authorNAKAMURA Hiroshi <nahi@keynauts.com>2003-07-08 16:27:25 +0000
committerNAKAMURA Hiroshi <nahi@keynauts.com>2003-07-08 16:27:25 +0000
commit831b312e1da36ea829e3586b91145e1095fc7f15 (patch)
treeae75cb7631840643a700fb717e4f59f44222c9ea
parentbb632a979121399ce889a93d65e101772152cde2 (diff)
downloadruby-openssl-history-831b312e1da36ea829e3586b91145e1095fc7f15.tar.gz
* examples/ca/gen_cert.rb: Add some options. --noakid is an option worthy to
mention. For cross certification with OpenSSL, the akid extension seems to prevent OpenSSL from finding a cross-certification path. --noakid removes the authorityKeyIdentifier extension. RFC2510 defines this field as a 'MUST' field, so use this option carefully. * examples/ca/init_sub_ca.rb: Added. * examples/ca/init_ca.rb: Add an option to specify the CN.
-rw-r--r--ChangeLog9
-rwxr-xr-xexamples/ca/gen_cert.rb23
-rwxr-xr-xexamples/ca/init_ca.rb21
-rwxr-xr-xexamples/ca/init_sub_ca.rb51
4 files changed, 96 insertions, 8 deletions
diff --git a/ChangeLog b/ChangeLog
index 55705bb..b5c3939 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,12 @@
+Sun, 09 Jul 2003 01:20:56 +0900 -- NAKAMURA, Hiroshi <nahi@ruby-lang.org>
+ * examples/ca/gen_cert.rb: Add some options. --noakid is an option
+ worthy to mention. For cross certification, with OpenSSL, akid seems
+ to block to find a cross-cert path. --noakid is for removing
+ authorityKeyIdentifier extension. RFC2510 defines this field as a
+ 'MUST' field so use this option carefully.
+ * examples/ca/init_sub_ca.rb: Added.
+ * examples/ca/init_ca.rb: Add an option to specify CN.
+
Sun, 09 Jul 2003 01:05:55 +0900 -- NAKAMURA, Hiroshi <nahi@ruby-lang.org>
* ossl_x509cert.c, ossl_x509crl.c: Add
(Certificate|CRL)#signature_algorithm.
diff --git a/examples/ca/gen_cert.rb b/examples/ca/gen_cert.rb
index 4063c9b..e496f90 100755
--- a/examples/ca/gen_cert.rb
+++ b/examples/ca/gen_cert.rb
@@ -9,14 +9,14 @@ include OpenSSL
def usage
myname = File::basename($0)
- $stderr.puts "Usage: #{myname} [--type (client|server|ca|ocsp)] csr_file"
+ $stderr.puts "Usage: #{myname} [--type (client|server|ca|ocsp)] [--out certfile] csr_file"
exit
end
-getopts nil, 'type:client'
+getopts nil, 'type:client', 'out:', 'force', 'noakid'
cert_type = $OPT_type
-p cert_type
+out_file = $OPT_out || 'cert.pem'
csr_file = ARGV.shift or usage
ARGV.empty? or usage
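Review bot: The usage string on the changed `$stderr.puts` line lists only `--type` and `--out`, while the new getopts call also accepts `--force` and `--noakid`, and the `--type` choices omit the `terminalsubca` value that this same commit adds further down. Since `--force` disables the issuer-DN policy check and `--noakid` drops an extension the certificate profile expects, both should be visible to the operator rather than discoverable only by reading the script: `$stderr.puts "Usage: #{myname} [--type (client|server|ca|terminalsubca|ocsp)] [--out certfile] [--force] [--noakid] csr_file"`.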
@@ -31,7 +31,9 @@ if csr.public_key.n.num_bits > CAConfig::CERT_KEY_LENGTH_MAX
raise "Key length too long"
end
if csr.subject.to_a[0, CAConfig::NAME.size] != CAConfig::NAME
- iraise "DN does not match"
+ unless $OPT_force
+ raise "DN does not match"
+ end
end
# Only checks signature here. You must verify CSR according to your CP/CPS.
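Review bot: The added `unless $OPT_force` guard silently accepts a CSR whose subject does not start with `CAConfig::NAME`, so a certificate issued outside the CA's configured name space leaves no trace in the console output. A single warning line placed just before the `unless` keeps the override visible in logs and terminal captures: `$stderr.puts "WARNING: DN does not match CAConfig::NAME; continuing because --force was given" if $OPT_force`. The comment on the following context line already states that the CSR must be vetted against the CP/CPS; the warning makes it clear when that vetting is the only check left.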
@@ -70,6 +72,9 @@ key_usage = []
ext_key_usage = []
case cert_type
when "ca"
+ basic_constraint = "CA:TRUE"
+ key_usage << "cRLSign" << "keyCertSign"
+when "terminalsubca"
basic_constraint = "CA:TRUE,pathlen:0"
key_usage << "cRLSign" << "keyCertSign"
when "server"
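Review bot: The new `when "ca"` branch drops the `pathlen:0` constraint that `--type ca` produced before this commit, so an operator who keeps using `--type ca` for a leaf sub-CA now issues an unconstrained CA certificate that can itself issue further CAs; the constrained form is only reachable through the new `terminalsubca` type, which the usage text does not mention. A one-line comment on the branch would make the change of meaning explicit: `# CA:TRUE without pathlen: the issued CA may create further sub-CAs; use --type terminalsubca for a pathlen:0 CA`. Whether an unrecognised `--type` value falls through to a non-CA profile or raises is decided outside this hunk.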
@@ -99,7 +104,13 @@ ex << ef.create_extension("nsComment","Ruby/OpenSSL Generated Certificate")
ex << ef.create_extension("subjectKeyIdentifier", "hash")
#ex << ef.create_extension("nsCertType", "client,email")
ex << ef.create_extension("keyUsage", key_usage.join(",")) unless key_usage.empty?
-ex << ef.create_extension("authorityKeyIdentifier", "keyid:always,issuer:always")
+if $OPT_noakid
+ # For cross certification, with OpenSSL, akid seems to block to find a
+ # cross-cert path. RFC2510 defines this field as a 'MUST' field so use this
+ # option carefully.
+else
+ ex << ef.create_extension("authorityKeyIdentifier", "keyid:always,issuer:always")
+end
ex << ef.create_extension("extendedKeyUsage", ext_key_usage.join(",")) unless ext_key_usage.empty?
ex << ef.create_extension("crlDistributionPoints", CAConfig::CDP_LOCATION) if CAConfig::CDP_LOCATION
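Review bot: The added `if $OPT_noakid` block has an empty body that holds only the comment, with the real work in the `else`; the same thing reads more directly as a modifier, `ex << ef.create_extension("authorityKeyIdentifier", "keyid:always,issuer:always") unless $OPT_noakid`, with the comment kept above it. Because the option knowingly omits an extension the profile requires, a run that uses it should say so on stderr: `$stderr.puts "WARNING: omitting authorityKeyIdentifier (--noakid)" if $OPT_noakid`. The comment's RFC citation also looks worth checking: RFC 2510 is the CMP protocol, whereas the MUST for the keyIdentifier field of authorityKeyIdentifier appears to come from the PKIX certificate profile (RFC 2459, superseded by RFC 3280 before this commit).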
@@ -115,6 +126,6 @@ File.open(cert_file, "w", 0644) do |f|
end
puts "Writing cert.pem..."
-FileUtils.copy(cert_file, "cert.pem")
+FileUtils.copy(cert_file, out_file)
puts "DONE. (Generated certificate for '#{cert.subject}')"
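Review bot: The `puts "Writing cert.pem..."` context line still names the old fixed path although the copy on the changed line below it now goes to `out_file`, so a run with `--out` reports a file that is never written. Change it to `puts "Writing #{out_file}..."` so the console output matches the destination.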
diff --git a/examples/ca/init_ca.rb b/examples/ca/init_ca.rb
index d9309ed..6e9fa1f 100755
--- a/examples/ca/init_ca.rb
+++ b/examples/ca/init_ca.rb
@@ -7,12 +7,29 @@ include OpenSSL
$stdout.sync = true
+cn = ARGV.shift || 'CA'
+
+unless FileTest.exist?('private')
+ Dir.mkdir('private', 0700)
+end
+unless FileTest.exist?('newcerts')
+ Dir.mkdir('newcerts')
+end
+unless FileTest.exist?('crl')
+ Dir.mkdir('crl')
+end
+unless FileTest.exist?('serial')
+ File.open('serial', 'w') do |f|
+ f << '1'
+ end
+end
+
print "Generating CA keypair: "
keypair = PKey::RSA.new(CAConfig::CA_RSA_KEY_LENGTH) { putc "." }
putc "\n"
cert = X509::Certificate.new
-name = CAConfig::NAME.dup << ['CN','CA']
+name = CAConfig::NAME.dup << ['CN', cn]
cert.subject = cert.issuer = X509::Name.new(name)
cert.not_before = Time.now
cert.not_after = Time.now + CAConfig::CA_CERT_DAYS * 24 * 60 * 60
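Review bot: The new `cn = ARGV.shift || 'CA'` takes the root CA's common name as an unvalidated positional argument with no usage text, and nothing checks that ARGV is empty afterwards, so a stray word or mistyped flag quietly becomes the CN of the root certificate. A guard in the style gen_cert.rb already uses would catch that: `ARGV.empty? or abort "Usage: #{File::basename($0)} [common_name]"`. The directory and `serial` setup added here is repeated verbatim in the new examples/ca/init_sub_ca.rb; a small shared helper (for example in ca_config, which both scripts already require) would keep details such as the `0700` mode on `private` identical in both places.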
@@ -34,7 +51,7 @@ cert.add_extension(ext0)
cert.sign(keypair, Digest::SHA1.new)
keypair_file = CAConfig::KEYPAIR_FILE
-puts "Writing #{keypair}."
+puts "Writing keypair."
File.open(keypair_file, "w", 0400) do |f|
f << keypair.export(Cipher::DES.new(:EDE3, :CBC), &CAConfig::PASSWD_CB)
end
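Review bot: `puts "Writing keypair."` no longer tells the operator where the key is written; since `keypair_file` is assigned on the context line just above, `puts "Writing #{keypair_file}."` reports the path the way the new init_sub_ca.rb reports its CSR path, without interpolating the key object itself.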
diff --git a/examples/ca/init_sub_ca.rb b/examples/ca/init_sub_ca.rb
new file mode 100755
index 0000000..6cb27d3
--- /dev/null
+++ b/examples/ca/init_sub_ca.rb
@@ -0,0 +1,51 @@
+#!/usr/bin/env ruby
+
+require 'openssl'
+require 'ca_config'
+require 'getopts'
+
+include OpenSSL
+
+$stdout.sync = true
+
+getopts nil, "csrout:"
+csrout = $OPT_csrout || "csr.pem"
+
+unless FileTest.exist?('private')
+ Dir.mkdir('private', 0700)
+end
+unless FileTest.exist?('newcerts')
+ Dir.mkdir('newcerts')
+end
+unless FileTest.exist?('crl')
+ Dir.mkdir('crl')
+end
+unless FileTest.exist?('serial')
+ File.open('serial', 'w') do |f|
+ f << '1'
+ end
+end
+
+print "Generating CA keypair: "
+keypair = PKey::RSA.new(CAConfig::CA_RSA_KEY_LENGTH) { putc "." }
+putc "\n"
+
+keypair_file = CAConfig::KEYPAIR_FILE
+puts "Writing keypair."
+File.open(keypair_file, "w", 0400) do |f|
+ f << keypair.export(Cipher::DES.new(:EDE3, :CBC), &CAConfig::PASSWD_CB)
+end
+
+name = CAConfig::NAME.dup << ['CN','Sub CA']
+
+puts "Generating CSR for #{name.inspect}"
+
+req = X509::Request.new
+req.subject = X509::Name.new(name)
+req.public_key = keypair.public_key
+req.sign(keypair, Digest::SHA1.new)
+
+puts "Writing #{csrout}..."
+File.open(csrout, "w") do |f|
+ f << req.to_pem
+end
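Review bot: The subject CN is hard-coded as `'Sub CA'` on the `name =` line although init_ca.rb in this same commit takes its CN from the command line, so every sub-CA generated with this script gets the same subject name and the script must be edited to change it; `cn = ARGV.shift || 'Sub CA'` next to the `csrout` assignment and `name = CAConfig::NAME.dup << ['CN', cn]` would bring the two scripts into line. Nothing checks that `CAConfig::KEYPAIR_FILE` is absent before `File.open(keypair_file, "w", 0400)`, so re-running the script in an already initialised directory will try to replace the sub-CA's private key; `abort "#{keypair_file} already exists" if FileTest.exist?(keypair_file)` before the open prevents that. Leftover arguments after `getopts` are likewise not rejected and there is no usage text for `--csrout`.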