Re: [Bug-wget] [PATCH] Script to create certs & keys

2017-05-14 Thread Tim Rühsen
On Samstag, 13. Mai 2017 22:29:42 CEST Vijo Cherian wrote:
> Script to re-generate all certs & keys for testing

That is simply great !

I just used it to re-generate those certs with invalid date fields, and that
made it possible to remove the OpenSSL requirement from Test-https-badcerts.px.

We surely can use that script for Wget2 as well.
If you don't mind, I would adapt it to use GnuTLS tools instead of OpenSSL (at
least I put it on my todo list).

With Best Regards, Tim




[Bug-wget] [PATCH] Script to create certs & keys

2017-05-13 Thread Vijo Cherian
Script to re-generate all certs & keys for testing

Best,
Vijo.
From 2fcd0d655432e05296de8d428a589dc18fdbfd0b Mon Sep 17 00:00:00 2001
From: Vijo Cherian 
Date: Fri, 12 May 2017 22:13:18 -0700
Subject: [PATCH] Added shell script to create all the certs and keys required
 for SSL testing of wget

---
 util/createcerts.sh | 482 
 1 file changed, 482 insertions(+)
 create mode 100755 util/createcerts.sh

diff --git a/util/createcerts.sh b/util/createcerts.sh
new file mode 100755
index 000..aa94fe7
--- /dev/null
+++ b/util/createcerts.sh
@@ -0,0 +1,482 @@
+#!/bin/bash
+
+# Option handling is based on http://mywiki.wooledge.org/BashFAQ/035
+# Tested on Ubuntu 16.04 (using bash)
+
+testhostname="WgetTestingServer";
+verbose=0 # Variables to be evaluated as shell arithmetic should be initialized to a default or validated beforehand.
+cmd_openssl="";
+CERTSDIR="../tests/certs/";
+tmpfilelist="";
+
+function finish {
+	/bin/rm -f ${tmpfilelist};
+	echo "done";
+}
+
+trap finish EXIT;
+
+function show_usage {
+	echo -e "$0 [options]\n";
+	echo -e "Options:";
+	echo -e "\t-h\tPrint this message";
+	echo -e "\t-a\tRegenerate all certs & keys for testing";
+	echo -e "\t-l\tRegenerate self-signed cert & key";
+	echo -e "\t-s\tRegenerate server cert & key";
+	echo -e "\t-c\tRegenerate client cert & key";
+	echo -e "\t-e\tRegenerate expired cert";
+	echo -e "\t-i\tRegenerate invalid cert";
+	echo -e "\t-o\tRegenerate Root CA cert & key";
+	echo -e "\t-w\tRegenerate IntermediateCA cert";
+	echo -e "\t-r\tRegenerate cert & CRL for cert";
+
+	return 0;
+}
+
+function check_prereqs {
+	# Check if OpenSSL is available
+	command -v openssl 2>/dev/null 1>&2 || { echo >&2 "Need OpenSSL to continue.  Aborting.";
+			 exit 1; }
+	cmd_openssl=`command -v openssl`;
+	echo "Using ${cmd_openssl}";
+	return 0;
+}
+
+function init_conf_file {
+	local conffile=$1;
+	local cacrt=$2;
+	local cakey=$3;
+	local crtindex=$4;
+	local crtserial=$5;
+	local crlnumber=$6;
+	cat >${conffile}  crlnumber;
+	echo "00">icrlnumber;
+	echo "01">certserial;
+	echo "01">icertserial;
+	tmpfilelist="${tmpfilelist} certindex*  crlnumber*";
+	tmpfilelist="${tmpfilelist} icertindex* icrlnumber*";
+	tmpfilelist="${tmpfilelist} certserial* icertserial*";
+	for i in {1..10}
+	do
+		tmpfilelist="${tmpfilelist} 0$i.pem";
+	done
+}
+
+function is_cert_key_ok {
+	local certfile=$1;
+	local keyfile=$2;
+	local check_res=0;
+
+	if ! [ -f $certfile ] && [ -s $certfile ]; then
+		echo "Invalid cert $certfile\n";
+		exit 1;
+	fi
+	if ! [ -f $keyfile ] && [ -s $keyfile ]; then
+		echo "Invalid key $keyfile\n";
+		exit 1;
+	fi
+	check_res=`(openssl x509 -noout -modulus -in $certfile | openssl md5 ;
+			  openssl rsa  -noout -modulus -in $keyfile | openssl md5) |
+			  uniq|wc -l`;
+	if [ ${check_res} -ne 1 ]; then
+		echo "Private key and certfile doesn't match\n";
+		exit 1;
+	fi
+
+	return 0;
+}
+
+function generate_key {
+	local keyfile=$1;
+
+	local key_cmd="${cmd_openssl} genrsa -out ${keyfile} 4096";
+
+	eval ${key_cmd} 2>/dev/null;
+	if [ $? -ne 0 ]; then
+		echo "Failed to generate key pair\n";
+		return 1;
+	fi
+
+	return 0;
+}
+
+function generate_csr {
+	local keyfile=$1;
+	local csrfile=$2;
+	local crttype=$3;
+	local subj111="/C=US/ST=CA/L=Mystery Spot/O=Dis/CN=${testhostname}/";
+	local subj112="emailAddress=${crttype}";
+	local crtsubj=${subj111}${subj112};
+	local csr_cmd="${cmd_openssl} req -new -key ${keyfile} -out ${csrfile} -subj \"${crtsubj}\""
+
+	eval ${csr_cmd} 2>/dev/null;
+	if [ $? -ne 0 ]; then
+		echo "Failed to generate CSR\n";
+		return 1;
+	fi
+
+	return 0;
+}
+
+function sign_cert {
+	local csrfile=$1;
+	local crtfile=$2;
+	local catype=$3;
+	local xopts=${4-'-days 365'};
+
+	local caconf;
+	if [ "$catype"x == "ROOT"x ]; then
+		caconf="./rootca.conf";
+	elif [ "$catype"x == "INTER"x ]; then
+		caconf="./interca.conf";
+	else
+		exit 1;
+	fi
+	local crt_cmd="${cmd_openssl} ca -config ${caconf} -in ${csrfile} -out ${crtfile} -batch ${xopts}";
+
+	eval ${crt_cmd} 2>/dev/null;
+	if [ $? -ne 0 ]; then
+		echo "Failed to create certificate from ${csrfile}";
+		return 1;
+	fi
+
+	return 0;
+}
+
+function generate_crl {
+	local crtfile=$1;
+	local crlfile=$2
+
+	local