
  1. #!/bin/bash
  2. echo "Zammad S/MIME test certificate generation"
  3. if [[ ! -e "$CERT_DIR/RootCA.key" ]] || [[ ! -e "$CERT_DIR/RootCA.crt" ]]
  4. then
  5. echo "Generating RootCA.key and RootCA.csr"
  6. openssl req -new -newkey rsa:4096 -nodes -out $CERT_DIR/RootCA.csr -keyout $CERT_DIR/RootCA.key -extensions v3_ca -subj "/emailAddress=RootCA@example.com/C=DE/ST=Berlin/L=Berlin/O=Example Security/OU=IT Department/CN=example.com"
  7. echo "Generating RootCA.crt"
  8. openssl x509 -signkey $CERT_DIR/RootCA.key -days 73000 -req -in $CERT_DIR/RootCA.csr -set_serial 01 -out $CERT_DIR/RootCA.crt
  9. echo "Generating RootCA.secret"
  10. cp pass.secret $CERT_DIR/RootCA.secret
  11. fi
  12. if [[ ! -e "$CERT_DIR/IntermediateCA.key" ]] || [[ ! -e "$CERT_DIR/IntermediateCA.crt" ]]
  13. then
  14. echo "Generating IntermediateCA.key and IntermediateCA.csr"
  15. openssl req -new -newkey rsa:4096 -nodes -out $CERT_DIR/IntermediateCA.csr -keyout $CERT_DIR/IntermediateCA.key -subj "/emailAddress=IntermediateCA@example.com/C=DE/ST=Berlin/L=Berlin/O=Example Security/OU=IT Department/CN=example.com"
  16. echo "Generating IntermediateCA.crt"
  17. openssl x509 -CA $CERT_DIR/RootCA.crt -CAkey $CERT_DIR/RootCA.key -passin file:pass.secret -days 73000 -req -in $CERT_DIR/IntermediateCA.csr -set_serial 02 -out $CERT_DIR/IntermediateCA.crt
  18. echo "Generating IntermediateCA.secret"
  19. cp pass.secret $CERT_DIR/IntermediateCA.secret
  20. fi
  21. if [[ ! -e "$CERT_DIR/ChainCA.key" ]] || [[ ! -e "$CERT_DIR/ChainCA.crt" ]]
  22. then
  23. echo "Generating ChainCA.key and ChainCA.csr"
  24. openssl req -new -newkey rsa:4096 -nodes -out $CERT_DIR/ChainCA.csr -keyout $CERT_DIR/ChainCA.key -subj "/emailAddress=ChainCA@example.com/C=DE/ST=Berlin/L=Berlin/O=Example Security/OU=IT Department/CN=example.com"
  25. echo "Generating ChainCA.crt"
  26. openssl x509 -CA $CERT_DIR/IntermediateCA.crt -CAkey $CERT_DIR/IntermediateCA.key -passin file:pass.secret -days 73000 -req -in $CERT_DIR/ChainCA.csr -set_serial 03 -out $CERT_DIR/ChainCA.crt
  27. echo "Generating ChainCA.secret"
  28. cp pass.secret $CERT_DIR/ChainCA.secret
  29. fi
  30. for EMAIL_ADDRESS in smime1@example.com smime2@example.com smime3@example.com smimedouble@example.com CaseInsenstive@eXample.COM
  31. do
  32. if [[ ! -e "$CERT_DIR/$EMAIL_ADDRESS.crt" ]]
  33. then
  34. echo "Generating $EMAIL_ADDRESS.key"
  35. openssl genrsa -aes256 -passout file:pass.secret -out $CERT_DIR/$EMAIL_ADDRESS.key 4096
  36. echo "Generating $EMAIL_ADDRESS.csr (certificate signing request)"
  37. openssl req -new -key $CERT_DIR/$EMAIL_ADDRESS.key -passin file:pass.secret -out $CERT_DIR/$EMAIL_ADDRESS.csr -subj "/emailAddress=$EMAIL_ADDRESS/C=DE/ST=Berlin/L=Berlin/O=Example Security/OU=IT Department/CN=example.com"
  38. echo "Generating $EMAIL_ADDRESS.crt (certificate)"
  39. if [ "$EMAIL_ADDRESS" != "smimedouble@example.com" ]
  40. then
  41. extfile="config.cnf"
  42. else
  43. # special config that contains two email addresses in one certificate
  44. extfile="double.cnf"
  45. fi
  46. openssl x509 -req \
  47. -days 73000 \
  48. -in $CERT_DIR/$EMAIL_ADDRESS.csr \
  49. -CA $CERT_DIR/RootCA.crt \
  50. -CAkey $CERT_DIR/RootCA.key \
  51. -out $CERT_DIR/$EMAIL_ADDRESS.crt \
  52. -addtrust emailProtection \
  53. -addreject clientAuth \
  54. -addreject serverAuth \
  55. -trustout \
  56. -CAcreateserial -CAserial /tmp/RootCA.seq \
  57. -extensions smime \
  58. -extfile "$extfile" \
  59. -passin file:pass.secret
  60. echo "Generating $EMAIL_ADDRESS.secret"
  61. cp pass.secret $CERT_DIR/$EMAIL_ADDRESS.secret
  62. fi
  63. done
  64. echo "Generating from CA chain"
  65. # shellcheck disable=SC2043
  66. for EMAIL_ADDRESS in chain@example.com
  67. do
  68. if [[ ! -e "$CERT_DIR/$EMAIL_ADDRESS.crt" ]]
  69. then
  70. echo "Generating $EMAIL_ADDRESS.key"
  71. openssl genrsa -aes256 -passout file:pass.secret -out $CERT_DIR/$EMAIL_ADDRESS.key 4096
  72. echo "Generating $EMAIL_ADDRESS.csr (certificate signing request)"
  73. openssl req -new -key $CERT_DIR/$EMAIL_ADDRESS.key -passin file:pass.secret -out $CERT_DIR/$EMAIL_ADDRESS.csr -subj "/emailAddress=$EMAIL_ADDRESS/C=DE/ST=Berlin/L=Berlin/O=Example Security/OU=IT Department/CN=example.com"
  74. echo "Generating $EMAIL_ADDRESS.crt (certificate)"
  75. openssl x509 -req \
  76. -days 73000 \
  77. -in $CERT_DIR/$EMAIL_ADDRESS.csr \
  78. -CA $CERT_DIR/ChainCA.crt \
  79. -CAkey $CERT_DIR/ChainCA.key \
  80. -out $CERT_DIR/$EMAIL_ADDRESS.crt \
  81. -addtrust emailProtection \
  82. -addreject clientAuth \
  83. -addreject serverAuth \
  84. -trustout \
  85. -CAcreateserial -CAserial /tmp/ChainCA.seq \
  86. -extensions smime \
  87. -extfile "config.cnf" \
  88. -passin file:pass.secret
  89. echo "Generating $EMAIL_ADDRESS.secret"
  90. cp pass.secret $CERT_DIR/$EMAIL_ADDRESS.secret
  91. fi
  92. done
  93. echo "Generating expired"
  94. FAKETIME=-10y date
  95. if [[ ! -e "$CERT_DIR/ExpiredCA.key" ]] || [[ ! -e "$CERT_DIR/ExpiredCA.crt" ]]
  96. then
  97. echo "Generating ExpiredCA.key"
  98. FAKETIME=-10y openssl genrsa -aes256 -passout file:pass.secret -out $CERT_DIR/ExpiredCA.key 4096
  99. echo "Generating ExpiredCA.crt"
  100. FAKETIME=-10y openssl req -new -x509 -days 1 -key $CERT_DIR/ExpiredCA.key -passin file:pass.secret -out $CERT_DIR/ExpiredCA.crt -subj "/emailAddress=ExpiredCA@example.com/C=DE/ST=Berlin/L=Berlin/O=Example Security/OU=IT Department/CN=example.com"
  101. echo "Generating ExpiredCA.secret"
  102. cp pass.secret $CERT_DIR/ExpiredCA.secret
  103. fi
  104. for EMAIL_ADDRESS in expiredsmime1@example.com expiredsmime2@example.com
  105. do
  106. if [[ ! -e "$CERT_DIR/$EMAIL_ADDRESS.crt" ]]
  107. then
  108. echo "Generating $EMAIL_ADDRESS.key"
  109. FAKETIME=-10y openssl genrsa -aes256 -passout file:pass.secret -out $CERT_DIR/$EMAIL_ADDRESS.key 4096
  110. echo "Generating $EMAIL_ADDRESS.csr (certificate signing request)"
  111. FAKETIME=-10y openssl req -new -key $CERT_DIR/$EMAIL_ADDRESS.key -passin file:pass.secret -out $CERT_DIR/$EMAIL_ADDRESS.csr -subj "/emailAddress=$EMAIL_ADDRESS/C=DE/ST=Berlin/L=Berlin/O=Example Security/OU=IT Department/CN=example.com"
  112. echo "Generating $EMAIL_ADDRESS.crt (certificate)"
  113. FAKETIME=-10y openssl x509 -req \
  114. -days 1 \
  115. -in $CERT_DIR/$EMAIL_ADDRESS.csr \
  116. -CA $CERT_DIR/ExpiredCA.crt \
  117. -CAkey $CERT_DIR/ExpiredCA.key \
  118. -out $CERT_DIR/$EMAIL_ADDRESS.crt \
  119. -addtrust emailProtection \
  120. -addreject clientAuth \
  121. -addreject serverAuth \
  122. -trustout \
  123. -CAcreateserial -CAserial /tmp/ExpiredCA.seq \
  124. -extensions smime \
  125. -extfile config.cnf \
  126. -passin file:pass.secret
  127. echo "Generating $EMAIL_ADDRESS.secret"
  128. cp pass.secret $CERT_DIR/$EMAIL_ADDRESS.secret
  129. fi
  130. done
  131. # run command passed to docker run
  132. exec "$@"