#!/bin/bash
#
#  Copyright (c) 2024, The OpenThread Authors.
#  All rights reserved.
#
#  Redistribution and use in source and binary forms, with or without
#  modification, are permitted provided that the following conditions are met:
#  1. Redistributions of source code must retain the above copyright
#     notice, this list of conditions and the following disclaimer.
#  2. Redistributions in binary form must reproduce the above copyright
#     notice, this list of conditions and the following disclaimer in the
#     documentation and/or other materials provided with the distribution.
#  3. Neither the name of the copyright holder nor the
#     names of its contributors may be used to endorse or promote products
#     derived from this software without specific prior written permission.
#
#  THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
#  AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
#  IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
#  ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
#  LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
#  CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
#  SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
#  INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
#  CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
#  ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
#  POSSIBILITY OF SUCH DAMAGE.
#

# Script to generate a TCAT Device X509v3 certificate: builds a CSR for the
# device key and signs it with the named CA.

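set -euo pipefail

#######################################
# Print usage to stderr and exit with status 1.
#######################################
usage() {
    echo "Usage: ./create-cert-tcat-device.sh <NameOfDevice> <NameOfCA>" >&2
    exit 1
}

#######################################
# Print an error message to stderr and exit with status 1.
# Arguments: $* - message text
#######################################
die() {
    printf 'create-cert-tcat-device.sh: %s\n' "$*" >&2
    exit 1
}

# Temporary CSR path; set by main, removed by cleanup on every exit path.
CSRFILE=""

#######################################
# Remove the temporary CSR. Runs from the EXIT trap, so the CSR is not left
# behind when signing fails (the original only deleted it after success).
#######################################
cleanup() {
    rm -f -- "${CSRFILE:-}"
}

#######################################
# Generate a TCAT device certificate.
# Arguments:
#   $1 - device name; its last character must be a digit (used as device ID)
#   $2 - CA name; reads ca/<CA>_cert.pem and ca/<CA>_key.pem
# Inputs:  keys/<device>_key.pem, ext/<device>.ext (section named <device>)
# Outputs: output/<device>/device_cert.pem plus copies for Commissioner use
# Returns: 0 on success; exits 1 on usage error or missing input file
#######################################
main() {
    [[ $# -eq 2 ]] || usage

    local name="${1}"
    local caname="${2}"
    local cacertfile="ca/${caname}_cert.pem"
    local cakeyfile="ca/${caname}_key.pem"
    local devkeyfile="keys/${name}_key.pem"
    local extfile="ext/${name}.ext"
    local outdir="output/${name}"

    # Validity in days: from now until 2999-12-31, i.e. effectively
    # non-expiring. Only acceptable for test devices. 'date --date' is
    # GNU coreutils syntax.
    local seconds1 seconds2 validity
    seconds1=$(date +%s)                               # time now
    seconds2=$(date --date="2999-12-31 23:59:59Z" +%s) # target end time
    validity=$(( (seconds2 - seconds1) / (24 * 3600) ))
    echo "create-cert-tcat-device.sh - Using validity param -days ${validity}"

    # The numeric device ID is the last character of the device name, so the
    # name must end in a digit; anything else made the arithmetic below fail.
    [[ "${name}" =~ [0-9]$ ]] || die "device name '${name}' must end in a digit"
    local id="${name:0-1}"
    # $(( )) rather than (( )): '(( ID = 0 ))' returns status 1 and aborted
    # the script under 'set -e' whenever the device name ended in 0.
    local serial=$(( 13800 + id ))
    # NOTE: the serial depends only on the last digit of the name, so e.g.
    # "dev1" and "dev11" get the same serial from this CA. RFC 5280 requires
    # serials to be unique per issuer; tolerable only for throwaway test CAs.

    echo "  TCAT device name   : ${name}"
    echo "  TCAT device CA name: ${caname}"
    echo "  Numeric serial ID  : ${id}"

    # Fail early with a clear message instead of an openssl error mid-run.
    local f
    for f in "${devkeyfile}" "${cacertfile}" "${cakeyfile}" "${extfile}"; do
        [[ -f "${f}" ]] || die "required input file '${f}' not found"
    done

    CSRFILE="${name}.csr"
    trap cleanup EXIT

    # Create the CSR. Per IEEE 802.1AR guidance only CN + serialNumber are
    # used, as the manufacturer is already identified by the CA. CN is not
    # mandatory, but good practice.
    openssl req -new -key "${devkeyfile}" -out "${CSRFILE}" -subj \
        "/CN=TCAT Example ${name}/serialNumber=4723-9833-000${id}"

    # Sign the CSR with the CA key, using the extension section named after
    # the device in ext/<device>.ext.
    mkdir -p "${outdir}"
    openssl x509 -set_serial "${serial}" -CAform PEM -CA "${cacertfile}" \
        -CAkey "${cakeyfile}" -extfile "${extfile}" -extensions "${name}" \
        -req -in "${CSRFILE}" -out "${outdir}/device_cert.pem" \
        -days "${validity}" -sha256

    # Copy supporting files so a TCAT Commissioner can use this directory as
    # 'cert_path'. A Commissioner must normally not use device certs; this
    # is provided for testing only. Note the device private key is duplicated
    # into output/ by these copies.
    cp "${outdir}/device_cert.pem" "${outdir}/commissioner_cert.pem"
    cp "${cacertfile}" "${outdir}/ca_cert.pem"
    cp "${devkeyfile}" "${outdir}/commissioner_key.pem"
    cp "${devkeyfile}" "${outdir}/device_key.pem"
}

main "$@"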
77