1 #!/bin/sh
2 # $Id$
# This script needs openssl 0.9.8a or newer, so it can parse the
# otherName section for pkinit certificates.
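# The openssl binary is taken from PATH; run as `openssl=/path/to/openssl sh
# gen-req.sh` to pin a specific build.
openssl=openssl

#######################################
# Map an `openssl version` banner to the config file this script uses.
# Everything from 1.1 on (there is no 2.x; 3.x and later are assumed to
# take the 1.1-style config — confirm against openssl.1.1.cnf) gets the
# 1.1 file; 1.0.x, 0.9.8, LibreSSL and an unusable binary fall back to
# the 1.0 file, exactly as the old grep did for those cases.
# Arguments: $1 - first line of `openssl version` output (may be empty)
# Outputs:   config file name on stdout
#######################################
pick_openssl_config()
{
  case "$1" in
    "OpenSSL 1."[1-9]*|"OpenSSL "[3-9].*)
      printf '%s\n' openssl.1.1.cnf
      ;;
    *)
      printf '%s\n' openssl.1.0.cnf
      ;;
  esac
}

# workaround until openssl -objects lands
config=$(pick_openssl_config "$(${openssl} version)")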
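#######################################
# Generate a key pair and a certificate, leaving $name.crt and $name.key
# in the current directory.
# Arguments:
#   $1 - subject in -subj form, e.g. "/CN=Test cert/C=SE"
#   $2 - base name of the issuer ($2.crt / $2.key); unused when $3 is "ca"
#   $3 - "ca": self-signed root; "proxy": signed with `x509 -req` by $2;
#        anything else: issued through `openssl ca` and used as output name
#   $4 - extensions section in ${config} (ca/proxy) or the ca section name
#   $5 - output base name, read only when $3 is "proxy"
#   $6 - -newkey argument, default rsa:4096 (e.g. ec:eccurve.pem)
# Globals:   openssl, config (read); keytype, name (written; not local
#            because this is /bin/sh)
# Outputs:   scratch files cert.req, out.key, cert.crt in the cwd; a
#            <hash>.0 symlink for the root; serial/index.txt updated by
#            `openssl ca` in the default branch
# Returns:   0 on success, non-zero if any openssl step or the final mv fails
#######################################
gen_cert()
{
  keytype=${6:-rsa:4096}

  # Key generation is noisy, so output is silenced — but the status is
  # checked, otherwise a failed req only shows up later as a missing file.
  # -sha1 is the digest of the CSR's self-signature; the digest of the
  # issued certificate is picked by the signing step below (ca default_md /
  # x509 -req default), not by this flag — confirm against ${config}.
  if ! ${openssl} req \
      -new \
      -subj "$1" \
      -config "${config}" \
      -newkey "$keytype" \
      -sha1 \
      -nodes \
      -keyout out.key \
      -out cert.req > /dev/null 2>/dev/null; then
    printf 'gen_cert: openssl req failed for %s\n' "$1" >&2
    return 1
  fi

  if [ "$3" = "ca" ] ; then
    # Self-signed root.  182500 days (~500 years) keeps the fixtures from
    # expiring under the test suite.
    ${openssl} x509 \
      -req \
      -days 182500 \
      -in cert.req \
      -extfile "${config}" \
      -extensions "$4" \
      -signkey out.key \
      -out cert.crt || return 1
    # Hash-named symlink for directory (CApath-style) lookups.  The target
    # is hard-wired to ca.crt, which matches the only "ca" call in this file.
    ln -s ca.crt "$(${openssl} x509 -hash -noout -in cert.crt)".0 || return 1
    name=$3
  elif [ "$3" = "proxy" ] ; then
    # Proxy certificate signed directly by the end entity $2, bypassing the
    # CA database (no serial/index.txt entry, so it cannot be revoked there).
    ${openssl} x509 \
      -req \
      -in cert.req \
      -days 182500 \
      -out cert.crt \
      -CA "$2.crt" \
      -CAkey "$2.key" \
      -CAcreateserial \
      -extfile "${config}" \
      -extensions "$4" || return 1
    name=$5
  else
    # Regular issuance through the CA database, so the certificate gets a
    # serial and an index.txt row that the revoke/OCSP/CRL steps rely on.
    ${openssl} ca \
      -name "$4" \
      -days 182500 \
      -cert "$2.crt" \
      -keyfile "$2.key" \
      -in cert.req \
      -out cert.crt \
      -outdir . \
      -batch \
      -config "${config}" || return 1
    name=$3
  fi

  mv cert.crt "$name.crt" || return 1
  mv out.key "$name.key"
}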
# Reset the `openssl ca` database: next serial 01, an empty index, and no
# hash-named symlinks left over from an earlier run (gen_cert creates one).
printf '%s\n' 01 > serial
: > index.txt
rm -f -- *.0
# Fixture certificates.  gen_cert arguments: subject, issuer base name,
# mode or output name, extensions/ca section, proxy output name, key type.
# Order matters: each issuer must exist before the certificates it signs.

# Root CA and the leaf certificates it issues directly.
gen_cert "/CN=hx509 Test Root CA/C=SE" "root" "ca" "v3_ca"
gen_cert "/CN=OCSP responder/C=SE" "ca" "ocsp-responder" "ocsp"
gen_cert "/CN=Test cert/C=SE" "ca" "test" "usr"
gen_cert "/CN=Revoke cert/C=SE" "ca" "revoke" "usr"
gen_cert "/CN=Test cert KeyEncipherment/C=SE" "ca" "test-ke-only" "usr_ke"
gen_cert "/CN=Test cert DigitalSignature/C=SE" "ca" "test-ds-only" "usr_ds"
gen_cert "/CN=pkinit/C=SE" "ca" "pkinit" "pkinit_client"

# EC variant of the pkinit client: the curve file feeds -newkey.  The fifth
# argument is a placeholder; gen_cert only reads it for proxy certificates.
${openssl} ecparam -name secp256r1 -out eccurve.pem
gen_cert "/CN=pkinit-ec/C=SE" "ca" "pkinit-ec" "pkinit_client" "XXX" "ec:eccurve.pem"
gen_cert "/C=SE/CN=pkinit/CN=pkinit-proxy" "pkinit" "proxy" "proxy_cert" "pkinit-proxy"
gen_cert "/CN=kdc/C=SE" "ca" "kdc" "pkinit_kdc"
gen_cert "/CN=www.test.h5l.se/C=SE" "ca" "https" "https"

# Sub-CA and one certificate below it.
gen_cert "/CN=Sub CA/C=SE" "ca" "sub-ca" "subca"
gen_cert "/CN=Test sub cert/C=SE" "sub-ca" "sub-cert" "usr"

# Proxy chains hanging off "test".  no-proxy-test is issued with the plain
# usr_cert section instead of proxy_cert (presumably a negative test case).
gen_cert "/C=SE/CN=Test cert/CN=proxy" "test" "proxy" "proxy_cert" "proxy-test"
gen_cert "/C=SE/CN=Test cert/CN=proxy/CN=child" "proxy-test" "proxy" "proxy_cert" "proxy-level-test"
gen_cert "/C=SE/CN=Test cert/CN=no-proxy" "test" "proxy" "usr_cert" "no-proxy-test"
gen_cert "/C=SE/CN=Test cert/CN=proxy10" "test" "proxy" "proxy10_cert" "proxy10-test"
gen_cert "/C=SE/CN=Test cert/CN=proxy10/CN=child" "proxy10-test" "proxy" "proxy10_cert" "proxy10-child-test"
gen_cert "/C=SE/CN=Test cert/CN=proxy10/CN=child/CN=child" "proxy10-child-test" "proxy" "proxy10_cert" "proxy10-child-child-test"
# Bundles the tests load as a single file: a sub-CA chain, a cert+key
# combination, and a proxy certificate with its issuer.
cat sub-ca.crt ca.crt > sub-ca-combined.crt
cat test.crt test.key > test.combined.crt
cat pkinit-proxy.crt pkinit.crt > pkinit-proxy-chain.crt

#######################################
# Write an AES-256 passphrase-protected copy of an RSA key.
# Arguments: $1 - input key, $2 - passphrase, $3 - output key
# Globals:   openssl (read)
#######################################
protect_rsa_key()
{
  ${openssl} rsa -in "$1" -aes256 -passout "pass:$2" -out "$3"
}

# The passphrases are fixtures; the consuming tests (outside this file)
# presumably supply the same strings when loading these keys.
protect_rsa_key test.key foobar test-pw.key
protect_rsa_key pkinit.key foo pkinit-pw.key
# Mark revoke.crt as revoked in the CA database (index.txt), so the OCSP
# responses and the CRL generated further down carry a revoked entry.
${openssl} ca -config "${config}" -name usr \
  -cert ca.crt -keyfile ca.key \
  -revoke revoke.crt
#######################################
# Export a certificate and its key as a PKCS#12 bundle.
# Arguments: $1 - certificate, $2 - key, $3 - output .p12,
#            $4 - friendly name; remaining args are passed to pkcs12
#            (chain certificates, -caname, PBE overrides)
# Globals:   openssl (read); p12_cert, p12_key, p12_out, p12_name (written)
#######################################
export_p12()
{
  p12_cert=$1; p12_key=$2; p12_out=$3; p12_name=$4
  shift 4
  ${openssl} pkcs12 -export \
    -in "$p12_cert" -inkey "$p12_key" \
    -passout pass:foobar \
    -out "$p12_out" -name "$p12_name" \
    "$@"
}

export_p12 test.crt test.key test.p12 friendlyname-test \
  -certfile ca.crt -caname ca

export_p12 sub-cert.crt sub-cert.key sub-cert.p12 friendlyname-sub-cert \
  -certfile sub-ca-combined.crt -caname sub-ca -caname ca

# Unencrypted variant: PBE NONE for both the key and certificate bags, so
# the passphrase only goes into the integrity MAC (confirm against the
# pkcs12 man page for the OpenSSL version in use).
export_p12 test.crt test.key test-nopw.p12 friendlyname-cert \
  -keypbe NONE -certpbe NONE -certfile ca.crt -caname ca
#######################################
# Sign static-file with test.crt/test.key as opaque (non-detached) DER
# SignedData.
# Arguments: $1 - output file; remaining args are passed to smime
#            (-md, -noattr, -nocerts)
# Globals:   openssl (read); sig_out (written)
#######################################
sign_static_file()
{
  sig_out=$1; shift
  ${openssl} smime -sign -nodetach -binary \
    -in static-file -signer test.crt -inkey test.key \
    -outform DER -out "$sig_out" \
    "$@"
}

# Variants of the same SignedData: default digest, without signed
# attributes, without embedded certificates, and one per explicit digest.
sign_static_file test-signed-data
sign_static_file test-signed-data-noattr -noattr
sign_static_file test-signed-data-noattr-nocerts -noattr -nocerts
sign_static_file test-signed-sha-1 -md sha1
sign_static_file test-signed-sha-256 -md sha256
sign_static_file test-signed-sha-512 -md sha512
# EnvelopedData for each content-encryption algorithm the tests decode.
# RC2 and single DES are kept on purpose as legacy test vectors; OpenSSL 3
# only provides them through the legacy provider, so these invocations may
# need "-provider legacy" there (confirm).  Each entry is
# "<output suffix>:<smime cipher flag>".
for enveloped in rc2-40:rc2-40 rc2-64:rc2-64 rc2-128:rc2-128 \
                 des:des des-ede3:des3 aes-128:aes128 aes-256:aes256; do
  ${openssl} smime -encrypt -nodetach -binary \
    -in static-file -outform DER \
    -out "test-enveloped-${enveloped%%:*}" \
    "-${enveloped#*:}" \
    test.crt
done
echo ocsp requests

#######################################
# Build a DER OCSP request for a certificate issued by ca.crt.
# Arguments: $1 - certificate, $2 - output request file
# Globals:   openssl (read)
#######################################
ocsp_request()
{
  ${openssl} ocsp -issuer ca.crt -cert "$1" -reqout "$2"
}

#######################################
# Answer a stored request from index.txt, signing with $2.crt/$2.key.
# -noverify turns off the tool's own verification of the response
# signature and nonce; the generated files are checked by the tests
# outside this script.
# Arguments: $1 - request file, $2 - responder base name, $3 - output
#            response file; remaining args are passed to ocsp
# Globals:   openssl (read); ocsp_req, ocsp_signer, ocsp_out (written)
#######################################
ocsp_respond()
{
  ocsp_req=$1; ocsp_signer=$2; ocsp_out=$3
  shift 3
  ${openssl} ocsp -index index.txt \
    -rsigner "$ocsp_signer.crt" -rkey "$ocsp_signer.key" -CA ca.crt \
    -reqin "$ocsp_req" -noverify -respout "$ocsp_out" \
    "$@"
}

# Good certificate: responses from the delegated responder, from the CA
# itself, without embedded responder certificates, and keyed by key hash.
ocsp_request test.crt ocsp-req1.der
ocsp_respond ocsp-req1.der ocsp-responder ocsp-resp1-ocsp.der
ocsp_respond ocsp-req1.der ca ocsp-resp1-ca.der
ocsp_respond ocsp-req1.der ocsp-responder ocsp-resp1-ocsp-no-cert.der -resp_no_certs
ocsp_respond ocsp-req1.der ocsp-responder ocsp-resp1-keyhash.der -resp_key_id

# Revoked certificate (marked revoked in index.txt above).
ocsp_request revoke.crt ocsp-req2.der
ocsp_respond ocsp-req2.der ocsp-responder ocsp-resp2.der
# CRL from the CA database (carries the revoke.crt entry), valid for 3600
# days, then converted to DER for the tests.
${openssl} ca -gencrl -config "${config}" -name usr \
  -crldays 3600 \
  -keyfile ca.key -cert ca.crt \
  -crl_reason superseded \
  -out crl1.crl
${openssl} crl -in crl1.crl -outform der -out crl1.der