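#!/bin/sh
#
# CA - wrapper around ca to make it easier to use ... basically ca requires
# some setup stuff to be done before you can use it and this makes
# things easier between now and when Eric is convinced to fix it :-)
#
# CA -newca ... will setup the right stuff
# CA -newreq ... will generate a certificate request
# CA -sign ... will sign the generated request and output
#
# At the end of that grab newreq.pem and newcert.pem (one has the key
# and the other the certificate) and cat them together and that is what
# you want/need ... I'll make even this a little cleaner later.
#
#
# 12-Jan-96 tjh Added more things ... including CA -signcert which
# converts a certificate to a request and then signs it.
# 10-Jan-96 eay Fixed a few more bugs and added the SSLEAY_CONFIG
# environment variable so this can be driven from
# a script.
# 25-Jul-96 eay Cleaned up filenames some more.
# 11-Jun-96 eay Fixed a few filename mismatches.
# 03-May-96 eay Modified to use 'ssleay cmd' instead of 'cmd'.
# 18-Apr-96 tjh Original hacking
#
# Tim Hudson
# tjh@cryptsoft.com
#

# default openssl.cnf file has setup as per the following
# demoCA ... where everything is stored

# cp_pem INFILE OUTFILE BOUNDARY
#
# Copy the first PEM block whose "-----BEGIN ..." / "-----END ..." armor
# lines contain BOUNDARY (e.g. PRIVATE or CERTIFICATE) from INFILE to
# OUTFILE, truncating OUTFILE.  -newca uses it to split a combined
# key+certificate file into the CA's private key and certificate.
#
# Returns 0 when a complete block (BEGIN through END) was copied, 1 when
# INFILE is unreadable or holds no such block (OUTFILE is then untouched).
#
# The original redirected the whole script's stdin with "exec <$infile",
# so every later interactive prompt (openssl passphrase/subject prompts)
# read from the PEM file instead of the terminal, and an unreadable path
# terminated the script.  The redirection is now scoped to the loop.
cp_pem() {
    infile=$1
    outfile=$2
    bound=$3
    found=0
    complete=0

    [ -r "$infile" ] || return 1

    # IFS= / -r keep each line byte-for-byte; the trailing "|| [ -n ... ]"
    # still processes a last line that lacks a newline.
    while IFS= read -r line || [ -n "$line" ]; do
        if [ "$found" -eq 1 ]; then
            printf '%s\n' "$line" >>"$outfile"
            case $line in
                -----END*"$bound"*)
                    complete=1
                    break
                    ;;
            esac
        else
            case $line in
                -----BEGIN*"$bound"*)
                    # First matching BEGIN line starts (truncates) the output.
                    printf '%s\n' "$line" >"$outfile"
                    found=1
                    ;;
            esac
        fi
    done <"$infile"

    [ "$complete" -eq 1 ]
}

# usage: print the option summary to stderr.  Exiting is the caller's job.
# Lists every option the dispatcher accepts; the original omitted
# -signCA, -signcert, -xsign and -pkcs12.
usage() {
    echo "usage: $0 -newcert|-newreq|-newreq-nodes|-newca|-sign|-signCA|-signcert|-xsign|-pkcs12 [name]|-verify [cert ...]" >&2
}

# Tool selection.  $OPENSSL and $SSLEAY_CONFIG (e.g. "-config my.cnf") come
# from the environment and are deliberately expanded unquoted by the callers
# so they word-split into separate arguments.  Consequently whoever controls
# the environment controls which binary and which configuration are used.
if [ -z "$OPENSSL" ]; then OPENSSL=openssl; fi

if [ -z "$DAYS" ] ; then DAYS="-days 365" ; fi	# 1 year
CADAYS="-days 1095"	# 3 years
REQ="$OPENSSL req $SSLEAY_CONFIG"
CA="$OPENSSL ca $SSLEAY_CONFIG"
VERIFY="$OPENSSL verify"
X509="$OPENSSL x509"
# Was hard-coded to "openssl pkcs12", silently ignoring $OPENSSL; keep it
# consistent with the other commands so a caller-selected binary is used
# for every step.
PKCS12="$OPENSSL pkcs12"

# Layout: everything lives under $CATOP (default ./demoCA).  The key and
# request names are relative paths the callers join onto $CATOP.
if [ -z "$CATOP" ] ; then CATOP=./demoCA ; fi
CAKEY=./cakey.pem
CAREQ=./careq.pem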
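CACERT=./cacert.pem

# Exit status of the last openssl step; reported through "exit $RET" below.
RET=0

# Command dispatcher.  Options are consumed left to right; most fall through
# to the next option, while -pkcs12 and -verify exit immediately.
# $REQ, $CA, $X509, $VERIFY, $DAYS and $CADAYS are intentionally unquoted:
# each holds a command plus arguments that must word-split.
while [ "$1" != "" ] ; do
case $1 in
-\?|-h|-help)
    usage
    exit 0
    ;;
-newcert)
    # Self-signed certificate plus a fresh key (openssl req prompts for a
    # passphrase unless the config says otherwise).
    $REQ -new -x509 -keyout newkey.pem -out newcert.pem $DAYS
    RET=$?
    echo "Certificate is in newcert.pem, private key is in newkey.pem"
    ;;
-newreq)
    # Certificate request plus a fresh key in a separate file.
    $REQ -new -keyout newkey.pem -out newreq.pem $DAYS
    RET=$?
    echo "Request is in newreq.pem, private key is in newkey.pem"
    ;;
-newreq-nodes)
    # Request and UNENCRYPTED key written into the same file, newreq.pem.
    # This is the layout -pkcs12 and -signcert below rely on; protect the file.
    $REQ -new -nodes -keyout newreq.pem -out newreq.pem $DAYS
    RET=$?
    echo "Request (and private key) is in newreq.pem"
    ;;
-newca)
    # Create the directory structure "openssl ca" expects under $CATOP.
    # The original wrapped this in a condition that was always true
    # (NEW="1" followed by [ "$NEW" -o ... ]); mkdir -p and touch are
    # idempotent, so the guard is simply dropped.
    mkdir -p ${CATOP}
    mkdir -p ${CATOP}/certs
    mkdir -p ${CATOP}/crl
    mkdir -p ${CATOP}/newcerts
    mkdir -p ${CATOP}/private
    # The CA private key lives here; keep it out of other users' reach
    # regardless of the caller's umask.
    chmod 700 ${CATOP}/private
    touch ${CATOP}/index.txt
    if [ ! -f ${CATOP}/private/$CAKEY ]; then
        echo "CA certificate filename (or enter to create)"
        read -r FILE

        # ask user for existing CA certificate
        if [ "$FILE" ]; then
            # Import an existing combined key+certificate file.  Check that it
            # is readable first: feeding an unreadable path to cp_pem's
            # "exec <file" redirection would terminate the whole script.
            if [ ! -r "$FILE" ]; then
                echo "Cannot read $FILE" >&2
                RET=1
            else
                cp_pem "$FILE" ${CATOP}/private/$CAKEY PRIVATE
                cp_pem "$FILE" ${CATOP}/$CACERT CERTIFICATE
                RET=$?
                if [ -f ${CATOP}/private/$CAKEY ]; then
                    chmod 600 ${CATOP}/private/$CAKEY
                fi
                if [ ! -f "${CATOP}/serial" ]; then
                    $X509 -in ${CATOP}/$CACERT -noout -next_serial \
                        -out ${CATOP}/serial
                fi
            fi
        else
            echo "Making CA certificate ..."
            $REQ -new -keyout ${CATOP}/private/$CAKEY \
                -out ${CATOP}/$CAREQ
            # openssl req writes the key with the process umask; tighten it.
            if [ -f ${CATOP}/private/$CAKEY ]; then
                chmod 600 ${CATOP}/private/$CAKEY
            fi
            $CA -create_serial -out ${CATOP}/$CACERT $CADAYS -batch \
                -keyfile ${CATOP}/private/$CAKEY -selfsign \
                -extensions v3_ca \
                -infiles ${CATOP}/$CAREQ
            RET=$?
        fi
    fi
    ;;
-xsign)
    # Sign newreq.pem and write the certificate to stdout (no -out).
    $CA -policy policy_anything -infiles newreq.pem
    RET=$?
    ;;
-pkcs12)
    # Bundle newcert.pem, its key and the CA certificate into newcert.p12.
    # The key is read from newreq.pem, i.e. the -newreq-nodes layout; after
    # a plain -newreq the key is in newkey.pem and pkcs12 will not find one.
    if [ -z "$2" ] ; then
        CNAME="My Certificate"
    else
        CNAME="$2"
    fi
    $PKCS12 -in newcert.pem -inkey newreq.pem -certfile ${CATOP}/$CACERT \
        -out newcert.p12 -export -name "$CNAME"
    RET=$?
    exit "$RET"
    ;;
-sign|-signreq)
    # policy_anything (the section of that name in the stock openssl.cnf)
    # places essentially no constraints on the requested subject: whatever is
    # in newreq.pem gets signed once the operator confirms at the ca prompt.
    # Read the request before confirming.
    $CA -policy policy_anything -out newcert.pem -infiles newreq.pem
    RET=$?
    cat newcert.pem
    echo "Signed certificate is in newcert.pem"
    ;;
-signCA)
    # Issue a subordinate CA certificate.  With the stock openssl.cnf the
    # v3_ca section sets basicConstraints CA:true, so the holder can in turn
    # issue certificates that chain to this CA - sign these deliberately.
    $CA -policy policy_anything -out newcert.pem -extensions v3_ca -infiles newreq.pem
    RET=$?
    echo "Signed CA certificate is in newcert.pem"
    ;;
-signcert)
    # Re-sign an existing certificate: newreq.pem must hold both the
    # certificate and its key.  It is converted back into a request
    # (tmp.pem, left in the working directory) and that request is signed.
    echo "Cert passphrase will be requested twice - bug?"
    $X509 -x509toreq -in newreq.pem -signkey newreq.pem -out tmp.pem
    $CA -policy policy_anything -out newcert.pem -infiles tmp.pem
    RET=$?
    cat newcert.pem
    echo "Signed certificate is in newcert.pem"
    ;;
-verify)
    shift
    if [ -z "$1" ]; then
        $VERIFY -CAfile $CATOP/$CACERT newcert.pem
        RET=$?
    else
        # Verify every remaining argument against the CA certificate.
        # The original did "if [ $? != 0 ]; then RET=$?", which stored the
        # status of the test itself (always 0), so a failed verification
        # never reached the exit status.  Capture the status once.
        for j
        do
            $VERIFY -CAfile $CATOP/$CACERT "$j"
            status=$?
            if [ "$status" != 0 ]; then
                RET=$status
            fi
        done
    fi
    exit "$RET"
    ;;
*)
    # Was "$i", an undefined variable, so the offending argument was never shown.
    echo "Unknown arg $1" >&2
    usage
    exit 1
    ;;
esac
shift
done
exit "$RET"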