]>
Commit | Line | Data |
---|---|---|
84783517 VD |
1 | #! /bin/bash |
2 | # | |
3 | # Copyright (c) 2016 Viktor Dukhovni <openssl-users@dukhovni.org>. | |
4 | # All rights reserved. | |
5 | # | |
6 | # Contributed to the OpenSSL project under the terms of the OpenSSL license | |
7 | # included with the version of the OpenSSL software that includes this module. | |
8 | ||
9 | # 100 years should be enough for now | |
10 | # | |
b58614d7 DSH |
11 | if [ -z "$DAYS" ]; then |
12 | DAYS=36525 | |
13 | fi | |
84783517 | 14 | |
fbb82a60 VD |
15 | if [ -z "$OPENSSL_SIGALG" ]; then |
16 | OPENSSL_SIGALG=sha256 | |
17 | fi | |
18 | ||
d83b7e1a DSH |
19 | if [ -z "$REQMASK" ]; then |
20 | REQMASK=utf8only | |
21 | fi | |
22 | ||
84783517 VD |
23 | stderr_onerror() { |
24 | ( | |
25 | err=$("$@" >&3 2>&1) || { | |
26 | printf "%s\n" "$err" >&2 | |
27 | exit 1 | |
28 | } | |
29 | ) 3>&1 | |
30 | } | |
31 | ||
32 | key() { | |
33 | local key=$1; shift | |
34 | ||
35 | local alg=rsa | |
36 | if [ -n "$OPENSSL_KEYALG" ]; then | |
37 | alg=$OPENSSL_KEYALG | |
38 | fi | |
39 | ||
40 | local bits=2048 | |
41 | if [ -n "$OPENSSL_KEYBITS" ]; then | |
42 | bits=$OPENSSL_KEYBITS | |
43 | fi | |
44 | ||
45 | if [ ! -f "${key}.pem" ]; then | |
46 | args=(-algorithm "$alg") | |
47 | case $alg in | |
48 | rsa) args=("${args[@]}" -pkeyopt rsa_keygen_bits:$bits );; | |
c0a445a9 | 49 | ec) args=("${args[@]}" -pkeyopt "ec_paramgen_curve:$bits") |
84783517 VD |
50 | args=("${args[@]}" -pkeyopt ec_param_enc:named_curve);; |
51 | *) printf "Unsupported key algorithm: %s\n" "$alg" >&2; return 1;; | |
52 | esac | |
53 | stderr_onerror \ | |
54 | openssl genpkey "${args[@]}" -out "${key}.pem" | |
55 | fi | |
56 | } | |
57 | ||
71c8cd20 | 58 | # Usage: $0 req keyname dn1 dn2 ... |
84783517 VD |
59 | req() { |
60 | local key=$1; shift | |
84783517 VD |
61 | |
62 | key "$key" | |
63 | local errs | |
64 | ||
65 | stderr_onerror \ | |
fbb82a60 | 66 | openssl req -new -"${OPENSSL_SIGALG}" -key "${key}.pem" \ |
d83b7e1a DSH |
67 | -config <(printf "string_mask=%s\n[req]\n%s\n%s\n[dn]\n" \ |
68 | "$REQMASK" "prompt = no" "distinguished_name = dn" | |
71c8cd20 | 69 | for dn in "$@"; do echo "$dn"; done) |
84783517 VD |
70 | } |
71 | ||
72 | req_nocn() { | |
73 | local key=$1; shift | |
74 | ||
75 | key "$key" | |
76 | stderr_onerror \ | |
fbb82a60 | 77 | openssl req -new -"${OPENSSL_SIGALG}" -subj / -key "${key}.pem" \ |
84783517 VD |
78 | -config <(printf "[req]\n%s\n[dn]\nCN_default =\n" \ |
79 | "distinguished_name = dn") | |
80 | } | |
81 | ||
82 | cert() { | |
83 | local cert=$1; shift | |
84 | local exts=$1; shift | |
85 | ||
86 | stderr_onerror \ | |
fbb82a60 | 87 | openssl x509 -req -"${OPENSSL_SIGALG}" -out "${cert}.pem" \ |
84783517 VD |
88 | -extfile <(printf "%s\n" "$exts") "$@" |
89 | } | |
90 | ||
91 | genroot() { | |
92 | local cn=$1; shift | |
93 | local key=$1; shift | |
94 | local cert=$1; shift | |
95 | local skid="subjectKeyIdentifier = hash" | |
96 | local akid="authorityKeyIdentifier = keyid" | |
97 | ||
a7be5759 | 98 | exts=$(printf "%s\n%s\n%s\n" "$skid" "$akid" "basicConstraints = critical,CA:true") |
33cc5dde VD |
99 | for eku in "$@" |
100 | do | |
101 | exts=$(printf "%s\nextendedKeyUsage = %s\n" "$exts" "$eku") | |
102 | done | |
71c8cd20 | 103 | csr=$(req "$key" "CN = $cn") || return 1 |
84783517 VD |
104 | echo "$csr" | |
105 | cert "$cert" "$exts" -signkey "${key}.pem" -set_serial 1 -days "${DAYS}" | |
106 | } | |
107 | ||
108 | genca() { | |
109 | local cn=$1; shift | |
110 | local key=$1; shift | |
111 | local cert=$1; shift | |
112 | local cakey=$1; shift | |
113 | local cacert=$1; shift | |
114 | local skid="subjectKeyIdentifier = hash" | |
115 | local akid="authorityKeyIdentifier = keyid" | |
116 | ||
a7be5759 | 117 | exts=$(printf "%s\n%s\n%s\n" "$skid" "$akid" "basicConstraints = critical,CA:true") |
33cc5dde VD |
118 | for eku in "$@" |
119 | do | |
120 | exts=$(printf "%s\nextendedKeyUsage = %s\n" "$exts" "$eku") | |
121 | done | |
d83b7e1a DSH |
122 | if [ -n "$NC" ]; then |
123 | exts=$(printf "%s\nnameConstraints = %s\n" "$exts" "$NC") | |
124 | fi | |
71c8cd20 | 125 | csr=$(req "$key" "CN = $cn") || return 1 |
84783517 VD |
126 | echo "$csr" | |
127 | cert "$cert" "$exts" -CA "${cacert}.pem" -CAkey "${cakey}.pem" \ | |
33cc5dde | 128 | -set_serial 2 -days "${DAYS}" |
84783517 VD |
129 | } |
130 | ||
4d9e33ac VD |
131 | gen_nonbc_ca() { |
132 | local cn=$1; shift | |
133 | local key=$1; shift | |
134 | local cert=$1; shift | |
135 | local cakey=$1; shift | |
136 | local cacert=$1; shift | |
137 | local skid="subjectKeyIdentifier = hash" | |
138 | local akid="authorityKeyIdentifier = keyid" | |
139 | ||
140 | exts=$(printf "%s\n%s\n%s\n" "$skid" "$akid") | |
141 | exts=$(printf "%s\nkeyUsage = %s\n" "$exts" "keyCertSign, cRLSign") | |
142 | for eku in "$@" | |
143 | do | |
144 | exts=$(printf "%s\nextendedKeyUsage = %s\n" "$exts" "$eku") | |
145 | done | |
71c8cd20 | 146 | csr=$(req "$key" "CN = $cn") || return 1 |
4d9e33ac VD |
147 | echo "$csr" | |
148 | cert "$cert" "$exts" -CA "${cacert}.pem" -CAkey "${cakey}.pem" \ | |
149 | -set_serial 2 -days "${DAYS}" | |
150 | } | |
151 | ||
71c8cd20 RL |
152 | # Usage: $0 genpc keyname certname eekeyname eecertname pcext1 pcext2 ... |
153 | # | |
154 | # Note: takes csr on stdin, so must be used with $0 req like this: | |
155 | # | |
156 | # $0 req keyname dn | $0 genpc keyname certname eekeyname eecertname pcext ... | |
157 | genpc() { | |
158 | local key=$1; shift | |
159 | local cert=$1; shift | |
160 | local cakey=$1; shift | |
161 | local ca=$1; shift | |
162 | ||
163 | exts=$(printf "%s\n%s\n%s\n%s\n" \ | |
164 | "subjectKeyIdentifier = hash" \ | |
165 | "authorityKeyIdentifier = keyid, issuer:always" \ | |
166 | "basicConstraints = CA:false" \ | |
167 | "proxyCertInfo = critical, @pcexts"; | |
168 | echo "[pcexts]"; | |
169 | for x in "$@"; do echo $x; done) | |
170 | cert "$cert" "$exts" -CA "${ca}.pem" -CAkey "${cakey}.pem" \ | |
171 | -set_serial 2 -days "${DAYS}" | |
172 | } | |
173 | ||
d83b7e1a DSH |
174 | # Usage: $0 genalt keyname certname eekeyname eecertname alt1 alt2 ... |
175 | # | |
176 | # Note: takes csr on stdin, so must be used with $0 req like this: | |
177 | # | |
178 | # $0 req keyname dn | $0 genalt keyname certname eekeyname eecertname alt ... | |
179 | geneealt() { | |
180 | local key=$1; shift | |
181 | local cert=$1; shift | |
182 | local cakey=$1; shift | |
183 | local ca=$1; shift | |
184 | ||
185 | exts=$(printf "%s\n%s\n%s\n%s\n" \ | |
186 | "subjectKeyIdentifier = hash" \ | |
187 | "authorityKeyIdentifier = keyid" \ | |
188 | "basicConstraints = CA:false" \ | |
189 | "subjectAltName = @alts"; | |
190 | echo "[alts]"; | |
191 | for x in "$@"; do echo $x; done) | |
192 | cert "$cert" "$exts" -CA "${ca}.pem" -CAkey "${cakey}.pem" \ | |
193 | -set_serial 2 -days "${DAYS}" | |
194 | } | |
195 | ||
84783517 VD |
196 | genee() { |
197 | local OPTIND=1 | |
198 | local purpose=serverAuth | |
199 | ||
200 | while getopts p: o | |
201 | do | |
202 | case $o in | |
203 | p) purpose="$OPTARG";; | |
204 | *) echo "Usage: $0 genee [-p EKU] cn keyname certname cakeyname cacertname" >&2 | |
205 | return 1;; | |
206 | esac | |
207 | done | |
208 | ||
209 | shift $((OPTIND - 1)) | |
210 | local cn=$1; shift | |
211 | local key=$1; shift | |
212 | local cert=$1; shift | |
213 | local cakey=$1; shift | |
214 | local ca=$1; shift | |
215 | ||
216 | exts=$(printf "%s\n%s\n%s\n%s\n%s\n[alts]\n%s\n" \ | |
217 | "subjectKeyIdentifier = hash" \ | |
218 | "authorityKeyIdentifier = keyid, issuer" \ | |
219 | "basicConstraints = CA:false" \ | |
220 | "extendedKeyUsage = $purpose" \ | |
221 | "subjectAltName = @alts" "DNS=${cn}") | |
71c8cd20 | 222 | csr=$(req "$key" "CN = $cn") || return 1 |
84783517 VD |
223 | echo "$csr" | |
224 | cert "$cert" "$exts" -CA "${ca}.pem" -CAkey "${cakey}.pem" \ | |
225 | -set_serial 2 -days "${DAYS}" "$@" | |
226 | } | |
227 | ||
228 | genss() { | |
229 | local cn=$1; shift | |
230 | local key=$1; shift | |
231 | local cert=$1; shift | |
232 | ||
233 | exts=$(printf "%s\n%s\n%s\n%s\n%s\n[alts]\n%s\n" \ | |
234 | "subjectKeyIdentifier = hash" \ | |
235 | "authorityKeyIdentifier = keyid, issuer" \ | |
236 | "basicConstraints = CA:false" \ | |
237 | "extendedKeyUsage = serverAuth" \ | |
238 | "subjectAltName = @alts" "DNS=${cn}") | |
71c8cd20 | 239 | csr=$(req "$key" "CN = $cn") || return 1 |
84783517 VD |
240 | echo "$csr" | |
241 | cert "$cert" "$exts" -signkey "${key}.pem" \ | |
242 | -set_serial 1 -days "${DAYS}" "$@" | |
243 | } | |
244 | ||
245 | gennocn() { | |
246 | local key=$1; shift | |
247 | local cert=$1; shift | |
248 | ||
249 | csr=$(req_nocn "$key") || return 1 | |
250 | echo "$csr" | | |
251 | cert "$cert" "" -signkey "${key}.pem" -set_serial 1 -days -1 "$@" | |
252 | } | |
253 | ||
254 | "$@" |