|
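#!/bin/bash
# Dev PKI helper.  "$0 CA" (re)creates the CA and the server credential; "$0 <channel#>"
# creates the client keystores/PEM for one two-digit channel, signed by that CA.
# Everything is read from and written to the current directory.
(($#)) || { echo "Syntax: $0 <channel#> | CA" >&2; exit 2; }   # usage error -> 2, diagnostics on stderr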
|
3 |
|
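# Create the self-signed CA named in $ca: RSA-2048 key (unencrypted, -nodes), SHA-512
# self-signature, extensions taken from CA.ext.  After confirmation every *.crt and
# *.bks in the current directory is removed first; the CA certificate is then handed
# to up().  Exits 1 when the user declines, non-zero on any openssl failure (set -e).
ca() {
  # CA.ext (contents not visible here) supplies the CA extensions for the signing
  # step; refuse before wiping anything rather than failing after the rm below.
  [[ -r CA.ext ]] || { echo "CA.ext not found in current dir"; exit 1; }
  local answer
  read -r -p "Really to discard existing credentials? y|[N]" answer
  # only an answer beginning with y/Y proceeds; empty or anything else aborts
  [[ ${answer,,} == y* ]] || exit 1
  # NOTE(review): *.jks and *.pem of already built channels are left behind here; they
  # still chain to the old CA and have to be regenerated with "$0 <channel#>".
  rm -f -- *.crt *.bks
  who=$ca
  local -r days=9999
  local serial
  set -e
  umask 077   # the unencrypted CA key must never exist world-readable, not even briefly
  echo "creating $who keys..."
  openssl req -new -nodes -out "$who.req" -keyout "$who.key" -subj "/CN=$who" -newkey rsa:2048 -sha512
  chmod 600 "$who.key"
  echo "selfsigning $who public key..."
  # 128-bit random serial.  $RANDOM yields only 15 bits, so repeats become likely after a
  # few dozen certificates, and duplicate serials under one issuer violate RFC 5280.
  serial=0x$(openssl rand -hex 16)
  openssl x509 -req -in "$who.req" -signkey "$who.key" -days "$days" -set_serial "$serial" -sha512 -extfile CA.ext -out "$who.crt"
  chmod 644 "$who.crt"   # public part: keep it readable for the upload target
  rm -f -- "$who.req"
  echo "uploading $who public key..."
  up "$who.crt"
  echo "$ca successfully created and uploaded."
}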
|
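# Build one keytool keystore (Android/BKS or plain JKS) for the current channel holding:
# the CA certificate as trust anchor, a fresh RSA-2048 key whose certificate is signed by
# the CA, and the server certificate srv.crt.  Reads $who, $ca, $p and $days from the
# calling channel() scope and runs under its set -e.
#   $1 - label used in the progress messages ("android" / "default java")
#   $2 - capitalised label for the final banner
#   $3 - keystore file name, for the banner only
#   $4… - keytool keystore/provider options, one argument per word
_client_store() {
  local label=$1 banner=$2 ksfile=$3
  shift 3
  local -a store=("$@")
  local serial
  echo "importing $ca public key into $label key store..."
  PASS=$p keytool -import -noprompt -alias "$ca" -file "$ca.crt" "${store[@]}"
  echo "creating $who $label client keys..."
  PASS=$p keytool -genkey -alias "$who" -keysize 2048 -keyalg RSA -dname "CN=$who" \
    -validity "$days" -keypass:env PASS "${store[@]}"
  PASS=$p keytool -certreq -alias "$who" -file "$who.req" "${store[@]}"
  echo "signing $who $label client public key..."
  # 128-bit random serial: $RANDOM (15 bits) repeats across the up to ~300 certificates
  # this CA issues (100 channels x 3), and duplicate serials per issuer violate RFC 5280.
  serial=0x$(openssl rand -hex 16)
  openssl x509 -req -in "$who.req" -CAkey "$ca.key" -CA "$ca.crt" -days "$days" \
    -set_serial "$serial" -sha512 -out "$who.crt"
  # append the issuer so keytool receives the whole chain as the certificate reply
  cat "$ca.crt" >> "$who.crt"
  echo "importing $who client public key into $label key store..."
  PASS=$p keytool -import -alias "$who" -file "$who.crt" "${store[@]}"
  echo "importing server public key into $label client key store..."
  PASS=$p keytool -import -noprompt -alias srv -file srv.crt "${store[@]}"
  rm -f -- "$who".{req,crt}
  printf '*-----\n* %s client keystore %s successfully created.\n*-----\n' "$banner" "$ksfile"
}

# Create every client credential for channel $chan (set by the caller): a BKS keystore
# for Android, a JKS keystore for desktop Java and a PEM (key + cert) for OpenSSL
# clients, all signed by the CA named in $ca.  Needs $ca.crt, $ca.key and srv.crt in
# the current directory and the Bouncy Castle provider jar in $jar.
channel() {
  [[ -e $ca.crt && -e $ca.key ]] || { echo "$ca keys not available."; exit 1; }
  # srv.crt is imported into both keystores; check up front instead of dying half-way
  [[ -e srv.crt ]] || { echo "srv.crt not available (run '$0 CA' first)."; exit 1; }
  who=$chan
  # keystore/provider options as arrays so keytool gets exactly one argument per word
  local -a bouncy_store=(-keystore "$who.bks" -storetype bks-v1
    -provider org.bouncycastle.jce.provider.BouncyCastleProvider
    -providerpath "$jar" -storepass:env PASS)
  local -a default_store=(-keystore "$who.jks" -storepass:env PASS)
  # Keystore/key password, passed to keytool through the environment (-storepass:env /
  # -keypass:env) rather than argv.  The built-in default "heslo" is weak and public:
  # whoever obtains the .bks/.jks file can extract the client key with it.  Override
  # with KEYSTORE_PASS; the default is kept only so existing deployments still open.
  p=${KEYSTORE_PASS:-heslo}
  local -r days=9999
  local serial
  set -e
  umask 077   # keystores and the PEM hold private keys; create them owner-only
  rm -f -- "$chan".{pem,bks,jks}
  _client_store "android" "Android" "$who.bks" "${bouncy_store[@]}"
  _client_store "default java" "Default java" "$who.jks" "${default_store[@]}"
  # plain OpenSSL client: key and certificate concatenated into one PEM
  echo "creating $who openssl client keys..."
  openssl req -new -nodes -out "$who.req" -keyout "$who.key" -subj "/CN=$who" -newkey rsa:2048 -sha512
  echo "signing $who openssl client public key..."
  serial=0x$(openssl rand -hex 16)   # 128-bit serial, see _client_store
  openssl x509 -req -in "$who.req" -CAkey "$ca.key" -CA "$ca.crt" -days "$days" -set_serial "$serial" -sha512 -out "$who.crt"
  cat "$who.key" "$who.crt" > "$who.pem"
  chmod 600 "$who.pem"
  rm -f -- "$who".{key,req,crt}
  printf '*-----\n* Client keys %s successfully created.\n*-----\n' "$who"
}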
|
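# Create the server credential: RSA-2048 key plus CA-signed certificate bundled as
# srv.pem (key first, then cert, mode 600) and handed to up().  Expects $ca.crt and
# $ca.key in the current directory; the CA branch of the script runs ca() right before.
srv() {
  [[ -e $ca.crt && -e $ca.key ]] || { echo "$ca keys not available."; exit 1; }
  set -e
  umask 077   # no window in which the freshly written key is world-readable
  who=srv
  local -r days=9999
  local serial
  rm -f -- "$who".{pem,crt,key}
  echo "creating $who server keys..."
  openssl req -new -nodes -out "$who.req" -keyout "$who.key" -subj "/CN=$who" -newkey rsa:2048 -sha512
  echo "signing $who server public key..."
  # NOTE(review): the certificate carries only CN=srv and no SAN or extensions; clients
  # that verify the hostname may reject it -- confirm against what the consumers expect.
  # 128-bit random serial; $RANDOM gives 15 bits and repeats, which RFC 5280 forbids per issuer.
  serial=0x$(openssl rand -hex 16)
  openssl x509 -req -in "$who.req" -CAkey "$ca.key" -CA "$ca.crt" -days "$days" -set_serial "$serial" -sha512 -out "$who.crt"
  cat "$who.key" "$who.crt" > "$who.pem"
  chmod 600 "$who.pem"
  chmod 644 "$who.crt"   # public part; channel() imports it into every client keystore
  rm -f -- "$who".{key,req}
  echo "uploading $who server keys..."
  up "$who.pem"
  printf '*-----\n* Server keys %s successfully created and uploaded.\n*-----\n' "$who"
}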
|
# Publish a generated file ($1) to the deployment host.  The real transfer is
# disabled; only a marker line is printed so callers' "uploading..." flow still runs
# without network access.
up() {
  # scp -p "$1" hh@hal.hh.cz:/L/dejsem/ssl/
  printf '%s\n' '--->DUMMY UPLOAD<---'
}
|
106 |
|
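ca=dejCA
# Since bcprov 149 a separate "BKS_V1" KeyStore type exists for backward compatibility
# (the bks-v1 store type channel() requests).  The provider jar is loaded from the
# current directory; BCPROV_JAR overrides the file name.
jar=${BCPROV_JAR:-bcprov-jdk15on-150.jar}
[[ -e $jar ]] || { echo "Bouncy Castle $jar not found in current dir"; exit 1; }
# Optional supply-chain check: the jar runs as a JCE provider inside keytool with the
# keystore password in its environment, so pin it when BCPROV_SHA256 is set (compare
# against the checksum published with the Bouncy Castle release; needs coreutils sha256sum).
if [[ -n $BCPROV_SHA256 ]]; then
  actual=$(sha256sum -- "$jar") || { echo "cannot checksum $jar"; exit 1; }
  actual=${actual%% *}
  [[ $actual == "$BCPROV_SHA256" ]] || { echo "Bouncy Castle $jar checksum mismatch"; exit 1; }
fi
if [[ $1 == CA ]]; then
  ca
  srv
else
  # Accept only a decimal 0..99 (leading zeros allowed).  The old 10#${1^^} arithmetic
  # let non-numeric input through as an error message plus channel 00 on some bash
  # versions; a regex rejects it outright.  10# keeps "08"/"09" from being read as octal.
  [[ $1 =~ ^0*[0-9]{1,2}$ ]] || { echo "needed 0 =< channel# < 100"; exit 1; }
  chan=$(printf %02d "$((10#$1))")
  channel
fi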