Diffstat (limited to 'third_party/heimdal/lib/hx509/data/gen-req.sh')
-rwxr-xr-x | third_party/heimdal/lib/hx509/data/gen-req.sh | 360 |
1 files changed, 360 insertions, 0 deletions
diff --git a/third_party/heimdal/lib/hx509/data/gen-req.sh b/third_party/heimdal/lib/hx509/data/gen-req.sh
new file mode 100755
index 0000000..09f0dfb
--- /dev/null
+++ b/third_party/heimdal/lib/hx509/data/gen-req.sh
@@ -0,0 +1,360 @@
+#!/bin/sh
+# $Id$
+#
+# This script need openssl 0.9.8a or newer, so it can parse the
+# otherName section for pkinit certificates.
+#
+
+openssl=openssl
+
+# workaround until openssl -objects lands
+if ${openssl} version | grep '^OpenSSL 1\.[1-9]' >/dev/null ; then
+ config=openssl.1.1.cnf
+else
+ config=openssl.1.0.cnf
+fi
+
+gen_cert()
+{
+ keytype=${6:-rsa:4096}
+ ${openssl} req \
+ -new \
+ -subj "$1" \
+ -config ${config} \
+ -newkey $keytype \
+ -sha1 \
+ -nodes \
+ -keyout out.key \
+ -out cert.req > /dev/null 2>/dev/null
+
+ if [ "$3" = "ca" ] ; then
+ ${openssl} x509 \
+ -req \
+ -days 182500 \
+ -in cert.req \
+ -extfile ${config} \
+ -extensions $4 \
+ -signkey out.key \
+ -out cert.crt
+
+ ln -s ca.crt `${openssl} x509 -hash -noout -in cert.crt`.0
+
+ name=$3
+
+ elif [ "$3" = "proxy" ] ; then
+
+ ${openssl} x509 \
+ -req \
+ -in cert.req \
+ -days 182500 \
+ -out cert.crt \
+ -CA $2.crt \
+ -CAkey $2.key \
+ -CAcreateserial \
+ -extfile ${config} \
+ -extensions $4
+
+ name=$5
+ else
+
+ ${openssl} ca \
+ -name $4 \
+ -days 182500 \
+ -cert $2.crt \
+ -keyfile $2.key \
+ -in cert.req \
+ -out cert.crt \
+ -outdir . \
+ -batch \
+ -config ${config}
+
+ name=$3
+ fi
+
+ mv cert.crt $name.crt
+ mv out.key $name.key
+}
+
+echo "01" > serial
+> index.txt
+rm -f *.0
+
+gen_cert "/CN=hx509 Test Root CA/C=SE" "root" "ca" "v3_ca"
+gen_cert "/CN=OCSP responder/C=SE" "ca" "ocsp-responder" "ocsp"
+gen_cert "/CN=Test cert/C=SE" "ca" "test" "usr"
+gen_cert "/CN=Revoke cert/C=SE" "ca" "revoke" "usr"
+gen_cert "/CN=Test cert KeyEncipherment/C=SE" "ca" "test-ke-only" "usr_ke"
+gen_cert "/CN=Test cert DigitalSignature/C=SE" "ca" "test-ds-only" "usr_ds"
+gen_cert "/CN=pkinit/C=SE" "ca" "pkinit" "pkinit_client"
+$openssl ecparam -name secp256r1 -out eccurve.pem
+gen_cert "/CN=pkinit-ec/C=SE" "ca" "pkinit-ec" "pkinit_client" "XXX" ec:eccurve.pem
+gen_cert "/C=SE/CN=pkinit/CN=pkinit-proxy" "pkinit" "proxy" "proxy_cert" pkinit-proxy
+gen_cert "/CN=kdc/C=SE" "ca" "kdc" "pkinit_kdc"
+gen_cert "/CN=www.test.h5l.se/C=SE" "ca" "https" "https"
+gen_cert "/CN=Sub CA/C=SE" "ca" "sub-ca" "subca"
+gen_cert "/CN=Test sub cert/C=SE" "sub-ca" "sub-cert" "usr"
+gen_cert "/C=SE/CN=Test cert/CN=proxy" "test" "proxy" "proxy_cert" proxy-test
+gen_cert "/C=SE/CN=Test cert/CN=proxy/CN=child" "proxy-test" "proxy" "proxy_cert" proxy-level-test
+gen_cert "/C=SE/CN=Test cert/CN=no-proxy" "test" "proxy" "usr_cert" no-proxy-test
+gen_cert "/C=SE/CN=Test cert/CN=proxy10" "test" "proxy" "proxy10_cert" proxy10-test
+gen_cert "/C=SE/CN=Test cert/CN=proxy10/CN=child" "proxy10-test" "proxy" "proxy10_cert" proxy10-child-test
+gen_cert "/C=SE/CN=Test cert/CN=proxy10/CN=child/CN=child" "proxy10-child-test" "proxy" "proxy10_cert" proxy10-child-child-test
+
+
+# combine
+cat sub-ca.crt ca.crt > sub-ca-combined.crt
+cat test.crt test.key > test.combined.crt
+cat pkinit-proxy.crt pkinit.crt > pkinit-proxy-chain.crt
+
+# password protected key
+${openssl} rsa -in test.key -aes256 -passout pass:foobar -out test-pw.key
+${openssl} rsa -in pkinit.key -aes256 -passout pass:foo -out pkinit-pw.key
+
+
+${openssl} ca \
+ -name usr \
+ -cert ca.crt \
+ -keyfile ca.key \
+ -revoke revoke.crt \
+ -config ${config}
+
+${openssl} pkcs12 \
+ -export \
+ -in test.crt \
+ -inkey test.key \
+ -passout pass:foobar \
+ -out test.p12 \
+ -name "friendlyname-test" \
+ -certfile ca.crt \
+ -caname ca
+
+${openssl} pkcs12 \
+ -export \
+ -in sub-cert.crt \
+ -inkey sub-cert.key \
+ -passout pass:foobar \
+ -out sub-cert.p12 \
+ -name "friendlyname-sub-cert" \
+ -certfile sub-ca-combined.crt \
+ -caname sub-ca \
+ -caname ca
+
+${openssl} pkcs12 \
+ -keypbe NONE \
+ -certpbe NONE \
+ -export \
+ -in test.crt \
+ -inkey test.key \
+ -passout pass:foobar \
+ -out test-nopw.p12 \
+ -name "friendlyname-cert" \
+ -certfile ca.crt \
+ -caname ca
+
+${openssl} smime \
+ -sign \
+ -nodetach \
+ -binary \
+ -in static-file \
+ -signer test.crt \
+ -inkey test.key \
+ -outform DER \
+ -out test-signed-data
+
+${openssl} smime \
+ -sign \
+ -nodetach \
+ -binary \
+ -in static-file \
+ -signer test.crt \
+ -inkey test.key \
+ -noattr \
+ -outform DER \
+ -out test-signed-data-noattr
+
+${openssl} smime \
+ -sign \
+ -nodetach \
+ -binary \
+ -in static-file \
+ -signer test.crt \
+ -inkey test.key \
+ -noattr \
+ -nocerts \
+ -outform DER \
+ -out test-signed-data-noattr-nocerts
+
+${openssl} smime \
+ -sign \
+ -md sha1 \
+ -nodetach \
+ -binary \
+ -in static-file \
+ -signer test.crt \
+ -inkey test.key \
+ -outform DER \
+ -out test-signed-sha-1
+
+${openssl} smime \
+ -sign \
+ -md sha256 \
+ -nodetach \
+ -binary \
+ -in static-file \
+ -signer test.crt \
+ -inkey test.key \
+ -outform DER \
+ -out test-signed-sha-256
+
+${openssl} smime \
+ -sign \
+ -md sha512 \
+ -nodetach \
+ -binary \
+ -in static-file \
+ -signer test.crt \
+ -inkey test.key \
+ -outform DER \
+ -out test-signed-sha-512
+
+
+${openssl} smime \
+ -encrypt \
+ -nodetach \
+ -binary \
+ -in static-file \
+ -outform DER \
+ -out test-enveloped-rc2-40 \
+ -rc2-40 \
+ test.crt
+
+${openssl} smime \
+ -encrypt \
+ -nodetach \
+ -binary \
+ -in static-file \
+ -outform DER \
+ -out test-enveloped-rc2-64 \
+ -rc2-64 \
+ test.crt
+
+${openssl} smime \
+ -encrypt \
+ -nodetach \
+ -binary \
+ -in static-file \
+ -outform DER \
+ -out test-enveloped-rc2-128 \
+ -rc2-128 \
+ test.crt
+
+${openssl} smime \
+ -encrypt \
+ -nodetach \
+ -binary \
+ -in static-file \
+ -outform DER \
+ -out test-enveloped-des \
+ -des \
+ test.crt
+
+${openssl} smime \
+ -encrypt \
+ -nodetach \
+ -binary \
+ -in static-file \
+ -outform DER \
+ -out test-enveloped-des-ede3 \
+ -des3 \
+ test.crt
+
+${openssl} smime \
+ -encrypt \
+ -nodetach \
+ -binary \
+ -in static-file \
+ -outform DER \
+ -out test-enveloped-aes-128 \
+ -aes128 \
+ test.crt
+
+${openssl} smime \
+ -encrypt \
+ -nodetach \
+ -binary \
+ -in static-file \
+ -outform DER \
+ -out test-enveloped-aes-256 \
+ -aes256 \
+ test.crt
+
+echo ocsp requests
+
+${openssl} ocsp \
+ -issuer ca.crt \
+ -cert test.crt \
+ -reqout ocsp-req1.der
+
+${openssl} ocsp \
+ -index index.txt \
+ -rsigner ocsp-responder.crt \
+ -rkey ocsp-responder.key \
+ -CA ca.crt \
+ -reqin ocsp-req1.der \
+ -noverify \
+ -respout ocsp-resp1-ocsp.der
+
+${openssl} ocsp \
+ -index index.txt \
+ -rsigner ca.crt \
+ -rkey ca.key \
+ -CA ca.crt \
+ -reqin ocsp-req1.der \
+ -noverify \
+ -respout ocsp-resp1-ca.der
+
+${openssl} ocsp \
+ -index index.txt \
+ -rsigner ocsp-responder.crt \
+ -rkey ocsp-responder.key \
+ -CA ca.crt \
+ -resp_no_certs \
+ -reqin ocsp-req1.der \
+ -noverify \
+ -respout ocsp-resp1-ocsp-no-cert.der
+
+${openssl} ocsp \
+ -index index.txt \
+ -rsigner ocsp-responder.crt \
+ -rkey ocsp-responder.key \
+ -CA ca.crt \
+ -reqin ocsp-req1.der \
+ -resp_key_id \
+ -noverify \
+ -respout ocsp-resp1-keyhash.der
+
+${openssl} ocsp \
+ -issuer ca.crt \
+ -cert revoke.crt \
+ -reqout ocsp-req2.der
+
+${openssl} ocsp \
+ -index index.txt \
+ -rsigner ocsp-responder.crt \
+ -rkey ocsp-responder.key \
+ -CA ca.crt \
+ -reqin ocsp-req2.der \
+ -noverify \
+ -respout ocsp-resp2.der
+
+${openssl} ca \
+ -gencrl \
+ -name usr \
+ -crldays 3600 \
+ -keyfile ca.key \
+ -cert ca.crt \
+ -crl_reason superseded \
+ -out crl1.crl \
+ -config ${config}
+
+${openssl} crl -in crl1.crl -outform der -out crl1.der
|
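Review bot: gen_cert discards both stdout and stderr of `openssl req` (`> /dev/null 2>/dev/null`) and nothing in the script checks an exit status, so a failed key/CSR generation leaves the previous iteration's `out.key` and `cert.req` in place and the following `x509`/`ca` step silently signs the stale request under the new name. Adding `set -e` after the shebang and keeping stderr visible, `-out cert.req >/dev/null || exit 1`, makes a broken run stop at the step that failed instead of producing a quietly wrong fixture set. The version test `grep '^OpenSSL 1\.[1-9]'` does not match a 3.x banner, so on OpenSSL 3 the script presumably falls back to openssl.1.0.cnf; `grep -e '^OpenSSL 1\.[1-9]' -e '^OpenSSL 3'` would keep the newer config for it. The fixed `pass:foobar`/`pass:foo` passphrases, `-sha1` and `-noverify` are deliberate fixture parameters rather than defects, but a header comment stating that every output here is test data with throwaway keys would save the next reader from wondering.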