#
# Requires certtool (from GnuTLS).
#
-# Copyright (C) 2011-2012 Simon Ruderich
+# Copyright (C) 2011-2013 Simon Ruderich
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# along with this program. If not, see <http://www.gnu.org/licenses/>.
-tempfile=`mktemp` || exit 1
+set -e
-die() {
- rm -f "$tempfile"
+
+if test "$#" -ge 1 && test x"$*" != 'x--force'; then
+ echo "Usage: $0 [--force]" >&2
exit 1
-}
+fi
+
+# Prevent accidental overwrites.
+if test x"$1" != 'x--force'; then
+ for x in proxy-ca-key.pem proxy-ca.pem \
+ proxy-key.pem proxy-invalid.pem proxy-dh.pem; do
+ if test -f "$x"; then
+ echo "File '$x' already exists. Use --force to overwrite." >&2
+ exit 2
+ fi
+ done
+fi
+
+
+tempfile=`mktemp`
+trap 'rm -f "$tempfile"' EXIT
# Generate proxy CA key file.
-certtool --generate-privkey > proxy-ca-key.pem || die
+certtool --generate-privkey \
+ --sec-param high \
+ --outfile proxy-ca-key.pem
# Generate proxy CA.
echo 'cn = tlsproxy CA' > "$tempfile"
echo ca >> "$tempfile"
echo cert_signing_key >> "$tempfile"
+echo 'expiration_days = 3650' >> "$tempfile"
certtool --generate-self-signed \
--load-privkey proxy-ca-key.pem \
--template "$tempfile" \
- --outfile proxy-ca.pem || die
+ --outfile proxy-ca.pem
# Generate proxy key file.
-certtool --generate-privkey > proxy-key.pem || die
+certtool --generate-privkey \
+ --sec-param high \
+ --outfile proxy-key.pem
# Generate proxy "invalid" server certificate. It's used for problematic
# connections.
echo tls_www_server >> "$tempfile"
echo encryption_key >> "$tempfile"
echo signing_key >> "$tempfile"
+echo 'expiration_days = 3650' >> "$tempfile"
certtool --generate-self-signed \
--load-privkey proxy-key.pem \
--template "$tempfile" \
- --outfile proxy-invalid.pem || die
+ --outfile proxy-invalid.pem
rm "$tempfile"
+# Generate proxy Diffie-Hellman parameters.
+certtool --generate-dh-params \
+ --sec-param high \
+ --outfile proxy-dh.pem
+
echo done