#!/bin/sh

# Generate certs for testing OCSP against OpenSSL implementation
#
# There are two CAs:
#   ca1 signs a responder cert which signs responses
#   ca2 signs responses with its ca cert

# Trash existing data
rm -rf ca1 ca2 certs tmp
mkdir ca1 ca2 certs tmp 

# ca1 ##########################################################################

# RSA keys, CA signed responder cert signed responses

# Create ca files
touch ca1/index.txt
echo "01" > ca1/serial
mkdir ca1/private
mkdir ca1/certs

# Generate root cert
openssl req -x509 -newkey rsa:1024 -keyout ca1/private/cakey.pem -out ca1/cacert.pem -subj "/O=Symbian/CN=CA Root Cert" -days 3650 -nodes 
openssl x509 -in ca1/cacert.pem -outform DER -out certs/ca1-root.der

# Generate ocsp responder cert 
openssl req -newkey rsa:1024 -keyout ca1/private/reskey.pem -out tmp/req.pem -subj "/O=Symbian/CN=CA OCSP Responder" -days 3650 -nodes
openssl ca -config openssl.config -name ca1 -in tmp/req.pem -batch -days 3650
openssl x509 -in ca1/certs/01.pem -outform DER -out certs/ca1-responder.der

# Generate entity cert 1
openssl req -newkey rsa:1024 -keyout tmp/key.pem -out tmp/req.pem -subj "/O=Symbian/CN=Entity Cert 1 (Good)" -days 3650 -nodes
openssl ca -config openssl.config -name ca1 -in tmp/req.pem -batch -days 3650
openssl x509 -in ca1/certs/02.pem -outform DER -out certs/ca1-entity1.der

# Generate entity cert 2 and revoke it
openssl req -newkey rsa:1024 -keyout tmp/key.pem -out tmp/req.pem -subj "/O=Symbian/CN=Entity Cert 2 (Revoked)" -days 3650 -nodes
openssl ca -config openssl.config -name ca1 -in tmp/req.pem -batch -days 3650
openssl x509 -in ca1/certs/03.pem -outform DER -out certs/ca1-entity2.der
openssl ca -config openssl.config -name ca1 -revoke ca1/certs/03.pem -crl_reason keyCompromise

# Generate entity cert 3 and then remove it from the ca
openssl req -newkey rsa:1024 -keyout tmp/key.pem -out tmp/req.pem -subj "/O=Symbian/CN=Entity Cert 3 (Unknown)" -days 3650 -nodes
openssl ca -config openssl.config -name ca1 -in tmp/req.pem -batch -days 3650
openssl x509 -in ca1/certs/04.pem -outform DER -out certs/ca1-entity3.der
mv ca1/index.txt tmp
head -3 tmp/index.txt > ca1/index.txt
rm ca1/certs/04.pem

# ca2 ##########################################################################

# DSA keys, CA cert signs responses

# Create ca files
touch ca2/index.txt
echo "01" > ca2/serial
mkdir ca2/private
mkdir ca2/certs

# Generate root cert
openssl req -x509 -newkey rsa:1024 -keyout ca2/private/cakey.pem -out ca2/cacert.pem -subj "/O=Symbian/CN=CA Root Cert" -days 3650 -nodes 
openssl x509 -in ca2/cacert.pem -outform DER -out certs/ca2-root.der

# Generate entity cert 1
openssl req -newkey rsa:1024 -keyout tmp/key.pem -out tmp/req.pem -subj "/O=Symbian/CN=Entity Cert 1 (Good)" -days 3650 -nodes
openssl ca -config openssl.config -name ca2 -in tmp/req.pem -batch -days 3650
openssl x509 -in ca2/certs/01.pem -outform DER -out certs/ca2-entity1.der

# Generate entity cert 2 and revoke it
openssl req -newkey rsa:1024 -keyout tmp/key.pem -out tmp/req.pem -subj "/O=Symbian/CN=Entity Cert 2 (Revoked)" -days 3650 -nodes
openssl ca -config openssl.config -name ca2 -in tmp/req.pem -batch -days 3650
openssl x509 -in ca2/certs/02.pem -outform DER -out certs/ca2-entity2.der
openssl ca -config openssl.config -name ca2 -revoke ca2/certs/02.pem -crl_reason keyCompromise

# Generate entity cert 3 and then remove it from the ca
openssl req -newkey rsa:1024 -keyout tmp/key.pem -out tmp/req.pem -subj "/O=Symbian/CN=Entity Cert 3 (Unknown)" -days 3650 -nodes
openssl ca -config openssl.config -name ca2 -in tmp/req.pem -batch -days 3650
openssl x509 -in ca2/certs/03.pem -outform DER -out certs/ca2-entity3.der
mv ca2/index.txt tmp
head -2 tmp/index.txt > ca2/index.txt
rm ca2/certs/03.pem

# To use DSA instead of RSA, first generate DSA parameters:
#   openssl dsaparam -out tmp/dsaparam.pem 1024
# And use this in the newkey options
#   openssl req -x509 -newkey dsa:tmp/dsaparam.pem ...

# Tidy
rm -rf tmp