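#!/usr/bin/env bash
#***************************************************************************
#                                  _   _ ____  _
#  Project                     ___| | | |  _ \| |
#                             / __| | | | |_) | |
#                            | (__| |_| |  _ <| |___
#                             \___|\___/|_| \_\_____|
#
# Copyright (C) EdelWeb for EdelKey and OpenEvidence
#
# This software is licensed as described in the file COPYING, which
# you should have received as part of this distribution. The terms
# are also available at https://curl.se/docs/copyright.html.
#
# You may opt to use, copy, modify, merge, publish, distribute and/or sell
# copies of the Software, and permit persons to whom the Software is
# furnished to do so, under the terms of the COPYING file.
#
# This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
# KIND, either express or implied.
#
# SPDX-License-Identifier: curl
#
###########################################################################
#
# genserv.sh - generate a server key + certificate signed by an existing CA,
# then revoke it and emit a CRL, a DER copy, a combined PEM and a pinned
# public-key hash.
#
# Usage:   genserv.sh <prefix> <caprefix>
#
# Inputs (must exist in the current directory):
#   <prefix>-sv.prm        openssl req/x509 configuration (also used as -extfile)
#   <caprefix>-ca.cacert   CA certificate
#   <caprefix>-ca.key      CA private key
#   <caprefix>-ca.cnf      CA configuration for 'openssl ca' (not checked up front)
#
# Outputs:
#   <prefix>-sv.key / .csr / .crt / .der / .pub.der / .pub.pem / .crl / .pem
#   <prefix>-sv.pubkey-pinned   base64(SHA-256(DER SubjectPublicKeyInfo))
#   <prefix>-sv.dhp             DH params (empty placeholder unless DHP=YES)
#   <prefix>-sv.p12             only when P12=YES
#   Side effects: <caprefix>-ca.db, <caprefix>-ca.cnt and the CA serial file
#   are created/overwritten.
#
# The private key is generated with a fixed throwaway passphrase ("secret")
# and immediately rewritten unencrypted; the result is test-fixture material,
# not a secret to protect.
#
# Exit status: 0 on success, 1 on a usage/input error, non-zero on any failed
# openssl step (set -e).

# exit on first fail; pipefail so the pinned-pubkey pipeline at the end cannot
# silently produce a bogus file when an early stage fails
set -euo pipefail

# prefer a locally built openssl when one is installed
OPENSSL=openssl
if [ -f /usr/local/ssl/bin/openssl ]; then
  OPENSSL=/usr/local/ssl/bin/openssl
fi

# aborts (set -e) when the binary is missing; also records which one is in use
command -v "$OPENSSL"
"$OPENSSL" version

# Print the one-line usage text on stderr.
usage() {
  printf '%s\n' 'Usage is genserv.sh <prefix> <caprefix>' >&2
}

# NOTE(review): HOME is redirected to the working directory; this also moves
# anything openssl resolves relative to $HOME into the output dir - kept as-is,
# confirm it is intentional before changing
HOME=$(pwd)
cd "$HOME"

KEYSIZE=2048
DURATION=300
# The -sha256 option was introduced in OpenSSL 1.0.1
DIGESTALGO=-sha256

# feature switches: create key+CSR, export a PKCS#12 bundle, generate DH params
REQ=YES
P12=NO
DHP=NO

PREFIX="${1:-}"
CAPREFIX="${2:-}"
NOTOK=

# validate inputs; report every problem before giving up
if [ -z "$PREFIX" ]; then
  echo 'No configuration prefix' >&2
  NOTOK=1
elif [ ! -f "$PREFIX-sv.prm" ]; then
  echo "No configuration file $PREFIX-sv.prm" >&2
  NOTOK=1
fi

if [ -z "$CAPREFIX" ]; then
  echo 'No CA prefix' >&2
  NOTOK=1
else
  if [ ! -f "$CAPREFIX-ca.cacert" ]; then
    echo "No CA certificate file $CAPREFIX-ca.cacert" >&2
    NOTOK=1
  fi
  if [ ! -f "$CAPREFIX-ca.key" ]; then
    echo "No $CAPREFIX key" >&2
    NOTOK=1
  fi
fi

if [ -n "$NOTOK" ]; then
  echo 'Sorry, I cannot do that for you.' >&2
  usage
  exit 1
fi

echo "PREFIX=$PREFIX CAPREFIX=$CAPREFIX DURATION=$DURATION KEYSIZE=$KEYSIZE"

set -x

if [ "$DHP" = YES ]; then
  "$OPENSSL" dhparam -2 -out "$PREFIX-sv.dhp" "$KEYSIZE"
fi

# key + CSR; the passphrase is supplied on fd 0 via the here-doc (set -x does
# not echo here-doc bodies, and the value is a fixed fixture literal anyway)
if [ "$REQ" = YES ]; then
  "$OPENSSL" req -config "$PREFIX-sv.prm" -newkey "rsa:$KEYSIZE" \
    -keyout "$PREFIX-sv.key" -out "$PREFIX-sv.csr" -passout fd:0 <<EOF
pass:secret
EOF
fi

# rewrite the key in place without the passphrase (no -passout given)
"$OPENSSL" rsa -in "$PREFIX-sv.key" -out "$PREFIX-sv.key" -passin fd:0 <<EOF
pass:secret
EOF

echo 'pseudo secrets generated'

"$OPENSSL" rsa -in "$PREFIX-sv.key" -pubout -outform DER -out "$PREFIX-sv.pub.der"
"$OPENSSL" rsa -in "$PREFIX-sv.key" -pubout -outform PEM -out "$PREFIX-sv.pub.pem"
# sign the CSR with the CA; -CAcreateserial creates the CA serial file if absent
"$OPENSSL" x509 -extfile "$PREFIX-sv.prm" -days "$DURATION" \
  -CA "$CAPREFIX-ca.cacert" -CAkey "$CAPREFIX-ca.key" -CAcreateserial \
  -in "$PREFIX-sv.csr" -req -text -nameopt multiline "$DIGESTALGO" > "$PREFIX-sv.crt"

# NOTE(review): -certfile uses <caprefix>-ca.crt, which the checks above do
# not verify; only reached when P12=YES
if [ "$P12" = YES ]; then
  "$OPENSSL" pkcs12 -export -des3 -out "$PREFIX-sv.p12" -caname "$CAPREFIX" -name "$PREFIX" \
    -inkey "$PREFIX-sv.key" -in "$PREFIX-sv.crt" -certfile "$CAPREFIX-ca.crt"
fi

"$OPENSSL" x509 -noout -text -hash -in "$PREFIX-sv.crt" -nameopt multiline

# revoke server cert (requires <caprefix>-ca.cnf, which is not checked up front;
# set -e stops the script here if it is missing)
touch "$CAPREFIX-ca.db"
echo 01 > "$CAPREFIX-ca.cnt"
"$OPENSSL" ca -config "$CAPREFIX-ca.cnf" -revoke "$PREFIX-sv.crt"

# issue CRL
"$OPENSSL" ca -config "$CAPREFIX-ca.cnf" -gencrl -out "$PREFIX-sv.crl"

"$OPENSSL" x509 -in "$PREFIX-sv.crt" -outform der -out "$PREFIX-sv.der"

# all together now
touch "$PREFIX-sv.dhp"
cat "$PREFIX-sv.prm" "$PREFIX-sv.key" "$PREFIX-sv.crt" "$PREFIX-sv.dhp" > "$PREFIX-sv.pem"
# NOTE(review): only the .prm config loses world-read here; the .key and the
# combined .pem (which embeds the private key) keep default permissions -
# confirm this is the intended target
chmod o-r "$PREFIX-sv.prm"

# base64(SHA-256(DER SubjectPublicKeyInfo)) of the server public key; with
# pipefail a failure in any stage now fails the script instead of writing a
# hash of empty input
"$OPENSSL" x509 -in "$PREFIX-sv.pem" -pubkey -noout \
  | "$OPENSSL" pkey -pubin -outform der \
  | "$OPENSSL" dgst -sha256 -binary \
  | "$OPENSSL" enc -base64 > "$PREFIX-sv.pubkey-pinned"

echo "$PREFIX-sv.pem done"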