#!/bin/bash
#
# Copyright 2019 NXP
# SPDX-License-Identifier: Apache-2.0
#
#
#
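ORG_UNIT="NXP Plug Trust CA"
CERT_VALIDITY=4380 # 12 years; applied to the root CA *and* to both leaf certificates below
# Create either EC or RSA based credential.
# Exactly one argument is accepted, "ECC" or "RSA"; it selects the key type of
# the root CA and of both leaf key pairs. Any other input aborts before a single
# file is touched. Usage/errors go to stderr so stdout carries only progress
# output (exit statuses 4 and 21 are kept as they were).
if [[ "$#" -ne 1 ]]; then
  echo "Usage createTlsCredentials_Optional [ECC|RSA]" >&2
  echo "Exiting ..." >&2
  exit 4
fi
case "$1" in
  RSA) CA_TYPE="RSA" ;;
  ECC) CA_TYPE="ECC" ;;
  *)
    echo " first argument to script must be ECC or RSA" >&2
    echo "Exiting ..." >&2
    exit 21
    ;;
esac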
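################################################
# Set Global variables according to ECC/RSA mode
################################################
# Root CA Files
# RSA mode: 4096-bit CA key, 2048-bit leaf keys. ECC mode: prime256v1 (P-256)
# for every key pair. KEY_DIR is keyed by the algorithm so an RSA and an ECC
# credential set can coexist without overwriting each other.
case "${CA_TYPE}" in
  RSA)
    ROOT_CA_CN="NXP RootCAvRxxx"
    DEVICE_CN="NXP_SE050_TLS_CLIENT_RSA"
    SERVER_CN="NXP_SE050_TLS_SERVER_RSA"
    CA_RSA_BITS=4096
    CERT_RSA_BITS=2048
    KEY_DIR=../credentials/RSA
    ;;
  *)
    ROOT_CA_CN="NXP RootCAvExxx"
    DEVICE_CN="NXP_SE050_TLS_CLIENT_ECC"
    SERVER_CN="NXP_SE050_TLS_SERVER_ECC"
    EC_KEY_TYPE=prime256v1
    KEY_DIR=../credentials/${EC_KEY_TYPE}
    # Curve parameter file handed to "openssl ecparam -in" for the root CA,
    # client and server keys. It is set here, unconditionally, because it was
    # previously only assigned inside the branch that generates a new root CA
    # key: a re-run that kept the root CA key but had to create a fresh client
    # or server key ran "ecparam -in" with an empty path.
    ecc_param_pem="${KEY_DIR}/${EC_KEY_TYPE}.pem"
    ;;
esac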
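# Cd to directory where script is stored so the relative KEY_DIR resolves the
# same way regardless of the caller's cwd. Abort if that fails: otherwise every
# key and certificate below would be written wherever the caller happens to be.
SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
echo "${SCRIPT_DIR}"
cd "${SCRIPT_DIR}" || { echo "Cannot cd to ${SCRIPT_DIR}" >&2; exit 1; }
# KEY_DIR will hold unencrypted private keys (the key generation and the
# "-nodes" self-signing below never apply a passphrase), so a newly created
# directory is restricted to the owner. A pre-existing directory keeps its mode.
if [[ ! -d "${KEY_DIR}" ]]; then
  mkdir -p -m 700 "${KEY_DIR}" || { echo "Cannot create ${KEY_DIR}" >&2; exit 1; }
fi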
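# Paths of everything this script produces; all of them live under KEY_DIR.
rootca_key="${KEY_DIR}/tls_rootca_key.pem"
rootca_cer="${KEY_DIR}/tls_rootca.cer"
# Serial-number file of the root CA. It is kept next to the CA certificate
# because that is where "-CAcreateserial" puts it: OpenSSL derives the default
# name from the CA certificate path (tls_rootca.cer -> tls_rootca.srl in the
# same directory). The previous bare "tls_rootca.srl" pointed into the script
# directory, so the "-CAserial" reuse branch below could never match it.
rootca_srl="${KEY_DIR}/tls_rootca.srl"
client_key="${KEY_DIR}/tls_client_key.pem"
client_key_pub="${KEY_DIR}/tls_client_key_pub.pem" # Contains public key only
client_csr="${KEY_DIR}/tls_client.csr"
client_cer="${KEY_DIR}/tls_client.cer"
server_key="${KEY_DIR}/tls_server_key.pem"
server_csr="${KEY_DIR}/tls_server.csr"
server_cer="${KEY_DIR}/tls_server.cer"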
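echo "Create or Re-use RootCA"
echo "***********************"
#######################################
# Self-sign the root CA certificate from the root CA key.
# Globals:  rootca_key, rootca_cer, ORG_UNIT, ROOT_CA_CN, CERT_VALIDITY
# Exits:    1 if openssl fails (the original silently carried on and every
#           later signing step then failed with a confusing message).
# Notes:    "-nodes" leaves the CA private key unencrypted on disk; these are
#           demo credentials and the key must stay on this host only.
#           "-sha256" is explicit so the root certificate's digest does not
#           depend on default_md in the local openssl.cnf.
#           NOTE(review): no "-extensions" are passed, so whether the root
#           carries basicConstraints CA:TRUE depends on the OpenSSL
#           version/config; check with "openssl x509 -text" if a TLS stack
#           rejects the chain.
#######################################
create_rootca_cert() {
  openssl req -x509 -new -nodes -sha256 -key "${rootca_key}" \
    -subj "/OU=${ORG_UNIT}/CN=${ROOT_CA_CN}" \
    -days "${CERT_VALIDITY}" -out "${rootca_cer}" \
    || { echo "Creating ${rootca_cer} failed" >&2; exit 1; }
  # openssl x509 -in ${rootca_cer} -text -noout
}
if [[ ! -e "${rootca_key}" ]]; then
  if [[ "${CA_TYPE}" == "RSA" ]]; then
    echo ">> Create RSA Root CA Key with ${CA_RSA_BITS} bits: (${rootca_key})"
    openssl genrsa -out "${rootca_key}" "${CA_RSA_BITS}" \
      || { echo "Creating ${rootca_key} failed" >&2; exit 1; }
  else
    ecc_param_pem="${KEY_DIR}/${EC_KEY_TYPE}.pem"
    if [[ ! -e "${ecc_param_pem}" ]]; then
      # echo "Creating ECC parameter file: ${ecc_param_pem} for ${EC_KEY_TYPE}"
      openssl ecparam -name "${EC_KEY_TYPE}" -out "${ecc_param_pem}" \
        || { echo "Creating ${ecc_param_pem} failed" >&2; exit 1; }
    fi
    echo ">> Create EC Root CA key (${rootca_key})"
    openssl ecparam -in "${ecc_param_pem}" -genkey -noout -out "${rootca_key}" \
      || { echo "Creating ${rootca_key} failed" >&2; exit 1; }
    # openssl ec -in ${rootca_key} -text -noout
  fi
  echo ">> Create RootCA certificate (${rootca_cer})"
  create_rootca_cert
elif [[ ! -e "${rootca_cer}" ]]; then
  # The key survived but its certificate is gone: re-issue from the same key.
  echo ">> Create RootCA (${rootca_cer}) certificate"
  create_rootca_cert
else
  echo ">> RootCA key (${rootca_key}) already exists"
  echo ">> RootCA certificate (${rootca_cer}) already exist"
fi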
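echo "Prepare Client Side TLS credentials"
echo "***********************************"
# Conditionally create client key.
# In ECC mode the curve is named directly ("-name") instead of being read from
# the parameter file: that file and the variable holding its path were only set
# up in the branch that generates a fresh root CA key, so a re-run that reused
# the root CA but needed a new client key ran "ecparam -in" with nothing to
# read. A named curve yields the same key type as the parameter file did.
if [[ ! -e "${client_key}" ]]; then
  echo ">> Create client key (${client_key})"
  if [[ "${CA_TYPE}" == "RSA" ]]; then
    openssl genrsa -out "${client_key}" "${CERT_RSA_BITS}" \
      || { echo "Creating ${client_key} failed" >&2; exit 1; }
  else
    openssl ecparam -name "${EC_KEY_TYPE}" -genkey -noout -out "${client_key}" \
      || { echo "Creating ${client_key} failed" >&2; exit 1; }
  fi
  # openssl ec -in ${client_key} -text -noout
else
  echo ">> Client key (${client_key}) already exists"
fi
# Create a client key pem file containing ONLY the public key
echo ">> Extract public key from client keypair: ${client_key_pub}"
if [[ "${CA_TYPE}" == "RSA" ]]; then
  openssl rsa -in "${client_key}" -pubout -out "${client_key_pub}" \
    || { echo "Extracting ${client_key_pub} failed" >&2; exit 1; }
else
  openssl ec -in "${client_key}" -pubout -out "${client_key_pub}" \
    || { echo "Extracting ${client_key_pub} failed" >&2; exit 1; }
fi
# echo ">> Create Client CSR"
openssl req -new -key "${client_key}" -subj "/CN=${DEVICE_CN}" -out "${client_csr}" \
  || { echo "Creating ${client_csr} failed" >&2; exit 1; }
# openssl req -in ${client_csr} -text -noout
# Always create a CA signed client certificate
if [[ -e "${rootca_key}" && -e "${rootca_cer}" ]]; then
  # Reuse the CA's serial file when present so every certificate signed by this
  # CA gets a distinct serial; otherwise let OpenSSL create it. An array keeps
  # the option and its argument as separate words without relying on
  # word-splitting of an unquoted string.
  if [[ -e "${rootca_srl}" ]]; then
    serial_opts=(-CAserial "${rootca_srl}")
  else
    serial_opts=(-CAcreateserial)
  fi
  echo ">> Create Client Certificate (${client_cer})"
  # NOTE(review): the leaf is signed without any X.509 v3 extensions (no SAN,
  # no keyUsage/extendedKeyUsage) and for the full CERT_VALIDITY. That is
  # acceptable for a demo client certificate; a production CA would issue
  # shorter-lived leaves with explicit extensions.
  openssl x509 -req -sha256 -days "${CERT_VALIDITY}" -in "${client_csr}" \
    "${serial_opts[@]}" -CA "${rootca_cer}" -CAkey "${rootca_key}" -out "${client_cer}" \
    || { echo "Signing ${client_cer} failed" >&2; exit 1; }
  openssl x509 -in "${client_cer}" -text -noout
else
  echo "Did not find CA cert and/or CA key pair: Fatal error" >&2
  exit 255 # the status "exit -1" produced; -1 is outside the valid 0-255 range
fi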
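echo "Prepare Server Side TLS credentials"
echo "***********************************"
# Conditionally create server key.
# As for the client key, the ECC curve is named directly: the parameter file
# (and the variable with its path) was only set up while generating a new root
# CA key, so a re-run that reused the root CA could not generate a server key.
if [[ ! -e "${server_key}" ]]; then
  echo ">> Create server key (${server_key})"
  if [[ "${CA_TYPE}" == "RSA" ]]; then
    openssl genrsa -out "${server_key}" "${CERT_RSA_BITS}" \
      || { echo "Creating ${server_key} failed" >&2; exit 1; }
  else
    openssl ecparam -name "${EC_KEY_TYPE}" -genkey -noout -out "${server_key}" \
      || { echo "Creating ${server_key} failed" >&2; exit 1; }
  fi
  # openssl ec -in ${server_key} -text -noout
else
  echo ">> Server key (${server_key}) already exists"
fi
# echo ">> Create Server CSR"
openssl req -new -key "${server_key}" -subj "/CN=${SERVER_CN}" -out "${server_csr}" \
  || { echo "Creating ${server_csr} failed" >&2; exit 1; }
# openssl req -in ${server_csr} -text -noout
# Always create a CA signed server certificate
if [[ -e "${rootca_key}" && -e "${rootca_cer}" ]]; then
  # Reuse the CA's serial file when present, otherwise let OpenSSL create it.
  if [[ -e "${rootca_srl}" ]]; then
    serial_opts=(-CAserial "${rootca_srl}")
  else
    serial_opts=(-CAcreateserial)
  fi
  echo ">> Create Server Certificate (${server_cer})"
  # NOTE(review): the server certificate carries only CN=${SERVER_CN}, no
  # subjectAltName and no extendedKeyUsage, and is valid for CERT_VALIDITY days.
  # TLS clients that require a SAN for host-name matching will not accept it on
  # the name alone; fine for the SE050 demo, not for a production endpoint.
  openssl x509 -req -sha256 -days "${CERT_VALIDITY}" -in "${server_csr}" \
    "${serial_opts[@]}" -CA "${rootca_cer}" -CAkey "${rootca_key}" -out "${server_cer}" \
    || { echo "Signing ${server_cer} failed" >&2; exit 1; }
  openssl x509 -in "${server_cer}" -text -noout
else
  echo "Did not find CA cert and/or CA key pair: Fatal error" >&2
  exit 255 # the status "exit -1" produced; -1 is outside the valid 0-255 range
fi
echo ">> Server and Client credentials available for use"
echo ">> ***********************************************"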