Diffstat (limited to 'third_party/heimdal/lib/hx509/data/gen-req.sh')
-rwxr-xr-xthird_party/heimdal/lib/hx509/data/gen-req.sh360
1 files changed, 360 insertions, 0 deletions
diff --git a/third_party/heimdal/lib/hx509/data/gen-req.sh b/third_party/heimdal/lib/hx509/data/gen-req.sh
new file mode 100755
index 0000000..09f0dfb
--- /dev/null
+++ b/third_party/heimdal/lib/hx509/data/gen-req.sh
@@ -0,0 +1,360 @@
+#!/bin/sh
+# $Id$
+#
+# This script need openssl 0.9.8a or newer, so it can parse the
+# otherName section for pkinit certificates.
+#
+
+openssl=openssl
+
+# workaround until openssl -objects lands
+if ${openssl} version | grep '^OpenSSL 1\.[1-9]' >/dev/null ; then
+ config=openssl.1.1.cnf
+else
+ config=openssl.1.0.cnf
+fi
+
+gen_cert()
+{
+ keytype=${6:-rsa:4096}
+ ${openssl} req \
+ -new \
+ -subj "$1" \
+ -config ${config} \
+ -newkey $keytype \
+ -sha1 \
+ -nodes \
+ -keyout out.key \
+ -out cert.req > /dev/null 2>/dev/null
+
+ if [ "$3" = "ca" ] ; then
+ ${openssl} x509 \
+ -req \
+ -days 182500 \
+ -in cert.req \
+ -extfile ${config} \
+ -extensions $4 \
+ -signkey out.key \
+ -out cert.crt
+
+ ln -s ca.crt `${openssl} x509 -hash -noout -in cert.crt`.0
+
+ name=$3
+
+ elif [ "$3" = "proxy" ] ; then
+
+ ${openssl} x509 \
+ -req \
+ -in cert.req \
+ -days 182500 \
+ -out cert.crt \
+ -CA $2.crt \
+ -CAkey $2.key \
+ -CAcreateserial \
+ -extfile ${config} \
+ -extensions $4
+
+ name=$5
+ else
+
+ ${openssl} ca \
+ -name $4 \
+ -days 182500 \
+ -cert $2.crt \
+ -keyfile $2.key \
+ -in cert.req \
+ -out cert.crt \
+ -outdir . \
+ -batch \
+ -config ${config}
+
+ name=$3
+ fi
+
+ mv cert.crt $name.crt
+ mv out.key $name.key
+}
+
+echo "01" > serial
+> index.txt
+rm -f *.0
+
+gen_cert "/CN=hx509 Test Root CA/C=SE" "root" "ca" "v3_ca"
+gen_cert "/CN=OCSP responder/C=SE" "ca" "ocsp-responder" "ocsp"
+gen_cert "/CN=Test cert/C=SE" "ca" "test" "usr"
+gen_cert "/CN=Revoke cert/C=SE" "ca" "revoke" "usr"
+gen_cert "/CN=Test cert KeyEncipherment/C=SE" "ca" "test-ke-only" "usr_ke"
+gen_cert "/CN=Test cert DigitalSignature/C=SE" "ca" "test-ds-only" "usr_ds"
+gen_cert "/CN=pkinit/C=SE" "ca" "pkinit" "pkinit_client"
+$openssl ecparam -name secp256r1 -out eccurve.pem
+gen_cert "/CN=pkinit-ec/C=SE" "ca" "pkinit-ec" "pkinit_client" "XXX" ec:eccurve.pem
+gen_cert "/C=SE/CN=pkinit/CN=pkinit-proxy" "pkinit" "proxy" "proxy_cert" pkinit-proxy
+gen_cert "/CN=kdc/C=SE" "ca" "kdc" "pkinit_kdc"
+gen_cert "/CN=www.test.h5l.se/C=SE" "ca" "https" "https"
+gen_cert "/CN=Sub CA/C=SE" "ca" "sub-ca" "subca"
+gen_cert "/CN=Test sub cert/C=SE" "sub-ca" "sub-cert" "usr"
+gen_cert "/C=SE/CN=Test cert/CN=proxy" "test" "proxy" "proxy_cert" proxy-test
+gen_cert "/C=SE/CN=Test cert/CN=proxy/CN=child" "proxy-test" "proxy" "proxy_cert" proxy-level-test
+gen_cert "/C=SE/CN=Test cert/CN=no-proxy" "test" "proxy" "usr_cert" no-proxy-test
+gen_cert "/C=SE/CN=Test cert/CN=proxy10" "test" "proxy" "proxy10_cert" proxy10-test
+gen_cert "/C=SE/CN=Test cert/CN=proxy10/CN=child" "proxy10-test" "proxy" "proxy10_cert" proxy10-child-test
+gen_cert "/C=SE/CN=Test cert/CN=proxy10/CN=child/CN=child" "proxy10-child-test" "proxy" "proxy10_cert" proxy10-child-child-test
+
+
+# combine
+cat sub-ca.crt ca.crt > sub-ca-combined.crt
+cat test.crt test.key > test.combined.crt
+cat pkinit-proxy.crt pkinit.crt > pkinit-proxy-chain.crt
+
+# password protected key
+${openssl} rsa -in test.key -aes256 -passout pass:foobar -out test-pw.key
+${openssl} rsa -in pkinit.key -aes256 -passout pass:foo -out pkinit-pw.key
+
+
+${openssl} ca \
+ -name usr \
+ -cert ca.crt \
+ -keyfile ca.key \
+ -revoke revoke.crt \
+ -config ${config}
+
+${openssl} pkcs12 \
+ -export \
+ -in test.crt \
+ -inkey test.key \
+ -passout pass:foobar \
+ -out test.p12 \
+ -name "friendlyname-test" \
+ -certfile ca.crt \
+ -caname ca
+
+${openssl} pkcs12 \
+ -export \
+ -in sub-cert.crt \
+ -inkey sub-cert.key \
+ -passout pass:foobar \
+ -out sub-cert.p12 \
+ -name "friendlyname-sub-cert" \
+ -certfile sub-ca-combined.crt \
+ -caname sub-ca \
+ -caname ca
+
+${openssl} pkcs12 \
+ -keypbe NONE \
+ -certpbe NONE \
+ -export \
+ -in test.crt \
+ -inkey test.key \
+ -passout pass:foobar \
+ -out test-nopw.p12 \
+ -name "friendlyname-cert" \
+ -certfile ca.crt \
+ -caname ca
+
+${openssl} smime \
+ -sign \
+ -nodetach \
+ -binary \
+ -in static-file \
+ -signer test.crt \
+ -inkey test.key \
+ -outform DER \
+ -out test-signed-data
+
+${openssl} smime \
+ -sign \
+ -nodetach \
+ -binary \
+ -in static-file \
+ -signer test.crt \
+ -inkey test.key \
+ -noattr \
+ -outform DER \
+ -out test-signed-data-noattr
+
+${openssl} smime \
+ -sign \
+ -nodetach \
+ -binary \
+ -in static-file \
+ -signer test.crt \
+ -inkey test.key \
+ -noattr \
+ -nocerts \
+ -outform DER \
+ -out test-signed-data-noattr-nocerts
+
+${openssl} smime \
+ -sign \
+ -md sha1 \
+ -nodetach \
+ -binary \
+ -in static-file \
+ -signer test.crt \
+ -inkey test.key \
+ -outform DER \
+ -out test-signed-sha-1
+
+${openssl} smime \
+ -sign \
+ -md sha256 \
+ -nodetach \
+ -binary \
+ -in static-file \
+ -signer test.crt \
+ -inkey test.key \
+ -outform DER \
+ -out test-signed-sha-256
+
+${openssl} smime \
+ -sign \
+ -md sha512 \
+ -nodetach \
+ -binary \
+ -in static-file \
+ -signer test.crt \
+ -inkey test.key \
+ -outform DER \
+ -out test-signed-sha-512
+
+
+${openssl} smime \
+ -encrypt \
+ -nodetach \
+ -binary \
+ -in static-file \
+ -outform DER \
+ -out test-enveloped-rc2-40 \
+ -rc2-40 \
+ test.crt
+
+${openssl} smime \
+ -encrypt \
+ -nodetach \
+ -binary \
+ -in static-file \
+ -outform DER \
+ -out test-enveloped-rc2-64 \
+ -rc2-64 \
+ test.crt
+
+${openssl} smime \
+ -encrypt \
+ -nodetach \
+ -binary \
+ -in static-file \
+ -outform DER \
+ -out test-enveloped-rc2-128 \
+ -rc2-128 \
+ test.crt
+
+${openssl} smime \
+ -encrypt \
+ -nodetach \
+ -binary \
+ -in static-file \
+ -outform DER \
+ -out test-enveloped-des \
+ -des \
+ test.crt
+
+${openssl} smime \
+ -encrypt \
+ -nodetach \
+ -binary \
+ -in static-file \
+ -outform DER \
+ -out test-enveloped-des-ede3 \
+ -des3 \
+ test.crt
+
+${openssl} smime \
+ -encrypt \
+ -nodetach \
+ -binary \
+ -in static-file \
+ -outform DER \
+ -out test-enveloped-aes-128 \
+ -aes128 \
+ test.crt
+
+${openssl} smime \
+ -encrypt \
+ -nodetach \
+ -binary \
+ -in static-file \
+ -outform DER \
+ -out test-enveloped-aes-256 \
+ -aes256 \
+ test.crt
+
+echo ocsp requests
+
+${openssl} ocsp \
+ -issuer ca.crt \
+ -cert test.crt \
+ -reqout ocsp-req1.der
+
+${openssl} ocsp \
+ -index index.txt \
+ -rsigner ocsp-responder.crt \
+ -rkey ocsp-responder.key \
+ -CA ca.crt \
+ -reqin ocsp-req1.der \
+ -noverify \
+ -respout ocsp-resp1-ocsp.der
+
+${openssl} ocsp \
+ -index index.txt \
+ -rsigner ca.crt \
+ -rkey ca.key \
+ -CA ca.crt \
+ -reqin ocsp-req1.der \
+ -noverify \
+ -respout ocsp-resp1-ca.der
+
+${openssl} ocsp \
+ -index index.txt \
+ -rsigner ocsp-responder.crt \
+ -rkey ocsp-responder.key \
+ -CA ca.crt \
+ -resp_no_certs \
+ -reqin ocsp-req1.der \
+ -noverify \
+ -respout ocsp-resp1-ocsp-no-cert.der
+
+${openssl} ocsp \
+ -index index.txt \
+ -rsigner ocsp-responder.crt \
+ -rkey ocsp-responder.key \
+ -CA ca.crt \
+ -reqin ocsp-req1.der \
+ -resp_key_id \
+ -noverify \
+ -respout ocsp-resp1-keyhash.der
+
+${openssl} ocsp \
+ -issuer ca.crt \
+ -cert revoke.crt \
+ -reqout ocsp-req2.der
+
+${openssl} ocsp \
+ -index index.txt \
+ -rsigner ocsp-responder.crt \
+ -rkey ocsp-responder.key \
+ -CA ca.crt \
+ -reqin ocsp-req2.der \
+ -noverify \
+ -respout ocsp-resp2.der
+
+${openssl} ca \
+ -gencrl \
+ -name usr \
+ -crldays 3600 \
+ -keyfile ca.key \
+ -cert ca.crt \
+ -crl_reason superseded \
+ -out crl1.crl \
+ -config ${config}
+
+${openssl} crl -in crl1.crl -outform der -out crl1.der
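Review bot: gen_cert silences both stdout and stderr of the `openssl req` call (the `> /dev/null 2>/dev/null` on the `-out cert.req` line) and the script never enables `set -e`, so a failed key or request generation is invisible and the following `x509`/`ca` step simply signs whatever `cert.req` the previous call left behind, renaming it to the new `$name`. A stale request signed under the wrong name would be hard to notice until a downstream hx509 test fails for an unrelated-looking reason. The cheapest fix is `-out cert.req > /dev/null 2>/dev/null || exit 1` on that line together with `set -e` right after the shebang, and `rm -f cert.req out.key` at the top of gen_cert so no stale input can be reused; the same missing-status-check applies to the `ln -s` and the `mv` lines in the same function. The password-protected keys and `-sha1` digests are presumably deliberate test fixtures, but a one-line comment saying so (`# fixed passphrases / weak digests are intentional: these are test vectors`) would stop the next reader from "fixing" them.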