1
0
mirror of https://github.com/kakwa/uts-server synced 2024-12-04 23:15:54 +01:00

huge cleanup of the openssl conf + tsa gen script

The OpenSSL configuration used for generating the test CA and test
Time-Stamp authority was lazily copied from OpenSSL. There were a lot
of useless items in it. Now the configuration is cleaner and only
contains what is necessary for the TSA creation.
This commit is contained in:
kakwa 2017-06-20 19:58:47 +02:00
parent 666584fba4
commit 7f2d2cf4c1
2 changed files with 40 additions and 150 deletions

View File

@ -1,86 +1,17 @@
#
# This config is used by the Time Stamp Authority tests.
#
RANDFILE = ./.rnd
# Extra OBJECT IDENTIFIER info:
oid_section = new_oids
TSDNSECT = ts_cert_dn
INDEX = 1
[ new_oids ]
# Policies used by the TSA tests.
tsa_policy1 = 1.2.3.4.1
tsa_policy2 = 1.2.3.4.5.6
tsa_policy3 = 1.2.3.4.5.7
#----------------------------------------------------------------------
[ ca ]
default_ca = CA_default # The default ca section
[ CA_default ]
dir = ./demoCA
certs = $dir/certs # Where the issued certs are kept
database = $dir/index.txt # database index file.
new_certs_dir = $dir/newcerts # default place for new certs.
certificate = $dir/cacert.pem # The CA certificate
serial = $dir/serial # The current serial number
private_key = $dir/private/cakey.pem# The private key
RANDFILE = $dir/private/.rand # private random number file
default_days = 365 # how long to certify for
default_md = sha1 # which md to use.
preserve = no # keep passed DN ordering
policy = policy_match
# For the CA policy
[ policy_match ]
countryName = supplied
stateOrProvinceName = supplied
organizationName = supplied
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
#
# Properties needed for a Time-Stamp Authority (TSA) certificates
#
#----------------------------------------------------------------------
[ req ]
default_bits = 4096
default_md = sha1
distinguished_name = $ENV::TSDNSECT
encrypt_rsa_key = no
prompt = no
# attributes = req_attributes
x509_extensions = v3_ca # The extentions to add to the self signed cert
string_mask = nombstr
[ ts_ca_dn ]
countryName = FR
stateOrProvinceName = Paris
localityName = Paris
organizationName = UTS-SERVER test
commonName = ca1
[ ts_cert_dn ]
countryName = FR
stateOrProvinceName = Paris
localityName = Paris
organizationName = UTS-SERVER test
commonName = tsa$ENV::INDEX
# Extensions required to a TSA certificate
[ tsa_cert ]
# TSA server cert is not a CA cert.
# TSA server cert is not a CA cert, disabling CA role
basicConstraints=CA:FALSE
# The following key usage flags are needed for TSA server certificates.
# The following key usage flags are mandatory for TSA server certificates.
# This parameters set the main specificities of a TSA certificate
keyUsage = nonRepudiation, digitalSignature
extendedKeyUsage = critical,timeStamping
@ -88,76 +19,39 @@ extendedKeyUsage = critical,timeStamping
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always
[ non_tsa_cert ]
# This is not a CA cert and not a TSA cert, either (timeStamping usage missing)
basicConstraints=CA:FALSE
#----------------------------------------------------------------------
#
# Other Properties for the CA and non-tsa certificates
#
#----------------------------------------------------------------------
# The following key usage flags are needed for TSA server certificates.
keyUsage = nonRepudiation, digitalSignature
# timeStamping is not supported by this certificate
# extendedKeyUsage = critical,timeStamping
# Common properties of all the certificates/CA (CN, OU, etc...)
[ dn_section ]
countryName = FR
stateOrProvinceName = Paris
localityName = Paris
organizationName = UTS-SERVER test
# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always
# CN is passed through environment variable "CN"
commonName = $ENV::CN
[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature
# OpenSSL parameters for certificate requests generation
[ req ]
default_bits = 4096
default_md = sha512
distinguished_name = dn_section
encrypt_rsa_key = no
prompt = no
# The extentions to add to the self signed cert
x509_extensions = v3_ca
[ v3_ca ]
# Extensions for a typical CA
[ v3_ca ]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
basicConstraints = critical,CA:true
keyUsage = cRLSign, keyCertSign
#----------------------------------------------------------------------
[ tsa ]
default_tsa = tsa_config1 # the default TSA section
[ tsa_config1 ]
# These are used by the TSA reply generation only.
dir = . # TSA root directory
serial = $dir/tsa_serial # The current serial number (mandatory)
signer_cert = $dir/tsa_cert1.pem # The TSA signing certificate
# (optional)
certs = $dir/tsaca.pem # Certificate chain to include in reply
# (optional)
signer_key = $dir/tsa_key1.pem # The TSA private key (optional)
default_policy = tsa_policy1 # Policy if request did not specify it
# (optional)
other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional)
digests = md5, sha1 # Acceptable message digests (mandatory)
accuracy = secs:1, millisecs:500, microsecs:100 # (optional)
ordering = yes # Is ordering defined for timestamps?
# (optional, default: no)
tsa_name = yes # Must the TSA name be included in the reply?
# (optional, default: no)
ess_cert_id_chain = yes # Must the ESS cert id chain be included?
# (optional, default: no)
[ tsa_config2 ]
# This configuration uses a certificate which doesn't have timeStamping usage.
# These are used by the TSA reply generation only.
dir = . # TSA root directory
serial = $dir/tsa_serial # The current serial number (mandatory)
signer_cert = $dir/tsa_cert2.pem # The TSA signing certificate
# (optional)
certs = $dir/demoCA/cacert.pem# Certificate chain to include in reply
# (optional)
signer_key = $dir/tsa_key2.pem # The TSA private key (optional)
default_policy = tsa_policy1 # Policy if request did not specify it
# (optional)
other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional)
digests = md5, sha1 # Acceptable message digests (mandatory)

View File

@ -6,7 +6,6 @@ export OPENSSL_CONF="./CAtsa.cnf"
cd `dirname $0`
error () {
echo "TSA test failed!" >&2
exit 1
}
@ -15,24 +14,21 @@ error () {
create_ca () {
echo "Creating a new CA for the TSA tests..."
TSDNSECT=ts_ca_dn
export TSDNSECT
export CN="UTS-SERVER CA"
openssl req -new -x509 -nodes \
-out tsaca.pem -keyout tsacakey.pem
test $? != 0 && error
}
create_tsa_cert () {
INDEX=$1
export INDEX
EXT=$2
TSDNSECT=ts_cert_dn
export TSDNSECT
EXT=$3
INDEX=$2
CN=$1; export CN
openssl req -new \
-out tsa_req${INDEX}.pem -keyout tsa_key${INDEX}.pem
test $? != 0 && error
echo Using extension $EXT
openssl x509 -req \
-in tsa_req${INDEX}.pem -out tsa_cert${INDEX}.pem \
@ -43,7 +39,7 @@ echo Using extension $EXT
create_cert () {
INDEX=$1
INDEX=$2
export INDEX
TSDNSECT=ts_cert_dn
export TSDNSECT
@ -63,12 +59,12 @@ echo "Creating CA for TSA tests..."
create_ca
echo "Creating tsa_cert1.pem TSA server cert..."
create_tsa_cert 1 tsa_cert
create_tsa_cert "TSA CERT 1" 1 tsa_cert
echo "Creating tsa_cert2.pem TSA server cert..."
create_tsa_cert 2 tsa_cert
create_tsa_cert "TSA CERT 2" 2 tsa_cert
echo "Creating ssl_keycerts1.pem for ssl"
create_cert 1
create_cert "uts-server.example.org" 1
exit 0