forked from njh/gen-webid-cert
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathgen-webid-cert.sh
executable file
·158 lines (137 loc) · 5.02 KB
/
gen-webid-cert.sh
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
#!/bin/sh
#
# gen-webid-cert.sh: WebID Self-signed Certificate Generator
#
# This is free and unencumbered software released into the public domain.
#
# Anyone is free to copy, modify, publish, use, compile, sell, or
# distribute this software, either in source code form or as a compiled
# binary, for any purpose, commercial or non-commercial, and by any
# means.
#
# In jurisdictions that recognize copyright laws, the author or authors
# of this software dedicate any and all copyright interest in the
# software to the public domain. We make this dedication for the benefit
# of the public at large and to the detriment of our heirs and
# successors. We intend this dedication to be an overt act of
# relinquishment in perpetuity of all present and future rights to this
# software under copyright law.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
# EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
# IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR
# OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,
# ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
# OTHER DEALINGS IN THE SOFTWARE.
#
# For more information, please refer to <http://unlicense.org/>
#
# Be safe about permissions
umask 077
echo "WebID Self-signed Certificate Generator."
echo "This script will create a certificate and snippet of RDF for you."
echo "For more information about WebID visit: http://webid.info/"
echo
# Check that OpenSSL is available
command -v openssl >/dev/null 2>&1 || {
echo >&2 "The scripts requires OpenSSL but it is not available. Aborting."
exit 1
}
# Check that certificate already exists
if [ -e webid.pem -o -e webid.p12 ]; then
echo >&2 "webid.pem already exists."
echo >&2 "Please delete it if you would like to create a new one."
exit 1
fi
# Ask for certificate details
read -p "Please enter your name: " NAME
[ -z "$NAME" ] && { echo "No name given, aborting."; exit 1; }
read -p "Please enter your WebID [example: https://www.example.com/foaf.rdf#me]: " WEBID
[ -z "$WEBID" ] && { echo "No WebID given, aborting."; exit 1; }
DEFAULT_SUB=`echo "WebID for $NAME" | sed "s|/|-|g"`
read -p "Please label this certificate [default: $DEFAULT_SUB]: " SUBJECT
SUBJECT=${SUBJECT:-$DEFAULT_SUB}
# Create an OpenSSL configuration file
OPENSSL_CONFIG=`mktemp -q /tmp/webid-openssl-conf.XXXXXXXX`
if [ ! $? -eq 0 ]; then
echo >&2 "Could not create temporary OpenSSL config file. Aborting."
exit 1
fi
cat <<EOF > $OPENSSL_CONFIG
[ req ]
default_md = sha1
default_bits = 2048
distinguished_name = req_distinguished_name
encrypt_key = no
string_mask = nombstr
x509_extensions = req_ext
[ req_distinguished_name ]
commonName = Common Name (eg, YOUR name)
commonName_default = $SUBJECT
UID = A user ID
UID_default="$WEBID"
[ req_ext ]
subjectKeyIdentifier = hash
subjectAltName = critical,@subject_alt
basicConstraints = CA:false
extendedKeyUsage = clientAuth
nsCertType = client
[ subject_alt ]
URI.1="$WEBID"
EOF
# Create the self-signed certificate as a PEM file
openssl req -new -batch \
-days 3650 \
-config $OPENSSL_CONFIG \
-keyout webid.pem \
-out webid.pem \
-x509
RESULT=$?
rm -f $OPENSSL_CONFIG
if [ ! $RESULT -eq 0 ]; then
echo >&2 "Failed to create certificate. Aborting."
exit 1
fi
# Display information about the certificate that was generated
openssl x509 -in webid.pem -noout -text
# Offer to convert to P12 format
read -p "Would you like to create a P12 file (for import into Firefox)? [y/N]" DOP12
if [ "$DOP12" = "y" -o "$DOP12" = "Y" ]; then
openssl pkcs12 -export -clcerts \
-name "$SUBJECT" \
-in webid.pem \
-inkey webid.pem \
-out webid.p12
fi
# Offer to load the certificate into Keychain on Mac OS X
command -v security >/dev/null 2>&1 && {
read -p "Would you like to import the certificate into your Mac OS keychain? [y/N]" DOIMPORT
if [ "$DOIMPORT" = "y" -o "$DOIMPORT" = "Y" ]; then
security import webid.pem
fi
}
# Display RDF/XML
MODULUS=`openssl rsa -in webid.pem -modulus -noout | awk '{print substr($0,9)}'`
EXPONENT=`openssl rsa -in webid.pem -text -noout | awk '/Exponent/ { print $2 }'`
echo
echo "Upload this RDF/XML to the location of your WebID:"
echo
echo "<?xml version=\"1.0\"?>"
echo "<rdf:RDF"
echo " xmlns:rdf=\"http://www.w3.org/1999/02/22-rdf-syntax-ns#\""
echo " xmlns:cert=\"http://www.w3.org/ns/auth/cert#\""
echo " xmlns:foaf=\"http://xmlns.com/foaf/0.1/\">"
echo " <foaf:Person rdf:about=\"$WEBID\">"
echo " <foaf:name>$NAME</foaf:name>"
echo " <cert:key>"
echo " <cert:RSAPublicKey>"
echo " <cert:modulus rdf:datatype=\"http://www.w3.org/2001/XMLSchema#hexBinary\">$MODULUS</cert:modulus>"
echo " <cert:exponent rdf:datatype=\"http://www.w3.org/2001/XMLSchema#integer\">$EXPONENT</cert:exponent>"
echo " </cert:RSAPublicKey>"
echo " </cert:key>"
echo " </foaf:Person>"
echo "</rdf:RDF>"
echo
echo "Your certificate has been written to webid.pem in the current directory."
echo