1 #!/bin/sh
2 # $Id$
# This script needs openssl 0.9.8a or newer, so that it can parse the
# otherName section for pkinit certificates.
# openssl binary used by every step below; point this at another build
# if the one on PATH is too old (see the version note above).
openssl=openssl
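#######################################
# Generate a key pair and a certificate and store them as <name>.crt and
# <name>.key in the current directory.
# Globals:   openssl (read) - openssl binary to run
#            keytype, name (written) - plain sh has no 'local'
# Arguments:
#   $1 - subject DN, e.g. "/CN=Test cert/C=SE"
#   $2 - basename of the issuer's $2.crt/$2.key; unused when $3 is "ca"
#   $3 - "ca": self-signed root signed with openssl x509 -signkey;
#        "proxy": signed with openssl x509 -CA/-CAkey, output named $5;
#        anything else: signed through the CA database (openssl ca,
#        serial/index.txt) and used as the output basename
#   $4 - section in openssl.cnf: the x509 extension section for "ca" and
#        "proxy", the CA section (-name) otherwise
#   $5 - output basename for "proxy" certificates
#   $6 - key spec for -newkey, default rsa:1024 (test-fixture strength)
# Outputs:   cert.req is left behind; for "ca" a <subject-hash>.0 symlink
#            to ca.crt is created (c_rehash-style name)
# Returns:   1 if openssl req fails, otherwise the status of the last mv;
#            the signing steps are not individually checked
#######################################
gen_cert() {
  keytype=${6:-rsa:1024}

  # The request output is silenced, so report the failure ourselves
  # instead of letting the later steps fail on a missing cert.req.
  if ! "${openssl}" req \
      -new \
      -subj "$1" \
      -config openssl.cnf \
      -newkey "$keytype" \
      -sha1 \
      -nodes \
      -keyout out.key \
      -out cert.req > /dev/null 2>/dev/null; then
    printf 'gen_cert: openssl req failed for %s\n' "$1" >&2
    return 1
  fi

  if [ "$3" = "ca" ] ; then
    "${openssl}" x509 \
      -req \
      -days 3650 \
      -in cert.req \
      -extfile openssl.cnf \
      -extensions "$4" \
      -signkey out.key \
      -out cert.crt

    # Hash-named link for lookups by subject hash; it points at ca.crt,
    # which only exists after the mv below.
    ln -s ca.crt "$("${openssl}" x509 -hash -noout -in cert.crt).0"

    name=$3
  elif [ "$3" = "proxy" ] ; then
    "${openssl}" x509 \
      -req \
      -in cert.req \
      -days 3650 \
      -out cert.crt \
      -CA "$2.crt" \
      -CAkey "$2.key" \
      -CAcreateserial \
      -extfile openssl.cnf \
      -extensions "$4"

    name=$5
  else
    "${openssl}" ca \
      -name "$4" \
      -days 3650 \
      -cert "$2.crt" \
      -keyfile "$2.key" \
      -in cert.req \
      -out cert.crt \
      -outdir . \
      -batch \
      -config openssl.cnf

    name=$3
  fi

  mv cert.crt "$name.crt"
  mv out.key "$name.key"
}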
# Reset the CA database used by openssl ca (serial and index.txt are the
# names configured in openssl.cnf) and drop stale subject-hash links.
echo "01" > serial
> index.txt
rm -f *.0

# Certificate hierarchy: the root first, then everything issued from it.
gen_cert "/CN=hx509 Test Root CA/C=SE" "root" "ca" "v3_ca"
gen_cert "/CN=OCSP responder/C=SE" "ca" "ocsp-responder" "ocsp"
gen_cert "/CN=Test cert/C=SE" "ca" "test" "usr"
gen_cert "/CN=Revoke cert/C=SE" "ca" "revoke" "usr"
gen_cert "/CN=Test cert KeyEncipherment/C=SE" "ca" "test-ke-only" "usr_ke"
gen_cert "/CN=Test cert DigitalSignature/C=SE" "ca" "test-ds-only" "usr_ds"
gen_cert "/CN=pkinit/C=SE" "ca" "pkinit" "pkinit_client"
$openssl ecparam -name secp256r1 -out eccurve.pem
gen_cert "/CN=pkinit-ec/C=SE" "ca" "pkinit-ec" "pkinit_client" "XXX" ec:eccurve.pem
gen_cert "/C=SE/CN=pkinit/CN=pkinit-proxy" "pkinit" "proxy" "proxy_cert" pkinit-proxy
gen_cert "/CN=kdc/C=SE" "ca" "kdc" "pkinit_kdc"
gen_cert "/CN=www.test.h5l.se/C=SE" "ca" "https" "https"
gen_cert "/CN=Sub CA/C=SE" "ca" "sub-ca" "subca"
gen_cert "/CN=Test sub cert/C=SE" "sub-ca" "sub-cert" "usr"
gen_cert "/C=SE/CN=Test cert/CN=proxy" "test" "proxy" "proxy_cert" proxy-test
gen_cert "/C=SE/CN=Test cert/CN=proxy/CN=child" "proxy-test" "proxy" "proxy_cert" proxy-level-test
gen_cert "/C=SE/CN=Test cert/CN=no-proxy" "test" "proxy" "usr_cert" no-proxy-test
gen_cert "/C=SE/CN=Test cert/CN=proxy10" "test" "proxy" "proxy10_cert" proxy10-test
gen_cert "/C=SE/CN=Test cert/CN=proxy10/CN=child" "proxy10-test" "proxy" "proxy10_cert" proxy10-child-test
gen_cert "/C=SE/CN=Test cert/CN=proxy10/CN=child/CN=child" "proxy10-child-test" "proxy" "proxy10_cert" proxy10-child-child-test

# Combined PEM bundles (chain files and a cert+key file).
cat sub-ca.crt ca.crt > sub-ca-combined.crt
cat test.crt test.key > test.combined.crt
cat pkinit-proxy.crt pkinit.crt > pkinit-proxy-chain.crt

# Password protected copies of two keys; the passwords are fixture
# values that the consuming tests must know.
${openssl} rsa -in test.key -aes256 -passout pass:foobar -out test-pw.key
${openssl} rsa -in pkinit.key -aes256 -passout pass:foo -out pkinit-pw.key

# Mark revoke.crt as revoked in the CA database so the OCSP responses
# and the CRL below carry a revoked entry.
${openssl} ca \
  -name usr \
  -cert ca.crt \
  -keyfile ca.key \
  -revoke revoke.crt \
  -config openssl.cnf

#######################################
# Export <basename>.crt/<basename>.key as a PKCS#12 bundle.
# Arguments: $1 - basename of the cert/key pair
#            $2 - output .p12 file
#            $3 - friendly name stored in the bundle
#            $4 - PEM file with the CA certificate(s) to include
#            $@ - further openssl pkcs12 options (-caname, -keypbe, ...)
#######################################
export_p12() {
  p12_base=$1
  p12_out=$2
  p12_friendly=$3
  p12_cas=$4
  shift 4
  ${openssl} pkcs12 \
    -export \
    -in "$p12_base.crt" \
    -inkey "$p12_base.key" \
    -passout pass:foobar \
    -out "$p12_out" \
    -name "$p12_friendly" \
    -certfile "$p12_cas" \
    "$@"
}

export_p12 test test.p12 "friendlyname-test" ca.crt -caname ca
export_p12 sub-cert sub-cert.p12 "friendlyname-sub-cert" sub-ca-combined.crt \
  -caname sub-ca -caname ca
# Same bundle as test.p12 but with unencrypted key and cert bags.
export_p12 test test-nopw.p12 "friendlyname-cert" ca.crt \
  -keypbe NONE -certpbe NONE -caname ca

#######################################
# Produce a DER signed-data blob over static-file with test.crt/test.key.
# Arguments: $1 - output file
#            $@ - further openssl smime options (-md, -noattr, -nocerts)
#######################################
sign_static() {
  sign_out=$1
  shift
  ${openssl} smime \
    -sign \
    -nodetach \
    -binary \
    -in static-file \
    -signer test.crt \
    -inkey test.key \
    -outform DER \
    -out "$sign_out" \
    "$@"
}

sign_static test-signed-data
sign_static test-signed-data-noattr -noattr
sign_static test-signed-data-noattr-nocerts -noattr -nocerts
sign_static test-signed-sha-1 -md sha1
sign_static test-signed-sha-256 -md sha256
sign_static test-signed-sha-512 -md sha512

#######################################
# Produce a DER enveloped-data blob over static-file for test.crt.
# Arguments: $1 - openssl cipher option, e.g. -aes256
#            $2 - output file
#######################################
envelope_static() {
  ${openssl} smime \
    -encrypt \
    -nodetach \
    -binary \
    -in static-file \
    -outform DER \
    -out "$2" \
    "$1" \
    test.crt
}

# One vector per content-encryption algorithm, legacy RC2/DES included.
envelope_static -rc2-40 test-enveloped-rc2-40
envelope_static -rc2-64 test-enveloped-rc2-64
envelope_static -rc2-128 test-enveloped-rc2-128
envelope_static -des test-enveloped-des
envelope_static -des3 test-enveloped-des-ede3
envelope_static -aes128 test-enveloped-aes-128
envelope_static -aes256 test-enveloped-aes-256

echo ocsp requests

#######################################
# Write a DER OCSP request for a certificate issued by ca.crt.
# Arguments: $1 - certificate to ask about
#            $2 - output file
#######################################
ocsp_request() {
  ${openssl} ocsp \
    -issuer ca.crt \
    -cert "$1" \
    -reqout "$2"
}

#######################################
# Answer an OCSP request from the CA database with a given signer.
# Arguments: $1 - basename of the responder's cert/key pair
#            $2 - request file
#            $3 - response output file
#            $@ - further openssl ocsp options
#######################################
ocsp_respond() {
  ocsp_signer=$1
  ocsp_req=$2
  ocsp_resp=$3
  shift 3
  ${openssl} ocsp \
    -index index.txt \
    -rsigner "$ocsp_signer.crt" \
    -rkey "$ocsp_signer.key" \
    -CA ca.crt \
    -reqin "$ocsp_req" \
    -noverify \
    -respout "$ocsp_resp" \
    "$@"
}

# Good certificate: responses signed by the delegated responder and by
# the CA itself, plus variants without certs and with key-hash ids.
ocsp_request test.crt ocsp-req1.der
ocsp_respond ocsp-responder ocsp-req1.der ocsp-resp1-ocsp.der
ocsp_respond ca ocsp-req1.der ocsp-resp1-ca.der
ocsp_respond ocsp-responder ocsp-req1.der ocsp-resp1-ocsp-no-cert.der -resp_no_certs
ocsp_respond ocsp-responder ocsp-req1.der ocsp-resp1-keyhash.der -resp_key_id

# Revoked certificate.
ocsp_request revoke.crt ocsp-req2.der
ocsp_respond ocsp-responder ocsp-req2.der ocsp-resp2.der

# CRL from the CA database, in PEM and then converted to DER.
${openssl} ca \
  -gencrl \
  -name usr \
  -crldays 3600 \
  -keyfile ca.key \
  -cert ca.crt \
  -crl_reason superseded \
  -out crl1.crl \
  -config openssl.cnf

${openssl} crl -in crl1.crl -outform der -out crl1.der