Training courses

Kernel and Embedded Linux

Bootlin training courses

Embedded Linux, kernel,
Yocto Project, Buildroot, real-time,
graphics, boot time, debugging...

Bootlin logo

Elixir Cross Referencer

#!/bin/sh
# Id
#
# This script need openssl 0.9.8a or newer, so it can parse the
# otherName section for pkinit certificates.
#

openssl=openssl

gen_cert()
{
	keytype=${6:-rsa:1024}
	${openssl} req \
		-new \
		-subj "$1" \
		-config openssl.cnf \
		-newkey $keytype \
		-sha1 \
		-nodes \
		-keyout out.key \
		-out cert.req > /dev/null 2>/dev/null

        if [ "$3" = "ca" ] ; then
	    ${openssl} x509 \
		-req \
		-days 3650 \
		-in cert.req \
		-extfile openssl.cnf \
		-extensions $4 \
                -signkey out.key \
		-out cert.crt

		ln -s ca.crt `${openssl} x509 -hash -noout -in cert.crt`.0

		name=$3

        elif [ "$3" = "proxy" ] ; then

	    ${openssl} x509 \
		-req \
		-in cert.req \
		-days 3650 \
		-out cert.crt \
		-CA $2.crt \
		-CAkey $2.key \
		-CAcreateserial \
		-extfile openssl.cnf \
		-extensions $4

		name=$5
	else

	    ${openssl} ca \
		-name $4 \
		-days 3650 \
		-cert $2.crt \
		-keyfile $2.key \
		-in cert.req \
		-out cert.crt \
		-outdir . \
		-batch \
		-config openssl.cnf 

		name=$3
	fi

	mv cert.crt $name.crt
	mv out.key $name.key
}

echo "01" > serial
> index.txt
rm -f *.0

gen_cert "/CN=hx509 Test Root CA/C=SE" "root" "ca" "v3_ca"
gen_cert "/CN=OCSP responder/C=SE" "ca" "ocsp-responder" "ocsp"
gen_cert "/CN=Test cert/C=SE" "ca" "test" "usr"
gen_cert "/CN=Revoke cert/C=SE" "ca" "revoke" "usr"
gen_cert "/CN=Test cert KeyEncipherment/C=SE" "ca" "test-ke-only" "usr_ke"
gen_cert "/CN=Test cert DigitalSignature/C=SE" "ca" "test-ds-only" "usr_ds"
gen_cert "/CN=pkinit/C=SE" "ca" "pkinit" "pkinit_client"
$openssl ecparam -name secp256r1 -out eccurve.pem
gen_cert "/CN=pkinit-ec/C=SE" "ca" "pkinit-ec" "pkinit_client" "XXX" ec:eccurve.pem
gen_cert "/C=SE/CN=pkinit/CN=pkinit-proxy" "pkinit" "proxy" "proxy_cert" pkinit-proxy
gen_cert "/CN=kdc/C=SE" "ca" "kdc" "pkinit_kdc"
gen_cert "/CN=www.test.h5l.se/C=SE" "ca" "https" "https"
gen_cert "/CN=Sub CA/C=SE" "ca" "sub-ca" "subca"
gen_cert "/CN=Test sub cert/C=SE" "sub-ca" "sub-cert" "usr"
gen_cert "/C=SE/CN=Test cert/CN=proxy" "test" "proxy" "proxy_cert" proxy-test
gen_cert "/C=SE/CN=Test cert/CN=proxy/CN=child" "proxy-test" "proxy" "proxy_cert" proxy-level-test
gen_cert "/C=SE/CN=Test cert/CN=no-proxy" "test" "proxy" "usr_cert" no-proxy-test
gen_cert "/C=SE/CN=Test cert/CN=proxy10" "test" "proxy" "proxy10_cert" proxy10-test
gen_cert "/C=SE/CN=Test cert/CN=proxy10/CN=child" "proxy10-test" "proxy" "proxy10_cert" proxy10-child-test
gen_cert "/C=SE/CN=Test cert/CN=proxy10/CN=child/CN=child" "proxy10-child-test" "proxy" "proxy10_cert" proxy10-child-child-test


# combine
cat sub-ca.crt ca.crt > sub-ca-combined.crt
cat test.crt test.key > test.combined.crt
cat pkinit-proxy.crt pkinit.crt > pkinit-proxy-chain.crt

# password protected key
${openssl} rsa -in test.key -aes256 -passout pass:foobar -out test-pw.key
${openssl} rsa -in pkinit.key -aes256 -passout pass:foo -out pkinit-pw.key


${openssl} ca \
    -name usr \
    -cert ca.crt \
    -keyfile ca.key \
    -revoke revoke.crt \
    -config openssl.cnf 

${openssl} pkcs12 \
    -export \
    -in test.crt \
    -inkey test.key \
    -passout pass:foobar \
    -out test.p12 \
    -name "friendlyname-test" \
    -certfile ca.crt \
    -caname ca

${openssl} pkcs12 \
    -export \
    -in sub-cert.crt \
    -inkey sub-cert.key \
    -passout pass:foobar \
    -out sub-cert.p12 \
    -name "friendlyname-sub-cert" \
    -certfile sub-ca-combined.crt \
    -caname sub-ca \
    -caname ca

${openssl} pkcs12 \
    -keypbe NONE \
    -certpbe NONE \
    -export \
    -in test.crt \
    -inkey test.key \
    -passout pass:foobar \
    -out test-nopw.p12 \
    -name "friendlyname-cert" \
    -certfile ca.crt \
    -caname ca

${openssl} smime \
    -sign \
    -nodetach \
    -binary \
    -in static-file \
    -signer test.crt \
    -inkey test.key \
    -outform DER \
    -out test-signed-data

${openssl} smime \
    -sign \
    -nodetach \
    -binary \
    -in static-file \
    -signer test.crt \
    -inkey test.key \
    -noattr \
    -outform DER \
    -out test-signed-data-noattr

${openssl} smime \
    -sign \
    -nodetach \
    -binary \
    -in static-file \
    -signer test.crt \
    -inkey test.key \
    -noattr \
    -nocerts \
    -outform DER \
    -out test-signed-data-noattr-nocerts

${openssl} smime \
    -sign \
    -md sha1 \
    -nodetach \
    -binary \
    -in static-file \
    -signer test.crt \
    -inkey test.key \
    -outform DER \
    -out test-signed-sha-1

${openssl} smime \
    -sign \
    -md sha256 \
    -nodetach \
    -binary \
    -in static-file \
    -signer test.crt \
    -inkey test.key \
    -outform DER \
    -out test-signed-sha-256

${openssl} smime \
    -sign \
    -md sha512 \
    -nodetach \
    -binary \
    -in static-file \
    -signer test.crt \
    -inkey test.key \
    -outform DER \
    -out test-signed-sha-512


${openssl} smime \
    -encrypt \
    -nodetach \
    -binary \
    -in static-file \
    -outform DER \
    -out test-enveloped-rc2-40 \
    -rc2-40 \
    test.crt

${openssl} smime \
    -encrypt \
    -nodetach \
    -binary \
    -in static-file \
    -outform DER \
    -out test-enveloped-rc2-64 \
    -rc2-64 \
    test.crt

${openssl} smime \
    -encrypt \
    -nodetach \
    -binary \
    -in static-file \
    -outform DER \
    -out test-enveloped-rc2-128 \
    -rc2-128 \
    test.crt

${openssl} smime \
    -encrypt \
    -nodetach \
    -binary \
    -in static-file \
    -outform DER \
    -out test-enveloped-des \
    -des \
    test.crt

${openssl} smime \
    -encrypt \
    -nodetach \
    -binary \
    -in static-file \
    -outform DER \
    -out test-enveloped-des-ede3 \
    -des3 \
    test.crt

${openssl} smime \
    -encrypt \
    -nodetach \
    -binary \
    -in static-file \
    -outform DER \
    -out test-enveloped-aes-128 \
    -aes128 \
    test.crt

${openssl} smime \
    -encrypt \
    -nodetach \
    -binary \
    -in static-file \
    -outform DER \
    -out test-enveloped-aes-256 \
    -aes256 \
    test.crt

echo ocsp requests

${openssl} ocsp \
    -issuer ca.crt \
    -cert test.crt \
    -reqout ocsp-req1.der

${openssl} ocsp \
    -index index.txt \
    -rsigner ocsp-responder.crt \
    -rkey ocsp-responder.key \
    -CA ca.crt \
    -reqin ocsp-req1.der \
    -noverify \
    -respout ocsp-resp1-ocsp.der

${openssl} ocsp \
    -index index.txt \
    -rsigner ca.crt \
    -rkey ca.key \
    -CA ca.crt \
    -reqin ocsp-req1.der \
    -noverify \
    -respout ocsp-resp1-ca.der

${openssl} ocsp \
    -index index.txt \
    -rsigner ocsp-responder.crt \
    -rkey ocsp-responder.key \
    -CA ca.crt \
    -resp_no_certs \
    -reqin ocsp-req1.der \
    -noverify \
    -respout ocsp-resp1-ocsp-no-cert.der

${openssl} ocsp \
    -index index.txt \
    -rsigner ocsp-responder.crt \
    -rkey ocsp-responder.key \
    -CA ca.crt \
    -reqin ocsp-req1.der \
    -resp_key_id \
    -noverify \
    -respout ocsp-resp1-keyhash.der

${openssl} ocsp \
    -issuer ca.crt \
    -cert revoke.crt \
    -reqout ocsp-req2.der

${openssl} ocsp \
    -index index.txt \
    -rsigner ocsp-responder.crt \
    -rkey ocsp-responder.key \
    -CA ca.crt \
    -reqin ocsp-req2.der \
    -noverify \
    -respout ocsp-resp2.der

${openssl} ca \
    -gencrl \
    -name usr \
    -crldays 3600 \
    -keyfile ca.key \
    -cert ca.crt \
    -crl_reason superseded \
    -out crl1.crl \
    -config openssl.cnf 

${openssl} crl -in crl1.crl -outform der -out crl1.der