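#!/bin/bash

# Use newly built oqsprovider to save PKCS#12 files from the key and
# certificate files generated using alg $1.
# Assumes oqsprovider-certgen.sh has run before for the same algorithm.
#
# Required env:  OPENSSL_APP  - openssl binary under test
#                OPENSSL_CONF - config file that activates oqsprovider
# Optional env:  OPENSSL_MODULES (warned about if unset),
#                LD_LIBRARY_PATH / DYLD_LIBRARY_PATH
# Inputs:        tmp/<alg>_CA.{crt,key}, tmp/<alg>_srv.{crt,key}
# Outputs:       tmp/<alg>_srv_1.p12  (oqsprovider enabled via config)
#                tmp/<alg>_srv_2.p12  (oqsprovider commented out of the
#                                      config, loaded on the command line)
#                tmp/openssl-ca-no-oqsprovider.cnf
# Exit status:   0 on success, 1 on any failure

set -e
set -x

if [ $# -lt 1 ]; then
    echo "Usage: $0 <algorithmname>. Exiting."
    exit 1
fi

alg=$1

echo "oqsprovider-pkcs12gen.sh commencing..."

if [ -z "$OPENSSL_APP" ]; then
    echo "OPENSSL_APP env var not set. Exiting."
    exit 1
fi

if [ -z "$OPENSSL_MODULES" ]; then
    echo "Warning: OPENSSL_MODULES env var not set."
fi

if [ -z "$OPENSSL_CONF" ]; then
    echo "OPENSSL_CONF env var not set. Exiting."
    exit 1
fi

# Set OSX DYLD_LIBRARY_PATH if not already externally set
if [ -z "$DYLD_LIBRARY_PATH" ]; then
    export DYLD_LIBRARY_PATH="$LD_LIBRARY_PATH"
fi

# Assumes certgen has been run before: Quick check
if [[ -f "tmp/${alg}_CA.crt" && -f "tmp/${alg}_CA.key" ]]; then
   echo "Key and certificate using $alg found."
else
   echo "File tmp/${alg}_CA.crt and/or tmp/${alg}_CA.key not found. Did certgen run before? Exiting."
   exit 1
fi

# The server key/cert are what actually gets packed below, so check them too
# rather than letting the openssl call fail with a less obvious message.
if [[ ! -f "tmp/${alg}_srv.crt" || ! -f "tmp/${alg}_srv.key" ]]; then
   echo "File tmp/${alg}_srv.crt and/or tmp/${alg}_srv.key not found. Did certgen run before? Exiting."
   exit 1
fi

echo "Generating PKCS#12 files..."

# pkcs12 test, oqsprovider enabled through $OPENSSL_CONF.
# Under 'set -e' a failing openssl would terminate the script before any
# after-the-fact "$?" test, so the failure branch is attached to the command.
if ! "$OPENSSL_APP" pkcs12 -export -in "tmp/${alg}_srv.crt" -inkey "tmp/${alg}_srv.key" \
        -passout pass: -out "tmp/${alg}_srv_1.p12" \
   || [ ! -f "tmp/${alg}_srv_1.p12" ]; then
    echo "PKCS#12 generation with oqsprovider enabled failed."
    exit 1
fi

# Generate config file with oqsprovider disabled
sed -e 's/^oqsprovider/# oqsprovider/' "$OPENSSL_CONF" > tmp/openssl-ca-no-oqsprovider.cnf

# This prints an error but OpenSSL returns 0 and the .p12 file is generated correctly
if ! OPENSSL_CONF=tmp/openssl-ca-no-oqsprovider.cnf "$OPENSSL_APP" pkcs12 \
        -provider default -provider oqsprovider -export \
        -in "tmp/${alg}_srv.crt" -inkey "tmp/${alg}_srv.key" \
        -passout pass: -out "tmp/${alg}_srv_2.p12" \
   || [ ! -f "tmp/${alg}_srv_2.p12" ]; then
    echo "PKCS#12 generation with oqsprovider disabled failed."
    exit 1
fi

# PKCS#12 protects its bags with password-based encryption and a MAC that both
# use freshly generated random salts, so two .p12 files built from identical
# input are expected to differ byte for byte; a digest of the raw files is not
# a meaningful comparison. Compare what the two files decode to instead.
pem1=$("$OPENSSL_APP" pkcs12 -in "tmp/${alg}_srv_1.p12" -nodes -passin pass:) || {
    echo "Cannot decode tmp/${alg}_srv_1.p12. Exiting."
    exit 1
}
pem2=$("$OPENSSL_APP" pkcs12 -in "tmp/${alg}_srv_2.p12" -nodes -passin pass:) || {
    echo "Cannot decode tmp/${alg}_srv_2.p12. Exiting."
    exit 1
}

if [ "$pem1" != "$pem2" ]; then
    echo "PKCS#12 files differ when oqsprovider is enabled or not."
    exit 1
fi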
69