--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/dejsem.1.5/ssl/ssl.sh Wed Nov 27 09:50:16 2019 +0100
@@ -0,0 +1,120 @@
+#!/bin/bash
+(($#)) || { echo "Syntax: $0 <channel#> | CA"; exit -1; }
+
+ca() {
+ read -p "Really to discard existing credentials? y|[N]" x
+ x=$x.
+ x=${x:0:1}
+ [[ ${x^[a-z]} != Y ]] && exit 1
+ rm -f *.crt
+ rm -f *.bks
+ who=$ca
+ set -e
+ # create CA keys -----------------------------------------------------------
+ echo "creating $who keys..."
+ openssl req -new -nodes -out $who.req -keyout $who.key -subj /CN=$who -newkey rsa:2048 -sha512
+ chmod 600 $who.key
+ # selfsign CA public key ---------------------------------------------------
+ echo "selfsigning $who public key..."
+ openssl x509 -req -in $who.req -signkey $who.key -days 9999 -set_serial $RANDOM -sha512 -extfile CA.ext -out $who.crt
+ # upload CA public key -----------------------------------------------------
+ echo "uploading $who public key..."
+ up $who.crt
+ echo "$ca successfully created and uploaded."
+}
+channel() {
+ [[ -e $ca.crt ]] && [[ -e $ca.key ]] || { echo "$ca keys not available."; exit 1; }
+ who=$chan
+ bouncy_store="-keystore $who.bks -storetype bks-v1 -provider org.bouncycastle.jce.provider.BouncyCastleProvider -providerpath $jar -storepass:env PASS"
+ default_store="-keystore $who.jks -storepass:env PASS"
+ p=heslo
+ set -e
+ rm -f $chan.{pem,bks,jks}
+ # import CA public key into android key store ------------------------------
+ store=$bouncy_store
+ echo "importing $ca public key into android key store..."
+ PASS=$p keytool -import -noprompt -alias $ca -file $ca.crt $store
+ # create android client keys -----------------------------------------------
+ echo "creating $who android client keys..."
+ PASS=$p keytool -genkey -alias $who -keysize 2048 -keyalg RSA -dname "CN=$who" -validity 9999 -keypass:env PASS $store
+ PASS=$p keytool -certreq -alias $who -file $who.req $store
+ # sign android client public key -------------------------------------------
+ echo "signing $who android client public key..."
+ openssl x509 -req -in $who.req -CAkey $ca.key -CA $ca.crt -days 9999 -set_serial $RANDOM -sha512 -out $who.crt
+ cat $ca.crt >> $who.crt
+ # import client public key into android key store --------------------------
+ echo "importing $who client public key into android key store..."
+ PASS=$p keytool -import -alias $who -file $who.crt $store
+ # import server public key into android client key store -------------------
+ echo "importing server public key into android client key store..."
+ PASS=$p keytool -import -noprompt -alias srv -file srv.crt $store
+ rm -f $who.{req,crt}
+ echo -e "*-----\n* Android client keystore $who.bks successfully created.\n*-----"
+ # import CA public key into default java key store -------------------------
+ store=$default_store
+ echo "importing $ca public key into default java key store..."
+ PASS=$p keytool -import -noprompt -alias $ca -file $ca.crt $store
+ # create default java client keys ------------------------------------------
+ echo "creating $who default java client keys..."
+ PASS=$p keytool -genkey -alias $who -keysize 2048 -keyalg RSA -dname "CN=$who" -validity 9999 -keypass:env PASS $store
+ PASS=$p keytool -certreq -alias $who -file $who.req $store
+ # sign default java client public key --------------------------------------
+ echo "signing $who default java client public key..."
+ openssl x509 -req -in $who.req -CAkey $ca.key -CA $ca.crt -days 9999 -set_serial $RANDOM -sha512 -out $who.crt
+ cat $ca.crt >> $who.crt
+ # import client public key into default java key store ---------------------
+ echo "importing $who client public key into default java key store..."
+ PASS=$p keytool -import -alias $who -file $who.crt $store
+ rm -f $who.{req,crt}
+ # import server public key into default java client key store --------------
+ echo "importing server public key into default java client key store..."
+ PASS=$p keytool -import -noprompt -alias srv -file srv.crt $store
+ echo -e "*-----\n* Default java client keystore $who.jks successfully created.\n*-----"
+ # create openssl client keys -----------------------------------------------
+ echo "creating $who openssl client keys..."
+ openssl req -new -nodes -out $who.req -keyout $who.key -subj /CN=$who -newkey rsa:2048 -sha512
+ # sign openssl client public key -------------------------------------------
+ echo "signing $who openssl client public key..."
+ openssl x509 -req -in $who.req -CAkey $ca.key -CA $ca.crt -days 9999 -set_serial $RANDOM -sha512 -out $who.crt
+ cat $who.key $who.crt > $who.pem
+ chmod 600 $who.pem
+ rm -f $who.{key,req,crt}
+ echo -e "*-----\n* Client keys $who.pem successfully created.\n*-----"
+}
+srv() {
+ set -e
+ who=srv
+ rm -f $who.{pem,crt,key}
+ # create server keys -------------------------------------------------------
+ echo "creating $who server keys..."
+ openssl req -new -nodes -out $who.req -keyout $who.key -subj /CN=$who -newkey rsa:2048 -sha512
+ # sign server public key ---------------------------------------------------
+ echo "signing $who server public key..."
+ openssl x509 -req -in $who.req -CAkey $ca.key -CA $ca.crt -days 9999 -set_serial $RANDOM -sha512 -out $who.crt
+ cat $who.key $who.crt > $who.pem
+ chmod 600 $who.pem
+ rm -f $who.{key,req}
+ # upload server keys -------------------------------------------------------
+ echo "uploading $who server keys..."
+ up $who.pem
+ echo -e "*-----\n* Server keys $who.pem successfully created and uploaded.\n*-----"
+}
+up() {
+# scp -p $1 hh@hal.hh.cz:/L/dejsem/ssl/
+ echo "--->DUMMY UPLOAD<---"
+}
+
+ca=dejCA
+# bcprov od verze 149 nabízí zvláštní typ KeyStore "BKS_V1" pro zpětnou kompatibilitu
+jar=bcprov-jdk15on-150.jar
+[[ -e $jar ]] || { echo "Bouncy Castle $jar not found in current dir"; exit 1; }
+if [[ $1 == CA ]]
+then ca
+ srv
+else declare -i n=10#${1^^[a-z]}
+ if [[ $n -gt 99 ]] || [[ $n -lt 0 ]]
+ then { echo "needed 0 =< channel# < 100"; exit 1; }
+ else chan=$(printf %02d $n)
+ channel
+ fi
+fi
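Review bot: Every certificate the CA issues takes its serial from `$RANDOM` (lines 22, 46, 66, 81, 96), which yields only 0–32767 and is not guaranteed unique; with up to 100 channels each getting three certificates plus srv, duplicate serials under one CA are likely, and re-running `channel` for the same number silently reuses the same range, which violates the per-CA uniqueness that X.509 serials are supposed to provide and breaks serial-based revocation or pinning. Replace the `-set_serial $RANDOM` on each of those lines with `-set_serial 0x$(openssl rand -hex 16)` so each certificate gets a 128-bit unpredictable serial. Separately, line 33 hardcodes the keystore and key password (`p=heslo`), which is also used as `-keypass:env PASS` on lines 42 and 62, so the generated `.bks`/`.jks` stores and the client private keys inside them are protected by a value that ships in the script; reading it from the environment instead, e.g. `p=${DEJSEM_KEYSTORE_PASS:?set DEJSEM_KEYSTORE_PASS}`, keeps the existing `PASS=$p` plumbing intact. Line 5's `exit -1` is not a valid exit status in bash and becomes 255; `exit 2` is the conventional usage error.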