(issue114) Fine-tune ACL propagation: with mkdir_p, the ACL of the parent directories would propagate to all subdirectories and objects in the directory. Now ACL propagation is only used on the last directory, so that files we might create in that directory inherit the correct (restricted) ACL.
author Andre Heinecke <andre.heinecke@intevation.de>
date Wed, 10 Sep 2014 16:41:36 +0200
Testkeys were created with:
    # 3072-bit RSA test signing key pair (private + extracted public half).
    # The private key lives in the test-data tree by design; never reuse it
    # for anything but these fixtures.
    openssl genrsa -out testkey-priv.pem 3072
    openssl rsa -in testkey-priv.pem -out testkey-pub.pem -outform PEM -pubout


Certificate List was created manually and contains:
    PCA-1-Verwaltung-08
    Intevation-Email-CA-2013
    Intevation-Server-CA-2010

Test files created with:

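    # Signed-list layout: line 1 is "S:" + base64(RSA signature over the list
    # body, digest as given) terminated by CRLF; the list body follows verbatim.
    # printf replaces `echo -e` so the CR is emitted portably and the signature
    # is never word-split or glob-expanded. (`base64 -w0` is GNU coreutils.)
    #   $1 - private key (PEM)
    #   $2 - digest name as openssl spells it (sha256, sha1, ...)
    #   $3 - list body to sign
    #   $4 - output file (overwritten)
    # Returns non-zero, writing nothing, if the signature step fails, so a
    # broken key path cannot silently produce an "S:\r\n" fixture.
    sign_list() {
        local key=$1 digest=$2 body=$3 out=$4
        local sig
        sig=$(openssl dgst "-${digest}" -sign "$key" < "$body" | base64 -w0) || return
        printf 'S:%s\r\n' "$sig" > "$out"
        cat -- "$body" >> "$out"
    }

    # Valid signatures with the test key.
    sign_list testkey-priv.pem sha256 list-valid.txt list-valid-signed.txt
    sign_list testkey-priv.pem sha256 list-valid-updated.txt list-valid-updated-signed.txt
    # Signed with a key the verifier must not trust.
    sign_list testkey-other.pem sha256 list-valid.txt list-valid-other-signature.txt
    # NOTE(review): this fixture differs from the valid one in two ways (other
    # key AND SHA-1), so a rejection may be caused by the untrusted key rather
    # than the digest. To isolate the SHA-1 check it would have to be signed
    # with testkey-priv.pem — confirm what the test using it asserts.
    sign_list testkey-other.pem sha1 list-valid.txt list-valid-sha1-signature.txt
    # Valid signature over tampered content: the last list line is appended a
    # second time after signing, so the signature no longer matches the body.
    cp list-valid-signed.txt list-invalid-signed.txt
    tail -n 1 list-valid.txt >> list-invalid-signed.txt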

    # To create test data for something you might want to release

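    # Same layout as the test fixtures above, but signed with the real release
    # key. The key path is passed in (PRIVKEY), never written down here, and
    # must stay outside the test-data tree. Refuses to run when the key file
    # is unreadable, so a wrong path cannot yield an "S:\r\n" file that looks
    # signed.
    #   $1 - path to the release private key (PEM)
    # Writes list-valid-signed-release.txt; returns non-zero on failure.
    sign_release_list() {
        local privkey=${1:?usage: sign_release_list PRIVKEY}
        local sig
        [ -r "$privkey" ] || { printf 'sign_release_list: cannot read %s\n' "$privkey" >&2; return 1; }
        sig=$(openssl dgst -sha256 -sign "$privkey" < list-valid.txt | base64 -w0) || return
        printf 'S:%s\r\n' "$sig" > list-valid-signed-release.txt
        cat list-valid.txt >> list-valid-signed-release.txt
    }
    # PRIVKEY=/path/to/release-key.pem   (kept outside this tree)
    # sign_release_list "$PRIVKEY"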

# The list containing a NUL byte was created manually by placing a \0 inside the signature line.

# Test server certificate:

    # Self-signed test server certificates, apparently made with the
    # PolarSSL/mbed TLS sample programs gen_key / cert_write. The private key
    # is appended to the .pem, so each file is a server bundle (cert + key),
    # not a plain trust anchor — do not import it anywhere as such.
    # NOTE(review): the unquoted `\\ ` in O=Intevation\\ Test expands to a
    # backslash followed by a word break, so the shell splits the argument in
    # two; the intended value is presumably "Intevation Test" (quote the whole
    # issuer_name=... or use a single backslash). Confirm against the subject
    # actually in valid_ssl_bp.pem.
    gen_key type=ec ec_curve=brainpoolP256r1 filename=valid_ssl_bp.key
    cert_write issuer_name=CN=127.0.0.1,O=Intevation\\ Test,C=DE \
    selfsign=1 issuer_key=valid_ssl_bp.key \
    not_before=20130101000000 not_after=20301231235959 \
    is_ca=1 max_pathlen=0 output_file=valid_ssl_bp.pem
    cat valid_ssl_bp.key >> valid_ssl_bp.pem

    # RSA variant with gen_key defaults. not_after is end of 2015, so this
    # certificate has expired; tests that need a currently valid certificate
    # must regenerate it or verify against a fixed clock (TODO confirm which
    # tests depend on validity). Note that the loops further down reuse the
    # names valid_ssl_rsa.key / valid_ssl_rsa.pem and overwrite these files.
    gen_key filename=valid_ssl_rsa.key
    cert_write issuer_name=CN=127.0.0.1,O=Do_Not_Trust_Test,C=DE \
    selfsign=1 issuer_key=valid_ssl_rsa.key \
    not_before=20130101000000 not_after=20151231235959 \
    is_ca=1 max_pathlen=0 output_file=valid_ssl_rsa.pem
    cat valid_ssl_rsa.key >> valid_ssl_rsa.pem

# Test list certificates (using the rsa key)

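# Helper for the list fixtures below: generate a fresh self-signed test CA
# (gen_key / cert_write as above) and append it to LIST as one
# "TAG:<base64 DER>\r\n" line — the PEM body with the -----BEGIN/END-----
# armor lines and line breaks stripped.
#   $1 - entry tag: I (install) or R (remove)
#   $2 - subject common name
#   $3 - list file to append to
# Scratch files: every call overwrites valid_ssl_rsa.key / valid_ssl_rsa.pem,
# so the server bundle generated under those names earlier no longer exists
# once these loops have run; regenerate it afterwards if it is needed.
# not_after is end of 2015: all of these certificates have expired (TODO
# confirm whether any test depends on them being currently valid).
add_list_cert() {
    local tag=$1 cn=$2 list=$3
    local der
    gen_key filename=valid_ssl_rsa.key
    cert_write issuer_name="CN=${cn},O=Do_Not_Trust_Test,C=DE" \
    selfsign=1 issuer_key=valid_ssl_rsa.key \
    not_before=20130101000000 not_after=20151231235959 \
    is_ca=1 max_pathlen=0 output_file=valid_ssl_rsa.pem
    # `--` so grep does not read the dashes as an option; tr joins the base64.
    der=$(grep -v -- '----' valid_ssl_rsa.pem | tr -d '\n')
    printf '%s:%s\r\n' "$tag" "$der" >> "$list"
}

# 30 install entries ...
for i in {1..30}; do
    add_list_cert I "TestRootCA${i}" list-valid.txt
done

# ... and 15 remove entries. NOTE(review): these are fresh certificates that
# this recipe never installs anywhere — presumably the tests pre-install them
# or only parse the entries; confirm.
for i in {1..15}; do
    add_list_cert R "TestRootCADelete${i}" list-valid.txt
done

# Updated list = the valid list plus 5 further install entries.
cp list-valid.txt list-valid-updated.txt
for i in {1..5}; do
    add_list_cert I "New_Certificate_${i}" list-valid-updated.txt
done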
# Date adjusted manually and the Intevation root CA added as an R: (remove) entry.


# NSS
# Import whatever certificate valid_ssl_rsa.pem currently holds (the last
# cert_write above overwrote it) into a new NSS database under nss/ with
# trust flags "c,C", then delete it again. The net result is an initialized
# NSS database directory without that certificate; presumably the fixture
# only needs the database files to exist — confirm with the NSS tests.
mkdir nss
certutil -d nss -A -i valid_ssl_rsa.pem -n "test" -t c,C
certutil -d nss -D -n "test"

# Code signing
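# Code-signing fixtures (Authenticode signing via osslsigncode). Everything
# here is test-only: the CA and leaf private keys sit next to the certificates
# in the test-data tree and the subjects say so ("do not trust this").
mkdir codesign
# Abort if the directory cannot be entered; otherwise every key and
# certificate below would be written into the parent test-data directory.
cd codesign || exit 1

# Root CA. max_pathlen=0 so it can only issue end-entity certificates.
# not_after is end of 2015: the whole chain has expired, so signature checks
# that require a currently valid chain need regenerated fixtures or a fixed
# verification time (TODO confirm what the tests expect).
gen_key filename=codesigning_root.key
cert_write issuer_name="CN=Public TrustBridge Test,O=Public secret do not trust this,C=DE" \
selfsign=1 issuer_key=codesigning_root.key \
not_before=20130101000000 not_after=20151231235959 \
is_ca=1 max_pathlen=0 output_file=codesigning_root.pem

# Code-signing leaf: 3072-bit RSA, digitalSignature + Netscape object_signing.
gen_key rsa_keysize=3072 filename=codesigning.key
cert_req filename=codesigning.key output_file=codesigning.csr \
subject_name="CN=Public TrustBridge codesigning test,O=Public secret do not trust this,C=DE" \
key_usage=digital_signature \
ns_cert_type=object_signing

# Issue it from the test root.
cert_write request_file=codesigning.csr issuer_crt=codesigning_root.pem \
issuer_key=codesigning_root.key output_file=codesigning.pem \
not_before=20130101000000 not_after=20151231235959 \
key_usage=digital_signature \
ns_cert_type=object_signing

# Sign a build with a SHA-256 digest. The -in path points at a local build
# tree, so this step is not reproducible from the recipe alone.
osslsigncode sign -certs codesigning.pem -key codesigning.key \
      -n "TrustBridgeTest" -i https://wald.intevation.org/projects/trustbridge/ \
      -h sha256 \
      -in ~/ubuntu/src/m13-repo/build-windows/TrustBridge-0.6+21-aee3eb10bbba.exe \
      -out TrustBridge-0.6+21-aee3eb10bbba-signed.exe

# Second leaf with the *same* subject but a different key, issued by the
# same root. NOTE(review): presumably used to check that verification binds
# to the certificate/key rather than to the subject name — confirm in the
# tests that consume it.
gen_key rsa_keysize=3072 filename=codesigning-other.key
cert_req filename=codesigning-other.key output_file=codesigning-other.csr \
subject_name="CN=Public TrustBridge codesigning test,O=Public secret do not trust this,C=DE" \
key_usage=digital_signature \
ns_cert_type=object_signing

cert_write request_file=codesigning-other.csr issuer_crt=codesigning_root.pem \
issuer_key=codesigning_root.key output_file=codesigning-other.pem \
not_before=20130101000000 not_after=20151231235959 \
key_usage=digital_signature \
ns_cert_type=object_signing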

http://wald.intevation.org/projects/trustbridge/