Test keys were created with:
openssl genrsa -out testkey-priv.pem 3072
openssl rsa -in testkey-priv.pem -out testkey-pub.pem -outform PEM -pubout


The certificate list was created manually and contains:
PCA-1-Verwaltung-08
Intevation-Email-CA-2013
Intevation-Server-CA-2010

Test files were created with:

echo -e S:$(openssl dgst -sha256 -sign testkey-priv.pem < list-valid.txt | base64 -w0)\\r > list-valid-signed.txt
cat list-valid.txt >> list-valid-signed.txt
echo -e S:$(openssl dgst -sha256 -sign testkey-priv.pem < list-valid-updated.txt | base64 -w0)\\r > list-valid-updated-signed.txt
cat list-valid-updated.txt >> list-valid-updated-signed.txt
echo -e S:$(openssl dgst -sha256 -sign testkey-other.pem < list-valid.txt | base64 -w0)\\r > list-valid-other-signature.txt
cat list-valid.txt >> list-valid-other-signature.txt
echo -e S:$(openssl dgst -sha1 -sign testkey-other.pem < list-valid.txt | base64 -w0)\\r > list-valid-sha1-signature.txt
cat list-valid.txt >> list-valid-sha1-signature.txt
cp list-valid-signed.txt list-invalid-signed.txt
tail -1 list-valid.txt >> list-invalid-signed.txt

# To create test data for something you might want to release

PRIVKEY=...
echo -e S:$(openssl dgst -sha256 -sign $PRIVKEY < list-valid.txt | base64 -w0)\\r > list-valid-signed-release.txt
cat list-valid.txt >> list-valid-signed-release.txt

# List with 0 created manually by placing a \0 in the signature

# Test server certificate:

gen_key type=ec ec_curve=brainpoolP256r1 filename=valid_ssl_bp.key
cert_write issuer_name=CN=127.0.0.1,O=Intevation\\ Test,C=DE \
selfsign=1 issuer_key=valid_ssl_bp.key \
not_before=20130101000000 not_after=20301231235959 \
is_ca=1 max_pathlen=0 output_file=valid_ssl_bp.pem
cat valid_ssl_bp.key >> valid_ssl_bp.pem

gen_key filename=valid_ssl_rsa.key
cert_write issuer_name=CN=127.0.0.1,O=Do_Not_Trust_Test,C=DE \
selfsign=1 issuer_key=valid_ssl_rsa.key \
not_before=20130101000000 not_after=20151231235959 \
is_ca=1 max_pathlen=0 output_file=valid_ssl_rsa.pem
cat valid_ssl_rsa.key >> valid_ssl_rsa.pem

# Test list certificates (reusing the RSA file names from above: each iteration
# overwrites valid_ssl_rsa.key and valid_ssl_rsa.pem)

for i in {1..30}
do
gen_key filename=valid_ssl_rsa.key
cert_write issuer_name=CN=TestRootCA$i,O=Do_Not_Trust_Test,C=DE \
selfsign=1 issuer_key=valid_ssl_rsa.key \
not_before=20130101000000 not_after=20151231235959 \
is_ca=1 max_pathlen=0 output_file=valid_ssl_rsa.pem
CERT=$(cat valid_ssl_rsa.pem | grep -v "\-\-\-\-" | tr -d "\\n")
echo -e I:${CERT}\\r >> list-valid.txt
done

for i in {1..15}
do
gen_key filename=valid_ssl_rsa.key
cert_write issuer_name=CN=TestRootCADelete$i,O=Do_Not_Trust_Test,C=DE \
selfsign=1 issuer_key=valid_ssl_rsa.key \
not_before=20130101000000 not_after=20151231235959 \
is_ca=1 max_pathlen=0 output_file=valid_ssl_rsa.pem
CERT=$(cat valid_ssl_rsa.pem | grep -v "\-\-\-\-" | tr -d "\\n")
echo -e R:${CERT}\\r >> list-valid.txt
done

cp list-valid.txt list-valid-updated.txt
for i in {1..5}
do
gen_key filename=valid_ssl_rsa.key
cert_write issuer_name=CN=New_Certificate_$i,O=Do_Not_Trust_Test,C=DE \
selfsign=1 issuer_key=valid_ssl_rsa.key \
not_before=20130101000000 not_after=20151231235959 \
is_ca=1 max_pathlen=0 output_file=valid_ssl_rsa.pem
CERT=$(cat valid_ssl_rsa.pem | grep -v "\-\-\-\-" | tr -d "\\n")
echo -e I:${CERT}\\r >> list-valid-updated.txt
done
# Date adjusted manually and the Intevation root CA added as an R: entry


# NSS
mkdir nss
certutil -d nss -A -i valid_ssl_rsa.pem -n "test" -t c,C
certutil -d nss -D -n "test"

# Code signing
mkdir codesign
cd codesign
# Root CA
gen_key filename=codesigning_root.key
cert_write issuer_name="CN=Public TrustBridge Test,O=Public secret do not trust this,C=DE" \
selfsign=1 issuer_key=codesigning_root.key \
not_before=20130101000000 not_after=20151231235959 \
is_ca=1 max_pathlen=0 output_file=codesigning_root.pem

# Codesign cert
gen_key rsa_keysize=3072 filename=codesigning.key
cert_req filename=codesigning.key output_file=codesigning.csr \
subject_name="CN=Public TrustBridge codesigning test,O=Public secret do not trust this,C=DE" \
key_usage=digital_signature \
ns_cert_type=object_signing

# Sign it:
cert_write request_file=codesigning.csr issuer_crt=codesigning_root.pem \
issuer_key=codesigning_root.key output_file=codesigning.pem \
not_before=20130101000000 not_after=20151231235959 \
key_usage=digital_signature \
ns_cert_type=object_signing

osslsigncode sign -certs codesigning.pem -key codesigning.key \
-n "TrustBridgeTest" -i https://wald.intevation.org/projects/trustbridge/ \
-h sha256 \
-in ~/ubuntu/src/m13-repo/build-windows/TrustBridge-0.6+21-aee3eb10bbba.exe \
-out TrustBridge-0.6+21-aee3eb10bbba-signed.exe

# Different test certificates.
gen_key rsa_keysize=3072 filename=codesigning-other.key
cert_req filename=codesigning-other.key output_file=codesigning-other.csr \
subject_name="CN=Public TrustBridge codesigning test,O=Public secret do not trust this,C=DE" \
key_usage=digital_signature \
ns_cert_type=object_signing

cert_write request_file=codesigning-other.csr issuer_crt=codesigning_root.pem \
issuer_key=codesigning_root.key output_file=codesigning-other.pem \
not_before=20130101000000 not_after=20151231235959 \
key_usage=digital_signature \
ns_cert_type=object_signing

# Test server with hiawatha
apt-get install build-essential cmake libxslt-dev libxml2-dev libz-dev

wget https://www.hiawatha-webserver.org/files/hiawatha-9.7.tar.gz
sha256sum hiawatha-9.7.tar.gz

# Expected output (compare before unpacking):
e8581336883b7b963f38572f6396f8c47b43e5bedd3147d052fa3652e6c0ed86 hiawatha-9.7.tar.gz

mkdir hiawatha-prefix
tar -xf hiawatha-9.7.tar.gz
cd hiawatha-9.7
mkdir build
cd build
cmake .. -DCMAKE_INSTALL_PREFIX=/home/intevation/hiawatha-prefix
make && make install

# Root CA
gen_key filename=ssl_root.key
cert_write issuer_name="CN=TrustBridge SSL Test CA,O=Public secret do not trust this,C=DE" \
selfsign=1 issuer_key=ssl_root.key \
not_before=20130101000000 not_after=20151231235959 \
is_ca=1 max_pathlen=0 output_file=ssl_root.pem

# SSL cert
gen_key type=ec ec_curve=brainpoolP256r1 filename=ssl-test.key
cert_req filename=ssl-test.key output_file=ssl-test.csr \
subject_name="CN=tb-devel.intevation.de,O=Public secret do not trust this,C=DE" \
ns_cert_type=ssl_server

# Sign it
cert_write request_file=ssl-test.csr issuer_crt=ssl_root.pem \
issuer_key=ssl_root.key output_file=ssl-test.pem \
not_before=20130101000000 not_after=20151231235959 \
ns_cert_type=ssl_server

cat ssl-test.pem ssl-test.key > ssl-test-combined.pem

# Copy the certificate to /home/intevation on the test server
# Edit /home/intevation/hiawatha-prefix/etc/hiawatha

# Binding settings:
Port = 44413
SSLcertFile = /home/intevation/ssl-test-combined.pem

# Default website settings
Hostname = thetis.intevation.de:44413
WebsiteRoot = /home/intevation/m13-files
StartFile = index.html

# Copy the TrustBridge download folder to /home/intevation/m13-files.

screen -R server
/home/intevation/hiawatha-prefix/sbin/hiawatha -d