1#! /bin/bash
2
3set -e
4
5DAYS=182500
6
7key() {
8    local key=$1; shift
9
10    if [ ! -f "${key}.pem" ]; then
11	openssl genpkey \
12	    -paramfile <(openssl ecparam -name prime256v1) \
13	    -out "${key}.pem"
14    fi
15}
16
17req() {
18    local key=$1; shift
19    local dn=$1; shift
20
21    openssl req -new -sha256 -key "${key}.pem" \
22	-config <(printf "[req]\n%s\n%s\n[dn]\nCN_default=foo\n" \
23		   "prompt = yes" "distinguished_name = dn") \
24	-subj "${dn}"
25}
26
27cert() {
28    local cert=$1; shift
29    local exts=$1; shift
30
31    openssl x509 -req -sha256 -out "${cert}.pem" \
32	-extfile <(printf "%s\n" "$exts") "$@"
33}
34
35genroot() {
36    local dn=$1; shift
37    local key=$1; shift
38    local cert=$1; shift
39
40    exts=$(printf "%s\n%s\n%s\n%s\n" \
41	   "subjectKeyIdentifier = hash" \
42	   "authorityKeyIdentifier  = keyid" \
43	   "basicConstraints = CA:true" \
44	   "keyUsage = keyCertSign, cRLSign" )
45    key "$key"; req "$key" "$dn" |
46	cert "$cert" "$exts" -signkey "${key}.pem" \
47	    -set_serial 1 -days "${DAYS}"
48}
49
50genee() {
51    local dn=$1; shift
52    local key=$1; shift
53    local cert=$1; shift
54    local cakey=$1; shift
55    local cacert=$1; shift
56
57    exts=$(printf "%s\n%s\n%s\n%s\n" \
58	    "subjectKeyIdentifier = hash" \
59	    "authorityKeyIdentifier = keyid, issuer" \
60	    "basicConstraints = CA:false" \
61	    "keyUsage = digitalSignature, keyEncipherment, dataEncipherment" \
62	)
63    key "$key"; req "$key" "$dn" |
64	cert "$cert" "$exts" -CA "${cacert}.pem" -CAkey "${cakey}.pem" \
65	    -set_serial 2 -days "${DAYS}" "$@"
66}
67
68
69genroot "/C=SE/O=Heimdal/CN=CA secp256r1" \
70	secp256r1TestCA.key secp256r1TestCA.cert
71genee "/C=SE/O=Heimdal/CN=Server" \
72	secp256r2TestServer.key secp256r2TestServer.cert \
73	secp256r1TestCA.key secp256r1TestCA.cert
74genee "/C=SE/O=Heimdal/CN=Client" \
75	secp256r2TestClient.key secp256r2TestClient.cert \
76	secp256r1TestCA.key secp256r1TestCA.cert
77
78cat secp256r1TestCA.key.pem secp256r1TestCA.cert.pem > \
79	secp256r1TestCA.pem
80cat secp256r2TestClient.cert.pem secp256r2TestClient.key.pem > \
81	secp256r2TestClient.pem
82cat secp256r2TestServer.cert.pem secp256r2TestServer.key.pem > \
83	secp256r2TestServer.pem
84