grpc
/
grpc-go
mirror of https://github.com/grpc/grpc-go.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
grpc-go/security/advancedtls/testdata/crl/provider_create.sh

117 lines
4.5 KiB
Bash
Executable File
Raw Permalink Blame History

#!/bin/bash
# The script contains a sequence of commands described in README.md
# Generate client/server self signed CAs and certs.
openssl req -x509 \
-newkey rsa:4096 \
-keyout provider_server_trust_key.pem \
-out provider_server_trust_cert.pem \
-days 365 \
-subj "/C=US/ST=VA/O=Internet Widgits Pty Ltd/CN=foo.bar.hoo.ca.com" \
-nodes
openssl req -x509 \
-newkey rsa:4096 \
-keyout provider_client_trust_key.pem \
-out provider_client_trust_cert.pem \
-days 365 \
-subj "/C=US/ST=CA/L=SVL/O=Internet Widgits Pty Ltd" \
-nodes
openssl req -newkey rsa:4096 \
-keyout provider_server_cert.key \
-out provider_new_cert.csr \
-nodes \
-subj "/C=US/ST=CA/L=DUMMYCITY/O=Internet Widgits Pty Ltd/CN=foo.bar.com" \
-sha256
openssl x509 -req \
-in provider_new_cert.csr \
-out provider_server_cert.pem \
-CA provider_client_trust_cert.pem \
-CAkey provider_client_trust_key.pem \
-CAcreateserial \
-days 3650 \
-sha256 \
-extfile provider_extensions.conf
openssl req -newkey rsa:4096 \
-keyout provider_client_cert.key \
-out provider_new_cert.csr \
-nodes \
-subj "/C=US/ST=CA/O=Internet Widgits Pty Ltd/CN=foo.bar.hoo.com" \
-sha256
openssl x509 -req \
-in provider_new_cert.csr \
-out provider_client_cert.pem \
-CA provider_server_trust_cert.pem \
-CAkey provider_server_trust_key.pem \
-CAcreateserial \
-days 3650 \
-sha256 \
-extfile provider_extensions.conf
# Generate files need for CRL issuing.
echo "1000" > provider_crlnumber.txt
touch provider_index.txt
# Generate two CRLs.
openssl ca -gencrl \
-keyfile provider_client_trust_key.pem \
-cert provider_client_trust_cert.pem \
-out provider_crl_empty.pem \
-config provider_crl.cnf
openssl ca -revoke provider_server_cert.pem \
-keyfile provider_client_trust_key.pem \
-cert provider_client_trust_cert.pem \
-config provider_crl.cnf
openssl ca -gencrl \
-keyfile provider_client_trust_key.pem \
-cert provider_client_trust_cert.pem \
-out provider_crl_server_revoked.pem \
-config provider_crl.cnf
# Generate malicious CRLs.
openssl genrsa \
-out provider_malicious_client_trust_key.pem 4096
SubjectKeyIdentifier=$(openssl x509 -in provider_client_trust_cert.pem \
-noout \
-text \
| awk '/Subject Key Identifier/ {getline; print $1;}')
sed -i "s/subjectKeyIdentifier = hash/subjectKeyIdentifier = $SubjectKeyIdentifier/g" \
provider_extensions.conf
openssl req -new \
-key provider_malicious_client_trust_key.pem \
-out cert_malicious_request.csr \
-subj "/C=US/ST=CA/L=SVL/O=Internet Widgits Pty Ltd" \
-config provider_extensions.conf
openssl x509 -req \
-in cert_malicious_request.csr \
-signkey provider_malicious_client_trust_key.pem \
-out provider_malicious_client_trust_cert.pem \
-days 3650 \
-extfile provider_extensions.conf \
-extensions extensions
openssl ca -gencrl \
-keyfile provider_malicious_client_trust_key.pem \
-cert provider_malicious_client_trust_cert.pem \
-out provider_malicious_crl_empty.pem \
-config provider_crl.cnf
sed -i "s/subjectKeyIdentifier = .*/subjectKeyIdentifier = hash/g" \
provider_extensions.conf
rm *.csr
Reference in New Issue View Git Blame Copy Permalink