#!/usr/bin/env bash
# Builds a small test PKI (ca -> inter1 -> inter2 -> client), signs and verifies a file
# with the client key, and (disabled at the end) starts an OCSP responder for the CA's index.
# Assumes ./ocsp.cnf (an 'openssl ca' config that defines the v3_req extension section)
# and ./file (the data to sign) exist in the current directory.
# Process substitution (<(...)) in the verify step requires bash, not plain sh.
set -euo pipefail

# cleanup
rm -rf t
pkill -f openssl || true   # do not abort when no openssl process is running

# ca
mkdir -p t/ocsp/ca/certs t/ocsp/ca/crl t/ocsp/ca/newcerts t/ocsp/logs
touch t/ocsp/ca/index.txt
echo '1000' > t/ocsp/ca/serial
cp ocsp.cnf t/ocsp/ocsp.cnf

# ca.crt
echo '### CREATING CA (ec prime256v1) ###'
openssl ecparam -name prime256v1 -genkey -noout -out t/ocsp/ca.key
openssl ec -in t/ocsp/ca.key -pubout -out t/ocsp/ca_pub.key
openssl req -x509 -new \
  -sha256 -days 3650 \
  -key t/ocsp/ca.key \
  -out t/ocsp/ca.crt \
  -subj '/O=CA/CN=ca.test/OU=ca.test' \
  -extensions v3_ca

# inter1.crt (issued by ca)
echo '### CREATING INTER1 (RSA) ###'
openssl genpkey -algorithm RSA -out t/ocsp/inter1.key -pkeyopt rsa_keygen_bits:4096
openssl req -new -key t/ocsp/inter1.key -out t/ocsp/inter1.csr -subj '/O=Inter/CN=inter.test/OU=2'
openssl ca -config t/ocsp/ocsp.cnf \
  -in t/ocsp/inter1.csr \
  -out t/ocsp/inter1.crt \
  -cert t/ocsp/ca.crt \
  -keyfile t/ocsp/ca.key \
  -notext -batch -updatedb -extensions v3_req #2>/dev/null

# inter2.crt (issued by inter1)
echo '### CREATING INTER2 (EdDSA) ###'
openssl genpkey -algorithm Ed448 -out t/ocsp/inter2.key
openssl req -new -key t/ocsp/inter2.key -out t/ocsp/inter2.csr -subj '/O=Inter/CN=inter.test/OU=3'
openssl ca -config t/ocsp/ocsp.cnf \
  -in t/ocsp/inter2.csr \
  -out t/ocsp/inter2.crt \
  -cert t/ocsp/inter1.crt \
  -keyfile t/ocsp/inter1.key \
  -notext -batch -updatedb -extensions v3_req #2>/dev/null

# client.crt (issued by inter2)
echo '### CREATING CLIENT ###'
openssl ecparam -name prime256v1 -genkey -noout -out t/ocsp/client.key
openssl req -new -key t/ocsp/client.key -out t/ocsp/client.csr -subj '/O=Client/CN=client.test/OU=4'
openssl ca -config t/ocsp/ocsp.cnf \
  -in t/ocsp/client.csr \
  -out t/ocsp/client.crt \
  -cert t/ocsp/inter2.crt \
  -keyfile t/ocsp/inter2.key \
  -notext -batch -updatedb -extensions v3_req #2>/dev/null

# chain: leaf first, then each issuer in order up to the root (client <- inter2 <- inter1 <- ca)
echo '### CREATING CHAIN ###'
cat t/ocsp/client.crt t/ocsp/inter2.crt t/ocsp/inter1.crt t/ocsp/ca.crt > t/ocsp/chain.pem

# sign
echo '### SIGNING ###'
openssl dgst -sha256 -sign t/ocsp/client.key -out file.sig file

# verify (public key extracted from the client certificate)
echo '### VERIFYING ###'
openssl dgst -sha256 -verify <(openssl x509 -in t/ocsp/client.crt -pubkey -noout) \
  -signature file.sig file

# start ocsp server (disabled; note the CA key and cert live in t/ocsp/, not t/ocsp/ca/)
#openssl ocsp -index t/ocsp/ca/index.txt -port 2560 -ndays 999 \
#  -rsigner t/ocsp/ca.crt -rkey t/ocsp/ca.key -CA t/ocsp/ca.crt -text \
#  >t/ocsp/logs/log.ocsp1 2>t/ocsp/logs/log.ocsp2 &
#sleep 1