Loading apps/CA.sh +90 −31 Original line number Original line Diff line number Diff line Loading @@ -29,26 +29,56 @@ # default openssl.cnf file has setup as per the following # default openssl.cnf file has setup as per the following # demoCA ... where everything is stored # demoCA ... where everything is stored cp_pem() { infile=$1 outfile=$2 bound=$3 flag=0 exec <$infile; while read line; do if [ $flag -eq 1 ]; then echo $line|grep "^-----END.*$bound" 2>/dev/null 1>/dev/null if [ $? -eq 0 ] ; then echo $line >>$outfile break else echo $line >>$outfile fi fi echo $line|grep "^-----BEGIN.*$bound" 2>/dev/null 1>/dev/null if [ $? -eq 0 ]; then echo $line >$outfile flag=1 fi done } usage() { echo "usage: $0 -newcert|-newreq|-newreq-nodes|-newca|-sign|-verify" >&2 } if [ -z "$OPENSSL" ]; then OPENSSL=openssl; fi if [ -z "$OPENSSL" ]; then OPENSSL=openssl; fi DAYS="-days 365" # 1 year if [ -z "$DAYS" ] ; then DAYS="-days 365" ; fi # 1 year CADAYS="-days 1095" # 3 years CADAYS="-days 1095" # 3 years REQ="$OPENSSL req $SSLEAY_CONFIG" REQ="$OPENSSL req $SSLEAY_CONFIG" CA="$OPENSSL ca $SSLEAY_CONFIG" CA="$OPENSSL ca $SSLEAY_CONFIG" VERIFY="$OPENSSL verify" VERIFY="$OPENSSL verify" X509="$OPENSSL x509" X509="$OPENSSL x509" PKCS12="openssl pkcs12" CATOP=./demoCA if [ -z "$CATOP" ] ; then CATOP=./demoCA ; fi CAKEY=./cakey.pem CAKEY=./cakey.pem CAREQ=./careq.pem CAREQ=./careq.pem CACERT=./cacert.pem CACERT=./cacert.pem for i RET=0 do case $i in while [ "$1" != "" ] ; do case $1 in -\?|-h|-help) -\?|-h|-help) echo "usage: CA -newcert|-newreq|-newca|-sign|-verify" >&2 usage exit 0 exit 0 ;; ;; -newcert) -newcert) Loading 
@@ -63,18 +93,23 @@ case $i in RET=$? RET=$? echo "Request is in newreq.pem, private key is in newkey.pem" echo "Request is in newreq.pem, private key is in newkey.pem" ;; ;; -newreq-nodes) # create a certificate request $REQ -new -nodes -keyout newreq.pem -out newreq.pem $DAYS RET=$? echo "Request (and private key) is in newreq.pem" ;; -newca) -newca) # if explicitly asked for or it doesn't exist then setup the directory # if explicitly asked for or it doesn't exist then setup the directory # structure that Eric likes to manage things # structure that Eric likes to manage things NEW="1" NEW="1" if [ "$NEW" -o ! -f ${CATOP}/serial ]; then if [ "$NEW" -o ! -f ${CATOP}/serial ]; then # create the directory hierarchy # create the directory hierarchy mkdir ${CATOP} mkdir -p ${CATOP} mkdir ${CATOP}/certs mkdir -p ${CATOP}/certs mkdir ${CATOP}/crl mkdir -p ${CATOP}/crl mkdir ${CATOP}/newcerts mkdir -p ${CATOP}/newcerts mkdir ${CATOP}/private mkdir -p ${CATOP}/private echo "00" > ${CATOP}/serial touch ${CATOP}/index.txt touch ${CATOP}/index.txt fi fi if [ ! -f ${CATOP}/private/$CAKEY ]; then if [ ! -f ${CATOP}/private/$CAKEY ]; then Loading 
@@ -83,14 +118,20 @@ case $i in # ask user for existing CA certificate # ask user for existing CA certificate if [ "$FILE" ]; then if [ "$FILE" ]; then cp $FILE ${CATOP}/private/$CAKEY cp_pem $FILE ${CATOP}/private/$CAKEY PRIVATE cp_pem $FILE ${CATOP}/$CACERT CERTIFICATE RET=$? RET=$? if [ ! -f "${CATOP}/serial" ]; then $X509 -in ${CATOP}/$CACERT -noout -next_serial \ -out ${CATOP}/serial fi else else echo "Making CA certificate ..." echo "Making CA certificate ..." $REQ -new -keyout ${CATOP}/private/$CAKEY \ $REQ -new -keyout ${CATOP}/private/$CAKEY \ -out ${CATOP}/$CAREQ -out ${CATOP}/$CAREQ $CA -out ${CATOP}/$CACERT $CADAYS -batch \ $CA -create_serial -out ${CATOP}/$CACERT $CADAYS -batch \ -keyfile ${CATOP}/private/$CAKEY -selfsign \ -keyfile ${CATOP}/private/$CAKEY -selfsign \ -extensions v3_ca \ -infiles ${CATOP}/$CAREQ -infiles ${CATOP}/$CAREQ RET=$? RET=$? fi fi Loading 
@@ -100,16 +141,33 @@ case $i in $CA -policy policy_anything -infiles newreq.pem $CA -policy policy_anything -infiles newreq.pem RET=$? RET=$? ;; ;; -pkcs12) if [ -z "$2" ] ; then CNAME="My Certificate" else CNAME="$2" fi $PKCS12 -in newcert.pem -inkey newreq.pem -certfile ${CATOP}/$CACERT \ -out newcert.p12 -export -name "$CNAME" RET=$? exit $RET ;; -sign|-signreq) -sign|-signreq) $CA -policy policy_anything -out newcert.pem -infiles newreq.pem $CA -policy policy_anything -out newcert.pem -infiles newreq.pem RET=$? RET=$? cat newcert.pem cat newcert.pem echo "Signed certificate is in newcert.pem" echo "Signed certificate is in newcert.pem" ;; ;; -signCA) $CA -policy policy_anything -out newcert.pem -extensions v3_ca -infiles newreq.pem RET=$? echo "Signed CA certificate is in newcert.pem" ;; -signcert) -signcert) echo "Cert passphrase will be requested twice - bug?" echo "Cert passphrase will be requested twice - bug?" $X509 -x509toreq -in newreq.pem -signkey newreq.pem -out tmp.pem $X509 -x509toreq -in newreq.pem -signkey newreq.pem -out tmp.pem $CA -policy policy_anything -out newcert.pem -infiles tmp.pem $CA -policy policy_anything -out newcert.pem -infiles tmp.pem RET=$? cat newcert.pem cat newcert.pem echo "Signed certificate is in newcert.pem" echo "Signed certificate is in newcert.pem" ;; ;; Loading @@ -127,13 +185,14 @@ case $i in fi fi done done fi fi exit 0 exit $RET ;; ;; *) *) echo "Unknown arg $i"; echo "Unknown arg $i" >&2 usage exit 1 exit 1 ;; ;; esac esac shift done done exit $RET exit $RET Loading
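Review bot: The new cp_pem in the first hunk creates its output file with the shell's default umask (`echo $line >$outfile`), so the CA private key it writes to `${CATOP}/private/$CAKEY` in the third hunk will usually be 0644, whereas the `cp $FILE` it replaces carried over the source file's mode. The function also uses `exec <$infile`, which leaves the script's stdin pointed at the input file after it returns, and its exit status is only that of the `while` loop, so the `RET=$?` after the two calls never reflects a missing BEGIN/END block and discards the PRIVATE call's status entirely. The rewrite below creates the file under `umask 077`, feeds the loop with `done <"$infile"` and `read -r`, and returns non-zero when no END line was reached; the callers should then be chained as `cp_pem "$FILE" "${CATOP}/private/$CAKEY" PRIVATE && cp_pem "$FILE" "${CATOP}/$CACERT" CERTIFICATE` before `RET=$?`. Separately, `PKCS12="openssl pkcs12"` in the first hunk should be `PKCS12="$OPENSSL pkcs12"` to match how REQ, CA, VERIFY and X509 are built. The same file section is rendered a second time further down the page, so the remarks apply there as well.
```shell
cp_pem() {
    infile=$1
    outfile=$2
    bound=$3
    flag=0
    found=0
    # Owner-only mode at creation: a PRIVATE block lands under ${CATOP}/private.
    (umask 077; : >"$outfile") || return 1
    while read -r line; do
        if [ "$flag" -eq 1 ]; then
            echo "$line" >>"$outfile"
            if echo "$line" | grep "^-----END.*$bound" >/dev/null 2>&1; then
                found=1
                break
            fi
        fi
        # … unchanged: BEGIN match, truncate $outfile, set flag=1 …
    done <"$infile"
    # Non-zero unless a complete BEGIN..END "$bound" block was copied.
    [ "$found" -eq 1 ]
}
```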
apps/CA.sh +90 −31 Original line number Original line Diff line number Diff line Loading @@ -29,26 +29,56 @@ # default openssl.cnf file has setup as per the following # default openssl.cnf file has setup as per the following # demoCA ... where everything is stored # demoCA ... where everything is stored cp_pem() { infile=$1 outfile=$2 bound=$3 flag=0 exec <$infile; while read line; do if [ $flag -eq 1 ]; then echo $line|grep "^-----END.*$bound" 2>/dev/null 1>/dev/null if [ $? -eq 0 ] ; then echo $line >>$outfile break else echo $line >>$outfile fi fi echo $line|grep "^-----BEGIN.*$bound" 2>/dev/null 1>/dev/null if [ $? -eq 0 ]; then echo $line >$outfile flag=1 fi done } usage() { echo "usage: $0 -newcert|-newreq|-newreq-nodes|-newca|-sign|-verify" >&2 } if [ -z "$OPENSSL" ]; then OPENSSL=openssl; fi if [ -z "$OPENSSL" ]; then OPENSSL=openssl; fi DAYS="-days 365" # 1 year if [ -z "$DAYS" ] ; then DAYS="-days 365" ; fi # 1 year CADAYS="-days 1095" # 3 years CADAYS="-days 1095" # 3 years REQ="$OPENSSL req $SSLEAY_CONFIG" REQ="$OPENSSL req $SSLEAY_CONFIG" CA="$OPENSSL ca $SSLEAY_CONFIG" CA="$OPENSSL ca $SSLEAY_CONFIG" VERIFY="$OPENSSL verify" VERIFY="$OPENSSL verify" X509="$OPENSSL x509" X509="$OPENSSL x509" PKCS12="openssl pkcs12" CATOP=./demoCA if [ -z "$CATOP" ] ; then CATOP=./demoCA ; fi CAKEY=./cakey.pem CAKEY=./cakey.pem CAREQ=./careq.pem CAREQ=./careq.pem CACERT=./cacert.pem CACERT=./cacert.pem for i RET=0 do case $i in while [ "$1" != "" ] ; do case $1 in -\?|-h|-help) -\?|-h|-help) echo "usage: CA -newcert|-newreq|-newca|-sign|-verify" >&2 usage exit 0 exit 0 ;; ;; -newcert) -newcert) Loading 
@@ -63,18 +93,23 @@ case $i in RET=$? RET=$? echo "Request is in newreq.pem, private key is in newkey.pem" echo "Request is in newreq.pem, private key is in newkey.pem" ;; ;; -newreq-nodes) # create a certificate request $REQ -new -nodes -keyout newreq.pem -out newreq.pem $DAYS RET=$? echo "Request (and private key) is in newreq.pem" ;; -newca) -newca) # if explicitly asked for or it doesn't exist then setup the directory # if explicitly asked for or it doesn't exist then setup the directory # structure that Eric likes to manage things # structure that Eric likes to manage things NEW="1" NEW="1" if [ "$NEW" -o ! -f ${CATOP}/serial ]; then if [ "$NEW" -o ! -f ${CATOP}/serial ]; then # create the directory hierarchy # create the directory hierarchy mkdir ${CATOP} mkdir -p ${CATOP} mkdir ${CATOP}/certs mkdir -p ${CATOP}/certs mkdir ${CATOP}/crl mkdir -p ${CATOP}/crl mkdir ${CATOP}/newcerts mkdir -p ${CATOP}/newcerts mkdir ${CATOP}/private mkdir -p ${CATOP}/private echo "00" > ${CATOP}/serial touch ${CATOP}/index.txt touch ${CATOP}/index.txt fi fi if [ ! -f ${CATOP}/private/$CAKEY ]; then if [ ! -f ${CATOP}/private/$CAKEY ]; then Loading 
@@ -83,14 +118,20 @@ case $i in # ask user for existing CA certificate # ask user for existing CA certificate if [ "$FILE" ]; then if [ "$FILE" ]; then cp $FILE ${CATOP}/private/$CAKEY cp_pem $FILE ${CATOP}/private/$CAKEY PRIVATE cp_pem $FILE ${CATOP}/$CACERT CERTIFICATE RET=$? RET=$? if [ ! -f "${CATOP}/serial" ]; then $X509 -in ${CATOP}/$CACERT -noout -next_serial \ -out ${CATOP}/serial fi else else echo "Making CA certificate ..." echo "Making CA certificate ..." $REQ -new -keyout ${CATOP}/private/$CAKEY \ $REQ -new -keyout ${CATOP}/private/$CAKEY \ -out ${CATOP}/$CAREQ -out ${CATOP}/$CAREQ $CA -out ${CATOP}/$CACERT $CADAYS -batch \ $CA -create_serial -out ${CATOP}/$CACERT $CADAYS -batch \ -keyfile ${CATOP}/private/$CAKEY -selfsign \ -keyfile ${CATOP}/private/$CAKEY -selfsign \ -extensions v3_ca \ -infiles ${CATOP}/$CAREQ -infiles ${CATOP}/$CAREQ RET=$? RET=$? fi fi Loading 
@@ -100,16 +141,33 @@ case $i in $CA -policy policy_anything -infiles newreq.pem $CA -policy policy_anything -infiles newreq.pem RET=$? RET=$? ;; ;; -pkcs12) if [ -z "$2" ] ; then CNAME="My Certificate" else CNAME="$2" fi $PKCS12 -in newcert.pem -inkey newreq.pem -certfile ${CATOP}/$CACERT \ -out newcert.p12 -export -name "$CNAME" RET=$? exit $RET ;; -sign|-signreq) -sign|-signreq) $CA -policy policy_anything -out newcert.pem -infiles newreq.pem $CA -policy policy_anything -out newcert.pem -infiles newreq.pem RET=$? RET=$? cat newcert.pem cat newcert.pem echo "Signed certificate is in newcert.pem" echo "Signed certificate is in newcert.pem" ;; ;; -signCA) $CA -policy policy_anything -out newcert.pem -extensions v3_ca -infiles newreq.pem RET=$? echo "Signed CA certificate is in newcert.pem" ;; -signcert) -signcert) echo "Cert passphrase will be requested twice - bug?" echo "Cert passphrase will be requested twice - bug?" $X509 -x509toreq -in newreq.pem -signkey newreq.pem -out tmp.pem $X509 -x509toreq -in newreq.pem -signkey newreq.pem -out tmp.pem $CA -policy policy_anything -out newcert.pem -infiles tmp.pem $CA -policy policy_anything -out newcert.pem -infiles tmp.pem RET=$? cat newcert.pem cat newcert.pem echo "Signed certificate is in newcert.pem" echo "Signed certificate is in newcert.pem" ;; ;; Loading @@ -127,13 +185,14 @@ case $i in fi fi done done fi fi exit 0 exit $RET ;; ;; *) *) echo "Unknown arg $i"; echo "Unknown arg $i" >&2 usage exit 1 exit 1 ;; ;; esac esac shift done done exit $RET exit $RET