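#!/bin/sh
# Copyright 2013-2022 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the Apache License 2.0 (the "License").  You may not use
# this file except in compliance with the License.  You can obtain a copy
# in the file LICENSE in the source distribution or at
# https://www.openssl.org/source/license.html


# Utility to recreate S/MIME certificates
#
# Every key generated here is written with -noenc, i.e. the private key is
# stored unencrypted next to its certificate, and certificates are issued
# for roughly 100 years (-days 36500/36501). The output is test material
# only and must never be trusted or reused outside the test suite.
#
# All paths are relative (ca.cnf, ../../apps/openssl), so the script has to
# be run from the directory that holds ca.cnf.

# Stop at the first failing command. Every request is written to the same
# req.pem, so without this a failed "req" step would leave the previous
# request in place and the following "x509" step would sign it, appending a
# certificate that does not match the freshly generated key.
set -e

# Remove intermediate files on every exit path, including an early abort.
# smtmp.pem holds a throwaway private key and should not be left behind.
trap 'rm -f req.pem ecp.pem ecp2.pem dsap.pem dhp.pem dhpub.pem smtmp.pem smroot.srl' EXIT

OPENSSL=../../apps/openssl
OPENSSL_CONF=./ca.cnf
export OPENSSL_CONF

# Root CA: create certificate directly
# Key and self-signed certificate both go to smroot.pem.
CN="Test S/MIME RSA Root" "$OPENSSL" req -config ca.cnf -x509 -noenc \
	-keyout smroot.pem -out smroot.pem -newkey rsa:2048 -days 36501

# EE RSA certificates: create request first
# "req" writes the new private key to the target .pem; the signed
# certificate is then appended (>>) so each file holds key + certificate.
CN="Test S/MIME EE RSA #1" "$OPENSSL" req -config ca.cnf -noenc \
	-keyout smrsa1.pem -out req.pem -newkey rsa:2048
# Sign request: end entity extensions
"$OPENSSL" x509 -req -in req.pem -CA smroot.pem -days 36500 \
	-extfile ca.cnf -extensions usr_cert -CAcreateserial >>smrsa1.pem

CN="Test S/MIME EE RSA #2" "$OPENSSL" req -config ca.cnf -noenc \
	-keyout smrsa2.pem -out req.pem -newkey rsa:2048
"$OPENSSL" x509 -req -in req.pem -CA smroot.pem -days 36500 \
	-extfile ca.cnf -extensions usr_cert -CAcreateserial >>smrsa2.pem

CN="Test S/MIME EE RSA #3" "$OPENSSL" req -config ca.cnf -noenc \
	-keyout smrsa3.pem -out req.pem -newkey rsa:2048
"$OPENSSL" x509 -req -in req.pem -CA smroot.pem -days 36500 \
	-extfile ca.cnf -extensions usr_cert -CAcreateserial >>smrsa3.pem

# Create DSA parameters

"$OPENSSL" dsaparam -out dsap.pem 2048

CN="Test S/MIME EE DSA #1" "$OPENSSL" req -config ca.cnf -noenc \
	-keyout smdsa1.pem -out req.pem -newkey dsa:dsap.pem
"$OPENSSL" x509 -req -in req.pem -CA smroot.pem -days 36500 \
	-extfile ca.cnf -extensions usr_cert -CAcreateserial >>smdsa1.pem
CN="Test S/MIME EE DSA #2" "$OPENSSL" req -config ca.cnf -noenc \
	-keyout smdsa2.pem -out req.pem -newkey dsa:dsap.pem
"$OPENSSL" x509 -req -in req.pem -CA smroot.pem -days 36500 \
	-extfile ca.cnf -extensions usr_cert -CAcreateserial >>smdsa2.pem
CN="Test S/MIME EE DSA #3" "$OPENSSL" req -config ca.cnf -noenc \
	-keyout smdsa3.pem -out req.pem -newkey dsa:dsap.pem
"$OPENSSL" x509 -req -in req.pem -CA smroot.pem -days 36500 \
	-extfile ca.cnf -extensions usr_cert -CAcreateserial >>smdsa3.pem

# Create EC parameters

"$OPENSSL" ecparam -out ecp.pem -name P-256
"$OPENSSL" ecparam -out ecp2.pem -name K-283

CN="Test S/MIME EE EC #1" "$OPENSSL" req -config ca.cnf -noenc \
	-keyout smec1.pem -out req.pem -newkey ec:ecp.pem
"$OPENSSL" x509 -req -in req.pem -CA smroot.pem -days 36500 \
	-extfile ca.cnf -extensions usr_cert -CAcreateserial >>smec1.pem
CN="Test S/MIME EE EC #2" "$OPENSSL" req -config ca.cnf -noenc \
	-keyout smec2.pem -out req.pem -newkey ec:ecp2.pem
"$OPENSSL" x509 -req -in req.pem -CA smroot.pem -days 36500 \
	-extfile ca.cnf -extensions usr_cert -CAcreateserial >>smec2.pem
# Do not renew this cert as it is used for legacy data decrypt test
#CN="Test S/MIME EE EC #3" $OPENSSL req -config ca.cnf -noenc \
#	-keyout smec3.pem -out req.pem -newkey ec:ecp.pem
#$OPENSSL x509 -req -in req.pem -CA smroot.pem -days 36500 \
#	-extfile ca.cnf -extensions usr_cert -CAcreateserial >>smec3.pem
# Create X9.42 DH parameters.
"$OPENSSL" genpkey -genparam -algorithm DHX -out dhp.pem
# Generate X9.42 DH key.
"$OPENSSL" genpkey -paramfile dhp.pem -out smdh.pem
"$OPENSSL" pkey -pubout -in smdh.pem -out dhpub.pem
# Generate dummy request.
# The RSA key written to smtmp.pem exists only to produce a request; it is
# discarded by the exit trap.
CN="Test S/MIME EE DH #1" "$OPENSSL" req -config ca.cnf -noenc \
	-keyout smtmp.pem -out req.pem -newkey rsa:2048
# Sign request but force public key to DH
"$OPENSSL" x509 -req -in req.pem -CA smroot.pem -days 36500 \
	-force_pubkey dhpub.pem \
	-extfile ca.cnf -extensions usr_cert -CAcreateserial >>smdh.pem
# Temp files are removed by the EXIT trap installed at the top.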