lib/hx509/data/mkcert.sh

   1 #! /bin/bash
   2
   3 set -e
   4
   5 DAYS=182500
   6
   7 key() {
   8     local key=$1; shift
   9
  10     if [ ! -f "${key}.pem" ]; then
  11         openssl genpkey \
  12             -paramfile <(openssl ecparam -name prime256v1) \
  13             -out "${key}.pem"
  14     fi
  15 }
  16
  17 req() {
  18     local key=$1; shift
  19     local dn=$1; shift
  20
  21     openssl req -new -sha256 -key "${key}.pem" \
  22         -config <(printf "[req]\n%s\n%s\n[dn]\nCN_default=foo\n" \
  23                    "prompt = yes" "distinguished_name = dn") \
  24         -subj "${dn}"
  25 }
  26
  27 cert() {
  28     local cert=$1; shift
  29     local exts=$1; shift
  30
  31     openssl x509 -req -sha256 -out "${cert}.pem" \
  32         -extfile <(printf "%s\n" "$exts") "$@"
  33 }
  34
  35 genroot() {
  36     local dn=$1; shift
  37     local key=$1; shift
  38     local cert=$1; shift
  39
  40     exts=$(printf "%s\n%s\n%s\n%s\n" \
  41            "subjectKeyIdentifier = hash" \
  42            "authorityKeyIdentifier  = keyid" \
  43            "basicConstraints = CA:true" \
  44            "keyUsage = keyCertSign, cRLSign" )
  45     key "$key"; req "$key" "$dn" |
  46         cert "$cert" "$exts" -signkey "${key}.pem" \
  47             -set_serial 1 -days "${DAYS}"
  48 }
  49
  50 genee() {
  51     local dn=$1; shift
  52     local key=$1; shift
  53     local cert=$1; shift
  54     local cakey=$1; shift
  55     local cacert=$1; shift
  56
  57     exts=$(printf "%s\n%s\n%s\n%s\n" \
  58             "subjectKeyIdentifier = hash" \
  59             "authorityKeyIdentifier = keyid, issuer" \
  60             "basicConstraints = CA:false" \
  61             "keyUsage = digitalSignature, keyEncipherment, dataEncipherment" \
  62         )
  63     key "$key"; req "$key" "$dn" |
  64         cert "$cert" "$exts" -CA "${cacert}.pem" -CAkey "${cakey}.pem" \
  65             -set_serial 2 -days "${DAYS}" "$@"
  66 }
  67
  68
  69 genroot "/C=SE/O=Heimdal/CN=CA secp256r1" \
  70         secp256r1TestCA.key secp256r1TestCA.cert
  71 genee "/C=SE/O=Heimdal/CN=Server" \
  72         secp256r2TestServer.key secp256r2TestServer.cert \
  73         secp256r1TestCA.key secp256r1TestCA.cert
  74 genee "/C=SE/O=Heimdal/CN=Client" \
  75         secp256r2TestClient.key secp256r2TestClient.cert \
  76         secp256r1TestCA.key secp256r1TestCA.cert
  77
  78 cat secp256r1TestCA.key.pem secp256r1TestCA.cert.pem > \
  79         secp256r1TestCA.pem
  80 cat secp256r2TestClient.cert.pem secp256r2TestClient.key.pem > \
  81         secp256r2TestClient.pem
  82 cat secp256r2TestServer.cert.pem secp256r2TestServer.key.pem > \
  83         secp256r2TestServer.pem