tterem · April 18, 2019 09:07
diff --git a/generate.key.sh b/generate.key.sh
 #!/bin/bash

 PASS="123456"
 DN_SERVER="server"
 DN_CLIENT="client"
 VALIDITY=10000
 DIR=$1
 HOST="localhost"

 cd ${DIR}
 rm -f client.* server.* client-wrong-hostname.* client-different-cert.* server-wrong-hostname.* server-different-cert.* server-wildcard-hostname.* client-wildcard-hostname.*

 function generate_keystore
 {
    FILE_NAME=$1
    DN=$2
    HOST_NAME=$3
    PASSWORD=$4

    local_openssl_config="
    [ req ]
    prompt = no
    distinguished_name = req_distinguished_name
    x509_extensions = san_self_signed
    [ req_distinguished_name ]
    CN=$DN
    [ san_self_signed ]
    subjectAltName = DNS:$HOST_NAME
    subjectKeyIdentifier = hash
    authorityKeyIdentifier = keyid:always,issuer
    basicConstraints = CA:true
    keyUsage = nonRepudiation, digitalSignature, keyEncipherment, dataEncipherment, keyCertSign, cRLSign
    extendedKeyUsage = serverAuth, clientAuth, timeStamping
    "

    openssl req \
      -newkey rsa:2048 -nodes \
      -keyout "test.key.pem" \
      -x509 -sha256 -days $VALIDITY \
      -config <(echo "$local_openssl_config") \
      -out "test.cert.pem"
    openssl x509 -noout -text -in "test.cert.pem"
    openssl pkcs12 -export -in test.cert.pem -inkey test.key.pem -out $FILE_NAME.p12 -name $DN -passout pass:$PASSWORD
    keytool -importkeystore -destkeystore $FILE_NAME.keystore -deststorepass $PASSWORD -srckeystore $FILE_NAME.p12 -srcstoretype PKCS12 -srcstorepass $PASSWORD
    rm -f test.cert.pem test.key.pem
    #  keytool -genkey \
    #        -keyalg RSA \
    #        -alias $DN \
    #        -keystore $FILE_NAME \
    #        -storepass $PASSWORD \
    #        -validity $VALIDITY \
    #        -keysize 2048 \
    #        -keypass $PASSWORD \
    #        -dname 'CN=Tomas, OU=Tomas, O=Tomas, L=Brno, ST=Czech Republic, C=CZ' \
    #        -ext "SAN=dns:localhost,ip:$HOST_NAME"
    #  keytool -importkeystore -srckeystore $FILE_NAME \
    #     -destkeystore ${FILE_NAME%.*}.p12 -deststoretype PKCS12 \
    #     -srcstorepass $PASSWORD -deststorepass $PASSWORD
 }

 function export_certificate
 {
    FILE_NAME=$1
    ALIAS=$2
    EXPORT_FILE_NAME=$3
    PASSWORD=$4
    keytool -export -alias $ALIAS -keystore $FILE_NAME -storepass $PASSWORD -file $EXPORT_FILE_NAME
 }

 function import_certificate
 {
    FILE_NAME=$1
    ALIAS=$2
    IMPORT_FILE_NAME=$3
    PASSWORD=$4
    keytool -import -noprompt -alias $ALIAS -keystore $FILE_NAME -storepass $PASSWORD -file $IMPORT_FILE_NAME
 }

 generate_keystore "server" "$DN_SERVER" "$HOST" "$PASS"
 generate_keystore "client" "$DN_CLIENT" "$HOST" "$PASS"

 generate_keystore "server-wrong-hostname" "$DN_SERVER" "abc" "$PASS"
 generate_keystore "client-wrong-hostname" "$DN_CLIENT" "$HOST" "$PASS"

 generate_keystore "server-wildcard-hostname" "$DN_SERVER" "*host" "$PASS"
 generate_keystore "client-wildcard-hostname" "$DN_CLIENT" "$HOST" "$PASS"

 generate_keystore "server-different-cert" "$DN_SERVER" "$HOST" "$PASS"
 generate_keystore "client-different-cert" "$DN_CLIENT" "$HOST" "$PASS"



 export_certificate "server.keystore" "$DN_SERVER" "server.crt" "$PASS"
 export_certificate "client.keystore" "$DN_CLIENT" "client.crt" "$PASS"

 export_certificate "server-wrong-hostname.keystore" "$DN_SERVER" "server-wrong-hostname.crt" "$PASS"
 export_certificate "client-wrong-hostname.keystore" "$DN_CLIENT" "client-wrong-hostname.crt" "$PASS"

 export_certificate "server-wildcard-hostname.keystore" "$DN_SERVER" "server-wildcard-hostname.crt" "$PASS"
 export_certificate "client-wildcard-hostname.keystore" "$DN_CLIENT" "client-wildcard-hostname.crt" "$PASS"

 export_certificate "server-different-cert.keystore" "$DN_SERVER" "server-different-cert.crt" "$PASS"
 export_certificate "client-different-cert.keystore" "$DN_CLIENT" "client-different-cert.crt" "$PASS"


 import_certificate "server.truststore" "$DN_CLIENT" "client.crt" "$PASS"
 import_certificate "client.truststore" "$DN_SERVER" "server.crt" "$PASS"

 import_certificate "server-wrong-hostname.truststore" "$DN_CLIENT" "client-wrong-hostname.crt" "$PASS"
 import_certificate "client-wrong-hostname.truststore" "$DN_SERVER" "server-wrong-hostname.crt" "$PASS"

 import_certificate "server-wildcard-hostname.truststore" "$DN_CLIENT" "client-wildcard-hostname.crt" "$PASS"
 import_certificate "client-wildcard-hostname.truststore" "$DN_SERVER" "server-wildcard-hostname.crt" "$PASS"

 import_certificate "server-different-cert.truststore" "$DN_CLIENT" "client-different-cert.crt" "$PASS"
 import_certificate "client-different-cert.truststore" "$DN_SERVER" "server-different-cert.crt" "$PASS"
	#!/bin/bash

	PASS="123456"
	DN_SERVER="server"
	DN_CLIENT="client"
	VALIDITY=10000
	DIR=$1
	HOST="localhost"

	cd ${DIR}
	rm -f client.* server.* client-wrong-hostname.* client-different-cert.* server-wrong-hostname.* server-different-cert.* server-wildcard-hostname.* client-wildcard-hostname.*

	function generate_keystore
	{
	FILE_NAME=$1
	DN=$2
	HOST_NAME=$3
	PASSWORD=$4

	local_openssl_config="
	[ req ]
	prompt = no
	distinguished_name = req_distinguished_name
	x509_extensions = san_self_signed
	[ req_distinguished_name ]
	CN=$DN
	[ san_self_signed ]
	subjectAltName = DNS:$HOST_NAME
	subjectKeyIdentifier = hash
	authorityKeyIdentifier = keyid:always,issuer
	basicConstraints = CA:true
	keyUsage = nonRepudiation, digitalSignature, keyEncipherment, dataEncipherment, keyCertSign, cRLSign
	extendedKeyUsage = serverAuth, clientAuth, timeStamping
	"

	openssl req \
	-newkey rsa:2048 -nodes \
	-keyout "test.key.pem" \
	-x509 -sha256 -days $VALIDITY \
	-config <(echo "$local_openssl_config") \
	-out "test.cert.pem"
	openssl x509 -noout -text -in "test.cert.pem"
	openssl pkcs12 -export -in test.cert.pem -inkey test.key.pem -out $FILE_NAME.p12 -name $DN -passout pass:$PASSWORD
	keytool -importkeystore -destkeystore $FILE_NAME.keystore -deststorepass $PASSWORD -srckeystore $FILE_NAME.p12 -srcstoretype PKCS12 -srcstorepass $PASSWORD
	rm -f test.cert.pem test.key.pem
	# keytool -genkey \
	# -keyalg RSA \
	# -alias $DN \
	# -keystore $FILE_NAME \
	# -storepass $PASSWORD \
	# -validity $VALIDITY \
	# -keysize 2048 \
	# -keypass $PASSWORD \
	# -dname 'CN=Tomas, OU=Tomas, O=Tomas, L=Brno, ST=Czech Republic, C=CZ' \
	# -ext "SAN=dns:localhost,ip:$HOST_NAME"
	# keytool -importkeystore -srckeystore $FILE_NAME \
	# -destkeystore ${FILE_NAME%.*}.p12 -deststoretype PKCS12 \
	# -srcstorepass $PASSWORD -deststorepass $PASSWORD
	}

	function export_certificate
	{
	FILE_NAME=$1
	ALIAS=$2
	EXPORT_FILE_NAME=$3
	PASSWORD=$4
	keytool -export -alias $ALIAS -keystore $FILE_NAME -storepass $PASSWORD -file $EXPORT_FILE_NAME
	}

	function import_certificate
	{
	FILE_NAME=$1
	ALIAS=$2
	IMPORT_FILE_NAME=$3
	PASSWORD=$4
	keytool -import -noprompt -alias $ALIAS -keystore $FILE_NAME -storepass $PASSWORD -file $IMPORT_FILE_NAME
	}

	generate_keystore "server" "$DN_SERVER" "$HOST" "$PASS"
	generate_keystore "client" "$DN_CLIENT" "$HOST" "$PASS"

	generate_keystore "server-wrong-hostname" "$DN_SERVER" "abc" "$PASS"
	generate_keystore "client-wrong-hostname" "$DN_CLIENT" "$HOST" "$PASS"

	generate_keystore "server-wildcard-hostname" "$DN_SERVER" "*host" "$PASS"
	generate_keystore "client-wildcard-hostname" "$DN_CLIENT" "$HOST" "$PASS"

	generate_keystore "server-different-cert" "$DN_SERVER" "$HOST" "$PASS"
	generate_keystore "client-different-cert" "$DN_CLIENT" "$HOST" "$PASS"



	export_certificate "server.keystore" "$DN_SERVER" "server.crt" "$PASS"
	export_certificate "client.keystore" "$DN_CLIENT" "client.crt" "$PASS"

	export_certificate "server-wrong-hostname.keystore" "$DN_SERVER" "server-wrong-hostname.crt" "$PASS"
	export_certificate "client-wrong-hostname.keystore" "$DN_CLIENT" "client-wrong-hostname.crt" "$PASS"

	export_certificate "server-wildcard-hostname.keystore" "$DN_SERVER" "server-wildcard-hostname.crt" "$PASS"
	export_certificate "client-wildcard-hostname.keystore" "$DN_CLIENT" "client-wildcard-hostname.crt" "$PASS"

	export_certificate "server-different-cert.keystore" "$DN_SERVER" "server-different-cert.crt" "$PASS"
	export_certificate "client-different-cert.keystore" "$DN_CLIENT" "client-different-cert.crt" "$PASS"


	import_certificate "server.truststore" "$DN_CLIENT" "client.crt" "$PASS"
	import_certificate "client.truststore" "$DN_SERVER" "server.crt" "$PASS"

	import_certificate "server-wrong-hostname.truststore" "$DN_CLIENT" "client-wrong-hostname.crt" "$PASS"
	import_certificate "client-wrong-hostname.truststore" "$DN_SERVER" "server-wrong-hostname.crt" "$PASS"

	import_certificate "server-wildcard-hostname.truststore" "$DN_CLIENT" "client-wildcard-hostname.crt" "$PASS"
	import_certificate "client-wildcard-hostname.truststore" "$DN_SERVER" "server-wildcard-hostname.crt" "$PASS"

	import_certificate "server-different-cert.truststore" "$DN_CLIENT" "client-different-cert.crt" "$PASS"
	import_certificate "client-different-cert.truststore" "$DN_SERVER" "server-different-cert.crt" "$PASS"