tadpol/adc_test_client_certs.sh

## adc_test_client_certs.sh
#!/bin/sh

set -x
set -e

DEVICE_HOST=${DEVICE_HOST:-<>.m2.exosite-dev.io}

BY_ACTION=${BY_ACTION:-write}
USE_CERT=${USE_CERT:-rsa}
HOST_CA=${HOST_CA:-MURANO_ROOT_CA.cer}
if [ ! -f "$HOST_CA" ]; then
	HOST_CA=/vagrant/MURANO_ROOT_CA.cer
fi
if [ ! -f "$HOST_CA" ]; then
	echo "Missing Root CA!"
	exit 5
fi

did=`hostname`
DEVICE_ID=${DEVICE_ID:-C${USE_CERT}_${did}}

uname -a
openssl version
curl --version

if [ "z$BY_ACTION" != "zkeys" ]; then
	tmpname=`basename $0`
	WKS=`mktemp -d -t ${tmpname}.XXXXXX`
	cd $WKS
fi

if [ "z${USE_CERT}" = "zrsa" ]; then
	# Create self-signed RSA cert; our Test CA.
	openssl req -x509 -nodes -days 365 -subj "/C=US/ST=MN/L=Mpls/O=Exosite/CN=TestRsaCa" \
		-newkey rsa:2048 -keyout ca-key.pem -out ca.pem

	# Create RSA private key and a CSR for that key
	openssl req -out CSR.csr -new -newkey rsa:2048 -nodes -keyout client-key.pem \
		-subj "/C=US/ST=MN/L=Mpls/O=Exosite/CN=${DEVICE_ID}"

	# Sign with Test CA.
	openssl x509 -req -days 730 -in CSR.csr -CA ca.pem -CAkey ca-key.pem \
		-CAcreateserial -out client-signed.cer

	cat client-key.pem client-signed.cer > client-up.pem

else
	# Create self-signed ECDSA cert; our Test CA.
	openssl ecparam -name secp521r1 -genkey -param_enc explicit -out ca-key.pem
	openssl req -new -x509 -key ca-key.pem -out ca.pem -days 730 \
		-subj "/C=US/ST=MN/L=Mpls/O=Exosite/CN=TestEcdsaCA"

	# Create ECDSA private key
	openssl ecparam -name secp521r1 -genkey -param_enc explicit -out client-key.pem

	# Create CSR from private key
	openssl req -out CSR.csr -key client-key.pem -new \
		-subj "/C=US/ST=MN/L=Mpls/O=Exosite/CN=${DEVICE_ID}"

	# Sign with Test CA.
	openssl x509 -req -days 730 -in CSR.csr -CA ca.pem -CAkey ca-key.pem \
		-CAcreateserial -out client-signed.cer

	cat client-key.pem client-signed.cer > client-up.pem
fi

# Test with curl (not on macOS. -k doesn't work as we expect.)
case $BY_ACTION in
	timestamp)
		curl -v https://${DEVICE_HOST}/timestamp \
			--cert client-signed.cer --key client-key.pem --cacert $HOST_CA
		;;

	write)
		curl -v https://${DEVICE_HOST}/onep:v1/stack/alias \
			--cert client-signed.cer --key client-key.pem --cacert $HOST_CA \
			-H 'Content-Type: application/x-www-form-urlencoded; charset=utf-8' \
			-d 'data_in=42'
		;;

	activate)
		curl -v https://${DEVICE_HOST}/provision/activate \
			--cert client-signed.cer --key client-key.pem --cacert $HOST_CA \
			-H 'Content-Type: application/x-www-form-urlencoded; charset=utf-8' \
			-d "id=$DEVICE_ID"
		;;
	keys)
		echo "just built keys."
		;;
esac

if [ "z$BY_ACTION" != "zkeys" ]; then
	cd $HOME
	rm -r $WKS
fi

#  vim: set sw=4 ts=4 :
	#!/bin/sh

	set -x
	set -e

	DEVICE_HOST=${DEVICE_HOST:-<>.m2.exosite-dev.io}

	BY_ACTION=${BY_ACTION:-write}
	USE_CERT=${USE_CERT:-rsa}
	HOST_CA=${HOST_CA:-MURANO_ROOT_CA.cer}
	if [ ! -f "$HOST_CA" ]; then
	HOST_CA=/vagrant/MURANO_ROOT_CA.cer
	fi
	if [ ! -f "$HOST_CA" ]; then
	echo "Missing Root CA!"
	exit 5
	fi

	did=`hostname`
	DEVICE_ID=${DEVICE_ID:-C${USE_CERT}_${did}}

	uname -a
	openssl version
	curl --version

	if [ "z$BY_ACTION" != "zkeys" ]; then
	tmpname=`basename $0`
	WKS=`mktemp -d -t ${tmpname}.XXXXXX`
	cd $WKS
	fi

	if [ "z${USE_CERT}" = "zrsa" ]; then
	# Create self-signed RSA cert; our Test CA.
	openssl req -x509 -nodes -days 365 -subj "/C=US/ST=MN/L=Mpls/O=Exosite/CN=TestRsaCa" \
	-newkey rsa:2048 -keyout ca-key.pem -out ca.pem

	# Create RSA private key and a CSR for that key
	openssl req -out CSR.csr -new -newkey rsa:2048 -nodes -keyout client-key.pem \
	-subj "/C=US/ST=MN/L=Mpls/O=Exosite/CN=${DEVICE_ID}"

	# Sign with Test CA.
	openssl x509 -req -days 730 -in CSR.csr -CA ca.pem -CAkey ca-key.pem \
	-CAcreateserial -out client-signed.cer

	cat client-key.pem client-signed.cer > client-up.pem

	else
	# Create self-signed ECDSA cert; our Test CA.
	openssl ecparam -name secp521r1 -genkey -param_enc explicit -out ca-key.pem
	openssl req -new -x509 -key ca-key.pem -out ca.pem -days 730 \
	-subj "/C=US/ST=MN/L=Mpls/O=Exosite/CN=TestEcdsaCA"

	# Create ECDSA private key
	openssl ecparam -name secp521r1 -genkey -param_enc explicit -out client-key.pem

	# Create CSR from private key
	openssl req -out CSR.csr -key client-key.pem -new \
	-subj "/C=US/ST=MN/L=Mpls/O=Exosite/CN=${DEVICE_ID}"

	# Sign with Test CA.
	openssl x509 -req -days 730 -in CSR.csr -CA ca.pem -CAkey ca-key.pem \
	-CAcreateserial -out client-signed.cer

	cat client-key.pem client-signed.cer > client-up.pem
	fi

	# Test with curl (not on macOS. -k doesn't work as we expect.)
	case $BY_ACTION in
	timestamp)
	curl -v https://${DEVICE_HOST}/timestamp \
	--cert client-signed.cer --key client-key.pem --cacert $HOST_CA
	;;

	write)
	curl -v https://${DEVICE_HOST}/onep:v1/stack/alias \
	--cert client-signed.cer --key client-key.pem --cacert $HOST_CA \
	-H 'Content-Type: application/x-www-form-urlencoded; charset=utf-8' \
	-d 'data_in=42'
	;;

	activate)
	curl -v https://${DEVICE_HOST}/provision/activate \
	--cert client-signed.cer --key client-key.pem --cacert $HOST_CA \
	-H 'Content-Type: application/x-www-form-urlencoded; charset=utf-8' \
	-d "id=$DEVICE_ID"
	;;
	keys)
	echo "just built keys."
	;;
	esac

	if [ "z$BY_ACTION" != "zkeys" ]; then
	cd $HOME
	rm -r $WKS
	fi

	# vim: set sw=4 ts=4 :