#!/bin/bash
# Set up OpenSSL test servers (RSA, ECDSA, ECDH and DSS) with generated test keys.
# Everything this script produces is throwaway test material; do not reuse it.
# Author: Peter Wu <lekensteyn@gmail.com>

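# File names of the key/cert pairs, relative to $pkdir (taken from $1 below).
# All of this is test material: keys are generated on first run by gen_pk and
# the PSK is a fixed, public value.  Never reuse any of it outside a lab.
rsa_prv=server.pem
rsa_pub=server.crt
dsa_prv=dsa.pem
dsa_pub=dsa.crt
# Self-signed secp384r1 key/cert (the ECDSA server).
ecd_prv=secp384r1-dsa.pem
ecd_pub=secp384r1-dsa.crt
# secp384r1 key whose cert is signed by the RSA key/cert above (the ECDH server).
ecc_prv=secp384r1-rsa.pem
ecc_pub=secp384r1-rsa.crt
# Pre-shared key (hex) handed to `s_server -psk` on the RSA port.  A second,
# shorter assignment (12345678) used to precede this one and was dead code —
# only this value ever took effect.
PSK=0102030405060708091011121314151617181920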

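# Arguments: $1 = directory for keys/certs (created if missing),
#            $2 = first port; the servers use $2, $2+1, $2+2 and $2+3.
pkdir=$1
portbase=${2:-4430}

# The usage text previously said "s_client" and "three ports" and carried a
# stray quote; four s_server instances are started (see start_server).
if [ -z "$pkdir" ]; then
    cat <<EOF
Usage: $0 path-to-certsdir [port base]
openssl s_server will listen on four ports (RSA, ECDSA, ECDH, DSS),
starting at 'port base' (default 4430)
EOF
    exit 1
fi
# Normalise to a trailing slash so "$pkdir$file" concatenation below works.
[[ $pkdir == */ ]] || pkdir+=/

# NOTE(review): this directory will hold private keys, written with whatever
# permissions openssl and the current umask give them — do not point it at a
# shared or world-readable location, even for test material.
if ! mkdir -p "$pkdir"; then
    echo "Could not create directory $pkdir" >&2
    exit 1
fi

# PIDs of the background s_server processes; killed by cleanup on exit.
pids=()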

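#######################################
# Generate a private key and an X.509 certificate for one test server.
# Arguments:
#   $1 - key type: RSA, DSS, ECDSA or ECDH
#   $2 - output path for the private key
#   $3 - output path for the certificate
#   $4 - (optional) CA private key; when set the cert is signed by this CA
#   $5 - (optional) CA certificate; only used together with $4
# Without $4 the certificate is self-signed with the freshly generated key.
# Returns: 0 on success; 1 on an unknown type or any failing openssl step.
#######################################
gen_pk() {
    local type keyfile crtfile x509_opts ca_key ca_crt csr
    type=$1
    keyfile=$2
    crtfile=$3
    # CA material is only needed for a CA-signed cert (the ECDH case).
    ca_key=$4
    ca_crt=$5

    if [ -n "$ca_key" ]; then
        # "1$RANDOM" gives a fresh serial per run but no uniqueness guarantee;
        # fine for throwaway test certs, not for anything a real CA issues.
        x509_opts=(-CA "$ca_crt" -CAkey "$ca_key" -set_serial 1$RANDOM)
    else
        x509_opts=(-signkey "$keyfile")
    fi

    # Every openssl step is checked explicitly: the caller only sees the
    # status of the last command, so a failed key generation must not be
    # masked by a later step that happens to "succeed".
    case $type in
    RSA)
        # Explicit size: genrsa's default key size depends on the OpenSSL
        # version, so pin it for reproducible test material.
        openssl genrsa -out "$keyfile" 2048 || return 1
        ;;
    DSS)
        # 1024-bit DSA is weak by today's standards; presumably kept this
        # small so older DSS cipher suites still negotiate — confirm before
        # raising it.  Test use only.  Without pipefail only gendsa's
        # status is seen, which is enough: it fails on unreadable params.
        openssl dsaparam 1024 | openssl gendsa /dev/stdin -out "$keyfile" || return 1
        ;;
    ECDSA|ECDH)
        # Same key shape for both; they differ only in how the cert is signed.
        openssl ecparam -name secp384r1 -out "$keyfile" -genkey || return 1
        ;;
    *)
        echo "Invalid cert type $type" >&2
        return 1
        ;;
    esac

    # The CSR is kept in memory rather than in a temp file on disk; x509 -req
    # reads it from stdin (the default for -in).
    csr=$(openssl req -new -key "$keyfile" -subj "/CN=Test Certificate $type") || return 1
    openssl x509 -req -days 3650 -out "$crtfile" "${x509_opts[@]}" <<<"$csr" || return 1
}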

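#######################################
# Generate (if needed) the key/cert for one authentication type and start an
# openssl s_server for it in the background.
# Globals:   pkdir, portbase, PSK, rsa_*/dsa_*/ecd_*/ecc_* (read); pids (appended)
# Arguments: $1 - authentication type: RSA, ECDSA, ECDH or DSS
# Ports:     RSA = portbase, ECDSA = portbase+1, ECDH = +2, DSS = +3
# Returns:   0 once the server is launched; 1 on an unknown type, missing
#            CA or key material, or a failed key/cert generation.
#######################################
start_server() {
    local keyfile crtfile port auth ca_key= ca_crt= opts=()
    auth=$1

    case $auth in
    RSA)
        crtfile=$rsa_pub
        keyfile=$rsa_prv
        port=$portbase
        # PSK suites are only offered on the RSA port.  The PSK travels on
        # argv and is therefore visible in `ps`; tolerable only because it is
        # a fixed test value.
        opts+=(-psk "$PSK")
        ;;
    ECDSA)
        crtfile=$ecd_pub
        keyfile=$ecd_prv
        port=$((portbase+1))
        ;;
    ECDH)
        crtfile=$ecc_pub
        keyfile=$ecc_prv
        # Signed by the RSA test key/cert, so the RSA server must have been
        # set up first (the main loop starts RSA before ECDH).
        ca_key=$pkdir$rsa_prv
        ca_crt=$pkdir$rsa_pub
        port=$((portbase+2))
        ;;
    DSS)
        crtfile=$dsa_pub
        keyfile=$dsa_prv
        port=$((portbase+3))
        ;;
    *)
        echo "Invalid cert type $auth" >&2
        return 1
        ;;
    esac

    if [ ! -e "$pkdir$crtfile" ]; then
        # Fail here with a clear message instead of an opaque openssl error
        # from gen_pk when the signing key does not exist yet.
        if [ -n "$ca_key" ] && [ ! -e "$ca_key" ]; then
            echo "CA key $ca_key is missing; the RSA server must be set up first" >&2
            return 1
        fi
        gen_pk "$auth" \
            "$pkdir$keyfile" "$pkdir$crtfile" \
            "$ca_key" "$ca_crt" || return 1
    elif [ ! -e "$pkdir$keyfile" ]; then
        # A cert without its key would only make s_server die in the
        # background; report it synchronously and do not overwrite the cert.
        echo "Certificate $pkdir$crtfile exists but key $pkdir$keyfile is missing" >&2
        return 1
    fi

    # -www answers each request with an HTML status page.  NOTE(review):
    # -accept with a bare port binds all interfaces, so keep this on a
    # private/lab network — the keys and PSK are public test values.
    openssl s_server -accept "$port" \
        "${opts[@]}" \
        -cert "$pkdir$crtfile" -key "$pkdir$keyfile" -www &
    pids+=($!)
}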

# Kill every background s_server recorded in pids.  Installed as the EXIT
# trap right below, so it also runs after Ctrl-C or an early failure.
cleanup() {
    # Nothing started: nothing to kill and nothing to print.
    (( ${#pids[@]} )) || return 0
    echo "Killing: ${pids[*]}"
    kill "${pids[@]}"
}
trap cleanup EXIT

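# Start one server per authentication type.  Order matters: the ECDH cert is
# signed by the RSA key/cert, so RSA has to be generated first.  A server that
# fails to launch was previously skipped silently; now it is reported, but the
# remaining servers are still started.
for auth in RSA ECDSA ECDH DSS; do
    start_server "$auth" || echo "Failed to start $auth server" >&2
done

# Block until the servers exit (or Ctrl-C); the EXIT trap then kills whatever
# is still running.
wait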

# vim: set et sw=4 ts=4: