--- /dev/null
+name="Assured"
--- /dev/null
+name="Codesigning"
--- /dev/null
+name="Environment"
--- /dev/null
+name="Orga"
--- /dev/null
+name="Orga sign"
--- /dev/null
+name="Unassured"
--- /dev/null
+#!/bin/sh
+
+. ./clear.sh
+
+echo "========== Generating Root ======="
+. ./generateKeys.sh
+echo "========== Generating Year 2015 ======="
+. ./generateTime.sh 2015
+echo "========== Generating Infra for Year 2015 ======="
+. ./generateInfra.sh 2015
+echo "========== Verifying Year 2015 ======="
+. ./verify.sh 2015
--- /dev/null
+#!/bin/sh
+
+rm -Rf *.csr *.crt *.key *.pkcs12 *.ca *.crl 2015
--- /dev/null
+. structure
+
+genKey(){ #subj, internalName
+ openssl genrsa -out $2.key ${KEYSIZE}
+ openssl req -new -key $2.key -out $2.csr -subj "$1/O=Test Environment CA Ltd./OU=Test Environment CAs"
+
+}
+
+genca(){ #subj, internalName
+ mkdir $2.ca
+
+ genKey "$1" "$2.ca/key"
+
+ mkdir $2.ca/newcerts
+ echo 01 > $2.ca/serial
+ touch $2.ca/db
+ echo unique_subject = no >$2.ca/db.attr
+
+}
+
+caSign(){ # csr,ca,config,start,end
+ start="$4"
+ end="$5"
+ [ "$start" != "" ] && start="-startdate $start"
+ [ "$end" != "" ] && end="-enddate $end"
+ [ "$start" == "" -a "$end" == "" ] && start="-days 366"
+ BASE="$PWD"
+ echo "Signing: $1 with $2"
+ echo "$start $end"
+ pushd $2.ca > /dev/null
+ openssl ca -cert key.crt -keyfile key.key -in "$BASE/$1.csr" -out "$BASE/$1.crt" -batch -config "$BASE/selfsign.config" -extfile "$BASE/$3" $start $end
+ popd > /dev/null
+ echo "Signed"
+}
+
--- /dev/null
+#!/bin/sh
+#
+set -e
+
+[ "$1" == "" ] && echo "Usage: $0 <year>" && exit 1
+year=$1
+
+. structure
+. commonFunctions
+
+CRL="
+crlDistributionPoints=URI:http://g2.crl.cacert.org/g2/$year/env.crl
+authorityInfoAccess = OCSP;URI:http://g2.ocsp.cacert.org,caIssuers;URI:http://g2.crt.cacert.org/$year/env.crt"
+
+cat <<TESTCA > req.cnf
+basicConstraints = critical,CA:false
+keyUsage = keyEncipherment, digitalSignature
+extendedKeyUsage=serverAuth
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer:always
+$CRL
+TESTCA
+
+cat <<TESTCA > reqClient.cnf
+basicConstraints = critical,CA:false
+keyUsage = keyEncipherment, digitalSignature
+extendedKeyUsage=clientAuth
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer:always
+$CRL
+TESTCA
+
+cat <<TESTCA > reqMail.cnf
+basicConstraints = critical,CA:false
+keyUsage = keyEncipherment, digitalSignature
+extendedKeyUsage=emailProtection
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer:always
+$CRL
+TESTCA
+
+genserver(){ #key, subject, config
+ openssl genrsa -out $1.key ${KEYSIZE}
+ openssl req -new -key $1.key -out $1.csr -subj "$2"
+ caSign $1 $year/ca/env_${year}_1 "$3"
+
+ openssl pkcs12 -inkey $1.key -in $1.crt -CAfile env.chain.crt -chain -name $1 -export -passout pass:changeit -out $1.pkcs12
+
+}
+
+mkdir -p $year/keys
+
+cat $year/ca/env_${year}_1.ca/key.crt env.ca/key.crt root.ca/key.crt > env.chain.crt
+
+# generate environment-keys specific to gigi.
+# first the server keys
+genserver $year/keys/www "/CN=www.${DOMAIN}" req.cnf
+genserver $year/keys/secure "/CN=secure.${DOMAIN}" req.cnf
+genserver $year/keys/static "/CN=static.${DOMAIN}" req.cnf
+genserver $year/keys/api "/CN=api.${DOMAIN}" req.cnf
+
+# then the email signing key
+genserver $year/keys/mail "/emailAddress=support@${DOMAIN}" reqMail.cnf
+
+# then environment-keys for cassiopeia
+genserver $year/keys/signer_client "/CN=CAcert signer handler 1" reqClient.cnf
+genserver $year/keys/signer_server "/CN=CAcert signer 1" req.cnf
+
+rm req.cnf reqMail.cnf reqClient.cnf
+
+rm env.chain.crt
#!/bin/sh
# this script generates a set of sample keys
-DOMAIN="cacert.local"
-KEYSIZE=4096
-PRIVATEPW="changeit"
+set -e
-[ -f config ] && . ./config
-
-
-rm -Rf *.csr *.crt *.key *.pkcs12 *.ca *.crl
+. structure
+. commonFunctions
####### create various extensions files for the various certificate types ######
authorityInfoAccess = OCSP;URI:http://g2.ocsp.cacert.org,caIssuers;URI:http://g2.crt.cacert.org/root.crt
TESTCA
-cat <<TESTCA > req.cnf
-basicConstraints = critical,CA:false
-keyUsage = keyEncipherment, digitalSignature
-extendedKeyUsage=serverAuth
-subjectKeyIdentifier = hash
-authorityKeyIdentifier = keyid:always,issuer:always
-#crlDistributionPoints=URI:http://www.my.host/ca.crl
-#authorityInfoAccess = OCSP;URI:http://ocsp.my.host/
-TESTCA
-
-cat <<TESTCA > reqClient.cnf
-basicConstraints = critical,CA:false
-keyUsage = keyEncipherment, digitalSignature
-extendedKeyUsage=clientAuth
-subjectKeyIdentifier = hash
-authorityKeyIdentifier = keyid:always,issuer:always
-#crlDistributionPoints=URI:http://www.my.host/ca.crl
-#authorityInfoAccess = OCSP;URI:http://ocsp.my.host/
-TESTCA
-
-cat <<TESTCA > reqMail.cnf
-basicConstraints = critical,CA:false
-keyUsage = keyEncipherment, digitalSignature
-extendedKeyUsage=emailProtection
-subjectKeyIdentifier = hash
-authorityKeyIdentifier = keyid:always,issuer:always
-#crlDistributionPoints=URI:http://www.my.host/ca.crl
-#authorityInfoAccess = OCSP;URI:http://ocsp.my.host/
-TESTCA
-
-genKey(){ #subj, internalName
- openssl genrsa -out $2.key ${KEYSIZE}
- openssl req -new -key $2.key -out $2.csr -subj "$1/O=Test Environment CA Ltd./OU=Test Environment CAs"
-
-}
-
-genca(){ #subj, internalName
- mkdir $2.ca
-
- genKey "$1" "$2.ca/key"
-
- mkdir $2.ca/newcerts
- echo 01 > $2.ca/serial
- touch $2.ca/db
- echo unique_subject = no >$2.ca/db.attr
-
-}
-
-caSign(){ # csr,ca,config
- cd $2.ca
- openssl ca -cert key.crt -keyfile key.key -in ../$1.csr -out ../$1.crt -days 365 -batch -config ../selfsign.config -extfile ../$3
- cd ..
-}
rootSign(){ # csr
caSign "$1.ca/key" root subca.cnf
}
-genTimeCA(){ #csr,ca,
- cat <<TESTCA > timesubca.cnf
-basicConstraints = CA:true
-subjectKeyIdentifier = hash
-keyUsage = keyCertSign, cRLSign
-crlDistributionPoints=URI:http://g2.crl.cacert.org/g2/$2.crl
-authorityInfoAccess = OCSP;URI:http://g2.ocsp.cacert.org,caIssuers;URI:http://g2.crt.cacert.org/$2.crt
-TESTCA
- caSign $1 $2 timesubca.cnf
- rm timesubca.cnf
-}
-
-genserver(){ #key, subject, config
- openssl genrsa -out $1.key ${KEYSIZE}
- openssl req -new -key $1.key -out $1.csr -subj "$2"
- caSign $1 env15_1 "$3"
-
- openssl pkcs12 -inkey $1.key -in $1.crt -CAfile env.chain.crt -chain -name $1 -export -passout pass:changeit -out $1.pkcs12
-
-}
-
# Generate the super Root CA
genca "/CN=Cacert-gigi testCA" root
openssl x509 -req -days 365 -in root.ca/key.csr -signkey root.ca/key.key -out root.ca/key.crt -extfile ca.cnf
# generate the various sub-CAs
-genca "/CN=Environment" env
-rootSign env
-genca "/CN=Unassured" unassured
-rootSign unassured
-genca "/CN=Assured" assured
-rootSign assured
-genca "/CN=Codesigning" codesign
-rootSign codesign
-genca "/CN=Orga" orga
-rootSign orga
-genca "/CN=Orga sign" orgaSign
-rootSign orgaSign
-
-genca "/CN=Environment 2015-1" env15_1
-genTimeCA env15_1.ca/key env
-genKey "/CN=Unassured 2015-1" unassured15_1
-genTimeCA unassured15_1 unassured
-
-cat env15_1.ca/key.crt env.ca/key.crt root.ca/key.crt > env.chain.crt
-
-# generate environment-keys specific to gigi.
-# first the server keys
-genserver www "/CN=www.${DOMAIN}" req.cnf
-genserver secure "/CN=secure.${DOMAIN}" req.cnf
-genserver static "/CN=static.${DOMAIN}" req.cnf
-genserver api "/CN=api.${DOMAIN}" req.cnf
+for ca in $STRUCT_CAS; do
+ . CAs/$ca
+ genca "/CN=$name" $ca
+ rootSign $ca
+done
-# then the email signing key
-genserver mail "/emailAddress=support@${DOMAIN}" reqMail.cnf
+rm ca.cnf subca.cnf
-# then environment-keys for cassiopeia
-genserver signer_client "/CN=CAcert signer handler 1" reqClient.cnf
-genserver signer_server "/CN=CAcert signer 1" req.cnf
-rm ca.cnf subca.cnf req.cnf reqMail.cnf reqClient.cnf
-for local in www secure static api signer_client signer_server mail; do
- openssl verify -CAfile root.ca/key.crt -untrusted env.chain.crt $local.crt
-done
-rm env.chain.crt
--- /dev/null
+#!/bin/sh
+
+. structure
+. commonFunctions
+
+[ "$1" == "" ] && echo "Usage: $0 <year>" && exit 1
+year=$1
+
+genTimeCA(){ #csr,ca to sign with,start,end
+ cat <<TESTCA > timesubca.cnf
+basicConstraints = CA:true
+subjectKeyIdentifier = hash
+keyUsage = keyCertSign, cRLSign
+crlDistributionPoints=URI:http://g2.crl.cacert.org/g2/$2.crl
+authorityInfoAccess = OCSP;URI:http://g2.ocsp.cacert.org,caIssuers;URI:http://g2.crt.cacert.org/$2.crt
+TESTCA
+ caSign $1 $2 timesubca.cnf "$3" "$4"
+ rm timesubca.cnf
+}
+
+mkdir -p $year/ca
+
+STARTDATE="${year:2}0101000000Z"
+ENDDATE="$((${year:2} + 2))0101000000Z"
+
+. CAs/env
+genca "/CN=$name ${year}-1" $year/ca/env_${year}_1
+genTimeCA $year/ca/env_${year}_1.ca/key env "$STARTDATE" "$ENDDATE"
+
+for ca in $STRUCT_CAS; do
+ [ "$ca" == "env" ] && continue
+ . CAs/$ca
+ genKey "/CN=$name ${year}-1" $year/ca/${ca}_${year}_1
+ genTimeCA $year/ca/${ca}_${year}_1 $ca "$STARTDATE" "$ENDDATE"
+done
--- /dev/null
+#!/bin/sh
+DOMAIN="cacert.local"
+KEYSIZE=4096
+PRIVATEPW="changeit"
+
+[ -f config ] && . ./config
+
+STRUCT_CAS="env unassured assured codesign orga orgaSign"
+SERVER_KEYS="api secure www static signer_server signer_client"
--- /dev/null
+#!/bin/sh
+set -e
+[ "$1" == "" ] && echo "Usage: $0 <year>" && exit 1
+year=$1
+
+. structure
+
+verify(){ # CAfile, crt
+ openssl verify -CAfile "$1" "$2" || error "$2 did not verify"
+}
+
+error() { # message
+ echo $1
+ exit -1
+}
+
+# Verify root
+verify root.ca/key.crt root.ca/key.crt
+
+# Verify level-1 structure
+for i in $STRUCT_CAS; do
+ verify root.ca/key.crt $i.ca/key.crt
+done
+
+# Verify level-2 (time) structure
+for i in $STRUCT_CAS; do
+ . CAs/$i
+ if [ "$i" == "env" ]; then
+ CA_FILE=$year/ca/${i}_${year}_1.ca/key.crt
+ else
+ CA_FILE=$year/ca/${i}_${year}_1.crt
+ fi
+ verify <(cat root.ca/key.crt $i.ca/key.crt) "$CA_FILE"
+ openssl x509 -in "$CA_FILE" -noout -text | grep "CA Issuers" | grep "/$i.crt" > /dev/null || error "CA Issuers field is wrong for $i"
+ openssl x509 -in "$CA_FILE" -noout -text | grep "Subject: " | grep "CN=$name" > /dev/null || error "Subject field did not verify"
+done
+
+# Verify infra keys
+cat root.ca/key.crt env.ca/key.crt $year/ca/env_${year}_1.ca/key.crt > envChain.crt
+
+for i in $SERVER_KEYS; do
+ verify envChain.crt ${year}/keys/$i.crt
+done
+
+rm envChain.crt
+