1: #!/bin/sh
    2: 
    3: digest='-sha1'
    4: reqcmd="../util/shlib_wrap.sh ../apps/openssl req"
    5: x509cmd="../util/shlib_wrap.sh ../apps/openssl x509 $digest"
    6: verifycmd="../util/shlib_wrap.sh ../apps/openssl verify"
    7: dummycnf="../apps/openssl.cnf"
    8: 
    9: CAkey="keyCA.ss"
   10: CAcert="certCA.ss"
   11: CAreq="reqCA.ss"
   12: CAconf="CAss.cnf"
   13: CAreq2="req2CA.ss"      # temp
   14: 
   15: Uconf="Uss.cnf"
   16: Ukey="keyU.ss"
   17: Ureq="reqU.ss"
   18: Ucert="certU.ss"
   19: 
   20: P1conf="P1ss.cnf"
   21: P1key="keyP1.ss"
   22: P1req="reqP1.ss"
   23: P1cert="certP1.ss"
   24: P1intermediate="tmp_intP1.ss"
   25: 
   26: P2conf="P2ss.cnf"
   27: P2key="keyP2.ss"
   28: P2req="reqP2.ss"
   29: P2cert="certP2.ss"
   30: P2intermediate="tmp_intP2.ss"
   31: 
   32: echo
   33: echo "make a certificate request using 'req'"
   34: 
   35: echo "string to make the random number generator think it has entropy" >> ./.rnd
   36: 
   37: if ../util/shlib_wrap.sh ../apps/openssl no-rsa; then
   38:   req_new='-newkey dsa:../apps/dsa512.pem'
   39: else
   40:   req_new='-new'
   41: fi
   42: 
   43: $reqcmd -config $CAconf -out $CAreq -keyout $CAkey $req_new #>err.ss
   44: if [ $? != 0 ]; then
   45:         echo "error using 'req' to generate a certificate request"
   46:         exit 1
   47: fi
   48: echo
   49: echo "convert the certificate request into a self signed certificate using 'x509'"
   50: $x509cmd -CAcreateserial -in $CAreq -days 30 -req -out $CAcert -signkey $CAkey -extfile $CAconf -extensions v3_ca >err.ss
   51: if [ $? != 0 ]; then
   52:         echo "error using 'x509' to self sign a certificate request"
   53:         exit 1
   54: fi
   55: 
   56: echo
   57: echo "convert a certificate into a certificate request using 'x509'"
   58: $x509cmd -in $CAcert -x509toreq -signkey $CAkey -out $CAreq2 >err.ss
   59: if [ $? != 0 ]; then
   60:         echo "error using 'x509' convert a certificate to a certificate request"
   61:         exit 1
   62: fi
   63: 
   64: $reqcmd -config $dummycnf -verify -in $CAreq -noout
   65: if [ $? != 0 ]; then
   66:         echo first generated request is invalid
   67:         exit 1
   68: fi
   69: 
   70: $reqcmd -config $dummycnf -verify -in $CAreq2 -noout
   71: if [ $? != 0 ]; then
   72:         echo second generated request is invalid
   73:         exit 1
   74: fi
   75: 
   76: $verifycmd -CAfile $CAcert $CAcert
   77: if [ $? != 0 ]; then
   78:         echo first generated cert is invalid
   79:         exit 1
   80: fi
   81: 
   82: echo
   83: echo "make a user certificate request using 'req'"
   84: $reqcmd -config $Uconf -out $Ureq -keyout $Ukey $req_new >err.ss
   85: if [ $? != 0 ]; then
   86:         echo "error using 'req' to generate a user certificate request"
   87:         exit 1
   88: fi
   89: 
   90: echo
   91: echo "sign user certificate request with the just created CA via 'x509'"
   92: $x509cmd -CAcreateserial -in $Ureq -days 30 -req -out $Ucert -CA $CAcert -CAkey $CAkey -extfile $Uconf -extensions v3_ee >err.ss
   93: if [ $? != 0 ]; then
   94:         echo "error using 'x509' to sign a user certificate request"
   95:         exit 1
   96: fi
   97: 
   98: $verifycmd -CAfile $CAcert $Ucert
   99: echo
  100: echo "Certificate details"
  101: $x509cmd -subject -issuer -startdate -enddate -noout -in $Ucert
  102: 
  103: echo
  104: echo "make a proxy certificate request using 'req'"
  105: $reqcmd -config $P1conf -out $P1req -keyout $P1key $req_new >err.ss
  106: if [ $? != 0 ]; then
  107:         echo "error using 'req' to generate a proxy certificate request"
  108:         exit 1
  109: fi
  110: 
  111: echo
  112: echo "sign proxy certificate request with the just created user certificate via 'x509'"
  113: $x509cmd -CAcreateserial -in $P1req -days 30 -req -out $P1cert -CA $Ucert -CAkey $Ukey -extfile $P1conf -extensions v3_proxy >err.ss
  114: if [ $? != 0 ]; then
  115:         echo "error using 'x509' to sign a proxy certificate request"
  116:         exit 1
  117: fi
  118: 
  119: cat $Ucert > $P1intermediate
  120: $verifycmd -CAfile $CAcert -untrusted $P1intermediate $P1cert
  121: echo
  122: echo "Certificate details"
  123: $x509cmd -subject -issuer -startdate -enddate -noout -in $P1cert
  124: 
  125: echo
  126: echo "make another proxy certificate request using 'req'"
  127: $reqcmd -config $P2conf -out $P2req -keyout $P2key $req_new >err.ss
  128: if [ $? != 0 ]; then
  129:         echo "error using 'req' to generate another proxy certificate request"
  130:         exit 1
  131: fi
  132: 
  133: echo
  134: echo "sign second proxy certificate request with the first proxy certificate via 'x509'"
  135: $x509cmd -CAcreateserial -in $P2req -days 30 -req -out $P2cert -CA $P1cert -CAkey $P1key -extfile $P2conf -extensions v3_proxy >err.ss
  136: if [ $? != 0 ]; then
  137:         echo "error using 'x509' to sign a second proxy certificate request"
  138:         exit 1
  139: fi
  140: 
  141: cat $Ucert $P1cert > $P2intermediate
  142: $verifycmd -CAfile $CAcert -untrusted $P2intermediate $P2cert
  143: echo
  144: echo "Certificate details"
  145: $x509cmd -subject -issuer -startdate -enddate -noout -in $P2cert
  146: 
  147: echo
  148: echo The generated CA certificate is $CAcert
  149: echo The generated CA private key is $CAkey
  150: 
  151: echo The generated user certificate is $Ucert
  152: echo The generated user private key is $Ukey
  153: 
  154: echo The first generated proxy certificate is $P1cert
  155: echo The first generated proxy private key is $P1key
  156: 
  157: echo The second generated proxy certificate is $P2cert
  158: echo The second generated proxy private key is $P2key
  159: 
  160: /bin/rm err.ss
  161: #/bin/rm $P1intermediate
  162: #/bin/rm $P2intermediate
  163: exit 0