fic/server
Archived
1
0
Fork 0
Code Issues Pull requests 10 Releases Wiki Activity

Add a Dockerfile for frontend test container; adapt code to simplify synchronization or Docker linkage

Browse source
This commit is contained in:
nemunaire 2014-11-21 15:55:38 +01:00
commit bca09af2e0
15 changed files with 329 additions and 218 deletions
Download patch file Download diff file Expand all files Collapse all files

145
misc/CA.sh
View file

@ -10,10 +10,15 @@ if [ -z "${OPENSSL_CONF}" ]; then
OPENSSL_CONF=openssl.cnf
fi
CAKEY=./cakey.key
CAREQ=./careq.csr
CACERT=./cacert.crt
CAKEY=${TOP_DIR}/private/cakey.key
CAREQ=${TOP_DIR}/careq.csr
CACRT=./shared/cacert.crt
SRVKEY=./shared/server.key
SRVREQ=./shared/server.csr
SRVCRT=./shared/server.crt
# Generate certificates valid for:
DAYS=2
if [ -z "$PS1" ]
@ -42,12 +47,13 @@ usage()
clean()
{
if [ "$1" = "ca" ]; then
rm -rf ${TOP_DIR}
rm -rf ${TOP_DIR} ./shared/*
mkdir -p ${TOP_DIR}/certs
mkdir -p ${TOP_DIR}/crl
mkdir -p ${TOP_DIR}/newcerts
mkdir -p ${TOP_DIR}/private
mkdir -p ${TOP_DIR}/pkcs
mkdir -p ./shared
echo "01" > ${TOP_DIR}/crlnumber
elif [ "$1" = "client" ]; then
rm -rf ${TOP_DIR}/${2}.key ${TOP_DIR}/${2}.csr
@ -57,10 +63,10 @@ clean()
gen_crl()
{
echo $ECHO_OPTS "${GREEN}Generate crl.pem${COLOR_RST}"
openssl ca -config ${OPENSSL_CONF} -gencrl -out ${TOP_DIR}/crl.pem > $OUTPUT 2>&1
if [ $? -ne 0 ]; then
echo $ECHO_OPTS "${RED}Generate crl.pem failed"
echo $ECHO_OPTS "${GREEN}Generate shared/crl.pem${COLOR_RST}"
if ! openssl ca -config ${OPENSSL_CONF} -gencrl -out shared/crl.pem > $OUTPUT 2>&1
then
echo $ECHO_OPTS "${RED}Generate shared/crl.pem failed"
cat $OUTPUT
exit 5
fi
@ -72,9 +78,7 @@ OUTPUT=$(mktemp)
case $1 in
"-newca" )
echo -n $ECHO_OPTS "${GREEN}Create the directories, take care this will delete"
echo $ECHO_OPTS " the old directories ${COLOR_RST}"
# sleep 1; echo -n "1 "; sleep 1; echo -n "2 "; sleep 1; echo "3"
echo $ECHO_OPTS "${GREEN}Create the directories, take care this will delete the old directories ${COLOR_RST}"
clean "ca"
touch ${TOP_DIR}/index.txt
@ -92,30 +96,30 @@ case $1 in
fi
pass=`pwgen -n -B -y 12 1`
openssl req -batch -new -keyout ${TOP_DIR}/private/${CAKEY} \
-out ${TOP_DIR}/${CAREQ} -passout pass:$pass \
-config $OPENSSL_CONF -extensions CORE_CA > $OUTPUT 2>&1
if [ $? -ne 0 ]; then
if ! openssl req -batch -new -keyout ${CAKEY} \
-out ${CAREQ} -passout pass:$pass \
-config ${OPENSSL_CONF} -extensions CORE_CA > $OUTPUT 2>&1
then
cat $OUTPUT
clean "ca"
exit 4
fi
# This line deleted the passphase for the FIC 2014 automatisation
openssl rsa -passin pass:$pass -in ${TOP_DIR}/private/${CAKEY} \
-out ${TOP_DIR}/private/${CAKEY} > $OUTPUT 2>&1
if [ $? -ne 0 ]; then
if ! openssl rsa -passin pass:$pass -in ${CAKEY} \
-out ${CAKEY} > $OUTPUT 2>&1
then
cat $OUTPUT
clean "ca"
exit 4
fi
echo $ECHO_OPTS "${GREEN}Self signes the CA certificate${COLOR_RST}"
openssl ca -batch -create_serial -out ${TOP_DIR}/${CACERT} \
-days ${DAYS} -keyfile ${TOP_DIR}/private/${CAKEY} \
-selfsign -extensions CORE_CA -config ${OPENSSL_CONF} \
-infiles ${TOP_DIR}/${CAREQ} > $OUTPUT 2>&1
if [ $? -ne 0 ]; then
if ! openssl ca -batch -create_serial -out ${CACRT} \
-days ${DAYS} -keyfile ${CAKEY} \
-selfsign -extensions CORE_CA -config ${OPENSSL_CONF} \
-infiles ${CAREQ} > $OUTPUT 2>&1
then
cat $OUTPUT
clean "ca"
exit 4
@ -124,46 +128,45 @@ case $1 in
"-newserver" )
echo $ECHO_OPTS "${GREEN}Making the Server key and cert${COLOR_RST}"
if ! [ -f ${TOP_DIR}/private/${CAKEY} ]; then
if ! [ -f ${CAKEY} ]; then
echo $ECHO_OPTS "${RED}Can not found the CA's key${COLOR_RST}"
exit 2
fi
sed -i 's/=.*#COMMONNAME/=10.226.3.70#COMMONNAME/' $OPENSSL_CONF
openssl req -batch -new -keyout server.key -out server.csr \
-days ${DAYS} -config ${OPENSSL_CONF} -extensions SERVER_SSL > $OUTPUT 2>&1
if [ $? -ne 0 ]; then
if ! openssl req -batch -new -keyout ${SRVKEY} -out ${SRVREQ} \
-days ${DAYS} -config ${OPENSSL_CONF} -extensions SERVER_SSL > $OUTPUT 2>&1
then
cat $OUTPUT
exit 4
fi
echo $ECHO_OPTS "${GREEN}Signing the Server crt${COLOR_RST}"
openssl ca -policy policy_match -config ${OPENSSL_CONF} \
-out server.crt -extensions SERVER_SSL -infiles server.csr
if [ $? -ne 0 ]; then
if ! openssl ca -policy policy_match -config ${OPENSSL_CONF} \
-out ${SRVCRT} -extensions SERVER_SSL -infiles ${SRVREQ}
then
echo $ECHO_OPTS "${RED}Signing failed for new server${COLOR_RST}"
rm -rf server.key server.crt server.csr
rm -f ${SRVKEY} ${SRVREQ} ${SRVCRT}
cat $OUTPUT
exit 3
else
rm server.csr # remove ?
echo $ECHO_OPTS "${GREEN}Signed certificate is in server.crt${COLOR_RST}"
rm ${SRVREQ}
echo $ECHO_OPTS "${GREEN}Signed certificate is in ${SRVCRT}${COLOR_RST}"
fi
;;
"-revokeserver" )
echo $ECHO_OPTS "${GREEN}Revocate server certificate${COLOR_RST}"
if ! [ -f ${TOP_DIR}/private/${CAKEY} ]; then
if ! [ -f ${CAKEY} ]; then
echo $ECHO_OPTS "${RED}Can not found the CA's key${COLOR_RST}"
exit 2
fi
openssl ca -revoke server.crt -config ${OPENSSL_CONF}\
-keyfile ${TOP_DIR}/private/${CAKEY} \
-cert ${TOP_DIR}/${CACERT} > $OUTPUT 2>&1
if [ $? -ne 0 ]; then
if ! openssl ca -revoke ${SRVCRT} -config ${OPENSSL_CONF} \
-keyfile ${CAKEY} -cert ${CACRT} > $OUTPUT 2>&1
then
echo $ECHO_OPTS "${RED}Server certificate revocation failed${COLOR_RST}"
cat $OUTPUT
exit 4
fi
rm server.crt server.key
rm ${SRVKEY} ${SRVCRT}
gen_crl
;;
@ -173,13 +176,20 @@ case $1 in
echo "Usage: $0 -newclient NAME"
exit 1
fi
CLTNAM=$2
CLTREQ=${TOP_DIR}/${CLTNAM}.csr
CLTCRT=${TOP_DIR}/${CLTNAM}.crt
CLTKEY=${TOP_DIR}/${CLTNAM}.key
CLTP12=${TOP_DIR}/pkcs/${CLTNAM}.p12
echo "=============================================================="
echo $ECHO_OPTS "${GREEN}Making the client key and csr of ${BOLD}${2}${END_BOLD}${COLOR_RST}"
ESCAPED=$(echo "${TOP_DIR}" | sed 's/[\/\.]/\\&/g')
sed -i "s/=.*#DIR/= ${ESCAPED} #DIR/" $OPENSSL_CONF
if ! [ -f ${TOP_DIR}/private/${CAKEY} ]; then
if ! [ -f ${CAKEY} ]; then
echo $ECHO_OPTS "${RED}Can not found the CA's key${COLOR_RST}"
exit 2
fi
@ -193,39 +203,39 @@ case $1 in
pass=`pwgen -n -B -y 12 1`
openssl req -batch -new -keyout ${TOP_DIR}/${2}.key -out ${TOP_DIR}/${2}.csr \
-config ${OPENSSL_CONF} -passout pass:$pass -days ${DAYS} -extensions CLIENT_SSL > $OUTPUT 2>&1
if [ $? -ne 0 ]; then
if ! openssl req -batch -new -keyout "${CLTKEY}" -out "${CLTREQ}" \
-config ${OPENSSL_CONF} -passout pass:$pass -days ${DAYS} -extensions CLIENT_SSL > $OUTPUT 2>&1
then
cat $OUTPUT
clean "client" $2
clean "client" ${CLTNAM}
exit 4
fi
echo $ECHO_OPTS "${GREEN}Signing the Client crt${COLOR_RST}"
openssl ca -batch -policy policy_match -out ${TOP_DIR}/${2}.crt \
-config ${OPENSSL_CONF} -extensions CLIENT_SSL -infiles ${TOP_DIR}/${2}.csr > $OUTPUT 2>&1
if [ $? -ne 0 ]; then
if ! openssl ca -batch -policy policy_match -out "${CLTCRT}" \
-config ${OPENSSL_CONF} -extensions CLIENT_SSL -infiles "${CLTREQ}" > $OUTPUT 2>&1
then
echo $ECHO_OPTS "${RED}Signing failed for $2 ${COLOR_RST}"
cat $OUTPUT
clean "client" $2
clean "client" ${CLTNAM}
exit 3
fi
echo $ECHO_OPTS "${GREEN}Export the Client files to pkcs12${COLOR_RST}"
openssl pkcs12 -export -inkey ${TOP_DIR}/${2}.key -in ${TOP_DIR}/${2}.crt -name ${2} \
-passin pass:$pass -out ${TOP_DIR}/pkcs/${2}.p12 \
-passout pass:$pass > $OUTPUT 2>&1
if [ $? -ne 0 ]; then
if ! openssl pkcs12 -export -inkey "${CLTKEY}" -in "${CLTCRT}" -name ${2} \
-passin pass:$pass -out "${CLTP12}" \
-passout pass:$pass > $OUTPUT 2>&1
then
echo $ECHO_OPTS "${RED}pkcs12 export failed for ${BOLD}$2${END_BOLD}${COLOR_RST}"
cat $OUTPUT
clean "client" $2
clean "client" ${CLTNAM}
exit 4
else
echo $ECHO_OPTS "Exported pkcs12 file is ${2}.p12"
echo $ECHO_OPTS "Exported pkcs12 file is ${CLTP12}"
fi
mv ${TOP_DIR}/${2}.crt ${TOP_DIR}/certs
echo "$2:$pass" >> ${TOP_DIR}/../teams.pass
echo "$pass"
clean "client" $2
mv ${CLTCRT} ${TOP_DIR}/certs
echo "$CLTNAM:$pass" >> ${TOP_DIR}/../teams.pass
echo "$CLTNAM:$pass"
clean "client" ${CLTNAM}
;;
"-revoke" )
@ -233,17 +243,20 @@ case $1 in
echo "Usage: $0 -revoke NAME"
exit 1
fi
echo $ECHO_OPTS "${GREEN}Revocate ${BOLD}${2}${END_BOLD}${COLOR_RST}"
openssl ca -revoke ${TOP_DIR}/certs/${2}.crt -config ${OPENSSL_CONF}\
-keyfile ${TOP_DIR}/private/${CAKEY} \
-cert ${TOP_DIR}/${CACERT} > $OUTPUT 2>&1
if [ $? -ne 0 ]; then
echo $ECHO_OPTS "${RED}Revocation failed for ${BOLD}${2}${END_BOLD}${COLOR_RST}"
CLTNAM=$2
CLTCRT=${TOP_DIR}/${CLTNAM}.crt
CLTP12=${TOP_DIR}/pkcs/${CLTNAM}.p12
echo $ECHO_OPTS "${GREEN}Revocate ${BOLD}${CLTNAM}${END_BOLD}${COLOR_RST}"
if ! openssl ca -revoke ${CLTCRT} -config ${OPENSSL_CONF}\
-keyfile ${CAKEY} -cert ${CACRT} > $OUTPUT 2>&1
then
echo $ECHO_OPTS "${RED}Revocation failed for ${BOLD}${CLTNAM}${END_BOLD}${COLOR_RST}"
cat $OUTPUT
exit 4
fi
rm ${TOP_DIR}/certs/${2}.crt
rm ${TOP_DIR}/pkcs/${2}.p12
rm "${CLTCRT}" "${CLTP12}"
gen_crl
;;

4
misc/openssl.cnf
View file

@ -47,11 +47,11 @@ database = $dir/index.txt # database index file.
# several ctificates with same subject.
new_certs_dir = $dir/newcerts # default place for new certs.
certificate = $dir/cacert.crt # The CA certificate
certificate = $dir/../shared/cacert.crt # The CA certificate
serial = $dir/serial # The current serial number
crlnumber = $dir/crlnumber # the current crl number
# must be commented out to leave a V1 CRL
crl = $dir/crl.pem # The current CRL
crl = $dir/../shared/crl.pem # The current CRL
private_key = $dir/private/cakey.key # The private key
RANDFILE = $dir/private/.rand # private random number file