Merge pull request #14 from nuts-foundation/selfsigned-ca

Fake Root CA for test UZI certs

.gitignore

@@ -1,3 +1,6 @@
 *.pem
+!ca.pem
 uzi-did-x509-issuer
 c.out
+.idea
+./issuer

test_ca/.gitignore

@@ -0,0 +1,3 @@
+out
+ca.srl
+node.ext

test_ca/README.md

@@ -0,0 +1,11 @@
+To issue a new fake UZI certificate, you can use the following command:
+
+```bash
+./issue-cert.sh <domain> <uzi> <ura> <agb>
+```
+
+You can then use the credential issuance tool (given you've run `go build .` in the parent directory) to generate a Verifiable Credential:
+
+```bash
+ ../issuer vc test_ca/out/<domain>-chain.pem test_ca/out/<domain>.key <did>
+```

test_ca/ca.key

@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDT5J8gKdyMJNi3
+cuAmJ+MILrMuwrKyTRYhjUUFHHn5rcVaHN0hzB6v5t74Nt40xUXRNaomDcclBIOl
+wt8f62JA2p/j83ENfdLrXvUu9NMThkqZwZ9dzRwK7l3UZBq8NTQUO74W4M2qx8nr
+Xq31eWogxUUIFc1XORh5ecebeL5mUb2E6UlmDmNgm2fGeSmmis8zieI+KKYOhi/h
+Ytyeixrg7rxP4v0VRrEstcWAetRgXWQX0ElAxs0Vrsy6/vv3pEtXhx8wb2wi2xY1
+4d9Ih8HdeNI++3wIbZz6WVM3fD5QFHV2EZBH+soo0pfKj2tHsaDz3FPMuMzILt6U
+6PT4ALIdAgMBAAECggEADvfP69A5NacmrfLN9bQMnBfcbXmwcNr0LMOTdBR6Y1JM
+phxy3H/UTR20c3lAwh6LW4d8cPq5Lhq/B/cXluQkSSuIbuxT+J2CSEEpdbsyq+bp
+HypnzRL/n6AN/cJihxgFCUbdGzWfIajCUT+bb0M35X+57CPKIRa17WLWYFurq4OK
+xQFv2PmBaYOV93jP2NLxn7I7IGLcvWA5KuOaZfSHl2KXB/vfB9xanAY10bM+qumP
+Lwday8vG2SA+9fRYvAfeuBD0CZuC9AW3S6/hqrQ8xkg4f94S2aERW7KPNbnRCNXs
+dkpE4bPTHlJJxIqWYQkLXsbpX2tYR9WY3izCzd1gcQKBgQDrg4H7l83eBXmFLAMx
+MyVnoqHPmVlqIWw4CBeTcE2jWcSsiYDQiPpgnLW81vJPieSKwTv5BBjrgvX7pPFA
+gNjczDTVjaq+SXhK/1UE5N3ESJVmyG3Z6hXR382qQNxVASx5IUgXogMA7tvSORuu
+NDW57Of88gRald0VfmqlcbruNQKBgQDmUx80PEZOR07tFDz/FDaD3uJU6VLj/WqP
+2wVftg4L84mXv124xRFCMR6YKhGi8EiRo9sFYiq8K3LVOO3s/WITgBYlVGGcNRZp
+CaOIfSlXjLRfpvZTwCz+Z7fD0nx6mBhFiIhgZuPAJkh/IObmbpAzre/9eaVIk0NJ
+Ts6MbYRRSQKBgFWOcKn1e9QsKPk4A/Dbo7sCWcYQ72qeubGhPu9Q3ON6uPf0+9bF
+7C8svtjbPSun7F571E2iL2tfJ/1C7mGAbUfI52itDloSVqDoIPqmKeokdCHirgV8
+BHE53Hz9Ew3OX1mhvY7YTD8KhtDX7jZawSnJ5nz9bpd52db1FckEh+QBAoGBAM3E
+EsuC0bibIhrRitDDiRR0qbT8Ic6HFo1gOUPRjGkG8LR+BUfN3uZIpbGBW/I6QkrC
+nSgJFG65TkTJMF4Z3GXZd29wHCgGkXfTYaLNVoLdtEMEEWqu9ENv+49ZW1XWzVBJ
+crTVFsESMpBIn5/bxL42tYG5DH1y+pjia8qvCJfpAoGATLfvCccrFNyEDHXkCyos
+2R3AvvsvPfb7kEZE00eGNI5YhX7bxVTW6NH+d44j4tXPBpquCKUDB+/04uW2tpYl
+leL98saDj21ZN9EVCfwO7FTsLbkGPQ6cWRVFowYvs8k+u1TAqOGb/5tfwvaDIrqA
+C90gtRLH0kowJlvRieqnI9A=
+-----END PRIVATE KEY-----

test_ca/ca.pem

@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC9jCCAd6gAwIBAgIURFCqPrL3QQdBNOqkwmXWNgx9pdQwDQYJKoZIhvcNAQEL
+BQAwGzEZMBcGA1UEAwwQRmFrZSBVWkkgUm9vdCBDQTAeFw0yNDExMTExNDE1MTha
+Fw0zNDExMDkxNDE1MThaMBsxGTAXBgNVBAMMEEZha2UgVVpJIFJvb3QgQ0EwggEi
+MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDT5J8gKdyMJNi3cuAmJ+MILrMu
+wrKyTRYhjUUFHHn5rcVaHN0hzB6v5t74Nt40xUXRNaomDcclBIOlwt8f62JA2p/j
+83ENfdLrXvUu9NMThkqZwZ9dzRwK7l3UZBq8NTQUO74W4M2qx8nrXq31eWogxUUI
+Fc1XORh5ecebeL5mUb2E6UlmDmNgm2fGeSmmis8zieI+KKYOhi/hYtyeixrg7rxP
+4v0VRrEstcWAetRgXWQX0ElAxs0Vrsy6/vv3pEtXhx8wb2wi2xY14d9Ih8HdeNI+
++3wIbZz6WVM3fD5QFHV2EZBH+soo0pfKj2tHsaDz3FPMuMzILt6U6PT4ALIdAgMB
+AAGjMjAwMA8GA1UdEwQIMAYBAf8CAQAwHQYDVR0OBBYEFJuxz0XwN7PdeMhyJfcf
+m7py1BK9MA0GCSqGSIb3DQEBCwUAA4IBAQAhlpkz68x2dGpOLX3FzAb8Ee+Y2OV+
+RWFpsME9ZVDU06JETPfPCj02PH82lgUnc4jeR81rPSsIt2ssqm2S4zb02Nip595c
+AqCKvmBfEc9hPPW2ugpNxT8ZRU4LKrqpV4nJ6nBvDqmGuH5uq9Ng9l9SnM3eKmdZ
+tJKc+ZNAPKxVAiueLTdr6W2UbmKoZARQQ0JLkFnZOxnUkr8pQfxUzEIUkHg2dWaa
+I/4wo4Pni7xXggFoPDpVztu/iP33XBLqXJwxxHXhq9nc9JU/kEXDt7j8EgoyJo7J
+jSKcjpRfpGkE5gqqB4Sa8wAsAPUK3jRreuytllAtQUZRbCtHbxclc9yA
+-----END CERTIFICATE-----

test_ca/generate-root-ca.sh

@@ -0,0 +1,18 @@
+#!/bin/bash
+
+if [[ $OSTYPE == msys ]]; then
+  echo Script does not work on GitBash/Cygwin!
+  exit 1
+fi
+
+CONFIG="
+[req]
+distinguished_name=dn
+[ dn ]
+[ ext ]
+basicConstraints=CA:TRUE,pathlen:0
+"
+
+echo Generating root CA
+openssl genrsa -out ca.key 2048
+openssl req -config <(echo "$CONFIG") -extensions ext -x509 -new -nodes -key ca.key -sha256 -days 3650 -out ca.pem -subj "/CN=Fake UZI Root CA"

test_ca/issue-cert.sh

@@ -0,0 +1,33 @@
+#!/bin/bash
+
+if [[ $OSTYPE == msys ]]; then
+  echo Detected GitBash/Cygwin on Windows
+  # GitBash/Cygwin on Windows requires escaping the starting slash of the the subject DNS
+  # Otherwise it gets expanded into a filesystem path.
+  DN_PREFIX="//"
+else
+  DN_PREFIX="/"
+fi
+
+mkdir out
+HOST=$1
+UZI=$2
+URA=$3
+AGB=$4
+echo Generating key and certificate for $HOST
+openssl genrsa -out out/$HOST.key 2048
+openssl req -new -key out/$HOST.key -out $HOST.csr -subj "${DN_PREFIX}CN=${HOST}/serialNumber=${UZI}"
+
+local_openssl_config="
+extendedKeyUsage = serverAuth, clientAuth
+subjectAltName = DNS:${HOST}, otherName:2.5.5.5;UTF8:2.16.528.1.1007.99.2110-1-${UZI}-S-${URA}-00.000-${AGB}
+"
+cat <<< "$local_openssl_config" > node.ext
+openssl x509 -req -in $HOST.csr -CA ca.pem -CAkey ca.key -CAcreateserial -out out/$HOST.pem -days 365 -sha256 \
+  -extfile node.ext
+
+cat ca.pem > out/$HOST-chain.pem
+cat out/$HOST.pem >> out/$HOST-chain.pem
+
+rm $HOST.csr
+rm node.ext

test_ca/openssl.conf

@@ -0,0 +1,10 @@
+# Unnamed section of generic options
+
+# Section for default ca option
+[ca]
+default_ca = root
+
+[root]
+database = ./certs-database.tmp
+default_md = default
+default_crl_days = 3000