#
# Copyright (c) 2009, Oracle and/or its affiliates. All rights reserved.
# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
#
# This code is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License version 2 only, as
# published by the Free Software Foundation.  Oracle designates this
# particular file as subject to the "Classpath" exception as provided
# by Oracle in the LICENSE file that accompanied this code.
#
# This code is distributed in the hope that it will be useful, but WITHOUT
# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
# FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
# version 2 for more details (a copy is included in the LICENSE file that
# accompanied this code).
#
# You should have received a copy of the GNU General Public License version
# 2 along with this work; if not, write to the Free Software Foundation,
# Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
#
# Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
# or visit www.oracle.com if you need additional information or have any
# questions.
#

#!/bin/ksh
#
# needs ksh to run the script.
set -e

OPENSSL=openssl

# generate a self-signed root certificate
if [ ! -f root/finished ]; then
    if [ ! -d root ]; then
        mkdir root
    fi

    # SHA1withRSA 1024
    ${OPENSSL} req -x509 -newkey rsa:1024 -keyout root/root_key_1024.pem \
        -out root/root_cert_sha1_1024.pem -subj "/C=US/O=Example" \
        -config openssl.cnf -reqexts cert_issuer -days 7650 -sha1 \
        -passin pass:passphrase -passout pass:passphrase

    # SHA1withRSA 512
    ${OPENSSL} req -x509 -newkey rsa:512 -keyout root/root_key_512.pem \
        -out root/root_cert_sha1_512.pem -subj "/C=US/O=Example" \
        -config openssl.cnf -reqexts cert_issuer -days 7650 -sha1 \
        -passin pass:passphrase -passout pass:passphrase

    # MD2withRSA 2048
    ${OPENSSL} req -x509 -newkey rsa:2048 -keyout root/root_key_2048.pem \
        -out root/root_cert_md2_2048.pem -subj "/C=US/O=Example" \
        -config openssl.cnf -reqexts cert_issuer -days 7650 -md2 \
        -passin pass:passphrase -passout pass:passphrase

    openssl req -newkey rsa:1024 -keyout root/root_crlissuer_key.pem \
        -out root/root_crlissuer_req.pem -subj "/C=US/O=Example" -days 7650 \
        -passin pass:passphrase -passout pass:passphrase

    openssl x509 -req -in root/root_crlissuer_req.pem -extfile openssl.cnf \
        -extensions crl_issuer -CA root/root_cert_sha1_1024.pem \
        -CAkey root/root_key_1024.pem -out root/root_crlissuer_cert.pem \
        -CAcreateserial -CAserial root/root_cert.srl -days 7200 \
        -passin pass:passphrase

    touch root/finished
fi


# generate subca cert issuer
if [ ! -f subca/finished ]; then
    if [ ! -d subca ]; then
        mkdir subca
    fi

    # RSA 1024
    ${OPENSSL} req -newkey rsa:1024 -keyout subca/subca_key_1024.pem \
        -out subca/subca_req_1024.pem -subj "/C=US/O=Example/OU=Class-1" \
        -days 7650 -passin pass:passphrase -passout pass:passphrase

    # RSA 512
    ${OPENSSL} req -newkey rsa:512 -keyout subca/subca_key_512.pem \
        -out subca/subca_req_512.pem -subj "/C=US/O=Example/OU=Class-1" \
        -days 7650 -passin pass:passphrase -passout pass:passphrase

    # SHA1withRSA 1024 signed with RSA 1024
    ${OPENSSL} x509 -req -in subca/subca_req_1024.pem -extfile openssl.cnf \
        -extensions cert_issuer -CA root/root_cert_sha1_1024.pem \
        -CAkey root/root_key_1024.pem -out subca/subca_cert_sha1_1024_1024.pem \
        -CAcreateserial -sha1 \
        -CAserial root/root_cert.srl -days 7200 -passin pass:passphrase

    # SHA1withRSA 1024 signed with RSA 512
    ${OPENSSL} x509 -req -in subca/subca_req_1024.pem -extfile openssl.cnf \
        -extensions cert_issuer -CA root/root_cert_sha1_512.pem \
        -CAkey root/root_key_512.pem -out subca/subca_cert_sha1_1024_512.pem \
        -CAcreateserial -sha1 \
        -CAserial root/root_cert.srl -days 7200 -passin pass:passphrase

    # SHA1withRSA 512 signed with RSA 1024
    ${OPENSSL} x509 -req -in subca/subca_req_512.pem -extfile openssl.cnf \
        -extensions cert_issuer -CA root/root_cert_sha1_1024.pem \
        -CAkey root/root_key_1024.pem -out subca/subca_cert_sha1_512_1024.pem \
        -CAcreateserial -sha1 \
        -CAserial root/root_cert.srl -days 7200 -passin pass:passphrase

    # SHA1withRSA 512 signed with RSA 512
    ${OPENSSL} x509 -req -in subca/subca_req_512.pem -extfile openssl.cnf \
        -extensions cert_issuer -CA root/root_cert_sha1_512.pem \
        -CAkey root/root_key_512.pem -out subca/subca_cert_sha1_512_512.pem \
        -CAcreateserial -sha1 \
        -CAserial root/root_cert.srl -days 7200 -passin pass:passphrase

    # MD2withRSA 1024 signed with RSA 1024
    ${OPENSSL} x509 -req -in subca/subca_req_1024.pem -extfile openssl.cnf \
        -extensions cert_issuer -CA root/root_cert_sha1_1024.pem \
        -CAkey root/root_key_1024.pem -out subca/subca_cert_md2_1024_1024.pem \
        -CAcreateserial -md2 \
        -CAserial root/root_cert.srl -days 7200 -passin pass:passphrase

    # MD2withRSA 1024 signed with RSA 512
    ${OPENSSL} x509 -req -in subca/subca_req_1024.pem -extfile openssl.cnf \
        -extensions cert_issuer -CA root/root_cert_sha1_512.pem \
        -CAkey root/root_key_512.pem -out subca/subca_cert_md2_1024_512.pem \
        -CAcreateserial -md2 \
        -CAserial root/root_cert.srl -days 7200 -passin pass:passphrase

    openssl req -newkey rsa:1024 -keyout subca/subca_crlissuer_key.pem \
        -out subca/subca_crlissuer_req.pem -subj "/C=US/O=Example/OU=Class-1" \
        -days 7650 -passin pass:passphrase -passout pass:passphrase

    openssl x509 -req -in subca/subca_crlissuer_req.pem -extfile openssl.cnf \
        -extensions crl_issuer -CA root/root_cert_sha1_1024.pem \
        -CAkey root/root_key_1024.pem -out subca/subca_crlissuer_cert.pem \
        -CAcreateserial -CAserial root/root_cert.srl -days 7200 \
        -passin pass:passphrase

    touch subca/finished
fi


# generate certifiacte for Alice
if [ ! -f subca/alice/finished ]; then
    if [ ! -d subca/alice ]; then
        mkdir -p subca/alice
    fi

    # RSA 1024
    ${OPENSSL} req -newkey rsa:1024 -keyout subca/alice/alice_key_1024.pem \
        -out subca/alice/alice_req_1024.pem \
        -subj "/C=US/O=Example/OU=Class-1/CN=Alice" -days 7650 \
        -passin pass:passphrase -passout pass:passphrase

    # RSA 512
    ${OPENSSL} req -newkey rsa:512 -keyout subca/alice/alice_key_512.pem \
        -out subca/alice/alice_req_512.pem \
        -subj "/C=US/O=Example/OU=Class-1/CN=Alice" -days 7650 \
        -passin pass:passphrase -passout pass:passphrase

    # SHA1withRSA 1024 signed with RSA 1024
    ${OPENSSL} x509 -req -in subca/alice/alice_req_1024.pem \
        -extfile openssl.cnf -extensions ee_of_subca \
        -CA subca/subca_cert_sha1_1024_1024.pem \
        -CAkey subca/subca_key_1024.pem \
        -out subca/alice/alice_cert_sha1_1024_1024.pem -CAcreateserial -sha1 \
        -CAserial subca/subca_cert.srl -days 7200 -passin pass:passphrase

    # SHA1withRSA 1024 signed with RSA 512
    ${OPENSSL} x509 -req -in subca/alice/alice_req_1024.pem \
        -extfile openssl.cnf -extensions ee_of_subca \
        -CA subca/subca_cert_sha1_512_1024.pem \
        -CAkey subca/subca_key_512.pem \
        -out subca/alice/alice_cert_sha1_1024_512.pem -CAcreateserial -sha1 \
        -CAserial subca/subca_cert.srl -days 7200 -passin pass:passphrase

    # SHA1withRSA 512 signed with RSA 1024
    ${OPENSSL} x509 -req -in subca/alice/alice_req_512.pem \
        -extfile openssl.cnf -extensions ee_of_subca \
        -CA subca/subca_cert_sha1_1024_1024.pem \
        -CAkey subca/subca_key_1024.pem \
        -out subca/alice/alice_cert_sha1_512_1024.pem -CAcreateserial -sha1 \
        -CAserial subca/subca_cert.srl -days 7200 -passin pass:passphrase

    # SHA1withRSA 512 signed with RSA 512
    ${OPENSSL} x509 -req -in subca/alice/alice_req_512.pem \
        -extfile openssl.cnf -extensions ee_of_subca \
        -CA subca/subca_cert_sha1_512_1024.pem \
        -CAkey subca/subca_key_512.pem \
        -out subca/alice/alice_cert_sha1_512_512.pem -CAcreateserial -sha1 \
        -CAserial subca/subca_cert.srl -days 7200 -passin pass:passphrase

    # MD2withRSA 1024 signed with RSA 1024
    ${OPENSSL} x509 -req -in subca/alice/alice_req_1024.pem \
        -extfile openssl.cnf -extensions ee_of_subca \
        -CA subca/subca_cert_sha1_1024_1024.pem \
        -CAkey subca/subca_key_1024.pem \
        -out subca/alice/alice_cert_md2_1024_1024.pem -CAcreateserial -md2 \
        -CAserial subca/subca_cert.srl -days 7200 -passin pass:passphrase

    # MD2withRSA 1024 signed with RSA 512
    ${OPENSSL} x509 -req -in subca/alice/alice_req_1024.pem \
        -extfile openssl.cnf -extensions ee_of_subca \
        -CA subca/subca_cert_sha1_512_1024.pem \
        -CAkey subca/subca_key_512.pem \
        -out subca/alice/alice_cert_md2_1024_512.pem -CAcreateserial -md2 \
        -CAserial subca/subca_cert.srl -days 7200 -passin pass:passphrase

    touch subca/alice/finished
fi

if [ ! -f root/revoked ]; then
    if [ ! -d root ]; then
        mkdir root
    fi

    if [ ! -f root/index.txt ]; then
        touch root/index.txt
        echo 00 > root/crlnumber
    fi

    openssl ca -gencrl -config openssl.cnf -name ca_top -crldays 7000 -md sha1 \
        -crl_reason superseded -keyfile root/root_crlissuer_key.pem \
        -cert root/root_crlissuer_cert.pem -out root/top_crl.pem \
        -passin pass:passphrase

    touch root/revoked
fi

if [ ! -f subca/revoked ]; then
    if [ ! -d subca ]; then
        mkdir subca
    fi

    if [ ! -f subca/index.txt ]; then
        touch subca/index.txt
        echo 00 > subca/crlnumber
    fi

    # revoke alice's SHA1withRSA 1024 signed with RSA 1024
    openssl ca -revoke subca/alice/alice_cert_sha1_1024_1024.pem \
        -config openssl.cnf \
        -name ca_subca -crl_reason superseded \
        -keyfile subca/subca_crlissuer_key.pem \
        -cert subca/subca_crlissuer_cert.pem -passin pass:passphrase

    openssl ca -gencrl -config openssl.cnf \
        -name ca_subca -crldays 7000 -md md2 \
        -crl_reason superseded -keyfile subca/subca_crlissuer_key.pem \
        -cert subca/subca_crlissuer_cert.pem \
        -out subca/subca_crl.pem \
        -passin pass:passphrase

    touch subca/revoked
fi