Quick test to see if auto-provisioning with TLS Client Certificate is working
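#!/bin/sh
# Quick end-to-end check that device auto-provisioning with a TLS client
# certificate works against a device host.
#
# Builds a throw-away test CA (RSA or ECDSA), issues a client certificate for
# this device under it, then talks to the device host with curl using that
# certificate.  Unless BY_ACTION is "keys", all generated key material lives in
# a private mktemp directory that is removed on exit -- including an early exit
# caused by `set -e` -- so private keys are not left behind on failure.
#
# Environment (all optional):
#   DEVICE_HOST  device API host (default "<>.m2.exosite-dev.io"; fill in the
#                placeholder before use)
#   BY_ACTION    timestamp | write | activate | keys   (default: write)
#   USE_CERT     "rsa" for an RSA chain, anything else for ECDSA (default: rsa)
#   HOST_CA      CA file used to verify the host (default MURANO_ROOT_CA.cer,
#                falling back to /vagrant/MURANO_ROOT_CA.cer)
#   DEVICE_ID    certificate CN / device identity (default C<USE_CERT>_<hostname>)
#
# Exit status: 5 if no root CA file can be found, 2 on an unknown BY_ACTION,
# otherwise the status of the first failing command (set -e).
#
# Note: `set -x` echoes every command line to stderr, so keep secrets in files
# (as the keys are here), never in command arguments.
set -x
set -e

DEVICE_HOST=${DEVICE_HOST:-<>.m2.exosite-dev.io}
BY_ACTION=${BY_ACTION:-write}
USE_CERT=${USE_CERT:-rsa}
HOST_CA=${HOST_CA:-MURANO_ROOT_CA.cer}

# Reject unknown actions before spending time (and entropy) on key generation.
case $BY_ACTION in
  timestamp|write|activate|keys) ;;
  *)
    echo "Unknown BY_ACTION: $BY_ACTION" >&2
    exit 2
    ;;
esac

if [ ! -f "$HOST_CA" ]; then
  HOST_CA=/vagrant/MURANO_ROOT_CA.cer
fi
if [ ! -f "$HOST_CA" ]; then
  echo "Missing Root CA!" >&2
  exit 5
fi
# We cd into a temp directory below; a relative HOST_CA would no longer resolve
# from there and curl's --cacert would fail.  Anchor it to the current cwd now.
case $HOST_CA in
  /*) ;;
  *) HOST_CA="$PWD/$HOST_CA" ;;
esac

did=$(hostname)
DEVICE_ID=${DEVICE_ID:-C${USE_CERT}_${did}}

# Record the toolchain versions in the trace; useful when reporting a failure.
uname -a
openssl version
curl --version

# For any real request, work in a private mktemp directory so the CA and client
# private keys never land in the caller's cwd, and remove it on any exit path.
# For "keys" the files are deliberately left in the current directory.
WKS=
if [ "z$BY_ACTION" != "zkeys" ]; then
  tmpname=$(basename -- "$0")
  WKS=$(mktemp -d -t "${tmpname}.XXXXXX")
  # ${WKS:?} aborts the rm rather than running it on an empty path.
  trap 'cd "$HOME" && rm -r -- "${WKS:?}"' EXIT
  cd "$WKS"
fi

if [ "z${USE_CERT}" = "zrsa" ]; then
  # Create self-signed RSA cert; our Test CA.
  # -nodes leaves the private keys unencrypted so curl can use them without a
  # passphrase -- acceptable only because they are throw-away test keys.
  openssl req -x509 -nodes -days 365 -subj "/C=US/ST=MN/L=Mpls/O=Exosite/CN=TestRsaCa" \
    -newkey rsa:2048 -keyout ca-key.pem -out ca.pem
  # Create RSA private key and a CSR for that key; the CN is the device identity.
  openssl req -out CSR.csr -new -newkey rsa:2048 -nodes -keyout client-key.pem \
    -subj "/C=US/ST=MN/L=Mpls/O=Exosite/CN=${DEVICE_ID}"
  # Sign with Test CA (-CAcreateserial writes ca.srl alongside).
  openssl x509 -req -days 730 -in CSR.csr -CA ca.pem -CAkey ca-key.pem \
    -CAcreateserial -out client-signed.cer
  cat client-key.pem client-signed.cer > client-up.pem
else
  # Create self-signed ECDSA cert; our Test CA.
  openssl ecparam -name secp521r1 -genkey -param_enc explicit -out ca-key.pem
  openssl req -new -x509 -key ca-key.pem -out ca.pem -days 730 \
    -subj "/C=US/ST=MN/L=Mpls/O=Exosite/CN=TestEcdsaCA"
  # Create ECDSA private key
  openssl ecparam -name secp521r1 -genkey -param_enc explicit -out client-key.pem
  # Create CSR from private key; the CN is the device identity.
  openssl req -out CSR.csr -key client-key.pem -new \
    -subj "/C=US/ST=MN/L=Mpls/O=Exosite/CN=${DEVICE_ID}"
  # Sign with Test CA (-CAcreateserial writes ca.srl alongside).
  openssl x509 -req -days 730 -in CSR.csr -CA ca.pem -CAkey ca-key.pem \
    -CAcreateserial -out client-signed.cer
  cat client-key.pem client-signed.cer > client-up.pem
fi

# Test with curl (not on macOS. -k doesn't work as we expect.)
# The host is verified against HOST_CA; the client authenticates with the
# freshly signed certificate and key.
case $BY_ACTION in
  timestamp)
    curl -v "https://${DEVICE_HOST}/timestamp" \
      --cert client-signed.cer --key client-key.pem --cacert "$HOST_CA"
    ;;
  write)
    curl -v "https://${DEVICE_HOST}/onep:v1/stack/alias" \
      --cert client-signed.cer --key client-key.pem --cacert "$HOST_CA" \
      -H 'Content-Type: application/x-www-form-urlencoded; charset=utf-8' \
      -d 'data_in=42'
    ;;
  activate)
    # DEVICE_ID is sent as-is (not URL-encoded); keep it to plain identifier chars.
    curl -v "https://${DEVICE_HOST}/provision/activate" \
      --cert client-signed.cer --key client-key.pem --cacert "$HOST_CA" \
      -H 'Content-Type: application/x-www-form-urlencoded; charset=utf-8' \
      -d "id=$DEVICE_ID"
    ;;
  keys)
    echo "just built keys."
    ;;
esac
# Temp directory cleanup (when one was created) happens in the EXIT trap.
# vim: set sw=4 ts=4 :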