view ui/tests/data/NOTES @ 1119:5349e2354c48

(issue54) Merge branch runafterinstall There is now an NSIS Plugin that executes the Software after installation using COM in the shell of the current user. With the way over the shell there is no inheritance / token management required. As it is impossible to drop all privileges of a token granted by UAC and still be able to reelevate the Token again with another RunAs call later this round trip over the Shell was necessary.
author Andre Heinecke <andre.heinecke@intevation.de>
date Tue, 16 Sep 2014 19:48:22 +0200
parents 7191addd8a53
children 4a3a482dc337
line wrap: on
line source
Testkeys were created with:
    openssl genrsa -out testkey-priv.pem 3072
    openssl rsa -in testkey-priv.pem -out testkey-pub.pem -outform PEM -pubout


Certificate List was created manually and contains:
    PCA-1-Verwaltung-08
    Intevation-Email-CA-2013
    Intevation-Server-CA-2010

Test files created with:

    echo -e S:$(openssl dgst -sha256 -sign testkey-priv.pem < list-valid.txt | base64 -w0)\\r > list-valid-signed.txt
    cat list-valid.txt >> list-valid-signed.txt
    echo -e S:$(openssl dgst -sha256 -sign testkey-priv.pem < list-valid-updated.txt | base64 -w0)\\r > list-valid-updated-signed.txt
    cat list-valid-updated.txt >> list-valid-updated-signed.txt
    echo -e S:$(openssl dgst -sha256 -sign testkey-other.pem < list-valid.txt | base64 -w0)\\r > list-valid-other-signature.txt
    cat list-valid.txt >> list-valid-other-signature.txt
    echo -e S:$(openssl dgst -sha1 -sign testkey-other.pem < list-valid.txt | base64 -w0)\\r > list-valid-sha1-signature.txt
    cat list-valid.txt >> list-valid-sha1-signature.txt
    cp list-valid-signed.txt list-invalid-signed.txt
    tail -1 list-valid.txt >> list-invalid-signed.txt

    # To create test data for something you might want to release

    PRIVKEY=...
    echo -e S:$(openssl dgst -sha256 -sign $PRIVKEY < list-valid.txt | base64 -w0)\\r > list-valid-signed-release.txt
    cat list-valid.txt >> list-valid-signed-release.txt

# List with 0 created manually by placing a \0 in the signature

# Test server certificate:

    gen_key type=ec ec_curve=brainpoolP256r1 filename=valid_ssl_bp.key
    cert_write issuer_name=CN=127.0.0.1,O=Intevation\\ Test,C=DE \
    selfsign=1 issuer_key=valid_ssl_bp.key \
    not_before=20130101000000 not_after=20301231235959 \
    is_ca=1 max_pathlen=0 output_file=valid_ssl_bp.pem
    cat valid_ssl_bp.key >> valid_ssl_bp.pem

    gen_key filename=valid_ssl_rsa.key
    cert_write issuer_name=CN=127.0.0.1,O=Do_Not_Trust_Test,C=DE \
    selfsign=1 issuer_key=valid_ssl_rsa.key \
    not_before=20130101000000 not_after=20151231235959 \
    is_ca=1 max_pathlen=0 output_file=valid_ssl_rsa.pem
    cat valid_ssl_rsa.key >> valid_ssl_rsa.pem

# Test list certificates (using the rsa key)

for i in {1..30}
do
    gen_key filename=valid_ssl_rsa.key
    cert_write issuer_name=CN=TestRootCA$i,O=Do_Not_Trust_Test,C=DE \
    selfsign=1 issuer_key=valid_ssl_rsa.key \
    not_before=20130101000000 not_after=20151231235959 \
    is_ca=1 max_pathlen=0 output_file=valid_ssl_rsa.pem
    CERT=$(cat valid_ssl_rsa.pem | grep -v "\-\-\-\-" | tr -d "\\n")
    echo -e I:${CERT}\\r >> list-valid.txt
done

for i in {1..15}
do
    gen_key filename=valid_ssl_rsa.key
    cert_write issuer_name=CN=TestRootCADelete$i,O=Do_Not_Trust_Test,C=DE \
    selfsign=1 issuer_key=valid_ssl_rsa.key \
    not_before=20130101000000 not_after=20151231235959 \
    is_ca=1 max_pathlen=0 output_file=valid_ssl_rsa.pem
    CERT=$(cat valid_ssl_rsa.pem | grep -v "\-\-\-\-" | tr -d "\\n")
    echo -e R:${CERT}\\r >> list-valid.txt
done

cp list-valid.txt list-valid-updated.txt
for i in {1..5}
do
    gen_key filename=valid_ssl_rsa.key
    cert_write issuer_name=CN=New_Certificate_$i,O=Do_Not_Trust_Test,C=DE \
    selfsign=1 issuer_key=valid_ssl_rsa.key \
    not_before=20130101000000 not_after=20151231235959 \
    is_ca=1 max_pathlen=0 output_file=valid_ssl_rsa.pem
    CERT=$(cat valid_ssl_rsa.pem | grep -v "\-\-\-\-" | tr -d "\\n")
    echo -e I:${CERT}\\r >> list-valid-updated.txt
done
# Datum manuell angepasst und intevation root ca zu R: hinzugefuegt


# NSS
mkdir nss
certutil -d nss -A -i valid_ssl_rsa.pem -n "test" -t c,C
certutil -d nss -D -n "test"

# Code signing
mkdir codesign
cd codesign
# Root CA
gen_key filename=codesigning_root.key
cert_write issuer_name="CN=Public TrustBridge Test,O=Public secret do not trust this,C=DE" \
selfsign=1 issuer_key=codesigning_root.key \
not_before=20130101000000 not_after=20151231235959 \
is_ca=1 max_pathlen=0 output_file=codesigning_root.pem

# Codesign cert
gen_key rsa_keysize=3072 filename=codesigning.key
cert_req filename=codesigning.key output_file=codesigning.csr \
subject_name="CN=Public TrustBridge codesigning test,O=Public secret do not trust this,C=DE" \
key_usage=digital_signature \
ns_cert_type=object_signing

# Sign it:
cert_write request_file=codesigning.csr issuer_crt=codesigning_root.pem \
issuer_key=codesigning_root.key output_file=codesigning.pem \
not_before=20130101000000 not_after=20151231235959 \
key_usage=digital_signature \
ns_cert_type=object_signing

osslsigncode sign -certs codesigning.pem -key codesigning.key \
      -n "TrustBridgeTest" -i https://wald.intevation.org/projects/trustbridge/ \
      -h sha256 \
      -in ~/ubuntu/src/m13-repo/build-windows/TrustBridge-0.6+21-aee3eb10bbba.exe \
      -out TrustBridge-0.6+21-aee3eb10bbba-signed.exe

# Different test certificates.
gen_key rsa_keysize=3072 filename=codesigning-other.key
cert_req filename=codesigning-other.key output_file=codesigning-other.csr \
subject_name="CN=Public TrustBridge codesigning test,O=Public secret do not trust this,C=DE" \
key_usage=digital_signature \
ns_cert_type=object_signing

cert_write request_file=codesigning-other.csr issuer_crt=codesigning_root.pem \
issuer_key=codesigning_root.key output_file=codesigning-other.pem \
not_before=20130101000000 not_after=20151231235959 \
key_usage=digital_signature \
ns_cert_type=object_signing

# Testserver mit hiawatha
apt-get install build-essential cmake libxslt-dev libxml2-dev libz-dev

    wget https://www.hiawatha-webserver.org/files/hiawatha-9.7.tar.gz
    sha256sum hiawatha-9.7.tar.gz

e8581336883b7b963f38572f6396f8c47b43e5bedd3147d052fa3652e6c0ed86 hiawatha-9.7.tar.gz

    mkdir hiawatha-prefix
    tar -xf hiawatha-9.7.tar.gz
    cd hiawatha-9.7
    mkdir build
    cd build
    cmake .. -DCMAKE_INSTALL_PREFIX=/home/intevation/hiawatha-prefix
    make && make install

# Root CA
    gen_key filename=ssl_root.key
    cert_write issuer_name="CN=TrustBridge SSL Test CA,O=Public secret do not trust this,C=DE" \
    selfsign=1 issuer_key=ssl_root.key \
    not_before=20130101000000 not_after=20151231235959 \
    is_ca=1 max_pathlen=0 output_file=ssl_root.pem

# SSL cert
    gen_key type=ec ec_curve=brainpoolP256r1 filename=ssl-test.key
    cert_req filename=ssl-test.key output_file=ssl-test.csr \
    subject_name="CN=tb-devel.intevation.de,O=Public secret do not trust this,C=DE" \
    ns_cert_type=ssl_server

# Sign it
    cert_write request_file=ssl-test.csr issuer_crt=ssl_root.pem \
    issuer_key=ssl_root.key output_file=ssl-test.pem \
    not_before=20130101000000 not_after=20151231235959 \
    ns_cert_type=ssl_server

    cat ssl-test.pem ssl-test.key > ssl-test-combined.pem

# Kopieren des Zertifikats nach /home/intevation auf dem testserver
# Editieren von /home/intevation/hiawatha-prefix/etc/hiawatha

# Binding settings:
    Port = 44413
    SSLcertFile = /home/intevation/ssl-test-combined.pem

# Default website settings
    Hostname = thetis.intevation.de:44413
    WebsiteRoot = /home/intevation/m13-files
    StartFile = index.html

# Trustbridge download ordner nach /home/intevation/m13-files kopieren.

    screen -R server
    /home/intevation/hiawatha-prefix/sbin/hiawatha -d

http://wald.intevation.org/projects/trustbridge/