}.cert -noout -serial | sed 's/^serial=//'`"
- echo ${SERIAL} > ${CA_DIR}/serial_proxy.txt
-
 # Have to 'edit' the ca database to remove the entry for the signing certificate.
 # maybe no need... make a dummy database, touch and then delete afterwards...
 touch ${CA_DIR}/index_proxy.txt
@@ -137,8 +144,10 @@ function create_cert_proxy {
 openssl x509 -in ${X509_SIGNING_CERT} >> ${X509_PROX_GRID}
 chmod 600 ${X509_PROX_GRID}
+ cp ${CA_DIR}/serial_proxy.txt ${CA_DIR}/serial.txt
+
 # Clean up stuff
- rm ${CA_DIR}/serial_proxy.txt ${CA_DIR}/index_proxy.txt
+ # rm ${CA_DIR}/serial_proxy.txt ${CA_DIR}/index_proxy.txt
 # most of the cleanup should be done in the create_cert_proxy_proxy function
 # since some files need to be kept for signing purposes later!
 }
@@ -171,8 +180,8 @@ function create_cert_proxy_proxy {
 # Get the serial number of the certificate that will eventually sign the proxy.
 # Put it into a temporary file to be read by the ca command later.
- SERIAL="`openssl x509 -in ${X509_SIGNING_CERT} -noout -serial | sed 's/^serial=//'`"
- echo ${SERIAL} > ${CA_DIR}/serial_proxy.txt
+ # SERIAL="`openssl x509 -in ${X509_SIGNING_CERT} -noout -serial | sed 's/^serial=//'`"
+ # echo ${SERIAL} > ${CA_DIR}/serial_proxy.txt
 # Have to 'edit' the ca database to remove the entry for the signing certificate.
 # maybe no need... make a dummy database, touch and then delete afterwards...
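Review bot: In the `@@ -137,8 +144,10 @@` hunk, `cp ${CA_DIR}/serial_proxy.txt ${CA_DIR}/serial.txt` replaces the CA's serial counter with the proxy counter without checking that serial_proxy.txt exists and is non-empty; if it is missing the `cp` only prints an error and the stale serial.txt stays, and if it is empty the next `openssl ca` run gets a blank serial file, so either way the uniqueness of serial numbers issued under this CA is no longer guaranteed. Guard it with `[ -s "${CA_DIR}/serial_proxy.txt" ] || { echo "serial_proxy.txt missing or empty" >&2; return 1; }` before the `cp`. The same unguarded copy is added to create_cert_proxy_proxy in the `@@ -219,10 +228,12 @@` hunk. Disabling the `rm` also means the index_proxy.txt created by the `touch` above now accumulates entries across proxies instead of being fresh per proxy; whether the unique-subject handling of `openssl ca` then rejects a later proxy with an identical subject depends on the CA config, which is not visible here. create_cert_proxy starts before this hunk.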
@@ -219,10 +228,12 @@ function create_cert_proxy_proxy {
 openssl x509 -in ${X509_SIGNING_CERT} >> ${X509_PROX_GRID}
 chmod 600 ${X509_PROX_GRID}
+ cp ${CA_DIR}/serial_proxy.txt ${CA_DIR}/serial.txt
+
 # Clean up stuff
- rm ${CA_DIR}/serial_proxy.txt ${CA_DIR}/index_proxy.txt \
- ${X509_PROX_REQ} ${X509_PROX_CERT} ${X509_PROX_KEY} \
- ${X509_SIGNING_CERT} ${X509_SIGNING_KEY} ${X509_SIGNING_REQ}
+ # rm ${CA_DIR}/serial_proxy.txt ${CA_DIR}/index_proxy.txt \
+ # ${X509_PROX_REQ} ${X509_PROX_CERT} ${X509_PROX_KEY} \
+ # ${X509_SIGNING_CERT} ${X509_SIGNING_KEY} ${X509_SIGNING_REQ}
 }
 # create some certificates and copy them to convenient locations
@@ -268,6 +279,7 @@ function create_all {
 mv $CERT_DIR/${catype}_client.priv ../../../userkey.pem
 mv $CERT_DIR/${catype}_server.cert ../../../hostcert.pem
 mv $CERT_DIR/${catype}_server.priv ../../../hostkey.pem
+ rm ${CA_DIR}/serial_proxy.txt; # touch ${CA_DIR}/serial_proxy.txt
 fi
 # create valid certs with proxies
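Review bot: Commenting out the `rm` in create_cert_proxy_proxy (first hunk) stops removing `${X509_PROX_KEY}`, `${X509_SIGNING_KEY}` and the other intermediate request/cert/key files, and the final cleanup this commit adds to create_all only deletes serial_proxy.txt and index_proxy.txt, so those private keys now stay on disk after the run. If some of them must survive for later signing, say which ones and delete the rest at the end of create_all instead of leaving the whole three-line `# rm …` disabled as documentation. In the second hunk, `rm ${CA_DIR}/serial_proxy.txt;` fails noisily on a first run where the file does not exist yet; `rm -f -- "${CA_DIR}/serial_proxy.txt"` is the idiom, and the trailing `# touch` remnant can be dropped. create_cert_proxy_proxy starts before the hunk.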
@@ -277,23 +289,36 @@ function create_all {
 TYPE="client"
 CTYPE="client"
+ # i=0;
+ # let "i += 1"; echo "State : $i"; cat ${CA_DIR}/serial_proxy.txt; echo;
+ ls -l ${CA_DIR}/.
+
 create_cert $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" ${TYPE} $DAYS
+ # let "i += 1"; echo "State : $i"; cat ${CA_DIR}/serial_proxy.txt; echo;
 create_cert_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy "proxy" 1
+ # let "i += 1"; echo "State : $i"; cat ${CA_DIR}/serial_proxy.txt; echo;
 create_cert_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_exp "expired proxy" -1
+ # let "i += 1"; echo "State : $i"; cat ${CA_DIR}/serial_proxy.txt; echo;
 create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_proxy "proxy" 1 proxy
+ # let "i += 1"; echo "State : $i"; cat ${CA_DIR}/serial_proxy.txt; echo;
 create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_proxy_exp "expired proxy" -1 proxy_exp
 TYPE="fclient"
 CTYPE="flag client"
+ # let "i += 1"; echo "State : $i"; cat ${CA_DIR}/serial_proxy.txt; echo;
 create_cert $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" ${TYPE} $DAYS
-
+ # Is there a problem here? The serial # does not advance after writing the certificate. Check later.
+ # let "i += 1"; echo "State : $i"; cat ${CA_DIR}/serial_proxy.txt; echo;
 create_cert_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy "proxy" 1
+ # let "i += 1"; echo "State : $i"; cat ${CA_DIR}/serial_proxy.txt; echo;
 create_cert_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_exp "expired proxy" -1
+ # let "i += 1"; echo "State : $i"; cat ${CA_DIR}/serial_proxy.txt; echo;
 create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_proxy "proxy" 1 proxy
+ # let "i += 1"; echo "State : $i"; cat ${CA_DIR}/serial_proxy.txt; echo;
 create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_proxy_exp "expired proxy" -1 proxy_exp
 TYPE="server"
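Review bot: `ls -l ${CA_DIR}/.` is live debugging output left in create_all, and the `# i=0;` line plus the fourteen disabled `# let "i += 1"; echo "State : $i"; …` lines are instrumentation that add nothing to the function; remove them, or keep one guarded line such as `[ -n "$DEBUG" ] && ls -l -- "${CA_DIR}"` if the listing is still wanted. The note `# Is there a problem here? The serial # does not advance after writing the certificate. Check later.` records an open doubt about the very bug the commit message says is fixed; resolve it before merging, or turn it into `# TODO(owner): confirm serial.txt advances after create_cert for fclient` with the observation attached so it is tracked rather than a question left in the code. create_all continues outside the hunk.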
@@ -428,6 +453,10 @@ function create_all {
 # generating CRL
 openssl ca -gencrl -crldays 10000 -out $CA_DIR/${catype}.crl -config $CA_CONF
+ # now do the clean-up?
+
+ rm ${CA_DIR}/serial_proxy.txt ${CA_DIR}/index_proxy.txt
+
 }
 function create_all_test {
@@ -529,7 +558,6 @@ for catype in $CATYPES; do
 if [ -n "$ALL" ]; then
 create_all
- ## create_all_test
 else
 create_some
 fi
-- 
1.8.2.3
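Review bot: The final `rm ${CA_DIR}/serial_proxy.txt ${CA_DIR}/index_proxy.txt` in the first hunk is unconditional, so a run that never created a proxy ends with an error from rm; `rm -f -- "${CA_DIR}/serial_proxy.txt" "${CA_DIR}/index_proxy.txt"` is the idiom. `openssl ca` also writes `.attr` and `.old` companions next to its database and serial files, so `index_proxy.txt.attr`, `index_proxy.txt.old` and `serial_proxy.txt.old` will probably remain in `${CA_DIR}` after this cleanup — worth confirming against a generated directory and adding to the list. `# now do the clean-up?` should become a statement of what is removed and why it waits until after the CRL, e.g. `# remove the proxy signing state; it is kept until here because every proxy signer reads it`. The second hunk only drops a commented-out call.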