author | NAKAMURA Hiroshi <nahi@keynauts.com> | 2003-07-04 14:18:28 +0000 |
---|---|---|
committer | NAKAMURA Hiroshi <nahi@keynauts.com> | 2003-07-04 14:18:28 +0000 |
commit | d4e8bcd4ea3f2fe79b50b69288d49cb346a4cc79 (patch) | |
tree | 45a6c55a88ac1f214d2bcb0581097cebf837ef93 | |
parent | 9265dba3ad252fcc22cf218b5507e638b4206a74 (diff) | |
download | ruby-openssl-history-d4e8bcd4ea3f2fe79b50b69288d49cb346a4cc79.tar.gz |
examples/ca/gen_cert.rb: Follow examples/gen_cert.rb
-rwxr-xr-x | examples/ca/gen_cert.rb | 109 | ||||
-rwxr-xr-x | examples/ca/gen_clientee_from_csr.rb | 74 | ||||
-rwxr-xr-x | examples/ca/gen_clientee_from_scratch.rb | 83 |
3 files changed, 109 insertions, 157 deletions
diff --git a/examples/ca/gen_cert.rb b/examples/ca/gen_cert.rb
new file mode 100755
index 0000000..ea5fe54
--- /dev/null
+++ b/examples/ca/gen_cert.rb
@@ -0,0 +1,109 @@
+#!/usr/bin/env ruby
+
+require 'openssl'
+require 'ca_config'
+require 'fileutils'
+require 'getopts'
+
+include OpenSSL
+
+def usage
+ myname = File::basename($0)
+ $stderr.puts "Usage: #{myname} csr_file [--type (client|server|ca|ocsp)]"
+ exit
+end
+
+getopts nil, 'type:client'
+
+cert_type = $OPT_type
+csr_file = ARGV.shift or usage
+ARGV.empty? or usage
+
+csr = X509::Request.new(File.open(csr_file).read)
+unless csr.verify(csr.public_key)
+ raise "CSR sign verification failed."
+end
+# Only checks signature here. You must verify CSR according to your CP/CPS.
+
+$stdout.sync = true
+
+# CA setup
+
+ca_file = CAConfig::CERT_FILE
+puts "Reading CA cert (from #{ca_file})"
+ca = X509::Certificate.new(File.read(ca_file))
+
+ca_keypair_file = CAConfig::KEYPAIR_FILE
+puts "Reading CA keypair (from #{ca_keypair_file})"
+ca_keypair = PKey::RSA.new(File.read(ca_keypair_file), &CAConfig::PASSWD_CB)
+
+serial = File.open(CAConfig::SERIAL_FILE, "r").read.chomp.hex
+File.open(CAConfig::SERIAL_FILE, "w") do |f|
+ f << sprintf("%04X", serial + 1)
+end
+
+# Generate new cert
+
+cert = X509::Certificate.new
+from = Time.now # + 30 * 60 # Wait 30 minutes.
+cert.subject = csr.subject
+cert.issuer = ca.subject
+cert.not_before = from
+cert.not_after = from + CAConfig::CERT_DAYS * 24 * 60 * 60
+cert.public_key = csr.public_key
+cert.serial = serial
+cert.version = 2 # X509v3
+
+basic_constraint = nil
+key_usage = []
+ext_key_usage = []
+case cert_type
+when "ca"
+ basic_constraint = "CA:TRUE,pathlen:0"
+ key_usage << "cRLSign" << "keyCertSign"
+when "server"
+ basic_constraint = "CA:FALSE"
+ key_usage << "nonRepudiation" << "digitalSignature" << "keyEncipherment"
+ key_usage << "dataEncipherment"
+ ext_key_usage << "serverAuth"
+when "ocsp"
+ basic_constraint = "CA:FALSE"
+ key_usage << "nonRepudiation" << "digitalSignature" << "keyEncipherment"
+ key_usage << "dataEncipherment"
+ ext_key_usage << "serverAuth" << "OCSPSigning"
+when "client"
+ basic_constraint = "CA:FALSE"
+ key_usage << "nonRepudiation" << "digitalSignature" << "keyEncipherment"
+ ext_key_usage << "clientAuth" << "codeSigning" << "emailProtection"
+else
+ raise "unknonw cert type \"#{cert_type}\" is specified."
+end
+
+ef = X509::ExtensionFactory.new
+ef.subject_certificate = cert
+ef.issuer_certificate = ca
+ex = []
+ex << ef.create_extension("basicConstraints", basic_constraint, true)
+ex << ef.create_extension("nsComment","Ruby/OpenSSL Generated Certificate")
+ex << ef.create_extension("subjectKeyIdentifier", "hash")
+ex << ef.create_extension("nsCertType", "client,email")
+ex << ef.create_extension("keyUsage", key_usage.join(",")) unless key_usage.empty?
+ex << ef.create_extension("authorityKeyIdentifier", "keyid:always,issuer:always")
+ex << ef.create_extension("extendedKeyUsage", ext_key_usage.join(",")) unless ext_key_usage.empty?
+
+ex << ef.create_extension("crlDistributionPoints", CAConfig::CDP_LOCATION) if CAConfig::CDP_LOCATION
+ex << ef.create_extension("authorityInfoAccess", "OCSP;" << CAConfig::OCSP_LOCATION) if CAConfig::OCSP_LOCATION
+cert.extensions = ex
+cert.sign(ca_keypair, Digest::SHA1.new)
+
+# For backup
+
+cert_file = CAConfig::NEW_CERTS_DIR + "/#{cert.serial}_cert.pem"
+File.open(cert_file, "w", 0644) do |f|
+ f << cert.to_pem
+end
+
+puts "Writing cert.pem..."
+FileUtils.copy(cert_file, "cert.pem")
+
+puts "DONE. (Generated certificate for '#{cert.subject}')"
diff --git a/examples/ca/gen_clientee_from_csr.rb b/examples/ca/gen_clientee_from_csr.rb
deleted file mode 100755
index 60b87e3..0000000
--- a/examples/ca/gen_clientee_from_csr.rb
+++ /dev/null
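Review bot: The `nsCertType` extension is added with the fixed value `"client,email"` for every `--type`, so server, CA and OCSP certificates carry a Netscape cert type that contradicts the per-type basicConstraints and extendedKeyUsage set in the `case` just above; move it into the `case` or guard it, e.g. `ex << ef.create_extension("nsCertType", "client,email") if cert_type == "client"`. The `--type` value is only rejected by the `else` branch of that `case`, which runs after `CAConfig::SERIAL_FILE` has already been read and rewritten, so a mistyped option consumes a serial number without issuing a certificate; checking `cert_type` against the four accepted values before the serial file is touched avoids that. The message in that branch also has a typo, `unknonw` → `unknown`. `File.open(csr_file).read` leaves the handle open; `File.read(csr_file)` matches how the CA cert and keypair are read a few lines later.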
@@ -1,74 +0,0 @@
-#!/usr/bin/env ruby
-
-require 'openssl'
-require 'ca_config'
-require 'fileutils'
-
-include OpenSSL
-
-def usage
- myname = File::basename($0)
- $stderr.puts "Usage: #{myname} csr_file"
- exit
-end
-
-csr_file = ARGV.shift or usage()
-csr = X509::Request.new(File.open(csr_file).read)
-unless csr.verify(csr.public_key)
- raise "CSR sign verification failed."
-end
-# Only checks signature here. You must verify CSR according to your CP/CSP.
-
-$stdout.sync = true
-
-# CA setup
-
-ca_file = CAConfig::CERT_FILE
-puts "Reading CA cert (from #{ca_file})"
-ca = X509::Certificate.new(File.read(ca_file))
-
-ca_keypair_file = CAConfig::KEYPAIR_FILE
-puts "Reading CA keypair (from #{ca_keypair_file})"
-ca_keypair = PKey::RSA.new(File.read(ca_keypair_file), &CAConfig::PASSWD_CB)
-
-serial = File.open(CAConfig::SERIAL_FILE, "r").read.chomp.hex
-File.open(CAConfig::SERIAL_FILE, "w") do |f|
- f << sprintf("%04X", serial + 1)
-end
-
-# Generate new cert
-
-cert = X509::Certificate.new
-from = Time.now # + 30 * 60 # Wait 30 minutes.
-cert.subject = csr.subject
-cert.issuer = ca.subject
-cert.not_before = from
-cert.not_after = from + CAConfig::CERT_DAYS * 24 * 60 * 60
-cert.public_key = csr.public_key
-cert.serial = serial
-cert.version = 2 # X509v3
-
-# Should check CSR's attribute?
-ef = X509::ExtensionFactory.new
-ef.subject_certificate = cert
-ef.issuer_certificate = ca
-ext1 = ef.create_extension("basicConstraints","CA:FALSE")
-ext2 = ef.create_extension("nsComment","Ruby/OpenSSL Generated Certificate")
-ext3 = ef.create_extension("subjectKeyIdentifier", "hash")
-ext4 = ef.create_extension("nsCertType", "client,email")
-ext5 = ef.create_extension("keyUsage", "digitalSignature,keyEncipherment")
-ext6 = ef.create_extension("authorityKeyIdentifier", "keyid:always,issuer:always")
-cert.extensions = [ext1, ext2, ext3, ext4, ext5, ext6]
-cert.sign(ca_keypair, Digest::SHA1.new)
-
-# For backup
-
-cert_file = CAConfig::NEW_CERTS_DIR + "/#{cert.serial}_cert.pem"
-File.open(cert_file, "w", 0644) do |f|
- f << cert.to_pem
-end
-
-puts "Writing cert.pem..."
-FileUtils.copy(cert_file, "cert.pem")
-
-puts "DONE. (Generated certificate for '#{cert.subject}')"
diff --git a/examples/ca/gen_clientee_from_scratch.rb b/examples/ca/gen_clientee_from_scratch.rb
deleted file mode 100755
index 5869516..0000000
--- a/examples/ca/gen_clientee_from_scratch.rb
+++ /dev/null
@@ -1,83 +0,0 @@
-#!/usr/bin/env ruby
-
-require 'openssl'
-require 'ca_config'
-require 'fileutils'
-
-include OpenSSL
-
-def usage
- myname = File::basename($0)
- $stderr.puts "Usage: #{myname} name(cn) email(emailAddress)"
- exit
-end
-
-cn = ARGV.shift or usage()
-email = ARGV.shift or usage()
-name = CAConfig::NAME.dup << ['CN', cn] << ['emailAddress', email]
-
-$stdout.sync = true
-
-# CA setup
-
-ca_file = CAConfig::CERT_FILE
-puts "Reading CA cert (from #{ca_file})"
-ca = X509::Certificate.new(File.read(ca_file))
-
-ca_keypair_file = CAConfig::KEYPAIR_FILE
-puts "Reading CA keypair (from #{ca_keypair_file})"
-ca_keypair = PKey::RSA.new(File.read(ca_keypair_file), &CAConfig::PASSWD_CB)
-
-serial = File.open(CAConfig::SERIAL_FILE, "r").read.chomp.hex
-File.open(CAConfig::SERIAL_FILE, "w") do |f|
- f << sprintf("%04X", serial + 1)
-end
-
-# Generate keypair
-
-print "Generating RSA 1024 bit keypair: "
-keypair = PKey::RSA.new(1024){ putc "." }
-putc "\n"
-
-# Generate new cert
-
-cert = X509::Certificate.new
-from = Time.now # + 30 * 60 # Wait 30 minutes.
-cert.subject = X509::Name.new(name)
-cert.issuer = ca.subject
-cert.not_before = from
-cert.not_after = from + CAConfig::CERT_DAYS * 24 * 60 * 60
-cert.public_key = keypair.public_key
-cert.serial = serial
-cert.version = 2 # X509v3
-
-ef = X509::ExtensionFactory.new
-ef.subject_certificate = cert
-ef.issuer_certificate = ca
-ext1 = ef.create_extension("basicConstraints","CA:FALSE")
-ext2 = ef.create_extension("nsComment","Ruby/OpenSSL Generated Certificate")
-ext3 = ef.create_extension("subjectKeyIdentifier", "hash")
-ext4 = ef.create_extension("nsCertType", "client,email")
-ext5 = ef.create_extension("keyUsage", "digitalSignature,keyEncipherment")
-ext6 = ef.create_extension("authorityKeyIdentifier", "keyid:always,issuer:always")
-cert.extensions = [ext1, ext2, ext3, ext4, ext5, ext6]
-cert.sign(ca_keypair, Digest::SHA1.new)
-
-# For backup
-
-cert_file = CAConfig::NEW_CERTS_DIR + "/#{cert.serial}_cert.pem"
-File.open(cert_file, "w", 0644) do |f|
- f << cert.to_pem
-end
-
-keypair_file = CAConfig::NEW_KEYPAIR_DIR + "/#{cert.serial}_keypair.pem"
-File.open(keypair_file, "w", 0400) do |f|
- f << keypair.export(Cipher::DES.new(:EDE3, :CBC), &CAConfig::PASSWD_CB)
-end
-
-puts "Writing cert.pem..."
-FileUtils.copy(cert_file, "cert.pem")
-puts "Writing keypair.pem..."
-FileUtils.copy(keypair_file, "keypair.pem")
-
-puts "DONE. (Generated certificate for '#{cert.subject}')" |