authorAlon Levy <alevy@redhat.com>2012-03-21 14:32:49 +0200
committerAlon Levy <alevy@redhat.com>2012-03-21 14:32:49 +0200
commitc9924d6b4847fb681dee11b8959457393828d797 (patch)
treea7174b5b82451e84a0a7cb032b586221f865a6d6
parent8f5a42c6215641630ad66e92df9d5dd861d70280 (diff)
parentae558ebc6fc3ec7120b7bbfc10f555184d96165f (diff)
Merge remote-tracking branch 'bz/master'
Conflicts: README
-rw-r--r--.gitignore1
-rw-r--r--630105/.gitignore6
-rw-r--r--630105/Makefile35
-rwxr-xr-x630105/make_new.sh58
4 files changed, 100 insertions, 0 deletions
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..3268211
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+.*.sw?
diff --git a/630105/.gitignore b/630105/.gitignore
new file mode 100644
index 0000000..303bea6
--- /dev/null
+++ b/630105/.gitignore
@@ -0,0 +1,6 @@
+ca-cert.pem
+ca-key.pem
+server-cert.pem
+server-key.csr
+server-key.pem
+server-key.pem.secure
diff --git a/630105/Makefile b/630105/Makefile
new file mode 100644
index 0000000..f577f2c
--- /dev/null
+++ b/630105/Makefile
@@ -0,0 +1,35 @@
+all: regular
+
+.PHONY: regular cech clean test_regular test_cech
+
+OK_CA_SUBJECT=/C=IL/L=Raanana/O=Red Hat/CN=my CA
+OK_SERVER_SUBJECT=/C=IL/L=Raanana/O=Red Hat/CN=my server
+OK_SERVER_SUBJECT_SPICEC=C=IL,L=Raanana,O=Red Hat,CN=my server
+CECH_CA_SUBJECT=/O=Nějaká česká firma/CN=ps-desk.brq.redhat.com
+CECH_SERVER_SUBJECT=/O=Nějaká česká firma/CN=ps-desk.brq.redhat.com server
+CECH_SERVER_SUBJECT_SPICEC=O=Nějaká česká firma,CN=ps-desk.brq.redhat.com server
+
+CWD=$(shell pwd)
+
+regular:
+ ./make_new.sh "$(OK_CA_SUBJECT)" "$(OK_SERVER_SUBJECT)"
+
+cech_just_ca:
+ ./make_new.sh "$(CECH_CA_SUBJECT)" "$(OK_SERVER_SUBJECT)"
+
+cech:
+ ./make_new.sh "$(CECH_CA_SUBJECT)" "$(CECH_SERVER_SUBJECT)"
+
+
+machine:
+ qemu.upstream -vga qxl -m 256 -spice port=6200,tls-port=7200,disable-ticketing,x509-dir=$(CWD),tls-channel=main,tls-channel=inputs
+
+# ca certificate in cech isn't a problem.
+spicec_regular:
+ spicec -h localhost -p 6200 -s 7200 --secure-channels=all --ca-file ca-cert.pem --host-subject "$(OK_SERVER_SUBJECT_SPICEC)"
+
+spicec_cech:
+ spicec -h localhost -p 6200 -s 7200 --secure-channels=all --ca-file ca-cert.pem --host-subject "$(CECH_SERVER_SUBJECT_SPICEC)"
+
+clean:
+ rm -f *.secure *.pem *.csr
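Review bot: The `machine` target starts SPICE with `disable-ticketing` and no `addr=`, so QEMU (which, as far as I know, listens on all interfaces by default) would expose the guest console on ports 6200/7200 to any host that can reach them, with no password. Both `spicec_*` targets connect to `localhost`, so adding `addr=127.0.0.1` to the `-spice` option list keeps the reproducer working without putting it on the network. Separately, `.PHONY` names `test_regular` and `test_cech`, which have no rules in this file, while `cech_just_ca`, `machine`, `spicec_regular` and `spicec_cech` are real command targets that are not declared phony.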
diff --git a/630105/make_new.sh b/630105/make_new.sh
new file mode 100755
index 0000000..12b697a
--- /dev/null
+++ b/630105/make_new.sh
@@ -0,0 +1,58 @@
+#!/bin/bash
+
+# reference:
+# http://www.tc.umn.edu/~brams006/selfsign.html
+
+SERVER_KEY=server-key.pem
+# The bug is: when certificate subject is in chech, we don't parse
+# it correctly (i.e. we mangle it somewhere along the way)
+CERT_SUBJECT=$1
+SERVER_SUBJECT=$2
+
+if [ "x$CERT_SUBJECT" == "x" ] ;then
+ echo supply ca subject please.
+ exit -1
+fi
+
+if [ "x$SERVER_SUBJECT" == "x" ]; then
+ echo supply server subject please.
+ exit -1
+fi
+
+# creating a key for our ca
+if [ ! -e ca-key.pem ]; then
+ openssl genrsa -des3 -out ca-key.pem 1024
+fi
+# creating a ca
+if [ ! -e ca-cert.pem ]; then
+ openssl req -new -x509 -days 1095 -key ca-key.pem -out ca-cert.pem -utf8 -subj "$CERT_SUBJECT"
+fi
+# create server key
+if [ ! -e $SERVER_KEY ]; then
+ openssl genrsa -out $SERVER_KEY 1024
+fi
+# create a certificate signing request (csr)
+if [ ! -e server-key.csr ]; then
+ openssl req -new -key $SERVER_KEY -out server-key.csr -utf8 -subj "$SERVER_SUBJECT"
+fi
+# signing our server certificate with this ca
+if [ ! -e server-cert.pem ]; then
+ openssl x509 -req -days 1095 -in server-key.csr -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem
+fi
+
+# now create a key that doesn't require a passphrase
+openssl rsa -in $SERVER_KEY -out $SERVER_KEY.insecure
+mv $SERVER_KEY $SERVER_KEY.secure
+mv $SERVER_KEY.insecure $SERVER_KEY
+
+# show the results (no other effect)
+openssl rsa -noout -text -in $SERVER_KEY
+openssl rsa -noout -text -in ca-key.pem
+openssl req -noout -text -in server-key.csr
+openssl x509 -noout -text -in server-cert.pem
+openssl x509 -noout -text -in ca-cert.pem
+
+echo "Subject for server certificate in copy pastable mode: (first -esc_msb, second without)"
+openssl x509 -in server-cert.pem -noout -subject -nameopt oneline,-esc_msb
+openssl x509 -in server-cert.pem -noout -subject -nameopt oneline
+
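Review bot: Both `openssl genrsa` calls create 1024-bit RSA keys, which is below current guidance even for a throwaway test CA that someone may copy; `openssl genrsa -out $SERVER_KEY 2048` (and the same size on the `ca-key.pem` line) costs nothing here. The "show the results" block runs `openssl rsa -noout -text` on both private keys, which prints the private exponent and primes to stdout, so any captured terminal or build log then holds the key material; `openssl rsa -noout -check -in $SERVER_KEY` would validate the key without dumping it. The script also has no `set -e`, so a failed openssl step still reaches the `mv` lines that rename `$SERVER_KEY`.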