diff -r 000000000000 -r 676905a3b03c dejsem.1.5/ssl/ssl.sh
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/dejsem.1.5/ssl/ssl.sh	Wed Nov 27 09:50:16 2019 +0100
@@ -0,0 +1,120 @@
+#!/bin/bash
+(($#)) || { echo "Syntax: $0 | CA"; exit -1; }
+
+ca() {
+ read -p "Really to discard existing credentials? y|[N]" x
+ x=$x.
+ x=${x:0:1}
+ [[ ${x^[a-z]} != Y ]] && exit 1
+ rm -f *.crt
+ rm -f *.bks
+ who=$ca
+ set -e
+ # create CA keys -----------------------------------------------------------
+ echo "creating $who keys..."
+ openssl req -new -nodes -out $who.req -keyout $who.key -subj /CN=$who -newkey rsa:2048 -sha512
+ chmod 600 $who.key
+ # selfsign CA public key ---------------------------------------------------
+ echo "selfsigning $who public key..."
+ openssl x509 -req -in $who.req -signkey $who.key -days 9999 -set_serial $RANDOM -sha512 -extfile CA.ext -out $who.crt
+ # upload CA public key -----------------------------------------------------
+ echo "uploading $who public key..."
+ up $who.crt
+ echo "$ca successfully created and uploaded."
+}
+channel() {
+ [[ -e $ca.crt ]] && [[ -e $ca.key ]] || { echo "$ca keys not available."; exit 1; }
+ who=$chan
+ bouncy_store="-keystore $who.bks -storetype bks-v1 -provider org.bouncycastle.jce.provider.BouncyCastleProvider -providerpath $jar -storepass:env PASS"
+ default_store="-keystore $who.jks -storepass:env PASS"
+ p=heslo
+ set -e
+ rm -f $chan.{pem,bks,jks}
+ # import CA public key into android key store ------------------------------
+ store=$bouncy_store
+ echo "importing $ca public key into android key store..."
+ PASS=$p keytool -import -noprompt -alias $ca -file $ca.crt $store
+ # create android client keys -----------------------------------------------
+ echo "creating $who android client keys..."
+ PASS=$p keytool -genkey -alias $who -keysize 2048 -keyalg RSA -dname "CN=$who" -validity 9999 -keypass:env PASS $store
+ PASS=$p keytool -certreq -alias $who -file $who.req $store
+ # sign android client public key -------------------------------------------
+ echo "signing $who android client public key..."
+ openssl x509 -req -in $who.req -CAkey $ca.key -CA $ca.crt -days 9999 -set_serial $RANDOM -sha512 -out $who.crt
+ cat $ca.crt >> $who.crt
+ # import client public key into android key store --------------------------
+ echo "importing $who client public key into android key store..."
+ PASS=$p keytool -import -alias $who -file $who.crt $store
+ # import server public key into android client key store -------------------
+ echo "importing server public key into android client key store..."
+ PASS=$p keytool -import -noprompt -alias srv -file srv.crt $store
+ rm -f $who.{req,crt}
+ echo -e "*-----\n* Android client keystore $who.bks successfully created.\n*-----"
+ # import CA public key into default java key store -------------------------
+ store=$default_store
+ echo "importing $ca public key into default java key store..."
+ PASS=$p keytool -import -noprompt -alias $ca -file $ca.crt $store
+ # create default java client keys ------------------------------------------
+ echo "creating $who default java client keys..."
+ PASS=$p keytool -genkey -alias $who -keysize 2048 -keyalg RSA -dname "CN=$who" -validity 9999 -keypass:env PASS $store
+ PASS=$p keytool -certreq -alias $who -file $who.req $store
+ # sign default java client public key --------------------------------------
+ echo "signing $who default java client public key..."
+ openssl x509 -req -in $who.req -CAkey $ca.key -CA $ca.crt -days 9999 -set_serial $RANDOM -sha512 -out $who.crt
+ cat $ca.crt >> $who.crt
+ # import client public key into default java key store ---------------------
+ echo "importing $who client public key into default java key store..."
+ PASS=$p keytool -import -alias $who -file $who.crt $store
+ rm -f $who.{req,crt}
+ # import server public key into default java client key store --------------
+ echo "importing server public key into default java client key store..."
+ PASS=$p keytool -import -noprompt -alias srv -file srv.crt $store
+ echo -e "*-----\n* Default java client keystore $who.jks successfully created.\n*-----"
+ # create openssl client keys -----------------------------------------------
+ echo "creating $who openssl client keys..."
+ openssl req -new -nodes -out $who.req -keyout $who.key -subj /CN=$who -newkey rsa:2048 -sha512
+ # sign openssl client public key -------------------------------------------
+ echo "signing $who openssl client public key..."
+ openssl x509 -req -in $who.req -CAkey $ca.key -CA $ca.crt -days 9999 -set_serial $RANDOM -sha512 -out $who.crt
+ cat $who.key $who.crt > $who.pem
+ chmod 600 $who.pem
+ rm -f $who.{key,req,crt}
+ echo -e "*-----\n* Client keys $who.pem successfully created.\n*-----"
+}
+srv() {
+ set -e
+ who=srv
+ rm -f $who.{pem,crt,key}
+ # create server keys -------------------------------------------------------
+ echo "creating $who server keys..."
+ openssl req -new -nodes -out $who.req -keyout $who.key -subj /CN=$who -newkey rsa:2048 -sha512
+ # sign server public key ---------------------------------------------------
+ echo "signing $who server public key..."
+ openssl x509 -req -in $who.req -CAkey $ca.key -CA $ca.crt -days 9999 -set_serial $RANDOM -sha512 -out $who.crt
+ cat $who.key $who.crt > $who.pem
+ chmod 600 $who.pem
+ rm -f $who.{key,req}
+ # upload server keys -------------------------------------------------------
+ echo "uploading $who server keys..."
+ up $who.pem
+ echo -e "*-----\n* Server keys $who.pem successfully created and uploaded.\n*-----"
+}
+up() {
+# scp -p $1 hh@hal.hh.cz:/L/dejsem/ssl/
+ echo "--->DUMMY UPLOAD<---"
+}
+
+ca=dejCA
+# bcprov od verze 149 nabízí zvláštní typ KeyStore "BKS_V1" pro zpětnou kompatibilitu
+jar=bcprov-jdk15on-150.jar
+[[ -e $jar ]] || { echo "Bouncy Castle $jar not found in current dir"; exit 1; }
+if [[ $1 == CA ]]
+then ca
+ srv
+else declare -i n=10#${1^^[a-z]}
+ if [[ $n -gt 99 ]] || [[ $n -lt 0 ]]
+ then { echo "needed 0 =< channel# < 100"; exit 1; }
+ else chan=$(printf %02d $n)
+ channel
+ fi
+fi
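Review bot: The keystore and key password in channel() is the literal `p=heslo`, reused for every channel via `-storepass:env PASS` and `-keypass:env PASS`, and it is the only protection on the client private keys in `$who.bks` and `$who.jks`, which — unlike the `.pem` files — never get a `chmod 600`. Read the password from the environment instead of the script (`: "${PASS:?keystore password not set}"` in place of `p=heslo`, dropping the `PASS=$p` prefixes) and add `chmod 600 $who.bks $who.jks` once each keystore is written. Separately, every certificate issued in ca(), channel() and srv() takes its serial from `-set_serial $RANDOM`, a 15-bit value, so two certificates from the same issuer will share a serial after a few hundred issuances and validators that key on issuer+serial may reject or confuse them; `-set_serial 0x$(openssl rand -hex 8)` gives a 64-bit serial with the same one-line change. The leaf certificates are also signed without `-extfile`, so they carry no extensions (no SAN, no EKU), which appears deliberate for a private protocol but deserves a comment next to the signing lines.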