#!/bin/sh set -ue PATH="/usr/bin:/bin" export PATH BASEDIR="$(dirname -- "$0")" OU="InterIMAP test suite" cd "$BASEDIR" OPENSSL_CONF="./openssl.cnf" export OPENSSL_CONF cadir="$(mktemp --tmpdir --directory)" trap 'rm -rf -- "$cadir"' EXIT INT TERM genpkey() { local key="$1" shift openssl genpkey -out "$key" "$@" 2>&1 } # generate CA (we intentionally throw away the private key and serial # file to avoid reuse) genpkey "$cadir/ca.key" -algorithm RSA openssl req -new -x509 -rand /dev/urandom \ -subj "/OU=$OU/CN=Fake Root CA" \ -addext subjectKeyIdentifier="hash" \ -addext authorityKeyIdentifier="keyid:always,issuer" \ -addext basicConstraints="critical,CA:TRUE" \ -key "$cadir/ca.key" -out ./ca.crt SERIAL=1 new() { local key="$1" cn="$2" openssl req -new -rand /dev/urandom -key "$key" \ -subj "/OU=$OU/CN=$cn" ${3+-addext subjectAltName="$3"} \ -out "$cadir/new.csr" cat >"$cadir/new-ext.cnf" <<-EOF basicConstraints = critical, CA:FALSE keyUsage = critical, digitalSignature, keyEncipherment extendedKeyUsage = critical, serverAuth EOF if [ -n "${3+x}" ]; then printf "subjectAltName = %s\\n" "$3" >>"$cadir/new-ext.cnf" fi openssl x509 -req -in "$cadir/new.csr" -CA ./ca.crt -CAkey "$cadir/ca.key" \ -CAserial "$cadir/ca.srl" -CAcreateserial -extfile "$cadir/new-ext.cnf" 2>&1 } genpkey ./dovecot.rsa.key -algorithm RSA new ./dovecot.rsa.key "localhost" "DNS:localhost,DNS:ip6-localhost,IP:127.0.0.1,IP:::1" >./dovecot.rsa.crt genpkey ./dovecot.ecdsa.key -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -pkeyopt ec_param_enc:named_curve new ./dovecot.ecdsa.key "localhost" >./dovecot.ecdsa.crt genpkey ./dovecot.rsa2.key -algorithm RSA new ./dovecot.rsa2.key "imap.example.net" "DNS:imap.example.net,DNS:localhost" >./dovecot.rsa2.crt