os/security/cryptoservices/certificateandkeymgmt/testcertificates/openssl/generateCerts.pl
author sl@SLION-WIN7.fritz.box
Fri, 15 Jun 2012 03:10:57 +0200
changeset 0 bde4ae8d615e
permissions -rw-r--r--
First public contribution.
     1 #
     2 # Copyright (c) 2005-2009 Nokia Corporation and/or its subsidiary(-ies).
     3 # All rights reserved.
     4 # This component and the accompanying materials are made available
     5 # under the terms of the License "Eclipse Public License v1.0"
     6 # which accompanies this distribution, and is available
     7 # at the URL "http://www.eclipse.org/legal/epl-v10.html".
     8 #
     9 # Initial Contributors:
    10 # Nokia Corporation - initial contribution.
    11 #
    12 # Contributors:
    13 #
    14 # Description: 
    15 # Generate certs for testing OCSP against OpenSSL implementation
    16 #
    17 
    18 
    # OCSP responder URL for Root5. It is written into the authorityInfoAccess
    # extension file used when the GoodAIA-R5 certificate is signed.
    my $ocspR5addr = 'http://cam-ocsptest01.intra:19003';

    # Host name of the Apache server that serves the remote JAR files. It is
    # used as the CN of the Apache-R5 certificate.
    my $apacheaddr = 'cam-ocsptest01.intra';
    24 
    25 
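    # head SRC, DEST, LINES
    #
    # Copies at most the first LINES lines of SRC into DEST, replacing DEST.
    # The script uses it to cut a CA's index.txt back to its first entries so
    # that a certificate issued afterwards is no longer listed.
    #
    # Returns 1 on success and 0 if either file cannot be opened or written.
    sub head(@)
    {
        my ($src, $dest, $lines) = @_;

        # Three-argument open with lexical handles: the file name is taken
        # literally instead of being parsed for a mode prefix or a pipe.
        # SRC is opened first so that a missing source never truncates DEST.
        my $in;
        unless (open($in, '<', $src)) {
            warn "Can't open $src: $!\n";
            return 0;
        }

        my $out;
        unless (open($out, '>', $dest)) {
            warn "Can't open $dest: $!\n";
            close($in);
            return 0;
        }

        my $copied = 0;
        while ($copied < $lines) {
            my $fline = <$in>;
            # Stop at end of file instead of printing undef for missing lines.
            last unless defined $fline;
            print {$out} $fline;
            $copied++;
        }

        close($in);
        # Buffered write errors only surface when the handle is closed.
        unless (close($out)) {
            warn "Can't write $dest: $!\n";
            return 0;
        }
        return 1;
    }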
    43 
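    # createfile PATH
    #
    # Creates PATH as an empty file, truncating it if it already exists.
    # Returns 1 on success and 0 if the file cannot be created.
    sub createfile(@)
    {
        my $path = shift(@_);

        # The original opened the string ">shift(@_)". A function call is not
        # evaluated inside a double-quoted string, so the file that got created
        # was not the one named by the argument.
        my $touch;
        unless (open($touch, '>', $path)) {
            warn "Can't create $path: $!\n";
            return 0;
        }
        close($touch);
        return 1;
    }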
    49 
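    # mkcadirs CADIR
    #
    # Lays out an empty CA directory for "openssl ca": CADIR itself, an empty
    # index.txt, a serial file starting at 01, and the private and certs
    # sub-directories. Paths are built with backslashes, as in the rest of
    # this script.
    #
    # Returns the result of the last mkdir, as the original did.
    sub mkcadirs(@)
    {
        my $cadir = shift(@_);

        # Kept from the original. unlink() removes files, not directories, so
        # this only matters if a plain file of that name is in the way.
        unlink($cadir);
        mkdir($cadir);

        # Empty certificate database.
        if (open(my $index, '>', "$cadir\\index.txt")) {
            close($index);
        }
        else {
            warn "Can't create $cadir\\index.txt: $!\n";
        }

        # The serial file is written from Perl rather than through
        # system("echo 01 > ..."), so $cadir is never interpreted by a shell.
        if (open(my $serial, '>', "$cadir\\serial")) {
            print {$serial} "01\n";
            close($serial) or warn "Can't write $cadir\\serial: $!\n";
        }
        else {
            warn "Can't create $cadir\\serial: $!\n";
        }

        # private is where the script writes the key files.
        mkdir "$cadir\\private";
        return mkdir "$cadir\\certs";
    }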
    63 
    64 
    65 
    66 
    67 
    68 # Trash existing data
    69 
    70 use File::Path;
    71 
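    # Remove the output of any previous run, then recreate the Certs output
    # directory. The third rmtree argument switches on its "safe" mode; the
    # original passed the bareword true, which is only accepted because the
    # script does not enable strict.
    for my $stale_dir ("Root1", "Root2", "Root5", "OCSPSigningRoot", "Apache", "Certs") {
        rmtree($stale_dir, 0, 1);
    }

    # NOTE(review): Root5-Mid, which later copy() calls write into, is neither
    # removed here nor created anywhere in this script - confirm where it
    # comes from.
    mkdir "Certs" or warn "Can't create Certs: $!\n";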
    79 
    80 	 
    81 
    82 #############################################################
    83 ## OCSP	Certificates for testing
    84 ##
    85 ## There are three roots for testing OCSP, Root1, Root2 and Root5
    86 ##
    87 #############################################################
    88 
    89 
    90 
    91 # Root1 ##########################################################################
    92 
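    mkcadirs("Root1");

    # Every absolute path below hangs off SECURITYSOURCEDIR. The command
    # strings are handed to the shell by system() with $cert_path interpolated
    # unquoted, so a value containing spaces or shell metacharacters will split
    # or alter the commands; keep it to a plain path.
    $cert_path = "$ENV{'SECURITYSOURCEDIR'}\\testframework\\testcertificates\\certman\\testcertificates";
    warn "SECURITYSOURCEDIR is not set; absolute certificate paths will be wrong\n"
        unless defined $ENV{'SECURITYSOURCEDIR'};

    # Runs one command and reports a non-zero status. The original ignored the
    # result, so a failed openssl step went unnoticed and later steps worked
    # on missing or stale files.
    my $run_root1 = sub {
        my ($cmd) = @_;
        my $status = system($cmd);
        warn "command failed (wait status $status): $cmd\n" if $status != 0;
        return $status;
    };

    # All keys in this section are 1024-bit RSA and are written unencrypted
    # (-nodes). That is only acceptable for throwaway test fixtures; nothing
    # generated here should be trusted outside the OCSP test bench.

    # Generate root cert
    $run_root1->("openssl req -extensions NoOCSP_Ext -config openssl.config -x509 -newkey rsa:1024 -keyout Root1\\private\\ca.key.pem -out Root1\\Certs\\ca.pem -subj \"/O=Symbian Software Ltd/CN=Root1-RSA\" -days 3650 -nodes");
    $run_root1->("openssl x509 -in $cert_path\\openssl\\Root1\\Certs\\ca.pem -outform DER -out $cert_path\\openssl\\Certs\\Root1-RSA.der");

    # Generate Expired-R1: the validity window is one second long and lies in
    # the past, so the certificate is expired from the moment it is issued.
    $run_root1->("openssl req -config openssl.config -newkey rsa:1024 -keyout $cert_path\\openssl\\Root1\\private\\Expired-R1.key.pem -out Root1\\Expired-R1.req.pem -subj \"/O=Symbian Software Ltd/CN=Expired-R1\" -days 3650 -nodes");
    $run_root1->("openssl ca  -out $cert_path\\openssl\\Root1\\Certs\\Expired-R1.pem -config openssl.config -name Root1 -in $cert_path\\openssl\\Root1\\Expired-R1.req.pem -batch -startdate 820203120000Z -enddate 820203120001Z");
    $run_root1->("openssl x509 -in $cert_path\\openssl\\Root1\\Certs\\Expired-R1.pem -outform DER -out $cert_path\\openssl\\Certs\\Expired-R1.der");

    # Generate Good-R1
    $run_root1->("openssl req -config openssl.config -newkey rsa:1024 -keyout $cert_path\\openssl\\Root1\\private\\Good-R1.key.pem -out $cert_path\\openssl\\Root1\\Good-R1.req.pem -subj \"/O=Symbian Software Ltd/CN=Good-R1\" -days 3650 -nodes");
    $run_root1->("openssl ca  -config openssl.config -out $cert_path\\openssl\\Root1\\Certs\\Good-R1.pem -name Root1 -in Root1\\Good-R1.req.pem -batch -days 3650");
    $run_root1->("openssl x509 -in $cert_path\\openssl\\Root1\\Certs\\Good-R1.pem -outform DER -out $cert_path\\openssl\\Certs\\Good-R1.der");

    # Generate Revoked-R1: issued normally, then revoked with reason keyCompromise.
    $run_root1->("openssl req -config openssl.config -newkey rsa:1024 -keyout $cert_path\\openssl\\Root1\\private\\Revoked-R1.key.pem -out $cert_path\\openssl\\Root1\\Revoked-R1.req.pem -subj \"/O=Symbian Software Ltd/CN=Revoked-R1\" -days 3650 -nodes");
    $run_root1->("openssl ca  -out $cert_path\\openssl\\Root1\\Certs\\Revoked-R1.pem -config openssl.config -name Root1 -in $cert_path\\openssl\\Root1\\Revoked-R1.req.pem -batch -days 3650");
    $run_root1->("openssl x509 -in $cert_path\\openssl\\Root1\\Certs\\Revoked-R1.pem -outform DER -out $cert_path\\openssl\\Certs\\Revoked-R1.der");
    $run_root1->("openssl ca -config openssl.config -name Root1 -revoke $cert_path\\openssl\\Root1\\Certs\\Revoked-R1.pem -crl_reason keyCompromise");

    # Generate Unknown-R1
    $run_root1->("openssl req -config openssl.config -newkey rsa:1024 -keyout $cert_path\\openssl\\Root1\\private\\Unknown-R1.key.pem -out $cert_path\\openssl\\Root1\\Unknown-R1.req.pem -subj \"/O=Symbian Software Ltd/CN=Unknown-R1\" -days 3650 -nodes");
    $run_root1->("openssl ca  -out $cert_path\\openssl\\Root1\\Certs\\Unknown-R1.pem -config openssl.config -name Root1 -in $cert_path\\openssl\\Root1\\Unknown-R1.req.pem -batch -days 3650");
    $run_root1->("openssl x509 -in $cert_path\\openssl\\Root1\\Certs\\Unknown-R1.pem -outform DER -out $cert_path\\openssl\\Certs\\Unknown-R1.der");

    # Remove Unknown-R1 from the CA: keep only the first three index entries
    # (Expired, Good, Revoked) so the CA database no longer lists it.
    rename("Root1\\index.txt","Root1\\index.txt.new")
        or warn "Can't rename Root1\\index.txt: $!\n";
    head("Root1\\index.txt.new","Root1\\index.txt",3);
    # The original unlinked "Unknown-R1.pem.pem", a name nothing ever creates;
    # the certificate was written as Unknown-R1.pem above.
    unlink("Root1\\Certs\\Unknown-R1.pem");
    unlink("Root1\\index.txt.new");

    # Generate OCSPSigner-R1
    $run_root1->("openssl req -extensions NoOCSP_Ext -config openssl.config -newkey rsa:1024 -keyout $cert_path\\openssl\\Root1\\private\\OCSPSigner-R1.key.pem -out $cert_path\\openssl\\Root1\\OCSPSigner-R1.req.pem -subj \"/O=Symbian Software Ltd/CN=OCSPSigner-R1\" -days 3650 -nodes");
    # -name selects a CA section of openssl.config. The original passed a
    # file-system path here, unlike every other Root1 signing call.
    $run_root1->("openssl ca  -extensions NoOCSP_Ext -config openssl.config -name Root1 -in $cert_path\\openssl\\Root1\\OCSPSigner-R1.req.pem -batch -days 3650");
    # No -out was given, so the certificate is picked up by serial number.
    # This depends on exactly four certificates having been issued before it.
    $run_root1->("openssl x509 -in $cert_path\\openssl\\Root1\\Certs\\05.pem -outform DER -out $cert_path\\openssl\\Certs\\OCSPSigner-R1.der");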
   131 
   132 
   133 # Root2 ##########################################################################
   134 
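   mkcadirs("Root2");

   # Runs one command and reports a non-zero status. The original ignored the
   # result, so a failed openssl step went unnoticed and later steps worked
   # on missing or stale files.
   my $run_root2 = sub {
       my ($cmd) = @_;
       my $status = system($cmd);
       warn "command failed (wait status $status): $cmd\n" if $status != 0;
       return $status;
   };

   # Root2 is the DSA hierarchy. The parameters are 1024-bit and every key is
   # written unencrypted (-nodes): test fixtures only, never to be trusted
   # outside the OCSP test bench.
   $run_root2->("openssl dsaparam -out Root2\\dsaparam.pem 1024");
   my $keyParams= "-newkey dsa:Root2\\dsaparam.pem";

   # my $keyParams="-newkey rsa:1024";

   # Generate root cert
   $run_root2->("openssl req -extensions NoOCSP_Ext -config openssl.config -x509 $keyParams -keyout $cert_path\\openssl\\Root2\\private\\ca.key.pem -out $cert_path\\openssl\\Root2\\Certs\\ca.pem -subj \"/O=Symbian Software Ltd/CN=Root2-DSA\" -days 6000 -nodes");
   $run_root2->("openssl x509 -in $cert_path\\openssl\\Root2\\Certs\\ca.pem -outform DER -out $cert_path\\openssl\\Certs\\Root2-DSA.der");

   # Generate Expired-R2: the validity window is one second long and lies in
   # the past, so the certificate is expired from the moment it is issued.
   $run_root2->("openssl req -config openssl.config $keyParams -keyout $cert_path\\openssl\\Root2\\private\\Expired-R2.key.pem -out $cert_path\\openssl\\Root2\\Expired-R2.req.pem -subj \"/O=Symbian Software Ltd/CN=Expired-R2\" -days 3650 -nodes");
   $run_root2->("openssl ca  -config openssl.config -name Root2 -in $cert_path\\openssl\\Root2\\Expired-R2.req.pem -batch -out $cert_path\\openssl\\Root2\\Certs\\Expired-R2.pem -startdate 820203120000Z -enddate 820203120001Z");
   $run_root2->("openssl x509 -in Root2\\Certs\\Expired-R2.pem -outform DER -out $cert_path\\openssl\\Certs\\Expired-R2.der");

   # Generate Good-R2. From here on the certificates are picked up by serial
   # number (02.pem, 03.pem, ...), which depends on the order of issue.
   $run_root2->("openssl req -config openssl.config $keyParams -keyout $cert_path\\openssl\\Root2\\private\\Good-R2.key.pem -out $cert_path\\openssl\\Root2\\Good-R2.req.pem -subj \"/O=Symbian Software Ltd/CN=Good-R2\" -days 3650 -nodes");
   $run_root2->("openssl ca  -config openssl.config -name Root2 -in $cert_path\\openssl\\Root2\\Good-R2.req.pem -batch -days 3650");
   $run_root2->("openssl x509 -in $cert_path\\openssl\\Root2\\Certs\\02.pem -outform DER -out $cert_path\\openssl\\Certs\\Good-R2.der");

   # Generate Revoked-R2: issued normally, then revoked with reason keyCompromise.
   $run_root2->("openssl req -config openssl.config $keyParams -keyout $cert_path\\openssl\\Root2\\private\\Revoked-R2.key.pem -out $cert_path\\openssl\\Root2\\Revoked-R2.req.pem -subj \"/O=Symbian Software Ltd/CN=Revoked-R2\" -days 3650 -nodes");
   # -name selects a CA section of openssl.config. The original passed a
   # file-system path here, unlike the other Root2 signing calls.
   $run_root2->("openssl ca  -config openssl.config -name Root2 -in $cert_path\\openssl\\Root2\\Revoked-R2.req.pem -batch -days 3650");
   $run_root2->("openssl x509 -in $cert_path\\openssl\\Root2\\Certs\\03.pem -outform DER -out $cert_path\\openssl\\Certs\\Revoked-R2.der");
   $run_root2->("openssl ca -config openssl.config -name Root2 -revoke Root2\\Certs\\03.pem -crl_reason keyCompromise");

   # Generate Unknown-R2
   $run_root2->("openssl req -config openssl.config $keyParams -keyout $cert_path\\openssl\\Root2\\private\\Unknown-R2.key.pem -out Root2\\Unknown-R2.req.pem -subj \"/O=Symbian Software Ltd/CN=Unknown-R2\" -days 3650 -nodes");
   $run_root2->("openssl ca  -config openssl.config -name Root2 -in $cert_path\\openssl\\Root2\\Unknown-R2.req.pem -batch -days 3650");
   $run_root2->("openssl x509 -in Root2\\Certs\\04.pem -outform DER -out $cert_path\\openssl\\Certs\\Unknown-R2.der");

   # Remove Unknown-R2 from the CA: keep only the first three index entries
   # so the CA database no longer lists it.
   rename("Root2\\index.txt","Root2\\index.txt.new")
       or warn "Can't rename Root2\\index.txt: $!\n";
   head("Root2\\index.txt.new","Root2\\index.txt",3);
   unlink("Root2\\Certs\\04.pem");

   # Generate OCSPSigner-R2
   $run_root2->("openssl req -extensions NoOCSP_Ext -config openssl.config $keyParams -keyout $cert_path\\openssl\\Root2\\private\\OCSPSigner-R2.key.pem -out $cert_path\\openssl\\Root2\\OCSPSigner-R2.req.pem -subj \"/O=Symbian Software Ltd/CN=OCSPSigner-R2\" -days 6000 -nodes");
   # Same -name correction as for Revoked-R2 above.
   $run_root2->("openssl ca  -extensions NoOCSP_Ext -config openssl.config -name Root2 -in $cert_path\\openssl\\Root2\\OCSPSigner-R2.req.pem -batch -days 6000");
   $run_root2->("openssl x509 -in $cert_path\\openssl\\Root2\\Certs\\05.pem -outform DER -out $cert_path\\openssl\\Certs\\OCSPSigner-R2.der");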
   180 
   181 
   182 # Root5 ##########################################################################
   183 
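   mkcadirs("Root5");

   # Runs one command and reports a non-zero status. The original ignored the
   # result, so a failed openssl step went unnoticed and later steps worked
   # on missing or stale files.
   my $run_root5 = sub {
       my ($cmd) = @_;
       my $status = system($cmd);
       warn "command failed (wait status $status): $cmd\n" if $status != 0;
       return $status;
   };

   # All keys in this section are 1024-bit RSA and are written unencrypted
   # (-nodes): test fixtures only, never to be trusted outside the OCSP test
   # bench. Issued certificates are picked up by serial number (01.pem,
   # 02.pem, ...), which depends on the order of issue below.

   # Generate root cert
   $run_root5->("openssl req -extensions Root5_Root_Ext -config openssl.config -x509 -newkey rsa:1024 -keyout Root5\\private\\ca.key.pem -out Root5\\Certs\\ca.pem -subj \"/O=Symbian Software Ltd/CN=Root5-RSA\" -days 3650 -nodes");
   $run_root5->("openssl x509 -in $cert_path\\openssl\\Root5\\Certs\\ca.pem -outform DER -out $cert_path\\openssl\\Certs\\Root5-RSA.der");

   # Generate Expired-R5: the validity window is one second long and lies in
   # the past, so the certificate is expired from the moment it is issued.
   $run_root5->("openssl req  -config openssl.config -newkey rsa:1024 -keyout $cert_path\\openssl\\Root5\\private\\Expired-R5.key.pem -out Root5\\Expired-R5.req.pem -subj \"/O=Symbian Software Ltd/CN=Expired-R5\" -days 3650 -nodes");
   $run_root5->("openssl ca  -extensions Root5_Ext -config openssl.config -name Root5 -in Root5\\Expired-R5.req.pem -batch -startdate 820203120000Z -enddate 820203120001Z");
   $run_root5->("openssl x509 -in Root5\\Certs\\01.pem -outform DER -out $cert_path\\openssl\\Certs\\Expired-R5.der");

   # Generate Good-R5
   $run_root5->("openssl req -config openssl.config -newkey rsa:1024 -keyout Root5\\private\\Good-R5.key.pem -out Root5\\Good-R5.req.pem -subj \"/O=Symbian Software Ltd/CN=Good-R5\" -days 3650 -nodes");
   $run_root5->("openssl ca  -extensions Root5_Ext -config openssl.config -name Root5 -in Root5\\Good-R5.req.pem -batch -days 3650");
   $run_root5->("openssl x509 -in $cert_path\\openssl\\Root5\\Certs\\02.pem -outform DER -out $cert_path\\openssl\\Certs\\Good-R5.der");

   # Generate Revoked-R5: issued normally, then revoked with reason keyCompromise.
   $run_root5->("openssl req -config openssl.config -newkey rsa:1024 -keyout $cert_path\\openssl\\Root5\\private\\Revoked-R5.key.pem -out $cert_path\\openssl\\Root5\\Revoked-R5.req.pem -subj \"/O=Symbian Software Ltd/CN=Revoked-R5\" -days 3650 -nodes");
   $run_root5->("openssl ca  -extensions Root5_Ext -config openssl.config -name Root5 -in $cert_path\\openssl\\Root5\\Revoked-R5.req.pem -batch -days 3650");
   $run_root5->("openssl x509 -in $cert_path\\openssl\\Root5\\Certs\\03.pem -outform DER -out $cert_path\\openssl\\Certs\\Revoked-R5.der");
   $run_root5->("openssl ca -config openssl.config -name Root5 -revoke $cert_path\\openssl\\Root5\\Certs\\03.pem -crl_reason keyCompromise");

   # Generate Unknown-R5
   $run_root5->("openssl req -config openssl.config -newkey rsa:1024 -keyout $cert_path\\openssl\\Root5\\private\\Unknown-R5.key.pem -out $cert_path\\openssl\\Root5\\Unknown-R5.req.pem -subj \"/O=Symbian Software Ltd/CN=Unknown-R5\" -days 3650 -nodes");
   $run_root5->("openssl ca  -extensions Root5_Ext -config openssl.config -name Root5 -in $cert_path\\openssl\\Root5\\Unknown-R5.req.pem -batch -days 3650");
   $run_root5->("openssl x509 -in $cert_path\\openssl\\Root5\\Certs\\04.pem -outform DER -out $cert_path\\openssl\\Certs\\Unknown-R5.der");

   # Remove Unknown-R5 from the CA: keep only the first three index entries
   # so the CA database no longer lists it.
   rename("Root5\\index.txt","Root5\\index.txt.new")
       or warn "Can't rename Root5\\index.txt: $!\n";
   head("Root5\\index.txt.new","Root5\\index.txt",3);
   unlink("$cert_path\\openssl\\Root5\\Certs\\04.pem");

   # Generate Mid-R5, signed with the Root5_Mid extension section.
   $run_root5->("openssl req -config openssl.config -newkey rsa:1024 -keyout $cert_path\\openssl\\Root5\\private\\Mid-R5.key.pem -out $cert_path\\openssl\\Root5\\Mid-R5.req.pem -subj \"/O=Symbian Software Ltd/CN=Mid-R5\" -days 3650 -nodes");
   $run_root5->("openssl ca  -extensions Root5_Mid -config openssl.config -name Root5 -in $cert_path\\openssl\\Root5\\Mid-R5.req.pem -batch -days 3650");
   $run_root5->("openssl x509 -in $cert_path\\openssl\\Root5\\Certs\\05.pem -outform DER -out $cert_path\\openssl\\Certs\\Mid-R5.der");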
   221 
   222 use File::Copy;
   223 
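   # Runs one command and reports a non-zero status. The original ignored the
   # result, so a failed openssl step went unnoticed and later steps worked
   # on missing or stale files.
   my $run_mid5 = sub {
       my ($cmd) = @_;
       my $status = system($cmd);
       warn "command failed (wait status $status): $cmd\n" if $status != 0;
       return $status;
   };

   # NOTE(review): the first copy stores the Root5 *root* private key
   # (ca.key.pem) under the name Mid-R5.key.pem, next to the Mid-R5
   # certificate. The key generated for Mid-R5 is Root5\private\Mid-R5.key.pem,
   # so this looks like the wrong source file - confirm before relying on
   # Root5-Mid. The Root5-Mid directory is also not created by this script.
   copy("$cert_path\\openssl\\Root5\\private\\ca.key.pem","$cert_path\\openssl\\Root5-Mid\\Private\\Mid-R5.key.pem")
       or warn "copy to Root5-Mid\\Private\\Mid-R5.key.pem failed: $!\n";
   copy("$cert_path\\openssl\\Root5\\Certs\\05.pem","$cert_path\\openssl\\Root5-Mid\\Certs\\Mid-R5.pem")
       or warn "copy to Root5-Mid\\Certs\\Mid-R5.pem failed: $!\n";

   # Good-M5 is signed directly with the Mid-R5 certificate and key via
   # "openssl x509 -req", not through the Root5 CA section.
   $run_mid5->("openssl req -config openssl.config  -extensions Root5_Mid_EE -newkey rsa:1024 -keyout $cert_path\\openssl\\Root5\\private\\Good-M5.key.pem -out $cert_path\\openssl\\Root5\\Good-M5.req.pem -subj \"/O=Symbian Software Ltd/CN=Good-M5\" -days 3650 -nodes");
   $run_mid5->("openssl x509 -extfile Good-M5.extensions -req -in $cert_path\\openssl\\Root5\\Good-M5.req.pem -CA $cert_path\\openssl\\Root5\\certs\\05.pem -CAkey $cert_path\\openssl\\Root5\\private\\Mid-R5.key.pem -out $cert_path\\openssl\\Root5\\private\\Good-M5.cert.pem -CAserial Root5\\serial");
   $run_mid5->("openssl x509 -in Root5\\private\\Good-M5.cert.pem -outform DER -out $cert_path\\openssl\\Certs\\Good-M5.der");


   # Generate OCSPSigner-R5
   $run_mid5->("openssl req -config openssl.config -newkey rsa:1024 -keyout $cert_path\\openssl\\Root5\\private\\OCSPSigner-R5.key.pem -out $cert_path\\openssl\\Root5\\OCSPSigner-R5.req.pem -subj \"/O=Symbian Software Ltd/CN=OCSPSigner-R5\" -days 6000 -nodes");
   # -name selects a CA section of openssl.config. The original passed a
   # file-system path here, unlike the other Root5 signing calls.
   $run_mid5->("openssl ca  -extensions NoOCSP_Ext -config openssl.config -name Root5 -in $cert_path\\openssl\\Root5\\OCSPSigner-R5.req.pem -batch -days 6000");
   $run_mid5->("openssl x509 -in $cert_path\\openssl\\Root5\\Certs\\07.pem -outform DER -out $cert_path\\openssl\\Certs\\OCSPSigner-R5.der");


   # Generate GoodAIA-R5 cert, responder address specified in a cert extension.
   # The extension file is temporary and is removed again below.
   if (open(my $aia_ext, '>', "GoodAIA-R5.extension")) {
       print {$aia_ext} "authorityInfoAccess = OCSP;URI:$ocspR5addr";
       close($aia_ext) or warn "Can't write GoodAIA-R5.extension: $!\n";
   }
   else {
       warn "Can't create GoodAIA-R5.extension: $!\n";
   }

   $run_mid5->("openssl req -config openssl.config -newkey rsa:1024 -keyout $cert_path\\openssl\\Root5\\private\\GoodAIA-R5.key.pem -out $cert_path\\openssl\\Root5\\GoodAIA-R5.req.pem -subj \"/O=Symbian Software Ltd/CN=GoodAIA-R5\" -days 3650 -nodes");
   $run_mid5->("openssl ca  -extfile GoodAIA-R5.extension -config openssl.config -name Root5 -in $cert_path\\openssl\\Root5\\GoodAIA-R5.req.pem -batch -days 3650");
   $run_mid5->("openssl x509 -in $cert_path\\openssl\\Root5\\Certs\\08.pem -outform DER -out $cert_path\\openssl\\Certs\\GoodAIA-R5.der");

   unlink "GoodAIA-R5.extension";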
   248 
   249 
   250 # Apache certificate stuff
   251 
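   mkdir("Apache");

   # Runs one command and reports a non-zero status. The original ignored the
   # result, so a failed openssl step went unnoticed and later steps worked
   # on missing or stale files.
   my $run_apache = sub {
       my ($cmd) = @_;
       my $status = system($cmd);
       warn "command failed (wait status $status): $cmd\n" if $status != 0;
       return $status;
   };

   # Generate Apache-R5 cert, certificate used for SSL on apache server.
   # The server key is 1024-bit RSA and unencrypted (-nodes); it is a test
   # fixture and must not be reused on a server that matters.
   $run_apache->("openssl req -config openssl.config -newkey rsa:1024 -keyout $cert_path\\openssl\\Root5\\private\\Apache-R5.key.pem -out Root5\\Apache-R5.req.pem -subj \"/O=Symbian Software Ltd/CN=$apacheaddr\" -days 6000 -nodes");
   $run_apache->("openssl ca  -config openssl.config -name Root5 -in $cert_path\\openssl\\Root5\\Apache-R5.req.pem -batch -days 6000");
   $run_apache->("openssl x509 -in $cert_path\\openssl\\Root5\\Certs\\09.pem -outform DER -out $cert_path\\openssl\\Certs\\Apache-R5.der");

   copy("Root5\\Certs\\09.pem","$cert_path\\openssl\\Apache\\Apache-R5.pem")
       or warn "copy of Apache-R5.pem failed: $!\n";
   # The original source path had $cert_path spliced into the middle of a
   # relative path and named no existing file; the key is written to
   # Root5\private\Apache-R5.key.pem by the req call above.
   copy("$cert_path\\openssl\\Root5\\private\\Apache-R5.key.pem","$cert_path\\openssl\\Apache\\Apache-R5.key.pem")
       or warn "copy of Apache-R5.key.pem failed: $!\n";

   # The original wrote "Certs\ca.pem" with a single backslash; in a
   # double-quoted string \c followed by a is a control character, so the
   # path never matched the root certificate.
   copy("$cert_path\\openssl\\Root5\\Certs\\ca.pem","$cert_path\\openssl\\Apache\\Root5-RSA.pem")
       or warn "copy of Root5-RSA.pem failed: $!\n";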
   264 
   265 
   266 # OCSPSigningRoot ##########################################################################
   267 
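   mkcadirs("OCSPSigningRoot");

   # Runs one command and reports a non-zero status. The original ignored the
   # result, so a failed openssl step went unnoticed and later steps worked
   # on missing or stale files.
   my $run_ocspsr = sub {
       my ($cmd) = @_;
       my $status = system($cmd);
       warn "command failed (wait status $status): $cmd\n" if $status != 0;
       return $status;
   };

   # Both keys are 1024-bit RSA and are written unencrypted (-nodes): test
   # fixtures only, never to be trusted outside the OCSP test bench.

   # Generate root cert
   $run_ocspsr->("openssl req -config openssl.config -x509 -newkey rsa:1024 -keyout $cert_path\\openssl\\OCSPSigningRoot\\private\\ca.key.pem -out $cert_path\\openssl\\OCSPSigningRoot\\Certs\\ca.pem -subj \"/O=Symbian Software Ltd/CN=OCSPSigningRoot-RSA\" -days 3650 -nodes");
   $run_ocspsr->("openssl x509 -in $cert_path\\openssl\\OCSPSigningRoot\\Certs\\ca.pem -outform DER -out $cert_path\\openssl\\Certs\\OCSPSigningRoot-RSA.der");

   # Generate Signer-OCSPR; it is the first certificate this CA issues, hence
   # 01.pem below.
   $run_ocspsr->("openssl req -config openssl.config -newkey rsa:1024 -keyout $cert_path\\openssl\\OCSPSigningRoot\\private\\Signer-OCSPR.key.pem -out $cert_path\\openssl\\OCSPSigningRoot\\Signer-OCSPR.req.pem -subj \"/O=Symbian Software Ltd/CN=Signer-OCSPR\" -days 3650 -nodes");
   $run_ocspsr->("openssl ca  -config openssl.config -name OCSPSigningRoot -in $cert_path\\openssl\\OCSPSigningRoot\\Signer-OCSPR.req.pem -batch -days 3650");
   $run_ocspsr->("openssl x509 -in $cert_path\\openssl\\OCSPSigningRoot\\Certs\\01.pem -outform DER -out $cert_path\\openssl\\Certs\\Signer-OCSPR.der");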
   278