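#!/usr/bin/env bash
#***************************************************************************
#                                  _   _ ____  _
#  Project                     ___| | | |  _ \| |
#                             / __| | | | |_) | |
#                            | (__| |_| |  _ <| |___
#                             \___|\___/|_| \_\_____|
#
# Copyright (C) EdelWeb for EdelKey and OpenEvidence
#
# This software is licensed as described in the file COPYING, which
# you should have received as part of this distribution. The terms
# are also available at https://curl.se/docs/copyright.html.
#
# You may opt to use, copy, modify, merge, publish, distribute and/or sell
# copies of the Software, and permit persons to whom the Software is
# furnished to do so, under the terms of the COPYING file.
#
# This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
# KIND, either express or implied.
#
# SPDX-License-Identifier: curl
#
###########################################################################
#
# Generate a server key, certificate, revocation entry and CRL, signed by
# an existing test CA.
#
# Usage: genserv.sh <prefix> <caprefix>
#   <prefix>   - basename of the server config: reads <prefix>-sv.prm and
#                writes <prefix>-sv.{key,csr,crt,der,crl,pem,pub.der,pub.pem,
#                dhp,pubkey-pinned}
#   <caprefix> - basename of the CA: reads <caprefix>-ca.cacert,
#                <caprefix>-ca.key and <caprefix>-ca.cnf, and writes
#                <caprefix>-ca.db / <caprefix>-ca.cnt
# Environment:
#   SERIAL     - optional certificate serial; derived from the clock and
#                $RANDOM when unset (test material, not a uniqueness
#                guarantee)
#
# Everything produced here is test material: the key passphrase is the
# literal "secret" and is stripped again right after generation.

# exit on first fail; pipefail so a failing stage in the pubkey-pin
# pipeline at the end cannot leave a truncated pin file behind with
# exit status 0
set -euo pipefail

OPENSSL=openssl
if [ -f /usr/local/ssl/bin/openssl ]; then
  OPENSSL=/usr/local/ssl/bin/openssl
fi

# Prints the usage line (to stdout, as the original did).
usage() {
  echo 'Usage is genserv.sh <prefix> <caprefix>'
}

# NOTE(review): presumably so openssl's per-user files land in the working
# directory rather than the real home — confirm before changing
HOME=$(pwd)
cd "$HOME"

KEYSIZE=2048
DURATION=3000
# The -sha256 option was introduced in OpenSSL 1.0.1
DIGESTALGO=-sha256

REQ=YES
P12=NO
DHP=NO

NOTOK=

PREFIX="${1:-}"
if [ -z "$PREFIX" ]; then
  echo 'No configuration prefix'
  NOTOK=1
else
  if [ ! -f "$PREFIX-sv.prm" ]; then
    echo "No configuration file $PREFIX-sv.prm"
    NOTOK=1
  fi
fi

CAPREFIX="${2:-}"
if [ -z "$CAPREFIX" ]; then
  echo 'No CA prefix'
  NOTOK=1
else
  if [ ! -f "$CAPREFIX-ca.cacert" ]; then
    # message names the file that was actually checked (was ".caert")
    echo "No CA certificate file $CAPREFIX-ca.cacert"
    NOTOK=1
  fi
  if [ ! -f "$CAPREFIX-ca.key" ]; then
    echo "No $CAPREFIX key"
    NOTOK=1
  fi
fi

if [ -n "$NOTOK" ]; then
  echo 'Sorry, I cannot do that for you.'
  usage
  # a usage error must not report success to a calling script
  exit 1
fi

if [ -z "${SERIAL:-}" ]; then
  SERIAL="$(date +'%s')${RANDOM:(-4)}"
fi

echo "SERIAL=$SERIAL PREFIX=$PREFIX CAPREFIX=$CAPREFIX DURATION=$DURATION KEYSIZE=$KEYSIZE"

# trace every openssl invocation from here on; the only secret involved is
# the fixed test passphrase, which is passed on fd 0 and never on argv
set -x

if [ "$DHP" = YES ]; then
  "$OPENSSL" dhparam -2 -out "$PREFIX-sv.dhp" "$KEYSIZE"
fi
if [ "$REQ" = YES ]; then
  # new RSA key + CSR; passphrase read from stdin (-passout fd:0)
  "$OPENSSL" req -config "$PREFIX-sv.prm" -newkey "rsa:$KEYSIZE" -keyout "$PREFIX-sv.key" -out "$PREFIX-sv.csr" -passout fd:0 <<EOF
pass:secret
EOF
fi

# rewrite the key in place without the passphrase so it can be loaded
# unattended
"$OPENSSL" rsa -in "$PREFIX-sv.key" -out "$PREFIX-sv.key" -passin fd:0 <<EOF
pass:secret
EOF

echo 'pseudo secrets generated'

"$OPENSSL" rsa -in "$PREFIX-sv.key" -pubout -outform DER -out "$PREFIX-sv.pub.der"
"$OPENSSL" rsa -in "$PREFIX-sv.key" -pubout -outform PEM -out "$PREFIX-sv.pub.pem"
# sign the CSR with the test CA; extensions are taken from the same .prm
"$OPENSSL" x509 -set_serial "$SERIAL" -extfile "$PREFIX-sv.prm" -days "$DURATION" -CA "$CAPREFIX-ca.cacert" -CAkey "$CAPREFIX-ca.key" -in "$PREFIX-sv.csr" -req -text -nameopt multiline "$DIGESTALGO" > "$PREFIX-sv.crt"

if [ "$P12" = YES ]; then
  # legacy des3 wrapping of the PKCS#12 bundle (disabled by default via P12=NO)
  "$OPENSSL" pkcs12 -export -des3 -out "$PREFIX-sv.p12" -caname "$CAPREFIX" -name "$PREFIX" -inkey "$PREFIX-sv.key" -in "$PREFIX-sv.crt" -certfile "$CAPREFIX-ca.crt"
fi

"$OPENSSL" x509 -noout -text -hash -in "$PREFIX-sv.crt" -nameopt multiline

# revoke server cert: make sure the CA index exists and reset the CRL
# number counter before calling 'openssl ca'
touch "$CAPREFIX-ca.db"
echo 01 > "$CAPREFIX-ca.cnt"
"$OPENSSL" ca -config "$CAPREFIX-ca.cnf" -revoke "$PREFIX-sv.crt"

# issue CRL
"$OPENSSL" ca -config "$CAPREFIX-ca.cnf" -gencrl -out "$PREFIX-sv.crl"

"$OPENSSL" x509 -in "$PREFIX-sv.crt" -outform der -out "$PREFIX-sv.der"

# all together now (an empty .dhp is created if none was generated)
touch "$PREFIX-sv.dhp"
cat "$PREFIX-sv.prm" "$PREFIX-sv.key" "$PREFIX-sv.crt" "$PREFIX-sv.dhp" > "$PREFIX-sv.pem"
# NOTE(review): only the .prm is made non-world-readable here; the .key and
# .pem, which hold the private key, keep their default mode — acceptable for
# test material, but do not reuse this step for real keys
chmod o-r "$PREFIX-sv.prm"

# base64 SHA-256 of the server's DER-encoded public key (SPKI pin)
"$OPENSSL" x509 -in "$PREFIX-sv.pem" -pubkey -noout | \
  "$OPENSSL" pkey -pubin -outform der | "$OPENSSL" dgst -sha256 -binary | \
  "$OPENSSL" enc -base64 > "$PREFIX-sv.pubkey-pinned"

echo "$PREFIX-sv.pem done"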