RestructurisationHEADmaster

1 files changed, 355 insertions, 0 deletions

diff --git a/ca_maker_erg.sh b/ca_maker_erg.sh
new file mode 100755
index 0000000..db53278
--- /dev/null
+++ b/ca_maker_erg.sh
@@ -0,0 +1,355 @@
+#!/bin/bash
+usage() {
+   echo "Script name: $0";
+   echo "";
+   echo "Usage: $0 --key-type [ RSA | EC | EX25519 ]";
+   echo "                      --curve [ P-256 | P-384 | P512 ]";
+   echo "                      --rsa-bits [ 2048 | 4096 ]";
+   echo "                      --days <n>";
+   echo "";
+   echo "Options: ";
+   echo "      --key-type [ RSA | EC | EC25519 ]";
+   echo "          Note: Pico W can use EC or RSA keys only, not EC25519,";
+   echo "                and Tasmota can only use 2048 bit RSA keys.";
+   echo "      --curve [ P-256 | P-384 | P512 ]";
+   echo "      --rsa-bits [ 2048 | 4096 ]";
+   echo "      --days [ <integer> ]";
+   echo "      --dir [ <mosquitto directory> ]";
+   echo "      --output-format [ PEM | DER ]";
+   echo "      --server_only [ True | False ]";
+   echo "      --subjectAltName <subjectAltName>";
+   echo "       Example subjectAltName: DNS.1:example.com,DNS.2:192.168.1.167,IP.1:192.168.1.167'";
+}
+
+# This creates a very slimline CA and Server cert with a full SAN multihost server.
+# The Mosquitto server requires keys and certs in PEM format, but it also exports
+# the CA Cert in DER for use in clients such as the Pico W
+TEMP="$(getopt -o h --long help,key-type:,curve:,rsa-bits:,ca_valid_for:,days:,dir:,output-format:,server_only:,subjectAltName: -- "$@")"
+
+eval set -- "$TEMP"
+
+if [ $# == 0 ] ; then
+    usage;
+    exit 1;
+fi
+
+mosquitto_dir="/home/erg/cert_test_1"
+key_type='EC'
+curve='P-256'
+rsa_bits='2048'
+# Choice to encrypt the CA Key or not? either BLANK or cypher (preferably aes-256-cbc)
+encryption=''
+# encryption='-aes-256-cbc'
+output_format='der'
+# Multiple DNS names and IP Addresses. Note mbedtls can't currently use data from IP fields,
+# but can read an IP from a DNS field, to the same effect.
+# Use as many unique names as you need, in the format DNS.1, DNS.2, DNS.3, IP.1, IP.2 etc.
+# subjectAltName='DNS.1:server_name,DNS.2:server_name.example.com,DNS.3:192.168.1.1,IP.1:192.168.1.1'
+subjectAltName='DNS.1:example.com,DNS.2:192.168.0.167,IP.1:192.168.0.167'
+ca_valid_for=3650
+certs_valid_for=365
+server_only="True"
+
+while true
+do
+  case "$1" in
+    -h|--help)
+        usage
+        exit 0;
+        ;;
+        # Note: Pico W can use EC or RSA keys only, not EC25519, and Tasmota can only use 2048 bit RSA keys.
+        # Default choice of Key Types: RSA || EC || ED25519
+    --key-type) key_type="$2"; shift 2;;
+        # Choice of NIST Curves for EC Keys: P-256 || P-384 || P-521
+    --curve) curve="$2"; shift 2;;
+        # Choice of Bits for RSA Keys: 2048 || 4096
+    --rsa-bits) rsa_bits="$2"; shift 2;;
+        # How many days is the CA Cert valid for:
+    --ca_valid_for) ca_valid_for="$2"; shift;;
+        # How many days is the Cert valid for:
+    --days) certs_valid_for="$2"; shift 2;;
+        # Mosquitto directory:
+    --dir) mosquitto_dir="$2"; shift 2;;
+        # Output format: PEM ||  DER
+    --output-format) output_format="$2"; shift 2;;
+        # Only generate server certificate and key, not the CA. Defaults to True.
+    --server_only) server_only="$2";shift 2;;
+    --subjectAltName) subjectAltName="$2";shift 2;;
+    -- ) shift; break;;
+    * ) break;;
+  esac
+done
+
+echo "subjectAltName you specified: $subjectAltName"
+
+if [ "$server_only" == "True" ] || [ "$server_only" == "true" ]|| [ "$server_only" == "Yes" ] || [ "$server_only" == 'yes' ]; then
+    server_only='True'
+else
+    server_only='False'
+fi
+
+# Mosquitto subdirectories:
+mosquitto_dir_ca="${mosquitto_dir}/certs/CA"
+mosquitto_dir_server="${mosquitto_dir}/certs/server"
+mosquitto_dir_csr="${mosquitto_dir}/certs/csr_files"
+ssl_ca_crt="${mosquitto_dir_ca}/ca_crt.${output_format}"
+ssl_ca_key="${mosquitto_dir_ca}/ca_key.${output_format}"
+
+# NOTE: If you need to create one or more client Keys and Certs in either PEM or DER format,
+# you can call the 'client_maker' script one or more times at the bottom of this script, so
+# just scroll right to the end to add the details. You can call 'client_maker' independantly
+# whenever you need more clients.
+
+#############################################################
+#                   Check passed option values sane         #
+#############################################################
+echo "Checking if CA dir exists: $mosquitto_dir_ca ..."
+if [ ! -d $mosquitto_dir_ca ];then
+    echo "Certificate authority folder does not exist, exiting"
+    exit 1
+fi
+
+# Check CA key and cert exist:
+echo "Checking CA key and cert exist: ..."
+if [ ! -f ${ssl_ca_crt} ]; then # I: Double quote to prevent globbing and word splitting.
+    echo "CA certificate does not exist, exiting!"
+    exit 1
+fi
+if [ ! -f "${mosquitto_dir_ca}/ca_key.pem" ] && [ ! -f "${mosquitto_dir_ca}/ca_key.der" ]; then
+    echo "CA key does not exist, exiting!"
+    exit 1
+fi
+# Check CA certificate is still valid:
+# Date format we get from openssl:
+#  Nov 18 13:47:56 2034 GMT
+#  %b %d  %H:%M:%S %Y %Z
+#  compare dates from the CA cert and current one:
+echo "Checking CA certificate valid ..."
+cert_valid_until=$(openssl x509 -enddate -noout -in "${ssl_ca_crt}" | cut -d'=' -f2)
+echo "CA certificate valid until: ${cert_valid_until}"
+if [ ! $(($(date -d "$cert_valid_until" +"%s") > $(date +"%s"))) ];then
+    echo "CA certificate expired, exiting!"
+    exit 1
+fi
+# Check key type:
+if [ "$key_type" != 'EC' ] && [ "$key_type" != 'RSA' ] && [ "$key_type" != 'EC25519' ]; then
+    echo "Wrong key type specified: '$key_type'"
+    echo "Valid keys: [ EC | RSA | EC25519 ]"
+    usage
+    exit 1;
+fi
+
+# Check curve:
+if [ "$curve" != 'P-256' ] && [ "$curve" != 'P-384' ] && [ "$curve" != 'P-521' ]; then
+    echo "Wrong NIST curve specified: '$curve'"
+    echo "Curve must be one of: [ P-256 | P-384 | P-521 ]"
+    usage
+    exit 1;
+fi
+
+# Check RSA bits:
+if [ "$rsa_bits" != '2048' ] && [ "$rsa_bits" != '4096' ]; then
+    echo "Wrong RSA bits specified: '$rsa_bits'"
+    echo "Must be one of: [ 2048 | 4096 ]"
+    usage
+    exit 1;
+fi
+
+# Check days parameter is a number:
+if [ -n "$certs_valid_for" ] && [ "$certs_valid_for" -eq "$certs_valid_for" ] 2>/dev/null; then
+  echo "Certificate will be valid for: '$certs_valid_for' days"
+else
+  echo "Not a number: $certs_valid_for"
+  usage
+  exit 1;
+fi
+
+# Check output format:
+if [ ${output_format} == 'PEM' ] || [ ${output_format} == 'pem' ]; then # I: Double quote to prevent globbing and word splitting.
+  output_format="pem"
+elif [ $output_format == 'DER' ] || [ $output_format == 'der' ]; then # I: Double quote to prevent globbing and word splitting.
+  output_format="der"
+else echo "Incorrect certificate format type specified: '$output_format'";
+    usage
+    exit 1;
+fi
+
+
+############################################################
+#   End of user defined variables
+############################################################
+
+
+# Set the algorithm
+algorithm="-algorithm ${key_type}"
+
+# Set the specific pkeyopt for the chosen algorithm (BLANK for ED25519)
+if [ "${key_type}" == "EC" ]; then
+  echo 'Creating EC Key ...'
+  pkeyopt="-pkeyopt ec_paramgen_curve:${curve}"
+elif [ "${key_type}" == "RSA" ]; then
+  echo 'Creating RSA Key ...'
+  pkeyopt="-pkeyopt rsa_keygen_bits:${rsa_bits}"
+elif [ "${key_type}" == "ED25519" ]; then
+  echo 'Creating ED25519 Key'
+  pkeyopt=""
+else
+  echo 'Key Type not found!'
+  exit 1
+fi
+
+############################################################
+#   Backup existing certs and create dir structure
+############################################################
+
+# if certs dir already exists, rename it so we don't overwrite anything important
+# but if it doesn't, then redirect the 'No such file or directory' error to null
+time_stamp=$(date +"%Y-%m-%d_%H-%M")
+if [ ! -d "${mosquitto_dir_ca}" ]; then
+    mkdir -p "${mosquitto_dir_ca}-${time_stamp}" 2>/dev/null
+else
+    cp "${mosquitto_dir_ca}" "${mosquitto_dir_ca}-${time_stamp}" 2>/dev/null
+fi
+
+if [ ! -d "${mosquitto_dir_server}" ]; then
+    mkdir -p "${mosquitto_dir_server}-${time_stamp}" 2>/dev/null
+else
+    cp "${mosquitto_dir_server}" "${mosquitto_dir_server}-$time_stamp" 2>/dev/null
+fi
+
+# create a sensible directory structure to store everything if not exists:
+mkdir -p "${mosquitto_dir}"/certs/{DH,CA,server,clients,csr_files}
+
+
+###########################################################
+# dhparamfile Creation
+###########################################################
+
+# Output DH parameters for safe prime group ffdhe2048
+if [ "$server_only" == "True" ]; then
+openssl genpkey \
+    -genparam \
+    -algorithm DH \
+    -pkeyopt group:ffdhe2048 \
+    -out "$mosquitto_dir/certs/DH/dhp_ffdhe2048.pem"
+fi
+
+###########################################################
+# CA Creation
+###########################################################
+
+if [ "${server_only}" == 'True' ]; then
+openssl genpkey \
+    $algorithm $pkeyopt \
+    -outform pem \
+    -out "$mosquitto_dir_ca/ca_key.pem" "$encryption"
+fi
+
+
+# Self sign the CA cert
+
+if [ "${server_only}" == 'True' ]; then
+openssl req \
+    -x509 \
+    -new \
+    -key "$mosquitto_dir_ca/ca_key.pem" \
+    -days $ca_valid_for\
+    -subj '/CN=MQTT CA' \
+    -outform pem \
+    -out "$mosquitto_dir_ca/ca_crt.pem"
+fi
+
+###########################################################
+# Server Creation
+###########################################################
+
+# Create the Key
+openssl genpkey \
+    $algorithm $pkeyopt \
+    -outform pem \
+    -out "$mosquitto_dir_server/server_key.pem"
+
+# Create the certificate signing request (CSR)
+openssl req \
+    -new \
+    -subj "/CN=MQTT Server" \
+    -addext "subjectAltName = ${subjectAltName}" \
+    -nodes \
+    -key "$mosquitto_dir_server/server_key.pem" \
+    -out "$mosquitto_dir_server/server_req.csr"
+
+# Sign and authenticate it with the CA
+# We use copy_extensions to include the subjectAltNames from the CSR in the Server Cert
+echo "Sign and authenticate CSR with the CA ..."
+openssl x509 \
+    -req \
+    -in "$mosquitto_dir_server/server_req.csr" \
+    -copy_extensions copy \
+    -CA "${mosquitto_dir_ca}/ca_crt.pem" \
+    -CAkey "${mosquitto_dir_ca}/ca_key.pem" \
+    -CAcreateserial \
+    -days "${certs_valid_for}" \
+    -outform pem \
+    -out "$mosquitto_dir_server/server_crt.pem"
+
+
+###########################################################
+# Key and Cert Checking
+###########################################################
+
+# Examine the key to check that it looks OK
+openssl pkey \
+    -in "$mosquitto_dir_server/server_key.pem" \
+    -text \
+    -noout
+
+# Examine the CSR
+openssl req \
+    -in "$mosquitto_dir_server/server_req.csr" \
+    -noout \
+    -text
+
+# Validate the CA certificate
+openssl x509 \
+    -in "$mosquitto_dir_server/server_crt.pem" \
+    -text \
+    -noout
+
+#clean up after the server cert creation
+mv "$mosquitto_dir_server/server_req.csr" "$mosquitto_dir_csr"
+
+###########################################################
+# Key Export and Read Permissions fix
+###########################################################
+
+#We need to export a copy of our CA Certificate in DER format for micropython.
+openssl x509 \
+    -in "$mosquitto_dir_ca/ca_crt.pem" \
+    -out "$mosquitto_dir_ca/ca_crt.der" \
+    -outform "$output_format"
+
+# and save a copy of it somewhere useful
+cp \
+    "$mosquitto_dir_ca/ca_crt.der" \
+    "$mosquitto_dir/certs/clients"
+
+# but pem based clients need the pem version of it too
+cp \
+   "$mosquitto_dir_ca/ca_crt.pem" \
+   "$mosquitto_dir/certs/clients"
+
+# We also need to give read access to server_key.pem so it can be used by Mosquitto
+chmod 644 "$mosquitto_dir_server/server_key.pem"
+
+
+# move the ca_maker script to certs/CA  and remove its execute permissions
+# to reduce the probability of running it by accident again
+# and overwriting everything in your certs directory
+#mv $mosquitto_dir/ca_maker $mosquitto_dir/certs/CA/ca_maker
+#chmod -x $mosquitto_dir/certs/CA/ca_maker
+
+# auto run the client_maker pem/der username
+# ./client_maker der pico
+#client_maker pem user2
+#client_maker pem user3
+#client_maker der user4