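#!/usr/bin/env bash
#***************************************************************************
#                                  _   _ ____  _
#  Project                     ___| | | |  _ \| |
#                             / __| | | | |_) | |
#                            | (__| |_| |  _ <| |___
#                             \___|\___/|_| \_\_____|
#
# Copyright (C) EdelWeb for EdelKey and OpenEvidence
#
# This software is licensed as described in the file COPYING, which
# you should have received as part of this distribution. The terms
# are also available at https://curl.se/docs/copyright.html.
#
# You may opt to use, copy, modify, merge, publish, distribute and/or sell
# copies of the Software, and permit persons to whom the Software is
# furnished to do so, under the terms of the COPYING file.
#
# This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
# KIND, either express or implied.
#
# SPDX-License-Identifier: curl
#
###########################################################################
#
# genserv.sh - generate a test server key and certificate signed by a
# test CA, then revoke it and issue a CRL.
#
# Usage: genserv.sh <prefix> <caprefix>
#
# Reads:  <prefix>-sv.prm           (OpenSSL req config / extensions)
#         <caprefix>-ca.cacert, <caprefix>-ca.key, <caprefix>-ca.cnf
# Writes: <prefix>-sv.key/.csr/.crt/.der/.pem/.crl, the public key in
#         DER and PEM, <prefix>-sv.pubkey-pinned; creates or updates
#         <caprefix>-ca.db, <caprefix>-ca.cnt and the CA serial file.
#
# The passphrase "secret" used below is a fixed placeholder: the key is
# decrypted again right after generation, so the encrypted form does not
# persist. Everything produced here is test material.

# exit on first fail; pipefail additionally makes the pubkey-pinning
# pipeline below fail when any of its stages fails, instead of leaving
# an empty pin file behind with a successful exit status
set -euo pipefail

OPENSSL=openssl
if [ -f /usr/local/ssl/bin/openssl ]; then
  OPENSSL=/usr/local/ssl/bin/openssl
fi

# both commands abort the script (set -e) if the binary is not usable
command -v "$OPENSSL"
"$OPENSSL" version

usage() {
  echo 'Usage is genserv.sh <prefix> <caprefix>'
}

# HOME is pointed at the working directory on purpose; presumably so any
# per-user state OpenSSL keeps ends up here rather than in the real home
# directory -- confirm before removing
HOME=$(pwd)
cd "$HOME"

KEYSIZE=2048
DURATION=300
# The -sha256 option was introduced in OpenSSL 1.0.1
DIGESTALGO=-sha256

REQ=YES
P12=NO
DHP=NO

NOTOK=

PREFIX="${1:-}"
if [ -z "$PREFIX" ]; then
  echo 'No configuration prefix' >&2
  NOTOK=1
else
  if [ ! -f "$PREFIX-sv.prm" ]; then
    echo "No configuration file $PREFIX-sv.prm" >&2
    NOTOK=1
  fi
fi

CAPREFIX="${2:-}"
if [ -z "$CAPREFIX" ]; then
  echo 'No CA prefix' >&2
  NOTOK=1
else
  if [ ! -f "$CAPREFIX-ca.cacert" ]; then
    # message names the file that was actually checked
    echo "No CA certificate file $CAPREFIX-ca.cacert" >&2
    NOTOK=1
  fi
  if [ ! -f "$CAPREFIX-ca.key" ]; then
    echo "No $CAPREFIX key" >&2
    NOTOK=1
  fi
fi

if [ -n "$NOTOK" ]; then
  echo 'Sorry, I cannot do that for you.' >&2
  usage >&2
  # a missing or invalid argument is an error; callers must not see 0
  exit 1
fi

echo "PREFIX=$PREFIX CAPREFIX=$CAPREFIX DURATION=$DURATION KEYSIZE=$KEYSIZE"

# trace every invocation from here on; here-document bodies (and thus the
# placeholder passphrase) are not part of the xtrace output
set -x

if [ "$DHP" = YES ]; then
  "$OPENSSL" dhparam -2 -out "$PREFIX-sv.dhp" "$KEYSIZE"
fi
if [ "$REQ" = YES ]; then
  # the passphrase is supplied on stdin (fd 0) rather than on the command
  # line, so it does not show up in the process list
  "$OPENSSL" req -config "$PREFIX-sv.prm" -newkey "rsa:$KEYSIZE" -keyout "$PREFIX-sv.key" -out "$PREFIX-sv.csr" -passout fd:0 <<EOF
pass:secret
EOF
fi

# remove the placeholder passphrase again: the key is rewritten in place,
# unencrypted
"$OPENSSL" rsa -in "$PREFIX-sv.key" -out "$PREFIX-sv.key" -passin fd:0 <<EOF
pass:secret
EOF

echo 'pseudo secrets generated'

"$OPENSSL" rsa -in "$PREFIX-sv.key" -pubout -outform DER -out "$PREFIX-sv.pub.der"
"$OPENSSL" rsa -in "$PREFIX-sv.key" -pubout -outform PEM -out "$PREFIX-sv.pub.pem"
# sign the CSR with the CA key; -CAcreateserial creates the CA serial file
# if it does not exist yet
"$OPENSSL" x509 -extfile "$PREFIX-sv.prm" -days "$DURATION" -CA "$CAPREFIX-ca.cacert" -CAkey "$CAPREFIX-ca.key" -CAcreateserial -in "$PREFIX-sv.csr" -req -text -nameopt multiline "$DIGESTALGO" > "$PREFIX-sv.crt"

if [ "$P12" = YES ]; then
  # NOTE(review): this (currently disabled) branch reads "$CAPREFIX-ca.crt"
  # while the checks above and the signing step use "$CAPREFIX-ca.cacert";
  # confirm the intended file name before enabling P12
  "$OPENSSL" pkcs12 -export -des3 -out "$PREFIX-sv.p12" -caname "$CAPREFIX" -name "$PREFIX" -inkey "$PREFIX-sv.key" -in "$PREFIX-sv.crt" -certfile "$CAPREFIX-ca.crt"
fi

"$OPENSSL" x509 -noout -text -hash -in "$PREFIX-sv.crt" -nameopt multiline

# revoke server cert: make sure the CA index exists and reset the serial
# counter first, then record the revocation
touch "$CAPREFIX-ca.db"
echo 01 > "$CAPREFIX-ca.cnt"
"$OPENSSL" ca -config "$CAPREFIX-ca.cnf" -revoke "$PREFIX-sv.crt"

# issue CRL
"$OPENSSL" ca -config "$CAPREFIX-ca.cnf" -gencrl -out "$PREFIX-sv.crl"

"$OPENSSL" x509 -in "$PREFIX-sv.crt" -outform der -out "$PREFIX-sv.der"

# all together now; the .dhp file is touched so the cat works when DHP=NO
# left it absent
touch "$PREFIX-sv.dhp"
cat "$PREFIX-sv.prm" "$PREFIX-sv.key" "$PREFIX-sv.crt" "$PREFIX-sv.dhp" > "$PREFIX-sv.pem"
# NOTE(review): only the .prm config is made non-world-readable; the
# private key material (.key, .pem) keeps umask permissions -- confirm
# whether this was meant for the key files instead
chmod o-r "$PREFIX-sv.prm"

# base64(sha256(DER public key)) of the server certificate, written as the
# pinned-public-key reference value
"$OPENSSL" x509 -in "$PREFIX-sv.pem" -pubkey -noout | \
  "$OPENSSL" pkey -pubin -outform der | "$OPENSSL" dgst -sha256 -binary | \
  "$OPENSSL" enc -base64 > "$PREFIX-sv.pubkey-pinned"

echo "$PREFIX-sv.pem done"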