-#!/bin/sh
+#!/bin/bash
+
+set -e
msg() {
echo
cd `dirname $0`
echo
-echo "This script re-generates all private keys and certificates"
-echo "needed to run the Unit Test."
-echo
-echo " *** IMPORTANT ***"
-echo
-echo "This script will change the system date momentarily to generate"
-echo "a couple of certificates (sudo password will be requested). This"
-echo "is because it uses the OpenSSL x509 utility instead of the ca"
-echo "utility which allows to set a starting date for the certificates."
-echo
-echo "A few manual changes need to be made. The first certificate"
-echo "in ca-roots.pem and ca-roots-bad.pem need to be replaced by"
-echo "the contents of ca.pem."
-echo
-echo "Also, file-database.c:test_lookup_certificates_issued_by has"
-echo "an ISSUER variable that needs to be changed by the CA identifier"
-echo "(read the comment in that function) if you modify this script."
-echo
-echo " *** IMPORTANT ***"
+echo "This script regenerates all private keys and certificates"
+echo "needed to run glib-networking tests. Please note this script"
+echo "depends on datefudge, openssl, and python3's cryptography module."
echo
-read -p "Press [Enter] key to continue..." key
+read -p "Press [Enter] key to continue..."
#######################################################################
### Obsolete/Untrusted Root CA
echo "00" > serial
msg "Creating CA private key for obsolete/untrusted CA"
-openssl genrsa -out old-ca-key.pem 1024
+openssl genrsa -out old-ca-key.pem 2048
msg "Creating CA certificate for obsolete/untrusted CA"
openssl req -x509 -new -config ssl/old-ca.conf -days 10950 -key old-ca-key.pem -out old-ca.pem
#######################################################################
msg "Creating CA private key"
-openssl genrsa -out ca-key.pem 1024
+openssl genrsa -out ca-key.pem 2048
msg "Creating CA certificate"
openssl req -x509 -new -config ssl/ca.conf -days 10950 -key ca-key.pem -out ca.pem
#######################################################################
+### New Root CA with OCSP MustStaple
+#######################################################################
+
+msg "Creating CA (OCSP) certificate"
+openssl req -x509 -new -config ssl/ca.conf -addext tlsfeature=status_request -days 10950 -key ca-key.pem -out ca-ocsp.pem
+
+#######################################################################
### New Root CA, issued by Obsolete/Untrusted Root CA
#######################################################################
#######################################################################
msg "Creating server private key"
-openssl genrsa -out server-key.pem 512
+openssl genrsa -out server-key.pem 2048
msg "Creating server certificate request"
openssl req -config ssl/server.conf -key server-key.pem -new -out server-csr.pem
cat server.pem > server-and-key.pem
cat server-key.pem >> server-and-key.pem
+msg "Updating digest of the new certificate in connections.c"
+DIGEST=$( openssl x509 -outform der -in server.pem | openssl sha256 -binary | base64 | sed 's/\//\\\//g' )
+sed -i "/define SERVER_CERT_DIGEST_B64/s/\"\([^\"]\+\)\"/\"$DIGEST\"/" ../connection.c
+
msg "Converting server certificate from PEM to DER"
openssl x509 -in server.pem -outform DER -out server.der
msg "Converting server private key from PEM to DER"
openssl rsa -in server-key.pem -outform DER -out server-key.der
+msg "Converting server private key to PKCS #8"
+openssl pkcs8 -topk8 -in server-key.pem -outform PEM -nocrypt -out server-key-pkcs8.pem
+openssl pkcs8 -topk8 -in server-key.pem -outform DER -nocrypt -out server-key-pkcs8.der
+
+#######################################################################
+### Server (OCSP required by CA)
+#######################################################################
+
+msg "Creating server (OCSP required by CA) certificate"
+openssl x509 -req -in server-csr.pem -days 9125 -CA ca-ocsp.pem -CAkey ca-key.pem -CAserial serial -extfile ssl/server.conf -extensions v3_req_ext -out server-ocsp-required-by-ca.pem
+
+msg "Concatenating server (OCSP required by CA) certificate and private key into a single file"
+cat server-ocsp-required-by-ca.pem > server-ocsp-required-by-ca-and-key.pem
+cat server-key.pem >> server-ocsp-required-by-ca-and-key.pem
+
+#######################################################################
+### Server (OCSP required by server)
+#######################################################################
+
+msg "Creating server (OCSP required by server) certificate"
+openssl x509 -req -in server-csr.pem -days 9125 -CA ca.pem -CAkey ca-key.pem -CAserial serial -extfile ssl/server-muststaple.conf -extensions v3_req_ext -out server-ocsp-required-by-server.pem
+
+msg "Concatenating server (OCSP required by server) certificate and private key into a single file"
+cat server-ocsp-required-by-server.pem > server-ocsp-required-by-server-and-key.pem
+cat server-key.pem >> server-ocsp-required-by-server-and-key.pem
+
#######################################################################
### Server (self-signed)
#######################################################################
# It is not possible to specify the start and end date using the "x509" tool.
# It would be better to use the "ca" tool. Sorry!
msg "Creating client certificate (past)"
-sudo date -s "17 JUL 2000 18:00:00"
-openssl x509 -req -in client-csr.pem -days 365 -startdate -enddate -CA ca.pem -CAkey ca-key.pem -CAserial serial -out client-past.pem
-sudo hwclock -s
+datefudge "17 JUL 2000 18:00:00" openssl x509 -req -in client-csr.pem -days 365 -startdate -enddate -CA ca.pem -CAkey ca-key.pem -CAserial serial -out client-past.pem
touch client-past.pem
msg "Creating client certificate (future)"
-sudo date -s "17 JUL 2060 18:00:00"
-openssl x509 -req -in client-csr.pem -days 365 -startdate -enddate -CA ca.pem -CAkey ca-key.pem -CAserial serial -out client-future.pem
-sudo hwclock -s
+datefudge "17 JUL 2060 18:00:00" openssl x509 -req -in client-csr.pem -days 365 -startdate -enddate -CA ca.pem -CAkey ca-key.pem -CAserial serial -out client-future.pem
touch client-future.pem
+msg "Creating second client key pair"
+openssl genrsa -out client2-key.pem 2048
+openssl req -config ssl/client.conf -key client2-key.pem -new -out client2-csr.pem
+openssl x509 -req -in client2-csr.pem -days 9125 -CA ca.pem -CAkey ca-key.pem -CAserial serial -out client2.pem
+
+msg "Concatenating second client certificate and private key into a single file"
+cat client2.pem client2-key.pem > client2-and-key.pem
+
#######################################################################
### Concatenate all non-CA certificates
#######################################################################
echo "00" > intermediate-serial
msg "Creating intermediate CA private key"
-openssl genrsa -out intermediate-ca-key.pem 512
+openssl genrsa -out intermediate-ca-key.pem 2048
msg "Creating intermediate CA certificate request"
openssl req -config ssl/intermediate-ca.conf -key intermediate-ca-key.pem -new -out intermediate-ca-csr.pem
#######################################################################
msg "Creating server (intermediate CA) private key"
-openssl genrsa -out server-intermediate-key.pem 512
+openssl genrsa -out server-intermediate-key.pem 2048
msg "Creating server (intermediate CA) certificate request"
openssl req -config ssl/server-intermediate.conf -key server-intermediate-key.pem -new -out server-intermediate-csr.pem
cat ca.pem >> chain.pem
#######################################################################
+### Updating CA Root files
+#######################################################################
+
+msg "Updating CA Root files"
+./update-chain-with-new-root.py ca-roots.pem ca.pem
+./update-chain-with-new-root.py ca-roots-bad.pem ca.pem
+
+#######################################################################
+### Update test expectations
+#######################################################################
+
+msg "Updating test expectations"
+./update-test-database.py ca.pem ../file-database.h
+./update-certificate-test.py server.pem ../certificate.h
+
+#######################################################################
### Cleanup
#######################################################################