From 2d5c169f43c88c0abedf60990b1fd622e8261b49 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Felix=20D=C3=B6rre?=
Date: Fri, 3 Apr 2015 23:11:37 +0200
Subject: [PATCH] UPD: better generation structure. Better 'time'-structure.
---
 CAs/assured | 1 +
 CAs/codesign | 1 +
 CAs/env | 1 +
 CAs/orga | 1 +
 CAs/orgaSign | 1 +
 CAs/unassured | 1 +
 all.sh | 12 +++++
 clear.sh | 3 ++
 commonFunctions | 35 +++++++++++++
 generateInfra.sh | 71 ++++++++++++++++++++++++++
 generateKeys.sh | 126 ++++-------------------------------------------
 generateTime.sh | 35 +++++++++++++
 structure | 9 ++++
 verify.sh | 46 +++++++++++++++++
 14 files changed, 226 insertions(+), 117 deletions(-)
 create mode 100755 CAs/assured
 create mode 100755 CAs/codesign
 create mode 100755 CAs/env
 create mode 100755 CAs/orga
 create mode 100755 CAs/orgaSign
 create mode 100755 CAs/unassured
 create mode 100755 all.sh
 create mode 100755 clear.sh
 create mode 100755 commonFunctions
 create mode 100755 generateInfra.sh
 create mode 100755 generateTime.sh
 create mode 100755 structure
 create mode 100755 verify.sh
diff --git a/CAs/assured b/CAs/assured
new file mode 100755
index 0000000..6750d88
--- /dev/null
+++ b/CAs/assured
@@ -0,0 +1 @@
+name="Assured"
diff --git a/CAs/codesign b/CAs/codesign
new file mode 100755
index 0000000..f7fcad0
--- /dev/null
+++ b/CAs/codesign
@@ -0,0 +1 @@
+name="Codesigning"
diff --git a/CAs/env b/CAs/env
new file mode 100755
index 0000000..8362e32
--- /dev/null
+++ b/CAs/env
@@ -0,0 +1 @@
+name="Environment"
diff --git a/CAs/orga b/CAs/orga
new file mode 100755
index 0000000..101a52d
--- /dev/null
+++ b/CAs/orga
@@ -0,0 +1 @@
+name="Orga"
diff --git a/CAs/orgaSign b/CAs/orgaSign
new file mode 100755
index 0000000..82f9373
--- /dev/null
+++ b/CAs/orgaSign
@@ -0,0 +1 @@
+name="Orga sign"
diff --git a/CAs/unassured b/CAs/unassured
new file mode 100755
index 0000000..4c34e42
--- /dev/null
+++ b/CAs/unassured
@@ -0,0 +1 @@
+name="Unassured"
diff --git a/all.sh b/all.sh
new file mode 100755
index 0000000..8d647a8
--- /dev/null
+++ b/all.sh
@@ -0,0 +1,12 @@
+#!/bin/sh
+
+. ./clear.sh
+
+echo "========== Generating Root ======="
+. ./generateKeys.sh
+echo "========== Generating Year 2015 ======="
+. ./generateTime.sh 2015
+echo "========== Generating Infra for Year 2015 ======="
+. ./generateInfra.sh 2015
+echo "========== Verifying Year 2015 ======="
+. ./verify.sh 2015
diff --git a/clear.sh b/clear.sh
new file mode 100755
index 0000000..7e792dc
--- /dev/null
+++ b/clear.sh
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+rm -Rf *.csr *.crt *.key *.pkcs12 *.ca *.crl 2015
diff --git a/commonFunctions b/commonFunctions
new file mode 100755
index 0000000..5e1ffbf
--- /dev/null
+++ b/commonFunctions
@@ -0,0 +1,35 @@
+. structure
+
+genKey(){ #subj, internalName
+ openssl genrsa -out $2.key ${KEYSIZE}
+ openssl req -new -key $2.key -out $2.csr -subj "$1/O=Test Environment CA Ltd./OU=Test Environment CAs"
+
+}
+
+genca(){ #subj, internalName
+ mkdir $2.ca
+
+ genKey "$1" "$2.ca/key"
+
+ mkdir $2.ca/newcerts
+ echo 01 > $2.ca/serial
+ touch $2.ca/db
+ echo unique_subject = no >$2.ca/db.attr
+
+}
+
+caSign(){ # csr,ca,config,start,end
+ start="$4"
+ end="$5"
+ [ "$start" != "" ] && start="-startdate $start"
+ [ "$end" != "" ] && end="-enddate $end"
+ [ "$start" == "" -a "$end" == "" ] && start="-days 366"
+ BASE="$PWD"
+ echo "Signing: $1 with $2"
+ echo "$start $end"
+ pushd $2.ca > /dev/null
+ openssl ca -cert key.crt -keyfile key.key -in "$BASE/$1.csr" -out "$BASE/$1.crt" -batch -config "$BASE/selfsign.config" -extfile "$BASE/$3" $start $end
+ popd > /dev/null
+ echo "Signed"
+}
+
diff --git a/generateInfra.sh b/generateInfra.sh
new file mode 100755
index 0000000..bcad077
--- /dev/null
+++ b/generateInfra.sh
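Review bot: `. ./generateTime.sh 2015` (and the generateInfra.sh and verify.sh lines) passes an argument to a sourced script, but POSIX leaves extra arguments to `.` unspecified, so on a /bin/sh that does not set positional parameters for `.` the sourced script sees all.sh's own empty `$1` and its usage guard aborts the whole run; executing the scripts instead (`./generateTime.sh 2015`) avoids that, since each of them sources structure and whatever else it needs itself. The year is also hard-coded four times here and once more in clear.sh, so a single `year=${1:-2015}` at the top, passed on as `"$year"`, would keep the two files from drifting apart.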
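Review bot: `rm -Rf *.csr *.crt *.key *.pkcs12 *.ca *.crl 2015` removes every matching file in whatever directory the caller happens to be in, private keys included, with nothing confirming that this is the generator's own directory. A marker check such as `[ -f selfsign.config ] || exit 1` before the `rm`, and `rm -Rf -- ...` so an odd file name cannot be parsed as an option, would make the clean-up fail safe. The `2015` also has to be kept in sync with all.sh by hand.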
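Review bot: `. structure` on the first line (and the same form in generateInfra.sh, generateKeys.sh, generateTime.sh and verify.sh) names the file without a slash, so POSIX `.` looks it up through PATH rather than in the working directory; under dash, or bash invoked as sh, that fails with "not found" unless PATH happens to contain `.`, and `. ./structure` / `. ./commonFunctions` is the portable spelling. caSign additionally relies on `==`, the `-a` test operator and `pushd`/`popd`, none of which POSIX sh guarantees, while every script that sources this file declares `#!/bin/sh`; `[ -z "$start" ] && [ -z "$end" ]`, `=` for comparisons and `cd "$2.ca"` followed by `cd "$BASE"` keep it within sh. The `openssl ca` line deliberately leaves `$start` and `$end` unquoted so that `-startdate` and its value split into two words; a one-line comment saying so would stop a later quoting clean-up from silently breaking signing.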
@@ -0,0 +1,71 @@
+#!/bin/sh
+#
+set -e
+
+[ "$1" == "" ] && echo "Usage: $0 " && exit 1
+year=$1
+
+. structure
+. commonFunctions
+
+CRL="
+crlDistributionPoints=URI:http://g2.crl.cacert.org/g2/$year/env.crl
+authorityInfoAccess = OCSP;URI:http://g2.ocsp.cacert.org,caIssuers;URI:http://g2.crt.cacert.org/$year/env.crt"
+
+cat < req.cnf
+basicConstraints = critical,CA:false
+keyUsage = keyEncipherment, digitalSignature
+extendedKeyUsage=serverAuth
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer:always
+$CRL
+TESTCA
+
+cat < reqClient.cnf
+basicConstraints = critical,CA:false
+keyUsage = keyEncipherment, digitalSignature
+extendedKeyUsage=clientAuth
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer:always
+$CRL
+TESTCA
+
+cat < reqMail.cnf
+basicConstraints = critical,CA:false
+keyUsage = keyEncipherment, digitalSignature
+extendedKeyUsage=emailProtection
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer:always
+$CRL
+TESTCA
+
+genserver(){ #key, subject, config
+ openssl genrsa -out $1.key ${KEYSIZE}
+ openssl req -new -key $1.key -out $1.csr -subj "$2"
+ caSign $1 $year/ca/env_${year}_1 "$3"
+
+ openssl pkcs12 -inkey $1.key -in $1.crt -CAfile env.chain.crt -chain -name $1 -export -passout pass:changeit -out $1.pkcs12
+
+}
+
+mkdir -p $year/keys
+
+cat $year/ca/env_${year}_1.ca/key.crt env.ca/key.crt root.ca/key.crt > env.chain.crt
+
+# generate environment-keys specific to gigi.
+# first the server keys
+genserver $year/keys/www "/CN=www.${DOMAIN}" req.cnf
+genserver $year/keys/secure "/CN=secure.${DOMAIN}" req.cnf
+genserver $year/keys/static "/CN=static.${DOMAIN}" req.cnf
+genserver $year/keys/api "/CN=api.${DOMAIN}" req.cnf
+
+# then the email signing key
+genserver $year/keys/mail "/emailAddress=support@${DOMAIN}" reqMail.cnf
+
+# then environment-keys for cassiopeia
+genserver $year/keys/signer_client "/CN=CAcert signer handler 1" reqClient.cnf
+genserver $year/keys/signer_server "/CN=CAcert signer 1" req.cnf
+
+rm req.cnf reqMail.cnf reqClient.cnf
+
+rm env.chain.crt
diff --git a/generateKeys.sh b/generateKeys.sh
index adde5df..27d86a7 100755
--- a/generateKeys.sh
+++ b/generateKeys.sh
@@ -1,13 +1,9 @@
 #!/bin/sh
 # this script generates a set of sample keys
-DOMAIN="cacert.local"
-KEYSIZE=4096
-PRIVATEPW="changeit"
+set -e
-[ -f config ] && . ./config
-
-
-rm -Rf *.csr *.crt *.key *.pkcs12 *.ca *.crl
+. structure
+. commonFunctions
 ####### create various extensions files for the various certificate types ######
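Review bot: genserver's `-passout pass:changeit` ignores `PRIVATEPW`, which structure defines and a local `config` is allowed to override, and it places the passphrase on the openssl command line where any user on the host can read it from the process list; `-passout env:PRIVATEPW` (with `export PRIVATEPW` in structure) reads it from the environment instead. req.cnf, reqClient.cnf, reqMail.cnf and env.chain.crt are created under fixed names in the working directory and removed only on the success path, so an `openssl` failure under `set -e` leaves them behind for the next run to pick up. The `cat < req.cnf` lines appear to have lost their `<<TESTCA >` heredoc operator in this rendering; worth confirming the committed file has it, since without it the extension lines that follow would run as commands.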
@@ -27,128 +23,24 @@ crlDistributionPoints=URI:http://g2.crl.cacert.org/g2/root.crl
 authorityInfoAccess = OCSP;URI:http://g2.ocsp.cacert.org,caIssuers;URI:http://g2.crt.cacert.org/root.crt
 TESTCA
-cat < req.cnf
-basicConstraints = critical,CA:false
-keyUsage = keyEncipherment, digitalSignature
-extendedKeyUsage=serverAuth
-subjectKeyIdentifier = hash
-authorityKeyIdentifier = keyid:always,issuer:always
-#crlDistributionPoints=URI:http://www.my.host/ca.crl
-#authorityInfoAccess = OCSP;URI:http://ocsp.my.host/
-TESTCA
-
-cat < reqClient.cnf
-basicConstraints = critical,CA:false
-keyUsage = keyEncipherment, digitalSignature
-extendedKeyUsage=clientAuth
-subjectKeyIdentifier = hash
-authorityKeyIdentifier = keyid:always,issuer:always
-#crlDistributionPoints=URI:http://www.my.host/ca.crl
-#authorityInfoAccess = OCSP;URI:http://ocsp.my.host/
-TESTCA
-
-cat < reqMail.cnf
-basicConstraints = critical,CA:false
-keyUsage = keyEncipherment, digitalSignature
-extendedKeyUsage=emailProtection
-subjectKeyIdentifier = hash
-authorityKeyIdentifier = keyid:always,issuer:always
-#crlDistributionPoints=URI:http://www.my.host/ca.crl
-#authorityInfoAccess = OCSP;URI:http://ocsp.my.host/
-TESTCA
-
-genKey(){ #subj, internalName
- openssl genrsa -out $2.key ${KEYSIZE}
- openssl req -new -key $2.key -out $2.csr -subj "$1/O=Test Environment CA Ltd./OU=Test Environment CAs"
-
-}
-
-genca(){ #subj, internalName
- mkdir $2.ca
-
- genKey "$1" "$2.ca/key"
-
- mkdir $2.ca/newcerts
- echo 01 > $2.ca/serial
- touch $2.ca/db
- echo unique_subject = no >$2.ca/db.attr
-
-}
-
-caSign(){ # csr,ca,config
- cd $2.ca
- openssl ca -cert key.crt -keyfile key.key -in ../$1.csr -out ../$1.crt -days 365 -batch -config ../selfsign.config -extfile ../$3
- cd ..
-}
 rootSign(){ # csr
 caSign "$1.ca/key" root subca.cnf
 }
-genTimeCA(){ #csr,ca,
- cat < timesubca.cnf
-basicConstraints = CA:true
-subjectKeyIdentifier = hash
-keyUsage = keyCertSign, cRLSign
-crlDistributionPoints=URI:http://g2.crl.cacert.org/g2/$2.crl
-authorityInfoAccess = OCSP;URI:http://g2.ocsp.cacert.org,caIssuers;URI:http://g2.crt.cacert.org/$2.crt
-TESTCA
- caSign $1 $2 timesubca.cnf
- rm timesubca.cnf
-}
-
-genserver(){ #key, subject, config
- openssl genrsa -out $1.key ${KEYSIZE}
- openssl req -new -key $1.key -out $1.csr -subj "$2"
- caSign $1 env15_1 "$3"
-
- openssl pkcs12 -inkey $1.key -in $1.crt -CAfile env.chain.crt -chain -name $1 -export -passout pass:changeit -out $1.pkcs12
-
-}
-
 # Generate the super Root CA
 genca "/CN=Cacert-gigi testCA" root
 openssl x509 -req -days 365 -in root.ca/key.csr -signkey root.ca/key.key -out root.ca/key.crt -extfile ca.cnf
 # generate the various sub-CAs
-genca "/CN=Environment" env
-rootSign env
-genca "/CN=Unassured" unassured
-rootSign unassured
-genca "/CN=Assured" assured
-rootSign assured
-genca "/CN=Codesigning" codesign
-rootSign codesign
-genca "/CN=Orga" orga
-rootSign orga
-genca "/CN=Orga sign" orgaSign
-rootSign orgaSign
-
-genca "/CN=Environment 2015-1" env15_1
-genTimeCA env15_1.ca/key env
-genKey "/CN=Unassured 2015-1" unassured15_1
-genTimeCA unassured15_1 unassured
-
-cat env15_1.ca/key.crt env.ca/key.crt root.ca/key.crt > env.chain.crt
-
-# generate environment-keys specific to gigi.
-# first the server keys
-genserver www "/CN=www.${DOMAIN}" req.cnf
-genserver secure "/CN=secure.${DOMAIN}" req.cnf
-genserver static "/CN=static.${DOMAIN}" req.cnf
-genserver api "/CN=api.${DOMAIN}" req.cnf
+for ca in $STRUCT_CAS; do
+ . CAs/$ca
+ genca "/CN=$name" $ca
+ rootSign $ca
+done
-# then the email signing key
-genserver mail "/emailAddress=support@${DOMAIN}" reqMail.cnf
+rm ca.cnf subca.cnf
-# then environment-keys for cassiopeia
-genserver signer_client "/CN=CAcert signer handler 1" reqClient.cnf
-genserver signer_server "/CN=CAcert signer 1" req.cnf
-rm ca.cnf subca.cnf req.cnf reqMail.cnf reqClient.cnf
-for local in www secure static api signer_client signer_server mail; do
- openssl verify -CAfile root.ca/key.crt -untrusted env.chain.crt $local.crt
-done
-rm env.chain.crt
diff --git a/generateTime.sh b/generateTime.sh
new file mode 100755
index 0000000..d18c2ba
--- /dev/null
+++ b/generateTime.sh
@@ -0,0 +1,35 @@
+#!/bin/sh
+
+. structure
+. commonFunctions
+
+[ "$1" == "" ] && echo "Usage: $0 " && exit 1
+year=$1
+
+genTimeCA(){ #csr,ca to sign with,start,end
+ cat < timesubca.cnf
+basicConstraints = CA:true
+subjectKeyIdentifier = hash
+keyUsage = keyCertSign, cRLSign
+crlDistributionPoints=URI:http://g2.crl.cacert.org/g2/$2.crl
+authorityInfoAccess = OCSP;URI:http://g2.ocsp.cacert.org,caIssuers;URI:http://g2.crt.cacert.org/$2.crt
+TESTCA
+ caSign $1 $2 timesubca.cnf "$3" "$4"
+ rm timesubca.cnf
+}
+
+mkdir -p $year/ca
+
+STARTDATE="${year:2}0101000000Z"
+ENDDATE="$((${year:2} + 2))0101000000Z"
+
+. CAs/env
+genca "/CN=$name ${year}-1" $year/ca/env_${year}_1
+genTimeCA $year/ca/env_${year}_1.ca/key env "$STARTDATE" "$ENDDATE"
+
+for ca in $STRUCT_CAS; do
+ [ "$ca" == "env" ] && continue
+ . CAs/$ca
+ genKey "/CN=$name ${year}-1" $year/ca/${ca}_${year}_1
+ genTimeCA $year/ca/${ca}_${year}_1 $ca "$STARTDATE" "$ENDDATE"
+done
diff --git a/structure b/structure
new file mode 100755
index 0000000..3579257
--- /dev/null
+++ b/structure
@@ -0,0 +1,9 @@
+#!/bin/sh
+DOMAIN="cacert.local"
+KEYSIZE=4096
+PRIVATEPW="changeit"
+
+[ -f config ] && . ./config
+
+STRUCT_CAS="env unassured assured codesign orga orgaSign"
+SERVER_KEYS="api secure www static signer_server signer_client"
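Review bot: The root certificate is still self-signed with `-days 365` on the `openssl x509 -req` context line, yet the level-1 CAs the new loop issues through `rootSign` get caSign's fallback `-days 366`, and the year CAs generateTime.sh chains below them get an `-enddate` two years out, so every intermediate and leaf outlives the root and `openssl verify` stops succeeding a year after the first run. With the hierarchy now built in layers, the root and level-1 validity should cover the longest `-enddate` generateTime.sh will ever request — for example a much larger `-days` value on the root and an explicit end date handed from `rootSign` to caSign's fourth and fifth parameters. In the loop, `$name` is whatever the last `. CAs/$ca` left behind, so a CAs file that omits the assignment silently reuses the previous CA's name; `unset name` before the `.` line, or `: "${name:?missing name in CAs/$ca}"` after it, turns that into a hard error.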
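Review bot: `${year:2}` in STARTDATE and ENDDATE is a bash substring expansion that dash rejects as a bad substitution, and `[ "$1" == "" ]` and `[ "$ca" == "env" ]` are not POSIX either, so the script does not run under the `#!/bin/sh` it declares on dash-based systems. `$year` is also never validated before it is sliced into a two-digit UTCTime year, so a typo such as `215` yields `50101000000Z` and `openssl ca` fails late with an unhelpful message. `case "$1" in [0-9][0-9][0-9][0-9]) year=$1 ;; *) echo "Usage: $0 YEAR" >&2; exit 1 ;; esac` in place of the current guard, followed by `yy=${year#??}` and `STARTDATE="${yy}0101000000Z"` (and the same `yy` in ENDDATE), covers both points with POSIX expansions only.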
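Review bot: `SERVER_KEYS` omits mail, although generateInfra.sh still generates `$year/keys/mail` and the loop this commit removes from generateKeys.sh verified `mail.crt`; since verify.sh now iterates SERVER_KEYS, the mail certificate is the one leaf that is no longer checked. Adding it (`SERVER_KEYS="api secure www static signer_server signer_client mail"`) restores the previous coverage, and a comment on the variable saying it must match the `genserver` calls in generateInfra.sh would at least point the next editor there. `PRIVATEPW="changeit"` is currently dead, because generateInfra.sh hard-codes its own `pass:changeit`; either wire it through or drop it so readers are not misled about where the PKCS#12 password comes from.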
diff --git a/verify.sh b/verify.sh
new file mode 100755
index 0000000..bb9ff0e
--- /dev/null
+++ b/verify.sh
@@ -0,0 +1,46 @@
+#!/bin/sh
+set -e
+[ "$1" == "" ] && echo "Usage: $0 " && exit 1
+year=$1
+
+. structure
+
+verify(){ # CAfile, crt
+ openssl verify -CAfile "$1" "$2" || error "$2 did not verify"
+}
+
+error() { # message
+ echo $1
+ exit -1
+}
+
+# Verify root
+verify root.ca/key.crt root.ca/key.crt
+
+# Verify level-1 structure
+for i in $STRUCT_CAS; do
+ verify root.ca/key.crt $i.ca/key.crt
+done
+
+# Verify level-2 (time) structure
+for i in $STRUCT_CAS; do
+ . CAs/$i
+ if [ "$i" == "env" ]; then
+ CA_FILE=$year/ca/${i}_${year}_1.ca/key.crt
+ else
+ CA_FILE=$year/ca/${i}_${year}_1.crt
+ fi
+ verify <(cat root.ca/key.crt $i.ca/key.crt) "$CA_FILE"
+ openssl x509 -in "$CA_FILE" -noout -text | grep "CA Issuers" | grep "/$i.crt" > /dev/null || error "CA Issuers field is wrong for $i"
+ openssl x509 -in "$CA_FILE" -noout -text | grep "Subject: " | grep "CN=$name" > /dev/null || error "Subject field did not verify"
+done
+
+# Verify infra keys
+cat root.ca/key.crt env.ca/key.crt $year/ca/env_${year}_1.ca/key.crt > envChain.crt
+
+for i in $SERVER_KEYS; do
+ verify envChain.crt ${year}/keys/$i.crt
+done
+
+rm envChain.crt
+
-- 
2.39.2
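Review bot: `verify <(cat root.ca/key.crt $i.ca/key.crt) "$CA_FILE"` uses bash process substitution and `error` ends with `exit -1`, and dash rejects both (a syntax error at `<(` and an illegal number for `-1`), so the script cannot run under its `#!/bin/sh` shebang on Debian-style systems; writing the two-certificate bundle to a `mktemp` file, as the infra check already does with envChain.crt, and using `exit 1` keeps it portable. `grep "CN=$name"` is a substring match, so the `Orga` check would also accept a certificate whose subject is `Orga sign 2015-1`; matching the exact subject generateTime.sh builds, `CN=$name ${year}-1`, closes that. Newer OpenSSL (1.1 onward) prints the `-text` subject as `CN = ...` with spaces around `=`, so both grep checks would fail there; `openssl x509 -noout -subject -nameopt RFC2253` gives a stable form to match against. `echo $1` in `error` is unquoted and goes to stdout; `printf '%s\n' "$1" >&2` is the usual form for a diagnostic.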