view ui/tests/data/NOTES @ 648:e41a2537b84d
Implement root installation
We now iterate over all users that do not obviously have their
login shell disabled and look for NSS directories in their home
directory, dropping our privileges to do so.
author:   Andre Heinecke <andre.heinecke@intevation.de>
date:     Wed, 25 Jun 2014 12:44:47 +0200
parents:  be30d50bc4f0
children: f56c4869aa18
Testkeys were created with:

openssl genrsa -out testkey-priv.pem 3072
openssl rsa -in testkey-priv.pem -out testkey-pub.pem -outform PEM -pubout

Certificate List was created manually and contains:

PCA-1-Verwaltung-08
Intevation-Email-CA-2013
Intevation-Server-CA-2010

Test files created with:

echo -e S:$(openssl dgst -sha256 -sign testkey-priv.pem < list-valid.txt | base64 -w0)\\r > list-valid-signed.txt
cat list-valid.txt >> list-valid-signed.txt

echo -e S:$(openssl dgst -sha256 -sign testkey-priv.pem < list-valid-updated.txt | base64 -w0)\\r > list-valid-updated-signed.txt
cat list-valid-updated.txt >> list-valid-updated-signed.txt

echo -e S:$(openssl dgst -sha256 -sign testkey-other.pem < list-valid.txt | base64 -w0)\\r > list-valid-other-signature.txt
cat list-valid.txt >> list-valid-other-signature.txt

echo -e S:$(openssl dgst -sha1 -sign testkey-other.pem < list-valid.txt | base64 -w0)\\r > list-valid-sha1-signature.txt
cat list-valid.txt >> list-valid-sha1-signature.txt

cp list-valid-signed.txt list-invalid-signed.txt
tail -1 list-valid.txt >> list-invalid-signed.txt

# To create test data for something you might want to release
PRIVKEY=...
echo -e S:$(openssl dgst -sha256 -sign $PRIVKEY < list-valid.txt | base64 -w0)\\r > list-valid-signed-release.txt
cat list-valid.txt >> list-valid-signed-release.txt

# List with 0 created manually by placing a \0 in the signature

# Test server certificate:
gen_key type=ec ec_curve=brainpoolP256r1 filename=valid_ssl_bp.key
cert_write issuer_name=CN=127.0.0.1,O=Intevation\\ Test,C=DE \
    selfsign=1 issuer_key=valid_ssl_bp.key \
    not_before=20130101000000 not_after=20301231235959 \
    is_ca=1 max_pathlen=0 output_file=valid_ssl_bp.pem
cat valid_ssl_bp.key >> valid_ssl_bp.pem

gen_key filename=valid_ssl_rsa.key
cert_write issuer_name=CN=127.0.0.1,O=Do_Not_Trust_Test,C=DE \
    selfsign=1 issuer_key=valid_ssl_rsa.key \
    not_before=20130101000000 not_after=20151231235959 \
    is_ca=1 max_pathlen=0 output_file=valid_ssl_rsa.pem
cat valid_ssl_rsa.key >> valid_ssl_rsa.pem

# Test list certificates (using the rsa key)
for i in {1..30}
do
    gen_key filename=valid_ssl_rsa.key
    cert_write issuer_name=CN=TestRootCA$i,O=Do_Not_Trust_Test,C=DE \
        selfsign=1 issuer_key=valid_ssl_rsa.key \
        not_before=20130101000000 not_after=20151231235959 \
        is_ca=1 max_pathlen=0 output_file=valid_ssl_rsa.pem
    CERT=$(cat valid_ssl_rsa.pem | grep -v "\-\-\-\-" | tr -d "\\n")
    echo -e I:${CERT}\\r >> list-valid.txt
done

for i in {1..15}
do
    gen_key filename=valid_ssl_rsa.key
    cert_write issuer_name=CN=TestRootCADelete$i,O=Do_Not_Trust_Test,C=DE \
        selfsign=1 issuer_key=valid_ssl_rsa.key \
        not_before=20130101000000 not_after=20151231235959 \
        is_ca=1 max_pathlen=0 output_file=valid_ssl_rsa.pem
    CERT=$(cat valid_ssl_rsa.pem | grep -v "\-\-\-\-" | tr -d "\\n")
    echo -e R:${CERT}\\r >> list-valid.txt
done

cp list-valid.txt list-valid-updated.txt

for i in {1..5}
do
    gen_key filename=valid_ssl_rsa.key
    cert_write issuer_name=CN=New_Certificate_$i,O=Do_Not_Trust_Test,C=DE \
        selfsign=1 issuer_key=valid_ssl_rsa.key \
        not_before=20130101000000 not_after=20151231235959 \
        is_ca=1 max_pathlen=0 output_file=valid_ssl_rsa.pem
    CERT=$(cat valid_ssl_rsa.pem | grep -v "\-\-\-\-" | tr -d "\\n")
    echo -e I:${CERT}\\r >> list-valid-updated.txt
done

# Date adjusted manually and Intevation root CA added as an R: entry

# NSS
mkdir nss
certutil -d nss -A -i valid_ssl_rsa.pem -n "test" -t c,C
certutil -d nss -D -n "test"

# Code signing
mkdir codesign
cd codesign

# Root CA
gen_key filename=codesigning_root.key
cert_write issuer_name="CN=Public TrustBridge Test,O=Public secret do not trust this,C=DE" \
    selfsign=1 issuer_key=codesigning_root.key \
    not_before=20130101000000 not_after=20151231235959 \
    is_ca=1 max_pathlen=0 output_file=codesigning_root.pem

# Codesign cert
gen_key filename=codesigning.key
cert_req filename=codesigning.key output_file=codesigning.csr \
    subject_name="CN=Public TrustBridge codesigning test,O=Public secret do not trust this,C=DE" \
    key_usage=digital_signature \
    ns_cert_type=object_signing

# Sign it:
cert_write request_file=codesigning.csr issuer_crt=codesigning_root.pem \
    issuer_key=codesigning_root.key output_file=codesigning.pem \
    not_before=20130101000000 not_after=20151231235959 \
    key_usage=digital_signature \
    ns_cert_type=object_signing

osslsigncode sign -certs codesigning.pem -key codesigning.key \
    -n "TrustBridgeTest" -i https://wald.intevation.org/projects/trustbridge/ \
    -h sha256 \
    -in ~/ubuntu/src/m13-repo/build-windows/TrustBridge-0.6+21-aee3eb10bbba.exe \
    -out TrustBridge-0.6+21-aee3eb10bbba-signed.exe

# Different test certificates.
gen_key filename=codesigning-other.key
cert_req filename=codesigning-other.key output_file=codesigning-other.csr \
    subject_name="CN=Public TrustBridge codesigning test,O=Public secret do not trust this,C=DE" \
    key_usage=digital_signature \
    ns_cert_type=object_signing

cert_write request_file=codesigning-other.csr issuer_crt=codesigning_root.pem \
    issuer_key=codesigning_root.key output_file=codesigning-other.pem \
    not_before=20130101000000 not_after=20151231235959 \
    key_usage=digital_signature \
    ns_cert_type=object_signing
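As an added example (not part of the NOTES file or of the TrustBridge project), a POSIX shell checker for the signed-list files built above: line 1 is S:<base64 RSA signature>\r\n and the signature covers exactly the list that `cat` appends after it, so a verifier must strip the header and check the remainder with the public key. It assumes the openssl CLI is on PATH; `sign_list` reproduces the notes' construction with printf instead of echo -e, and the test re-creates the list-valid-signed.txt, list-invalid-signed.txt (extra trailing line) and list-valid-sha1-signature.txt cases with a freshly generated key.

```shell
#!/bin/sh
# Added example, not the project's own code.
# Signed-list layout as produced in the notes:
#   line 1 : S:<base64 of RSA signature over the list>\r\n
#   rest   : the I:/R: list itself, appended verbatim with cat
# Assumes the openssl CLI is available.

# sign_list PRIVKEY DIGEST LIST OUT  -- e.g. sign_list testkey-priv.pem -sha256 list-valid.txt out.txt
sign_list() {
    sig=$(openssl dgst "$2" -sign "$1" < "$3" | base64 | tr -d '\n') || return 2
    printf 'S:%s\r\n' "$sig" > "$4"
    cat "$3" >> "$4"
}

# verify_signed_list FILE PUBKEY  -- 0 if the header carries a valid SHA-256 RSA signature
# over everything after the header, 1 if the signature does not match, 2 if the file is malformed
verify_signed_list() {
    hdr=$(head -n 1 "$1" | tr -d '\r')
    case "$hdr" in S:?*) ;; *) return 2 ;; esac    # no S: header, or an empty signature
    tmp=$(mktemp -d) || return 2
    rc=1
    if printf '%s' "${hdr#S:}" | base64 -d > "$tmp/sig.bin" 2>/dev/null &&
       tail -n +2 "$1" > "$tmp/body" &&
       openssl dgst -sha256 -verify "$2" -signature "$tmp/sig.bin" "$tmp/body" >/dev/null 2>&1
    then
        rc=0
    fi
    rm -rf "$tmp"
    return $rc
}

# Usage: sh verify_list.sh list-valid-signed.txt testkey-pub.pem
if [ "$#" -eq 2 ]; then
    if verify_signed_list "$1" "$2"; then echo "signature OK"; else echo "signature INVALID"; fi
fi
```

A SHA-1 signature (list-valid-sha1-signature.txt) fails here because the verifier pins the digest to SHA-256 rather than trusting anything the file claims.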