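#!/usr/bin/env bash
###################################
# This phase creates all the certs
# and keys we'll use in a later
# phase, for testing the ca_app
# library.
#
# Everything produced here is test
# fixture material: a throwaway
# local CA plus one device key/cert
# signed by it. Private keys (the
# CA key included) end up under
# CRYPTO_EXPORT_PATH, so treat that
# directory as sensitive.
###################################
# Fail fast: a failed genrsa/req/ca step must not be papered over by
# the next command running against a missing file. The original had
# no error handling at all, so a broken CA step still printed
# "phase complete".
set -euo pipefail
##############
# Set env vars
##############
# Every value can be overridden from the environment; the defaults
# are the original hard-coded test values.
# Domains
LOCAL_DOMAIN="${LOCAL_DOMAIN:-example.net}"
# Base paths
CRYPTO_EXPORT_PATH="${CRYPTO_EXPORT_PATH:-${HOME}/export}"
CRYPTO_DIR="${CRYPTO_DIR:-${HOME}/crypto}"
LOCAL_CA_DIR="${CRYPTO_DIR}/local_ca"
LOCAL_DEV_DIR="${CRYPTO_DIR}/local_dev"
# General device info
DEVICE_SERIAL="${DEVICE_SERIAL:-abc123}"
DEVICE_MODEL="${DEVICE_MODEL:-air-quality-sensor}"
# Building DIDN-IDs for devices
# <serial>.<model>._device.<domain>; used as both the CN and the
# subjectAltName of the device certificate below.
L_DIDN_ID="${DEVICE_SERIAL}.${DEVICE_MODEL}._device.${LOCAL_DOMAIN}"
# Specific file paths
## Local CA (file names follow LOCAL_DOMAIN instead of hard-coding
## example.net, so overriding the domain keeps names consistent)
LOCAL_CA_KEY="${LOCAL_CA_DIR}/ca.${LOCAL_DOMAIN}.key.pem"
LOCAL_CA_CERT="${LOCAL_CA_DIR}/ca.${LOCAL_DOMAIN}.cert.pem"
## Local Dev
LOCAL_DEV_KEY="${LOCAL_DEV_DIR}/${L_DIDN_ID}.key.pem"
LOCAL_DEV_CSR="${LOCAL_DEV_DIR}/${L_DIDN_ID}.csr.pem"
LOCAL_DEV_CERT="${LOCAL_DEV_DIR}/${L_DIDN_ID}.cert.pem"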
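##############
# Install OpenSSL
##############
# No sudo: this assumes it runs as root, as in the container build it
# was lifted from. Abort here instead of letting the openssl steps
# below run against a missing binary. `tree` is kept for parity with
# the original even though this script itself only uses `ls`.
if ! apt-get update; then
  echo "apt-get update failed" >&2
  exit 1
fi
if ! DEBIAN_FRONTEND=noninteractive apt-get install -y openssl tree; then
  echo "apt-get install failed" >&2
  exit 1
fi
command -v openssl >/dev/null || { echo "openssl not on PATH after install" >&2; exit 1; }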
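##############
# Fix OpenSSL
# config for
# CA signing
##############
# An earlier revision tried to sed `subjectAltName = DNS:copy` into the
# stock openssl.cnf's [ usr_cert ] / [ v3_req ] sections. That is not an
# OpenSSL mechanism: the knob that makes `openssl ca` carry extensions
# (e.g. the CSR's subjectAltName) over from the request is
# `copy_extensions = copy` under [ CA_default ]. This script does not
# rely on it; the SAN is supplied explicitly at signing time through
# the san.cnf extension file built further down.
# Dump the stock config into the build log so the sections referenced
# later (usr_cert, v3_req, CA_default) can be inspected.
cat -- /usr/lib/ssl/openssl.cnf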
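##############
# Create dirs
##############
# Paths are quoted so a HOME/CRYPTO_DIR containing whitespace cannot
# split into several mkdir targets. demoCA/ is the working directory
# the stock openssl.cnf's [ CA_default ] (dir = ./demoCA) expects when
# `openssl ca` is run from LOCAL_CA_DIR.
mkdir -p -- \
  "${CRYPTO_EXPORT_PATH}" \
  "${CRYPTO_DIR}" \
  "${LOCAL_CA_DIR}" \
  "${LOCAL_DEV_DIR}" \
  "${LOCAL_CA_DIR}/demoCA/"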
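##############
# Drop dev
# conf files
##############
# san.cnf is the -extfile handed to `openssl ca` below: a copy of the
# stock config plus a [ SAN ] section holding the extensions of the
# device (leaf) certificate.
#
# The original appended the section with echo "...\n...". bash's
# builtin echo does not expand \n without -e, so depending on which
# shell ran this the header and the subjectAltName could land on one
# line and the section would carry no SAN at all. printf writes real
# newlines.
#
# `openssl ca` honours only one -extensions section per run, so the
# leaf extensions the signing step also asked for via usr_cert (the
# stock section's basicConstraints=CA:FALSE and key identifiers) are
# spelled out here; otherwise they never reach the certificate.
cp -- /usr/lib/ssl/openssl.cnf "${LOCAL_CA_DIR}/san.cnf"
printf '%s\n' \
  '' \
  '[ SAN ]' \
  'basicConstraints = CA:FALSE' \
  'subjectKeyIdentifier = hash' \
  'authorityKeyIdentifier = keyid,issuer' \
  "subjectAltName = DNS:${L_DIDN_ID}" \
  >> "${LOCAL_CA_DIR}/san.cnf"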
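##############
# Create local
# CA
##############
# Self-signed root for the test fixture. 7300 days (~20 years) is
# acceptable for a throwaway CA but far too long for anything real.
cd -- "${LOCAL_CA_DIR}" || exit 1
openssl genrsa \
  -out "${LOCAL_CA_KEY}" \
  4096
# Recent OpenSSL already creates private key files 0600; make it
# explicit so an older build or a permissive umask cannot leave the
# CA key readable to other users.
chmod 0600 -- "${LOCAL_CA_KEY}"
openssl req \
  -key "${LOCAL_CA_KEY}" \
  -new \
  -x509 \
  -days 7300 \
  -sha256 \
  -subj "/C=US/ST=CA/O=Example Networks/CN=Example Networks CA" \
  -out "${LOCAL_CA_CERT}"
openssl x509 -noout -text -in "${LOCAL_CA_CERT}"
# Empty certificate database for `openssl ca` (the stock config keeps
# it under ./demoCA, hence the cd above).
touch -- "${LOCAL_CA_DIR}/demoCA/index.txt"
touch -- "${LOCAL_CA_DIR}/demoCA/index.txt.attr"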
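##############
# Create local
# device
##############
cd -- "${LOCAL_CA_DIR}" || exit 1
openssl genrsa \
  -out "${LOCAL_DEV_KEY}" \
  2048
# Explicit 0600 regardless of OpenSSL version / umask.
chmod 0600 -- "${LOCAL_DEV_KEY}"
# CSR: CN and SAN both carry the DIDN-ID. -addext places the SAN in
# the request, but `openssl ca` ignores request extensions unless
# copy_extensions is enabled in its config, so the SAN that actually
# reaches the certificate is the one from san.cnf.
openssl req \
  -key "${LOCAL_DEV_KEY}" \
  -new \
  -sha256 \
  -subj "/C=US/ST=CA/O=Example Networks/CN=${L_DIDN_ID}" \
  -addext "subjectAltName = DNS:${L_DIDN_ID}" \
  -out "${LOCAL_DEV_CSR}"
echo "#################### LOCAL DEV CSR ####################"
openssl req -noout -text -in "${LOCAL_DEV_CSR}"
# Sign with the local CA. `openssl ca` applies a single -extensions
# section (the last one given wins); the original also passed
# usr_cert and v3_req, which were silently discarded. Only SAN is
# requested here so the effective behaviour is visible -- every leaf
# extension has to live in the [ SAN ] section of san.cnf.
openssl ca \
  -batch \
  -notext \
  -md sha256 \
  -days 375 \
  -keyfile "${LOCAL_CA_KEY}" \
  -cert "${LOCAL_CA_CERT}" \
  -outdir "${LOCAL_DEV_DIR}" \
  -create_serial \
  -extfile "${LOCAL_CA_DIR}/san.cnf" \
  -extensions SAN \
  -in "${LOCAL_DEV_CSR}" \
  -out "${LOCAL_DEV_CERT}"
echo "#################### LOCAL DEV CERTIFICATE ####################"
openssl x509 -noout -text -in "${LOCAL_DEV_CERT}"
# Refuse to hand a certificate to the next phase unless it actually
# chains to the CA that was just created.
openssl verify -CAfile "${LOCAL_CA_CERT}" "${LOCAL_DEV_CERT}" \
  || { echo "device certificate does not verify against the local CA" >&2; exit 1; }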
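##############
# Copy files
# for export
##############
# The export directory receives the *private* keys of both the CA and
# the device, not just public material, because the later test phase
# consumes them. Anyone who can read CRYPTO_EXPORT_PATH can therefore
# mint certificates under this CA -- fine for a throwaway fixture,
# never acceptable for a CA that is trusted anywhere.
for f in \
  "${LOCAL_CA_KEY}" \
  "${LOCAL_CA_CERT}" \
  "${LOCAL_DEV_KEY}" \
  "${LOCAL_DEV_CSR}" \
  "${LOCAL_DEV_CERT}"; do
  cp -- "${f}" "${CRYPTO_EXPORT_PATH}/"
done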
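##############
# Print results
##############
# Quoted/`--` so an unusual export path cannot be split or parsed as
# an option by ls.
echo "######## RESULTING FILES ##########"
ls -lah -- "${CRYPTO_EXPORT_PATH}"
echo "Crypto builder phase complete!"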