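#!/bin/bash
# Copyright IBM Corp. All Rights Reserved.
#
# SPDX-License-Identifier: Apache-2.0
#
# pki - thin wrapper around the openssl(1) "req", "ca", "x509", "crl" and
# "pkcs12" subcommands, used by the fabric-ca FVT image to build a throw-away
# PKI: root CAs, subordinate CAs, end-entity certificates, CRLs and PKCS#12
# bundles.
#
# Usage:  pki -f <function> [options]     (usage() lists every option)
# Env:    OPENSSL  openssl binary to run (default /usr/bin/openssl)
#         HOME     directory that receives generated certs/keys/requests
# Layout: CA domains live under /tmp/CAs/<name>; the template openssl config
#         is /etc/hyperledger/fabric-ca/openssl.cnf.base and DSA/EC parameter
#         files are read from /etc/hyperledger/fabric-ca/keyparms.
#
# This is a test fixture: CA keys are generated unencrypted (-nodes) and the
# PKCS#12 / -passin password is the fixed string "tcpsup", which also shows up
# in process listings. Nothing produced here is meant to leave the FVT image.

#######################################
# Print the option summary to stdout.
#######################################
usage() {
  cat <<'EOF'

pki - create self-signed, CA, user and CA-signed certificates
    -f) <function>, where <function> is one of
          display  - display certificate contents
          dispcrl  - display CRL for a given CA
          gencrl   - generate a new CRL file
          newca    - add a new root CA Domain
          newcert  - create a new self-signed certificate
          newreq   - create a new cert request
          newsub   - add a new subordinate CA Domain
          pkcs12   - output a pkcs12 package using a list of filenames
                     specified with the '-c' option
          revoke   - revoke a cert issued by a given CA and update CRL
          sign     - sign a cert request with a specific CA
          signcert - sign an exisiting cert with a specific CA
    -n) <X500dn>, where <X500dn> is expressed as a series of RDNs
          in the form:
             /type=val1/type=val2/...
    -d <digest>
          Supported values:
             md2|md4|md5|sha|sha1|sha224|sha256|sha384|sha512
    -e) <n-days> expiration; 'n'=number of days until expire
    -a) <authority> name of newCA, or signingCA DOMAIN
    -b) <subordinate> name of new subordinateCA (to create subCAs)
    -c) <certfile> cert to display, sign, or include in pkcs12
    -k) <keyfile> key for creating pkcs12 packages
    -t) <type> keytype: rsa|dsa|ec
    -l) <n-bits> keylength
          Supported vaules for RSA: 384-4096
          Supported vaules for DSA: 256,512,1024,2048,4096
          Supported vaules for ECC: 160,224,256,384,521,570
    -K) <keyUsage> comma-delmited list for inclusion in KU extension
          Supported values: digitalSignature, nonRepudiation,
                            keyEncipherment, dataEncipherment, keyAgreement,
                            keyCertSign, cRLSign, encipherOnly, decipherOnly
    -E) <extendeKeyUsage> comma-delmited list for inclusion in
          EKU extension
          Supported values: serverAuth, clientAuth, codeSigning,
                            emailProtection, timeStamping, ipsecIKE, any
          Supported but deprecated by RFC:
                            ipsecEndSystem, ipsecTunnel, ipsecUser)
    -p) <prefix> to use for output files (certificates, keys, pkcs12)
    -m) <reason> for revocation (for revoke function)
          Supported values: unspecified, keyCompromise, CACompromise,
                            affiliationChanged, superseded, cessationOfOperation,
                            certificateHold, removeFromCRL
    -r) <reasons> CDP revocation reasons: comma-delmited list for
          inclusion in certificate CDP extension
          Supported values: keyCompromise, CACompromise, affiliationChanged,
                            superseded, cessationOfOperation, certificateHold,
                            privilegeWithdrawn, AACompromise
    -R) <reasons> IDP revocation reasons: comma-delmited list for
          inclusion in CRL IDP extension
          Supported values: same as for CDP above
    -x) used to interactively prompt for subjectAltNames
    -C) exclude CRL distribution point extention
    -o) crl output file (defalut: crl = crl.pem/crl.der)
    -?) usage
EOF
}

#######################################
# Rewrite a file in place with one sed expression, via a sibling temp copy.
# Arguments: $1 - sed expression
#            $2 - file to rewrite
# Returns:   sed's status; the original file is left untouched on failure
#######################################
sed_in_place() {
  local expr=$1
  local file=$2
  sed "$expr" "$file" > "${file}.this" && mv "${file}.this" "$file"
}

#######################################
# Abort unless the signing CA domain directory exists.
# Globals:   casign (read)
# Arguments: $1 - CA name to show in the "how to create it" hint
#######################################
require_ca_domain() {
  local hint=$1
  if test ! -d "${casign}"; then
    echo ""
    echo "${casign} does not exist. Create a new CA domain by running:"
    echo "    \"pki -f newca -a ${hint} -n <subjname>\""
    exit 1
  fi
}

#######################################
# Make a working copy of an openssl config with the requested key-usage
# and extended-key-usage settings patched in.
# Globals:   KUstring, EKUstring, id_kp_ipsecIKE, anyExtendedKeyUsage (read)
#            config (written: path of the patched copy, "<input>.this")
# Arguments: $1 - path of the template config
#######################################
config_opts() {
  local configin=$1
  local eku

  cp "$configin" "$configin.this"
  config="$configin.this"
  chmod 664 "$config"

  if test "$KUstring" = "none"; then
    # comment the keyUsage line out entirely
    sed_in_place 's/keyUsage = $KEYUSE/#keyUsage =$KEYUSE/' "$config"
  elif test -n "$KUstring"; then
    # KUstring is spliced into the sed program unescaped: a '/' or '&' in it
    # corrupts the config instead of being taken literally.
    sed_in_place "s/\(KEYUSE[[:blank:]].*=[[:blank:]]\).*/\1\"$KUstring\"/" "$config"
  fi

  if test -n "$EKUstring"; then
    # "ike" and "any" become bare OIDs; anything else is quoted verbatim
    case "$EKUstring" in
      ike) eku="${id_kp_ipsecIKE}" ;;
      any) eku="${anyExtendedKeyUsage}" ;;
      *)   eku="\"${EKUstring}\"" ;;
    esac
    sed_in_place "s/#\(EXTKEYUSE[[:blank:]].*=[[:blank:]]\).*/\1${eku}/" "$config"
    sed_in_place 's/#extendedKeyUsage = /extendedKeyUsage =/' "$config"
  fi
}

#######################################
# Generate a CRL for the CA under $caroot.
# Globals:   GENCRL, caroot, cakey, cacert, digest, crlexpiration, CRLoutput (read)
# Arguments: $1 - openssl config to use
#            $@ - extra openssl arguments (e.g. -passin ...)
# Outputs:   ${caroot}/crl/${CRLoutput}.pem
#######################################
issue_crl() {
  local cfg=$1
  shift
  $GENCRL \
    -keyfile "${caroot}/private/$cakey" \
    -cert "${caroot}/$cacert.pem" \
    -md "$digest" \
    -crldays "$crlexpiration" \
    -out "${caroot}/crl/${CRLoutput}.pem" \
    -config "$cfg" \
    "$@"
}

#######################################
# Convert the CA's CRL, certificate and key to DER and copy cert and key
# into $HOME as <name>-cert.{pem,der} and <name>-key.{pem,der}.
# Globals:   caroot, cacert, CRLoutput, ktype, HOME (read)
# Arguments: $1 - name used for the files in $HOME
#######################################
publish_ca_files() {
  local name=$1
  convert CRL pem der "${caroot}/crl/${CRLoutput}.pem"
  convert X509 pem der "${caroot}/$cacert.pem"
  convert "$ktype" pem der "${caroot}/private/cakey.pem"
  cp "${caroot}/$cacert.pem" "$HOME/${name}-cert.pem"
  cp "${caroot}/$cacert.der" "$HOME/${name}-cert.der"
  cp "${caroot}/private/cakey.pem" "$HOME/${name}-key.pem"
  cp "${caroot}/private/cakey.der" "$HOME/${name}-key.der"
  echo "CERTFILEs:"
  ls -l "$HOME/${name}-cert.pem" "$HOME/${name}-cert.der" | sed 's/^/    /'
  echo "KEYFILEs:"
  ls -l "$HOME/${name}-key.pem" "$HOME/${name}-key.der" | sed 's/^/    /'
}

#######################################
# Create a certificate: self-signed when no CA (-a) is given, otherwise a
# new request signed by that CA.
# Globals:   baseconf, certauth, extensions, subjectAltString, config,
#            REQ, keytype, digest, subjectname, keyout, certout, DISPLAY (read)
# Outputs:   $certout.pem and $keyout.pem
#######################################
newcert() {
  config_opts "$baseconf"

  if test -z "$certauth"; then
    if test "$extensions" = "Y"; then
      test -z "$subjectAltString" && subjalt
      sed_in_place "s/\(SUBALT[[:blank:]].*=[[:blank:]]\).*/\1$subjectAltString/" "$config"
    fi

    # $REQ is "<openssl> req" and must word-split
    if ! $REQ -config "$config" -new -newkey "$keytype" \
        -nodes -"$digest" -x509 -subj "$subjectname" \
        -keyout "$keyout.pem" -out "$certout.pem" \
        -extensions usr_cert; then
      echo "Create newcert failed."
      exit 1
    fi
    $DISPLAY "$certout.pem"
    echo "Certificate is in $certout.pem, private key is in $keyout.pem"
    test -f "${baseconf}.this" && rm "${baseconf}.this"
  else
    require_ca_domain "${casign##*/}"
    newreq
    signreq
  fi
}

#######################################
# Create a new root CA domain under $caroot (prompting before overwriting
# an existing one), issue its self-signed certificate and initial CRL.
# Globals:   certauth, caroot, caconf, extensions, subjectAltString, CDP,
#            CDPreason, IDPreason, REQ, CA, keytype, digest, subjectname,
#            cakey, careq, cacert, startDate, endDate (read); config (written)
#######################################
newca() {
  local ANS

  if test -z "$certauth"; then
    echo "Need name for new CADOMAIN. Use '-a <name>' option."
    exit 1
  fi

  if test -f "${caroot}/serial"; then
    echo "CA Domain ( '${caroot}' ) already exists."
    read -r -p "Overwrite existing directory?! [Y/N]: " ANS
    ANS=$(printf '%s' "$ANS" | tr '[:lower:]' '[:upper:]')
    if test "$ANS" != "Y"; then
      exit 1
    fi
    # ":?" refuses to run rm -rf against an empty path
    rm -rf -- "${caroot:?}"
  fi

  # create the directory hierarchy and the domain-specific config
  mkcatree
  config="$caroot/$caconf"

  if test "$extensions" = "Y"; then
    test -z "$subjectAltString" && subjalt
    sed_in_place "s/\(SUBALT[[:blank:]].*=[[:blank:]]\).*/\1$subjectAltString/" "$config"
  fi

  if test "$CDP" = "no"; then
    sed_in_place 's/crlDistr/#crlDistr/' "$config"
    sed_in_place 's/^issuing/#issuing/' "$config"
  fi

  if test -n "$CDPreason"; then
    sed_in_place "s/^#reasons=\$CDPREASON/reasons=${CDPreason}/" "$config"
  fi

  if test -n "$IDPreason"; then
    sed_in_place "s/^#onlysomereasons=\$IDPREASON/onlysomereasons=${IDPreason}/" "$config"
  fi

  echo "Making CA certificate ..."
  if ! $REQ -config "$config" \
      -new -newkey "$keytype" \
      -nodes \
      -"$digest" \
      -keyout "${caroot}/private/$cakey" \
      -subj "$subjectname" \
      -out "${caroot}/$careq"; then
    echo "Create newca request failed."
    exit 1
  fi
  # -create_serial is not needed: mkcatree seeds ${caroot}/serial itself
  if ! $CA -md "$digest" \
      -out "${caroot}/$cacert.pem" \
      -config "$config" -batch \
      -policy policy_anything \
      -subj "$subjectname" \
      -extensions v3_ca_has_san \
      -keyfile "${caroot}/private/$cakey" \
      -startdate "$startDate" -enddate "$endDate" \
      -selfsign -infiles "${caroot}/$careq"; then
    echo "Create newca certificate failed."
    exit 1
  fi

  issue_crl "$config"
  publish_ca_files "$certauth"
}

#######################################
# Create a new subordinate CA domain under $caroot, signed by the CA in
# $casign, and issue the subordinate's initial CRL.
# Globals:   certauth, subca, caroot, casign, caconf, extensions,
#            subjectAltString, CDP, REQ, CA, keytype, digest, subjectname,
#            cakey, careq, cacert, startDate, endDate (read); config (written)
#######################################
newsub() {
  local ANS

  if test -z "$certauth"; then
    echo "Need name for new CADOMAIN. Use '-a <name>' option."
    exit 1
  fi

  if test -f "${caroot}/serial"; then
    echo "Sub CA Domain ( '${caroot}' ) already exists."
    read -r -p "Overwrite existing directory?! [Y/N]: " ANS
    ANS=$(printf '%s' "$ANS" | tr '[:lower:]' '[:upper:]')
    if test "$ANS" != "Y"; then
      exit 1
    fi
    rm -rf -- "${caroot:?}"
  fi

  mkcatree
  config="$caroot/$caconf"

  if test "$extensions" = "Y"; then
    test -z "$subjectAltString" && subjalt
    sed_in_place "s/\(SUBALT[[:blank:]].*=[[:blank:]]\).*/\1$subjectAltString/" "$config"
  fi

  if test "$CDP" = "no"; then
    sed_in_place 's/crlDistr/#crlDistr/' "$config"
    sed_in_place 's/^issuing/#issuing/' "$config"
  fi

  echo "Making CA certificate ..."
  if ! $REQ -config "$config" -new -newkey "$keytype" -nodes -"$digest" \
      -keyout "${caroot}/private/$cakey" \
      -subj "$subjectname" -out "${caroot}/$careq"; then
    echo "Create newca request failed."
    exit 1
  fi

  echo "Siging CA certificate ..."
  # sign with the parent's config and key, not the subordinate's
  config="${casign}/$caconf"
  if ! $CA -md "$digest" \
      -config "$config" \
      -batch \
      -out "${caroot}/$cacert.pem" \
      -startdate "$startDate" -enddate "$endDate" \
      -policy policy_anything \
      -subj "$subjectname" \
      -keyfile "${casign}/private/$cakey" \
      -extensions v3_ca_has_san \
      -infiles "${caroot}/$careq"; then
    echo "Sign CA certificate failed."
    exit 1
  fi

  # the subordinate's own CRL is signed with its own key and config
  config="${caroot}/$caconf"
  issue_crl "$config"
  publish_ca_files "$subca"
}

#######################################
# Create a certificate request and private key from the base config.
# Globals:   baseconf, extensions, subjectAltString, REQ, digest, keytype,
#            subjectname, keyout, reqout (read); config (written)
# Outputs:   $reqout and $keyout.pem
#######################################
newreq() {
  config="$baseconf"

  if test "$extensions" = "Y"; then
    test -z "$subjectAltString" && subjalt
    sed "s/\(SUBALT[[:blank:]].*=[[:blank:]]\).*/\1$subjectAltString/" \
      "$config" > "${config}.req"
    config=${config}.req
  fi

  if $REQ -config "$config" -nodes -new -"$digest" \
      -newkey "$keytype" -subj "$subjectname" \
      -keyout "$keyout.pem" -out "$reqout"; then
    echo "Request is in $reqout, private key is in $keyout.pem"
  fi
}

#######################################
# Print the DER-encoded CRL of the CA given with -a.
# Globals:   certauth, caroot, CRLoutput, CRL (read)
#######################################
dispcrl() {
  local crlfile

  if test -z "$certauth"; then
    echo "Need name of an existing CA. Use '-a <name>' option."
    exit 1
  fi

  crlfile="$caroot/crl/${CRLoutput}.der"
  $CRL -in "$crlfile" -inform der -noout -text
}

#######################################
# Bundle the certificates listed in -c with the key from -k into a PKCS#12
# file protected by the fixture password.
# Globals:   cert, tmpcertlist, PKCS12, pkcs12out, keyfile (read)
# Outputs:   $pkcs12out
#######################################
pkcs12() {
  local i

  test -f "$tmpcertlist" || touch "$tmpcertlist"
  # -c carries a whitespace-separated list of files; splitting is intended
  # shellcheck disable=SC2086
  for i in $cert; do
    cat "$i" >> "$tmpcertlist"
  done

  $PKCS12 -export -des3 \
    -out "$pkcs12out" \
    -in "$tmpcertlist" \
    -passout pass:tcpsup \
    -inkey "$keyfile"
  echo ""
  echo "New pkcs12 package is in $pkcs12out"
  rm "$tmpcertlist"
  #$PKCS12 -in "$pkcs12out" -info
}

#######################################
# Sign the request in $reqout with the CA in $casign, then refresh the CRL
# and emit DER copies of the certificate and CRL.
# Globals:   casign, caconf, CA, startDate, endDate, digest, certout, keyout,
#            reqout, X509, CRLoutput (read); config, serial_num (written)
#######################################
signreq() {
  require_ca_domain "${casign##*/}"

  config=${casign}/$caconf
  config_opts "$config"   # leaves the patched copy's path in $config

  if $CA -config "$config" \
      -startdate "$startDate" -enddate "$endDate" \
      -policy policy_anything \
      -md "$digest" \
      -passin pass:tcpsup \
      -extensions usr_cert_has_san \
      -out "$certout.pem" \
      -infiles "$reqout"; then
    issue_crl "$config" -passin pass:tcpsup
    cat "$certout.pem"
    serial_num=$($X509 -in "$certout.pem" -noout -serial | sed 's/.*=\(.*\)/\1/')
    convert X509 pem der "${casign}/certsdb/$serial_num.pem"
    convert X509 pem der "$certout.pem"
    # NOTE(review): the CRL above is written under ${caroot} but converted
    # from ${casign}; the two only coincide when -b is not given — confirm.
    convert CRL pem der "${casign}/crl/${CRLoutput}.pem"
    echo "PEM-encoded signed certificate is in $certout.pem"
    echo "PEM-encoded signed key is in $keyout.pem"
    echo "DER-encoded signed certificate is in $certout.der"
    echo "DER-encoded signed key is in $keyout.der"
    echo "Copy of signed certificate with serial number $serial_num in ${casign}/certsdb/$serial_num.pem"
  fi
}

#######################################
# Regenerate the CRL for the CA under $caroot using $casign's config.
# Globals:   casign, caconf, caroot, CRLoutput, CRL (read); config (written)
#######################################
gencrl() {
  require_ca_domain "<CAname>"

  config=${casign}/$caconf

  if issue_crl "$config" -passin pass:tcpsup; then
    convert CRL pem der "${caroot}/crl/${CRLoutput}.pem"
    $CRL -in "${caroot}/crl/${CRLoutput}.pem" -noout -text
    echo "Updated CRL file is in ${caroot}/crl/${CRLoutput}.pem"
  else
    echo "CRL update failed."
  fi
}

#######################################
# Re-sign an existing certificate (-c) with the CA in $casign.
# Globals:   casign, caconf, X509, cert, CA, digest, DISPLAY (read)
#            config (written)
# Outputs:   newcert.pem (and tmp.pem) in the current directory
#######################################
signcert() {
  require_ca_domain "<CAname>"

  config=${casign}/$caconf

  # Unlike the other functions, the signing key (newkey.pem) and the outputs
  # here are relative to the current directory rather than $HOME.
  $X509 -x509toreq -in "$cert" -signkey newkey.pem -out tmp.pem
  $CA -config "$config" \
    -policy policy_anything \
    -md "$digest" \
    -passin pass:tcpsup \
    -extensions usr_cert_has_san \
    -out newcert.pem \
    -infiles tmp.pem
  $DISPLAY newcert.pem
  echo "Signed certificate is in newcert.pem"
}

#######################################
# Revoke the certificate in -c with the CA in $casign and refresh its CRL.
# Globals:   casign, caconf, CA, cert, crlexpiration, CRLREASON, CRLoutput (read)
#            config (written)
#######################################
revoke() {
  require_ca_domain "<CAname>"

  config="${casign}/$caconf"

  # CRLREASON is empty or (-crl_reason <reason>), set from -m
  if $CA -revoke "$cert" \
      -keyfile "${casign}/private/cakey.pem" \
      -cert "${casign}/cacert.pem" \
      -crldays "$crlexpiration" \
      -passin pass:tcpsup \
      -config "$config" \
      "${CRLREASON[@]}"; then
    echo "$cert revoked."
    gencrl
    convert CRL pem der "${casign}/crl/${CRLoutput}.pem"
  else
    echo "Revoke failed."
  fi
}

#######################################
# Interactively collect subjectAltName identities until confirmed.
# Globals:   IPV4ID, IPV6ID, FQDNID, EMAILID, subjectAltString (written)
# Outputs:   prompts on stdout; the resulting SAN list is a comma-separated
#            string of IP:/DNS:/email: entries in $subjectAltString
#######################################
subjalt() {
  local ANS=""

  while test "$ANS" != "Y"; do
    printf '%s' "IPv4 Identity (blank for none): "
    read -r IPV4ID
    printf '%s' "IPv6 Identity (blank for none): "
    read -r IPV6ID
    printf '%s' "FQDN Identity (blank for none): "
    read -r FQDNID
    printf '%s' "UserAtFQDN Identity (blank for none): "
    read -r EMAILID
    echo ""
    echo "IPv4 Identity: $IPV4ID"
    echo "IPv6 Identity: $IPV6ID"
    echo "FQDN Identity: $FQDNID"
    echo "UserAtFQDN Identity: $EMAILID"
    echo ""
    printf '%s' "Are the above correct? [Y/N]"
    read -r ANS
    ANS=$(printf '%s' "$ANS" | tr '[:lower:]' '[:upper:]')
  done

  test -n "$IPV4ID" && IPV4ID="IP:$IPV4ID,"
  test -n "$IPV6ID" && IPV6ID="IP:$IPV6ID,"
  test -n "$FQDNID" && FQDNID="DNS:$FQDNID,"
  test -n "$EMAILID" && EMAILID="email:$EMAILID,"

  # join and drop the trailing comma
  subjectAltString=$(printf '%s' "$IPV4ID$IPV6ID$FQDNID$EMAILID" | sed 's/,$//')
  # example of setting subjectAltString using OIDs
  # subjectAltString="otherName:1.3.187;UTF8:04 17 43 41 49 58 41 20 45 43 4f 4e 4f 4d 49 43 41 20 46 45 44 45 52 41 4c,otherName:1.3.187;UTF8:04 35 31 39 30 38 31 39 37 37 32 35 30 39 35 32 39 37 38 31 37 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 31 39 35 34 30 33 32 36 38 36 44 45 54 52 41 4e 53 50,otherName:1.3.187;UTF8:04 0e 30 30 33 36 30 33 30 35 30 30 30 31 30 34,otherName:1.3.187;UTF8:04 19 44 41 56 49 53 4f 4e 20 4d 41 52 43 45 4c 20 50 41 53 51 55 41 4c 49 4e 49;$subjectAltString"
}

#######################################
# Build the openssl "ca" directory layout for a new domain and seed its
# serial/crlnumber files and config.
# Globals:   caroot, subca, certauth, baseconf, caconf (read)
# Outputs:   ${caroot}/{certsdb,crl,private}, serial, crlnumber, index.txt
#            and ${caroot}/${caconf} with DOMAIN set
#######################################
mkcatree() {
  local seed domain

  mkdir -p "${caroot}/certsdb" "${caroot}/crl" "${caroot}/private"
  # Group-writable + setgid so other users in the group can issue from this
  # domain; note this also leaves private/ (and the CA key) world-readable,
  # which is acceptable only because this is a disposable test PKI.
  chmod -R 775 "${caroot}"
  chmod -R g+s "${caroot}"
  # 64 random bits as 16 upper-case hex digits: the first serial and CRL number
  seed=$(od -x -N8 -An /dev/urandom | sed 's/[[:blank:]]//g' | tr '[:lower:]' '[:upper:]')
  echo "$seed" > "${caroot}/serial"
  echo "$seed" > "${caroot}/crlnumber"
  touch "${caroot}/index.txt"

  if test -z "$subca"; then
    domain="$certauth"
  else
    domain="$subca"
  fi
  sed "s/\(DOMAIN[[:blank:]].*=[[:blank:]]\).*/\1$domain/" "$baseconf" > "${caroot}/$caconf"
}

#######################################
# Convert a PEM/DER object using the matching openssl subcommand.
# Globals:   CRL, X509, RSA, DSA, EC (read, selected by name)
# Arguments: $1 - object type: crl|x509|rsa|dsa|ec (any case)
#            $2 - input format    $3 - output format
#            $4 - input file; output is "<input without .$2>.$3"
# Returns:   1 for an unknown object type, else openssl's status
#######################################
convert() {
  local cmd old new src name tool

  cmd=$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')
  old=$2
  new=$3
  src=$4
  name=${src%.$old}

  # restrict the indirect lookup to the known openssl wrappers (no eval)
  case "$cmd" in
    CRL|X509|RSA|DSA|EC) tool=${!cmd} ;;
    *)
      echo "convert: unsupported object type '$1'" >&2
      return 1
      ;;
  esac
  # $tool is "<openssl> <subcommand>" and must word-split
  $tool -in "$src" -inform "$old" -outform "$new" > "$name.$new"
}

CRLREASON=()
while getopts "?hxf:n:d:l:s:e:a:c:k:t:p:b:K:E:C:m:r:R:o:S:X:" option; do
  case "$option" in
    f) function="$OPTARG" ;;
    n) subjectname="$OPTARG" ;;
    d) digest="$OPTARG" ;;
    l) keylength="$OPTARG" ;;
    s) startDate="$OPTARG" ;;
    e) endDate="$OPTARG" ;;
    X) crlexpiration="$OPTARG" ;;
    a) certauth="$OPTARG" ;;
    c) cert="$OPTARG" ;;
    x) extensions="Y" ;;
    t) ktype="$OPTARG" ;;
    k) keyfile="$OPTARG" ;;
    p) prefix="$OPTARG" ;;
    b) subca="$OPTARG" ;;
    K) KUstring="$OPTARG" ;;
    E) EKUstring="$OPTARG" ;;
    C) CDP="$OPTARG" ;;
    m) revreason="$OPTARG" ;;
    r) CDPreason="$OPTARG" ;;
    R) IDPreason="$OPTARG" ;;
    o) CRLoutput="$OPTARG" ;;
    S) subjectAltString="$OPTARG"; extensions="Y" ;;
    ?|h|*)
      usage
      exit 1
      ;;
  esac
done
shift $((OPTIND - 1))

: "${function:=newcert}"
: "${subjectname:=/C=US/ST=NC/L=NC/O=IBM/O=FVT/CN=MVS TEST CERT}"
: "${digest:=sha1}"
: "${crlexpiration:=7300}"
: "${expiration:=7300}"   # currently unused
: "${keyfile:=newkey.pem}"
: "${extensions:=N}"
: "${ktype:=rsa}"
: "${cert:=$HOME/newcert.pem}"
: "${prefix:=new.}"
: "${KUstring:=}"
: "${CDP:=yes}"
: "${CDPreason:=}"
: "${IDPreason:=}"
: "${CRLoutput:=crl}"
: "${inform:=pem}"
: "${outform:=der}"

# openssl's -startdate/-enddate take UTCTime (YYMMDDHHMMSSZ). Use UTC so the
# trailing Z is honest, and force base 10 so years 08/09 are not parsed as
# (invalid) octal. one_year is "same month/day next year" and is not adjusted
# for Feb 29.
this_year=$(date -u +"%y")
printf -v next_year '%02d' $(( (10#$this_year + 1) % 100 ))
one_year=$(date -u +"${next_year}%m%d%H%M%SZ")
now=$(date -u +"%y%m%d%H%M%SZ")
test -z "$startDate" && startDate=$now
test -z "$endDate" && endDate=$one_year

# a .der input to "convert" is turned into PEM instead of the default pem->der
if test "${cert##*.}" = 'der'; then
  inform=der
  outform=pem
fi

if test -n "$revreason"; then
  CRLREASON=(-crl_reason "$revreason")
fi

id_kp_ipsecIKE="1.3.6.1.5.5.7.3.17"
anyExtendedKeyUsage="2.5.29.37.0"
certout="$HOME/${prefix}cert"
keyout="$HOME/${prefix}key"
: "${reqout:=$HOME/${prefix}req.pem}"
pkcs12out="$HOME/${prefix}pkcs12.p12"
tmpcertlist="$HOME/${prefix}certlist.in"

: "${OPENSSL:=/usr/bin/openssl}"

if test "$subca" = "$certauth" && test "$function" = newsub; then
  echo "New intermediate CA ( '$subca' ) == Signing CA ( '$certauth' )"
  echo "Not allowed."
  exit 1
fi

FABRIC_CA="/etc/hyperledger/fabric-ca"
certdir="/tmp"
baseconf="$FABRIC_CA/openssl.cnf.base"
keyparmdir="$FABRIC_CA/keyparms"
caconf="${baseconf##*/}"
caexpire="7300"   # 20 years; currently unused
# caroot is the domain being created/used; casign is the domain that signs
if test -z "$subca"; then
  caroot=$certdir/CAs/$certauth
else
  caroot=$certdir/CAs/$subca
fi
casign=$certdir/CAs/$certauth
cakey=cakey.pem
careq=careq.pem
cacert=cacert
# openssl subcommand wrappers; used unquoted so that they word-split
REQ="$OPENSSL req"
CA="$OPENSSL ca"
VERIFY="$OPENSSL verify"
X509="$OPENSSL x509"
RSA="$OPENSSL rsa"
DSA="$OPENSSL dsa"
EC="$OPENSSL ec"
CRL="$OPENSSL crl"
GENCRL="$CA -gencrl"
PKCS12="$OPENSSL pkcs12"
# NB: this clobbers the X11 DISPLAY variable for any child process; harmless
# for openssl but surprising if the script is ever sourced.
DISPLAY="$X509 -noout -text -certopt no_header -nameopt RFC2253 -in "

# resolve -t/-l into the -newkey argument; DSA/EC need a parameter file
case "$ktype" in
  rsa)
    : "${keylength:=1024}"
    keytype="rsa:$keylength"
    ;;
  dsa|ec)
    : "${keylength:=256}"
    if test -f "$keyparmdir/$ktype$keylength"; then
      keytype="$ktype:$keyparmdir/$ktype$keylength"
    else
      echo "Unsupported keytype: $ktype,$keylength"
      exit 1
    fi
    ;;
  *)
    echo "Unsupported keytype: $ktype,$keylength"
    exit 1
    ;;
esac

case "$function" in
  display)
    if test -f "$cert"; then
      $DISPLAY "$cert"
    else
      echo "$cert not found"
      exit 1
    fi
    ;;
  dispcrl)  dispcrl ;;
  newcert)  newcert ;;
  newreq)   newreq ;;
  newca)    newca ;;
  newsub)   newsub ;;
  gencrl)   gencrl ;;
  revoke)   revoke ;;
  signreq)  signreq ;;
  signcert) signcert ;;
  pkcs12)   pkcs12 ;;
  convert)  convert X509 "$inform" "$outform" "$cert" ;;
  *) exit 0 ;;
esac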