From 6f260045fa10f16104bae1a9aa067288096b3722 Mon Sep 17 00:00:00 2001
From: Pierre-Olivier Mercier
Date: Mon, 20 Jan 2014 18:23:02 +0100
Subject: [PATCH] CA.sh: Add a Master CA
---
 misc/CA.sh | 75 +++++++++++++++++++++++++++++++++++++++---------------
 1 file changed, 55 insertions(+), 20 deletions(-)
diff --git a/misc/CA.sh b/misc/CA.sh
index aa0f6212..16d07dfd 100755
--- a/misc/CA.sh
+++ b/misc/CA.sh
@@ -11,17 +11,21 @@ fi
 CAKEY=./cakey.key
 CAREQ=./careq.csr
 CACERT=./cacert.crt
+MASTERKEY=./master.key
+MASTEREQ=./master.csr
+MASTERCERT=./master.crt
+
 DAYS=365
-#GREEN="\033[1;32m"
-#RED="\033[1;31m"
-#COLOR_RST="\033[0m"
+GREEN="\033[1;32m"
+RED="\033[1;31m"
+COLOR_RST="\033[0m"
-GREEN=""
-RED=""
-COLOR_RST=""
-BOLD=""
-END_BOLD=""
+#GREEN=""
+#RED=""
+#COLOR_RST=""
+#BOLD=""
+#END_BOLD=""
 usage() {
@@ -61,7 +65,7 @@ case $1 in
 ESCAPED=$(echo "${TOP_DIR}" | sed 's/[\/\.]/\\&/g')
 echo -e "${GREEN}Making CA key and csr${COLOR_RST}"
-sed -i 's/=.*#COMMONNAME/= FIC2014 CA #COMMONNAME/' $OPENSSL_CONF
+sed -i 's/=.*#COMMONNAME/= FIC2014 MASTER #COMMONNAME/' $OPENSSL_CONF
 sed -i "s/=.*#DIR/= ${ESCAPED} #DIR/" $OPENSSL_CONF
 sed -i "s/=.*#CERTTYPE/= objsign #CERTTYPE/" $OPENSSL_CONF
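Review bot: The ANSI sequences in GREEN, RED and COLOR_RST are now emitted unconditionally, so every `echo -e` in the script writes escape codes into log files and pipes as well as terminals. A one-line guard placed after the three assignments keeps the colours for interactive runs only: `[ -t 1 ] || { GREEN=; RED=; COLOR_RST=; }`. BOLD and END_BOLD are commented out without a replacement, so any remaining reference to them elsewhere in the file now expands silently to an empty string; if they are still used, either keep them defined or remove those references.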
@@ -71,9 +75,37 @@ case $1 in
 exit 5
 fi
+ # MASTER CA
+ sed -i 's/cacert\.crt/master\.crt/' $OPENSSL_CONF
+ sed -i 's/cakey\.key/master\.key/' $OPENSSL_CONF
 pass=`pwgen -n -B -y 12 1`
+ echo "Master pass: " $pass
+ openssl req -batch -new -keyout ${TOP_DIR}/private/${MASTERKEY} \
+ -out ${TOP_DIR}/${MASTEREQ} -passout pass:$pass \
+ -config $OPENSSL_CONF > $OUTPUT 2>&1
+ if [ $? -ne 0 ]; then
+ cat $OUTPUT
+ clean "ca"
+ exit 4
+ fi
- openssl req -batch -new -keyout ${TOP_DIR}/private/${CAKEY} \
+ echo -e "${GREEN}Self signes the MASTER certificate${COLOR_RST}"
+ openssl ca -batch -create_serial -out ${TOP_DIR}/${MASTERCERT} \
+ -days ${DAYS} -keyfile ${TOP_DIR}/private/${MASTERKEY} \
+ -selfsign -extensions v3_ca -config ${OPENSSL_CONF} \
+ -infiles ${TOP_DIR}/${MASTEREQ} > $OUTPUT 2>&1
+ if [ $? -ne 0 ]; then
+ cat $OUTPUT
+ clean "ca"
+ exit 4
+ fi
+
+ sed -i 's/=.*#COMMONNAME/= FIC2014 CA #COMMONNAME/' $OPENSSL_CONF
+ echo -e "${GREEN}Generate CA certificate${COLOR_RST}"
+
+ pass=`pwgen -n -B -y 12 1`
+ echo "CA pass: " $pass
+ openssl req -batch -new -keyout ${TOP_DIR}/private/${CAKEY} \
 -out ${TOP_DIR}/${CAREQ} -passout pass:$pass \
 -config $OPENSSL_CONF > $OUTPUT 2>&1
 if [ $? -ne 0 ]; then
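Review bot: The freshly generated key passphrases are printed to stdout by `echo "Master pass: " $pass` and `echo "CA pass: " $pass` and are also placed on the openssl command line through `-passout pass:$pass`, where they can show up in process listings; prefer `-passout env:PASS` (or a `file:` source) and write the passphrase to a mode-0600 file rather than the terminal. Both expansions are unquoted although `pwgen -y` emits symbol characters, so a passphrase containing `*`, `?` or `[` is subject to filename expansion before it reaches openssl; at minimum write `-passout "pass:$pass"`. The two `sed -i` rewrites that point `$OPENSSL_CONF` at master.crt/master.key are never undone on the two `exit 4` paths of this hunk, while the hunk at line 122 reverts them only when signing the CA fails, so a failed master request or self-sign leaves the config permanently pointing at the master files; run `sed -i 's/master\.crt/cacert\.crt/' $OPENSSL_CONF` and `sed -i 's/master\.key/cakey\.key/' $OPENSSL_CONF` before each `exit 4` here as well (a `trap ... EXIT` would cover every path at once). The message `Self signes the MASTER certificate` should read `Self-signs the MASTER certificate`. The enclosing case arm continues beyond the hunk.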
@@ -90,17 +122,20 @@ case $1 in
 clean "ca"
 exit 4
 fi
-
- echo -e "${GREEN}Self signes the CA certificate${COLOR_RST}"
- openssl ca -batch -create_serial -out ${TOP_DIR}/${CACERT} \
- -days ${DAYS} -keyfile ${TOP_DIR}/private/${CAKEY} \
- -selfsign -extensions v3_ca -config ${OPENSSL_CONF} \
- -infiles ${TOP_DIR}/${CAREQ} > $OUTPUT 2>&1
+ echo -e "${GREEN}Signing CA crt by Master${COLOR_RST}"
+ openssl ca -policy policy_match -config ${OPENSSL_CONF} \
+ -out ${TOP_DIR}/${CACERT} -infiles ${TOP_DIR}/${CAREQ}
 if [ $? -ne 0 ]; then
+ echo -e "${RED}Signing failed for CA${COLOR_RST}"
+ rm -rf ${TOP_DIR}/${CACERT} ${TOP_DIR}/${CAKEY} ${TOP_DIR}/${CAREQ}
 cat $OUTPUT
- clean "ca"
+ sed -i 's/master\.crt/cacert\.crt/' $OPENSSL_CONF
+ sed -i 's/master\.key/cakey\.key/' $OPENSSL_CONF
 exit 4
- fi
+ fi
+
+ sed -i 's/master\.crt/cacert\.crt/' $OPENSSL_CONF
+ sed -i 's/master\.key/cakey\.key/' $OPENSSL_CONF
 ;;
 "-newserver" )
 echo -e "${GREEN}Making the Server key and cert${COLOR_RST}"
@@ -108,7 +143,7 @@ case $1 in
 echo -e "${RED}Can not found the CA's key${COLOR_RST}"
 exit 2
 fi
- sed -i 's/=.*#COMMONNAME/= FIC2014 Server #COMMONNAME/' $OPENSSL_CONF
+ sed -i 's/=.*#COMMONNAME/= srs.epita.fr #COMMONNAME/' $OPENSSL_CONF
 sed -i "s/=.*#CERTTYPE/= server #CERTTYPE/" $OPENSSL_CONF
 openssl req -batch -new -keyout server.key -out server.csr \
 -days ${DAYS} -config ${OPENSSL_CONF} > $OUTPUT 2>&1
@@ -118,7 +153,7 @@ case $1 in
 fi
 echo -e "${GREEN}Signing the Server crt${COLOR_RST}"
 openssl ca -policy policy_match -config ${OPENSSL_CONF} \
- -out server.crt -infiles server.csr > $OUTPUT 2>&1
+ -out server.crt -infiles server.csr
 if [ $? -ne 0 ]; then
 echo -e "${RED}Signing failed for new server${COLOR_RST}"
 rm -rf server.key server.crt server.csr
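Review bot: The new failure branch removes `${TOP_DIR}/${CAKEY}`, but the previous hunk writes the CA key to `${TOP_DIR}/private/${CAKEY}`, so a failed signing leaves the CA private key behind while deleting a path that was never created; the cleanup should be `rm -f -- ${TOP_DIR}/${CACERT} ${TOP_DIR}/private/${CAKEY} ${TOP_DIR}/${CAREQ}` (`-r` is not needed for plain files). The `openssl ca` call drops its `> $OUTPUT 2>&1` redirection, presumably so that the passphrase and sign-confirmation prompts of a non-`-batch` run stay visible, yet the failure branch still runs `cat $OUTPUT`, which now prints the stale output of the earlier `openssl req`; the hunk at line 153 makes the same change for the server certificate, and if its failure branch below the hunk still cats `$OUTPUT` it has the same problem, so either drop the `cat` or capture the command through `tee`. The CA certificate is now issued with `-policy policy_match` but without the `-extensions v3_ca` that the removed self-sign command carried, so whether cacert.crt gets the CA basicConstraints depends on the `x509_extensions` default in `$OPENSSL_CONF`; if that default is an end-entity section, server certificates issued under this CA will not chain to the master. Adding `-extensions v3_ca -days ${DAYS}` to the new `openssl ca` invocation makes the intent explicit and restores the validity period the old command set.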
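Review bot: The server certificate's CN is now the fixed host name `srs.epita.fr`, so every certificate produced by the `-newserver` branch carries the same subject, whereas the replaced value was at least generic. Taking the name from the script's arguments keeps the branch reusable, e.g. `CN=${2:?server name required}` followed by the same sed with `= ${CN} #COMMONNAME`; a value containing `/` or `&` would then need escaping, which the `ESCAPED` helper used for `#DIR` earlier in the file handles for `/` but not for `&`.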