author | Alon Levy <alevy@redhat.com> | 2012-03-21 14:32:49 +0200 |
---|---|---|
committer | Alon Levy <alevy@redhat.com> | 2012-03-21 14:32:49 +0200 |
commit | c9924d6b4847fb681dee11b8959457393828d797 (patch) | |
tree | a7174b5b82451e84a0a7cb032b586221f865a6d6 | |
parent | 8f5a42c6215641630ad66e92df9d5dd861d70280 (diff) | |
parent | ae558ebc6fc3ec7120b7bbfc10f555184d96165f (diff) |
Merge remote-tracking branch 'bz/master'
Conflicts:
README
-rw-r--r-- | .gitignore | 1 | ||||
-rw-r--r-- | 630105/.gitignore | 6 | ||||
-rw-r--r-- | 630105/Makefile | 35 | ||||
-rwxr-xr-x | 630105/make_new.sh | 58 |
4 files changed, 100 insertions, 0 deletions
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..3268211
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+.*.sw?
diff --git a/630105/.gitignore b/630105/.gitignore
new file mode 100644
index 0000000..303bea6
--- /dev/null
+++ b/630105/.gitignore
@@ -0,0 +1,6 @@
+ca-cert.pem
+ca-key.pem
+server-cert.pem
+server-key.csr
+server-key.pem
+server-key.pem.secure
diff --git a/630105/Makefile b/630105/Makefile
new file mode 100644
index 0000000..f577f2c
--- /dev/null
+++ b/630105/Makefile
@@ -0,0 +1,35 @@
+all: regular
+
+.PHONY: regular cech clean test_regular test_cech
+
+OK_CA_SUBJECT=/C=IL/L=Raanana/O=Red Hat/CN=my CA
+OK_SERVER_SUBJECT=/C=IL/L=Raanana/O=Red Hat/CN=my server
+OK_SERVER_SUBJECT_SPICEC=C=IL,L=Raanana,O=Red Hat,CN=my server
+CECH_CA_SUBJECT=/O=Nějaká česká firma/CN=ps-desk.brq.redhat.com
+CECH_SERVER_SUBJECT=/O=Nějaká česká firma/CN=ps-desk.brq.redhat.com server
+CECH_SERVER_SUBJECT_SPICEC=O=Nějaká česká firma,CN=ps-desk.brq.redhat.com server
+
+CWD=$(shell pwd)
+
+regular:
+ ./make_new.sh "$(OK_CA_SUBJECT)" "$(OK_SERVER_SUBJECT)"
+
+cech_just_ca:
+ ./make_new.sh "$(CECH_CA_SUBJECT)" "$(OK_SERVER_SUBJECT)"
+
+cech:
+ ./make_new.sh "$(CECH_CA_SUBJECT)" "$(CECH_SERVER_SUBJECT)"
+
+
+machine:
+ qemu.upstream -vga qxl -m 256 -spice port=6200,tls-port=7200,disable-ticketing,x509-dir=$(CWD),tls-channel=main,tls-channel=inputs
+
+# ca certificate in cech isn't a problem.
+spicec_regular:
+ spicec -h localhost -p 6200 -s 7200 --secure-channels=all --ca-file ca-cert.pem --host-subject "$(OK_SERVER_SUBJECT_SPICEC)"
+
+spicec_cech:
+ spicec -h localhost -p 6200 -s 7200 --secure-channels=all --ca-file ca-cert.pem --host-subject "$(CECH_SERVER_SUBJECT_SPICEC)"
+
+clean:
+ rm -f *.secure *.pem *.csr
diff --git a/630105/make_new.sh b/630105/make_new.sh
new file mode 100755
index 0000000..12b697a
--- /dev/null
+++ b/630105/make_new.sh
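Review bot: The `.PHONY` line near the top of the 630105/Makefile hunk declares `test_regular` and `test_cech`, which no rule in the file defines, while the command-style targets that do exist — `cech_just_ca`, `machine`, `spicec_regular`, `spicec_cech` and `all` — are left undeclared, so a stray file with one of those names would turn the corresponding `make` invocation into a silent no-op. Suggest `.PHONY: all regular cech_just_ca cech machine spicec_regular spicec_cech clean`. `CWD=$(shell pwd)` is a recursive assignment, so the shell is re-forked on every expansion; `CWD := $(CURDIR)` yields the same absolute path with no subprocess. The `clean` recipe's `rm -f *.secure *.pem *.csr` also removes `ca-key.pem` and `ca-cert.pem`, so the next `make regular` quietly mints a new CA that previously issued server certs no longer chain to; if that is intended a comment such as `# also discards the CA; certs signed by it become untrusted` would save the next reader a surprise. The `machine` recipe runs SPICE with `disable-ticketing` on ports 6200/7200 bound to qemu's default address, which is fine for a local bug reproducer but worth flagging in a comment so nobody copies it into a real setup.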
@@ -0,0 +1,58 @@
+#!/bin/bash
+
+# reference:
+# http://www.tc.umn.edu/~brams006/selfsign.html
+
+SERVER_KEY=server-key.pem
+# The bug is: when certificate subject is in chech, we don't parse
+# it correctly (i.e. we mangle it somewhere along the way)
+CERT_SUBJECT=$1
+SERVER_SUBJECT=$2
+
+if [ "x$CERT_SUBJECT" == "x" ] ;then
+ echo supply ca subject please.
+ exit -1
+fi
+
+if [ "x$SERVER_SUBJECT" == "x" ]; then
+ echo supply server subject please.
+ exit -1
+fi
+
+# creating a key for our ca
+if [ ! -e ca-key.pem ]; then
+ openssl genrsa -des3 -out ca-key.pem 1024
+fi
+# creating a ca
+if [ ! -e ca-cert.pem ]; then
+ openssl req -new -x509 -days 1095 -key ca-key.pem -out ca-cert.pem -utf8 -subj "$CERT_SUBJECT"
+fi
+# create server key
+if [ ! -e $SERVER_KEY ]; then
+ openssl genrsa -out $SERVER_KEY 1024
+fi
+# create a certificate signing request (csr)
+if [ ! -e server-key.csr ]; then
+ openssl req -new -key $SERVER_KEY -out server-key.csr -utf8 -subj "$SERVER_SUBJECT"
+fi
+# signing our server certificate with this ca
+if [ ! -e server-cert.pem ]; then
+ openssl x509 -req -days 1095 -in server-key.csr -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem
+fi
+
+# now create a key that doesn't require a passphrase
+openssl rsa -in $SERVER_KEY -out $SERVER_KEY.insecure
+mv $SERVER_KEY $SERVER_KEY.secure
+mv $SERVER_KEY.insecure $SERVER_KEY
+
+# show the results (no other effect)
+openssl rsa -noout -text -in $SERVER_KEY
+openssl rsa -noout -text -in ca-key.pem
+openssl req -noout -text -in server-key.csr
+openssl x509 -noout -text -in server-cert.pem
+openssl x509 -noout -text -in ca-cert.pem
+
+echo "Subject for server certificate in copy pastable mode: (first -esc_msb, second without)"
+openssl x509 -in server-cert.pem -noout -subject -nameopt oneline,-esc_msb
+openssl x509 -in server-cert.pem -noout -subject -nameopt oneline
+
|
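Review bot: The script never stops on a failed openssl step — there is no `set -e` after the `#!/bin/bash` line — so if, for example, the `-des3` CA key generation is aborted at the passphrase prompt, every later step still runs, and the two `mv` lines near the end will still rename whatever server key exists, leaving a partial set of files that the `if [ ! -e ... ]` guards treat as finished on the next run; adding `set -e` as the second line fixes that. The `exit -1` in both argument checks is outside the 0–255 range and is reported by the shell as 255; `exit 1` is the conventional usage-error status. The unencrypted copy written by `openssl rsa -out $SERVER_KEY.insecure` (and the `.secure` file it is swapped with) presumably gets the caller's umask, so a `umask 077` near the top would keep the private keys from being created world-readable. The 1024-bit RSA keys are well below what current TLS stacks and CA policies accept; that is acceptable for a 2012 bug reproducer, but a comment such as `# test-only key size, do not reuse for real deployments` on the two `genrsa` lines would prevent the script being copied as a template.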