#!/bin/sh
# **********************************************************************
#
# Copyright (c) 2003-2009 ZeroC, Inc. All rights reserved.
#
# This copy of Ice is licensed to you under the terms described in the
# ICE_LICENSE file included in this distribution.
#
# **********************************************************************
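#
# Scratch directory holding the "openssl ca" database (serial + index.txt).
# It is relative to the current directory and is recreated before every
# signing step so each certificate is issued from a fresh serial of 01.
#
TMP=tmp

#
# Tunables. Environment overrides are accepted; the defaults reproduce the
# original fixtures exactly.
# NOTE(review): 1024-bit RSA is below current minimums and recent OpenSSL
# builds may refuse such certificates at their default security level; raise
# RSA_BITS if the generated fixtures fail to load. The DSA parameter size is
# not tunable because its file name (dsaparam1024.pem) embeds the size.
#
RSA_BITS=${RSA_BITS:-1024}
CA_DAYS=${CA_DAYS:-3650}

# Abort on the first failing command. Without this a failed "openssl req"
# leaves a stale or missing $TMP/req.pem that the following "openssl ca"
# would silently sign (or fail on) while the script keeps going.
set -e

#######################################
# Recreate the scratch CA database consumed by "openssl ca".
# Globals:   TMP (read)
# Outputs:   $TMP/serial containing "01" and an empty $TMP/index.txt
# Returns:   0 on success; aborts the script otherwise (set -e)
#######################################
reset_ca_db() {
  # ${TMP:?} refuses to run "rm -rf" against an empty/unset value.
  rm -rf -- "${TMP:?}"
  mkdir -- "$TMP"
  echo '01' > "$TMP/serial"
  touch "$TMP/index.txt"
}

#
# Generate RSA certificates and keys.
#
if ! [ -f cakey1.pem ]; then
  reset_ca_db
  #
  # Generate CA certificates. Also make copies of the certificates using their
  # hash values as filenames, which allows OpenSSL to find them at run time.
  # NOTE(review): "x509 -hash" computes the old-style subject hash on
  # OpenSSL < 1.0 and the new-style one on >= 1.0, so the link names depend
  # on the OpenSSL used to run this script — confirm against the lookup side.
  # NOTE(review): by-directory lookup tries HASH.0 first and only falls
  # through to HASH.1 when HASH.0 exists; whether the ".1" suffix on the
  # cacert2 copy is intended (distinct CAs normally hash differently) should
  # be confirmed before relying on it.
  #
  openssl req -config test_ca1.cnf -x509 -days "$CA_DAYS" -newkey "rsa:$RSA_BITS" \
    -keyout cakey1.pem -out cacert1.pem -outform PEM -nodes
  openssl req -config test_ca2.cnf -x509 -days "$CA_DAYS" -newkey "rsa:$RSA_BITS" \
    -keyout cakey2.pem -out cacert2.pem -outform PEM -nodes
  cp cacert1.pem "$(openssl x509 -hash -noout -in cacert1.pem).0"
  cp cacert2.pem "$(openssl x509 -hash -noout -in cacert2.pem).1"

  #
  # Create a server certificate and key (no password).
  #
  reset_ca_db
  openssl req -config server.cnf -newkey "rsa:$RSA_BITS" -nodes -keyout s_rsa_nopass_ca1_priv.pem \
    -keyform PEM -out "$TMP/req.pem"
  openssl ca -config server.cnf -batch -in "$TMP/req.pem" -out s_rsa_nopass_ca1_pub.pem \
    -cert cacert1.pem -keyfile cakey1.pem

  #
  # Create a server certificate and key (with password).
  # The key passphrase is passed via -passout on the command line, where it
  # is visible in the process list; acceptable only because these are
  # throwaway test fixtures with a fixed, public passphrase.
  # NOTE(review): for "openssl ca", -key is the CA private-key passphrase;
  # cakey1.pem was generated with -nodes, so "-key server" looks like a
  # no-op — confirm before removing it.
  #
  reset_ca_db
  openssl req -config server.cnf -newkey "rsa:$RSA_BITS" -passout pass:server -keyout s_rsa_pass_ca1_priv.pem \
    -keyform PEM -out "$TMP/req.pem"
  openssl ca -config server.cnf -batch -in "$TMP/req.pem" -out s_rsa_pass_ca1_pub.pem \
    -cert cacert1.pem -keyfile cakey1.pem -key server

  #
  # Create an expired server certificate and key (no password).
  # -enddate is YYMMDDHHMMSSZ, i.e. 2005-12-31, so the certificate is
  # issued already expired.
  #
  reset_ca_db
  openssl req -config server.cnf -newkey "rsa:$RSA_BITS" -nodes -keyout s_rsa_nopass_ca1_exp_priv.pem \
    -keyform PEM -out "$TMP/req.pem"
  openssl ca -config server.cnf -batch -in "$TMP/req.pem" -out s_rsa_nopass_ca1_exp_pub.pem \
    -cert cacert1.pem -keyfile cakey1.pem -enddate 051231000000Z

  #
  # Create a server certificate and key using "127.0.0.1" as the common name and without
  # subjectAltNames (no password). The derived config is built by rewriting
  # server.cnf and removed once the certificate is signed.
  #
  reset_ca_db
  sed -e 's/= Server$/= 127.0.0.1/' -e 's/^subjectAltName.*$//' < server.cnf > server_cn.cnf
  openssl req -config server_cn.cnf -newkey "rsa:$RSA_BITS" -nodes -keyout s_rsa_nopass_ca1_cn1_priv.pem \
    -keyform PEM -out "$TMP/req.pem"
  openssl ca -config server_cn.cnf -batch -in "$TMP/req.pem" -out s_rsa_nopass_ca1_cn1_pub.pem \
    -cert cacert1.pem -keyfile cakey1.pem
  rm -f server_cn.cnf

  #
  # Create a server certificate and key using "127.0.0.11" as the common name and without
  # subjectAltNames (no password). The test uses this certificate to ensure that the
  # address "127.0.0.1" does NOT match the common name.
  #
  reset_ca_db
  sed -e 's/= Server$/= 127.0.0.11/' -e 's/^subjectAltName.*$//' < server.cnf > server_cn.cnf
  openssl req -config server_cn.cnf -newkey "rsa:$RSA_BITS" -nodes -keyout s_rsa_nopass_ca1_cn2_priv.pem \
    -keyform PEM -out "$TMP/req.pem"
  openssl ca -config server_cn.cnf -batch -in "$TMP/req.pem" -out s_rsa_nopass_ca1_cn2_pub.pem \
    -cert cacert1.pem -keyfile cakey1.pem
  rm -f server_cn.cnf

  #
  # Create a client certificate and key (no password).
  #
  reset_ca_db
  openssl req -config client.cnf -newkey "rsa:$RSA_BITS" -nodes -keyout c_rsa_nopass_ca1_priv.pem \
    -keyform PEM -out "$TMP/req.pem"
  openssl ca -config client.cnf -batch -in "$TMP/req.pem" -out c_rsa_nopass_ca1_pub.pem \
    -cert cacert1.pem -keyfile cakey1.pem

  #
  # Create a client certificate and key (with password).
  # Same command-line passphrase caveat as the server case above.
  # NOTE(review): the -key value is "server" although the client key uses
  # "client"; as -key is the CA key passphrase (and cakey1.pem is
  # unencrypted) this appears harmless — confirm.
  #
  reset_ca_db
  openssl req -config client.cnf -newkey "rsa:$RSA_BITS" -passout pass:client -keyout c_rsa_pass_ca1_priv.pem \
    -keyform PEM -out "$TMP/req.pem"
  openssl ca -config client.cnf -batch -in "$TMP/req.pem" -out c_rsa_pass_ca1_pub.pem \
    -cert cacert1.pem -keyfile cakey1.pem -key server

  #
  # Create an expired client certificate and key (no password).
  #
  reset_ca_db
  openssl req -config client.cnf -newkey "rsa:$RSA_BITS" -nodes -keyout c_rsa_nopass_ca1_exp_priv.pem \
    -keyform PEM -out "$TMP/req.pem"
  openssl ca -config client.cnf -batch -in "$TMP/req.pem" -out c_rsa_nopass_ca1_exp_pub.pem \
    -cert cacert1.pem -keyfile cakey1.pem -enddate 051231000000Z

  #
  # Create a server certificate and key (no password) using a different CA.
  #
  reset_ca_db
  openssl req -config server.cnf -newkey "rsa:$RSA_BITS" -nodes -keyout s_rsa_nopass_ca2_priv.pem \
    -keyform PEM -out "$TMP/req.pem"
  openssl ca -config server.cnf -batch -in "$TMP/req.pem" -out s_rsa_nopass_ca2_pub.pem \
    -cert cacert2.pem -keyfile cakey2.pem

  #
  # Create a client certificate and key (no password) using a different CA.
  #
  reset_ca_db
  openssl req -config client.cnf -newkey "rsa:$RSA_BITS" -nodes -keyout c_rsa_nopass_ca2_priv.pem \
    -keyform PEM -out "$TMP/req.pem"
  openssl ca -config client.cnf -batch -in "$TMP/req.pem" -out c_rsa_nopass_ca2_pub.pem \
    -cert cacert2.pem -keyfile cakey2.pem

  # Presumably forces the DSA section below to run again so its certificates
  # are re-issued by the freshly generated CA — TODO confirm.
  rm -f dsaparam1024.pem
fi

#
# Generate DSA parameters and keys.
#
if ! [ -f dsaparam1024.pem ]; then
  reset_ca_db
  # Parameter size stays 1024 because the file name embeds it (see above).
  openssl dsaparam -out dsaparam1024.pem -outform PEM 1024

  #
  # Create a server certificate and key (no password).
  #
  reset_ca_db
  openssl req -config server.cnf -newkey dsa:dsaparam1024.pem -nodes -keyout s_dsa_nopass_ca1_priv.pem \
    -keyform PEM -out "$TMP/req.pem"
  openssl ca -config server.cnf -batch -in "$TMP/req.pem" -out s_dsa_nopass_ca1_pub.pem \
    -cert cacert1.pem -keyfile cakey1.pem

  #
  # Create a client certificate and key (no password).
  #
  reset_ca_db
  openssl req -config client.cnf -newkey dsa:dsaparam1024.pem -nodes -keyout c_dsa_nopass_ca1_priv.pem \
    -keyform PEM -out "$TMP/req.pem"
  openssl ca -config client.cnf -batch -in "$TMP/req.pem" -out c_dsa_nopass_ca1_pub.pem \
    -cert cacert1.pem -keyfile cakey1.pem
fi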