view ui/tests/data/NOTES @ 1375:341f79090de2

Notes about using a different certificate for codesigning
author Andre Heinecke <andre.heinecke@intevation.de>
date Thu, 04 Dec 2014 13:19:11 +0100
parents 4a3a482dc337
children
line wrap: on
line source
Testkeys were created with:
    openssl genrsa -out testkey-priv.pem 3072
    openssl rsa -in testkey-priv.pem -out testkey-pub.pem -outform PEM -pubout


Certificate List was created manually and contains:
    PCA-1-Verwaltung-08
    Intevation-Email-CA-2013
    Intevation-Server-CA-2010

Test files created with:

    echo -e S:$(openssl dgst -sha256 -sign testkey-priv.pem < list-valid.txt | base64 -w0)\\r > list-valid-signed.txt
    cat list-valid.txt >> list-valid-signed.txt
    echo -e S:$(openssl dgst -sha256 -sign testkey-priv.pem < list-valid-updated.txt | base64 -w0)\\r > list-valid-updated-signed.txt
    cat list-valid-updated.txt >> list-valid-updated-signed.txt
    echo -e S:$(openssl dgst -sha256 -sign testkey-other.pem < list-valid.txt | base64 -w0)\\r > list-valid-other-signature.txt
    cat list-valid.txt >> list-valid-other-signature.txt
    echo -e S:$(openssl dgst -sha1 -sign testkey-other.pem < list-valid.txt | base64 -w0)\\r > list-valid-sha1-signature.txt
    cat list-valid.txt >> list-valid-sha1-signature.txt
    cp list-valid-signed.txt list-invalid-signed.txt
    tail -1 list-valid.txt >> list-invalid-signed.txt

    # To create test data for something you might want to release

    PRIVKEY=...
    echo -e S:$(openssl dgst -sha256 -sign $PRIVKEY < list-valid.txt | base64 -w0)\\r > list-valid-signed-release.txt
    cat list-valid.txt >> list-valid-signed-release.txt

# List with 0 created manually by placing a \0 in the signature

# Test server certificate:

    gen_key type=ec ec_curve=brainpoolP256r1 filename=valid_ssl_bp.key
    cert_write issuer_name=CN=127.0.0.1,O=Intevation\\ Test,C=DE \
    selfsign=1 issuer_key=valid_ssl_bp.key \
    not_before=20130101000000 not_after=20301231235959 \
    is_ca=1 max_pathlen=0 output_file=valid_ssl_bp.pem
    cat valid_ssl_bp.key >> valid_ssl_bp.pem

    gen_key filename=valid_ssl_rsa.key
    cert_write issuer_name=CN=127.0.0.1,O=Do_Not_Trust_Test,C=DE \
    selfsign=1 issuer_key=valid_ssl_rsa.key \
    not_before=20130101000000 not_after=20151231235959 \
    is_ca=1 max_pathlen=0 output_file=valid_ssl_rsa.pem
    cat valid_ssl_rsa.key >> valid_ssl_rsa.pem

# Test list certificates (using the rsa key)

for i in {1..30}
do
    gen_key filename=valid_ssl_rsa.key
    cert_write issuer_name=CN=TestRootCA$i,O=Do_Not_Trust_Test,C=DE \
    selfsign=1 issuer_key=valid_ssl_rsa.key \
    not_before=20130101000000 not_after=20151231235959 \
    is_ca=1 max_pathlen=0 output_file=valid_ssl_rsa.pem
    CERT=$(cat valid_ssl_rsa.pem | grep -v "\-\-\-\-" | tr -d "\\n")
    echo -e I:${CERT}\\r >> list-valid.txt
done

for i in {1..15}
do
    gen_key filename=valid_ssl_rsa.key
    cert_write issuer_name=CN=TestRootCADelete$i,O=Do_Not_Trust_Test,C=DE \
    selfsign=1 issuer_key=valid_ssl_rsa.key \
    not_before=20130101000000 not_after=20151231235959 \
    is_ca=1 max_pathlen=0 output_file=valid_ssl_rsa.pem
    CERT=$(cat valid_ssl_rsa.pem | grep -v "\-\-\-\-" | tr -d "\\n")
    echo -e R:${CERT}\\r >> list-valid.txt
done

cp list-valid.txt list-valid-updated.txt
for i in {1..5}
do
    gen_key filename=valid_ssl_rsa.key
    cert_write issuer_name=CN=New_Certificate_$i,O=Do_Not_Trust_Test,C=DE \
    selfsign=1 issuer_key=valid_ssl_rsa.key \
    not_before=20130101000000 not_after=20151231235959 \
    is_ca=1 max_pathlen=0 output_file=valid_ssl_rsa.pem
    CERT=$(cat valid_ssl_rsa.pem | grep -v "\-\-\-\-" | tr -d "\\n")
    echo -e I:${CERT}\\r >> list-valid-updated.txt
done
# Datum manuell angepasst und intevation root ca zu R: hinzugefuegt


# NSS
mkdir nss
certutil -d nss -A -i valid_ssl_rsa.pem -n "test" -t c,C
certutil -d nss -D -n "test"

# Code signing
mkdir codesign
cd codesign
# Root CA
gen_key filename=codesigning_root.key
cert_write issuer_name="CN=Public TrustBridge Test,O=Public secret do not trust this,C=DE" \
selfsign=1 issuer_key=codesigning_root.key \
not_before=20130101000000 not_after=20151231235959 \
is_ca=1 max_pathlen=0 output_file=codesigning_root.pem

# Codesign cert
gen_key rsa_keysize=3072 filename=codesigning.key
cert_req filename=codesigning.key output_file=codesigning.csr \
subject_name="CN=Public TrustBridge codesigning test,O=Public secret do not trust this,C=DE" \
key_usage=digital_signature \
ns_cert_type=object_signing

# Sign it:
cert_write request_file=codesigning.csr issuer_crt=codesigning_root.pem \
issuer_key=codesigning_root.key output_file=codesigning.pem \
not_before=20130101000000 not_after=20151231235959 \
key_usage=digital_signature \
ns_cert_type=object_signing

osslsigncode sign -certs codesigning.pem -key codesigning.key \
      -n "TrustBridgeTest" -i https://wald.intevation.org/projects/trustbridge/ \
      -h sha256 \
      -in ~/ubuntu/src/m13-repo/build-windows/TrustBridge-0.6+21-aee3eb10bbba.exe \
      -out TrustBridge-0.6+21-aee3eb10bbba-signed.exe

# Different test certificates.
gen_key rsa_keysize=3072 filename=codesigning-other.key
cert_req filename=codesigning-other.key output_file=codesigning-other.csr \
subject_name="CN=Public TrustBridge codesigning test,O=Public secret do not trust this,C=DE" \
key_usage=digital_signature \
ns_cert_type=object_signing

cert_write request_file=codesigning-other.csr issuer_crt=codesigning_root.pem \
issuer_key=codesigning_root.key output_file=codesigning-other.pem \
not_before=20130101000000 not_after=20151231235959 \
key_usage=digital_signature \
ns_cert_type=object_signing

# Testserver mit hiawatha
apt-get install build-essential cmake libxslt-dev libxml2-dev libz-dev

    curl -O https://www.hiawatha-webserver.org/files/hiawatha-9.7.tar.gz
    sha256sum hiawatha-9.7.tar.gz

e8581336883b7b963f38572f6396f8c47b43e5bedd3147d052fa3652e6c0ed86 hiawatha-9.7.tar.gz

    mkdir hiawatha-prefix
    tar -xf hiawatha-9.7.tar.gz
    cd hiawatha-9.7
    mkdir build
    cd build
    cmake .. -DCMAKE_INSTALL_PREFIX=/home/intevation/hiawatha-prefix
    make && make install

# Root CA
    gen_key filename=ssl_root.key
    cert_write issuer_name="CN=TrustBridge SSL Test CA,O=Public secret do not trust this,C=DE" \
    selfsign=1 issuer_key=ssl_root.key \
    not_before=20130101000000 not_after=20151231235959 \
    is_ca=1 max_pathlen=0 output_file=ssl_root.pem

# SSL cert
    gen_key type=ec ec_curve=brainpoolP256r1 filename=ssl-test.key
    cert_req filename=ssl-test.key output_file=ssl-test.csr \
    subject_name="CN=tb-devel.intevation.de,O=Public secret do not trust this,C=DE" \
    ns_cert_type=ssl_server

# Sign it
    cert_write request_file=ssl-test.csr issuer_crt=ssl_root.pem \
    issuer_key=ssl_root.key output_file=ssl-test.pem \
    not_before=20130101000000 not_after=20151231235959 \
    ns_cert_type=ssl_server

    cat ssl-test.pem ssl-test.key > ssl-test-combined.pem

# Kopieren des Zertifikats nach /home/intevation auf dem testserver
# Editieren von /home/intevation/hiawatha-prefix/etc/hiawatha

# Binding settings:
    Port = 44413
    SSLcertFile = /home/intevation/ssl-test-combined.pem

# Default website settings
    Hostname = thetis.intevation.de:44413
    WebsiteRoot = /home/intevation/m13-files
    StartFile = index.html

# Trustbridge download ordner nach /home/intevation/m13-files kopieren.

    screen -R server
    /home/intevation/hiawatha-prefix/sbin/hiawatha -d


# Bestimmten schlüssel für codesigning verwenden:
    cd ui/tests/data/codesign
# Auch angenommen das er unter codesigning.key abgelegt ist ansonsten
# muss man noch in der Test CMakeList und den Buildscripten zur signatur
# den Pfad ändern.

# Request mit externem schluessel
    cert_req filename=codesigning.key output_file=codesigning-ext.csr \
    subject_name="CN=TrustBridge codesigning ext test,O=Do not trust this,C=DE" \
    key_usage=digital_signature \
    ns_cert_type=object_signing

# Sign it:
    cert_write request_file=codesigning-ext.csr issuer_crt=codesigning_root.pem \
    issuer_key=codesigning_root.key output_file=codesigning.pem \
    not_before=20130101000000 not_after=20151231235959 \
    key_usage=digital_signature \
    ns_cert_type=object_signing

    cat codesigning.pem codesigning-ext.key > codesigning-combined.pem

    common/pubkey-test.pem anpassen mit ensprechendem zertifikat.
    --> Reinkopieren und markieren(inklusive begin und end zeile): :!wc
    --> Als size eintragen
    --> :'<,'>s/^/"/
    --> :'<,'>s/$/\\n"/
    --> make && make test

http://wald.intevation.org/projects/trustbridge/