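#!/bin/bash
#
# Build a throw-away test PKI (root CA -> intermediate CA) and issue TPM
# Endorsement Key (EK) certificates for one RSA and one ECC EK public key.
#
# Usage:
#   $0 RSA_EK_PUB ECC_EK_PUB RSA_EK_CERT ECC_EK_CERT INTERMED_BASE ROOT_BASE
#
#   $1  input : RSA EK public key (PEM)
#   $2  input : ECC EK public key (PEM)
#   $3  output: RSA EK certificate (DER)
#   $4  output: ECC EK certificate (DER)
#   $5  output base name of the intermediate CA: $5.crt (DER cert), $5.crl (DER CRL)
#   $6  output base name of the root CA: $6.crt (DER cert), $6.pem (PEM cert), $6.crl (DER CRL)
#
# root-ca.cnf, intermed-ca.cnf and ek.cnf must sit next to this script.  Their
# ROOTCRT / ROOTCRL / INTERMEDCRT / INTERMEDCRL placeholders are rewritten to
# "file:" URLs of the $5/$6 outputs, so the issuer/CRL URLs embedded in the
# generated certificates are only meaningful on the host that ran this script.
#
# Everything produced here is TEST material: the CA passphrases are hard-coded
# below, the intermediate CA key is additionally written out unencrypted, and
# `set -x` echoes all of it to the trace.  Never reuse this PKI outside tests.
#
# Requires GNU coreutils/sed (date -d, realpath, sed -i) and an OpenSSL whose
# `x509 -req` supports -force_pubkey.

set -x
set -euo pipefail

die() { printf 'create_ca: %s\n' "$*" >&2; exit 1; }

[ $# -eq 6 ] || die "usage: $0 RSA_EK_PUB ECC_EK_PUB RSA_EK_CERT ECC_EK_CERT INTERMED_BASE ROOT_BASE"

echo "Creating ekcert for $1 => $3"
echo "Creating ekcert for $2 => $4"

# The EK public keys are read from inside the temporary CA tree, so they must
# be absolute; the inputs also have to exist, which realpath -e enforces early.
# Outputs are copied after returning to the start directory, so they may stay
# relative.
RSA_EK_PUB="$(realpath -e "$1")"
ECC_EK_PUB="$(realpath -e "$2")"
RSA_EK_CERT=$3
ECC_EK_CERT=$4

ROOTCRT=$6.crt
ROOTCRTPEM=$6.pem
ROOTCRL=$6.crl
INTERMEDCRT=$5.crt
INTERMEDCRL=$5.crl

# $5/$6 are spliced into the OpenSSL configs via sed 's|PLACEHOLDER|file:PATH|'
# with no escaping; refuse the characters that would break or alter that.
for p in "$5" "$6"; do
  case "$p" in
    *'|'*|*'&'*|*$'\n'*) die "output base path must not contain '|', '&' or newline: $p" ;;
  esac
done

EKCADIR="$(dirname "$(realpath "$0")")"

# Absolute path so the EXIT trap works regardless of the directory we are in
# when the script stops.
CA_DIR="$(mktemp -d "${PWD}/ekca-XXXXXX")"

# Remove the scratch PKI on success; on failure keep it (test keys only) so the
# offending OpenSSL state can be inspected.
cleanup() {
  local rc=$?
  if [ "$rc" -eq 0 ]; then
    rm -rf -- "${CA_DIR:?}"
  else
    printf 'create_ca: failed (rc=%d); leaving %s for inspection\n' "$rc" "$CA_DIR" >&2
  fi
}
trap cleanup EXIT

# `openssl ca` wants UTCTime (YYMMDDHHMMSSZ).  Validity starts one day in the
# past to absorb clock skew between this host and the TPM/simulator under test.
not_before() { date -u -d -1day +%y%m%d000000Z; }
# not_after OFFSET  -- e.g. "10years"; one extra day for the same reason.
not_after()  { date -u -d "+$1+1day" +%y%m%d000000Z; }

#######################################
# Create the self-signed root CA in ./root-ca (cwd must be $CA_DIR).
# Globals: EKCADIR, ROOTCRT, ROOTCRL (read); OPENSSL_CONF (exported)
#######################################
make_root_ca() {
  mkdir root-ca
  pushd root-ca

  mkdir certreqs certs crl newcerts private
  touch root-ca.index
  echo 00 > root-ca.crlnum
  echo 1000 > root-ca.serial
  echo "123456" > pass.txt   # test-only passphrase for the root key

  cp "${EKCADIR}/root-ca.cnf" ./
  export OPENSSL_CONF=./root-ca.cnf
  sed -i "s|ROOTCRT|file:${ROOTCRT}|g" "$OPENSSL_CONF"
  sed -i "s|ROOTCRL|file:${ROOTCRL}|g" "$OPENSSL_CONF"

  # No -key: key generation and the subject DN come from root-ca.cnf.
  openssl req -new -out root-ca.req.pem -passout file:pass.txt

  openssl ca -selfsign \
    -in root-ca.req.pem \
    -out root-ca.cert.pem \
    -extensions root-ca_ext \
    -startdate "$(not_before)" \
    -enddate "$(not_after 10years)" \
    -passin file:pass.txt -batch

  openssl x509 -outform der -in root-ca.cert.pem -out root-ca.cert.crt

  # Under set -e a verification failure aborts the run instead of silently
  # producing a broken chain.
  openssl verify -verbose -CAfile root-ca.cert.pem root-ca.cert.pem

  # Empty CRL for the root; consumers may want to check the intermediate.
  openssl ca -gencrl -cert root-ca.cert.pem \
    -out root-ca.cert.crl.pem -passin file:pass.txt
  openssl crl -in root-ca.cert.crl.pem -outform DER -out root-ca.cert.crl

  popd #root-ca
}

#######################################
# Create the intermediate CA in ./intermed-ca, signed by ./root-ca
# (cwd must be $CA_DIR, make_root_ca must have run).
# Globals: EKCADIR, ROOTCRT, INTERMEDCRT (read); OPENSSL_CONF (exported)
#######################################
make_intermed_ca() {
  mkdir intermed-ca
  pushd intermed-ca

  mkdir certreqs certs crl newcerts private
  touch intermed-ca.index
  echo 00 > intermed-ca.crlnum
  echo 2000 > intermed-ca.serial
  echo "abcdef" > pass.txt   # test-only passphrase for the intermediate key

  cp "${EKCADIR}/intermed-ca.cnf" ./
  export OPENSSL_CONF=./intermed-ca.cnf

  # The placeholder names the root *certificate* URL, so substitute the root
  # certificate path here -- not the root CRL path.
  sed -i "s|ROOTCRT|file:${ROOTCRT}|g" "$OPENSSL_CONF"

  # First call generates the key (location per intermed-ca.cnf, presumably
  # private/intermed-ca.key.pem) plus a CSR; the second re-issues the CSR from
  # that key.  Kept as two steps to match the original flow.
  openssl req -new -out intermed-ca.req.pem -passout file:pass.txt
  openssl req -new \
    -key private/intermed-ca.key.pem \
    -out intermed-ca.req.pem \
    -passin file:pass.txt

  # Unencrypted DER copy of the CA key.  Not used by this script; it only
  # ever lives inside the scratch directory.
  openssl rsa -inform PEM -in private/intermed-ca.key.pem \
    -outform DER -out private/intermed-ca.key.der -passin file:pass.txt

  cp intermed-ca.req.pem ../root-ca/certreqs/

  sed -i "s|INTERMEDCRT|file:${INTERMEDCRT}|g" "$OPENSSL_CONF"

  # Sign the intermediate with the root CA.
  pushd ../root-ca
  export OPENSSL_CONF=./root-ca.cnf

  openssl ca \
    -in certreqs/intermed-ca.req.pem \
    -out certs/intermed-ca.cert.pem \
    -extensions intermed-ca_ext \
    -startdate "$(not_before)" \
    -enddate "$(not_after 5years)" \
    -passin file:pass.txt -batch

  openssl x509 -outform der -in certs/intermed-ca.cert.pem \
    -out certs/intermed-ca.cert.crt

  openssl verify -verbose -CAfile root-ca.cert.pem \
    certs/intermed-ca.cert.pem

  cp certs/intermed-ca.cert.pem certs/intermed-ca.cert.crt ../intermed-ca

  popd #root-ca

  # Empty CRL for the intermediate (the EK certs below are issued with
  # `x509 -req` and never enter the CA index, so nothing could be revoked here).
  export OPENSSL_CONF=./intermed-ca.cnf
  openssl ca -gencrl -cert ../root-ca/certs/intermed-ca.cert.pem \
    -out intermed-ca.crl.pem -passin file:pass.txt
  openssl crl -in intermed-ca.crl.pem -outform DER -out intermed-ca.crl

  popd #intermed-ca
}

#######################################
# Issue one EK certificate from the intermediate CA.
# Arguments:
#   $1 NAME   work directory under $CA_DIR and file base name
#             (writes NAME/NAME.cert.der; "ek" for RSA, "ekecc" for ECC)
#   $2 PUBKEY absolute path of the EK public key (PEM)
#   $3 SERIAL certificate serial number; must be unique per issuer
# Globals: EKCADIR, INTERMEDCRT, INTERMEDCRL (read); OPENSSL_CONF (exported)
#######################################
make_ek_cert() {
  local name=$1 pubkey=$2 serial=$3
  local pubname="${name}.pub.pem"
  local certname="${name}.cert.der"

  mkdir "$name"
  pushd "$name"

  cp "${EKCADIR}/ek.cnf" ./
  export OPENSSL_CONF=ek.cnf
  echo "abc123" > pass.txt   # test-only; only the throw-away CSR key sees it

  # Adapt CRT and CRL URLs to the current test directory.
  sed -i "s|INTERMEDCRT|file:${INTERMEDCRT}|g" "$OPENSSL_CONF"
  sed -i "s|INTERMEDCRL|file:${INTERMEDCRL}|g" "$OPENSSL_CONF"

  cp "$pubkey" "../intermed-ca/certreqs/${pubname}"

  # The EK private key never leaves the TPM, so there is no CSR it could sign.
  # Generate a throw-away key+CSR only to carry the subject DN from ek.cnf;
  # the real EK public key is swapped in with -force_pubkey when signing.
  openssl req -new -nodes -newkey rsa:2048 -passin file:pass.txt \
    -out ../intermed-ca/certreqs/nonsense.csr.pem

  pushd ../intermed-ca
  export OPENSSL_CONF=./intermed-ca.cnf

  # No -days given: `openssl x509 -req` defaults to 30 days validity, which is
  # enough for a fixture generated at test time.  The extensions come from the
  # substituted ek.cnf copy in this EK's own directory.
  openssl x509 -req -in certreqs/nonsense.csr.pem \
    -force_pubkey "certreqs/${pubname}" \
    -out "certs/${certname}" -outform DER \
    -extfile "../${name}/ek.cnf" -extensions ek_ext \
    -set_serial "$serial" \
    -CA intermed-ca.cert.pem -CAkey private/intermed-ca.key.pem -passin file:pass.txt

  cp "certs/${certname}" "../${name}/"

  popd #intermed-ca
  popd #EK
}

pushd "$CA_DIR"

make_root_ca
make_intermed_ca

# RFC 5280 requires serial numbers to be unique per issuer, so the two EK
# certificates must not share one.  The RSA serial is kept at 12345.
make_ek_cert ek    "$RSA_EK_PUB" 12345
make_ek_cert ekecc "$ECC_EK_PUB" 12346

popd #CA_DIR

# Copy the used CRL and CRT files to the test directory.
cp "${CA_DIR}/ek/ek.cert.der" "$RSA_EK_CERT"
cp "${CA_DIR}/ekecc/ekecc.cert.der" "$ECC_EK_CERT"
cp "${CA_DIR}/intermed-ca/intermed-ca.cert.crt" "$INTERMEDCRT"
cp "${CA_DIR}/intermed-ca/intermed-ca.crl" "$INTERMEDCRL"
cp "${CA_DIR}/root-ca/root-ca.cert.crt" "$ROOTCRT"
cp "${CA_DIR}/root-ca/root-ca.cert.crl" "$ROOTCRL"
cp "${CA_DIR}/root-ca/root-ca.cert.pem" "$ROOTCRTPEM"

# Scratch directory is removed by the EXIT trap.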