Trang chủ Khám phá Trợ giúp
Đăng nhập
SoftwareDesign
/
csu3_am335x
8
0
Fork 0
Các tập tin Các vấn đề 0 Yêu cầu kéo về 0 Wiki
Branch: master
Branches Tags
csu3_am335x
/
EVSE
/
GPL
/
tpm2-tss-3.2.0
/
script
/
ekca
/
create_ca.sh

create_ca.sh 5.4 KB
Permalink Lịch sử Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220 
  1. #!/usr/bin/env bash
    2. 

  2. 

  3. #set -x
    4. 

  4. 

  5. #set -euf
    6. 

  6. 

  7. echo "Creating ekcert for $1 => $3"
    8. 

  8. echo "Creating ekcert for $2 => $4"
    9. 

  9. 

  10. ROOTCRT=$6.crt
    11. 

  11. ROOTCRTPEM=$6.pem
    12. 

  12. INTERMEDCRT=$5.crt
    13. 

  13. ROOTCRL=$6.crl
    14. 

  14. INTERMEDCRL=$5.crl
    15. 

  15. 

  16. OS=$(uname)
    17. 

  17. DATE_FMT_BEFORE=""
    18. 

  18. DATE_FMT_AFTER=""
    19. 

  19. SED_CMD=""
    20. 

  20. 

  21. if [ "$OS" == "Linux" ]; then
    22. 

  22.     DATE_FMT_BEFORE="+%y%m%d000000Z -u -d -1day"
    23. 

  23.     DATE_FMT_AFTER="+%y%m%d000000Z -u -d +10years+1day"
    24. 

  24.     SED_CMD="sed -i"
    25. 

  25. elif [ "$OS" == "FreeBSD" ]; then
    26. 

  26.     DATE_FMT_BEFORE="-u -v-1d +%y%m%d000000Z"
    27. 

  27.     DATE_FMT_AFTER="-u -v+10y +%y%m%d000000Z"
    28. 

  28.     SED_CMD="sed -i '' -e"
    29. 

  29. fi
    30. 

  30. 

  31. EKCADIR="$(dirname $(realpath ${0}))/"
    32. 

  32. 

  33. CA_DIR="$(mktemp -d ekca-XXXXXX)"
    34. 

  34. 

  35. pushd "$CA_DIR"
    36. 

  36. 

  37. mkdir root-ca
    38. 

  38. pushd root-ca
    39. 

  39. 

  40. mkdir certreqs certs crl newcerts private
    41. 

  41. touch root-ca.index
    42. 

  42. echo 00 > root-ca.crlnum
    43. 

  43. echo 1000 > root-ca.serial
    44. 

  44. echo "123456" > pass.txt
    45. 

  45. 

  46. cp "${EKCADIR}/root-ca.cnf" ./
    47. 

  47. export OPENSSL_CONF=./root-ca.cnf
    48. 

  48. ROOT_URL="file:$ROOTCRT"
    49. 

  49. ${SED_CMD} "s|ROOTCRT|$ROOT_URL|g" $OPENSSL_CONF
    50. 

  50. ROOT_URL="file:$ROOTCRL"
    51. 

  51. ${SED_CMD} "s|ROOTCRL|$ROOT_URL|g" $OPENSSL_CONF
    52. 

  52. openssl req -new -out root-ca.req.pem -passout file:pass.txt
    53. 

  53. 

  54. #
    55. 

  55. # Create self signed root certificate
    56. 

  56. #
    57. 

  57. 

  58. openssl ca -selfsign \
    59. 

  59.     -in root-ca.req.pem \
    60. 

  60.     -out root-ca.cert.pem \
    61. 

  61.     -extensions root-ca_ext \
    62. 

  62.     -startdate `date ${DATE_FMT_BEFORE}` \
    63. 

  63.     -enddate `date ${DATE_FMT_AFTER}` \
    64. 

  64.     -passin file:pass.txt -batch
    65. 

  65. 

  66. openssl x509 -outform der -in  root-ca.cert.pem -out root-ca.cert.crt
    67. 

  67. 

  68. openssl verify -verbose -CAfile root-ca.cert.pem \
    69. 

  69.         root-ca.cert.pem
    70. 

  70. 

  71. openssl ca -gencrl  -cert root-ca.cert.pem \
    72. 

  72.         -out root-ca.cert.crl.pem -passin file:pass.txt
    73. 

  73. openssl crl -in root-ca.cert.crl.pem -outform DER -out root-ca.cert.crl
    74. 

  74. 

  75. popd #root-ca
    76. 

  76. 

  77. #
    78. 

  78. # Create intermediate certificate
    79. 

  79. #
    80. 

  80. mkdir intermed-ca
    81. 

  81. pushd intermed-ca
    82. 

  82. 

  83. mkdir certreqs certs crl newcerts private
    84. 

  84. touch intermed-ca.index
    85. 

  85. echo 00 > intermed-ca.crlnum
    86. 

  86. echo 2000 > intermed-ca.serial
    87. 

  87. echo "abcdef" > pass.txt
    88. 

  88. 

  89. cp "${EKCADIR}/intermed-ca.cnf" ./
    90. 

  90. export OPENSSL_CONF=./intermed-ca.cnf
    91. 

  91. 

  92. # Adapt CRT URL to current test directory
    93. 

  93. ${SED_CMD} "s|ROOTCRT|$ROOT_URL|g" $OPENSSL_CONF
    94. 

  94. 

  95. openssl req -new -out intermed-ca.req.pem -passout file:pass.txt
    96. 

  96. 

  97. openssl rsa -inform PEM -in private/intermed-ca.key.pem \
    98. 

  98.         -outform DER -out private/intermed-ca.key.der -passin file:pass.txt
    99. 

  99. 

  100. cp intermed-ca.req.pem  \
    101. 

  101.    ../root-ca/certreqs/
    102. 

  102. 

  103. INTERMED_URL="file:$INTERMEDCRT"
    104. 

  104. ${SED_CMD} "s|INTERMEDCRT|$INTERMED_URL|g" $OPENSSL_CONF
    105. 

  105. 

  106. pushd ../root-ca
    107. 

  107. export OPENSSL_CONF=./root-ca.cnf
    108. 

  108. 

  109. openssl ca \
    110. 

  110.     -in certreqs/intermed-ca.req.pem \
    111. 

  111.     -out certs/intermed-ca.cert.pem \
    112. 

  112.     -extensions intermed-ca_ext \
    113. 

  113.     -startdate `date ${DATE_FMT_BEFORE}` \
    114. 

  114.     -enddate `date ${DATE_FMT_AFTER}` \
    115. 

  115.     -passin file:pass.txt -batch
    116. 

  116. 

  117. openssl x509 -outform der -in certs/intermed-ca.cert.pem \
    118. 

  118.         -out certs/intermed-ca.cert.crt
    119. 

  119. 

  120. openssl verify -verbose -CAfile root-ca.cert.pem \
    121. 

  121.         certs/intermed-ca.cert.pem
    122. 

  122. 

  123. cp certs/intermed-ca.cert.pem \
    124. 

  124.    ../intermed-ca
    125. 

  125. 

  126. cp certs/intermed-ca.cert.crt \
    127. 

  127.    ../intermed-ca
    128. 

  128. 

  129. popd #root-ca
    130. 

  130. 

  131. export OPENSSL_CONF=./intermed-ca.cnf
    132. 

  132. openssl ca -gencrl  -cert ../root-ca/certs/intermed-ca.cert.pem \
    133. 

  133.         -out intermed-ca.crl.pem -passin file:pass.txt
    134. 

  134. openssl crl -in intermed-ca.crl.pem -outform DER -out intermed-ca.crl
    135. 

  135. 

  136. popd #intermed-ca
    137. 

  137. 

  138. #
    139. 

  139. # Create RSA EK certificate
    140. 

  140. #
    141. 

  141. mkdir ek
    142. 

  142. pushd ek
    143. 

  143. 

  144. cp "${EKCADIR}/ek.cnf" ./
    145. 

  145. export OPENSSL_CONF=ek.cnf
    146. 

  146. echo "abc123" > pass.txt
    147. 

  147. 

  148. # Adapt CRT and CRL URL to current test directory
    149. 

  149. 

  150. INTERMED_URL="file:$INTERMEDCRT"
    151. 

  151. ${SED_CMD} "s|INTERMEDCRT|$INTERMED_URL|g" $OPENSSL_CONF
    152. 

  152. 

  153. INTERMED_URL="file:$INTERMEDCRL"
    154. 

  154. ${SED_CMD} "s|INTERMEDCRL|$INTERMED_URL|g" $OPENSSL_CONF
    155. 

  155. 

  156. cp "$1" ../intermed-ca/certreqs/ek.pub.pem
    157. 

  157. 

  158. openssl req -new -nodes -newkey rsa:2048 -passin file:pass.txt -out ../intermed-ca/certreqs/nonsense.csr.pem
    159. 

  159. 

  160. pushd ../intermed-ca
    161. 

  161. export OPENSSL_CONF=./intermed-ca.cnf
    162. 

  162. 

  163. openssl x509 -req -in certreqs/nonsense.csr.pem -force_pubkey certreqs/ek.pub.pem -out certs/ek.cert.der \
    164. 

  164.     -outform DER -extfile ../ek/ek.cnf -extensions ek_ext -set_serial 12345 \
    165. 

  165.     -CA intermed-ca.cert.pem -CAkey private/intermed-ca.key.pem -passin file:pass.txt
    166. 

  166. 

  167. cp certs/ek.cert.der ../ek
    168. 

  168. 

  169. popd #intermed-ca
    170. 

  170. 

  171. popd #EK
    172. 

  172. 

  173. #
    174. 

  174. # Create ECC EK Certificate
    175. 

  175. #
    176. 

  176. mkdir ekecc
    177. 

  177. pushd ekecc
    178. 

  178. 

  179. cp "${EKCADIR}/ek.cnf" ./
    180. 

  180. export OPENSSL_CONF=ek.cnf
    181. 

  181. echo "abc123" > pass.txt
    182. 

  182. 

  183. # Adapt CRT and CRL URL to current test directory
    184. 

  184. 

  185. INTERMED_URL="file:$INTERMEDCRT"
    186. 

  186. ${SED_CMD} "s|INTERMEDCRT|$INTERMED_URL|g" $OPENSSL_CONF
    187. 

  187. 

  188. INTERMED_URL="file:$INTERMEDCRL"
    189. 

  189. ${SED_CMD} "s|INTERMEDCRL|$INTERMED_URL|g" $OPENSSL_CONF
    190. 

  190. 

  191. cp "$2" ../intermed-ca/certreqs/ekecc.pub.pem
    192. 

  192. 

  193. openssl req -new -nodes -newkey rsa:2048 -passin file:pass.txt -out ../intermed-ca/certreqs/nonsense.csr.pem
    194. 

  194. 

  195. pushd ../intermed-ca
    196. 

  196. export OPENSSL_CONF=./intermed-ca.cnf
    197. 

  197. 

  198. openssl x509 -req -in certreqs/nonsense.csr.pem -force_pubkey certreqs/ekecc.pub.pem -out certs/ekecc.cert.der \
    199. 

  199.     -outform DER -extfile ../ek/ek.cnf -extensions ek_ext -set_serial 12345 \
    200. 

  200.     -CA intermed-ca.cert.pem -CAkey private/intermed-ca.key.pem -passin file:pass.txt
    201. 

  201. 

  202. cp certs/ekecc.cert.der ../ekecc
    203. 

  203. 

  204. popd #intermed-ca
    205. 

  205. 

  206. popd #EK
    207. 

  207. 

  208. popd #CA_DIR
    209. 

  209. 

  210. # Copy used CRL and CRT files to test directory.
    211. 

  211. 

  212. cp "${CA_DIR}/ek/ek.cert.der" "$3"
    213. 

  213. cp "${CA_DIR}/ekecc/ekecc.cert.der" "$4"
    214. 

  214. cp "${CA_DIR}/intermed-ca/intermed-ca.cert.crt" "$INTERMEDCRT"
    215. 

  215. cp "${CA_DIR}/intermed-ca/intermed-ca.crl" "$INTERMEDCRL"
    216. 

  216. cp "${CA_DIR}/root-ca/root-ca.cert.crt" "$ROOTCRT"
    217. 

  217. cp "${CA_DIR}/root-ca/root-ca.cert.crl" "$ROOTCRL"
    218. 

  218. cp "${CA_DIR}/root-ca/root-ca.cert.pem" "$ROOTCRTPEM"
    219. 

  219. 

  220. rm -rf $CA_DIR
    221.