[Libreoffice-commits] core.git: 4 commits - xmlsecurity/inc xmlsecurity/qa xmlsecurity/source

Miklos Vajna vmiklos at collabora.co.uk
Tue Jan 5 01:28:40 PST 2016


 xmlsecurity/inc/xmlsecurity/sigstruct.hxx              |    4 
 xmlsecurity/inc/xmlsecurity/xmlsignaturehelper.hxx     |    1 
 xmlsecurity/qa/create-certs/create-certs.sh            |  164 +++++++++++++++++
 xmlsecurity/qa/create-certs/templates/intermediate.cnf |  132 +++++++++++++
 xmlsecurity/qa/create-certs/templates/root.cnf         |  132 +++++++++++++
 xmlsecurity/source/helper/xmlsignaturehelper.cxx       |    5 
 xmlsecurity/source/helper/xsecctl.cxx                  |   25 ++
 xmlsecurity/source/helper/xsecctl.hxx                  |    4 
 xmlsecurity/source/helper/xsecparser.cxx               |   16 +
 xmlsecurity/source/helper/xsecparser.hxx               |    3 
 xmlsecurity/source/helper/xsecsign.cxx                 |   25 ++
 xmlsecurity/source/helper/xsecverify.cxx               |   21 ++
 12 files changed, 530 insertions(+), 2 deletions(-)

New commits:
commit 075c7eceb0769b61d11a3857e33af1b2c6341bc5
Author: Miklos Vajna <vmiklos at collabora.co.uk>
Date:   Tue Jan 5 10:12:36 2016 +0100

    xmlsecurity: handle description in XSecController::prepareSignatureToWrite()
    
    With this, if DigitalSignaturesDialog sets a signature description, then
    that becomes part of the signed content. This is backwards-compatible in
    two ways:
    
    1) When the description is empty, the output is not changed.
    
    2) When parsing, the description is optional: we only require that if
    its hash is mentioned in the signed content, then the string matches its
    hash; but omitting both the string and its hash is OK.
    
    Change-Id: I82db5beea16bd325558a86201dc902d35543ed0a

diff --git a/xmlsecurity/source/helper/xsecsign.cxx b/xmlsecurity/source/helper/xsecsign.cxx
index 1106e11..25ba21e 100644
--- a/xmlsecurity/source/helper/xsecsign.cxx
+++ b/xmlsecurity/source/helper/xsecsign.cxx
@@ -168,6 +168,14 @@ cssu::Reference< cssxc::sax::XReferenceResolvedListener > XSecController::prepar
     internalSignatureInfor.addReference(TYPE_SAMEDOCUMENT_REFERENCE, internalSignatureInfor.signatureInfor.ouPropertyId, -1 );
     size++;
 
+    if (!internalSignatureInfor.signatureInfor.ouDescription.isEmpty())
+    {
+        // Only mention the hash of the description in the signature if it's non-empty.
+        internalSignatureInfor.signatureInfor.ouDescriptionPropertyId = createId();
+        internalSignatureInfor.addReference(TYPE_SAMEDOCUMENT_REFERENCE, internalSignatureInfor.signatureInfor.ouDescriptionPropertyId, -1);
+        size++;
+    }
+
     /*
      * replace both digestValues and signatueValue to " "
      */
diff --git a/xmlsecurity/source/helper/xsecverify.cxx b/xmlsecurity/source/helper/xsecverify.cxx
index d41214e..a3fa87a 100644
--- a/xmlsecurity/source/helper/xsecverify.cxx
+++ b/xmlsecurity/source/helper/xsecverify.cxx
@@ -290,7 +290,17 @@ void XSecController::setPropertyId( OUString& ouPropertyId )
         return;
     }
     InternalSignatureInformation &isi = m_vInternalSignatureInformations.back();
-    isi.signatureInfor.ouPropertyId = ouPropertyId;
+
+    if (isi.signatureInfor.ouPropertyId.isEmpty())
+    {
+        // <SignatureProperty> ID attribute is for the date.
+        isi.signatureInfor.ouPropertyId = ouPropertyId;
+    }
+    else
+    {
+        // <SignatureProperty> ID attribute is for the description.
+        isi.signatureInfor.ouDescriptionPropertyId = ouPropertyId;
+    }
 }
 
 /* public: for signature verify */
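Review bot: The Id-to-field binding in setPropertyId is purely positional — the first `<SignatureProperty>` Id seen becomes ouPropertyId and every later one overwrites ouDescriptionPropertyId — so a signature whose description property precedes its date property, or one carrying a third property, ends up with the Ids swapped or clobbered, and the "string matches its hash" check the commit message describes would then be made against the wrong element. Since XSecParser already tells `dc:date` and `dc:description` apart on end-element, the controller could remember the Id of the currently open `<SignatureProperty>` and commit it to ouPropertyId or ouDescriptionPropertyId from setDate/setDescription respectively, which makes the binding independent of element order. Until that is done, a comment such as `// Assumes the date <SignatureProperty> precedes the description one, matching the order exportSignature() writes them.` would at least document the coupling. The hash check itself is not in this hunk, so I cannot confirm where a description whose property is not referenced from SignedInfo is rejected.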
commit a968893e6afd3b79c6c048962373859cea75a77b
Author: Miklos Vajna <vmiklos at collabora.co.uk>
Date:   Tue Jan 5 09:57:38 2016 +0100

    xmlsecurity: parse dc:description in XSecParser
    
    With this, the description is written to the XML file; DigitalSignaturesDialog
    doesn't set it yet, though.
    
    Change-Id: I54a73d6fbdf8ed936714a21ba1df5998849fd1fa

diff --git a/xmlsecurity/source/helper/xsecctl.hxx b/xmlsecurity/source/helper/xsecctl.hxx
index 22b54e9..dcb4eaa 100644
--- a/xmlsecurity/source/helper/xsecctl.hxx
+++ b/xmlsecurity/source/helper/xsecctl.hxx
@@ -371,6 +371,7 @@ private:
     void setDigestValue( OUString& ouDigestValue );
 
     void setDate( OUString& ouDate );
+    void setDescription(const OUString& rDescription);
 
     void setId( OUString& ouId );
     void setPropertyId( OUString& ouPropertyId );
diff --git a/xmlsecurity/source/helper/xsecparser.cxx b/xmlsecurity/source/helper/xsecparser.cxx
index e429535..b7d3734 100644
--- a/xmlsecurity/source/helper/xsecparser.cxx
+++ b/xmlsecurity/source/helper/xsecparser.cxx
@@ -35,6 +35,7 @@ XSecParser::XSecParser(XSecController* pXSecController,
     , m_bInDigestValue(false)
     , m_bInSignatureValue(false)
     , m_bInDate(false)
+    , m_bInDescription(false)
     , m_pXSecController(pXSecController)
     , m_xNextHandler(xNextHandler)
     , m_bReferenceUnresolved(false)
@@ -65,6 +66,7 @@ void SAL_CALL XSecParser::startDocument(  )
     m_bInSignatureValue = false;
     m_bInDigestValue = false;
     m_bInDate = false;
+    m_bInDescription = false;
 
     if (m_xNextHandler.is())
     {
@@ -176,6 +178,11 @@ void SAL_CALL XSecParser::startElement(
             m_ouDate.clear();
                 m_bInDate = true;
             }
+            else if (aName == NSTAG_DC ":" TAG_DESCRIPTION)
+            {
+                m_ouDescription.clear();
+                m_bInDescription = true;
+            }
 
         if (m_xNextHandler.is())
         {
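Review bot: The added `else if` matches the element by literal prefix (`NSTAG_DC ":" TAG_DESCRIPTION`), so a signature that binds the Dublin Core namespace to a different prefix is not parsed, while a `dc:` prefix bound to some other namespace is; this mirrors the existing `dc:date` branch, so it is an inherited limitation rather than a regression, but the place where the description is introduced deserves `// Prefix-based match like dc:date above: assumes the producer used the "dc" prefix for NS_DC.` Nothing here checks that the `dc:description` sits inside a `<SignatureProperty>`, so a stray element elsewhere under `<Signature>` still reaches setDescription(), and I cannot tell from this hunk whether the controller later ties the value to a referenced property. startElement continues outside the hunk.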
@@ -248,6 +255,11 @@ void SAL_CALL XSecParser::endElement( const OUString& aName )
             m_pXSecController->setDate( m_ouDate );
                 m_bInDate = false;
         }
+            else if (aName == NSTAG_DC ":" TAG_DESCRIPTION)
+            {
+                m_pXSecController->setDescription( m_ouDescription );
+                m_bInDescription = false;
+            }
 
         if (m_xNextHandler.is())
         {
@@ -296,6 +308,10 @@ void SAL_CALL XSecParser::characters( const OUString& aChars )
     {
         m_ouDate += aChars;
     }
+    else if (m_bInDescription)
+    {
+        m_ouDescription += aChars;
+    }
 
     if (m_xNextHandler.is())
     {
diff --git a/xmlsecurity/source/helper/xsecparser.hxx b/xmlsecurity/source/helper/xsecparser.hxx
index 0cf47b1..f87ca23 100644
--- a/xmlsecurity/source/helper/xsecparser.hxx
+++ b/xmlsecurity/source/helper/xsecparser.hxx
@@ -64,6 +64,8 @@ private:
     OUString m_ouDigestValue;
     OUString m_ouSignatureValue;
     OUString m_ouDate;
+    /// Characters of a <dc:description> element, as just read from XML.
+    OUString m_ouDescription;
 
     /*
      * whether inside a particular element
@@ -74,6 +76,7 @@ private:
     bool m_bInDigestValue;
     bool m_bInSignatureValue;
     bool m_bInDate;
+    bool m_bInDescription;
 
     /*
      * the XSecController collaborating with XSecParser
diff --git a/xmlsecurity/source/helper/xsecverify.cxx b/xmlsecurity/source/helper/xsecverify.cxx
index 2ebd27d..d41214e 100644
--- a/xmlsecurity/source/helper/xsecverify.cxx
+++ b/xmlsecurity/source/helper/xsecverify.cxx
@@ -262,6 +262,15 @@ void XSecController::setDate( OUString& ouDate )
     isi.signatureInfor.ouDateTime = ouDate;
 }
 
+void XSecController::setDescription(const OUString& rDescription)
+{
+    if (m_vInternalSignatureInformations.empty())
+        return;
+
+    InternalSignatureInformation& rInformation = m_vInternalSignatureInformations.back();
+    rInformation.signatureInfor.ouDescription = rDescription;
+}
+
 void XSecController::setId( OUString& ouId )
 {
     if (m_vInternalSignatureInformations.empty())
commit 88cbfe58c4a36c20bdb2445f43043f0a5a006ee3
Author: Miklos Vajna <vmiklos at collabora.co.uk>
Date:   Tue Jan 5 09:54:11 2016 +0100

    xmlsecurity: add XMLSignatureHelper::SetDescription()
    
    First step to be able to add a comment while signing a document.
    
    Change-Id: I8f7ab95de5015b723481e94bd72585caf754288f

diff --git a/xmlsecurity/inc/xmlsecurity/sigstruct.hxx b/xmlsecurity/inc/xmlsecurity/sigstruct.hxx
index 0eb7cd8..ea0e0f3 100644
--- a/xmlsecurity/inc/xmlsecurity/sigstruct.hxx
+++ b/xmlsecurity/inc/xmlsecurity/sigstruct.hxx
@@ -74,6 +74,10 @@ struct SignatureInformation
     OUString ouDateTime;
     OUString ouSignatureId;
     OUString ouPropertyId;
+    /// Characters of the <dc:description> element inside the signature.
+    OUString ouDescription;
+    /// The Id attribute of the <SignatureProperty> element that contains the <dc:description>.
+    OUString ouDescriptionPropertyId;
 
     SignatureInformation( sal_Int32 nId )
     {
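Review bot: The comment on the new ouDescription field should state when the value can be trusted, because per the commit message the description is only integrity-protected when its `<SignatureProperty>` is referenced from the signed content, and the parse path assigns ouDescription before that is established. I would extend it to `/// Characters of the <dc:description> element inside the signature. Only covered by the signature when ouDescriptionPropertyId is non-empty and that property is one of the signed references; treat as untrusted otherwise.` None of the neighbouring fields carry such a note, so this would also be the first place that documents the date/property coupling a verifier relies on.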
diff --git a/xmlsecurity/inc/xmlsecurity/xmlsignaturehelper.hxx b/xmlsecurity/inc/xmlsecurity/xmlsignaturehelper.hxx
index 9ac33fc..e4c981d 100644
--- a/xmlsecurity/inc/xmlsecurity/xmlsignaturehelper.hxx
+++ b/xmlsecurity/inc/xmlsecurity/xmlsignaturehelper.hxx
@@ -164,6 +164,7 @@ public:
         const OUString& ouX509SerialNumber, const OUString& ouX509Cert);
 
     void        SetDateTime( sal_Int32 nSecurityId, const Date& rDate, const tools::Time& rTime );
+    void SetDescription(sal_Int32 nSecurityId, const OUString& rDescription);
 
     void        AddForSigning( sal_Int32 securityId, const OUString& uri, const OUString& objectURL, bool bBinary );
     bool        CreateAndWriteSignature( const com::sun::star::uno::Reference< com::sun::star::xml::sax::XDocumentHandler >& xDocumentHandler );
diff --git a/xmlsecurity/source/helper/xmlsignaturehelper.cxx b/xmlsecurity/source/helper/xmlsignaturehelper.cxx
index 496d1b5..2498aff 100644
--- a/xmlsecurity/source/helper/xmlsignaturehelper.cxx
+++ b/xmlsecurity/source/helper/xmlsignaturehelper.cxx
@@ -128,6 +128,11 @@ void XMLSignatureHelper::SetDateTime( sal_Int32 nSecurityId, const ::Date& rDate
     mpXSecController->setDate( nSecurityId, stDateTime );
 }
 
+void XMLSignatureHelper::SetDescription(sal_Int32 nSecurityId, const OUString& rDescription)
+{
+    mpXSecController->setDescription(nSecurityId, rDescription);
+}
+
 void XMLSignatureHelper::AddForSigning( sal_Int32 nSecurityId, const OUString& uri, const OUString& objectURL, bool bBinary )
 {
     mpXSecController->signAStream( nSecurityId, uri, objectURL, bBinary );
diff --git a/xmlsecurity/source/helper/xsecctl.cxx b/xmlsecurity/source/helper/xsecctl.cxx
index 3a77b13..eed58b5 100644
--- a/xmlsecurity/source/helper/xsecctl.cxx
+++ b/xmlsecurity/source/helper/xsecctl.cxx
@@ -37,6 +37,7 @@ namespace cssl = com::sun::star::lang;
 namespace cssxc = com::sun::star::xml::crypto;
 namespace cssxs = com::sun::star::xml::sax;
 namespace cssxw = com::sun::star::xml::wrapper;
+using namespace com::sun::star;
 
 /* bridge component names */
 #define XMLSIGNATURE_COMPONENT "com.sun.star.xml.crypto.XMLSignature"
@@ -725,6 +726,7 @@ void XSecController::exportSignature(
     OUString tag_SignatureProperties(TAG_SIGNATUREPROPERTIES);
     OUString tag_SignatureProperty(TAG_SIGNATUREPROPERTY);
     OUString tag_Date(TAG_DATE);
+    OUString tag_Description(TAG_DESCRIPTION);
 
     const SignatureReferenceInformations& vReferenceInfors = signatureInfo.vSignatureReferenceInfors;
     SvXMLAttributeList *pAttributeList;
@@ -944,6 +946,29 @@ void XSecController::exportSignature(
                 }
                 xDocumentHandler->endElement( tag_SignatureProperty );
             }
+
+            // Write signature description.
+            if (!signatureInfo.ouDescription.isEmpty())
+            {
+                // SignatureProperty element.
+                pAttributeList = new SvXMLAttributeList();
+                pAttributeList->AddAttribute(ATTR_ID, signatureInfo.ouDescriptionPropertyId);
+                pAttributeList->AddAttribute(ATTR_TARGET, CHAR_FRAGMENT + signatureInfo.ouSignatureId);
+                xDocumentHandler->startElement(tag_SignatureProperty, uno::Reference<xml::sax::XAttributeList>(pAttributeList));
+
+                {
+                    // Description element.
+                    pAttributeList = new SvXMLAttributeList();
+                    pAttributeList->AddAttribute(ATTR_XMLNS ":" NSTAG_DC, NS_DC);
+
+                    xDocumentHandler->startElement(NSTAG_DC ":" + tag_Description, uno::Reference<xml::sax::XAttributeList>(pAttributeList));
+                    xDocumentHandler->characters(signatureInfo.ouDescription);
+                    xDocumentHandler->endElement(NSTAG_DC ":" + tag_Description);
+                }
+
+                xDocumentHandler->endElement(tag_SignatureProperty);
+            }
+
             xDocumentHandler->endElement( tag_SignatureProperties );
         }
         xDocumentHandler->endElement( tag_Object );
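Review bot: The description `<SignatureProperty>` is written whenever ouDescription is non-empty, but its `Id` comes from ouDescriptionPropertyId, which is only assigned in prepareSignatureToWrite() on the signing side (and in setPropertyId when parsing); if this exporter is ever handed a SignatureInformation with a description but no allocated Id, the output carries `Id=""` and an unreferenced, hence unsigned, description that a verifier would still display. Guarding with `if (!signatureInfo.ouDescription.isEmpty() && !signatureInfo.ouDescriptionPropertyId.isEmpty())` and a `SAL_WARN` on the mismatch would make that failure visible instead of silently emitting an unprotected property. The text itself goes through xDocumentHandler->characters(), so escaping of `<` and `&` is the handler's responsibility, consistent with how the date is written above. exportSignature starts and ends outside this hunk.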
diff --git a/xmlsecurity/source/helper/xsecctl.hxx b/xmlsecurity/source/helper/xsecctl.hxx
index f354bbb..22b54e9 100644
--- a/xmlsecurity/source/helper/xsecctl.hxx
+++ b/xmlsecurity/source/helper/xsecctl.hxx
@@ -79,7 +79,7 @@
 #define TAG_SIGNATUREPROPERTY       "SignatureProperty"
 #define TAG_TIMESTAMP           "timestamp"
 #define TAG_DATE            "date"
-//#define TAG_TIME          "time"
+#define TAG_DESCRIPTION "description"
 
 #define ATTR_XMLNS          "xmlns"
 #define ATTR_ALGORITHM          "Algorithm"
@@ -450,6 +450,7 @@ public:
     void setDate(
         sal_Int32 nSecurityId,
         const ::com::sun::star::util::DateTime& rDateTime );
+    void setDescription(sal_Int32 nSecurityId, const OUString& rDescription);
 
 
     bool WriteSignature(
diff --git a/xmlsecurity/source/helper/xsecsign.cxx b/xmlsecurity/source/helper/xsecsign.cxx
index 42af9d0..1106e11 100644
--- a/xmlsecurity/source/helper/xsecsign.cxx
+++ b/xmlsecurity/source/helper/xsecsign.cxx
@@ -258,6 +258,23 @@ void XSecController::setDate(
     }
 }
 
+void XSecController::setDescription(sal_Int32 nSecurityId, const OUString& rDescription)
+{
+    int nIndex = findSignatureInfor(nSecurityId);
+
+    if (nIndex == -1)
+    {
+        InternalSignatureInformation aInformation(nSecurityId, nullptr);
+        aInformation.signatureInfor.ouDescription = rDescription;
+        m_vInternalSignatureInformations.push_back(aInformation);
+    }
+    else
+    {
+        SignatureInformation& rInformation = m_vInternalSignatureInformations[nIndex].signatureInfor;
+        rInformation.ouDescription = rDescription;
+    }
+}
+
 bool XSecController::WriteSignature(
     const cssu::Reference<cssxs::XDocumentHandler>& xDocumentHandler )
 {
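Review bot: setDescription repeats the find-or-create sequence of setDate just above it (findSignatureInfor, construct InternalSignatureInformation, push_back, else index), so a third property will copy it a third time; a small private helper such as `SignatureInformation& XSecController::getOrCreateSignatureInfor(sal_Int32 nSecurityId)` would let both setters become one-line assignments and keep the creation logic in a single place. On the create branch, `m_vInternalSignatureInformations.push_back(aInformation)` copies the freshly built object; `emplace_back(nSecurityId, nullptr)` followed by assigning `.signatureInfor.ouDescription` avoids that. Both points are style only; the behaviour matches setDate.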
commit 679cc560bc2cfc6c75b8979cc115c9c54e2b0d40
Author: Miklos Vajna <vmiklos at collabora.co.uk>
Date:   Tue Jan 5 09:47:12 2016 +0100

    xmlsecurity: add script to create test certificates
    
    Change-Id: I9280cec602e15e3ae478911360ff7ce68d460474

diff --git a/xmlsecurity/qa/create-certs/create-certs.sh b/xmlsecurity/qa/create-certs/create-certs.sh
new file mode 100755
index 0000000..cc2d317
--- /dev/null
+++ b/xmlsecurity/qa/create-certs/create-certs.sh
@@ -0,0 +1,164 @@
+#!/bin/bash -e
+#
+# This file is part of the LibreOffice project.
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# The purpose of this script is to create certificates to be able to test ODF signing code.
+#
+# What it does:
+#
+# 1) Create a test root CA.
+#
+# 2) Create an intermediate CA, as signing certificates with a root CA is
+# considered unsafe.
+#
+# 3) Create two client certificates that can be used to sign ODF documents in
+# LibreOffice.
+#
+# References:
+#
+# <https://jamielinux.com/docs/openssl-certificate-authority/> for most of the
+# commands.
+#
+# <https://www.sslshopper.com/article-most-common-openssl-commands.html> for
+# the PKCS#12 export of self-signed certificates
+#
+
+root="$PWD"
+
+if [ -d "$root/ca" ]; then
+    echo "'ca' directory already exists in $root, please remove it before running this script."
+    exit 1
+fi
+
+if [ -z "$SSLPASS" ]; then
+    # Unless specified otherwise, we'll use this as a password everywhere.
+    export SSLPASS="xmlsecurity"
+fi
+
+# 1) Create the root pair.
+
+mkdir "$root/ca"
+
+cd "$root/ca"
+mkdir certs crl newcerts private
+chmod 700 private
+touch index.txt
+echo 1000 > serial
+
+sed "s|@ROOT@|$root|g" "$root/templates/root.cnf" > "$root/ca/openssl.cnf"
+
+# Create the root key.
+cd "$root/ca"
+openssl genrsa -aes256 -out private/ca.key.pem -passout env:SSLPASS 4096
+chmod 400 private/ca.key.pem
+
+# Create the root certificate.
+cd "$root/ca"
+openssl req -config openssl.cnf \
+    -key private/ca.key.pem \
+    -new -x509 -days 7300 -sha256 -extensions v3_ca \
+    -out certs/ca.cert.pem \
+    -passin env:SSLPASS \
+    -subj '/C=UK/ST=England/O=Xmlsecurity Test/CN=Xmlsecurity Test Root CA'
+chmod 444 certs/ca.cert.pem
+
+# 2) Create the intermediate pair.
+
+# Prepare the directory.
+mkdir "$root/ca/intermediate"
+cd "$root/ca/intermediate"
+mkdir certs crl csr newcerts private
+chmod 700 private
+touch index.txt
+echo 1000 > serial
+
+# crlnumber is used to keep track of certificate revocation lists.
+echo 1000 > "$root/ca/intermediate/crlnumber"
+
+# Copy the intermediate CA configuration file.
+sed "s|@ROOT@|$root|g" "$root/templates/intermediate.cnf" > "$root/ca/intermediate/openssl.cnf"
+
+# Create the intermediate key.
+
+cd "$root/ca"
+openssl genrsa -aes256 \
+    -out intermediate/private/intermediate.key.pem \
+    -passout env:SSLPASS 4096
+chmod 400 intermediate/private/intermediate.key.pem
+
+# Create the intermediate certificate.
+
+# Intermediate key.
+cd "$root/ca"
+openssl req -config intermediate/openssl.cnf -new -sha256 \
+    -key intermediate/private/intermediate.key.pem \
+    -out intermediate/csr/intermediate.csr.pem \
+    -passin env:SSLPASS \
+    -subj '/C=UK/ST=England/O=Xmlsecurity Test/CN=Xmlsecurity Intermediate Root CA'
+
+# The certificate itself.
+openssl ca -batch -config openssl.cnf -extensions v3_intermediate_ca \
+    -days 3650 -notext -md sha256 \
+    -in intermediate/csr/intermediate.csr.pem \
+    -passin env:SSLPASS \
+    -out intermediate/certs/intermediate.cert.pem
+chmod 444 intermediate/certs/intermediate.cert.pem
+
+# Create the certificate chain file.
+cat intermediate/certs/intermediate.cert.pem \
+    certs/ca.cert.pem > intermediate/certs/ca-chain.cert.pem
+chmod 444 intermediate/certs/ca-chain.cert.pem
+
+# 3) Create the real certificate.
+
+for i in Alice Bob
+do
+    # Create a key.
+    cd "$root/ca"
+    openssl genrsa -aes256 \
+        -out intermediate/private/example-xmlsecurity-${i}.key.pem \
+        -passout env:SSLPASS 2048
+    chmod 400 intermediate/private/example-xmlsecurity-${i}.key.pem
+
+    # Create a certificate signing request (CSR).
+
+    cd "$root/ca"
+    openssl req -config intermediate/openssl.cnf \
+        -key intermediate/private/example-xmlsecurity-${i}.key.pem \
+        -new -sha256 -out intermediate/csr/example-xmlsecurity-${i}.csr.pem \
+        -passin env:SSLPASS \
+        -subj "/C=UK/ST=England/O=Xmlsecurity Test/CN=Xmlsecurity Test example ${i}"
+
+    # To create a certificate, use the intermediate CA to sign the CSR.
+    cd "$root/ca"
+    # usr_cert: the cert will be used for signing.
+    openssl ca -batch -config intermediate/openssl.cnf \
+        -extensions usr_cert -days 375 -notext -md sha256 \
+        -in intermediate/csr/example-xmlsecurity-${i}.csr.pem \
+        -passin env:SSLPASS \
+        -out intermediate/certs/example-xmlsecurity-${i}.cert.pem
+    chmod 444 intermediate/certs/example-xmlsecurity-${i}.cert.pem
+
+    # Export it in PKCS#12 format.
+    openssl pkcs12 -export \
+        -out ./intermediate/private/example-xmlsecurity-${i}.cert.p12 \
+        -passout env:SSLPASS \
+        -inkey intermediate/private/example-xmlsecurity-${i}.key.pem \
+        -passin env:SSLPASS \
+        -in intermediate/certs/example-xmlsecurity-${i}.cert.pem \
+        -certfile intermediate/certs/ca-chain.cert.pem
+done
+
+echo
+echo "Authority certificate is at: <$root/ca/intermediate/certs/ca-chain.cert.pem>."
+echo "To be able to import it in Windows, rename the '.pem' extension to '.cer'."
+for i in Alice Bob
+do
+    echo "Signing certificate is at <$root/ca/intermediate/private/example-xmlsecurity-${i}.cert.p12>."
+done
+
+# vim:set shiftwidth=4 expandtab:
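Review bot: The `-e` in the `#!/bin/bash -e` shebang is lost when the script is invoked as `bash create-certs.sh` or sourced, so a failed `openssl ca` step would leave a half-built CA while the script carries on; make `set -e` (ideally `set -eu`) the first command instead. The exported `.p12` bundles contain the private keys but, unlike the `.key.pem` files, are never restricted (the 700 on `private/` only covers them while they stay there), so add `chmod 400 ./intermediate/private/example-xmlsecurity-${i}.cert.p12` after the pkcs12 export. The `sed "s|@ROOT@|$root|g"` substitution breaks if `$PWD` contains a `|`, which is minor for a test script but worth a one-line comment. Note also that the leaf certificates are issued with `-days 375`, so any fixture documents signed with them will need the tests to tolerate an expired certificate or be regenerated roughly yearly.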
diff --git a/xmlsecurity/qa/create-certs/templates/intermediate.cnf b/xmlsecurity/qa/create-certs/templates/intermediate.cnf
new file mode 100644
index 0000000..c6fd12d
--- /dev/null
+++ b/xmlsecurity/qa/create-certs/templates/intermediate.cnf
@@ -0,0 +1,132 @@
+# OpenSSL intermediate CA configuration file.
+# Copy to `$root/ca/intermediate/openssl.cnf`.
+
+[ ca ]
+# `man ca`
+default_ca = CA_default
+
+[ CA_default ]
+# Directory and file locations.
+dir               = @ROOT@/ca/intermediate
+certs             = $dir/certs
+crl_dir           = $dir/crl
+new_certs_dir     = $dir/newcerts
+database          = $dir/index.txt
+serial            = $dir/serial
+RANDFILE          = $dir/private/.rand
+
+# The root key and root certificate.
+private_key       = $dir/private/intermediate.key.pem
+certificate       = $dir/certs/intermediate.cert.pem
+
+# For certificate revocation lists.
+crlnumber         = $dir/crlnumber
+crl               = $dir/crl/intermediate.crl.pem
+crl_extensions    = crl_ext
+default_crl_days  = 30
+
+# SHA-1 is deprecated, so use SHA-2 instead.
+default_md        = sha256
+
+name_opt          = ca_default
+cert_opt          = ca_default
+default_days      = 375
+preserve          = no
+policy            = policy_loose
+
+[ policy_strict ]
+# The root CA should only sign intermediate certificates that match.
+# See the POLICY FORMAT section of `man ca`.
+countryName             = match
+stateOrProvinceName     = match
+organizationName        = match
+organizationalUnitName  = optional
+commonName              = supplied
+emailAddress            = optional
+
+[ policy_loose ]
+# Allow the intermediate CA to sign a more diverse range of certificates.
+# See the POLICY FORMAT section of the `ca` man page.
+countryName             = optional
+stateOrProvinceName     = optional
+localityName            = optional
+organizationName        = optional
+organizationalUnitName  = optional
+commonName              = supplied
+emailAddress            = optional
+
+[ req ]
+# Options for the `req` tool (`man req`).
+default_bits        = 2048
+distinguished_name  = req_distinguished_name
+string_mask         = utf8only
+
+# SHA-1 is deprecated, so use SHA-2 instead.
+default_md          = sha256
+
+# Extension to add when the -x509 option is used.
+x509_extensions     = v3_ca
+
+[ req_distinguished_name ]
+# See <https://en.wikipedia.org/wiki/Certificate_signing_request>.
+countryName                     = Country Name (2 letter code)
+stateOrProvinceName             = State or Province Name
+localityName                    = Locality Name
+0.organizationName              = Organization Name
+organizationalUnitName          = Organizational Unit Name
+commonName                      = Common Name
+emailAddress                    = Email Address
+
+# Optionally, specify some defaults.
+countryName_default             = GB
+stateOrProvinceName_default     = England
+localityName_default            =
+0.organizationName_default      = Xmlsecurity Test
+organizationalUnitName_default  =
+emailAddress_default            =
+
+[ v3_ca ]
+# Extensions for a typical CA (`man x509v3_config`).
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+basicConstraints = critical, CA:true
+keyUsage = critical, digitalSignature, cRLSign, keyCertSign
+
+[ v3_intermediate_ca ]
+# Extensions for a typical intermediate CA (`man x509v3_config`).
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+basicConstraints = critical, CA:true, pathlen:0
+keyUsage = critical, digitalSignature, cRLSign, keyCertSign
+
+[ usr_cert ]
+# Extensions for client certificates (`man x509v3_config`).
+basicConstraints = CA:FALSE
+nsCertType = client, email
+nsComment = "OpenSSL Generated Client Certificate"
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer
+keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
+extendedKeyUsage = clientAuth, emailProtection
+
+[ server_cert ]
+# Extensions for server certificates (`man x509v3_config`).
+basicConstraints = CA:FALSE
+nsCertType = server
+nsComment = "OpenSSL Generated Server Certificate"
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer:always
+keyUsage = critical, digitalSignature, keyEncipherment
+extendedKeyUsage = serverAuth
+
+[ crl_ext ]
+# Extension for CRLs (`man x509v3_config`).
+authorityKeyIdentifier=keyid:always
+
+[ ocsp ]
+# Extension for OCSP signing certificates (`man ocsp`).
+basicConstraints = CA:FALSE
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer
+keyUsage = critical, digitalSignature
+extendedKeyUsage = critical, OCSPSigning
diff --git a/xmlsecurity/qa/create-certs/templates/root.cnf b/xmlsecurity/qa/create-certs/templates/root.cnf
new file mode 100644
index 0000000..1298d74
--- /dev/null
+++ b/xmlsecurity/qa/create-certs/templates/root.cnf
@@ -0,0 +1,132 @@
+# OpenSSL root CA configuration file.
+# Copy to `$root/ca/openssl.cnf`.
+
+[ ca ]
+# `man ca`
+default_ca = CA_default
+
+[ CA_default ]
+# Directory and file locations.
+dir               = @ROOT@/ca
+certs             = $dir/certs
+crl_dir           = $dir/crl
+new_certs_dir     = $dir/newcerts
+database          = $dir/index.txt
+serial            = $dir/serial
+RANDFILE          = $dir/private/.rand
+
+# The root key and root certificate.
+private_key       = $dir/private/ca.key.pem
+certificate       = $dir/certs/ca.cert.pem
+
+# For certificate revocation lists.
+crlnumber         = $dir/crlnumber
+crl               = $dir/crl/ca.crl.pem
+crl_extensions    = crl_ext
+default_crl_days  = 30
+
+# SHA-1 is deprecated, so use SHA-2 instead.
+default_md        = sha256
+
+name_opt          = ca_default
+cert_opt          = ca_default
+default_days      = 375
+preserve          = no
+policy            = policy_strict
+
+[ policy_strict ]
+# The root CA should only sign intermediate certificates that match.
+# See the POLICY FORMAT section of `man ca`.
+countryName             = match
+stateOrProvinceName     = match
+organizationName        = match
+organizationalUnitName  = optional
+commonName              = supplied
+emailAddress            = optional
+
+[ policy_loose ]
+# Allow the intermediate CA to sign a more diverse range of certificates.
+# See the POLICY FORMAT section of the `ca` man page.
+countryName             = optional
+stateOrProvinceName     = optional
+localityName            = optional
+organizationName        = optional
+organizationalUnitName  = optional
+commonName              = supplied
+emailAddress            = optional
+
+[ req ]
+# Options for the `req` tool (`man req`).
+default_bits        = 2048
+distinguished_name  = req_distinguished_name
+string_mask         = utf8only
+
+# SHA-1 is deprecated, so use SHA-2 instead.
+default_md          = sha256
+
+# Extension to add when the -x509 option is used.
+x509_extensions     = v3_ca
+
+[ req_distinguished_name ]
+# See <https://en.wikipedia.org/wiki/Certificate_signing_request>.
+countryName                     = Country Name (2 letter code)
+stateOrProvinceName             = State or Province Name
+localityName                    = Locality Name
+0.organizationName              = Organization Name
+organizationalUnitName          = Organizational Unit Name
+commonName                      = Common Name
+emailAddress                    = Email Address
+
+# Optionally, specify some defaults.
+countryName_default             = GB
+stateOrProvinceName_default     = England
+localityName_default            =
+0.organizationName_default      = Xmlsecurity Test
+organizationalUnitName_default  =
+emailAddress_default            =
+
+[ v3_ca ]
+# Extensions for a typical CA (`man x509v3_config`).
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+basicConstraints = critical, CA:true
+keyUsage = critical, digitalSignature, cRLSign, keyCertSign
+
+[ v3_intermediate_ca ]
+# Extensions for a typical intermediate CA (`man x509v3_config`).
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+basicConstraints = critical, CA:true, pathlen:0
+keyUsage = critical, digitalSignature, cRLSign, keyCertSign
+
+[ usr_cert ]
+# Extensions for client certificates (`man x509v3_config`).
+basicConstraints = CA:FALSE
+nsCertType = client, email
+nsComment = "OpenSSL Generated Client Certificate"
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer
+keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
+extendedKeyUsage = clientAuth, emailProtection
+
+[ server_cert ]
+# Extensions for server certificates (`man x509v3_config`).
+basicConstraints = CA:FALSE
+nsCertType = server
+nsComment = "OpenSSL Generated Server Certificate"
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer:always
+keyUsage = critical, digitalSignature, keyEncipherment
+extendedKeyUsage = serverAuth
+
+[ crl_ext ]
+# Extension for CRLs (`man x509v3_config`).
+authorityKeyIdentifier=keyid:always
+
+[ ocsp ]
+# Extension for OCSP signing certificates (`man ocsp`).
+basicConstraints = CA:FALSE
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer
+keyUsage = critical, digitalSignature
+extendedKeyUsage = critical, OCSPSigning
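Review bot: root.cnf carries `[ policy_loose ]`, `[ usr_cert ]`, `[ server_cert ]` and `[ ocsp ]` verbatim from intermediate.cnf, none of which the script ever selects for the root (it passes only `v3_ca` and `v3_intermediate_ca`), and keeping leaf-certificate profiles in the root configuration invites exactly the "sign end-entity certificates with the root" shortcut the script header calls unsafe. I would drop those sections from root.cnf, or at least precede each with `# Not used by the root CA; the root only issues the intermediate via v3_intermediate_ca.` so the two templates cannot drift apart unnoticed.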

