-rw-r--r-- | ChangeLog | 9 | ||||
-rwxr-xr-x | examples/ca/gen_cert.rb | 23 | ||||
-rwxr-xr-x | examples/ca/init_ca.rb | 21 | ||||
-rwxr-xr-x | examples/ca/init_sub_ca.rb | 51 |
4 files changed, 96 insertions, 8 deletions
@@ -1,3 +1,12 @@
+Sun, 09 Jul 2003 01:20:56 +0900 -- NAKAMURA, Hiroshi <nahi@ruby-lang.org>
+ * examples/ca/gen_cert.rb: Add some options. --noakid is an option
+ worthy to mention. For cross certification, with OpenSSL, akid seems
+ to block to find a cross-cert path. --noakid is for removing
+ authorityKeyIdentifier extension. RFC2510 defines this field as a
+ 'MUST' field so use this option carefully.
+ * examples/ca/init_sub_ca.rb: Added.
+ * examples/ca/init_ca.rb: Add an option to specify CN.
+
 Sun, 09 Jul 2003 01:05:55 +0900 -- NAKAMURA, Hiroshi <nahi@ruby-lang.org>
 * ossl_x509cert.c, ossl_x509crl.c: Add (Certificate|CRL)#signature_algorithm.
diff --git a/examples/ca/gen_cert.rb b/examples/ca/gen_cert.rb
index 4063c9b..e496f90 100755
--- a/examples/ca/gen_cert.rb
+++ b/examples/ca/gen_cert.rb
@@ -9,14 +9,14 @@ include OpenSSL
 def usage
 myname = File::basename($0)
- $stderr.puts "Usage: #{myname} [--type (client|server|ca|ocsp)] csr_file"
+ $stderr.puts "Usage: #{myname} [--type (client|server|ca|ocsp)] [--out certfile] csr_file"
 exit
 end
-getopts nil, 'type:client'
+getopts nil, 'type:client', 'out:', 'force', 'noakid'
 cert_type = $OPT_type
-p cert_type
+out_file = $OPT_out || 'cert.pem'
 csr_file = ARGV.shift or usage
 ARGV.empty? or usage
@@ -31,7 +31,9 @@ if csr.public_key.n.num_bits > CAConfig::CERT_KEY_LENGTH_MAX
 raise "Key length too long"
 end
 if csr.subject.to_a[0, CAConfig::NAME.size] != CAConfig::NAME
- iraise "DN does not match"
+ unless $OPT_force
+ raise "DN does not match"
+ end
 end
 # Only checks signature here. You must verify CSR according to your CP/CPS.
@@ -70,6 +72,9 @@ key_usage = []
 ext_key_usage = []
 case cert_type
 when "ca"
+ basic_constraint = "CA:TRUE"
+ key_usage << "cRLSign" << "keyCertSign"
+when "terminalsubca"
 basic_constraint = "CA:TRUE,pathlen:0"
 key_usage << "cRLSign" << "keyCertSign"
 when "server"
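Review bot: The rewritten `$stderr.puts` usage line documents `--out` but not the `--force` and `--noakid` options that the `getopts` call two lines below now accepts, nor the new `terminalsubca` value handled by the `case cert_type` later in this file. Because `--force` disables the DN policy check and `--noakid` drops an extension the script otherwise always emits, an operator should be able to discover both from the usage text. Suggest `$stderr.puts "Usage: #{myname} [--type (client|server|ca|terminalsubca|ocsp)] [--out certfile] [--force] [--noakid] csr_file"`. The script around `usage` continues outside the hunk.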
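Review bot: With `--force` the subject-DN policy check is bypassed silently, so a forced issuance for a DN outside `CAConfig::NAME` is indistinguishable from a normal run in the script's output. The `unless $OPT_force` branch should tell the operator on stderr that the check was overridden, e.g. `raise "DN does not match" unless $OPT_force` followed by `$stderr.puts "Warning: DN does not match CA name policy, continuing (--force)" if $OPT_force`. Note that the old `iraise` typo meant a mismatch previously failed with NoMethodError rather than the intended message; the commit fixes that, but the ChangeLog entry does not say so.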
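Review bot: `when "ca"` now issues `CA:TRUE` with no path-length constraint where the old branch gave `pathlen:0`, so an existing `--type ca` invocation now produces a CA certificate that may certify further CAs; the ChangeLog entry in this commit does not mention this change in meaning. A one-line comment above the two branches would make the distinction explicit, e.g. `# "ca": may issue sub-CA certs; "terminalsubca": pathlen:0, may only issue end-entity certs.` The `case` continues past the end of the hunk.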
@@ -99,7 +104,13 @@ ex << ef.create_extension("nsComment","Ruby/OpenSSL Generated Certificate")
 ex << ef.create_extension("subjectKeyIdentifier", "hash")
 #ex << ef.create_extension("nsCertType", "client,email")
 ex << ef.create_extension("keyUsage", key_usage.join(",")) unless key_usage.empty?
-ex << ef.create_extension("authorityKeyIdentifier", "keyid:always,issuer:always")
+if $OPT_noakid
+ # For cross certification, with OpenSSL, akid seems to block to find a
+ # cross-cert path. RFC2510 defines this field as a 'MUST' field so use this
+ # option carefully.
+else
+ ex << ef.create_extension("authorityKeyIdentifier", "keyid:always,issuer:always")
+end
 ex << ef.create_extension("extendedKeyUsage", ext_key_usage.join(",")) unless ext_key_usage.empty?
 ex << ef.create_extension("crlDistributionPoints", CAConfig::CDP_LOCATION) if CAConfig::CDP_LOCATION
@@ -115,6 +126,6 @@ File.open(cert_file, "w", 0644) do |f|
 end
 puts "Writing cert.pem..."
-FileUtils.copy(cert_file, "cert.pem")
+FileUtils.copy(cert_file, out_file)
 puts "DONE. (Generated certificate for '#{cert.subject}')"
diff --git a/examples/ca/init_ca.rb b/examples/ca/init_ca.rb
index d9309ed..6e9fa1f 100755
--- a/examples/ca/init_ca.rb
+++ b/examples/ca/init_ca.rb
@@ -7,12 +7,29 @@ include OpenSSL
 $stdout.sync = true
+cn = ARGV.shift || 'CA'
+
+unless FileTest.exist?('private')
+ Dir.mkdir('private', 0700)
+end
+unless FileTest.exist?('newcerts')
+ Dir.mkdir('newcerts')
+end
+unless FileTest.exist?('crl')
+ Dir.mkdir('crl')
+end
+unless FileTest.exist?('serial')
+ File.open('serial', 'w') do |f|
+ f << '1'
+ end
+end
+
 print "Generating CA keypair: "
 keypair = PKey::RSA.new(CAConfig::CA_RSA_KEY_LENGTH) { putc "." }
 putc "\n"
 cert = X509::Certificate.new
-name = CAConfig::NAME.dup << ['CN','CA']
+name = CAConfig::NAME.dup << ['CN', cn]
 cert.subject = cert.issuer = X509::Name.new(name)
 cert.not_before = Time.now
 cert.not_after = Time.now + CAConfig::CA_CERT_DAYS * 24 * 60 * 60
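Review bot: The `if $OPT_noakid` branch has an empty body holding only a comment, so the structure reads as an accidental no-op; keeping the comment above a modifier form, `ex << ef.create_extension("authorityKeyIdentifier", "keyid:always,issuer:always") unless $OPT_noakid`, says the same thing without the dead branch. Because a certificate without authorityKeyIdentifier may fail path building in other validators, it would also help to print `$stderr.puts "Warning: omitting authorityKeyIdentifier (--noakid)"` when the option is set, so the deviation is visible in the run's output. The comment attributes the 'MUST' to RFC2510; that requirement is usually cited from the PKIX certificate profile (RFC 2459/3280, section 4.2.1.1) rather than RFC 2510, which covers the management protocol, so the reference is worth double-checking before it is copied into more places.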
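Review bot: The progress message `puts "Writing cert.pem..."` is now stale, since the copy target on the next line is `out_file`; change it to `puts "Writing #{out_file}..."` so the output names the file actually written. The script continues outside the hunk.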
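Review bot: The four `unless FileTest.exist?` blocks that create `private`, `newcerts`, `crl` and `serial` are repeated verbatim in the new `examples/ca/init_sub_ca.rb` in this same commit; moving them into one helper (for instance in `ca_config`, which both scripts already require) keeps the two initialisations from drifting, and the single-statement bodies read better in modifier form, e.g. `Dir.mkdir('private', 0700) unless FileTest.exist?('private')`. When `private` already exists the script reuses it without looking at its mode, so a pre-existing world-readable directory would silently hold whatever is later written under it (presumably where `CAConfig::KEYPAIR_FILE` points — confirm against ca_config); a mode check on the existing directory, or at least a comment stating the assumption, would close that gap. Note that `Dir.mkdir('private', 0700)` is still subject to the process umask, which is fine here but worth stating in the same comment.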
@@ -34,7 +51,7 @@ cert.add_extension(ext0)
 cert.sign(keypair, Digest::SHA1.new)
 keypair_file = CAConfig::KEYPAIR_FILE
-puts "Writing #{keypair}."
+puts "Writing keypair."
 File.open(keypair_file, "w", 0400) do |f|
 f << keypair.export(Cipher::DES.new(:EDE3, :CBC), &CAConfig::PASSWD_CB)
 end
diff --git a/examples/ca/init_sub_ca.rb b/examples/ca/init_sub_ca.rb
new file mode 100755
index 0000000..6cb27d3
--- /dev/null
+++ b/examples/ca/init_sub_ca.rb
@@ -0,0 +1,51 @@
+#!/usr/bin/env ruby
+
+require 'openssl'
+require 'ca_config'
+require 'getopts'
+
+include OpenSSL
+
+$stdout.sync = true
+
+getopts nil, "csrout:"
+csrout = $OPT_csrout || "csr.pem"
+
+unless FileTest.exist?('private')
+ Dir.mkdir('private', 0700)
+end
+unless FileTest.exist?('newcerts')
+ Dir.mkdir('newcerts')
+end
+unless FileTest.exist?('crl')
+ Dir.mkdir('crl')
+end
+unless FileTest.exist?('serial')
+ File.open('serial', 'w') do |f|
+ f << '1'
+ end
+end
+
+print "Generating CA keypair: "
+keypair = PKey::RSA.new(CAConfig::CA_RSA_KEY_LENGTH) { putc "." }
+putc "\n"
+
+keypair_file = CAConfig::KEYPAIR_FILE
+puts "Writing keypair."
+File.open(keypair_file, "w", 0400) do |f|
+ f << keypair.export(Cipher::DES.new(:EDE3, :CBC), &CAConfig::PASSWD_CB)
+end
+
+name = CAConfig::NAME.dup << ['CN','Sub CA']
+
+puts "Generating CSR for #{name.inspect}"
+
+req = X509::Request.new
+req.subject = X509::Name.new(name)
+req.public_key = keypair.public_key
+req.sign(keypair, Digest::SHA1.new)
+
+puts "Writing #{csrout}..."
+File.open(csrout, "w") do |f|
+ f << req.to_pem
+end
|
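Review bot: `puts "Writing keypair."` drops the file name even though `keypair_file` is assigned on the line above and the new `init_sub_ca.rb` prints `"Writing #{csrout}..."`; for consistency use `puts "Writing #{keypair_file}."`. The removed line interpolated the `PKey::RSA` object itself; if `to_s` on that class was already an alias for `export` in this version, as it is in later ones, the old message dumped the unencrypted private key to stdout, which is worth recording in the ChangeLog entry so anyone who ran the old script knows to check their terminal logs.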
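Review bot: The sub-CA common name is hard-coded as `['CN','Sub CA']` although `init_ca.rb` in the same commit gains `cn = ARGV.shift || 'CA'`; following the same pattern here, `cn = ARGV.shift || 'Sub CA'` after the `getopts` call and `name = CAConfig::NAME.dup << ['CN', cn]`, keeps the two scripts consistent and avoids every sub-CA request carrying the same subject. The script has no `usage` and never checks `ARGV.empty?` after `getopts`, so stray arguments are ignored silently, unlike `gen_cert.rb`. The keypair is written to `keypair_file` before the CSR is signed, so a failure in the later `req.sign` leaves a key on disk with no matching request; a short header comment stating that re-running the script regenerates the key would make that behaviour explicit. Both this script and `init_ca.rb` sign with `Digest::SHA1`, which was standard when this was written; a header note that the digest should be raised where the bindings allow it helps later readers.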