[PATCH 1/2] hs20-ca: Update key generation scripts and files.
greearb at candelatech.com
greearb
Mon Mar 23 11:05:42 PDT 2015
From: Ben Greear <greearb at candelatech.com>
This lets us override the default w1.fi-related strings so that
keys and certificates can be generated with names and URIs that
work with the OCSP process.
Signed-off-by: Ben Greear <greearb at candelatech.com>
---
hs20/server/ca/openssl.cnf | 12 ++++++------
hs20/server/ca/setup.sh | 42 ++++++++++++++++++++++++++++++------------
2 files changed, 36 insertions(+), 18 deletions(-)
diff --git a/hs20/server/ca/openssl.cnf b/hs20/server/ca/openssl.cnf
index e29e737..c614479 100644
--- a/hs20/server/ca/openssl.cnf
+++ b/hs20/server/ca/openssl.cnf
@@ -95,7 +95,7 @@ localityName = Locality Name (eg, city)
localityName_default = Tuusula
0.organizationName = Organization Name (eg, company)
-0.organizationName_default = w1.fi
+0.organizationName_default = @DOMAIN@
##organizationalUnitName = Organizational Unit Name (eg, section)
#organizationalUnitName_default =
@@ -117,10 +117,10 @@ subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, cRLSign, keyCertSign
-authorityInfoAccess = OCSP;URI:http://osu.w1.fi:8888/
+authorityInfoAccess = OCSP;URI:@OCSP_URI@
# For SP intermediate CA
#subjectAltName=critical,otherName:1.3.6.1.4.1.40808.1.1.1;UTF8String:engExample OSU
-#nameConstraints=permitted;DNS:.w1.fi
+#nameConstraints=permitted;DNS:. at DOMAIN@
#1.3.6.1.5.5.7.1.12=ASN1:SEQUENCE:LogotypeExtn
[ v3_osu_server ]
@@ -159,7 +159,7 @@ algorithm=OID:sha256
[sha1_alg]
algorithm=OID:sha1
[URI]
-uri=IA5STRING:http://osu.w1.fi/w1fi_logo.png
+uri=IA5STRING:@LOGO_URI@
[LogotypeImageInfo]
# default value color(1), component optional
#type=IMP:0,INTEGER:1
@@ -184,7 +184,7 @@ extendedKeyUsage = OCSPSigning
basicConstraints=CA:FALSE
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
-authorityInfoAccess = OCSP;URI:http://osu.w1.fi:8888/
+authorityInfoAccess = OCSP;@OCSP_URI@
#@ALTNAME@
extendedKeyUsage = clientAuth
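Review bot: The substituted `authorityInfoAccess` line in this hunk drops the `URI:` access-location prefix — `authorityInfoAccess = OCSP;@OCSP_URI@` — whereas the line it replaces and the same substitution in the next hunk keep `OCSP;URI:@OCSP_URI@`. Once setup.sh expands the placeholder this becomes `OCSP;http://ocsp.<domain>:8888/`, which is not the `<method>;<GeneralName-type>:<value>` form OpenSSL reads for this extension, so the section using it would presumably fail to parse or be issued without a usable OCSP pointer. It should read `authorityInfoAccess = OCSP;URI:@OCSP_URI@`.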
@@ -194,7 +194,7 @@ extendedKeyUsage = clientAuth
basicConstraints=critical, CA:FALSE
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
-authorityInfoAccess = OCSP;URI:http://osu.w1.fi:8888/
+authorityInfoAccess = OCSP;URI:@OCSP_URI@
#@ALTNAME@
extendedKeyUsage = critical, serverAuth
keyUsage = critical, keyEncipherment
diff --git a/hs20/server/ca/setup.sh b/hs20/server/ca/setup.sh
index fcf24ad..35d32b1 100755
--- a/hs20/server/ca/setup.sh
+++ b/hs20/server/ca/setup.sh
@@ -5,41 +5,52 @@ if [ -z "$OPENSSL" ]; then
fi
export OPENSSL_CONF=$PWD/openssl.cnf
PASS=whatever
-CNI="w1.fi Hotspot 2.0 Intermediate CA"
+if [ -z "$DOMAIN" ]; then
+ DOMAIN=w1.fi
+fi
+CNI="$DOMAIN Hotspot 2.0 Intermediate CA"
CNR="Hotspot 2.0 Trust Root CA - 99"
-CNO="ocsp.w1.fi"
-CNV="osu-revoked.w1.fi"
-CNOC="osu-client.w1.fi"
-SERVERNAME="osu.w1.fi"
+CNO="ocsp.$DOMAIN"
+CNV="osu-revoked.$DOMAIN"
+CNOC="osu-client.$DOMAIN"
+SERVERNAME="osu.$DOMAIN"
DNS=$SERVERNAME
DEBUG=0
+OCSP_URI="http://$CNO:8888/"
+LOGO_URI="http://osu.w1.fi/w1fi_logo.png"
# Command line over-rides
USAGE=$( cat <<EOF
Usage:\n
# -C: SSL Commonname for Root CA ($CNR)\n
# -d: DNS Name ($DNS)\n
-# -D: Enable debugging (set -x, etc)
+# -D: Enable debugging (set -x, etc)\n
+# -h: Show this help message\n
# -I: SSL Commonname for Intermediate CA ($CNI)\n
+# -m: Domain ($DOMAIN)\n
# -o: SSL Commonname for OSU-Client Server ($CNOC)\n
# -O: SSL Commonname for OCSP Server ($CNO)\n
# -p: password ($PASS)\n
# -S: servername ($SERVERNAME)\n
+# -u: OCSP-URI ($OCSP_URI)\n
# -V: SSL Commonname for OSU-Revoked Server ($CNV)\n
EOF
)
-while getopts "C:d:DI:o:O:p:S:V:" flag
+while getopts "C:d:DI:m:o:O:p:S:u:V:h" flag
do
case $flag in
C) CNR=$OPTARG;;
d) DNS=$OPTARG;;
D) DEBUG=1;;
+ h) echo -e $USAGE; exit 0;;
I) CNI=$OPTARG;;
+ m) DOMAIN=$OPTARG;;
o) CNOC=$OPTARG;;
O) CNO=$OPTARG;;
p) PASS=$OPTARG;;
S) SERVERNAME=$OPTARG;;
+ u) OCSP_URI=$OPTARG;;
V) CNV=$OPTARG;;
*) echo "Un-known flag: $flag"; echo -e $USAGE;exit 1;;
esac
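Review bot: The new `m) DOMAIN=$OPTARG;;` arm does not reach the names it is meant to change: `CNI`, `CNO`, `CNV`, `CNOC`, `SERVERNAME`, `DNS` and `OCSP_URI` are all derived from `$DOMAIN` above the `getopts` loop, so `setup.sh -m example.com` still yields `ocsp.w1.fi`, `osu.w1.fi` and an `http://ocsp.w1.fi:8888/` AIA unless each one is also passed explicitly, and `-O` likewise leaves `OCSP_URI` pointing at the old `CNO`. `LOGO_URI` is in the same position but worse, since it stays hard-coded to `osu.w1.fi` with no flag at all, so a non-w1.fi deployment still embeds a w1.fi logo URI in its certificates. Deriving the defaults after the loop's `done` (which is outside this hunk) fixes both; one way is to leave the derived variables empty up front, fill in whatever the command line did not set, and show the derivation rule rather than the value in the usage text.

```sh
# … after the getopts loop's `done` (outside this hunk): derive only what
# was not given explicitly, so -m/-O/-S take effect …
: "${CNI:=$DOMAIN Hotspot 2.0 Intermediate CA}"
: "${CNO:=ocsp.$DOMAIN}"
: "${CNV:=osu-revoked.$DOMAIN}"
: "${CNOC:=osu-client.$DOMAIN}"
: "${SERVERNAME:=osu.$DOMAIN}"
: "${DNS:=$SERVERNAME}"
: "${OCSP_URI:=http://$CNO:8888/}"
: "${LOGO_URI:=http://$SERVERNAME/w1fi_logo.png}"
```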
@@ -74,10 +85,17 @@ else
cp openssl.cnf.orig openssl.cnf
fi
-# Set the password accordingly.
-cat openssl-root.cnf | sed "s/@PASSWORD@/$PASS/" > openssl-root.cnf.tmp
+# Set the password and some other common config accordingly.
+cat openssl-root.cnf | sed "s/@PASSWORD@/$PASS/" \
+ > openssl-root.cnf.tmp
mv openssl-root.cnf.tmp openssl-root.cnf
-cat openssl.cnf | sed "s/@PASSWORD@/$PASS/" > openssl.cnf.tmp
+
+set -x
+cat openssl.cnf | sed "s/@PASSWORD@/$PASS/" |
+sed "s, at OCSP_URI@,$OCSP_URI," |
+sed "s, at LOGO_URI@,$LOGO_URI," |
+sed "s/@DOMAIN@/$DOMAIN/" \
+ > openssl.cnf.tmp
mv openssl.cnf.tmp openssl.cnf
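Review bot: The unconditional `set -x` added just before the `cat openssl.cnf | sed ...` pipeline traces every subsequent command to stderr, including `sed "s/@PASSWORD@/$PASS/"` with the key password expanded, and nothing turns it back off; the script already has the `-D` flag and `DEBUG` variable for this, so the line should be dropped (or at most `[ "$DEBUG" = 1 ] && set -x`). The substitutions also paste `$OCSP_URI`, `$LOGO_URI` and `$DOMAIN` verbatim into sed expressions, so a URI containing `,` or a domain containing `/` or `&` silently breaks or corrupts the generated openssl.cnf; either reject such values up front or escape the delimiter and `&` before substituting. The four chained `sed` invocations could be one `sed -e ... -e ...` reading the file directly, which also removes the `cat`.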
@@ -155,8 +173,8 @@ echo "---[ Server ]-----------------------------------------------------------"
echo
ALT="DNS:$DNS"
-ALT="$ALT,otherName:1.3.6.1.4.1.40808.1.1.1;UTF8String:engw1.fi TESTING USE"
-ALT="$ALT,otherName:1.3.6.1.4.1.40808.1.1.1;UTF8String:finw1.fi TESTIK??YTT??"
+ALT="$ALT,otherName:1.3.6.1.4.1.40808.1.1.1;UTF8String:eng$DOMAIN TESTING USE"
+ALT="$ALT,otherName:1.3.6.1.4.1.40808.1.1.1;UTF8String:fin$DOMAIN TESTIK??YTT??"
cat openssl.cnf |
sed "s/#@CN@/commonName_default = $SERVERNAME/" |
--
1.9.3