#!/bin/bash
# usage check: one argument is mandatory (a channel number or the literal CA)
if (( $# == 0 )); then
  printf 'Syntax: %s <channel#> | CA\n' "$0"
  exit 255
fi
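#######################################
# Create the CA key pair, self-sign it and upload the public certificate.
# Asks for confirmation first because it wipes every *.crt and *.bks in the
# current directory. There is no CRL/revocation anywhere in this flow, so
# replacing a compromised credential means re-running this step.
# Globals:   ca (read) - CA name, also the file stem for $ca.key / $ca.crt
# Arguments: none
# Requires:  CA.ext (x509 extensions for the CA cert) in the current directory
# Outputs:   $ca.key (0600), $ca.req, $ca.crt; progress messages on stdout
# Returns:   exits 1 unless the answer starts with y/Y; set -e afterwards
#######################################
ca() {
  local x who serial
  read -r -p "Really to discard existing credentials? y|[N]" x
  # any answer starting with y/Y continues, everything else (incl. EOF) aborts
  [[ ${x,,} == y* ]] || exit 1
  # only *.crt and *.bks are discarded; *.jks and *.pem issued under the
  # previous CA are left behind and will no longer chain to the new CA
  rm -f -- *.crt
  rm -f -- *.bks
  who=$ca
  set -e
  # create CA keys -----------------------------------------------------------
  echo "creating $who keys..."
  # umask 077 in a subshell: the private key is created without group/other
  # permissions instead of being tightened afterwards; the caller's umask is untouched
  ( umask 077; openssl req -new -nodes -out "$who.req" -keyout "$who.key" -subj "/CN=$who" -newkey rsa:2048 -sha512 )
  chmod 600 "$who.key"
  # selfsign CA public key ---------------------------------------------------
  echo "selfsigning $who public key..."
  # 64-bit random serial instead of $RANDOM (15 bits); -set_serial reads hex
  # when prefixed with 0x. A failed openssl rand aborts via set -e.
  serial=$(openssl rand -hex 8)
  openssl x509 -req -in "$who.req" -signkey "$who.key" -days 9999 -set_serial "0x$serial" -sha512 -extfile CA.ext -out "$who.crt"
  # upload CA public key -----------------------------------------------------
  echo "uploading $who public key..."
  up "$who.crt"
  echo "$ca successfully created and uploaded."
}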
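#######################################
# Fill one java keystore for a client: the CA certificate, a fresh client key
# pair whose certificate is signed by the CA, and the server certificate.
# Globals:   ca (read)
# Arguments: $1   - client name (keystore alias and file stem)
#            $2   - keystore/key password
#            $3   - label used in progress messages ("android" / "default java")
#            $4   - keystore file name, only used in the final message
#            $5.. - keytool store options (-keystore, -storepass:env, ...)
# Requires:  $ca.crt, $ca.key and srv.crt in the current directory
# Outputs:   the keystore named by the options; progress messages on stdout
# Returns:   relies on the caller's set -e; any failing tool aborts the script
#######################################
java_client_store() {
  local who=$1 p=$2 label=$3 ksfile=$4 serial
  shift 4
  local -a store=("$@")
  # import CA public key into the key store -----------------------------------
  echo "importing $ca public key into $label key store..."
  PASS=$p keytool -import -noprompt -alias "$ca" -file "$ca.crt" "${store[@]}"
  # create client keys ---------------------------------------------------------
  echo "creating $who $label client keys..."
  PASS=$p keytool -genkey -alias "$who" -keysize 2048 -keyalg RSA -dname "CN=$who" -validity 9999 -keypass:env PASS "${store[@]}"
  PASS=$p keytool -certreq -alias "$who" -file "$who.req" "${store[@]}"
  # sign client public key -----------------------------------------------------
  echo "signing $who $label client public key..."
  # 64-bit random serial instead of $RANDOM (15 bits): every cert signed by
  # this CA must carry a distinct serial, and $RANDOM collides quickly
  serial=$(openssl rand -hex 8)
  openssl x509 -req -in "$who.req" -CAkey "$ca.key" -CA "$ca.crt" -days 9999 -set_serial "0x$serial" -sha512 -out "$who.crt"
  # append the CA cert so keytool receives the whole chain as the reply
  cat "$ca.crt" >> "$who.crt"
  # import client public key into the key store --------------------------------
  echo "importing $who client public key into $label key store..."
  PASS=$p keytool -import -alias "$who" -file "$who.crt" "${store[@]}"
  # import server public key into the client key store -------------------------
  echo "importing server public key into $label client key store..."
  PASS=$p keytool -import -noprompt -alias srv -file srv.crt "${store[@]}"
  rm -f -- "$who".{req,crt}
  printf '*-----\n* %s client keystore %s successfully created.\n*-----\n' "${label^}" "$ksfile"
}

#######################################
# Build every credential bundle for one client channel:
#   $chan.bks - Bouncy Castle (android) keystore
#   $chan.jks - default java keystore
#   $chan.pem - openssl private key + certificate
# Globals:   ca, chan, jar (read); KEYSTORE_PASS (read, optional)
# Arguments: none
# Requires:  $ca.crt, $ca.key and srv.crt in the current directory
# Outputs:   the three files above (pem is 0600); progress messages on stdout
# Returns:   exits 1 when the CA keys or srv.crt are missing; set -e afterwards
#######################################
channel() {
  [[ -e $ca.crt ]] && [[ -e $ca.key ]] || { echo "$ca keys not available."; exit 1; }
  # srv.crt is imported into both java stores; fail early with a clear message
  # instead of from inside keytool half way through
  [[ -e srv.crt ]] || { echo "srv.crt not available."; exit 1; }
  local who=$chan serial
  # keytool options kept as arrays so each element reaches keytool as one argument
  local -a bouncy_store=(-keystore "$who.bks" -storetype bks-v1 -provider org.bouncycastle.jce.provider.BouncyCastleProvider -providerpath "$jar" -storepass:env PASS)
  local -a default_store=(-keystore "$who.jks" -storepass:env PASS)
  # keystore/key password. The default is a fixed, well-known value the clients
  # embed, so the keystore file itself must be treated as the secret; it can be
  # overridden through the KEYSTORE_PASS environment variable.
  local p=${KEYSTORE_PASS:-heslo}
  set -e
  rm -f -- "$chan".{pem,bks,jks}
  java_client_store "$who" "$p" "android" "$who.bks" "${bouncy_store[@]}"
  java_client_store "$who" "$p" "default java" "$who.jks" "${default_store[@]}"
  # create openssl client keys -----------------------------------------------
  echo "creating $who openssl client keys..."
  # umask 077 in a subshell: the private key is created without group/other
  # permissions from the start; the function's own umask stays unchanged
  ( umask 077; openssl req -new -nodes -out "$who.req" -keyout "$who.key" -subj "/CN=$who" -newkey rsa:2048 -sha512 )
  # sign openssl client public key -------------------------------------------
  echo "signing $who openssl client public key..."
  serial=$(openssl rand -hex 8)
  openssl x509 -req -in "$who.req" -CAkey "$ca.key" -CA "$ca.crt" -days 9999 -set_serial "0x$serial" -sha512 -out "$who.crt"
  # same umask trick for the pem, which carries the private key
  ( umask 077; cat "$who.key" "$who.crt" > "$who.pem" )
  chmod 600 "$who.pem"
  rm -f -- "$who".{key,req,crt}
  printf '*-----\n* Client keys %s.pem successfully created.\n*-----\n' "$who"
}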
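#######################################
# Create the server key pair, have the CA sign it and upload the pem bundle.
# Globals:   ca (read)
# Arguments: none
# Requires:  $ca.crt and $ca.key in the current directory
# Outputs:   srv.pem (0600, private key + cert, uploaded via up()),
#            srv.crt (kept; channel() imports it into the client stores);
#            progress messages on stdout
# Returns:   exits 1 when the CA keys are missing; set -e afterwards
#######################################
srv() {
  # same precondition channel() checks; gives a clear message instead of an
  # openssl error when called without a CA
  [[ -e $ca.crt ]] && [[ -e $ca.key ]] || { echo "$ca keys not available."; exit 1; }
  local who=srv serial
  set -e
  rm -f -- "$who".{pem,crt,key}
  # create server keys -------------------------------------------------------
  echo "creating $who server keys..."
  # umask 077 in a subshell: the private key is created without group/other
  # permissions from the start; the function's own umask stays unchanged
  ( umask 077; openssl req -new -nodes -out "$who.req" -keyout "$who.key" -subj "/CN=$who" -newkey rsa:2048 -sha512 )
  # sign server public key ---------------------------------------------------
  echo "signing $who server public key..."
  # 64-bit random serial instead of $RANDOM (15 bits); -set_serial reads hex
  # when prefixed with 0x
  serial=$(openssl rand -hex 8)
  openssl x509 -req -in "$who.req" -CAkey "$ca.key" -CA "$ca.crt" -days 9999 -set_serial "0x$serial" -sha512 -out "$who.crt"
  # the pem carries the private key, so create it under umask 077 as well
  ( umask 077; cat "$who.key" "$who.crt" > "$who.pem" )
  chmod 600 "$who.pem"
  rm -f -- "$who".{key,req}
  # upload server keys -------------------------------------------------------
  echo "uploading $who server keys..."
  up "$who.pem"
  printf '*-----\n* Server keys %s.pem successfully created and uploaded.\n*-----\n' "$who"
}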
#######################################
# Placeholder for publishing a file to the server. The real transfer is
# commented out, so for now only a marker is printed. Note that srv() passes
# srv.pem here, which contains the server private key.
# Arguments: $1 - file to upload (ignored by the dummy)
# Outputs:   the marker line on stdout
#######################################
up() {
  # scp -p $1 hh@hal.hh.cz:/L/dejsem/ssl/
  printf '%s\n' '--->DUMMY UPLOAD<---'
}
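# CA name; also the file stem of the CA key and certificate
ca=dejCA
# bcprov from version 149 on offers a special KeyStore type "BKS_V1" for
# backward compatibility
jar=bcprov-jdk15on-150.jar
[[ -e $jar ]] || { echo "Bouncy Castle $jar not found in current dir"; exit 1; }
if [[ $1 == CA ]]; then
  ca
  srv
else
  # channel# must be a decimal 0..99 (leading zeros allowed). Previously a
  # non-numeric argument only produced a 'declare -i' error message and the
  # script carried on, since set -e is not in effect at this point.
  if [[ $1 =~ ^0*[0-9]{1,2}$ ]]; then
    chan=$(printf %02d "$((10#$1))")
    channel
  else
    echo "needed 0 =< channel# < 100"
    exit 1
  fi
fi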