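#!/bin/sh
#
# Generate a Hotspot 2.0 / OSU test PKI: Root CA, Intermediate CA, OCSP
# responder certificate, server/client/user certificates and a CRL.
#
# Every value below is a default; the getopts loop further down lets the
# command line override it (see USAGE). The output is test material: the
# CA keys are protected only by the well-known passphrase in PASS, and the
# leaf keys are written unencrypted (-nodes) later in the script.

if [ -z "$OPENSSL" ]; then
  OPENSSL=openssl
fi
export OPENSSL_CONF=$PWD/openssl.cnf
# Passphrase for the CA private keys. Later in the script it is handed to
# openssl on the command line (-passin pass:... and -key ...), so it is
# visible to other local users via ps and in the set -x trace when -D is
# given. It is also spliced into sed replacement text unescaped, so a value
# containing '/' or '&' would corrupt the generated config files.
PASS=whatever
if [ -z "$DOMAIN" ]; then
  DOMAIN=w1.fi
fi
COMPANY=w1.fi
OPER_ENG="engw1.fi TESTING USE"
OPER_FI="finw1.fi TESTIKÄYTTÖ"
CNR="Hotspot 2.0 Trust Root CA - 99"
# NOTE: these names are derived from DOMAIN *before* the command line is
# parsed, so -m alone does not change them; pass -O/-V/-o/-S as well.
CNO="ocsp.$DOMAIN"
CNV="osu-revoked.$DOMAIN"
CNOC="osu-client.$DOMAIN"
OSU_SERVER_HOSTNAME="osu.$DOMAIN"
DEBUG=0
OCSP_URI="http://$CNO:8888/"
LOGO_URI="http://osu.w1.fi/w1fi_logo.png"
LOGO_HASH256="4532f7ec36424381617c03c6ce87b55a51d6e7177ffafda243cebf280a68954d"
LOGO_HASH1="5e1d5085676eede6b02da14d31c523ec20ffba0b"

# Command line overrides. The text is built here so that the defaults shown
# in parentheses are the values in effect before any option is applied.
# Plain newlines are used (no "\n" escapes): the message is printed with
# printf '%s\n', since "echo -e" is not portable under /bin/sh.
USAGE=$( cat <<EOF
Usage:
# -c: Company name, used to generate Subject name CN for Intermediate CA
# -C: Subject name CN of the Root CA ($CNR)
# -D: Enable debugging (set -x, etc)
# -g: Logo sha1 hash ($LOGO_HASH1)
# -G: Logo sha256 hash ($LOGO_HASH256)
# -h: Show this help message
# -l: Logo URI ($LOGO_URI)
# -m: Domain ($DOMAIN)
# -o: Subject name CN for OSU-Client Server ($CNOC)
# -O: Subject name CN for OCSP Server ($CNO)
# -p: passphrase for private keys ($PASS)
# -r: Operator-english ($OPER_ENG)
# -R: Operator-finish ($OPER_FI)
# -S: OSU Server name ($OSU_SERVER_HOSTNAME)
# -u: OCSP-URI ($OCSP_URI)
# -V: Subject name CN for OSU-Revoked Server ($CNV)
EOF
)

while getopts "c:C:Dg:G:l:m:o:O:p:r:R:S:u:V:h" flag; do
  case "$flag" in
    c) COMPANY=$OPTARG ;;
    C) CNR=$OPTARG ;;
    D) DEBUG=1 ;;
    g) LOGO_HASH1=$OPTARG ;;
    G) LOGO_HASH256=$OPTARG ;;
    h) printf '%s\n' "$USAGE"; exit 0 ;;
    l) LOGO_URI=$OPTARG ;;
    m) DOMAIN=$OPTARG ;;
    o) CNOC=$OPTARG ;;
    O) CNO=$OPTARG ;;
    p) PASS=$OPTARG ;;
    r) OPER_ENG=$OPTARG ;;
    R) OPER_FI=$OPTARG ;;
    S) OSU_SERVER_HOSTNAME=$OPTARG ;;
    u) OCSP_URI=$OPTARG ;;
    V) CNV=$OPTARG ;;
    # getopts reports an unknown option as '?' in $flag and puts the actual
    # letter in OPTARG (unset for a missing option-argument), so report the
    # more useful of the two. Diagnostics go to stderr.
    *) echo "Unknown flag: ${OPTARG:-$flag}" >&2; printf '%s\n' "$USAGE" >&2; exit 1 ;;
  esac
done
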
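#######################################
# Abort the script with an error message.
# Arguments: $* - message text, joined with spaces
# Outputs:   the message on stderr (diagnostics must not mix with the
#            generated output on stdout)
# Returns:   never; exits with status 1
#######################################
fail()
{
  printf '%s\n' "$*" >&2
  exit 1
}
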
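echo
echo "---[ Root CA ]----------------------------------------------------------"
echo

# -D: trace every command. Note that the trace includes the openssl
# invocations and therefore the passphrase given with -passin/-key.
if [ "$DEBUG" = 1 ]; then
  set -x
fi

# Set the passphrase and some other common config accordingly.
# The values are substituted into sed replacement text without escaping;
# a PASS containing '/' or '&', or a URI/hash containing ',' or '&', would
# corrupt the generated config.
sed "s/@PASSWORD@/$PASS/" openssl-root.cnf > my-openssl-root.cnf \
  || fail "Failed to generate my-openssl-root.cnf"

# One sed pass with several expressions is equivalent to the chain of
# single-expression seds: each substitution is applied in order per line.
sed -e "s/@PASSWORD@/$PASS/" \
    -e "s,@OCSP_URI@,$OCSP_URI," \
    -e "s,@LOGO_URI@,$LOGO_URI," \
    -e "s,@LOGO_HASH1@,$LOGO_HASH1," \
    -e "s,@LOGO_HASH256@,$LOGO_HASH256," \
    -e "s/@DOMAIN@/$DOMAIN/" openssl.cnf > my-openssl.cnf \
  || fail "Failed to generate my-openssl.cnf"

sed "s/#@CN@/commonName_default = $CNR/" my-openssl-root.cnf > openssl.cnf.tmp \
  || fail "Failed to generate Root CA config"
mkdir -p rootCA/certs rootCA/crl rootCA/newcerts rootCA/private \
  || fail "Failed to create rootCA directories"
touch rootCA/index.txt || fail "Failed to create rootCA/index.txt"
# An existing Root CA key is reused so that re-running the script keeps the
# trust anchor stable.
if [ -e rootCA/private/cakey.pem ]; then
  echo " * Use existing Root CA"
else
  echo " * Generate Root CA private key"
  # 4096-bit RSA key. No -nodes here: the key is encrypted using whatever
  # the config (openssl-root.cnf, @PASSWORD@) does with PASS — the config
  # itself is not part of this script.
  $OPENSSL req -config openssl.cnf.tmp -batch -new -newkey rsa:4096 \
    -keyout rootCA/private/cakey.pem -out rootCA/careq.pem \
    || fail "Failed to generate Root CA private key"
  echo " * Sign Root CA certificate"
  # Self-signed with SHA-256, valid for 10957 days (about 30 years).
  $OPENSSL ca -config openssl.cnf.tmp -md sha256 -create_serial \
    -out rootCA/cacert.pem -days 10957 -batch \
    -keyfile rootCA/private/cakey.pem -passin "pass:$PASS" -selfsign \
    -extensions v3_ca -outdir rootCA/newcerts -infiles rootCA/careq.pem \
    || fail "Failed to sign Root CA certificate"
  # DER copy plus its SHA-256 fingerprint, for pinning/distribution.
  $OPENSSL x509 -in rootCA/cacert.pem -out rootCA/cacert.der -outform DER \
    || fail "Failed to create rootCA DER"
  sha256sum rootCA/cacert.der > rootCA/cacert.fingerprint \
    || fail "Failed to create rootCA fingerprint"
fi
# Initial CRL number for the Root CA database.
if [ ! -e rootCA/crlnumber ]; then
  echo 00 > rootCA/crlnumber || fail "Failed to create rootCA/crlnumber"
fi
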
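echo
echo "---[ Intermediate CA ]--------------------------------------------------"
echo

sed "s/#@CN@/commonName_default = $COMPANY Hotspot 2.0 Intermediate CA/" my-openssl.cnf \
  > openssl.cnf.tmp || fail "Failed to generate Intermediate CA config"
mkdir -p demoCA/certs demoCA/crl demoCA/newcerts demoCA/private \
  || fail "Failed to create demoCA directories"
touch demoCA/index.txt || fail "Failed to create demoCA/index.txt"
# An existing Intermediate CA key is reused on re-runs.
if [ -e demoCA/private/cakey.pem ]; then
  echo " * Use existing Intermediate CA"
else
  echo " * Generate Intermediate CA private key"
  $OPENSSL req -config openssl.cnf.tmp -batch -new -newkey rsa:2048 \
    -keyout demoCA/private/cakey.pem -out demoCA/careq.pem \
    || fail "Failed to generate Intermediate CA private key"
  echo " * Sign Intermediate CA certificate"
  # Issued by the Root CA (its key and cert), valid 3652 days (about 10
  # years). The passphrase on the command line is visible via ps.
  $OPENSSL ca -config openssl.cnf.tmp -md sha256 -create_serial \
    -out demoCA/cacert.pem -days 3652 -batch \
    -keyfile rootCA/private/cakey.pem -cert rootCA/cacert.pem \
    -passin "pass:$PASS" -extensions v3_ca -infiles demoCA/careq.pem \
    || fail "Failed to sign Intermediate CA certificate"
  # horrible from security view point, but for testing purposes since OCSP
  # responder does not seem to support -passin
  # Use $OPENSSL like every other call (the original used a bare "openssl")
  # and make a failure here fatal: a missing cakey-plain.pem would only be
  # noticed when the responder starts.
  $OPENSSL rsa -in demoCA/private/cakey.pem -out demoCA/private/cakey-plain.pem \
    -passin "pass:$PASS" || fail "Failed to write unencrypted Intermediate CA key"
  # The unencrypted CA key is the most sensitive file this script writes;
  # restrict it to the owner regardless of the umask in effect.
  chmod 600 demoCA/private/cakey-plain.pem \
    || fail "Failed to restrict permissions on cakey-plain.pem"
  $OPENSSL x509 -in demoCA/cacert.pem -out demoCA/cacert.der -outform DER \
    || fail "Failed to create demoCA DER."
  sha256sum demoCA/cacert.der > demoCA/cacert.fingerprint \
    || fail "Failed to create demoCA fingerprint"
fi
# Initial CRL number for the Intermediate CA database.
if [ ! -e demoCA/crlnumber ]; then
  echo 00 > demoCA/crlnumber || fail "Failed to create demoCA/crlnumber"
fi
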
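echo
echo "OCSP responder"
echo

# OCSP responder certificate (CN = CNO), issued by the Intermediate CA.
sed "s/#@CN@/commonName_default = $CNO/" my-openssl.cnf > openssl.cnf.tmp \
  || fail "Failed to generate OCSP responder config"
# -nodes: the responder key (ocsp.key) is written unencrypted. The request
# step previously had no error check, so a failure here only surfaced as a
# confusing error from the signing step.
$OPENSSL req -config "$PWD/openssl.cnf.tmp" -batch -new -newkey rsa:2048 -nodes \
  -out ocsp.csr -keyout ocsp.key -extensions v3_OCSP \
  || fail "Could not generate ocsp.csr"
# Valid 730 days; v3_OCSP extensions come from the config.
$OPENSSL ca -config "$PWD/openssl.cnf.tmp" -batch -md sha256 \
  -keyfile demoCA/private/cakey.pem -passin "pass:$PASS" -in ocsp.csr \
  -out ocsp.pem -days 730 -extensions v3_OCSP || fail "Could not generate ocsp.pem"
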
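echo
echo "---[ Server - to be revoked ] ------------------------------------------"
echo

# Server certificate (CN = CNV) that is issued and then immediately revoked,
# so the CRL/OCSP negative paths have something to report. None of these
# steps had an error check before; a silent failure here leaves a CRL with
# no revoked entry.
sed "s/#@CN@/commonName_default = $CNV/" my-openssl.cnf > openssl.cnf.tmp \
  || fail "Failed to generate revoked-server config"
$OPENSSL req -config "$PWD/openssl.cnf.tmp" -batch -new -newkey rsa:2048 -nodes \
  -out server-revoked.csr -keyout server-revoked.key \
  || fail "Could not create server-revoked.key"
# For "openssl ca", -key is the CA key passphrase, not a key file.
$OPENSSL ca -config "$PWD/openssl.cnf.tmp" -batch -md sha256 -in server-revoked.csr \
  -out server-revoked.pem -key "$PASS" -days 730 -extensions ext_server \
  || fail "Could not create server-revoked.pem"
# No -config here: this call relies on OPENSSL_CONF exported at the top of
# the script.
$OPENSSL ca -revoke server-revoked.pem -key "$PASS" \
  || fail "Could not revoke server-revoked.pem"
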
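echo
echo "---[ Server - with client ext key use ] ---------------------------------"
echo "---[ Only used for negative-testing for OSU-client implementation ] -----"
echo

# A certificate with the server's name (CN = CNOC) but the client extension
# set (ext_client) — deliberately the wrong extensions for a server, so an
# OSU client can be tested for rejecting it.
sed "s/#@CN@/commonName_default = $CNOC/" my-openssl.cnf > openssl.cnf.tmp \
  || fail "Failed to generate server-client config"
$OPENSSL req -config "$PWD/openssl.cnf.tmp" -batch -new -newkey rsa:2048 -nodes \
  -out server-client.csr -keyout server-client.key \
  || fail "Could not create server-client.key"
$OPENSSL ca -config "$PWD/openssl.cnf.tmp" -batch -md sha256 -in server-client.csr \
  -out server-client.pem -key "$PASS" -days 730 -extensions ext_client \
  || fail "Could not create server-client.pem"
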
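echo
echo "---[ User ]-------------------------------------------------------------"
echo

# End-user client certificate (CN = User, fixed; not overridable from the
# command line), issued with the ext_client extensions.
sed "s/#@CN@/commonName_default = User/" my-openssl.cnf > openssl.cnf.tmp \
  || fail "Failed to generate user config"
$OPENSSL req -config "$PWD/openssl.cnf.tmp" -batch -new -newkey rsa:2048 -nodes \
  -out user.csr -keyout user.key || fail "Could not create user.key"
$OPENSSL ca -config "$PWD/openssl.cnf.tmp" -batch -md sha256 -in user.csr \
  -out user.pem -key "$PASS" -days 730 -extensions ext_client \
  || fail "Could not create user.pem"
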
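echo
echo "---[ Server ]-----------------------------------------------------------"
echo

# subjectAltName for the OSU server: the DNS name plus two otherName entries
# (OID 1.3.6.1.4.1.40808.1.1.1) carrying the English and Finnish operator
# strings. It is marked critical in the config below.
ALT="DNS:$OSU_SERVER_HOSTNAME"
ALT="$ALT,otherName:1.3.6.1.4.1.40808.1.1.1;UTF8String:$OPER_ENG"
ALT="$ALT,otherName:1.3.6.1.4.1.40808.1.1.1;UTF8String:$OPER_FI"

# Enable the OU field, set its default and inject the SAN. As elsewhere the
# values are unescaped sed replacement text: a '/' or '&' in the hostname or
# operator strings would corrupt the config.
sed -e "s/#@CN@/commonName_default = $OSU_SERVER_HOSTNAME/" \
    -e "s/^##organizationalUnitName/organizationalUnitName/" \
    -e "s/#@OU@/organizationalUnitName_default = Hotspot 2.0 Online Sign Up Server/" \
    -e "s/#@ALTNAME@/subjectAltName=critical,$ALT/" my-openssl.cnf \
  > openssl.cnf.tmp || fail "Failed to generate OSU server config"
# Print the exact request command so it appears in the log before running it.
echo $OPENSSL req -config "$PWD/openssl.cnf.tmp" -batch -sha256 -new -newkey rsa:2048 -nodes -out server.csr -keyout server.key -reqexts v3_osu_server
$OPENSSL req -config "$PWD/openssl.cnf.tmp" -batch -sha256 -new -newkey rsa:2048 -nodes \
  -out server.csr -keyout server.key -reqexts v3_osu_server \
  || fail "Failed to generate server request"
$OPENSSL ca -config "$PWD/openssl.cnf.tmp" -batch -md sha256 -in server.csr \
  -out server.pem -key "$PASS" -days 730 -extensions ext_server \
  -policy policy_osu_server || fail "Failed to sign server certificate"

# Dump logotype details for debugging. Best effort by design: the extraction
# presumably relies on the logotype data being the last HEX string in the
# asn1parse output, and it needs xxd; a failure here does not abort the
# script. Uses $OPENSSL consistently (the original called a bare "openssl").
$OPENSSL x509 -in server.pem -out server.der -outform DER
$OPENSSL asn1parse -in server.der -inform DER | grep HEX | tail -1 | sed 's/.*://' | xxd -r -p > logo.der
$OPENSSL asn1parse -in logo.der -inform DER > logo.asn1
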
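echo
echo "---[ CRL ]---------------------------------------------------------------"
echo

# CRL for the Intermediate CA; it should list server-revoked.pem. A failed
# CRL generation was previously silent.
$OPENSSL ca -config "$PWD/my-openssl.cnf" -gencrl -md sha256 \
  -out demoCA/crl/crl.pem -passin "pass:$PASS" || fail "Failed to generate CRL"

echo
echo "---[ Verify ]------------------------------------------------------------"
echo

# Chain checks only (no -crl_check), so server-revoked.pem is expected to
# verify here as well. The intermediate is checked against the root, then
# every certificate in the working directory against both.
$OPENSSL verify -CAfile rootCA/cacert.pem demoCA/cacert.pem \
  || fail "Intermediate CA does not verify against Root CA"
$OPENSSL verify -CAfile rootCA/cacert.pem -untrusted demoCA/cacert.pem *.pem \
  || fail "Certificate verification failed"

# Combined CA bundle (Root followed by Intermediate).
cat rootCA/cacert.pem demoCA/cacert.pem > ca.pem || fail "Failed to write ca.pem"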