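#
# Copyright (c) 2005-2009 Nokia Corporation and/or its subsidiary(-ies).
# All rights reserved.
# This component and the accompanying materials are made available
# under the terms of the License "Eclipse Public License v1.0"
# which accompanies this distribution, and is available
# at the URL "http://www.eclipse.org/legal/epl-v10.html".
#
# Initial Contributors:
# Nokia Corporation - initial contribution.
#
# Contributors:
#
# Description:
# Generate certs for testing OCSP against OpenSSL implementation
#

use strict;
use warnings;

use File::Path;

# $cert_path is assigned further down in this script (derived from the
# SECURITYSOURCEDIR environment variable); it is declared here as a package
# variable so that the later assignment compiles under 'use strict'.
our $cert_path;

# address of the Root5 responder, needed for Authority Info Access cert
my $ocspR5addr = "http://cam-ocsptest01.intra:19003";

# Address of the Apache server used for serving remote JAR files
my $apacheaddr = "cam-ocsptest01.intra";


# head($src, $dest, $lines)
#
# Copy the first $lines lines of $src into $dest.  The script uses it to
# truncate a CA's index.txt so that the most recently issued certificate is
# no longer known to that CA (the "Unknown" test certificates).
#
# Returns true on success.  If either file cannot be opened, a warning is
# emitted and false is returned without touching any handle (the original
# version only printed a message and carried on reading from an unopened
# handle).  If $src has fewer than $lines lines, copying simply stops at
# end of file.
sub head
{
    my ($src, $dest, $lines) = @_;

    open(my $in, '<', $src) or do { warn "Can't open $src: $!\n"; return 0; };
    open(my $out, '>', $dest) or do { warn "Can't open $dest: $!\n"; close($in); return 0; };

    for (my $count = 0; $count < $lines; $count++)
    {
        my $fline = <$in>;
        last unless defined $fline;    # $src is shorter than $lines
        print {$out} $fline;
    }
    close($in);
    # Buffered write errors only surface at close, so check it.
    close($out) or do { warn "Can't close $dest: $!\n"; return 0; };
    return 1;
}

# createfile($path)
#
# Create an empty file at $path ("touch").  Not used by this script at the
# moment.  The original built the filename from the literal string
# ">shift(@_)", which created a file whose name contained the arguments
# rather than the file named by the argument.
#
# Returns true on success, warns and returns false otherwise.
sub createfile
{
    my $path = shift(@_);

    open(my $fh, '>', $path) or do { warn "Can't create $path: $!\n"; return 0; };
    close($fh) or warn "Can't close $path: $!\n";
    return 1;
}

# mkcadirs($cadir)
#
# Create the working directory layout for one test CA:
#   $cadir\index.txt  - empty CA database that "openssl ca" appends to
#   $cadir\serial     - next serial number, starting at 01
#   $cadir\private    - private keys
#   $cadir\certs      - issued certificates
# Paths are built with backslashes because the script targets Windows.
# Failures are reported with warnings; the subsequent openssl commands
# will fail loudly on their own if the layout is missing.
sub mkcadirs
{
    my $cadir = shift(@_);

    # A stale regular file with the CA's name would block mkdir.  The old
    # unconditional unlink() was a no-op on a directory anyway.
    unlink($cadir) if -f $cadir;
    mkdir($cadir) or warn "Can't create $cadir: $!\n";

    if (open(my $index, '>', "$cadir\\index.txt"))
    {
        close($index) or warn "Can't close $cadir\\index.txt: $!\n";
    }
    else
    {
        warn "Can't create $cadir\\index.txt: $!\n";
    }

    # Write the starting serial directly instead of via "echo 01 > file"
    # so that no shell is involved.
    if (open(my $serial, '>', "$cadir\\serial"))
    {
        print {$serial} "01\n";
        close($serial) or warn "Can't close $cadir\\serial: $!\n";
    }
    else
    {
        warn "Can't create $cadir\\serial: $!\n";
    }

    mkdir("$cadir\\private") or warn "Can't create $cadir\\private: $!\n";
    mkdir("$cadir\\certs") or warn "Can't create $cadir\\certs: $!\n";
    return 1;
}


# Trash existing data so every run starts from a clean CA state.
# rmtree's third argument (safe mode, previously the bareword "true")
# makes it skip entries it cannot delete rather than change permissions.

rmtree("Root1", 0, 1);
rmtree("Root2", 0, 1);
rmtree("Root5", 0, 1);
rmtree("OCSPSigningRoot", 0, 1);
rmtree("Apache", 0, 1);
rmtree("Certs", 0, 1);
mkdir "Certs" or warn "Can't create Certs: $!\n";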
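#############################################################
## OCSP Certificates for testing
##
## There are three roots for testing OCSP, Root1, Root2 and Root5
##
#############################################################

use File::Copy;

# _run($cmd)
#
# Run one openssl command line via system().  The command strings in this
# script are constant text plus $cert_path / $keyParams / $apacheaddr, so
# the shell form is kept; the helper only adds the exit-status check that
# the bare system() calls lacked, so a failed step is visible in the log
# instead of silently producing a missing certificate.
# Returns true when the command exited with status 0.
sub _run
{
    my $cmd = shift(@_);

    my $status = system($cmd);
    if ($status != 0)
    {
        warn "Command failed (status $status): $cmd\n";
        return 0;
    }
    return 1;
}

# _copy_file($from, $to)
#
# File::Copy::copy() with a warning on failure (copy() returns false and
# sets $! but the original script ignored that).
sub _copy_file
{
    my ($from, $to) = @_;

    copy($from, $to) or warn "Can't copy $from to $to: $!\n";
    return;
}

# _rename_file($from, $to)
#
# rename() with a warning on failure.
sub _rename_file
{
    my ($from, $to) = @_;

    rename($from, $to) or warn "Can't rename $from to $to: $!\n";
    return;
}


# Root1 ##########################################################################

mkcadirs("Root1");

# Root of the test certificate tree.  An unset SECURITYSOURCEDIR is reported
# explicitly (the interpolation would otherwise just yield a path starting
# with "\" plus an "uninitialized value" warning).
#
# NOTE(review): the commands below mix absolute "$cert_path\openssl\..."
# paths with relative "Root1\..." paths, so the script evidently assumes it
# is run with "$cert_path\openssl" as the current directory -- confirm
# before relocating it.
my $securitysourcedir = $ENV{'SECURITYSOURCEDIR'};
if (!defined $securitysourcedir)
{
    warn "SECURITYSOURCEDIR is not set; \$cert_path will be relative to the drive root\n";
    $securitysourcedir = '';
}
$cert_path = "$securitysourcedir\\testframework\\testcertificates\\certman\\testcertificates";

# Generate root cert.  "-nodes" leaves every private key unencrypted; this
# is test material only.
_run("openssl req -extensions NoOCSP_Ext -config openssl.config -x509 -newkey rsa:1024 -keyout Root1\\private\\ca.key.pem -out Root1\\Certs\\ca.pem -subj \"/O=Symbian Software Ltd/CN=Root1-RSA\" -days 3650 -nodes");
_run("openssl x509 -in $cert_path\\openssl\\Root1\\Certs\\ca.pem -outform DER -out $cert_path\\openssl\\Certs\\Root1-RSA.der");

# Generate Expired-R1 (one-second validity window in 1982)
_run("openssl req -config openssl.config -newkey rsa:1024 -keyout $cert_path\\openssl\\Root1\\private\\Expired-R1.key.pem -out Root1\\Expired-R1.req.pem -subj \"/O=Symbian Software Ltd/CN=Expired-R1\" -days 3650 -nodes");
_run("openssl ca -out $cert_path\\openssl\\Root1\\Certs\\Expired-R1.pem -config openssl.config -name Root1 -in $cert_path\\openssl\\Root1\\Expired-R1.req.pem -batch -startdate 820203120000Z -enddate 820203120001Z");
_run("openssl x509 -in $cert_path\\openssl\\Root1\\Certs\\Expired-R1.pem -outform DER -out $cert_path\\openssl\\Certs\\Expired-R1.der");

# Generate Good-R1
_run("openssl req -config openssl.config -newkey rsa:1024 -keyout $cert_path\\openssl\\Root1\\private\\Good-R1.key.pem -out $cert_path\\openssl\\Root1\\Good-R1.req.pem -subj \"/O=Symbian Software Ltd/CN=Good-R1\" -days 3650 -nodes");
_run("openssl ca -config openssl.config -out $cert_path\\openssl\\Root1\\Certs\\Good-R1.pem -name Root1 -in Root1\\Good-R1.req.pem -batch -days 3650");
_run("openssl x509 -in $cert_path\\openssl\\Root1\\Certs\\Good-R1.pem -outform DER -out $cert_path\\openssl\\Certs\\Good-R1.der");

# Generate Revoked-R1 (issued, then revoked in the CA database)
_run("openssl req -config openssl.config -newkey rsa:1024 -keyout $cert_path\\openssl\\Root1\\private\\Revoked-R1.key.pem -out $cert_path\\openssl\\Root1\\Revoked-R1.req.pem -subj \"/O=Symbian Software Ltd/CN=Revoked-R1\" -days 3650 -nodes");
_run("openssl ca -out $cert_path\\openssl\\Root1\\Certs\\Revoked-R1.pem -config openssl.config -name Root1 -in $cert_path\\openssl\\Root1\\Revoked-R1.req.pem -batch -days 3650");
_run("openssl x509 -in $cert_path\\openssl\\Root1\\Certs\\Revoked-R1.pem -outform DER -out $cert_path\\openssl\\Certs\\Revoked-R1.der");
_run("openssl ca -config openssl.config -name Root1 -revoke $cert_path\\openssl\\Root1\\Certs\\Revoked-R1.pem -crl_reason keyCompromise");

# Generate Unknown-R1
_run("openssl req -config openssl.config -newkey rsa:1024 -keyout $cert_path\\openssl\\Root1\\private\\Unknown-R1.key.pem -out $cert_path\\openssl\\Root1\\Unknown-R1.req.pem -subj \"/O=Symbian Software Ltd/CN=Unknown-R1\" -days 3650 -nodes");
_run("openssl ca -out $cert_path\\openssl\\Root1\\Certs\\Unknown-R1.pem -config openssl.config -name Root1 -in $cert_path\\openssl\\Root1\\Unknown-R1.req.pem -batch -batch -days 3650");
_run("openssl x509 -in $cert_path\\openssl\\Root1\\Certs\\Unknown-R1.pem -outform DER -out $cert_path\\openssl\\Certs\\Unknown-R1.der");

# remove Unknown-R1 from the CA: keep only the first three index.txt entries
# so the CA no longer knows this certificate.
_rename_file("Root1\\index.txt", "Root1\\index.txt.new");
head("Root1\\index.txt.new", "Root1\\index.txt", 3);
# NOTE(review): "Unknown-R1.pem.pem" matches no file written above, so this
# unlink is a no-op; the Root2/Root5 sections delete the serial-numbered
# copy (04.pem) instead -- confirm which copy was meant.
unlink("Root1\\Certs\\Unknown-R1.pem.pem");
unlink("Root1\\index.txt.new");

# Generate OCSPSigner-R1.  "-name" selects a section of openssl.config;
# the original passed the Root1 directory path here, which is not a
# section name.
_run("openssl req -extensions NoOCSP_Ext -config openssl.config -newkey rsa:1024 -keyout $cert_path\\openssl\\Root1\\private\\OCSPSigner-R1.key.pem -out $cert_path\\openssl\\Root1\\OCSPSigner-R1.req.pem -subj \"/O=Symbian Software Ltd/CN=OCSPSigner-R1\" -days 3650 -nodes");
_run("openssl ca -extensions NoOCSP_Ext -config openssl.config -name Root1 -in $cert_path\\openssl\\Root1\\OCSPSigner-R1.req.pem -batch -days 3650");
_run("openssl x509 -in $cert_path\\openssl\\Root1\\Certs\\05.pem -outform DER -out $cert_path\\openssl\\Certs\\OCSPSigner-R1.der");


# Root2 ##########################################################################

mkcadirs("Root2");

# Root2 is a DSA hierarchy: generate shared DSA parameters once and reuse
# them for every key under this root.
_run("openssl dsaparam -out Root2\\dsaparam.pem 1024");
my $keyParams = "-newkey dsa:Root2\\dsaparam.pem";

# my $keyParams="-newkey rsa:1024";


# Generate root cert
_run("openssl req -extensions NoOCSP_Ext -config openssl.config -x509 $keyParams -keyout $cert_path\\openssl\\Root2\\private\\ca.key.pem -out $cert_path\\openssl\\Root2\\Certs\\ca.pem -subj \"/O=Symbian Software Ltd/CN=Root2-DSA\" -days 6000 -nodes");
_run("openssl x509 -in $cert_path\\openssl\\Root2\\Certs\\ca.pem -outform DER -out $cert_path\\openssl\\Certs\\Root2-DSA.der");

# Generate Expired-R2
_run("openssl req -config openssl.config $keyParams -keyout $cert_path\\openssl\\Root2\\private\\Expired-R2.key.pem -out $cert_path\\openssl\\Root2\\Expired-R2.req.pem -subj \"/O=Symbian Software Ltd/CN=Expired-R2\" -days 3650 -nodes");
_run("openssl ca -config openssl.config -name Root2 -in $cert_path\\openssl\\Root2\\Expired-R2.req.pem -batch -out $cert_path\\openssl\\Root2\\Certs\\Expired-R2.pem -startdate 820203120000Z -enddate 820203120001Z");
_run("openssl x509 -in Root2\\Certs\\Expired-R2.pem -outform DER -out $cert_path\\openssl\\Certs\\Expired-R2.der");

# Generate Good-R2
_run("openssl req -config openssl.config $keyParams -keyout $cert_path\\openssl\\Root2\\private\\Good-R2.key.pem -out $cert_path\\openssl\\Root2\\Good-R2.req.pem -subj \"/O=Symbian Software Ltd/CN=Good-R2\" -days 3650 -nodes");
_run("openssl ca -config openssl.config -name Root2 -in $cert_path\\openssl\\Root2\\Good-R2.req.pem -batch -days 3650");
_run("openssl x509 -in $cert_path\\openssl\\Root2\\Certs\\02.pem -outform DER -out $cert_path\\openssl\\Certs\\Good-R2.der");

# Generate Revoked-R2 ("-name Root2": config section, not the directory)
_run("openssl req -config openssl.config $keyParams -keyout $cert_path\\openssl\\Root2\\private\\Revoked-R2.key.pem -out $cert_path\\openssl\\Root2\\Revoked-R2.req.pem -subj \"/O=Symbian Software Ltd/CN=Revoked-R2\" -days 3650 -nodes");
_run("openssl ca -config openssl.config -name Root2 -in $cert_path\\openssl\\Root2\\Revoked-R2.req.pem -batch -days 3650");
_run("openssl x509 -in $cert_path\\openssl\\Root2\\Certs\\03.pem -outform DER -out $cert_path\\openssl\\Certs\\Revoked-R2.der");
_run("openssl ca -config openssl.config -name Root2 -revoke Root2\\Certs\\03.pem -crl_reason keyCompromise");

# Generate Unknown-R2
_run("openssl req -config openssl.config $keyParams -keyout $cert_path\\openssl\\Root2\\private\\Unknown-R2.key.pem -out Root2\\Unknown-R2.req.pem -subj \"/O=Symbian Software Ltd/CN=Unknown-R2\" -days 3650 -nodes");
_run("openssl ca -config openssl.config -name Root2 -in $cert_path\\openssl\\Root2\\Unknown-R2.req.pem -batch -days 3650");
_run("openssl x509 -in Root2\\Certs\\04.pem -outform DER -out $cert_path\\openssl\\Certs\\Unknown-R2.der");

# remove Unknown-R2 from the CA
_rename_file("Root2\\index.txt", "Root2\\index.txt.new");
head("Root2\\index.txt.new", "Root2\\index.txt", 3);
unlink("Root2\\Certs\\04.pem");


# Generate OCSPSigner-R2 ("-name Root2": config section, not the directory)
_run("openssl req -extensions NoOCSP_Ext -config openssl.config $keyParams -keyout $cert_path\\openssl\\Root2\\private\\OCSPSigner-R2.key.pem -out $cert_path\\openssl\\Root2\\OCSPSigner-R2.req.pem -subj \"/O=Symbian Software Ltd/CN=OCSPSigner-R2\" -days 6000 -nodes");
_run("openssl ca -extensions NoOCSP_Ext -config openssl.config -name Root2 -in $cert_path\\openssl\\Root2\\OCSPSigner-R2.req.pem -batch -days 6000");
_run("openssl x509 -in $cert_path\\openssl\\Root2\\Certs\\05.pem -outform DER -out $cert_path\\openssl\\Certs\\OCSPSigner-R2.der");


# Root5 ##########################################################################

mkcadirs("Root5");

# Generate root cert
_run("openssl req -extensions Root5_Root_Ext -config openssl.config -x509 -newkey rsa:1024 -keyout Root5\\private\\ca.key.pem -out Root5\\Certs\\ca.pem -subj \"/O=Symbian Software Ltd/CN=Root5-RSA\" -days 3650 -nodes");
_run("openssl x509 -in $cert_path\\openssl\\Root5\\Certs\\ca.pem -outform DER -out $cert_path\\openssl\\Certs\\Root5-RSA.der");

# Generate Expired-R5
_run("openssl req -config openssl.config -newkey rsa:1024 -keyout $cert_path\\openssl\\Root5\\private\\Expired-R5.key.pem -out Root5\\Expired-R5.req.pem -subj \"/O=Symbian Software Ltd/CN=Expired-R5\" -days 3650 -nodes");
_run("openssl ca -extensions Root5_Ext -config openssl.config -name Root5 -in Root5\\Expired-R5.req.pem -batch -startdate 820203120000Z -enddate 820203120001Z");
_run("openssl x509 -in Root5\\Certs\\01.pem -outform DER -out $cert_path\\openssl\\Certs\\Expired-R5.der");

# Generate Good-R5
_run("openssl req -config openssl.config -newkey rsa:1024 -keyout Root5\\private\\Good-R5.key.pem -out Root5\\Good-R5.req.pem -subj \"/O=Symbian Software Ltd/CN=Good-R5\" -days 3650 -nodes");
_run("openssl ca -extensions Root5_Ext -config openssl.config -name Root5 -in Root5\\Good-R5.req.pem -batch -days 3650");
_run("openssl x509 -in $cert_path\\openssl\\Root5\\Certs\\02.pem -outform DER -out $cert_path\\openssl\\Certs\\Good-R5.der");

# Generate Revoked-R5
_run("openssl req -config openssl.config -newkey rsa:1024 -keyout $cert_path\\openssl\\Root5\\private\\Revoked-R5.key.pem -out $cert_path\\openssl\\Root5\\Revoked-R5.req.pem -subj \"/O=Symbian Software Ltd/CN=Revoked-R5\" -days 3650 -nodes");
_run("openssl ca -extensions Root5_Ext -config openssl.config -name Root5 -in $cert_path\\openssl\\Root5\\Revoked-R5.req.pem -batch -days 3650");
_run("openssl x509 -in $cert_path\\openssl\\Root5\\Certs\\03.pem -outform DER -out $cert_path\\openssl\\Certs\\Revoked-R5.der");
_run("openssl ca -config openssl.config -name Root5 -revoke $cert_path\\openssl\\Root5\\Certs\\03.pem -crl_reason keyCompromise");

# Generate Unknown-R5
_run("openssl req -config openssl.config -newkey rsa:1024 -keyout $cert_path\\openssl\\Root5\\private\\Unknown-R5.key.pem -out $cert_path\\openssl\\Root5\\Unknown-R5.req.pem -subj \"/O=Symbian Software Ltd/CN=Unknown-R5\" -days 3650 -nodes");
_run("openssl ca -extensions Root5_Ext -config openssl.config -name Root5 -in $cert_path\\openssl\\Root5\\Unknown-R5.req.pem -batch -days 3650");
_run("openssl x509 -in $cert_path\\openssl\\Root5\\Certs\\04.pem -outform DER -out $cert_path\\openssl\\Certs\\Unknown-R5.der");

# remove Unknown-R5 from the CA
_rename_file("Root5\\index.txt", "Root5\\index.txt.new");
head("Root5\\index.txt.new", "Root5\\index.txt", 3);
unlink("$cert_path\\openssl\\Root5\\Certs\\04.pem");


# Generate Mid-R5 (intermediate CA under Root5, serial 05)
_run("openssl req -config openssl.config -newkey rsa:1024 -keyout $cert_path\\openssl\\Root5\\private\\Mid-R5.key.pem -out $cert_path\\openssl\\Root5\\Mid-R5.req.pem -subj \"/O=Symbian Software Ltd/CN=Mid-R5\" -days 3650 -nodes");
_run("openssl ca -extensions Root5_Mid -config openssl.config -name Root5 -in $cert_path\\openssl\\Root5\\Mid-R5.req.pem -batch -days 3650");
_run("openssl x509 -in $cert_path\\openssl\\Root5\\Certs\\05.pem -outform DER -out $cert_path\\openssl\\Certs\\Mid-R5.der");

# NOTE(review): nothing in this script creates the Root5-Mid directory, so
# these two copies are expected to fail unless it already exists; the
# Good-M5 signing below uses Root5\private\Mid-R5.key.pem, not these copies.
# Left in place (now with a warning on failure) -- confirm whether Root5-Mid
# is still needed.
_copy_file("$cert_path\\openssl\\Root5\\private\\ca.key.pem", "$cert_path\\openssl\\Root5-Mid\\Private\\Mid-R5.key.pem");
_copy_file("$cert_path\\openssl\\Root5\\Certs\\05.pem", "$cert_path\\openssl\\Root5-Mid\\Certs\\Mid-R5.pem");

# Good-M5: end-entity certificate signed directly by Mid-R5 with
# "openssl x509 -req".  -CAserial points at Root5's serial file, so this
# consumes serial 06 from the Root5 counter.
_run("openssl req -config openssl.config -extensions Root5_Mid_EE -newkey rsa:1024 -keyout $cert_path\\openssl\\Root5\\private\\Good-M5.key.pem -out $cert_path\\openssl\\Root5\\Good-M5.req.pem -subj \"/O=Symbian Software Ltd/CN=Good-M5\" -days 3650 -nodes");
_run("openssl x509 -extfile Good-M5.extensions -req -in $cert_path\\openssl\\Root5\\Good-M5.req.pem -CA $cert_path\\openssl\\Root5\\certs\\05.pem -CAkey $cert_path\\openssl\\Root5\\private\\Mid-R5.key.pem -out $cert_path\\openssl\\Root5\\private\\Good-M5.cert.pem -CAserial Root5\\serial");
_run("openssl x509 -in Root5\\private\\Good-M5.cert.pem -outform DER -out $cert_path\\openssl\\Certs\\Good-M5.der");


# Generate OCSPSigner-R5 (serial 07; "-name Root5" is the config section)
_run("openssl req -config openssl.config -newkey rsa:1024 -keyout $cert_path\\openssl\\Root5\\private\\OCSPSigner-R5.key.pem -out $cert_path\\openssl\\Root5\\OCSPSigner-R5.req.pem -subj \"/O=Symbian Software Ltd/CN=OCSPSigner-R5\" -days 6000 -nodes");
_run("openssl ca -extensions NoOCSP_Ext -config openssl.config -name Root5 -in $cert_path\\openssl\\Root5\\OCSPSigner-R5.req.pem -batch -days 6000");
_run("openssl x509 -in $cert_path\\openssl\\Root5\\Certs\\07.pem -outform DER -out $cert_path\\openssl\\Certs\\OCSPSigner-R5.der");


# Generate GoodAIA-R5 cert, server specified in cert extension.
# The Authority Information Access extension is written to a temporary
# extension file that is removed again afterwards.
if (open(my $aiaext, '>', "GoodAIA-R5.extension"))
{
    print {$aiaext} "authorityInfoAccess = OCSP;URI:$ocspR5addr";
    close($aiaext) or warn "Can't close GoodAIA-R5.extension: $!\n";
}
else
{
    warn "Can't create GoodAIA-R5.extension: $!\n";
}

_run("openssl req -config openssl.config -newkey rsa:1024 -keyout $cert_path\\openssl\\Root5\\private\\GoodAIA-R5.key.pem -out $cert_path\\openssl\\Root5\\GoodAIA-R5.req.pem -subj \"/O=Symbian Software Ltd/CN=GoodAIA-R5\" -days 3650 -nodes");
_run("openssl ca -extfile GoodAIA-R5.extension -config openssl.config -name Root5 -in $cert_path\\openssl\\Root5\\GoodAIA-R5.req.pem -batch -days 3650");
_run("openssl x509 -in $cert_path\\openssl\\Root5\\Certs\\08.pem -outform DER -out $cert_path\\openssl\\Certs\\GoodAIA-R5.der");

unlink "GoodAIA-R5.extension";


# Apache certificate stuff

mkdir("Apache") or warn "Can't create Apache: $!\n";


# Generate Apache-R5 cert, certificate used for SSL on apache server
# (CN is the server's host name so TLS host-name matching succeeds).
_run("openssl req -config openssl.config -newkey rsa:1024 -keyout $cert_path\\openssl\\Root5\\private\\Apache-R5.key.pem -out Root5\\Apache-R5.req.pem -subj \"/O=Symbian Software Ltd/CN=$apacheaddr\" -days 6000 -nodes");
_run("openssl ca -config openssl.config -name Root5 -in $cert_path\\openssl\\Root5\\Apache-R5.req.pem -batch -days 6000");
_run("openssl x509 -in $cert_path\\openssl\\Root5\\Certs\\09.pem -outform DER -out $cert_path\\openssl\\Certs\\Apache-R5.der");

_copy_file("Root5\\Certs\\09.pem", "$cert_path\\openssl\\Apache\\Apache-R5.pem");
# The private key was written to Root5\private by the "openssl req" above;
# the original source path embedded $cert_path in the middle of a relative
# path and could never match.
_copy_file("$cert_path\\openssl\\Root5\\private\\Apache-R5.key.pem", "$cert_path\\openssl\\Apache\\Apache-R5.key.pem");

# "\\ca.pem": the original had a single backslash, which Perl read as the
# "\c" control-character escape, so the CA certificate was never copied.
_copy_file("$cert_path\\openssl\\Root5\\Certs\\ca.pem", "$cert_path\\openssl\\Apache\\Root5-RSA.pem");


# OCSPSigningRoot ##########################################################################

mkcadirs("OCSPSigningRoot");

# Generate root cert
_run("openssl req -config openssl.config -x509 -newkey rsa:1024 -keyout $cert_path\\openssl\\OCSPSigningRoot\\private\\ca.key.pem -out $cert_path\\openssl\\OCSPSigningRoot\\Certs\\ca.pem -subj \"/O=Symbian Software Ltd/CN=OCSPSigningRoot-RSA\" -days 3650 -nodes");
_run("openssl x509 -in $cert_path\\openssl\\OCSPSigningRoot\\Certs\\ca.pem -outform DER -out $cert_path\\openssl\\Certs\\OCSPSigningRoot-RSA.der");

# Generate Signer-OCSPR
_run("openssl req -config openssl.config -newkey rsa:1024 -keyout $cert_path\\openssl\\OCSPSigningRoot\\private\\Signer-OCSPR.key.pem -out $cert_path\\openssl\\OCSPSigningRoot\\Signer-OCSPR.req.pem -subj \"/O=Symbian Software Ltd/CN=Signer-OCSPR\" -days 3650 -nodes");
_run("openssl ca -config openssl.config -name OCSPSigningRoot -in $cert_path\\openssl\\OCSPSigningRoot\\Signer-OCSPR.req.pem -batch -days 3650");
_run("openssl x509 -in $cert_path\\openssl\\OCSPSigningRoot\\Certs\\01.pem -outform DER -out $cert_path\\openssl\\Certs\\Signer-OCSPR.der");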