OSX/libsecurity_ssl/regressions/CreateCerts.sh

   1 #!/bin/sh -e
   2
   3 #  CreateCerts.sh
   4 #  Security
   5 #
   6 #  Copyright 2011,2015 Apple, Inc. All rights reserved.
   7
   8 # This script may require modern version of openssl
   9
  10 echo "Create Certs"
  11
  12 #Overrride which openssl to use:
  13 #OPENSSL=/opt/openssl/bin/openssl
  14 OPENSSL=openssl
  15
  16 DIR=test-certs
  17
  18
  19 mkdir -p $DIR
  20 cd $DIR
  21
  22 gen_config()
  23 {
  24     cat >ext.conf << _EOF_
  25   basicConstraints            = CA:FALSE
  26 _EOF_
  27 }
  28
  29 gen_rsa_cert()
  30 {
  31     ${OPENSSL} req -x509 -days 14600 -nodes -subj "$2"  -newkey rsa:2048 -keyout $1.Key.pem -out $1.Cert.pem
  32     ${OPENSSL} rsa -outform DER -in $1.Key.pem -out $1.Key.der
  33     ${OPENSSL} x509 -outform DER -in $1.Cert.pem -out $1.Cert.der
  34     xxd -i $1.Key.der > $1_Key.h
  35     xxd -i $1.Cert.der > $1_Cert.h
  36 }
  37
  38 gen_ec_cert()
  39 {
  40     ${OPENSSL} req -x509 -days 14600 -nodes -subj "$2"  -newkey ec:ecparam.pem -keyout $1.Key.pem -out $1.Cert.pem
  41     ${OPENSSL} ec -outform DER -in $1.Key.pem -out $1.Key.der
  42     ${OPENSSL} x509 -outform DER -in $1.Cert.pem -out $1.Cert.der
  43     xxd -i $1.Key.der > $1_Key.h
  44     xxd -i $1.Cert.der > $1_Cert.h
  45 }
  46
  47
  48 create_rsa_key()
  49 {
  50     ${OPENSSL} req -new -nodes -subj "$2" -newkey rsa:1024 -keyout $1.Key.pem -out $1.Req.pem
  51     ${OPENSSL} rsa -outform DER -in $1.Key.pem -out $1.Key.der
  52     xxd -i $1.Key.der > $1_Key.h
  53 }
  54
  55 create_ec_key()
  56 {
  57     ${OPENSSL} req -new -nodes -subj "$2" -newkey ec:ecparam.pem -keyout $1.Key.pem -out $1.Req.pem
  58     ${OPENSSL} ec -outform DER -in $1.Key.pem -out $1.Key.der
  59     xxd -i $1.Key.der > $1_Key.h
  60 }
  61
  62 sign_cert()
  63 {
  64     ${OPENSSL} x509 -days 14600 -req -in $1.Req.pem -CA $2.Cert.pem -CAkey $2.Key.pem -set_serial $3 -out $1.Cert.$2.pem -extfile ext.conf
  65     ${OPENSSL} x509 -outform DER -in $1.Cert.$2.pem -out $1.Cert.$2.der
  66     xxd -i $1.Cert.$2.der > $1_Cert_$2.h
  67 }
  68
  69 #generate openssl config file
  70 gen_config
  71
  72 #generate EC params
  73 ${OPENSSL} ecparam -name prime256v1 -out ecparam.pem
  74
  75 echo "**** Generating CA keys and certs..."
  76 # generate CA certs
  77 gen_rsa_cert CA-RSA '/CN=SecurityTest CA Cert (RSA)'
  78 gen_rsa_cert Untrusted-CA-RSA '/CN=SecurityTest CA Cert (RSA)'
  79 gen_ec_cert CA-ECC '/CN=SecurityTest CA Cert (ECC)'
  80
  81 echo "**** Generating Server keys and csr..."
  82 # generate Server keys and CSR
  83 create_rsa_key ServerRSA '/OU=SecurityTests Server Cert (RSA)/CN=localhost'
  84 create_ec_key ServerECC '/OU=SecurityTests Server Cert (ECC)/CN=localhost'
  85
  86 echo "**** Generating Client keys and csr..."
  87 # generate client certs
  88 create_rsa_key ClientRSA '/OU=SecurityTests Client Cert (RSA)/CN=localhost'
  89 create_ec_key ClientECC '/OU=SecurityTests Client Cert (ECC)/CN=localhost'
  90 create_rsa_key UntrustedClientRSA '/OU=SecurityTests Client Cert (RSA)(Untrusted)/CN=localhost'
  91
  92 echo "**** Signing Servers certs..."
  93 sign_cert ServerRSA CA-RSA 1
  94 sign_cert ServerRSA CA-ECC 2
  95 sign_cert ServerECC CA-RSA 3
  96 sign_cert ServerECC CA-ECC 4
  97
  98 echo "**** Signing Clients certs..."
  99 sign_cert ClientRSA CA-RSA 1001
 100 sign_cert ClientRSA CA-ECC 1002
 101 sign_cert ClientECC CA-RSA 1003
 102 sign_cert ClientECC CA-ECC 1004
 103
 104 sign_cert UntrustedClientRSA Untrusted-CA-RSA 9999
 105