#!/bin/bash
# ==============================================
# Script Name: Generate Service Crypto Base Script
# Description: Generates the server and client private keys, CSRs and certificates for a service:
#              optionally signed by an external signing command, self-signed (server), and a
#              client certificate signed by the server certificate.
# Information: This script is invoked by other scripts, not from an interactive shell. All of its
#              work runs inside a subshell so no variable, function or exit leaks into the caller.
# ==============================================
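# Execution check. This file is meant to be sourced or run by another script.
# When it is sourced straight into an interactive shell, $0 is the shell's own
# name (bash, -bash for a login shell, sh, ...) rather than a script path, so
# refuse to continue in that case.  The original only matched the bare names
# "sh" and "bash" and then called exit, which closes the interactive shell it
# was sourced into; "return" leaves only this file when sourced and falls back
# to exit when the file is executed directly.
case "${0##*/}" in
sh|-sh|bash|-bash|dash|-dash)
echo -e "${SHELL_TEXT_ERROR}Error: This script must be executed from another shell script." >&2
return 1 2>/dev/null || exit 1
;;
esac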
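(
# Everything below runs in a subshell: the file is sourced/called from another
# script, so variables, helper functions and "exit" stay confined to this run.
source CMN_load_function.sh

# ---- option defaults --------------------------------------------------------
SERVICE_NAME=""
COMMON_NAME=""
SERVER_KEY_CNF_FILE_PATH=""
CLIENT_KEY_CNF_FILE_PATH=""
SERVER_PRIVATE_KEY_PATH=""
CLIENT_PRIVATE_KEY_PATH=""
SERVER_CSR_FILE_PATH=""
CLIENT_CSR_FILE_PATH=""
SERVER_CERT_FILE_PATH=""
CLIENT_CERT_FILE_PATH=""
SERVER_PUBLIC_CERT_PATH=""
CLIENT_PUBLIC_CERT_PATH=""
SERVER_SELF_SIGNED_CERT_PATH=""
SERVER_SELF_SIGNED_PUBLIC_CERT_PATH=""
SERVER_SIGNED_CLIENT_CERT_PATH=""
SERVER_SIGNED_CLIENT_PUBLIC_CERT_PATH=""
SIGNING_SCRIPT_CMD=""
SERVER_EXTENSIONS="v3_req"
CLIENT_EXTENSIONS="client_cert"
# Validity (days) of the certificates this script signs itself (openssl x509
# -days); an external signing script decides its own validity.
CERT_DAYS="365"

# Exit this subshell with an error unless option --$1 was given a value ($2).
require_arg() {
  if [ -z "$2" ]; then
    log e "Missing required option: --$1" >&2
    exit 1
  fi
}

# Generate a 4096-bit RSA private key at $1 with owner-only permissions.
# Recent openssl builds already open private-key outputs with mode 0600, but
# that depends on the build; forcing umask 077 around the call makes the
# result explicit.  The umask is restored afterwards so CSRs and certificates
# written later keep their normal permissions.
generate_private_key() {
  local key_path="$1" saved_umask
  saved_umask=$(umask)
  umask 077
  try openssl genrsa -out "${key_path}" 4096
  umask "${saved_umask}"
}

# Sign CSR $3 into certificate $4 with the external signing command.
#   $1 / $2  role for log messages, lowercase and capitalised ("server"/"Server")
#   $5       openssl config forwarded as --conf when the file exists
#   $6       extensions section forwarded as --extensions together with it
# The generated options are passed as an array that is expanded only after
# eval has parsed ${SIGNING_SCRIPT_CMD}; the original spliced the paths into
# the eval'd string, so a path containing a quote, space or $(...) could
# change the command line.  SIGNING_SCRIPT_CMD itself is still interpreted as
# shell text (callers may include their own options in it) and must come
# from a trusted caller.
sign_with_script() {
  local role="$1" label="$2" csr_path="$3" cert_path="$4" cnf_path="$5" extensions="$6"
  local signing_args=("--csr=${csr_path}" "--output=${cert_path}")
  if [ -f "${cnf_path}" ]; then
    signing_args+=("--conf=${cnf_path}" "--extensions=${extensions}")
  fi
  log i "Signing ${role} certificate for ${SERVICE_NAME} using the signing script... ${SIGNING_SCRIPT_CMD} $(printf '%q ' "${signing_args[@]}")"
  eval "${SIGNING_SCRIPT_CMD}" '"${signing_args[@]}"'
  exit_on_error "${label} certificate signing failed."
}

# ---- command-line options ---------------------------------------------------
while [[ "$#" -gt 0 ]]; do
  case $1 in
    --service_name=*) SERVICE_NAME="${1#*=}" ;;
    --common_name=*) COMMON_NAME="${1#*=}" ;;
    --server_key_cnf_file_path=*) SERVER_KEY_CNF_FILE_PATH="${1#*=}" ;;
    --client_key_cnf_file_path=*) CLIENT_KEY_CNF_FILE_PATH="${1#*=}" ;;
    --server_private_key_path=*) SERVER_PRIVATE_KEY_PATH="${1#*=}" ;;
    --client_private_key_path=*) CLIENT_PRIVATE_KEY_PATH="${1#*=}" ;;
    --server_csr_file_path=*) SERVER_CSR_FILE_PATH="${1#*=}" ;;
    --client_csr_file_path=*) CLIENT_CSR_FILE_PATH="${1#*=}" ;;
    --server_cert_file_path=*) SERVER_CERT_FILE_PATH="${1#*=}" ;;
    --client_cert_file_path=*) CLIENT_CERT_FILE_PATH="${1#*=}" ;;
    --server_public_cert_path=*) SERVER_PUBLIC_CERT_PATH="${1#*=}" ;;
    --client_public_cert_path=*) CLIENT_PUBLIC_CERT_PATH="${1#*=}" ;;
    --server_self_signed_cert_path=*) SERVER_SELF_SIGNED_CERT_PATH="${1#*=}" ;;
    --server_self_signed_public_cert_path=*) SERVER_SELF_SIGNED_PUBLIC_CERT_PATH="${1#*=}" ;;
    --server_signed_client_cert_path=*) SERVER_SIGNED_CLIENT_CERT_PATH="${1#*=}" ;;
    --server_signed_client_public_cert_path=*) SERVER_SIGNED_CLIENT_PUBLIC_CERT_PATH="${1#*=}" ;;
    --server_extensions=*) SERVER_EXTENSIONS="${1#*=}" ;;
    --client_extensions=*) CLIENT_EXTENSIONS="${1#*=}" ;;
    --signing_script_cmd=*) SIGNING_SCRIPT_CMD="${1#*=}" ;;
    --days=*) CERT_DAYS="${1#*=}" ;;
    *) log e "Unknown option: $1" >&2; exit 1 ;;
  esac
  shift
done

# ---- validation -------------------------------------------------------------
# These paths are written unconditionally; an empty one only surfaces as an
# opaque openssl error later on.
require_arg common_name "${COMMON_NAME}"
require_arg server_private_key_path "${SERVER_PRIVATE_KEY_PATH}"
require_arg server_csr_file_path "${SERVER_CSR_FILE_PATH}"
require_arg client_private_key_path "${CLIENT_PRIVATE_KEY_PATH}"
require_arg client_csr_file_path "${CLIENT_CSR_FILE_PATH}"
if [ -n "${SIGNING_SCRIPT_CMD}" ]; then
  require_arg server_cert_file_path "${SERVER_CERT_FILE_PATH}"
  require_arg client_cert_file_path "${CLIENT_CERT_FILE_PATH}"
fi
# '/' separates RDNs in an openssl -subj string, so a CN containing it would
# smuggle additional name components into the certificate subject.
case "${COMMON_NAME}" in
  */*) log e "Invalid --common_name '${COMMON_NAME}': must not contain '/'" >&2; exit 1 ;;
esac
if ! [[ "${CERT_DAYS}" =~ ^[1-9][0-9]*$ ]]; then
  log e "Invalid --days '${CERT_DAYS}': must be a positive integer" >&2
  exit 1
fi

# ---- echo the effective arguments -------------------------------------------
log i "Generating certificates for ${SERVICE_NAME}..."
log d "SERVICE_NAME: ${SERVICE_NAME}"
log d "COMMON_NAME: ${COMMON_NAME}"
log d "SERVER_KEY_CNF_FILE_PATH: ${SERVER_KEY_CNF_FILE_PATH}"
log d "CLIENT_KEY_CNF_FILE_PATH: ${CLIENT_KEY_CNF_FILE_PATH}"
log d "SERVER_PRIVATE_KEY_PATH: ${SERVER_PRIVATE_KEY_PATH}"
log d "CLIENT_PRIVATE_KEY_PATH: ${CLIENT_PRIVATE_KEY_PATH}"
log d "SERVER_CSR_FILE_PATH: ${SERVER_CSR_FILE_PATH}"
log d "CLIENT_CSR_FILE_PATH: ${CLIENT_CSR_FILE_PATH}"
log d "SERVER_CERT_FILE_PATH: ${SERVER_CERT_FILE_PATH}"
log d "CLIENT_CERT_FILE_PATH: ${CLIENT_CERT_FILE_PATH}"
log d "SERVER_PUBLIC_CERT_PATH: ${SERVER_PUBLIC_CERT_PATH}"
log d "CLIENT_PUBLIC_CERT_PATH: ${CLIENT_PUBLIC_CERT_PATH}"
log d "SERVER_SELF_SIGNED_CERT_PATH: ${SERVER_SELF_SIGNED_CERT_PATH}"
log d "SERVER_SELF_SIGNED_PUBLIC_CERT_PATH: ${SERVER_SELF_SIGNED_PUBLIC_CERT_PATH}"
log d "SERVER_SIGNED_CLIENT_CERT_PATH: ${SERVER_SIGNED_CLIENT_CERT_PATH}"
log d "SERVER_SIGNED_CLIENT_PUBLIC_CERT_PATH: ${SERVER_SIGNED_CLIENT_PUBLIC_CERT_PATH}"
log d "SIGNING_SCRIPT_CMD: ${SIGNING_SCRIPT_CMD}"
log d "CERT_DAYS: ${CERT_DAYS}"
log i "========================================"

# ---- server key and CSR -----------------------------------------------------
log i "Generating server key for ${SERVICE_NAME}..."
generate_private_key "${SERVER_PRIVATE_KEY_PATH}"
if [ -f "${SERVER_KEY_CNF_FILE_PATH}" ]; then
  log i "Generating server CSR with config file for ${SERVICE_NAME}..."
  try openssl req -new -key "${SERVER_PRIVATE_KEY_PATH}" -out "${SERVER_CSR_FILE_PATH}" -config "${SERVER_KEY_CNF_FILE_PATH}" -subj "/CN=${COMMON_NAME}"
else
  log w "No key configuration file found for ${SERVICE_NAME}."
  log w "Generating server CSR without a config file for ${SERVICE_NAME}..."
  try openssl req -new -key "${SERVER_PRIVATE_KEY_PATH}" -out "${SERVER_CSR_FILE_PATH}" -subj "/CN=${COMMON_NAME}"
fi

# ---- server certificate: external signing script and/or self-signed ---------
if [ -n "${SIGNING_SCRIPT_CMD}" ]; then
  sign_with_script server Server "${SERVER_CSR_FILE_PATH}" "${SERVER_CERT_FILE_PATH}" "${SERVER_KEY_CNF_FILE_PATH}" "${SERVER_EXTENSIONS}"
fi
if [ -n "${SERVER_SELF_SIGNED_CERT_PATH}" ]; then
  log i "Self-signing the server certificate for ${SERVICE_NAME}..."
  # Only pass -extfile/-extensions when the config exists; the original always
  # passed --extfile, i.e. an empty path when no config was supplied, which
  # openssl cannot open and so the self-signing step failed in that case.
  server_ext_args=()
  if [ -f "${SERVER_KEY_CNF_FILE_PATH}" ]; then
    server_ext_args=(-extfile "${SERVER_KEY_CNF_FILE_PATH}" -extensions "${SERVER_EXTENSIONS}")
  fi
  try openssl x509 -req -in "${SERVER_CSR_FILE_PATH}" -signkey "${SERVER_PRIVATE_KEY_PATH}" -out "${SERVER_SELF_SIGNED_CERT_PATH}" -days "${CERT_DAYS}" "${server_ext_args[@]}"
fi
log i "----------------------------------------"

# ---- client key and CSR -----------------------------------------------------
log i "Generating client key and certificate for ${SERVICE_NAME}..."
generate_private_key "${CLIENT_PRIVATE_KEY_PATH}"
if [ -f "${CLIENT_KEY_CNF_FILE_PATH}" ]; then
  log i "Generating client CSR with config file for ${SERVICE_NAME}..."
  try openssl req -new -key "${CLIENT_PRIVATE_KEY_PATH}" -out "${CLIENT_CSR_FILE_PATH}" -config "${CLIENT_KEY_CNF_FILE_PATH}" -subj "/CN=client.${COMMON_NAME}"
else
  log w "No client key configuration file found for ${SERVICE_NAME}."
  log w "Generating CSR without a config file for ${SERVICE_NAME}..."
  try openssl req -new -key "${CLIENT_PRIVATE_KEY_PATH}" -out "${CLIENT_CSR_FILE_PATH}" -subj "/CN=client.${COMMON_NAME}"
fi

# ---- client certificate: external signing script and/or server-signed -------
if [ -n "${SIGNING_SCRIPT_CMD}" ]; then
  sign_with_script client Client "${CLIENT_CSR_FILE_PATH}" "${CLIENT_CERT_FILE_PATH}" "${CLIENT_KEY_CNF_FILE_PATH}" "${CLIENT_EXTENSIONS}"
fi
if [ -n "${SERVER_SIGNED_CLIENT_CERT_PATH}" ]; then
  log i "Signing the client certificate for ${SERVICE_NAME} with the server certificate..."
  # The issuing certificate is the script-signed server certificate
  # (SERVER_CERT_FILE_PATH), not the self-signed one, so this step needs
  # --signing_script_cmd to have produced it; fail with a clear message
  # instead of an opaque openssl error.
  if [ ! -f "${SERVER_CERT_FILE_PATH}" ]; then
    log e "Cannot sign the client certificate: server certificate '${SERVER_CERT_FILE_PATH}' does not exist." >&2
    exit 1
  fi
  client_ext_args=()
  if [ -f "${CLIENT_KEY_CNF_FILE_PATH}" ]; then
    client_ext_args=(-extfile "${CLIENT_KEY_CNF_FILE_PATH}" -extensions "${CLIENT_EXTENSIONS}")
  fi
  # -CAcreateserial writes/updates a .srl file next to the CA certificate.
  try openssl x509 -req -in "${CLIENT_CSR_FILE_PATH}" -CA "${SERVER_CERT_FILE_PATH}" -CAkey "${SERVER_PRIVATE_KEY_PATH}" -out "${SERVER_SIGNED_CLIENT_CERT_PATH}" -days "${CERT_DAYS}" "${client_ext_args[@]}" -CAcreateserial
fi

# ---- publish the certificates -----------------------------------------------
log i "Copying server certificate to CA directory for ${SERVICE_NAME}..."
# SERVER_CERT_FILE_PATH / CLIENT_CERT_FILE_PATH are only produced by the
# external signing script; without one the original's unconditional copy
# aborted the whole run via try.
if [ -n "${SIGNING_SCRIPT_CMD}" ]; then
  try cp "${SERVER_CERT_FILE_PATH}" "${SERVER_PUBLIC_CERT_PATH}"
  try cp "${CLIENT_CERT_FILE_PATH}" "${CLIENT_PUBLIC_CERT_PATH}"
else
  log w "No signing script was used; skipping copy of script-signed certificates for ${SERVICE_NAME}."
fi
if [ -n "${SERVER_SELF_SIGNED_PUBLIC_CERT_PATH}" ]; then
  try cp "${SERVER_SELF_SIGNED_CERT_PATH}" "${SERVER_SELF_SIGNED_PUBLIC_CERT_PATH}"
fi
if [ -n "${SERVER_SIGNED_CLIENT_PUBLIC_CERT_PATH}" ]; then
  try cp "${SERVER_SIGNED_CLIENT_CERT_PATH}" "${SERVER_SIGNED_CLIENT_PUBLIC_CERT_PATH}"
fi
log s "==> Finished generating certificates for ${SERVICE_NAME}."
log s "========================================"
)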