From 6426496b0133275935b6822205bf9dfa82f890f4 Mon Sep 17 00:00:00 2001
From: loop0day
Date: Wed, 1 May 2019 00:53:31 +0800
Subject: [PATCH 1/3] Add keyUsage to signcsr.cnf

---
 apps/gmca/signcsr.cnf | 1 +
 1 file changed, 1 insertion(+)

diff --git a/apps/gmca/signcsr.cnf b/apps/gmca/signcsr.cnf
index ff9e22dc..6f784d0d 100644
--- a/apps/gmca/signcsr.cnf
+++ b/apps/gmca/signcsr.cnf
@@ -186,6 +186,7 @@ basicConstraints=CA:FALSE
 
 # This is typical in keyUsage for a client certificate.
 # keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+keyUsage = digitalSignature
 
 # This will be displayed in Netscape's comment listbox.
 nsComment = "OpenSSL Generated Certificate"

From 879c1b4a15a3e21f72fc9081437a1af5bb088ca7 Mon Sep 17 00:00:00 2001
From: loop0day
Date: Wed, 1 May 2019 00:54:26 +0800
Subject: [PATCH 2/3] Change dir from ./demoCA to .ca

---
 apps/gmca/signenccsr.cnf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/apps/gmca/signenccsr.cnf b/apps/gmca/signenccsr.cnf
index ea9542aa..2a21fd42 100644
--- a/apps/gmca/signenccsr.cnf
+++ b/apps/gmca/signenccsr.cnf
@@ -15,7 +15,7 @@ default_ca = CA_default # The default ca section
 
 ####################################################################
 [ CA_default ]
-dir = ./demoCA # Where everything is kept
+dir = .ca # Where everything is kept
 certs = $dir/certs # Where the issued certs are kept
 crl_dir = $dir/crl # Where the issued crl are kept
 database = $dir/index.txt # database index file.

From 66cc664a2361649962fa4dbc79d406f351c174d5 Mon Sep 17 00:00:00 2001
From: loop0day
Date: Wed, 1 May 2019 01:04:18 +0800
Subject: [PATCH 3/3] 1. Change $ca_usercert_dir to $ca_cert_dir in function signcsr 2. Fix some typos in function getcertbyserial 3. Add function revokecertbyname 4. Export signenccsr, genenccert and revokecertbyname operations

---
 apps/gmca/gmca | 28 ++++++++++++++++++++++++++--
 1 file changed, 26 insertions(+), 2 deletions(-)

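Review bot: The new `keyUsage = digitalSignature` in signcsr.cnf is not flagged critical, so a relying party is free to disregard the restriction; the usual form for an end-entity usage restriction is `keyUsage = critical, digitalSignature`. It also leaves out the `nonRepudiation` bit suggested by the commented example directly above, which is the bit the signing half of a sign/encrypt certificate pair normally carries when its signatures are meant to commit the holder — worth a deliberate decision rather than an omission. Whether the encryption template (signenccsr.cnf, touched in the next patch) restricts its certificates to `keyEncipherment`/`dataEncipherment` is not visible in this series; without that, the two halves of a dual-certificate pair are not kept apart by the extension.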
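Review bot: `dir = .ca` makes the encryption-certificate template keep `$dir/index.txt` and the rest of its CA state under `.ca`, while the companion signcsr.cnf edited in the previous patch is not shown to change its `dir`; if it still says `./demoCA`, the two `gmssl ca` invocations maintain separate databases and serial files, so serial numbers can collide and any by-name lookup in the gmca script sees only half of the issued certificates. Confirm both templates resolve to the same directory, and consider `./.ca` to keep the explicit relative form the old value had. The path is relative to the working directory, which the caller already depends on via `-config ./signenccsr.cnf`, so this does not add a new assumption on its own.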
diff --git a/apps/gmca/gmca b/apps/gmca/gmca
index 29a10757..83299cc4 100755
--- a/apps/gmca/gmca
+++ b/apps/gmca/gmca
@@ -234,7 +234,7 @@ function signenccsr {
 common_name=$1
 csrfile="$ca_csr_dir/$common_name.csr"
 subject="$user_dn_enc_prefix/CN=$common_name"
- gmssl ca -config ./signenccsr.cnf -batch -subj=$subject -md $md -days 365 -outdir $ca_usercert_dir -infiles "$csrfile"
+ gmssl ca -config ./signenccsr.cnf -batch -subj=$subject -md $md -days 365 -outdir $ca_cert_dir -infiles "$csrfile"
 }
 
 function gencert {
@@ -277,7 +277,7 @@ function listcertsbyname {
 function getcertbyserial {
 #FIXME: check argument exist
 local serial=$1
- local cerfile=$ca_cert_dir/$serial.pem
+ local certfile=$ca_cert_dir/$serial.pem
 gmssl x509 -in $certfile
 }
 
@@ -320,6 +320,12 @@ function _revokecertfile {
 #gmssl ca -config ./ca.cnf -valid $certfile
 }
 
+function revokecertbyname {
+ common_name=$1
+ serial=`awk -F'\t' '{print $2,$4,$6}' $ca_index_file | grep -E "CN=$common_name$" | awk '{print $2}'`
+ _revokecertfile "$ca_cert_dir/$serial.pem"
+}
+
 function revokecertbyserial {
 serial=$1
 _revokecertfile "$ca_cert_dir/$serial.pem"
@@ -408,6 +414,12 @@ case $opt in
 shift
 shift
 ;;
+ -signenccsr)
+ common_name="$2"
+ signenccsr "$common_name"
+ shift
+ shift
+ ;;
 -rejectcsr)
 common_name="$2"
 rejectcsr "$common_name"
@@ -420,6 +432,12 @@ case $opt in
 shift
 shift
 ;;
+ -genenccert)
+ common_name="$2"
+ genenccert $common_name
+ shift
+ shift
+ ;;
 -listcerts)
 listcerts
 shift
@@ -452,6 +470,12 @@ case $opt in
 revokereasons
 shift
 ;;
+ -revokecertbyname)
+ name="$2"
+ revokecertbyname "$name"
+ shift
+ shift
+ ;;
 -revokecert)
 certfile="$2"
 revokebycert "$certfile"
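Review bot: The corrected `gmssl ca` line in `signenccsr` still passes `$subject`, `$md` and `$ca_cert_dir` unquoted, and `$subject` ends in the caller-supplied `$common_name`, so a CN containing whitespace or a glob character is word-split into extra arguments before `ca` parses it; `-subj="$subject" -md "$md" -days 365 -outdir "$ca_cert_dir"` keeps the same form with the values intact. The commit subject says the change is in `signcsr`, but the function in this hunk is `signenccsr`, so the title is misleading. Writing encryption certificates to `$ca_cert_dir` as well means one CN can now correspond to several rows in the CA index, which any by-name lookup in this script has to tolerate.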
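Review bot: The rename fixes the dangling `$certfile` reference in `getcertbyserial`, but the `#FIXME: check argument exist` directly above it still stands: with no argument `$serial` is empty and `gmssl x509 -in $certfile` runs on `$ca_cert_dir/.pem`. A guard such as `[ -n "$serial" ] || { echo "serial required" >&2; return 1; }` before the assignment, together with `gmssl x509 -in "$certfile"`, closes it without changing the function's interface.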
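Review bot: `revokecertbyname` neither filters on certificate status nor expects more than one match, so when the index holds several rows whose DN ends in `CN=$common_name` — an earlier, already-revoked certificate, or a signing and an encryption certificate issued to the same CN, which `signenccsr` above produces with the same `CN=$common_name` — `serial` becomes a newline-separated list and `_revokecertfile` is called once with `$ca_cert_dir/<serial1>\n<serial2>.pem`. `$common_name` is also interpolated into the `grep -E` pattern unescaped, so `.`, `+` or `(` in a name change what matches, and an empty name yields the pattern `CN=$`. Assuming the standard index.txt layout (status, expiry, revocation date, serial, file, DN in slash form), selecting only `V` rows with a literal suffix comparison inside awk and revoking each serial in turn avoids all three; whether a CN with no valid certificate should be reported as an error is left unstated by the current body and deserves a comment either way.
```shell
function revokecertbyname {
    local common_name=$1
    local serial
    [ -n "$common_name" ] || { echo "revokecertbyname: common name required" >&2; return 1; }
    # Only rows still valid (status V) whose DN ends in "/CN=<common_name>", compared
    # literally rather than as a regex; a CN may own more than one certificate.
    for serial in $(awk -F'\t' -v cn="$common_name" \
            '$1 == "V" && substr($6, length($6) - length(cn) - 3) == ("/CN=" cn) { print $4 }' \
            "$ca_index_file"); do
        _revokecertfile "$ca_cert_dir/$serial.pem"
    done
}
```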
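Review bot: The new `-signenccsr)` arm — and likewise the `-genenccert)` and `-revokecertbyname)` arms in the two following hunks of this file — reads `$2` without checking that it was supplied, so `gmca -signenccsr` with no name calls `signenccsr ""`, which per the first hunk builds `$ca_csr_dir/.csr` and a subject ending in an empty `CN=`, and the unconditional second `shift` then has nothing left to consume. A guard such as `[ -n "$2" ] || { echo "$opt requires a common name" >&2; exit 1; }` at the top of each arm covers it. The enclosing `case $opt in` starts and ends outside the hunk.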
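Review bot: `genenccert $common_name` is the only one of the new dispatch arms that passes the name unquoted; the neighbouring arms use `signenccsr "$common_name"` and `revokecertbyname "$name"`, and an unquoted value undergoes word splitting and globbing, so a name with a space reaches `genenccert` as two arguments. Write it as `genenccert "$common_name"`. `genenccert` itself is not defined in this diff, so whether it tolerates a split name cannot be checked here.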
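Review bot: The `-revokecertbyname)` arm stores its argument in `name`, while every other arm in this file that takes a common name (`-signenccsr)`, `-genenccert)`, `-rejectcsr)`) uses `common_name`; `common_name="$2"` and `revokecertbyname "$common_name"` keep the dispatch table uniform and avoid introducing a second global for the same value. Like its siblings, the arm also ignores the function's exit status, so a revocation that fails inside `_revokecertfile` is indistinguishable from success at the command line.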