1 files changed, 100 insertions, 0 deletions

diff --git a/create_codesign_ca.sh b/create_codesign_ca.sh
new file mode 100755
index 0000000..2483ad0
--- /dev/null
+++ b/create_codesign_ca.sh
@@ -0,0 +1,100 @@
+#!/usr/bin/env sh
+
+set -e
+set -x
+
+COPT='-algorithm EC  -pkeyopt ec_paramgen_curve:secp384r1 -pkeyopt ec_param_enc:named_curve'
+MYDIR="$(dirname "${0}")"
+
+readonly BASE="${1:-ddk}"
+readonly REVI=1
+readonly PRFX="${BASE}-"
+readonly ROOT="${PRFX}ca"
+readonly CODE="${PRFX}code"
+
+cd "${MYDIR}"
+
+# PKCS #8 private key, encrypted, PEM format.
+# shellcheck disable=SC2086
+openssl genpkey ${COPT} -aes-256-cbc -pass "pass:onlytemporary" -out "${ROOT}-private.pem" 2>/dev/null
+openssl ec -in "${ROOT}-private.pem" -passin "pass:onlytemporary" -out "${ROOT}-private-nopass.pem" #2>/dev/null
+mv "${ROOT}-private-nopass.pem" "${ROOT}-private.pem"
+openssl asn1parse -i -in "${ROOT}-private.pem"
+
+# -cert.pem is certificate (public key + subject + signature)
+openssl req -batch -verbose -new -sha256 -x509 -days 1826 -key "${ROOT}-private.pem" -out "${ROOT}-cert.pem" -config - << EOF
+[req]
+encrypt_key = yes
+prompt = no
+utf8 = yes
+string_mask = utf8only
+distinguished_name = dn
+x509_extensions = v3_ca
+
+[v3_ca]
+subjectKeyIdentifier = hash
+basicConstraints = critical, CA:TRUE, pathlen:0
+keyUsage = critical, keyCertSign, cRLSign
+
+[dn]
+CN = ${BASE} Root CA ${REVI}
+EOF
+openssl x509 -in "${ROOT}-cert.pem" -text -noout -nameopt utf8 -sha256 -fingerprint > "${ROOT}-cert.pem.x509.txt"
+openssl asn1parse -i -in "${ROOT}-cert.pem" > "${ROOT}-cert.pem.asn1.txt"
+
+# subordinate #1: code signing
+cat << EOF > "${CODE}-csr.config"
+[req]
+encrypt_key = yes
+prompt = no
+utf8 = yes
+string_mask = utf8only
+distinguished_name = dn
+req_extensions = v3_req
+
+[v3_req]
+subjectKeyIdentifier = hash
+keyUsage = critical, digitalSignature
+# msCodeInd = Microsoft Individual Code Signing
+# msCodeCom = Microsoft Commercial Code Signing
+extendedKeyUsage = critical, codeSigning, msCodeInd
+
+[dn]
+CN = ${base} Code Signing Authority
+EOF
+
+# PKCS #8 private key, encrypted, PEM format.
+# shellcheck disable=SC2086
+openssl genpkey ${COPT} -aes-256-cbc -pass "pass:onlytemporary" -out "${CODE}-private.pem" 2>/dev/null
+openssl ec -in "${CODE}-private.pem" -passin "pass:onlytemporary" -out "${CODE}-private-nopass.pem" 2>/dev/null
+mv "${CODE}-private-nopass.pem" "${CODE}-private.pem"
+openssl asn1parse -i -in "${CODE}-private.pem"
+
+openssl pkey -in "${CODE}-private.pem" -pubout > "${CODE}-public.pem"
+# Play some with the public key
+openssl pkey -pubin -in "${CODE}-public.pem" -text -noout > "${CODE}-public.pem.txt"
+openssl asn1parse -i -in "${CODE}-public.pem" > "${CODE}-public.pem.asn1.txt"
+
+# -csr.pem is certificate signing request
+openssl req -batch -verbose -new -sha256 -key "${CODE}-private.pem" -out "${CODE}-csr.pem" -config "${CODE}-csr.config"
+openssl req -batch -verbose -in "${CODE}-csr.pem" -text -noout -nameopt utf8 > "${CODE}-csr.pem.txt"
+openssl asn1parse -i -in "${CODE}-csr.pem" > "${CODE}-csr.pem.asn1.txt"
+
+# -cert.pem is certificate (public key + subject + signature)
+openssl x509 -req -sha256 -days 1095 \
+  -extfile "${CODE}-csr.config" -extensions v3_req \
+  -in "${CODE}-csr.pem" \
+  -CA "${ROOT}-cert.pem" -CAkey "${ROOT}-private.pem" -CAcreateserial -out "${CODE}-cert.pem"
+openssl x509 -in "${CODE}-cert.pem" -text -noout -nameopt utf8 -sha256 -fingerprint > "${CODE}-cert.pem.x509.txt"
+openssl asn1parse -i -in "${CODE}-cert.pem" > "${CODE}-cert.pem.asn1.txt"
+
+# PKCS #12 .p12 is private key and certificate(-chain), encrypted
+openssl pkcs12 -export \
+  -keypbe aes-256-cbc -certpbe aes-256-cbc -macalg sha256 \
+  -inkey "${CODE}-private.pem" \
+  -in "${CODE}-cert.pem" \
+  -chain -CAfile "${ROOT}-cert.pem" \
+  -out "${CODE}.p12" \
+  -passout pass:""
+openssl pkcs12 -in "${CODE}.p12" -info -nodes -nokeys -out "${CODE}.p12.txt" -passin pass:"" -passout pass:""
+openssl asn1parse -i -inform DER -in "${CODE}.p12"