Mercurial > trustbridge
view ui/tests/data/NOTES @ 758:f56c4869aa18
Switch to 3072 bit RSA keys for codesigning as specified.
| author | Andre Heinecke <andre.heinecke@intevation.de> |
|---|---|
| date | Mon, 07 Jul 2014 18:34:55 +0200 |
| parents | be30d50bc4f0 |
| children | 7191addd8a53 |
line wrap: on
line source
Testkeys were created with: openssl genrsa -out testkey-priv.pem 3072 openssl rsa -in testkey-priv.pem -out testkey-pub.pem -outform PEM -pubout Certificate List was created manually and contains: PCA-1-Verwaltung-08 Intevation-Email-CA-2013 Intevation-Server-CA-2010 Test files created with: echo -e S:$(openssl dgst -sha256 -sign testkey-priv.pem < list-valid.txt | base64 -w0)\\r > list-valid-signed.txt cat list-valid.txt >> list-valid-signed.txt echo -e S:$(openssl dgst -sha256 -sign testkey-priv.pem < list-valid-updated.txt | base64 -w0)\\r > list-valid-updated-signed.txt cat list-valid-updated.txt >> list-valid-updated-signed.txt echo -e S:$(openssl dgst -sha256 -sign testkey-other.pem < list-valid.txt | base64 -w0)\\r > list-valid-other-signature.txt cat list-valid.txt >> list-valid-other-signature.txt echo -e S:$(openssl dgst -sha1 -sign testkey-other.pem < list-valid.txt | base64 -w0)\\r > list-valid-sha1-signature.txt cat list-valid.txt >> list-valid-sha1-signature.txt cp list-valid-signed.txt list-invalid-signed.txt tail -1 list-valid.txt >> list-invalid-signed.txt # To create test data for something you might want to release PRIVKEY=... echo -e S:$(openssl dgst -sha256 -sign $PRIVKEY < list-valid.txt | base64 -w0)\\r > list-valid-signed-release.txt cat list-valid.txt >> list-valid-signed-release.txt # List with 0 created manually by placing a \0 in the signature # Test server certificate: gen_key type=ec ec_curve=brainpoolP256r1 filename=valid_ssl_bp.key cert_write issuer_name=CN=127.0.0.1,O=Intevation\\ Test,C=DE \ selfsign=1 issuer_key=valid_ssl_bp.key \ not_before=20130101000000 not_after=20301231235959 \ is_ca=1 max_pathlen=0 output_file=valid_ssl_bp.pem cat valid_ssl_bp.key >> valid_ssl_bp.pem gen_key filename=valid_ssl_rsa.key cert_write issuer_name=CN=127.0.0.1,O=Do_Not_Trust_Test,C=DE \ selfsign=1 issuer_key=valid_ssl_rsa.key \ not_before=20130101000000 not_after=20151231235959 \ is_ca=1 max_pathlen=0 output_file=valid_ssl_rsa.pem cat valid_ssl_rsa.key >> valid_ssl_rsa.pem # Test list certificates (using the rsa key) for i in {1..30} do gen_key filename=valid_ssl_rsa.key cert_write issuer_name=CN=TestRootCA$i,O=Do_Not_Trust_Test,C=DE \ selfsign=1 issuer_key=valid_ssl_rsa.key \ not_before=20130101000000 not_after=20151231235959 \ is_ca=1 max_pathlen=0 output_file=valid_ssl_rsa.pem CERT=$(cat valid_ssl_rsa.pem | grep -v "\-\-\-\-" | tr -d "\\n") echo -e I:${CERT}\\r >> list-valid.txt done for i in {1..15} do gen_key filename=valid_ssl_rsa.key cert_write issuer_name=CN=TestRootCADelete$i,O=Do_Not_Trust_Test,C=DE \ selfsign=1 issuer_key=valid_ssl_rsa.key \ not_before=20130101000000 not_after=20151231235959 \ is_ca=1 max_pathlen=0 output_file=valid_ssl_rsa.pem CERT=$(cat valid_ssl_rsa.pem | grep -v "\-\-\-\-" | tr -d "\\n") echo -e R:${CERT}\\r >> list-valid.txt done cp list-valid.txt list-valid-updated.txt for i in {1..5} do gen_key filename=valid_ssl_rsa.key cert_write issuer_name=CN=New_Certificate_$i,O=Do_Not_Trust_Test,C=DE \ selfsign=1 issuer_key=valid_ssl_rsa.key \ not_before=20130101000000 not_after=20151231235959 \ is_ca=1 max_pathlen=0 output_file=valid_ssl_rsa.pem CERT=$(cat valid_ssl_rsa.pem | grep -v "\-\-\-\-" | tr -d "\\n") echo -e I:${CERT}\\r >> list-valid-updated.txt done # Datum manuell angepasst und intevation root ca zu R: hinzugefuegt # NSS mkdir nss certutil -d nss -A -i valid_ssl_rsa.pem -n "test" -t c,C certutil -d nss -D -n "test" # Code signing mkdir codesign cd codesign # Root CA gen_key filename=codesigning_root.key cert_write issuer_name="CN=Public TrustBridge Test,O=Public secret do not trust this,C=DE" \ selfsign=1 issuer_key=codesigning_root.key \ not_before=20130101000000 not_after=20151231235959 \ is_ca=1 max_pathlen=0 output_file=codesigning_root.pem # Codesign cert gen_key rsa_keysize=3072 filename=codesigning.key cert_req filename=codesigning.key output_file=codesigning.csr \ subject_name="CN=Public TrustBridge codesigning test,O=Public secret do not trust this,C=DE" \ key_usage=digital_signature \ ns_cert_type=object_signing # Sign it: cert_write request_file=codesigning.csr issuer_crt=codesigning_root.pem \ issuer_key=codesigning_root.key output_file=codesigning.pem \ not_before=20130101000000 not_after=20151231235959 \ key_usage=digital_signature \ ns_cert_type=object_signing osslsigncode sign -certs codesigning.pem -key codesigning.key \ -n "TrustBridgeTest" -i https://wald.intevation.org/projects/trustbridge/ \ -h sha256 \ -in ~/ubuntu/src/m13-repo/build-windows/TrustBridge-0.6+21-aee3eb10bbba.exe \ -out TrustBridge-0.6+21-aee3eb10bbba-signed.exe # Different test certificates. gen_key rsa_keysize=3072 filename=codesigning-other.key cert_req filename=codesigning-other.key output_file=codesigning-other.csr \ subject_name="CN=Public TrustBridge codesigning test,O=Public secret do not trust this,C=DE" \ key_usage=digital_signature \ ns_cert_type=object_signing cert_write request_file=codesigning-other.csr issuer_crt=codesigning_root.pem \ issuer_key=codesigning_root.key output_file=codesigning-other.pem \ not_before=20130101000000 not_after=20151231235959 \ key_usage=digital_signature \ ns_cert_type=object_signing