From edc35b218e4f367f9fbb1183ba3a00539b605b18 Mon Sep 17 00:00:00 2001 From: Joni Hahkala Date: Thu, 25 Jun 2009 15:42:54 +0000 Subject: [PATCH] add kalle's bad CA --- bin/generate-ca-certificates-for-cvs.sh | 2 +- bin/generate-test-certificates.sh | 85 +++++++++++++++++++++++++++++++-- 2 files changed, 81 insertions(+), 6 deletions(-) diff --git a/bin/generate-ca-certificates-for-cvs.sh b/bin/generate-ca-certificates-for-cvs.sh index 62d983a..3a2ed66 100755 --- a/bin/generate-ca-certificates-for-cvs.sh +++ b/bin/generate-ca-certificates-for-cvs.sh @@ -17,7 +17,7 @@ CONFIGDIR=$PWD/$(dirname $0)/../config BASEDIR=$PWD/$(dirname $0)/../test CONFIGFILES="index.txt serial.txt ca_conf.cnf ca_proxy_conf.cnf req_conf.cnf req_proxy_conf.cnf req_proxy_proxy_conf.cnf" export PASSWORD='changeit' -CATYPES='trusted fake big expired' +CATYPES='trusted fake big expired bad' BIG_BITS=8192 SMALL_BITS=1024 diff --git a/bin/generate-test-certificates.sh b/bin/generate-test-certificates.sh index 1bdaa5d..18fcc7d 100755 --- a/bin/generate-test-certificates.sh +++ b/bin/generate-test-certificates.sh 
@@ -440,6 +440,74 @@ EOF } +function create_bad { + + # generating client certificate + create_cert $CERT_DIR/${catype}_client00 "$LOGNAME" client $DAYS + + # create cert with mismatched signing_policy + export CN="bad policy client" + CMD="openssl req -out $CERT_DIR/bad_policy.req -newkey rsa:$bits -new -keyout $CERT_DIR/bad_policy.priv -config $CA_DIR/req_conf_policy.cnf" + echo $CMD; $CMD + CMD="openssl ca -in $CERT_DIR/bad_policy.req -out $CERT_DIR/bad_policy.cert -outdir $tmpdir -md md5 -config $CA_CONF -batch -days $DAYS" + echo $CMD; $CMD + + # create a cert which is not vaild yet + export CN="bad future client" + theyear=`date +%Y` + let "theyear += 1 " + valid=${theyear:2}`date +%m%d`000000Z + CMD="openssl req -out $CERT_DIR/bad_future.req -newkey rsa:$bits -new -keyout $CERT_DIR/bad_future.priv -config $CA_DIR/req_conf_future.cnf" + echo $CMD; eval $CMD + CMD="openssl ca -in $CERT_DIR/bad_future.req -out $CERT_DIR/bad_future.cert -outdir $tmpdir -md md5 -config $CA_CONF -batch -startdate $valid -days $DAYS" + echo $CMD; $CMD + + # create host cert with mismatched signing_policy + export CN="$HOSTNAME" + CMD="openssl req -out $CERT_DIR/bad_policy_host.req -newkey rsa:$bits -new -keyout $CERT_DIR/bad_policy_host.priv -config $CA_DIR/req_conf_policy.cnf" + echo $CMD; $CMD + CMD="openssl ca -in $CERT_DIR/bad_policy_host.req -out $CERT_DIR/bad_policy_host.cert -outdir $tmpdir -md md5 -config $CA_CONF -batch -days $DAYS" + echo $CMD; $CMD + + # create revoked host cert + export CN="$HOSTNAME" + CMD="openssl req -out $CERT_DIR/bad_revoked_host.req -newkey rsa:$bits -new -keyout $CERT_DIR/bad_revoked_host.priv -config $CA_DIR/req_conf.cnf" + echo $CMD; $CMD + CMD="openssl ca -in $CERT_DIR/bad_revoked_host.req -out $CERT_DIR/bad_revoked_host.cert -outdir $tmpdir -md md5 -config $CA_CONF -batch -days $DAYS" + echo $CMD; $CMD + + openssl ca -revoke $CERT_DIR/bad_revoked_host.cert -config $CA_CONF + + # create expired host cert + export CN="$HOSTNAME" + CMD="openssl 
req -out $CERT_DIR/bad_expired_host.req -newkey rsa:$bits -new -keyout $CERT_DIR/bad_expired_host.priv -config $CA_DIR/req_conf.cnf" + echo $CMD; $CMD + CMD="openssl ca -in $CERT_DIR/bad_expired_host.req -out $CERT_DIR/bad_expired_host.cert -outdir $tmpdir -md md5 -config $CA_CONF -batch -days -1" + echo $CMD; $CMD + + + # generating CRL + openssl ca -gencrl -crldays 10000 -out $CA_DIR/${catype}.crl -config $CA_CONF + + # generating a signing_policy file + subject_name=$(openssl x509 -in $CA_DIR/${catype}.cert -subject -noout) + cat < $CA_DIR/${catype}.signing_policy +# Signing policy file for the $(echo "$subject_name" | sed -e 's#^.*/CN=##') +access_id_CA X509 '${subject_name:9}' +pos_rights globus CA:sign +cond_subjects globus '"$(echo "${subject_name:9}" | sed -e 's#/CN=.*$##')/*"' +EOF + + cat < $CA_DIR/${catype}.namespaces +# Namespace for the $(echo "$subject_name" | sed -e 's#^.*/CN=##') +TO Issuer "${subject_name:9} \\" + PERMIT Subject "$(echo "${subject_name:9}" | sed -e 's#/CN=.*$##')/*" + +EOF + +} + + # create all certificates function create_all { @@ -689,7 +757,7 @@ while true; do case "$1" in -a|--all) ALL='yes' - CATYPES='trusted fake big expired' + CATYPES='trusted fake big expired bad' shift ;; -s|--some) @@ -804,15 +872,22 @@ for catype in $CATYPES; do fi mkdir -p $CERT_DIR - - if [ "$ALL" = "yes" ]; then - create_all + + if [ $catype = "bad" ] ; then + #Create a CA with bad certificates (namespaces, signing policies etc.) + create_bad else - create_some + + if [ "$ALL" = "yes" ]; then + create_all + else + create_some + fi fi done + [ "$ONLYENV" = 'yes' ] || echo "Easy usage environmental variable settings:" echo "export X509_CERT_DIR=$TARGETDIR/grid-security/certificates" echo "export X509_USER_CERT=$TARGETDIR/home/usercert.pem" -- 1.8.2.3
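Review bot: None of the `openssl req`/`openssl ca` invocations in create_bad check their exit status, so unless the script runs under `set -e` (not visible in the hunk) a failed request or signing step leaves the corresponding `$CERT_DIR/bad_*.cert` missing while the function carries on to `openssl ca -revoke`, the CRL and the policy files, yielding a partially built "bad" CA that tests may misread. The `CMD="…"; echo $CMD; $CMD` pattern also depends on word-splitting of `$CERT_DIR`/`$CA_DIR`/`$CA_CONF` and is applied inconsistently (the bad_future request runs `eval $CMD`, every other step plain `$CMD`); a small helper that logs the argv and fails fast removes both issues, see below. `$CA_DIR/req_conf_policy.cnf` and `$CA_DIR/req_conf_future.cnf` are referenced here but not added by this patch (the diffstat lists only the two scripts) and do not appear in the CONFIGFILES list changed in the first hunk, so they presumably come from another commit — worth confirming before relying on this CA type. `${subject_name:9}` assumes `openssl x509 -subject -noout` prints exactly the nine characters `subject= ` first, which varies across OpenSSL versions; `sed 's/^subject= *//'` (or an explicit `-nameopt`) is more robust. Signing every fixture with `-md md5` may also make newer validators reject them before the intended defect (mismatched policy, future start date, revocation, expiry) is ever reached, unless a weak digest is itself one of the properties under test.
```shell
# Log one command and run it, aborting the "bad" CA build on the first failure.
run() {
  printf '%q ' "$@"; echo
  "$@" || { echo "command failed, aborting create_bad" >&2; exit 1; }
}

function create_bad {
  # … unchanged: client certificate …
  export CN="bad policy client"
  run openssl req -out "$CERT_DIR/bad_policy.req" -newkey "rsa:$bits" -new \
    -keyout "$CERT_DIR/bad_policy.priv" -config "$CA_DIR/req_conf_policy.cnf"
  run openssl ca -in "$CERT_DIR/bad_policy.req" -out "$CERT_DIR/bad_policy.cert" \
    -outdir "$tmpdir" -md md5 -config "$CA_CONF" -batch -days "$DAYS"
  # … unchanged: remaining bad_* certificates, converted the same way; CRL and policy files …
```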
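Review bot: `if [ $catype = "bad" ] ; then` leaves `$catype` unquoted while the sibling test two lines below quotes `"$ALL"`; writing it `if [ "$catype" = "bad" ]; then` keeps the two tests consistent and avoids a `[` syntax error should CATYPES ever yield an empty word or one containing IFS characters. The comment `#Create a CA with bad certificates (namespaces, signing policies etc.)` would read more precisely as `# "bad" CA type: the CA itself is valid, its end-entity certificates are deliberately flawed`, since create_bad only ever emits a correct signing_policy and namespaces file. The enclosing `for catype in $CATYPES` loop begins outside the hunk.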