From 7991e300c1154bbd6dd4093bc032b0f79a2e8e8f Mon Sep 17 00:00:00 2001
From: Rob Austein <sra@hactrn.net>
Date: Sun, 16 Sep 2007 19:16:30 +0000
Subject: Cleanup

svn path=/scripts/rcynic-prototype.pl; revision=971
---
 scripts/xmlsec-demo.sh | 152 -------------------------------------------------
 1 file changed, 152 deletions(-)
 delete mode 100644 scripts/xmlsec-demo.sh

(limited to 'scripts/xmlsec-demo.sh')

diff --git a/scripts/xmlsec-demo.sh b/scripts/xmlsec-demo.sh
deleted file mode 100644
index dde26db3..00000000
--- a/scripts/xmlsec-demo.sh
+++ /dev/null
@@ -1,152 +0,0 @@
-#!/bin/sh -
-# $Id$
-
-# Demo of how one could use the xmlsec package to sign and verify XML
-# messages.  On FreeBSD, the xmlsec 1.x command line program is called
-# "xmlsec1" to distinuish it from the old xmlsec 0.x program, which
-# had a somewhat different command line syntax.  YMMV.
-#
-# Basic idea of the demo is to create a four level deep cert chain,
-# use that to sign an XML document, then demonstrate that it verifies.
-
-# Subsequent discussion on the mailing list concluded that xmlsec (the
-# protocol, not just this particular implementation) is hopelessly
-# broken and that we should just use CMS (aka PKCS#7 ng).  Done.
-
-set -xe
-
-: ${input=input.xml} ${unsigned=unsigned.xml} ${signed=signed.xml}
-: ${alice=alice} ${bob=bob} ${carol=carol} ${dave=dave}
-: ${xmlsec=xmlsec1}
-
-# Some input with which to work.  Feel free to supply your own instead.
-
-test -r $input || cat >$input <<'EOF'
-  <reference anchor="RFC3779">
-    <front>
-      <title>X.509 Extensions for IP Addresses and AS Identifiers</title>
-      <author fullname="C. Lynn" initials="C." surname="Lynn">
-	<organization/>
-      </author>
-      <author fullname="S. Kent" initials="S." surname="Kent">
-	<organization/>
-      </author>
-      <author fullname="K. Seo" initials="K." surname="Seo">
-	<organization/>
-      </author>
-      <date month="June" year="2004"/>
-      <keyword>allocation</keyword>
-      <keyword>atrribute certificate</keyword>
-      <keyword>authorization</keyword>
-      <keyword>autonomous system number authorization</keyword>
-      <keyword>certificate</keyword>
-      <keyword>delegation</keyword>
-      <keyword>internet registry</keyword>
-      <keyword>ip address authorization</keyword>
-      <keyword>public key infrastructure</keyword>
-      <keyword>right-to-use</keyword>
-      <keyword>secure allocation </keyword>
-      <abstract>
-	<t>This document defines two X.509 v3 certificate extensions. The
-	  first binds a list of IP address blocks, or prefixes, to the
-	  subject of a certificate. The second binds a list of autonomous
-	  system identifiers to the subject of a certificate. These
-	  extensions may be used to convey the authorization of the
-	  subject to use the IP addresses and autonomous system
-	  identifiers contained in the extensions. [STANDARDS TRACK] 
-	</t>
-      </abstract>
-    </front>
-    <seriesInfo name="RFC" value="3779"/>
-    <format type="TXT" octets="60732" target="http://www.rfc-editor.org/rfc/rfc3779.txt"/>
-    <!-- current-status PROPOSED STANDARD -->
-    <!-- publication-status PROPOSED STANDARD -->
-  </reference>
-EOF
-
-# Set up a simple chain of certs.
-
-for i in $alice $bob $carol $dave
-do
-  test -r $i.cnf || cat >$i.cnf <<EOF
-
-    [ req ]
-    distinguished_name		= req_dn
-    x509_extensions		= req_x509_ext
-    prompt			= no
-    default_md			= sha1
-
-    [ req_dn ]
-    CN				= Test Certificate $i
-
-    [ req_x509_ext ]
-    basicConstraints		= CA:true
-    subjectKeyIdentifier	= hash
-    authorityKeyIdentifier	= keyid:always
-
-EOF
-
-  test -r $i.key -a -r $i.req ||
-  openssl req -new -newkey rsa:2048 -nodes -keyout $i.key -out $i.req -config $i.cnf
-
-done
-
-test -r $alice.cer || openssl x509 -req -in $alice.req -out $alice.cer -extfile $alice.cnf -extensions req_x509_ext -signkey $alice.key
-test -r $bob.cer   || openssl x509 -req -in $bob.req   -out $bob.cer   -extfile $bob.cnf   -extensions req_x509_ext -CA $alice.cer -CAkey $alice.key -CAcreateserial
-test -r $carol.cer || openssl x509 -req -in $carol.req -out $carol.cer -extfile $carol.cnf -extensions req_x509_ext -CA $bob.cer   -CAkey $bob.key   -CAcreateserial
-test -r $dave.cer  || openssl x509 -req -in $dave.req  -out $dave.cer  -extfile $dave.cnf  -extensions req_x509_ext -CA $carol.cer -CAkey $carol.key -CAcreateserial
-
-# The xmlsec command line tool takes most of its instructions in the
-# form of an XML template.  XSLT was designed for this kind of work,
-# so just use an XSL transform to wrap our input with the template.
-#
-# NB: The XML signature specification supports several different
-# signing modes.  In theory, which one of them I get is determined by
-# the template.  Documentation is a bit sparse, though, so I just went
-# with the first halfway sane thing I found in the supplied examples.
-
-test -r $unsigned ||
-xsltproc --output $unsigned - $input <<'EOF'
-
-  <xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="1.0">
-    <xsl:output method="xml" encoding="us-ascii" indent="yes"/>
-    <xsl:template match="/">
-      <Envelope xmlns="urn:envelope">
-	<xsl:copy-of select="/"/>
-	<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
-	  <SignedInfo>
-	    <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
-	    <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
-	    <Reference>
-	      <Transforms>
-		<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
-	      </Transforms>
-	      <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
-	      <DigestValue/>
-	    </Reference>
-	  </SignedInfo>
-	  <SignatureValue/>
-	  <KeyInfo>
-	    <X509Data>
-	      <X509Certificate/>
-	    </X509Data>
-	  </KeyInfo>
-	</Signature>
-      </Envelope>
-    </xsl:template>
-  </xsl:stylesheet>
-
-EOF
-
-# Sign the template we generated.  We sign with the bottommost key,
-# and include the two bottommost certs in the signed document.
-
-test -r $signed ||
-$xmlsec sign --privkey-pem $dave.key,$dave.cer,$carol.cer --output $signed $unsigned
-
-# Verify the signed message.  We tell xmlsec to trust the root cert,
-# and supply the second level cert as it's not in the signed message.
-# This should be enough for xmlsec to verify the signature; removing
-# any these should cause verification to fail (try it!).
-
-$xmlsec verify --trusted-pem $alice.cer --untrusted-pem $bob.cer $signed
-- 
cgit v1.2.3