tests/certs/scripts/genserv.sh


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143

#!/bin/bash
#***************************************************************************
#                                  _   _ ____  _
#  Project                     ___| | | |  _ \| |
#                             / __| | | | |_) | |
#                            | (__| |_| |  _ <| |___
#                             \___|\___/|_| \_\_____|
#
# Copyright (C) EdelWeb for EdelKey and OpenEvidence
#
# This software is licensed as described in the file COPYING, which
# you should have received as part of this distribution. The terms
# are also available at https://curl.se/docs/copyright.html.
#
# You may opt to use, copy, modify, merge, publish, distribute and/or sell
# copies of the Software, and permit persons to whom the Software is
# furnished to do so, under the terms of the COPYING file.
#
# This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
# KIND, either express or implied.
#
# SPDX-License-Identifier: curl
#
###########################################################################

OPENSSL=openssl
if [ -f /usr/local/ssl/bin/openssl ] ; then
   OPENSSL=/usr/local/ssl/bin/openssl
fi

USAGE="echo Usage is genserv.sh <prefix> <caprefix>"

# exit on first fail
set -e

HOME=`pwd`
cd $HOME

KEYSIZE=2048
DURATION=3000
# The -sha256 option was introduced in OpenSSL 1.0.1
DIGESTALGO=-sha256

REQ=YES
P12=NO
DHP=NO

PREFIX=$1
if [ ".$PREFIX" = . ] ; then
   echo No configuration prefix
   NOTOK=1
else
   if [ ! -f $PREFIX-sv.prm ] ; then
      echo No configuration file $PREFIX-sv.prm
      NOTOK=1
   fi
fi

CAPREFIX=$2
if [ ".$CAPREFIX" = . ] ; then
   echo No CA prefix
   NOTOK=1
else
   if [ ! -f $CAPREFIX-ca.cacert ] ; then
      echo No CA certificate file $CAPREFIX-ca.caert
      NOTOK=1
   fi
   if [ ! -f $CAPREFIX-ca.key ] ; then
      echo No $CAPREFIX key
      NOTOK=1
   fi
fi

if [ ".$NOTOK" != . ] ; then
   echo "Sorry, I can't do that for you."
   $USAGE
   exit
fi

if [ ".$SERIAL" = . ] ; then
   GETSERIAL="\$t = time ;\$d =  \$t . substr(\$t+$$ ,-4,4)-1;print \$d"
   SERIAL=`/usr/bin/env perl -e "$GETSERIAL"`
fi

echo SERIAL=$SERIAL PREFIX=$PREFIX CAPREFIX=$CAPREFIX DURATION=$DURATION KEYSIZE=$KEYSIZE

if [ "$DHP." = YES. ] ; then
   echo "openssl dhparam -2 -out $PREFIX-sv.dhp $KEYSIZE"
   $OPENSSL dhparam -2 -out $PREFIX-sv.dhp $KEYSIZE
fi

if [ "$REQ." = YES. ] ; then
   echo "openssl req -config $PREFIX-sv.prm -newkey rsa:$KEYSIZE -keyout $PREFIX-sv.key -out $PREFIX-sv.csr -passout XXX"
   $OPENSSL req -config $PREFIX-sv.prm -newkey rsa:$KEYSIZE -keyout $PREFIX-sv.key -out $PREFIX-sv.csr -passout pass:secret
fi

echo "openssl rsa -in $PREFIX-sv.key -out $PREFIX-sv.key"
$OPENSSL rsa -in $PREFIX-sv.key -out $PREFIX-sv.key -passin pass:secret
echo pseudo secrets generated

echo "openssl rsa -in $PREFIX-sv.key -pubout -outform DER -out $PREFIX-sv.pub.der"
$OPENSSL rsa -in $PREFIX-sv.key -pubout -outform DER -out $PREFIX-sv.pub.der

echo "openssl rsa -in $PREFIX-sv.key -pubout -outform PEM -out $PREFIX-sv.pub.pem"
$OPENSSL rsa -in $PREFIX-sv.key -pubout -outform PEM -out $PREFIX-sv.pub.pem

echo "openssl x509 -set_serial $SERIAL -extfile $PREFIX-sv.prm -days $DURATION  -CA $CAPREFIX-ca.cacert -CAkey $CAPREFIX-ca.key -in $PREFIX-sv.csr -req -text -nameopt multiline $DIGESTALGO > $PREFIX-sv.crt "

$OPENSSL x509 -set_serial $SERIAL -extfile $PREFIX-sv.prm -days $DURATION  -CA $CAPREFIX-ca.cacert -CAkey $CAPREFIX-ca.key -in $PREFIX-sv.csr -req -text -nameopt multiline $DIGESTALGO > $PREFIX-sv.crt

if [ "$P12." = YES. ] ; then

   echo "$OPENSSL pkcs12 -export -des3 -out $PREFIX-sv.p12 -caname $CAPREFIX -name $PREFIX -inkey $PREFIX-sv.key -in $PREFIX-sv.crt -certfile $CAPREFIX-ca.crt "

   $OPENSSL pkcs12 -export -des3 -out $PREFIX-sv.p12 -caname $CAPREFIX -name $PREFIX -inkey $PREFIX-sv.key -in $PREFIX-sv.crt -certfile $CAPREFIX-ca.crt
fi

echo "openssl x509 -noout -text -hash -in $PREFIX-sv.selfcert -nameopt multiline"
$OPENSSL x509 -noout -text -hash -in $PREFIX-sv.crt -nameopt multiline

# revoke server cert
touch $CAPREFIX-ca.db
echo 01 > $CAPREFIX-ca.cnt
echo "openssl ca -config $CAPREFIX-ca.cnf -revoke $PREFIX-sv.crt"
$OPENSSL ca -config $CAPREFIX-ca.cnf -revoke $PREFIX-sv.crt

# issue CRL
echo "openssl ca -config $CAPREFIX-ca.cnf -gencrl -out $PREFIX-sv.crl"
$OPENSSL ca -config $CAPREFIX-ca.cnf -gencrl -out $PREFIX-sv.crl

echo "openssl x509 -in $PREFIX-sv.crt -outform der -out $PREFIX-sv.der "
$OPENSSL x509 -in $PREFIX-sv.crt -outform der -out $PREFIX-sv.der

# all together now
touch $PREFIX-sv.dhp
cat $PREFIX-sv.prm $PREFIX-sv.key  $PREFIX-sv.crt $PREFIX-sv.dhp >$PREFIX-sv.pem
chmod o-r $PREFIX-sv.prm

$OPENSSL x509 -in $PREFIX-sv.pem -pubkey -noout | \
$OPENSSL pkey -pubin -outform der | $OPENSSL dgst -sha256 -binary | \
$OPENSSL enc -base64 >$PREFIX-sv.pubkey-pinned

echo "$PREFIX-sv.pem done"