From 1b78e3ba60f65c3451e224b9be1b6f767a35b028 Mon Sep 17 00:00:00 2001
From: Akos Frohner
Date: Tue, 19 Oct 2004 00:58:09 +0000
Subject: [PATCH 1/1] ca certs
---
 bin/generate-test-certificates.sh | 74 ++++++++++++++++++++++++
 config/ca_conf.cnf | 53 +++++++++++++++++
 config/index.txt | 0
 config/req_conf.cnf | 31 ++++++++++
 config/req_proxy_conf.cnf | 33 +++++++++++
 config/req_proxy_proxy_conf.cnf | 35 ++++++++++++
 config/serial.txt | 1 +
 doc/README | 116 ++++++++++++++++++++++++++++++++++++++
 8 files changed, 343 insertions(+)
 create mode 100755 bin/generate-test-certificates.sh
 create mode 100644 config/ca_conf.cnf
 create mode 100644 config/index.txt
 create mode 100644 config/req_conf.cnf
 create mode 100644 config/req_proxy_conf.cnf
 create mode 100644 config/req_proxy_proxy_conf.cnf
 create mode 100644 config/serial.txt
 create mode 100644 doc/README
diff --git a/bin/generate-test-certificates.sh b/bin/generate-test-certificates.sh
new file mode 100755
index 0000000..43fc707
--- /dev/null
+++ b/bin/generate-test-certificates.sh
@@ -0,0 +1,74 @@
+#!/bin/bash
+
+#
+# Copyright (c) Members of the EGEE Collaboration. 2004.
+# See http://public.eu-egee.org/partners/ for details on
+# the copyright holders.
+# For license conditions see the license file or
+# http://eu-egee.org/license.html
+#
+# Authors:
+# Joni Hahkala
+# Akos Frohner
+#
+
+BASEDIR=$1
+
+CONFIGDIR=$PWD/$(dirname $0)/../config
+CONFIGFILES="index.txt serial.txt ca_conf.cnf req_conf.cnf req_proxy_conf.cnf req_proxy_proxy_conf.cnf"
+export PASSWORD='changeit'
+CATYPES='trusted fake big expired'
+
+function create_ca {
+ catype=$1
+ CADIR=ca-${catype}
+ if [ ! -f ${CADIR}/serial.txt ]; then
+ mkdir -p ${CADIR}
+ cd ${CADIR}
+ for config in ${CONFIGFILES}; do
+ cp $CONFIGDIR/$config .
+ done
+
+ if [ "$catype" = "big" ]; then
+ export BITS=4096
+ else
+ export BITS=1024
+ fi
+
+ if [ "$catype" = "expired" ]; then
+ DAYS='-days -1'
+ else
+ DAYS='-days 10000'
+ fi
+
+ export CN="the $catype CA"
+ openssl req -new -x509 -out ca-${catype}.cert $DAYS -nodes \
+ -keyout ca-${catype}.priv -config req_conf.cnf
+ openssl pkcs12 -export -in ca-${catype}.cert -inkey ca-${catype}.priv \
+ -out ca-${catype}.p12 -passin "pass:$PASSWORD" -passout "pass:$PASSWORD"
+ echo -n "Generated CA certificate with "
+ openssl x509 -noout -subject -in ca-${catype}.cert
+ fi
+}
+
+############################## main ################################
+
+
+if [ ! -d "$BASEDIR" ]; then
+ echo "Error: no basedir is given!"
+ exit -1
+fi
+
+BASEDIR="$BASEDIR/share/test/glite-security-test-utils"
+mkdir -p $BASEDIR
+cd $BASEDIR
+ABSBASEDIR=$(pwd)
+
+for catype in $CATYPES; do
+ echo "+-----------------------"
+ echo "| $catype"
+ echo "+-----------------------"
+ create_ca $catype
+ cd $ABSBASEDIR
+done
+
diff --git a/config/ca_conf.cnf b/config/ca_conf.cnf
new file mode 100644
index 0000000..ec4ed3e
--- /dev/null
+++ b/config/ca_conf.cnf
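Review bot: `cd ${CADIR}` in create_ca is unchecked and the script never sets `set -e`, so if the cd fails the cp loop and both openssl calls run in the caller's directory and the unencrypted (`-nodes`) CA key lands there; `cd "${CADIR}" || return 1`, and a `umask 077` before the openssl calls would keep the `.priv` files from being created world-readable under the default umask. `CONFIGDIR=$PWD/$(dirname $0)/../config` breaks when the script is invoked by an absolute path, because `$PWD` is then prepended to an already absolute directory; `CONFIGDIR=$(cd "$(dirname "$0")/.." && pwd)/config` resolves both cases. `exit -1` is not a valid exit status and bash reports it as 255; `exit 1`. The `! -f ${CADIR}/serial.txt` guard also means a run that fails after the cp loop is never retried on the next invocation, because serial.txt is copied into place before any key is generated. Passing `"pass:$PASSWORD"` on the command line exposes the value to other users through the process list; OpenSSL accepts `-passin env:PASSWORD` and the variable is already exported.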
@@ -0,0 +1,53 @@
+[ca]
+default_ca = CA_default
+
+[CA_default]
+dir = $ENV::CA_DIR
+database = $dir/index.txt
+serial = $dir/serial.txt
+
+certificate = $dir/$ENV::CA_DIR.cert
+private_key = $dir/$ENV::CA_DIR.priv
+
+policy = policy_any
+
+[policy_any]
+countryName = supplied
+stateOrProvinceName = optional
+localityName = optional
+organizationName = optional
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+
+[ ca_cert ]
+basicConstraints=CA:TRUE
+
+
+[ ca_server ]
+# This is OK for an SSL server.
+nsCertType = server
+nsComment = "OpenSSL Generated Server Certificate"
+
+# For an object signing certificate this would be used.
+# nsCertType = objsign
+
+[ ca_client ]
+# For normal client use this is typical
+nsCertType = client, email
+nsComment = "OpenSSL Generated Client Certificate"
+
+[ ca_clientserver ]
+# For normal client use this is typical
+nsCertType = server, client, email
+nsComment = "OpenSSL Generated Client Server Certificate"
+
+# and for everything including object signing:
+# nsCertType = client, email, objsign
+
+[ ca_client_flags ]
+# This is typical in keyUsage for a client certificate.
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+# This will be displayed in Netscape's comment listbox.
+nsComment = "OpenSSL Generated Client Certificate with Flags"
diff --git a/config/index.txt b/config/index.txt
new file mode 100644
index 0000000..e69de29
diff --git a/config/req_conf.cnf b/config/req_conf.cnf
new file mode 100644
index 0000000..28ea218
--- /dev/null
+++ b/config/req_conf.cnf
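Review bot: `dir = $ENV::CA_DIR` in [CA_default] makes every use of this file depend on CA_DIR being exported, yet bin/generate-test-certificates.sh in this same patch only assigns the unexported shell variable CADIR (no underscore) and never references ca_conf.cnf, so the first `openssl ca -config ca_conf.cnf` run would abort on the undefined variable unless a caller outside this patch exports it. A header comment, `# Requires CA_DIR (the CA directory name, e.g. ca-trusted) exported by the caller`, would make that contract visible. [CA_default] also lacks `new_certs_dir` and `default_md`, which as far as I recall `openssl ca` refuses to run without unless they are given on the command line; `new_certs_dir = $dir/newcerts` and `default_md = sha256` (the md5/sha1 defaults of that era are rejected by current verifiers). The `[ ca_server ]`, `[ ca_client ]` and related sections only take effect when selected with `-extensions`; nothing in [CA_default] names one, so either document that in the file or set an `x509_extensions` default.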
@@ -0,0 +1,31 @@
+[ req ]
+default_bits = $ENV::BITS
+default_keyfile = keyfile.pem
+distinguished_name = req_distinguished_name
+attributes = req_attributes
+prompt = no
+output_password = $ENV::PASSWORD
+ca_cert = CA_cert
+
+[ req_distinguished_name ]
+countryName = UG
+
+#stateOrProvinceName = South area
+
+localityName = Tropic
+
+organizationName = Utopia
+
+organizationalUnitName = Relaxation
+
+commonName = $ENV::CN
+
+#emailAddress = Email Address
+
+[ req_attributes ]
+#challengePassword = $ENV::PASSWORD
+
+[ CA_cert]
+basicConstraints = CA:true
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid:always,issuer:always
diff --git a/config/req_proxy_conf.cnf b/config/req_proxy_conf.cnf
new file mode 100644
index 0000000..54d9e4d
--- /dev/null
+++ b/config/req_proxy_conf.cnf
@@ -0,0 +1,33 @@
+[ req ]
+default_bits = 1024
+default_keyfile = keyfile.pem
+distinguished_name = req_distinguished_name
+attributes = req_attributes
+prompt = no
+output_password = $ENV::PASSWORD
+ca_cert = CA_cert
+
+[ req_distinguished_name ]
+countryName = UG
+
+#stateOrProvinceName = South area
+
+localityName = Tropic
+
+organizationName = Utopia
+
+organizationalUnitName = Relaxation
+
+0.commonName = $ENV::CN
+
+1.commonName = $ENV::PROXYNAME
+
+#emailAddress = Email Address
+
+[ req_attributes ]
+#challengePassword = $ENV::PASSWORD
+
+[ CA_cert]
+basicConstraints = CA:true
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid:always,issuer:always
diff --git a/config/req_proxy_proxy_conf.cnf b/config/req_proxy_proxy_conf.cnf
new file mode 100644
index 0000000..5f2fe0a
--- /dev/null
+++ b/config/req_proxy_proxy_conf.cnf
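Review bot: `ca_cert = CA_cert` in the [ req ] section is not a key `openssl req` reads as far as I know, the extension section for a `-x509` self-signed request is selected by `x509_extensions`, so the `[ CA_cert]` section with `basicConstraints = CA:true` is never applied and the CA certificates that bin/generate-test-certificates.sh builds with this file get none of those extensions, which strict verifiers reject as an issuer; `x509_extensions = CA_cert`. The same key appears in config/req_proxy_conf.cnf (same physical hunk) and config/req_proxy_proxy_conf.cnf; there the section is equally dead, and if it is ever wired up a proxy request must not declare `CA:true`, so those two files should say `basicConstraints = CA:false` or drop the section rather than copy the CA version. `$ENV::BITS`, `$ENV::CN` and the `$ENV::PROXYNAME` / `$ENV::PROXYPROXYNAME` used by the proxy variants all abort openssl when the variable is not exported; the script exports BITS and CN but nothing in this patch sets the proxy names, so a comment at the top of each file listing the required environment variables would help the next caller. `default_bits = 1024` in the proxy files is below what current OpenSSL accepts at its default security level; 2048 is the safer floor.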
@@ -0,0 +1,35 @@
+[ req ]
+default_bits = 1024
+default_keyfile = keyfile.pem
+distinguished_name = req_distinguished_name
+attributes = req_attributes
+prompt = no
+output_password = $ENV::PASSWORD
+ca_cert = CA_cert
+
+[ req_distinguished_name ]
+countryName = UG
+
+#stateOrProvinceName = South area
+
+localityName = Tropic
+
+organizationName = Utopia
+
+organizationalUnitName = Relaxation
+
+0.commonName = $ENV::CN
+
+1.commonName = $ENV::PROXYNAME
+
+2.commonName = $ENV::PROXYPROXYNAME
+
+#emailAddress = Email Address
+
+[ req_attributes ]
+#challengePassword = $ENV::PASSWORD
+
+[ CA_cert]
+basicConstraints = CA:true
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid:always,issuer:always
diff --git a/config/serial.txt b/config/serial.txt
new file mode 100644
index 0000000..3dcc795
--- /dev/null
+++ b/config/serial.txt
@@ -0,0 +1 @@
+0176
diff --git a/doc/README b/doc/README
new file mode 100644
index 0000000..9bb59c1
--- /dev/null
+++ b/doc/README
@@ -0,0 +1,116 @@
+Untrusted Test Certificates
+===========================
+
+This module will create a hierarchy under /share/test/certificates
+path containing CA, user and host certificates.
+
+It will also set up structures for testing host and user configurations
+inside this base directory:
+ home/.globus/
+ usercert.pem
+ userkey.pem
+ tmp/
+ x509_
+ etc/grid-security/
+ hostcert.pem
+ hostkey.pem
+ certificates/
+ .0
+ .0
+ .0
+ # but not ca-fake.0 !
+
+For the 'stage' target is /stage, thus depending
+modules can pick it up during their build process. The certificates
+will be valid for 10 days.
+
+The module also has a 'dist' target, which will produce a binary
+distribution containing a set of certificates and keys valid for
+10 years after the build time.
+
+CA Certificates
+---------------
+ ca-real: a working CA
+ ca-expired: the CA certificate has an expiration day in the past
+ ca-big: the CA certificate has a long key (4096 bits)
+ ca-fake: the CA certificate is not installed anywhere, thus every
+ certificate depending on this would be fake
+
+ Host and user certificates are placed under the coresponding CA's
+ base directory in the 'certs' subdirectory.
+
+Host Certificates
+-----------------
+ For each CA there would be a similar set of host certificate generated.
+
+User Certificates
+-----------------
+ For each CA there would be a similar set of user certificates generated.
+
+Lifetime
+--------
+ The default lifetime of these certificates is 30 days from the generation
+ date. This should be sufficient for any testing purposes, since everything
+ can be easily regenerated running a simple script.
+
+VOMS credentials
+----------------
+ VOMS credentials are not included in this testing framework (yet).
+
+Example Layout
+--------------
+
+share/
+`-- test
+ `-- certificates
+ |-- ca-big
+ | |-- cacert.pem
+ | |-- certs
+ | |-- crls
+ | |-- index.txt
+ | |-- newcerts
+ | |-- private
+ | | `-- cakey.pem
+ | `-- serial
+ |-- ca-expired
+ | |-- cacert.pem
+ | |-- certs
+ | |-- crls
+ | |-- index.txt
+ | |-- newcerts
+ | |-- private
+ | | `-- cakey.pem
+ | `-- serial
+ |-- ca-fake
+ | |-- cacert.pem
+ | |-- certs
+ | |-- crls
+ | |-- index.txt
+ | |-- newcerts
+ | |-- private
+ | | `-- cakey.pem
+ | `-- serial
+ |-- ca-real
+ | |-- cacert.pem
+ | |-- certs
+ | |-- crls
+ | |-- index.txt
+ | |-- newcerts
+ | |-- private
+ | | `-- cakey.pem
+ | `-- serial
+ |-- etc
+ | `-- grid-security
+ | |-- certificates
+ | | |-- ca-big.pem
+ | | |-- ca-expired.pem
+ | | |-- ca-fake.pem
+ | | `-- ca-real.pem
+ | |-- hostcert.pem
+ | `-- hostkey.pem
+ |-- home
+ | `-- .globus
+ | |-- usercert.pem
+ | `-- userkey.pem
+ `-- tmp
+ `-- x509_1000
-- 
1.8.2.3