summaryrefslogtreecommitdiff
path: root/xmlsecurity/qa/create-certs/create-certs.sh
blob: 7ac81b353f2efb5936787a589c66cac7e53c4fd1 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
#!/usr/bin/env bash
#
# This file is part of the LibreOffice project.
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
#
# The purpose of this script is to create certificates to be able to test ODF signing code.
#
# What it does:
#
# 1) Create a test root CA.
#
# 2) Create an intermediate CA, as signing certificates with a root CA is
# considered unsafe.
#
# 3) Create two client certificates that can be used to sign ODF documents in
# LibreOffice.
#
# References:
#
# <https://jamielinux.com/docs/openssl-certificate-authority/> for most of the
# commands.
#
# <https://www.sslshopper.com/article-most-common-openssl-commands.html> for
# the PKCS#12 export of self-signed certificates
#

set -e

root="$PWD"
algo="RSA"
pass="y"

if [ -n "$1" ]; then
    algo="$1"
fi

if [ "$2" == "NOPASS" ]; then
    pass="n"
fi

if [ -d "$root/ca" ]; then
    echo "'ca' directory already exists in $root, please remove it before running this script."
    exit 1
fi

if [ -z "$SSLPASS" ]; then
    # Unless specified otherwise, we'll use this as a password everywhere.
    export SSLPASS="xmlsecurity"
fi

# 1) Create the root pair.

mkdir "$root/ca"

cd "$root/ca"
mkdir certs crl newcerts private
chmod 700 private
touch index.txt
echo 1000 > serial

sed "s|@ROOT@|$root|g" "$root/templates/root.cnf" > "$root/ca/openssl.cnf"

# Create the root key.
cd "$root/ca"
openssl genrsa -aes256 -out private/ca.key.pem -passout env:SSLPASS 4096
chmod 400 private/ca.key.pem

# Create the root certificate.
cd "$root/ca"
openssl req -config openssl.cnf \
    -key private/ca.key.pem \
    -new -x509 -days 36500 -sha256 -extensions v3_ca \
    -out certs/ca.cert.pem \
    -passin env:SSLPASS \
    -subj "/C=UK/ST=England/O=Xmlsecurity ${algo} Test/CN=Xmlsecurity ${algo} Test Root CA"
chmod 444 certs/ca.cert.pem

# 2) Create the intermediate pair.

# Prepare the directory.
mkdir "$root/ca/intermediate"
cd "$root/ca/intermediate"
mkdir certs crl csr newcerts private
chmod 700 private
touch index.txt
echo 1000 > serial

# crlnumber is used to keep track of certificate revocation lists.
echo 1000 > "$root/ca/intermediate/crlnumber"

# Copy the intermediate CA configuration file.
sed "s|@ROOT@|$root|g" "$root/templates/intermediate.cnf" > "$root/ca/intermediate/openssl.cnf"

# Create the intermediate key.

cd "$root/ca"
openssl genrsa -aes256 \
    -out intermediate/private/intermediate.key.pem \
    -passout env:SSLPASS 4096
chmod 400 intermediate/private/intermediate.key.pem

# Create the intermediate certificate.

# Intermediate key.
cd "$root/ca"
openssl req -config intermediate/openssl.cnf -new -sha256 \
    -key intermediate/private/intermediate.key.pem \
    -out intermediate/csr/intermediate.csr.pem \
    -passin env:SSLPASS \
    -subj "/C=UK/ST=England/O=Xmlsecurity ${algo} Test/CN=Xmlsecurity Intermediate Root CA"

# The certificate itself.
openssl ca -batch -config openssl.cnf -extensions v3_intermediate_ca \
    -days 36500 -notext -md sha256 \
    -in intermediate/csr/intermediate.csr.pem \
    -passin env:SSLPASS \
    -out intermediate/certs/intermediate.cert.pem
chmod 444 intermediate/certs/intermediate.cert.pem

# Create the certificate chain file.
cat intermediate/certs/intermediate.cert.pem \
    certs/ca.cert.pem > intermediate/certs/ca-chain.cert.pem
chmod 444 intermediate/certs/ca-chain.cert.pem

# 3) Create the real certificate.

for i in Alice Bob
do
    # Create a key.
    cd "$root/ca"
    if [ "$algo" == "ECDSA" ]; then
        openssl ecparam -name secp256r1 -genkey \
            -out intermediate/private/example-xmlsecurity-${i}.key.pem
    else
        if [ "$pass" == "y" ]; then
            openssl genrsa -aes256 \
                -out intermediate/private/example-xmlsecurity-${i}.key.pem \
                -passout env:SSLPASS 2048
        else
            openssl genrsa \
                -out intermediate/private/example-xmlsecurity-${i}.key.pem \
                2048
        fi
    fi
    chmod 400 intermediate/private/example-xmlsecurity-${i}.key.pem

    # Create a certificate signing request (CSR).

    cd "$root/ca"
    if [ "$pass" == "y" ]; then
        openssl req -config intermediate/openssl.cnf \
            -key intermediate/private/example-xmlsecurity-${i}.key.pem \
            -new -sha256 -out intermediate/csr/example-xmlsecurity-${i}.csr.pem \
            -passin env:SSLPASS \
            -subj "/C=UK/ST=England/O=Xmlsecurity ${algo} Test/CN=Xmlsecurity ${algo} Test example ${i}"
    else
        openssl req -config intermediate/openssl.cnf \
            -key intermediate/private/example-xmlsecurity-${i}.key.pem \
            -new -sha256 -out intermediate/csr/example-xmlsecurity-${i}.csr.pem \
            -subj "/C=UK/ST=England/O=Xmlsecurity ${algo} Test/CN=Xmlsecurity ${algo} Test example ${i}"
    fi

    # To create a certificate, use the intermediate CA to sign the CSR.
    cd "$root/ca"
    # usr_cert: the cert will be used for signing.
    if [ "$pass" == "y" ]; then
        openssl ca -batch -config intermediate/openssl.cnf \
            -extensions usr_cert -days 36500 -notext -md sha256 \
            -in intermediate/csr/example-xmlsecurity-${i}.csr.pem \
            -passin env:SSLPASS \
            -out intermediate/certs/example-xmlsecurity-${i}.cert.pem
    else
        openssl ca -batch -config intermediate/openssl.cnf \
            -extensions usr_cert -days 36500 -notext -md sha256 \
            -in intermediate/csr/example-xmlsecurity-${i}.csr.pem \
            -passin env:SSLPASS \
            -out intermediate/certs/example-xmlsecurity-${i}.cert.pem
    fi
    chmod 444 intermediate/certs/example-xmlsecurity-${i}.cert.pem

    # Export it in PKCS#12 format.
    if [ "$algo" == "ECDSA" ]; then
        openssl pkcs12 -export \
            -out ./intermediate/private/example-xmlsecurity-${i}.cert.p12 \
            -passout env:SSLPASS \
            -inkey intermediate/private/example-xmlsecurity-${i}.key.pem \
            -passin env:SSLPASS \
            -in intermediate/certs/example-xmlsecurity-${i}.cert.pem \
            -certfile intermediate/certs/ca-chain.cert.pem
    else
        if [ "$pass" == "y" ]; then
            openssl pkcs12 -export \
                -out ./intermediate/private/example-xmlsecurity-${i}.cert.p12 \
                -passout env:SSLPASS \
                -inkey intermediate/private/example-xmlsecurity-${i}.key.pem \
                -passin env:SSLPASS \
                -in intermediate/certs/example-xmlsecurity-${i}.cert.pem \
                -certfile intermediate/certs/ca-chain.cert.pem \
                -CSP "Microsoft Enhanced RSA and AES Cryptographic Provider"
        else
            openssl pkcs12 -export \
                -out ./intermediate/private/example-xmlsecurity-${i}.cert.p12 \
                -passout env:SSLPASS \
                -inkey intermediate/private/example-xmlsecurity-${i}.key.pem \
                -in intermediate/certs/example-xmlsecurity-${i}.cert.pem \
                -certfile intermediate/certs/ca-chain.cert.pem \
                -CSP "Microsoft Enhanced RSA and AES Cryptographic Provider"
        fi
    fi
done

echo
echo "Authority certificate is at: <$root/ca/intermediate/certs/ca-chain.cert.pem>."
echo "To be able to import it in Windows, rename the '.pem' extension to '.cer'."
for i in Alice Bob
do
    echo "Signing certificate is at <$root/ca/intermediate/private/example-xmlsecurity-${i}.cert.p12>."
    if [ "$pass" != "y" ]; then
        echo "Cert file is at <$root/ca/intermediate/certs/example-xmlsecurity-${i}.cert.pem>."
        echo "Key file is at <$root/ca/intermediate/private/example-xmlsecurity-${i}.key.pem>."
    fi
done

# vim:set shiftwidth=4 expandtab: