使用openssl 工具生成 rsa及ecdsa证书链,公钥,私钥,签名,验证,root CA,证书链,中间证书验证

#!/bin/sh

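# Abort on the first failed command and on unset variables: a key-generation
# step that fails silently would otherwise leave later steps signing with
# stale or missing material. Everything below is POSIX sh (the shebang is
# /bin/sh, so `==` inside `[ ]` and the `function` keyword are not available).
set -eu

# Algorithm selection. The first argument picks the key type and the
# signature digest used for every certificate and signature in this script:
#   rsa  -> RSA keys with SHA-256
#   256  -> ECDSA on prime256v1 (NIST P-256) with SHA-256
#   384  -> ECDSA on secp384r1 (NIST P-384) with SHA-384   (default)
#   512  -> ECDSA on secp521r1 (NIST P-521) with SHA-512
# An unrecognised argument aborts instead of silently falling back to the
# default; a CA built on the wrong curve is costly to discover later.
USE_RSA=0
# SIGNATURE_HASH=1 signs a pre-computed digest with pkeyutl instead of letting
# `openssl dgst -sign` hash and sign in one step. Overridable from the
# environment; the default keeps the original one-step behaviour.
SIGNATURE_HASH=${SIGNATURE_HASH:-0}
ECDSA_CURVE=secp384r1
DIGEST_ALGORITHM=sha384

case "${1-}" in
    "")
        # No argument: keep the ECDSA P-384 / SHA-384 defaults.
        ;;
    rsa)
        USE_RSA=1
        DIGEST_ALGORITHM=sha256
        ;;
    256)
        ECDSA_CURVE=prime256v1
        DIGEST_ALGORITHM=sha256
        ;;
    384)
        ECDSA_CURVE=secp384r1
        DIGEST_ALGORITHM=sha384
        ;;
    512)
        ECDSA_CURVE=secp521r1
        DIGEST_ALGORITHM=sha512
        ;;
    *)
        printf 'Usage: %s [rsa|256|384|512]\n' "$0" >&2
        exit 2
        ;;
esac

if [ "$USE_RSA" = 1 ]; then
    echo "Generate RSA certificate"
    echo ""
else
    echo "Generate ECDSA certificate"
    echo "Curve: $ECDSA_CURVE"
    echo "Digest: $DIGEST_ALGORITHM"
fi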

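# OpenSSL config used by every `openssl req` call below (self-signed root and
# the two CSRs). Its [ req ] section points at v3_ca for the root's extensions.
CONFIG_FILE=opensslroot.cfg

#######################################
# Write the X.509 v3 extension files consumed by `openssl x509 -req -extfile`.
#   v3.ext        - intermediate (attestation) CA: CA:true with pathlen:0, so it
#                   may issue end-entity certificates but no further CAs
#   v3_attest.ext - end-entity (attest) certificate: CA:false plus
#                   signing / encipherment key usage
# Globals:   none
# Arguments: none
# Outputs:   creates or overwrites v3.ext and v3_attest.ext in the current dir
# Returns:   0, or non-zero if a file cannot be written
#######################################
prepare() {
    # Quoted heredoc: the contents are written verbatim, no shell expansion.
    cat > v3.ext <<'EOF'
authorityKeyIdentifier=keyid,issuer
subjectKeyIdentifier=hash
basicConstraints = CA:true,pathlen:0
keyUsage = cRLSign, keyCertSign
EOF

    cat > v3_attest.ext <<'EOF'
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:false,pathlen:0
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
EOF
}

prepare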

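#--------------------------------------------------------------------------------------------------------------
# Generate rootCA key
#
# The self-signed root and both CSRs are built with -config "$CONFIG_FILE";
# fail here, before any key material is written, rather than letting every
# later openssl call error out in turn.
if [ ! -r "$CONFIG_FILE" ]; then
    printf 'missing OpenSSL config file: %s\n' "$CONFIG_FILE" >&2
    exit 1
fi

# Private keys are written unencrypted, so create them owner-readable only.
# The umask is set in a subshell so the rest of the script is unaffected.
# RSA key size is 2048 unless RSA_BITS is set in the environment.
if [ "$USE_RSA" = 1 ]; then
    ( umask 077 && openssl genrsa -out qpsa_rootca.key "${RSA_BITS:-2048}" )
else
    ( umask 077 && openssl ecparam -out qpsa_rootca.key -name "$ECDSA_CURVE" -genkey )
fi

# Use the command below to list the curves this OpenSSL build supports;
# the usual choices are prime256v1 (NIST P-256), secp384r1 (NIST P-384)
# and secp521r1 (NIST P-521).
#   openssl ecparam -list_curves

# Generate the self-signed root CA certificate. Its extensions come from the
# [ v3_ca ] section that [ req ] in the config file references; the digest is
# passed explicitly, so the config's default_md is not consulted.
# Serial numbers in this script are fixed (1 here, 5 and 38758 below), which
# is fine for a test hierarchy; a production CA must issue unique serials.
openssl req -new -key qpsa_rootca.key -x509 -out qpsa_rootca.crt \
    -subj "/C=US/ST=California/L=San Diego/OU=General Use Test Key (for testing only)/OU=CDMA Technologies/O=None/CN=Generated Root CA 1" \
    -days 7300 -set_serial 1 -config "$CONFIG_FILE" "-$DIGEST_ALGORITHM"

# Convert crt format to der
openssl x509 -inform PEM -in qpsa_rootca.crt -outform DER -out qpsa_rootca.der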

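#--------------------------------------------------------------------------------------------------------------
# Generate attestCA (intermediate CA) key. Same key-type switch as the root;
# the key file is created owner-readable only because it is unencrypted.
# RSA key size is 2048 unless RSA_BITS is set in the environment.
if [ "$USE_RSA" = 1 ]; then
    ( umask 077 && openssl genrsa -out qpsa_attestca.key "${RSA_BITS:-2048}" )
else
    ( umask 077 && openssl ecparam -out qpsa_attestca.key -name "$ECDSA_CURVE" -genkey )
fi

# Generate csr for attestCA
openssl req -new -key qpsa_attestca.key -out qpsa_attestca.csr \
    -subj "/C=US/ST=CA/L=San Diego/OU=CDMA Technologies/O=None/CN=Generated Attestation CA" \
    -config "$CONFIG_FILE"

# Sign the attestCA certificate with the root CA. The CA extensions
# (CA:true, pathlen:0, keyCertSign/cRLSign) are taken from v3.ext, which
# prepare() writes earlier in the script, not from the CSR.
openssl x509 -req -in qpsa_attestca.csr -CA qpsa_rootca.crt -CAkey qpsa_rootca.key \
    -out qpsa_attestca.crt -set_serial 5 -days 7300 -extfile v3.ext "-$DIGEST_ALGORITHM"

# Convert crt format to der
openssl x509 -inform PEM -in qpsa_attestca.crt -outform DER -out qpsa_attestca.der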

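#--------------------------------------------------------------------------------------------------------------
# Generate attest (end-entity) key. Created owner-readable only because the
# key file is unencrypted. RSA key size is 2048 unless RSA_BITS is set.
if [ "$USE_RSA" = 1 ]; then
    ( umask 077 && openssl genrsa -out qpsa_attest.key "${RSA_BITS:-2048}" )
else
    ( umask 077 && openssl ecparam -out qpsa_attest.key -name "$ECDSA_CURVE" -genkey )
fi

# Generate csr for attest
openssl req -new -key qpsa_attest.key -out qpsa_attest.csr \
    -subj "/C=US/CN=QPSA User/L=San Diego/O=ASIC/ST=California/OU=Test key only" \
    -config "$CONFIG_FILE"

# Sign the attest certificate with the attestCA. End-entity extensions
# (CA:false, digitalSignature, ...) come from v3_attest.ext written by prepare().
# The certificate is written in PEM first (qpsa_attest.crt) so that
# `openssl verify` and `openssl x509 -pubkey` can consume it directly, then
# converted to DER (qpsa_attest.der) as before.
openssl x509 -req -in qpsa_attest.csr -CA qpsa_attestca.crt -CAkey qpsa_attestca.key \
    -out qpsa_attest.crt -days 7300 -set_serial 38758 -extfile v3_attest.ext "-$DIGEST_ALGORITHM"

# Convert crt format to der
openssl x509 -inform PEM -in qpsa_attest.crt -outform DER -out qpsa_attest.der
#--------------------------------------------------------------------------------------------------------------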

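# Get public key from each certificate.
openssl x509 -in qpsa_rootca.crt -pubkey -noout > qpsa_rootca_pubkey.key
openssl x509 -in qpsa_attestca.crt -pubkey -noout > qpsa_attestca_pubkey.key
# The attest certificate is available in DER, so tell x509 the input format.
openssl x509 -inform DER -in qpsa_attest.der -pubkey -noout > qpsa_attest_pubkey.key

# Get the public key from the private key. `openssl pkey` accepts both RSA
# and EC keys and writes the same SubjectPublicKeyInfo ("BEGIN PUBLIC KEY")
# encoding that `openssl rsa -pubout` does, so one code path serves both.
openssl pkey -in qpsa_attest.key -pubout > qpsa_attest_pubkey_from_pri.key
openssl pkey -in qpsa_attest.key -pubout -outform DER > qpsa_attest_pubkey_from_pri.der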

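echo "verify the certificate chain: qpsa_rootca.crt -> qpsa_attestca.crt -> qpsa_attest.crt"
echo ""
# Intermediate against the root.
openssl verify -CAfile qpsa_rootca.crt qpsa_attestca.crt
# Leaf against the whole chain: the root is the trust anchor, the intermediate
# is supplied as an untrusted chain certificate. `openssl verify` expects PEM,
# so the DER leaf is converted first.
openssl x509 -inform DER -in qpsa_attest.der -out qpsa_attest.crt
openssl verify -CAfile qpsa_rootca.crt -untrusted qpsa_attestca.crt qpsa_attest.crt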

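echo "signature data.txt"
printf '%s\n' "adkjdkfjskjfksjtestdata, this is the test data" > data.txt
if [ "$SIGNATURE_HASH" = 1 ]; then
    # Two-step: hash the data first, then sign the digest with pkeyutl.
    openssl dgst "-$DIGEST_ALGORITHM" -binary -out "data.$DIGEST_ALGORITHM" data.txt
    if [ "$USE_RSA" = 1 ]; then
        # An RSA PKCS#1 v1.5 signature wraps the digest in a DigestInfo
        # structure; `-pkeyopt digest:` makes pkeyutl add it. The former
        # `rsautl -raw` path did not, which is why it was marked unsupported.
        openssl pkeyutl -sign -inkey qpsa_attest.key -pkeyopt "digest:$DIGEST_ALGORITHM" \
            -in "data.$DIGEST_ALGORITHM" -out data.sig
    else
        # ECDSA signs the raw digest directly.
        openssl pkeyutl -sign -inkey qpsa_attest.key -in "data.$DIGEST_ALGORITHM" -out data.sig
    fi
else
    # One-step: dgst hashes and signs in a single call.
    openssl dgst "-$DIGEST_ALGORITHM" -sign qpsa_attest.key -out data.sig data.txt
fi

echo "verify the signature of data.txt"
# Self-consistency check with the public key derived from the private key.
openssl dgst "-$DIGEST_ALGORITHM" -verify qpsa_attest_pubkey_from_pri.key -signature data.sig data.txt
# The check a relying party actually performs: against the public key carried
# in the attest certificate (the one validated by the chain verification above).
openssl x509 -inform DER -in qpsa_attest.der -pubkey -noout > qpsa_attest_pubkey.key
openssl dgst "-$DIGEST_ALGORITHM" -verify qpsa_attest_pubkey.key -signature data.sig data.txt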

其中USE_RSA=1 为使用RSA算法,0为使用ECDSA算法, 以下为配置文件opensslroot.cfg内容:

# OpenSSL configuration consumed by the generation script through
# `openssl req -config` (the self-signed root certificate and the two CSRs).
# The [ ca ] / [ CA_default ] / policy_* sections only matter to `openssl ca`,
# which the script never runs: it signs with `openssl x509 -req` instead.
HOME            = .
# $ENV::HOME is resolved from the environment; the HOME entry above is
# presumably the fallback when it is unset — confirm for your OpenSSL version.
RANDFILE        = $ENV::HOME/.rnd

oid_section     = new_oids

# Intentionally empty: no custom OIDs are defined.
[ new_oids ]

####################################################################
# Only consulted by `openssl ca`; unused by the generation script.
[ ca ]
default_ca  = CA_default        # The default ca section

####################################################################
# Settings for `openssl ca`. Unused by the script, kept for completeness.
[ CA_default ]

dir     = ./demoCA      # Where everything is kept
certs       = $dir/certs        # Where the issued certs are kept
crl_dir     = $dir/crl      # Where the issued crl are kept
database    = $dir/index.txt    # database index file.

new_certs_dir   = $dir/newcerts     # default place for new certs.

certificate = $dir/cacert.pem   # The CA certificate
serial      = $dir/serial       # The current serial number
crlnumber   = $dir/crlnumber    # the current crl number
                    # must be commented out to leave a V1 CRL
crl     = $dir/crl.pem      # The current CRL
private_key = $dir/private/cakey.pem# The private key
RANDFILE    = $dir/private/.rand    # private random number file

x509_extensions = usr_cert      # The extensions to add to the cert

name_opt    = ca_default        # Subject Name options
cert_opt    = ca_default        # Certificate field options

default_days    = 365           # how long to certify for
default_crl_days= 30            # how long before next CRL
# SHA-1 is unsuitable for certificate signatures. The script never reaches
# this value: it passes the digest (-sha256/-sha384/-sha512) on every
# signing command line.
default_md  = sha1          # which md to use.
preserve    = no            # keep passed DN ordering

policy      = policy_match

# For the CA policy (enforced by `openssl ca` only)
[ policy_match ]
countryName     = match
stateOrProvinceName = match
organizationName    = match
organizationalUnitName  = optional
commonName      = supplied
emailAddress        = optional

# For the 'anything' policy
# At this point in time, you must list all acceptable 'object'
# types.
[ policy_anything ]
countryName     = optional
stateOrProvinceName = optional
localityName        = optional
organizationName    = optional
organizationalUnitName  = optional
commonName      = supplied
emailAddress        = optional

####################################################################
# Section used by the script's `openssl req` calls.
[ req ]
# Not used by the script: every `openssl req` call is given an existing key
# with -key (generated separately by genrsa / ecparam), so no key is ever
# generated from this setting. 1024-bit RSA would be too small anyway.
default_bits        = 1024
default_keyfile     = privkey.pem
distinguished_name  = req_distinguished_name
attributes      = req_attributes
# Applied by `openssl req -x509`, i.e. to the self-signed root CA certificate.
x509_extensions = v3_ca # The extensions to add to the self signed cert

string_mask = nombstr

# Placed into the CSRs. The final certificate extensions are supplied by the
# script with `openssl x509 -req -extfile` (v3.ext / v3_attest.ext) instead.
req_extensions = v3_req # The extensions to add to a certificate request

# Prompt texts and defaults; the script supplies the subject with -subj.
[ req_distinguished_name ]
countryName         = Country Name (2 letter code)
countryName_default     = AU
countryName_min         = 2
countryName_max         = 2

stateOrProvinceName     = State or Province Name (full name)
stateOrProvinceName_default = Some-State

localityName            = Locality Name (eg, city)

0.organizationName      = Organization Name (eg, company)
0.organizationName_default  = Internet Widgits Pty Ltd

organizationalUnitName      = Organizational Unit Name (eg, section)

commonName          = Common Name (eg, YOUR name)
commonName_max          = 64

emailAddress            = Email Address
emailAddress_max        = 64

# Prompt definitions for optional CSR attributes.
[ req_attributes ]
challengePassword       = A challenge password
challengePassword_min       = 4
challengePassword_max       = 20

unstructuredName        = An optional company name

# End-entity extensions for certificates issued by `openssl ca` (referenced
# from CA_default). The script uses v3_attest.ext for its leaf instead.
[ usr_cert ]

basicConstraints=CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment

nsComment           = "OpenSSL Generated Certificate"

# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer

# Extensions embedded in the CSRs (req_extensions above).
[ v3_req ]

# Extensions to add to a certificate request
subjectKeyIdentifier=hash

#authorityKeyIdentifier=keyid:always,issuer:always
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment

# Root CA extensions, applied through x509_extensions in [ req ].
# CA:true with no pathlen, so the root may issue intermediates (the
# intermediate itself is limited with pathlen:0 in v3.ext). There is no
# authorityKeyIdentifier, which is normal for a self-signed certificate.
[ v3_ca ]

subjectKeyIdentifier=hash

basicConstraints = CA:true

keyUsage = cRLSign, keyCertSign

# CRL extensions; not referenced anywhere in this file nor by the script.
[ crl_ext ]

authorityKeyIdentifier=keyid:always,issuer:always

# Proxy-certificate template; not referenced anywhere in this file nor by
# the script.
[ proxy_cert_ext ]
basicConstraints=CA:FALSE

nsComment           = "OpenSSL Generated Certificate"

# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always

proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo

最简单的方法,直接用java里的keytool工具生成一个keystore文件,然后直接用这个文件启用https就可以了。 方法如下: 命令行执行%JAVA_HOME%\bin\keytool -genkey -alias tomcat -keyalg RSA 执行过程中会询问你一些信息,比如国家代码,省市等,其中需要填写两个密码,一次在开头,一次在最后,请保持两个密码相同。比如,我将密码都设成s3cret。 如果不同,启动会报错,大概是下面这样的 java.io.IOException: Cannot recover key 执行完成后会生成一个.keystore文件,将它复制到tomcat的bin目录下(并不一定,放哪里都可以) 打开conf目录下的server.xml文件,找到以下这一段 它被注释掉了,将注释去掉,并将这一段改成以下 maxThreads="150" scheme="https" secure="true" keystoreFile="bin/.keystore" keystorePass=" s3cret" clientAuth="false" sslProtocol="TLS" /> 之后启动tomcat就可以了,通过https方式访问8443端口,就能看到效果。如果用http访问之前的端口,那么还是普通的未加密连接。 到这里问题来了,我的目的是启用https,但现在http还能访问,那么就可以绕开https。https也就起不了什么作用了。因此要强制访问https。 打开你的web应用的web.xml文件,在最后加上这样一段 Protected Context /* CONFIDENTIAL 重启tomcat,现在你放问原来的地址,假设是http://localhost:8080/mywebapp/,可以看到,连接被重定向到了https的连接 https://localhost:8443/mywebapp/。这样,我们的目的达到了。 但似乎还有点小问题,keystorePass="s3cret",这个密码直接被明码方式卸载server.xml里。总觉得有还是有点不爽。 那么还有一种稍微复杂点的方式,我们使用openssl。 首先,需要下载openssl,为了方便,可以下载一个绿色版, 加压后除了openssl.exe以外,还有一个bat文件,这个可以帮助我们快速创建证书申请文件。 运行autocsr.bat,按照提示输入信息,之后按任意键确认。你会得到两个文件,一个server.key,这是私钥文件,还有一个名为certreq.csr的证书请求文件。 如果你要向证书颁发机构申请正式的安全证书,那么就把这个certreq.csr文件发给他们就行了。他们会给你发来两个cer文件,一个是服务器证书,一个是根证书 如果你只是要使用https,那么证书自己签署就可以了。 在命令行下进入刚才解压的目录,找到openssl.exe所在的目录,执行以下命令 openssl x509 -req -in certreq.csr -out cert.cer -signkey server.key -days 3650 现在你将得到一个名为cert.cer的证书文件。 修改server.xml将 maxThreads="150" scheme="https" secure="true" keystoreFile="bin/.keystore" keystorePass=" s3cret" clientAuth="false" sslProtocol="TLS" /> 修改为以下内容(假设cert.cer和server.key文件都放在tomcat的conf目录下) maxThreads="150" scheme="https" secure="true" SSLCertificateFile="conf/cert.cer" SSLCertificateKeyFile="conf/server.key" sslProtocol="TLS" /> PS.如果真的向证书颁发机构申请到了正式的安全证书,那么配置还有点不同,如下 maxThreads="150" scheme="https" secure="true" SSLCertificateFile="conf/server.cer" SSLCertificateKeyFile="conf/server.key" SSLCertificateChainFile="conf/intermediate.cer" sslProtocol="TLS" /> 因为证书颁发机构会给两个整数,一个是签署后的服务器证书,还有一个中级CA证书,所以要多一行配置。 
可能证书颁发机构只会给你服务器证书也就是server.cer, 中级的CA证书即 intermediate.cer 需要到 证书颁发机构提供的网站中去下载,具体的操作会为证书颁发机构给发的邮箱中会有相关的提示 好了,到这里都配置完了,重启tomcat,就可以看到效果。不过,看到的通常会是一个exception,大概是说APR not available 如果遇到这个异常,说明你的tomcat没有安装apr支持 apr安装详见:http://www.blogjava.net/yongboy/archive/2009/08/31/293343.html 之后启动tomcat,问题应该解决了,看起来效果和第一种方式没什么不同。
首先,需要使用 OpenSSL 工具生成一个证书文件,包括公钥私钥: ``` openssl req -x509 -newkey rsa:2048 -keyout example.key -out example.crt -days 365 ``` 这个命令将生成一个 2048 位 RSA 密钥对,并将其用于创建自签名的 X.509 证书,有效期为一年。生成私钥将保存在 `example.key` 文件中,证书将保存在 `example.crt` 文件中。 接下来,我们可以使用 OpenSSL 的命令行工具来提取证书文件中的公钥: ``` openssl x509 -in example.crt -pubkey -noout > example.pub ``` 这个命令将从 `example.crt` 中提取公钥,并将其保存到 `example.pub` 文件中。 现在,我们可以使用 Python 的 Cryptography 模块来加密数据。以下是一个示例脚本: ```python from cryptography.hazmat.primitives.asymmetric import rsa, padding from cryptography.hazmat.primitives import serialization # 读取公钥 with open('example.pub', 'rb') as f: pubkey_bytes = f.read() pubkey = serialization.load_pem_public_key(pubkey_bytes) # 加密数据 message = b'Hello, world!' ciphertext = pubkey.encrypt(message, padding.OAEP(mgf=padding.MGF1(algorithm=hashes.SHA256()), algorithm=hashes.SHA256(), label=None)) # 打印密文 print(ciphertext) ``` 这个脚本从 `example.pub` 中读取公钥,并使用 OAEP 填充方案加密了一条消息。密文将打印到控制台上。 最后,我们可以使用 OpenSSL 的命令行工具来解密数据: ``` openssl rsautl -decrypt -inkey example.key -in ciphertext.bin ``` 这个命令将使用 `example.key` 中的私钥来解密 `ciphertext.bin` 文件中的数据。请注意,`ciphertext.bin` 文件中的数据必须是二进制格式的密文,而不是 Base64 编码的字符串。 如果解密成功,您应该会看到原始的明文消息,即 `Hello, world!`。
