kinichiro/ca-spkac.sh

## ca-spkac.sh
#!/bin/sh
#
# ca-spkac.sh
#

openssl_bin=../apps/openssl
if [ -e ../apps/openssl.exe ]; then
    openssl_bin=../apps/openssl.exe
fi

uname_s=`uname -s | grep 'MINGW'`
if [ "$uname_s" = "" ] ; then
    mingw=0
else
    mingw=1
fi

function section_message {
    echo ""
    echo "#---------#---------#---------#---------#---------#---------#---------#--------"
    echo "==="
    echo "=== (Section) $1 `date +'%Y/%m/%d %H:%M:%S'`"
    echo "==="
}

function start_message {
    echo ""
    echo "[TEST] $1"
}

function check_exit_status {
    status=$1
    if [ $status -ne 0 ] ; then
        echo ":-< error occurs, exit status = [ $status ]"
        exit $status
    else
        echo $2 ":-) success. "
    fi
}

#---------#---------#---------#---------#---------#---------#---------#---------

#
# create ssldir, and all files generated by this script goes under this dir.
#
ssldir="test_ca_spkac"

if [ -d $ssldir ] ; then
    echo "directory [ $ssldir ] exists, this script deletes this directory ..."
    /bin/rm -rf $ssldir
fi

mkdir -p $ssldir

export OPENSSL_CONF=$ssldir/openssl.cnf
touch $OPENSSL_CONF

key_dir=$ssldir/key
mkdir -p $key_dir

#---------#---------#---------#---------#---------#---------#---------#---------

section_message "generate RSA key"

# RSA by GENPKEY

genpkey_rsa=$key_dir/genpkey_rsa.pem
$openssl_bin genpkey -algorithm RSA -out $genpkey_rsa \
    -pkeyopt rsa_keygen_bits:2048 -pkeyopt rsa_keygen_pubexp:3
check_exit_status $?

#---------#---------#---------#---------#---------#---------#---------#---------

section_message "setup local CA"

#
# prepare test openssl.cnf
#

ca_dir=$ssldir/testCA
server_dir=$ssldir/server

cat << __EOF__ > $ssldir/openssl.cnf
oid_section             = new_oids
[ new_oids ]
tsa_policy1 = 1.2.3.4.1
tsa_policy2 = 1.2.3.4.5.6
tsa_policy3 = 1.2.3.4.5.7
[ ca ]
default_ca    = CA_default
[ CA_default ]
dir           = ./$ca_dir
crl_dir       = \$dir/crl
database      = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial        = \$dir/serial
crlnumber     = \$dir/crlnumber
default_days  = 1
default_md    = default
policy        = policy_match
[ policy_match ]
countryName             = match
stateOrProvinceName     = match
organizationName        = match
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional
[ req ]
distinguished_name      = req_distinguished_name
[ req_distinguished_name ]
countryName                     = Country Name
countryName_default             = JP
countryName_min                 = 2
countryName_max                 = 2
stateOrProvinceName             = State or Province Name
stateOrProvinceName_default     = Tokyo
organizationName                = Organization Name
organizationName_default        = TEST_DUMMY_COMPANY
commonName                      = Common Name
__EOF__

#---------#---------#---------#---------#---------#---------#---------#---------

#
# setup test CA
#

mkdir -p $ca_dir
mkdir -p $server_dir

mkdir -p $ca_dir/certs
mkdir -p $ca_dir/private
mkdir -p $ca_dir/crl
mkdir -p $ca_dir/newcerts
chmod 700 $ca_dir/private
echo "01" > $ca_dir/serial
touch $ca_dir/index.txt
touch $ca_dir/crlnumber
echo "01" > $ca_dir/crlnumber

#---------#---------#---------#---------#---------#---------#---------#---------

# --- CA initiate (generate CA key and cert) ---

start_message "req ... generate CA key and self signed cert"

ca_cert=$ca_dir/ca_cert.pem
ca_key=$ca_dir/private/ca_key.pem ca_pass=test-ca-pass

if [ $mingw = 0 ] ; then
    subj='/C=JP/ST=Tokyo/O=TEST_DUMMY_COMPANY/CN=testCA.test_dummy.com/'
else
    subj='//C=JP\ST=Tokyo\O=TEST_DUMMY_COMPANY\CN=testCA.test_dummy.com\'
fi

$openssl_bin req -new -x509 -newkey rsa:2048 -out $ca_cert -keyout $ca_key \
    -days 1 -passout pass:$ca_pass -batch -subj $subj
check_exit_status $?

#---------#---------#---------#---------#---------#---------#---------#---------

# --- Netscape SPKAC operations ---
section_message "Netscape SPKAC operations"

# server-admin generates SPKAC

start_message "spkac"
spkacfile=$server_dir/spkac.file

$openssl_bin spkac -key $genpkey_rsa -challenge hello -out $spkacfile
check_exit_status $?

$openssl_bin spkac -in $spkacfile -verify -out $spkacfile.out
check_exit_status $?

spkacreq=$server_dir/spkac.req
cat << __EOF__ > $spkacreq
countryName = JP
stateOrProvinceName = Tokyo
organizationName = TEST_DUMMY_COMPANY
commonName = spkac.test_dummy.com
__EOF__
cat $spkacfile >> $spkacreq

# CA signs SPKAC
start_message "ca ... CA signs SPKAC csr"
spkaccert=$server_dir/spkac.cert
$openssl_bin ca -batch -cert $ca_cert -keyfile $ca_key -key $ca_pass \
    -spkac $spkacreq -out $spkaccert
check_exit_status $?

start_message "x509 ... convert DER format SPKAC cert to PEM"
spkacpem=$server_dir/spkac.pem
$openssl_bin x509 -in $spkaccert -inform DER -out $spkacpem -outform PEM
check_exit_status $?

# parse cert

start_message "asn1parse DER format SPKAC cert"
$openssl_bin asn1parse -in $spkaccert -inform DER -i
check_exit_status $?

# server-admin cert verify

start_message "nseq"
$openssl_bin nseq -in $spkacpem -toseq -out $spkacpem.nseq
check_exit_status $?

## cygwin64.log
$ ./ca-spkac.sh
directory [ test_ca_spkac ] exists, this script deletes this directory ...

#---------#---------#---------#---------#---------#---------#---------#--------
===
=== (Section) generate RSA key 2015/05/26 23:35:06
===
.........................................................+++
..............................................................+++
:-) success.

#---------#---------#---------#---------#---------#---------#---------#--------
===
=== (Section) setup local CA 2015/05/26 23:35:06
===

[TEST] req ... generate CA key and self signed cert
Generating a 2048 bit RSA private key
.........+++
........................+++
writing new private key to 'test_ca_spkac/testCA/private/ca_key.pem'
-----
:-) success.

#---------#---------#---------#---------#---------#---------#---------#--------
===
=== (Section) Netscape SPKAC operations 2015/05/26 23:35:06
===

[TEST] spkac
:-) success.
Signature OK
:-) success.

[TEST] ca ... CA signs SPKAC csr
Using configuration from test_ca_spkac/openssl.cnf
Check that the SPKAC request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'JP'
stateOrProvinceName   :ASN.1 12:'Tokyo'
organizationName      :ASN.1 12:'TEST_DUMMY_COMPANY'
commonName            :ASN.1 12:'spkac.test_dummy.com'
Certificate is to be certified until May 27 14:35:06 2015 GMT (1 days)

Write out database with 1 new entries
Data Base Updated
:-) success.

[TEST] x509 ... convert DER format SPKAC cert to PEM
:-) success.

[TEST] asn1parse DER format SPKAC cert
    0:d=0  hl=4 l= 805 cons: SEQUENCE
    4:d=1  hl=4 l= 525 cons:  SEQUENCE
    8:d=2  hl=2 l=   1 prim:   INTEGER           :01
   11:d=2  hl=2 l=  13 cons:   SEQUENCE
   13:d=3  hl=2 l=   9 prim:    OBJECT            :sha1WithRSAEncryption
   24:d=3  hl=2 l=   0 prim:    NULL
   26:d=2  hl=2 l=  90 cons:   SEQUENCE
   28:d=3  hl=2 l=  11 cons:    SET
   30:d=4  hl=2 l=   9 cons:     SEQUENCE
   32:d=5  hl=2 l=   3 prim:      OBJECT            :countryName
   37:d=5  hl=2 l=   2 prim:      PRINTABLESTRING   :JP
   41:d=3  hl=2 l=  14 cons:    SET
   43:d=4  hl=2 l=  12 cons:     SEQUENCE
   45:d=5  hl=2 l=   3 prim:      OBJECT            :stateOrProvinceName
   50:d=5  hl=2 l=   5 prim:      UTF8STRING        :Tokyo
   57:d=3  hl=2 l=  27 cons:    SET
   59:d=4  hl=2 l=  25 cons:     SEQUENCE
   61:d=5  hl=2 l=   3 prim:      OBJECT            :organizationName
   66:d=5  hl=2 l=  18 prim:      UTF8STRING        :TEST_DUMMY_COMPANY
   86:d=3  hl=2 l=  30 cons:    SET
   88:d=4  hl=2 l=  28 cons:     SEQUENCE
   90:d=5  hl=2 l=   3 prim:      OBJECT            :commonName
   95:d=5  hl=2 l=  21 prim:      UTF8STRING        :testCA.test_dummy.com
  118:d=2  hl=2 l=  30 cons:   SEQUENCE
  120:d=3  hl=2 l=  13 prim:    UTCTIME           :150526143506Z
  135:d=3  hl=2 l=  13 prim:    UTCTIME           :150527143506Z
  150:d=2  hl=2 l=  89 cons:   SEQUENCE
  152:d=3  hl=2 l=  11 cons:    SET
  154:d=4  hl=2 l=   9 cons:     SEQUENCE
  156:d=5  hl=2 l=   3 prim:      OBJECT            :countryName
  161:d=5  hl=2 l=   2 prim:      PRINTABLESTRING   :JP
  165:d=3  hl=2 l=  14 cons:    SET
  167:d=4  hl=2 l=  12 cons:     SEQUENCE
  169:d=5  hl=2 l=   3 prim:      OBJECT            :stateOrProvinceName
  174:d=5  hl=2 l=   5 prim:      UTF8STRING        :Tokyo
  181:d=3  hl=2 l=  27 cons:    SET
  183:d=4  hl=2 l=  25 cons:     SEQUENCE
  185:d=5  hl=2 l=   3 prim:      OBJECT            :organizationName
  190:d=5  hl=2 l=  18 prim:      UTF8STRING        :TEST_DUMMY_COMPANY
  210:d=3  hl=2 l=  29 cons:    SET
  212:d=4  hl=2 l=  27 cons:     SEQUENCE
  214:d=5  hl=2 l=   3 prim:      OBJECT            :commonName
  219:d=5  hl=2 l=  20 prim:      UTF8STRING        :spkac.test_dummy.com
  241:d=2  hl=4 l= 288 cons:   SEQUENCE
  245:d=3  hl=2 l=  13 cons:    SEQUENCE
  247:d=4  hl=2 l=   9 prim:     OBJECT            :rsaEncryption
  258:d=4  hl=2 l=   0 prim:     NULL
  260:d=3  hl=4 l= 269 prim:    BIT STRING
  533:d=1  hl=2 l=  13 cons:  SEQUENCE
  535:d=2  hl=2 l=   9 prim:   OBJECT            :sha1WithRSAEncryption
  546:d=2  hl=2 l=   0 prim:   NULL
  548:d=1  hl=4 l= 257 prim:  BIT STRING
:-) success.

[TEST] nseq
:-) success.

## mingw64.log
...
[TEST] x509 ... convert DER format SPKAC cert to PEM
unable to load certificate
2197282891:error:0D06B08E:asn1 encoding routines:ASN1_D2I_READ_BIO:not enough data:asn1/a_d2i_fp.c:238:
:-< error occurs, exit status = [ 1 ]
	#!/bin/sh
	#
	# ca-spkac.sh
	#

	openssl_bin=../apps/openssl
	if [ -e ../apps/openssl.exe ]; then
	openssl_bin=../apps/openssl.exe
	fi

	uname_s=`uname -s \| grep 'MINGW'`
	if [ "$uname_s" = "" ] ; then
	mingw=0
	else
	mingw=1
	fi

	function section_message {
	echo ""
	echo "#---------#---------#---------#---------#---------#---------#---------#--------"
	echo "==="
	echo "=== (Section) $1 `date +'%Y/%m/%d %H:%M:%S'`"
	echo "==="
	}

	function start_message {
	echo ""
	echo "[TEST] $1"
	}

	function check_exit_status {
	status=$1
	if [ $status -ne 0 ] ; then
	echo ":-< error occurs, exit status = [ $status ]"
	exit $status
	else
	echo $2 ":-) success. "
	fi
	}

	#---------#---------#---------#---------#---------#---------#---------#---------

	#
	# create ssldir, and all files generated by this script goes under this dir.
	#
	ssldir="test_ca_spkac"

	if [ -d $ssldir ] ; then
	echo "directory [ $ssldir ] exists, this script deletes this directory ..."
	/bin/rm -rf $ssldir
	fi

	mkdir -p $ssldir

	export OPENSSL_CONF=$ssldir/openssl.cnf
	touch $OPENSSL_CONF

	key_dir=$ssldir/key
	mkdir -p $key_dir

	#---------#---------#---------#---------#---------#---------#---------#---------

	section_message "generate RSA key"

	# RSA by GENPKEY

	genpkey_rsa=$key_dir/genpkey_rsa.pem
	$openssl_bin genpkey -algorithm RSA -out $genpkey_rsa \
	-pkeyopt rsa_keygen_bits:2048 -pkeyopt rsa_keygen_pubexp:3
	check_exit_status $?

	#---------#---------#---------#---------#---------#---------#---------#---------

	section_message "setup local CA"

	#
	# prepare test openssl.cnf
	#

	ca_dir=$ssldir/testCA
	server_dir=$ssldir/server

	cat << __EOF__ > $ssldir/openssl.cnf
	oid_section = new_oids
	[ new_oids ]
	tsa_policy1 = 1.2.3.4.1
	tsa_policy2 = 1.2.3.4.5.6
	tsa_policy3 = 1.2.3.4.5.7
	[ ca ]
	default_ca = CA_default
	[ CA_default ]
	dir = ./$ca_dir
	crl_dir = \$dir/crl
	database = \$dir/index.txt
	new_certs_dir = \$dir/newcerts
	serial = \$dir/serial
	crlnumber = \$dir/crlnumber
	default_days = 1
	default_md = default
	policy = policy_match
	[ policy_match ]
	countryName = match
	stateOrProvinceName = match
	organizationName = match
	organizationalUnitName = optional
	commonName = supplied
	emailAddress = optional
	[ req ]
	distinguished_name = req_distinguished_name
	[ req_distinguished_name ]
	countryName = Country Name
	countryName_default = JP
	countryName_min = 2
	countryName_max = 2
	stateOrProvinceName = State or Province Name
	stateOrProvinceName_default = Tokyo
	organizationName = Organization Name
	organizationName_default = TEST_DUMMY_COMPANY
	commonName = Common Name
	__EOF__

	#---------#---------#---------#---------#---------#---------#---------#---------

	#
	# setup test CA
	#

	mkdir -p $ca_dir
	mkdir -p $server_dir

	mkdir -p $ca_dir/certs
	mkdir -p $ca_dir/private
	mkdir -p $ca_dir/crl
	mkdir -p $ca_dir/newcerts
	chmod 700 $ca_dir/private
	echo "01" > $ca_dir/serial
	touch $ca_dir/index.txt
	touch $ca_dir/crlnumber
	echo "01" > $ca_dir/crlnumber

	#---------#---------#---------#---------#---------#---------#---------#---------

	# --- CA initiate (generate CA key and cert) ---

	start_message "req ... generate CA key and self signed cert"

	ca_cert=$ca_dir/ca_cert.pem
	ca_key=$ca_dir/private/ca_key.pem ca_pass=test-ca-pass

	if [ $mingw = 0 ] ; then
	subj='/C=JP/ST=Tokyo/O=TEST_DUMMY_COMPANY/CN=testCA.test_dummy.com/'
	else
	subj='//C=JP\ST=Tokyo\O=TEST_DUMMY_COMPANY\CN=testCA.test_dummy.com\'
	fi

	$openssl_bin req -new -x509 -newkey rsa:2048 -out $ca_cert -keyout $ca_key \
	-days 1 -passout pass:$ca_pass -batch -subj $subj
	check_exit_status $?

	#---------#---------#---------#---------#---------#---------#---------#---------

	# --- Netscape SPKAC operations ---
	section_message "Netscape SPKAC operations"

	# server-admin generates SPKAC

	start_message "spkac"
	spkacfile=$server_dir/spkac.file

	$openssl_bin spkac -key $genpkey_rsa -challenge hello -out $spkacfile
	check_exit_status $?

	$openssl_bin spkac -in $spkacfile -verify -out $spkacfile.out
	check_exit_status $?

	spkacreq=$server_dir/spkac.req
	cat << __EOF__ > $spkacreq
	countryName = JP
	stateOrProvinceName = Tokyo
	organizationName = TEST_DUMMY_COMPANY
	commonName = spkac.test_dummy.com
	__EOF__
	cat $spkacfile >> $spkacreq

	# CA signs SPKAC
	start_message "ca ... CA signs SPKAC csr"
	spkaccert=$server_dir/spkac.cert
	$openssl_bin ca -batch -cert $ca_cert -keyfile $ca_key -key $ca_pass \
	-spkac $spkacreq -out $spkaccert
	check_exit_status $?

	start_message "x509 ... convert DER format SPKAC cert to PEM"
	spkacpem=$server_dir/spkac.pem
	$openssl_bin x509 -in $spkaccert -inform DER -out $spkacpem -outform PEM
	check_exit_status $?

	# parse cert

	start_message "asn1parse DER format SPKAC cert"
	$openssl_bin asn1parse -in $spkaccert -inform DER -i
	check_exit_status $?

	# server-admin cert verify

	start_message "nseq"
	$openssl_bin nseq -in $spkacpem -toseq -out $spkacpem.nseq
	check_exit_status $?
	$ ./ca-spkac.sh
	directory [ test_ca_spkac ] exists, this script deletes this directory ...

	#---------#---------#---------#---------#---------#---------#---------#--------
	===
	=== (Section) generate RSA key 2015/05/26 23:35:06
	===
	.........................................................+++
	..............................................................+++
	:-) success.

	#---------#---------#---------#---------#---------#---------#---------#--------
	===
	=== (Section) setup local CA 2015/05/26 23:35:06
	===

	[TEST] req ... generate CA key and self signed cert
	Generating a 2048 bit RSA private key
	.........+++
	........................+++
	writing new private key to 'test_ca_spkac/testCA/private/ca_key.pem'
	-----
	:-) success.

	#---------#---------#---------#---------#---------#---------#---------#--------
	===
	=== (Section) Netscape SPKAC operations 2015/05/26 23:35:06
	===

	[TEST] spkac
	:-) success.
	Signature OK
	:-) success.

	[TEST] ca ... CA signs SPKAC csr
	Using configuration from test_ca_spkac/openssl.cnf
	Check that the SPKAC request matches the signature
	Signature ok
	The Subject's Distinguished Name is as follows
	countryName :PRINTABLE:'JP'
	stateOrProvinceName :ASN.1 12:'Tokyo'
	organizationName :ASN.1 12:'TEST_DUMMY_COMPANY'
	commonName :ASN.1 12:'spkac.test_dummy.com'
	Certificate is to be certified until May 27 14:35:06 2015 GMT (1 days)

	Write out database with 1 new entries
	Data Base Updated
	:-) success.

	[TEST] x509 ... convert DER format SPKAC cert to PEM
	:-) success.

	[TEST] asn1parse DER format SPKAC cert
	0:d=0 hl=4 l= 805 cons: SEQUENCE
	4:d=1 hl=4 l= 525 cons: SEQUENCE
	8:d=2 hl=2 l= 1 prim: INTEGER :01
	11:d=2 hl=2 l= 13 cons: SEQUENCE
	13:d=3 hl=2 l= 9 prim: OBJECT :sha1WithRSAEncryption
	24:d=3 hl=2 l= 0 prim: NULL
	26:d=2 hl=2 l= 90 cons: SEQUENCE
	28:d=3 hl=2 l= 11 cons: SET
	30:d=4 hl=2 l= 9 cons: SEQUENCE
	32:d=5 hl=2 l= 3 prim: OBJECT :countryName
	37:d=5 hl=2 l= 2 prim: PRINTABLESTRING :JP
	41:d=3 hl=2 l= 14 cons: SET
	43:d=4 hl=2 l= 12 cons: SEQUENCE
	45:d=5 hl=2 l= 3 prim: OBJECT :stateOrProvinceName
	50:d=5 hl=2 l= 5 prim: UTF8STRING :Tokyo
	57:d=3 hl=2 l= 27 cons: SET
	59:d=4 hl=2 l= 25 cons: SEQUENCE
	61:d=5 hl=2 l= 3 prim: OBJECT :organizationName
	66:d=5 hl=2 l= 18 prim: UTF8STRING :TEST_DUMMY_COMPANY
	86:d=3 hl=2 l= 30 cons: SET
	88:d=4 hl=2 l= 28 cons: SEQUENCE
	90:d=5 hl=2 l= 3 prim: OBJECT :commonName
	95:d=5 hl=2 l= 21 prim: UTF8STRING :testCA.test_dummy.com
	118:d=2 hl=2 l= 30 cons: SEQUENCE
	120:d=3 hl=2 l= 13 prim: UTCTIME :150526143506Z
	135:d=3 hl=2 l= 13 prim: UTCTIME :150527143506Z
	150:d=2 hl=2 l= 89 cons: SEQUENCE
	152:d=3 hl=2 l= 11 cons: SET
	154:d=4 hl=2 l= 9 cons: SEQUENCE
	156:d=5 hl=2 l= 3 prim: OBJECT :countryName
	161:d=5 hl=2 l= 2 prim: PRINTABLESTRING :JP
	165:d=3 hl=2 l= 14 cons: SET
	167:d=4 hl=2 l= 12 cons: SEQUENCE
	169:d=5 hl=2 l= 3 prim: OBJECT :stateOrProvinceName
	174:d=5 hl=2 l= 5 prim: UTF8STRING :Tokyo
	181:d=3 hl=2 l= 27 cons: SET
	183:d=4 hl=2 l= 25 cons: SEQUENCE
	185:d=5 hl=2 l= 3 prim: OBJECT :organizationName
	190:d=5 hl=2 l= 18 prim: UTF8STRING :TEST_DUMMY_COMPANY
	210:d=3 hl=2 l= 29 cons: SET
	212:d=4 hl=2 l= 27 cons: SEQUENCE
	214:d=5 hl=2 l= 3 prim: OBJECT :commonName
	219:d=5 hl=2 l= 20 prim: UTF8STRING :spkac.test_dummy.com
	241:d=2 hl=4 l= 288 cons: SEQUENCE
	245:d=3 hl=2 l= 13 cons: SEQUENCE
	247:d=4 hl=2 l= 9 prim: OBJECT :rsaEncryption
	258:d=4 hl=2 l= 0 prim: NULL
	260:d=3 hl=4 l= 269 prim: BIT STRING
	533:d=1 hl=2 l= 13 cons: SEQUENCE
	535:d=2 hl=2 l= 9 prim: OBJECT :sha1WithRSAEncryption
	546:d=2 hl=2 l= 0 prim: NULL
	548:d=1 hl=4 l= 257 prim: BIT STRING
	:-) success.

	[TEST] nseq
	:-) success.
	...
	[TEST] x509 ... convert DER format SPKAC cert to PEM
	unable to load certificate
	2197282891:error:0D06B08E:asn1 encoding routines:ASN1_D2I_READ_BIO:not enough data:asn1/a_d2i_fp.c:238:
	:-< error occurs, exit status = [ 1 ]