From 28a36efd03061be6ee5f736d109ba476e425d2aa Mon Sep 17 00:00:00 2001 From: Louis Hampton Date: Thu, 18 May 2023 18:42:24 +0100 Subject: [PATCH] Add basic OCSP support to create_certs.sh --- .gitignore | 2 + iso15118/shared/pki/configs/ca.cnf | 16 ++++++ .../shared/pki/configs/contractLeafCert.cnf | 2 +- iso15118/shared/pki/configs/cpoSubCA1Cert.cnf | 1 + iso15118/shared/pki/configs/cpoSubCA2Cert.cnf | 2 +- iso15118/shared/pki/configs/cpsLeafCert.cnf | 2 +- iso15118/shared/pki/configs/cpsSubCA1Cert.cnf | 2 +- iso15118/shared/pki/configs/cpsSubCA2Cert.cnf | 2 +- iso15118/shared/pki/configs/moRootCACert.cnf | 2 +- iso15118/shared/pki/configs/moSubCA1Cert.cnf | 2 +- iso15118/shared/pki/configs/moSubCA2Cert.cnf | 2 +- iso15118/shared/pki/configs/ocspLocalhost.cnf | 15 ++++++ iso15118/shared/pki/configs/oemLeafCert.cnf | 2 +- iso15118/shared/pki/configs/oemRootCACert.cnf | 2 +- iso15118/shared/pki/configs/oemSubCA1Cert.cnf | 2 +- iso15118/shared/pki/configs/oemSubCA2Cert.cnf | 2 +- iso15118/shared/pki/configs/seccLeafCert.cnf | 2 +- iso15118/shared/pki/configs/v2gRootCACert.cnf | 2 +- iso15118/shared/pki/create_certs.sh | 51 ++++++++++++++++--- 19 files changed, 91 insertions(+), 22 deletions(-) create mode 100644 iso15118/shared/pki/configs/ca.cnf create mode 100644 iso15118/shared/pki/configs/ocspLocalhost.cnf
diff --git a/.gitignore b/.gitignore
index 82753b70..7f195e14 100644
--- a/.gitignore
+++ b/.gitignore
@@ -116,3 +116,5 @@ venv.bak/
 iso15118/shared/pki/iso15118_2
 iso15118/shared/pki/iso15118_20
 /iso15118/shared/pki/pki-ext/
+iso15118/shared/pki/index.txt*
+iso15118/shared/pki/serial*
\ No newline at end of file
diff --git a/iso15118/shared/pki/configs/ca.cnf b/iso15118/shared/pki/configs/ca.cnf
new file mode 100644
index 00000000..e06781cd
--- /dev/null
+++ b/iso15118/shared/pki/configs/ca.cnf
@@ -0,0 +1,16 @@
+[ca]
+default_ca = CA_default
+
+[CA_default]
+database = index.txt
+default_md = sha256
+policy = policy_strict
+serial = serial
+
+[policy_strict]
+countryName = match
+stateOrProvinceName = optional
+organizationName = match
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
\ No newline at end of file
diff --git a/iso15118/shared/pki/configs/contractLeafCert.cnf b/iso15118/shared/pki/configs/contractLeafCert.cnf
index 8268cf2d..994418cb 100644
--- a/iso15118/shared/pki/configs/contractLeafCert.cnf
+++ b/iso15118/shared/pki/configs/contractLeafCert.cnf
@@ -12,4 +12,4 @@ domainComponent = MO
 basicConstraints = critical,CA:false
 keyUsage = critical,digitalSignature,nonRepudiation,keyEncipherment,keyAgreement
 subjectKeyIdentifier = hash
-authorityInfoAccess = OCSP;URI:https://www.example.com/, caIssuers;URI:https://www.example.com/Intermediate-CA.cer
+authorityInfoAccess = OCSP;URI:https://localhost:8080/
diff --git a/iso15118/shared/pki/configs/cpoSubCA1Cert.cnf b/iso15118/shared/pki/configs/cpoSubCA1Cert.cnf
index a7d25cce..ce5225fc 100644
--- a/iso15118/shared/pki/configs/cpoSubCA1Cert.cnf
+++ b/iso15118/shared/pki/configs/cpoSubCA1Cert.cnf
@@ -12,4 +12,5 @@ domainComponent = V2G
 basicConstraints = critical,CA:true,pathlen:1
 keyUsage = critical,keyCertSign,cRLSign
 subjectKeyIdentifier = hash
+authorityInfoAccess = OCSP;URI:https://localhost:8080/
diff --git a/iso15118/shared/pki/configs/cpoSubCA2Cert.cnf b/iso15118/shared/pki/configs/cpoSubCA2Cert.cnf
index ba367b6d..4875bc91 100644
--- a/iso15118/shared/pki/configs/cpoSubCA2Cert.cnf
+++ b/iso15118/shared/pki/configs/cpoSubCA2Cert.cnf
@@ -12,4 +12,4 @@ domainComponent = V2G
 basicConstraints = critical,CA:true,pathlen:0
 keyUsage = critical,keyCertSign,cRLSign
 subjectKeyIdentifier = hash
-
+authorityInfoAccess = OCSP;URI:https://localhost:8080/
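Review bot: `[policy_strict]` names no `domainComponent`, and `openssl ca` silently deletes every subject attribute that the policy section does not mention, so the `domainComponent = V2G`/`MO`/`CPS`/`OEM`/`CPO` values that the hunk headers of the other *Cert.cnf files suggest are part of the request DNs will be stripped from the certificates issued through this config in steps 1–4 (the removed `openssl x509 -req` path copied the requested DN verbatim). Add `domainComponent = optional` to `[policy_strict]` (or pass `-preserveDN` on each `openssl ca` call) and compare an issued subject against one produced by the old path. Note also that `database = index.txt` and `serial = serial` resolve relative to the working directory of the `openssl ca` invocation; that matches the script's own `configs/...` paths, but it means the new `.gitignore` entries only cover the files when the script is run from `iso15118/shared/pki`.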
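Review bot: The new `authorityInfoAccess` URI uses the `https://` scheme, but both the responder started by `--ocsp-resp` (`openssl ocsp -host localhost -port 8080`) and the request sent by `--ocsp-req` (`-url localhost:8080`) speak plain HTTP, so a client that follows the AIA pointer will attempt a TLS handshake against a plaintext listener and fail; use `authorityInfoAccess = OCSP;URI:http://localhost:8080/` unless the responder is placed behind TLS. The same line is added by every other *Cert.cnf hunk in this commit, including the self-signed roots (v2gRootCACert.cnf, oemRootCACert.cnf, moRootCACert.cnf), where an OCSP pointer has no issuer to answer for it, and the responder is started for a single issuer (`-CA $CERT_PATH/cpoSubCA2Cert.pem`), so as far as this page shows the OEM/MO/CPS pointers name a responder that cannot answer for them. Either add the line only where a responder exists for that issuer, or document in the config that the other pointers are placeholders for the local test PKI.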
diff --git a/iso15118/shared/pki/configs/cpsLeafCert.cnf b/iso15118/shared/pki/configs/cpsLeafCert.cnf
index f9248aec..8bedb4e4 100644
--- a/iso15118/shared/pki/configs/cpsLeafCert.cnf
+++ b/iso15118/shared/pki/configs/cpsLeafCert.cnf
@@ -12,4 +12,4 @@ domainComponent = CPS
 basicConstraints = critical,CA:false
 keyUsage = critical,digitalSignature
 subjectKeyIdentifier = hash
-
+authorityInfoAccess = OCSP;URI:https://localhost:8080/
diff --git a/iso15118/shared/pki/configs/cpsSubCA1Cert.cnf b/iso15118/shared/pki/configs/cpsSubCA1Cert.cnf
index b107aa97..9d480792 100644
--- a/iso15118/shared/pki/configs/cpsSubCA1Cert.cnf
+++ b/iso15118/shared/pki/configs/cpsSubCA1Cert.cnf
@@ -12,4 +12,4 @@ domainComponent = CPS
 basicConstraints = critical,CA:true,pathlen:1
 keyUsage = critical,keyCertSign,cRLSign
 subjectKeyIdentifier = hash
-
+authorityInfoAccess = OCSP;URI:https://localhost:8080/
diff --git a/iso15118/shared/pki/configs/cpsSubCA2Cert.cnf b/iso15118/shared/pki/configs/cpsSubCA2Cert.cnf
index 0f9883cc..22686ebe 100644
--- a/iso15118/shared/pki/configs/cpsSubCA2Cert.cnf
+++ b/iso15118/shared/pki/configs/cpsSubCA2Cert.cnf
@@ -12,4 +12,4 @@ domainComponent = CPS
 basicConstraints = critical,CA:true,pathlen:0
 keyUsage = critical,keyCertSign,cRLSign
 subjectKeyIdentifier = hash
-
+authorityInfoAccess = OCSP;URI:https://localhost:8080/
diff --git a/iso15118/shared/pki/configs/moRootCACert.cnf b/iso15118/shared/pki/configs/moRootCACert.cnf
index ccda2fe0..06e71e4c 100644
--- a/iso15118/shared/pki/configs/moRootCACert.cnf
+++ b/iso15118/shared/pki/configs/moRootCACert.cnf
@@ -12,5 +12,5 @@ domainComponent = MO
 basicConstraints = critical,CA:true
 keyUsage = critical,keyCertSign,cRLSign
 subjectKeyIdentifier = hash
-authorityInfoAccess = OCSP;URI:https://www.example.com/, caIssuers;URI:https://www.example.com/Intermediate-CA.cer
+authorityInfoAccess = OCSP;URI:https://localhost:8080/
diff --git a/iso15118/shared/pki/configs/moSubCA1Cert.cnf b/iso15118/shared/pki/configs/moSubCA1Cert.cnf
index a84c7f40..3b0122c6 100644
--- a/iso15118/shared/pki/configs/moSubCA1Cert.cnf
+++ b/iso15118/shared/pki/configs/moSubCA1Cert.cnf
@@ -12,5 +12,5 @@ domainComponent = MO
 basicConstraints = critical,CA:true,pathlen:1
 keyUsage = critical,keyCertSign,cRLSign
 subjectKeyIdentifier = hash
-authorityInfoAccess = OCSP;URI:https://www.example.com/, caIssuers;URI:https://www.example.com/Intermediate-CA.cer
+authorityInfoAccess = OCSP;URI:https://localhost:8080/
diff --git a/iso15118/shared/pki/configs/moSubCA2Cert.cnf b/iso15118/shared/pki/configs/moSubCA2Cert.cnf
index 97db6247..e63ff10d 100644
--- a/iso15118/shared/pki/configs/moSubCA2Cert.cnf
+++ b/iso15118/shared/pki/configs/moSubCA2Cert.cnf
@@ -12,5 +12,5 @@ domainComponent = MO
 basicConstraints = critical,CA:true,pathlen:0
 keyUsage = critical,digitalSignature,nonRepudiation,keyCertSign,cRLSign
 subjectKeyIdentifier = hash
-authorityInfoAccess = OCSP;URI:https://www.example.com/, caIssuers;URI:https://www.example.com/Intermediate-CA.cer
+authorityInfoAccess = OCSP;URI:https://localhost:8080/
diff --git a/iso15118/shared/pki/configs/ocspLocalhost.cnf b/iso15118/shared/pki/configs/ocspLocalhost.cnf
new file mode 100644
index 00000000..5995c23a
--- /dev/null
+++ b/iso15118/shared/pki/configs/ocspLocalhost.cnf
@@ -0,0 +1,15 @@
+[req]
+prompt = no
+distinguished_name = ca_dn
+
+[ca_dn]
+commonName = localhost
+organizationName = Switch
+countryName = UK
+
+[ext]
+basicConstraints = CA:false
+keyUsage = critical, digitalSignature
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer
+extendedKeyUsage = critical, OCSPSigning
\ No newline at end of file
diff --git a/iso15118/shared/pki/configs/oemLeafCert.cnf b/iso15118/shared/pki/configs/oemLeafCert.cnf
index 37509ec3..865b6c34 100644
--- a/iso15118/shared/pki/configs/oemLeafCert.cnf
+++ b/iso15118/shared/pki/configs/oemLeafCert.cnf
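Review bot: The `[ext]` section of the new ocspLocalhost.cnf issues a delegated OCSP signer without the OCSP No Check extension, so a relying party that follows RFC 6960 §4.2.2.2.1 has no signal that it may skip a revocation check of the responder certificate itself, and this certificate carries no AIA through which such a check could be made; add `noCheck = ignored` (OpenSSL's spelling of `id-pkix-ocsp-nocheck`) to `[ext]`. `countryName = UK` is not an ISO 3166-1 alpha-2 code (the United Kingdom is `GB`); OpenSSL accepts any two letters, and the `countryName = match` policy in ca.cnf never sees this request because step 19 signs it with `openssl x509 -req`, so nothing catches the value, but `GB` is the conforming one. The file also lacks a trailing newline, as the `\ No newline at end of file` marker shows.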
@@ -12,4 +12,4 @@ domainComponent = OEM
 basicConstraints = critical,CA:false
 keyUsage = critical,digitalSignature,keyAgreement
 subjectKeyIdentifier = hash
-
+authorityInfoAccess = OCSP;URI:https://localhost:8080/
diff --git a/iso15118/shared/pki/configs/oemRootCACert.cnf b/iso15118/shared/pki/configs/oemRootCACert.cnf
index 072ef905..3ce2eb3f 100644
--- a/iso15118/shared/pki/configs/oemRootCACert.cnf
+++ b/iso15118/shared/pki/configs/oemRootCACert.cnf
@@ -12,4 +12,4 @@ domainComponent = OEM
 basicConstraints = critical,CA:true
 keyUsage = critical,keyCertSign,cRLSign
 subjectKeyIdentifier = hash
-
+authorityInfoAccess = OCSP;URI:https://localhost:8080/
diff --git a/iso15118/shared/pki/configs/oemSubCA1Cert.cnf b/iso15118/shared/pki/configs/oemSubCA1Cert.cnf
index fb0ea37b..ef39a8bd 100644
--- a/iso15118/shared/pki/configs/oemSubCA1Cert.cnf
+++ b/iso15118/shared/pki/configs/oemSubCA1Cert.cnf
@@ -12,4 +12,4 @@ domainComponent = OEM
 basicConstraints = critical,CA:true,pathlen:1
 keyUsage = critical,keyCertSign,cRLSign
 subjectKeyIdentifier = hash
-
+authorityInfoAccess = OCSP;URI:https://localhost:8080/
diff --git a/iso15118/shared/pki/configs/oemSubCA2Cert.cnf b/iso15118/shared/pki/configs/oemSubCA2Cert.cnf
index 9dbc6c79..e1454d9d 100644
--- a/iso15118/shared/pki/configs/oemSubCA2Cert.cnf
+++ b/iso15118/shared/pki/configs/oemSubCA2Cert.cnf
@@ -12,4 +12,4 @@ domainComponent = OEM
 basicConstraints = critical,CA:true,pathlen:0
 keyUsage = critical,keyCertSign,cRLSign
 subjectKeyIdentifier = hash
-
+authorityInfoAccess = OCSP;URI:https://localhost:8080/
diff --git a/iso15118/shared/pki/configs/seccLeafCert.cnf b/iso15118/shared/pki/configs/seccLeafCert.cnf
index 4d6d5eb3..8095a88e 100644
--- a/iso15118/shared/pki/configs/seccLeafCert.cnf
+++ b/iso15118/shared/pki/configs/seccLeafCert.cnf
@@ -12,4 +12,4 @@ domainComponent = CPO
 basicConstraints = critical,CA:false
 keyUsage = critical,digitalSignature,keyAgreement
 subjectKeyIdentifier = hash
-
+authorityInfoAccess = OCSP;URI:https://localhost:8080/
diff --git a/iso15118/shared/pki/configs/v2gRootCACert.cnf b/iso15118/shared/pki/configs/v2gRootCACert.cnf
index e5c2b728..4617862a 100644
--- a/iso15118/shared/pki/configs/v2gRootCACert.cnf
+++ b/iso15118/shared/pki/configs/v2gRootCACert.cnf
@@ -12,4 +12,4 @@ domainComponent = V2G
 basicConstraints = critical,CA:true
 keyUsage = critical,keyCertSign,cRLSign
 subjectKeyIdentifier = hash
-
+authorityInfoAccess = OCSP;URI:https://localhost:8080/
diff --git a/iso15118/shared/pki/create_certs.sh b/iso15118/shared/pki/create_certs.sh
index e120a69a..9a8f9c5c 100755
--- a/iso15118/shared/pki/create_certs.sh
+++ b/iso15118/shared/pki/create_certs.sh
@@ -43,7 +43,7 @@ ISO_20="iso-20"
 usage() {
 echo "
- Usage: "$0" [-h] [-v ] [-p password] [-k]
+ Usage: "$0" [-h] [-v ] [-p password] [-k] [--ocsp-req] [--ocsp-resp]
 Options:
 -h --help Returns this helper
@@ -52,6 +52,10 @@ usage() {
 -p --password The password to encrypt and decrypt the private keys
 -k --keysight Generate certificates to be used while pairing with Keysight test system,
 alongside this iso15118 project.
+ --ocsp-req Don't generate any certificates - instead, send an OCSP request to
+ validate the SECC leaf certificate.
+ --ocsp-resp Don't generate any certificates - instead, start an OCSP responder for
+ validating SECC leaf certificates.
 Description:
@@ -104,6 +108,12 @@ while [ -n "$1" ]; do
 -k|--keysight)
 keysight_certs="1"
 ;;
+ --ocsp-req)
+ ocsp_request="1"
+ ;;
+ --ocsp-resp)
+ ocsp_responder="1"
+ ;;
 *)
 echo "Unknown option $1"
 usage
@@ -112,7 +122,6 @@ while [ -n "$1" ]; do
 shift
 done
-
 # Set the cryptographic parameters, depending on whether to create certificates and key
 # material for ISO 15118-2 or ISO 15118-20
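Review bot: The new help text for `--ocsp-req` does not say where the request goes — the code sends it to `localhost:8080`, i.e. to a responder that must already have been started with `--ocsp-resp` in another shell — nor that both modes operate on the certificates and keys of the ISO version chosen with `-v`, since `CERT_PATH` and `KEY_PATH` are derived from `$ISO_FOLDER` before the new branches run; someone reading only the help cannot get the two options to work together. Suggested wording: `--ocsp-req   Don't generate any certificates - instead, send an OCSP request for the SECC leaf certificate (of the -v selected ISO version) to the responder started with --ocsp-resp on localhost:8080.` The `usage` function begins before this hunk and ends after it.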
@@ -142,13 +151,31 @@ fi
 echo "Password used is: '$password'"
-# 0) Create directories if not yet existing
 CERT_PATH=$ISO_FOLDER/certs
 KEY_PATH=$ISO_FOLDER/private_keys
 CSR_PATH=$ISO_FOLDER/csrs
+NEWCERT_PATH=$ISO_FOLDER/newcerts
+
+if [ "$ocsp_request" == "1" ];
+then
+ openssl ocsp -verify_other $CERT_PATH/ocspLocalhost.pem -trust_other -url localhost:8080 -resp_text -issuer $CERT_PATH/cpoSubCA2Cert.pem -cert $CERT_PATH/seccLeafCert.pem
+ exit
+fi
+
+if [ "$ocsp_responder" == "1" ];
+then
+ openssl ocsp -host localhost -port 8080 -text -index index.txt -CA $CERT_PATH/cpoSubCA2Cert.pem -rkey $KEY_PATH/ocspLocalhost.key -rsigner $CERT_PATH/ocspLocalhost.pem
+ exit
+fi
+
+# 0) Create directories if not yet existing
 mkdir -p $CERT_PATH
 mkdir -p $CSR_PATH
 mkdir -p $KEY_PATH
+mkdir -p $NEWCERT_PATH
+echo -n "" > index.txt
+echo "00" > serial
+sync
 # 1) Create a self-signed V2GRootCA certificate
@@ -187,8 +214,7 @@ openssl req -new -key $KEY_PATH/v2gRootCA.key -passin pass:$password -config con
 # - each issued certificate must contain a unique serial number assigned by the CA (must be unique within the issuers number range) -> -set_serial
 # - save the certificate at the location provided -> -out
 # - make the certificate valid for 40 years (give in days) -> -days
-openssl x509 -req -in $CSR_PATH/v2gRootCA.csr -extfile configs/v2gRootCACert.cnf -extensions ext -signkey $KEY_PATH/v2gRootCA.key -passin pass:$password $SHA -set_serial 12345 -out $CERT_PATH/v2gRootCACert.pem -days $VALIDITY_V2G_ROOT_CERT
-
+yes | openssl ca -in $CSR_PATH/v2gRootCA.csr -config configs/ca.cnf -extfile configs/v2gRootCACert.cnf -extensions ext -outdir $NEWCERT_PATH -selfsign -keyfile $KEY_PATH/v2gRootCA.key -passin pass:$password -out $CERT_PATH/v2gRootCACert.pem -days $VALIDITY_V2G_ROOT_CERT
 # 2) Create an intermediate CPO sub-CA 1 certificate which is directly signed
 # by the V2GRootCA certificate
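Review bot: The `--ocsp-resp` branch passes `-rkey $KEY_PATH/ocspLocalhost.key` with no `-passin`, yet step 19 writes that key through `openssl ec $SYMMETRIC_CIPHER -passout pass:$password`, so whenever `$SYMMETRIC_CIPHER` selects a cipher the responder will stop at an interactive passphrase prompt even though the script already holds `$password`; `openssl ocsp` takes `-passin pass:$password` in current releases (confirm for the version the project targets). `echo "00" > serial` makes the first certificate `openssl ca` issues — the V2G root in step 1 — carry serial number 0, which RFC 5280 §4.1.2.2 forbids (serial numbers MUST be positive integers) and which strict validators reject; start the counter with `echo "01" > serial`. In the `--ocsp-req` branch, `-trust_other` tells `openssl ocsp` to accept the signer found in `ocspLocalhost.pem` without building a chain, so the check only proves the response was signed by whatever certificate that file holds; since the signer is issued by cpoSubCA2 with the OCSPSigning EKU, `-CAfile $CERT_PATH/v2gRootCACert.pem` with the CPO sub-CA certificates supplied as untrusted intermediates (e.g. via `-verify_other`) would validate the responder properly and still work for this test PKI.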
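Review bot: The removed `openssl x509 -req` line passed `$SHA`, the digest the script selects for the ISO version in use, whereas the new `openssl ca` call passes no digest and `configs/ca.cnf` pins `default_md = sha256`; if `$SHA` differs between ISO 15118-2 and ISO 15118-20, the root — and, through the same config, the sub-CA and SECC certificates in the later hunks — is now always signed with SHA-256. `openssl ca -md <digest>` restores the selection (e.g. `-md ${SHA#-}` if `$SHA` has the form `-sha256`). `yes |` answers the two confirmation prompts, but `openssl ca -batch` is the supported non-interactive mode and does not depend on prompt text; the same applies to the cpoSubCA1, cpoSubCA2 and seccLeaf hunks. The context comment three lines above still explains serial numbers with `-> -set_serial`, but serials now come from the `serial` file named in ca.cnf; update it to `-> serial file referenced by configs/ca.cnf`.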
@@ -203,7 +229,7 @@ openssl req -new -key $KEY_PATH/cpoSubCA1.key -passin pass:$password -config con
 # find the CA’s private key. We need the private key to create the signature
 # and the public key certificate to make sure that the CA’s certificate and
 # private key match.
-openssl x509 -req -in $CSR_PATH/cpoSubCA1.csr -extfile configs/cpoSubCA1Cert.cnf -extensions ext -CA $CERT_PATH/v2gRootCACert.pem -CAkey $KEY_PATH/v2gRootCA.key -passin pass:$password -set_serial 12346 -out $CERT_PATH/cpoSubCA1Cert.pem -days $VALIDITY_CPO_SUBCA1_CERT
+yes | openssl ca -in $CSR_PATH/cpoSubCA1.csr -config configs/ca.cnf -extfile configs/cpoSubCA1Cert.cnf -extensions ext -outdir $NEWCERT_PATH -cert $CERT_PATH/v2gRootCACert.pem -keyfile $KEY_PATH/v2gRootCA.key -passin pass:$password -out $CERT_PATH/cpoSubCA1Cert.pem -days $VALIDITY_CPO_SUBCA1_CERT
 # 3) Create a second intermediate CPO sub-CA certificate (sub-CA 2) just the way
@@ -216,7 +242,7 @@ openssl x509 -req -in $CSR_PATH/cpoSubCA1.csr -extfile configs/cpoSubCA1Cert.cnf
 # - validity period differs
 openssl ecparam -genkey -name $EC_CURVE | openssl ec $SYMMETRIC_CIPHER -passout pass:$password -out $KEY_PATH/cpoSubCA2.key
 openssl req -new -key $KEY_PATH/cpoSubCA2.key -passin pass:$password -config configs/cpoSubCA2Cert.cnf -out $CSR_PATH/cpoSubCA2.csr
-openssl x509 -req -in $CSR_PATH/cpoSubCA2.csr -extfile configs/cpoSubCA2Cert.cnf -extensions ext -CA $CERT_PATH/cpoSubCA1Cert.pem -CAkey $KEY_PATH/cpoSubCA1.key -passin pass:$password -set_serial 12347 -days $VALIDITY_CPO_SUBCA2_CERT -out $CERT_PATH/cpoSubCA2Cert.pem
+yes | openssl ca -in $CSR_PATH/cpoSubCA2.csr -config configs/ca.cnf -extfile configs/cpoSubCA2Cert.cnf -extensions ext -outdir $NEWCERT_PATH -cert $CERT_PATH/cpoSubCA1Cert.pem -keyfile $KEY_PATH/cpoSubCA1.key -passin pass:$password -days $VALIDITY_CPO_SUBCA2_CERT -out $CERT_PATH/cpoSubCA2Cert.pem
 # 4) Create an SECC certificate, which is the leaf certificate belonging to
@@ -228,7 +254,7 @@ openssl x509 -req -in $CSR_PATH/cpoSubCA2.csr -extfile configs/cpoSubCA2Cert.cnf
 # - validity period differs
 openssl ecparam -genkey -name $EC_CURVE | openssl ec $SYMMETRIC_CIPHER -passout pass:$password -out $KEY_PATH/seccLeaf.key
 openssl req -new -key $KEY_PATH/seccLeaf.key -passin pass:$password -config configs/seccLeafCert.cnf -out $CSR_PATH/seccLeafCert.csr
-openssl x509 -req -in $CSR_PATH/seccLeafCert.csr -extfile configs/seccLeafCert.cnf -extensions ext -CA $CERT_PATH/cpoSubCA2Cert.pem -CAkey $KEY_PATH/cpoSubCA2.key -passin pass:$password -set_serial 12348 -days $VALIDITY_SECC_LEAF_CERT -out $CERT_PATH/seccLeafCert.pem
+yes | openssl ca -in $CSR_PATH/seccLeafCert.csr -config configs/ca.cnf -extfile configs/seccLeafCert.cnf -extensions ext -outdir $NEWCERT_PATH -cert $CERT_PATH/cpoSubCA2Cert.pem -keyfile $KEY_PATH/cpoSubCA2.key -passin pass:$password -days $VALIDITY_SECC_LEAF_CERT -out $CERT_PATH/seccLeafCert.pem
 # 4.1) Concatenate the SECC certificate with the CPO Sub-2 and Sub-1 certificates to
 # provide a certificate chain that can be used for an SSL context when
 # implementing the TLS handshake
@@ -363,6 +389,15 @@ echo $password > $KEY_PATH/contractLeafPassword.txt
 echo $password > $KEY_PATH/cpsLeafPassword.txt
 echo $password > $KEY_PATH/moSubCA2LeafPassword.txt
+
+# 19) Create an OCSP cryptographic pair, signed by cpoSubCA2, allowing us to verify seccLeafCert.
+# The OCSP cryptographic pair must be signed by the same CA that signed the
+# certificate being checked.
+openssl ecparam -genkey -name $EC_CURVE | openssl ec $SYMMETRIC_CIPHER -passout pass:$password -out $KEY_PATH/ocspLocalhost.key
+openssl req -new -key $KEY_PATH/ocspLocalhost.key -passin pass:$password -config configs/ocspLocalhost.cnf -out $CSR_PATH/ocspLocalhost.csr
+openssl x509 -req -in $CSR_PATH/ocspLocalhost.csr -extfile configs/ocspLocalhost.cnf -extensions ext -CA $CERT_PATH/cpoSubCA2Cert.pem -CAkey $KEY_PATH/cpoSubCA2.key -passin pass:$password -out $CERT_PATH/ocspLocalhost.pem
+
+
 if [ "$keysight_certs" == "1" ]; then
 # The following portion of the script is to help convert the generated certificates work with Keysight test system.
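Review bot: The `openssl x509 -req` line that issues the OCSP signer passes no `-days`, so the responder certificate expires after OpenSSL's default of 30 days and `--ocsp-resp`/`--ocsp-req` will start failing a month after generation, while every other certificate in this script gets a `$VALIDITY_*` lifetime; add `-days $VALIDITY_SECC_LEAF_CERT` (or a dedicated variable). It also passes neither `-set_serial`, as the removed lines in steps 1–4 did, nor `-CAserial`/`-CAcreateserial`, so the serial is read from a `.srl` side file next to the CA certificate, which older releases (1.1.1) refuse to create unless `-CAcreateserial` is given; and because the signer is issued outside `openssl ca`, it is never recorded in `index.txt` and cannot be revoked through the same database. The heading would read more clearly as `# 19) Create the OCSP responder signing key and certificate. RFC 6960 §4.2.2.2 requires a delegated responder to be issued by the CA whose certificates it answers for, hence cpoSubCA2 for seccLeafCert.` The `if [ "$keysight_certs" == "1" ]` block that follows continues outside the hunk.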