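#!/bin/bash
#
# Build a throw-away two-level test PKI (self-signed root CA -> intermediate
# CA) and use it to issue TPM Endorsement Key (EK) certificates for one RSA
# and one ECC EK public key.  All CA state lives in a temporary directory that
# is removed on exit; only the artefacts listed below are copied out.
#
# Usage:
#   $0 EK_RSA_PUB EK_ECC_PUB EK_RSA_OUT EK_ECC_OUT INTERMED_BASE ROOT_BASE
#
#   $1  RSA EK public key (PEM) to certify
#   $2  ECC EK public key (PEM) to certify
#   $3  where to write the RSA EK certificate (DER)
#   $4  where to write the ECC EK certificate (DER)
#   $5  base name of the intermediate CA outputs: $5.crt (DER cert), $5.crl (DER CRL)
#   $6  base name of the root CA outputs: $6.crt (DER cert), $6.pem (PEM cert),
#       $6.crl (DER CRL)
#
# root-ca.cnf, intermed-ca.cnf and ek.cnf are read from the directory this
# script lives in.  Their ROOTCRT / ROOTCRL / INTERMEDCRT / INTERMEDCRL
# placeholders are rewritten to file: URLs naming the $5 / $6 outputs, so the
# URLs embedded in the issued certificates match the files the test later reads.
#
# SECURITY NOTE: this is a test fixture, not a CA.  The passphrases are fixed
# strings, every command (including the passphrase writes) is echoed by
# `set -x`, and the CA private keys are discarded with the temp directory.
# Never point it at keys or output paths that matter.  The scratch directory
# comes from `mktemp -d` (mode 0700), which is what keeps the throw-away
# private keys and pass.txt files private while they exist.

set -x
# `set -euf` was disabled in the original; instead of relying on -e, every step
# whose failure would invalidate the result is checked explicitly via die().

die() {
  printf 'ekcert: %s\n' "$*" >&2
  exit 1
}

if [ "$#" -ne 6 ]; then
  die "usage: $0 EK_RSA_PUB EK_ECC_PUB EK_RSA_OUT EK_ECC_OUT INTERMED_BASE ROOT_BASE"
fi

echo "Creating ekcert for $1 => $3"
echo "Creating ekcert for $2 => $4"

EK_RSA_PUB=$1
EK_ECC_PUB=$2
EK_RSA_OUT=$3
EK_ECC_OUT=$4
INTERMEDCRT=$5.crt
INTERMEDCRL=$5.crl
ROOTCRT=$6.crt
ROOTCRTPEM=$6.pem
ROOTCRL=$6.crl

# Directory holding the *.cnf templates (next to this script).
EKCADIR="$(dirname "$(realpath "$0")")"

# Output paths $3..$6 may be relative, so remember where we were invoked from.
ORIG_DIR=$PWD

# Scratch PKI directory; absolute so it can be removed from any cwd.  The trap
# also cleans up when die() aborts half-way through.
CA_DIR="$(mktemp -d "${PWD}/ekca-XXXXXX")" || die "mktemp failed"
trap 'rm -rf -- "${CA_DIR:?}"' EXIT

# Day-granular UTC timestamp in the YYMMDDHHMMSSZ form that `openssl ca`
# accepts for -startdate/-enddate.  $1 is a GNU date(1) offset such as "-1day".
utc_date() {
  date -u -d "$1" +%y%m%d000000Z
}

# Rewrite placeholder token $1 in $OPENSSL_CONF with a file: URL for path $2.
# '|', '&' and '\' in the path are escaped so a path cannot alter the sed
# expression (the paths come from the command line).
set_url() {
  local url
  url=$(printf 'file:%s' "$2" | sed 's/[|&\\]/\\&/g')
  sed -i "s|$1|$url|g" "$OPENSSL_CONF" || die "cannot rewrite $1 in $OPENSSL_CONF"
}

# Create the self-signed root CA in $CA_DIR/root-ca:
#   root-ca.cert.pem / root-ca.cert.crt  (PEM / DER certificate)
#   root-ca.cert.crl                     (DER CRL, empty)
make_root_ca() {
  mkdir "$CA_DIR/root-ca" && cd "$CA_DIR/root-ca" || die "cannot create root-ca"
  mkdir certreqs certs crl newcerts private || die "cannot create root-ca layout"
  touch root-ca.index
  echo 00 > root-ca.crlnum
  echo 1000 > root-ca.serial
  echo "123456" > pass.txt      # test-only passphrase (visible in the -x trace)

  cp "${EKCADIR}/root-ca.cnf" ./ || die "root-ca.cnf not found in ${EKCADIR}"
  export OPENSSL_CONF=./root-ca.cnf
  set_url ROOTCRT "$ROOTCRT"
  set_url ROOTCRL "$ROOTCRL"

  # Key + CSR as described by the [req] section of root-ca.cnf.
  openssl req -new -out root-ca.req.pem -passout file:pass.txt \
    || die "root CA request failed"

  # Self-signed root: valid from yesterday for 10 years (+1 day of slack so
  # clock skew around midnight cannot push "now" outside the validity window).
  openssl ca -selfsign \
    -in root-ca.req.pem \
    -out root-ca.cert.pem \
    -extensions root-ca_ext \
    -startdate "$(utc_date -1day)" \
    -enddate "$(utc_date +10years+1day)" \
    -passin file:pass.txt -batch \
    || die "root CA self-sign failed"

  openssl x509 -outform der -in root-ca.cert.pem -out root-ca.cert.crt \
    || die "root CA DER conversion failed"

  # Sanity check: the root must verify against itself.
  openssl verify -verbose -CAfile root-ca.cert.pem root-ca.cert.pem \
    || die "root CA does not self-verify"

  # Empty CRL so the published ROOTCRL file exists and parses.
  openssl ca -gencrl -cert root-ca.cert.pem \
    -out root-ca.cert.crl.pem -passin file:pass.txt \
    || die "root CRL generation failed"
  openssl crl -in root-ca.cert.crl.pem -outform DER -out root-ca.cert.crl \
    || die "root CRL DER conversion failed"
}

# Create the intermediate CA in $CA_DIR/intermed-ca, signed by the root:
#   intermed-ca.cert.pem / intermed-ca.cert.crt  (PEM / DER certificate)
#   intermed-ca.crl                              (DER CRL, empty)
#   private/intermed-ca.key.pem                  (CA key, used by make_ek_cert)
make_intermed_ca() {
  mkdir "$CA_DIR/intermed-ca" && cd "$CA_DIR/intermed-ca" \
    || die "cannot create intermed-ca"
  mkdir certreqs certs crl newcerts private || die "cannot create intermed-ca layout"
  touch intermed-ca.index
  echo 00 > intermed-ca.crlnum
  echo 2000 > intermed-ca.serial
  echo "abcdef" > pass.txt      # test-only passphrase (visible in the -x trace)

  cp "${EKCADIR}/intermed-ca.cnf" ./ || die "intermed-ca.cnf not found in ${EKCADIR}"
  export OPENSSL_CONF=./intermed-ca.cnf

  # The intermediate's config refers to the root *certificate* (ROOTCRT).  An
  # earlier revision reused a ROOT_URL variable that, by this point, held the
  # root CRL URL, so the placeholder was filled with the CRL path instead.
  set_url ROOTCRT "$ROOTCRT"

  # Key + CSR as described by the [req] section; intermed-ca.cnf is expected to
  # write the key to private/intermed-ca.key.pem, which make_ek_cert reads.
  openssl req -new -out intermed-ca.req.pem -passout file:pass.txt \
    || die "intermediate CA request failed"
  cp intermed-ca.req.pem "$CA_DIR/root-ca/certreqs/" \
    || die "cannot hand the intermediate request to the root CA"

  # Substituted after the request is built, as in the original ordering.
  set_url INTERMEDCRT "$INTERMEDCRT"

  # Sign with the root CA: valid from yesterday for 5 years (+1 day of slack).
  (
    cd "$CA_DIR/root-ca" || exit 1
    export OPENSSL_CONF=./root-ca.cnf
    openssl ca \
      -in certreqs/intermed-ca.req.pem \
      -out certs/intermed-ca.cert.pem \
      -extensions intermed-ca_ext \
      -startdate "$(utc_date -1day)" \
      -enddate "$(utc_date +5years+1day)" \
      -passin file:pass.txt -batch || exit 1
    openssl x509 -outform der -in certs/intermed-ca.cert.pem \
      -out certs/intermed-ca.cert.crt || exit 1
    # Sanity check: the intermediate must chain to the root.
    openssl verify -verbose -CAfile root-ca.cert.pem \
      certs/intermed-ca.cert.pem || exit 1
    cp certs/intermed-ca.cert.pem certs/intermed-ca.cert.crt \
      "$CA_DIR/intermed-ca/" || exit 1
  ) || die "signing the intermediate CA failed"

  # Empty CRL issued under the intermediate's own config.
  openssl ca -gencrl -cert "$CA_DIR/root-ca/certs/intermed-ca.cert.pem" \
    -out intermed-ca.crl.pem -passin file:pass.txt \
    || die "intermediate CRL generation failed"
  openssl crl -in intermed-ca.crl.pem -outform DER -out intermed-ca.crl \
    || die "intermediate CRL DER conversion failed"
}

# Issue one EK certificate from the intermediate CA.
#   $1  EK public key (PEM)
#   $2  work-directory / file stem under $CA_DIR ("ek" or "ekecc")
#   $3  certificate serial number.  Must be different for every certificate the
#       intermediate issues (RFC 5280 4.1.2.2); the original used 12345 for both
#       EK certificates, which makes them indistinguishable on a CRL.
# Result: $CA_DIR/$2/$2.cert.der
make_ek_cert() {
  local pubkey=$1 stem=$2 serial=$3
  mkdir "$CA_DIR/$stem" && cd "$CA_DIR/$stem" || die "cannot create $stem"

  cp "${EKCADIR}/ek.cnf" ./ || die "ek.cnf not found in ${EKCADIR}"
  export OPENSSL_CONF=ek.cnf
  echo "abc123" > pass.txt      # test-only passphrase (visible in the -x trace)

  # Point the EK certificate's issuer/CRL URLs at the intermediate's outputs.
  set_url INTERMEDCRT "$INTERMEDCRT"
  set_url INTERMEDCRL "$INTERMEDCRL"

  cp "$pubkey" "$CA_DIR/intermed-ca/certreqs/$stem.pub.pem" \
    || die "cannot read EK public key $pubkey"

  # Only the EK *public* key is available here, so no CSR can be signed by the
  # EK itself.  Build a throw-away CSR with a scratch key and let -force_pubkey
  # below swap the EK's public key in; the scratch key is never used again.
  openssl req -new -nodes -newkey rsa:2048 -passin file:pass.txt \
    -out "$CA_DIR/intermed-ca/certreqs/nonsense.csr.pem" \
    || die "scratch request for $stem failed"

  (
    cd "$CA_DIR/intermed-ca" || exit 1
    export OPENSSL_CONF=./intermed-ca.cnf
    # -extfile is this stem's own (substituted) ek.cnf; the original always
    # read ../ek/ek.cnf, which after substitution has identical content.
    openssl x509 -req -in certreqs/nonsense.csr.pem \
      -force_pubkey "certreqs/$stem.pub.pem" \
      -out "certs/$stem.cert.der" -outform DER \
      -extfile "$CA_DIR/$stem/ek.cnf" -extensions ek_ext \
      -set_serial "$serial" \
      -CA intermed-ca.cert.pem -CAkey private/intermed-ca.key.pem \
      -passin file:pass.txt || exit 1
    cp "certs/$stem.cert.der" "$CA_DIR/$stem/" || exit 1
  ) || die "issuing the $stem certificate failed"
}

make_root_ca
make_intermed_ca
make_ek_cert "$EK_RSA_PUB" ek 12345
make_ek_cert "$EK_ECC_PUB" ekecc 12346

# Back to the invocation directory so relative output paths resolve as given.
cd "$ORIG_DIR" || die "cannot return to $ORIG_DIR"

# Publish the artefacts the caller asked for; the scratch PKI is removed by the
# EXIT trap.
cp "${CA_DIR}/ek/ek.cert.der" "$EK_RSA_OUT" || die "cannot write $EK_RSA_OUT"
cp "${CA_DIR}/ekecc/ekecc.cert.der" "$EK_ECC_OUT" || die "cannot write $EK_ECC_OUT"
cp "${CA_DIR}/intermed-ca/intermed-ca.cert.crt" "$INTERMEDCRT" || die "cannot write $INTERMEDCRT"
cp "${CA_DIR}/intermed-ca/intermed-ca.crl" "$INTERMEDCRL" || die "cannot write $INTERMEDCRL"
cp "${CA_DIR}/root-ca/root-ca.cert.crt" "$ROOTCRT" || die "cannot write $ROOTCRT"
cp "${CA_DIR}/root-ca/root-ca.cert.crl" "$ROOTCRL" || die "cannot write $ROOTCRL"
cp "${CA_DIR}/root-ca/root-ca.cert.pem" "$ROOTCRTPEM" || die "cannot write $ROOTCRTPEM"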
|