ca-spkac.sh
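#!/bin/sh
#
# ca-spkac.sh
#
# Drives the Netscape SPKAC workflow (spkac -> ca -spkac -> x509 -> nseq)
# against a locally built openssl binary from ../apps.  Every file this
# script creates goes under ./test_ca_spkac (see ssldir below).
#
# Prefer the Windows build of the binary when it is present next to the
# POSIX one.
openssl_bin=../apps/openssl
if [ -e ../apps/openssl.exe ]; then
  openssl_bin=../apps/openssl.exe
fi
# mingw=1 on an MSYS/MinGW shell; further down the CA subject is spelled
# differently there, presumably to stop the shell rewriting "/C=..." as a
# Windows path.
if uname -s | grep -q 'MINGW'; then
  mingw=1
else
  mingw=0
fi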
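#######################################
# Print a section banner with a timestamp.
# Arguments: $1 - section title
# Outputs:   banner to stdout
#######################################
section_message() {
  printf '\n'
  printf '%s\n' "#---------#---------#---------#---------#---------#---------#---------#--------"
  printf '===\n'
  printf '=== (Section) %s %s\n' "$1" "$(date +'%Y/%m/%d %H:%M:%S')"
  printf '===\n'
}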
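#######################################
# Print a "[TEST] ..." header for one step.
# Arguments: $1 - step description
# Outputs:   header to stdout
#######################################
start_message() {
  printf '\n[TEST] %s\n' "$1"
}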
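#######################################
# Abort the script when the previous command failed.
# Globals:   status (written)
# Arguments: $1 - exit status to check (normally "$?")
#            $2 - optional label printed before the success marker
# Outputs:   success line to stdout; error line to stderr
# Returns:   0 on success; exits the script with $1 otherwise
#######################################
check_exit_status() {
  status=$1
  if [ "$status" -ne 0 ]; then
    printf ':-< error occurs, exit status = [ %s ]\n' "$status" >&2
    exit "$status"
  fi
  # Keep the original "label :-) success. " layout (no label -> no space).
  printf '%s\n' "${2:+$2 }:-) success. "
}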
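#---------#---------#---------#---------#---------#---------#---------#---------
#
# create ssldir; every file generated by this script goes under this dir.
# A leftover from a previous run is removed first so the CA state files
# created below start fresh.
#
ssldir="test_ca_spkac"
if [ -d "$ssldir" ]; then
  echo "directory [ $ssldir ] exists, this script deletes this directory ..."
  # ":?" aborts instead of running "rm -rf" against an empty path.
  rm -rf -- "${ssldir:?}"
fi
mkdir -p "$ssldir"
# openssl reads its config from OPENSSL_CONF; the file is filled in later.
export OPENSSL_CONF="$ssldir/openssl.cnf"
touch "$OPENSSL_CONF"
key_dir=$ssldir/key
mkdir -p "$key_dir"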
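#---------#---------#---------#---------#---------#---------#---------#---------
section_message "generate RSA key"
# RSA by GENPKEY.  This is the key the "server admin" later wraps in an
# SPKAC.  NOTE(review): public exponent 3 is a legacy choice, presumably
# kept to exercise the rsa_keygen_pubexp option; do not copy it for real
# keys (65537 is the usual default).
genpkey_rsa=$key_dir/genpkey_rsa.pem
"$openssl_bin" genpkey -algorithm RSA -out "$genpkey_rsa" \
  -pkeyopt rsa_keygen_bits:2048 -pkeyopt rsa_keygen_pubexp:3
check_exit_status $?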
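#---------#---------#---------#---------#---------#---------#---------#---------
section_message "setup local CA"
#
# prepare test openssl.cnf
#
# Written to the file OPENSSL_CONF points at, so every openssl call below
# uses it.  "\$dir" is escaped so openssl, not the shell, expands it;
# "$ca_dir" is expanded here.  The new_oids section is not referenced by
# any command in this script.  policy_match requires C/ST/O of a request
# to equal the CA certificate's, which is why the CA subject and the SPKAC
# request below use the same values.  Certificates are valid for one day.
#
ca_dir=$ssldir/testCA
server_dir=$ssldir/server
cat << __EOF__ > "$ssldir/openssl.cnf"
oid_section = new_oids
[ new_oids ]
tsa_policy1 = 1.2.3.4.1
tsa_policy2 = 1.2.3.4.5.6
tsa_policy3 = 1.2.3.4.5.7
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = ./$ca_dir
crl_dir = \$dir/crl
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
crlnumber = \$dir/crlnumber
default_days = 1
default_md = default
policy = policy_match
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ req ]
distinguished_name = req_distinguished_name
[ req_distinguished_name ]
countryName = Country Name
countryName_default = JP
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name
stateOrProvinceName_default = Tokyo
organizationName = Organization Name
organizationName_default = TEST_DUMMY_COMPANY
commonName = Common Name
__EOF__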
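#---------#---------#---------#---------#---------#---------#---------#---------
#
# setup test CA: the directories and state files that [ CA_default ] in
# the generated openssl.cnf points at, plus the server working dir.
#
mkdir -p "$ca_dir" "$server_dir" \
  "$ca_dir/certs" "$ca_dir/private" "$ca_dir/crl" "$ca_dir/newcerts"
# The CA private key is written under private/; keep it owner-only.
chmod 700 "$ca_dir/private"
# Next certificate serial and CRL number both start at 01; index.txt is
# the initially empty certificate database.
echo "01" > "$ca_dir/serial"
touch "$ca_dir/index.txt"
echo "01" > "$ca_dir/crlnumber"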
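#---------#---------#---------#---------#---------#---------#---------#---------
# --- CA initiate (generate CA key and cert) ---
start_message "req ... generate CA key and self signed cert"
ca_cert=$ca_dir/ca_cert.pem
ca_key=$ca_dir/private/ca_key.pem
# Test-only passphrase.  It is passed on the command line (-passout here,
# -key for "openssl ca" later), so it is visible to other local users via
# ps; acceptable for a throwaway test CA only.
ca_pass=test-ca-pass
# C/ST/O must equal the values in the SPKAC request below because
# openssl.cnf's policy_match requires them to match.
if [ "$mingw" = 0 ]; then
  subj='/C=JP/ST=Tokyo/O=TEST_DUMMY_COMPANY/CN=testCA.test_dummy.com/'
else
  # MSYS spelling; presumably avoids the shell rewriting "/C=..." as a
  # Windows path.
  subj='//C=JP\ST=Tokyo\O=TEST_DUMMY_COMPANY\CN=testCA.test_dummy.com\'
fi
"$openssl_bin" req -new -x509 -newkey rsa:2048 -out "$ca_cert" -keyout "$ca_key" \
  -days 1 -passout "pass:$ca_pass" -batch -subj "$subj"
check_exit_status $?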
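#---------#---------#---------#---------#---------#---------#---------#---------
# --- Netscape SPKAC operations ---
section_message "Netscape SPKAC operations"
# server-admin generates SPKAC from the genpkey RSA key.
start_message "spkac"
spkacfile=$server_dir/spkac.file
"$openssl_bin" spkac -key "$genpkey_rsa" -challenge hello -out "$spkacfile"
check_exit_status $?
# Verify the SPKAC's own signature before handing it to the CA.
"$openssl_bin" spkac -in "$spkacfile" -verify -out "$spkacfile.out"
check_exit_status $?
# The CA input is the subject (one attribute per line) followed by the
# SPKAC produced above.
spkacreq=$server_dir/spkac.req
cat << __EOF__ > "$spkacreq"
countryName = JP
stateOrProvinceName = Tokyo
organizationName = TEST_DUMMY_COMPANY
commonName = spkac.test_dummy.com
__EOF__
cat -- "$spkacfile" >> "$spkacreq"
# CA signs SPKAC
start_message "ca ... CA signs SPKAC csr"
spkaccert=$server_dir/spkac.cert
"$openssl_bin" ca -batch -cert "$ca_cert" -keyfile "$ca_key" -key "$ca_pass" \
  -spkac "$spkacreq" -out "$spkaccert"
check_exit_status $?
# NOTE(review): this assumes "ca -spkac" wrote DER.  If the build writes
# PEM instead, this step fails with "unable to load certificate ... not
# enough data" (that symptom is in the failure log on this page).
start_message "x509 ... convert DER format SPKAC cert to PEM"
spkacpem=$server_dir/spkac.pem
"$openssl_bin" x509 -in "$spkaccert" -inform DER -out "$spkacpem" -outform PEM
check_exit_status $?
# parse cert
start_message "asn1parse DER format SPKAC cert"
"$openssl_bin" asn1parse -in "$spkaccert" -inform DER -i
check_exit_status $?
# server-admin cert verify
start_message "nseq"
"$openssl_bin" nseq -in "$spkacpem" -toseq -out "$spkacpem.nseq"
check_exit_status $?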
$ ./ca-spkac.sh | |
directory [ test_ca_spkac ] exists, this script deletes this directory ... | |
#---------#---------#---------#---------#---------#---------#---------#-------- | |
=== | |
=== (Section) generate RSA key 2015/05/26 23:35:06 | |
=== | |
.........................................................+++ | |
..............................................................+++ | |
:-) success. | |
#---------#---------#---------#---------#---------#---------#---------#-------- | |
=== | |
=== (Section) setup local CA 2015/05/26 23:35:06 | |
=== | |
[TEST] req ... generate CA key and self signed cert | |
Generating a 2048 bit RSA private key | |
.........+++ | |
........................+++ | |
writing new private key to 'test_ca_spkac/testCA/private/ca_key.pem' | |
----- | |
:-) success. | |
#---------#---------#---------#---------#---------#---------#---------#-------- | |
=== | |
=== (Section) Netscape SPKAC operations 2015/05/26 23:35:06 | |
=== | |
[TEST] spkac | |
:-) success. | |
Signature OK | |
:-) success. | |
[TEST] ca ... CA signs SPKAC csr | |
Using configuration from test_ca_spkac/openssl.cnf | |
Check that the SPKAC request matches the signature | |
Signature ok | |
The Subject's Distinguished Name is as follows | |
countryName :PRINTABLE:'JP' | |
stateOrProvinceName :ASN.1 12:'Tokyo' | |
organizationName :ASN.1 12:'TEST_DUMMY_COMPANY' | |
commonName :ASN.1 12:'spkac.test_dummy.com' | |
Certificate is to be certified until May 27 14:35:06 2015 GMT (1 days) | |
Write out database with 1 new entries | |
Data Base Updated | |
:-) success. | |
[TEST] x509 ... convert DER format SPKAC cert to PEM | |
:-) success. | |
[TEST] asn1parse DER format SPKAC cert | |
0:d=0 hl=4 l= 805 cons: SEQUENCE | |
4:d=1 hl=4 l= 525 cons: SEQUENCE | |
8:d=2 hl=2 l= 1 prim: INTEGER :01 | |
11:d=2 hl=2 l= 13 cons: SEQUENCE | |
13:d=3 hl=2 l= 9 prim: OBJECT :sha1WithRSAEncryption | |
24:d=3 hl=2 l= 0 prim: NULL | |
26:d=2 hl=2 l= 90 cons: SEQUENCE | |
28:d=3 hl=2 l= 11 cons: SET | |
30:d=4 hl=2 l= 9 cons: SEQUENCE | |
32:d=5 hl=2 l= 3 prim: OBJECT :countryName | |
37:d=5 hl=2 l= 2 prim: PRINTABLESTRING :JP | |
41:d=3 hl=2 l= 14 cons: SET | |
43:d=4 hl=2 l= 12 cons: SEQUENCE | |
45:d=5 hl=2 l= 3 prim: OBJECT :stateOrProvinceName | |
50:d=5 hl=2 l= 5 prim: UTF8STRING :Tokyo | |
57:d=3 hl=2 l= 27 cons: SET | |
59:d=4 hl=2 l= 25 cons: SEQUENCE | |
61:d=5 hl=2 l= 3 prim: OBJECT :organizationName | |
66:d=5 hl=2 l= 18 prim: UTF8STRING :TEST_DUMMY_COMPANY | |
86:d=3 hl=2 l= 30 cons: SET | |
88:d=4 hl=2 l= 28 cons: SEQUENCE | |
90:d=5 hl=2 l= 3 prim: OBJECT :commonName | |
95:d=5 hl=2 l= 21 prim: UTF8STRING :testCA.test_dummy.com | |
118:d=2 hl=2 l= 30 cons: SEQUENCE | |
120:d=3 hl=2 l= 13 prim: UTCTIME :150526143506Z | |
135:d=3 hl=2 l= 13 prim: UTCTIME :150527143506Z | |
150:d=2 hl=2 l= 89 cons: SEQUENCE | |
152:d=3 hl=2 l= 11 cons: SET | |
154:d=4 hl=2 l= 9 cons: SEQUENCE | |
156:d=5 hl=2 l= 3 prim: OBJECT :countryName | |
161:d=5 hl=2 l= 2 prim: PRINTABLESTRING :JP | |
165:d=3 hl=2 l= 14 cons: SET | |
167:d=4 hl=2 l= 12 cons: SEQUENCE | |
169:d=5 hl=2 l= 3 prim: OBJECT :stateOrProvinceName | |
174:d=5 hl=2 l= 5 prim: UTF8STRING :Tokyo | |
181:d=3 hl=2 l= 27 cons: SET | |
183:d=4 hl=2 l= 25 cons: SEQUENCE | |
185:d=5 hl=2 l= 3 prim: OBJECT :organizationName | |
190:d=5 hl=2 l= 18 prim: UTF8STRING :TEST_DUMMY_COMPANY | |
210:d=3 hl=2 l= 29 cons: SET | |
212:d=4 hl=2 l= 27 cons: SEQUENCE | |
214:d=5 hl=2 l= 3 prim: OBJECT :commonName | |
219:d=5 hl=2 l= 20 prim: UTF8STRING :spkac.test_dummy.com | |
241:d=2 hl=4 l= 288 cons: SEQUENCE | |
245:d=3 hl=2 l= 13 cons: SEQUENCE | |
247:d=4 hl=2 l= 9 prim: OBJECT :rsaEncryption | |
258:d=4 hl=2 l= 0 prim: NULL | |
260:d=3 hl=4 l= 269 prim: BIT STRING | |
533:d=1 hl=2 l= 13 cons: SEQUENCE | |
535:d=2 hl=2 l= 9 prim: OBJECT :sha1WithRSAEncryption | |
546:d=2 hl=2 l= 0 prim: NULL | |
548:d=1 hl=4 l= 257 prim: BIT STRING | |
:-) success. | |
[TEST] nseq | |
:-) success. |
... | |
[TEST] x509 ... convert DER format SPKAC cert to PEM | |
unable to load certificate | |
2197282891:error:0D06B08E:asn1 encoding routines:ASN1_D2I_READ_BIO:not enough data:asn1/a_d2i_fp.c:238: | |
:-< error occurs, exit status = [ 1 ] |