File: gen-keys.sh

#!/bin/bash
# SPDX-License-Identifier: GPL-2.0
#
# Generate keys for the tests
#
# Copyright (C) 2020 Vitaly Chikunov <vt@altlinux.org>
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2, or (at your option)
# any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.

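# Work from the script's own directory so every relative path below
# (test-ca.conf, test-*.key, ../src) resolves against it.
cd "$(dirname "$0")" || exit 1
# Prefer the freshly built tools in the source tree over installed ones.
PATH=../src:$PATH
# Report which openssl will be used and stop early if none is available,
# instead of letting every key generation below fail one by one.
type openssl || exit 1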

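#######################################
# Echo a command line to stderr, then run it.
# Arguments: the command and its arguments, one word each
# Outputs:   "- <command line>" on stderr; the command's own output is untouched
# Returns:   the command's exit status
#######################################
log() {
  echo >&2 - "$*"
  # Run the already-split argument list directly instead of eval'ing it: eval
  # would re-parse the joined string, so whitespace, globs or other shell
  # metacharacters inside an argument would be split or re-interpreted.
  # Every caller in this file passes plain words, so the result is unchanged.
  "$@"
}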

#######################################
# Write the OpenSSL request/CA configuration shared by every key below.
# The "skid" section pins a fixed subjectKeyIdentifier instead of the
# hash-derived one used by "v3_ca".
# Outputs:   (re)creates test-ca.conf in the current directory
#######################################
write_ca_conf() {
  cat > test-ca.conf <<'EOF'
[ req ]
distinguished_name = req_distinguished_name
prompt = no
string_mask = utf8only
x509_extensions = v3_ca

[ req_distinguished_name ]
O = IMA-CA
CN = IMA/EVM certificate signing key
emailAddress = ca@ima-ca

[ v3_ca ]
basicConstraints=CA:TRUE
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer

[ skid ]
basicConstraints=CA:TRUE
subjectKeyIdentifier=12345678
authorityKeyIdentifier=keyid:always,issuer
EOF
}

# "clean" removes the config, "force" always rewrites it; otherwise it is
# rewritten only when missing or older than this script.
case "$1" in
  clean)
    rm -f test-ca.conf
    ;;
  force)
    write_ca_conf
    ;;
  *)
    if [[ ! -e test-ca.conf || gen-keys.sh -nt test-ca.conf ]]; then
      write_ca_conf
    fi
    ;;
esac

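# RSA
# Second key will be used for wrong key tests.
# A name of the form <bits>_<section> also requests that named extension
# section from test-ca.conf (1024_skid -> "-extensions skid").
for m in 1024 1024_skid 2048; do
  if [[ "$1" == clean || "$1" == force || gen-keys.sh -nt "test-rsa$m.key" ]]; then
    rm -f "test-rsa$m.cer" "test-rsa$m.key" "test-rsa$m.pub"
  fi
  if [[ "$1" == clean ]]; then
    continue
  fi
  # Keep the optional "-extensions <name>" pair in an array: an empty array
  # expands to no words at all and a set one stays two intact words, without
  # depending on word-splitting of an unquoted string.
  ext=()
  if [[ "$m" == *_* ]]; then
    bits=${m%_*}
    ext=(-extensions "${m#*_}")
  else
    bits=$m
  fi
  if [[ ! -e "test-rsa$m.key" ]]; then
    log openssl req -verbose -new -nodes -utf8 -sha256 -days 10000 -batch -x509 "${ext[@]}" \
      -config test-ca.conf \
      -newkey "rsa:$bits" \
      -out "test-rsa$m.cer" -outform DER \
      -keyout "test-rsa$m.key"
    # for v1 signatures
    log openssl pkey -in "test-rsa$m.key" -out "test-rsa$m.pub" -pubout
    if [[ "$m" == 1024_skid ]]; then
      # Create combined key+cert.
      log openssl x509 -inform DER -in "test-rsa$m.cer" >> "test-rsa$m.key"
    fi
  fi
done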

# EC: one self-signed key/cert per curve. The .pub is only derived when the
# key file was actually produced (non-empty).
for curve in prime192v1 prime256v1; do
  key="test-$curve.key"
  case "$1" in
    clean)
      rm -f "test-$curve.cer" "$key" "test-$curve.pub"
      continue
      ;;
    force)
      rm -f "test-$curve.cer" "$key" "test-$curve.pub"
      ;;
  esac
  if [[ -e "$key" ]]; then
    continue
  fi
  log openssl req -verbose -new -nodes -utf8 -sha256 -days 10000 -batch -x509 \
    -config test-ca.conf \
    -newkey ec \
    -pkeyopt "ec_paramgen_curve:$curve" \
    -out "test-$curve.cer" -outform DER \
    -keyout "$key"
  if [[ -s "$key" ]]; then
    log openssl pkey -in "$key" -out "test-$curve.pub" -pubout
  fi
done

# EC-RDSA
# One key per <algorithm>:<paramset> pair; the .pub is only derived when the
# key file was actually produced (non-empty).
for m in gost2012_256:A gost2012_256:B gost2012_256:C gost2012_512:A gost2012_512:B; do
  algo=${m%%:*}
  param=${m#*:}
  base="test-$algo-$param"
  case "$1" in
    clean|force)
      rm -f "$base.key" "$base.cer" "$base.pub"
      ;;
  esac
  if [[ "$1" == clean || -e "$base.key" ]]; then
    continue
  fi
  log openssl req -nodes -x509 -utf8 -days 10000 -batch \
    -config test-ca.conf \
    -newkey "$algo" \
    -pkeyopt "paramset:$param" \
    -out    "$base.cer" -outform DER \
    -keyout "$base.key"
  if [[ -s "$base.key" ]]; then
    log openssl pkey -in "$base.key" -out "$base.pub" -pubout
  fi
done

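# SM2, If openssl 3.0 is installed, gen SM2 keys using
# The PATH/LD_LIBRARY_PATH override lives in a subshell so it cannot leak
# into the rest of the script.
if [ -x /opt/openssl3/bin/openssl ]; then
  (
  PATH=/opt/openssl3/bin:$PATH
  # PATH is normally already exported, but LD_LIBRARY_PATH usually is not:
  # a plain assignment would stay shell-local and never reach the openssl
  # child process. Export it so the /opt/openssl3 build finds its libraries.
  export LD_LIBRARY_PATH=/opt/openssl3/lib
  for curve in sm2; do
    if [ "$1" = clean ] || [ "$1" = force ]; then
      rm -f "test-$curve.cer" "test-$curve.key" "test-$curve.pub"
    fi
    if [ "$1" = clean ]; then
      continue
    fi
    if [ ! -e "test-$curve.key" ]; then
      log openssl req -verbose -new -nodes -utf8 -days 10000 -batch -x509 \
        -sm3 -sigopt "distid:1234567812345678" \
        -config test-ca.conf \
        -copy_extensions copyall \
        -newkey "$curve" \
        -out "test-$curve.cer" -outform DER \
        -keyout "test-$curve.key"
      if [ -s "test-$curve.key" ]; then
        log openssl pkey -in "test-$curve.key" -out "test-$curve.pub" -pubout
      fi
    fi
  done
  )
fi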

# This script leaves test-ca.conf, *.cer, *.pub, *.key files for the sign/verify tests.
# They are never deleted except by `make distclean'.