server/genkey.sh - platform/packages/apps/Car/DebuggingRestrictionController - Git at Google

 #/bin/bash

 echo "This script generates the key and certificate chain for deploying"
 echo "the AAOS Debugging Restriction Controller client and service"
 echo
 echo "WARNING: Only use this script if you are using a self-signed CA."
 echo
 echo "Continue (y/N)?"
 read c
 if [[ "$c" != "y" ]]
 then
     exit -1
 fi

 echo "Enter the path of the CA certificate:"
 read ca_cert

 echo "Enter path of the CA private key:"
 read ca_key

 echo
 echo "Enter the number of days the token signing key should be valid for:"
 echo "  (press return for 365 days)"
 read validity

 if [[ -z "$validity" ]] ; then
   validity=365
 fi
 echo "Using '$validity' days"

 echo
 echo "Enter the hostname that identifies the token signer:"
 read hostname

 echo
 echo "Generating the token signing key and certificate signing request ..."
 echo "Please fill in the fields when requested."
 date=$(date +%Y-%m-%d)
 folder=$(mktemp -d)
 req="$folder/token_signing-${date}.req"
 key="$folder/token_signing-${date}.key"
 signed="$folder/token_signing-${date}.pem"

 config="
 [ server ]
 basicConstraints = critical,CA:false
 keyUsage = nonRepudiation, digitalSignature
 subjectKeyIdentifier = hash
 authorityKeyIdentifier = keyid:always,issuer:always
 subjectAltName = @alt_names

 [ alt_names ]
 DNS.1 = $hostname
 "

 openssl req -nodes -newkey rsa:2048 -sha256 -keyout "${key}" -out "${req}"
 echo "Signing the certificate ..."

 openssl x509 -req \
     -in "$req" -out "$signed" -CA "$ca_cert" -CAkey "$ca_key" \
     -sha256 -days "$validity" -set_serial 666 \
     -extensions server -extfile <(echo "$config")

 key_out="token_signing_key-$date.pem"
 cert_chain_out="token_signing_certs-$date.pem"
 cat "$key" > "$key_out"
 cat "$signed" "$ca_cert" > "$cert_chain_out"


 echo "The token signing key and certificate chain have been created."
 echo "See $key_out and $cert_chain_out."
 echo
 echo "Verifying the certificate chain ..."
 openssl verify -CAfile "$ca_cert" "$cert_chain_out"
 rm -rf "$folder"
	#/bin/bash

	echo "This script generates the key and certificate chain for deploying"
	echo "the AAOS Debugging Restriction Controller client and service"
	echo
	echo "WARNING: Only use this script if you are using a self-signed CA."
	echo
	echo "Continue (y/N)?"
	read c
	if [[ "$c" != "y" ]]
	then
	exit -1
	fi

	echo "Enter the path of the CA certificate:"
	read ca_cert

	echo "Enter path of the CA private key:"
	read ca_key

	echo
	echo "Enter the number of days the token signing key should be valid for:"
	echo " (press return for 365 days)"
	read validity

	if [[ -z "$validity" ]] ; then
	validity=365
	fi
	echo "Using '$validity' days"

	echo
	echo "Enter the hostname that identifies the token signer:"
	read hostname

	echo
	echo "Generating the token signing key and certificate signing request ..."
	echo "Please fill in the fields when requested."
	date=$(date +%Y-%m-%d)
	folder=$(mktemp -d)
	req="$folder/token_signing-${date}.req"
	key="$folder/token_signing-${date}.key"
	signed="$folder/token_signing-${date}.pem"

	config="
	[ server ]
	basicConstraints = critical,CA:false
	keyUsage = nonRepudiation, digitalSignature
	subjectKeyIdentifier = hash
	authorityKeyIdentifier = keyid:always,issuer:always
	subjectAltName = @alt_names

	[ alt_names ]
	DNS.1 = $hostname
	"

	openssl req -nodes -newkey rsa:2048 -sha256 -keyout "${key}" -out "${req}"
	echo "Signing the certificate ..."

	openssl x509 -req \
	-in "$req" -out "$signed" -CA "$ca_cert" -CAkey "$ca_key" \
	-sha256 -days "$validity" -set_serial 666 \
	-extensions server -extfile <(echo "$config")

	key_out="token_signing_key-$date.pem"
	cert_chain_out="token_signing_certs-$date.pem"
	cat "$key" > "$key_out"
	cat "$signed" "$ca_cert" > "$cert_chain_out"


	echo "The token signing key and certificate chain have been created."
	echo "See $key_out and $cert_chain_out."
	echo
	echo "Verifying the certificate chain ..."
	openssl verify -CAfile "$ca_cert" "$cert_chain_out"
	rm -rf "$folder"