source: vbox/trunk/src/libs/openssl-3.0.7/test/certs/mkcert.sh@ 98227

Last change on this file since 98227 was 94320, checked in by vboxsync, 3 years ago

libs/openssl-3.0.1: Export to OSE and fix copyright headers in Makefiles, bugref:10128

#! /bin/bash
#
# Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved.
# Copyright (c) 2016 Viktor Dukhovni <openssl-users@dukhovni.org>.
# All rights reserved.
#
# Licensed under the Apache License 2.0 (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
# in the file LICENSE in the source distribution or at
# https://www.openssl.org/source/license.html

# This file is dual-licensed and is also available under other terms.
# Please contact the author.

# Generates the private keys, CSRs and certificates used as fixtures by the
# OpenSSL test suite.  Invoke as `mkcert.sh <function> args...` (genroot,
# genca, genee, ...); see the Usage comment on each function.  Everything here
# is deliberately test-grade: unencrypted keys, fixed serial numbers and
# roughly 100-year validity.  Do not use it to mint production material.

# Default validity for every certificate produced here: roughly 100 years,
# so the fixtures do not expire under the test suite.  Override with DAYS.
: "${DAYS:=36525}"

# Digest passed to `openssl req` / `openssl x509` as -<alg>.
: "${OPENSSL_SIGALG:=sha256}"

# string_mask for the generated request config (DN string encoding).
: "${REQMASK:=utf8only}"
27
28stderr_onerror() {
29 (
30 err=$("$@" >&3 2>&1) || {
31 printf "%s\n" "$err" >&2
32 exit 1
33 }
34 ) 3>&1
35}
36
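# Usage: key keyname
#
# Generate an unencrypted private key in keyname.pem unless that file already
# exists (existing keys are reused so fixtures stay stable across runs).
# Algorithm and size come from the environment:
#   OPENSSL_KEYALG   rsa (default), ec, dsa, ed25519 or ed448
#   OPENSSL_KEYBITS  modulus bits for rsa (default 2048); the curve name for
#                    ec; the DSA parameter file for dsa; ignored otherwise
# Returns 1 for an unsupported algorithm or if openssl genpkey fails.
# NOTE: test material only — the key is written in the clear with whatever
# the process umask allows; never point this at a location that matters.
key() {
    local key=$1; shift
    local alg=${OPENSSL_KEYALG:-rsa}
    local bits=${OPENSSL_KEYBITS:-2048}
    local args

    # Nothing to do when the key already exists.
    [ -f "${key}.pem" ] && return 0

    args=(-algorithm "$alg")
    case $alg in
    rsa) args+=(-pkeyopt "rsa_keygen_bits:$bits");;
    ec) args+=(-pkeyopt "ec_paramgen_curve:$bits" -pkeyopt ec_param_enc:named_curve);;
    # For DSA "bits" names a parameter file, and -paramfile replaces -algorithm.
    dsa) args=(-paramfile "$bits");;
    ed25519|ed448) ;;
    *) printf "Unsupported key algorithm: %s\n" "$alg" >&2; return 1;;
    esac
    stderr_onerror \
        openssl genpkey "${args[@]}" -out "${key}.pem"
}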
65
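# Usage: req keyname dn1 dn2 ...
#
# Emit a PEM CSR on stdout for keyname.pem (generating the key first via
# key()).  Each dnN is written verbatim as one line of the [dn] section of a
# generated req config, e.g. "CN = example.com"; string_mask comes from
# REQMASK and the digest from OPENSSL_SIGALG.  The values are spliced into
# the config unescaped, so a fragment containing a newline or "[" would be
# read as further config — callers pass fixed literals only.
# Returns 1 if the key cannot be produced or openssl req fails.
req() {
    local key=$1; shift

    key "$key" || return 1

    stderr_onerror \
        openssl req -new -"${OPENSSL_SIGALG}" -key "${key}.pem" \
            -config <(printf "string_mask=%s\n[req]\n%s\n%s\n[dn]\n" \
                             "$REQMASK" "prompt = no" "distinguished_name = dn"
                      for dn in "$@"; do printf "%s\n" "$dn"; done)
}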
79
# Usage: req_nocn keyname
#
# Like req(), but produce a CSR with an empty subject ("-subj /"), for the
# fixture whose certificate carries no CN.  The generated config declares
# only a [dn] section with an empty CN_default so openssl req does not
# prompt.
req_nocn() {
    local key=$1; shift
    local cfg

    key "$key"
    cfg=$(printf "[req]\n%s\n[dn]\nCN_default =\n" "distinguished_name = dn")
    stderr_onerror \
        openssl req -new -"${OPENSSL_SIGALG}" -subj / -key "${key}.pem" \
            -config <(printf "%s\n" "$cfg")
}
89
# Usage: cert certname "extensions" [openssl x509 -req options...]
#
# Read a PEM CSR on stdin and write the signed certificate to certname.pem.
# "extensions" is the body of the -extfile config (one extension per line,
# optionally followed by [sections]); the remaining arguments go straight to
# openssl x509 -req, which is how callers choose -signkey vs -CA/-CAkey,
# -set_serial and -days.
cert() {
    local out=$1; shift
    local extcfg=$1; shift

    stderr_onerror \
        openssl x509 -req -"${OPENSSL_SIGALG}" -out "${out}.pem" \
            -extfile <(printf "%s\n" "$extcfg") "$@"
}
98
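# Usage: genroot cn keyname certname [eku ...]
#
# Self-signed root CA: critical basicConstraints CA:true, keyUsage
# keyCertSign+cRLSign, SKID/AKID, plus one extendedKeyUsage line per extra
# argument.  The CSR from req() is piped into cert(); serial is fixed to 1
# and validity to DAYS.  Returns 1 if the CSR cannot be produced.
genroot() {
    local cn=$1; shift
    local key=$1; shift
    local cert=$1; shift
    local exts csr eku

    # One %s per value so the extension list is built explicitly.
    exts=$(printf "%s\n%s\n%s\n%s\n" \
               "basicConstraints = critical,CA:true" \
               "keyUsage = keyCertSign,cRLSign" \
               "subjectKeyIdentifier = hash" \
               "authorityKeyIdentifier = keyid")
    for eku in "$@"; do
        exts=$(printf "%s\nextendedKeyUsage = %s\n" "$exts" "$eku")
    done
    csr=$(req "$key" "CN = $cn") || return 1
    echo "$csr" |
        cert "$cert" "$exts" -signkey "${key}.pem" -set_serial 1 -days "${DAYS}"
}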
117
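# Usage: genca [-p EKU] cn keyname certname cakeyname cacertname [x509 opts...]
#
# Intermediate CA signed by cakeyname/cacertname: critical basicConstraints
# CA:true, keyUsage keyCertSign+cRLSign, SKID/AKID, an optional
# extendedKeyUsage from -p, and a nameConstraints line copied verbatim from
# the NC environment variable when it is set.  Serial is fixed to 2 (every
# non-root fixture shares it, so nothing may rely on serial uniqueness),
# validity is DAYS, and trailing arguments go to openssl x509 -req.
# Returns 1 on a bad option or if the CSR cannot be produced.
genca() {
    local OPTIND=1
    local purpose=
    local o

    while getopts p: o; do
        case $o in
        p) purpose="$OPTARG";;
        *) echo "Usage: $0 genca [-p EKU] cn keyname certname cakeyname cacertname" >&2
           return 1;;
        esac
    done

    shift $((OPTIND - 1))
    local cn=$1; shift
    local key=$1; shift
    local cert=$1; shift
    local cakey=$1; shift
    local cacert=$1; shift
    local exts csr

    exts=$(printf "%s\n%s\n%s\n%s\n" \
               "basicConstraints = critical,CA:true" \
               "keyUsage = keyCertSign,cRLSign" \
               "subjectKeyIdentifier = hash" \
               "authorityKeyIdentifier = keyid")
    if [ -n "$purpose" ]; then
        exts=$(printf "%s\nextendedKeyUsage = %s\n" "$exts" "$purpose")
    fi
    if [ -n "$NC" ]; then
        exts=$(printf "%s\nnameConstraints = %s\n" "$exts" "$NC")
    fi
    csr=$(req "$key" "CN = $cn") || return 1
    echo "$csr" |
        cert "$cert" "$exts" -CA "${cacert}.pem" -CAkey "${cakey}.pem" \
            -set_serial 2 -days "${DAYS}" "$@"
}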
154
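# Usage: gen_nonbc_ca cn keyname certname cakeyname cacertname [eku ...]
#
# Like genca, but deliberately omits basicConstraints: a certificate with CA
# keyUsage (keyCertSign, cRLSign) yet no CA:true flag — presumably a fixture
# for verifying that chains through such an issuer are rejected.  One
# extendedKeyUsage line per extra argument.  Serial 2, validity DAYS.
gen_nonbc_ca() {
    local cn=$1; shift
    local key=$1; shift
    local cert=$1; shift
    local cakey=$1; shift
    local cacert=$1; shift
    local exts csr eku

    exts=$(printf "%s\n%s\n%s\n" \
               "subjectKeyIdentifier = hash" \
               "authorityKeyIdentifier = keyid" \
               "keyUsage = keyCertSign, cRLSign")
    for eku in "$@"; do
        exts=$(printf "%s\nextendedKeyUsage = %s\n" "$exts" "$eku")
    done
    csr=$(req "$key" "CN = $cn") || return 1
    echo "$csr" |
        cert "$cert" "$exts" -CA "${cacert}.pem" -CAkey "${cakey}.pem" \
            -set_serial 2 -days "${DAYS}"
}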
175
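# Usage: req keyname dn | genpc keyname certname eekeyname eecertname pcext1 pcext2 ...
#
# Proxy certificate (proxyCertInfo, RFC 3820) issued by the end-entity key
# and certificate eekeyname/eecertname.  The CSR is read from stdin, so pipe
# `req` into it.  Extensions: SKID, AKID (keyid + issuer:always), CA:false
# and a critical proxyCertInfo whose fields are the pcextN arguments copied
# verbatim into a [pcexts] section.  keyname is accepted only to keep the
# argument layout parallel to geneealt; it is not used.  Serial 2, validity
# DAYS.
genpc() {
    # shellcheck disable=SC2034  # positional placeholder, see Usage
    local key=$1; shift
    local cert=$1; shift
    local cakey=$1; shift
    local ca=$1; shift
    local exts x

    exts=$(printf "%s\n%s\n%s\n%s\n" \
               "subjectKeyIdentifier = hash" \
               "authorityKeyIdentifier = keyid, issuer:always" \
               "basicConstraints = CA:false" \
               "proxyCertInfo = critical, @pcexts"
           echo "[pcexts]"
           # Quoted so a field is written exactly as given, without
           # word-splitting or glob expansion.
           for x in "$@"; do printf "%s\n" "$x"; done)
    cert "$cert" "$exts" -CA "${ca}.pem" -CAkey "${cakey}.pem" \
        -set_serial 2 -days "${DAYS}"
}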
197
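# Usage: req keyname dn | geneeconfig keyname certname cakeyname cacertname "conf"
#
# End-entity certificate signed by cakeyname/cacertname with the baseline
# SKID, AKID (keyid) and CA:false extensions followed by the caller-supplied
# config fragment "conf" (further extension lines and sections).  The CSR is
# read on stdin.  keyname is unused; the layout mirrors the other gen*
# helpers.  Serial 2, validity DAYS.
geneeconfig() {
    # shellcheck disable=SC2034  # positional placeholder, see Usage
    local key=$1; shift
    local cert=$1; shift
    local cakey=$1; shift
    local ca=$1; shift
    local conf=$1; shift
    local exts

    # Exactly one %s per value, so no stray blank line precedes "$conf".
    exts=$(printf "%s\n%s\n%s\n%s\n" \
               "subjectKeyIdentifier = hash" \
               "authorityKeyIdentifier = keyid" \
               "basicConstraints = CA:false" \
               "$conf")

    cert "$cert" "$exts" -CA "${ca}.pem" -CAkey "${cakey}.pem" \
        -set_serial 2 -days "${DAYS}"
}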
214
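# Usage: req keyname dn | geneealt keyname certname cakeyname cacertname alt1 alt2 ...
#
# End-entity certificate whose subjectAltName is built from the altN
# arguments (e.g. "DNS = example.com"), each copied verbatim into an [alts]
# section.  Reads the CSR on stdin and delegates issuance to geneeconfig.
geneealt() {
    local key=$1; shift
    local cert=$1; shift
    local cakey=$1; shift
    local ca=$1; shift
    local conf x

    conf=$(echo "subjectAltName = @alts"
           echo "[alts]"
           for x in "$@"; do printf "%s\n" "$x"; done)

    # Quoted so file names with spaces or glob characters are passed intact.
    geneeconfig "$key" "$cert" "$cakey" "$ca" "$conf"
}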
232
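# Usage: genee [-p EKU] cn keyname certname cakeyname cacertname [x509 opts...]
#
# Server-style end-entity certificate for cn, signed by cakeyname/cacertname:
# SKID, AKID (keyid, issuer), CA:false, extendedKeyUsage from -p (default
# serverAuth) and a subjectAltName with the single entry DNS=cn, so cn is
# expected to be a hostname.  The CSR comes from req(); serial is 2,
# validity DAYS, and trailing arguments go to openssl x509 -req.
# Returns 1 on a bad option or if the CSR cannot be produced.
genee() {
    local OPTIND=1
    local purpose=serverAuth
    local o

    while getopts p: o; do
        case $o in
        p) purpose="$OPTARG";;
        *) echo "Usage: $0 genee [-p EKU] cn keyname certname cakeyname cacertname" >&2
           return 1;;
        esac
    done

    shift $((OPTIND - 1))
    local cn=$1; shift
    local key=$1; shift
    local cert=$1; shift
    local cakey=$1; shift
    local ca=$1; shift
    local exts csr

    exts=$(printf "%s\n%s\n%s\n%s\n%s\n[alts]\n%s\n" \
               "subjectKeyIdentifier = hash" \
               "authorityKeyIdentifier = keyid, issuer" \
               "basicConstraints = CA:false" \
               "extendedKeyUsage = $purpose" \
               "subjectAltName = @alts" "DNS=${cn}")
    csr=$(req "$key" "CN = $cn") || return 1
    echo "$csr" |
        cert "$cert" "$exts" -CA "${ca}.pem" -CAkey "${cakey}.pem" \
            -set_serial 2 -days "${DAYS}" "$@"
}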
264
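# Usage: geneeextra [-p EKU] cn keyname certname cakeyname cacertname extraext [x509 opts...]
#
# Same as genee (SKID, AKID keyid+issuer, CA:false, EKU from -p defaulting
# to serverAuth, SAN DNS=cn) plus one additional extension line, extraext,
# copied verbatim into the extension config — e.g. a keyUsage or a raw OID
# line.  Serial 2, validity DAYS; trailing arguments go to openssl x509
# -req.  Returns 1 on a bad option or if the CSR cannot be produced.
geneeextra() {
    local OPTIND=1
    local purpose=serverAuth
    local o

    while getopts p: o; do
        case $o in
        p) purpose="$OPTARG";;
        *) echo "Usage: $0 geneeextra [-p EKU] cn keyname certname cakeyname cacertname extraext" >&2
           return 1;;
        esac
    done

    shift $((OPTIND - 1))
    local cn=$1; shift
    local key=$1; shift
    local cert=$1; shift
    local cakey=$1; shift
    local ca=$1; shift
    local extraext=$1; shift
    local exts csr

    exts=$(printf "%s\n%s\n%s\n%s\n%s\n%s\n[alts]\n%s\n" \
               "subjectKeyIdentifier = hash" \
               "authorityKeyIdentifier = keyid, issuer" \
               "basicConstraints = CA:false" \
               "extendedKeyUsage = $purpose" \
               "subjectAltName = @alts" \
               "$extraext" "DNS=${cn}")
    csr=$(req "$key" "CN = $cn") || return 1
    echo "$csr" |
        cert "$cert" "$exts" -CA "${ca}.pem" -CAkey "${cakey}.pem" \
            -set_serial 2 -days "${DAYS}" "$@"
}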
298
# Usage: req keyname dn | geneenocsr [-p EKU] cn certname cakeyname cacertname [x509 opts...]
#
# Same extension set as genee (SKID, AKID keyid+issuer, CA:false, EKU from
# -p defaulting to serverAuth, SAN DNS=cn), but the CSR is read from stdin
# instead of being generated here, so no key name is taken.  Serial 2,
# validity DAYS; trailing arguments go to openssl x509 -req.
geneenocsr() {
    local OPTIND=1
    local purpose=serverAuth

    while getopts p: o; do
        case $o in
        p) purpose="$OPTARG";;
        *) echo "Usage: $0 geneenocsr [-p EKU] cn certname cakeyname cacertname" >&2
           return 1;;
        esac
    done
    shift $((OPTIND - 1))

    local cn=$1; shift
    local cert=$1; shift
    local cakey=$1; shift
    local ca=$1; shift

    exts="subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid, issuer
basicConstraints = CA:false
extendedKeyUsage = $purpose
subjectAltName = @alts
[alts]
DNS=${cn}"
    cert "$cert" "$exts" -CA "${ca}.pem" -CAkey "${cakey}.pem" \
        -set_serial 2 -days "${DAYS}" "$@"
}
327
# Usage: genss cn keyname certname [x509 opts...]
#
# Self-signed end-entity certificate for cn: SKID, AKID (keyid, issuer),
# CA:false, extendedKeyUsage serverAuth and SAN DNS=cn, signed with its own
# key via -signkey.  Serial 1, validity DAYS; trailing arguments go to
# openssl x509 -req.
genss() {
    local cn=$1; shift
    local key=$1; shift
    local cert=$1; shift

    exts=$(cat <<EOF
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid, issuer
basicConstraints = CA:false
extendedKeyUsage = serverAuth
subjectAltName = @alts
[alts]
DNS=${cn}
EOF
    )
    csr=$(req "$key" "CN = $cn") || return 1
    printf "%s\n" "$csr" |
        cert "$cert" "$exts" -signkey "${key}.pem" \
            -set_serial 1 -days "${DAYS}" "$@"
}
344
# Usage: gennocn keyname certname [x509 opts...]
#
# Self-signed certificate with an empty subject (no CN) and no extensions,
# issued with "-days -1" so its notAfter already lies in the past when it is
# created: a deliberately unusable fixture for negative tests.  Serial 1.
gennocn() {
    local key=$1; shift
    local cert=$1; shift

    csr=$(req_nocn "$key") || return 1
    printf "%s\n" "$csr" |
        cert "$cert" "" -signkey "${key}.pem" -set_serial 1 -days -1 "$@"
}
353
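# Usage: genct [-p EKU] cn keyname certname cakeyname cacertname ctlogkey [x509 opts...]
#
# End-entity certificate carrying an embedded Certificate Transparency SCT
# list (RFC 6962), produced in three steps:
#   1. issue a precertificate: the genee extension set plus the critical CT
#      poison extension 1.3.6.1.4.1.11129.2.4.3;
#   2. feed precert+issuer to the certificate-transparency-go sctgen tool,
#      which signs with ctlogkey.pem at a fixed timestamp so the result is
#      reproducible (needs a Go toolchain that can fetch that module);
#   3. re-issue from the same CSR with the same serial, replacing the poison
#      with the SCT-list extension 1.3.6.1.4.1.11129.2.4.2.  Its OCTET STRING
#      is a TLS SignedCertificateTimestampList: 2-byte total length, 2-byte
#      SCT length, then the SCT bytes — hence the two %04X fields.
# The precert written to certname.pem in step 1 is overwritten in step 3;
# the SCT itself is left in certname.tlssct.  Serial 2, validity DAYS;
# trailing arguments go to openssl x509 -req for both issuances.
# Returns 1 if any step fails.
genct() {
    local OPTIND=1
    local purpose=serverAuth
    local o

    while getopts p: o; do
        case $o in
        p) purpose="$OPTARG";;
        *) echo "Usage: $0 genct [-p EKU] cn keyname certname cakeyname cacertname ctlogkey" >&2
           return 1;;
        esac
    done

    shift $((OPTIND - 1))
    local cn=$1; shift
    local key=$1; shift
    local cert=$1; shift
    local cakey=$1; shift
    local ca=$1; shift
    local logkey=$1; shift
    local exts csr chain sct filesize rc

    # Step 1: precertificate with the critical poison extension.
    exts=$(printf "%s\n%s\n%s\n%s\n%s\n%s\n[alts]\n%s\n" \
               "subjectKeyIdentifier = hash" \
               "authorityKeyIdentifier = keyid, issuer" \
               "basicConstraints = CA:false" \
               "extendedKeyUsage = $purpose" \
               "1.3.6.1.4.1.11129.2.4.3 = critical,ASN1:NULL" \
               "subjectAltName = @alts" "DNS=${cn}")
    csr=$(req "$key" "CN = $cn") || return 1
    echo "$csr" |
        cert "$cert" "$exts" -CA "${ca}.pem" -CAkey "${cakey}.pem" \
            -set_serial 2 -days "${DAYS}" "$@" || return 1

    # Step 2: have the test log sign the precert chain.  The chain file is
    # scratch and removed whether or not sctgen succeeded.
    chain=${cert}-chain.pem
    sct=${cert}.tlssct
    cat -- "${cert}.pem" "${ca}.pem" > "$chain" || return 1
    go run github.com/google/certificate-transparency-go/ctutil/sctgen \
        --log_private_key "${logkey}.pem" \
        --timestamp="2020-01-01T00:00:00Z" \
        --cert_chain "$chain" \
        --tls_out "$sct"
    rc=$?
    rm -f -- "$chain"
    [ "$rc" -eq 0 ] || return 1

    # Step 3: final certificate with the SCT list in place of the poison.
    # Arithmetic expansion normalises wc output that may carry leading
    # spaces on some platforms.
    filesize=$(( $(wc -c < "$sct") ))
    exts=$(printf "%s\n%s\n%s\n%s\n%s%04X%04X%s\n%s\n[alts]\n%s\n" \
               "subjectKeyIdentifier = hash" \
               "authorityKeyIdentifier = keyid, issuer" \
               "basicConstraints = CA:false" \
               "extendedKeyUsage = $purpose" \
               "1.3.6.1.4.1.11129.2.4.2 = ASN1:FORMAT:HEX,OCT:" \
               "$((filesize + 2))" "$filesize" \
               "$(xxd -p "$sct" | tr -d '\n')" \
               "subjectAltName = @alts" "DNS=${cn}")
    echo "$csr" |
        cert "$cert" "$exts" -CA "${ca}.pem" -CAkey "${cakey}.pem" \
            -set_serial 2 -days "${DAYS}" "$@"
}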
405
# Dispatch: run the first argument as a command with the remaining arguments,
# so `mkcert.sh genroot ...` invokes genroot() above.  Nothing restricts this
# to the functions defined in this file — whatever name is given is executed —
# so the script is meant to be driven only by the trusted test harness.
# With no arguments this is a no-op that exits 0.
"$@"