[Keys] a certificate structure that looks like the planned future.

Therefore updated:
- signer to take same default ca
- trustore generation
- privateKeys pkcs12 generatien. (for including the cert chain)
...

diff --git a/keys/.gitignore b/keys/.gitignore
index 9fe39e3e7a858d3d62aaedd2d6d4ac9d695cba2d..9d5b0c261b0dd0f55976ea3dda4e732ef5ecd6e7 100644 (file)
--- a/keys/.gitignore
+++ b/keys/.gitignore
@@ -1,9 +1,13 @@
+#generated keys

 *.crt
 *.csr
 *.key
 *.pkcs12
 *.crt
 *.csr
 *.key
 *.pkcs12

-testca
+*.ca
+*.crl

 csr
 crt
 csr
 crt

-testca.crl
+
+# user specific generation config

 config
 config

+

diff --git a/keys/generateKeys.sh b/keys/generateKeys.sh
index f0c2649220048f0efa8cf0f712bf1ef890d7c256..e316cb6087f98a792a7d84417e96fa3c590da03c 100755 (executable)
--- a/keys/generateKeys.sh
+++ b/keys/generateKeys.sh
@@ -2,36 +2,118 @@
 # this script generates a set of sample keys
 DOMAIN="cacert.local"
 KEYSIZE=4096
 # this script generates a set of sample keys
 DOMAIN="cacert.local"
 KEYSIZE=4096

+PRIVATEPW="changeit"
+

 [ -f config ] && . config
 
 
 [ -f config ] && . config
 
 

-rm -Rf *.csr *.crt *.key *.pkcs12 testca
+rm -Rf *.csr *.crt *.key *.pkcs12 *.ca *.crl
+
+
+####### create various extensions files for the various certificate types ######
+cat <<TESTCA > test_ca.cnf
+subjectKeyIdentifier = hash
+#extendedKeyUsage = critical
+basicConstraints = CA:true
+keyUsage = digitalSignature, nonRepudiation, keyCertSign, cRLSign
+TESTCA
+
+cat <<TESTCA > test_subca.cnf
+subjectKeyIdentifier = hash
+#extendedKeyUsage = critical,
+basicConstraints = CA:true
+keyUsage = digitalSignature, nonRepudiation, keyCertSign, cRLSign
+TESTCA

 
 

-openssl genrsa -out testca.key ${KEYSIZE}
-openssl req -new -key testca.key -out testca.csr -subj "/CN=local cacert-gigi testCA" -config selfsign.config
-openssl x509 -req -days 365 -in testca.csr -signkey testca.key -out testca.crt
+cat <<TESTCA > test_req.cnf
+basicConstraints = critical,CA:false
+keyUsage = keyEncipherment, digitalSignature
+extendedKeyUsage=serverAuth
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer:always
+#crlDistributionPoints=URI:http://www.my.host/ca.crl
+#authorityInfoAccess = OCSP;URI:http://ocsp.my.host/
+TESTCA

 
 

-mkdir testca
-mkdir testca/newcerts
-echo 01 > testca/serial
-touch testca/db
-echo unique_subject = no >testca/db.attr
+cat <<TESTCA > test_reqMail.cnf
+basicConstraints = critical,CA:false
+keyUsage = keyEncipherment, digitalSignature
+extendedKeyUsage=emailProtection
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer:always
+#crlDistributionPoints=URI:http://www.my.host/ca.crl
+#authorityInfoAccess = OCSP;URI:http://ocsp.my.host/
+TESTCA

 
 

-genserver(){

 
 

-openssl genrsa -out $1.key ${KEYSIZE}
-openssl req -new -key $1.key -out $1.csr -subj "/CN=$1.${DOMAIN}" -config selfsign.config
-openssl ca -cert testca.crt -keyfile testca.key -in $1.csr -out $1.crt -days 356 -batch -config selfsign.config
+function genca(){ #subj, internalName

 
 

-openssl pkcs12 -inkey $1.key -in $1.crt -name $1 -export -passout pass:changeit -out $1.pkcs12
+    openssl genrsa -out $2.key ${KEYSIZE}
+    openssl req -new -key $2.key -out $2.csr -subj "$1/O=Test Environment CA Ltd./OU=Test Environment CAs"
+    
+    mkdir $2.ca
+    mkdir $2.ca/newcerts
+    echo 01 > $2.ca/serial
+    touch $2.ca/db
+    echo unique_subject = no >$2.ca/db.attr
+
+}
+
+function caSign(){ # key,ca,config
+    pushd $2.ca
+    openssl ca -cert ../$2.crt -keyfile ../$2.key -in ../$1.csr -out ../$1.crt -days 365 -batch -config ../selfsign.config -extfile ../$3
+    popd
+}

 
 

-keytool -importkeystore -noprompt -srckeystore $1.pkcs12 -destkeystore         ../config/keystore.pkcs12 -srcstoretype pkcs12 -deststoretype pkcs12 -srcstorepass "changeit" -deststorepass "changeit"
+function rootSign(){ # key
+    caSign $1 root test_subca.cnf
+}

 
 

+function genserver(){ #key, subject, config
+    openssl genrsa -out $1.key ${KEYSIZE}
+    openssl req -new -key $1.key -out $1.csr -subj "$2" -config selfsign.config
+    caSign $1 env "$3"
+    
+    openssl pkcs12 -inkey $1.key -in $1.crt -CAfile env.chain.crt -chain -name $1 -export -passout pass:changeit -out $1.pkcs12
+    
+    keytool -importkeystore -noprompt -srckeystore $1.pkcs12 -destkeystore ../config/keystore.pkcs12 -srcstoretype pkcs12 -deststoretype pkcs12 -srcstorepass "changeit" -deststorepass "$PRIVATEPW"

 }
 
 }
 

-genserver www
-genserver secure
-genserver static
-genserver api

 
 

-keytool -list -keystore ../config/keystore.pkcs12 -storetype pkcs12 -storepass "changeit"
+# Generate the super Root CA
+genca "/CN=Cacert-gigi testCA" root
+openssl x509 -req -days 365 -in root.csr -signkey root.key -out root.crt -extfile test_ca.cnf
+
+# generate the various sub-CAs
+genca "/CN=Environment" env
+rootSign env
+genca "/CN=Unassured" unassured
+rootSign unassured
+genca "/CN=Assured" assured
+rootSign assured
+genca "/CN=Codesigning" codesign
+rootSign codesign
+genca "/CN=Timestamping" timestamp
+rootSign timestamp
+genca "/CN=Orga" orga
+rootSign orga
+genca "/CN=Orga sign" orgaSign
+rootSign orgaSign
+
+
+cat env.crt root.crt > env.chain.crt
+
+# generate orga-keys specific to gigi.
+# first the server keys
+genserver www "/CN=www.${DOMAIN}" test_req.cnf
+genserver secure "/CN=secure.${DOMAIN}" test_req.cnf
+genserver static "/CN=static.${DOMAIN}" test_req.cnf
+genserver api "/CN=api.${DOMAIN}" test_req.cnf
+
+# then the email signing key
+genserver mail "/emailAddress=support@${DOMAIN}" test_reqMail.cnf
+
+keytool -list -keystore ../config/keystore.pkcs12 -storetype pkcs12 -storepass "$PRIVATEPW"
+
+rm test_ca.cnf test_subca.cnf test_req.cnf test_reqMail.cnf
+rm env.chain.crt

diff --git a/keys/generateTruststore.sh b/keys/generateTruststore.sh
index a51481de3d8130058bbff0fef857ad947a5e6e67..0c5aedc2c2d575b8b5e2b501ffb6a928200dcbb0 100755 (executable)
--- a/keys/generateTruststore.sh
+++ b/keys/generateTruststore.sh
@@ -1,11 +1,20 @@
-#!/bin/sh
+#!/bin/bash

 # this script imports the cacert root certs
 
 # this script imports the cacert root certs
 

+rm -f ../config/cacerts.jks
+

 #wget -N http://www.cacert.org/certs/root.crt
 #wget -N http://www.cacert.org/certs/class3.crt
 
 #keytool -importcert -keystore ../config/cacerts.jks -file root.crt -alias root -storepass "changeit" $1
 #keytool -importcert -keystore ../config/cacerts.jks -file class3.crt -alias class3 -storepass "changeit" $1
 #wget -N http://www.cacert.org/certs/root.crt
 #wget -N http://www.cacert.org/certs/class3.crt
 
 #keytool -importcert -keystore ../config/cacerts.jks -file root.crt -alias root -storepass "changeit" $1
 #keytool -importcert -keystore ../config/cacerts.jks -file class3.crt -alias class3 -storepass "changeit" $1

-keytool -importcert -keystore ../config/cacerts.jks -file testca.crt -alias own -storepass "changeit" $1
+
+function import(){
+  keytool -importcert -keystore ../config/cacerts.jks -file "$1.crt" -alias own -storepass "changeit" -alias "$1" $2
+}
+
+import root -noprompt
+import assured
+import unassured

 
 keytool -list -keystore ../config/cacerts.jks -storepass "changeit"
 
 keytool -list -keystore ../config/cacerts.jks -storepass "changeit"

diff --git a/keys/selfsign.config b/keys/selfsign.config
index 1b98363a30c5f2c644c81c8dffb0e6f918abe3cf..2e3ea576c5008bf0dc038babd9e4cd601a9d2cab 100644 (file)
--- a/keys/selfsign.config
+++ b/keys/selfsign.config
@@ -3,8 +3,6 @@ distinguished_name=dn
 #req_extensions=ext
 
 [dn]
 #req_extensions=ext
 
 [dn]

-commonName = cn
-

 [ext]
 subjectAltName=
 
 [ext]
 subjectAltName=
 


@@ -12,9 +10,9 @@ subjectAltName=
 default_ca=ca1
 
 [ca1]
 default_ca=ca1
 
 [ca1]

-new_certs_dir=testca/newcerts
-database=testca/db
-serial=testca/serial
+new_certs_dir=newcerts
+database=db
+serial=serial

 default_md=sha256
 email_in_dn=salat
 policy=ca1_pol
 default_md=sha256
 email_in_dn=salat
 policy=ca1_pol


@@ -33,3 +31,6 @@ extendedKeyUsage        = clientAuth, serverAuth, nsSGC, msSGC
 [ca1_pol]
 commonName              = optional
 subjectAltName          = optional
 [ca1_pol]
 commonName              = optional
 subjectAltName          = optional

+organizationName       = optional
+organizationalUnitName = optional
+emailAddress           = optional
\ No newline at end of file

diff --git a/util/org/cacert/gigi/util/SimpleSigner.java b/util/org/cacert/gigi/util/SimpleSigner.java
index 5144e5724db7f09635b3b21aa7c9d81e7adc8ef5..9752dbf3d1c137271ac47cfb97fd865335e6e3ab 100644 (file)
--- a/util/org/cacert/gigi/util/SimpleSigner.java
+++ b/util/org/cacert/gigi/util/SimpleSigner.java
@@ -123,17 +123,17 @@ public class SimpleSigner {
             String[] call = new String[] {
                     "openssl", "ca",//
                     "-cert",
             String[] call = new String[] {
                     "openssl", "ca",//
                     "-cert",

-                    "testca.crt",//
+                    "../unassured.crt",//

                     "-keyfile",
                     "-keyfile",

-                    "testca.key",//
+                    "../unassured.key",//

                     "-revoke",
                     "-revoke",

-                    "../" + crt.getPath(),//
+                    "../../" + crt.getPath(),//

                     "-batch",//
                     "-config",
                     "-batch",//
                     "-config",

-                    "selfsign.config"
+                    "../selfsign.config"

 
             };
 
             };

-            Process p1 = Runtime.getRuntime().exec(call, null, new File("keys"));
+            Process p1 = Runtime.getRuntime().exec(call, null, new File("keys/unassured.ca"));

             System.out.println("revoking: " + crt.getPath());
             if (p1.waitFor() == 0) {
                 worked = true;
             System.out.println("revoking: " + crt.getPath());
             if (p1.waitFor() == 0) {
                 worked = true;


@@ -154,19 +154,19 @@ public class SimpleSigner {
         String[] call = new String[] {
                 "openssl", "ca",//
                 "-cert",
         String[] call = new String[] {
                 "openssl", "ca",//
                 "-cert",

-                "testca.crt",//
+                "../unassured.crt",//

                 "-keyfile",
                 "-keyfile",

-                "testca.key",//
+                "../unassured.key",//

                 "-gencrl",//
                 "-crlhours",//
                 "12",//
                 "-out",
                 "-gencrl",//
                 "-crlhours",//
                 "12",//
                 "-out",

-                "testca.crl",//
+                "../unassured.crl",//

                 "-config",
                 "-config",

-                "selfsign.config"
+                "../selfsign.config"

 
         };
 
         };

-        Process p1 = Runtime.getRuntime().exec(call, null, new File("keys"));
+        Process p1 = Runtime.getRuntime().exec(call, null, new File("keys/unassured.ca"));

         if (p1.waitFor() != 0) {
             System.out.println("Error while generating crl.");
         }
         if (p1.waitFor() != 0) {
             System.out.println("Error while generating crl.");
         }


@@ -211,31 +211,31 @@ public class SimpleSigner {
             String[] call = new String[] {
                     "openssl", "ca",//
                     "-in",
             String[] call = new String[] {
                     "openssl", "ca",//
                     "-in",

-                    "../" + csrname,//
+                    "../../" + csrname,//

                     "-cert",
                     "-cert",

-                    "testca.crt",//
+                    "../unassured.crt",//

                     "-keyfile",
                     "-keyfile",

-                    "testca.key",//
+                    "../unassured.key",//

                     "-out",
                     "-out",

-                    "../" + crt.getPath(),//
+                    "../../" + crt.getPath(),//

                     "-days",
                     "356",//
                     "-batch",//
                     "-md",
                     rs.getString("md"),//
                     "-extfile",
                     "-days",
                     "356",//
                     "-batch",//
                     "-md",
                     rs.getString("md"),//
                     "-extfile",

-                    f.getName(),//
+                    "../" + f.getName(),//

 
                     "-subj",
                     rs.getString("subject"),//
                     "-config",
 
                     "-subj",
                     rs.getString("subject"),//
                     "-config",

-                    "selfsign.config"//
+                    "../selfsign.config"//

 
             };
             if (ct == CSRType.SPKAC) {
                 call[2] = "-spkac";
             }
 
             };
             if (ct == CSRType.SPKAC) {
                 call[2] = "-spkac";
             }

-            Process p1 = Runtime.getRuntime().exec(call, null, new File("keys"));
+            Process p1 = Runtime.getRuntime().exec(call, null, new File("keys/unassured.ca"));

 
             int waitFor = p1.waitFor();
             f.delete();
 
             int waitFor = p1.waitFor();
             f.delete();