[direct-certificate-discovery-tool] r417 committed - Initial commit of certificate generation script and its helper scripts...

Dec 5, 2012, 4:53:46 PM12/5/12
to modular-sp...@googlegroups.com
Revision: 417
Author: michal....@esacinc.com
Date: Wed Dec 5 13:53:22 2012
Log: Initial commit of certificate generation script and its helper
scripts + configuration files.

http://code.google.com/p/direct-certificate-discovery-tool/source/detail?r=417

Added:
/MSP3_Tool_Production/tools
/MSP3_Tool_Production/tools/bin
/MSP3_Tool_Production/tools/bin/certgen.sh
/MSP3_Tool_Production/tools/lib
/MSP3_Tool_Production/tools/lib/certgen
/MSP3_Tool_Production/tools/lib/certgen/certgen-lib.sh
/MSP3_Tool_Production/tools/lib/certgen/certgen.properties
/MSP3_Tool_Production/tools/lib/certgen/openssl-certgen.cnf

=======================================
--- /dev/null
+++ /MSP3_Tool_Production/tools/bin/certgen.sh Wed Dec 5 13:53:22 2012
@@ -0,0 +1,228 @@
+#!/bin/bash
+
+# Checking Bash version - at least version 3.2 is required for regex
expansion, etc.
+(( (${BASH_VERSINFO[0]} > 3) || (${BASH_VERSINFO[1]} >= 2) ))
&>"/dev/null" || \
+ { echo "Bash version >= 3.2 is required. Current version: $BASH_VERSION"
&& exit 1; }
+
+shopt -s "expand_aliases"
+shopt -s "extglob"
+
+# readlink on Mac platforms is not a builtin - aliasing 'greadlink' instead
+! { [[ "$OSTYPE" =~ *darwin* ]] && type -a "greadlink" &>"/dev/null"; } ||
\
+ alias readlink='greadlink'
+
+# Filesystem constants
+declare -a CERTGEN_LIB_SCRIPT_FILE_NAMES=(\
+ "certgen-lib.sh"
+)
+
+# Determining filesystem variables
+certgenBinFile="$(readlink -f "$BASH_SOURCE")"
+certgenBinFileName="$(basename "$certgenBinFile")"
+toolsBinDir="$(dirname "$certgenBinFile")"
+toolsDir="$(dirname "$toolsBinDir")"
+toolsLibDir="$toolsDir/lib"
+certgenLibDir="$toolsLibDir/certgen"
+certgenOpensslConfFile="$certgenLibDir/openssl-certgen.cnf"
+certgenPropsFile="$certgenLibDir/certgen.properties"
+projectDir="$(dirname "$toolsDir")"
+targetDir="$projectDir/target"
+certgenOutDir="$targetDir/certgen"
+
+# Sanity checks and sourcing library scripts
+[ -e "$certgenLibDir" ] || { echo "Certificate generator library directory
does not exist: $certgenLibDir" && exit 1; }
+[ -d "$certgenLibDir" ] || { echo "Certificate generator library directory
path is not a directory: $certgenLibDir" && exit 1; }
+[ -r "$certgenLibDir" ] || { echo "Certificate generator library directory
is not readable: $certgenLibDir" && exit 1; }
+
+for certgenLibScriptFileName in ${CERTGEN_LIB_SCRIPT_FILE_NAMES[@]}; do
+ certgenLibScriptFile="$certgenLibDir/$certgenLibScriptFileName"
+
+ [ -e "$certgenLibScriptFile" ] || { echo "Certificate generator library
script file does not exist: $certgenLibScriptFile" && exit 1; }
+ [ -f "$certgenLibScriptFile" ] || { echo "Certificate generator library
script file path is not a file: $certgenLibScriptFile" && exit 1; }
+ [ -r "$certgenLibScriptFile" ] || { echo "Certificate generator library
script is not readable: $certgenLibScriptFile" && exit 1; }
+
+ source "$certgenLibScriptFile" || { echo "Unable to source certificate
generator library script: $certgenLibScriptFile" && exit 1; }
+done
+
+[ -e "$certgenOpensslConfFile" ] || { echo "Certificate generator OpenSSL
configuration file does not exist: $certgenOpensslConfFile" && exit 1; }
+[ -f "$certgenOpensslConfFile" ] || { echo "Certificate generator OpenSSL
configuration file path is not a file: $certgenOpensslConfFile" && exit 1; }
+[ -r "$certgenOpensslConfFile" ] || { echo "Certificate generator OpenSSL
configuration is not readable: $certgenOpensslConfFile" && exit 1; }
+
+[ -e "$certgenPropsFile" ] || { echo "Certificate generator properties
file does not exist: $certgenPropsFile" && exit 1; }
+[ -f "$certgenPropsFile" ] || { echo "Certificate generator properties
file path is not a file: $certgenPropsFile" && exit 1; }
+[ -r "$certgenPropsFile" ] || { echo "Certificate generator properties is
not readable: $certgenPropsFile" && exit 1; }
+
+# Parsing cmdline arguments
+domain=
+declare -i clean=$UNKNOWN
+declare -i help=$FALSE
+outDir=
+
+# Storing # of cmdline arguments before they are reset
+declare -i numArgs=$#
+
+eval set "--" "$(getopt -a -o "-"
-l "c,clean,d:,domain:,help,o:,outdir:" "--" "$@")"
+
+while true; do
+ case "$1" in
+ "--c"|"--clean")
+ clean=$TRUE
+ shift
+ ;;
+
+ "+c")
+ clean=$FALSE
+ shift
+ ;;
+
+ "--d"|"--domain")
+ domain="$2"
+ shift 2
+ ;;
+
+ "--help")
+ help=$TRUE
+ shift
+ ;;
+
+ "--o"|"--outdir")
+ outDir="$2"
+ shift 2
+ ;;
+
+ "--")
+ shift
+ break
+ ;;
+
+ *)
+ break
+ ;;
+ esac
+done
+
+# Printing help and exiting if explicitely invoked or no cmdline arguments
were provided
+if (( ($numArgs == 0) || $help)); then
+ cat <<-EOF
+ Usage: $certgenBinFileName [-c|+c|--clean] -d|--domain <name> [-o|
--outdir <dir>]
+ $certgenBinFileName --help
+
+ -c|+c|--clean optional, remove existing output directory
without prompting
+ -d|--domain <name> domain name to use
+ --help show this help information
+ -o|--outdir <dir> optional, directory to output to, default:
<project basedir>/target/certgen/<domain name>
+EOF
+
+ exit
+fi
+
+# Sanity checking domain
+! [[ "$domain" =~ ^[[:space:]]*$ ]] || { echo "A domain must be
specified." && exit 1; }
+[[ "$domain" =~ ^[[:alnum:]._\-]+$ ]] || { echo "Domain is invalid:
$domain" && exit 1; }
+
+# Determing / sanity checking output directory
+! [[ "$outDir" =~ ^[[:space:]]*$ ]] || outDir="$certgenOutDir/$domain"
+
+# Making sure output directory path is absolute
+[[ "$outDir" =~ ^/ ]] || outDir="$toolsBinDir/$outDir"
+
+if [ -e "$outDir" ]; then
+ [ -d "$outDir" ] || { echo "Output directory path is not a directory:
$outDir" && exit 1; }
+
+ {
+ (($clean != $TRUE)) && \
+ read -p "Output directory ($outDir) exists.${NEWLINE}Remove [Y(ES)/n(o)]
it?: " "rmOutDir" && \
+ [[ ( "${rmOutDir,,}" == "n" ) || ( "${rmOutDir,,}" == "no" ) ]]
+ } || \
+ {
+ { rm -r "$outDir" && echo "Removed output directory: $outDir"; } || exit;
+ }
+fi
+
+# Sanity checking output directory
+[ -e "$outDir" ] || { { mkdir -p "$outDir" && echo "(Re)created output
directory: $outDir"; } || exit; }
+[ -w "$outDir" ] || { echo "Output directory is not writeable: $outDir" &&
exit 1; }
+
+caOutDir="$outDir/ca"
+
+# Sanity checking Certificate Authority (CA) output directory
+[ -e "$caOutDir" ] || { { mkdir "$caOutDir" && echo "(Re)created
Certificate Authority (CA) output directory: $caOutDir"; } || exit; }
+[ -w "$caOutDir" ] || { echo "Certificate Authority (CA) output directory
is not writeable: $caOutDir" && exit 1; }
+
+caName="$domain$SUFFIX_CA"
+caCertFileBase="$caOutDir/$caName$SUFFIX_CERT"
+caCertFileDer="$caCertFileBase$EXT_DER"
+caCertFilePem="$caCertFileBase$EXT_PEM"
+caKeyFileBase="$caOutDir/$caName$SUFFIX_KEY"
+caKeyFileDer="$caKeyFileBase$EXT_DER"
+caKeyFilePem="$caKeyFileBase$EXT_PEM"
+
+# Generate Certificate Authority (CA) key + certificate
+_ssl_gen_ca \
+ -c "$caCertFilePem" \
+ -k "$caKeyFilePem" \
+ -n "$caName" || exit
+
+# Create DER encoded Certificate Authority (CA) certificate
+_ssl_cert_pem_to_der \
+ --cd "$caCertFileDer" \
+ --cp "$caCertFilePem" || exit
+
+# Convert Certificate Authority (CA) key to PKCS#8 format in both PEM and
DER encodings
+_ssl_keys_to_pkcs8 \
+ --kd "$caKeyFileDer" \
+ --kp "$caKeyFilePem" || exit
+
+for entryKey in $(_props_entry_keys); do
+ entryName="$(_props_entry_name "$entryKey")"
+ entryAddress="$(_props_entry_address "$entryKey")"
+ declare -i entryValidityDays="$(_props_entry_validity_days "$entryKey")"
+ declare -i entryKeyBits="$(_props_entry_key_bits "$entryKey")"
+
+ entryCertFileBase="$outDir/$entryName$SUFFIX_CERT"
+ entryCertFileDer="$entryCertFileBase$EXT_DER"
+ entryCertFilePem="$entryCertFileBase$EXT_PEM"
+ entryCertFileReq="$entryCertFileBase$EXT_REQ"
+ entryKeyFileBase="$outDir/$entryName$SUFFIX_KEY"
+ entryKeyFileDer="$entryKeyFileBase$EXT_DER"
+ entryKeyFilePem="$entryKeyFileBase$EXT_PEM"
+ entryKeyFilePkcs12="$entryKeyFileBase$EXT_PKCS12"
+
+ # Generate entry key + certificate request
+ _ssl_gen_entry \
+ -a "$entryAddress" \
+ -k "$entryKeyFilePem" \
+ --kb entryKeyBits \
+ -n "$entryName" \
+ -r "$entryCertFileReq" \
+ --vd $entryValidityDays || exit
+
+ # Sign entry certificate request
+ _ssl_sign_entry \
+ -a "$entryAddress" \
+ -c "$entryCertFilePem" \
+ --cac "$caCertFilePem" \
+ --cak "$caKeyFilePem" \
+ -n "$entryName" \
+ -r "$entryCertFileReq" \
+ --vd $entryValidityDays || exit
+
+ rm "$entryCertFileReq" || exit
+
+ # Create DER encoded entry certificate
+ _ssl_cert_pem_to_der \
+ --cd "$entryCertFileDer" \
+ --cp "$entryCertFilePem" || exit
+
+ # Convert entry key to PKCS#8 in both PEM and DER encodings
+ _ssl_keys_to_pkcs8 \
+ --kd "$entryKeyFileDer" \
+ --kp "$entryKeyFilePem" || exit
+
+ # Create a PKCS#12 file containing the entry's key + certificate
+ _ssl_entry_to_pkcs12 \
+ -c "$entryCertFilePem" \
+ -k "$entryKeyFilePem" \
+ -n "$entryName" \
+ -p "$entryKeyFilePkcs12" || exit
+done
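Review bot: The removal block under `if [ -e "$outDir" ]` deletes the directory on every outcome except an explicit n/no answer, including a `read` that fails because stdin is closed or not a terminal, so a scripted or CI run that finds an existing output directory wipes it without any confirmation; the rewrite below aborts when `read` fails and keeps the current behaviour for answers (n/no reuse the directory, anything else removes it). `${rmOutDir,,}` in the same block is bash 4 syntax, yet the version check at the top accepts 3.2 (the version most macOS installs ship, the platform the greadlink alias caters for), and that check, `major > 3 || minor >= 2`, never compares the major version against 3, so it should read `(( BASH_VERSINFO[0] > 3 || (BASH_VERSINFO[0] == 3 && BASH_VERSINFO[1] >= 2) ))`. The macOS detection itself, `[[ "$OSTYPE" =~ *darwin* ]]`, applies regex matching to a glob pattern: a leading `*` is either rejected as an invalid expression or taken as a literal asterisk, and either way a value like `darwin12` never matches, so the alias is never installed; `[[ "$OSTYPE" == *darwin* ]]` is the intended test. In the entry loop, `--kb entryKeyBits` passes the variable's name rather than its value and only works because `_ssl_gen_entry` stores it in an integer variable that evaluates the name arithmetically; `--kb "$entryKeyBits"` matches the `--vd $entryValidityDays` argument beside it.
```shell
if [ -e "$outDir" ]; then
  [ -d "$outDir" ] || { echo "Output directory path is not a directory: $outDir" && exit 1; }

  declare -i rmOutDirWanted=$TRUE
  if (( clean != TRUE )); then
    # A failed read (EOF, closed or non-interactive stdin) must not fall through to rm.
    read -r -p "Output directory ($outDir) exists.${NEWLINE}Remove [Y(ES)/n(o)] it?: " rmOutDir || exit 1
    # bash 3.2 has no ${var,,}; a case pattern does the case-insensitive match.
    case "$rmOutDir" in
      [nN]|[nN][oO]) rmOutDirWanted=$FALSE ;;
    esac
  fi

  if (( rmOutDirWanted == TRUE )); then
    { rm -r "$outDir" && echo "Removed output directory: $outDir"; } || exit
  fi
fi
```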
=======================================
--- /dev/null
+++ /MSP3_Tool_Production/tools/lib/certgen/certgen-lib.sh Wed Dec 5
13:53:22 2012
@@ -0,0 +1,557 @@
+# Basic constants
+declare -i FALSE=0
+declare -i TRUE=1
+declare -i UNKNOWN=-1
+NEWLINE=$'\n'
+
+# Algorithm constants
+ALG_PBE_MD5_DES="PBE-MD5-DES"
+ALG_RSA="rsa"
+
+# File encoding constants
+FORM_DER="der"
+FORM_PEM="pem"
+
+# File/name prefix constants
+PREFIX_TMP="~"
+
+# File/name suffix constants
+SUFFIX_CA="_ca"
+SUFFIX_CERT="_cert"
+SUFFIX_KEY="_key"
+
+# File extension constants
+EXT_DER=".der"
+EXT_PEM=".pem"
+EXT_PKCS12=".p12"
+EXT_REQ=".csr"
+
+# OpenSSL configuration section constants
+# Distinguished names
+SECTION_DN_CA="dn_ca"
+SECTION_DN_CERT="dn_cert"
+# X509v3 extensions
+SECTION_EXT_CA="ext_ca"
+SECTION_EXT_CERT="ext_cert"
+SECTION_EXT_CERT_DOMAIN="ext_cert_domain"
+SECTION_EXT_REQ="ext_req"
+
+##
+# Calls the OpenSSL Command Line Interface (CLI) with the given options.
+#
+# * options for OpenSSL
+##
+function _openssl()
+{
+ OPENSSL_CONF="$certgenOpensslConfFile" \
+ SSLEAY_CONF= \
+ "${OPENSSL:-openssl}" \
+ "$@"
+}
+alias _openssl_req='_openssl "req"'
+alias _openssl_pkcs8='_openssl "pkcs8"'
+alias _openssl_pkcs12='_openssl "pkcs12"'
+alias _openssl_rand='_openssl "rand"'
+alias _openssl_x509='_openssl "x509"'
+
+##
+# Generates Certificate Authority (CA) key + certificate.
+#
+# -c|--cert <path> certificate file path
+# -k|--key <path> key file path
+# -n|--name <name> name of the CA
+##
+function _ssl_gen_ca()
+{
+ local certFile
+ local keyFile
+ local name
+
+ eval set "--" "$(getopt -a -o "-"
-l "c:,cert:,k:,key:,n:,name:" "--" "$@")"
+
+ while true; do
+ case "$1" in
+ "--c"|"--cert")
+ certFile="$2"
+ shift 2
+ ;;
+
+ "--k"|"--key")
+ keyFile="$2"
+ shift 2
+ ;;
+
+ "--n"|"--name")
+ name="$2"
+ shift 2
+ ;;
+
+ "--")
+ shift
+ break
+ ;;
+
+ *)
+ break
+ ;;
+ esac
+ done
+
+ dnSection="$SECTION_DN_CA" \
+ name="$name" \
+ \
+ _openssl_req \
+ -extensions "$SECTION_EXT_CA" \
+ -keyform "$FORM_PEM" \
+ -keyout "$keyFile" \
+ -newkey "$ALG_RSA" \
+ -nodes \
+ -out "$certFile" \
+ -outform "$FORM_PEM" \
+ -x509
+}
+
+##
+# Creates a DER encoded certificate from a PEM encoded one.
+#
+# --cd|--certder <path> DER encoded certificate file path
+# --cp|--certpem <path> PEM encoded certificate file path
+##
+function _ssl_cert_pem_to_der()
+{
+ local certFileDer
+ local certFilePem
+
+ eval set "--" "$(getopt -a -o "-"
-l "cd:,certder:,cp:,certpem:" "--" "$@")"
+
+ while true; do
+ case "$1" in
+ "--cd"|"--certder")
+ certFileDer="$2"
+ shift 2
+ ;;
+
+ "--cp"|"--certpem")
+ certFilePem="$2"
+ shift 2
+ ;;
+
+ "--")
+ shift
+ break
+ ;;
+
+ *)
+ break
+ ;;
+ esac
+ done
+
+ _openssl_x509 \
+ -in "$certFilePem" \
+ -inform "$FORM_PEM" \
+ -out "$certFileDer" \
+ -outform "$FORM_DER"
+}
+
+##
+# Creates both DER and PEM encoded, PKCS#8 format keys from a PEM encoded,
regular format one.
+#
+# --kd|--keyder <path> DER encoded key file path
+# --kp|--keypem <path> PEM encoded key file path
+##
+function _ssl_keys_to_pkcs8()
+{
+ local keyFileDer
+ local keyFilePem
+
+ eval set "--" "$(getopt -a -o "-" -l "kd:,keyder:,kp:,keypem:" "--" "$@")"
+
+ while true; do
+ case "$1" in
+ "--kd"|"--keyder")
+ keyFileDer="$2"
+ shift 2
+ ;;
+
+ "--kp"|"--keypem")
+ keyFilePem="$2"
+ shift 2
+ ;;
+
+ "--")
+ shift
+ break
+ ;;
+
+ *)
+ break
+ ;;
+ esac
+ done
+
+ keyFileTmp="$(_tmp_file_name "$keyFilePem")"
+ mv "$keyFilePem" "$keyFileTmp" || return
+
+ _openssl_pkcs8 \
+ -in "$keyFileTmp" \
+ -inform "$FORM_PEM" \
+ -nocrypt \
+ -out "$keyFileDer" \
+ -outform "$FORM_DER" \
+ -topk8 \
+ -v1 "$ALG_PBE_MD5_DES" || return
+
+ _openssl_pkcs8 \
+ -in "$keyFileDer" \
+ -inform "$FORM_DER" \
+ -nocrypt \
+ -out "$keyFilePem" \
+ -outform "$FORM_PEM" \
+ -v1 "$ALG_PBE_MD5_DES" || return
+
+ rm "$keyFileTmp" || return
+}
+
+##
+# Generates an entry key + certificate request.
+#
+# -a|--address <address> email address
+# --kb|--keybits <num> number of key bits
+# -k|--key <path> key file path
+# -n|--name <name> name of the entry
+# -r|--req <path> certificate request file path
+# -k|--key <path> key file path
+# --vd|--validdays <num> number of days the certificate will be valid for
+##
+function _ssl_gen_entry()
+{
+ local address
+ declare -i keyBits
+ local keyFile
+ local name
+ local reqFile
+ declare -i validityDays
+
+ eval set "--" "$(getopt -a -o "-"
-l "a:,address:,k:,key:,kb:,keybits:,n:,name:,r:,req:,vd:,validdays:" "--" "$@")"
+
+ while true; do
+ case "$1" in
+ "--a"|"--address")
+ address="$2"
+ shift 2
+ ;;
+
+ "--k"|"--key")
+ keyFile="$2"
+ shift 2
+ ;;
+
+ "--kb"|"--keybits")
+ keyBits=$2
+ shift 2
+ ;;
+
+ "--n"|"--name")
+ name="$2"
+ shift 2
+ ;;
+
+ "--r"|"--req")
+ reqFile="$2"
+ shift 2
+ ;;
+
+ "--vd"|"--validdays")
+ validityDays=$2
+ shift 2
+ ;;
+
+ "--")
+ shift
+ break
+ ;;
+
+ *)
+ break
+ ;;
+ esac
+ done
+
+ address="$address" \
+ dnSection="$SECTION_DN_CERT" \
+ keyBits="$keyBits" \
+ name="$name" \
+ validityDays="$validityDays" \
+ \
+ _openssl_req \
+ -keyform "$FORM_PEM" \
+ -keyout "$keyFile" \
+ -new \
+ -newkey "$ALG_RSA" \
+ -nodes \
+ -out "$reqFile" \
+ -reqexts "$SECTION_EXT_REQ" || return
+}
+
+##
+# Signs an entry certificate request.
+#
+# -a|--address <address> email address
+# -c|--cert <path> certificate file path
+# --cac|--cacert <path> CA certificate file path
+# --cak|--cakey <path> CA key file path
+# -n|--name <name> name of the entry
+# -r|--req <path> certificate request file path
+# --vd|--validdays <num> number of days the certificate will be valid for
+##
+function _ssl_sign_entry()
+{
+ local address
+ local caCertFile
+ local caKeyFile
+ local certFile
+ local name
+ local reqFile
+ declare -i validityDays
+
+ eval set "--" "$(getopt -a -o "-"
-l "a:,address:,c:,cert:,cac:,cacert:,cak:,cakey:,n:,name:,r:,req:,vd:,validdays:" "--" "$@")"
+
+ while true; do
+ case "$1" in
+ "--a"|"--address")
+ address="$2"
+ shift 2
+ ;;
+
+ "--c"|"--cert")
+ certFile="$2"
+ shift 2
+ ;;
+
+ "--cac"|"--cacert")
+ caCertFile="$2"
+ shift 2
+ ;;
+
+ "--cak"|"--cakey")
+ caKeyFile="$2"
+ shift 2
+ ;;
+
+ "--n"|"--name")
+ name="$2"
+ shift 2
+ ;;
+
+ "--r"|"--req")
+ reqFile="$2"
+ shift 2
+ ;;
+
+ "--vd"|"--validdays")
+ validityDays=$2
+ shift 2
+ ;;
+
+ "--")
+ shift
+ break
+ ;;
+
+ *)
+ break
+ ;;
+ esac
+ done
+
+ local extSection="$SECTION_EXT_CERT"
+ [[ "$certAddress" =~ ^[^@]+@[^@]+$ ]] ||
extSection="$SECTION_EXT_CERT_DOMAIN"
+
+ address="$address" \
+ name="$name" \
+ validityDays="$validityDays" \
+ \
+ _openssl_x509 \
+ -CA "$caCertFile" \
+ -CAform "$FORM_PEM" \
+ -CAkey "$caKeyFile" \
+ -CAkeyform "$FORM_PEM" \
+ -extensions "$extSection" \
+ -extfile "$certgenOpensslConfFile" \
+ -in "$reqFile" \
+ -out "$certFile" \
+ -outform "$FORM_PEM" \
+ -req \
+ -set_serial "$(_ssl_gen_serial)" || exit
+}
+
+##
+# Creates a PKCS#12 file containing an entry's key + certificate
+#
+# -c|--cert <path> certificate file path
+# -k|--key <path> key file path
+# -n|--name <name> name of the entry
+# -p|--pkcs12 <path> PKCS#12 file path
+##
+function _ssl_entry_to_pkcs12()
+{
+ local certFile
+ local keyFile
+ local name
+ local pkcs12File
+
+ eval set "--" "$(getopt -a -o "-"
-l "c:,cert:,k:,key:,n:,name:,p:,pkcs12:" "--" "$@")"
+
+ while true; do
+ case "$1" in
+ "--c"|"--cert")
+ certFile="$2"
+ shift 2
+ ;;
+
+ "--k"|"--key")
+ keyFile="$2"
+ shift 2
+ ;;
+
+ "--n"|"--name")
+ name="$2"
+ shift 2
+ ;;
+
+ "--p"|"--pkcs12")
+ pkcs12File="$2"
+ shift 2
+ ;;
+
+ "--")
+ shift
+ break
+ ;;
+
+ *)
+ break
+ ;;
+ esac
+ done
+
+ _openssl_pkcs12 \
+ -export \
+ -in "$certFile" \
+ -inkey "$keyFile" \
+ -name "$name" \
+ -nodes \
+ -out "$pkcs12File" \
+ -passout "pass:"
+}
+
+##
+# Generates a certificate serial number.
+#
+# -h|--hex whether to use hex encoding
+# -n|--num <num> number of bytes to generate
+##
+function _ssl_gen_serial()
+{
+ declare -i hex=$TRUE
+ declare -i numBytes=64
+
+ eval set "--" "$(getopt -a -o "-" -l "h,hex,n:,num:" "--" "$@")"
+
+ while true; do
+ case "$1" in
+ "--h"|"--hex")
+ hex=$TRUE
+ shift
+ ;;
+
+ "+h")
+ hex=$FALSE
+ shift
+ ;;
+
+ "--n"|"--num")
+ numBytes="$2"
+ shift 2
+ ;;
+
+ "--")
+ shift
+ break
+ ;;
+
+ *)
+ break
+ ;;
+ esac
+ done
+
+ local result="$(_openssl_rand $( ((!$hex)) || printf "--" '-hex\n')
$numBytes)"
+
+ [[ "$result" =~ ^[[:digit:]a-f]+$ ]] || return $(false)
+
+ ((!$hex)) || echo -n "0x"
+ echo "$result"
+}
+
+##
+# Gets a part of the value of a property.
+#
+# 1 part index
+# 2 property key
+##
+function _props_entry_value_part()
+{
+ _props_entry_value "$2" | sed -nr "s/^([^\\|]+)\\|([^\\|]+)\\|([^\\|]+)\\|
([^\\|]+)\$/\\$1/p"
+}
+alias _props_entry_name='_props_entry_value_part 1'
+alias _props_entry_address='_props_entry_value_part 2'
+alias _props_entry_validity_days='_props_entry_value_part 3'
+alias _props_entry_key_bits='_props_entry_value_part 4'
+
+##
+# Gets the value of a property.
+#
+# 1 property key
+##
+function _props_entry_value()
+{
+ _props_entry_lines | sed -nr "/^$1=/ s/^$1=(.+)\$/\\1/p" |
domain="$domain" awk '
+ {
+ while(match($0, "[$]{[^}]+}"))
+ {
+ varName=substr($0, RSTART + 2, RLENGTH - 3)
+ gsub("[$]{"varName"}", ENVIRON[varName])
+ }
+
+ print $0
+ }
+ '
+}
+
+##
+# Gets all available property keys.
+##
+function _props_entry_keys()
+{
+ _props_entry_lines | sed -nr 's/^(CERT_[0-9]+)=.+$/\1/p'
+}
+
+##
+# Gets all available property lines.
+##
+function _props_entry_lines()
+{
+ egrep '^CERT_[[:digit:]]+=[^\|]+\|[^\|]+|[[:digit:]]+|
[[:digit:]]+$' "$certgenPropsFile"
+}
+
+##
+# Gets a temporary file path given an existing file path.
+#
+# 1 file path
+##
+function _tmp_file_name()
+{
+ echo "$(dirname "$1")/$PREFIX_TMP$(basename "$1")"
+}
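Review bot: `_ssl_sign_entry` tests `$certAddress`, which is never assigned (the parsed option lands in the local `address`), so the regex always fails and every entry, e-mail-bound ones included, is issued with the `ext_cert_domain` section, which puts `DNS:<e-mail address>` into subjectAltName; it should read `[[ "$address" =~ ^[^@]+@[^@]+$ ]] || extSection="$SECTION_EXT_CERT_DOMAIN"`. The same function exports `validityDays` but passes no `-days "$validityDays"` to `_openssl_x509`, and as far as I know neither `x509 -req` nor `req -x509` reads `default_days` (that key belongs to the `ca` application, which this library never calls), so the 0-day "expired" entries in certgen.properties would get the tool's default lifetime instead of an expired one; it also ends with `|| exit` where its siblings use `|| return`, terminating the sourcing shell rather than letting the caller handle the failure. In `_ssl_gen_serial` the default of 64 random bytes yields a 512-bit serial, beyond the 20-octet limit RFC 5280 §4.1.2.2 places on serialNumber, so `declare -i numBytes=16` keeps issued certificates conformant, and `return $(false)` only works because an argument-less `return` reuses the status of the failed `[[ ]]`; write `return 1`. Lastly, the `egrep` pattern in `_props_entry_lines` leaves the third and fourth field separators as bare `|`, so it becomes an alternation that matches any line containing a digit and the intended four-field validation never happens; escape them as `\|` like the first two.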
=======================================
--- /dev/null
+++ /MSP3_Tool_Production/tools/lib/certgen/certgen.properties Wed Dec 5
13:53:22 2012
@@ -0,0 +1,35 @@
+# Properties describing the test case certificates/keys to generate.
+# Strings of the form '${<name>}' in the property values will be
substituted at runtime for the values of the environment
+# variables denoted by <name> or an empty string if the environment
variable does not exist.
+#
+# Each property line is in the form:
+# <property name in config.properties>=<cert/key base name>|<cert email
address or domain>|<validity in days>|<# key bits>
+#
+# Note: this file can be regenerated from the 'Certificates' table on the
Install Worksheet spreadsheet.
+
+CERT_1=dts500_valid_cert_record|dts500@direct1.${domain}|365|1024
+CERT_2=othercert|othercert@direct1.${domain}|365|1024
+CERT_3=dts501_valid|direct1.${domain}|365|1024
+CERT_4=direct9.${domain}|direct9.${domain}|365|1024
+CERT_5=dts500_valid_ldap|dts500@direct1.${domain}|365|1024
+CERT_6=dts501_valid_ldap|direct1.${domain}|365|1024
+CERT_7=dts501_expired|dts501@direct1.${domain}|0|1024
+CERT_11=dts502|dts502@direct1.${domain}|365|4096
+CERT_13=dts505_expired_cert_record|dts505@direct2.${domain}|0|1024
+CERT_14=dts505_mac|dts505@direct2.${domain}|365|1024
+CERT_16=dts515_mac|direct2.${domain}|365|1024
+CERT_17=dts515_address_bound|dts515@direct2.${domain}|365|1024
+CERT_18=dts506_ldap_1_mac|dts506@direct2.${domain}|365|1024
+CERT_19=dts506_ldap_2|dts506@direct2.${domain}|365|1024
+CERT_20=dts507|dts507@direct3.${domain}|365|1024
+CERT_21=dts517|dts517@direct3.${domain}|365|1024
+CERT_24=dts520_invalid_address_cert|dts520@direct5.${domain}|0|1024
+CERT_25=dts520_invalid_domain_cert|dts520@direct5.${domain}|0|1024
+CERT_26=dts520_invalid_address_ldap|dts520@direct5.${domain}|0|1024
+CERT_27=dts520_invalid_domain_ldap|dts520@direct5.${domain}|0|1024
+CERT_28=dts512_expired_address_cert|dts512@direct6.${domain}|0|1024
+CERT_29=expired_direct6_domain_cert|dts512@direct6.${domain}|0|1024
+CERT_37=dts501_valid_add_ldap|dts501@direct1.${domain}|365|1024
+CERT_38=direct2.${domain}_invalid_dns|direct2.${domain}|0|1024
+CERT_39=dts515_invalid_dns_address|dts515@direct2.${domain}|0|1024
+CERT_41=dts515_invalid_ldap_address|dts515@direct2.${domain}|0|1024
=======================================
--- /dev/null
+++ /MSP3_Tool_Production/tools/lib/certgen/openssl-certgen.cnf Wed Dec 5
13:53:22 2012
@@ -0,0 +1,53 @@
+address=
+digest=sha1
+keyBits=1024
+validityDays=365
+dnSection=
+name=
+
+[ca]
+default_ca=ca_default
+
+[ca_default]
+default_bits=${ENV::keyBits}
+default_days=${ENV::validityDays}
+default_md=${ENV::digest}
+preserve=no
+
+[req]
+default_bits=${ENV::keyBits}
+default_days=${ENV::validityDays}
+default_md=${ENV::digest}
+distinguished_name=${ENV::dnSection}
+encrypt_key=no
+prompt=no
+
+[dn_ca]
+C=US
+O=${ENV::name}
+CN=${ENV::name}
+
+[dn_cert]
+emailAddress=${ENV::address}
+C=US
+O=${ENV::name}
+CN=${ENV::name}
+
+[ext_ca]
+authorityKeyIdentifier=keyid, issuer
+basicConstraints=CA:true
+subjectKeyIdentifier=hash
+
+[ext_cert]
+authorityKeyIdentifier=keyid, issuer
+basicConstraints=CA:false
+subjectAltName=email:copy
+subjectKeyIdentifier=hash
+
+[ext_cert_domain]
+authorityKeyIdentifier=keyid, issuer
+basicConstraints=CA:false
+subjectAltName=email:copy,DNS:${ENV::address}
+subjectKeyIdentifier=hash
+
+[ext_req]
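Review bot: The top-level defaults `digest=sha1` and `keyBits=1024` mean every key and signature this configuration produces is 1024-bit RSA signed with SHA-1, including the CA itself (`_ssl_gen_ca` sets no `keyBits` in the environment, so presumably the file's own default applies); unless the test matrix deliberately needs weak material, `digest=sha256` and `keyBits=2048` are the defaults to ship, leaving per-entry sizes to the properties file. In `[ext_ca]`, `basicConstraints=CA:true` is not marked critical, which RFC 5280 §4.2.1.9 requires for CA certificates; `basicConstraints=critical,CA:true` fixes that (the marking is optional for the `CA:false` entries in `[ext_cert]` and `[ext_cert_domain]`). `[ca_default]` is never consulted, since nothing calls `openssl ca`, and the closing `[ext_req]` section is empty; a one-line comment such as `# intentionally empty: requests carry no extensions, the signer adds them` would tell the reader this is deliberate rather than unfinished.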