From fe9c2ee49c95fad3941d46d9e3deb69d6463a5bf Mon Sep 17 00:00:00 2001
From: kakwa
Date: Tue, 20 Jun 2017 19:58:47 +0200
Subject: [PATCH] huge cleanup of the openssl conf + tsa gen script

The OpenSSL configuration used for generating the test CA and test Time-Stamp authority was lazily copied from OpenSSL. There were a lot of useless items in it. Now the configuration is cleaner and only contains what is necessary for the TSA creation.
---
 tests/cfg/pki/CAtsa.cnf | 166 ++++++---------------------------
 tests/cfg/pki/create_tsa_certs | 24 ++---
 2 files changed, 40 insertions(+), 150 deletions(-)

diff --git a/tests/cfg/pki/CAtsa.cnf b/tests/cfg/pki/CAtsa.cnf
index b23536b..7aeca78 100644
--- a/tests/cfg/pki/CAtsa.cnf
+++ b/tests/cfg/pki/CAtsa.cnf
@@ -1,86 +1,17 @@ - -# -# This config is used by the Time Stamp Authority tests. -# - -RANDFILE = ./.rnd - -# Extra OBJECT IDENTIFIER info: -oid_section = new_oids - -TSDNSECT = ts_cert_dn -INDEX = 1 - -[ new_oids ] - -# Policies used by the TSA tests. -tsa_policy1 = 1.2.3.4.1 -tsa_policy2 = 1.2.3.4.5.6 -tsa_policy3 = 1.2.3.4.5.7 - #---------------------------------------------------------------------- -[ ca ] -default_ca = CA_default # The default ca section - -[ CA_default ] - -dir = ./demoCA -certs = $dir/certs # Where the issued certs are kept -database = $dir/index.txt # database index file. -new_certs_dir = $dir/newcerts # default place for new certs. - -certificate = $dir/cacert.pem # The CA certificate -serial = $dir/serial # The current serial number -private_key = $dir/private/cakey.pem# The private key -RANDFILE = $dir/private/.rand # private random number file - -default_days = 365 # how long to certify for -default_md = sha1 # which md to use. -preserve = no # keep passed DN ordering - -policy = policy_match - -# For the CA policy -[ policy_match ] -countryName = supplied -stateOrProvinceName = supplied -organizationName = supplied -organizationalUnitName = optional -commonName = supplied -emailAddress = optional - +# +# Properties needed for a Time-Stamp Authority (TSA) certificates +# #---------------------------------------------------------------------- -[ req ] -default_bits = 4096 -default_md = sha1 -distinguished_name = $ENV::TSDNSECT -encrypt_rsa_key = no -prompt = no -# attributes = req_attributes -x509_extensions = v3_ca # The extentions to add to the self signed cert - -string_mask = nombstr - -[ ts_ca_dn ] -countryName = FR -stateOrProvinceName = Paris -localityName = Paris -organizationName = UTS-SERVER test -commonName = ca1 - -[ ts_cert_dn ] -countryName = FR -stateOrProvinceName = Paris -localityName = Paris -organizationName = UTS-SERVER test -commonName = tsa$ENV::INDEX +# Extensions required to a TSA certificate [ tsa_cert ] -# TSA 
server cert is not a CA cert. +# TSA server cert is not a CA cert, disabling CA role basicConstraints=CA:FALSE -# The following key usage flags are needed for TSA server certificates. +# The following key usage flags are mandatory for TSA server certificates. +# This parameters set the main specificities of a TSA certificate keyUsage = nonRepudiation, digitalSignature extendedKeyUsage = critical,timeStamping 
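Review bot: keyUsage in the `[ tsa_cert ]` section stays non-critical while extendedKeyUsage is marked critical; since the commit is tightening what this file asserts about TSA certificates, marking both is the stricter choice and RFC 5280 recommends it when keyUsage is present: `keyUsage = critical, nonRepudiation, digitalSignature`. The second added comment line, "This parameters set the main specificities of a TSA certificate", is hard to parse; `# These two extensions are what distinguish a TSA certificate from an ordinary end-entity certificate` says the same thing. In the new header, "Extensions required to a TSA certificate" reads better as "Extensions required for a TSA certificate".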
@@ -88,76 +19,39 @@ extendedKeyUsage = critical,timeStamping subjectKeyIdentifier=hash authorityKeyIdentifier=keyid,issuer:always -[ non_tsa_cert ] -# This is not a CA cert and not a TSA cert, either (timeStamping usage missing) -basicConstraints=CA:FALSE +#---------------------------------------------------------------------- +# +# Other Properties for the CA and non-tsa certificates +# +#---------------------------------------------------------------------- -# The following key usage flags are needed for TSA server certificates. -keyUsage = nonRepudiation, digitalSignature -# timeStamping is not supported by this certificate -# extendedKeyUsage = critical,timeStamping +# Common properties of all the certificates/CA (CN, OU, etc...) +[ dn_section ] +countryName = FR +stateOrProvinceName = Paris +localityName = Paris +organizationName = UTS-SERVER test -# PKIX recommendations harmless if included in all certificates. -subjectKeyIdentifier=hash -authorityKeyIdentifier=keyid,issuer:always +# CN is passed through environment variable "CN" +commonName = $ENV::CN -[ v3_req ] -# Extensions to add to a certificate request -basicConstraints = CA:FALSE -keyUsage = nonRepudiation, digitalSignature +# OpenSSL parameters for certificate requests generation +[ req ] +default_bits = 4096 +default_md = sha512 +distinguished_name = dn_section +encrypt_rsa_key = no +prompt = no +# The extentions to add to the self signed cert +x509_extensions = v3_ca -[ v3_ca ] # Extensions for a typical CA +[ v3_ca ] subjectKeyIdentifier=hash authorityKeyIdentifier=keyid:always,issuer:always basicConstraints = critical,CA:true keyUsage = cRLSign, keyCertSign - -#---------------------------------------------------------------------- -[ tsa ] - -default_tsa = tsa_config1 # the default TSA section - -[ tsa_config1 ] - -# These are used by the TSA reply generation only. -dir = . 
# TSA root directory -serial = $dir/tsa_serial # The current serial number (mandatory) -signer_cert = $dir/tsa_cert1.pem # The TSA signing certificate - # (optional) -certs = $dir/tsaca.pem # Certificate chain to include in reply - # (optional) -signer_key = $dir/tsa_key1.pem # The TSA private key (optional) - -default_policy = tsa_policy1 # Policy if request did not specify it - # (optional) -other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional) -digests = md5, sha1 # Acceptable message digests (mandatory) -accuracy = secs:1, millisecs:500, microsecs:100 # (optional) -ordering = yes # Is ordering defined for timestamps? - # (optional, default: no) -tsa_name = yes # Must the TSA name be included in the reply? - # (optional, default: no) -ess_cert_id_chain = yes # Must the ESS cert id chain be included? - # (optional, default: no) - -[ tsa_config2 ] - -# This configuration uses a certificate which doesn't have timeStamping usage. -# These are used by the TSA reply generation only. -dir = . # TSA root directory -serial = $dir/tsa_serial # The current serial number (mandatory) -signer_cert = $dir/tsa_cert2.pem # The TSA signing certificate - # (optional) -certs = $dir/demoCA/cacert.pem# Certificate chain to include in reply - # (optional) -signer_key = $dir/tsa_key2.pem # The TSA private key (optional) - -default_policy = tsa_policy1 # Policy if request did not specify it - # (optional) -other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional) -digests = md5, sha1 # Acceptable message digests (mandatory) diff --git a/tests/cfg/pki/create_tsa_certs b/tests/cfg/pki/create_tsa_certs index e7416ca..9c89710 100755 --- a/tests/cfg/pki/create_tsa_certs +++ b/tests/cfg/pki/create_tsa_certs @@ -6,7 +6,6 @@ export OPENSSL_CONF="./CAtsa.cnf" cd `dirname $0` error () { - echo "TSA test failed!" >&2 exit 1 } 
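Review bot: `commonName = $ENV::CN` in the new `[ dn_section ]` makes every `openssl req` run against this file abort at config load time when CN is not exported, and the comment above it only says where the value comes from; `# openssl req fails at config load time if CN is not set in the environment` would tell the next reader why the generator script exports it before each call. This hunk also removes the `[ tsa ]`, `tsa_config1` and `tsa_config2` sections that `openssl ts -reply` reads, so if any test still produces timestamp replies with OPENSSL_CONF pointing at this file it will now fail with a missing-section error; the commit message says only certificate creation is needed, which is worth confirming against the test runner. Minor: `extentions` in the new `[ req ]` comment should be `extensions`.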
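Review bot: Removing `echo "TSA test failed!" >&2` leaves error() exiting with status 1 and no message of its own, so a failing openssl step in the generator reports nothing beyond openssl's output and the failing call site cannot be told apart from the others. Keeping a message, optionally parameterised so callers can name the step, costs one line before the `exit 1`: `echo "${1:-TSA cert generation failed}" >&2`. The error() body is complete in the hunk.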
@@ -15,25 +14,22 @@ error () {
 create_ca () {
 echo "Creating a new CA for the TSA tests..."
- TSDNSECT=ts_ca_dn
- export TSDNSECT
+ export CN="UTS-SERVER CA"
 openssl req -new -x509 -nodes \
 -out tsaca.pem -keyout tsacakey.pem
 test $? != 0 && error
 }
 create_tsa_cert () {
-
- INDEX=$1
- export INDEX
- EXT=$2
- TSDNSECT=ts_cert_dn
- export TSDNSECT
+ EXT=$3
+ INDEX=$2
+ CN=$1; export CN
 openssl req -new \
 -out tsa_req${INDEX}.pem -keyout tsa_key${INDEX}.pem
 test $? != 0 && error
-echo Using extension $EXT
+
+ echo Using extension $EXT
 openssl x509 -req \
 -in tsa_req${INDEX}.pem -out tsa_cert${INDEX}.pem \
 -CA tsaca.pem -CAkey tsacakey.pem -CAcreateserial \
@@ -43,7 +39,7 @@ echo Using extension $EXT
 create_cert () {
- INDEX=$1
+ INDEX=$2
 export INDEX
 TSDNSECT=ts_cert_dn
 export TSDNSECT
@@ -63,12 +59,12 @@ echo "Creating CA for TSA tests..."
 create_ca
 echo "Creating tsa_cert1.pem TSA server cert..."
-create_tsa_cert 1 tsa_cert
+create_tsa_cert "TSA CERT 1" 1 tsa_cert
 echo "Creating tsa_cert2.pem TSA server cert..."
-create_tsa_cert 2 tsa_cert
+create_tsa_cert "TSA CERT 2" 2 tsa_cert
 echo "Creating ssl_keycerts1.pem for ssl"
-create_cert 1
+create_cert "uts-server.example.org" 1
 exit 0
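Review bot: create_tsa_cert now takes three positional parameters but nothing checks that all three were supplied; a call with a missing argument sets CN and INDEX to empty strings, so the request gets an empty commonName through `$ENV::CN` and the output files become `tsa_req.pem`/`tsa_key.pem` with no index suffix, silently overwriting each other across calls. A one-line guard at the top of the function, `test $# -eq 3 || error`, catches that. As a point of style, `CN=$1; export CN` sits next to create_ca's `export CN="UTS-SERVER CA"`; using one form in both functions would read better. create_tsa_cert's body continues past the hunk, where EXT is presumably consumed.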
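Review bot: create_cert now receives the CN as `$1` (the call site passes "uts-server.example.org") but the visible lines never export it: the hunk only changes `INDEX=$1` to `INDEX=$2`, so the config's `commonName = $ENV::CN` will pick up whatever the last create_tsa_cert call exported ("TSA CERT 2") unless `CN=$1; export CN` is added somewhere outside the hunk. The `TSDNSECT=ts_cert_dn`, `export TSDNSECT` and `export INDEX` lines kept as context refer to a section and variables the new CAtsa.cnf no longer reads, so they are dead and could be dropped in the same change. create_cert's body continues past the hunk.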