Hi,
On 23/01/19 14:46, Adrian Sevcenco wrote:
> Hi! Does anyone have a recipe for creating a proxy cert with openssl?
> First I would like to emulate the creation of proxy certificate with
> openssl
> then implement the recipe in python.
> The purpose would be to have a workflow similar with the grid-proxy-*
> but for connecting to openssl based services
> (those would reject the proxy cert created by grid-proxy-init because of
> Signature Algorithm: md5WithRSAEncryption instead of certificate
> signature of
> Signature Algorithm: sha256WithRSAEncryption)
for the GT-eos project I wrote the attached script to do just that.
Use 'genproxy --help' to get help on usage (which is VERY similar to
grid-proxy-init usage).
HTH,
JJK / Jan Just Keijser
Nikhef
Amsterdam
#! /bin/bash
# $Id: genproxy,v 1.2 2008/11/10 14:43:39 janjust Exp $
# $Id: genproxy,v 1.3 2016/08/16 fs $
# 2016-08-16 Frank Scheiner (HLRS):
# * Updated defaults
# * added printout of GSI proxy credential filename and path
# * changed handling of info and debug messages in the code
# * removed OpenSSL version check, assuming we will always use a version
# >= 0.9.8
#
# New defaults:
# * 1024 bits for the generated private key of the GSI proxy credential
# * creates RFC 3820 compliant GSI proxy credentials
#
# $Id: genproxy,v 1.4 2016/10/13 fs $
# 2016-10-13 Frank Scheiner (HLRS):
# * output is now closer to output from `grid-proxy-init`
# * added error message for wrong passphrase (identical to error output
# of `grid-proxy-init`)
#
# $Id: genproxy,v 1.5 2016/10/18 fs $
# 2016-10-18 Frank Scheiner (HLRS):
# * the generated GSI proxy credential (GPC) is now created by mktemp
# beforehand to fight symlink attacks in `/tmp`. If needed the name
# and path of the GPC can still be configured by using the environment
# variable `X509_USER_PROXY`.
#
# $Id: genproxy,v 1.6 2017/07/12 fs $
# 2017-07-12 Frank Scheiner (HLRS)
# * Added copyright statement and license with consent of Jan Just Keijser
# from 2017-07-06.
# * the "-o" option was deactivated by accident in v1.5. This option now
# works again and takes precedence over the setting of the environment
# variable `X509_USER_PROXY`.
#
# $Id: genproxy,v 2.0 2017/11/27 janjust $
# 2017-11-27 Jan Just Keijser (Nikhef)
# * Added support for PKCS12 certificates
# * Ensured that it continues to work with OpenSSL 1.1
# * Added trap handler to clean up temp files
#
:<<COPYRIGHT
Copyright (C) 2008-2017 Jan Just Keijser, Nikhef
Copyright (C) 2016-2017 Frank Scheiner, HLRS, Universitaet Stuttgart
The program is distributed under the terms of the GNU General Public License
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
COPYRIGHT
###############################################################################
# FUNCTIONS
###############################################################################
# Emit a debug message; silent unless DEBUG is set to a non-empty value.
# The message goes through "echo -e", so backslash escapes are interpreted.
# Always returns 0.
debug() {
  case "${DEBUG:-}" in
    '') ;;
    *) echo -e "$@" ;;
  esac
}
# Emit an informational message; suppressed when QUIET is set to a non-empty
# value (--quiet).  Uses "echo -e", so backslash escapes are interpreted.
# Always returns 0.
info() {
  case "${QUIET:-}" in
    '') echo -e "$@" ;;
  esac
}
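# Run a command line and capture everything it writes (stdout and stderr) in
# the file named by $MESSAGES, so that a failure can be diagnosed afterwards.
# In debug mode the command line is printed first.
# Globals:   DEBUG (read), MESSAGES (read; must name a writable file)
# Arguments: the command line, re-parsed by eval
# Returns:   the command's exit status
#
# NOTE(review): the arguments are re-parsed by eval.  That is what lets the
# caller pass escaped quotes around the -subj value, but it also means that
# any shell metacharacters inside those arguments (for instance from a
# certificate subject) are interpreted.  Only pass trusted values here.
function run_cmd()
{
  local exitcode=0
  if [ -n "${DEBUG:-}" ]
  then
    # printf rather than "echo -e": the command line is shown verbatim,
    # without backslash escapes being interpreted.
    printf 'run_cmd: %s\n' "$*"
  fi
  eval "$@" 1> "${MESSAGES}" 2>&1
  exitcode=$?
  return "${exitcode}"
}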
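# Remove the temporary files this script creates, restore the terminal and
# exit.  Installed as the SIGINT/SIGTERM handler and used by abort(), so it
# must cope with variables that were never assigned.
# Globals:   OPENSSL_CONF TMP_USERCERT PROXYCERT PROXYKEY PROXYREQ MESSAGES
#            (read), TMP / TMPDIR (read, to locate the temporary directory)
# Arguments: $1 - exit status (default 1)
# Returns:   never; exits the script
function do_cleanup()
{
  local tmpdir="${TMP:-${TMPDIR:-/tmp}}"
  local -a victims=()
  local f
  # Every file the script creates comes from mktemp "${TMP}/...".  An empty
  # name means that file was never created; a name outside the temporary
  # directory (e.g. an OPENSSL_CONF inherited from the caller's environment
  # when we abort before replacing it) is not ours to delete.
  for f in "${OPENSSL_CONF:-}" "${TMP_USERCERT:-}" "${PROXYCERT:-}" "${PROXYKEY:-}" "${PROXYREQ:-}" "${MESSAGES:-}"
  do
    case "$f" in
      "${tmpdir}"/?*) victims+=("$f") ;;
    esac
  done
  # Quote the names in case $TMP contains spaces; "--" protects names that
  # start with a dash.
  if [ "${#victims[@]}" -gt 0 ]
  then
    rm -f -- "${victims[@]}"
  fi
  # Interrupting the "read -s" password prompt leaves echo disabled.  Only
  # touch the terminal when stdin actually is one, so non-interactive runs do
  # not get an stty error.
  if [ -t 0 ]
  then
    stty sane
  fi
  exit "${1:-1}"
}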
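# Report a fatal error on stderr and leave through do_cleanup.
# Arguments: $1 - exit status; $2.. - message text, printed between
#            "ERROR:" and "Aborting."
# Returns:   never; do_cleanup exits the script
function abort()
{
  local exitcode=$1
  shift
  # The message is everything after the exit status; printf keeps a message
  # that starts with "-" or contains backslashes intact.
  printf 'ERROR: %s Aborting.\n' "$*" 1>&2
  do_cleanup "${exitcode}"
}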
###############################################################################
# MAIN
###############################################################################
# Version string printed by --version and in front of the usage text.
VERSION='genproxy version 2.0'

# Usage text, kept literal (quoted delimiter) and read as a single string
# including its trailing newline.
IFS= read -r -d '' USAGE <<'EOF' || :
This script will generate a GSI proxy credential pretty much like globus' grid-proxy-init
Options
[--help] Displays usage.
[--version] Displays version.
[--debug] Enables extra debug output.
[--quiet] Quiet mode, minimal output.
[--limited] Creates a limited globus proxy.
[--old] Creates a legacy globus proxy.
[--gt3] Creates a pre-RFC3820 compliant proxy.
[--rfc] Creates a RFC3820 compliant proxy (default).
[--days=N] Number of days the proxy is valid (default=1).
[--path-length=N] Allow a chain of at most N proxies to be generated
from this one (default=2).
[--bits=N] Number of bits in key (512, 1024, 2048, default=1024).
[--shaNUM] SHA hashing strength to use (default=sha256).
[--cert=certfile] Non-standard location of user certificate or PKCS#12 file.
[--key=keyfile] Non-standard location of user key.
[--out=proxyfile] Non-standard location of new proxy cert.
EOF

# Output verbosity switches; both start off (--debug / --quiet set them).
DEBUG=
QUIET=
# Command-line parsing.  Each option is accepted both as "--opt value" and as
# "--opt=value".  --out overwrites X509_USERPROXY, which is how the option
# takes precedence over the environment variable of the same name.  Anything
# unrecognised (including --help) prints the version and usage and exits 0.
# (A --valid option existed in an earlier revision but was never wired up.)
while [ $# -gt 0 ]; do
  case "$1" in
    --days|-d)            DAYS=$2;                  shift ;;
    --days=*)             DAYS=${1#--days=} ;;
    --cert)               X509_USERCERT=$2;         shift ;;
    --cert=*)             X509_USERCERT=${1#--cert=} ;;
    --key)                X509_USERKEY=$2;          shift ;;
    --key=*)              X509_USERKEY=${1#--key=} ;;
    --out|-o)             X509_USERPROXY=$2;        shift ;;
    --out=*)              X509_USERPROXY=${1#--out=} ;;
    --pcpl|--path-length) PROXY_PATHLENGTH=$2;      shift ;;
    --pcpl=*)             PROXY_PATHLENGTH=${1#--pcpl=} ;;
    --path-length=*)      PROXY_PATHLENGTH=${1#--path-length=} ;;
    --bits|-b)            BITS=$2;                  shift ;;
    --bits=*)             BITS=${1#--bits=} ;;
    # e.g. --sha512 selects the digest openssl is asked to sign with
    --sha*)               SHA_ALG=${1#--} ;;
    --limited)            PROXY_POLICY=limited_policy ;;
    --old)                PROXY_STYLE=legacy_proxy ;;
    --gt3)                PROXY_STYLE=globus_proxy ;;
    --rfc)                PROXY_STYLE=rfc3820_proxy ;;
    --debug)              DEBUG=1; QUIET= ;;
    --quiet|-q)           QUIET=1; DEBUG= ;;
    --version|-V)         echo "$VERSION"; exit 0 ;;
    *)                    echo "$VERSION"; echo "$USAGE"; exit 0 ;;
  esac
  shift
done
#info "Starting proxy generation"
# Make sure temporary files are removed (and the terminal restored) when the
# user interrupts the password prompt or the script is terminated.
trap do_cleanup SIGINT
trap do_cleanup SIGTERM

# Apply defaults for everything the command line did not set.
DAYS="${DAYS:-1}"
PROXY_PATHLENGTH="${PROXY_PATHLENGTH:-2}"
PROXY_POLICY="${PROXY_POLICY:-normal_policy}"
PROXY_STYLE="${PROXY_STYLE:-rfc3820_proxy}"
BITS="${BITS:-1024}"
SHA_ALG="${SHA_ALG:-sha256}"

# Output location: --out (which overwrites X509_USERPROXY) wins, then the
# X509_USERPROXY environment variable, then the grid-proxy-init style name.
# NOTE(review): the revision notes at the top mention `X509_USER_PROXY`, but
# the variable consulted here is `X509_USERPROXY` - confirm which is meant.
TMP="${TMPDIR:-/tmp}"
PROXY_SUGGEST="${TMP}/x509up_u$(id -u)"
PROXY="${X509_USERPROXY:-$PROXY_SUGGEST}"

# Input credential.  --cert names either the PEM certificate or a PKCS#12
# file (see the usage text).
# NOTE(review): X509_USERCERT already has a default by the time X509_P12CRED
# is derived from it, so the usercred.p12 fallback can never apply and
# X509_P12CRED is always identical to X509_USERCERT - confirm intent.
X509_USERCERT="${X509_USERCERT:-$HOME/.globus/usercert.pem}"
X509_USERKEY="${X509_USERKEY:-$HOME/.globus/userkey.pem}"
X509_P12CRED="${X509_USERCERT:-$HOME/.globus/usercred.p12}"

OPENSSL="/usr/bin/openssl"
# Set later only when the certificate had to be extracted from a PKCS#12 file.
unset TMP_USERCERT
debug "Output File: $PROXY"
# Check if we already own the proxy file. If not, check that we can create it
# (-O is true when the file exists and is owned by the effective user).
if [ ! -O "${PROXY}" ]
then
# NOTE(review): the file is created with the current umask and only made
# private by the chmod below; creating it under "umask 077" would close the
# short window in which it may be readable by others.
rm -f "${PROXY}" && touch "${PROXY}"
if [ $? -ne 0 ]
then
abort 1 "Cannot create proxy file '${PROXY}'."
fi
fi
# Explicitly set permission on the output proxy: it will hold the unencrypted
# proxy private key.
chmod 600 "${PROXY}"
# Scratch file collecting stdout/stderr of the openssl commands run through
# run_cmd; its content is only looked at when signing fails.
# Do not attempt "export MESSAGES=`mktemp...`" as it drowns out all errorcodes
MESSAGES=`mktemp "${TMP}/messages.XXXXXX"`
if [ $? -ne 0 ]
then
abort 2 "Could not create temporary file in ${TMP}."
fi
export MESSAGES
# First try to read the credential as a PEM certificate.  openssl's complaint
# is discarded because failure is expected when the file is PKCS#12.
debug "running 'openssl x509 -noout -in $X509_USERCERT -subject'"
SUBJECT=`$OPENSSL x509 -noout -in "${X509_USERCERT}" -subject 2> /dev/null`
if [ $? -eq 0 ]
then
debug "running 'openssl x509 -noout -in $X509_USERCERT -serial'"
use_pkcs12=0
else
# Not PEM: treat the file as PKCS#12.  The import password is read without
# echo, which is why do_cleanup has to restore the terminal if the user
# interrupts the script here.
# NOTE(review): "read" without -r interprets backslashes in the password.
debug "$X509_USERCERT does not appear to be a valid PEM encoded certificate, trying PKCS#12"
echo -n "Enter Import Password: "
read -s pkcs12pass
# Extract only the user certificate (-clcerts -nokeys) into a temporary file;
# the private key stays inside the PKCS#12 file.  The password is handed to
# openssl on stdin rather than on the command line so it does not show up in
# the process list.
# NOTE(review): X509_P12CRED is the same path as X509_USERCERT by construction
# of the defaults above, which is why the error below names X509_USERCERT.
TMP_USERCERT=`mktemp "${TMP}/usercert.XXXXXX"`
$OPENSSL pkcs12 -in "${X509_P12CRED}" -clcerts -nokeys -out "${TMP_USERCERT}" -passin stdin <<< "${pkcs12pass}"
if [ $? -eq 0 ]
then
use_pkcs12=1
else
abort 3 "Could not read user certificate file '$X509_USERCERT'."
fi
SUBJECT=`$OPENSSL x509 -noout -in "${TMP_USERCERT}" -subject`
fi
# Rewrite the "subject=C = NL, O = ..., CN = ..." form printed by openssl 1.1
# into the "/C=NL/O=.../CN=..." form expected by "openssl req -subj".
debug "convert \"${SUBJECT}\" to a suitable format"
SUBJ=`echo "${SUBJECT}" | sed 's/subject= *//;s/\([A-Za-z0-9.]*\) = /\/\1=/;s/, \([A-Za-z0-9.]*\) = /\/\1=/g'`
info "Your identity: $SUBJ"
# The issuer's serial number is reused as the serial of a legacy proxy.
SERIAL=`$OPENSSL x509 -noout -in "${TMP_USERCERT:-$X509_USERCERT}" -serial | sed -e s'/serial= *//'`
debug "Certificate serial number: $SERIAL"
# Create temporary files
# Note that we need to export OPENSSL_CONF for the 'openssl req' command!
# NOTE(review): the mktemp argument is unquoted here (a $TMP containing
# spaces would break it).  Until this line OPENSSL_CONF may still hold a
# value inherited from the caller's environment, and an earlier abort hands
# that inherited name to do_cleanup.
export OPENSSL_CONF=`mktemp ${TMP}/openssl.cnf.XXXXXX`
# Request, new private key and signed certificate of the proxy.  All three
# are concatenated into $PROXY at the end and removed by do_cleanup.
PROXYREQ=`mktemp "${TMP}/proxyrequest.XXXXXX"`
PROXYKEY=`mktemp "${TMP}/proxykey.XXXXXX"`
PROXYCERT=`mktemp "${TMP}/proxycert.XXXXXX"`
# Legacy (pre-GT3) proxies encode the policy in the CN ("proxy" or
# "limited proxy"), carry no extensions and reuse the issuer's serial.
if [ "$PROXY_STYLE" = "legacy_proxy" ]
then
if [ "$PROXY_POLICY" = "normal_policy" ]
then
PROXY_SUBJ="proxy"
else
PROXY_SUBJ="limited proxy"
fi
PROXY_EXTENSIONS=""
PROXY_SERIAL="0x$SERIAL"
else
# for non-legacy proxies, the proxy policy (limited, normal) is implemented
# using X509v3 extensions, which are loaded from the 'extfile'
# The same number serves as the proxy's CN and as its serial.  $RANDOM is a
# 15-bit pseudo-random value, so this is a uniqueness nonce rather than
# cryptographic randomness (RFC 3820 presumably only needs the CN to be
# unique among the proxies of one issuer - confirm).
RND=`expr $RANDOM \* $RANDOM`
PROXY_SUBJ="$RND"
PROXY_SERIAL="$RND"
PROXY_EXTENSIONS="-extfile ${OPENSSL_CONF}"
fi
# Create openssl.cnf on the fly ...
# The unquoted EOF lets ${PROXY_STYLE}, ${PROXY_PATHLENGTH} and ${PROXY_POLICY}
# select the sections used.  1.3.6.1.5.5.7.1.14 is the RFC 3820 proxyCertInfo
# extension (path length, then policy); 1.3.6.1.4.1.3536.1.222 is its pre-RFC
# Globus predecessor with the two fields in the opposite order.  The policy
# OIDs are "inherit all" (normal) and the Globus "limited proxy" policy.  The
# [ req ] sections are presumably what makes 'openssl req' accept this file
# as its configuration.
cat > $OPENSSL_CONF << EOF
extensions = ${PROXY_STYLE}
[ rfc3820_proxy ]
keyUsage = critical,digitalSignature,keyEncipherment
1.3.6.1.5.5.7.1.14 = critical,ASN1:SEQUENCE:rfc3820_seq_sect
[ rfc3820_seq_sect ]
field1 = INTEGER:${PROXY_PATHLENGTH}
field2 = SEQUENCE:${PROXY_POLICY}
[ globus_proxy ]
keyUsage = critical,digitalSignature,keyEncipherment
1.3.6.1.4.1.3536.1.222=critical,ASN1:SEQUENCE:globus_seq_sect
[ globus_seq_sect ]
field1 = SEQUENCE:${PROXY_POLICY}
field2 = EXPLICIT:1C,INTEGER:${PROXY_PATHLENGTH}
[ normal_policy ]
p1 = OID:1.3.6.1.5.5.7.21.1
[ limited_policy ]
p1 = OID:1.3.6.1.4.1.3536.1.1.1.9
[ req ]
distinguished_name = req_distinguished_name
[ req_distinguished_name ]
EOF
# Generate the proxy key pair and certificate request.  -nodes leaves the new
# key unencrypted, as is customary for proxy credentials.  The escaped quotes
# around -subj are needed because run_cmd re-parses its arguments with eval.
# NOTE(review): because of that eval, shell metacharacters in the certificate
# subject would be interpreted here; the user certificate must be trusted.
run_cmd $OPENSSL req -new -nodes -keyout "${PROXYKEY}" -out "${PROXYREQ}" \
-newkey rsa:$BITS -subj \"$SUBJ/CN=$PROXY_SUBJ\"
# Sign the request with the user's key: either the PEM key file, or the key
# inside the PKCS#12 file (-CAkeyform pkcs12), again with the password on
# stdin.  The digest chosen by --shaNUM is passed straight through as -shaNUM.
if [ $use_pkcs12 -eq 0 ]
then
run_cmd $OPENSSL x509 -req \
-in "${PROXYREQ}" \
-CA "${X509_USERCERT}" \
-CAkey "${X509_USERKEY}" \
-out "${PROXYCERT}" \
-set_serial ${PROXY_SERIAL} -${SHA_ALG} -days $DAYS \
${PROXY_EXTENSIONS}
else
# we cannot use run_cmd with a "here" document, so this branch's output is
# not captured in $MESSAGES
$OPENSSL x509 -req \
-in "${PROXYREQ}" \
-CA "${TMP_USERCERT}" \
-CAkey "${X509_P12CRED}" \
-CAkeyform pkcs12 \
-out "${PROXYCERT}" \
-set_serial ${PROXY_SERIAL} -${SHA_ALG} -days $DAYS \
${PROXY_EXTENSIONS} \
-passin stdin <<< "${pkcs12pass}"
fi
# Exit status of whichever signing branch ran above.
exitcode=$?
# No longer needed, get rid of it ASAP
unset pkcs12pass
if [ $exitcode -eq 0 ]
then
# (This only records the status of the test just above, i.e. 0; exitcode is
# already 0 here.)
exitcode=$?
# Assemble the proxy credential in the order grid tools expect: proxy
# certificate, proxy private key, issuing (user) certificate.
# NOTE(review): a failing cat is not detected; exitcode stays 0.
cat "${PROXYCERT}" "${PROXYKEY}" "${TMP_USERCERT:-$X509_USERCERT}" > "$PROXY"
# simple proxy validation
# ("date -d" is a GNU date extension.)
end_date=`$OPENSSL x509 -noout -enddate -in "$PROXY" | sed 's/notAfter=//'`
info "Your proxy \`$PROXY' is valid until: `date -d \"$end_date\"`"
else
# Map openssl's complaint about the CA key to the grid-proxy-init wording.
# Any other failure produces no message at all; the captured output is only
# shown (in debug mode) for this one case.
if grep 'unable to load CA Private Key' < "${MESSAGES}" &>/dev/null
then
debug "`cat "${MESSAGES}"`"
info "Error: Couldn't read user key in $X509_USERKEY."
debug "Given pass phrase might be incorrect."
fi
fi
# Remove the temporary files and exit with the signing status.
do_cleanup $exitcode