adding general (simple) structure and profiles
authorFelix Dörre <felix@dogcraft.de>
Fri, 3 Apr 2015 19:20:27 +0000 (21:20 +0200)
committerFelix Dörre <felix@dogcraft.de>
Fri, 3 Apr 2015 19:20:27 +0000 (21:20 +0200)
17 files changed:
.gitignore [new file with mode: 0755]
generateKeys.sh [new file with mode: 0755]
profiles/0001-client.cfg [new file with mode: 0644]
profiles/0002-mail.cfg [new file with mode: 0644]
profiles/0003-client-mail.cfg [new file with mode: 0644]
profiles/0004-server.cfg [new file with mode: 0644]
profiles/0005-client-a.cfg [new file with mode: 0644]
profiles/0006-mail-a.cfg [new file with mode: 0644]
profiles/0007-client-mail-a.cfg [new file with mode: 0644]
profiles/0008-server-a.cfg [new file with mode: 0644]
profiles/0009-code-a.cfg [new file with mode: 0644]
profiles/0010-client-orga.cfg [new file with mode: 0644]
profiles/0011-mail-orga.cfg [new file with mode: 0644]
profiles/0012-client-mail-orga.cfg [new file with mode: 0644]
profiles/0013-server-orga.cfg [new file with mode: 0644]
profiles/0014-code-orga.cfg [new file with mode: 0644]
selfsign.config [new file with mode: 0755]

diff --git a/.gitignore b/.gitignore
new file mode 100755 (executable)
index 0000000..e3f159d
--- /dev/null
@@ -0,0 +1,11 @@
+*.csr\r
+*.crt\r
+*.key\r
+*.pkcs12\r
+*.ca\r
+*.crl\r
+config\r
+\r
+\r
+# Editor files\r
+*~\r
diff --git a/generateKeys.sh b/generateKeys.sh
new file mode 100755 (executable)
index 0000000..adde5df
--- /dev/null
@@ -0,0 +1,154 @@
+#!/bin/sh
+# this script generates a set of sample keys
+DOMAIN="cacert.local"
+KEYSIZE=4096
+PRIVATEPW="changeit"
+
+[ -f config ] && . ./config
+
+
+rm -Rf *.csr *.crt *.key *.pkcs12 *.ca *.crl
+
+
+####### create various extensions files for the various certificate types ######
+cat <<TESTCA > ca.cnf
+basicConstraints = CA:true
+subjectKeyIdentifier = hash
+keyUsage = keyCertSign, cRLSign
+crlDistributionPoints=URI:http://g2.crl.cacert.org/g2/root.crl
+authorityInfoAccess = OCSP;URI:http://g2.ocsp.cacert.org,caIssuers;URI:http://g2.crt.cacert.org/root.crt
+TESTCA
+
+cat <<TESTCA > subca.cnf
+basicConstraints = CA:true
+subjectKeyIdentifier = hash
+keyUsage = keyCertSign, cRLSign
+crlDistributionPoints=URI:http://g2.crl.cacert.org/g2/root.crl
+authorityInfoAccess = OCSP;URI:http://g2.ocsp.cacert.org,caIssuers;URI:http://g2.crt.cacert.org/root.crt
+TESTCA
+
+cat <<TESTCA > req.cnf
+basicConstraints = critical,CA:false
+keyUsage = keyEncipherment, digitalSignature
+extendedKeyUsage=serverAuth
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer:always
+#crlDistributionPoints=URI:http://www.my.host/ca.crl
+#authorityInfoAccess = OCSP;URI:http://ocsp.my.host/
+TESTCA
+
+cat <<TESTCA > reqClient.cnf
+basicConstraints = critical,CA:false
+keyUsage = keyEncipherment, digitalSignature
+extendedKeyUsage=clientAuth
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer:always
+#crlDistributionPoints=URI:http://www.my.host/ca.crl
+#authorityInfoAccess = OCSP;URI:http://ocsp.my.host/
+TESTCA
+
+cat <<TESTCA > reqMail.cnf
+basicConstraints = critical,CA:false
+keyUsage = keyEncipherment, digitalSignature
+extendedKeyUsage=emailProtection
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer:always
+#crlDistributionPoints=URI:http://www.my.host/ca.crl
+#authorityInfoAccess = OCSP;URI:http://ocsp.my.host/
+TESTCA
+
+genKey(){ #subj, internalName
+    openssl genrsa -out $2.key ${KEYSIZE}
+    openssl req -new -key $2.key -out $2.csr -subj "$1/O=Test Environment CA Ltd./OU=Test Environment CAs"
+
+}
+
+genca(){ #subj, internalName
+    mkdir $2.ca
+
+    genKey "$1" "$2.ca/key"
+    
+    mkdir $2.ca/newcerts
+    echo 01 > $2.ca/serial
+    touch $2.ca/db
+    echo unique_subject = no >$2.ca/db.attr
+
+}
+
+caSign(){ # csr,ca,config
+    cd $2.ca
+    openssl ca -cert key.crt -keyfile key.key -in ../$1.csr -out ../$1.crt -days 365 -batch -config ../selfsign.config -extfile ../$3
+    cd ..
+}
+
+rootSign(){ # csr
+    caSign "$1.ca/key" root subca.cnf
+}
+
+genTimeCA(){ #csr,ca,
+    cat <<TESTCA > timesubca.cnf
+basicConstraints = CA:true
+subjectKeyIdentifier = hash
+keyUsage = keyCertSign, cRLSign
+crlDistributionPoints=URI:http://g2.crl.cacert.org/g2/$2.crl
+authorityInfoAccess = OCSP;URI:http://g2.ocsp.cacert.org,caIssuers;URI:http://g2.crt.cacert.org/$2.crt
+TESTCA
+    caSign $1 $2 timesubca.cnf
+    rm timesubca.cnf
+}
+
+genserver(){ #key, subject, config
+    openssl genrsa -out $1.key ${KEYSIZE}
+    openssl req -new -key $1.key -out $1.csr -subj "$2"
+    caSign $1 env15_1 "$3"
+    
+    openssl pkcs12 -inkey $1.key -in $1.crt -CAfile env.chain.crt -chain -name $1 -export -passout pass:changeit -out $1.pkcs12
+    
+}
+
+
+# Generate the super Root CA
+genca "/CN=Cacert-gigi testCA" root
+openssl x509 -req -days 365 -in root.ca/key.csr -signkey root.ca/key.key -out root.ca/key.crt -extfile ca.cnf
+
+# generate the various sub-CAs
+genca "/CN=Environment" env
+rootSign env
+genca "/CN=Unassured" unassured
+rootSign unassured
+genca "/CN=Assured" assured
+rootSign assured
+genca "/CN=Codesigning" codesign
+rootSign codesign
+genca "/CN=Orga" orga
+rootSign orga
+genca "/CN=Orga sign" orgaSign
+rootSign orgaSign
+
+genca "/CN=Environment 2015-1" env15_1
+genTimeCA env15_1.ca/key env
+genKey "/CN=Unassured 2015-1" unassured15_1
+genTimeCA unassured15_1 unassured
+
+cat env15_1.ca/key.crt env.ca/key.crt root.ca/key.crt > env.chain.crt
+
+# generate environment-keys specific to gigi.
+# first the server keys
+genserver www "/CN=www.${DOMAIN}" req.cnf
+genserver secure "/CN=secure.${DOMAIN}" req.cnf
+genserver static "/CN=static.${DOMAIN}" req.cnf
+genserver api "/CN=api.${DOMAIN}" req.cnf
+
+# then the email signing key
+genserver mail "/emailAddress=support@${DOMAIN}" reqMail.cnf
+
+# then environment-keys for cassiopeia
+genserver signer_client "/CN=CAcert signer handler 1" reqClient.cnf
+genserver signer_server "/CN=CAcert signer 1" req.cnf
+
+rm ca.cnf subca.cnf req.cnf reqMail.cnf reqClient.cnf
+
+for local in www secure static api signer_client signer_server mail; do
+  openssl verify -CAfile root.ca/key.crt -untrusted env.chain.crt $local.crt
+done
+rm env.chain.crt
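Review bot: The PKCS#12 export in genserver hard-codes `-passout pass:changeit` although the script defines `PRIVATEPW="changeit"` at the top and lets `./config` override it, so a configured password is silently ignored; use `-passout pass:"${PRIVATEPW}"`, or `export PRIVATEPW` and `-passout env:PRIVATEPW` so the secret is not visible in the process argument list. The script runs as `#!/bin/sh` without `set -e`, and caSign does `cd $2.ca` unchecked, so a failed cd runs `openssl ca` in the current directory and the trailing `cd ..` then leaves the project tree; `cd "$2.ca" || exit 1` plus `set -e` near the top would stop at the first failed openssl step instead of producing a partial, inconsistently signed key set. The positional parameters in genKey, genca, caSign, genTimeCA and genserver are expanded unquoted (`$2.key`, `$1.csr`, `caSign $1 $2 timesubca.cnf`), which breaks on any name containing whitespace or glob characters — quote them throughout. The `rm -Rf *.csr *.crt *.key *.pkcs12 *.ca *.crl` at the top is relative to whatever directory the caller is in, so invoking the script from elsewhere deletes unrelated key material; a `cd "$(dirname "$0")" || exit 1` before it, or a dedicated output directory, would confine the cleanup.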
diff --git a/profiles/0001-client.cfg b/profiles/0001-client.cfg
new file mode 100644 (file)
index 0000000..6e88e3a
--- /dev/null
@@ -0,0 +1,4 @@
+ca=unassured
+ku=digitalSignature, keyEncipherment, keyAgreement
+eku=clientAuth
+days=732
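Review bot: The `ku=` line grants `keyAgreement` alongside `digitalSignature, keyEncipherment`, but keyAgreement is defined for DH/ECDH keys and has no meaning on an RSA certificate, which is the only key type generateKeys.sh produces in this commit (`openssl genrsa`); if the profiles are meant for RSA subjects, drop it, and if they are meant to also cover EC keys, a one-line comment at the top of each file saying so would stop a later reader from removing it. Nothing in this commit reads the profile files — generateKeys.sh signs with its own here-doc extension files and a fixed `-days 365` — so the `days=732` and `eku=` values cannot yet be checked against any generated certificate, and the consumer of the `ca`/`ku`/`eku`/`days` format is presumably a later component; a comment naming it would help. The same `ku=` line appears in profiles 0002 through 0014.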
diff --git a/profiles/0002-mail.cfg b/profiles/0002-mail.cfg
new file mode 100644 (file)
index 0000000..8a2cdff
--- /dev/null
@@ -0,0 +1,4 @@
+ca=unassured
+ku=digitalSignature, keyEncipherment, keyAgreement
+eku=emailProtection
+days=732
diff --git a/profiles/0003-client-mail.cfg b/profiles/0003-client-mail.cfg
new file mode 100644 (file)
index 0000000..861d069
--- /dev/null
@@ -0,0 +1,4 @@
+ca=unassured
+ku=digitalSignature, keyEncipherment, keyAgreement
+eku=clientAuth, emailProtection
+days=732
diff --git a/profiles/0004-server.cfg b/profiles/0004-server.cfg
new file mode 100644 (file)
index 0000000..e8f931d
--- /dev/null
@@ -0,0 +1,4 @@
+ca=unassured
+ku=digitalSignature, keyEncipherment, keyAgreement
+eku=serverAuth
+days=732
diff --git a/profiles/0005-client-a.cfg b/profiles/0005-client-a.cfg
new file mode 100644 (file)
index 0000000..1d8cc2e
--- /dev/null
@@ -0,0 +1,4 @@
+ca=assured
+ku=digitalSignature, keyEncipherment, keyAgreement
+eku=clientAuth
+days=732
diff --git a/profiles/0006-mail-a.cfg b/profiles/0006-mail-a.cfg
new file mode 100644 (file)
index 0000000..911c3db
--- /dev/null
@@ -0,0 +1,4 @@
+ca=assured
+ku=digitalSignature, keyEncipherment, keyAgreement
+eku=emailProtection
+days=732
diff --git a/profiles/0007-client-mail-a.cfg b/profiles/0007-client-mail-a.cfg
new file mode 100644 (file)
index 0000000..34a7e98
--- /dev/null
@@ -0,0 +1,4 @@
+ca=assured
+ku=digitalSignature, keyEncipherment, keyAgreement
+eku=clientAuth, emailProtection
+days=732
diff --git a/profiles/0008-server-a.cfg b/profiles/0008-server-a.cfg
new file mode 100644 (file)
index 0000000..6bdb7c7
--- /dev/null
@@ -0,0 +1,4 @@
+ca=assured
+ku=digitalSignature, keyEncipherment, keyAgreement
+eku=serverAuth
+days=732
diff --git a/profiles/0009-code-a.cfg b/profiles/0009-code-a.cfg
new file mode 100644 (file)
index 0000000..39f3e48
--- /dev/null
@@ -0,0 +1,4 @@
+ca=codesign
+ku=digitalSignature, keyEncipherment, keyAgreement
+eku=codeSigning, msCodeInd, msCodeCom
+days=732
diff --git a/profiles/0010-client-orga.cfg b/profiles/0010-client-orga.cfg
new file mode 100644 (file)
index 0000000..85228bc
--- /dev/null
@@ -0,0 +1,4 @@
+ca=orga
+ku=digitalSignature, keyEncipherment, keyAgreement
+eku=clientAuth
+days=732
diff --git a/profiles/0011-mail-orga.cfg b/profiles/0011-mail-orga.cfg
new file mode 100644 (file)
index 0000000..e2cd318
--- /dev/null
@@ -0,0 +1,4 @@
+ca=orga
+ku=digitalSignature, keyEncipherment, keyAgreement
+eku=emailProtection
+days=732
diff --git a/profiles/0012-client-mail-orga.cfg b/profiles/0012-client-mail-orga.cfg
new file mode 100644 (file)
index 0000000..9444004
--- /dev/null
@@ -0,0 +1,4 @@
+ca=orga
+ku=digitalSignature, keyEncipherment, keyAgreement
+eku=clientAuth, emailProtection
+days=732
diff --git a/profiles/0013-server-orga.cfg b/profiles/0013-server-orga.cfg
new file mode 100644 (file)
index 0000000..303c9c2
--- /dev/null
@@ -0,0 +1,4 @@
+ca=orga
+ku=digitalSignature, keyEncipherment, keyAgreement
+eku=serverAuth
+days=732
diff --git a/profiles/0014-code-orga.cfg b/profiles/0014-code-orga.cfg
new file mode 100644 (file)
index 0000000..e1ddea2
--- /dev/null
@@ -0,0 +1,4 @@
+ca=orgaSign
+ku=digitalSignature, keyEncipherment, keyAgreement
+eku=codeSigning, msCodeInd, msCodeCom
+days=732
diff --git a/selfsign.config b/selfsign.config
new file mode 100755 (executable)
index 0000000..e4d389f
--- /dev/null
@@ -0,0 +1,20 @@
+[ca]
+default_ca=ca1
+
+[ca1]
+new_certs_dir=newcerts
+database=db
+serial=serial
+default_md=sha256
+policy=ca1_pol
+
+
+[ca1_pol]
+commonName              = optional
+subjectAltName          = optional
+organizationName       = optional
+organizationalUnitName = optional
+emailAddress           = optional
+countryName            = optional
+stateOrProvinceName    = optional
+localityName           = optional
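Review bot: The `[ca1]` section sets no `certificate`, `private_key` or `default_days`, which only works because caSign in generateKeys.sh passes `-cert key.crt -keyfile key.key -days 365` on every call; a comment such as `# certificate, private_key and days are supplied by caSign on the command line` would keep a later edit from adding conflicting defaults here. `[ca1_pol]` marks every DN component `optional`, so `openssl ca` accepts any request subject without matching it against the issuer — acceptable for sample material, but worth stating in a comment so the section is not copied into a real issuing configuration. `subjectAltName` is not a subject-DN component, so its policy entry is unlikely to ever be consulted, and with `copy_extensions` unset any SAN in a request is dropped anyway, which is presumably why the server certificates above rely on `CN=` only.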