ocsp cviko

2025-05-21 21:27:58 +03:00 · 2025-05-21 21:27:58 +03:00 · 36b8208b53
parent bc22012846
commit 36b8208b53
3 changed files with 136 additions and 0 deletions
--- a/ocsp_cviko/cviko5.sh
+++ b/ocsp_cviko/cviko5.sh
@ -0,0 +1,81 @@
+# cleanup
+rm -rf t
+pkill -f openssl
+
+# ca
+mkdir t
+mkdir t/ocsp
+mkdir t/ocsp/ca
+mkdir t/ocsp/ca/certs
+mkdir t/ocsp/ca/crl
+mkdir t/ocsp/ca/newcerts
+
+touch t/ocsp/ca/index.txt
+echo '1000' > t/ocsp/ca/serial
+mkdir t/ocsp/logs
+cp ocsp.cnf t/ocsp/ocsp.cnf 
+
+# ca.crt
+echo '### CREATING CA (ec prime256v1) ###'
+openssl ecparam -name prime256v1 -genkey -noout -out t/ocsp/ca.key
+openssl ec -in t/ocsp/ca.key -pubout -out t/ocsp/ca_pub.key
+openssl req -x509 -new \
+            -sha256 -days 3650 \
+            -key t/ocsp/ca.key \
+            -out t/ocsp/ca.crt \
+            -subj '/O=CA/CN=ca.test/OU=ca.test' \
+            -extensions v3_ca
+
+# inter1.crt
+echo '### CREATING INTER1 (RSA) ###'
+openssl genpkey -algorithm RSA -out t/ocsp/inter1.key -pkeyopt rsa_keygen_bits:4096
+openssl req -new -key t/ocsp/inter1.key -out t/ocsp/inter1.csr -subj '/O=Inter/CN=inter.test/OU=2'
+openssl ca -config t/ocsp/ocsp.cnf \
+           -in t/ocsp/inter1.csr \
+           -out t/ocsp/inter1.crt \
+           -cert t/ocsp/ca.crt \
+           -keyfile t/ocsp/ca.key \
+           -notext -batch -updatedb -extensions v3_req #2>/dev/null
+
+# inter2.crt
+echo '### CREATING INTER2 (EdDSA) ###'
+openssl genpkey -algorithm Ed448 -out t/ocsp/inter2.key
+openssl req -new -key t/ocsp/inter2.key -out t/ocsp/inter2.csr -subj '/O=Inter/CN=inter.test/OU=3'
+openssl ca -config t/ocsp/ocsp.cnf \
+           -in t/ocsp/inter2.csr \
+           -out t/ocsp/inter2.crt \
+           -cert t/ocsp/inter1.crt \
+           -keyfile t/ocsp/inter1.key \
+           -notext -batch -updatedb -extensions v3_req #2>/dev/null
+
+# client.crt
+echo '### CREATING CLIENT ###'
+openssl ecparam -name prime256v1 -genkey -noout -out t/ocsp/client.key
+openssl req -new -key t/ocsp/client.key -out t/ocsp/client.csr -subj '/O=Client/CN=client.test/OU=4'
+openssl ca -config t/ocsp/ocsp.cnf \
+           -in t/ocsp/client.csr \
+           -out t/ocsp/client.crt \
+           -cert t/ocsp/inter2.crt \
+           -keyfile t/ocsp/inter2.key \
+           -notext -batch -updatedb -extensions v3_req #2>/dev/null
+
+# chain
+echo '### CREATING CHAIN ###'
+cat t/ocsp/client.crt  > t/ocsp/chain.pem
+cat t/ocsp/inter1.crt >> t/ocsp/chain.pem
+cat t/ocsp/inter2.crt >> t/ocsp/chain.pem
+cat t/ocsp/ca.crt  >> t/ocsp/chain.pem
+
+# sign
+echo '### SIGNING ###'
+openssl dgst -sha256 -sign t/ocsp/client.key -out file.sig file
+
+# verify
+echo '### VERIFYING ###'
+openssl dgst -sha256 -verify <(openssl x509 -in t/ocsp/client.crt -pubkey -noout) \
+            -signature file.sig file
+
+# start ocsp server
+#openssl ocsp -index t/ocsp/ca/index.txt -port 2560 -ndays 999 -rsigner t/ocsp/ca/ca.crt -rkey t/ocsp/ca/ca.key -CA t/ocsp/ca/ca.crt -text >t/ocsp/logs/log.ocsp1 2>t/ocsp/logs/log.ocsp2 &
+#sleep(1);
+
--- a/ocsp_cviko/file
+++ b/ocsp_cviko/file
@ -0,0 +1 @@
+hello world
--- a/ocsp_cviko/ocsp.cnf
+++ b/ocsp_cviko/ocsp.cnf
@ -0,0 +1,54 @@
+[ ca ]
+default_ca = CA_default
+
+[ CA_default ]
+dir             = ./t/ocsp/ca      # Where everything is kept
+# dir             = ./ca
+certs           = $dir/certs            # Where the issued certs are kept
+crl_dir         = $dir/crl              # Where the issued crl are kept
+database        = $dir/index.txt        # database index file.
+new_certs_dir   = $dir/newcerts         # default place for new certs.
+
+certificate     = $dir/ca.crt           # The CA certificate
+serial          = $dir/serial           # The current serial number
+crlnumber       = $dir/crlnumber        # the current crl number must be commented out to leave a V1 CRL
+crl             = $dir/crl.pem          # The current CRL
+private_key     = $dir/ca.key # The private key
+RANDFILE        = $dir/private/.rand    # private random number file
+
+# x509_extensions = usr_cert              # The extentions to add to the cert
+
+default_days    = 365                   # how long to certify for
+default_crl_days= 30                    # how long before next CRL
+default_md      = default               # which md to use.
+preserve        = no                    # keep passed DN ordering
+policy          = policy_any            # Which policy is used
+
+[ policy_any ]
+countryName             = optional
+stateOrProvinceName     = optional
+organizationName        = optional
+organizationalUnitName  = optional
+commonName              = supplied
+emailAddress            = optional
+
+[ req ]
+x509_extensions = v3_ca
+prompt = no
+default_bits       = 2048
+default_md         = sha256
+prompt             = no
+distinguished_name = dn
+req_extensions     = req_ext
+
+[ v3_req ]
+authorityInfoAccess = OCSP;URI:http://127.0.0.1:2560
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+extendedKeyUsage = clientAuth, serverAuth, timeStamping, OCSPSigning
+
+[ v3_ca ]
+authorityInfoAccess = OCSP;URI:http://127.0.0.1:2560
+basicConstraints = CA:TRUE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+extendedKeyUsage = clientAuth, serverAuth, timeStamping, OCSPSigning