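#!/bin/bash
# Copyright (C) 2012 The Android Open Source Project
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#      http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# Regenerates the X.509 certificate, CRL and PKCS#7 test fixtures that live
# next to this script.
#
# All outputs go into the script's own directory.  Private keys (privkey.pem,
# dsapriv.pem, ecpriv.pem, cakey.pem) are reused when already present so that
# re-running the script keeps existing fixtures stable.
#
# This is TEST DATA ONLY.  The keys are stored unencrypted (-nodes), the DSA
# key is 1024-bit, and several artifacts are intentionally non-conforming
# (negative serial number, unsupported extensions, RSA-PSS with a 1-byte salt)
# so that parsers can be exercised on them.  None of it may be used outside
# the test suite.
#
# Requires: openssl on PATH and default.cnf in this directory, which must
# provide the extension sections named below and the [ca] configuration used
# for CRL generation.

set -o nounset   # Treat unset variables as an error
set -o errexit   # Stop at the first failing command
# Most steps are `openssl req | openssl x509`; without pipefail a failing
# request stage would be masked by the (succeeding) x509 stage and a bogus
# fixture would be written.
set -o pipefail

command -v openssl > /dev/null || { echo "openssl not found on PATH" >&2; exit 1; }

DIR=$(dirname "$0")
CNF="$DIR/default.cnf"

# Scratch space.  A private mktemp directory replaces the fixed /tmp/*.pem
# names of earlier versions: intermediate requests and PEM conversions are no
# longer predictable or world-readable, and they are removed on every exit
# path (including failures), not only at the end of a successful run.
TMP=$(mktemp -d) || { echo "mktemp failed" >&2; exit 1; }
cleanup() {
  rm -rf -- "${TMP:?}"
  # The CA database directory is a fixed path (see the CRL section), so it
  # cannot live inside $TMP and is removed separately.
  rm -rf /tmp/ca
}
trap cleanup EXIT

#######################################
# Issue a self-signed certificate.
# Arguments:
#   $1 - private key (PEM) that both signs the request and the certificate
#   $2 - extension section of default.cnf to apply
#   $3 - output path (DER)
#   remaining arguments are passed through to `openssl x509`
#######################################
mkcert() {
  local key=$1 ext=$2 out=$3
  shift 3
  openssl req -config "$CNF" -new -key "$key" -nodes -batch \
    | openssl x509 -extfile "$CNF" -extensions "$ext" -req -signkey "$key" \
        -outform d "$@" > "$out"
}

#######################################
# Split a DER certificate or CRL into its to-be-signed part and its signature.
# Offset 4 is the first element inside the outer SEQUENCE (these fixtures use
# a 4-byte SEQUENCE header); the signature BIT STRING is the last element
# asn1parse lists, so its offset is taken from the final line of the dump.
# Arguments:
#   $1 - input (DER)
#   $2 - output path for the TBS structure (DER)
#   $3 - output path for the signature BIT STRING (DER)
#######################################
extract_tbs_and_sig() {
  local der=$1 tbs=$2 sig=$3
  local sig_offset
  openssl asn1parse -in "$der" -inform d -out "$tbs" -noout -strparse 4
  sig_offset=$(openssl asn1parse -in "$der" -inform d | tail -1 | cut -f1 -d:)
  openssl asn1parse -in "$der" -inform d -strparse "$sig_offset" -noout -out "$sig"
}

# --- RSA key and the primary certificate -------------------------------------

if [ ! -f "$DIR/privkey.pem" ]; then
  openssl genrsa -out "$DIR/privkey.pem" 2048
fi

# The request is needed twice (public-key extraction and signing), hence the file.
REQ="$TMP/cert-rsa-req.pem"
openssl req -config "$CNF" -new -key "$DIR/privkey.pem" -nodes -batch > "$REQ"

# SubjectPublicKeyInfo of the request as DER, for public-key comparison tests.
openssl req -in "$REQ" -pubkey -noout \
  | openssl rsa -pubin -pubout -outform der > "$DIR/cert-rsa-pubkey.der"

# Deliberately NEGATIVE serial number (not permitted by RFC 5280) to exercise
# the parser; -days 3650 keeps the fixture valid for the suite's lifetime.
openssl x509 -extfile "$CNF" -days 3650 -extensions usr_cert -req \
  -signkey "$DIR/privkey.pem" -outform d \
  -set_serial -99999999999999999999 < "$REQ" > "$DIR/cert-rsa.der"

extract_tbs_and_sig "$DIR/cert-rsa.der" "$DIR/cert-rsa-tbs.der" "$DIR/cert-rsa-sig.der"

# Human-readable validity period and serial, as printed by openssl, for tests
# that compare against the parsed certificate.
openssl x509 -in "$DIR/cert-rsa.der" -inform d -noout -startdate -enddate > "$DIR/cert-rsa-dates.txt"
openssl x509 -in "$DIR/cert-rsa.der" -inform d -noout -serial > "$DIR/cert-rsa-serial.txt"

# --- RSA certificates exercising individual extensions -----------------------

# Each entry is "<extension section in default.cnf>:<output basename>".
RSA_CERTS=(
  keyUsage_extraLong_cert:cert-keyUsage-extraLong
  extendedKeyUsage_cert:cert-extendedKeyUsage
  ca_cert:cert-ca
  userWithPathLen_cert:cert-userWithPathLen
  caWithPathLen_cert:cert-caWithPathLen
  alt_other_cert:cert-alt-other
  alt_email_cert:cert-alt-email
  alt_dns_cert:cert-alt-dns
  alt_dirname_cert:cert-alt-dirname
  alt_uri_cert:cert-alt-uri
  alt_rid_cert:cert-alt-rid
  alt_none_cert:cert-alt-none
  ipv6_cert:cert-ipv6
  unsupported_cert:cert-unsupported
)
for spec in "${RSA_CERTS[@]}"; do
  mkcert "$DIR/privkey.pem" "${spec%%:*}" "$DIR/${spec#*:}.der"
done

# Self-signed directly by `openssl req -x509`, signed with RSA-PSS using a
# 1-byte salt: a non-default signature parameter set for the verifier to parse.
openssl req -config "$CNF" -new -key "$DIR/privkey.pem" -nodes -batch \
  -extensions usr_cert -x509 \
  -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:1 \
  -outform d > "$DIR/cert-sigopt.der"

# --- DSA and EC certificates -------------------------------------------------

# 1024-bit DSA is far below current strength requirements; it is only a
# fixture for exercising the DSA code path.
if [ ! -f "$DIR/dsapriv.pem" ]; then
  openssl dsaparam -out "$TMP/dsaparam.pem" 1024
  openssl gendsa -out "$DIR/dsapriv.pem" "$TMP/dsaparam.pem"
fi
mkcert "$DIR/dsapriv.pem" keyUsage_cert "$DIR/cert-dsa.der"

if [ ! -f "$DIR/ecpriv.pem" ]; then
  openssl ecparam -name prime256v1 -genkey -out "$DIR/ecpriv.pem" -noout
fi
mkcert "$DIR/ecpriv.pem" keyUsage_critical_cert "$DIR/cert-ec.der"

# --- Temporary CA for CRL generation -----------------------------------------

# The CA database (index.txt, index.txt.attr, serial) has to be created at
# /tmp/ca because that is where default.cnf's [ca] section looks for it; there
# is no command-line override for these files.  The path is shared and
# predictable, so run this generator only on a single-user or CI machine.
rm -rf /tmp/ca
mkdir -p /tmp/ca
touch /tmp/ca/index.txt /tmp/ca/index.txt.attr
echo "01" > /tmp/ca/serial

if [ ! -f "$DIR/cakey.pem" ]; then
  openssl req -new -nodes -batch -x509 -extensions v3_ca \
    -keyout "$DIR/cakey.pem" -out "$DIR/cacert.pem" -days 3650 -config "$CNF"
fi
# -keyfile/-cert override the config's private_key/certificate settings, so
# the CA key is used in place and never copied into a world-readable /tmp.
CAKEY="$DIR/cakey.pem"
CACERT="$DIR/cacert.pem"
openssl x509 -in "$CACERT" -outform d > "$DIR/cert-crl-ca.der"

#######################################
# Emit a CRL signed by the temporary CA.
# Arguments:
#   $1 - output path (PEM)
#   remaining arguments are passed through to `openssl ca -gencrl`
#   (validity, fixed start date, CRL extensions, signature options)
#######################################
gencrl() {
  local out=$1
  shift
  openssl ca -gencrl -keyfile "$CAKEY" -cert "$CACERT" -config "$CNF" -out "$out" "$@"
}

# CRL with no revoked entries.
gencrl "$TMP/crl-empty.pem" -crlhours 70
openssl crl -in "$TMP/crl-empty.pem" -outform d -out "$DIR/crl-empty.der"

# Revoke the primary RSA certificate and publish a CRL listing it.
openssl x509 -inform d -in "$DIR/cert-rsa.der" -out "$TMP/cert-rsa.pem"
openssl ca -revoke "$TMP/cert-rsa.pem" -keyfile "$CAKEY" -cert "$CACERT" -config "$CNF"
gencrl "$TMP/crl-rsa.pem" -crlhours 70
openssl crl -in "$TMP/crl-rsa.pem" -outform d -out "$DIR/crl-rsa.der"
extract_tbs_and_sig "$DIR/crl-rsa.der" "$DIR/crl-rsa-tbs.der" "$DIR/crl-rsa-sig.der"

# Additionally revoke the DSA certificate with a reason code and an
# unrecognised entry extension; a fixed start date keeps the CRL dates stable.
openssl x509 -inform d -in "$DIR/cert-dsa.der" -out "$TMP/cert-dsa.pem"
openssl ca -revoke "$TMP/cert-dsa.pem" -keyfile "$CAKEY" -cert "$CACERT" \
  -crl_reason cessationOfOperation -extensions unsupported_cert -config "$CNF"
gencrl "$TMP/crl-rsa-dsa.pem" -startdate 140101010101Z -crldays 30
# The same CRL signed with RSA-PSS and a 1-byte salt; the PEM is itself a fixture.
gencrl "$DIR/crl-rsa-dsa-sigopt.pem" -startdate 140101010101Z -crldays 30 \
  -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:1
openssl crl -in "$TMP/crl-rsa-dsa.pem" -outform d -out "$DIR/crl-rsa-dsa.der"
openssl crl -in "$DIR/crl-rsa-dsa-sigopt.pem" -outform d -out "$DIR/crl-rsa-dsa-sigopt.der"

# CRL carrying an extension the consumer is not expected to understand.
gencrl "$TMP/crl-unsupported.pem" -crlexts unsupported_cert
openssl crl -in "$TMP/crl-unsupported.pem" -outform d -out "$DIR/crl-unsupported.der"

openssl crl -inform d -in "$DIR/crl-rsa.der" -noout -lastupdate -nextupdate > "$DIR/crl-rsa-dates.txt"
openssl crl -inform d -in "$DIR/crl-rsa-dsa.der" -noout -lastupdate -nextupdate > "$DIR/crl-rsa-dsa-dates.txt"

# --- PKCS#7 bundle of the RSA and DSA certificates ---------------------------

# (A raw concatenation of the two DER files used to be written to
# /tmp/certs.der; no step of this script reads it, so it is no longer produced.)
openssl x509 -inform d -in "$DIR/cert-rsa.der" > "$TMP/certs.pem"
openssl x509 -inform d -in "$DIR/cert-dsa.der" >> "$TMP/certs.pem"

openssl crl2pkcs7 -certfile "$TMP/certs.pem" -nocrl > "$DIR/certs-pk7.pem"
openssl crl2pkcs7 -certfile "$TMP/certs.pem" -nocrl -outform d > "$DIR/certs-pk7.der"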