marking extensions critical, adding CPS-identifiers, adding Country
authorFelix Dörre <felix@dogcraft.de>
Sat, 3 Oct 2015 10:17:28 +0000 (12:17 +0200)
committerFelix Dörre <felix@dogcraft.de>
Sat, 3 Oct 2015 10:23:10 +0000 (12:23 +0200)
CAs/assured
CAs/codesign
CAs/env
CAs/orga
CAs/orgaSign
CAs/unassured
clear.sh
commonFunctions
generateKeys.sh
generateTime.sh

index 6750d88dadf02203e4b4e6e0665cee01749562cc..5f99e4141594643d764f1f16636a0bba44d6b4f9 100644 (file)
@@ -1 +1,2 @@
 name="Assured"
+CPSID=2
index f7fcad09d35229b676c3d0725614787f57e34e27..4c87677e904dd93b29e0c37a652123a166f506f4 100644 (file)
@@ -1 +1,2 @@
 name="Codesigning"
+CPSID=3
diff --git a/CAs/env b/CAs/env
index 8362e3269991e525921664b1f9c254be9c15df08..905fb1a95df6105b611e8c5146cf1a7b3e2813a5 100644 (file)
--- a/CAs/env
+++ b/CAs/env
@@ -1 +1,2 @@
 name="Environment"
+CPSID=4
index 101a52d60803b2f758a0f2891c4e7bcd833e4a79..f415609102244fc2361aed036df0cae75e7bd27c 100644 (file)
--- a/CAs/orga
+++ b/CAs/orga
@@ -1 +1,2 @@
 name="Orga"
+CPSID=5
index 82f9373c745213d6b63bf44b8740b789e09c7fbf..265f16477da3e685b121d290529da528a5a14a17 100644 (file)
@@ -1 +1,2 @@
 name="Orga sign"
+CPSID=6
index 4c34e423776d9a4e8e358059314c7cd7be59e5c8..8b2d5b97169ae60b2c886ab5228c3b9ef0dad97f 100644 (file)
@@ -1 +1,2 @@
 name="Unassured"
+CPSID=1
index 115cfd9d7826b036725d7abd5dc7f5d72ea544c0..bd5a6f737dbb2055029a18001b8447bfea877f27 100755 (executable)
--- a/clear.sh
+++ b/clear.sh
@@ -1,4 +1,4 @@
 #!/bin/sh
 
-rm -R generated
+rm -fR generated
 
index 168c610e03d8fa782e1ca45b02559647e3f3bc31..f46505b445d912f2d311f7f03bc6474003c616df 100644 (file)
@@ -3,7 +3,7 @@
 
 genKey(){ #subj, internalName
     openssl genrsa -out $2.key ${KEYSIZE}
-    openssl req -new -key $2.key -out $2.csr -subj "$1/O=Test Environment CA Ltd./OU=Test Environment CAs"
+    openssl req -new -key $2.key -out $2.csr -subj "$1/O=Test Environment CA Ltd./OU=Test Environment CAs/C=AU"
 
 }
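Review bot: `$2.key` and `$2.csr` are unquoted on both openssl lines, including the changed `-subj` line, so an internalName containing spaces or glob characters splits the arguments; write `"$2.key"` and `"$2.csr"` (and `"${KEYSIZE}"`). Separately, the CA private key written by `openssl genrsa -out $2.key` is created under the caller's umask, so with the usual 022 it lands world-readable on disk; since this produces CA keys, test environment or not, consider `(umask 077; openssl genrsa -out "$2.key" "${KEYSIZE}")` or a `chmod 600 "$2.key"` right after. genKey is fully inside the hunk.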
 
index d5d4750d30cb57d6f43f66f86b418a199395ac7d..d032a7b6aa832a6810acf28d41bda1af02cdfd9e 100755 (executable)
@@ -10,8 +10,8 @@ cd generated
 
 ####### create various extensions files for the various certificate types ######
 cat <<TESTCA > ca.cnf
-basicConstraints = CA:true
-keyUsage = keyCertSign, cRLSign
+basicConstraints = critical,CA:true
+keyUsage =critical, keyCertSign, cRLSign
 
 subjectKeyIdentifier = hash
 authorityKeyIdentifier = keyid:always
@@ -20,20 +20,33 @@ crlDistributionPoints=URI:http://g2.crl.${DOMAIN}/g2/root.crl
 authorityInfoAccess = OCSP;URI:http://g2.ocsp.${DOMAIN},caIssuers;URI:http://g2.crt.${DOMAIN}/g2/root.crt
 TESTCA
 
-cat <<TESTCA > subca.cnf
-basicConstraints = CA:true
-keyUsage = keyCertSign, cRLSign
+
+rootSign(){ # csr
+    POLICY=ca.cnf
+    if [[ "$1" != "root" ]] ; then
+       KNAME=$1
+       POLICY=subca.cnf
+       . ../CAs/${KNAME}
+       cat <<TESTCA > subca.cnf
+
+basicConstraints =critical, CA:true
+keyUsage =critical, keyCertSign, cRLSign
 
 subjectKeyIdentifier = hash
 authorityKeyIdentifier = keyid:always
 
 crlDistributionPoints=URI:http://g2.crl.${DOMAIN}/g2/root.crl
 authorityInfoAccess = OCSP;URI:http://g2.ocsp.${DOMAIN},caIssuers;URI:http://g2.crt.${DOMAIN}/g2/root.crt
-TESTCA
 
+certificatePolicies=@polsect
 
-rootSign(){ # csr
-    caSign "$1.ca/key" root subca.cnf
+[polsect]
+policyIdentifier = 1.3.6.1.4.1.18506.9.${CPSID}
+CPS.1="http://g2.cps.${DOMAIN}/g2/${KNAME}.cps"
+
+TESTCA
+    fi
+    caSign "$1.ca/key" root $POLICY
 }
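Review bot: `. ../CAs/${KNAME}` on the line after `POLICY=subca.cnf` reads CPSID into the shell, but nothing checks it was actually defined and CPSID is never reset between calls, so a CAs/&lt;name&gt; file lacking CPSID would silently reuse the previous CA's value and stamp the wrong OID into `policyIdentifier = 1.3.6.1.4.1.18506.9.${CPSID}` (or an OID ending in a trailing dot if no earlier call set it). Add `CPSID=` before the source and `: "${CPSID:?CPSID missing in CAs/${KNAME}}"` after it. The `[[ "$1" != "root" ]]` test is a bashism, fine if this file's shebang is bash (not visible here), but clear.sh in the same commit uses `#!/bin/sh`, so worth confirming. Also the generated subca.cnf is left in place after `caSign`, unlike generateTime.sh which removes its config file; harmless, but the last CA's CPS values linger on disk.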
 
 
index 300d823857f7c2ab8a3eaae120fb926b7d99f4c7..26f3cdf06abb611f63284f606d1f991d6fcd5296 100755 (executable)
@@ -9,15 +9,24 @@ year=$1
 cd generated
 
 genTimeCA(){ #csr,ca to sign with,start,end
+    KNAME=$2
+    . ../CAs/${KNAME}
     cat <<TESTCA > timesubca.cnf
-basicConstraints = CA:true
-keyUsage = keyCertSign, cRLSign
+basicConstraints=critical,CA:true
+keyUsage=critical,keyCertSign, cRLSign
 
 subjectKeyIdentifier = hash
 authorityKeyIdentifier = keyid:always
 
 crlDistributionPoints=URI:http://g2.crl.${DOMAIN}/g2/$2.crl
 authorityInfoAccess = OCSP;URI:http://g2.ocsp.${DOMAIN},caIssuers;URI:http://g2.crt.${DOMAIN}/g2/$2.crt
+
+certificatePolicies=@polsect
+
+[polsect]
+policyIdentifier = 1.3.6.1.4.1.18506.9.${CPSID}
+CPS.1="http://g2.cps.${DOMAIN}/g2/${KNAME}.cps"
+
 TESTCA
     caSign $1 $2 timesubca.cnf "$3" "$4"
     rm timesubca.cnf
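Review bot: `. ../CAs/${KNAME}` sources CPSID without checking it was defined and without clearing a value left over from an earlier genTimeCA call, so a CA file missing CPSID silently inherits the previous one's policy OID on the `policyIdentifier` line; add `CPSID=` before the source and `: "${CPSID:?CPSID missing in CAs/${KNAME}}"` after it. Note that the policy OID and the `CPS.1` URL are taken from the signing CA (`$2`), not from the certificate being issued — presumably intended, since the time-limited sub-CA inherits its parent's CPS, but a comment on the `KNAME=$2` line such as `# policy/CPS come from the signing CA's CAs/<name> file` would make that explicit. genTimeCA's closing brace is outside the hunk.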