Initial commit
Change-Id: I6a4444e3c193dae437cd7929f4c39aba7b749efa
diff --git a/contrib/PKI/ca_script2/Makefile b/contrib/PKI/ca_script2/Makefile
new file mode 100644
index 0000000..845176e
--- /dev/null
+++ b/contrib/PKI/ca_script2/Makefile
@@ -0,0 +1,178 @@
+#!/usr/bin/make -s
+#
+# This file is inspired from freeDiameter's contrib/ca_script and
+# improved to handle multiple CA in a hierarchical fashion.
+# Warning: the directory structure is flat, does not reflect the CA hierarchy
+
+SCRIPT_DIR = .
+DATA_DIR = ./ca_data
+
+CONFIG = -config $(SCRIPT_DIR)/openssl.cnf
+REMAKE = $(MAKE) -f $(SCRIPT_DIR)/Makefile
+
+#Disable "make destroy" -- overwrite on command line
+force =
+
+#RSA key sizes, can be overwritten on command line
+cakeysize = 2048
+keysize = 1024
+
+# Save current date
+DATE=`date +%Y%m%d-%H%M%S`
+
+# Default: print the help
+all: help
+
+# Help message
+help:
+ @echo "\n\
+Available commands:\n\
+ make init topca=name\n\
+ Creates the initial top-level CA structure\n\
+ make newca name=newcaname ca=parentca\n\
+ Creates a new sub-CA that can be used for certificates later.\n\
+ make newcert name=foo ca=parentca\n\
+ Create private key and csr, then issue the certificate (named foo.*)\n\
+ make p12 name=foo ca=parentca\n\
+ Same as newcert, but additionnaly creates a pkcs12 file to ship client certificate to Windows or Mac\n\
+ make ship name=foo ca=parentca\n\
+ Create an archive with the data for the client (useful for freeDiameter peers)\n\
+ make revoke name=foo ca=parentca\n\
+ Revokes the certificate foo.cert issued by parentca and regenerates the CRL.\n\
+ make gencrl ca=caname\n\
+ Regenerates the CRL of CA caname. Should be run periodically.\n\
+\n\
+";
+
+# Destroy the CA hierarchy completely. Use with care.
+destroy:
+ @if [ -z "$(force)" ]; then echo "Destroy disabled, use: make destroy force=y"; exit 1; fi
+ @if [ ! -d $(SCRIPT_DIR) ]; then echo "Error in setup"; exit 1; fi
+ @echo "Removing everything (for debug purpose)..."
+ @rm -rf $(DATA_DIR)/*
+
+# Initialize the CA structure
+structure:
+ @if [ -z "$(caname)" ]; then echo "Internal error: caname is missing"; exit 1; fi
+ @if [ -d $(DATA_DIR)/$(caname) ]; then echo "CA $(caname) already exists."; exit 1; fi
+ # Creating CA structure
+ @mkdir -p $(DATA_DIR)/$(caname)
+ @mkdir $(DATA_DIR)/$(caname)/public
+ @mkdir $(DATA_DIR)/$(caname)/public/crl
+ @mkdir $(DATA_DIR)/$(caname)/private
+ @chmod 700 $(DATA_DIR)/$(caname)/private
+ @mkdir $(DATA_DIR)/$(caname)/clients
+ @echo "01" > $(DATA_DIR)/$(caname)/serial
+ @echo "01" > $(DATA_DIR)/$(caname)/crlnumber
+ @touch $(DATA_DIR)/$(caname)/index.txt
+
+# Initialize the top-level CA structure and keys.
+init:
+ @if [ -z "$(topca)" ]; then echo "Please specify the name of the root CA. Ex: make init topca=rootca.testbed.aaa"; exit 1; fi
+ # Create the folder hierarchy
+ @$(REMAKE) structure caname=$(topca)
+ # Generate the self-signed certificate
+ @CA_ROOT_DIR=$(DATA_DIR)/$(topca) openssl req $(CONFIG) -new -batch -x509 -days 3650 -nodes -newkey rsa:$(cakeysize) -out $(DATA_DIR)/$(topca)/public/cacert.pem \
+ -keyout $(DATA_DIR)/$(topca)/private/cakey.pem -extensions ca_cert -subj /CN=$(topca)
+ @ln -s cacert.pem $(DATA_DIR)/$(topca)/public/`openssl x509 -noout -hash < $(DATA_DIR)/$(topca)/public/cacert.pem`.0
+ @touch $(DATA_DIR)/$(topca)/public/cachain.pem
+ @ln -s ../../$(topca)/public/cacert.pem $(DATA_DIR)/$(topca)/public/caroot.pem
+ @$(REMAKE) gencrl ca=$(topca)
+
+# Create a secondary CA
+newca:
+ @if [ -z "$(name)" -o -z "$(ca)" ]; then echo "Missing parameter. Ex: make newca name=subca.testbed.aaa ca=rootca.testbed.aaa"; exit 1; fi
+ @if [ ! -e $(DATA_DIR)/$(ca)/private/cakey.pem ]; then echo "The parent CA $(ca) does not exist."; exit 1; fi
+ @if [ ! -d $(DATA_DIR)/$(name) ]; then $(REMAKE) structure caname=$(name); fi
+ # Generate the private key and CSR for the new CA if needed
+ @if [ ! -e $(DATA_DIR)/$(name)/private/cakey.pem ]; then \
+ openssl genrsa -out $(DATA_DIR)/$(name)/private/cakey.pem $(cakeysize) ; fi
+ @if [ ! -e $(DATA_DIR)/$(name)/private/cacsr.pem ]; then \
+ CA_ROOT_DIR=$(DATA_DIR)/$(name) openssl req $(CONFIG) -new -batch -out $(DATA_DIR)/$(name)/private/cacsr.pem \
+ -key $(DATA_DIR)/$(name)/private/cakey.pem \
+ -subj /CN=$(name) -reqexts v3_req_ca; fi
+ # Revoke a previous certificate for this CA if any
+ @if [ -e $(DATA_DIR)/$(name)/public/cacert.pem ]; then \
+ echo "Revoking previous certificate ..."; \
+ $(REMAKE) revoke name=$(name) ca=$(ca); \
+ mv $(DATA_DIR)/$(name)/public/cacert.pem $(DATA_DIR)/$(name)/public/cacert-$(DATE).pem; fi
+ # Issue the new CA certificate
+ @CA_ROOT_DIR=$(DATA_DIR)/$(ca) openssl ca $(CONFIG) -in $(DATA_DIR)/$(name)/private/cacsr.pem \
+ -out $(DATA_DIR)/$(name)/public/cacert.pem \
+ -batch -extensions ca_cert
+ # Hash and link to parent
+ @ln -s cacert.pem $(DATA_DIR)/$(ca)/public/`openssl x509 -noout -hash < $(DATA_DIR)/$(name)/public/cacert.pem`.0
+ @rm -f $(DATA_DIR)/$(name)/parent
+ @ln -s ../$(ca) $(DATA_DIR)/$(name)/parent
+ @cat $(DATA_DIR)/$(name)/public/cacert.pem $(DATA_DIR)/$(ca)/public/cachain.pem > $(DATA_DIR)/$(name)/public/cachain.pem
+ @ln -s ../../$(ca)/public/caroot.pem $(DATA_DIR)/$(name)/public/caroot.pem
+ @for CRLFILE in `cd $(DATA_DIR)/$(ca)/public/crl && ls -1`; do ln -sf ../../../$(ca)/public/crl/$$CRLFILE $(DATA_DIR)/$(name)/public/crl/$$CRLFILE; done
+ @$(REMAKE) gencrl ca=$(name)
+
+# Create a new certificate for use in TLS communications and other terminal usages
+newcert:
+ @if [ -z "$(name)" -o -z "$(ca)" ]; then echo "Missing parameter. Ex: make newcert name=service.testbed.aaa ca=ca.testbed.aaa"; exit 1; fi
+ @if [ ! -e $(DATA_DIR)/$(ca)/private/cakey.pem ]; then echo "The parent CA $(ca) does not exist."; exit 1; fi
+ @if [ ! -d $(DATA_DIR)/$(ca)/clients/$(name) ]; then mkdir $(DATA_DIR)/$(ca)/clients/$(name); fi
+ # Create a private key if needed
+ @if [ ! -e $(DATA_DIR)/$(ca)/clients/$(name)/privkey.pem ]; then \
+ openssl genrsa -out $(DATA_DIR)/$(ca)/clients/$(name)/privkey.pem $(keysize); fi
+ # Create a CSR if needed
+ @if [ ! -e $(DATA_DIR)/$(ca)/clients/$(name)/csr.pem ]; then \
+ CA_ROOT_DIR=$(DATA_DIR)/$(ca) openssl req $(CONFIG) -new -batch -out $(DATA_DIR)/$(ca)/clients/$(name)/csr.pem \
+ -key $(DATA_DIR)/$(ca)/clients/$(name)/privkey.pem \
+ -subj /CN=$(name); fi
+ # Revoke a previous certificate if any
+ @if [ -e $(DATA_DIR)/$(ca)/clients/$(name)/cert.pem ]; then \
+ $(REMAKE) revoke name=$(name) ca=$(ca); \
+ mv $(DATA_DIR)/$(ca)/clients/$(name)/cert.pem $(DATA_DIR)/$(ca)/clients/$(name)/cert-$(DATE).pem; fi
+ # Now sign the new certificate with the CA key
+ @CA_ROOT_DIR=$(DATA_DIR)/$(ca) openssl ca $(CONFIG) -in $(DATA_DIR)/$(ca)/clients/$(name)/csr.pem \
+ -out $(DATA_DIR)/$(ca)/clients/$(name)/cert.pem \
+ -batch
+ # Hash
+ @ln -sf `cat $(DATA_DIR)/$(ca)/serial.old`.pem $(DATA_DIR)/$(ca)/public/`openssl x509 -noout -hash < $(DATA_DIR)/$(ca)/clients/$(name)/cert.pem`.0
+ # Compiled informations for the client
+ @cat $(DATA_DIR)/$(ca)/clients/$(name)/cert.pem $(DATA_DIR)/$(ca)/public/cachain.pem > $(DATA_DIR)/$(ca)/clients/$(name)/certchain.pem
+ @ln -sf ../../public/crl $(DATA_DIR)/$(ca)/clients/$(name)/crl
+ @ln -sf ../../public/caroot.pem $(DATA_DIR)/$(ca)/clients/$(name)/ca.pem
+
+# Create a PKCS#12 file containing the client's information
+p12: newcert
+ # Create the PKCS#12 file
+ @cat $(DATA_DIR)/$(ca)/clients/$(name)/privkey.pem \
+ $(DATA_DIR)/$(ca)/clients/$(name)/certchain.pem \
+ $(DATA_DIR)/$(ca)/clients/$(name)/ca.pem \
+ | openssl pkcs12 -export -out $(DATA_DIR)/$(ca)/clients/$(name)/$(name).p12
+ @echo "Client certificate is created in $(DATA_DIR)/$(ca)/clients/$(name)/$(name).p12"
+
+# Create an archive to send the data to the client node
+ship:
+ @if [ -z "$(name)" -o -z "$(ca)" ]; then echo "Missing parameter. Ex: make ship name=service.testbed.aaa ca=ca.testbed.aaa"; exit 1; fi
+ @if [ ! -e $(DATA_DIR)/$(ca)/private/cakey.pem ]; then echo "The parent CA $(ca) does not exist."; exit 1; fi
+ @if [ ! -e $(DATA_DIR)/$(ca)/clients/$(name)/privkey.pem ]; then echo "The client $(name) does not exist, use 'make newcert' first."; exit 1; fi
+ # Ship the data
+ @tar -c -C $(DATA_DIR)/$(ca)/clients/$(name) -z -f $(ca)_$(name).tar.gz -h .
+ @echo "The files have been packaged into archive: $(ca)_$(name).tar.gz"
+
+# Revoke a certificate
+revoke:
+ @if [ -z "$(name)" -o -z "$(ca)" ]; then echo "Missing parameter. Ex: make revoke name=service.testbed.aaa ca=ca.testbed.aaa"; exit 1; fi
+ @if [ ! -e $(DATA_DIR)/$(ca)/private/cakey.pem ]; then echo "The parent CA $(ca) does not exist."; exit 1; fi
+ @if [ ! -e $(DATA_DIR)/$(ca)/clients/$(name)/cert.pem ]; \
+ then echo "$(DATA_DIR)/$(ca)/clients/$(name)/cert.pem not found"; \
+ exit 1; \
+ fi;
+ # Revoke the certificate
+ @CA_ROOT_DIR=$(DATA_DIR)/$(ca) openssl ca $(CONFIG) -revoke $(DATA_DIR)/$(ca)/clients/$(name)/cert.pem;
+ @$(REMAKE) gencrl ca=$(ca)
+
+# Regenerate the Certificate Revocation List.
+gencrl:
+ @if [ -z "$(ca)" ]; then echo "Missing parameter. Ex: make gencrl ca=ca.testbed.aaa"; exit 1; fi
+ # Create the CRL
+ @CA_ROOT_DIR=$(DATA_DIR)/$(ca) openssl ca $(CONFIG) -gencrl -out $(DATA_DIR)/$(ca)/public/crl/$(ca).pem
+ @ln -s crl/$(ca).pem $(DATA_DIR)/$(ca)/public/local.pem
+ @ln -s local.pem $(DATA_DIR)/$(ca)/public/`openssl crl -noout -hash < $(DATA_DIR)/$(ca)/public/crl/$(ca).pem`.r0
+
+# End of file...
diff --git a/contrib/PKI/ca_script2/openssl.cnf b/contrib/PKI/ca_script2/openssl.cnf
new file mode 100644
index 0000000..2202209
--- /dev/null
+++ b/contrib/PKI/ca_script2/openssl.cnf
@@ -0,0 +1,120 @@
+# Note: for this file to be working, an environment var CA_ROOT_DIR = directory
+# must be defined and pointing to the CA top-level directory.
+
+HOME = .
+RANDFILE = $ENV::HOME/.rnd
+
+oid_section = new_oids
+
+[ new_oids ]
+
+
+####################################################################
+[ req ]
+default_bits = 1024
+# default_keyfile = privkey.pem
+string_mask = utf8only
+
+distinguished_name = req_distinguished_name
+attributes = req_attributes
+req_extensions = v3_req # overwrite with -reqexts
+x509_extensions = ca_cert # overwrite with -extensions; used for self-signed keys only
+
+[ req_distinguished_name ]
+countryName = Country Name (2 letter code)
+countryName_default = JP
+countryName_min = 2
+countryName_max = 2
+stateOrProvinceName = State or Province Name (full name)
+stateOrProvinceName_default = Tokyo
+localityName = Locality Name (eg, city)
+localityName_default = Koganei
+0.organizationName = Organization Name (eg, company)
+0.organizationName_default = WIDE
+1.organizationName = Second Organization Name (eg, company)
+1.organizationName_default = NICT
+organizationalUnitName = Organizational Unit Name (eg, section)
+organizationalUnitName_default = AAA WG testbed
+
+[ req_attributes ]
+challengePassword = A challenge password
+challengePassword_min = 0
+challengePassword_max = 20
+unstructuredName = An optional company name
+
+[ v3_req ]
+# Extensions to add to a certificate request
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+[ v3_req_ca ]
+# Extensions to add to a certificate request for CA
+basicConstraints = CA:TRUE
+
+
+####################################################################
+[ ca ]
+default_ca = CA_default # The default ca section
+
+[ CA_default ]
+
+dir = $ENV::CA_ROOT_DIR # Where everything is kept
+certs = $dir/public # Where the issued certs are kept
+crl_dir = $dir/public # Where the issued crl are kept
+database = $dir/index.txt # database index file.
+#unique_subject = no # Set to 'no' to allow creation of
+ # several ctificates with same subject.
+new_certs_dir = $dir/public # default place for new certs.
+
+certificate = $dir/public/cacert.pem # The CA certificate
+serial = $dir/serial # The current serial number
+crlnumber = $dir/crlnumber # the current crl number
+crl = $dir/public/local.pem # The current CRL
+private_key = $dir/private/cakey.pem # The private key
+x509_extensions = usr_cert # The extentions to add to the cert
+ # overwrite with -extensions
+name_opt = ca_default # Subject Name options
+cert_opt = ca_default # Certificate field options
+crl_extensions = crl_ext
+
+default_days = 3650 # how long to certify for
+default_crl_days= 365 # how long before next CRL
+default_md = sha1 # which md to use.
+preserve = no # keep passed DN ordering
+
+# We accept to sign anything, but a real deployment would limit to proper domain etc...
+policy = policy_anything
+
+[ policy_anything ]
+countryName = optional
+stateOrProvinceName = optional
+localityName = optional
+organizationName = optional
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+
+[ usr_cert ]
+basicConstraints=CA:FALSE
+# This is typical in keyUsage for a client certificate.
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer
+
+[ ca_cert ]
+# Extensions for a typical CA
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid:always,issuer:always
+basicConstraints = critical,CA:true # Remove "critical," in case of problems
+keyUsage = cRLSign, keyCertSign
+# subjectAltName=email:copy
+# Copy issuer details
+# issuerAltName=issuer:copy
+
+[ crl_ext ]
+# CRL extensions.
+# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
+# issuerAltName=issuer:copy
+authorityKeyIdentifier=keyid:always,issuer:always
+
+