blob: f44976468ed8a730ddb898c19facdec24eb7030f (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
|
#!/bin/sh
set -ue
PATH="/usr/bin:/bin"
export PATH
BASEDIR="$(dirname -- "$0")"
OU="InterIMAP test suite"
cd "$BASEDIR"
OPENSSL_CONF="./openssl.cnf"
export OPENSSL_CONF
cadir="$(mktemp --tmpdir --directory)"
trap 'rm -rf -- "$cadir"' EXIT INT TERM
genpkey() {
local key="$1"
shift
openssl genpkey -out "$key" "$@" 2>&1
}
# generate CA (we intentionally throw away the private key and serial
# file to avoid reuse)
genpkey "$cadir/ca.key" -algorithm RSA
openssl req -new -x509 -rand /dev/urandom \
-subj "/OU=$OU/CN=Fake Root CA" \
-addext subjectKeyIdentifier="hash" \
-addext authorityKeyIdentifier="keyid:always,issuer" \
-addext basicConstraints="critical,CA:TRUE" \
-key "$cadir/ca.key" -out ./ca.crt
SERIAL=1
new() {
local key="$1" cn="$2"
openssl req -new -rand /dev/urandom -key "$key" \
-subj "/OU=$OU/CN=$cn" ${3+-addext subjectAltName="$3"} \
-out "$cadir/new.csr"
cat >"$cadir/new-ext.cnf" <<-EOF
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = critical, serverAuth
EOF
if [ -n "${3+x}" ]; then
printf "subjectAltName = %s\\n" "$3" >>"$cadir/new-ext.cnf"
fi
openssl x509 -req -in "$cadir/new.csr" -CA ./ca.crt -CAkey "$cadir/ca.key" \
-CAserial "$cadir/ca.srl" -CAcreateserial -extfile "$cadir/new-ext.cnf" 2>&1
}
genpkey ./dovecot.rsa.key -algorithm RSA
new ./dovecot.rsa.key "localhost" "DNS:localhost,DNS:ip6-localhost,IP:127.0.0.1,IP:::1" >./dovecot.rsa.crt
genpkey ./dovecot.ecdsa.key -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -pkeyopt ec_param_enc:named_curve
new ./dovecot.ecdsa.key "localhost" >./dovecot.ecdsa.crt
genpkey ./dovecot.rsa2.key -algorithm RSA
new ./dovecot.rsa2.key "imap.example.net" "DNS:imap.example.net,DNS:localhost" >./dovecot.rsa2.crt
|