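--- a/dejsem.1.5/ssl/ssl.sh
+++ b/dejsem.1.5/ssl/ssl.sh
@@ -0,0 +1,120 @@
+#!/bin/bash
+(($#)) || { echo "Syntax: $0 <channel#> | CA"; exit -1; }
+
+ca() {
+    read -p "Really to discard existing credentials? y|[N]" x
+    x=$x.
+    x=${x:0:1}
+    [[ ${x^[a-z]} != Y ]] && exit 1
+    rm -f *.crt
+    rm -f *.bks
+    who=$ca
+    set -e
+    # create CA keys -----------------------------------------------------------
+    echo "creating $who keys..."
+    openssl req -new -nodes -out $who.req -keyout $who.key -subj /CN=$who -newkey rsa:2048 -sha512
+    chmod 600 $who.key
+    # selfsign CA public key ---------------------------------------------------
+    echo "selfsigning $who public key..."
+    openssl x509 -req -in $who.req -signkey $who.key -days 9999 -set_serial $RANDOM -sha512 -extfile CA.ext -out $who.crt
+    # upload CA public key -----------------------------------------------------
+    echo "uploading $who public key..."
+    up $who.crt
+    echo "$ca successfully created and uploaded."
+}
+channel() {
+    [[ -e $ca.crt ]] && [[ -e $ca.key ]] || { echo "$ca keys not available."; exit 1; }
+    who=$chan
+    bouncy_store="-keystore $who.bks -storetype bks-v1 -provider org.bouncycastle.jce.provider.BouncyCastleProvider -providerpath $jar -storepass:env PASS"
+    default_store="-keystore $who.jks -storepass:env PASS"
+    p=heslo
+    set -e
+    rm -f $chan.{pem,bks,jks}
+    # import CA public key into android key store ------------------------------
+    store=$bouncy_store
+    echo "importing $ca public key into android key store..."
+    PASS=$p keytool -import -noprompt -alias $ca -file $ca.crt $store
+    # create android client keys -----------------------------------------------
+    echo "creating $who android client keys..."
+    PASS=$p keytool -genkey -alias $who -keysize 2048 -keyalg RSA -dname "CN=$who" -validity 9999 -keypass:env PASS $store
+    PASS=$p keytool -certreq -alias $who -file $who.req $store
+     # sign android client public key -------------------------------------------
+    echo "signing $who android client public key..."
+    openssl x509 -req -in $who.req -CAkey $ca.key -CA $ca.crt -days 9999 -set_serial $RANDOM -sha512 -out $who.crt
+    cat $ca.crt >> $who.crt
+    # import client public key into android key store --------------------------
+    echo "importing $who client public key into android key store..."
+    PASS=$p keytool -import -alias $who -file $who.crt $store
+    # import server public key into android client key store -------------------
+    echo "importing server public key into android client key store..."
+    PASS=$p keytool -import -noprompt -alias srv -file srv.crt $store
+    rm -f $who.{req,crt}
+    echo -e "*-----\n* Android client keystore $who.bks successfully created.\n*-----"
+    # import CA public key into default java key store -------------------------
+    store=$default_store
+    echo "importing $ca public key into default java key store..."
+    PASS=$p keytool -import -noprompt -alias $ca -file $ca.crt $store
+    # create default java client keys ------------------------------------------
+    echo "creating $who default java client keys..."
+    PASS=$p keytool -genkey -alias $who -keysize 2048 -keyalg RSA -dname "CN=$who" -validity 9999 -keypass:env PASS $store
+    PASS=$p keytool -certreq -alias $who -file $who.req $store
+    # sign default java client public key --------------------------------------
+    echo "signing $who default java client public key..."
+    openssl x509 -req -in $who.req -CAkey $ca.key -CA $ca.crt -days 9999 -set_serial $RANDOM -sha512 -out $who.crt
+    cat $ca.crt >> $who.crt
+    # import client public key into default java key store ---------------------
+    echo "importing $who client public key into default java key store..."
+    PASS=$p keytool -import -alias $who -file $who.crt $store
+    rm -f $who.{req,crt}
+    # import server public key into default java client key store --------------
+    echo "importing server public key into default java client key store..."
+    PASS=$p keytool -import -noprompt -alias srv -file srv.crt $store
+    echo -e "*-----\n* Default java client keystore $who.jks successfully created.\n*-----"
+    # create openssl client keys -----------------------------------------------
+    echo "creating $who openssl client keys..."
+    openssl req -new -nodes -out $who.req -keyout $who.key -subj /CN=$who -newkey rsa:2048 -sha512
+    # sign openssl client public key -------------------------------------------
+    echo "signing $who openssl client public key..."
+    openssl x509 -req -in $who.req -CAkey $ca.key -CA $ca.crt -days 9999 -set_serial $RANDOM -sha512 -out $who.crt    
+    cat $who.key $who.crt > $who.pem
+    chmod 600 $who.pem
+    rm -f $who.{key,req,crt}
+    echo -e "*-----\n* Client keys $who.pem successfully created.\n*-----"
+}
+srv() {
+    set -e
+    who=srv
+    rm -f $who.{pem,crt,key}
+    # create server keys -------------------------------------------------------
+    echo "creating $who server keys..."
+    openssl req -new -nodes -out $who.req -keyout $who.key -subj /CN=$who -newkey rsa:2048 -sha512
+    # sign server public key ---------------------------------------------------
+    echo "signing $who server public key..."
+    openssl x509 -req -in $who.req -CAkey $ca.key -CA $ca.crt -days 9999 -set_serial $RANDOM -sha512 -out $who.crt
+    cat $who.key $who.crt > $who.pem
+    chmod 600 $who.pem
+    rm -f $who.{key,req}
+    # upload server keys -------------------------------------------------------
+    echo "uploading $who server keys..."
+    up $who.pem
+    echo -e "*-----\n* Server keys $who.pem successfully created and uploaded.\n*-----"
+}
+up() {
+#    scp -p $1 hh@hal.hh.cz:/L/dejsem/ssl/
+	echo "--->DUMMY UPLOAD<---"
+}
+
+ca=dejCA
+# bcprov od verze 149 nabízí zvláštní typ KeyStore "BKS_V1" pro zpětnou kompatibilitu
+jar=bcprov-jdk15on-150.jar
+[[ -e $jar ]] || { echo "Bouncy Castle $jar not found in current dir"; exit 1; }
+if [[ $1 == CA ]] 
+then    ca
+        srv
+else    declare -i n=10#${1^^[a-z]}
+        if [[ $n -gt 99 ]] || [[ $n -lt 0 ]]
+        then    { echo "needed 0 =< channel# < 100"; exit 1; }
+        else    chan=$(printf %02d $n)
+                channel
+        fi
+fi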
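Review bot: The four leaf certificates signed with `openssl x509 -req -CAkey $ca.key -CA $ca.crt` in channel() and srv() pass no `-extfile`, so unlike the CA certificate (which gets `CA.ext`) they carry no `basicConstraints=CA:FALSE`, `keyUsage` or `extendedKeyUsage`, which leaves the channel client certificates and the srv certificate interchangeable for TLS purposes; each of those calls should pass an extensions file with `basicConstraints=CA:FALSE` and the matching `extendedKeyUsage` (clientAuth for the channel certs, serverAuth for srv). The same lines, and the self-sign step in ca(), use `-set_serial $RANDOM`, a 15-bit value, so two certificates issued under dejCA can share a serial; `-set_serial 0x$(openssl rand -hex 16)` removes the collision risk. `p=heslo` in channel() hard-codes the only password protecting the private keys inside the generated `.bks`/`.jks` stores, and the same constant ends up in every store; read it from an environment variable the caller sets or from a `read -rs` prompt instead. At the bottom, `declare -i n=10#${1^^[a-z]}` hands the untrusted argument straight to bash arithmetic evaluation; validate it first with `[[ $1 =~ ^[0-9]{1,2}$ ]] || { echo "needed 0 =< channel# < 100"; exit 1; }` and drop the case conversion, which does nothing for a numeric argument.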