[thirdparty/openssl.git] / test / certs / mkcert.sh

#! /bin/bash
#
# Copyright 2016-2017 The OpenSSL Project Authors. All Rights Reserved.
# Copyright (c) 2016 Viktor Dukhovni <openssl-users@dukhovni.org>.
# All rights reserved.
#
# Licensed under the OpenSSL license (the "License").  You may not use
# this file except in compliance with the License.  You can obtain a copy
# in the file LICENSE in the source distribution or at
# https://www.openssl.org/source/license.html

# This file is dual-licensed and is also available under other terms.
# Please contact the author.

# 100 years should be enough for now
if [ -z "$DAYS" ]; then
    DAYS=36525
fi

if [ -z "$OPENSSL_SIGALG" ]; then
    OPENSSL_SIGALG=sha256
fi

if [ -z "$REQMASK" ]; then
    REQMASK=utf8only
fi

stderr_onerror() {
    (
        err=$("$@" >&3 2>&1) || {
            printf "%s\n" "$err" >&2
            exit 1
        }
    ) 3>&1
}

key() {
    local key=$1; shift

    local alg=rsa
    if [ -n "$OPENSSL_KEYALG" ]; then
        alg=$OPENSSL_KEYALG
    fi

    local bits=2048
    if [ -n "$OPENSSL_KEYBITS" ]; then
        bits=$OPENSSL_KEYBITS
    fi

    if [ ! -f "${key}.pem" ]; then
        args=(-algorithm "$alg")
        case $alg in
        rsa) args=("${args[@]}" -pkeyopt rsa_keygen_bits:$bits );;
        ec)  args=("${args[@]}" -pkeyopt "ec_paramgen_curve:$bits")
               args=("${args[@]}" -pkeyopt ec_param_enc:named_curve);;
        dsa)  args=(-paramfile "$bits");;
        ed25519)  ;;
        *) printf "Unsupported key algorithm: %s\n" "$alg" >&2; return 1;;
        esac
        stderr_onerror \
            openssl genpkey "${args[@]}" -out "${key}.pem"
    fi
}

# Usage: $0 req keyname dn1 dn2 ...
req() {
    local key=$1; shift

    key "$key"
    local errs

    stderr_onerror \
        openssl req -new -"${OPENSSL_SIGALG}" -key "${key}.pem" \
            -config <(printf "string_mask=%s\n[req]\n%s\n%s\n[dn]\n" \
              "$REQMASK" "prompt = no" "distinguished_name = dn"
                      for dn in "$@"; do echo "$dn"; done)
}

req_nocn() {
    local key=$1; shift

    key "$key"
    stderr_onerror \
        openssl req -new -"${OPENSSL_SIGALG}" -subj / -key "${key}.pem" \
            -config <(printf "[req]\n%s\n[dn]\nCN_default =\n" \
		      "distinguished_name = dn")
}

cert() {
    local cert=$1; shift
    local exts=$1; shift

    stderr_onerror \
        openssl x509 -req -"${OPENSSL_SIGALG}" -out "${cert}.pem" \
            -extfile <(printf "%s\n" "$exts") "$@"
}

genroot() {
    local cn=$1; shift
    local key=$1; shift
    local cert=$1; shift
    local skid="subjectKeyIdentifier = hash"
    local akid="authorityKeyIdentifier = keyid"

    exts=$(printf "%s\n%s\n%s\n" "$skid" "$akid" "basicConstraints = critical,CA:true")
    for eku in "$@"
    do
        exts=$(printf "%s\nextendedKeyUsage = %s\n" "$exts" "$eku")
    done
    csr=$(req "$key" "CN = $cn") || return 1
    echo "$csr" |
       cert "$cert" "$exts" -signkey "${key}.pem" -set_serial 1 -days "${DAYS}"
}

genca() {
    local cn=$1; shift
    local key=$1; shift
    local cert=$1; shift
    local cakey=$1; shift
    local cacert=$1; shift
    local skid="subjectKeyIdentifier = hash"
    local akid="authorityKeyIdentifier = keyid"

    exts=$(printf "%s\n%s\n%s\n" "$skid" "$akid" "basicConstraints = critical,CA:true")
    for eku in "$@"
    do
        exts=$(printf "%s\nextendedKeyUsage = %s\n" "$exts" "$eku")
    done
    if [ -n "$NC" ]; then
        exts=$(printf "%s\nnameConstraints = %s\n" "$exts" "$NC")
    fi
    csr=$(req "$key" "CN = $cn") || return 1
    echo "$csr" |
        cert "$cert" "$exts" -CA "${cacert}.pem" -CAkey "${cakey}.pem" \
	    -set_serial 2 -days "${DAYS}"
}

gen_nonbc_ca() {
    local cn=$1; shift
    local key=$1; shift
    local cert=$1; shift
    local cakey=$1; shift
    local cacert=$1; shift
    local skid="subjectKeyIdentifier = hash"
    local akid="authorityKeyIdentifier = keyid"

    exts=$(printf "%s\n%s\n%s\n" "$skid" "$akid")
    exts=$(printf "%s\nkeyUsage = %s\n" "$exts" "keyCertSign, cRLSign")
    for eku in "$@"
    do
        exts=$(printf "%s\nextendedKeyUsage = %s\n" "$exts" "$eku")
    done
    csr=$(req "$key" "CN = $cn") || return 1
    echo "$csr" |
        cert "$cert" "$exts" -CA "${cacert}.pem" -CAkey "${cakey}.pem" \
	    -set_serial 2 -days "${DAYS}"
}

# Usage: $0 genpc keyname certname eekeyname eecertname pcext1 pcext2 ...
#
# Note: takes csr on stdin, so must be used with $0 req like this:
#
# $0 req keyname dn | $0 genpc keyname certname eekeyname eecertname pcext ...
genpc() {
    local key=$1; shift
    local cert=$1; shift
    local cakey=$1; shift
    local ca=$1; shift

    exts=$(printf "%s\n%s\n%s\n%s\n" \
	    "subjectKeyIdentifier = hash" \
	    "authorityKeyIdentifier = keyid, issuer:always" \
	    "basicConstraints = CA:false" \
	    "proxyCertInfo = critical, @pcexts";
           echo "[pcexts]";
           for x in "$@"; do echo $x; done)
    cert "$cert" "$exts" -CA "${ca}.pem" -CAkey "${cakey}.pem" \
	 -set_serial 2 -days "${DAYS}"
}

# Usage: $0 geneealt keyname certname eekeyname eecertname alt1 alt2 ...
#
# Note: takes csr on stdin, so must be used with $0 req like this:
#
# $0 req keyname dn | $0 geneealt keyname certname eekeyname eecertname alt ...
geneealt() {
    local key=$1; shift
    local cert=$1; shift
    local cakey=$1; shift
    local ca=$1; shift

    exts=$(printf "%s\n%s\n%s\n%s\n" \
	    "subjectKeyIdentifier = hash" \
	    "authorityKeyIdentifier = keyid" \
	    "basicConstraints = CA:false" \
	    "subjectAltName = @alts";
           echo "[alts]";
           for x in "$@"; do echo $x; done)
    cert "$cert" "$exts" -CA "${ca}.pem" -CAkey "${cakey}.pem" \
	 -set_serial 2 -days "${DAYS}"
}

genee() {
    local OPTIND=1
    local purpose=serverAuth

    while getopts p: o
    do
        case $o in
        p) purpose="$OPTARG";;
        *) echo "Usage: $0 genee [-p EKU] cn keyname certname cakeyname cacertname" >&2
           return 1;;
        esac
    done

    shift $((OPTIND - 1))
    local cn=$1; shift
    local key=$1; shift
    local cert=$1; shift
    local cakey=$1; shift
    local ca=$1; shift

    exts=$(printf "%s\n%s\n%s\n%s\n%s\n[alts]\n%s\n" \
	    "subjectKeyIdentifier = hash" \
	    "authorityKeyIdentifier = keyid, issuer" \
	    "basicConstraints = CA:false" \
	    "extendedKeyUsage = $purpose" \
	    "subjectAltName = @alts" "DNS=${cn}")
    csr=$(req "$key" "CN = $cn") || return 1
    echo "$csr" |
	cert "$cert" "$exts" -CA "${ca}.pem" -CAkey "${cakey}.pem" \
	    -set_serial 2 -days "${DAYS}" "$@"
}

genss() {
    local cn=$1; shift
    local key=$1; shift
    local cert=$1; shift

    exts=$(printf "%s\n%s\n%s\n%s\n%s\n[alts]\n%s\n" \
	    "subjectKeyIdentifier   = hash" \
	    "authorityKeyIdentifier = keyid, issuer" \
	    "basicConstraints = CA:false" \
	    "extendedKeyUsage = serverAuth" \
	    "subjectAltName = @alts" "DNS=${cn}")
    csr=$(req "$key" "CN = $cn") || return 1
    echo "$csr" |
        cert "$cert" "$exts" -signkey "${key}.pem" \
            -set_serial 1 -days "${DAYS}" "$@"
}

gennocn() {
    local key=$1; shift
    local cert=$1; shift

    csr=$(req_nocn "$key") || return 1
    echo "$csr" |
	cert "$cert" "" -signkey "${key}.pem" -set_serial 1 -days -1 "$@"
}

"$@"
Commit	Line	Data
84783517 VD	1	#! /bin/bash
84783517 VD	2	#
624265c6	3	# Copyright 2016-2017 The OpenSSL Project Authors. All Rights Reserved.
84783517 VD	4	# Copyright (c) 2016 Viktor Dukhovni <openssl-users@dukhovni.org>.
	5	# All rights reserved.
	6	#
624265c6 RS	7	# Licensed under the OpenSSL license (the "License"). You may not use
	8	# this file except in compliance with the License. You can obtain a copy
	9	# in the file LICENSE in the source distribution or at
	10	# https://www.openssl.org/source/license.html
	11
	12	# This file is dual-licensed and is also available under other terms.
	13	# Please contact the author.
84783517 VD	14
84783517 VD	15	# 100 years should be enough for now
b58614d7 DSH	16	if [ -z "$DAYS" ]; then
	17	DAYS=36525
	18	fi
84783517	19
fbb82a60 VD	20	if [ -z "$OPENSSL_SIGALG" ]; then
	21	OPENSSL_SIGALG=sha256
	22	fi
	23
d83b7e1a DSH	24	if [ -z "$REQMASK" ]; then
	25	REQMASK=utf8only
	26	fi
	27
84783517 VD	28	stderr_onerror() {
	29	(
	30	err=$("$@" >&3 2>&1) \|\| {
	31	printf "%s\n" "$err" >&2
	32	exit 1
	33	}
	34	) 3>&1
	35	}
	36
	37	key() {
	38	local key=$1; shift
	39
	40	local alg=rsa
	41	if [ -n "$OPENSSL_KEYALG" ]; then
	42	alg=$OPENSSL_KEYALG
	43	fi
	44
	45	local bits=2048
	46	if [ -n "$OPENSSL_KEYBITS" ]; then
	47	bits=$OPENSSL_KEYBITS
	48	fi
	49
	50	if [ ! -f "${key}.pem" ]; then
	51	args=(-algorithm "$alg")
	52	case $alg in
	53	rsa) args=("${args[@]}" -pkeyopt rsa_keygen_bits:$bits );;
c0a445a9	54	ec) args=("${args[@]}" -pkeyopt "ec_paramgen_curve:$bits")
84783517	55	args=("${args[@]}" -pkeyopt ec_param_enc:named_curve);;
0c8736f4	56	dsa) args=(-paramfile "$bits");;
bc88fc79	57	ed25519) ;;
84783517 VD	58	*) printf "Unsupported key algorithm: %s\n" "$alg" >&2; return 1;;
	59	esac
	60	stderr_onerror \
	61	openssl genpkey "${args[@]}" -out "${key}.pem"
	62	fi
	63	}
	64
71c8cd20	65	# Usage: $0 req keyname dn1 dn2 ...
84783517 VD	66	req() {
84783517 VD	67	local key=$1; shift
84783517 VD	68
	69	key "$key"
	70	local errs
	71
	72	stderr_onerror \
fbb82a60	73	openssl req -new -"${OPENSSL_SIGALG}" -key "${key}.pem" \
d83b7e1a DSH	74	-config <(printf "string_mask=%s\n[req]\n%s\n%s\n[dn]\n" \
d83b7e1a DSH	75	"$REQMASK" "prompt = no" "distinguished_name = dn"
71c8cd20	76	for dn in "$@"; do echo "$dn"; done)
84783517 VD	77	}
	78
	79	req_nocn() {
	80	local key=$1; shift
	81
	82	key "$key"
	83	stderr_onerror \
fbb82a60	84	openssl req -new -"${OPENSSL_SIGALG}" -subj / -key "${key}.pem" \
84783517 VD	85	-config <(printf "[req]\n%s\n[dn]\nCN_default =\n" \
	86	"distinguished_name = dn")
	87	}
	88
	89	cert() {
	90	local cert=$1; shift
	91	local exts=$1; shift
	92
	93	stderr_onerror \
fbb82a60	94	openssl x509 -req -"${OPENSSL_SIGALG}" -out "${cert}.pem" \
84783517 VD	95	-extfile <(printf "%s\n" "$exts") "$@"
	96	}
	97
	98	genroot() {
	99	local cn=$1; shift
	100	local key=$1; shift
	101	local cert=$1; shift
	102	local skid="subjectKeyIdentifier = hash"
	103	local akid="authorityKeyIdentifier = keyid"
	104
a7be5759	105	exts=$(printf "%s\n%s\n%s\n" "$skid" "$akid" "basicConstraints = critical,CA:true")
33cc5dde VD	106	for eku in "$@"
	107	do
	108	exts=$(printf "%s\nextendedKeyUsage = %s\n" "$exts" "$eku")
	109	done
71c8cd20	110	csr=$(req "$key" "CN = $cn") \|\| return 1
84783517 VD	111	echo "$csr" \|
	112	cert "$cert" "$exts" -signkey "${key}.pem" -set_serial 1 -days "${DAYS}"
	113	}
	114
	115	genca() {
	116	local cn=$1; shift
	117	local key=$1; shift
	118	local cert=$1; shift
	119	local cakey=$1; shift
	120	local cacert=$1; shift
	121	local skid="subjectKeyIdentifier = hash"
	122	local akid="authorityKeyIdentifier = keyid"
	123
a7be5759	124	exts=$(printf "%s\n%s\n%s\n" "$skid" "$akid" "basicConstraints = critical,CA:true")
33cc5dde VD	125	for eku in "$@"
	126	do
	127	exts=$(printf "%s\nextendedKeyUsage = %s\n" "$exts" "$eku")
	128	done
d83b7e1a DSH	129	if [ -n "$NC" ]; then
	130	exts=$(printf "%s\nnameConstraints = %s\n" "$exts" "$NC")
	131	fi
71c8cd20	132	csr=$(req "$key" "CN = $cn") \|\| return 1
84783517 VD	133	echo "$csr" \|
84783517 VD	134	cert "$cert" "$exts" -CA "${cacert}.pem" -CAkey "${cakey}.pem" \
33cc5dde	135	-set_serial 2 -days "${DAYS}"
84783517 VD	136	}
84783517 VD	137
4d9e33ac VD	138	gen_nonbc_ca() {
	139	local cn=$1; shift
	140	local key=$1; shift
	141	local cert=$1; shift
	142	local cakey=$1; shift
	143	local cacert=$1; shift
	144	local skid="subjectKeyIdentifier = hash"
	145	local akid="authorityKeyIdentifier = keyid"
	146
	147	exts=$(printf "%s\n%s\n%s\n" "$skid" "$akid")
	148	exts=$(printf "%s\nkeyUsage = %s\n" "$exts" "keyCertSign, cRLSign")
	149	for eku in "$@"
	150	do
	151	exts=$(printf "%s\nextendedKeyUsage = %s\n" "$exts" "$eku")
	152	done
71c8cd20	153	csr=$(req "$key" "CN = $cn") \|\| return 1
4d9e33ac VD	154	echo "$csr" \|
	155	cert "$cert" "$exts" -CA "${cacert}.pem" -CAkey "${cakey}.pem" \
	156	-set_serial 2 -days "${DAYS}"
	157	}
	158
71c8cd20 RL	159	# Usage: $0 genpc keyname certname eekeyname eecertname pcext1 pcext2 ...
	160	#
	161	# Note: takes csr on stdin, so must be used with $0 req like this:
	162	#
	163	# $0 req keyname dn \| $0 genpc keyname certname eekeyname eecertname pcext ...
	164	genpc() {
	165	local key=$1; shift
	166	local cert=$1; shift
	167	local cakey=$1; shift
	168	local ca=$1; shift
	169
	170	exts=$(printf "%s\n%s\n%s\n%s\n" \
	171	"subjectKeyIdentifier = hash" \
	172	"authorityKeyIdentifier = keyid, issuer:always" \
	173	"basicConstraints = CA:false" \
	174	"proxyCertInfo = critical, @pcexts";
	175	echo "[pcexts]";
	176	for x in "$@"; do echo $x; done)
	177	cert "$cert" "$exts" -CA "${ca}.pem" -CAkey "${cakey}.pem" \
	178	-set_serial 2 -days "${DAYS}"
	179	}
	180
46f4e1be	181	# Usage: $0 geneealt keyname certname eekeyname eecertname alt1 alt2 ...
d83b7e1a DSH	182	#
	183	# Note: takes csr on stdin, so must be used with $0 req like this:
	184	#
46f4e1be	185	# $0 req keyname dn \| $0 geneealt keyname certname eekeyname eecertname alt ...
d83b7e1a DSH	186	geneealt() {
	187	local key=$1; shift
	188	local cert=$1; shift
	189	local cakey=$1; shift
	190	local ca=$1; shift
	191
	192	exts=$(printf "%s\n%s\n%s\n%s\n" \
	193	"subjectKeyIdentifier = hash" \
	194	"authorityKeyIdentifier = keyid" \
	195	"basicConstraints = CA:false" \
	196	"subjectAltName = @alts";
	197	echo "[alts]";
	198	for x in "$@"; do echo $x; done)
	199	cert "$cert" "$exts" -CA "${ca}.pem" -CAkey "${cakey}.pem" \
	200	-set_serial 2 -days "${DAYS}"
	201	}
	202
84783517 VD	203	genee() {
	204	local OPTIND=1
	205	local purpose=serverAuth
	206
	207	while getopts p: o
	208	do
	209	case $o in
	210	p) purpose="$OPTARG";;
	211	*) echo "Usage: $0 genee [-p EKU] cn keyname certname cakeyname cacertname" >&2
	212	return 1;;
	213	esac
	214	done
	215
	216	shift $((OPTIND - 1))
	217	local cn=$1; shift
	218	local key=$1; shift
	219	local cert=$1; shift
	220	local cakey=$1; shift
	221	local ca=$1; shift
	222
	223	exts=$(printf "%s\n%s\n%s\n%s\n%s\n[alts]\n%s\n" \
	224	"subjectKeyIdentifier = hash" \
	225	"authorityKeyIdentifier = keyid, issuer" \
	226	"basicConstraints = CA:false" \
	227	"extendedKeyUsage = $purpose" \
	228	"subjectAltName = @alts" "DNS=${cn}")
71c8cd20	229	csr=$(req "$key" "CN = $cn") \|\| return 1
84783517 VD	230	echo "$csr" \|
	231	cert "$cert" "$exts" -CA "${ca}.pem" -CAkey "${cakey}.pem" \
	232	-set_serial 2 -days "${DAYS}" "$@"
	233	}
	234
	235	genss() {
	236	local cn=$1; shift
	237	local key=$1; shift
	238	local cert=$1; shift
	239
	240	exts=$(printf "%s\n%s\n%s\n%s\n%s\n[alts]\n%s\n" \
	241	"subjectKeyIdentifier = hash" \
	242	"authorityKeyIdentifier = keyid, issuer" \
	243	"basicConstraints = CA:false" \
	244	"extendedKeyUsage = serverAuth" \
	245	"subjectAltName = @alts" "DNS=${cn}")
71c8cd20	246	csr=$(req "$key" "CN = $cn") \|\| return 1
84783517 VD	247	echo "$csr" \|
	248	cert "$cert" "$exts" -signkey "${key}.pem" \
	249	-set_serial 1 -days "${DAYS}" "$@"
	250	}
	251
	252	gennocn() {
	253	local key=$1; shift
	254	local cert=$1; shift
	255
	256	csr=$(req_nocn "$key") \|\| return 1
	257	echo "$csr" \|
	258	cert "$cert" "" -signkey "${key}.pem" -set_serial 1 -days -1 "$@"
	259	}
	260
	261	"$@"