1#!/bin/sh
2# $Id: gen-req.sh 21786 2007-08-01 19:37:45Z lha $
3#
# This script needs openssl 0.9.8a or newer so that it can parse the
# otherName section for pkinit certificates.
6#
7
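# Path of the openssl binary used for every step below (0.9.8a or newer,
# see the header). Defaults to the developer's source tree; set $OPENSSL in
# the environment to point at another build, e.g. OPENSSL=/usr/bin/openssl.
openssl=${OPENSSL:-$HOME/src/openssl/openssl-0.9.8e/apps/openssl}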
9
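#######################################
# Generate one test certificate: a fresh RSA key and CSR, then sign the
# CSR in one of three modes selected by $3.
# Globals:   openssl (read), name (written: the output basename)
# Arguments:
#   $1 - subject DN handed to 'openssl req -subj'
#   $2 - basename of the signer, read as $2.crt / $2.key (not used when
#        $3 is "ca")
#   $3 - "ca"    : self-sign with the new key; output basename is "ca"
#        "proxy" : sign directly with $2's key ('openssl x509 -CA')
#        other   : issue through 'openssl ca' (CA database as configured
#                  in openssl.cnf) and use $3 as the output basename
#   $4 - openssl.cnf section: passed to -extensions for "ca"/"proxy",
#        to -name (the CA section) otherwise
#   $5 - output basename, used only for "proxy"
# Outputs:   $name.crt and $name.key in the current directory; in "ca"
#            mode also a <hash>.0 symlink to ca.crt (the hash-directory
#            naming OpenSSL uses for CA lookups). The scratch files
#            cert.req, out.key and cert.crt are overwritten on every call.
# Returns:   1 if key/CSR generation fails, else the status of the last mv
# Note:      RSA-1024, SHA-1 and an unencrypted key (-nodes) are fixture
#            parameters for the test suite, not settings to reuse elsewhere.
#######################################
gen_cert()
{
	# Key generation is chatty on stderr and all output is discarded, so
	# fail here explicitly rather than letting a missing cert.req surface
	# as a confusing error in the signing step below.
	${openssl} req \
		-new \
		-subj "$1" \
		-config openssl.cnf \
		-newkey rsa:1024 \
		-sha1 \
		-nodes \
		-keyout out.key \
		-out cert.req > /dev/null 2>&1 || return 1

	if [ "$3" = "ca" ] ; then
		${openssl} x509 \
			-req \
			-days 3650 \
			-in cert.req \
			-extfile openssl.cnf \
			-extensions "$4" \
			-signkey out.key \
			-out cert.crt

		# ca.crt is what the mv below produces, since $3 is "ca" here.
		ln -s ca.crt "$(${openssl} x509 -hash -noout -in cert.crt).0"

		name=$3
	elif [ "$3" = "proxy" ] ; then
		${openssl} x509 \
			-req \
			-in cert.req \
			-days 3650 \
			-out cert.crt \
			-CA "$2.crt" \
			-CAkey "$2.key" \
			-CAcreateserial \
			-extfile openssl.cnf \
			-extensions "$4"

		name=$5
	else
		# -batch: no interactive confirmation; the index/serial files
		# named in openssl.cnf are updated as a side effect.
		${openssl} ca \
			-name "$4" \
			-days 3650 \
			-cert "$2.crt" \
			-keyfile "$2.key" \
			-in cert.req \
			-out cert.crt \
			-outdir . \
			-batch \
			-config openssl.cnf

		name=$3
	fi

	mv cert.crt "$name.crt"
	mv out.key "$name.key"
}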
69
# Reset the 'openssl ca' database: serial counter at 01 and an empty
# index.txt (presumably the paths configured in openssl.cnf — verify),
# then drop the <hash>.0 symlinks left by a previous run before gen_cert
# creates a fresh one.
echo "01" > serial
> index.txt
rm -f *.0

# Issue order matters: every signer named as the 2nd argument must have
# been generated earlier in this list. The 3rd argument is the output
# basename (or the mode "ca"/"proxy"), the 4th the openssl.cnf section,
# and the 5th the output basename in "proxy" mode — see gen_cert.
gen_cert "/CN=hx509 Test Root CA/C=SE" "root" "ca" "v3_ca"
gen_cert "/CN=OCSP responder/C=SE" "ca" "ocsp-responder" "ocsp"
gen_cert "/CN=Test cert/C=SE" "ca" "test" "usr"
gen_cert "/CN=Revoke cert/C=SE" "ca" "revoke" "usr"
gen_cert "/CN=Test cert KeyEncipherment/C=SE" "ca" "test-ke-only" "usr_ke"
gen_cert "/CN=Test cert DigitalSignature/C=SE" "ca" "test-ds-only" "usr_ds"
gen_cert "/CN=pkinit/C=SE" "ca" "pkinit" "pkinit_client"
gen_cert "/C=SE/CN=pkinit/CN=pkinit-proxy" "pkinit" "proxy" "proxy_cert" pkinit-proxy
gen_cert "/CN=kdc/C=SE" "ca" "kdc" "pkinit_kdc"
gen_cert "/CN=www.test.h5l.se/C=SE" "ca" "https" "https"
gen_cert "/CN=Sub CA/C=SE" "ca" "sub-ca" "subca"
gen_cert "/CN=Test sub cert/C=SE" "sub-ca" "sub-cert" "usr"
# Proxy chains below test.crt. no-proxy-test sits in a proxy position but
# carries the plain usr_cert extensions (presumably a negative case).
gen_cert "/C=SE/CN=Test cert/CN=proxy" "test" "proxy" "proxy_cert" proxy-test
gen_cert "/C=SE/CN=Test cert/CN=proxy/CN=child" "proxy-test" "proxy" "proxy_cert" proxy-level-test
gen_cert "/C=SE/CN=Test cert/CN=no-proxy" "test" "proxy" "usr_cert" no-proxy-test
gen_cert "/C=SE/CN=Test cert/CN=proxy10" "test" "proxy" "proxy10_cert" proxy10-test
gen_cert "/C=SE/CN=Test cert/CN=proxy10/CN=child" "proxy10-test" "proxy" "proxy10_cert" proxy10-child-test
gen_cert "/C=SE/CN=Test cert/CN=proxy10/CN=child/CN=child" "proxy10-child-test" "proxy" "proxy10_cert" proxy10-child-child-test
92
93
# combine: chain/bundle files used by the pkcs12 and client-side tests below
# sub-CA followed by the root (order matches the -caname pairs later)
cat sub-ca.crt ca.crt > sub-ca-combined.crt
# certificate and its private key in one PEM file
cat test.crt test.key > test.combined.crt
# proxy cert followed by the end-entity cert it hangs off
cat pkinit-proxy.crt pkinit.crt > pkinit-proxy-chain.crt

# password protected key
# Passphrases are fixed fixture values; given via -passout pass:... they
# also appear in the process list, which is fine only for test data.
${openssl} rsa -in test.key -aes256 -passout pass:foobar -out test-pw.key
${openssl} rsa -in pkinit.key -aes256 -passout pass:foo -out pkinit-pw.key
102
103
# Revoke revoke.crt in the CA index using the same CA section (-name usr)
# that issued it, so the index-driven OCSP responses and the CRL generated
# further down carry the revocation entry.
${openssl} ca \
    -name usr \
    -cert ca.crt \
    -keyfile ca.key \
    -revoke revoke.crt \
    -config openssl.cnf 
110
# PKCS#12 bundles. The passphrase "foobar" is a fixed fixture value and,
# passed as -passout pass:..., is visible on the command line.

# test cert + key, with the issuing CA attached under the friendly name "ca"
${openssl} pkcs12 \
    -export \
    -in test.crt \
    -inkey test.key \
    -passout pass:foobar \
    -out test.p12 \
    -name "friendlyname-test" \
    -certfile ca.crt \
    -caname ca

# sub-cert with its two-level chain; one -caname per cert in
# sub-ca-combined.crt (sub-ca first, then ca)
${openssl} pkcs12 \
    -export \
    -in sub-cert.crt \
    -inkey sub-cert.key \
    -passout pass:foobar \
    -out sub-cert.p12 \
    -name "friendlyname-sub-cert" \
    -certfile sub-ca-combined.crt \
    -caname sub-ca \
    -caname ca

# same content as test.p12 but -keypbe/-certpbe NONE: key and certificate
# are stored without PBE encryption (presumably the passphrase then only
# feeds the integrity MAC — verify against pkcs12(1))
${openssl} pkcs12 \
    -keypbe NONE \
    -certpbe NONE \
    -export \
    -in test.crt \
    -inkey test.key \
    -passout pass:foobar \
    -out test-nopw.p12 \
    -name "friendlyname-cert" \
    -certfile ca.crt \
    -caname ca
143
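#######################################
# Sign static-file with test.crt/test.key as DER (PKCS#7/S-MIME) signed data.
# Globals:   openssl (read)
# Arguments: $1 - output file
#            remaining arguments are extra 'openssl smime' options placed
#            between -inkey and -outform (e.g. -noattr, -nocerts)
# Outputs:   DER signed data written to $1
# Returns:   exit status of openssl
#######################################
sign_static_file()
{
	sign_out=$1
	shift
	${openssl} smime \
	    -sign \
	    -nodetach \
	    -binary \
	    -in static-file \
	    -signer test.crt \
	    -inkey test.key \
	    "$@" \
	    -outform DER \
	    -out "$sign_out"
}

#######################################
# Encrypt static-file for the recipient test.crt as DER enveloped data.
# Globals:   openssl (read)
# Arguments: $1 - suffix of the output name, written as test-enveloped-$1
#            $2 - openssl content-cipher option without its leading dash
# Outputs:   test-enveloped-$1
# Returns:   exit status of openssl
#######################################
envelope_static_file()
{
	${openssl} smime \
	    -encrypt \
	    -nodetach \
	    -binary \
	    -in static-file \
	    -outform DER \
	    -out "test-enveloped-$1" \
	    "-$2" \
	    test.crt
}

# Signed-data fixtures: with signed attributes, without them (-noattr), and
# without attributes or the embedded signer certificate (-noattr -nocerts).
sign_static_file test-signed-data
sign_static_file test-signed-data-noattr -noattr
sign_static_file test-signed-data-noattr-nocerts -noattr -nocerts

# Enveloped-data fixtures, one per content cipher, as "<suffix>:<cipher option>".
# RC2-40/64 and single DES are weak legacy ciphers; presumably kept so the
# decoder side is exercised against them. They are test vectors only.
for spec in \
    rc2-40:rc2-40 \
    rc2-64:rc2-64 \
    rc2-128:rc2-128 \
    des:des \
    des-ede3:des3 \
    aes-128:aes128 \
    aes-256:aes256
do
	envelope_static_file "${spec%%:*}" "${spec#*:}"
done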
246
echo ocsp requests

# Request for the (still valid) test cert. It is answered below from
# index.txt in four responder configurations. -noverify skips OpenSSL's
# own verification pass when producing the response (see ocsp(1) for
# exactly what is skipped); the results are fixtures for client-side tests.
${openssl} ocsp \
    -issuer ca.crt \
    -cert test.crt \
    -reqout ocsp-req1.der

# response signed by the dedicated OCSP responder cert
${openssl} ocsp \
    -index index.txt \
    -rsigner ocsp-responder.crt \
    -rkey ocsp-responder.key \
    -CA ca.crt \
    -reqin ocsp-req1.der \
    -noverify \
    -respout ocsp-resp1-ocsp.der

# response signed directly by the CA key
${openssl} ocsp \
    -index index.txt \
    -rsigner ca.crt \
    -rkey ca.key \
    -CA ca.crt \
    -reqin ocsp-req1.der \
    -noverify \
    -respout ocsp-resp1-ca.der

# responder cert not embedded in the response (-resp_no_certs); a client
# must already hold ocsp-responder.crt to validate it
${openssl} ocsp \
    -index index.txt \
    -rsigner ocsp-responder.crt \
    -rkey ocsp-responder.key \
    -CA ca.crt \
    -resp_no_certs \
    -reqin ocsp-req1.der \
    -noverify \
    -respout ocsp-resp1-ocsp-no-cert.der

# responder identified by key hash instead of name (-resp_key_id)
${openssl} ocsp \
    -index index.txt \
    -rsigner ocsp-responder.crt \
    -rkey ocsp-responder.key \
    -CA ca.crt \
    -reqin ocsp-req1.der \
    -resp_key_id \
    -noverify \
    -respout ocsp-resp1-keyhash.der

# Request/response pair for revoke.crt, revoked earlier via 'openssl ca -revoke'
${openssl} ocsp \
    -issuer ca.crt \
    -cert revoke.crt \
    -reqout ocsp-req2.der

${openssl} ocsp \
    -index index.txt \
    -rsigner ocsp-responder.crt \
    -rkey ocsp-responder.key \
    -CA ca.crt \
    -reqin ocsp-req2.der \
    -noverify \
    -respout ocsp-resp2.der
305
# CRL for the "usr" CA section (its index holds the revoke.crt entry),
# valid for 3600 days. -crl_reason is documented for ca(1) -revoke; its
# effect together with -gencrl is unclear — verify before relying on it.
${openssl} ca \
    -gencrl \
    -name usr \
    -crldays 3600 \
    -keyfile ca.key \
    -cert ca.crt \
    -crl_reason superseded \
    -out crl1.crl \
    -config openssl.cnf 

# PEM -> DER copy of the same CRL
${openssl} crl -in crl1.crl -outform der -out crl1.der
317