mosquitto单向认证

#!/bin/sh
#(&＃64;)generate-CA.sh - Create CA key-pair and server key-pair signed by CA# Copyright (c) 2013 Jan-Piet Mens
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are met:
#
# 1. Redistributions of source code must retain the above copyright notice,
# this list of conditions and the following disclaimer.
# 2. Redistributions in binary form must reproduce the above copyright
# notice, this list of conditions and the following disclaimer in the
# documentation and/or other materials provided with the distribution.
# 3. Neither the name of mosquitto nor the names of its
# contributors may be used to endorse or promote products derived from
# this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
# LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
# POSSIBILITY OF SUCH DAMAGE.set -eDIR&＃61;${TARGET:&＃61;&＃39;.&＃39;}
# A space-separated list of alternate hostnames (subjAltName)
# may be empty ""
ALTHOSTNAMES&＃61;"broker.example.com foo.example.de"
CA_ORG&＃61;&＃39;/O&＃61;MQTTitude.org/emailAddress&＃61;nobody&＃64;example.net&＃39;
CA_DN&＃61;"/CN&＃61;An MQTT broker${CA_ORG}"
CACERT&＃61;${DIR}/ca
SERVER&＃61;${DIR}/server
SERVER_DN&＃61;"/CN&＃61;$(hostname -f)$CA_ORG"
keybits&＃61;2048
openssl&＃61;$(which openssl)function maxdays() {nowyear&＃61;$(date &＃43;%Y)years&＃61;$(expr 2032 - $nowyear)days&＃61;$(expr $years &＃39;*&＃39; 365)echo $days
}function getipaddresses() {/sbin/ifconfig |sed -En &＃39;/inet6? /p&＃39; |sed -Ee &＃39;s/inet6? (addr:)?//&＃39; |awk &＃39;{print $1;}&＃39; |sed -e &＃39;s/[%/].*//&＃39; |egrep -v &＃39;(::1|127\.0\.0\.1)&＃39; # omit loopback to add it later
}function addresslist() {ALIST&＃61;""for a in $(getipaddresses); doALIST&＃61;"${ALIST}IP:$a,"doneALIST&＃61;"${ALIST}IP:127.0.0.1,IP:::1,"for h in $(echo ${ALTHOSTNAMES}); doALIST&＃61;"${ALIST}DNS:$h,"doneALIST&＃61;"${ALIST}DNS:localhost"echo $ALIST}days&＃61;$(maxdays)if [ -n "$CAKILLFILES" ]; thenrm -f $CACERT.??? $SERVER.??? $CACERT.srl
fiif [ ! -f $CACERT.crt ]; then# Create un-encrypted (!) key$openssl req -newkey rsa:${keybits} -x509 -nodes -days $days -extensions v3_ca -keyout $CACERT.key -out $CACERT.crt -subj "${CA_DN}"echo "Created CA certificate in $CACERT.crt"$openssl x509 -in $CACERT.crt -nameopt multiline -subject -nooutchmod 400 $CACERT.keychmod 444 $CACERT.crt
fiif [ ! -f $SERVER.key ]; thenecho "--- Creating server key and signing request"$openssl genrsa -out $SERVER.key $keybits$openssl req -new \-out $SERVER.csr \-key $SERVER.key \-subj "${SERVER_DN}"chmod 400 $SERVER.key
fiif [ -f $SERVER.csr -a ! -f $SERVER.crt ]; then# There&＃39;s no way to pass subjAltName on the CLI so# create a cnf file and use that.CNF&＃61;&＃96;mktemp /tmp/cacnf.XXXXXXXX&＃96; || { echo "$0: can&＃39;t create temp file" >&2; exit 1; }sed -e &＃39;s/^.*%%% //&＃39; > $CNF <<\!ENDconfig%%% [ JPMextensions ]%%% basicConstraints &＃61; critical,CA:false%%% nsCertType &＃61; server%%% keyUsage &＃61; nonRepudiation, digitalSignature, keyEncipherment%%% nsComment &＃61; "Broker Certificate"%%% subjectKeyIdentifier &＃61; hash%%% authorityKeyIdentifier &＃61; keyid,issuer:always%%% subjectAltName &＃61; $ENV::SUBJALTNAME%%% # issuerAltName &＃61; issuer:copy%%% nsCaRevocationUrl &＃61; http://mqttitude.org/carev/%%% nsRevocationUrl &＃61; http://mqttitude.org/carev/
!ENDconfigSUBJALTNAME&＃61;"$(addresslist)"export SUBJALTNAME # Use environment. Because I can. ;-)echo "--- Creating and signing server certificate"$openssl x509 -req \-in $SERVER.csr \-CA $CACERT.crt \-CAkey $CACERT.key \-CAcreateserial \-CAserial "${DIR}/ca.srl" \-out $SERVER.crt \-days $days \-extfile ${CNF} \-extensions JPMextensionsrm -f $CNFchmod 444 $SERVER.crt
fi


$ wget https://github.com/iandl/mqttitude/blob/master/tools/TLS/generate-CA.sh .
$ bash ./generate-CA.sh