add openssl.cnf

author: Schanzenbach, Martin <mschanzenbach@posteo.de> 2019-02-17 22:33:17 +0100
committer: Schanzenbach, Martin <mschanzenbach@posteo.de> 2019-02-17 22:33:17 +0100
commit: 003606cc941a4580d787c9970193bb22e307c413 (patch)
tree: fbf18951270628d70365c6ab83c723020cc491ed /src
parent: 09df88645767b8d20075cb3b6d1b2f400a75c605 (diff)
download: gnunet-003606cc941a4580d787c9970193bb22e307c413.tar.gz
gnunet-003606cc941a4580d787c9970193bb22e307c413.zip
3 files changed, 259 insertions, 2 deletions
diff --git a/src/gns/Makefile.am b/src/gns/Makefile.am
index 1abc57d57..13f6a6e52 100644
--- a/src/gns/Makefile.am
+++ b/src/gns/Makefile.am
@@ -79,6 +79,9 @@ bin_PROGRAMS = \
 noinst_PROGRAMS = \
  gnunet-gns-benchmark
+pkgdata_DATA = \
+        openssl.cnf
 if HAVE_MHD
 if LINUX
 bin_PROGRAMS += gnunet-bcd
@@ -91,6 +94,15 @@ plugin_LTLIBRARIES = \
  libgnunet_plugin_block_gns.la \
  libgnunet_plugin_gnsrecord_gns.la
+xPFX=$(pkgdatadir)/openssl.cnf
+do_subst = $(SED) -e 's,[@]PREFIX[@],${xPFX},g'
+gnunet-gns-proxy-setup-ca: gnunet-gns-proxy-setup-ca.in
+        $(do_subst) < $(top_srcdir)/src/gns/gnunet-gns-proxy-setup-ca.in > gnunet-gns-proxy-setup-ca
+        chmod +x gnunet-gns-proxy-setup-ca
 libgnunet_plugin_gnsrecord_gns_la_SOURCES = \
  plugin_gnsrecord_gns.c
diff --git a/src/gns/gnunet-gns-proxy-setup-ca b/src/gns/gnunet-gns-proxy-setup-ca.in
index 7c1d58dc2..d3753b074 100644
--- a/src/gns/gnunet-gns-proxy-setup-ca
+++ b/src/gns/gnunet-gns-proxy-setup-ca.in
@@ -4,7 +4,7 @@
 #
 # TODO: We should sed the real paths to the binaries involved here.
+OPENSSLCFG=@PREFIX@
 if ! which openssl > /dev/null
 then
    echo "'openssl' command not found. Please install it."
@@ -36,7 +36,7 @@ GNSCANO=`mktemp /tmp/gnscakeynoencXXXXXX.pem`
 GNS_CA_CERT_PEM=`gnunet-config -s gns-proxy -o PROXY_CACERT -f $options`
 mkdir -p `dirname $GNS_CA_CERT_PEM`
-openssl req -new -x509 -days 3650 -extensions v3_ca -keyout $GNSCAKY -out $GNSCERT -subj "/C=ZZ/L=World/O=GNU/OU=GNUnet/CN=GNS Proxy CA/emailAddress=bounce@gnunet.org" -passout pass:"GNU Name System"
+openssl req -config $OPENSSLCFG -new -x509 -days 3650 -extensions v3_ca -keyout $GNSCAKY -out $GNSCERT -subj "/C=ZZ/L=World/O=GNU/OU=GNUnet/CN=GNS Proxy CA/emailAddress=bounce@gnunet.org" -passout pass:"GNU Name System"
 echo "Removing passphrase from key"
 openssl rsa -passin pass:"GNU Name System" -in $GNSCAKY -out $GNSCANO
diff --git a/src/gns/openssl.cnf b/src/gns/openssl.cnf
new file mode 100644
index 000000000..503460f9f
--- /dev/null
+++ b/src/gns/openssl.cnf
@@ -0,0 +1,245 @@
+#
+# OpenSSL example configuration file.
+# This is mostly being used for generation of certificate requests.
+#
+# This definition stops the following lines choking if HOME isn't
+# defined.
+HOME                    = .
+RANDFILE                = $ENV::HOME/.rnd
+# Extra OBJECT IDENTIFIER info:
+#oid_file               = $ENV::HOME/.oid
+oid_section             = new_oids
+# To use this configuration file with the "-extfile" option of the
+# "openssl x509" utility, name here the section containing the
+# X.509v3 extensions to use:
+# extensions            = 
+# (Alternatively, use a configuration file that has only
+# X.509v3 extensions in its main [= default] section.)
+[ new_oids ]
+# We can add new OIDs in here for use by 'ca' and 'req'.
+# Add a simple OID like this:
+# testoid1=1.2.3.4
+# Or use config file substitution like this:
+# testoid2=${testoid1}.5.6
+####################################################################
+[ ca ]
+default_ca      = CA_default            # The default ca section
+####################################################################
+[ CA_default ]
+dir             = ./demoCA              # Where everything is kept
+certs           = $dir/certs            # Where the issued certs are kept
+crl_dir         = $dir/crl              # Where the issued crl are kept
+database        = $dir/index.txt        # database index file.
+new_certs_dir   = $dir/newcerts         # default place for new certs.
+certificate     = $dir/cacert.pem       # The CA certificate
+serial          = $dir/serial           # The current serial number
+crl             = $dir/crl.pem          # The current CRL
+private_key     = $dir/private/cakey.pem# The private key
+RANDFILE        = $dir/private/.rand    # private random number file
+x509_extensions = usr_cert              # The extentions to add to the cert
+# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
+# so this is commented out by default to leave a V1 CRL.
+# crl_extensions        = crl_ext
+default_days    = 365                   # how long to certify for
+default_crl_days= 30                    # how long before next CRL
+default_md      = md5                   # which md to use.
+preserve        = no                    # keep passed DN ordering
+# A few difference way of specifying how similar the request should look
+# For type CA, the listed attributes must be the same, and the optional
+# and supplied fields are just that :-)
+policy          = policy_match
+# For the CA policy
+[ policy_match ]
+countryName             = match
+stateOrProvinceName     = match
+organizationName        = match
+organizationalUnitName  = optional
+commonName              = supplied
+emailAddress            = optional
+# For the 'anything' policy
+# At this point in time, you must list all acceptable 'object'
+# types.
+[ policy_anything ]
+countryName             = optional
+stateOrProvinceName     = optional
+localityName            = optional
+organizationName        = optional
+organizationalUnitName  = optional
+commonName              = supplied
+emailAddress            = optional
+####################################################################
+[ req ]
+default_bits            = 1024
+default_keyfile         = privkey.pem
+distinguished_name      = req_distinguished_name
+attributes              = req_attributes
+x509_extensions = v3_ca # The extentions to add to the self signed cert
+# Passwords for private keys if not present they will be prompted for
+# input_password = secret
+# output_password = secret
+# This sets a mask for permitted string types. There are several options. 
+# default: PrintableString, T61String, BMPString.
+# pkix   : PrintableString, BMPString.
+# utf8only: only UTF8Strings.
+# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
+# MASK:XXXX a literal mask value.
+# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
+# so use this option with caution!
+string_mask = nombstr
+# req_extensions = v3_req # The extensions to add to a certificate request
+[ req_distinguished_name ]
+countryName                     = Country Name (2 letter code)
+countryName_default             = AU
+countryName_min                 = 2
+countryName_max                 = 2
+stateOrProvinceName             = State or Province Name (full name)
+stateOrProvinceName_default     = Some-State
+localityName                    = Locality Name (eg, city)
+0.organizationName              = Organization Name (eg, company)
+0.organizationName_default      = Internet Widgits Pty Ltd
+# we can do this but it is not needed normally :-)
+#1.organizationName             = Second Organization Name (eg, company)
+#1.organizationName_default     = World Wide Web Pty Ltd
+organizationalUnitName          = Organizational Unit Name (eg, section)
+#organizationalUnitName_default =
+commonName                      = Common Name (eg, YOUR name)
+commonName_max                  = 64
+emailAddress                    = Email Address
+emailAddress_max                = 40
+# SET-ex3                       = SET extension number 3
+[ req_attributes ]
+challengePassword               = A challenge password
+challengePassword_min           = 4
+challengePassword_max           = 20
+unstructuredName                = An optional company name
+[ usr_cert ]
+# These extensions are added when 'ca' signs a request.
+# This goes against PKIX guidelines but some CAs do it and some software
+# requires this to avoid interpreting an end user certificate as a CA.
+basicConstraints=CA:FALSE
+# Here are some examples of the usage of nsCertType. If it is omitted
+# the certificate can be used for anything *except* object signing.
+# This is OK for an SSL server.
+# nsCertType                    = server
+# For an object signing certificate this would be used.
+# nsCertType = objsign
+# For normal client use this is typical
+# nsCertType = client, email
+# and for everything including object signing:
+# nsCertType = client, email, objsign
+# This is typical in keyUsage for a client certificate.
+# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+# This will be displayed in Netscape's comment listbox.
+nsComment                       = "OpenSSL Generated Certificate"
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer:always
+# This stuff is for subjectAltName and issuerAltname.
+# Import the email address.
+# subjectAltName=email:copy
+# Copy subject details
+# issuerAltName=issuer:copy
+#nsCaRevocationUrl              = http://www.domain.dom/ca-crl.pem
+#nsBaseUrl
+#nsRevocationUrl
+#nsRenewalUrl
+#nsCaPolicyUrl
+#nsSslServerName
+[ v3_req ]
+# Extensions to add to a certificate request
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+[ v3_ca ]
+# Extensions for a typical CA
+# PKIX recommendation.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid:always,issuer:always
+# This is what PKIX recommends but some broken software chokes on critical
+# extensions.
+#basicConstraints = critical,CA:true
+# So we do this instead.
+basicConstraints = CA:true
+# Key usage: this is typical for a CA certificate. However since it will
+# prevent it being used as an test self-signed certificate it is best
+# left out by default.
+# keyUsage = cRLSign, keyCertSign
+# Some might want this also
+# nsCertType = sslCA, emailCA
+# Include email address in subject alt name: another PKIX recommendation
+# subjectAltName=email:copy
+# Copy issuer details
+# issuerAltName=issuer:copy
+# DER hex encoding of an extension: beware experts only!
+# obj=DER:02:03
+# Where 'obj' is a standard or added object
+# You can even override a supported extension:
+# basicConstraints= critical, DER:30:03:01:01:FF
+[ crl_ext ]
+# CRL extensions.
+# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
+# issuerAltName=issuer:copy
+authorityKeyIdentifier=keyid:always,issuer:always
author	Schanzenbach, Martin <mschanzenbach@posteo.de>	2019-02-17 22:33:17 +0100
committer	Schanzenbach, Martin <mschanzenbach@posteo.de>	2019-02-17 22:33:17 +0100
commit	003606cc941a4580d787c9970193bb22e307c413 (patch)
tree	fbf18951270628d70365c6ab83c723020cc491ed /src
parent	09df88645767b8d20075cb3b6d1b2f400a75c605 (diff)
download	gnunet-003606cc941a4580d787c9970193bb22e307c413.tar.gz gnunet-003606cc941a4580d787c9970193bb22e307c413.zip

diff --git a/src/gns/Makefile.am b/src/gns/Makefile.am index 1abc57d57..13f6a6e52 100644 --- a/src/gns/Makefile.am +++ b/src/gns/Makefile.am
@@ -79,6 +79,9 @@ bin_PROGRAMS = \
79	noinst_PROGRAMS = \	79	noinst_PROGRAMS = \
80	gnunet-gns-benchmark	80	gnunet-gns-benchmark
81		81
		82	pkgdata_DATA = \
		83	openssl.cnf
		84
82	if HAVE_MHD	85	if HAVE_MHD
83	if LINUX	86	if LINUX
84	bin_PROGRAMS += gnunet-bcd	87	bin_PROGRAMS += gnunet-bcd
@@ -91,6 +94,15 @@ plugin_LTLIBRARIES = \
91	libgnunet_plugin_block_gns.la \	94	libgnunet_plugin_block_gns.la \
92	libgnunet_plugin_gnsrecord_gns.la	95	libgnunet_plugin_gnsrecord_gns.la
93		96
		97	xPFX=$(pkgdatadir)/openssl.cnf
		98
		99	do_subst = $(SED) -e 's,[@]PREFIX[@],${xPFX},g'
		100
		101	gnunet-gns-proxy-setup-ca: gnunet-gns-proxy-setup-ca.in
		102	$(do_subst) < $(top_srcdir)/src/gns/gnunet-gns-proxy-setup-ca.in > gnunet-gns-proxy-setup-ca
		103	chmod +x gnunet-gns-proxy-setup-ca
		104
		105
94		106
95	libgnunet_plugin_gnsrecord_gns_la_SOURCES = \	107	libgnunet_plugin_gnsrecord_gns_la_SOURCES = \
96	plugin_gnsrecord_gns.c	108	plugin_gnsrecord_gns.c


diff --git a/src/gns/gnunet-gns-proxy-setup-ca b/src/gns/gnunet-gns-proxy-setup-ca.in index 7c1d58dc2..d3753b074 100644 --- a/src/gns/gnunet-gns-proxy-setup-ca +++ b/src/gns/gnunet-gns-proxy-setup-ca.in
@@ -4,7 +4,7 @@
4	#	4	#
5		5
6	# TODO: We should sed the real paths to the binaries involved here.	6	# TODO: We should sed the real paths to the binaries involved here.
7		7	OPENSSLCFG=@PREFIX@
8	if ! which openssl > /dev/null	8	if ! which openssl > /dev/null
9	then	9	then
10	echo "'openssl' command not found. Please install it."	10	echo "'openssl' command not found. Please install it."
@@ -36,7 +36,7 @@ GNSCANO=`mktemp /tmp/gnscakeynoencXXXXXX.pem`
36	GNS_CA_CERT_PEM=`gnunet-config -s gns-proxy -o PROXY_CACERT -f $options`	36	GNS_CA_CERT_PEM=`gnunet-config -s gns-proxy -o PROXY_CACERT -f $options`
37	mkdir -p `dirname $GNS_CA_CERT_PEM`	37	mkdir -p `dirname $GNS_CA_CERT_PEM`
38		38
39	openssl req -new -x509 -days 3650 -extensions v3_ca -keyout $GNSCAKY -out $GNSCERT -subj "/C=ZZ/L=World/O=GNU/OU=GNUnet/CN=GNS Proxy CA/emailAddress=bounce@gnunet.org" -passout pass:"GNU Name System"	39	openssl req -config $OPENSSLCFG -new -x509 -days 3650 -extensions v3_ca -keyout $GNSCAKY -out $GNSCERT -subj "/C=ZZ/L=World/O=GNU/OU=GNUnet/CN=GNS Proxy CA/emailAddress=bounce@gnunet.org" -passout pass:"GNU Name System"
40		40
41	echo "Removing passphrase from key"	41	echo "Removing passphrase from key"
42	openssl rsa -passin pass:"GNU Name System" -in $GNSCAKY -out $GNSCANO	42	openssl rsa -passin pass:"GNU Name System" -in $GNSCAKY -out $GNSCANO


diff --git a/src/gns/openssl.cnf b/src/gns/openssl.cnf new file mode 100644 index 000000000..503460f9f --- /dev/null +++ b/src/gns/openssl.cnf
@@ -0,0 +1,245 @@
		1	#
		2	# OpenSSL example configuration file.
		3	# This is mostly being used for generation of certificate requests.
		4	#
		5
		6	# This definition stops the following lines choking if HOME isn't
		7	# defined.
		8	HOME = .
		9	RANDFILE = $ENV::HOME/.rnd
		10
		11	# Extra OBJECT IDENTIFIER info:
		12	#oid_file = $ENV::HOME/.oid
		13	oid_section = new_oids
		14
		15	# To use this configuration file with the "-extfile" option of the
		16	# "openssl x509" utility, name here the section containing the
		17	# X.509v3 extensions to use:
		18	# extensions =
		19	# (Alternatively, use a configuration file that has only
		20	# X.509v3 extensions in its main [= default] section.)
		21
		22	[ new_oids ]
		23
		24	# We can add new OIDs in here for use by 'ca' and 'req'.
		25	# Add a simple OID like this:
		26	# testoid1=1.2.3.4
		27	# Or use config file substitution like this:
		28	# testoid2=${testoid1}.5.6
		29
		30	####################################################################
		31	[ ca ]
		32	default_ca = CA_default # The default ca section
		33
		34	####################################################################
		35	[ CA_default ]
		36
		37	dir = ./demoCA # Where everything is kept
		38	certs = $dir/certs # Where the issued certs are kept
		39	crl_dir = $dir/crl # Where the issued crl are kept
		40	database = $dir/index.txt # database index file.
		41	new_certs_dir = $dir/newcerts # default place for new certs.
		42
		43	certificate = $dir/cacert.pem # The CA certificate
		44	serial = $dir/serial # The current serial number
		45	crl = $dir/crl.pem # The current CRL
		46	private_key = $dir/private/cakey.pem# The private key
		47	RANDFILE = $dir/private/.rand # private random number file
		48
		49	x509_extensions = usr_cert # The extentions to add to the cert
		50
		51	# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
		52	# so this is commented out by default to leave a V1 CRL.
		53	# crl_extensions = crl_ext
		54
		55	default_days = 365 # how long to certify for
		56	default_crl_days= 30 # how long before next CRL
		57	default_md = md5 # which md to use.
		58	preserve = no # keep passed DN ordering
		59
		60	# A few difference way of specifying how similar the request should look
		61	# For type CA, the listed attributes must be the same, and the optional
		62	# and supplied fields are just that :-)
		63	policy = policy_match
		64
		65	# For the CA policy
		66	[ policy_match ]
		67	countryName = match
		68	stateOrProvinceName = match
		69	organizationName = match
		70	organizationalUnitName = optional
		71	commonName = supplied
		72	emailAddress = optional
		73
		74	# For the 'anything' policy
		75	# At this point in time, you must list all acceptable 'object'
		76	# types.
		77	[ policy_anything ]
		78	countryName = optional
		79	stateOrProvinceName = optional
		80	localityName = optional
		81	organizationName = optional
		82	organizationalUnitName = optional
		83	commonName = supplied
		84	emailAddress = optional
		85
		86	####################################################################
		87	[ req ]
		88	default_bits = 1024
		89	default_keyfile = privkey.pem
		90	distinguished_name = req_distinguished_name
		91	attributes = req_attributes
		92	x509_extensions = v3_ca # The extentions to add to the self signed cert
		93
		94	# Passwords for private keys if not present they will be prompted for
		95	# input_password = secret
		96	# output_password = secret
		97
		98	# This sets a mask for permitted string types. There are several options.
		99	# default: PrintableString, T61String, BMPString.
		100	# pkix : PrintableString, BMPString.
		101	# utf8only: only UTF8Strings.
		102	# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
		103	# MASK:XXXX a literal mask value.
		104	# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
		105	# so use this option with caution!
		106	string_mask = nombstr
		107
		108	# req_extensions = v3_req # The extensions to add to a certificate request
		109
		110	[ req_distinguished_name ]
		111	countryName = Country Name (2 letter code)
		112	countryName_default = AU
		113	countryName_min = 2
		114	countryName_max = 2
		115
		116	stateOrProvinceName = State or Province Name (full name)
		117	stateOrProvinceName_default = Some-State
		118
		119	localityName = Locality Name (eg, city)
		120
		121	0.organizationName = Organization Name (eg, company)
		122	0.organizationName_default = Internet Widgits Pty Ltd
		123
		124	# we can do this but it is not needed normally :-)
		125	#1.organizationName = Second Organization Name (eg, company)
		126	#1.organizationName_default = World Wide Web Pty Ltd
		127
		128	organizationalUnitName = Organizational Unit Name (eg, section)
		129	#organizationalUnitName_default =
		130
		131	commonName = Common Name (eg, YOUR name)
		132	commonName_max = 64
		133
		134	emailAddress = Email Address
		135	emailAddress_max = 40
		136
		137	# SET-ex3 = SET extension number 3
		138
		139	[ req_attributes ]
		140	challengePassword = A challenge password
		141	challengePassword_min = 4
		142	challengePassword_max = 20
		143
		144	unstructuredName = An optional company name
		145
		146	[ usr_cert ]
		147
		148	# These extensions are added when 'ca' signs a request.
		149
		150	# This goes against PKIX guidelines but some CAs do it and some software
		151	# requires this to avoid interpreting an end user certificate as a CA.
		152
		153	basicConstraints=CA:FALSE
		154
		155	# Here are some examples of the usage of nsCertType. If it is omitted
		156	# the certificate can be used for anything except object signing.
		157
		158	# This is OK for an SSL server.
		159	# nsCertType = server
		160
		161	# For an object signing certificate this would be used.
		162	# nsCertType = objsign
		163
		164	# For normal client use this is typical
		165	# nsCertType = client, email
		166
		167	# and for everything including object signing:
		168	# nsCertType = client, email, objsign
		169
		170	# This is typical in keyUsage for a client certificate.
		171	# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
		172
		173	# This will be displayed in Netscape's comment listbox.
		174	nsComment = "OpenSSL Generated Certificate"
		175
		176	# PKIX recommendations harmless if included in all certificates.
		177	subjectKeyIdentifier=hash
		178	authorityKeyIdentifier=keyid,issuer:always
		179
		180	# This stuff is for subjectAltName and issuerAltname.
		181	# Import the email address.
		182	# subjectAltName=email:copy
		183
		184	# Copy subject details
		185	# issuerAltName=issuer:copy
		186
		187	#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
		188	#nsBaseUrl
		189	#nsRevocationUrl
		190	#nsRenewalUrl
		191	#nsCaPolicyUrl
		192	#nsSslServerName
		193
		194	[ v3_req ]
		195
		196	# Extensions to add to a certificate request
		197
		198	basicConstraints = CA:FALSE
		199	keyUsage = nonRepudiation, digitalSignature, keyEncipherment
		200
		201	[ v3_ca ]
		202
		203
		204	# Extensions for a typical CA
		205
		206
		207	# PKIX recommendation.
		208
		209	subjectKeyIdentifier=hash
		210
		211	authorityKeyIdentifier=keyid:always,issuer:always
		212
		213	# This is what PKIX recommends but some broken software chokes on critical
		214	# extensions.
		215	#basicConstraints = critical,CA:true
		216	# So we do this instead.
		217	basicConstraints = CA:true
		218
		219	# Key usage: this is typical for a CA certificate. However since it will
		220	# prevent it being used as an test self-signed certificate it is best
		221	# left out by default.
		222	# keyUsage = cRLSign, keyCertSign
		223
		224	# Some might want this also
		225	# nsCertType = sslCA, emailCA
		226
		227	# Include email address in subject alt name: another PKIX recommendation
		228	# subjectAltName=email:copy
		229	# Copy issuer details
		230	# issuerAltName=issuer:copy
		231
		232	# DER hex encoding of an extension: beware experts only!
		233	# obj=DER:02:03
		234	# Where 'obj' is a standard or added object
		235	# You can even override a supported extension:
		236	# basicConstraints= critical, DER:30:03:01:01:FF
		237
		238	[ crl_ext ]
		239
		240	# CRL extensions.
		241	# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
		242
		243	# issuerAltName=issuer:copy
		244	authorityKeyIdentifier=keyid:always,issuer:always
		245