gfwleak/luwenpeng-certificate
Archived
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

TSG-7583: 自签发证书用于TSG各组件间加密通信

Browse Source
This commit is contained in:
luwenpeng
2021-08-31 17:53:17 +08:00
parent 917c5cfaf7
commit b94a73294d
6 changed files with 208 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

59
README.md
View File

@@ -1 +1,58 @@
签发证书用于各组件间加密通信 # 自签发证书用于TSG各组件间加密通信
**注意**
* 证书有效 20 年
* 为了前向保密使用椭圆曲线prime256v1而未使用RSA
**证书信息**
```
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 15951331750435990784 (0xdd5e83b69725ad00)
Signature Algorithm: ecdsa-with-SHA256
Issuer: C=US, ST=California, L=San Francisco, O=Gdnt-cloud, CN=*.gdnt-cloud.com
Validity
Not Before: Aug 31 05:59:42 2021 GMT
Not After : Aug 29 05:59:42 2031 GMT
Subject: C=US, ST=California, L=San Francisco, O=Gdnt-cloud, CN=*.gdnt-cloud.com
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
Public-Key: (256 bit)
pub:
04:49:70:50:9d:7b:57:ad:f3:61:99:8d:99:ab:ec:
cf:27:b3:1e:dd:42:48:b7:48:9e:af:11:f5:71:ad:
13:ba:01:a0:24:81:ee:9e:ab:59:a0:d0:cc:98:44:
27:36:8f:c4:3e:5b:87:e8:cb:6b:65:57:0c:b0:44:
90:a2:2a:7b:f3
ASN1 OID: prime256v1
NIST CURVE: P-256
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
X509v3 Subject Alternative Name:
DNS:*.gdnt-cloud.com, DNS:gdnt-cloud.com
Signature Algorithm: ecdsa-with-SHA256
30:45:02:20:18:b9:48:84:e3:34:6e:cf:ff:9a:95:b3:a1:32:
27:61:3d:eb:4d:8a:88:d5:12:d4:46:d8:dc:22:77:df:3d:18:
02:21:00:c9:24:3e:30:eb:53:11:2c:51:cd:18:24:c6:e4:07:
16:4b:72:08:6c:91:5a:6a:ab:90:e1:03:11:2d:63:f9:04
-----BEGIN CERTIFICATE-----
MIICBTCCAaugAwIBAgIJAN1eg7aXJa0AMAoGCCqGSM49BAMCMGoxCzAJBgNVBAYT
AlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1TYW4gRnJhbmNpc2Nv
MRMwEQYDVQQKDApHZG50LWNsb3VkMRkwFwYDVQQDDBAqLmdkbnQtY2xvdWQuY29t
MB4XDTIxMDgzMTA1NTk0MloXDTMxMDgyOTA1NTk0MlowajELMAkGA1UEBhMCVVMx
EzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xEzAR
BgNVBAoMCkdkbnQtY2xvdWQxGTAXBgNVBAMMECouZ2RudC1jbG91ZC5jb20wWTAT
BgcqhkjOPQIBBggqhkjOPQMBBwNCAARJcFCde1et82GZjZmr7M8nsx7dQki3SJ6v
EfVxrRO6AaAkge6eq1mg0MyYRCc2j8Q+W4foy2tlVwywRJCiKnvzozowODAJBgNV
HRMEAjAAMCsGA1UdEQQkMCKCECouZ2RudC1jbG91ZC5jb22CDmdkbnQtY2xvdWQu
Y29tMAoGCCqGSM49BAMCA0gAMEUCIBi5SITjNG7P/5qVs6EyJ2E9602KiNUS1EbY
3CJ33z0YAiEAySQ+MOtTESxRzRgkxuQHFktyCGyRWmqrkOEDES1j+QQ=
-----END CERTIFICATE-----
Not Before: Aug 31 05:59:42 2021 GMT
Not After : Aug 29 05:59:42 2031 GMT
```

21
conf/wildcard.conf Normal file
View File

@@ -0,0 +1,21 @@
[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
req_extensions = req_v3_usr
[ req_distinguished_name ]
countryName = US
stateOrProvinceName = California
localityName = San Francisco
organizationName = Gdnt-cloud
commonName = *.__DOMAIN__
[ req_v3_usr ]
basicConstraints = CA:FALSE
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = *.__DOMAIN__
DNS.2 = __DOMAIN__

13
crt/self-sign.crt Normal file
View File

@@ -0,0 +1,13 @@
-----BEGIN CERTIFICATE-----
MIICBTCCAaugAwIBAgIJAN1eg7aXJa0AMAoGCCqGSM49BAMCMGoxCzAJBgNVBAYT
AlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1TYW4gRnJhbmNpc2Nv
MRMwEQYDVQQKDApHZG50LWNsb3VkMRkwFwYDVQQDDBAqLmdkbnQtY2xvdWQuY29t
MB4XDTIxMDgzMTA1NTk0MloXDTMxMDgyOTA1NTk0MlowajELMAkGA1UEBhMCVVMx
EzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xEzAR
BgNVBAoMCkdkbnQtY2xvdWQxGTAXBgNVBAMMECouZ2RudC1jbG91ZC5jb20wWTAT
BgcqhkjOPQIBBggqhkjOPQMBBwNCAARJcFCde1et82GZjZmr7M8nsx7dQki3SJ6v
EfVxrRO6AaAkge6eq1mg0MyYRCc2j8Q+W4foy2tlVwywRJCiKnvzozowODAJBgNV
HRMEAjAAMCsGA1UdEQQkMCKCECouZ2RudC1jbG91ZC5jb22CDmdkbnQtY2xvdWQu
Y29tMAoGCCqGSM49BAMCA0gAMEUCIBi5SITjNG7P/5qVs6EyJ2E9602KiNUS1EbY
3CJ33z0YAiEAySQ+MOtTESxRzRgkxuQHFktyCGyRWmqrkOEDES1j+QQ=
-----END CERTIFICATE-----

8
key/self-sign.key Normal file
View File

@@ -0,0 +1,8 @@
-----BEGIN EC PARAMETERS-----
BggqhkjOPQMBBw==
-----END EC PARAMETERS-----
-----BEGIN EC PRIVATE KEY-----
MHcCAQEEIC6qFeIiJvkGqYIxpfl14NZ8bOu6Fk0jfLumg39lTTLMoAoGCCqGSM49
AwEHoUQDQgAESXBQnXtXrfNhmY2Zq+zPJ7Me3UJIt0ierxH1ca0TugGgJIHunqtZ
oNDMmEQnNo/EPluH6MtrZVcMsESQoip78w==
-----END EC PRIVATE KEY-----

7
sign.sh Normal file
View File

@@ -0,0 +1,7 @@
#!/bin/bash
openssl ecparam -name secp256r1 -genkey -out key/self-sign.key # 使用椭圆曲线生成私钥
#./tool gen-key key/self-sign.key gdnt-cloud.com 2048 # 使用 RSA 生成私钥
./tool gen-csr csr/self-sign.csr gdnt-cloud.com conf/wildcard.conf key/self-sign.key
./tool self-sign crt/self-sign.crt gdnt-cloud.com 3650 sha256 req_v3_usr conf/wildcard.conf csr/self-sign.csr key/self-sign.key
./tool chain chain.pem gdnt-cloud.com crt/self-sign.crt

101
tool Executable file
View File

@@ -0,0 +1,101 @@
#!/usr/bin/env bash
set -eu
COMMAND=$1
shift
OUT=$1
shift
DOMAIN=$1
shift
mkdir -p $(dirname $OUT)
PREGEN_OUT=$(echo "$OUT" | sed "s#/gen/#/pregen/#")
if [ -e $PREGEN_OUT ]
then
cp $PREGEN_OUT $OUT
exit 0
fi
case "$COMMAND" in
chain)
cat $@ > $OUT
;;
dhparam)
openssl dhparam \
-out $OUT \
$1
;;
gen-csr)
openssl req -new \
-out $OUT \
-config <(cat $1 | sed "s/__DOMAIN__/$DOMAIN/g") \
-key $2
;;
gen-csr-no-subject)
openssl req -new \
-subj / \
-out $OUT \
-config <(cat $1 | sed "s/__DOMAIN__/$DOMAIN/g") \
-key $2
;;
gen-ca)
openssl req -new -x509 -days 7300 \
-out $OUT \
-config $1 \
-key $2
;;
gen-key)
openssl genrsa \
-out $OUT \
$1
;;
gen-ecckey)
openssl ecparam \
-out $OUT \
-name $1 \
-genkey
;;
gen-pkcs12-p12)
openssl pkcs12 \
-out $OUT \
-export \
-clcerts \
-passout "pass:$DOMAIN" \
-in $1 \
-inkey $2
;;
pkcs12-convert-p12-pem)
openssl pkcs12 \
-out $OUT \
-clcerts \
-passin "pass:$DOMAIN" \
-passout "pass:$DOMAIN" \
-in $1
;;
self-sign)
openssl x509 -req -CAcreateserial \
-out $OUT \
-days $1 \
-$2 \
-extensions $3 \
-extfile <(cat $4 | sed "s/__DOMAIN__/$DOMAIN/g") \
-in $5 \
-signkey $6
;;
sign)
openssl x509 \
-req \
-CAcreateserial \
-days $1 \
-$2 \
-out $OUT \
-extensions $3 \
-extfile <(cat $4 | sed "s/__DOMAIN__/$DOMAIN/g") \
-in $5 \
-CAkey $6 \
-CA $7
;;
*)
echo "Unknown command."
exit 1
esac