[exim.git] / test / aux-fixed / exim-ca / genall

#!/bin/bash
#

set -e

# Debugging.  Set V for clica verbosity.
set -x
#V=
V='-v'

clica --help >/dev/null 2>&1

echo Ensure time is set to 2012/11/01 12:34
echo use -  date -u 110112342012
echo hit return when ready
read junk

# Main suite: RSA certs
for tld in com org net
do
    iname="example.$tld"
    idir=$iname

####
    # create CAs & server certs
    rm -fr "$idir"

    # create CA cert + templates
    # -D  dir to work in
    # -p  passwd for cert
    # -B  keysize in bits
    # -I  create CA cert
    # -N  org name
    # -F  create sub-signing cert
    # -C CRL
    # -O create OCSP responder cert
    clica $V -D "$idir" -p password -B 2048 -I -N $iname -F -C http://crl.$iname/latest.crl -O http://oscp.$iname/

    # create server certs
    # -m <months>
    clica $V -D $idir -p password -s 101 -S server1.$iname -m 301 \
	-8 alternatename.server1.example.$tld,alternatename2.server1.example.$tld,*.test.ex
    clica $V -D $idir -p password -s 102 -S revoked1.$iname -m 301
    clica $V -D $idir -p password -s 103 -S expired1.$iname -m 1

    clica $V -D $idir -p password -s 201 -S  server2.$iname -m 301 \
	-3 'CN=clica CA rsa,O=example.com' -8 '*.test.ex'
    clica $V -D $idir -p password -s 202 -S revoked2.$iname -m 301
    clica $V -D $idir -p password -s 203 -S expired2.$iname -m 1

####

    # openssl seems to generate a file (ca_chain.pam) in an order it
    # cannot then use (the key applies to the first cert in the file?).
    # Generate a shuffled one.
    for n in 1 2
    do
      cd $idir/server$n.$iname
        openssl pkcs12 -in server$n.$iname.p12 -passin file:pwdfile -cacerts -out cacerts.pem -nokeys
        cat server$n.$iname.pem cacerts.pem > fullchain.pem
        rm cacerts.pem
      cd ../..
    done

####

    # generate unlocked keys and client cert bundles
    for server in server1 revoked1 expired1 server2 revoked2 expired2
    do
	SDIR=$idir/$server.$iname
	SPFX=$SDIR/$server.$iname
	openssl rsa -in $SPFX.key -passin file:$SDIR/pwdfile -out $SPFX.unlocked.key
	cat $SPFX.pem $iname/CA/Signer.pem >$SPFX.chain.pem
    done

####

 # so, for full-chain OCSP we sill want an OCSP resp for the Signer cert and also (?) one for the
 # CA cert itself.  The existing bits below only create for the leaf certs, next layer down.
 #
 # First test will be just adding OCSP for the Signer cert. Presumably we could use the CA cert
 # to sign that.

    # create OCSP reqs & resps
    CADIR=$idir/CA

    #give ourselves an OSCP key to work with
    pk12util -o $CADIR/OCSP.p12 -n 'OCSP Signer rsa' -d $CADIR -K password -W password
    openssl pkcs12 -in $CADIR/OCSP.p12 -passin pass:password -passout pass:password -nodes -nocerts -out $CADIR/OCSP.key

    # also need variation from Signer
    pk12util -o $CADIR/Signer.p12 -n 'Signing Cert rsa' -d $CADIR -K password -W password
    openssl pkcs12 -in $CADIR/Signer.p12 -passin pass:password -passout pass:password -nodes -nocerts -out $CADIR/Signer.key

    # ditto for CA
    # - the "-n names" here appear to be hardcoded in clica
    pk12util -o $CADIR/CA.p12 -n 'Certificate Authority rsa' -d $CADIR -K password -W password
    openssl pkcs12 -in $CADIR/CA.p12 -passin pass:password -passout pass:password -nodes -nocerts -out $CADIR/CA.key

    # create some index files for the ocsp responder to work with
# tab-sep, and fields can be empty
# 0: Revoked/Expired/Valid letter
# 1: Expiry date (ASN1_UTCTIME)
# 2: Revocation date
# 3: Serial no. (unique, in hex)
# 4: file
# 5: DN, index

    cat >$CADIR/index.valid.txt <<EOF
V	130110200751Z		65	unknown	CN=server1.$iname
V	130110200751Z		66	unknown	CN=revoked1.$iname
V	130110200751Z		67	unknown	CN=expired1.$iname
V	130110200751Z		c9	unknown	CN=server2.$iname
V	130110200751Z		ca	unknown	CN=revoked2.$iname
V	130110200751Z		cb	unknown	CN=expired2.$iname
V	130110200751Z		42	unknown	CN=clica Signing Cert rsa
V	130110200751Z		41	unknown	CN=clica CA rsa
EOF
    cat >$CADIR/index.revoked.txt <<EOF
R	130110200751Z	100201142709Z,superseded	65	unknown	CN=server1.$iname
R	130110200751Z	100201142709Z,superseded	66	unknown	CN=revoked1.$iname
R	130110200751Z	100201142709Z,superseded	67	unknown	CN=expired1.$iname
R	130110200751Z	100201142709Z,superseded	c9	unknown	CN=server2.$iname
R	130110200751Z	100201142709Z,superseded	ca	unknown	CN=revoked2.$iname
R	130110200751Z	100201142709Z,superseded	cb	unknown	CN=expired2.$iname
R	130110200751Z	100201142709Z,superseded	42	unknown	CN=clica Signing Cert rsa
EOF

    # Now create all the ocsp requests and responses for the leaf certs
    IVALID="-index $CADIR/index.valid.txt"
    IREVOKED="-index $CADIR/index.revoked.txt"

    echo "unique_subject = yes" > $CADIR/index.valid.txt.attr
    echo "unique_subject = yes" > $CADIR/index.revoked.txt.attr

    for server in server1 revoked1 expired1 server2 revoked2 expired2
    do
	SPFX=$idir/$server.$iname/$server.$iname
	openssl ocsp -issuer $CADIR/Signer.pem -sha256 -cert $SPFX.pem -no_nonce -reqout $SPFX.ocsp.req
	REQIN="-reqin $SPFX.ocsp.req"

	# These ones get used by the "traditional" testcases. OCSP resp signed by a cert which is
	# signed by the signer of the leaf-cert being attested to.
	OGENCOMMON="-rsigner $CADIR/OCSP.pem -rkey $CADIR/OCSP.key -CA $CADIR/Signer.pem -noverify"
	openssl ocsp $IVALID   $OGENCOMMON -ndays 3652 $REQIN -respout $SPFX.ocsp.good.resp
	openssl ocsp $IVALID   $OGENCOMMON -ndays 30   $REQIN -respout $SPFX.ocsp.dated.resp
	openssl ocsp $IREVOKED $OGENCOMMON -ndays 3652 $REQIN -respout $SPFX.ocsp.revoked.resp

	OGENCOMMON="-rsigner $CADIR/Signer.pem -rkey $CADIR/Signer.key -CA $CADIR/Signer.pem -noverify"
	openssl ocsp $IVALID   $OGENCOMMON -ndays 3652 $REQIN -respout $SPFX.ocsp.signer.good.resp
	openssl ocsp $IVALID   $OGENCOMMON -ndays 30   $REQIN -respout $SPFX.ocsp.signer.dated.resp
	openssl ocsp $IREVOKED $OGENCOMMON -ndays 3652 $REQIN -respout $SPFX.ocsp.signer.revoked.resp

	# These ones get used by the "LetsEncrypt mode" testcases. OCSP resp is signed directly by the
	# signer of the leaf-cert being attested to.
	OGENCOMMON="-rsigner $CADIR/Signer.pem -rkey $CADIR/Signer.key -CA $CADIR/Signer.pem -resp_no_certs -noverify"
	openssl ocsp $IVALID   $OGENCOMMON -ndays 3652 $REQIN -respout $SPFX.ocsp.signernocert.good.resp
	openssl ocsp $IVALID   $OGENCOMMON -ndays 30   $REQIN -respout $SPFX.ocsp.signernocert.dated.resp
	openssl ocsp $IREVOKED $OGENCOMMON -ndays 3652 $REQIN -respout $SPFX.ocsp.signernocert.revoked.resp
    done

    # convert one good leaf-resp to PEM
    $server=server1
    RESP=$idir/$server.$iname/$server.$iname.ocsp.signernocert.good.resp
    ocsptool -S $RESP -j > $RESP.pem

    # Then, ocsp request and responses for the signer cert
    REQ=$CADIR/Signer.ocsp.req
    RESP=$CADIR/Signer.ocsp.signernocert.good.resp
    openssl ocsp -issuer $CADIR/CA.pem -sha256 -cert $CADIR/Signer.pem -no_nonce -reqout $REQ
    openssl ocsp $IVALID -rsigner $CADIR/CA.pem -rkey $CADIR/CA.key -CA $CADIR/CA.pem -resp_no_certs -noverify \
	-ndays 3652 -reqin $REQ -respout $RESP
    ocsptool -S $RESP -j > $RESP.pem

    RESP=$CADIR/Signer.ocsp.signernocert.revoked.resp
    openssl ocsp $IREVOKED -rsigner $CADIR/CA.pem -rkey $CADIR/CA.key -CA $CADIR/CA.pem -resp_no_certs -noverify \
	-ndays 3652 -reqin $REQ -respout $RESP
    ocsptool -S $RESP -j > $RESP.pem

    # Then, ocsp request and response for the CA cert
    REQ=$CADIR/CA.ocsp.req
    RESP=$CADIR/CA.ocsp.signernocert.good.resp
    openssl ocsp -issuer $CADIR/CA.pem -sha256 -cert $CADIR/CA.pem -no_nonce -reqout $REQ
    openssl ocsp $IVALID -rsigner $CADIR/CA.pem -rkey $CADIR/CA.key -CA $CADIR/CA.pem -resp_no_certs -noverify \
	-ndays 3652 -reqin $REQ -respout $RESP
    ocsptool -S $RESP -j > $RESP.pem

####
done

# Create one EC leaf cert in the RSA cert tree.  It will have an EC pubkey but be signed using its parent
# therefore its parent's algo, RSA.
clica $V -D example.com -p password -k ec -q nistp521 -s 1101 -S server1_ec.example.com -m 301 -8 'server1.example.com,*.test.ex'
SDIR=example.com/server1_ec.example.com
SPFX=$SDIR/server1_ec.example.com
openssl ec -in $SPFX.key -passin file:$SDIR/pwdfile -out $SPFX.unlocked.key
cat $SPFX.pem example.com/CA/Signer.pem >$SPFX.chain.pem


###############################################################################
# Limited suite: EC certs
# separate trust root & chain
# .com only, server1 good only, no ocsp
# with server1 in SAN of leaf

for tld in com
do
    iname="example_ec.$tld"
    idir=$iname

####
    # create CAs & server certs
    rm -fr "$idir"

    # create CA cert + templates
    clica $V -D "$idir" -p password -B 2048 -I -N $iname -F \
	-k ec -q nistp521 \
	-C http://crl.example.$tld/latest.crl -O http://oscp.example.$tld/

    # create server certs
    # -m <months>
    clica $V -D $idir -p password -s 2101 -S server1.$iname -m 301 \
	-k ec -q nistp521 \
	-8 server1.example.$tld,alternatename.server1.example.$tld,alternatename2.server1.example.$tld,*.test.ex

####

    # openssl seems to generate a file (ca_chain.pam) in an order it
    # cannot then use (the key applies to the first cert in the file?).
    # Generate a shuffled one.
    cd $idir/server1.$iname
        openssl pkcs12 -in server1.$iname.p12 -passin file:pwdfile -cacerts -out cacerts.pem -nokeys
        cat server1.$iname.pem cacerts.pem > fullchain.pem
        rm cacerts.pem
    cd ../..

####

    # generate unlocked keys and client cert bundles
    for server in server1
    do
	SDIR=$idir/$server.$iname
	SPFX=$SDIR/$server.$iname
	openssl ec -in $SPFX.key -passin file:$SDIR/pwdfile -out $SPFX.unlocked.key
	cat $SPFX.pem $idir/CA/Signer.pem >$SPFX.chain.pem
    done

####
    # create OCSP reqs & resps
    CADIR=$idir/CA
    #give ourselves an OSCP key to work with
    pk12util -o $CADIR/OCSP.p12 -n 'OCSP Signer ec' -d $CADIR -K password -W password
    openssl pkcs12 -in $CADIR/OCSP.p12 -passin pass:password -passout pass:password -nodes -nocerts -out $CADIR/OCSP.key

    # create some index files for the ocsp responder to work with
# tab-sep
# 0: Revoked/Expired/Valid letter
# 1: Expiry date (ASN1_UTCTIME)
# 2: Revocation date
# 3: Serial no. (unique)
# 4: file
# 5: DN, index

    cat >$CADIR/index.valid.txt <<EOF
V	130110200751Z		835	unknown	CN=server1.$iname
EOF

    # Now create all the ocsp requests and responses
    IVALID="-index $CADIR/index.valid.txt"
    for server in server1
    do
	SPFX=$idir/$server.$iname/$server.$iname
	openssl ocsp -issuer $CADIR/Signer.pem -sha256 -cert $SPFX.pem -no_nonce -reqout $SPFX.ocsp.req
	REQIN="-reqin $SPFX.ocsp.req"

	OGENCOMMON="-rsigner $CADIR/OCSP.pem -rkey $CADIR/OCSP.key -CA $CADIR/Signer.pem -noverify"
	openssl ocsp $IVALID   $OGENCOMMON -ndays 3652 $REQIN -respout $SPFX.ocsp.good.resp
    done
####
done

###############################################################################

echo Please to reset date to now.
echo 'service ntpdate start (not on a systemd though...)'
echo 
echo Then hit return
read junk


# Create CRL files in .der and .pem
# empty versions, and ones with the revoked servers
DATENOW=`date -u +%Y%m%d%H%M%SZ`
for tld in com org net
do
    CADIR=example.$tld/CA
    CRLIN=$CADIR/crl.empty.in.txt
    echo "update=$DATENOW " >$CRLIN
    crlutil -G -d $CADIR -f $CADIR/pwdfile \
	-n 'Signing Cert rsa' -c $CRLIN -o $CADIR/crl.empty
    openssl crl -in $CADIR/crl.empty -inform der -out $CADIR/crl.empty.pem
done
sleep 2
DATENOW=`date -u +%Y%m%d%H%M%SZ`
for tld in com org net
do
    CADIR=example.$tld/CA
    CRLIN=$CADIR/crl.v2.in.txt
    echo "update=$DATENOW " >$CRLIN
    echo "addcert 102 $DATENOW" >>$CRLIN
    echo "addcert 202 $DATENOW" >>$CRLIN
    crlutil -G -d $CADIR -f $CADIR/pwdfile \
	-n 'Signing Cert rsa' -c $CRLIN -o $CADIR/crl.v2
    openssl crl -in $CADIR/crl.v2 -inform der -out $CADIR/crl.v2.pem

    CRLIN=$CADIR/crl.Signer.in.txt
    echo "update=$DATENOW " >$CRLIN
    crlutil -G -d $CADIR -f $CADIR/pwdfile \
	-n 'Certificate Authority rsa' -c $CRLIN -o $CADIR/crl.Signer
    openssl crl -in $CADIR/crl.Signer -inform der -out $CADIR/crl.Signer.pem

    cat $CADIR/crl.Signer.pem $CADIR/crl.v2.pem > $CADIR/crl.chain.pem
done

# Finally, a single certificate-directory
cd example.com/server1.example.com
mkdir -p certdir
cd certdir
f=../../CA/CA.pem
h=`openssl x509 -hash -noout -in $f`
rm -f $h.0
ln -s $f $h.0
f=../../CA/Signer.pem
h=`openssl x509 -hash -noout -in $f`
rm -f $h.0
ln -s $f $h.0
cd ../../..

pwd
ls -l

find example* -type d -print0 | xargs -0 chmod 755
find example* -type f -print0 | xargs -0 chmod 644

echo "CA, Certificate, CRL and OSCP Response generation complete"
Commit	Line	Data
f5d78688 JH	1	#!/bin/bash
	2	#
	3
f2f2c91b	4	set -e
ba86e143 JH	5
ba86e143 JH	6	# Debugging. Set V for clica verbosity.
854586e1 JH	7	set -x
	8	#V=
	9	V='-v'
f2f2c91b	10
74e2fb4b JH	11	clica --help >/dev/null 2>&1
74e2fb4b JH	12
f5d78688 JH	13	echo Ensure time is set to 2012/11/01 12:34
	14	echo use - date -u 110112342012
	15	echo hit return when ready
	16	read junk
ba86e143 JH	17
ba86e143 JH	18	# Main suite: RSA certs
f5d78688 JH	19	for tld in com org net
f5d78688 JH	20	do
ba86e143 JH	21	iname="example.$tld"
	22	idir=$iname
	23
	24	####
	25	# create CAs & server certs
f2f2c91b	26	rm -fr "$idir"
2b4a568d	27
ba86e143	28	# create CA cert + templates
e326959e JH	29	# -D dir to work in
	30	# -p passwd for cert
	31	# -B keysize in bits
	32	# -I create CA cert
	33	# -N org name
	34	# -F create sub-signing cert
	35	# -C CRL
	36	# -O create OCSP responder cert
a7a1ad14	37	clica $V -D "$idir" -p password -B 2048 -I -N $iname -F -C http://crl.$iname/latest.crl -O http://oscp.$iname/
ba86e143 JH	38
ba86e143 JH	39	# create server certs
73ef9378	40	# -m <months>
ba86e143	41	clica $V -D $idir -p password -s 101 -S server1.$iname -m 301 \
f2f2c91b	42	-8 alternatename.server1.example.$tld,alternatename2.server1.example.$tld,*.test.ex
ba86e143 JH	43	clica $V -D $idir -p password -s 102 -S revoked1.$iname -m 301
ba86e143 JH	44	clica $V -D $idir -p password -s 103 -S expired1.$iname -m 1
854586e1 JH	45
	46	clica $V -D $idir -p password -s 201 -S server2.$iname -m 301 \
	47	-3 'CN=clica CA rsa,O=example.com' -8 '*.test.ex'
ba86e143 JH	48	clica $V -D $idir -p password -s 202 -S revoked2.$iname -m 301
ba86e143 JH	49	clica $V -D $idir -p password -s 203 -S expired2.$iname -m 1
82525c6f	50
ba86e143	51	####
82525c6f JH	52
	53	# openssl seems to generate a file (ca_chain.pam) in an order it
	54	# cannot then use (the key applies to the first cert in the file?).
	55	# Generate a shuffled one.
854586e1 JH	56	for n in 1 2
	57	do
	58	cd $idir/server$n.$iname
	59	openssl pkcs12 -in server$n.$iname.p12 -passin file:pwdfile -cacerts -out cacerts.pem -nokeys
	60	cat server$n.$iname.pem cacerts.pem > fullchain.pem
ba86e143	61	rm cacerts.pem
854586e1 JH	62	cd ../..
854586e1 JH	63	done
f5d78688	64
ba86e143 JH	65	####
	66
	67	# generate unlocked keys and client cert bundles
	68	for server in server1 revoked1 expired1 server2 revoked2 expired2
	69	do
	70	SDIR=$idir/$server.$iname
	71	SPFX=$SDIR/$server.$iname
	72	openssl rsa -in $SPFX.key -passin file:$SDIR/pwdfile -out $SPFX.unlocked.key
	73	cat $SPFX.pem $iname/CA/Signer.pem >$SPFX.chain.pem
	74	done
	75
	76	####
	77
e326959e JH	78	# so, for full-chain OCSP we sill want an OCSP resp for the Signer cert and also (?) one for the
	79	# CA cert itself. The existing bits below only create for the leaf certs, next layer down.
	80	#
	81	# First test will be just adding OCSP for the Signer cert. Presumably we could use the CA cert
	82	# to sign that.
	83
ba86e143 JH	84	# create OCSP reqs & resps
ba86e143 JH	85	CADIR=$idir/CA
e326959e	86
f5d78688	87	#give ourselves an OSCP key to work with
ba86e143	88	pk12util -o $CADIR/OCSP.p12 -n 'OCSP Signer rsa' -d $CADIR -K password -W password
f5d78688 JH	89	openssl pkcs12 -in $CADIR/OCSP.p12 -passin pass:password -passout pass:password -nodes -nocerts -out $CADIR/OCSP.key
f5d78688 JH	90
74e2fb4b	91	# also need variation from Signer
ba86e143	92	pk12util -o $CADIR/Signer.p12 -n 'Signing Cert rsa' -d $CADIR -K password -W password
74e2fb4b	93	openssl pkcs12 -in $CADIR/Signer.p12 -passin pass:password -passout pass:password -nodes -nocerts -out $CADIR/Signer.key
f5d78688	94
e326959e JH	95	# ditto for CA
	96	# - the "-n names" here appear to be hardcoded in clica
	97	pk12util -o $CADIR/CA.p12 -n 'Certificate Authority rsa' -d $CADIR -K password -W password
	98	openssl pkcs12 -in $CADIR/CA.p12 -passin pass:password -passout pass:password -nodes -nocerts -out $CADIR/CA.key
	99
f5d78688	100	# create some index files for the ocsp responder to work with
e326959e	101	# tab-sep, and fields can be empty
74e2fb4b JH	102	# 0: Revoked/Expired/Valid letter
	103	# 1: Expiry date (ASN1_UTCTIME)
	104	# 2: Revocation date
e326959e	105	# 3: Serial no. (unique, in hex)
74e2fb4b JH	106	# 4: file
	107	# 5: DN, index
	108
f5d78688	109	cat >$CADIR/index.valid.txt <<EOF
ba86e143 JH	110	V 130110200751Z 65 unknown CN=server1.$iname
	111	V 130110200751Z 66 unknown CN=revoked1.$iname
	112	V 130110200751Z 67 unknown CN=expired1.$iname
	113	V 130110200751Z c9 unknown CN=server2.$iname
	114	V 130110200751Z ca unknown CN=revoked2.$iname
	115	V 130110200751Z cb unknown CN=expired2.$iname
e326959e JH	116	V 130110200751Z 42 unknown CN=clica Signing Cert rsa
e326959e JH	117	V 130110200751Z 41 unknown CN=clica CA rsa
f5d78688 JH	118	EOF
f5d78688 JH	119	cat >$CADIR/index.revoked.txt <<EOF
ba86e143 JH	120	R 130110200751Z 100201142709Z,superseded 65 unknown CN=server1.$iname
	121	R 130110200751Z 100201142709Z,superseded 66 unknown CN=revoked1.$iname
	122	R 130110200751Z 100201142709Z,superseded 67 unknown CN=expired1.$iname
	123	R 130110200751Z 100201142709Z,superseded c9 unknown CN=server2.$iname
	124	R 130110200751Z 100201142709Z,superseded ca unknown CN=revoked2.$iname
	125	R 130110200751Z 100201142709Z,superseded cb unknown CN=expired2.$iname
e326959e	126	R 130110200751Z 100201142709Z,superseded 42 unknown CN=clica Signing Cert rsa
f5d78688 JH	127	EOF
f5d78688 JH	128
e326959e	129	# Now create all the ocsp requests and responses for the leaf certs
ba86e143 JH	130	IVALID="-index $CADIR/index.valid.txt"
ba86e143 JH	131	IREVOKED="-index $CADIR/index.revoked.txt"
4e0c20cb JH	132
	133	echo "unique_subject = yes" > $CADIR/index.valid.txt.attr
	134	echo "unique_subject = yes" > $CADIR/index.revoked.txt.attr
	135
f5d78688 JH	136	for server in server1 revoked1 expired1 server2 revoked2 expired2
f5d78688 JH	137	do
ba86e143	138	SPFX=$idir/$server.$iname/$server.$iname
4e0c20cb	139	openssl ocsp -issuer $CADIR/Signer.pem -sha256 -cert $SPFX.pem -no_nonce -reqout $SPFX.ocsp.req
ba86e143	140	REQIN="-reqin $SPFX.ocsp.req"
74e2fb4b	141
e326959e JH	142	# These ones get used by the "traditional" testcases. OCSP resp signed by a cert which is
e326959e JH	143	# signed by the signer of the leaf-cert being attested to.
74e2fb4b	144	OGENCOMMON="-rsigner $CADIR/OCSP.pem -rkey $CADIR/OCSP.key -CA $CADIR/Signer.pem -noverify"
4e0c20cb JH	145	openssl ocsp $IVALID $OGENCOMMON -ndays 3652 $REQIN -respout $SPFX.ocsp.good.resp
	146	openssl ocsp $IVALID $OGENCOMMON -ndays 30 $REQIN -respout $SPFX.ocsp.dated.resp
	147	openssl ocsp $IREVOKED $OGENCOMMON -ndays 3652 $REQIN -respout $SPFX.ocsp.revoked.resp
74e2fb4b JH	148
74e2fb4b JH	149	OGENCOMMON="-rsigner $CADIR/Signer.pem -rkey $CADIR/Signer.key -CA $CADIR/Signer.pem -noverify"
4e0c20cb JH	150	openssl ocsp $IVALID $OGENCOMMON -ndays 3652 $REQIN -respout $SPFX.ocsp.signer.good.resp
	151	openssl ocsp $IVALID $OGENCOMMON -ndays 30 $REQIN -respout $SPFX.ocsp.signer.dated.resp
	152	openssl ocsp $IREVOKED $OGENCOMMON -ndays 3652 $REQIN -respout $SPFX.ocsp.signer.revoked.resp
74e2fb4b	153
e326959e JH	154	# These ones get used by the "LetsEncrypt mode" testcases. OCSP resp is signed directly by the
e326959e JH	155	# signer of the leaf-cert being attested to.
74e2fb4b	156	OGENCOMMON="-rsigner $CADIR/Signer.pem -rkey $CADIR/Signer.key -CA $CADIR/Signer.pem -resp_no_certs -noverify"
4e0c20cb JH	157	openssl ocsp $IVALID $OGENCOMMON -ndays 3652 $REQIN -respout $SPFX.ocsp.signernocert.good.resp
	158	openssl ocsp $IVALID $OGENCOMMON -ndays 30 $REQIN -respout $SPFX.ocsp.signernocert.dated.resp
	159	openssl ocsp $IREVOKED $OGENCOMMON -ndays 3652 $REQIN -respout $SPFX.ocsp.signernocert.revoked.resp
f5d78688	160	done
e326959e JH	161
	162	# convert one good leaf-resp to PEM
	163	$server=server1
	164	RESP=$idir/$server.$iname/$server.$iname.ocsp.signernocert.good.resp
	165	ocsptool -S $RESP -j > $RESP.pem
	166
	167	# Then, ocsp request and responses for the signer cert
	168	REQ=$CADIR/Signer.ocsp.req
	169	RESP=$CADIR/Signer.ocsp.signernocert.good.resp
	170	openssl ocsp -issuer $CADIR/CA.pem -sha256 -cert $CADIR/Signer.pem -no_nonce -reqout $REQ
	171	openssl ocsp $IVALID -rsigner $CADIR/CA.pem -rkey $CADIR/CA.key -CA $CADIR/CA.pem -resp_no_certs -noverify \
	172	-ndays 3652 -reqin $REQ -respout $RESP
	173	ocsptool -S $RESP -j > $RESP.pem
	174
	175	RESP=$CADIR/Signer.ocsp.signernocert.revoked.resp
	176	openssl ocsp $IREVOKED -rsigner $CADIR/CA.pem -rkey $CADIR/CA.key -CA $CADIR/CA.pem -resp_no_certs -noverify \
	177	-ndays 3652 -reqin $REQ -respout $RESP
	178	ocsptool -S $RESP -j > $RESP.pem
	179
	180	# Then, ocsp request and response for the CA cert
	181	REQ=$CADIR/CA.ocsp.req
	182	RESP=$CADIR/CA.ocsp.signernocert.good.resp
	183	openssl ocsp -issuer $CADIR/CA.pem -sha256 -cert $CADIR/CA.pem -no_nonce -reqout $REQ
	184	openssl ocsp $IVALID -rsigner $CADIR/CA.pem -rkey $CADIR/CA.key -CA $CADIR/CA.pem -resp_no_certs -noverify \
	185	-ndays 3652 -reqin $REQ -respout $RESP
	186	ocsptool -S $RESP -j > $RESP.pem
	187
ba86e143	188	####
f5d78688 JH	189	done
f5d78688 JH	190
ba86e143 JH	191	# Create one EC leaf cert in the RSA cert tree. It will have an EC pubkey but be signed using its parent
	192	# therefore its parent's algo, RSA.
	193	clica $V -D example.com -p password -k ec -q nistp521 -s 1101 -S server1_ec.example.com -m 301 -8 'server1.example.com,*.test.ex'
	194	SDIR=example.com/server1_ec.example.com
	195	SPFX=$SDIR/server1_ec.example.com
	196	openssl ec -in $SPFX.key -passin file:$SDIR/pwdfile -out $SPFX.unlocked.key
	197	cat $SPFX.pem example.com/CA/Signer.pem >$SPFX.chain.pem
	198
	199
	200
	201	###############################################################################
	202	# Limited suite: EC certs
	203	# separate trust root & chain
	204	# .com only, server1 good only, no ocsp
	205	# with server1 in SAN of leaf
	206
	207	for tld in com
f5d78688	208	do
ba86e143 JH	209	iname="example_ec.$tld"
	210	idir=$iname
	211
	212	####
	213	# create CAs & server certs
	214	rm -fr "$idir"
	215
	216	# create CA cert + templates
a7a1ad14	217	clica $V -D "$idir" -p password -B 2048 -I -N $iname -F \
ba86e143 JH	218	-k ec -q nistp521 \
	219	-C http://crl.example.$tld/latest.crl -O http://oscp.example.$tld/
	220
	221	# create server certs
	222	# -m <months>
	223	clica $V -D $idir -p password -s 2101 -S server1.$iname -m 301 \
	224	-k ec -q nistp521 \
	225	-8 server1.example.$tld,alternatename.server1.example.$tld,alternatename2.server1.example.$tld,*.test.ex
	226
	227	####
	228
	229	# openssl seems to generate a file (ca_chain.pam) in an order it
	230	# cannot then use (the key applies to the first cert in the file?).
	231	# Generate a shuffled one.
	232	cd $idir/server1.$iname
	233	openssl pkcs12 -in server1.$iname.p12 -passin file:pwdfile -cacerts -out cacerts.pem -nokeys
	234	cat server1.$iname.pem cacerts.pem > fullchain.pem
	235	rm cacerts.pem
	236	cd ../..
	237
	238	####
	239
	240	# generate unlocked keys and client cert bundles
	241	for server in server1
89f2a269	242	do
ba86e143 JH	243	SDIR=$idir/$server.$iname
	244	SPFX=$SDIR/$server.$iname
	245	openssl ec -in $SPFX.key -passin file:$SDIR/pwdfile -out $SPFX.unlocked.key
dc9c8f8b	246	cat $SPFX.pem $idir/CA/Signer.pem >$SPFX.chain.pem
f5d78688	247	done
ba86e143	248
b66afe22 JH	249	####
	250	# create OCSP reqs & resps
	251	CADIR=$idir/CA
	252	#give ourselves an OSCP key to work with
	253	pk12util -o $CADIR/OCSP.p12 -n 'OCSP Signer ec' -d $CADIR -K password -W password
	254	openssl pkcs12 -in $CADIR/OCSP.p12 -passin pass:password -passout pass:password -nodes -nocerts -out $CADIR/OCSP.key
	255
	256	# create some index files for the ocsp responder to work with
	257	# tab-sep
	258	# 0: Revoked/Expired/Valid letter
	259	# 1: Expiry date (ASN1_UTCTIME)
	260	# 2: Revocation date
	261	# 3: Serial no. (unique)
	262	# 4: file
	263	# 5: DN, index
	264
	265	cat >$CADIR/index.valid.txt <<EOF
5b2fd993	266	V 130110200751Z 835 unknown CN=server1.$iname
b66afe22 JH	267	EOF
	268
	269	# Now create all the ocsp requests and responses
	270	IVALID="-index $CADIR/index.valid.txt"
	271	for server in server1
	272	do
	273	SPFX=$idir/$server.$iname/$server.$iname
	274	openssl ocsp -issuer $CADIR/Signer.pem -sha256 -cert $SPFX.pem -no_nonce -reqout $SPFX.ocsp.req
	275	REQIN="-reqin $SPFX.ocsp.req"
	276
	277	OGENCOMMON="-rsigner $CADIR/OCSP.pem -rkey $CADIR/OCSP.key -CA $CADIR/Signer.pem -noverify"
	278	openssl ocsp $IVALID $OGENCOMMON -ndays 3652 $REQIN -respout $SPFX.ocsp.good.resp
	279	done
	280	####
f5d78688 JH	281	done
f5d78688 JH	282
ba86e143 JH	283	###############################################################################
ba86e143 JH	284
f5d78688	285	echo Please to reset date to now.
f2f2c91b	286	echo 'service ntpdate start (not on a systemd though...)'
f5d78688 JH	287	echo
	288	echo Then hit return
	289	read junk
	290
ba86e143 JH	291
ba86e143 JH	292
f5d78688 JH	293	# Create CRL files in .der and .pem
f5d78688 JH	294	# empty versions, and ones with the revoked servers
dc9c8f8b	295	DATENOW=`date -u +%Y%m%d%H%M%SZ`
f5d78688 JH	296	for tld in com org net
	297	do
	298	CADIR=example.$tld/CA
	299	CRLIN=$CADIR/crl.empty.in.txt
f5d78688 JH	300	echo "update=$DATENOW " >$CRLIN
f5d78688 JH	301	crlutil -G -d $CADIR -f $CADIR/pwdfile \
ba86e143	302	-n 'Signing Cert rsa' -c $CRLIN -o $CADIR/crl.empty
f5d78688 JH	303	openssl crl -in $CADIR/crl.empty -inform der -out $CADIR/crl.empty.pem
	304	done
	305	sleep 2
dc9c8f8b	306	DATENOW=`date -u +%Y%m%d%H%M%SZ`
f5d78688 JH	307	for tld in com org net
	308	do
	309	CADIR=example.$tld/CA
	310	CRLIN=$CADIR/crl.v2.in.txt
f5d78688 JH	311	echo "update=$DATENOW " >$CRLIN
	312	echo "addcert 102 $DATENOW" >>$CRLIN
	313	echo "addcert 202 $DATENOW" >>$CRLIN
	314	crlutil -G -d $CADIR -f $CADIR/pwdfile \
ba86e143	315	-n 'Signing Cert rsa' -c $CRLIN -o $CADIR/crl.v2
f5d78688	316	openssl crl -in $CADIR/crl.v2 -inform der -out $CADIR/crl.v2.pem
dc9c8f8b JH	317
	318	CRLIN=$CADIR/crl.Signer.in.txt
	319	echo "update=$DATENOW " >$CRLIN
	320	crlutil -G -d $CADIR -f $CADIR/pwdfile \
	321	-n 'Certificate Authority rsa' -c $CRLIN -o $CADIR/crl.Signer
	322	openssl crl -in $CADIR/crl.Signer -inform der -out $CADIR/crl.Signer.pem
	323
	324	cat $CADIR/crl.Signer.pem $CADIR/crl.v2.pem > $CADIR/crl.chain.pem
f5d78688 JH	325	done
f5d78688 JH	326
a7fec7a7 JH	327	# Finally, a single certificate-directory
a7fec7a7 JH	328	cd example.com/server1.example.com
f2f2c91b	329	mkdir -p certdir
a7fec7a7 JH	330	cd certdir
	331	f=../../CA/CA.pem
	332	h=`openssl x509 -hash -noout -in $f`
f2f2c91b	333	rm -f $h.0
a7fec7a7 JH	334	ln -s $f $h.0
	335	f=../../CA/Signer.pem
	336	h=`openssl x509 -hash -noout -in $f`
f2f2c91b	337	rm -f $h.0
a7fec7a7	338	ln -s $f $h.0
f2f2c91b JH	339	cd ../../..
	340
	341	pwd
	342	ls -l
a7fec7a7	343
ba86e143 JH	344	find example* -type d -print0 \| xargs -0 chmod 755
ba86e143 JH	345	find example* -type f -print0 \| xargs -0 chmod 644
89f2a269	346
f5d78688	347	echo "CA, Certificate, CRL and OSCP Response generation complete"