27753561a1
I have a case where LOK convert-to with ODT->PDF and SignCertificateCaPem/SignCertificateCertPem/SignCertificateKeyPem set creates a corrupted PDF signature, while more or less the same on the desktop works. The PDF signature is a hex dump, and once converted to binary, one can analyze the content using 'openssl asn1parse -inform der -in ... -i'. Still, the LOK and the desktop cases differ, because this script generates random certificates and then the binary output in the two cases differs, so it is hard to see the actual difference. Fix the problem by still generating .p12 output (needed for the desktop case) in the no-password case, so a single run can emit ca/cert/key PEM files and a .p12 archive, so exactly the same input can be used for desktop and LOK signing. It turns out the actual problem I looked at was some setup problem, because now that the same input can be used in the two cases, the LOK signing during PDF export works fine. Change-Id: Ifc5ff73cd6fbbc057af536c84e4367ce1d489931 Reviewed-on: https://gerrit.libreoffice.org/c/core/+/176081 Reviewed-by: Miklos Vajna <vmiklos@collabora.com> Tested-by: Jenkins
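#!/usr/bin/env bash
#
# This file is part of the LibreOffice project.
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
#
# The purpose of this script is to create certificates to be able to test ODF signing code.
#
# Usage: <this script> [ALGO] [NOPASS]
#
#   ALGO    "RSA" (default) or "ECDSA": the key type of the two client
#           (signing) certificates. The root and intermediate CA keys are
#           always RSA.
#   NOPASS  write the client private keys unencrypted, in addition to the
#           password-protected .p12 archives, so the very same key material
#           can be used for desktop signing (.p12) and for LibreOfficeKit
#           (SignCertificateCaPem/SignCertificateCertPem/SignCertificateKeyPem).
#
# The password used everywhere (CA keys, encrypted client keys, .p12
# archives) is taken from $SSLPASS and defaults to "xmlsecurity". Everything
# this script produces is throw-away test material: never use it to sign
# anything real, and never commit the private keys anywhere public.
#
# What it does:
#
# 1) Create a test root CA.
#
# 2) Create an intermediate CA, as signing certificates with a root CA is
# considered unsafe.
#
# 3) Create two client certificates that can be used to sign ODF documents in
# LibreOffice.
#
# References:
#
# <https://jamielinux.com/docs/openssl-certificate-authority/> for most of the
# commands.
#
# <https://www.sslshopper.com/article-most-common-openssl-commands.html> for
# the PKCS#12 export of self-signed certificates
#

set -e

root="$PWD"
algo="RSA"
pass="y"

if [[ -n "${1:-}" ]]; then
    algo="$1"
fi

# Only these two key types are handled below. Anything else would silently
# take the RSA path while labelling every certificate with the unknown name,
# so reject it up front.
if [[ "$algo" != "RSA" && "$algo" != "ECDSA" ]]; then
    echo "Unknown algorithm '$algo', expected RSA or ECDSA." >&2
    exit 1
fi

if [[ "${2:-}" == "NOPASS" ]]; then
    pass="n"
fi

# Refuse to touch an existing CA tree: openssl's index/serial bookkeeping
# would get out of sync with the certificates already in there.
if [[ -d "$root/ca" ]]; then
    echo "'ca' directory already exists in $root, please remove it before running this script." >&2
    exit 1
fi

if [[ -z "${SSLPASS:-}" ]]; then
    # Unless specified otherwise, we'll use this as a password everywhere.
    # It is a test-only secret; it is passed to openssl via the environment
    # (env:SSLPASS) rather than on the command line so it does not show up
    # in the process list.
    export SSLPASS="xmlsecurity"
fi
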
# 1) Create the root pair.

# CA working directory, laid out the way the openssl "ca" tool expects it:
# certs/, crl/, newcerts/, private/, an empty index and a serial counter.
mkdir "$root/ca"
cd "$root/ca"
mkdir certs crl newcerts private
# Private keys live in here; nobody but the owner gets to see them.
chmod 700 private
touch index.txt
echo 1000 > serial

# Instantiate the root CA configuration from its template. The only
# substitution is the absolute path of the working tree, so this assumes
# $PWD contains none of '|', '&' or '\', which sed would misinterpret.
sed "s|@ROOT@|$root|g" "$root/templates/root.cnf" > "$root/ca/openssl.cnf"

# Create the root key: 4096-bit RSA, AES-256 encrypted under $SSLPASS.
openssl genrsa -aes256 -passout env:SSLPASS -out private/ca.key.pem 4096
chmod 400 private/ca.key.pem

# Create the root certificate: self-signed, with the v3_ca extensions from
# openssl.cnf, valid for ~100 years so the test fixtures never expire.
openssl req -config openssl.cnf \
    -new -x509 \
    -key private/ca.key.pem -passin env:SSLPASS \
    -days 36500 -sha256 -extensions v3_ca \
    -subj "/C=UK/ST=England/O=Xmlsecurity ${algo} Test/CN=Xmlsecurity ${algo} Test Root CA" \
    -out certs/ca.cert.pem
chmod 444 certs/ca.cert.pem

# 2) Create the intermediate pair.

# Prepare the directory. Same layout as the root CA, plus csr/ for incoming
# requests and crlnumber, the counter openssl uses when issuing revocation
# lists. Everything below is run from $root/ca with relative paths.
cd "$root/ca"
mkdir intermediate intermediate/certs intermediate/crl intermediate/csr \
    intermediate/newcerts intermediate/private
chmod 700 intermediate/private
touch intermediate/index.txt
echo 1000 > intermediate/serial
echo 1000 > intermediate/crlnumber

# Instantiate the intermediate CA configuration from its template (only the
# absolute path of the working tree is substituted).
sed "s|@ROOT@|$root|g" "$root/templates/intermediate.cnf" > intermediate/openssl.cnf

# Create the intermediate key: 4096-bit RSA, AES-256 encrypted under $SSLPASS.
openssl genrsa -aes256 \
    -passout env:SSLPASS \
    -out intermediate/private/intermediate.key.pem \
    4096
chmod 400 intermediate/private/intermediate.key.pem

# Create the intermediate certificate.

# First a CSR, signed with the intermediate key ...
openssl req -config intermediate/openssl.cnf \
    -new -sha256 \
    -key intermediate/private/intermediate.key.pem -passin env:SSLPASS \
    -subj "/C=UK/ST=England/O=Xmlsecurity ${algo} Test/CN=Xmlsecurity Intermediate Root CA" \
    -out intermediate/csr/intermediate.csr.pem

# ... then have the root CA issue the certificate (note: the root's
# openssl.cnf and key) with the v3_intermediate_ca extensions.
openssl ca -batch -config openssl.cnf -extensions v3_intermediate_ca \
    -days 36500 -notext -md sha256 \
    -passin env:SSLPASS \
    -in intermediate/csr/intermediate.csr.pem \
    -out intermediate/certs/intermediate.cert.pem
chmod 444 intermediate/certs/intermediate.cert.pem

# Create the certificate chain file: intermediate first, then the root.
cat intermediate/certs/intermediate.cert.pem certs/ca.cert.pem \
    > intermediate/certs/ca-chain.cert.pem
chmod 444 intermediate/certs/ca-chain.cert.pem

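# 3) Create the real certificate.

# One end-entity (signing) certificate per user, issued by the intermediate
# CA. Each is left on disk as PEM (key + certificate) and also exported as a
# PKCS#12 archive. The .p12 is always protected by $SSLPASS; the key PEM is
# only encrypted in password mode, so that in NOPASS mode the same run yields
# both the .p12 for desktop signing and plain PEM files for LOK.
for i in Alice Bob
do
    key="intermediate/private/example-xmlsecurity-${i}.key.pem"
    csr="intermediate/csr/example-xmlsecurity-${i}.csr.pem"
    cert="intermediate/certs/example-xmlsecurity-${i}.cert.pem"
    p12="./intermediate/private/example-xmlsecurity-${i}.cert.p12"
    subject="/C=UK/ST=England/O=Xmlsecurity ${algo} Test/CN=Xmlsecurity ${algo} Test example ${i}"

    # Options that unlock the client key; only meaningful when it is
    # encrypted, which is the case for RSA in password mode.
    # NOTE(review): the ECDSA key below is written unencrypted regardless of
    # $pass (ecparam -genkey has no -passout), so for ECDSA these options are
    # a no-op and the key PEM is plaintext even in password mode.
    key_pass=()
    if [[ "$pass" == "y" ]]; then
        key_pass=(-passin env:SSLPASS)
    fi

    # Create a key.
    cd "$root/ca"
    if [[ "$algo" == "ECDSA" ]]; then
        openssl ecparam -name secp256r1 -genkey -out "$key"
    elif [[ "$pass" == "y" ]]; then
        openssl genrsa -aes256 -passout env:SSLPASS -out "$key" 2048
    else
        # NOPASS: plain PEM key, directly usable as SignCertificateKeyPem.
        openssl genrsa -out "$key" 2048
    fi
    chmod 400 "$key"

    # Create a certificate signing request (CSR).
    openssl req -config intermediate/openssl.cnf \
        -key "$key" "${key_pass[@]}" \
        -new -sha256 -out "$csr" \
        -subj "$subject"

    # To create a certificate, use the intermediate CA to sign the CSR.
    # usr_cert: the cert will be used for signing. The -passin here unlocks
    # the intermediate CA key, which is always encrypted, so this step is
    # identical in both password modes (the old copy-pasted branches were).
    openssl ca -batch -config intermediate/openssl.cnf \
        -extensions usr_cert -days 36500 -notext -md sha256 \
        -in "$csr" \
        -passin env:SSLPASS \
        -out "$cert"
    chmod 444 "$cert"

    # Export it in PKCS#12 format: key, certificate and the CA chain in one
    # archive. The archive is always password protected (-passout), even when
    # the key PEM itself is not, which is what the desktop signing path needs.
    p12_args=(-certfile intermediate/certs/ca-chain.cert.pem)
    if [[ "$algo" != "ECDSA" ]]; then
        # Windows CSP name recorded in the archive; only passed for RSA keys,
        # presumably because this provider handles RSA only.
        p12_args+=(-CSP "Microsoft Enhanced RSA and AES Cryptographic Provider")
    fi
    openssl pkcs12 -export \
        -out "$p12" \
        -passout env:SSLPASS \
        -inkey "$key" "${key_pass[@]}" \
        -in "$cert" \
        "${p12_args[@]}"
done
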
# Tell the user where the generated material ended up.
intermediate_dir="$root/ca/intermediate"
printf '\n'
printf '%s\n' "Authority certificate is at: <${intermediate_dir}/certs/ca-chain.cert.pem>."
printf '%s\n' "To be able to import it in Windows, rename the '.pem' extension to '.cer'."
for user in Alice Bob; do
    printf '%s\n' "Signing certificate is at <${intermediate_dir}/private/example-xmlsecurity-${user}.cert.p12>."
    # The PEM key is only written unencrypted (and so directly usable by LOK)
    # in NOPASS mode, so the PEM paths are only advertised then.
    if [[ "$pass" != "y" ]]; then
        printf '%s\n' "Cert file is at <${intermediate_dir}/certs/example-xmlsecurity-${user}.cert.pem>."
        printf '%s\n' "Key file is at <${intermediate_dir}/private/example-xmlsecurity-${user}.key.pem>."
    fi
done

# vim:set shiftwidth=4 expandtab: