From ce3d155b789cab7f538b896dbb5c24449f27fdaa Mon Sep 17 00:00:00 2001 From: John White Date: Mon, 8 Nov 2004 13:45:42 +0000 Subject: [PATCH] Full set of proxy and proxy/proxy are now generated. Approx 500 certificates total. --- bin/generate-test-certificates.sh | 283 ++++++++++++++++++++------------------ 1 file changed, 149 insertions(+), 134 deletions(-) diff --git a/bin/generate-test-certificates.sh b/bin/generate-test-certificates.sh index 0859142..423d19b 100755 --- a/bin/generate-test-certificates.sh +++ b/bin/generate-test-certificates.sh @@ -14,7 +14,10 @@ if [ "$1" == "--all" ]; then CATYPES='trusted' - ## CATYPES='trusted fake big expired' + CATYPES='fake' + CATYPES='big' + CATYPES='expired' + CATYPES='trusted fake big expired' ALL='yes' shift else @@ -56,7 +59,7 @@ function create_cert { return fi - CMD="openssl req -out $filebase.req -new -keyout $filebase.priv -config $REQ_CONFIG_FILE" + CMD="openssl req -out $filebase.req -newkey rsa:1024 -new -keyout $filebase.priv -config $REQ_CONFIG_FILE" echo $CMD; $CMD; case $flags in @@ -93,7 +96,6 @@ function create_cert_proxy { # create_cert_proxy $CERT_DIR/${catype}_client "$catype client" proxy_exp "expired proxy" -1 ending="grid_proxy" - export BITS=512 # This really depends on if we make a proxy or a proxy-proxy X509_SIGNING_CERT=${filebase}.cert @@ -117,7 +119,7 @@ function create_cert_proxy { # maybe no need... make a dummy database, touch and then delete afterwards... touch ${CA_DIR}/index_proxy.txt - CMD="openssl genrsa -f4 -out ${X509_PROX_KEY} ${BITS}; chmod 400 ${filebase}.proxy.priv" + CMD="openssl genrsa -f4 -out ${X509_PROX_KEY} ${PROXY_BITS}; chmod 400 ${filebase}.proxy.priv" echo $CMD; $CMD # Create the certificate request. @@ -159,7 +161,8 @@ function create_cert_proxy { # Clean up stuff rm ${CA_DIR}/serial_proxy.txt ${CA_DIR}/index_proxy.txt - + # most of the cleanup should be done in the create_cert_proxy_proxy function + # since some files need to be kept for signing purposes later! } 
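Review bot: The four new CATYPES assignments at the top of the `--all` branch are dead code — each one is overwritten by the next and only `CATYPES='trusted fake big expired'` takes effect. They read like a way to narrow the run to one CA type while debugging; if that is the intent, keep a single commented alternative, e.g. `CATYPES='trusted fake big expired'  # narrow to e.g. 'big' when debugging one CA`, and drop the rest so the effective value is obvious at a glance.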
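Review bot: `-newkey rsa:1024` pins the end-entity key length to 1024 bits for every CA type, which appears to bypass the `BITS` variable the per-CA loop exports (4096 for `big` in the -491 hunk) — presumably the request config was taking the size from there before this change. If the big-key fixtures are meant to exercise large keys, pass the variable instead: `-newkey rsa:${BITS}`. create_cert's body extends beyond the hunk in both directions.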
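Review bot: The `chmod 400` in the new `CMD` line never runs: `$CMD` is expanded unquoted, so the `;` is handed to `openssl genrsa` as a literal argument rather than separating two commands, and the freshly generated proxy private key keeps whatever mode the umask gives it. The same construct is in the -274 hunk. Run the two commands directly, `openssl genrsa -f4 -out "${X509_PROX_KEY}" "${PROXY_BITS}"` followed by `chmod 400 "${X509_PROX_KEY}"`, and log them with `set -x` or `printf '%s\n'` if the echo is wanted. Note also that this hunk still chmods `${filebase}.proxy.priv` while the -274 hunk was corrected to `${X509_PROX_KEY}`; if the proxy key follows the `${filebase}.${ident}.…` naming that create_cert_proxy_proxy relies on, the `proxy_exp` key would be missed even once the command runs. create_cert_proxy continues outside the hunk.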
@@ -171,99 +174,22 @@ function create_cert_proxy_proxy { export CN=$2 ident=$3 export PROXYNAME=$4 + export PROXYPROXYNAME=$4 validity=$5 signing_pair=$6 ending="grid_proxy_proxy" - export BITS=512 # This really depends on if we make a proxy or a proxy-proxy X509_SIGNING_CERT=${filebase}.${signing_pair}.cert # eg. trusted_client.proxy_exp.cert echo $X509_SIGNING_CERT X509_SIGNING_KEY=${filebase}.${signing_pair}.priv + X509_SIGNING_REQ=${filebase}.${signing_pair}.req X509_PROX_CERT=${filebase}.${ident}.proxy.cert X509_PROX_KEY=${filebase}.${ident}.proxy.priv X509_PROX_REQ=${filebase}.${ident}.proxy.req - X509_PROX_GRID=${filebase}.${ident}.proxy.${ending} - - # Get the serial number of the certificate that will eventually sign the proxy. - # Put it into a temporary file to be read by the ca command later. - SERIAL="`openssl x509 -in ${X509_SIGNING_CERT} -noout -serial | sed 's/^serial=//'`" - echo ${SERIAL} > ${CA_DIR}/serial_proxy.txt - - # Have to 'edit' the ca database to remove the entry for the signing certificate. - # maybe no need... make a dummy database, touch and then delete afterwards... - touch ${CA_DIR}/index_proxy.txt - - CMD="openssl genrsa -f4 -out ${X509_PROX_KEY} ${BITS}; chmod 400 ${filebase}.proxy.proxy.priv" - echo $CMD; $CMD - - # Create the certificate request. - CMD="openssl req -new -out ${X509_PROX_REQ} \ - -key ${X509_PROX_KEY} \ - -config ${REQ_PROXY_PROXY_CONFIG_FILE}" - echo $CMD; $CMD - - # Sign the cert request with the user cert and key. Set the serial number here! - - CMD="openssl ca -in ${X509_PROX_REQ} \ - -cert ${X509_SIGNING_CERT} \ - -keyfile ${X509_SIGNING_KEY} \ - -out ${X509_PROX_CERT} \ - -outdir . 
\ - -config ${CA_PROXY_CONF} -md md5 -days ${validity} -batch \ - -verbose \ - -passin pass:${PASSWORD} -notext \ - -extensions proxy_none " - echo $CMD; $CMD - - # Add the user and proxy certs and the proxy private key to the keystore - openssl pkcs12 -in ${X509_PROX_CERT} \ - -out ${filebase}.proxy.proxy.p12 -export \ - -inkey ${X509_PROX_KEY} \ - -passin pass:${PASSWORD} -passout pass:${PASSWORD} \ - -name "${catype} proxy certificate" -certfile ${X509_SIGNING_CERT} - - # Create a grid proxy file... - # Copy the proxy cert to the grid proxy file. - cp ${X509_PROX_CERT} ${X509_PROX_GRID} - - # Now add the proxy private key to the grid proxy file. - openssl rsa -in ${X509_PROX_KEY} -passin pass:${PASSWORD} >> ${X509_PROX_GRID} - - # Now add the original certificate used to sign the request to the proxy file. - # This should be the certificate issued by the CA to the 'user'. - openssl x509 -in ${X509_SIGNING_CERT} >> ${filebase}.${ending} - chmod 600 ${X509_PROX_GRID} - - # Clean up stuff - rm ${CA_DIR}/serial_proxy.txt ${CA_DIR}/index_proxy.txt \ - ${X509_PROX_REQ} ${X509_PROX_CERT} ${X509_PROX_KEY} \ - ## ${filebase}.proxy.priv ${filebase}.proxy.cert -} - -function create_cert_proxy_proxy_old { - - filebase=$1 - export FILEBASE=${filebase} - export CN=$2 - ending=$3 - export PROXYNAME=$4 - validity=$5 - signing_pair=$6 - - export BITS=512 - X509_SIGNING_CERT=${filebase}.proxy.cert - X509_SIGNING_KEY=${filebase}.proxy.priv - - X509_PROX_CERT=${filebase}.proxy.proxy.cert - X509_PROX_KEY=${filebase}.proxy.proxy.priv - X509_PROX_REQ=${filebase}.proxy.proxy.req - - echo "Creating a proxy proxy cert for '$CN/CN=$PROXYNAME'" - echo " in files named $filebase.(cert|priv)" - echo " with $validity days validity time" + X509_PROX_GRID=${filebase}.${ident}.${ending} # Get the serial number of the certificate that will eventually sign the proxy. # Put it into a temporary file to be read by the ca command later. 
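Review bot: `export PROXYPROXYNAME=$4` duplicates `export PROXYNAME=$4` two lines above with the same value, and nothing in the hunk shows which of the two the proxy-proxy request config reads; a one-line comment such as `# PROXYPROXYNAME is read by req_proxy_proxy_conf.cnf; PROXYNAME kept for the shared proxy config` (adjusted to whichever is actually true) would save the next reader a grep. The bare `echo $X509_SIGNING_CERT` that survives from the old body is an unlabelled debug print; either drop it or turn it into a message like the removed `Creating a proxy proxy cert ...` lines, sent to stderr. create_cert_proxy_proxy starts above the hunk and its body continues below it.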
@@ -274,7 +200,7 @@ function create_cert_proxy_proxy_old { # maybe no need... make a dummy database, touch and then delete afterwards... touch ${CA_DIR}/index_proxy.txt - CMD="openssl genrsa -f4 -out ${X509_PROX_KEY} ${BITS}; chmod 400 ${filebase}.proxy.proxy.priv" + CMD="openssl genrsa -f4 -out ${X509_PROX_KEY} ${PROXY_BITS}; chmod 400 ${X509_PROX_KEY}" echo $CMD; $CMD # Create the certificate request. @@ -312,13 +238,13 @@ function create_cert_proxy_proxy_old { # Now add the original certificate used to sign the request to the proxy file. # This should be the certificate issued by the CA to the 'user'. - openssl x509 -in ${X509_SIGNING_CERT} >> ${filebase}.${ending} + openssl x509 -in ${X509_SIGNING_CERT} >> ${X509_PROX_GRID} chmod 600 ${X509_PROX_GRID} # Clean up stuff rm ${CA_DIR}/serial_proxy.txt ${CA_DIR}/index_proxy.txt \ ${X509_PROX_REQ} ${X509_PROX_CERT} ${X509_PROX_KEY} \ - ## ${filebase}.proxy.priv ${filebase}.proxy.cert + ${X509_SIGNING_CERT} ${X509_SIGNING_KEY} ${X509_SIGNING_REQ} } # create some certificates and copy them to convenient locations 
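Review bot: The cleanup now deletes the signing proxy's `.cert`, `.priv` and `.req`, so create_cert_proxy_proxy is destructive towards the pair it was given and can only be called once per proxy; that ordering constraint is invisible at the call sites in create_all. A comment above the `rm`, e.g. `# Deletes the signing proxy's cert/key/req: call this only after every other use of that proxy`, makes it explicit. Since the `rm` has no `-f`, a missing `.req` (should create_cert_proxy ever start cleaning its own request) would also print an error here. The enclosing function starts above the hunk.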
@@ -367,72 +293,159 @@ function create_all { fi # create valid certs with proxies - create_cert $CERT_DIR/${catype}_client "$catype client" client $DAYS - create_cert_proxy $CERT_DIR/${catype}_client "$catype client" proxy "proxy" 1 - create_cert_proxy $CERT_DIR/${catype}_client "$catype client" proxy_exp "expired proxy" -1 + PROXY_VALIDITY_1=1 + + TYPE="client" + CTYPE="client" + + create_cert $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" ${TYPE} $DAYS + + create_cert_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy "proxy" 1 + create_cert_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_exp "expired proxy" -1 + + create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_proxy "proxy" 1 proxy + create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_proxy_exp "expired proxy" -1 proxy_exp - create_cert_proxy_proxy $CERT_DIR/${catype}_client "$catype client" proxy_proxy "proxy" 1 proxy - create_cert_proxy_proxy $CERT_DIR/${catype}_client "$catype client" proxy_proxy_exp "expired proxy" -1 proxy_exp - break; + TYPE="fclient" + CTYPE="flag client" - # These below have to be fixed to the new method of calling. 
- create_cert $CERT_DIR/${catype}_fclient "$catype flag client" fclient $DAYS - create_cert_proxy $CERT_DIR/${catype}_fclient "$catype flag client" _proxy "proxy" $DAYS - create_cert_proxy $CERT_DIR/${catype}_fclient "$catype flag client" _proxy_exp "expired proxy" -1 + create_cert $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" ${TYPE} $DAYS - create_cert $CERT_DIR/${catype}_server "$catype server" server $DAYS - create_cert_proxy $CERT_DIR/${catype}_server "$catype server" _proxy "proxy" $DAYS - create_cert_proxy $CERT_DIR/${catype}_server "$catype server" _proxy_exp "expired proxy" -1 + create_cert_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy "proxy" 1 + create_cert_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_exp "expired proxy" -1 - create_cert $CERT_DIR/${catype}_clientserver "$catype clientserver" clientserver $DAYS - create_cert_proxy $CERT_DIR/${catype}_clientserver "$catype clientserver" _proxy "proxy" $DAYS - create_cert_proxy $CERT_DIR/${catype}_clientserver "$catype clientserver" _proxy_exp "expired proxy" -1 + create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_proxy "proxy" 1 proxy + create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_proxy_exp "expired proxy" -1 proxy_exp - create_cert $CERT_DIR/${catype}_none "$catype none" none $DAYS - create_cert_proxy $CERT_DIR/${catype}_none "$catype none" _proxy "proxy" $DAYS - create_cert_proxy $CERT_DIR/${catype}_none "$catype none" _proxy_exp "expired proxy" -1 + TYPE="server" + CTYPE="server" + + create_cert $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" ${TYPE} $DAYS + + create_cert_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy "proxy" 1 + create_cert_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_exp "expired proxy" -1 + + create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_proxy "proxy" 1 proxy + create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" 
proxy_proxy_exp "expired proxy" -1 proxy_exp + + TYPE="clientserver" + CTYPE="clientserver" + + create_cert $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" ${TYPE} $DAYS + + create_cert_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy "proxy" 1 + create_cert_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_exp "expired proxy" -1 + + create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_proxy "proxy" 1 proxy + create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_proxy_exp "expired proxy" -1 proxy_exp + + TYPE="none" + CTYPE="none" + + create_cert $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" ${TYPE} $DAYS + + create_cert_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy "proxy" 1 + create_cert_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_exp "expired proxy" -1 + + create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_proxy "proxy" 1 proxy + create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_proxy_exp "expired proxy" -1 proxy_exp # create certs with valid proxies, but expired user certs - create_cert $CERT_DIR/${catype}_client_exp "$catype client expired" client -1 - create_cert_proxy $CERT_DIR/${catype}_client_exp "$catype client expired" _proxy "proxy" $DAYS - create_cert $CERT_DIR/${catype}_fclient_exp "$catype flag client expired" fclient -1 - create_cert_proxy $CERT_DIR/${catype}_fclient_exp "$catype flag client expired" _proxy "proxy" $DAYS + TYPE="client_exp" + CTYPE="client expired" + TYPE2="client" + + create_cert $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" ${TYPE2} -1 + create_cert_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy "proxy" 1 + create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_proxy "proxy" 1 proxy - create_cert $CERT_DIR/${catype}_server_exp "$catype server expired" server -1 - create_cert_proxy $CERT_DIR/${catype}_server_exp "$catype server expired" _proxy "proxy" 
$DAYS + TYPE="fclient_exp" + CTYPE="flag client expired" + TYPE2="fclient" - create_cert $CERT_DIR/${catype}_clientserver_exp "$catype clientserver expired" clientserver -1 - create_cert_proxy $CERT_DIR/${catype}_clientserver_exp "$catype clientserver expired" _proxy "proxy" $DAYS + create_cert $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" ${TYPE2} -1 + create_cert_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy "proxy" 1 + create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_proxy "proxy" 1 proxy - create_cert $CERT_DIR/${catype}_none_exp "$catype none expired" none -1 - create_cert_proxy $CERT_DIR/${catype}_none_exp "$catype none expired" _proxy "proxy" $DAYS + TYPE="server_exp" + CTYPE="flag server expired" + TYPE2="server" - # create revoked certs - create_cert $CERT_DIR/${catype}_client_rev "$catype client revoked" client $DAYS - create_cert_proxy $CERT_DIR/${catype}_client_rev "$catype client revoked" _proxy "proxy" $DAYS + create_cert $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" ${TYPE2} -1 + create_cert_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy "proxy" 1 + create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_proxy "proxy" 1 proxy - create_cert $CERT_DIR/${catype}_fclient_rev "$catype flag client revoked" fclient $DAYS - create_cert_proxy $CERT_DIR/${catype}_fclient_rev "$catype flag client revoked" _proxy "proxy" $DAYS + TYPE="clientserver_exp" + CTYPE="clientserver expired" + TYPE2="clientserver" - create_cert $CERT_DIR/${catype}_server_rev "$catype server revoked" server $DAYS - create_cert_proxy $CERT_DIR/${catype}_server_rev "$catype server revoked" _proxy "proxy" $DAYS + create_cert $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" ${TYPE2} -1 + create_cert_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy "proxy" 1 + create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_proxy "proxy" 1 proxy - create_cert $CERT_DIR/${catype}_clientserver_rev 
"$catype clientserver revoked" clientserver $DAYS - create_cert_proxy $CERT_DIR/${catype}_clientserver_rev "$catype clientserver revoked" _proxy "proxy" $DAYS + TYPE="none_exp" + CTYPE="none expired" + TYPE2="none" - create_cert $CERT_DIR/${catype}_none_rev "$catype none revoked" none $DAYS - create_cert_proxy $CERT_DIR/${catype}_none_rev "$catype none revoked" _proxy "proxy" $DAYS + create_cert $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" ${TYPE2} -1 + create_cert_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy "proxy" 1 + create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_proxy "proxy" 1 proxy - openssl ca -revoke $CERT_DIR/${catype}_client_rev.cert -config $CA_CONF - openssl ca -revoke $CERT_DIR/${catype}_fclient_rev.cert -config $CA_CONF - openssl ca -revoke $CERT_DIR/${catype}_server_rev.cert -config $CA_CONF - openssl ca -revoke $CERT_DIR/${catype}_clientserver_rev.cert -config $CA_CONF - openssl ca -revoke $CERT_DIR/${catype}_none_rev.cert -config $CA_CONF +# Create revoked certificates + + TYPE="client_rev" + CTYPE="client revoked" + TYPE2="client" + + create_cert $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" ${TYPE2} -1 + create_cert_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy "proxy" 1 + create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_proxy "proxy" 1 proxy + openssl ca -revoke $CERT_DIR/${catype}_${TYPE}.cert -config $CA_CONF + + TYPE="fclient_rev" + CTYPE="flag client revoked" + TYPE2="fclient" + + create_cert $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" ${TYPE2} -1 + create_cert_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy "proxy" 1 + create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_proxy "proxy" 1 proxy + openssl ca -revoke $CERT_DIR/${catype}_${TYPE}.cert -config $CA_CONF + + TYPE="server_rev" + CTYPE="server revoked" + TYPE2="server" + + create_cert $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" ${TYPE2} -1 + 
create_cert_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy "proxy" 1 + create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_proxy "proxy" 1 proxy + openssl ca -revoke $CERT_DIR/${catype}_${TYPE}.cert -config $CA_CONF + + TYPE="clientserver_rev" + CTYPE="clientserver revoked" + TYPE2="clientserver" + + create_cert $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" ${TYPE2} -1 + create_cert_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy "proxy" 1 + create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_proxy "proxy" 1 proxy + openssl ca -revoke $CERT_DIR/${catype}_${TYPE}.cert -config $CA_CONF + + TYPE="none_rev" + CTYPE="none revoked" + TYPE2="none" + + create_cert $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" ${TYPE2} -1 + create_cert_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy "proxy" 1 + create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_proxy "proxy" 1 proxy + openssl ca -revoke $CERT_DIR/${catype}_${TYPE}.cert -config $CA_CONF # some extra certificates - # create_cert_proxy $CERT_DIR/${catype}_client "$catype client dnerror" _proxy_dnerror "proxy" $DAYS + + TYPE="client" + CTYPE="client dnerror" + TYPE2="_proxy_dnerror" + create_cert_proxy $CERT_DIR/${catype}_client "$catype client dnerror" ${TYPE2} "proxy" $DAYS # generating CRL openssl ca -gencrl -crldays 10000 -out $CA_DIR/${catype}.crl -config $CA_CONF @@ -491,6 +504,8 @@ for catype in $CATYPES; do export REQ_CONFIG_FILE=$CA_DIR/req_conf.cnf export REQ_PROXY_CONFIG_FILE=$CA_DIR/req_proxy_conf.cnf export REQ_PROXY_PROXY_CONFIG_FILE=$CA_DIR/req_proxy_proxy_conf.cnf + export PROXY_BITScvs commit=512 + if [ "$catype" = "big" ]; then export BITS=4096 else -- 1.8.2.3
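Review bot: The revoked fixtures under `# Create revoked certificates` are now created with validity `-1` (`create_cert ... ${TYPE2} -1`), whereas the removed lines used `$DAYS`; a certificate that is both expired and revoked no longer isolates CRL checking, because a verifier may reject it on expiry before ever consulting the CRL. Restore `$DAYS` for the five `*_rev` `create_cert` calls unless expired-and-revoked is intended, and say so in the comment if it is. Two smaller slips in the same block: `CTYPE="flag server expired"` for `server_exp` looks copied from the fclient case (every other server description says `server`), and `PROXY_VALIDITY_1=1` is assigned but never used. The trailing dnerror block sets `TYPE`/`CTYPE` and then ignores them in the call; create_all continues outside the hunk.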
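Review bot: `export PROXY_BITScvs commit=512` does not define PROXY_BITS: the shell exports an (unset) variable named `PROXY_BITScvs` and sets `commit=512`, which looks like a stray "cvs commit" typed into the editor mid-line. The `genrsa` calls in the -117 and -274 hunks therefore expand `${PROXY_BITS}` to nothing, and depending on the openssl version either fall back to its default key length or reject the remaining arguments and generate no key at all. The line should read `export PROXY_BITS=512`. The per-CA loop continues outside the hunk.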