aheinecke@8: Test keys were created with:
aheinecke@8:     openssl genrsa -out testkey-priv.pem 3072
aheinecke@8:     openssl rsa -in testkey-priv.pem -out testkey-pub.pem -outform PEM -pubout
aheinecke@8: 
aheinecke@8: 
aheinecke@8: The certificate list was created manually and contains:
aheinecke@8:     PCA-1-Verwaltung-08
aheinecke@8:     Intevation-Email-CA-2013
aheinecke@8:     Intevation-Server-CA-2010
aheinecke@8: 
aheinecke@42: Test files were created with:
aheinecke@8: 
aheinecke@30:     echo -e S:$(openssl dgst -sha256 -sign testkey-priv.pem < list-valid.txt | base64 -w0)\\r > list-valid-signed.txt
aheinecke@8:     cat list-valid.txt >> list-valid-signed.txt
aheinecke@436:     echo -e S:$(openssl dgst -sha256 -sign testkey-priv.pem < list-valid-updated.txt | base64 -w0)\\r > list-valid-updated-signed.txt
aheinecke@436:     cat list-valid-updated.txt >> list-valid-updated-signed.txt
aheinecke@42:     echo -e S:$(openssl dgst -sha256 -sign testkey-other.pem < list-valid.txt | base64 -w0)\\r > list-valid-other-signature.txt
aheinecke@42:     cat list-valid.txt >> list-valid-other-signature.txt
aheinecke@42:     echo -e S:$(openssl dgst -sha1 -sign testkey-other.pem < list-valid.txt | base64 -w0)\\r > list-valid-sha1-signature.txt
aheinecke@42:     cat list-valid.txt >> list-valid-sha1-signature.txt
aheinecke@8:     cp list-valid-signed.txt list-invalid-signed.txt
aheinecke@8:     tail -1 list-valid.txt >> list-invalid-signed.txt
aheinecke@8: 
andre@359:     # To create test data signed with a key for something you might want to release (PRIVKEY is the path to that signing key):
andre@359: 
andre@359:     PRIVKEY=...
andre@359:     echo -e S:$(openssl dgst -sha256 -sign $PRIVKEY < list-valid.txt | base64 -w0)\\r > list-valid-signed-release.txt
andre@359:     cat list-valid.txt >> list-valid-signed-release.txt
andre@359: 
aheinecke@42: # The list containing a 0 byte was created manually by placing a \0 in the signature
aheinecke@42: 
aheinecke@43: # Test server certificates (the private key is appended to each .pem, so one file holds both certificate and key):
aheinecke@43: 
aheinecke@43:     gen_key type=ec ec_curve=brainpoolP256r1 filename=valid_ssl_bp.key
aheinecke@43:     cert_write issuer_name=CN=127.0.0.1,O=Intevation\\ Test,C=DE \
aheinecke@43:     selfsign=1 issuer_key=valid_ssl_bp.key \
aheinecke@43:     not_before=20130101000000 not_after=20301231235959 \
aheinecke@43:     is_ca=1 max_pathlen=0 output_file=valid_ssl_bp.pem
aheinecke@43:     cat valid_ssl_bp.key >> valid_ssl_bp.pem
aheinecke@43: 
aheinecke@43:     gen_key filename=valid_ssl_rsa.key
aheinecke@43:     cert_write issuer_name=CN=127.0.0.1,O=Do_Not_Trust_Test,C=DE \
aheinecke@43:     selfsign=1 issuer_key=valid_ssl_rsa.key \
aheinecke@43:     not_before=20130101000000 not_after=20151231235959 \
aheinecke@43:     is_ca=1 max_pathlen=0 output_file=valid_ssl_rsa.pem
aheinecke@49:     cat valid_ssl_rsa.key >> valid_ssl_rsa.pem
aheinecke@43: 
aheinecke@234: # Test list certificates (using the rsa key). Note: each iteration regenerates valid_ssl_rsa.key and valid_ssl_rsa.pem, overwriting the server certificate created above.
aheinecke@234: 
aheinecke@234: for i in {1..30}
aheinecke@234: do
aheinecke@234:     gen_key filename=valid_ssl_rsa.key
aheinecke@234:     cert_write issuer_name=CN=TestRootCA$i,O=Do_Not_Trust_Test,C=DE \
aheinecke@234:     selfsign=1 issuer_key=valid_ssl_rsa.key \
aheinecke@234:     not_before=20130101000000 not_after=20151231235959 \
aheinecke@234:     is_ca=1 max_pathlen=0 output_file=valid_ssl_rsa.pem
aheinecke@234:     CERT=$(cat valid_ssl_rsa.pem | grep -v "\-\-\-\-" | tr -d "\\n")
aheinecke@234:     echo -e I:${CERT}\\r >> list-valid.txt
aheinecke@234: done
aheinecke@234: 
aheinecke@234: for i in {1..15}
aheinecke@234: do
aheinecke@234:     gen_key filename=valid_ssl_rsa.key
aheinecke@234:     cert_write issuer_name=CN=TestRootCADelete$i,O=Do_Not_Trust_Test,C=DE \
aheinecke@234:     selfsign=1 issuer_key=valid_ssl_rsa.key \
aheinecke@234:     not_before=20130101000000 not_after=20151231235959 \
aheinecke@234:     is_ca=1 max_pathlen=0 output_file=valid_ssl_rsa.pem
aheinecke@234:     CERT=$(cat valid_ssl_rsa.pem | grep -v "\-\-\-\-" | tr -d "\\n")
aheinecke@234:     echo -e R:${CERT}\\r >> list-valid.txt
aheinecke@234: done
andre@300: 
aheinecke@435: cp list-valid.txt list-valid-updated.txt
aheinecke@435: for i in {1..5}
aheinecke@435: do
aheinecke@435:     gen_key filename=valid_ssl_rsa.key
aheinecke@435:     cert_write issuer_name=CN=New_Certificate_$i,O=Do_Not_Trust_Test,C=DE \
aheinecke@435:     selfsign=1 issuer_key=valid_ssl_rsa.key \
aheinecke@435:     not_before=20130101000000 not_after=20151231235959 \
aheinecke@435:     is_ca=1 max_pathlen=0 output_file=valid_ssl_rsa.pem
aheinecke@435:     CERT=$(cat valid_ssl_rsa.pem | grep -v "\-\-\-\-" | tr -d "\\n")
aheinecke@435:     echo -e I:${CERT}\\r >> list-valid-updated.txt
aheinecke@435: done
aheinecke@435: # Date adjusted manually and the Intevation root CA added as an R: entry
aheinecke@435: 
aheinecke@435: 
andre@300: # NSS
andre@300: mkdir nss
andre@300: certutil -d nss -A -i valid_ssl_rsa.pem -n "test" -t c,C
andre@300: certutil -d nss -D -n "test"
aheinecke@569: 
aheinecke@569: # Code signing
aheinecke@569: mkdir codesign
aheinecke@569: cd codesign
aheinecke@569: # Root CA
aheinecke@569: gen_key filename=codesigning_root.key
aheinecke@569: cert_write issuer_name="CN=Public TrustBridge Test,O=Public secret do not trust this,C=DE" \
aheinecke@569: selfsign=1 issuer_key=codesigning_root.key \
aheinecke@569: not_before=20130101000000 not_after=20151231235959 \
aheinecke@569: is_ca=1 max_pathlen=0 output_file=codesigning_root.pem
aheinecke@569: 
aheinecke@569: # Code signing certificate
andre@758: gen_key rsa_keysize=3072 filename=codesigning.key
aheinecke@569: cert_req filename=codesigning.key output_file=codesigning.csr \
aheinecke@569: subject_name="CN=Public TrustBridge codesigning test,O=Public secret do not trust this,C=DE" \
aheinecke@569: key_usage=digital_signature \
aheinecke@569: ns_cert_type=object_signing
aheinecke@569: 
aheinecke@569: # Sign it:
aheinecke@569: cert_write request_file=codesigning.csr issuer_crt=codesigning_root.pem \
aheinecke@569: issuer_key=codesigning_root.key output_file=codesigning.pem \
aheinecke@569: not_before=20130101000000 not_after=20151231235959 \
aheinecke@569: key_usage=digital_signature \
aheinecke@569: ns_cert_type=object_signing
aheinecke@569: 
aheinecke@569: osslsigncode sign -certs codesigning.pem -key codesigning.key \
aheinecke@569:       -n "TrustBridgeTest" -i https://wald.intevation.org/projects/trustbridge/ \
aheinecke@571:       -h sha256 \
aheinecke@569:       -in ~/ubuntu/src/m13-repo/build-windows/TrustBridge-0.6+21-aee3eb10bbba.exe \
aheinecke@569:       -out TrustBridge-0.6+21-aee3eb10bbba-signed.exe
andre@637: 
andre@637: # A different test certificate (same subject, separate key).
andre@758: gen_key rsa_keysize=3072 filename=codesigning-other.key
andre@637: cert_req filename=codesigning-other.key output_file=codesigning-other.csr \
andre@637: subject_name="CN=Public TrustBridge codesigning test,O=Public secret do not trust this,C=DE" \
andre@637: key_usage=digital_signature \
andre@637: ns_cert_type=object_signing
andre@637: 
andre@637: cert_write request_file=codesigning-other.csr issuer_crt=codesigning_root.pem \
andre@637: issuer_key=codesigning_root.key output_file=codesigning-other.pem \
andre@637: not_before=20130101000000 not_after=20151231235959 \
andre@637: key_usage=digital_signature \
andre@637: ns_cert_type=object_signing