
  1. #!/bin/sh
  2. echo "Zammad S/MIME test certificate generation"
  3. if [[ ! -e "$CERT_DIR/RootCA.key" ]] || [[ ! -e "$CERT_DIR/RootCA.crt" ]]
  4. then
  5. echo "Generating RootCA.key and RootCA.csr"
  6. openssl req -new -newkey rsa:4096 -nodes -out $CERT_DIR/RootCA.csr -keyout $CERT_DIR/RootCA.key -extensions v3_ca -subj "/emailAddress=RootCA@example.com/C=DE/ST=Berlin/L=Berlin/O=Example Security/OU=IT Department/CN=example.com"
  7. echo "Generating RootCA.crt"
  8. openssl x509 -signkey $CERT_DIR/RootCA.key -days 73000 -req -in $CERT_DIR/RootCA.csr -set_serial 01 -out $CERT_DIR/RootCA.crt
  9. echo "Generating RootCA.secret"
  10. cp pass.secret $CERT_DIR/RootCA.secret
  11. fi
  12. if [[ ! -e "$CERT_DIR/IntermediateCA.key" ]] || [[ ! -e "$CERT_DIR/IntermediateCA.crt" ]]
  13. then
  14. echo "Generating IntermediateCA.key and IntermediateCA.csr"
  15. openssl req -new -newkey rsa:4096 -nodes -out $CERT_DIR/IntermediateCA.csr -keyout $CERT_DIR/IntermediateCA.key -subj "/emailAddress=IntermediateCA@example.com/C=DE/ST=Berlin/L=Berlin/O=Example Security/OU=IT Department/CN=example.com"
  16. echo "Generating IntermediateCA.crt"
  17. openssl x509 -CA $CERT_DIR/RootCA.crt -CAkey $CERT_DIR/RootCA.key -passin file:pass.secret -days 73000 -req -in $CERT_DIR/IntermediateCA.csr -set_serial 02 -out $CERT_DIR/IntermediateCA.crt
  18. echo "Generating IntermediateCA.secret"
  19. cp pass.secret $CERT_DIR/IntermediateCA.secret
  20. fi
  21. if [[ ! -e "$CERT_DIR/ChainCA.key" ]] || [[ ! -e "$CERT_DIR/ChainCA.crt" ]]
  22. then
  23. echo "Generating ChainCA.key and ChainCA.csr"
  24. openssl req -new -newkey rsa:4096 -nodes -out $CERT_DIR/ChainCA.csr -keyout $CERT_DIR/ChainCA.key -subj "/emailAddress=ChainCA@example.com/C=DE/ST=Berlin/L=Berlin/O=Example Security/OU=IT Department/CN=example.com"
  25. echo "Generating ChainCA.crt"
  26. openssl x509 -CA $CERT_DIR/IntermediateCA.crt -CAkey $CERT_DIR/IntermediateCA.key -passin file:pass.secret -days 73000 -req -in $CERT_DIR/ChainCA.csr -set_serial 03 -out $CERT_DIR/ChainCA.crt
  27. echo "Generating ChainCA.secret"
  28. cp pass.secret $CERT_DIR/ChainCA.secret
  29. fi
  30. for EMAIL_ADDRESS in smime1@example.com smime2@example.com smime3@example.com smimedouble@example.com CaseInsenstive@eXample.COM
  31. do
  32. if [[ ! -e "$CERT_DIR/$EMAIL_ADDRESS.crt" ]]
  33. then
  34. echo "Generating $EMAIL_ADDRESS.key"
  35. openssl genrsa -aes256 -passout file:pass.secret -out $CERT_DIR/$EMAIL_ADDRESS.key 4096
  36. echo "Generating $EMAIL_ADDRESS.csr (certificate signing request)"
  37. openssl req -new -key $CERT_DIR/$EMAIL_ADDRESS.key -passin file:pass.secret -out $CERT_DIR/$EMAIL_ADDRESS.csr -subj "/emailAddress=$EMAIL_ADDRESS/C=DE/ST=Berlin/L=Berlin/O=Example Security/OU=IT Department/CN=example.com"
  38. echo "Generating $EMAIL_ADDRESS.crt (certificate)"
  39. if [ "$EMAIL_ADDRESS" != "smimedouble@example.com" ]
  40. then
  41. extfile="config.cnf"
  42. else
  43. # special config that contains two email addresses in one certificate
  44. extfile="double.cnf"
  45. fi
  46. openssl x509 -req \
  47. -days 73000 \
  48. -in $CERT_DIR/$EMAIL_ADDRESS.csr \
  49. -CA $CERT_DIR/RootCA.crt \
  50. -CAkey $CERT_DIR/RootCA.key \
  51. -out $CERT_DIR/$EMAIL_ADDRESS.crt \
  52. -addtrust emailProtection \
  53. -addreject clientAuth \
  54. -addreject serverAuth \
  55. -trustout \
  56. -CAcreateserial -CAserial /tmp/RootCA.seq \
  57. -extensions smime \
  58. -extfile "$extfile" \
  59. -passin file:pass.secret
  60. echo "Generating $EMAIL_ADDRESS.secret"
  61. cp pass.secret $CERT_DIR/$EMAIL_ADDRESS.secret
  62. fi
  63. done
  64. echo "Generating from CA chain"
  65. for EMAIL_ADDRESS in chain@example.com
  66. do
  67. if [[ ! -e "$CERT_DIR/$EMAIL_ADDRESS.crt" ]]
  68. then
  69. echo "Generating $EMAIL_ADDRESS.key"
  70. openssl genrsa -aes256 -passout file:pass.secret -out $CERT_DIR/$EMAIL_ADDRESS.key 4096
  71. echo "Generating $EMAIL_ADDRESS.csr (certificate signing request)"
  72. openssl req -new -key $CERT_DIR/$EMAIL_ADDRESS.key -passin file:pass.secret -out $CERT_DIR/$EMAIL_ADDRESS.csr -subj "/emailAddress=$EMAIL_ADDRESS/C=DE/ST=Berlin/L=Berlin/O=Example Security/OU=IT Department/CN=example.com"
  73. echo "Generating $EMAIL_ADDRESS.crt (certificate)"
  74. openssl x509 -req \
  75. -days 73000 \
  76. -in $CERT_DIR/$EMAIL_ADDRESS.csr \
  77. -CA $CERT_DIR/ChainCA.crt \
  78. -CAkey $CERT_DIR/ChainCA.key \
  79. -out $CERT_DIR/$EMAIL_ADDRESS.crt \
  80. -addtrust emailProtection \
  81. -addreject clientAuth \
  82. -addreject serverAuth \
  83. -trustout \
  84. -CAcreateserial -CAserial /tmp/ChainCA.seq \
  85. -extensions smime \
  86. -extfile "config.cnf" \
  87. -passin file:pass.secret
  88. echo "Generating $EMAIL_ADDRESS.secret"
  89. cp pass.secret $CERT_DIR/$EMAIL_ADDRESS.secret
  90. fi
  91. done
  92. echo "Generating expired"
  93. FAKETIME=-10y date
  94. if [[ ! -e "$CERT_DIR/ExpiredCA.key" ]] || [[ ! -e "$CERT_DIR/ExpiredCA.crt" ]]
  95. then
  96. echo "Generating ExpiredCA.key"
  97. FAKETIME=-10y openssl genrsa -aes256 -passout file:pass.secret -out $CERT_DIR/ExpiredCA.key 4096
  98. echo "Generating ExpiredCA.crt"
  99. FAKETIME=-10y openssl req -new -x509 -days 1 -key $CERT_DIR/ExpiredCA.key -passin file:pass.secret -out $CERT_DIR/ExpiredCA.crt -subj "/emailAddress=ExpiredCA@example.com/C=DE/ST=Berlin/L=Berlin/O=Example Security/OU=IT Department/CN=example.com"
  100. echo "Generating ExpiredCA.secret"
  101. cp pass.secret $CERT_DIR/ExpiredCA.secret
  102. fi
  103. for EMAIL_ADDRESS in expiredsmime1@example.com expiredsmime2@example.com
  104. do
  105. if [[ ! -e "$CERT_DIR/$EMAIL_ADDRESS.crt" ]]
  106. then
  107. echo "Generating $EMAIL_ADDRESS.key"
  108. FAKETIME=-10y openssl genrsa -aes256 -passout file:pass.secret -out $CERT_DIR/$EMAIL_ADDRESS.key 4096
  109. echo "Generating $EMAIL_ADDRESS.csr (certificate signing request)"
  110. FAKETIME=-10y openssl req -new -key $CERT_DIR/$EMAIL_ADDRESS.key -passin file:pass.secret -out $CERT_DIR/$EMAIL_ADDRESS.csr -subj "/emailAddress=$EMAIL_ADDRESS/C=DE/ST=Berlin/L=Berlin/O=Example Security/OU=IT Department/CN=example.com"
  111. echo "Generating $EMAIL_ADDRESS.crt (certificate)"
  112. FAKETIME=-10y openssl x509 -req \
  113. -days 1 \
  114. -in $CERT_DIR/$EMAIL_ADDRESS.csr \
  115. -CA $CERT_DIR/ExpiredCA.crt \
  116. -CAkey $CERT_DIR/ExpiredCA.key \
  117. -out $CERT_DIR/$EMAIL_ADDRESS.crt \
  118. -addtrust emailProtection \
  119. -addreject clientAuth \
  120. -addreject serverAuth \
  121. -trustout \
  122. -CAcreateserial -CAserial /tmp/ExpiredCA.seq \
  123. -extensions smime \
  124. -extfile config.cnf \
  125. -passin file:pass.secret
  126. echo "Generating $EMAIL_ADDRESS.secret"
  127. cp pass.secret $CERT_DIR/$EMAIL_ADDRESS.secret
  128. fi
  129. done
  130. # run command passed to docker run
  131. exec "$@"