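#!/bin/sh
#
# Build a Hotspot 2.0 test PKI in the current directory:
#   rootCA/          - self-signed Root CA (RSA 4096, 10957 days)
#   demoCA/          - Intermediate CA signed by the Root CA (RSA 2048, 3652 days)
#   ocsp.*           - OCSP responder certificate (v3_OCSP extensions)
#   server-revoked.* - server certificate that is revoked right after signing
#   server-client.*  - server certificate carrying client extensions
#                      (only for negative testing of OSU-client implementations)
#   user.*           - client certificate
#   server.*         - OSU server certificate with subjectAltName and logotype
#   demoCA/crl/crl.pem and ca.pem (Root CA + Intermediate CA bundle)
#
# The templates openssl-root.cnf and openssl.cnf must contain the
# @PASSWORD@, @OCSP_URI@, @LOGO_URI@, @LOGO_HASH1@, @LOGO_HASH256@, @DOMAIN@,
# #@CN@, #@OU@, #@ALTNAME@ and ##organizationalUnitName markers that are
# substituted below; the instantiated copies are my-openssl-root.cnf,
# my-openssl.cnf and the per-certificate openssl.cnf.tmp.
#
# Test-only PKI: the private-key passphrase is written into the generated
# my-openssl*.cnf files and the Intermediate CA key is additionally stored
# unencrypted (see the OCSP responder section).

# Environment overrides. OPENSSL may carry extra arguments, so it is
# intentionally expanded unquoted wherever it is invoked.
if [ -z "$OPENSSL" ]; then
	OPENSSL=openssl
fi
# Commands run without an explicit -config (the revoke step) use this file.
export OPENSSL_CONF="$PWD/openssl.cnf"
PASS=whatever
if [ -z "$DOMAIN" ]; then
	DOMAIN=w1.fi
fi
COMPANY=w1.fi
OPER_ENG="engw1.fi TESTING USE"
OPER_FI="finw1.fi TESTIKYTT"
CNR="Hotspot 2.0 Trust Root CA - 99"
# The CN defaults below are derived from DOMAIN now; -m only changes the
# @DOMAIN@ substitution and does not recompute them.
CNO="ocsp.$DOMAIN"
CNV="osu-revoked.$DOMAIN"
CNOC="osu-client.$DOMAIN"
OSU_SERVER_HOSTNAME="osu.$DOMAIN"
DEBUG=0
OCSP_URI="http://$CNO:8888/"
LOGO_URI="http://osu.w1.fi/w1fi_logo.png"
LOGO_HASH256="4532f7ec36424381617c03c6ce87b55a51d6e7177ffafda243cebf280a68954d"
LOGO_HASH1="5e1d5085676eede6b02da14d31c523ec20ffba0b"

# Command line overrides. The values shown are the defaults in effect
# before option parsing.
USAGE=$( cat <<EOF
Usage:
# -c: Company name, used to generate Subject name CN for Intermediate CA
# -C: Subject name CN of the Root CA ($CNR)
# -D: Enable debugging (set -x, etc)
# -g: Logo sha1 hash ($LOGO_HASH1)
# -G: Logo sha256 hash ($LOGO_HASH256)
# -h: Show this help message
# -l: Logo URI ($LOGO_URI)
# -m: Domain ($DOMAIN)
# -o: Subject name CN for OSU-Client Server ($CNOC)
# -O: Subject name CN for OCSP Server ($CNO)
# -p: passphrase for private keys ($PASS)
# -r: Operator-english ($OPER_ENG)
# -R: Operator-finish ($OPER_FI)
# -S: OSU Server name ($OSU_SERVER_HOSTNAME)
# -u: OCSP-URI ($OCSP_URI)
# -V: Subject name CN for OSU-Revoked Server ($CNV)
EOF
)

while getopts "c:C:Dg:G:l:m:o:O:p:r:R:S:u:V:h" flag
do
	case "$flag" in
	c) COMPANY=$OPTARG;;
	C) CNR=$OPTARG;;
	D) DEBUG=1;;
	g) LOGO_HASH1=$OPTARG;;
	G) LOGO_HASH256=$OPTARG;;
	h) printf '%s\n' "$USAGE"; exit 0;;
	l) LOGO_URI=$OPTARG;;
	m) DOMAIN=$OPTARG;;
	o) CNOC=$OPTARG;;
	O) CNO=$OPTARG;;
	p) PASS=$OPTARG;;
	r) OPER_ENG=$OPTARG;;
	R) OPER_FI=$OPTARG;;
	S) OSU_SERVER_HOSTNAME=$OPTARG;;
	u) OCSP_URI=$OPTARG;;
	V) CNV=$OPTARG;;
	*) printf 'Unknown flag: %s\n' "$flag" >&2; printf '%s\n' "$USAGE" >&2; exit 1;;
	esac
done
# The passphrase is handed to openssl as "-passin env:PASS" so that it does
# not appear in the process argument list or in the set -x trace of the
# openssl invocations.
export PASS

# Print an error message to stderr and abort the script.
fail()
{
	printf '%s\n' "$*" >&2
	exit 1
}

# Write openssl.cnf.tmp from template $1 with the #@CN@ marker replaced by a
# commonName_default line for $2. $2 is used verbatim inside a sed
# expression, so values containing '/', '&' or '\' are not supported.
set_cn()
{
	sed "s/#@CN@/commonName_default = $2/" "$1" > openssl.cnf.tmp ||
		fail "Failed to create openssl.cnf.tmp for CN '$2'"
}

echo
echo "---[ Root CA ]----------------------------------------------------------"
echo

if [ "$DEBUG" = 1 ]; then
	# The trace still exposes the passphrase in the sed substitutions below.
	set -x
fi

# Instantiate the configuration templates with the passphrase and the other
# common settings. The substituted values are used verbatim inside sed
# expressions (delimiter '/' or ','), so values containing the delimiter,
# '&' or '\' are not supported.
sed "s/@PASSWORD@/$PASS/" openssl-root.cnf > my-openssl-root.cnf ||
	fail "Failed to create my-openssl-root.cnf"

sed "s/@PASSWORD@/$PASS/" openssl.cnf |
	sed "s,@OCSP_URI@,$OCSP_URI," |
	sed "s,@LOGO_URI@,$LOGO_URI," |
	sed "s,@LOGO_HASH1@,$LOGO_HASH1," |
	sed "s,@LOGO_HASH256@,$LOGO_HASH256," |
	sed "s/@DOMAIN@/$DOMAIN/" > my-openssl.cnf ||
	fail "Failed to create my-openssl.cnf"

set_cn my-openssl-root.cnf "$CNR"
mkdir -p rootCA/certs rootCA/crl rootCA/newcerts rootCA/private ||
	fail "Failed to create rootCA directories"
touch rootCA/index.txt
if [ -e rootCA/private/cakey.pem ]; then
	# An existing Root CA key is reused so repeated runs keep the same trust root.
	echo " * Use existing Root CA"
else
	echo " * Generate Root CA private key"
	$OPENSSL req -config openssl.cnf.tmp -batch -new -newkey rsa:4096 -keyout rootCA/private/cakey.pem -out rootCA/careq.pem || fail "Failed to generate Root CA private key"
	echo " * Sign Root CA certificate"
	$OPENSSL ca -config openssl.cnf.tmp -md sha256 -create_serial -out rootCA/cacert.pem -days 10957 -batch -keyfile rootCA/private/cakey.pem -passin env:PASS -selfsign -extensions v3_ca -outdir rootCA/newcerts -infiles rootCA/careq.pem || fail "Failed to sign Root CA certificate"
	$OPENSSL x509 -in rootCA/cacert.pem -out rootCA/cacert.der -outform DER || fail "Failed to create rootCA DER"
	sha256sum rootCA/cacert.der > rootCA/cacert.fingerprint || fail "Failed to create rootCA fingerprint"
fi
if [ ! -e rootCA/crlnumber ]; then
	echo 00 > rootCA/crlnumber
fi

echo
echo "---[ Intermediate CA ]--------------------------------------------------"
echo

set_cn my-openssl.cnf "$COMPANY Hotspot 2.0 Intermediate CA"
mkdir -p demoCA/certs demoCA/crl demoCA/newcerts demoCA/private ||
	fail "Failed to create demoCA directories"
touch demoCA/index.txt
if [ -e demoCA/private/cakey.pem ]; then
	echo " * Use existing Intermediate CA"
else
	echo " * Generate Intermediate CA private key"
	$OPENSSL req -config openssl.cnf.tmp -batch -new -newkey rsa:2048 -keyout demoCA/private/cakey.pem -out demoCA/careq.pem || fail "Failed to generate Intermediate CA private key"
	echo " * Sign Intermediate CA certificate"
	$OPENSSL ca -config openssl.cnf.tmp -md sha256 -create_serial -out demoCA/cacert.pem -days 3652 -batch -keyfile rootCA/private/cakey.pem -cert rootCA/cacert.pem -passin env:PASS -extensions v3_ca -infiles demoCA/careq.pem || fail "Failed to sign Intermediate CA certificate"
	# Bad from a security point of view, but this is a test PKI: the OCSP
	# responder does not seem to support -passin, so it needs the
	# Intermediate CA key in unencrypted form.
	$OPENSSL rsa -in demoCA/private/cakey.pem -out demoCA/private/cakey-plain.pem -passin env:PASS || fail "Failed to write unencrypted Intermediate CA key"
	$OPENSSL x509 -in demoCA/cacert.pem -out demoCA/cacert.der -outform DER || fail "Failed to create demoCA DER."
	sha256sum demoCA/cacert.der > demoCA/cacert.fingerprint || fail "Failed to create demoCA fingerprint"
fi
if [ ! -e demoCA/crlnumber ]; then
	echo 00 > demoCA/crlnumber
fi

echo
echo "OCSP responder"
echo

set_cn my-openssl.cnf "$CNO"
$OPENSSL req -config "$PWD/openssl.cnf.tmp" -batch -new -newkey rsa:2048 -nodes -out ocsp.csr -keyout ocsp.key -extensions v3_OCSP || fail "Could not generate ocsp.csr"
$OPENSSL ca -config "$PWD/openssl.cnf.tmp" -batch -md sha256 -keyfile demoCA/private/cakey.pem -passin env:PASS -in ocsp.csr -out ocsp.pem -days 730 -extensions v3_OCSP || fail "Could not generate ocsp.pem"

echo
echo "---[ Server - to be revoked ] ------------------------------------------"
echo

set_cn my-openssl.cnf "$CNV"
$OPENSSL req -config "$PWD/openssl.cnf.tmp" -batch -new -newkey rsa:2048 -nodes -out server-revoked.csr -keyout server-revoked.key || fail "Could not create server-revoked.key"
$OPENSSL ca -config "$PWD/openssl.cnf.tmp" -batch -md sha256 -in server-revoked.csr -out server-revoked.pem -passin env:PASS -days 730 -extensions ext_server || fail "Could not create server-revoked.pem"
# No -config here: this call uses OPENSSL_CONF exported at the top.
$OPENSSL ca -revoke server-revoked.pem -passin env:PASS || fail "Could not revoke server-revoked.pem"

echo
echo "---[ Server - with client ext key use ] ---------------------------------"
echo "---[ Only used for negative-testing for OSU-client implementation ] -----"
echo

set_cn my-openssl.cnf "$CNOC"
$OPENSSL req -config "$PWD/openssl.cnf.tmp" -batch -new -newkey rsa:2048 -nodes -out server-client.csr -keyout server-client.key || fail "Could not create server-client.key"
$OPENSSL ca -config "$PWD/openssl.cnf.tmp" -batch -md sha256 -in server-client.csr -out server-client.pem -passin env:PASS -days 730 -extensions ext_client || fail "Could not create server-client.pem"

echo
echo "---[ User ]-------------------------------------------------------------"
echo

set_cn my-openssl.cnf "User"
$OPENSSL req -config "$PWD/openssl.cnf.tmp" -batch -new -newkey rsa:2048 -nodes -out user.csr -keyout user.key || fail "Could not create user.key"
$OPENSSL ca -config "$PWD/openssl.cnf.tmp" -batch -md sha256 -in user.csr -out user.pem -passin env:PASS -days 730 -extensions ext_client || fail "Could not create user.pem"

echo
echo "---[ Server ]-----------------------------------------------------------"
echo

# subjectAltName for the OSU server: the host name plus the English and
# Finnish operator names as otherName entries.
ALT="DNS:$OSU_SERVER_HOSTNAME"
ALT="$ALT,otherName:1.3.6.1.4.1.40808.1.1.1;UTF8String:$OPER_ENG"
ALT="$ALT,otherName:1.3.6.1.4.1.40808.1.1.1;UTF8String:$OPER_FI"

# The server config additionally enables the OU field and the critical
# subjectAltName, so it is built here instead of via set_cn.
sed "s/#@CN@/commonName_default = $OSU_SERVER_HOSTNAME/" my-openssl.cnf |
	sed "s/^##organizationalUnitName/organizationalUnitName/" |
	sed "s/#@OU@/organizationalUnitName_default = Hotspot 2.0 Online Sign Up Server/" |
	sed "s/#@ALTNAME@/subjectAltName=critical,$ALT/" > openssl.cnf.tmp ||
	fail "Failed to create openssl.cnf.tmp for the OSU server"
# Echo the request command so the exact invocation is visible in the log.
echo "$OPENSSL req -config $PWD/openssl.cnf.tmp -batch -sha256 -new -newkey rsa:2048 -nodes -out server.csr -keyout server.key -reqexts v3_osu_server"
$OPENSSL req -config "$PWD/openssl.cnf.tmp" -batch -sha256 -new -newkey rsa:2048 -nodes -out server.csr -keyout server.key -reqexts v3_osu_server || fail "Failed to generate server request"
$OPENSSL ca -config "$PWD/openssl.cnf.tmp" -batch -md sha256 -in server.csr -out server.pem -passin env:PASS -days 730 -extensions ext_server -policy policy_osu_server || fail "Failed to sign server certificate"

# Dump logotype details for debugging. Best effort: the last HEX dump in the
# ASN.1 listing is assumed to be the logotype payload, and failures here do
# not abort the run.
$OPENSSL x509 -in server.pem -out server.der -outform DER
$OPENSSL asn1parse -in server.der -inform DER | grep HEX | tail -1 | sed 's/.*://' | xxd -r -p > logo.der
$OPENSSL asn1parse -in logo.der -inform DER > logo.asn1


echo
echo "---[ CRL ]---------------------------------------------------------------"
echo

$OPENSSL ca -config "$PWD/my-openssl.cnf" -gencrl -md sha256 -out demoCA/crl/crl.pem -passin env:PASS || fail "Failed to generate CRL"

echo
echo "---[ Verify ]------------------------------------------------------------"
echo

# Verification output is informational (no CRL check, so the revoked server
# certificate still verifies); a failure here does not abort the run so the
# bundle below is still produced.
$OPENSSL verify -CAfile rootCA/cacert.pem demoCA/cacert.pem
$OPENSSL verify -CAfile rootCA/cacert.pem -untrusted demoCA/cacert.pem *.pem

cat rootCA/cacert.pem demoCA/cacert.pem > ca.pem || fail "Failed to create ca.pem"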