changeset 327:0f43f42669be
Reorganized the contrib/ directory
author | Sebastien Decugis <sdecugis@nict.go.jp> |
---|---|
date | Fri, 28 May 2010 14:09:51 +0900 |
parents | 230158150ac9 |
children | 90294e7e986c |
files | contrib/OpenWRT/HOWTO contrib/PKI/ca_script/Makefile contrib/PKI/ca_script/openssl.cnf contrib/PKI/ca_script2/Makefile contrib/PKI/ca_script2/openssl.cnf contrib/PKI/phpki-0.82.patch contrib/README contrib/ca_script/Makefile contrib/ca_script/openssl.cnf contrib/ca_script2/Makefile contrib/ca_script2/openssl.cnf contrib/phpki-0.82.patch |
diffstat | 11 files changed, 1060 insertions(+), 1025 deletions(-) [+] |
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/contrib/PKI/ca_script/Makefile Fri May 28 14:09:51 2010 +0900 
@@ -0,0 +1,150 @@ +#!/usr/bin/make -s +# +# This file is designed to automatize the CA tasks such as: +# -> init : create the initial CA tree and the CA root certificate. +# -> newcsr: create a new private key and csr. $name and $email must be set. C, ST, L, O, OU may be overwitten (exemple: make newcsr C=FR) +# -> cert : sign a pending CSR and generate the certificate. $name must be provided. +# -> revoke: revoke a certificate. $name must be provided. +# -> gencrl: update/create the CRL. +# +# The file should be located in the directory STATIC_DIR as defined below. +# The DIR directory will contain the data of the CA. It might be placed in /var. +# The DIR should also be configured in openssl.cnf file under [ CA_default ]->dir. +# +# Here are the steps to install the CA scripts in default environment: +## mkdir /etc/openssl-ca.static +## cp Makefile openssl.cnf /etc/openssl-ca.static +# ( configure the default parameters of your CA in /etc/openssl-ca/openssl.cnf ) ## +## mkdir /etc/openssl-ca +## make -f /etc/openssl-ca.static/Makefile destroy force=y +## cd /etc/openssl-ca +## make init +## make help + +DIR = /home/thedoc/testbed.aaa/ca +STATIC_DIR = /home/thedoc/testbed.aaa/ca +CONFIG = -config $(DIR)/openssl.cnf + +#Defaults for new CSR +C = JP +ST = Tokyo +L = Koganei +O = WIDE +OU = "AAA WG" + +#Default lifetime +DAYS = 365 + +#Values for the CA +CA_CN = mgr.testbed.aaa +CA_mail = sdecugis@nict.go.jp + +#Disable "make destroy" +force = + + +# Default: print the help +all: help + +# Help message +help: + @echo "\n\ +Default values (can be overwritten on command-line):\n\ + [C=$(C)] [ST=$(ST)] [L=$(L)] [O=$(O)] [OU=$(OU)]\n\ + [CA_CN=$(CA_CN)] [CA_mail=$(CA_mail)]\n\n\ +Available commands:\n\ + make init\n\ + Creates the initial CA structure in $(DIR)\n\ + make gencrl\n\ + Regenerates the CRL. 
Should be run at least once a month.\n\ + make newcsr name=foo email=b@r [type=ca]\n\ + Create private key and csr in clients subdir (named foo.*)\n\ + make cert name=foo\n\ + Signs the CSR foo.csr and creates the certificate foo.cert.\n\ + make revoke name=foo\n\ + Revokes the certificate foo.cert and regenerates the CRL.\n\ +\n\ +Notes:\n\ + Content from public-www should be available from Internet. \n\ + The URL to CRL should be set in openssl.cnf.\n\ + A cron job should execute make gencrl once a month.\n\ +"; + +# Destroy the CA completly. Use with care. +destroy: + @if [ -z "$(force)" ]; then echo "Restart disabled, use: make destroy force=y"; exit 1; fi + @if [ ! -d $(STATIC_DIR) ]; then echo "Error in setup"; exit 1; fi + @echo "Removing everything (for debug purpose)..." + @rm -rf $(DIR)/* + @ln -sf $(STATIC_DIR)/Makefile $(DIR) + @ln -sf $(STATIC_DIR)/openssl.cnf $(DIR) + + +# Initialize the CA structure and keys. +init: + @if [ -d $(DIR)/private ]; then echo "CA already initialized."; exit 1; fi + @echo "Creating CA structure..." + @mkdir $(DIR)/crl + @mkdir $(DIR)/certs + @mkdir $(DIR)/newcerts + @mkdir $(DIR)/public-www + @mkdir $(DIR)/private + @chmod 700 $(DIR)/private + @mkdir $(DIR)/clients + @mkdir $(DIR)/clients/privkeys + @mkdir $(DIR)/clients/csr + @mkdir $(DIR)/clients/certs + @echo "01" > $(DIR)/serial + @touch $(DIR)/index.txt + @openssl req $(CONFIG) -new -batch -x509 -days 3650 -nodes -newkey rsa:2048 -out $(DIR)/public-www/cacert.pem \ + -keyout $(DIR)/private/cakey.pem -subj /C=$(C)/ST=$(ST)/L=$(L)/O=$(O)/OU=$(OU)/CN=$(CA_CN)/emailAddress=$(CA_mail) + @ln -s $(DIR)/public-www/cacert.pem $(DIR)/certs/`openssl x509 -noout -hash < $(DIR)/public-www/cacert.pem`.0 + @$(MAKE) -f $(DIR)/Makefile gencrl + +# Regenerate the Certificate Revocation List. 
+# This list should be available publicly +gencrl: + @openssl ca $(CONFIG) -gencrl -out $(DIR)/public-www/crl.pem + @ln -sf $(DIR)/public-www/crl.pem $(DIR)/crl/`openssl crl -noout -hash < $(DIR)/public-www/crl.pem`.r0 + +# Create a new private key and a CSR, in case the client does not provide the CSR by another mean. +# Usage is: make newcsr name=peer.client.fqdn email=admin@client.fqdn +newcsr: + @if [ -z "$(name)" -o -z "$(email)" ]; then echo "Please provide certificate name and email address: make newcsr name=mn.nautilus.org email=you@mail.com"; exit 1; fi + @if [ -e $(DIR)/clients/csr/$(name).csr ]; then echo "There is already a pending csr for this name."; exit 1; fi + @if [ ! -e $(DIR)/clients/privkeys/$(name).key.pem ]; \ + then echo "Generating a private key for $(name) ..."; \ + openssl genrsa -out $(DIR)/clients/privkeys/$(name).key.pem 1024; \ + fi; + @echo "Creating the CSR in $(DIR)/clients/csr/$(name).csr"; + @openssl req $(CONFIG) -new -batch -out $(DIR)/clients/csr/$(name).csr \ + -key $(DIR)/clients/privkeys/$(name).key.pem \ + -subj /C=$(C)/ST=$(ST)/L=$(L)/O=$(O)/OU=$(OU)/CN=$(name)/emailAddress=$(email) + +# Process a CSR to create a x509 certificate. The certificate is valid for 1 year. +# It should be sent to the client by any mean. +cert: + @if [ -z "$(name)" ]; then echo "name must be provided: make cert name=mn.n6.org"; exit 1; fi + @if [ ! -e $(DIR)/clients/csr/$(name).csr ]; then echo "Could not find CSR in $(DIR)/clients/csr/$(name).csr."; exit 1; fi + @if [ -e $(DIR)/clients/certs/$(name).cert ]; \ + then echo "Revoking old certificate..."; \ + $(MAKE) revoke name=$(name); \ + fi; + @openssl ca $(CONFIG) -in $(DIR)/clients/csr/$(name).csr \ + -out $(DIR)/clients/certs/$(name).cert \ + -days $(DAYS) \ + -batch + @ln -s $(DIR)/clients/certs/$(name).cert $(DIR)/certs/`openssl x509 -noout -hash < $(DIR)/clients/certs/$(name).cert`.0 + +# Revoke a certificate. 
+revoke: + @if [ -z "$(name)" ]; then echo "name must be provided: make revoke name=mn.n6.org"; exit 1; fi + @if [ ! -e $(DIR)/clients/certs/$(name).cert ]; \ + then echo "$(DIR)/clients/certs/$(name).cert not found"; \ + exit 1; \ + fi; + @openssl ca $(CONFIG) -revoke $(DIR)/clients/certs/$(name).cert; + @rm -f $(DIR)/certs/`openssl x509 -noout -hash < $(DIR)/clients/certs/$(name).cert`.0 + @$(MAKE) gencrl + +# End of file...
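Review bot: `destroy` runs `rm -rf $(DIR)/*` with `DIR` overridable from the command line, so `make destroy force=y DIR=` expands to `rm -rf /*`; add `@$(if $(strip $(DIR)),,$(error DIR is empty))` as the first recipe line, and the same guard is needed for `rm -rf $(DATA_DIR)/*` in contrib/PKI/ca_script2/Makefile. None of the command targets are declared phony, so a stray file named `cert`, `init` or `revoke` in the CA directory silently makes that target "up to date"; add `.PHONY: all help destroy init gencrl newcsr cert revoke`. `newcsr` generates client keys with `openssl genrsa ... 1024` while the CA key is `rsa:2048`; a 1024-bit default is below current guidance and is worth lifting to 2048 or exposing as a variable the way ca_script2 does with `keysize`. `DIR` and `STATIC_DIR` are hard-coded to `/home/thedoc/testbed.aaa/ca` while the header comment and the shipped openssl.cnf (`[ CA_default ] dir = /etc/openssl-ca`) describe `/etc/openssl-ca`, so the defaults as committed are inconsistent with each other.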
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/contrib/PKI/ca_script/openssl.cnf Fri May 28 14:09:51 2010 +0900 
@@ -0,0 +1,315 @@ +# +# OpenSSL example configuration file. +# This is mostly being used for generation of certificate requests. +# + +# This definition stops the following lines choking if HOME isn't +# defined. +HOME = . +RANDFILE = $ENV::HOME/.rnd + +# Extra OBJECT IDENTIFIER info: +#oid_file = $ENV::HOME/.oid +oid_section = new_oids + +# To use this configuration file with the "-extfile" option of the +# "openssl x509" utility, name here the section containing the +# X.509v3 extensions to use: +# extensions = +# (Alternatively, use a configuration file that has only +# X.509v3 extensions in its main [= default] section.) + +[ new_oids ] + +# We can add new OIDs in here for use by 'ca' and 'req'. +# Add a simple OID like this: +# testoid1=1.2.3.4 +# Or use config file substitution like this: +# testoid2=${testoid1}.5.6 + +#################################################################### +[ ca ] +default_ca = CA_default # The default ca section + +#################################################################### +[ CA_default ] + +dir = /etc/openssl-ca # Where everything is kept +certs = $dir/certs # Where the issued certs are kept +crl_dir = $dir/crl # Where the issued crl are kept +database = $dir/index.txt # database index file. +#unique_subject = no # Set to 'no' to allow creation of + # several ctificates with same subject. +new_certs_dir = $dir/newcerts # default place for new certs. + +certificate = $dir/public-www/cacert.pem # The CA certificate +serial = $dir/serial # The current serial number +# crlnumber = $dir/crlnumber # the current crl number + # must be commented out to leave a V1 CRL +crl = $dir/public-www/crl.pem # The current CRL +private_key = $dir/private/cakey.pem# The private key +RANDFILE = $dir/private/.rand # private random number file + +x509_extensions = usr_cert # The extentions to add to the cert + +# Comment out the following two lines for the "traditional" +# (and highly broken) format. 
+name_opt = ca_default # Subject Name options +cert_opt = ca_default # Certificate field options + +# Extension copying option: use with caution. +# copy_extensions = copy + +# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs +# so this is commented out by default to leave a V1 CRL. +# crlnumber must also be commented out to leave a V1 CRL. +# crl_extensions = crl_ext + +default_days = 365 # how long to certify for +default_crl_days= 30 # how long before next CRL +default_md = sha1 # which md to use. +preserve = no # keep passed DN ordering + +# A few difference way of specifying how similar the request should look +# For type CA, the listed attributes must be the same, and the optional +# and supplied fields are just that :-) +# policy = policy_match +policy = policy_anything + +# For the CA policy +[ policy_match ] +countryName = match +stateOrProvinceName = match +organizationName = match +organizationalUnitName = optional +commonName = supplied +emailAddress = optional + +# For the 'anything' policy +# At this point in time, you must list all acceptable 'object' +# types. +[ policy_anything ] +countryName = optional +stateOrProvinceName = optional +localityName = optional +organizationName = optional +organizationalUnitName = optional +commonName = supplied +emailAddress = optional + +#################################################################### +[ req ] +default_bits = 1024 +default_keyfile = privkey.pem +distinguished_name = req_distinguished_name +attributes = req_attributes +x509_extensions = v3_ca # The extentions to add to the self signed cert + +# Passwords for private keys if not present they will be prompted for +# input_password = fdsecret +# output_password = fdsecret + +# This sets a mask for permitted string types. There are several options. +# default: PrintableString, T61String, BMPString. +# pkix : PrintableString, BMPString. +# utf8only: only UTF8Strings. 
+# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings). +# MASK:XXXX a literal mask value. +# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings +# so use this option with caution! +string_mask = utf8only + +# req_extensions = v3_req # The extensions to add to a certificate request + +[ req_distinguished_name ] +countryName = Country Name (2 letter code) +countryName_default = JP +countryName_min = 2 +countryName_max = 2 + +stateOrProvinceName = State or Province Name (full name) +stateOrProvinceName_default = Tokyo + +localityName = Locality Name (eg, city) +localityName_default = Koganei + +0.organizationName = Organization Name (eg, company) +0.organizationName_default = WIDE + +# we can do this but it is not needed normally :-) +1.organizationName = Second Organization Name (eg, company) +1.organizationName_default = NICT + +organizationalUnitName = Organizational Unit Name (eg, section) +organizationalUnitName_default = AAA WG + +commonName = Common Name (i.e. Diameter Agent hostname) +commonName_max = 64 + +emailAddress = Email Address (i.e. Diameter agent administrator) +emailAddress_max = 64 + +# SET-ex3 = SET extension number 3 + +[ req_attributes ] +challengePassword = A challenge password +challengePassword_min = 0 +challengePassword_max = 20 + +unstructuredName = An optional company name + +[ usr_cert ] + +# These extensions are added when 'ca' signs a request. + +# This goes against PKIX guidelines but some CAs do it and some software +# requires this to avoid interpreting an end user certificate as a CA. + +basicConstraints=CA:FALSE + +# Here are some examples of the usage of nsCertType. If it is omitted +# the certificate can be used for anything *except* object signing. + +# This is OK for an SSL server. +# nsCertType = server + +# For an object signing certificate this would be used. 
+# nsCertType = objsign + +# For normal client use this is typical +# nsCertType = client, email + +# and for everything including object signing: +# nsCertType = client, email, objsign + +# This is typical in keyUsage for a client certificate. +# keyUsage = nonRepudiation, digitalSignature, keyEncipherment + +# This will be displayed in Netscape's comment listbox. +nsComment = "OpenSSL Generated Certificate" + +# PKIX recommendations harmless if included in all certificates. +subjectKeyIdentifier=hash +authorityKeyIdentifier=keyid,issuer + +# This stuff is for subjectAltName and issuerAltname. +# Import the email address. +# subjectAltName=email:copy +# An alternative to produce certificates that aren't +# deprecated according to PKIX. +# subjectAltName=email:move + +# Copy subject details +# issuerAltName=issuer:copy + +#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem +#nsBaseUrl +#nsRevocationUrl +#nsRenewalUrl +#nsCaPolicyUrl +#nsSslServerName + +[ v3_req ] + +# Extensions to add to a certificate request + +basicConstraints = CA:FALSE +keyUsage = nonRepudiation, digitalSignature, keyEncipherment + +[ v3_ca ] + + +# Extensions for a typical CA + + +# PKIX recommendation. + +subjectKeyIdentifier=hash + +authorityKeyIdentifier=keyid:always,issuer:always + +# This is what PKIX recommends but some broken software chokes on critical +# extensions. +#basicConstraints = critical,CA:true +# So we do this instead. +basicConstraints = CA:true + +# Key usage: this is typical for a CA certificate. However since it will +# prevent it being used as an test self-signed certificate it is best +# left out by default. +# keyUsage = cRLSign, keyCertSign + +# Some might want this also +# nsCertType = sslCA, emailCA + +# Include email address in subject alt name: another PKIX recommendation +# subjectAltName=email:copy +# Copy issuer details +# issuerAltName=issuer:copy + +# DER hex encoding of an extension: beware experts only! 
+# obj=DER:02:03 +# Where 'obj' is a standard or added object +# You can even override a supported extension: +# basicConstraints= critical, DER:30:03:01:01:FF + +[ crl_ext ] + +# CRL extensions. +# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL. + +# issuerAltName=issuer:copy +authorityKeyIdentifier=keyid:always,issuer:always + +[ proxy_cert_ext ] +# These extensions should be added when creating a proxy certificate + +# This goes against PKIX guidelines but some CAs do it and some software +# requires this to avoid interpreting an end user certificate as a CA. + +basicConstraints=CA:FALSE + +# Here are some examples of the usage of nsCertType. If it is omitted +# the certificate can be used for anything *except* object signing. + +# This is OK for an SSL server. +# nsCertType = server + +# For an object signing certificate this would be used. +# nsCertType = objsign + +# For normal client use this is typical +# nsCertType = client, email + +# and for everything including object signing: +# nsCertType = client, email, objsign + +# This is typical in keyUsage for a client certificate. +# keyUsage = nonRepudiation, digitalSignature, keyEncipherment + +# This will be displayed in Netscape's comment listbox. +nsComment = "OpenSSL Generated Certificate" + +# PKIX recommendations harmless if included in all certificates. +subjectKeyIdentifier=hash +authorityKeyIdentifier=keyid,issuer:always + +# This stuff is for subjectAltName and issuerAltname. +# Import the email address. +# subjectAltName=email:copy +# An alternative to produce certificates that aren't +# deprecated according to PKIX. +# subjectAltName=email:move + +# Copy subject details +# issuerAltName=issuer:copy + +#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem +#nsBaseUrl +#nsRevocationUrl +#nsRenewalUrl +#nsCaPolicyUrl +#nsSslServerName + +# This really needs to be in place for it to be a proxy certificate. +proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo
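Review bot: `[ CA_default ]` sets `default_md = sha1`, so every certificate and CRL that `openssl ca` signs with this file uses SHA-1, which current TLS clients reject for signatures; change it to `default_md = sha256` (contrib/PKI/ca_script2/openssl.cnf carries the same line and needs the same change). `[ req ] default_bits = 1024` is the same weak-key default; the Makefile's explicit `rsa:2048` and `genrsa ... 1024` arguments override it, but `default_bits = 2048` keeps the file consistent with the CA key. `[ v3_ca ]` leaves `keyUsage = cRLSign, keyCertSign` commented out and `basicConstraints = CA:true` non-critical, following the stock sample's note about broken software; for a CA certificate that TLS peers will validate it is worth enabling both, as ca_script2's `[ ca_cert ]` section already does.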
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/contrib/PKI/ca_script2/Makefile Fri May 28 14:09:51 2010 +0900 
@@ -0,0 +1,156 @@ +#!/usr/bin/make -s +# +# This file is inspired from freeDiameter's contrib/ca_script and +# improved to handle multiple CA in a hierarchical fashion. +# Warning: the directory structure is flat, does not reflect the CA hierarchy + +SCRIPT_DIR = . +DATA_DIR = ./ca_data + +CONFIG = -config $(SCRIPT_DIR)/openssl.cnf +REMAKE = $(MAKE) -f $(SCRIPT_DIR)/Makefile + +#Disable "make destroy" -- overwrite on command line +force = + +#RSA key sizes, can be overwritten on command line +cakeysize = 2048 +keysize = 1024 + +# Save current date +DATE=`date +%Y%m%d-%H%M%S` + +# Default: print the help +all: help + +# Help message +help: + @echo "\n\ +Available commands:\n\ + make init topca=name\n\ + Creates the initial top-level CA structure\n\ + make newca name=newcaname ca=parentca\n\ + Creates a new sub-CA that can be used for certificates later.\n\ + make newcert name=foo ca=parentca\n\ + Create private key and csr, then issue the certificate (named foo.*)\n\ + make revoke name=foo ca=parentca\n\ + Revokes the certificate foo.cert issued by parentca and regenerates the CRL.\n\ + make gencrl ca=caname\n\ + Regenerates the CRL of CA caname. Should be run periodically.\n\ +\n\ +"; + +# Destroy the CA hierarchy completly. Use with care. +destroy: + @if [ -z "$(force)" ]; then echo "Destroy disabled, use: make destroy force=y"; exit 1; fi + @if [ ! -d $(SCRIPT_DIR) ]; then echo "Error in setup"; exit 1; fi + @echo "Removing everything (for debug purpose)..." 
+ @rm -rf $(DATA_DIR)/* + +# Initialize the CA structure +structure: + @if [ -z "$(caname)" ]; then echo "Internal error: caname is missing"; exit 1; fi + @if [ -d $(DATA_DIR)/$(caname) ]; then echo "CA $(caname) already exists."; exit 1; fi + # Creating CA structure + @mkdir -p $(DATA_DIR)/$(caname) + @mkdir $(DATA_DIR)/$(caname)/public + @mkdir $(DATA_DIR)/$(caname)/public/crl + @mkdir $(DATA_DIR)/$(caname)/private + @chmod 700 $(DATA_DIR)/$(caname)/private + @mkdir $(DATA_DIR)/$(caname)/clients + @echo "01" > $(DATA_DIR)/$(caname)/serial + @echo "01" > $(DATA_DIR)/$(caname)/crlnumber + @touch $(DATA_DIR)/$(caname)/index.txt + +# Initialize the top-level CA structure and keys. +init: + @if [ -z "$(topca)" ]; then echo "Please specify the name of the root CA. Ex: make init topca=rootca.testbed.aaa"; exit 1; fi + # Create the folder hierarchy + @$(REMAKE) structure caname=$(topca) + # Generate the self-signed certificate + @CA_ROOT_DIR=$(DATA_DIR)/$(topca) openssl req $(CONFIG) -new -batch -x509 -days 3650 -nodes -newkey rsa:$(cakeysize) -out $(DATA_DIR)/$(topca)/public/cacert.pem \ + -keyout $(DATA_DIR)/$(topca)/private/cakey.pem -extensions ca_cert -subj /CN=$(topca) + @ln -s cacert.pem $(DATA_DIR)/$(topca)/public/`openssl x509 -noout -hash < $(DATA_DIR)/$(topca)/public/cacert.pem`.0 + @touch $(DATA_DIR)/$(topca)/public/cachain.pem + @ln -s ../../$(topca)/public/cacert.pem $(DATA_DIR)/$(topca)/public/caroot.pem + @$(REMAKE) gencrl ca=$(topca) + +# Create a secondary CA +newca: + @if [ -z "$(name)" -o -z "$(ca)" ]; then echo "Missing parameter. Ex: make newca name=subca.testbed.aaa ca=rootca.testbed.aaa"; exit 1; fi + @if [ ! -e $(DATA_DIR)/$(ca)/private/cakey.pem ]; then echo "The parent CA $(ca) does not exist."; exit 1; fi + @if [ ! -d $(DATA_DIR)/$(name) ]; then $(REMAKE) structure caname=$(name); fi + # Generate the private key and CSR for the new CA if needed + @if [ ! 
-e $(DATA_DIR)/$(name)/private/cakey.pem ]; then \ + openssl genrsa -out $(DATA_DIR)/$(name)/private/cakey.pem $(cakeysize) ; fi + @if [ ! -e $(DATA_DIR)/$(name)/private/cacsr.pem ]; then \ + CA_ROOT_DIR=$(DATA_DIR)/$(name) openssl req $(CONFIG) -new -batch -out $(DATA_DIR)/$(name)/private/cacsr.pem \ + -key $(DATA_DIR)/$(name)/private/cakey.pem \ + -subj /CN=$(name) -reqexts v3_req_ca; fi + # Revoke a previous certificate for this CA if any + @if [ -e $(DATA_DIR)/$(name)/public/cacert.pem ]; then \ + echo "Revoking previous certificate ..."; \ + $(REMAKE) revoke name=$(name) ca=$(ca); \ + mv $(DATA_DIR)/$(name)/public/cacert.pem $(DATA_DIR)/$(name)/public/cacert-$(DATE).pem; fi + # Issue the new CA certificate + @CA_ROOT_DIR=$(DATA_DIR)/$(ca) openssl ca $(CONFIG) -in $(DATA_DIR)/$(name)/private/cacsr.pem \ + -out $(DATA_DIR)/$(name)/public/cacert.pem \ + -batch -extensions ca_cert + # Hash and link to parent + @ln -s cacert.pem $(DATA_DIR)/$(ca)/public/`openssl x509 -noout -hash < $(DATA_DIR)/$(name)/public/cacert.pem`.0 + @rm -f $(DATA_DIR)/$(name)/parent + @ln -s ../$(ca) $(DATA_DIR)/$(name)/parent + @cat $(DATA_DIR)/$(name)/public/cacert.pem $(DATA_DIR)/$(ca)/public/cachain.pem > $(DATA_DIR)/$(name)/public/cachain.pem + @ln -s ../../$(ca)/public/caroot.pem $(DATA_DIR)/$(name)/public/caroot.pem + @for CRLFILE in `cd $(DATA_DIR)/$(ca)/public/crl && ls -1`; do ln -sf ../../../$(ca)/public/crl/$$CRLFILE $(DATA_DIR)/$(name)/public/crl/$$CRLFILE; done + @$(REMAKE) gencrl ca=$(name) + +# Create a new certificate for use in TLS communications and other terminal usages +newcert: + @if [ -z "$(name)" -o -z "$(ca)" ]; then echo "Missing parameter. Ex: make newcert name=service.testbed.aaa ca=ca.testbed.aaa"; exit 1; fi + @if [ ! -e $(DATA_DIR)/$(ca)/private/cakey.pem ]; then echo "The parent CA $(ca) does not exist."; exit 1; fi + @if [ ! -d $(DATA_DIR)/$(ca)/clients/$(name) ]; then mkdir $(DATA_DIR)/$(ca)/clients/$(name); fi + # Create a private key if needed + @if [ ! 
-e $(DATA_DIR)/$(ca)/clients/$(name)/privkey.pem ]; then \ + openssl genrsa -out $(DATA_DIR)/$(ca)/clients/$(name)/privkey.pem $(keysize); fi + # Create a CSR if needed + @if [ ! -e $(DATA_DIR)/$(ca)/clients/$(name)/csr.pem ]; then \ + CA_ROOT_DIR=$(DATA_DIR)/$(ca) openssl req $(CONFIG) -new -batch -out $(DATA_DIR)/$(ca)/clients/$(name)/csr.pem \ + -key $(DATA_DIR)/$(ca)/clients/$(name)/privkey.pem \ + -subj /CN=$(name); fi + # Revoke a previous certificate if any + @if [ -e $(DATA_DIR)/$(ca)/clients/$(name)/cert.pem ]; then \ + $(REMAKE) revoke name=$(name) ca=$(ca); \ + mv $(DATA_DIR)/$(ca)/clients/$(name)/cert.pem $(DATA_DIR)/$(ca)/clients/$(name)/cert-$(DATE).pem; fi + # Now sign the new certificate with the CA key + @CA_ROOT_DIR=$(DATA_DIR)/$(ca) openssl ca $(CONFIG) -in $(DATA_DIR)/$(ca)/clients/$(name)/csr.pem \ + -out $(DATA_DIR)/$(ca)/clients/$(name)/cert.pem \ + -batch + # Hash + @ln -sf `cat $(DATA_DIR)/$(ca)/serial.old`.pem $(DATA_DIR)/$(ca)/public/`openssl x509 -noout -hash < $(DATA_DIR)/$(ca)/clients/$(name)/cert.pem`.0 + # Compiled informations for the client + @cat $(DATA_DIR)/$(ca)/clients/$(name)/cert.pem $(DATA_DIR)/$(ca)/public/cachain.pem > $(DATA_DIR)/$(ca)/clients/$(name)/certchain.pem + @ln -sf ../../public/crl $(DATA_DIR)/$(ca)/clients/$(name)/crl + @ln -sf ../../public/caroot.pem $(DATA_DIR)/$(ca)/clients/$(name)/ca.pem + +# Revoke a certificate +revoke: + @if [ -z "$(name)" -o -z "$(ca)" ]; then echo "Missing parameter. Ex: make revoke name=service.testbed.aaa ca=ca.testbed.aaa"; exit 1; fi + @if [ ! -e $(DATA_DIR)/$(ca)/private/cakey.pem ]; then echo "The parent CA $(ca) does not exist."; exit 1; fi + @if [ ! 
-e $(DATA_DIR)/$(ca)/clients/$(name)/cert.pem ]; \ + then echo "$(DATA_DIR)/$(ca)/clients/$(name)/cert.pem not found"; \ + exit 1; \ + fi; + # Revoke the certificate + @CA_ROOT_DIR=$(DATA_DIR)/$(ca) openssl ca $(CONFIG) -revoke $(DATA_DIR)/$(ca)/clients/$(name)/cert.pem; + @$(REMAKE) gencrl ca=$(ca) + +# Regenerate the Certificate Revocation List. +gencrl: + @if [ -z "$(ca)" ]; then echo "Missing parameter. Ex: make gencrl ca=ca.testbed.aaa"; exit 1; fi + # Create the CRL + @CA_ROOT_DIR=$(DATA_DIR)/$(ca) openssl ca $(CONFIG) -gencrl -out $(DATA_DIR)/$(ca)/public/crl/$(ca).pem + @ln -s crl/$(ca).pem $(DATA_DIR)/$(ca)/public/local.pem + @ln -s local.pem $(DATA_DIR)/$(ca)/public/`openssl crl -noout -hash < $(DATA_DIR)/$(ca)/public/crl/$(ca).pem`.r0 + +# End of file...
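Review bot: `gencrl` is not re-runnable: after `openssl ca -gencrl` overwrites `crl/$(ca).pem`, the two `ln -s` lines fail with "File exists" because `public/local.pem` and the `.r0` hash link already exist from the first run, and since neither line carries a `-` prefix the second `make gencrl ca=...` (which `revoke` and `newca` invoke, and which the help text says to run periodically) aborts; change both to `ln -sf`. In `newca`, the hash link `ln -s cacert.pem $(DATA_DIR)/$(ca)/public/<hash>.0` is created in the parent's public directory with a relative target, so it appears to resolve to the parent's own `cacert.pem` rather than the sub-CA certificate just issued; `newcert` links the `serial.old`-named copy for the same purpose, and `newca` probably wants the same. `revoke` never removes the revoked certificate's `<hash>.0` link, unlike ca_script's `revoke`, so a revoked certificate stays in the hash-lookup directory. `keysize = 1024` is a weak default for end-entity keys; 2048 would match `cakeysize`.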
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/contrib/PKI/ca_script2/openssl.cnf Fri May 28 14:09:51 2010 +0900 
@@ -0,0 +1,120 @@ +# Note: for this file to be working, an environment var CA_ROOT_DIR = directory +# must be defined and pointing to the CA top-level directory. + +HOME = . +RANDFILE = $ENV::HOME/.rnd + +oid_section = new_oids + +[ new_oids ] + + +#################################################################### +[ req ] +default_bits = 1024 +# default_keyfile = privkey.pem +string_mask = utf8only + +distinguished_name = req_distinguished_name +attributes = req_attributes +req_extensions = v3_req # overwrite with -reqexts +x509_extensions = ca_cert # overwrite with -extensions; used for self-signed keys only + +[ req_distinguished_name ] +countryName = Country Name (2 letter code) +countryName_default = JP +countryName_min = 2 +countryName_max = 2 +stateOrProvinceName = State or Province Name (full name) +stateOrProvinceName_default = Tokyo +localityName = Locality Name (eg, city) +localityName_default = Koganei +0.organizationName = Organization Name (eg, company) +0.organizationName_default = WIDE +1.organizationName = Second Organization Name (eg, company) +1.organizationName_default = NICT +organizationalUnitName = Organizational Unit Name (eg, section) +organizationalUnitName_default = AAA WG testbed + +[ req_attributes ] +challengePassword = A challenge password +challengePassword_min = 0 +challengePassword_max = 20 +unstructuredName = An optional company name + +[ v3_req ] +# Extensions to add to a certificate request +basicConstraints = CA:FALSE +keyUsage = nonRepudiation, digitalSignature, keyEncipherment + +[ v3_req_ca ] +# Extensions to add to a certificate request for CA +basicConstraints = CA:TRUE + + +#################################################################### +[ ca ] +default_ca = CA_default # The default ca section + +[ CA_default ] + +dir = $ENV::CA_ROOT_DIR # Where everything is kept +certs = $dir/public # Where the issued certs are kept +crl_dir = $dir/public # Where the issued crl are kept +database = $dir/index.txt # database index 
file. +#unique_subject = no # Set to 'no' to allow creation of + # several ctificates with same subject. +new_certs_dir = $dir/public # default place for new certs. + +certificate = $dir/public/cacert.pem # The CA certificate +serial = $dir/serial # The current serial number +crlnumber = $dir/crlnumber # the current crl number +crl = $dir/public/local.pem # The current CRL +private_key = $dir/private/cakey.pem # The private key +x509_extensions = usr_cert # The extentions to add to the cert + # overwrite with -extensions +name_opt = ca_default # Subject Name options +cert_opt = ca_default # Certificate field options +crl_extensions = crl_ext + +default_days = 3650 # how long to certify for +default_crl_days= 365 # how long before next CRL +default_md = sha1 # which md to use. +preserve = no # keep passed DN ordering + +# We accept to sign anything, but a real deployment would limit to proper domain etc... +policy = policy_anything + +[ policy_anything ] +countryName = optional +stateOrProvinceName = optional +localityName = optional +organizationName = optional +organizationalUnitName = optional +commonName = supplied +emailAddress = optional + +[ usr_cert ] +basicConstraints=CA:FALSE +# This is typical in keyUsage for a client certificate. +keyUsage = nonRepudiation, digitalSignature, keyEncipherment +subjectKeyIdentifier=hash +authorityKeyIdentifier=keyid,issuer + +[ ca_cert ] +# Extensions for a typical CA +subjectKeyIdentifier=hash +authorityKeyIdentifier=keyid:always,issuer:always +basicConstraints = critical,CA:true # Remove "critical," in case of problems +keyUsage = cRLSign, keyCertSign +# subjectAltName=email:copy +# Copy issuer details +# issuerAltName=issuer:copy + +[ crl_ext ] +# CRL extensions. +# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL. +# issuerAltName=issuer:copy +authorityKeyIdentifier=keyid:always,issuer:always + +
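Review bot: `[ CA_default ]` sets `default_days = 3650`, and since `newcert` in contrib/PKI/ca_script2/Makefile calls `openssl ca` without `-days`, every end-entity certificate is issued for ten years; combined with `default_crl_days= 365`, a peer that fetched the CRL before a revocation can keep trusting the revoked certificate until that CRL's nextUpdate, up to a year later. A shorter end-entity default such as `default_days = 365`, with the CA lifetime passed explicitly by `newca` (`-days 3650`, as `init` already does), and a `default_crl_days` matching how often `gencrl` is actually scheduled would narrow that window. The `policy = policy_anything` comment already acknowledges this is a testbed setting; the same caveat is worth adding next to `default_days`.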
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/contrib/PKI/phpki-0.82.patch Fri May 28 14:09:51 2010 +0900 
@@ -0,0 +1,284 @@ +diff -Nur phpki-0.82/ca/main.php phpki-0.82-fD/ca/main.php +--- phpki-0.82/ca/main.php 2005-11-17 10:17:20.000000000 +0900 ++++ phpki-0.82-fD/ca/main.php 2010-05-27 17:04:44.000000000 +0900 +@@ -36,7 +36,7 @@ + else { + ?> + <font color=#ff0000> +- <h2>There was an error updating the Certificate Revocation List.</h2></font><br> ++ <h2>There was an error updating the Certificate Revocation List.</h2></font><br /> + <blockquote> + <h3>Debug Info:</h3> + <pre><?=$errtxt?></pre> +@@ -53,8 +53,11 @@ + default: + printHeader('ca'); + ?> +- <br> +- <br> ++ <br /> ++ <br /> ++ ++ <center><h3>For <span style="color: #FF0000;">freeDiameter</span> specific instructions, scroll down this page...</h3></center><br /> ++ + <center> + <table class=menu width=600><th class=menu colspan=2><big>CERTIFICATE MANAGEMENT MENU</big></th> + +@@ -89,7 +92,57 @@ + + </table> + </center> +- <br><br> ++ <br /><br /> ++ <center> ++ <table class=menu width=900><th class=menu colspan=2><big>FREEDIAMETER INSTRUCTIONS</big></th> ++ <tr><td style="text-align: center; vertical-align: middle; font-weight: bold;"> ++ Create a new certificate</td> ++ ++ <td>Use the <strong><cite>Create a New Certificate</cite></strong> link in previous table to request a new certificate. Fill the form as follow: ++ <ul> ++ <li><strong>Common Name</strong>: use your new freeDiameter identity (usually the FQDN).</li> ++ <li><strong>E-mail Address</strong>: Provide your address so that you can be contacted in case of inquiry.</li> ++ <li><strong>Organization</strong>: use "freeDiameter testbed" for example.</li> ++ <li><strong>Certificate Password</strong>: Do not loose the password you provide, you'll need it in the next step. <br /> ++ The password must be >= 8 chars.</li> ++ <li>The other fields can be filled at your taste.</li> ++ </ul> ++ Once you have validated, you can check the values, and then proceed to download the new certificate and private key. ++ You will receive a file in PEM format. 
Let's call this file <em>mycertprotected.pem</em>. ++ It contains: ++ <ul> ++ <li>Your password-protected RSA private key.</li> ++ <li>Your certificate in PEM format.</li> ++ <li>The CA certificate.</li> ++ </ul></td></tr> ++ ++ <tr><td style="text-align: center; vertical-align: middle; font-weight: bold;"> ++ Split the file</td> ++ ++ <td>In order to use the information with freeDiameter daemon, you must transform the data as follow: ++ <ul> ++ <li><strong>Decode the private key</strong>: <br /> ++ <code>openssl rsa -in <em>mycertprotected.pem</em> -out /etc/ssl/private/freeDiameter.key</code><br /> ++ OpenSSL will ask for the password you entered when creating the certificate.</li> ++ <li><strong>Extract your certificate</strong>: <br /> ++ <code>openssl x509 -in <em>mycertprotected.pem</em> > /etc/ssl/certs/freeDiameter.pem</code></li> ++ <li><strong>Get the CA certificate</strong>: <br /> ++ <code>wget --no-check-certificate "$config[base_url]index.php?stage=dl_root" -O /etc/ssl/certs/freeDiameter_testbed_CA.pem</code></li> ++ </ul> ++ Note: for the last step, you could also extract it directly from the PEM file you received.<br /> ++ Note: the CRL is also available from the website, but this feature is not tested yet.</td></tr> ++ ++ <tr><td style="text-align: center; vertical-align: middle; font-weight: bold;"> ++ Configure freeDiameter</td> ++ ++ <td>Here is the configuration related to TLS that you should set in your <em>/etc/freeDiameter/freeDiameter.conf</em> file: ++ <blockquote>TLS_Cred = "/etc/ssl/certs/freeDiameter.pem", "/etc/ssl/private/freeDiameter.key";<br /> ++TLS_CA = "/etc/ssl/certs/freeDiameter_testbed_CA.pem";</blockquote></td></tr> ++ ++ ++ </table> ++ </center> ++ <br /><br /> + <? 
+ printFooter(); + } +diff -Nur phpki-0.82/ca/request_cert.php phpki-0.82-fD/ca/request_cert.php +--- phpki-0.82/ca/request_cert.php 2007-01-04 14:45:09.000000000 +0900 ++++ phpki-0.82-fD/ca/request_cert.php 2010-05-27 16:59:16.000000000 +0900 +@@ -197,6 +197,7 @@ + + switch($cert_type) { + case 'server': ++ case 'freediameter': + upload(array("$config[private_dir]/$serial-key.pem","$config[new_certs_dir]/$serial.pem",$config['cacert_pem']), "$common_name ($email).pem",'application/pkix-cert'); + break; + case 'email': +@@ -225,7 +226,7 @@ + if (! $email) $email = ""; + if (! $expiry) $expiry = 1; + if (! $keysize) $keysize = 1024; +- if (! $cert_type) $cert_type = 'email'; ++ if (! $cert_type) $cert_type = 'freediameter'; + + printHeader(); + ?> +@@ -302,13 +303,14 @@ + <td>Certificate Use: </td> + <td><select name=cert_type> + <? +- print '<option value="email" '.($cert_type=='email'?'selected':'').'>E-mail, SSL Client</option>'; +- print '<option value="email_signing" '.($cert_type=='email_signing'?'selected':'').'>E-mail, SSL Client, Code Signing</option>'; +- print '<option value="server" '.($cert_type=='server'?'selected':'').'>SSL Server</option>'; +- print '<option value="vpn_client" '.($cert_type=='vpn_client'?'selected':'').'>VPN Client Only</option>'; +- print '<option value="vpn_server" '.($cert_type=='vpn_server'?'selected':'').'>VPN Server Only</option>'; +- print '<option value="vpn_client_server" '.($cert_type=='vpn_client_server'?'selected':'').'>VPN Client, VPN Server</option>'; +- print '<option value="time_stamping" '.($cert_type=='time_stamping'?'selected':'').'>Time Stamping</option>'; ++ print '<option value="email" disabled '.($cert_type=='email'?'selected':'').'>E-mail, SSL Client</option>'; ++ print '<option value="email_signing" disabled '.($cert_type=='email_signing'?'selected':'').'>E-mail, SSL Client, Code Signing</option>'; ++ print '<option value="server" disabled '.($cert_type=='server'?'selected':'').'>SSL Server</option>'; ++ 
print '<option value="freediameter" '.($cert_type=='freediameter'?'selected':'').'>freeDiameter node</option>'; ++ print '<option value="vpn_client" disabled '.($cert_type=='vpn_client'?'selected':'').'>VPN Client Only</option>'; ++ print '<option value="vpn_server" disabled '.($cert_type=='vpn_server'?'selected':'').'>VPN Server Only</option>'; ++ print '<option value="vpn_client_server" disabled '.($cert_type=='vpn_client_server'?'selected':'').'>VPN Client, VPN Server</option>'; ++ print '<option value="time_stamping" disabled '.($cert_type=='time_stamping'?'selected':'').'>Time Stamping</option>'; + ?> + </select></td> + </tr> +diff -Nur phpki-0.82/include/openssl_functions.php phpki-0.82-fD/include/openssl_functions.php +--- phpki-0.82/include/openssl_functions.php 2007-01-04 15:47:57.000000000 +0900 ++++ phpki-0.82-fD/include/openssl_functions.php 2010-05-27 16:59:57.000000000 +0900 +@@ -69,6 +69,13 @@ + default_days = 365 + policy = policy_supplied + ++[ freediameter_cert ] ++x509_extensions = freediameter_ext ++default_days = 730 ++policy = policy_supplied ++ ++ ++ + [ vpn_cert ] + x509_extensions = vpn_client_server_ext + default_days = 365 +@@ -152,6 +159,24 @@ + nsRevocationUrl = ns_revoke_query.php? + nsCaPolicyUrl = $config[base_url]policy.html + ++[ freediameter_ext ] ++basicConstraints = CA:false ++keyUsage = critical, digitalSignature, keyEncipherment ++extendedKeyUsage = critical, serverAuth, clientAuth ++nsCertType = critical, server, client ++subjectKeyIdentifier = hash ++authorityKeyIdentifier = keyid:always, issuer:always ++subjectAltName = DNS:$common_name,email:copy ++issuerAltName = issuer:copy ++crlDistributionPoints = URI:$config[base_url]index.php?stage=dl_crl ++nsComment = \"PHPki/OpenSSL Generated Secure Certificate for freeDiameter\" ++nsBaseUrl = $config[base_url] ++nsRevocationUrl = ns_revoke_query.php? 
++nsCaPolicyUrl = $config[base_url]policy.html ++ ++ ++ ++ + [ time_stamping_ext ] + basicConstraints = CA:false + keyUsage = critical, nonRepudiation, digitalSignature +diff -Nur phpki-0.82/openssl.cnf phpki-0.82-fD/openssl.cnf +--- phpki-0.82/openssl.cnf 2006-07-23 00:33:34.000000000 +0900 ++++ phpki-0.82-fD/openssl.cnf 2010-05-27 17:00:33.000000000 +0900 +@@ -39,6 +39,11 @@ + default_days = 365 + policy = policy_supplied + ++[ freediameter_cert ] ++x509_extensions = freediameter_ext ++default_days = 730 ++policy = policy_supplied ++ + [ vpn_cert ] + x509_extensions = vpn_client_server_ext + default_days = 365 +@@ -115,6 +120,23 @@ + nsRevocationUrl = ns_revoke_query.php? + nsCaPolicyUrl = http://www.somewhere.com/phpki/policy.html + ++[ freediameter_ext ] ++basicConstraints = CA:false ++keyUsage = critical, digitalSignature, keyEncipherment ++extendedKeyUsage = critical, serverAuth, clientAuth ++nsCertType = critical, server, client ++subjectKeyIdentifier = hash ++authorityKeyIdentifier = keyid:always, issuer:always ++subjectAltName = DNS:$common_name,email:copy ++issuerAltName = issuer:copy ++crlDistributionPoints = URI:$config[base_url]index.php?stage=dl_crl ++nsComment = "PHPki/OpenSSL Generated Secure Certificate for freeDiameter" ++nsBaseUrl = $config[base_url] ++nsRevocationUrl = ns_revoke_query.php? ++nsCaPolicyUrl = $config[base_url]policy.html ++ ++ ++ + [ vpn_client_ext ] + basicConstraints = critical, CA:false + keyUsage = critical, digitalSignature +diff -Nur phpki-0.82/setup.php phpki-0.82-fD/setup.php +--- phpki-0.82/setup.php 2007-07-22 23:34:08.000000000 +0900 ++++ phpki-0.82-fD/setup.php 2010-05-27 17:01:41.000000000 +0900 +@@ -339,6 +339,11 @@ + default_days = 365 + policy = policy_supplied + ++[ freediameter_cert ] ++x509_extensions = freediameter_ext ++default_days = 730 ++policy = policy_supplied ++ + [ vpn_cert ] + x509_extensions = vpn_client_server_ext + default_days = 365 +@@ -418,6 +423,22 @@ + nsRevocationUrl = ns_revoke_query.php? 
+ nsCaPolicyUrl = $config[base_url]policy.html + ++[ freediameter_ext ] ++basicConstraints = CA:false ++keyUsage = critical, digitalSignature, keyEncipherment ++extendedKeyUsage = critical, serverAuth, clientAuth ++nsCertType = critical, server, client ++subjectKeyIdentifier = hash ++authorityKeyIdentifier = keyid:always, issuer:always ++subjectAltName = DNS:$common_name,email:copy ++issuerAltName = issuer:copy ++crlDistributionPoints = URI:$config[base_url]index.php?stage=dl_crl ++nsComment = "PHPki/OpenSSL Generated Secure Certificate for freeDiameter" ++nsBaseUrl = $config[base_url] ++nsRevocationUrl = ns_revoke_query.php? ++nsCaPolicyUrl = $config[base_url]policy.html ++ ++ + [ time_stamping_ext ] + basicConstraints = CA:false + keyUsage = critical, nonRepudiation, digitalSignature +diff -Nur phpki-0.82/setup.php-presetup phpki-0.82-fD/setup.php-presetup +--- phpki-0.82/setup.php-presetup 2007-07-22 23:34:08.000000000 +0900 ++++ phpki-0.82-fD/setup.php-presetup 2010-05-27 17:01:41.000000000 +0900 +@@ -339,6 +339,11 @@ + default_days = 365 + policy = policy_supplied + ++[ freediameter_cert ] ++x509_extensions = freediameter_ext ++default_days = 730 ++policy = policy_supplied ++ + [ vpn_cert ] + x509_extensions = vpn_client_server_ext + default_days = 365 +@@ -418,6 +423,22 @@ + nsRevocationUrl = ns_revoke_query.php? + nsCaPolicyUrl = $config[base_url]policy.html + ++[ freediameter_ext ] ++basicConstraints = CA:false ++keyUsage = critical, digitalSignature, keyEncipherment ++extendedKeyUsage = critical, serverAuth, clientAuth ++nsCertType = critical, server, client ++subjectKeyIdentifier = hash ++authorityKeyIdentifier = keyid:always, issuer:always ++subjectAltName = DNS:$common_name,email:copy ++issuerAltName = issuer:copy ++crlDistributionPoints = URI:$config[base_url]index.php?stage=dl_crl ++nsComment = "PHPki/OpenSSL Generated Secure Certificate for freeDiameter" ++nsBaseUrl = $config[base_url] ++nsRevocationUrl = ns_revoke_query.php? 
++nsCaPolicyUrl = $config[base_url]policy.html ++ ++ + [ time_stamping_ext ] + basicConstraints = CA:false + keyUsage = critical, nonRepudiation, digitalSignature
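Review bot: The freeDiameter instructions added to ca/main.php tell the user to obtain the trust anchor with `wget --no-check-certificate "$config[base_url]index.php?stage=dl_root" -O /etc/ssl/certs/freeDiameter_testbed_CA.pem`, so the CA certificate that every node will trust is downloaded over a connection whose own certificate is deliberately not verified. Since the same text already notes that the CA certificate is contained in the PEM bundle the user received, the instructions could make that the primary method and ask the user to compare the result of `openssl x509 -noout -fingerprint -in /etc/ssl/certs/freeDiameter_testbed_CA.pem` with a fingerprint published by the CA operator before relying on it. The `openssl rsa -in mycertprotected.pem -out /etc/ssl/private/freeDiameter.key` step writes the key unencrypted, so a `chmod 600 /etc/ssl/private/freeDiameter.key` line (or running the command under `umask 077`) next to it would be worth adding. These are changes to the HTML help text only; the freediameter_ext extension profile added in the other files is not affected.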
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/contrib/README Fri May 28 14:09:51 2010 +0900
@@ -0,0 +1,35 @@
+This file describes the content of the "contrib" directory.
+For information about the freeDiameter project, please refer
+to top-level README file.
+
+- update_copyright.sh : This script will simply update the copyright information
+ in all source files in the freeDiameter mercurial repository, based
+ on the last modification time. Thought I might share it if other people find
+ it useful for their own project...
+
+- PKI : This directory contains useful material related to establishing a
+ Public Key Infrastructure (PKI) for deploying x509 certificates
+ and use these for TLS authentication of the freeDiameter nodes.
+
+ IMPORTANT: Please note that these solutions are NOT suitable
+ for use in a production environment! It allows easy deployment of
+ certificates for tests, and that is their sole purpose.
+
+ The directory contains:
+
+ - ca_script: a simple Makefile allowing you to generate a self-signed certificate (root)
+ and then issue new certificates and private keys for your users.
+ Run "make" without argument to get the help.
+
+ - ca_script2: An evolution of the previous Makefile. This one allows you
+ to create a hierarchy of CA and certificates.
+
+ - phpki-0.82.patch : This patch is to be applied to PHPki to customize the use for freeDiameter.
+ PHPki (http://sourceforge.net/projects/phpki/) is a PHP-based web interface
+ that provides more or less the same services as ca_script.
+
+- OpenWRT : This directory contains the scripts and documentation related to
+ the integration of freeDiameter RADIUS/Diameter gateway component in the openWRT
+ distribution (http://openwrt.org) -- the goal is to give the access point the
+ ability to "talk" Diameter instead of RADIUS.
+
--- a/contrib/ca_script/Makefile Thu May 27 17:15:11 2010 +0900
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,150 +0,0 @@ -#!/usr/bin/make -s -# -# This file is designed to automatize the CA tasks such as: -# -> init : create the initial CA tree and the CA root certificate. -# -> newcsr: create a new private key and csr. $name and $email must be set. C, ST, L, O, OU may be overwitten (exemple: make newcsr C=FR) -# -> cert : sign a pending CSR and generate the certificate. $name must be provided. -# -> revoke: revoke a certificate. $name must be provided. -# -> gencrl: update/create the CRL. -# -# The file should be located in the directory STATIC_DIR as defined below. -# The DIR directory will contain the data of the CA. It might be placed in /var. -# The DIR should also be configured in openssl.cnf file under [ CA_default ]->dir. -# -# Here are the steps to install the CA scripts in default environment: -## mkdir /etc/openssl-ca.static -## cp Makefile openssl.cnf /etc/openssl-ca.static -# ( configure the default parameters of your CA in /etc/openssl-ca/openssl.cnf ) ## -## mkdir /etc/openssl-ca -## make -f /etc/openssl-ca.static/Makefile destroy force=y -## cd /etc/openssl-ca -## make init -## make help - -DIR = /home/thedoc/testbed.aaa/ca -STATIC_DIR = /home/thedoc/testbed.aaa/ca -CONFIG = -config $(DIR)/openssl.cnf - -#Defaults for new CSR -C = JP -ST = Tokyo -L = Koganei -O = WIDE -OU = "AAA WG" - -#Default lifetime -DAYS = 365 - -#Values for the CA -CA_CN = mgr.testbed.aaa -CA_mail = sdecugis@nict.go.jp - -#Disable "make destroy" -force = - - -# Default: print the help -all: help - -# Help message -help: - @echo "\n\ -Default values (can be overwritten on command-line):\n\ - [C=$(C)] [ST=$(ST)] [L=$(L)] [O=$(O)] [OU=$(OU)]\n\ - [CA_CN=$(CA_CN)] [CA_mail=$(CA_mail)]\n\n\ -Available commands:\n\ - make init\n\ - Creates the initial CA structure in $(DIR)\n\ - make gencrl\n\ - Regenerates the CRL. 
Should be run at least once a month.\n\ - make newcsr name=foo email=b@r [type=ca]\n\ - Create private key and csr in clients subdir (named foo.*)\n\ - make cert name=foo\n\ - Signs the CSR foo.csr and creates the certificate foo.cert.\n\ - make revoke name=foo\n\ - Revokes the certificate foo.cert and regenerates the CRL.\n\ -\n\ -Notes:\n\ - Content from public-www should be available from Internet. \n\ - The URL to CRL should be set in openssl.cnf.\n\ - A cron job should execute make gencrl once a month.\n\ -"; - -# Destroy the CA completly. Use with care. -destroy: - @if [ -z "$(force)" ]; then echo "Restart disabled, use: make destroy force=y"; exit 1; fi - @if [ ! -d $(STATIC_DIR) ]; then echo "Error in setup"; exit 1; fi - @echo "Removing everything (for debug purpose)..." - @rm -rf $(DIR)/* - @ln -sf $(STATIC_DIR)/Makefile $(DIR) - @ln -sf $(STATIC_DIR)/openssl.cnf $(DIR) - - -# Initialize the CA structure and keys. -init: - @if [ -d $(DIR)/private ]; then echo "CA already initialized."; exit 1; fi - @echo "Creating CA structure..." - @mkdir $(DIR)/crl - @mkdir $(DIR)/certs - @mkdir $(DIR)/newcerts - @mkdir $(DIR)/public-www - @mkdir $(DIR)/private - @chmod 700 $(DIR)/private - @mkdir $(DIR)/clients - @mkdir $(DIR)/clients/privkeys - @mkdir $(DIR)/clients/csr - @mkdir $(DIR)/clients/certs - @echo "01" > $(DIR)/serial - @touch $(DIR)/index.txt - @openssl req $(CONFIG) -new -batch -x509 -days 3650 -nodes -newkey rsa:2048 -out $(DIR)/public-www/cacert.pem \ - -keyout $(DIR)/private/cakey.pem -subj /C=$(C)/ST=$(ST)/L=$(L)/O=$(O)/OU=$(OU)/CN=$(CA_CN)/emailAddress=$(CA_mail) - @ln -s $(DIR)/public-www/cacert.pem $(DIR)/certs/`openssl x509 -noout -hash < $(DIR)/public-www/cacert.pem`.0 - @$(MAKE) -f $(DIR)/Makefile gencrl - -# Regenerate the Certificate Revocation List. 
-# This list should be available publicly -gencrl: - @openssl ca $(CONFIG) -gencrl -out $(DIR)/public-www/crl.pem - @ln -sf $(DIR)/public-www/crl.pem $(DIR)/crl/`openssl crl -noout -hash < $(DIR)/public-www/crl.pem`.r0 - -# Create a new private key and a CSR, in case the client does not provide the CSR by another mean. -# Usage is: make newcsr name=peer.client.fqdn email=admin@client.fqdn -newcsr: - @if [ -z "$(name)" -o -z "$(email)" ]; then echo "Please provide certificate name and email address: make newcsr name=mn.nautilus.org email=you@mail.com"; exit 1; fi - @if [ -e $(DIR)/clients/csr/$(name).csr ]; then echo "There is already a pending csr for this name."; exit 1; fi - @if [ ! -e $(DIR)/clients/privkeys/$(name).key.pem ]; \ - then echo "Generating a private key for $(name) ..."; \ - openssl genrsa -out $(DIR)/clients/privkeys/$(name).key.pem 1024; \ - fi; - @echo "Creating the CSR in $(DIR)/clients/csr/$(name).csr"; - @openssl req $(CONFIG) -new -batch -out $(DIR)/clients/csr/$(name).csr \ - -key $(DIR)/clients/privkeys/$(name).key.pem \ - -subj /C=$(C)/ST=$(ST)/L=$(L)/O=$(O)/OU=$(OU)/CN=$(name)/emailAddress=$(email) - -# Process a CSR to create a x509 certificate. The certificate is valid for 1 year. -# It should be sent to the client by any mean. -cert: - @if [ -z "$(name)" ]; then echo "name must be provided: make cert name=mn.n6.org"; exit 1; fi - @if [ ! -e $(DIR)/clients/csr/$(name).csr ]; then echo "Could not find CSR in $(DIR)/clients/csr/$(name).csr."; exit 1; fi - @if [ -e $(DIR)/clients/certs/$(name).cert ]; \ - then echo "Revoking old certificate..."; \ - $(MAKE) revoke name=$(name); \ - fi; - @openssl ca $(CONFIG) -in $(DIR)/clients/csr/$(name).csr \ - -out $(DIR)/clients/certs/$(name).cert \ - -days $(DAYS) \ - -batch - @ln -s $(DIR)/clients/certs/$(name).cert $(DIR)/certs/`openssl x509 -noout -hash < $(DIR)/clients/certs/$(name).cert`.0 - -# Revoke a certificate. 
-revoke: - @if [ -z "$(name)" ]; then echo "name must be provided: make revoke name=mn.n6.org"; exit 1; fi - @if [ ! -e $(DIR)/clients/certs/$(name).cert ]; \ - then echo "$(DIR)/clients/certs/$(name).cert not found"; \ - exit 1; \ - fi; - @openssl ca $(CONFIG) -revoke $(DIR)/clients/certs/$(name).cert; - @rm -f $(DIR)/certs/`openssl x509 -noout -hash < $(DIR)/clients/certs/$(name).cert`.0 - @$(MAKE) gencrl - -# End of file...
--- a/contrib/ca_script/openssl.cnf Thu May 27 17:15:11 2010 +0900
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,315 +0,0 @@ -# -# OpenSSL example configuration file. -# This is mostly being used for generation of certificate requests. -# - -# This definition stops the following lines choking if HOME isn't -# defined. -HOME = . -RANDFILE = $ENV::HOME/.rnd - -# Extra OBJECT IDENTIFIER info: -#oid_file = $ENV::HOME/.oid -oid_section = new_oids - -# To use this configuration file with the "-extfile" option of the -# "openssl x509" utility, name here the section containing the -# X.509v3 extensions to use: -# extensions = -# (Alternatively, use a configuration file that has only -# X.509v3 extensions in its main [= default] section.) - -[ new_oids ] - -# We can add new OIDs in here for use by 'ca' and 'req'. -# Add a simple OID like this: -# testoid1=1.2.3.4 -# Or use config file substitution like this: -# testoid2=${testoid1}.5.6 - -#################################################################### -[ ca ] -default_ca = CA_default # The default ca section - -#################################################################### -[ CA_default ] - -dir = /etc/openssl-ca # Where everything is kept -certs = $dir/certs # Where the issued certs are kept -crl_dir = $dir/crl # Where the issued crl are kept -database = $dir/index.txt # database index file. -#unique_subject = no # Set to 'no' to allow creation of - # several ctificates with same subject. -new_certs_dir = $dir/newcerts # default place for new certs. - -certificate = $dir/public-www/cacert.pem # The CA certificate -serial = $dir/serial # The current serial number -# crlnumber = $dir/crlnumber # the current crl number - # must be commented out to leave a V1 CRL -crl = $dir/public-www/crl.pem # The current CRL -private_key = $dir/private/cakey.pem# The private key -RANDFILE = $dir/private/.rand # private random number file - -x509_extensions = usr_cert # The extentions to add to the cert - -# Comment out the following two lines for the "traditional" -# (and highly broken) format. 
-name_opt = ca_default # Subject Name options -cert_opt = ca_default # Certificate field options - -# Extension copying option: use with caution. -# copy_extensions = copy - -# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs -# so this is commented out by default to leave a V1 CRL. -# crlnumber must also be commented out to leave a V1 CRL. -# crl_extensions = crl_ext - -default_days = 365 # how long to certify for -default_crl_days= 30 # how long before next CRL -default_md = sha1 # which md to use. -preserve = no # keep passed DN ordering - -# A few difference way of specifying how similar the request should look -# For type CA, the listed attributes must be the same, and the optional -# and supplied fields are just that :-) -# policy = policy_match -policy = policy_anything - -# For the CA policy -[ policy_match ] -countryName = match -stateOrProvinceName = match -organizationName = match -organizationalUnitName = optional -commonName = supplied -emailAddress = optional - -# For the 'anything' policy -# At this point in time, you must list all acceptable 'object' -# types. -[ policy_anything ] -countryName = optional -stateOrProvinceName = optional -localityName = optional -organizationName = optional -organizationalUnitName = optional -commonName = supplied -emailAddress = optional - -#################################################################### -[ req ] -default_bits = 1024 -default_keyfile = privkey.pem -distinguished_name = req_distinguished_name -attributes = req_attributes -x509_extensions = v3_ca # The extentions to add to the self signed cert - -# Passwords for private keys if not present they will be prompted for -# input_password = fdsecret -# output_password = fdsecret - -# This sets a mask for permitted string types. There are several options. -# default: PrintableString, T61String, BMPString. -# pkix : PrintableString, BMPString. -# utf8only: only UTF8Strings. 
-# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings). -# MASK:XXXX a literal mask value. -# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings -# so use this option with caution! -string_mask = utf8only - -# req_extensions = v3_req # The extensions to add to a certificate request - -[ req_distinguished_name ] -countryName = Country Name (2 letter code) -countryName_default = JP -countryName_min = 2 -countryName_max = 2 - -stateOrProvinceName = State or Province Name (full name) -stateOrProvinceName_default = Tokyo - -localityName = Locality Name (eg, city) -localityName_default = Koganei - -0.organizationName = Organization Name (eg, company) -0.organizationName_default = WIDE - -# we can do this but it is not needed normally :-) -1.organizationName = Second Organization Name (eg, company) -1.organizationName_default = NICT - -organizationalUnitName = Organizational Unit Name (eg, section) -organizationalUnitName_default = AAA WG - -commonName = Common Name (i.e. Diameter Agent hostname) -commonName_max = 64 - -emailAddress = Email Address (i.e. Diameter agent administrator) -emailAddress_max = 64 - -# SET-ex3 = SET extension number 3 - -[ req_attributes ] -challengePassword = A challenge password -challengePassword_min = 0 -challengePassword_max = 20 - -unstructuredName = An optional company name - -[ usr_cert ] - -# These extensions are added when 'ca' signs a request. - -# This goes against PKIX guidelines but some CAs do it and some software -# requires this to avoid interpreting an end user certificate as a CA. - -basicConstraints=CA:FALSE - -# Here are some examples of the usage of nsCertType. If it is omitted -# the certificate can be used for anything *except* object signing. - -# This is OK for an SSL server. -# nsCertType = server - -# For an object signing certificate this would be used. 
-# nsCertType = objsign - -# For normal client use this is typical -# nsCertType = client, email - -# and for everything including object signing: -# nsCertType = client, email, objsign - -# This is typical in keyUsage for a client certificate. -# keyUsage = nonRepudiation, digitalSignature, keyEncipherment - -# This will be displayed in Netscape's comment listbox. -nsComment = "OpenSSL Generated Certificate" - -# PKIX recommendations harmless if included in all certificates. -subjectKeyIdentifier=hash -authorityKeyIdentifier=keyid,issuer - -# This stuff is for subjectAltName and issuerAltname. -# Import the email address. -# subjectAltName=email:copy -# An alternative to produce certificates that aren't -# deprecated according to PKIX. -# subjectAltName=email:move - -# Copy subject details -# issuerAltName=issuer:copy - -#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem -#nsBaseUrl -#nsRevocationUrl -#nsRenewalUrl -#nsCaPolicyUrl -#nsSslServerName - -[ v3_req ] - -# Extensions to add to a certificate request - -basicConstraints = CA:FALSE -keyUsage = nonRepudiation, digitalSignature, keyEncipherment - -[ v3_ca ] - - -# Extensions for a typical CA - - -# PKIX recommendation. - -subjectKeyIdentifier=hash - -authorityKeyIdentifier=keyid:always,issuer:always - -# This is what PKIX recommends but some broken software chokes on critical -# extensions. -#basicConstraints = critical,CA:true -# So we do this instead. -basicConstraints = CA:true - -# Key usage: this is typical for a CA certificate. However since it will -# prevent it being used as an test self-signed certificate it is best -# left out by default. -# keyUsage = cRLSign, keyCertSign - -# Some might want this also -# nsCertType = sslCA, emailCA - -# Include email address in subject alt name: another PKIX recommendation -# subjectAltName=email:copy -# Copy issuer details -# issuerAltName=issuer:copy - -# DER hex encoding of an extension: beware experts only! 
-# obj=DER:02:03 -# Where 'obj' is a standard or added object -# You can even override a supported extension: -# basicConstraints= critical, DER:30:03:01:01:FF - -[ crl_ext ] - -# CRL extensions. -# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL. - -# issuerAltName=issuer:copy -authorityKeyIdentifier=keyid:always,issuer:always - -[ proxy_cert_ext ] -# These extensions should be added when creating a proxy certificate - -# This goes against PKIX guidelines but some CAs do it and some software -# requires this to avoid interpreting an end user certificate as a CA. - -basicConstraints=CA:FALSE - -# Here are some examples of the usage of nsCertType. If it is omitted -# the certificate can be used for anything *except* object signing. - -# This is OK for an SSL server. -# nsCertType = server - -# For an object signing certificate this would be used. -# nsCertType = objsign - -# For normal client use this is typical -# nsCertType = client, email - -# and for everything including object signing: -# nsCertType = client, email, objsign - -# This is typical in keyUsage for a client certificate. -# keyUsage = nonRepudiation, digitalSignature, keyEncipherment - -# This will be displayed in Netscape's comment listbox. -nsComment = "OpenSSL Generated Certificate" - -# PKIX recommendations harmless if included in all certificates. -subjectKeyIdentifier=hash -authorityKeyIdentifier=keyid,issuer:always - -# This stuff is for subjectAltName and issuerAltname. -# Import the email address. -# subjectAltName=email:copy -# An alternative to produce certificates that aren't -# deprecated according to PKIX. -# subjectAltName=email:move - -# Copy subject details -# issuerAltName=issuer:copy - -#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem -#nsBaseUrl -#nsRevocationUrl -#nsRenewalUrl -#nsCaPolicyUrl -#nsSslServerName - -# This really needs to be in place for it to be a proxy certificate. -proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo
--- a/contrib/ca_script2/Makefile Thu May 27 17:15:11 2010 +0900
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,156 +0,0 @@
-#!/usr/bin/make -s
-#
-# This file is inspired from freeDiameter's contrib/ca_script and
-# improved to handle multiple CA in a hierarchical fashion.
-# Warning: the directory structure is flat, does not reflect the CA hierarchy
-
-SCRIPT_DIR = .
-DATA_DIR = ./ca_data
-
-CONFIG = -config $(SCRIPT_DIR)/openssl.cnf
-REMAKE = $(MAKE) -f $(SCRIPT_DIR)/Makefile
-
-#Disable "make destroy" -- overwrite on command line
-force =
-
-#RSA key sizes, can be overwritten on command line
-cakeysize = 2048
-keysize = 1024
-
-# Save current date
-DATE=`date +%Y%m%d-%H%M%S`
-
-# Default: print the help
-all: help
-
-# Help message
-help:
- @echo "\n\
-Available commands:\n\
- make init topca=name\n\
- Creates the initial top-level CA structure\n\
- make newca name=newcaname ca=parentca\n\
- Creates a new sub-CA that can be used for certificates later.\n\
- make newcert name=foo ca=parentca\n\
- Create private key and csr, then issue the certificate (named foo.*)\n\
- make revoke name=foo ca=parentca\n\
- Revokes the certificate foo.cert issued by parentca and regenerates the CRL.\n\
- make gencrl ca=caname\n\
- Regenerates the CRL of CA caname. Should be run periodically.\n\
-\n\
-";
-
-# Destroy the CA hierarchy completly. Use with care.
-destroy:
- @if [ -z "$(force)" ]; then echo "Destroy disabled, use: make destroy force=y"; exit 1; fi
- @if [ ! -d $(SCRIPT_DIR) ]; then echo "Error in setup"; exit 1; fi
- @echo "Removing everything (for debug purpose)..."
- @rm -rf $(DATA_DIR)/*
-
-# Initialize the CA structure
-structure:
- @if [ -z "$(caname)" ]; then echo "Internal error: caname is missing"; exit 1; fi
- @if [ -d $(DATA_DIR)/$(caname) ]; then echo "CA $(caname) already exists."; exit 1; fi
- # Creating CA structure
- @mkdir -p $(DATA_DIR)/$(caname)
- @mkdir $(DATA_DIR)/$(caname)/public
- @mkdir $(DATA_DIR)/$(caname)/public/crl
- @mkdir $(DATA_DIR)/$(caname)/private
- @chmod 700 $(DATA_DIR)/$(caname)/private
- @mkdir $(DATA_DIR)/$(caname)/clients
- @echo "01" > $(DATA_DIR)/$(caname)/serial
- @echo "01" > $(DATA_DIR)/$(caname)/crlnumber
- @touch $(DATA_DIR)/$(caname)/index.txt
-
-# Initialize the top-level CA structure and keys.
-init:
- @if [ -z "$(topca)" ]; then echo "Please specify the name of the root CA. Ex: make init topca=rootca.testbed.aaa"; exit 1; fi
- # Create the folder hierarchy
- @$(REMAKE) structure caname=$(topca)
- # Generate the self-signed certificate
- @CA_ROOT_DIR=$(DATA_DIR)/$(topca) openssl req $(CONFIG) -new -batch -x509 -days 3650 -nodes -newkey rsa:$(cakeysize) -out $(DATA_DIR)/$(topca)/public/cacert.pem \
- -keyout $(DATA_DIR)/$(topca)/private/cakey.pem -extensions ca_cert -subj /CN=$(topca)
- @ln -s cacert.pem $(DATA_DIR)/$(topca)/public/`openssl x509 -noout -hash < $(DATA_DIR)/$(topca)/public/cacert.pem`.0
- @touch $(DATA_DIR)/$(topca)/public/cachain.pem
- @ln -s ../../$(topca)/public/cacert.pem $(DATA_DIR)/$(topca)/public/caroot.pem
- @$(REMAKE) gencrl ca=$(topca)
-
-# Create a secondary CA
-newca:
- @if [ -z "$(name)" -o -z "$(ca)" ]; then echo "Missing parameter. Ex: make newca name=subca.testbed.aaa ca=rootca.testbed.aaa"; exit 1; fi
- @if [ ! -e $(DATA_DIR)/$(ca)/private/cakey.pem ]; then echo "The parent CA $(ca) does not exist."; exit 1; fi
- @if [ ! -d $(DATA_DIR)/$(name) ]; then $(REMAKE) structure caname=$(name); fi
- # Generate the private key and CSR for the new CA if needed
- @if [ ! -e $(DATA_DIR)/$(name)/private/cakey.pem ]; then \
- openssl genrsa -out $(DATA_DIR)/$(name)/private/cakey.pem $(cakeysize) ; fi
- @if [ ! -e $(DATA_DIR)/$(name)/private/cacsr.pem ]; then \
- CA_ROOT_DIR=$(DATA_DIR)/$(name) openssl req $(CONFIG) -new -batch -out $(DATA_DIR)/$(name)/private/cacsr.pem \
- -key $(DATA_DIR)/$(name)/private/cakey.pem \
- -subj /CN=$(name) -reqexts v3_req_ca; fi
- # Revoke a previous certificate for this CA if any
- @if [ -e $(DATA_DIR)/$(name)/public/cacert.pem ]; then \
- echo "Revoking previous certificate ..."; \
- $(REMAKE) revoke name=$(name) ca=$(ca); \
- mv $(DATA_DIR)/$(name)/public/cacert.pem $(DATA_DIR)/$(name)/public/cacert-$(DATE).pem; fi
- # Issue the new CA certificate
- @CA_ROOT_DIR=$(DATA_DIR)/$(ca) openssl ca $(CONFIG) -in $(DATA_DIR)/$(name)/private/cacsr.pem \
- -out $(DATA_DIR)/$(name)/public/cacert.pem \
- -batch -extensions ca_cert
- # Hash and link to parent
- @ln -s cacert.pem $(DATA_DIR)/$(ca)/public/`openssl x509 -noout -hash < $(DATA_DIR)/$(name)/public/cacert.pem`.0
- @rm -f $(DATA_DIR)/$(name)/parent
- @ln -s ../$(ca) $(DATA_DIR)/$(name)/parent
- @cat $(DATA_DIR)/$(name)/public/cacert.pem $(DATA_DIR)/$(ca)/public/cachain.pem > $(DATA_DIR)/$(name)/public/cachain.pem
- @ln -s ../../$(ca)/public/caroot.pem $(DATA_DIR)/$(name)/public/caroot.pem
- @for CRLFILE in `cd $(DATA_DIR)/$(ca)/public/crl && ls -1`; do ln -sf ../../../$(ca)/public/crl/$$CRLFILE $(DATA_DIR)/$(name)/public/crl/$$CRLFILE; done
- @$(REMAKE) gencrl ca=$(name)
-
-# Create a new certificate for use in TLS communications and other terminal usages
-newcert:
- @if [ -z "$(name)" -o -z "$(ca)" ]; then echo "Missing parameter. Ex: make newcert name=service.testbed.aaa ca=ca.testbed.aaa"; exit 1; fi
- @if [ ! -e $(DATA_DIR)/$(ca)/private/cakey.pem ]; then echo "The parent CA $(ca) does not exist."; exit 1; fi
- @if [ ! -d $(DATA_DIR)/$(ca)/clients/$(name) ]; then mkdir $(DATA_DIR)/$(ca)/clients/$(name); fi
- # Create a private key if needed
- @if [ ! -e $(DATA_DIR)/$(ca)/clients/$(name)/privkey.pem ]; then \
- openssl genrsa -out $(DATA_DIR)/$(ca)/clients/$(name)/privkey.pem $(keysize); fi
- # Create a CSR if needed
- @if [ ! -e $(DATA_DIR)/$(ca)/clients/$(name)/csr.pem ]; then \
- CA_ROOT_DIR=$(DATA_DIR)/$(ca) openssl req $(CONFIG) -new -batch -out $(DATA_DIR)/$(ca)/clients/$(name)/csr.pem \
- -key $(DATA_DIR)/$(ca)/clients/$(name)/privkey.pem \
- -subj /CN=$(name); fi
- # Revoke a previous certificate if any
- @if [ -e $(DATA_DIR)/$(ca)/clients/$(name)/cert.pem ]; then \
- $(REMAKE) revoke name=$(name) ca=$(ca); \
- mv $(DATA_DIR)/$(ca)/clients/$(name)/cert.pem $(DATA_DIR)/$(ca)/clients/$(name)/cert-$(DATE).pem; fi
- # Now sign the new certificate with the CA key
- @CA_ROOT_DIR=$(DATA_DIR)/$(ca) openssl ca $(CONFIG) -in $(DATA_DIR)/$(ca)/clients/$(name)/csr.pem \
- -out $(DATA_DIR)/$(ca)/clients/$(name)/cert.pem \
- -batch
- # Hash
- @ln -sf `cat $(DATA_DIR)/$(ca)/serial.old`.pem $(DATA_DIR)/$(ca)/public/`openssl x509 -noout -hash < $(DATA_DIR)/$(ca)/clients/$(name)/cert.pem`.0
- # Compiled informations for the client
- @cat $(DATA_DIR)/$(ca)/clients/$(name)/cert.pem $(DATA_DIR)/$(ca)/public/cachain.pem > $(DATA_DIR)/$(ca)/clients/$(name)/certchain.pem
- @ln -sf ../../public/crl $(DATA_DIR)/$(ca)/clients/$(name)/crl
- @ln -sf ../../public/caroot.pem $(DATA_DIR)/$(ca)/clients/$(name)/ca.pem
-
-# Revoke a certificate
-revoke:
- @if [ -z "$(name)" -o -z "$(ca)" ]; then echo "Missing parameter. Ex: make revoke name=service.testbed.aaa ca=ca.testbed.aaa"; exit 1; fi
- @if [ ! -e $(DATA_DIR)/$(ca)/private/cakey.pem ]; then echo "The parent CA $(ca) does not exist."; exit 1; fi
- @if [ ! -e $(DATA_DIR)/$(ca)/clients/$(name)/cert.pem ]; \
- then echo "$(DATA_DIR)/$(ca)/clients/$(name)/cert.pem not found"; \
- exit 1; \
- fi;
- # Revoke the certificate
- @CA_ROOT_DIR=$(DATA_DIR)/$(ca) openssl ca $(CONFIG) -revoke $(DATA_DIR)/$(ca)/clients/$(name)/cert.pem;
- @$(REMAKE) gencrl ca=$(ca)
-
-# Regenerate the Certificate Revocation List.
-gencrl:
- @if [ -z "$(ca)" ]; then echo "Missing parameter. Ex: make gencrl ca=ca.testbed.aaa"; exit 1; fi
- # Create the CRL
- @CA_ROOT_DIR=$(DATA_DIR)/$(ca) openssl ca $(CONFIG) -gencrl -out $(DATA_DIR)/$(ca)/public/crl/$(ca).pem
- @ln -s crl/$(ca).pem $(DATA_DIR)/$(ca)/public/local.pem
- @ln -s local.pem $(DATA_DIR)/$(ca)/public/`openssl crl -noout -hash < $(DATA_DIR)/$(ca)/public/crl/$(ca).pem`.r0
-
-# End of file...
--- a/contrib/ca_script2/openssl.cnf Thu May 27 17:15:11 2010 +0900 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000 
@@ -1,120 +0,0 @@
-# Note: for this file to be working, an environment var CA_ROOT_DIR = directory
-# must be defined and pointing to the CA top-level directory.
-
-HOME = .
-RANDFILE = $ENV::HOME/.rnd
-
-oid_section = new_oids
-
-[ new_oids ]
-
-
-####################################################################
-[ req ]
-default_bits = 1024
-# default_keyfile = privkey.pem
-string_mask = utf8only
-
-distinguished_name = req_distinguished_name
-attributes = req_attributes
-req_extensions = v3_req # overwrite with -reqexts
-x509_extensions = ca_cert # overwrite with -extensions; used for self-signed keys only
-
-[ req_distinguished_name ]
-countryName = Country Name (2 letter code)
-countryName_default = JP
-countryName_min = 2
-countryName_max = 2
-stateOrProvinceName = State or Province Name (full name)
-stateOrProvinceName_default = Tokyo
-localityName = Locality Name (eg, city)
-localityName_default = Koganei
-0.organizationName = Organization Name (eg, company)
-0.organizationName_default = WIDE
-1.organizationName = Second Organization Name (eg, company)
-1.organizationName_default = NICT
-organizationalUnitName = Organizational Unit Name (eg, section)
-organizationalUnitName_default = AAA WG testbed
-
-[ req_attributes ]
-challengePassword = A challenge password
-challengePassword_min = 0
-challengePassword_max = 20
-unstructuredName = An optional company name
-
-[ v3_req ]
-# Extensions to add to a certificate request
-basicConstraints = CA:FALSE
-keyUsage = nonRepudiation, digitalSignature, keyEncipherment
-
-[ v3_req_ca ]
-# Extensions to add to a certificate request for CA
-basicConstraints = CA:TRUE
-
-
-####################################################################
-[ ca ]
-default_ca = CA_default # The default ca section
-
-[ CA_default ]
-
-dir = $ENV::CA_ROOT_DIR # Where everything is kept
-certs = $dir/public # Where the issued certs are kept
-crl_dir = $dir/public # Where the issued crl are kept
-database = $dir/index.txt # database index file.
-#unique_subject = no # Set to 'no' to allow creation of
- # several ctificates with same subject.
-new_certs_dir = $dir/public # default place for new certs.
-
-certificate = $dir/public/cacert.pem # The CA certificate
-serial = $dir/serial # The current serial number
-crlnumber = $dir/crlnumber # the current crl number
-crl = $dir/public/local.pem # The current CRL
-private_key = $dir/private/cakey.pem # The private key
-x509_extensions = usr_cert # The extentions to add to the cert
- # overwrite with -extensions
-name_opt = ca_default # Subject Name options
-cert_opt = ca_default # Certificate field options
-crl_extensions = crl_ext
-
-default_days = 3650 # how long to certify for
-default_crl_days= 365 # how long before next CRL
-default_md = sha1 # which md to use.
-preserve = no # keep passed DN ordering
-
-# We accept to sign anything, but a real deployment would limit to proper domain etc...
-policy = policy_anything
-
-[ policy_anything ]
-countryName = optional
-stateOrProvinceName = optional
-localityName = optional
-organizationName = optional
-organizationalUnitName = optional
-commonName = supplied
-emailAddress = optional
-
-[ usr_cert ]
-basicConstraints=CA:FALSE
-# This is typical in keyUsage for a client certificate.
-keyUsage = nonRepudiation, digitalSignature, keyEncipherment
-subjectKeyIdentifier=hash
-authorityKeyIdentifier=keyid,issuer
-
-[ ca_cert ]
-# Extensions for a typical CA
-subjectKeyIdentifier=hash
-authorityKeyIdentifier=keyid:always,issuer:always
-basicConstraints = critical,CA:true # Remove "critical," in case of problems
-keyUsage = cRLSign, keyCertSign
-# subjectAltName=email:copy
-# Copy issuer details
-# issuerAltName=issuer:copy
-
-[ crl_ext ]
-# CRL extensions.
-# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
-# issuerAltName=issuer:copy
-authorityKeyIdentifier=keyid:always,issuer:always
-
-
--- a/contrib/phpki-0.82.patch Thu May 27 17:15:11 2010 +0900 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000 
@@ -1,284 +0,0 @@
-diff -Nur phpki-0.82/ca/main.php phpki-0.82-fD/ca/main.php
---- phpki-0.82/ca/main.php 2005-11-17 10:17:20.000000000 +0900
-+++ phpki-0.82-fD/ca/main.php 2010-05-27 17:04:44.000000000 +0900
-@@ -36,7 +36,7 @@
- else {
- ?>
- <font color=#ff0000>
-- <h2>There was an error updating the Certificate Revocation List.</h2></font><br>
-+ <h2>There was an error updating the Certificate Revocation List.</h2></font><br />
- <blockquote>
- <h3>Debug Info:</h3>
- <pre><?=$errtxt?></pre>
-@@ -53,8 +53,11 @@
- default:
- printHeader('ca');
- ?>
-- <br>
-- <br>
-+ <br />
-+ <br />
-+
-+ <center><h3>For <span style="color: #FF0000;">freeDiameter</span> specific instructions, scroll down this page...</h3></center><br />
-+
- <center>
- <table class=menu width=600><th class=menu colspan=2><big>CERTIFICATE MANAGEMENT MENU</big></th>
- 
-@@ -89,7 +92,57 @@
- 
- </table>
- </center>
-- <br><br>
-+ <br /><br />
-+ <center>
-+ <table class=menu width=900><th class=menu colspan=2><big>FREEDIAMETER INSTRUCTIONS</big></th>
-+ <tr><td style="text-align: center; vertical-align: middle; font-weight: bold;">
-+ Create a new certificate</td>
-+
-+ <td>Use the <strong><cite>Create a New Certificate</cite></strong> link in previous table to request a new certificate. Fill the form as follow:
-+ <ul>
-+ <li><strong>Common Name</strong>: use your new freeDiameter identity (usually the FQDN).</li>
-+ <li><strong>E-mail Address</strong>: Provide your address so that you can be contacted in case of inquiry.</li>
-+ <li><strong>Organization</strong>: use "freeDiameter testbed" for example.</li>
-+ <li><strong>Certificate Password</strong>: Do not loose the password you provide, you'll need it in the next step. <br />
-+ The password must be >= 8 chars.</li>
-+ <li>The other fields can be filled at your taste.</li>
-+ </ul>
-+ Once you have validated, you can check the values, and then proceed to download the new certificate and private key.
-+ You will receive a file in PEM format. Let's call this file <em>mycertprotected.pem</em>.
-+ It contains:
-+ <ul>
-+ <li>Your password-protected RSA private key.</li>
-+ <li>Your certificate in PEM format.</li>
-+ <li>The CA certificate.</li>
-+ </ul></td></tr>
-+
-+ <tr><td style="text-align: center; vertical-align: middle; font-weight: bold;">
-+ Split the file</td>
-+
-+ <td>In order to use the information with freeDiameter daemon, you must transform the data as follow:
-+ <ul>
-+ <li><strong>Decode the private key</strong>: <br />
-+ <code>openssl rsa -in <em>mycertprotected.pem</em> -out /etc/ssl/private/freeDiameter.key</code><br />
-+ OpenSSL will ask for the password you entered when creating the certificate.</li>
-+ <li><strong>Extract your certificate</strong>: <br />
-+ <code>openssl x509 -in <em>mycertprotected.pem</em> > /etc/ssl/certs/freeDiameter.pem</code></li>
-+ <li><strong>Get the CA certificate</strong>: <br />
-+ <code>wget --no-check-certificate "$config[base_url]index.php?stage=dl_root" -O /etc/ssl/certs/freeDiameter_testbed_CA.pem</code></li>
-+ </ul>
-+ Note: for the last step, you could also extract it directly from the PEM file you received.<br />
-+ Note: the CRL is also available from the website, but this feature is not tested yet.</td></tr>
-+
-+ <tr><td style="text-align: center; vertical-align: middle; font-weight: bold;">
-+ Configure freeDiameter</td>
-+
-+ <td>Here is the configuration related to TLS that you should set in your <em>/etc/freeDiameter/freeDiameter.conf</em> file:
-+ <blockquote>TLS_Cred = "/etc/ssl/certs/freeDiameter.pem", "/etc/ssl/private/freeDiameter.key";<br />
-+TLS_CA = "/etc/ssl/certs/freeDiameter_testbed_CA.pem";</blockquote></td></tr>
-+
-+
-+ </table>
-+ </center>
-+ <br /><br />
- <?
- printFooter();
- }
-diff -Nur phpki-0.82/ca/request_cert.php phpki-0.82-fD/ca/request_cert.php
---- phpki-0.82/ca/request_cert.php 2007-01-04 14:45:09.000000000 +0900
-+++ phpki-0.82-fD/ca/request_cert.php 2010-05-27 16:59:16.000000000 +0900
-@@ -197,6 +197,7 @@
- 
- switch($cert_type) {
- case 'server':
-+ case 'freediameter':
- upload(array("$config[private_dir]/$serial-key.pem","$config[new_certs_dir]/$serial.pem",$config['cacert_pem']), "$common_name ($email).pem",'application/pkix-cert');
- break;
- case 'email':
-@@ -225,7 +226,7 @@
- if (! $email) $email = "";
- if (! $expiry) $expiry = 1;
- if (! $keysize) $keysize = 1024;
-- if (! $cert_type) $cert_type = 'email';
-+ if (! $cert_type) $cert_type = 'freediameter';
- 
- printHeader();
- ?>
-@@ -302,13 +303,14 @@
- <td>Certificate Use: </td>
- <td><select name=cert_type>
- <?
-- print '<option value="email" '.($cert_type=='email'?'selected':'').'>E-mail, SSL Client</option>';
-- print '<option value="email_signing" '.($cert_type=='email_signing'?'selected':'').'>E-mail, SSL Client, Code Signing</option>';
-- print '<option value="server" '.($cert_type=='server'?'selected':'').'>SSL Server</option>';
-- print '<option value="vpn_client" '.($cert_type=='vpn_client'?'selected':'').'>VPN Client Only</option>';
-- print '<option value="vpn_server" '.($cert_type=='vpn_server'?'selected':'').'>VPN Server Only</option>';
-- print '<option value="vpn_client_server" '.($cert_type=='vpn_client_server'?'selected':'').'>VPN Client, VPN Server</option>';
-- print '<option value="time_stamping" '.($cert_type=='time_stamping'?'selected':'').'>Time Stamping</option>';
-+ print '<option value="email" disabled '.($cert_type=='email'?'selected':'').'>E-mail, SSL Client</option>';
-+ print '<option value="email_signing" disabled '.($cert_type=='email_signing'?'selected':'').'>E-mail, SSL Client, Code Signing</option>';
-+ print '<option value="server" disabled '.($cert_type=='server'?'selected':'').'>SSL Server</option>';
-+ print '<option value="freediameter" '.($cert_type=='freediameter'?'selected':'').'>freeDiameter node</option>';
-+ print '<option value="vpn_client" disabled '.($cert_type=='vpn_client'?'selected':'').'>VPN Client Only</option>';
-+ print '<option value="vpn_server" disabled '.($cert_type=='vpn_server'?'selected':'').'>VPN Server Only</option>';
-+ print '<option value="vpn_client_server" disabled '.($cert_type=='vpn_client_server'?'selected':'').'>VPN Client, VPN Server</option>';
-+ print '<option value="time_stamping" disabled '.($cert_type=='time_stamping'?'selected':'').'>Time Stamping</option>';
- ?>
- </select></td>
- </tr>
-diff -Nur phpki-0.82/include/openssl_functions.php phpki-0.82-fD/include/openssl_functions.php
---- phpki-0.82/include/openssl_functions.php 2007-01-04 15:47:57.000000000 +0900
-+++ phpki-0.82-fD/include/openssl_functions.php 2010-05-27 16:59:57.000000000 +0900
-@@ -69,6 +69,13 @@
- default_days = 365
- policy = policy_supplied
- 
-+[ freediameter_cert ]
-+x509_extensions = freediameter_ext
-+default_days = 730
-+policy = policy_supplied
-+
-+
-+
- [ vpn_cert ]
- x509_extensions = vpn_client_server_ext
- default_days = 365
-@@ -152,6 +159,24 @@
- nsRevocationUrl = ns_revoke_query.php?
- nsCaPolicyUrl = $config[base_url]policy.html
- 
-+[ freediameter_ext ]
-+basicConstraints = CA:false
-+keyUsage = critical, digitalSignature, keyEncipherment
-+extendedKeyUsage = critical, serverAuth, clientAuth
-+nsCertType = critical, server, client
-+subjectKeyIdentifier = hash
-+authorityKeyIdentifier = keyid:always, issuer:always
-+subjectAltName = DNS:$common_name,email:copy
-+issuerAltName = issuer:copy
-+crlDistributionPoints = URI:$config[base_url]index.php?stage=dl_crl
-+nsComment = \"PHPki/OpenSSL Generated Secure Certificate for freeDiameter\"
-+nsBaseUrl = $config[base_url]
-+nsRevocationUrl = ns_revoke_query.php?
-+nsCaPolicyUrl = $config[base_url]policy.html
-+
-+
-+
-+
- [ time_stamping_ext ]
- basicConstraints = CA:false
- keyUsage = critical, nonRepudiation, digitalSignature
-diff -Nur phpki-0.82/openssl.cnf phpki-0.82-fD/openssl.cnf
---- phpki-0.82/openssl.cnf 2006-07-23 00:33:34.000000000 +0900
-+++ phpki-0.82-fD/openssl.cnf 2010-05-27 17:00:33.000000000 +0900
-@@ -39,6 +39,11 @@
- default_days = 365
- policy = policy_supplied
- 
-+[ freediameter_cert ]
-+x509_extensions = freediameter_ext
-+default_days = 730
-+policy = policy_supplied
-+
- [ vpn_cert ]
- x509_extensions = vpn_client_server_ext
- default_days = 365
-@@ -115,6 +120,23 @@
- nsRevocationUrl = ns_revoke_query.php?
- nsCaPolicyUrl = http://www.somewhere.com/phpki/policy.html
- 
-+[ freediameter_ext ]
-+basicConstraints = CA:false
-+keyUsage = critical, digitalSignature, keyEncipherment
-+extendedKeyUsage = critical, serverAuth, clientAuth
-+nsCertType = critical, server, client
-+subjectKeyIdentifier = hash
-+authorityKeyIdentifier = keyid:always, issuer:always
-+subjectAltName = DNS:$common_name,email:copy
-+issuerAltName = issuer:copy
-+crlDistributionPoints = URI:$config[base_url]index.php?stage=dl_crl
-+nsComment = "PHPki/OpenSSL Generated Secure Certificate for freeDiameter"
-+nsBaseUrl = $config[base_url]
-+nsRevocationUrl = ns_revoke_query.php?
-+nsCaPolicyUrl = $config[base_url]policy.html
-+
-+
-+
- [ vpn_client_ext ]
- basicConstraints = critical, CA:false
- keyUsage = critical, digitalSignature
-diff -Nur phpki-0.82/setup.php phpki-0.82-fD/setup.php
---- phpki-0.82/setup.php 2007-07-22 23:34:08.000000000 +0900
-+++ phpki-0.82-fD/setup.php 2010-05-27 17:01:41.000000000 +0900
-@@ -339,6 +339,11 @@
- default_days = 365
- policy = policy_supplied
- 
-+[ freediameter_cert ]
-+x509_extensions = freediameter_ext
-+default_days = 730
-+policy = policy_supplied
-+
- [ vpn_cert ]
- x509_extensions = vpn_client_server_ext
- default_days = 365
-@@ -418,6 +423,22 @@
- nsRevocationUrl = ns_revoke_query.php?
- nsCaPolicyUrl = $config[base_url]policy.html
- 
-+[ freediameter_ext ]
-+basicConstraints = CA:false
-+keyUsage = critical, digitalSignature, keyEncipherment
-+extendedKeyUsage = critical, serverAuth, clientAuth
-+nsCertType = critical, server, client
-+subjectKeyIdentifier = hash
-+authorityKeyIdentifier = keyid:always, issuer:always
-+subjectAltName = DNS:$common_name,email:copy
-+issuerAltName = issuer:copy
-+crlDistributionPoints = URI:$config[base_url]index.php?stage=dl_crl
-+nsComment = "PHPki/OpenSSL Generated Secure Certificate for freeDiameter"
-+nsBaseUrl = $config[base_url]
-+nsRevocationUrl = ns_revoke_query.php?
-+nsCaPolicyUrl = $config[base_url]policy.html
-+
-+
- [ time_stamping_ext ]
- basicConstraints = CA:false
- keyUsage = critical, nonRepudiation, digitalSignature
-diff -Nur phpki-0.82/setup.php-presetup phpki-0.82-fD/setup.php-presetup
---- phpki-0.82/setup.php-presetup 2007-07-22 23:34:08.000000000 +0900
-+++ phpki-0.82-fD/setup.php-presetup 2010-05-27 17:01:41.000000000 +0900
-@@ -339,6 +339,11 @@
- default_days = 365
- policy = policy_supplied
- 
-+[ freediameter_cert ]
-+x509_extensions = freediameter_ext
-+default_days = 730
-+policy = policy_supplied
-+
- [ vpn_cert ]
- x509_extensions = vpn_client_server_ext
- default_days = 365
-@@ -418,6 +423,22 @@
- nsRevocationUrl = ns_revoke_query.php?
- nsCaPolicyUrl = $config[base_url]policy.html
- 
-+[ freediameter_ext ]
-+basicConstraints = CA:false
-+keyUsage = critical, digitalSignature, keyEncipherment
-+extendedKeyUsage = critical, serverAuth, clientAuth
-+nsCertType = critical, server, client
-+subjectKeyIdentifier = hash
-+authorityKeyIdentifier = keyid:always, issuer:always
-+subjectAltName = DNS:$common_name,email:copy
-+issuerAltName = issuer:copy
-+crlDistributionPoints = URI:$config[base_url]index.php?stage=dl_crl
-+nsComment = "PHPki/OpenSSL Generated Secure Certificate for freeDiameter"
-+nsBaseUrl = $config[base_url]
-+nsRevocationUrl = ns_revoke_query.php?
-+nsCaPolicyUrl = $config[base_url]policy.html
-+
-+
- [ time_stamping_ext ]
- basicConstraints = CA:false
- keyUsage = critical, nonRepudiation, digitalSignature