Home Explore Help
Sign In
SMusatov
/
zammad
mirror of https://github.com/zammad/zammad.git
1
0
Fork 0
Files
Tree: f43894dd00
Branches Tags
zammad
/
spec
/
fixtures
/
files
/
smime
/
generate
/
docker-entrypoint.sh

docker-entrypoint.sh 14 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389 
  1. #!/bin/bash
    2. 

  2. 

  3. echo "Zammad S/MIME test certificate generation"
    4. 

  4. 

  5. # prepare crl stuff
    6. 

  6. touch /tmp/index.txt
    7. 

  7. echo 1000 > /tmp/serial
    8. 

  8. 

  9. if [[ ! -e "$CERT_DIR/RootCA.key" ]] || [[ ! -e "$CERT_DIR/RootCA.crt" ]] || [[ -z "$SKIP_REGENERATE" ]]
    10. 

  10. then
    11. 

  11.     export CA="RootCA"
    12. 

  12. 

  13.     echo "Generating RootCA.key and RootCA.crt"
    14. 

  14.     openssl req -batch -config ca.cnf \
    15. 

  15.         -new -x509 -days 7300 -sha256 -extensions v3_ca -out "${CERT_DIR}/RootCA.crt" \
    16. 

  16.         -newkey rsa:4096 -nodes -keyout "${CERT_DIR}/RootCA.key" \
    17. 

  17.         -subj "/emailAddress=RootCA@example.com/C=DE/ST=Berlin/L=Berlin/O=Example Security/OU=IT Department/CN=example.com"
    18. 

  18. 

  19.     echo "Generating RootCA.secret"
    20. 

  20.     cp pass.secret $CERT_DIR/RootCA.secret
    21. 

  21. 

  22.     unset CA
    23. 

  23. fi
    24. 

  24. 

  25. if [[ ! -e "$CERT_DIR/IntermediateCA.key" ]] || [[ ! -e "$CERT_DIR/IntermediateCA.crt" ]] || [[ -z "$SKIP_REGENERATE" ]]
    26. 

  26. then
    27. 

  27.     export CA="RootCA"
    28. 

  28.     export ICA="IntermediateCA"
    29. 

  29. 

  30.     echo "Generating IntermediateCA.key and IntermediateCA.csr"
    31. 

  31.     openssl req -batch -config intermediate.cnf \
    32. 

  32.         -new -sha256 -out $CERT_DIR/IntermediateCA.csr \
    33. 

  33.         -newkey rsa:4096 -nodes -keyout $CERT_DIR/IntermediateCA.key \
    34. 

  34.         -subj "/emailAddress=IntermediateCA@example.com/C=DE/ST=Berlin/L=Berlin/O=Example Security/OU=IT Department/CN=example.com"
    35. 

  35. 

  36.     echo "Generating IntermediateCA.crt"
    37. 

  37.     openssl ca -batch -config ca.cnf \
    38. 

  38.         -extensions v3_intermediate_ca -days 7300 -notext -md sha256 \
    39. 

  39.         -in $CERT_DIR/IntermediateCA.csr -out $CERT_DIR/IntermediateCA.crt
    40. 

  40. 

  41.     echo "Generating IntermediateCA.secret"
    42. 

  42.     cp pass.secret $CERT_DIR/IntermediateCA.secret
    43. 

  43. 

  44.     unset CA
    45. 

  45.     unset ICA
    46. 

  46. fi
    47. 

  47. 

  48. if [[ ! -e "$CERT_DIR/ChainCA.crt" ]] || [[ -z "$SKIP_REGENERATE" ]]
    49. 

  49. then
    50. 

  50.     echo "Generating ChainCA.key and ChainCA.csr"
    51. 

  51.     cp $CERT_DIR/IntermediateCA.key $CERT_DIR/ChainCA.key
    52. 

  52.     cat $CERT_DIR/IntermediateCA.crt $CERT_DIR/RootCA.crt > $CERT_DIR/ChainCA.crt
    53. 

  53. 

  54.     echo "Generating IntermediateCA.secret"
    55. 

  55.     cp pass.secret $CERT_DIR/ChainCA.secret
    56. 

  56. fi
    57. 

  57. 

  58. for EMAIL_ADDRESS in smime1@example.com smime2@example.com smime3@example.com smimedouble@example.com CaseInsenstive@eXample.COM pgp+smime-sender@example.com pgp+smime-recipient@example.com chain@example.com
    59. 

  59. do
    60. 

  60.     if [[ ! -e "$CERT_DIR/$EMAIL_ADDRESS.crt" ]] || [[ -z "$SKIP_REGENERATE" ]]
    61. 

  61.     then
    62. 

  62.         export CA="RootCA"
    63. 

  63.         export ICA="IntermediateCA"
    64. 

  64. 

  65.         echo "Generating $EMAIL_ADDRESS.key"
    66. 

  66.         openssl genrsa -aes256 -passout file:pass.secret -out $CERT_DIR/${EMAIL_ADDRESS}.key 4096
    67. 

  67. 

  68.         echo "Generating $EMAIL_ADDRESS.csr (certificate signing request)"
    69. 

  69.         openssl req -batch -config intermediate.cnf \
    70. 

  70.             -new -sha256 -out $CERT_DIR/${EMAIL_ADDRESS}.csr \
    71. 

  71.             -key $CERT_DIR/${EMAIL_ADDRESS}.key -passin file:pass.secret \
    72. 

  72.             -subj "/emailAddress=${EMAIL_ADDRESS}/C=DE/ST=Berlin/L=Berlin/O=Example Security/OU=IT Department/CN=example.com"
    73. 

  73. 

  74.         echo "Generating $EMAIL_ADDRESS.crt (certificate)"
    75. 

  75. 

  76.         if [ "$EMAIL_ADDRESS" != "smimedouble@example.com" ]
    77. 

  77.         then
    78. 

  78.             SAN="email:${EMAIL_ADDRESS}"
    79. 

  79.         else
    80. 

  80.             SAN="email:smimedouble@example.com,email:smimedouble@example.de"
    81. 

  81.         fi
    82. 

  82. 

  83.         export SAN
    84. 

  84.         openssl ca -batch -config intermediate.cnf \
    85. 

  85.             -extensions smime -days 7300 -notext -md sha256 \
    86. 

  86.             -in $CERT_DIR/${EMAIL_ADDRESS}.csr -out $CERT_DIR/${EMAIL_ADDRESS}.crt
    87. 

  87.         unset SAN
    88. 

  88. 

  89.         echo "Generating $EMAIL_ADDRESS.secret"
    90. 

  90.         cp pass.secret $CERT_DIR/$EMAIL_ADDRESS.secret
    91. 

  91. 

  92.         unset CA
    93. 

  93.         unset ICA
    94. 

  94.     fi
    95. 

  95. done
    96. 

  96. 

  97. 

  98. echo "Generating a combo of private key and certificate for issue #3727"
    99. 

  99. 

  100. if [[ ! -e "$CERT_DIR/issue_3727.key" ]] || [[ -z "$SKIP_REGENERATE" ]]
    101. 

  101. then
    102. 

  102.     cat "$CERT_DIR/smime1@example.com.key" "$CERT_DIR/smime1@example.com.crt" > "$CERT_DIR/issue_3727.key"
    103. 

  103.     cp "$CERT_DIR/smime1@example.com.secret" "$CERT_DIR/issue_3727.secret"
    104. 

  104. 

  105.     # Get SHA1 fingerprint of the certificate, in lowercase.
    106. 

  106.     openssl x509 -fingerprint -sha1 -noout -in "$CERT_DIR/smime1@example.com.crt" | sed -r 's/.*=([0-9A-F:]{59})/\1/' | sed 's/://g' | tr '[:upper:]' '[:lower:]' > "$CERT_DIR/issue_3727.fingerprint"
    107. 

  107. fi
    108. 

  108. 

  109. 

  110. echo "Generating expired"
    111. 

  111. FAKETIME=-10y date
    112. 

  112. 

  113. if [[ ! -e "$CERT_DIR/ExpiredCA.key" ]] || [[ ! -e "$CERT_DIR/ExpiredCA.crt" ]] || [[ -z "$SKIP_REGENERATE" ]]
    114. 

  114. then
    115. 

  115.     export CA="ExpiredCA"
    116. 

  116. 

  117.     echo "Generating ExpiredCA.key and ExpiredCA.crt"
    118. 

  118.     FAKETIME=-10y \
    119. 

  119.     openssl req -batch -config ca.cnf \
    120. 

  120.         -new -x509 -days 365 -sha256 -extensions v3_ca -out "${CERT_DIR}/ExpiredCA.crt" \
    121. 

  121.         -newkey rsa:4096 -nodes -keyout "${CERT_DIR}/ExpiredCA.key" \
    122. 

  122.         -subj "/emailAddress=ExpiredCA@example.com/C=DE/ST=Berlin/L=Berlin/O=Example Security/OU=IT Department/CN=example.com"
    123. 

  123. 

  124.     echo "Generating ExpiredCA.secret"
    125. 

  125.     cp pass.secret $CERT_DIR/ExpiredCA.secret
    126. 

  126. 

  127.     unset CA
    128. 

  128. fi
    129. 

  129. 

  130. if [[ ! -e "$CERT_DIR/ExpiredIntermediateCA.key" ]] || [[ ! -e "$CERT_DIR/ExpiredIntermediateCA.crt" ]] || [[ -z "$SKIP_REGENERATE" ]]
    131. 

  131. then
    132. 

  132.     export CA="ExpiredCA"
    133. 

  133.     export ICA="ExpiredIntermediateCA"
    134. 

  134. 

  135.     echo "Generating ExpiredIntermediateCA.key and ExpiredIntermediateCA.csr"
    136. 

  136.     FAKETIME=-10y \
    137. 

  137.     openssl req -batch -config intermediate.cnf \
    138. 

  138.         -new -sha256 -out $CERT_DIR/ExpiredIntermediateCA.csr \
    139. 

  139.         -newkey rsa:4096 -nodes -keyout $CERT_DIR/ExpiredIntermediateCA.key \
    140. 

  140.         -subj "/emailAddress=ExpiredIntermediateCA@example.com/C=DE/ST=Berlin/L=Berlin/O=Example Security/OU=IT Department/CN=example.com"
    141. 

  141. 

  142.     echo "Generating ExpiredIntermediateCA.crt"
    143. 

  143.     FAKETIME=-10y \
    144. 

  144.     openssl ca -batch -config ca.cnf \
    145. 

  145.         -extensions v3_intermediate_ca -days 365 -notext -md sha256 \
    146. 

  146.         -in $CERT_DIR/ExpiredIntermediateCA.csr -out $CERT_DIR/ExpiredIntermediateCA.crt
    147. 

  147. 

  148.     echo "Generating ExpiredIntermediateCA.secret"
    149. 

  149.     cp pass.secret $CERT_DIR/ExpiredIntermediateCA.secret
    150. 

  150. 

  151.     unset CA
    152. 

  152.     unset ICA
    153. 

  153. fi
    154. 

  154. 

  155. for EMAIL_ADDRESS in expiredsmime1@example.com expiredsmime2@example.com
    156. 

  156. do
    157. 

  157.     if [[ ! -e "$CERT_DIR/$EMAIL_ADDRESS.crt" ]] || [[ -z "$SKIP_REGENERATE" ]]
    158. 

  158.     then
    159. 

  159.         export CA="ExpiredCA"
    160. 

  160.         export ICA="ExpiredIntermediateCA"
    161. 

  161. 

  162.         echo "Generating $EMAIL_ADDRESS.key"
    163. 

  163.         FAKETIME=-10y \
    164. 

  164.         openssl genrsa -aes256 -passout file:pass.secret -out $CERT_DIR/$EMAIL_ADDRESS.key 4096
    165. 

  165. 

  166.         echo "Generating $EMAIL_ADDRESS.csr (certificate signing request)"
    167. 

  167. 

  168.         FAKETIME=-10y \
    169. 

  169.         openssl req -batch -config intermediate.cnf \
    170. 

  170.             -new -sha256 -out $CERT_DIR/${EMAIL_ADDRESS}.csr \
    171. 

  171.             -key $CERT_DIR/${EMAIL_ADDRESS}.key -passin file:pass.secret \
    172. 

  172.             -subj "/emailAddress=${EMAIL_ADDRESS}/C=DE/ST=Berlin/L=Berlin/O=Example Security/OU=IT Department/CN=example.com"
    173. 

  173. 

  174.         echo "Generating $EMAIL_ADDRESS.crt (certificate)"
    175. 

  175.         export SAN="email:${EMAIL_ADDRESS}"
    176. 

  176.         FAKETIME=-10y \
    177. 

  177.         openssl ca -batch -config intermediate.cnf \
    178. 

  178.             -extensions smime -days 365 -notext -md sha256 \
    179. 

  179.             -in $CERT_DIR/${EMAIL_ADDRESS}.csr -out $CERT_DIR/${EMAIL_ADDRESS}.crt
    180. 

  180.         unset SAN
    181. 

  181. 

  182.         echo "Generating $EMAIL_ADDRESS.secret"
    183. 

  183.         cp pass.secret $CERT_DIR/$EMAIL_ADDRESS.secret
    184. 

  184. 

  185.         unset CA
    186. 

  186.         unset ICA
    187. 

  187.     fi
    188. 

  188. done
    189. 

  189. 

  190. if [[ ! -e "$CERT_DIR/SenderCA.key" ]] || [[ ! -e "$CERT_DIR/SenderCA.crt" ]] || [[ -z "$SKIP_REGENERATE" ]]
    191. 

  191. then
    192. 

  192.     export CA="SenderCA"
    193. 

  193. 

  194.     echo "Generating SenderCA.key and SenderCA.crt"
    195. 

  195.     openssl req -batch -config ca.cnf \
    196. 

  196.         -new -x509 -days 7300 -sha256 -extensions v3_ca -out "${CERT_DIR}/SenderCA.crt" \
    197. 

  197.         -newkey rsa:4096 -nodes -keyout "${CERT_DIR}/SenderCA.key" \
    198. 

  198.         -subj "/emailAddress=SenderCA@example.com/C=DE/ST=Berlin/L=Berlin/O=Example Security/OU=IT Department/CN=example.com"
    199. 

  199. 

  200.     echo "Generating SenderCA.secret"
    201. 

  201.     cp pass.secret $CERT_DIR/SenderCA.secret
    202. 

  202. 

  203.     unset CA
    204. 

  204. fi
    205. 

  205. 

  206. if [[ ! -e "$CERT_DIR/SenderIntermediateCA.key" ]] || [[ ! -e "$CERT_DIR/SenderIntermediateCA.crt" ]] || [[ -z "$SKIP_REGENERATE" ]]
    207. 

  207. then
    208. 

  208.     export CA="SenderCA"
    209. 

  209.     export ICA="SenderIntermediateCA"
    210. 

  210. 

  211.     echo "Generating SenderIntermediateCA.key and SenderIntermediateCA.csr"
    212. 

  212.     openssl req -batch -config intermediate.cnf \
    213. 

  213.         -new -sha256 -out $CERT_DIR/SenderIntermediateCA.csr \
    214. 

  214.         -newkey rsa:4096 -nodes -keyout $CERT_DIR/SenderIntermediateCA.key \
    215. 

  215.         -subj "/emailAddress=SenderIntermediateCA@example.com/C=DE/ST=Berlin/L=Berlin/O=Example Security/OU=IT Department/CN=example.com"
    216. 

  216. 

  217.     echo "Generating SenderIntermediateCA.crt"
    218. 

  218.     openssl ca -batch -config ca.cnf \
    219. 

  219.         -extensions v3_intermediate_ca -days 7300 -notext -md sha256 \
    220. 

  220.         -in $CERT_DIR/SenderIntermediateCA.csr -out $CERT_DIR/SenderIntermediateCA.crt
    221. 

  221. 

  222.     echo "Generating SenderIntermediateCA.secret"
    223. 

  223.     cp pass.secret $CERT_DIR/SenderIntermediateCA.secret
    224. 

  224. 

  225.     unset CA
    226. 

  226.     unset ICA
    227. 

  227. fi
    228. 

  228. 

  229. EMAIL_ADDRESS="smime-sender-ca@example.com"
    230. 

  230. 

  231. if [[ ! -e "$CERT_DIR/$EMAIL_ADDRESS.crt" ]] || [[ -z "$SKIP_REGENERATE" ]]
    232. 

  232. then
    233. 

  233.     export CA="SenderCA"
    234. 

  234.     export ICA="SenderIntermediateCA"
    235. 

  235. 

  236.     echo "Generating $EMAIL_ADDRESS.key"
    237. 

  237.     openssl genrsa -aes256 -passout file:pass.secret -out $CERT_DIR/${EMAIL_ADDRESS}.key 4096
    238. 

  238. 

  239.     echo "Generating $EMAIL_ADDRESS.csr (certificate signing request)"
    240. 

  240.     openssl req -batch -config intermediate.cnf \
    241. 

  241.         -new -sha256 -out $CERT_DIR/${EMAIL_ADDRESS}.csr \
    242. 

  242.         -key $CERT_DIR/${EMAIL_ADDRESS}.key -passin file:pass.secret \
    243. 

  243.         -subj "/emailAddress=${EMAIL_ADDRESS}/C=DE/ST=Berlin/L=Berlin/O=Example Security/OU=IT Department/CN=example.com"
    244. 

  244. 

  245.     echo "Generating $EMAIL_ADDRESS.crt (certificate)"
    246. 

  246. 

  247.     if [ "$EMAIL_ADDRESS" != "smimedouble@example.com" ]
    248. 

  248.     then
    249. 

  249.         SAN="email:${EMAIL_ADDRESS}"
    250. 

  250.     else
    251. 

  251.         # special config that contains two email addresses in one certificate
    252. 

  252.         SAN="email:smimedouble@example.com,email:smimedouble.example.de"
    253. 

  253.     fi
    254. 

  254. 

  255.     export SAN
    256. 

  256.     openssl ca -batch -config intermediate.cnf \
    257. 

  257.         -extensions smime -days 7300 -notext -md sha256 \
    258. 

  258.         -in $CERT_DIR/${EMAIL_ADDRESS}.csr -out $CERT_DIR/${EMAIL_ADDRESS}.crt
    259. 

  259.     unset SAN
    260. 

  260. 

  261.     echo "Generating $EMAIL_ADDRESS.secret"
    262. 

  262.     cp pass.secret $CERT_DIR/$EMAIL_ADDRESS.secret
    263. 

  263. 

  264.     unset CA
    265. 

  265.     unset ICA
    266. 

  266. fi
    267. 

  267. 

  268. echo "Generating test mails"
    269. 

  269. 

  270. for TEST_MAIL_SIGNER in sender_is_signer,smime1@example.com sender_not_signer,smime1@example.com sender_is_signer_with_ca,smime-sender-ca@example.com
    271. 

  271. do
    272. 

  272.     TEST_MAIL=${TEST_MAIL_SIGNER%,*}
    273. 

  273.     TEST_SIGNER=${TEST_MAIL_SIGNER#*,}
    274. 

  274. 

  275.     if [[ ! -e "$CERT_DIR/$TEST_MAIL.eml" ]] || [[ -z "$SKIP_REGENERATE" ]]
    276. 

  276.     then
    277. 

  277.         if [[ ! -e "$CERT_DIR/$TEST_MAIL.eml.head.txt" ]] || [[ ! -e "$CERT_DIR/$TEST_MAIL.eml.body.txt" ]] || [[ -n "$SKIP_REGENERATE" ]]
    278. 

  278.         then
    279. 

  279.             echo "$CERT_DIR/$TEST_MAIL.eml.head.txt or $CERT_DIR/$TEST_MAIL.eml.body.txt not found, skipping..."
    280. 

  280.             continue
    281. 

  281.         fi
    282. 

  282. 

  283.         if [[ ! -e "$CERT_DIR/$TEST_SIGNER.crt" ]] || [[ ! -e "$CERT_DIR/$TEST_SIGNER.key" ]] || [[ ! -e "$CERT_DIR/$TEST_SIGNER.secret" ]] || [[ -n "$SKIP_REGENERATE" ]]
    284. 

  284.         then
    285. 

  285.             echo "$CERT_DIR/$TEST_SIGNER.secret or $CERT_DIR/$TEST_SIGNER.secret or $CERT_DIR/$TEST_SIGNER.secret not found, skipping..."
    286. 

  286.             continue
    287. 

  287.         fi
    288. 

  288. 

  289.         if [ $TEST_SIGNER != "smime-sender-ca@example.com" ]
    290. 

  290.         then
    291. 

  291.             CERTFILE="RootCA.crt"
    292. 

  292.         else
    293. 

  293.             CERTFILE="SenderCA.crt"
    294. 

  294.         fi
    295. 

  295. 

  296.         echo "Generating $CERT_DIR/$TEST_MAIL.eml"
    297. 

  297.         openssl smime -sign -in "$CERT_DIR/$TEST_MAIL.eml.body.txt" -out "$CERT_DIR/$TEST_MAIL.eml" \
    298. 

  298.             -signer "$CERT_DIR/$TEST_SIGNER.crt" -inkey "$CERT_DIR/$TEST_SIGNER.key" \
    299. 

  299.             -certfile "$CERT_DIR/$CERTFILE" -text -passin "file:$CERT_DIR/$TEST_SIGNER.secret"
    300. 

  300.         cat "$CERT_DIR/$TEST_MAIL.eml.head.txt" "$CERT_DIR/$TEST_MAIL.eml" > /tmp/test_mail && mv /tmp/test_mail "$CERT_DIR/$TEST_MAIL.eml"
    301. 

  301.     fi
    302. 

  302. done
    303. 

  303. 

  304. echo "Generating further certificates for test variation"
    305. 

  305. 

  306. certs=(
    307. 

  307.     "alice@acme.corp,true,true,false,true,alice@acme.corp+sign+encrypt,rsa"
    308. 

  308.     "alice@acme.corp,false,true,false,true,alice@acme.corp+encrypt,rsa"
    309. 

  309.     "alice@acme.corp,true,false,false,true,alice@acme.corp+sign,rsa"
    310. 

  310.     "alice@acme.corp,true,true,true,true,alice@acme.corp+sign+encrypt+expired,rsa"
    311. 

  311.     "alice@acme.corp,true,true,true,true,alice@acme.corp+sign+encrypt+ec,ec"
    312. 

  312.     "alice@acme.corp,true,true,true,false,alice@acme.corp+sign+encrypt+future,rsa"
    313. 

  313. )
    314. 

  314. 

  315. # email sign encrypt expired effective filename algorithm
    316. 

  316. for cert in "${certs[@]}"; do
    317. 

  317.     IFS=$',' read -r email sign encrypt expired effective filename algorithm <<< "$cert"
    318. 

  318. 

  319.     if [[ -e "$CERT_DIR/$filename.crt" ]] && [[ -n "$SKIP_REGENERATE" ]]
    320. 

  320.     then
    321. 

  321.         continue
    322. 

  322.     fi
    323. 

  323. 

  324.     if [ "$sign" == "true" ] && [ "$encrypt" == "true" ]
    325. 

  325.     then
    326. 

  326.         KU="nonRepudiation, digitalSignature, keyEncipherment"
    327. 

  327.     elif [ "$sign" == "true" ]
    328. 

  328.     then
    329. 

  329.         KU="nonRepudiation, digitalSignature"
    330. 

  330.     elif [ "$encrypt" == "true" ]
    331. 

  331.     then
    332. 

  332.         KU="keyEncipherment"
    333. 

  333.     fi
    334. 

  334. 

  335.     FAKETIME=""
    336. 

  336.     if [ "$expired" == "true" ]
    337. 

  337.     then
    338. 

  338.         FAKETIME=-10y
    339. 

  339.     fi
    340. 

  340. 

  341.     if [ "$effective" == "false" ]
    342. 

  342.     then
    343. 

  343.         FAKETIME=+10y
    344. 

  344.     fi
    345. 

  345. 

  346.     echo "Generating $filename.key"
    347. 

  347.     if [ "$algorithm" == "ec" ]
    348. 

  348.     then
    349. 

  349.         openssl genpkey -algorithm EC \
    350. 

  350.             -pkeyopt ec_paramgen_curve:prime192v1 \
    351. 

  351.             -pkeyopt ec_param_enc:named_curve \
    352. 

  352.             -out $CERT_DIR/${filename}.key -pass file:pass.secret
    353. 

  353.     else
    354. 

  354.         openssl genrsa -aes256 -passout file:pass.secret -out $CERT_DIR/${filename}.key 4096
    355. 

  355.     fi
    356. 

  356. 

  357.     echo "Generating $filename.csr (certificate signing request)"
    358. 

  358.     openssl req -batch -config intermediate.cnf \
    359. 

  359.         -new -sha256 -out $CERT_DIR/${filename}.csr \
    360. 

  360.         -key $CERT_DIR/${filename}.key -passin file:pass.secret \
    361. 

  361.         -subj "/emailAddress=${email}/C=DE/ST=Berlin/L=Berlin/O=Example Security/OU=IT Department/CN=example.com"
    362. 

  362. 

  363.     echo "Generating $filename.crt (certificate)"
    364. 

  364.     export SAN="email:${email}"
    365. 

  365.     export KU
    366. 

  366.     export FAKETIME
    367. 

  367.     openssl ca -batch -config intermediate.cnf \
    368. 

  368.         -extensions smime -days 3285 -notext -md sha256 \
    369. 

  369.         -in $CERT_DIR/${filename}.csr -out $CERT_DIR/${filename}.crt
    370. 

  370.     unset SAN
    371. 

  371.     unset KU
    372. 

  372.     unset FAKETIME
    373. 

  373. 

  374.     echo "Generating $filename.secret"
    375. 

  375.     cp pass.secret $CERT_DIR/$filename.secret
    376. 

  376. 

  377.     # get rid of crl stuff because of email reusage
    378. 

  378.     rm -f /tmp/*
    379. 

  379.     touch /tmp/index.txt
    380. 

  380.     echo 1000 > /tmp/serial
    381. 

  381.     rm -f $CERT_DIR/*.pem
    382. 

  382. done
    383. 

  383. 

  384. 

  385. # cleanup serial number named certificate copies
    386. 

  386. rm -f $CERT_DIR/*.pem
    387. 

  387. 

  388. # run command passed to docker run
    389. 

  389. exec "$@"
    390.