From 293c631a012262cfe83531403d1b484fb23f22b6 Mon Sep 17 00:00:00 2001
From: Rein Krul
Date: Mon, 11 Nov 2024 14:09:04 +0100
Subject: [PATCH 1/3] gitignore

---
 .gitignore | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.gitignore b/.gitignore
index 3e2275e..c5d8e4b 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,4 @@
 *.pem
 uzi-did-x509-issuer
 c.out
+.idea
\ No newline at end of file

From b58cc9af7255b05315f39d59f5fa7db82747d9d9 Mon Sep 17 00:00:00 2001
From: Rein Krul
Date: Mon, 11 Nov 2024 19:20:47 +0100
Subject: [PATCH 2/3] Fake Root CA for test UZI certs

---
 .gitignore | 4 +++-
 test_ca/.gitignore | 3 +++
 test_ca/README.md | 11 +++++++++++
 test_ca/ca.key | 28 ++++++++++++++++++++++++++++
 test_ca/ca.pem | 18 ++++++++++++++++++
 test_ca/generate-root-ca.sh | 18 ++++++++++++++++++
 test_ca/issue-cert.sh | 33 +++++++++++++++++++++++++++++++++
 test_ca/openssl.conf | 10 ++++++++++
 8 files changed, 124 insertions(+), 1 deletion(-)
 create mode 100644 test_ca/.gitignore
 create mode 100644 test_ca/README.md
 create mode 100644 test_ca/ca.key
 create mode 100644 test_ca/ca.pem
 create mode 100755 test_ca/generate-root-ca.sh
 create mode 100755 test_ca/issue-cert.sh
 create mode 100644 test_ca/openssl.conf

diff --git a/.gitignore b/.gitignore
index c5d8e4b..cc4edee 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,4 +1,6 @@
 *.pem
+!ca.pem
 uzi-did-x509-issuer
 c.out
-.idea
\ No newline at end of file
+.idea
+./issuer
\ No newline at end of file
diff --git a/test_ca/.gitignore b/test_ca/.gitignore
new file mode 100644
index 0000000..fa96f78
--- /dev/null
+++ b/test_ca/.gitignore
@@ -0,0 +1,3 @@
+out
+ca.srl
+node.ext
\ No newline at end of file
diff --git a/test_ca/README.md b/test_ca/README.md
new file mode 100644
index 0000000..4995fd5
--- /dev/null
+++ b/test_ca/README.md
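Review bot: The new `./issuer` pattern in the root `.gitignore` hunk will not ignore the `issuer` binary that `go build .` produces: gitignore anchors a pattern with a leading `/`, not `./`, so `./issuer` matches no path. Change the line to `/issuer`. The `!ca.pem` re-include is unanchored and so un-ignores a `ca.pem` anywhere in the tree; if only the test root is meant, `!test_ca/ca.pem` is narrower.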
@@ -0,0 +1,11 @@
+To issue a new fake UZI certificate, you can use the following command:
+
+```bash
+./issue-cert.sh
+```
+
+You can then use the tool (in the parent directory) to generate a Verifiable Credential:
+
+```bash
+ ./issuer vc test_ca/out/-chain.pem test_ca/out/.key
+```
\ No newline at end of file
diff --git a/test_ca/ca.key b/test_ca/ca.key
new file mode 100644
index 0000000..2a9c622
--- /dev/null
+++ b/test_ca/ca.key
@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDT5J8gKdyMJNi3
+cuAmJ+MILrMuwrKyTRYhjUUFHHn5rcVaHN0hzB6v5t74Nt40xUXRNaomDcclBIOl
+wt8f62JA2p/j83ENfdLrXvUu9NMThkqZwZ9dzRwK7l3UZBq8NTQUO74W4M2qx8nr
+Xq31eWogxUUIFc1XORh5ecebeL5mUb2E6UlmDmNgm2fGeSmmis8zieI+KKYOhi/h
+Ytyeixrg7rxP4v0VRrEstcWAetRgXWQX0ElAxs0Vrsy6/vv3pEtXhx8wb2wi2xY1
+4d9Ih8HdeNI++3wIbZz6WVM3fD5QFHV2EZBH+soo0pfKj2tHsaDz3FPMuMzILt6U
+6PT4ALIdAgMBAAECggEADvfP69A5NacmrfLN9bQMnBfcbXmwcNr0LMOTdBR6Y1JM
+phxy3H/UTR20c3lAwh6LW4d8cPq5Lhq/B/cXluQkSSuIbuxT+J2CSEEpdbsyq+bp
+HypnzRL/n6AN/cJihxgFCUbdGzWfIajCUT+bb0M35X+57CPKIRa17WLWYFurq4OK
+xQFv2PmBaYOV93jP2NLxn7I7IGLcvWA5KuOaZfSHl2KXB/vfB9xanAY10bM+qumP
+Lwday8vG2SA+9fRYvAfeuBD0CZuC9AW3S6/hqrQ8xkg4f94S2aERW7KPNbnRCNXs
+dkpE4bPTHlJJxIqWYQkLXsbpX2tYR9WY3izCzd1gcQKBgQDrg4H7l83eBXmFLAMx
+MyVnoqHPmVlqIWw4CBeTcE2jWcSsiYDQiPpgnLW81vJPieSKwTv5BBjrgvX7pPFA
+gNjczDTVjaq+SXhK/1UE5N3ESJVmyG3Z6hXR382qQNxVASx5IUgXogMA7tvSORuu
+NDW57Of88gRald0VfmqlcbruNQKBgQDmUx80PEZOR07tFDz/FDaD3uJU6VLj/WqP
+2wVftg4L84mXv124xRFCMR6YKhGi8EiRo9sFYiq8K3LVOO3s/WITgBYlVGGcNRZp
+CaOIfSlXjLRfpvZTwCz+Z7fD0nx6mBhFiIhgZuPAJkh/IObmbpAzre/9eaVIk0NJ
+Ts6MbYRRSQKBgFWOcKn1e9QsKPk4A/Dbo7sCWcYQ72qeubGhPu9Q3ON6uPf0+9bF
+7C8svtjbPSun7F571E2iL2tfJ/1C7mGAbUfI52itDloSVqDoIPqmKeokdCHirgV8
+BHE53Hz9Ew3OX1mhvY7YTD8KhtDX7jZawSnJ5nz9bpd52db1FckEh+QBAoGBAM3E
+EsuC0bibIhrRitDDiRR0qbT8Ic6HFo1gOUPRjGkG8LR+BUfN3uZIpbGBW/I6QkrC
+nSgJFG65TkTJMF4Z3GXZd29wHCgGkXfTYaLNVoLdtEMEEWqu9ENv+49ZW1XWzVBJ
+crTVFsESMpBIn5/bxL42tYG5DH1y+pjia8qvCJfpAoGATLfvCccrFNyEDHXkCyos
+2R3AvvsvPfb7kEZE00eGNI5YhX7bxVTW6NH+d44j4tXPBpquCKUDB+/04uW2tpYl
+leL98saDj21ZN9EVCfwO7FTsLbkGPQ6cWRVFowYvs8k+u1TAqOGb/5tfwvaDIrqA
+C90gtRLH0kowJlvRieqnI9A=
+-----END PRIVATE KEY-----
diff --git a/test_ca/ca.pem b/test_ca/ca.pem
new file mode 100644
index 0000000..b94328d
--- /dev/null
+++ b/test_ca/ca.pem
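Review bot: This hunk commits the root CA's private key (`test_ca/ca.key`) to version control, and since the root `.gitignore` excludes only `*.pem`, the key stays tracked for the life of the repository. Whoever holds it can mint certificates that chain to `ca.pem`, so the only safe reading of this series is that `ca.pem` is trusted by test code exclusively; nothing on the page states that. Add a sentence to `test_ca/README.md` such as "`ca.key`/`ca.pem` are a throwaway test root; never add `ca.pem` to a trust store used outside the test suite", so a later reader does not mistake it for a real issuer. The key is also stored unencrypted, which `generate-root-ca.sh` produces by design (`genrsa` without a cipher, `req -nodes`).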
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC9jCCAd6gAwIBAgIURFCqPrL3QQdBNOqkwmXWNgx9pdQwDQYJKoZIhvcNAQEL
+BQAwGzEZMBcGA1UEAwwQRmFrZSBVWkkgUm9vdCBDQTAeFw0yNDExMTExNDE1MTha
+Fw0zNDExMDkxNDE1MThaMBsxGTAXBgNVBAMMEEZha2UgVVpJIFJvb3QgQ0EwggEi
+MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDT5J8gKdyMJNi3cuAmJ+MILrMu
+wrKyTRYhjUUFHHn5rcVaHN0hzB6v5t74Nt40xUXRNaomDcclBIOlwt8f62JA2p/j
+83ENfdLrXvUu9NMThkqZwZ9dzRwK7l3UZBq8NTQUO74W4M2qx8nrXq31eWogxUUI
+Fc1XORh5ecebeL5mUb2E6UlmDmNgm2fGeSmmis8zieI+KKYOhi/hYtyeixrg7rxP
+4v0VRrEstcWAetRgXWQX0ElAxs0Vrsy6/vv3pEtXhx8wb2wi2xY14d9Ih8HdeNI+
++3wIbZz6WVM3fD5QFHV2EZBH+soo0pfKj2tHsaDz3FPMuMzILt6U6PT4ALIdAgMB
+AAGjMjAwMA8GA1UdEwQIMAYBAf8CAQAwHQYDVR0OBBYEFJuxz0XwN7PdeMhyJfcf
+m7py1BK9MA0GCSqGSIb3DQEBCwUAA4IBAQAhlpkz68x2dGpOLX3FzAb8Ee+Y2OV+
+RWFpsME9ZVDU06JETPfPCj02PH82lgUnc4jeR81rPSsIt2ssqm2S4zb02Nip595c
+AqCKvmBfEc9hPPW2ugpNxT8ZRU4LKrqpV4nJ6nBvDqmGuH5uq9Ng9l9SnM3eKmdZ
+tJKc+ZNAPKxVAiueLTdr6W2UbmKoZARQQ0JLkFnZOxnUkr8pQfxUzEIUkHg2dWaa
+I/4wo4Pni7xXggFoPDpVztu/iP33XBLqXJwxxHXhq9nc9JU/kEXDt7j8EgoyJo7J
+jSKcjpRfpGkE5gqqB4Sa8wAsAPUK3jRreuytllAtQUZRbCtHbxclc9yA
+-----END CERTIFICATE-----
diff --git a/test_ca/generate-root-ca.sh b/test_ca/generate-root-ca.sh
new file mode 100755
index 0000000..0f5fed0
--- /dev/null
+++ b/test_ca/generate-root-ca.sh
@@ -0,0 +1,18 @@
+#!/bin/bash
+
+if [[ $OSTYPE == msys ]]; then
+ echo Script does not work on GitBash/Cygwin!
+ exit 1
+fi
+
+CONFIG="
+[req]
+distinguished_name=dn
+[ dn ]
+[ ext ]
+basicConstraints=CA:TRUE,pathlen:0
+"
+
+echo Generating root CA
+openssl genrsa -out ca.key 2048
+openssl req -config <(echo "$CONFIG") -extensions ext -x509 -new -nodes -key ca.key -sha256 -days 3650 -out ca.pem -subj "/CN=Fake UZI Root CA"
\ No newline at end of file
diff --git a/test_ca/issue-cert.sh b/test_ca/issue-cert.sh
new file mode 100755
index 0000000..853850f
--- /dev/null
+++ b/test_ca/issue-cert.sh
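Review bot: `generate-root-ca.sh` has no strict mode, so if `openssl genrsa` fails the following `openssl req` silently signs with whatever stale `ca.key` is already on disk; add `set -euo pipefail` directly after the shebang. The `[ ext ]` section also issues a root whose `basicConstraints` is not critical and that carries no `keyUsage`, which RFC 5280 requires for CA certificates and which strict verifiers may reject; change the section to `basicConstraints=critical,CA:TRUE,pathlen:0` and add `keyUsage=critical,keyCertSign,cRLSign`. Note that regenerating the root with these changes invalidates the committed `ca.pem`/`ca.key` pair and any leaf certificates already issued from it.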
@@ -0,0 +1,33 @@
+#!/bin/bash
+
+if [[ $OSTYPE == msys ]]; then
+ echo Detected GitBash/Cygwin on Windows
+ # GitBash/Cygwin on Windows requires escaping the starting slash of the the subject DNS
+ # Otherwise it gets expanded into a filesystem path.
+ DN_PREFIX="//"
+else
+ DN_PREFIX="/"
+fi
+
+mkdir out
+HOST=$1
+UZI=$2
+URA=$3
+AGB=$4
+echo Generating key and certificate for $HOST
+openssl genrsa -out out/$HOST.key 2048
+openssl req -new -key out/$HOST.key -out $HOST.csr -subj "${DN_PREFIX}CN=${HOST}/serialNumber=${UZI}"
+
+local_openssl_config="
+extendedKeyUsage = serverAuth, clientAuth
+subjectAltName = DNS:${HOST}, otherName:2.5.5.5;UTF8:2.16.528.1.1007.99.2110-1-${UZI}-S-${URA}-00.000-${AGB}
+"
+cat <<< "$local_openssl_config" > node.ext
+openssl x509 -req -in $HOST.csr -CA ca.pem -CAkey ca.key -CAcreateserial -out out/$HOST.pem -days 365 -sha256 \
+ -extfile node.ext
+
+cat ca.pem > out/$HOST-chain.pem
+cat out/$HOST.pem >> out/$HOST-chain.pem
+
+rm $HOST.csr
+rm node.ext
\ No newline at end of file
diff --git a/test_ca/openssl.conf b/test_ca/openssl.conf
new file mode 100644
index 0000000..952b52b
--- /dev/null
+++ b/test_ca/openssl.conf
@@ -0,0 +1,10 @@
+# Unnamed section of generic options
+
+# Section for default ca option
+[ca]
+default_ca = root
+
+[root]
+database = ./certs-database.tmp
+default_md = default
+default_crl_days = 3000
\ No newline at end of file

From 0e81cddc9cd21b6536708cbf166c695616d00d4b Mon Sep 17 00:00:00 2001
From: Rein Krul
Date: Tue, 12 Nov 2024 08:45:48 +0100
Subject: [PATCH 3/3] PR feedback

---
 test_ca/README.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/test_ca/README.md b/test_ca/README.md
index 4995fd5..b7b2211 100644
--- a/test_ca/README.md
+++ b/test_ca/README.md
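Review bot: `issue-cert.sh` takes its four positional parameters without checking they are present and expands `$HOST` unquoted into every file path and the `echo`, so a missing or space-containing argument produces keys and CSRs with wrong names and the script carries on to `rm` regardless because there is no `set -e`. `mkdir out` without `-p` also fails on the second run, and the CSR is written to the script directory rather than `out/` (which `test_ca/.gitignore` covers), so an aborted run leaves an untracked `*.csr` behind. The rewrite below adds strict mode and an argument count check, quotes every expansion, keeps the CSR under `out/`, and merges the two `cat` calls; the `node.ext` generation and the `DN_PREFIX` detection are unchanged.
```bash
#!/bin/bash
set -euo pipefail
(( $# == 4 )) || { printf 'usage: %s HOST UZI URA AGB\n' "$0" >&2; exit 2; }
# … unchanged: DN_PREFIX detection …
mkdir -p out
HOST=$1
# … unchanged: UZI/URA/AGB assignment …
printf 'Generating key and certificate for %s\n' "$HOST"
openssl genrsa -out "out/$HOST.key" 2048
openssl req -new -key "out/$HOST.key" -out "out/$HOST.csr" -subj "${DN_PREFIX}CN=${HOST}/serialNumber=${UZI}"
# … unchanged: local_openssl_config / node.ext generation …
openssl x509 -req -in "out/$HOST.csr" -CA ca.pem -CAkey ca.key -CAcreateserial -out "out/$HOST.pem" -days 365 -sha256 \
  -extfile node.ext
cat ca.pem "out/$HOST.pem" > "out/$HOST-chain.pem"
rm -- "out/$HOST.csr" node.ext
```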
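Review bot: `test_ca/openssl.conf` is not referenced by either script in this series (`generate-root-ca.sh` feeds its config through process substitution and `issue-cert.sh` uses `-extfile node.ext`), so the `[ca]`/`[root]` sections, `database = ./certs-database.tmp` and `default_md = default` have no effect and will mislead a reader into thinking `openssl ca` is in use. Either drop the file or add a header comment stating what is meant to consume it, e.g. `# Not used by the scripts in this directory; reserved for a future 'openssl ca' based flow`.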
@@ -4,8 +4,8 @@ To issue a new fake UZI certificate, you can use the following command:
 ./issue-cert.sh
 ```
 
-You can then use the tool (in the parent directory) to generate a Verifiable Credential:
+You can then use the credential issuance tool (given you've run `go build .` in the parent directory) to generate a Verifiable Credential:
 
 ```bash
- ./issuer vc test_ca/out/-chain.pem test_ca/out/.key
+ ../issuer vc test_ca/out/-chain.pem test_ca/out/.key
 ```
\ No newline at end of file