diff options
| author | Rob Austein <sra@hactrn.net> | 2011-09-06 20:34:10 +0000 |
|---|---|---|
| committer | Rob Austein <sra@hactrn.net> | 2011-09-06 20:34:10 +0000 |
| commit | 55922962a53291c15b57a7a993f73757c235499b (patch) | |
| tree | 5b7792ec383aba98089e98fee5e9a51959802e2e /scripts/Old/generate-testrepo.pl | |
| parent | b417bbfc937c79fa96c726192d7f834a051a445e (diff) | |
Cleanup
svn path=/scripts/Old/apnic-test-3.tgz; revision=3972
Diffstat (limited to 'scripts/Old/generate-testrepo.pl')
| -rw-r--r-- | scripts/Old/generate-testrepo.pl | 337 |
1 files changed, 0 insertions, 337 deletions
diff --git a/scripts/Old/generate-testrepo.pl b/scripts/Old/generate-testrepo.pl deleted file mode 100644 index bacbe0de..00000000 --- a/scripts/Old/generate-testrepo.pl +++ /dev/null @@ -1,337 +0,0 @@ -# $Id$ - -# Hack to generate a small test repository for testing Apache + OpenSSL + RPKI - -use strict; - -my %resources; -my %parent; -my @ordering; -my %hashes; - -my $openssl = "../../openssl/openssl/apps/openssl"; -my $subdir = "apacheca"; -my $passwd = "fnord"; -my $keybits = 2048; -my $verbose = 0; -my $debug = 1; -my $revoke = 0; - -sub openssl { - print(STDERR join(" ", qw(+ openssl), @_), "\n") - if ($debug); - !system($openssl, @_) - or die("openssl @_ returned $?\n"); -} - -# Ok, this is a bit complicated, but the idea is to let us specify the -# resources we're giving to each leaf entity and let the program do -# the work of figuring out what resources each issuers need to have, -# the order in which we need to generate the certificates, which -# certificates need to sign which other certificates, etcetera. -# -# This would be much easier to read in a sane language (eg, Scheme). - -{ - my @ctx; - my $loop ; - $loop= sub { - my $x = shift; - if (ref($x) eq "HASH") { - while (my ($k, $v) = each(%$x)) { - $parent{$k} = $ctx[@ctx - 1]; - push(@ordering, $k); - push(@ctx, $k); $loop->($v); pop(@ctx); - } - } else { - for my $c (@ctx) { push(@{$resources{$c}}, @$x) } - } - }; - $loop->({ - RIR => { - LIR1 => { - ISP1 => [IPv4 => "192.0.2.1-192.0.2.33", AS => "64533"], - ISP2 => [IPv4 => "192.0.2.44-192.0.2.100"], - }, - LIR2 => { - ISP3 => [IPv6 => "2001:db8::44-2001:db8::100"], - ISP4 => [IPv6 => "2001:db8::10:0:44", AS => "64544"], - }, - }, - }); -} - -# Put this stuff into a subdirectory - -mkdir($subdir) unless (-d $subdir); -chdir($subdir) or die; - -# Generate configurations for each entity. - -while (my ($entity, $resources) = each(%resources)) { - my %r; - print($entity, ":\n") - if ($verbose); - for (my $i = 0; $i < @$resources; $i += 2) { - printf(" %4s: %s\n", $resources->[$i], $resources->[$i+1]) - if ($verbose); - push(@{$r{$resources->[$i]}}, $resources->[$i+1]); - } - open(F, ">${entity}.cnf") or die; - print(F <<EOF); - - [ ca ] - default_ca = ca_default - - [ ca_default ] - - certificate = ${entity}.cer - serial = ${entity}/serial - private_key = ${entity}.key - database = ${entity}/index - new_certs_dir = ${entity} - name_opt = ca_default - cert_opt = ca_default - default_days = 365 - default_crl_days = 30 - default_md = sha1 - preserve = no - copy_extensions = copy - policy = ca_policy_anything - unique_subject = no - - [ ca_policy_anything ] - countryName = optional - stateOrProvinceName = optional - localityName = optional - organizationName = optional - organizationalUnitName = optional - commonName = supplied - emailAddress = optional - givenName = optional - surname = optional - - [ req ] - default_bits = $keybits - encrypt_key = no - distinguished_name = req_dn - x509_extensions = req_x509_ext - prompt = no - - [ req_dn ] - - CN = TEST ENTITY $entity - - [ req_x509_ext ] - - basicConstraints = critical,CA:true - subjectKeyIdentifier = hash - authorityKeyIdentifier = keyid - keyUsage = critical,keyCertSign,cRLSign - subjectInfoAccess = 1.3.6.1.5.5.7.48.5;URI:rsync://wombats-r-us.hactrn.net/ - -EOF - - print(F <<EOF) if ($parent{$entity}); - - authorityInfoAccess = caIssuers;URI:rsync://wombats-r-us.hactrn.net/$parent{$entity}.cer - -EOF - - print(F <<EOF) if ($r{AS} || $r{RDI}); - - sbgp-autonomousSysNum = critical,\@asid_ext - -EOF - - print(F <<EOF) if ($r{IPv4} || $r{IPv6}); - - sbgp-ipAddrBlock = critical,\@addr_ext - -EOF - - print(F <<EOF); - - [ asid_ext ] - -EOF - - for my $n (qw(AS RDI)) { - my $i = 0; - for my $a (@{$r{$n}}) { - print(F "\t", $n, ".", $i++, " = ", $a, "\n"); - } - } - - print(F <<EOF); - - - [ addr_ext ] - -EOF - - for my $n (qw(IPv4 IPv6)) { - my $i = 0; - for my $a (@{$r{$n}}) { - print(F "\t", $n, ".", $i++, " = ", $a, "\n"); - } - } - close(F); -} - -# Revoke old certificates, maybe. - -if ($revoke) { - for my $cert (glob("*/*.pem")) { - my $conf = (split("/", $cert))[0] . ".cnf"; - openssl("ca", "-verbose", "-config", $conf, "-revoke", $cert); - unlink($cert); - } -} - -# Run OpenSSL to create the keys and certificates. We generate keys -# separately to avoid wasting /dev/random bits if we need to change -# the configuration. - -for my $entity (@ordering) { - openssl("genrsa", "-out", "${entity}.key", $keybits) - unless (-f "${entity}.key"); - openssl("req", "-new", "-config", "${entity}.cnf", "-key", "${entity}.key", "-out", "${entity}.req"); - - mkdir($entity) - unless (-d $entity); - if (!-f "${entity}/index") { - open(F, ">${entity}/index") or die; - close(F); - } - if (!-f "${entity}/serial") { - open(F, ">${entity}/serial") or die; - print(F "01\n") or die; - close(F); - } - - openssl("ca", "-batch", "-verbose", "-out", "${entity}.cer", "-in", "${entity}.req", - "-extensions", "req_x509_ext", "-extfile", "${entity}.cnf", - ($parent{$entity} - ? ("-config", "${parent{$entity}}.cnf") - : ("-config", "${entity}.cnf", "-selfsign"))); -} - -# Generate CRLs - -for my $entity (@ordering) { - openssl("ca", "-batch", "-verbose", "-out", "${entity}.crl", - "-config", "${entity}.cnf", "-gencrl"); -} - -# Generate EE certs - -for my $parent (@ordering) { - my $entity = "${parent}-EE"; - open(F, ">${entity}.cnf") or die; - print(F <<EOF); - - [ req ] - default_bits = $keybits - encrypt_key = no - distinguished_name = req_dn - x509_extensions = req_x509_ext - prompt = no - - [ req_dn ] - - CN = TEST ENDPOINT ENTITY ${entity} - - [ req_x509_ext ] - - basicConstraints = critical,CA:false - subjectKeyIdentifier = hash - authorityKeyIdentifier = keyid - subjectInfoAccess = 1.3.6.1.5.5.7.48.5;URI:rsync://wombats-r-us.hactrn.net/ - authorityInfoAccess = caIssuers;URI:rsync://wombats-r-us.hactrn.net/$parent.cer - -EOF - - close(F); - openssl("genrsa", "-out", "${entity}.key", $keybits) - unless (-f "${entity}.key"); - openssl("req", "-new", "-config", "${entity}.cnf", "-key", "${entity}.key", "-out", "${entity}.req"); - - mkdir($entity) - unless (-d $entity); - if (!-f "${entity}/index") { - open(F, ">${entity}/index") or die; - close(F); - } - if (!-f "${entity}/serial") { - open(F, ">${entity}/serial") or die; - print(F "01\n") or die; - close(F); - } - - openssl("ca", "-batch", "-verbose", "-config", "${parent}.cnf", - "-extensions", "req_x509_ext", "-extfile", "${entity}.cnf", - "-out", "${entity}.cer", "-in", "${entity}.req"); -} - -# Generate hashes - -for my $cert (map({("$_.cer", "$_-EE.cer")} @ordering)) { - my $hash = `$openssl x509 -noout -hash -in $cert`; - chomp($hash); - $hash .= "."; - $hash .= (0 + $hashes{$hash}++); - unlink($hash) if (-l $hash); - symlink($cert, $hash) - or die("Couldn't link $hash to $cert: $!\n"); -} - -for my $crl (map({"$_.crl"} @ordering)) { - my $hash = `$openssl crl -noout -hash -in $crl`; - chomp($hash); - $hash .= ".r"; - $hash .= (0 + $hashes{$hash}++); - unlink($hash) if (-l $hash); - symlink($crl, $hash) - or die("Couldn't link $hash to $crl: $!\n"); -} - -# Generate PKCS12 forms of EE certificates -# -chain argument to pkcs12 requires certificate store, which we configure via an environment variable - -$ENV{SSL_CERT_DIR} = do { my $pwd = `pwd`; chomp($pwd); $pwd; }; - -for my $ee (map({"$_-EE"} @ordering)) { - my @cmd = ("pkcs12", "-export", "-in", "$ee.cer", "-inkey", "$ee.key", "-password", "pass:$passwd"); - openssl(@cmd, "-out", "$ee.p12"); - openssl(@cmd, "-out", "$ee.chain.p12", "-chain"); -} - -# Finally, generate an unrelated self-signed certificate for the server - -my $hostname = `hostname`; -chomp($hostname); -open(F, ">server.cnf") or die; -print(F <<EOF); - - [ req ] - default_bits = $keybits - encrypt_key = no - distinguished_name = req_dn - prompt = no - - [ req_dn ] - - CN = $hostname - -EOF - -close(F); -openssl(qw(genrsa -out server.key), $keybits) - unless (-f "server.key"); -openssl(qw(req -new -config server.cnf -key server.key -out server.req)); -openssl(qw(x509 -req -CAcreateserial -in server.req -out server.cer -signkey server.key)); - -# Local Variables: -# compile-command: "perl generate-testrepo.pl" -# End: |