blob: 7ac81b353f2efb5936787a589c66cac7e53c4fd1 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
|
#!/usr/bin/env bash
#
# This file is part of the LibreOffice project.
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
#
# The purpose of this script is to create certificates to be able to test ODF signing code.
#
# What it does:
#
# 1) Create a test root CA.
#
# 2) Create an intermediate CA, as signing certificates with a root CA is
# considered unsafe.
#
# 3) Create two client certificates that can be used to sign ODF documents in
# LibreOffice.
#
# References:
#
# <https://jamielinux.com/docs/openssl-certificate-authority/> for most of the
# commands.
#
# <https://www.sslshopper.com/article-most-common-openssl-commands.html> for
# the PKCS#12 export of self-signed certificates
#
set -e
root="$PWD"
algo="RSA"
pass="y"
if [ -n "$1" ]; then
algo="$1"
fi
if [ "$2" == "NOPASS" ]; then
pass="n"
fi
if [ -d "$root/ca" ]; then
echo "'ca' directory already exists in $root, please remove it before running this script."
exit 1
fi
if [ -z "$SSLPASS" ]; then
# Unless specified otherwise, we'll use this as a password everywhere.
export SSLPASS="xmlsecurity"
fi
# 1) Create the root pair.
mkdir "$root/ca"
cd "$root/ca"
mkdir certs crl newcerts private
chmod 700 private
touch index.txt
echo 1000 > serial
sed "s|@ROOT@|$root|g" "$root/templates/root.cnf" > "$root/ca/openssl.cnf"
# Create the root key.
cd "$root/ca"
openssl genrsa -aes256 -out private/ca.key.pem -passout env:SSLPASS 4096
chmod 400 private/ca.key.pem
# Create the root certificate.
cd "$root/ca"
openssl req -config openssl.cnf \
-key private/ca.key.pem \
-new -x509 -days 36500 -sha256 -extensions v3_ca \
-out certs/ca.cert.pem \
-passin env:SSLPASS \
-subj "/C=UK/ST=England/O=Xmlsecurity ${algo} Test/CN=Xmlsecurity ${algo} Test Root CA"
chmod 444 certs/ca.cert.pem
# 2) Create the intermediate pair.
# Prepare the directory.
mkdir "$root/ca/intermediate"
cd "$root/ca/intermediate"
mkdir certs crl csr newcerts private
chmod 700 private
touch index.txt
echo 1000 > serial
# crlnumber is used to keep track of certificate revocation lists.
echo 1000 > "$root/ca/intermediate/crlnumber"
# Copy the intermediate CA configuration file.
sed "s|@ROOT@|$root|g" "$root/templates/intermediate.cnf" > "$root/ca/intermediate/openssl.cnf"
# Create the intermediate key.
cd "$root/ca"
openssl genrsa -aes256 \
-out intermediate/private/intermediate.key.pem \
-passout env:SSLPASS 4096
chmod 400 intermediate/private/intermediate.key.pem
# Create the intermediate certificate.
# Intermediate key.
cd "$root/ca"
openssl req -config intermediate/openssl.cnf -new -sha256 \
-key intermediate/private/intermediate.key.pem \
-out intermediate/csr/intermediate.csr.pem \
-passin env:SSLPASS \
-subj "/C=UK/ST=England/O=Xmlsecurity ${algo} Test/CN=Xmlsecurity Intermediate Root CA"
# The certificate itself.
openssl ca -batch -config openssl.cnf -extensions v3_intermediate_ca \
-days 36500 -notext -md sha256 \
-in intermediate/csr/intermediate.csr.pem \
-passin env:SSLPASS \
-out intermediate/certs/intermediate.cert.pem
chmod 444 intermediate/certs/intermediate.cert.pem
# Create the certificate chain file.
cat intermediate/certs/intermediate.cert.pem \
certs/ca.cert.pem > intermediate/certs/ca-chain.cert.pem
chmod 444 intermediate/certs/ca-chain.cert.pem
# 3) Create the real certificate.
for i in Alice Bob
do
# Create a key.
cd "$root/ca"
if [ "$algo" == "ECDSA" ]; then
openssl ecparam -name secp256r1 -genkey \
-out intermediate/private/example-xmlsecurity-${i}.key.pem
else
if [ "$pass" == "y" ]; then
openssl genrsa -aes256 \
-out intermediate/private/example-xmlsecurity-${i}.key.pem \
-passout env:SSLPASS 2048
else
openssl genrsa \
-out intermediate/private/example-xmlsecurity-${i}.key.pem \
2048
fi
fi
chmod 400 intermediate/private/example-xmlsecurity-${i}.key.pem
# Create a certificate signing request (CSR).
cd "$root/ca"
if [ "$pass" == "y" ]; then
openssl req -config intermediate/openssl.cnf \
-key intermediate/private/example-xmlsecurity-${i}.key.pem \
-new -sha256 -out intermediate/csr/example-xmlsecurity-${i}.csr.pem \
-passin env:SSLPASS \
-subj "/C=UK/ST=England/O=Xmlsecurity ${algo} Test/CN=Xmlsecurity ${algo} Test example ${i}"
else
openssl req -config intermediate/openssl.cnf \
-key intermediate/private/example-xmlsecurity-${i}.key.pem \
-new -sha256 -out intermediate/csr/example-xmlsecurity-${i}.csr.pem \
-subj "/C=UK/ST=England/O=Xmlsecurity ${algo} Test/CN=Xmlsecurity ${algo} Test example ${i}"
fi
# To create a certificate, use the intermediate CA to sign the CSR.
cd "$root/ca"
# usr_cert: the cert will be used for signing.
if [ "$pass" == "y" ]; then
openssl ca -batch -config intermediate/openssl.cnf \
-extensions usr_cert -days 36500 -notext -md sha256 \
-in intermediate/csr/example-xmlsecurity-${i}.csr.pem \
-passin env:SSLPASS \
-out intermediate/certs/example-xmlsecurity-${i}.cert.pem
else
openssl ca -batch -config intermediate/openssl.cnf \
-extensions usr_cert -days 36500 -notext -md sha256 \
-in intermediate/csr/example-xmlsecurity-${i}.csr.pem \
-passin env:SSLPASS \
-out intermediate/certs/example-xmlsecurity-${i}.cert.pem
fi
chmod 444 intermediate/certs/example-xmlsecurity-${i}.cert.pem
# Export it in PKCS#12 format.
if [ "$algo" == "ECDSA" ]; then
openssl pkcs12 -export \
-out ./intermediate/private/example-xmlsecurity-${i}.cert.p12 \
-passout env:SSLPASS \
-inkey intermediate/private/example-xmlsecurity-${i}.key.pem \
-passin env:SSLPASS \
-in intermediate/certs/example-xmlsecurity-${i}.cert.pem \
-certfile intermediate/certs/ca-chain.cert.pem
else
if [ "$pass" == "y" ]; then
openssl pkcs12 -export \
-out ./intermediate/private/example-xmlsecurity-${i}.cert.p12 \
-passout env:SSLPASS \
-inkey intermediate/private/example-xmlsecurity-${i}.key.pem \
-passin env:SSLPASS \
-in intermediate/certs/example-xmlsecurity-${i}.cert.pem \
-certfile intermediate/certs/ca-chain.cert.pem \
-CSP "Microsoft Enhanced RSA and AES Cryptographic Provider"
else
openssl pkcs12 -export \
-out ./intermediate/private/example-xmlsecurity-${i}.cert.p12 \
-passout env:SSLPASS \
-inkey intermediate/private/example-xmlsecurity-${i}.key.pem \
-in intermediate/certs/example-xmlsecurity-${i}.cert.pem \
-certfile intermediate/certs/ca-chain.cert.pem \
-CSP "Microsoft Enhanced RSA and AES Cryptographic Provider"
fi
fi
done
echo
echo "Authority certificate is at: <$root/ca/intermediate/certs/ca-chain.cert.pem>."
echo "To be able to import it in Windows, rename the '.pem' extension to '.cer'."
for i in Alice Bob
do
echo "Signing certificate is at <$root/ca/intermediate/private/example-xmlsecurity-${i}.cert.p12>."
if [ "$pass" != "y" ]; then
echo "Cert file is at <$root/ca/intermediate/certs/example-xmlsecurity-${i}.cert.pem>."
echo "Key file is at <$root/ca/intermediate/private/example-xmlsecurity-${i}.key.pem>."
fi
done
# vim:set shiftwidth=4 expandtab:
|