xmlsecurity/inc/xmlsecurity/sigstruct.hxx | 4 xmlsecurity/inc/xmlsecurity/xmlsignaturehelper.hxx | 1 xmlsecurity/qa/create-certs/create-certs.sh | 164 +++++++++++++++++ xmlsecurity/qa/create-certs/templates/intermediate.cnf | 132 +++++++++++++ xmlsecurity/qa/create-certs/templates/root.cnf | 132 +++++++++++++ xmlsecurity/source/helper/xmlsignaturehelper.cxx | 5 xmlsecurity/source/helper/xsecctl.cxx | 25 ++ xmlsecurity/source/helper/xsecctl.hxx | 4 xmlsecurity/source/helper/xsecparser.cxx | 16 + xmlsecurity/source/helper/xsecparser.hxx | 3 xmlsecurity/source/helper/xsecsign.cxx | 25 ++ xmlsecurity/source/helper/xsecverify.cxx | 21 ++ 12 files changed, 530 insertions(+), 2 deletions(-)
New commits: commit 075c7eceb0769b61d11a3857e33af1b2c6341bc5 Author: Miklos Vajna <[email protected]> Date: Tue Jan 5 10:12:36 2016 +0100 xmlsecurity: handle description in XSecController::prepareSignatureToWrite() With this, if DigitalSignaturesDialog sets a signature description, then that becomes part of the signed content. This is backwards-compatible in two ways: 1) When the description is empty, the output is not changed. 2) When parsing, the description is optional: we only require that if its hash is mentioned in the signed content, then the string matches its hash; but omitting both the string and its hash is OK. Change-Id: I82db5beea16bd325558a86201dc902d35543ed0a diff --git a/xmlsecurity/source/helper/xsecsign.cxx b/xmlsecurity/source/helper/xsecsign.cxx index 1106e11..25ba21e 100644 --- a/xmlsecurity/source/helper/xsecsign.cxx +++ b/xmlsecurity/source/helper/xsecsign.cxx @@ -168,6 +168,14 @@ cssu::Reference< cssxc::sax::XReferenceResolvedListener > XSecController::prepar internalSignatureInfor.addReference(TYPE_SAMEDOCUMENT_REFERENCE, internalSignatureInfor.signatureInfor.ouPropertyId, -1 ); size++; + if (!internalSignatureInfor.signatureInfor.ouDescription.isEmpty()) + { + // Only mention the hash of the description in the signature if it's non-empty. + internalSignatureInfor.signatureInfor.ouDescriptionPropertyId = createId(); + internalSignatureInfor.addReference(TYPE_SAMEDOCUMENT_REFERENCE, internalSignatureInfor.signatureInfor.ouDescriptionPropertyId, -1); + size++; + } + /* * replace both digestValues and signatueValue to " " */ diff --git a/xmlsecurity/source/helper/xsecverify.cxx b/xmlsecurity/source/helper/xsecverify.cxx index d41214e..a3fa87a 100644 --- a/xmlsecurity/source/helper/xsecverify.cxx +++ b/xmlsecurity/source/helper/xsecverify.cxx @@ -290,7 +290,17 @@ void XSecController::setPropertyId( OUString& ouPropertyId ) return; } InternalSignatureInformation &isi = m_vInternalSignatureInformations.back(); - isi.signatureInfor.ouPropertyId = ouPropertyId; + + if (isi.signatureInfor.ouPropertyId.isEmpty()) + { + // <SignatureProperty> ID attribute is for the date. + isi.signatureInfor.ouPropertyId = ouPropertyId; + } + else + { + // <SignatureProperty> ID attribute is for the description. + isi.signatureInfor.ouDescriptionPropertyId = ouPropertyId; + } } /* public: for signature verify */ commit a968893e6afd3b79c6c048962373859cea75a77b Author: Miklos Vajna <[email protected]> Date: Tue Jan 5 09:57:38 2016 +0100 xmlsecurity: parse dc:description in XSecParser With this, the description is written in the XML file, DigitalSignaturesDialog doesn't set it yet, though. Change-Id: I54a73d6fbdf8ed936714a21ba1df5998849fd1fa diff --git a/xmlsecurity/source/helper/xsecctl.hxx b/xmlsecurity/source/helper/xsecctl.hxx index 22b54e9..dcb4eaa 100644 --- a/xmlsecurity/source/helper/xsecctl.hxx +++ b/xmlsecurity/source/helper/xsecctl.hxx @@ -371,6 +371,7 @@ private: void setDigestValue( OUString& ouDigestValue ); void setDate( OUString& ouDate ); + void setDescription(const OUString& rDescription); void setId( OUString& ouId ); void setPropertyId( OUString& ouPropertyId ); diff --git a/xmlsecurity/source/helper/xsecparser.cxx b/xmlsecurity/source/helper/xsecparser.cxx index e429535..b7d3734 100644 --- a/xmlsecurity/source/helper/xsecparser.cxx +++ b/xmlsecurity/source/helper/xsecparser.cxx @@ -35,6 +35,7 @@ XSecParser::XSecParser(XSecController* pXSecController, , m_bInDigestValue(false) , m_bInSignatureValue(false) , m_bInDate(false) + , m_bInDescription(false) , m_pXSecController(pXSecController) , m_xNextHandler(xNextHandler) , m_bReferenceUnresolved(false) @@ -65,6 +66,7 @@ void SAL_CALL XSecParser::startDocument( ) m_bInSignatureValue = false; m_bInDigestValue = false; m_bInDate = false; + m_bInDescription = false; if (m_xNextHandler.is()) { @@ -176,6 +178,11 @@ void SAL_CALL XSecParser::startElement( m_ouDate.clear(); m_bInDate = true; } + else if (aName == NSTAG_DC ":" TAG_DESCRIPTION) + { + m_ouDescription.clear(); + m_bInDescription = true; + } if (m_xNextHandler.is()) { @@ -248,6 +255,11 @@ void SAL_CALL XSecParser::endElement( const OUString& aName ) m_pXSecController->setDate( m_ouDate ); m_bInDate = false; } + else if (aName == NSTAG_DC ":" TAG_DESCRIPTION) + { + m_pXSecController->setDescription( m_ouDescription ); + m_bInDescription = false; + } if (m_xNextHandler.is()) { @@ -296,6 +308,10 @@ void SAL_CALL XSecParser::characters( const OUString& aChars ) { m_ouDate += aChars; } + else if (m_bInDescription) + { + m_ouDescription += aChars; + } if (m_xNextHandler.is()) { diff --git a/xmlsecurity/source/helper/xsecparser.hxx b/xmlsecurity/source/helper/xsecparser.hxx index 0cf47b1..f87ca23 100644 --- a/xmlsecurity/source/helper/xsecparser.hxx +++ b/xmlsecurity/source/helper/xsecparser.hxx @@ -64,6 +64,8 @@ private: OUString m_ouDigestValue; OUString m_ouSignatureValue; OUString m_ouDate; + /// Characters of a <dc:description> element, as just read from XML. + OUString m_ouDescription; /* * whether inside a particular element @@ -74,6 +76,7 @@ private: bool m_bInDigestValue; bool m_bInSignatureValue; bool m_bInDate; + bool m_bInDescription; /* * the XSecController collaborating with XSecParser diff --git a/xmlsecurity/source/helper/xsecverify.cxx b/xmlsecurity/source/helper/xsecverify.cxx index 2ebd27d..d41214e 100644 --- a/xmlsecurity/source/helper/xsecverify.cxx +++ b/xmlsecurity/source/helper/xsecverify.cxx @@ -262,6 +262,15 @@ void XSecController::setDate( OUString& ouDate ) isi.signatureInfor.ouDateTime = ouDate; } +void XSecController::setDescription(const OUString& rDescription) +{ + if (m_vInternalSignatureInformations.empty()) + return; + + InternalSignatureInformation& rInformation = m_vInternalSignatureInformations.back(); + rInformation.signatureInfor.ouDescription = rDescription; +} + void XSecController::setId( OUString& ouId ) { if (m_vInternalSignatureInformations.empty()) commit 88cbfe58c4a36c20bdb2445f43043f0a5a006ee3 Author: Miklos Vajna <[email protected]> Date: Tue Jan 5 09:54:11 2016 +0100 xmlsecurity: add XMLSignatureHelper::SetDescription() First step to be able to add a comment while signing a document. Change-Id: I8f7ab95de5015b723481e94bd72585caf754288f diff --git a/xmlsecurity/inc/xmlsecurity/sigstruct.hxx b/xmlsecurity/inc/xmlsecurity/sigstruct.hxx index 0eb7cd8..ea0e0f3 100644 --- a/xmlsecurity/inc/xmlsecurity/sigstruct.hxx +++ b/xmlsecurity/inc/xmlsecurity/sigstruct.hxx @@ -74,6 +74,10 @@ struct SignatureInformation OUString ouDateTime; OUString ouSignatureId; OUString ouPropertyId; + /// Characters of the <dc:description> element inside the signature. + OUString ouDescription; + /// The Id attribute of the <SignatureProperty> element that contains the <dc:description>. + OUString ouDescriptionPropertyId; SignatureInformation( sal_Int32 nId ) { diff --git a/xmlsecurity/inc/xmlsecurity/xmlsignaturehelper.hxx b/xmlsecurity/inc/xmlsecurity/xmlsignaturehelper.hxx index 9ac33fc..e4c981d 100644 --- a/xmlsecurity/inc/xmlsecurity/xmlsignaturehelper.hxx +++ b/xmlsecurity/inc/xmlsecurity/xmlsignaturehelper.hxx @@ -164,6 +164,7 @@ public: const OUString& ouX509SerialNumber, const OUString& ouX509Cert); void SetDateTime( sal_Int32 nSecurityId, const Date& rDate, const tools::Time& rTime ); + void SetDescription(sal_Int32 nSecurityId, const OUString& rDescription); void AddForSigning( sal_Int32 securityId, const OUString& uri, const OUString& objectURL, bool bBinary ); bool CreateAndWriteSignature( const com::sun::star::uno::Reference< com::sun::star::xml::sax::XDocumentHandler >& xDocumentHandler ); diff --git a/xmlsecurity/source/helper/xmlsignaturehelper.cxx b/xmlsecurity/source/helper/xmlsignaturehelper.cxx index 496d1b5..2498aff 100644 --- a/xmlsecurity/source/helper/xmlsignaturehelper.cxx +++ b/xmlsecurity/source/helper/xmlsignaturehelper.cxx @@ -128,6 +128,11 @@ void XMLSignatureHelper::SetDateTime( sal_Int32 nSecurityId, const ::Date& rDate mpXSecController->setDate( nSecurityId, stDateTime ); } +void XMLSignatureHelper::SetDescription(sal_Int32 nSecurityId, const OUString& rDescription) +{ + mpXSecController->setDescription(nSecurityId, rDescription); +} + void XMLSignatureHelper::AddForSigning( sal_Int32 nSecurityId, const OUString& uri, const OUString& objectURL, bool bBinary ) { mpXSecController->signAStream( nSecurityId, uri, objectURL, bBinary ); diff --git a/xmlsecurity/source/helper/xsecctl.cxx b/xmlsecurity/source/helper/xsecctl.cxx index 3a77b13..eed58b5 100644 --- a/xmlsecurity/source/helper/xsecctl.cxx +++ b/xmlsecurity/source/helper/xsecctl.cxx @@ -37,6 +37,7 @@ namespace cssl = com::sun::star::lang; namespace cssxc = com::sun::star::xml::crypto; namespace cssxs = com::sun::star::xml::sax; namespace cssxw = com::sun::star::xml::wrapper; +using namespace com::sun::star; /* bridge component names */ #define XMLSIGNATURE_COMPONENT "com.sun.star.xml.crypto.XMLSignature" @@ -725,6 +726,7 @@ void XSecController::exportSignature( OUString tag_SignatureProperties(TAG_SIGNATUREPROPERTIES); OUString tag_SignatureProperty(TAG_SIGNATUREPROPERTY); OUString tag_Date(TAG_DATE); + OUString tag_Description(TAG_DESCRIPTION); const SignatureReferenceInformations& vReferenceInfors = signatureInfo.vSignatureReferenceInfors; SvXMLAttributeList *pAttributeList; @@ -944,6 +946,29 @@ void XSecController::exportSignature( } xDocumentHandler->endElement( tag_SignatureProperty ); } + + // Write signature description. + if (!signatureInfo.ouDescription.isEmpty()) + { + // SignatureProperty element. + pAttributeList = new SvXMLAttributeList(); + pAttributeList->AddAttribute(ATTR_ID, signatureInfo.ouDescriptionPropertyId); + pAttributeList->AddAttribute(ATTR_TARGET, CHAR_FRAGMENT + signatureInfo.ouSignatureId); + xDocumentHandler->startElement(tag_SignatureProperty, uno::Reference<xml::sax::XAttributeList>(pAttributeList)); + + { + // Description element. + pAttributeList = new SvXMLAttributeList(); + pAttributeList->AddAttribute(ATTR_XMLNS ":" NSTAG_DC, NS_DC); + + xDocumentHandler->startElement(NSTAG_DC ":" + tag_Description, uno::Reference<xml::sax::XAttributeList>(pAttributeList)); + xDocumentHandler->characters(signatureInfo.ouDescription); + xDocumentHandler->endElement(NSTAG_DC ":" + tag_Description); + } + + xDocumentHandler->endElement(tag_SignatureProperty); + } + xDocumentHandler->endElement( tag_SignatureProperties ); } xDocumentHandler->endElement( tag_Object ); diff --git a/xmlsecurity/source/helper/xsecctl.hxx b/xmlsecurity/source/helper/xsecctl.hxx index f354bbb..22b54e9 100644 --- a/xmlsecurity/source/helper/xsecctl.hxx +++ b/xmlsecurity/source/helper/xsecctl.hxx @@ -79,7 +79,7 @@ #define TAG_SIGNATUREPROPERTY "SignatureProperty" #define TAG_TIMESTAMP "timestamp" #define TAG_DATE "date" -//#define TAG_TIME "time" +#define TAG_DESCRIPTION "description" #define ATTR_XMLNS "xmlns" #define ATTR_ALGORITHM "Algorithm" @@ -450,6 +450,7 @@ public: void setDate( sal_Int32 nSecurityId, const ::com::sun::star::util::DateTime& rDateTime ); + void setDescription(sal_Int32 nSecurityId, const OUString& rDescription); bool WriteSignature( diff --git a/xmlsecurity/source/helper/xsecsign.cxx b/xmlsecurity/source/helper/xsecsign.cxx index 42af9d0..1106e11 100644 --- a/xmlsecurity/source/helper/xsecsign.cxx +++ b/xmlsecurity/source/helper/xsecsign.cxx @@ -258,6 +258,23 @@ void XSecController::setDate( } } +void XSecController::setDescription(sal_Int32 nSecurityId, const OUString& rDescription) +{ + int nIndex = findSignatureInfor(nSecurityId); + + if (nIndex == -1) + { + InternalSignatureInformation aInformation(nSecurityId, nullptr); + aInformation.signatureInfor.ouDescription = rDescription; + m_vInternalSignatureInformations.push_back(aInformation); + } + else + { + SignatureInformation& rInformation = m_vInternalSignatureInformations[nIndex].signatureInfor; + rInformation.ouDescription = rDescription; + } +} + bool XSecController::WriteSignature( const cssu::Reference<cssxs::XDocumentHandler>& xDocumentHandler ) { commit 679cc560bc2cfc6c75b8979cc115c9c54e2b0d40 Author: Miklos Vajna <[email protected]> Date: Tue Jan 5 09:47:12 2016 +0100 xmlsecurity: add script to create test certificates Change-Id: I9280cec602e15e3ae478911360ff7ce68d460474 diff --git a/xmlsecurity/qa/create-certs/create-certs.sh b/xmlsecurity/qa/create-certs/create-certs.sh new file mode 100755 index 0000000..cc2d317 --- /dev/null +++ b/xmlsecurity/qa/create-certs/create-certs.sh @@ -0,0 +1,164 @@ +#!/bin/bash -e +# +# This file is part of the LibreOffice project. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. +# +# The purpose of this script is to create certificates to be able to test ODF signing code. +# +# What it does: +# +# 1) Create a test root CA. +# +# 2) Create an intermediate CA, as signing certificates with a root CA is +# considered unsafe. +# +# 3) Create two client certificates that can be used to sign ODF documents in +# LibreOffice. +# +# References: +# +# <https://jamielinux.com/docs/openssl-certificate-authority/> for most of the +# commands. +# +# <https://www.sslshopper.com/article-most-common-openssl-commands.html> for +# the PKCS#12 export of self-signed certificates +# + +root="$PWD" + +if [ -d "$root/ca" ]; then + echo "'ca' directory already exists in $root, please remove it before running this script." + exit 1 +fi + +if [ -z "$SSLPASS" ]; then + # Unless specified otherwise, we'll use this as a password everywhere. + export SSLPASS="xmlsecurity" +fi + +# 1) Create the root pair. + +mkdir "$root/ca" + +cd "$root/ca" +mkdir certs crl newcerts private +chmod 700 private +touch index.txt +echo 1000 > serial + +sed "s|@ROOT@|$root|g" "$root/templates/root.cnf" > "$root/ca/openssl.cnf" + +# Create the root key. +cd "$root/ca" +openssl genrsa -aes256 -out private/ca.key.pem -passout env:SSLPASS 4096 +chmod 400 private/ca.key.pem + +# Create the root certificate. +cd "$root/ca" +openssl req -config openssl.cnf \ + -key private/ca.key.pem \ + -new -x509 -days 7300 -sha256 -extensions v3_ca \ + -out certs/ca.cert.pem \ + -passin env:SSLPASS \ + -subj '/C=UK/ST=England/O=Xmlsecurity Test/CN=Xmlsecurity Test Root CA' +chmod 444 certs/ca.cert.pem + +# 2) Create the intermediate pair. + +# Prepare the directory. +mkdir "$root/ca/intermediate" +cd "$root/ca/intermediate" +mkdir certs crl csr newcerts private +chmod 700 private +touch index.txt +echo 1000 > serial + +# crlnumber is used to keep track of certificate revocation lists. +echo 1000 > "$root/ca/intermediate/crlnumber" + +# Copy the intermediate CA configuration file. +sed "s|@ROOT@|$root|g" "$root/templates/intermediate.cnf" > "$root/ca/intermediate/openssl.cnf" + +# Create the intermediate key. + +cd "$root/ca" +openssl genrsa -aes256 \ + -out intermediate/private/intermediate.key.pem \ + -passout env:SSLPASS 4096 +chmod 400 intermediate/private/intermediate.key.pem + +# Create the intermediate certificate. + +# Intermediate key. +cd "$root/ca" +openssl req -config intermediate/openssl.cnf -new -sha256 \ + -key intermediate/private/intermediate.key.pem \ + -out intermediate/csr/intermediate.csr.pem \ + -passin env:SSLPASS \ + -subj '/C=UK/ST=England/O=Xmlsecurity Test/CN=Xmlsecurity Intermediate Root CA' + +# The certificate itself. +openssl ca -batch -config openssl.cnf -extensions v3_intermediate_ca \ + -days 3650 -notext -md sha256 \ + -in intermediate/csr/intermediate.csr.pem \ + -passin env:SSLPASS \ + -out intermediate/certs/intermediate.cert.pem +chmod 444 intermediate/certs/intermediate.cert.pem + +# Create the certificate chain file. +cat intermediate/certs/intermediate.cert.pem \ + certs/ca.cert.pem > intermediate/certs/ca-chain.cert.pem +chmod 444 intermediate/certs/ca-chain.cert.pem + +# 3) Create the real certificate. + +for i in Alice Bob +do + # Create a key. + cd "$root/ca" + openssl genrsa -aes256 \ + -out intermediate/private/example-xmlsecurity-${i}.key.pem \ + -passout env:SSLPASS 2048 + chmod 400 intermediate/private/example-xmlsecurity-${i}.key.pem + + # Create a certificate signing request (CSR). + + cd "$root/ca" + openssl req -config intermediate/openssl.cnf \ + -key intermediate/private/example-xmlsecurity-${i}.key.pem \ + -new -sha256 -out intermediate/csr/example-xmlsecurity-${i}.csr.pem \ + -passin env:SSLPASS \ + -subj "/C=UK/ST=England/O=Xmlsecurity Test/CN=Xmlsecurity Test example ${i}" + + # To create a certificate, use the intermediate CA to sign the CSR. + cd "$root/ca" + # usr_cert: the cert will be used for signing. + openssl ca -batch -config intermediate/openssl.cnf \ + -extensions usr_cert -days 375 -notext -md sha256 \ + -in intermediate/csr/example-xmlsecurity-${i}.csr.pem \ + -passin env:SSLPASS \ + -out intermediate/certs/example-xmlsecurity-${i}.cert.pem + chmod 444 intermediate/certs/example-xmlsecurity-${i}.cert.pem + + # Export it in PKCS#12 format. + openssl pkcs12 -export \ + -out ./intermediate/private/example-xmlsecurity-${i}.cert.p12 \ + -passout env:SSLPASS \ + -inkey intermediate/private/example-xmlsecurity-${i}.key.pem \ + -passin env:SSLPASS \ + -in intermediate/certs/example-xmlsecurity-${i}.cert.pem \ + -certfile intermediate/certs/ca-chain.cert.pem +done + +echo +echo "Authority certificate is at: <$root/ca/intermediate/certs/ca-chain.cert.pem>." +echo "To be able to import it in Windows, rename the '.pem' extension to '.cer'." +for i in Alice Bob +do + echo "Signing certificate is at <$root/ca/intermediate/private/example-xmlsecurity-${i}.cert.p12>." +done + +# vim:set shiftwidth=4 expandtab: diff --git a/xmlsecurity/qa/create-certs/templates/intermediate.cnf b/xmlsecurity/qa/create-certs/templates/intermediate.cnf new file mode 100644 index 0000000..c6fd12d --- /dev/null +++ b/xmlsecurity/qa/create-certs/templates/intermediate.cnf @@ -0,0 +1,132 @@ +# OpenSSL intermediate CA configuration file. +# Copy to `$root/ca/intermediate/openssl.cnf`. + +[ ca ] +# `man ca` +default_ca = CA_default + +[ CA_default ] +# Directory and file locations. +dir = @ROOT@/ca/intermediate +certs = $dir/certs +crl_dir = $dir/crl +new_certs_dir = $dir/newcerts +database = $dir/index.txt +serial = $dir/serial +RANDFILE = $dir/private/.rand + +# The root key and root certificate. +private_key = $dir/private/intermediate.key.pem +certificate = $dir/certs/intermediate.cert.pem + +# For certificate revocation lists. +crlnumber = $dir/crlnumber +crl = $dir/crl/intermediate.crl.pem +crl_extensions = crl_ext +default_crl_days = 30 + +# SHA-1 is deprecated, so use SHA-2 instead. +default_md = sha256 + +name_opt = ca_default +cert_opt = ca_default +default_days = 375 +preserve = no +policy = policy_loose + +[ policy_strict ] +# The root CA should only sign intermediate certificates that match. +# See the POLICY FORMAT section of `man ca`. +countryName = match +stateOrProvinceName = match +organizationName = match +organizationalUnitName = optional +commonName = supplied +emailAddress = optional + +[ policy_loose ] +# Allow the intermediate CA to sign a more diverse range of certificates. +# See the POLICY FORMAT section of the `ca` man page. +countryName = optional +stateOrProvinceName = optional +localityName = optional +organizationName = optional +organizationalUnitName = optional +commonName = supplied +emailAddress = optional + +[ req ] +# Options for the `req` tool (`man req`). +default_bits = 2048 +distinguished_name = req_distinguished_name +string_mask = utf8only + +# SHA-1 is deprecated, so use SHA-2 instead. +default_md = sha256 + +# Extension to add when the -x509 option is used. +x509_extensions = v3_ca + +[ req_distinguished_name ] +# See <https://en.wikipedia.org/wiki/Certificate_signing_request>. +countryName = Country Name (2 letter code) +stateOrProvinceName = State or Province Name +localityName = Locality Name +0.organizationName = Organization Name +organizationalUnitName = Organizational Unit Name +commonName = Common Name +emailAddress = Email Address + +# Optionally, specify some defaults. +countryName_default = GB +stateOrProvinceName_default = England +localityName_default = +0.organizationName_default = Xmlsecurity Test +organizationalUnitName_default = +emailAddress_default = + +[ v3_ca ] +# Extensions for a typical CA (`man x509v3_config`). +subjectKeyIdentifier = hash +authorityKeyIdentifier = keyid:always,issuer +basicConstraints = critical, CA:true +keyUsage = critical, digitalSignature, cRLSign, keyCertSign + +[ v3_intermediate_ca ] +# Extensions for a typical intermediate CA (`man x509v3_config`). +subjectKeyIdentifier = hash +authorityKeyIdentifier = keyid:always,issuer +basicConstraints = critical, CA:true, pathlen:0 +keyUsage = critical, digitalSignature, cRLSign, keyCertSign + +[ usr_cert ] +# Extensions for client certificates (`man x509v3_config`). +basicConstraints = CA:FALSE +nsCertType = client, email +nsComment = "OpenSSL Generated Client Certificate" +subjectKeyIdentifier = hash +authorityKeyIdentifier = keyid,issuer +keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment +extendedKeyUsage = clientAuth, emailProtection + +[ server_cert ] +# Extensions for server certificates (`man x509v3_config`). +basicConstraints = CA:FALSE +nsCertType = server +nsComment = "OpenSSL Generated Server Certificate" +subjectKeyIdentifier = hash +authorityKeyIdentifier = keyid,issuer:always +keyUsage = critical, digitalSignature, keyEncipherment +extendedKeyUsage = serverAuth + +[ crl_ext ] +# Extension for CRLs (`man x509v3_config`). +authorityKeyIdentifier=keyid:always + +[ ocsp ] +# Extension for OCSP signing certificates (`man ocsp`). +basicConstraints = CA:FALSE +subjectKeyIdentifier = hash +authorityKeyIdentifier = keyid,issuer +keyUsage = critical, digitalSignature +extendedKeyUsage = critical, OCSPSigning diff --git a/xmlsecurity/qa/create-certs/templates/root.cnf b/xmlsecurity/qa/create-certs/templates/root.cnf new file mode 100644 index 0000000..1298d74 --- /dev/null +++ b/xmlsecurity/qa/create-certs/templates/root.cnf @@ -0,0 +1,132 @@ +# OpenSSL root CA configuration file. +# Copy to `$root/ca/openssl.cnf`. + +[ ca ] +# `man ca` +default_ca = CA_default + +[ CA_default ] +# Directory and file locations. +dir = @ROOT@/ca +certs = $dir/certs +crl_dir = $dir/crl +new_certs_dir = $dir/newcerts +database = $dir/index.txt +serial = $dir/serial +RANDFILE = $dir/private/.rand + +# The root key and root certificate. +private_key = $dir/private/ca.key.pem +certificate = $dir/certs/ca.cert.pem + +# For certificate revocation lists. +crlnumber = $dir/crlnumber +crl = $dir/crl/ca.crl.pem +crl_extensions = crl_ext +default_crl_days = 30 + +# SHA-1 is deprecated, so use SHA-2 instead. +default_md = sha256 + +name_opt = ca_default +cert_opt = ca_default +default_days = 375 +preserve = no +policy = policy_strict + +[ policy_strict ] +# The root CA should only sign intermediate certificates that match. +# See the POLICY FORMAT section of `man ca`. +countryName = match +stateOrProvinceName = match +organizationName = match +organizationalUnitName = optional +commonName = supplied +emailAddress = optional + +[ policy_loose ] +# Allow the intermediate CA to sign a more diverse range of certificates. +# See the POLICY FORMAT section of the `ca` man page. +countryName = optional +stateOrProvinceName = optional +localityName = optional +organizationName = optional +organizationalUnitName = optional +commonName = supplied +emailAddress = optional + +[ req ] +# Options for the `req` tool (`man req`). +default_bits = 2048 +distinguished_name = req_distinguished_name +string_mask = utf8only + +# SHA-1 is deprecated, so use SHA-2 instead. +default_md = sha256 + +# Extension to add when the -x509 option is used. +x509_extensions = v3_ca + +[ req_distinguished_name ] +# See <https://en.wikipedia.org/wiki/Certificate_signing_request>. +countryName = Country Name (2 letter code) +stateOrProvinceName = State or Province Name +localityName = Locality Name +0.organizationName = Organization Name +organizationalUnitName = Organizational Unit Name +commonName = Common Name +emailAddress = Email Address + +# Optionally, specify some defaults. +countryName_default = GB +stateOrProvinceName_default = England +localityName_default = +0.organizationName_default = Xmlsecurity Test +organizationalUnitName_default = +emailAddress_default = + +[ v3_ca ] +# Extensions for a typical CA (`man x509v3_config`). +subjectKeyIdentifier = hash +authorityKeyIdentifier = keyid:always,issuer +basicConstraints = critical, CA:true +keyUsage = critical, digitalSignature, cRLSign, keyCertSign + +[ v3_intermediate_ca ] +# Extensions for a typical intermediate CA (`man x509v3_config`). +subjectKeyIdentifier = hash +authorityKeyIdentifier = keyid:always,issuer +basicConstraints = critical, CA:true, pathlen:0 +keyUsage = critical, digitalSignature, cRLSign, keyCertSign + +[ usr_cert ] +# Extensions for client certificates (`man x509v3_config`). +basicConstraints = CA:FALSE +nsCertType = client, email +nsComment = "OpenSSL Generated Client Certificate" +subjectKeyIdentifier = hash +authorityKeyIdentifier = keyid,issuer +keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment +extendedKeyUsage = clientAuth, emailProtection + +[ server_cert ] +# Extensions for server certificates (`man x509v3_config`). +basicConstraints = CA:FALSE +nsCertType = server +nsComment = "OpenSSL Generated Server Certificate" +subjectKeyIdentifier = hash +authorityKeyIdentifier = keyid,issuer:always +keyUsage = critical, digitalSignature, keyEncipherment +extendedKeyUsage = serverAuth + +[ crl_ext ] +# Extension for CRLs (`man x509v3_config`). +authorityKeyIdentifier=keyid:always + +[ ocsp ] +# Extension for OCSP signing certificates (`man ocsp`). +basicConstraints = CA:FALSE +subjectKeyIdentifier = hash +authorityKeyIdentifier = keyid,issuer +keyUsage = critical, digitalSignature +extendedKeyUsage = critical, OCSPSigning _______________________________________________ Libreoffice-commits mailing list [email protected] http://lists.freedesktop.org/mailman/listinfo/libreoffice-commits
