huge cleanup of the openssl conf + tsa gen script

The OpenSSL configuration used for generating the test CA and test Time-Stamp authority was lazily copied from OpenSSL. There were a lot of useless items in it. Now the configuration is cleaner and only contains what is necessary for the TSA creation.
2017-06-20 19:58:47 +02:00 · 2017-06-20 19:58:47 +02:00 · 7f2d2cf4c1
parent 666584fba4
commit 7f2d2cf4c1
2 changed files with 40 additions and 150 deletions
--- a/tests/cfg/pki/CAtsa.cnf
+++ b/tests/cfg/pki/CAtsa.cnf
@ -1,86 +1,17 @@
 #
 # This config is used by the Time Stamp Authority tests.
 #
 RANDFILE		= ./.rnd
 # Extra OBJECT IDENTIFIER info:
 oid_section		= new_oids
 TSDNSECT		= ts_cert_dn
 INDEX			= 1
 [ new_oids ]
 # Policies used by the TSA tests.
 tsa_policy1 = 1.2.3.4.1
 tsa_policy2 = 1.2.3.4.5.6
 tsa_policy3 = 1.2.3.4.5.7
 #----------------------------------------------------------------------
-[ ca ]
+#
-default_ca	= CA_default		# The default ca section
+# Properties needed for a Time-Stamp Authority (TSA) certificates
-
+#
 [ CA_default ]
 dir		= ./demoCA
 certs		= $dir/certs		# Where the issued certs are kept
 database	= $dir/index.txt	# database index file.
 new_certs_dir	= $dir/newcerts		# default place for new certs.
 certificate	= $dir/cacert.pem 	# The CA certificate
 serial		= $dir/serial 		# The current serial number
 private_key	= $dir/private/cakey.pem# The private key
 RANDFILE	= $dir/private/.rand	# private random number file
 default_days	= 365			# how long to certify for
 default_md	= sha1			# which md to use.
 preserve	= no			# keep passed DN ordering
 policy		= policy_match
 # For the CA policy
 [ policy_match ]
 countryName		= supplied
 stateOrProvinceName	= supplied
 organizationName	= supplied
 organizationalUnitName	= optional
 commonName		= supplied
 emailAddress		= optional
 #----------------------------------------------------------------------
 [ req ]
 default_bits		= 4096
 default_md		= sha1
 distinguished_name	= $ENV::TSDNSECT
 encrypt_rsa_key		= no
 prompt 			= no
 # attributes		= req_attributes
 x509_extensions	= v3_ca	# The extentions to add to the self signed cert
 string_mask = nombstr
 [ ts_ca_dn ]
 countryName			= FR
 stateOrProvinceName		= Paris
 localityName			= Paris
 organizationName		= UTS-SERVER test
 commonName			= ca1
 [ ts_cert_dn ]
 countryName			= FR
 stateOrProvinceName		= Paris
 localityName			= Paris
 organizationName		= UTS-SERVER test
 commonName			= tsa$ENV::INDEX
 # Extensions required to a TSA certificate
 [ tsa_cert ]
-# TSA server cert is not a CA cert.
+# TSA server cert is not a CA cert, disabling CA role
 basicConstraints=CA:FALSE
-# The following key usage flags are needed for TSA server certificates.
+# The following key usage flags are mandatory for TSA server certificates.
 # This parameters set the main specificities of a TSA certificate
 keyUsage = nonRepudiation, digitalSignature
 extendedKeyUsage = critical,timeStamping
@ -88,76 +19,39 @@ extendedKeyUsage = critical,timeStamping
 subjectKeyIdentifier=hash
 authorityKeyIdentifier=keyid,issuer:always
 [ non_tsa_cert ]
-# This is not a CA cert and not a TSA cert, either (timeStamping usage missing)
+#----------------------------------------------------------------------
-basicConstraints=CA:FALSE
+#
 # Other Properties for the CA and non-tsa certificates
 #
 #----------------------------------------------------------------------
-# The following key usage flags are needed for TSA server certificates.
+# Common properties of all the certificates/CA (CN, OU, etc...)
-keyUsage = nonRepudiation, digitalSignature
+[ dn_section ]
-# timeStamping is not supported by this certificate
+countryName			= FR
-# extendedKeyUsage = critical,timeStamping
+stateOrProvinceName		= Paris
 localityName			= Paris
 organizationName		= UTS-SERVER test
-# PKIX recommendations harmless if included in all certificates.
+# CN is passed through environment variable "CN"
-subjectKeyIdentifier=hash
+commonName			= $ENV::CN
 authorityKeyIdentifier=keyid,issuer:always
 [ v3_req ]
-# Extensions to add to a certificate request
+# OpenSSL parameters for certificate requests generation
-basicConstraints = CA:FALSE
+[ req ]
-keyUsage = nonRepudiation, digitalSignature
+default_bits		= 4096
 default_md		= sha512
 distinguished_name	= dn_section
 encrypt_rsa_key		= no
 prompt 			= no
 # The extentions to add to the self signed cert
 x509_extensions	= v3_ca
 [ v3_ca ]
 # Extensions for a typical CA
 [ v3_ca ]
 subjectKeyIdentifier=hash
 authorityKeyIdentifier=keyid:always,issuer:always
 basicConstraints = critical,CA:true
 keyUsage = cRLSign, keyCertSign
 #----------------------------------------------------------------------
 [ tsa ]
 default_tsa = tsa_config1	# the default TSA section
 [ tsa_config1 ]
 # These are used by the TSA reply generation only.
 dir		= .			# TSA root directory
 serial		= $dir/tsa_serial	# The current serial number (mandatory)
 signer_cert	= $dir/tsa_cert1.pem 	# The TSA signing certificate
 					# (optional)
 certs		= $dir/tsaca.pem	# Certificate chain to include in reply
 					# (optional)
 signer_key	= $dir/tsa_key1.pem	# The TSA private key (optional)
 default_policy	= tsa_policy1		# Policy if request did not specify it
 					# (optional)
 other_policies	= tsa_policy2, tsa_policy3	# acceptable policies (optional)
 digests		= md5, sha1		# Acceptable message digests (mandatory)
 accuracy	= secs:1, millisecs:500, microsecs:100	# (optional)
 ordering		= yes	# Is ordering defined for timestamps?
 				# (optional, default: no)
 tsa_name		= yes	# Must the TSA name be included in the reply?
 				# (optional, default: no)
 ess_cert_id_chain	= yes	# Must the ESS cert id chain be included?
 				# (optional, default: no)
 [ tsa_config2 ]
 # This configuration uses a certificate which doesn't have timeStamping usage.
 # These are used by the TSA reply generation only.
 dir		= .			# TSA root directory
 serial		= $dir/tsa_serial	# The current serial number (mandatory)
 signer_cert	= $dir/tsa_cert2.pem 	# The TSA signing certificate
 					# (optional)
 certs		= $dir/demoCA/cacert.pem# Certificate chain to include in reply
 					# (optional)
 signer_key	= $dir/tsa_key2.pem	# The TSA private key (optional)
 default_policy	= tsa_policy1		# Policy if request did not specify it
 					# (optional)
 other_policies	= tsa_policy2, tsa_policy3	# acceptable policies (optional)
 digests		= md5, sha1		# Acceptable message digests (mandatory)
--- a/tests/cfg/pki/create_tsa_certs
+++ b/tests/cfg/pki/create_tsa_certs
@ -6,7 +6,6 @@ export OPENSSL_CONF="./CAtsa.cnf"
 cd `dirname $0`
 error () {
    echo "TSA test failed!" >&2
    exit 1
 }
@ -15,25 +14,22 @@ error () {
 create_ca () {
    echo "Creating a new CA for the TSA tests..."
-    TSDNSECT=ts_ca_dn
+    export CN="UTS-SERVER CA"
    export TSDNSECT   
    openssl req -new -x509 -nodes \
        -out tsaca.pem -keyout tsacakey.pem
    test $? != 0 && error
 }
 create_tsa_cert () {
-
+    EXT=$3
-    INDEX=$1
+    INDEX=$2
-    export INDEX
+    CN=$1; export CN
    EXT=$2
    TSDNSECT=ts_cert_dn
    export TSDNSECT
    openssl req -new \
        -out tsa_req${INDEX}.pem -keyout tsa_key${INDEX}.pem
    test $? != 0 && error
-echo Using extension $EXT
+
    echo Using extension $EXT
    openssl x509 -req \
        -in tsa_req${INDEX}.pem -out tsa_cert${INDEX}.pem \
        -CA tsaca.pem -CAkey tsacakey.pem -CAcreateserial \
@ -43,7 +39,7 @@ echo Using extension $EXT
 create_cert () {
-    INDEX=$1
+    INDEX=$2
    export INDEX
    TSDNSECT=ts_cert_dn
    export TSDNSECT
@ -63,12 +59,12 @@ echo "Creating CA for TSA tests..."
 create_ca
 echo "Creating tsa_cert1.pem TSA server cert..."
-create_tsa_cert 1 tsa_cert
+create_tsa_cert "TSA CERT 1" 1 tsa_cert
 echo "Creating tsa_cert2.pem TSA server cert..."
-create_tsa_cert 2 tsa_cert
+create_tsa_cert "TSA CERT 2" 2 tsa_cert
 echo "Creating ssl_keycerts1.pem for ssl"
-create_cert 1
+create_cert "uts-server.example.org" 1
 exit 0