[PATCH] hs20-ca: provide command-line args to setup.sh

greearb at candelatech.com greearb
Fri Mar 20 19:44:38 PDT 2015


From: Ben Greear <greearb at candelatech.com>

This gives more flexibility when generating keys.

Signed-off-by: Ben Greear<greearb at candelatech.com>
---
 hs20/server/ca/openssl-root.cnf |  4 +--
 hs20/server/ca/openssl.cnf      |  4 +--
 hs20/server/ca/setup.sh         | 79 +++++++++++++++++++++++++++++++++++++----
 3 files changed, 76 insertions(+), 11 deletions(-)

diff --git a/hs20/server/ca/openssl-root.cnf b/hs20/server/ca/openssl-root.cnf
index 5b220fe..5bc50be 100644
--- a/hs20/server/ca/openssl-root.cnf
+++ b/hs20/server/ca/openssl-root.cnf
@@ -69,8 +69,8 @@ distinguished_name	= req_distinguished_name
 attributes		= req_attributes
 x509_extensions	= v3_ca	# The extentions to add to the self signed cert
 
-input_password = whatever
-output_password = whatever
+input_password = @PASSWORD@
+output_password = @PASSWORD@
 
 string_mask = utf8only
 
diff --git a/hs20/server/ca/openssl.cnf b/hs20/server/ca/openssl.cnf
index a939f08..e29e737 100644
--- a/hs20/server/ca/openssl.cnf
+++ b/hs20/server/ca/openssl.cnf
@@ -80,8 +80,8 @@ distinguished_name	= req_distinguished_name
 attributes		= req_attributes
 x509_extensions	= v3_ca	# The extentions to add to the self signed cert
 
-input_password = whatever
-output_password = whatever
+input_password = @PASSWORD@
+output_password = @PASSWORD@
 
 string_mask = utf8only
 
diff --git a/hs20/server/ca/setup.sh b/hs20/server/ca/setup.sh
index f61bf73..fcf24ad 100755
--- a/hs20/server/ca/setup.sh
+++ b/hs20/server/ca/setup.sh
@@ -5,6 +5,45 @@ if [ -z "$OPENSSL" ]; then
 fi
 export OPENSSL_CONF=$PWD/openssl.cnf
 PASS=whatever
+CNI="w1.fi Hotspot 2.0 Intermediate CA"
+CNR="Hotspot 2.0 Trust Root CA - 99"
+CNO="ocsp.w1.fi"
+CNV="osu-revoked.w1.fi"
+CNOC="osu-client.w1.fi"
+SERVERNAME="osu.w1.fi"
+DNS=$SERVERNAME
+DEBUG=0
+
+# Command line over-rides
+USAGE=$( cat <<EOF
+Usage:\n
+# -C:  SSL Commonname for Root CA ($CNR)\n
+# -d:  DNS Name ($DNS)\n
+# -D:  Enable debugging (set -x, etc)
+# -I:  SSL Commonname for Intermediate CA ($CNI)\n
+# -o:  SSL Commonname for OSU-Client Server ($CNOC)\n
+# -O:  SSL Commonname for OCSP Server ($CNO)\n
+# -p:  password ($PASS)\n
+# -S:  servername ($SERVERNAME)\n
+# -V:  SSL Commonname for OSU-Revoked Server ($CNV)\n
+EOF
+)
+
+while getopts "C:d:DI:o:O:p:S:V:" flag
+  do
+  case $flag in
+      C) CNR=$OPTARG;;
+      d) DNS=$OPTARG;;
+      D) DEBUG=1;;
+      I) CNI=$OPTARG;;
+      o) CNOC=$OPTARG;;
+      O) CNO=$OPTARG;;
+      p) PASS=$OPTARG;;
+      S) SERVERNAME=$OPTARG;;
+      V) CNV=$OPTARG;;
+      *) echo "Un-known flag: $flag"; echo -e $USAGE;exit 1;;
+  esac
+done
 
 fail()
 {
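Review bot: `DNS=$SERVERNAME` is evaluated before getopts runs, so `-S other.example` alone changes the server certificate's CN while the subjectAltName assembled further down still carries `DNS:osu.w1.fi`, and a client that checks the name against the SAN will reject that certificate. Initialise `DNS=` empty, show `($SERVERNAME)` as its default in the usage text, and after the loop add `[ -n "$DNS" ] || DNS=$SERVERNAME`. The `-D` line of the usage text is also missing the trailing `\n` the other lines have, so it runs into the `-I` line under `echo -e`. Note that `-p` puts the CA password on argv, where it is visible to every local user via `ps` and is echoed by the `set -x` that `-D` enables later; reading it from the environment or a file would avoid both.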
@@ -16,7 +55,33 @@ echo
 echo "---[ Root CA ]----------------------------------------------------------"
 echo
 
-cat openssl-root.cnf | sed "s/#@CN@/commonName_default = Hotspot 2.0 Trust Root CA - 99/" > openssl.cnf.tmp
+if [ $DEBUG == 1 ]
+then
+    set -x
+fi
+
+if [ ! -f openssl-root.cnf.orig ]
+then
+    cp openssl-root.cnf openssl-root.cnf.orig
+else
+    cp openssl-root.cnf.orig openssl-root.cnf
+fi
+
+if [ ! -f openssl.cnf.orig ]
+then
+    cp openssl.cnf openssl.cnf.orig
+else
+    cp openssl.cnf.orig openssl.cnf
+fi
+
+# Set the password accordingly.
+cat openssl-root.cnf | sed "s/@PASSWORD@/$PASS/" > openssl-root.cnf.tmp
+mv openssl-root.cnf.tmp openssl-root.cnf
+cat openssl.cnf | sed "s/@PASSWORD@/$PASS/" > openssl.cnf.tmp
+mv openssl.cnf.tmp openssl.cnf
+
+
+cat openssl-root.cnf | sed "s/#@CN@/commonName_default = $CNR/" > openssl.cnf.tmp
 mkdir -p rootCA/certs rootCA/crl rootCA/newcerts rootCA/private
 touch rootCA/index.txt
 if [ -e rootCA/private/cakey.pem ]; then
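Review bot: `sed "s/@PASSWORD@/$PASS/"` splices the password unescaped into the sed replacement, so a password containing `/` breaks the command and one containing `&` or `\` is silently rewritten into a different value, and `$CNR` and the other CN variables substituted the same way have the same problem. Either escape the value first, `ESC=$(printf '%s' "$PASS" | sed 's/[\/&\\]/\\&/g')`, or drop the templating and let OpenSSL read it from the environment (`input_password = $ENV::PASS` in both .cnf files plus `export PASS`), which also avoids writing the plaintext password into openssl.cnf and openssl-root.cnf in the working tree, where the `.orig` copies keep the template but the live files now carry the secret. `set -x` is switched on just before these lines, so `-D` prints the password to the terminal as well. `[ $DEBUG == 1 ]` is a bash-only form of test; `[ "$DEBUG" -eq 1 ]` works in any sh.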
@@ -35,7 +100,7 @@ echo
 echo "---[ Intermediate CA ]--------------------------------------------------"
 echo
 
-cat openssl.cnf | sed "s/#@CN@/commonName_default = w1.fi Hotspot 2.0 Intermediate CA/" > openssl.cnf.tmp
+cat openssl.cnf | sed "s/#@CN@/commonName_default = $CNI/" > openssl.cnf.tmp
 mkdir -p demoCA/certs demoCA/crl demoCA/newcerts demoCA/private
 touch demoCA/index.txt
 if [ -e demoCA/private/cakey.pem ]; then
@@ -56,7 +121,7 @@ echo
 echo "OCSP responder"
 echo
 
-cat openssl.cnf | sed "s/#@CN@/commonName_default = ocsp.w1.fi/" > openssl.cnf.tmp
+cat openssl.cnf | sed "s/#@CN@/commonName_default = $CNO/" > openssl.cnf.tmp
 $OPENSSL req -config $PWD/openssl.cnf.tmp -batch -new -newkey rsa:2048 -nodes -out ocsp.csr -keyout ocsp.key -extensions v3_OCSP
 $OPENSSL ca -config $PWD/openssl.cnf.tmp -batch -md sha256 -keyfile demoCA/private/cakey.pem -passin pass:$PASS -in ocsp.csr -out ocsp.pem -days 730 -extensions v3_OCSP
 
@@ -64,7 +129,7 @@ echo
 echo "---[ Server - to be revoked ] ------------------------------------------"
 echo
 
-cat openssl.cnf | sed "s/#@CN@/commonName_default = osu-revoked.w1.fi/" > openssl.cnf.tmp
+cat openssl.cnf | sed "s/#@CN@/commonName_default = $CNV/" > openssl.cnf.tmp
 $OPENSSL req -config $PWD/openssl.cnf.tmp -batch -new -newkey rsa:2048 -nodes -out server-revoked.csr -keyout server-revoked.key
 $OPENSSL ca -config $PWD/openssl.cnf.tmp -batch -md sha256 -in server-revoked.csr -out server-revoked.pem -key $PASS -days 730 -extensions ext_server
 $OPENSSL ca -revoke server-revoked.pem -key $PASS
@@ -73,7 +138,7 @@ echo
 echo "---[ Server - with client ext key use ] ---------------------------------"
 echo
 
-cat openssl.cnf | sed "s/#@CN@/commonName_default = osu-client.w1.fi/" > openssl.cnf.tmp
+cat openssl.cnf | sed "s/#@CN@/commonName_default = $CNOC/" > openssl.cnf.tmp
 $OPENSSL req -config $PWD/openssl.cnf.tmp -batch -new -newkey rsa:2048 -nodes -out server-client.csr -keyout server-client.key
 $OPENSSL ca -config $PWD/openssl.cnf.tmp -batch -md sha256 -in server-client.csr -out server-client.pem -key $PASS -days 730 -extensions ext_client
 
@@ -89,12 +154,12 @@ echo
 echo "---[ Server ]-----------------------------------------------------------"
 echo
 
-ALT="DNS:osu.w1.fi"
+ALT="DNS:$DNS"
 ALT="$ALT,otherName:1.3.6.1.4.1.40808.1.1.1;UTF8String:engw1.fi TESTING USE"
 ALT="$ALT,otherName:1.3.6.1.4.1.40808.1.1.1;UTF8String:finw1.fi TESTIK?YTT?"
 
 cat openssl.cnf |
-	sed "s/#@CN@/commonName_default = osu.w1.fi/" |
+	sed "s/#@CN@/commonName_default = $SERVERNAME/" |
 	sed "s/^##organizationalUnitName/organizationalUnitName/" |
 	sed "s/#@OU@/organizationalUnitName_default = Hotspot 2.0 Online Sign Up Server/" |
 	sed "s/#@ALTNAME@/subjectAltName=critical,$ALT/" \
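Review bot: `ALT="DNS:$DNS"` takes the `-d` value unvalidated and it is later spliced into the `subjectAltName=` sed replacement, so a value containing `,` injects extra SAN entries into the server certificate and one containing `/` or `&` breaks or alters the substitution. A simple guard after option parsing would do, e.g. `case $DNS in *[,/\&]*) fail "invalid -d value: $DNS";; esac`, using the script's existing `fail` helper. The `cat openssl.cnf |` pipeline continues past the end of the hunk.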
-- 
1.9.3



