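#!/bin/bash -
# Copyright (C) 2012 The Android Open Source Project
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
# Regenerates the X.509 certificate, CRL and PKCS#7 test vectors that live
# next to this script (cert-*.der, crl-*.der, *-tbs.der, *-sig.der,
# *-dates.txt, certs-pk7.*).  Private keys (privkey.pem, dsapriv.pem,
# ecpriv.pem, cakey.pem/cacert.pem) are only created when missing, so a
# re-run re-issues the vectors for the same keys.
#
# Requires `openssl` on PATH and default.cnf beside the script; the
# extension sections named below are defined there.

set -o nounset # Treat unset variables as an error
set -e
# Without pipefail a pipeline only reports its last stage, so a failing
# `openssl req` feeding `openssl x509` would silently produce an empty vector.
set -o pipefail

DIR=$(dirname "$0")
CONF="$DIR/default.cnf"

# Scratch directory for every intermediate that is addressed explicitly on a
# command line; unpredictable name, removed on every exit path.
TMP=$(mktemp -d) || exit 1

# Fixed CA database location.  NOTE(review): `openssl ca` reads its database
# (index.txt, serial) from the `dir` setting of default.cnf, which presumably
# names /tmp/ca -- confirm before moving this under "$TMP".
CA_DB=/tmp/ca

#######################################
# Remove scratch files.  Runs from the EXIT trap, so it must not fail.
# Globals: TMP, CA_DB (read)
#######################################
cleanup() {
  rm -rf -- "${TMP:?}"
  rm -f -- /tmp/cakey.pem /tmp/cacert.pem
  rm -rf -- "${CA_DB:?}"
}
trap cleanup EXIT

#######################################
# Issue a self-signed certificate from a fresh CSR built with default.cnf.
# Globals:   CONF (read)
# Arguments: $1 - private key (PEM) used for both the request and the signature
#            $2 - extension section of default.cnf to apply
#            $3 - output file (DER)
#            $@ - further options handed to `openssl x509` (e.g. -days)
# Returns:   non-zero if either openssl stage fails (pipefail)
#######################################
gen_cert() {
  local key=$1 ext=$2 out=$3
  shift 3
  openssl req -config "$CONF" -new -key "$key" -nodes -batch \
    | openssl x509 -extfile "$CONF" -extensions "$ext" -req -signkey "$key" \
        -outform d "$@" > "$out"
}

#######################################
# Split a DER-encoded signed structure (certificate or CRL) into its
# to-be-signed body and its signature value, for signature-verification vectors.
# Arguments: $1 - input DER file
#            $2 - output file for the TBS body (DER)
#            $3 - output file for the signature BIT STRING contents (DER)
#######################################
split_tbs_sig() {
  local in=$1 tbs_out=$2 sig_out=$3
  local sig_offset
  # Offset 4 skips the outer SEQUENCE header (tag plus a two-byte long-form
  # length, i.e. a structure over 255 bytes) and lands on the tbs SEQUENCE.
  openssl asn1parse -in "$in" -inform d -noout -strparse 4 -out "$tbs_out"
  # The signature BIT STRING is the last element asn1parse prints; the first
  # colon-separated field of that line is its byte offset.
  sig_offset=$(openssl asn1parse -in "$in" -inform d | tail -1 | cut -f1 -d:)
  openssl asn1parse -in "$in" -inform d -strparse "$sig_offset" -noout -out "$sig_out"
}

# --- RSA key and the primary certificate ---------------------------------

if [ ! -f "$DIR/privkey.pem" ]; then
  openssl genrsa -out "$DIR/privkey.pem" 2048
fi

# The CSR is materialised because it is consumed twice: once to export the
# public key, once to sign the certificate.
REQ="$TMP/cert-rsa-req.pem"
openssl req -config "$CONF" -new -key "$DIR/privkey.pem" -nodes -batch > "$REQ"
openssl req -in "$REQ" -pubkey -noout | openssl rsa -pubin -pubout -outform der > "$DIR/cert-rsa-pubkey.der"
# The negative, oversized serial is deliberate: it presumably exercises the
# consumer's handling of out-of-range serial numbers.
openssl x509 -extfile "$CONF" -days 3650 -extensions usr_cert -req -signkey "$DIR/privkey.pem" -outform d -set_serial -99999999999999999999 < "$REQ" > "$DIR/cert-rsa.der"

split_tbs_sig "$DIR/cert-rsa.der" "$DIR/cert-rsa-tbs.der" "$DIR/cert-rsa-sig.der"

# extract startdate and enddate
openssl x509 -in "$DIR/cert-rsa.der" -inform d -noout -startdate -enddate > "$DIR/cert-rsa-dates.txt"

# extract serial
openssl x509 -in "$DIR/cert-rsa.der" -inform d -noout -serial > "$DIR/cert-rsa-serial.txt"

# --- One certificate per extension section of default.cnf ----------------

gen_cert "$DIR/privkey.pem" keyUsage_extraLong_cert "$DIR/cert-keyUsage-extraLong.der"
gen_cert "$DIR/privkey.pem" extendedKeyUsage_cert   "$DIR/cert-extendedKeyUsage.der"
gen_cert "$DIR/privkey.pem" ca_cert                 "$DIR/cert-ca.der"
gen_cert "$DIR/privkey.pem" userWithPathLen_cert    "$DIR/cert-userWithPathLen.der"
gen_cert "$DIR/privkey.pem" caWithPathLen_cert      "$DIR/cert-caWithPathLen.der"
gen_cert "$DIR/privkey.pem" alt_other_cert          "$DIR/cert-alt-other.der"
gen_cert "$DIR/privkey.pem" alt_email_cert          "$DIR/cert-alt-email.der"
gen_cert "$DIR/privkey.pem" alt_dns_cert            "$DIR/cert-alt-dns.der"
gen_cert "$DIR/privkey.pem" alt_dirname_cert        "$DIR/cert-alt-dirname.der"
gen_cert "$DIR/privkey.pem" alt_uri_cert            "$DIR/cert-alt-uri.der"
gen_cert "$DIR/privkey.pem" alt_rid_cert            "$DIR/cert-alt-rid.der"
gen_cert "$DIR/privkey.pem" alt_none_cert           "$DIR/cert-alt-none.der"
gen_cert "$DIR/privkey.pem" ipv6_cert               "$DIR/cert-ipv6.der"
gen_cert "$DIR/privkey.pem" unsupported_cert        "$DIR/cert-unsupported.der"

# RSA-PSS signed certificate, produced by `req -x509` directly (no CSR).
openssl req -config "$CONF" -new -key "$DIR/privkey.pem" -nodes -batch -extensions usr_cert -x509 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:1 -outform d > "$DIR/cert-sigopt.der"

# --- DSA and EC keys ------------------------------------------------------

if [ ! -f "$DIR/dsapriv.pem" ]; then
  # Test-vector key only; 1024-bit parameters are kept for parity with the
  # existing vectors.
  openssl dsaparam -out "$TMP/dsaparam.pem" 1024
  openssl gendsa -out "$DIR/dsapriv.pem" "$TMP/dsaparam.pem"
fi
gen_cert "$DIR/dsapriv.pem" keyUsage_cert "$DIR/cert-dsa.der"

if [ ! -f "$DIR/ecpriv.pem" ]; then
  openssl ecparam -name prime256v1 -genkey -out "$DIR/ecpriv.pem" -noout
fi
gen_cert "$DIR/ecpriv.pem" keyUsage_critical_cert "$DIR/cert-ec.der"

# --- Temporary CA for CRL generation -------------------------------------

rm -rf -- "${CA_DB:?}"
mkdir -p "$CA_DB"
touch "$CA_DB/index.txt" "$CA_DB/index.txt.attr"
echo "01" > "$CA_DB/serial"
if [ ! -f "$DIR/cakey.pem" ]; then
  openssl req -new -nodes -batch -x509 -extensions v3_ca -keyout "$DIR/cakey.pem" -out "$DIR/cacert.pem" -days 3650 -config "$CONF"
fi
# The key/cert are passed explicitly via -keyfile/-cert below; the copies are
# kept in case default.cnf also refers to them by this path -- TODO confirm.
cp "$DIR/cakey.pem" "$DIR/cacert.pem" /tmp
openssl x509 -in /tmp/cacert.pem -outform d > "$DIR/cert-crl-ca.der"

# Options common to every `openssl ca` invocation against the temporary CA.
CA_OPTS=(-keyfile /tmp/cakey.pem -cert /tmp/cacert.pem -config "$CONF")

# Empty CRL.
openssl ca -gencrl -crlhours 70 "${CA_OPTS[@]}" -out "$TMP/crl-empty.pem"
openssl crl -in "$TMP/crl-empty.pem" -outform d -out "$DIR/crl-empty.der"

# CRL listing the RSA certificate.
openssl x509 -inform d -in "$DIR/cert-rsa.der" -out "$TMP/cert-rsa.pem"
openssl ca -revoke "$TMP/cert-rsa.pem" "${CA_OPTS[@]}"
openssl ca -gencrl -crlhours 70 "${CA_OPTS[@]}" -out "$TMP/crl-rsa.pem"
openssl crl -in "$TMP/crl-rsa.pem" -outform d -out "$DIR/crl-rsa.der"

split_tbs_sig "$DIR/crl-rsa.der" "$DIR/crl-rsa-tbs.der" "$DIR/crl-rsa-sig.der"

# CRL listing both RSA and DSA certificates, with a fixed issue date, plus an
# RSA-PSS signed variant of the same CRL (its PEM form is itself a vector).
openssl x509 -inform d -in "$DIR/cert-dsa.der" -out "$TMP/cert-dsa.pem"
openssl ca -revoke "$TMP/cert-dsa.pem" -crl_reason cessationOfOperation -extensions unsupported_cert "${CA_OPTS[@]}"
openssl ca -gencrl -startdate 140101010101Z -crldays 30 "${CA_OPTS[@]}" -out "$TMP/crl-rsa-dsa.pem"
openssl ca -gencrl -startdate 140101010101Z -crldays 30 "${CA_OPTS[@]}" -out "$DIR/crl-rsa-dsa-sigopt.pem" -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:1
openssl crl -in "$TMP/crl-rsa-dsa.pem" -outform d -out "$DIR/crl-rsa-dsa.der"
openssl crl -in "$DIR/crl-rsa-dsa-sigopt.pem" -outform d -out "$DIR/crl-rsa-dsa-sigopt.der"

# Unsupported extensions
openssl ca -gencrl -crlexts unsupported_cert "${CA_OPTS[@]}" -out "$TMP/crl-unsupported.pem"
openssl crl -in "$TMP/crl-unsupported.pem" -outform d -out "$DIR/crl-unsupported.der"

openssl crl -inform d -in "$DIR/crl-rsa.der" -noout -lastupdate -nextupdate > "$DIR/crl-rsa-dates.txt"
openssl crl -inform d -in "$DIR/crl-rsa-dsa.der" -noout -lastupdate -nextupdate > "$DIR/crl-rsa-dsa-dates.txt"

# --- PKCS#7 bundle of the RSA and DSA certificates -----------------------

# Concatenated DER form; nothing below consumes it (kept for parity with the
# PEM bundle).
cat "$DIR/cert-rsa.der" "$DIR/cert-dsa.der" > "$TMP/certs.der"
openssl x509 -inform d -in "$DIR/cert-rsa.der" > "$TMP/certs.pem"
openssl x509 -inform d -in "$DIR/cert-dsa.der" >> "$TMP/certs.pem"

openssl crl2pkcs7 -certfile "$TMP/certs.pem" -nocrl > "$DIR/certs-pk7.pem"
openssl crl2pkcs7 -certfile "$TMP/certs.pem" -nocrl -outform d > "$DIR/certs-pk7.der"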