#!/bin/bash
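# Usage guard: exactly one argument is expected, a channel number or the
# literal "CA" (dispatched at the bottom of the script).  The message goes to
# stderr like any other diagnostic.  The original `exit -1` is what bash
# reports as status 255; that status is kept, just spelled explicitly.
(($#)) || { echo "Syntax: $0 <channel#> | CA" >&2; exit 255; }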
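# ca: (re)create the self-signed CA "$ca" after an interactive confirmation.
#
# Reads globals:  ca (CA name and file stem); CA.ext must exist on disk.
# Writes files:   $ca.req, $ca.key (mode 0600, unencrypted), $ca.crt
# Side effects:   deletes every *.crt and *.bks in the working directory,
#                 calls up() with the new CA certificate, and turns on
#                 `set -e` for the rest of the script (bash `set` options are
#                 not function-scoped).
# Exits:          1 when the answer does not start with y/Y; non-zero on any
#                 failing command afterwards (set -e).
ca() {
  local who answer

  # Anything but a leading y/Y aborts.  -r keeps backslashes literal.
  read -r -p "Really to discard existing credentials? y|[N]" answer
  [[ ${answer:0:1} == [yY] ]] || exit 1

  # Discard the old CA certificate and every Android keystore issued under it.
  # NOTE(review): *.jks and *.pem clients signed by the old CA are left behind;
  # they stay unusable until `channel` is re-run for each of them.
  rm -f -- *.crt
  rm -f -- *.bks

  who=$ca
  set -e

  # create CA keys -----------------------------------------------------------
  echo "creating $who keys..."
  # umask 077 inside a subshell: the unencrypted (-nodes) private key is never
  # world-readable, not even in the window before the chmod below, and the
  # umask change does not leak into the rest of the script.
  ( umask 077
    openssl req -new -nodes -out "$who.req" -keyout "$who.key" \
      -subj "/CN=$who" -newkey rsa:2048 -sha512 )
  chmod 600 "$who.key"

  # selfsign CA public key ---------------------------------------------------
  echo "selfsigning $who public key..."
  # Serial number: 128 random bits from OpenSSL's CSPRNG.  The original used
  # $RANDOM, which is only 15 bits, can be 0 (RFC 5280 requires a positive
  # serial) and collides quickly -- serials must be unique per issuer.
  # CA.ext is not part of this file; it presumably carries the CA extensions
  # (basicConstraints=CA:TRUE, keyUsage=keyCertSign) -- confirm.
  # NOTE(review): 9999 days (~27 years) is a very long CA lifetime.
  openssl x509 -req -in "$who.req" -signkey "$who.key" -days 9999 \
    -set_serial "0x$(openssl rand -hex 16)" -sha512 -extfile CA.ext -out "$who.crt"

  # upload CA public key -----------------------------------------------------
  # Only the certificate leaves this machine; $who.key stays local.
  echo "uploading $who public key..."
  up "$who.crt"
  echo "$ca successfully created and uploaded."
}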
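# _sign_with_ca: issue a certificate for a CSR, signed by "$ca".
#   $1  CSR path      $2  output certificate path
# Reads globals: ca ($ca.key / $ca.crt on disk).
# Serial: 128 random bits from OpenSSL's CSPRNG.  The original $RANDOM is
# 15 bits, may be 0 (forbidden by RFC 5280) and collides quickly; each
# `channel` run issues three certificates, so duplicates were only a matter
# of time.
# NOTE(review): no -extfile is given, so the leaf is an X.509 v1 certificate
# with neither basicConstraints=CA:FALSE nor extendedKeyUsage=clientAuth.
# Adding a small extension file is the usual fix; not done here because the
# consuming server/app is not visible from this script.
_sign_with_ca() {
  openssl x509 -req -in "$1" -CAkey "$ca.key" -CA "$ca.crt" -days 9999 \
    -set_serial "0x$(openssl rand -hex 16)" -sha512 -out "$2"
}

# _client_store: build one client keystore (Bouncy Castle BKS for Android or
# a plain JKS) that holds the CA as a trusted certificate, a fresh client key
# signed by the CA, and the server certificate.  Shared by the two keytool
# sections of channel(); runs under the caller's `set -e`.
#   $1   label used in progress messages ("android" / "default java")
#   $2   keystore file name
#   $3…  keytool store options (-keystore, -storetype, -storepass:env PASS …)
# Reads globals: who, ca, p (keystore password); srv.crt must be on disk.
_client_store() {
  local label=$1 file=$2
  shift 2
  local store=("$@")

  # import CA public key into key store --------------------------------------
  echo "importing $ca public key into $label key store..."
  PASS=$p keytool -import -noprompt -alias "$ca" -file "$ca.crt" "${store[@]}"

  # create client keys -------------------------------------------------------
  echo "creating $who $label client keys..."
  PASS=$p keytool -genkey -alias "$who" -keysize 2048 -keyalg RSA -dname "CN=$who" \
    -validity 9999 -keypass:env PASS "${store[@]}"
  PASS=$p keytool -certreq -alias "$who" -file "$who.req" "${store[@]}"

  # sign client public key ---------------------------------------------------
  echo "signing $who $label client public key..."
  _sign_with_ca "$who.req" "$who.crt"
  # keytool needs the whole chain in the reply, so append the CA certificate.
  cat "$ca.crt" >> "$who.crt"

  # import client public key (certificate reply) into key store --------------
  echo "importing $who client public key into $label key store..."
  PASS=$p keytool -import -alias "$who" -file "$who.crt" "${store[@]}"

  # import server public key into client key store ---------------------------
  echo "importing server public key into $label client key store..."
  PASS=$p keytool -import -noprompt -alias srv -file srv.crt "${store[@]}"

  rm -f -- "$who".{req,crt}
  # The store contains the client's private key: owner-only, like *.pem.
  chmod 600 "$file"
  printf '*-----\n* %s client keystore %s successfully created.\n*-----\n' "${label^}" "$file"
}

# channel: generate the credentials of client "$chan":
#   $chan.bks  Bouncy Castle BKS-V1 keystore for Android
#   $chan.jks  default Java keystore
#   $chan.pem  OpenSSL key + certificate bundle (mode 0600)
# each holding its own CA-signed client key.  Needs $ca.crt, $ca.key and
# srv.crt in the working directory and the Bouncy Castle provider $jar.
# Reads globals: ca, chan, jar, KEYSTORE_PASS (optional).
# Side effects:  turns on `set -e` for the rest of the script.
channel() {
  [[ -e $ca.crt ]] && [[ -e $ca.key ]] || { echo "$ca keys not available."; exit 1; }
  local who=$chan
  # keytool option lists as arrays, so nothing is word-split or globbed.
  local bouncy_store=(-keystore "$who.bks" -storetype bks-v1
    -provider org.bouncycastle.jce.provider.BouncyCastleProvider
    -providerpath "$jar" -storepass:env PASS)
  local default_store=(-keystore "$who.jks" -storepass:env PASS)
  # Keystore and key password.  The historic hard-coded "heslo" stays the
  # default for compatibility; set KEYSTORE_PASS in the environment to avoid
  # a secret in the script.  Whatever is used here must match the password
  # the consuming application opens the keystore with -- not visible here.
  local p=${KEYSTORE_PASS:-heslo}
  set -e
  rm -f -- "$chan".{pem,bks,jks}

  _client_store "android" "$who.bks" "${bouncy_store[@]}"
  _client_store "default java" "$who.jks" "${default_store[@]}"

  # create openssl client keys -----------------------------------------------
  echo "creating $who openssl client keys..."
  # umask 077: the unencrypted private key is never created world-readable.
  ( umask 077
    openssl req -new -nodes -out "$who.req" -keyout "$who.key" \
      -subj "/CN=$who" -newkey rsa:2048 -sha512 )

  # sign openssl client public key -------------------------------------------
  echo "signing $who openssl client public key..."
  _sign_with_ca "$who.req" "$who.crt"

  # $who.pem = private key + certificate, created 0600 from the start.
  ( umask 077; cat "$who.key" "$who.crt" > "$who.pem" )
  chmod 600 "$who.pem"
  rm -f -- "$who".{key,req,crt}
  printf '*-----\n* Client keys %s successfully created.\n*-----\n' "$who.pem"
}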
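# srv: generate the server key pair, have "$ca" sign it, bundle key and
# certificate into srv.pem (mode 0600) and hand that bundle to up().
# srv.crt is deliberately kept: channel() imports it into every client store.
# Reads globals: ca ($ca.crt / $ca.key must be on disk).
# Side effects:  turns on `set -e` for the rest of the script.
srv() {
  set -e
  local who=srv
  # Same precondition check as channel(); without it the failure would only
  # surface as an openssl error.
  [[ -e $ca.crt ]] && [[ -e $ca.key ]] || { echo "$ca keys not available."; exit 1; }
  rm -f -- "$who".{pem,crt,key}

  # create server keys -------------------------------------------------------
  echo "creating $who server keys..."
  # umask 077: the unencrypted (-nodes) private key is never world-readable.
  ( umask 077
    openssl req -new -nodes -out "$who.req" -keyout "$who.key" \
      -subj "/CN=$who" -newkey rsa:2048 -sha512 )

  # sign server public key ---------------------------------------------------
  echo "signing $who server public key..."
  # Serial from OpenSSL's CSPRNG: $RANDOM is 15 bits, may be 0 (forbidden by
  # RFC 5280) and collides quickly across runs.
  # NOTE(review): no -extfile, so this is an X.509 v1 certificate without
  # basicConstraints=CA:FALSE, extendedKeyUsage=serverAuth or a
  # subjectAltName; clients only have CN=srv to match the server name
  # against -- whether that matters depends on how they verify, which this
  # script does not show.
  openssl x509 -req -in "$who.req" -CAkey "$ca.key" -CA "$ca.crt" -days 9999 \
    -set_serial "0x$(openssl rand -hex 16)" -sha512 -out "$who.crt"

  # srv.pem = private key + certificate, created 0600 from the start.
  ( umask 077; cat "$who.key" "$who.crt" > "$who.pem" )
  chmod 600 "$who.pem"
  rm -f -- "$who".{key,req}

  # upload server keys -------------------------------------------------------
  # The bundle carries the private key; up() is where its transport is decided.
  echo "uploading $who server keys..."
  up "$who.pem"
  printf '*-----\n* Server keys %s successfully created and uploaded.\n*-----\n' "$who.pem"
}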
# up: upload one generated artifact ($1) to the distribution host.
# Still a stub: it only prints a marker, the real transfer is the commented
# scp below.  `scp -p` would preserve the 0600 mode of the *.pem bundles,
# which contain private keys.
up() {
  # scp -p $1 hh@hal.hh.cz:/L/dejsem/ssl/
  printf '%s\n' '--->DUMMY UPLOAD<---'
}
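# --- configuration and dispatch ---------------------------------------------
ca=dejCA
# Since version 149 bcprov offers a special KeyStore type "BKS_V1" for
# backward compatibility.
# NOTE(review): the provider jar is loaded straight into keytool; verify its
# checksum/signature against the Bouncy Castle release before trusting the
# keystores it produces.
jar=bcprov-jdk15on-150.jar
[[ -e $jar ]] || { echo "Bouncy Castle $jar not found in current dir"; exit 1; }

if [[ $1 == CA ]]; then
  ca
  srv
else
  # Only decimal digits are accepted.  The original `declare -i n=10#$1`
  # printed an error for non-numeric input but did not stop: n stayed empty,
  # passed the range test as 0 and channel 00 was (re)built.
  [[ $1 =~ ^[0-9]+$ ]] || { echo "needed 0 <= channel# < 100"; exit 1; }
  # Base 10 is forced so "08"/"09" are not read as octal; an absurdly long
  # digit string wraps in bash arithmetic, hence the n < 0 check stays.
  declare -i n=10#$1
  if (( n < 0 || n > 99 )); then
    echo "needed 0 <= channel# < 100"; exit 1
  else
    chan=$(printf %02d "$n")
    channel
  fi
fi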