From 8959f2a060d50516711d2c9677ec83f297f44f35 Mon Sep 17 00:00:00 2001 From: =?utf8?q?Felix=20D=C3=B6rre?= Date: Tue, 5 Aug 2014 02:18:59 +0200 Subject: [PATCH] [Keys] a certificate structure that looks like the planned future. Therefore updated: - signer to take same default ca - trustore generation - privateKeys pkcs12 generatien. (for including the cert chain) ... --- keys/.gitignore | 8 +- keys/generateKeys.sh | 122 ++++++++++++++++---- keys/generateTruststore.sh | 13 ++- keys/selfsign.config | 11 +- util/org/cacert/gigi/util/SimpleSigner.java | 34 +++--- 5 files changed, 142 insertions(+), 46 deletions(-) diff --git a/keys/.gitignore b/keys/.gitignore index 9fe39e3e..9d5b0c26 100644 --- a/keys/.gitignore +++ b/keys/.gitignore @@ -1,9 +1,13 @@ +#generated keys *.crt *.csr *.key *.pkcs12 -testca +*.ca +*.crl csr crt -testca.crl + +# user specific generation config config + diff --git a/keys/generateKeys.sh b/keys/generateKeys.sh index f0c26492..e316cb60 100755 --- a/keys/generateKeys.sh +++ b/keys/generateKeys.sh 
@@ -2,36 +2,118 @@ # this script generates a set of sample keys DOMAIN="cacert.local" KEYSIZE=4096 +PRIVATEPW="changeit" + [ -f config ] && . config -rm -Rf *.csr *.crt *.key *.pkcs12 testca +rm -Rf *.csr *.crt *.key *.pkcs12 *.ca *.crl + + +####### create various extensions files for the various certificate types ###### +cat < test_ca.cnf +subjectKeyIdentifier = hash +#extendedKeyUsage = critical +basicConstraints = CA:true +keyUsage = digitalSignature, nonRepudiation, keyCertSign, cRLSign +TESTCA + +cat < test_subca.cnf +subjectKeyIdentifier = hash +#extendedKeyUsage = critical, +basicConstraints = CA:true +keyUsage = digitalSignature, nonRepudiation, keyCertSign, cRLSign +TESTCA -openssl genrsa -out testca.key ${KEYSIZE} -openssl req -new -key testca.key -out testca.csr -subj "/CN=local cacert-gigi testCA" -config selfsign.config -openssl x509 -req -days 365 -in testca.csr -signkey testca.key -out testca.crt +cat < test_req.cnf +basicConstraints = critical,CA:false +keyUsage = keyEncipherment, digitalSignature +extendedKeyUsage=serverAuth +subjectKeyIdentifier = hash +authorityKeyIdentifier = keyid:always,issuer:always +#crlDistributionPoints=URI:http://www.my.host/ca.crl +#authorityInfoAccess = OCSP;URI:http://ocsp.my.host/ +TESTCA -mkdir testca -mkdir testca/newcerts -echo 01 > testca/serial -touch testca/db -echo unique_subject = no >testca/db.attr +cat < test_reqMail.cnf +basicConstraints = critical,CA:false +keyUsage = keyEncipherment, digitalSignature +extendedKeyUsage=emailProtection +subjectKeyIdentifier = hash +authorityKeyIdentifier = keyid:always,issuer:always +#crlDistributionPoints=URI:http://www.my.host/ca.crl +#authorityInfoAccess = OCSP;URI:http://ocsp.my.host/ +TESTCA -genserver(){ -openssl genrsa -out $1.key ${KEYSIZE} -openssl req -new -key $1.key -out $1.csr -subj "/CN=$1.${DOMAIN}" -config selfsign.config -openssl ca -cert testca.crt -keyfile testca.key -in $1.csr -out $1.crt -days 356 -batch -config selfsign.config +function genca(){ #subj, 
internalName -openssl pkcs12 -inkey $1.key -in $1.crt -name $1 -export -passout pass:changeit -out $1.pkcs12 + openssl genrsa -out $2.key ${KEYSIZE} + openssl req -new -key $2.key -out $2.csr -subj "$1/O=Test Environment CA Ltd./OU=Test Environment CAs" + + mkdir $2.ca + mkdir $2.ca/newcerts + echo 01 > $2.ca/serial + touch $2.ca/db + echo unique_subject = no >$2.ca/db.attr + +} + +function caSign(){ # key,ca,config + pushd $2.ca + openssl ca -cert ../$2.crt -keyfile ../$2.key -in ../$1.csr -out ../$1.crt -days 365 -batch -config ../selfsign.config -extfile ../$3 + popd +} -keytool -importkeystore -noprompt -srckeystore $1.pkcs12 -destkeystore ../config/keystore.pkcs12 -srcstoretype pkcs12 -deststoretype pkcs12 -srcstorepass "changeit" -deststorepass "changeit" +function rootSign(){ # key + caSign $1 root test_subca.cnf +} +function genserver(){ #key, subject, config + openssl genrsa -out $1.key ${KEYSIZE} + openssl req -new -key $1.key -out $1.csr -subj "$2" -config selfsign.config + caSign $1 env "$3" + + openssl pkcs12 -inkey $1.key -in $1.crt -CAfile env.chain.crt -chain -name $1 -export -passout pass:changeit -out $1.pkcs12 + + keytool -importkeystore -noprompt -srckeystore $1.pkcs12 -destkeystore ../config/keystore.pkcs12 -srcstoretype pkcs12 -deststoretype pkcs12 -srcstorepass "changeit" -deststorepass "$PRIVATEPW" } -genserver www -genserver secure -genserver static -genserver api -keytool -list -keystore ../config/keystore.pkcs12 -storetype pkcs12 -storepass "changeit" +# Generate the super Root CA +genca "/CN=Cacert-gigi testCA" root +openssl x509 -req -days 365 -in root.csr -signkey root.key -out root.crt -extfile test_ca.cnf + +# generate the various sub-CAs +genca "/CN=Environment" env +rootSign env +genca "/CN=Unassured" unassured +rootSign unassured +genca "/CN=Assured" assured +rootSign assured +genca "/CN=Codesigning" codesign +rootSign codesign +genca "/CN=Timestamping" timestamp +rootSign timestamp +genca "/CN=Orga" orga +rootSign orga +genca 
"/CN=Orga sign" orgaSign +rootSign orgaSign + + +cat env.crt root.crt > env.chain.crt + +# generate orga-keys specific to gigi. +# first the server keys +genserver www "/CN=www.${DOMAIN}" test_req.cnf +genserver secure "/CN=secure.${DOMAIN}" test_req.cnf +genserver static "/CN=static.${DOMAIN}" test_req.cnf +genserver api "/CN=api.${DOMAIN}" test_req.cnf + +# then the email signing key +genserver mail "/emailAddress=support@${DOMAIN}" test_reqMail.cnf + +keytool -list -keystore ../config/keystore.pkcs12 -storetype pkcs12 -storepass "$PRIVATEPW" + +rm test_ca.cnf test_subca.cnf test_req.cnf test_reqMail.cnf +rm env.chain.crt diff --git a/keys/generateTruststore.sh b/keys/generateTruststore.sh index a51481de..0c5aedc2 100755 --- a/keys/generateTruststore.sh +++ b/keys/generateTruststore.sh @@ -1,11 +1,20 @@ -#!/bin/sh +#!/bin/bash # this script imports the cacert root certs +rm -f ../config/cacerts.jks + #wget -N http://www.cacert.org/certs/root.crt #wget -N http://www.cacert.org/certs/class3.crt #keytool -importcert -keystore ../config/cacerts.jks -file root.crt -alias root -storepass "changeit" $1 #keytool -importcert -keystore ../config/cacerts.jks -file class3.crt -alias class3 -storepass "changeit" $1 -keytool -importcert -keystore ../config/cacerts.jks -file testca.crt -alias own -storepass "changeit" $1 + +function import(){ + keytool -importcert -keystore ../config/cacerts.jks -file "$1.crt" -alias own -storepass "changeit" -alias "$1" $2 +} + +import root -noprompt +import assured +import unassured keytool -list -keystore ../config/cacerts.jks -storepass "changeit" diff --git a/keys/selfsign.config b/keys/selfsign.config index 1b98363a..2e3ea576 100644 --- a/keys/selfsign.config +++ b/keys/selfsign.config @@ -3,8 +3,6 @@ distinguished_name=dn #req_extensions=ext [dn] -commonName = cn - [ext] subjectAltName= 
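Review bot: The sub-CA extension block written to `test_subca.cnf` sets `basicConstraints = CA:true` without `critical` and without a `pathlen`, so every intermediate signed through `rootSign` (env, unassured, assured, codesign, timestamp, orga, orgaSign) is itself permitted to issue further CAs; `basicConstraints = critical, CA:true, pathlen:0` would pin the two-level structure the commit message describes (the heredoc redirections look mangled in this rendering, so confirm against the file). A second, smaller point: `caSign` runs `openssl ca` inside `pushd $2.ca`/`popd` but nothing checks its exit status, so a failed signing leaves no `$1.crt` and the later `openssl pkcs12 ... -chain` and `keytool -importkeystore` steps run against missing input; unless the script's first line, which is outside the hunk, already sets `-e`, an `openssl ca ... || { popd; return 1; }` in `caSign` would stop the run at the first failure.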
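Review bot: `import()` passes `-alias own` and then `-alias "$1"` to keytool in the same call; the first is a leftover from the removed single-cert line and should be dropped so the alias is unambiguous: `keytool -importcert -keystore ../config/cacerts.jks -file "$1.crt" -alias "$1" -storepass "changeit" $2`. Only `import root` carries `-noprompt`; the `assured` and `unassured` imports presumably rely on keytool accepting them silently because the root is already in the store, which deserves a comment such as `# root is self-signed and needs -noprompt; the sub-CAs chain to it`.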
@@ -12,9 +10,9 @@ subjectAltName= default_ca=ca1 [ca1] -new_certs_dir=testca/newcerts -database=testca/db -serial=testca/serial +new_certs_dir=newcerts +database=db +serial=serial default_md=sha256 email_in_dn=salat policy=ca1_pol @@ -33,3 +31,6 @@ extendedKeyUsage = clientAuth, serverAuth, nsSGC, msSGC [ca1_pol] commonName = optional subjectAltName = optional +organizationName = optional +organizationalUnitName = optional +emailAddress = optional \ No newline at end of file diff --git a/util/org/cacert/gigi/util/SimpleSigner.java b/util/org/cacert/gigi/util/SimpleSigner.java index 5144e572..9752dbf3 100644 --- a/util/org/cacert/gigi/util/SimpleSigner.java +++ b/util/org/cacert/gigi/util/SimpleSigner.java @@ -123,17 +123,17 @@ public class SimpleSigner { String[] call = new String[] { "openssl", "ca",// "-cert", - "testca.crt",// + "../unassured.crt",// "-keyfile", - "testca.key",// + "../unassured.key",// "-revoke", - "../" + crt.getPath(),// + "../../" + crt.getPath(),// "-batch",// "-config", - "selfsign.config" + "../selfsign.config" }; - Process p1 = Runtime.getRuntime().exec(call, null, new File("keys")); + Process p1 = Runtime.getRuntime().exec(call, null, new File("keys/unassured.ca")); System.out.println("revoking: " + crt.getPath()); if (p1.waitFor() == 0) { worked = true; @@ -154,19 +154,19 @@ public class SimpleSigner { String[] call = new String[] { "openssl", "ca",// "-cert", - "testca.crt",// + "../unassured.crt",// "-keyfile", - "testca.key",// + "../unassured.key",// "-gencrl",// "-crlhours",// "12",// "-out", - "testca.crl",// + "../unassured.crl",// "-config", - "selfsign.config" + "../selfsign.config" }; - Process p1 = Runtime.getRuntime().exec(call, null, new File("keys")); + Process p1 = Runtime.getRuntime().exec(call, null, new File("keys/unassured.ca")); if (p1.waitFor() != 0) { System.out.println("Error while generating crl."); } 
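Review bot: The issuing CA name is now hard-coded as three separate literals per call site (`"../unassured.crt"`, `"../unassured.key"`, `new File("keys/unassured.ca")`), and the same literals recur in the `-gencrl` hunk and in the signing hunk at line 211; a single `private static final String CA = "unassured";` with the paths derived from it (`"../" + CA + ".crt"`, `new File("keys/" + CA + ".ca")`) would keep the three openssl invocations in step when the signer is later pointed at another sub-CA from the new hierarchy. All of these paths remain relative to the JVM's working directory, as the code already assumed before this change. Note also that the CRL now lands at `keys/unassured.crl` rather than `keys/testca.crl`; anything that served or referenced the old file name has to follow, which the hunk does not show.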
@@ -211,31 +211,31 @@ public class SimpleSigner { String[] call = new String[] { "openssl", "ca",// "-in", - "../" + csrname,// + "../../" + csrname,// "-cert", - "testca.crt",// + "../unassured.crt",// "-keyfile", - "testca.key",// + "../unassured.key",// "-out", - "../" + crt.getPath(),// + "../../" + crt.getPath(),// "-days", "356",// "-batch",// "-md", rs.getString("md"),// "-extfile", - f.getName(),// + "../" + f.getName(),// "-subj", rs.getString("subject"),// "-config", - "selfsign.config"// + "../selfsign.config"// }; if (ct == CSRType.SPKAC) { call[2] = "-spkac"; } - Process p1 = Runtime.getRuntime().exec(call, null, new File("keys")); + Process p1 = Runtime.getRuntime().exec(call, null, new File("keys/unassured.ca")); int waitFor = p1.waitFor(); f.delete(); -- 2.39.2
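Review bot: `"../" + f.getName()` strips whatever directory `f` was created in and assumes the extension file sits directly in `keys/`, one level above the new `keys/unassured.ca` working directory; `f` is created outside this hunk, so either confirm that and add `// extfile is written to keys/, one level above the CA working dir`, or pass `f.getAbsolutePath()` and drop the assumption. The enclosing method starts before and continues after the hunk. While touching this argument list, `"-days", "356"` looks like a typo for 365 — it predates this change, but it is worth fixing in the same pass.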