:: Demo script for creating CA structure as part of masters thesis
:: Author: Jozef Simko
:: School year: 5., Master study, 2023/24
:: Study program: Computer Networks
:: Organization: Technical University of Kosice (TUKE), Faculty of Electrical Engineering and Informatics (FEI)

:: STRUKTURA PRIECINKOV
:: Tento skript vytvori nasledovnu strukturu priecinkov a suborov:

:: myCA
::  |
::  |_ rootCA
::  |	|_certs			-> priecinok s CA certikatom
::  |	|_newcerts		-> priecinok s podpisanymi certifikatmi, ich nazov sa rovna ich seriovemu cislu
::  |	|_private		-> priecinok pre privatne kluce (mal by mat obmedzeny pristup)
::  |	|_index/index.txt	-> databaza podpisanych certifikatov, ktora obsahuje detaily o podpisanych certifikatoch
::  |	|_serial		-> pocitadlo podpisanych certifikatov
::  |	|_crlnumber		-> pocitadlo zneplatnenych certifikatov
::  |	|_root.cnf		-> konfiguracny subor pre hlavnu CA
::  |
::  |_ intermediateCA
::  |	|_certs			-> priecinok s CA certikatom
::  |	|_newcerts		-> priecinok s podpisanymi certifikatmi, ich nazov sa rovna ich seriovemu cislu
::  |	|_private		-> priecinok pre privatne kluce (mal by mat obmedzeny pristup)
::  |	|_index/index.txt	-> databaza podpisanych certifikatov, ktora obsahuje detaily o podpisanych certifikatoch
::  |	|_serial		-> pocitadlo podpisanych certifikatov
::  |	|_crlnumber		-> pocitadlo zneplatnenych certifikatov
::  |	|_intermediateCA.cnf	-> konfiguracny subor pre sekundarnu CA

:: ---------------------------------------------------------------------------------------------------------------------------

:: Vytvorenie struktury priecinkov
mkdir .\myCA\rootCA\certs , .\myCA\rootCA\private , .\myCA\rootCA\newcerts , .\myCA\rootCA\index
mkdir .\myCA\intermediateCA\certs , .\myCA\intermediateCA\private , .\myCA\intermediateCA\newcerts , .\myCA\intermediateCA\index , .\myCA\intermediateCA\csr

:: PowerShell prikazy - prikaz 'echo' vytvara v PS subory s UTF-16 kodovanim
::"00" | Out-File -encoding ascii -NoNewline ".\myCA\rootCA\serial"
::"0100" | Out-File -encoding ascii -NoNewline ".\myCA\rootCA\crlnumber"
::New-Item -Path ".\myCA\rootCA\index" -Name "index.txt" -ItemType File

::"00" | Out-File -encoding ascii -NoNewline ".\myCA\intermediateCA\serial"
::"0100" | Out-File -encoding ascii -NoNewline ".\myCA\intermediateCA\crlnumber"
::New-Item -Path ".\myCA\intermediateCA\index" -Name "index.txt" -ItemType File

:: Vytvorenie dodatocnych suborov pre rootCA a intermediateCA
:: @serial - zaznamenava aktualne seriove cislo, ktore bude pouzite pre novy certifikatov
:: kazdy certifikat je mozne identifikovat pomocou serioveho cisla - zaznam sa nachadza v subore index.txt
:: @ crlnumber - pocitadlo zrusenych/zneplatnenych certifikatov
:: zneplatnenie moze nastat ak doslo k prezradeniu privatneho kluca, ide o podvodny certifikat alebo sa zmenili informacie ziadatela certifikatu
:: @ index.txt - subory pouzity ako databaza vsetkych podpisanych certifikatov
:: databaza v indexe zaznamenava tieto informacie: status certifikatu, datum platnosti, seriove cislo a doplnkove informacie
echo 00 > .\myCA\rootCA\serial
echo 0100 > .\myCA\rootCA\crlnumber
type NUL > .\myCA\rootCA\index\index.txt

echo 00 > .\myCA\intermediateCA\serial
echo 0100 > .\myCA\intermediateCA\crlnumber
type NUL > .\myCA\intermediateCA\index\index.txt

:: Skopirovanie konfiguracnych suborov do prislusnych zloziek
:: Pre presunutie suborov staci pouzit nahradit prikaz copy prikazom move
copy .\root.cnf .\myCA\rootCA\
copy .\intermediate.cnf .\myCA\intermediateCA\

:: ROOT CA
:: Vygenerovanie sukromneho kluca a certifikatu pre root CA
:: Pouzity algoritmus - PQ algoritmus falcon512
openssl req -config ./myCA/rootCA/root.cnf -new -x509 -days 365 -newkey falcon512 -keyout ./myCA/rootCA/private/falcon512_CA.key -out ./myCA/rootCA/certs/falcon512_CA.crt -nodes

:: INT CA
:: Vygenerovanie sukromneho kluca a certifikatu pre intermediate CA
:: Podpisanie vygenerovaneho certifikatu pre intCA sukromnym klucom root CA
:: Overenie podpisu
openssl req -config ./myCA/intermediateCA/intermediate.cnf -new -newkey falcon512 -keyout ./myCA/intermediateCA/private/falcon512_intCA.key -out ./myCA/intermediateCA/certs/falcon512_intCA.csr -nodes
openssl ca -batch -config ./myCA/rootCA/root.cnf -extensions v3_intermediate_ca -days 3650 -notext -md sha256 -in ./myCA/intermediateCA/certs/falcon512_intCA.csr -out ./myCA/intermediateCA/certs/falcon512_intCA.crt
openssl verify -CAfile ./myCA/rootCA/certs/falcon512_CA.crt ./myCA/intermediateCA/certs/falcon512_intCA.crt

:: CERT-CHAIN
:: Vytvorenie zretazeneho certifikatu z certifikatov root CA a int CA
:: Overenie vygenerovaneho zretazeneho certifikatu
type .\myCA\rootCA\certs\falcon512_CA.crt , .\myCA\intermediateCA\certs\falcon512_intCA.crt > .\myCA\intermediateCA\certs\falcon512_certchain.pem
openssl verify -CAfile ./myCA/intermediateCA/certs/falcon512_certchain.pem ./myCA/intermediateCA/certs/falcon512_intCA.crt


:: SERVER CERTIFICATE
:: Vygenerovanie sukromneho kluca a certifikatu pre server
:: Overenie podpisu vysledneho certifikatu
openssl req -new -newkey falcon512 -keyout ./myCA/intermediateCA/private/falcon512_server.key -out ./myCA/intermediateCA/csr/falcon512_server.csr -nodes -subj "/CN=test server" 
openssl ca -batch -config ./myCA/intermediateCA/intermediate.cnf -extensions server_cert -days 375 -notext -md sha256 -in ./myCA/intermediateCA/csr/falcon512_server.csr -out ./myCA/intermediateCA/csr/falcon512_server.crt
openssl verify -CAfile .\myCA\intermediateCA\certs\falcon512_certchain.pem ./myCA/intermediateCA/csr/falcon512_server.crt

:: CLIENT CERTIFICATE
:: Vygenerovanie sukromneho kluca a certifikatu pre klienta
:: Overenie podpisu vysledneho certifikatu
openssl req -new -newkey falcon512 -keyout ./myCA/intermediateCA/private/falcon512_client.key -out ./myCA/intermediateCA/csr/falcon512_client.csr -nodes -subj "/CN=www.testclient.com" 
openssl ca -batch -config ./myCA/intermediateCA/intermediate.cnf -extensions client_cert -days 375 -notext -md sha256 -in ./myCA/intermediateCA/csr/falcon512_client.csr -out ./myCA/intermediateCA/csr/falcon512_client.crt
openssl verify -CAfile .\myCA\intermediateCA\certs\falcon512_certchain.pem ./myCA/intermediateCA/csr/falcon512_client.crt


:: REVOKE CERTIFICATE
:: Vygenerovanie dalsieho certifikatu pre "fake" server
:: Podpisanie vygenerovaneho certifikatu
:: Zneplatnenie vytvoreného certifikátu s dôvodom "affiliationChanged" (zmena vlastnosti koncoveho serveru)
::openssl req -new -newkey falcon512 -keyout ./myCA/intermediateCA/private/falcon512_fakeserver.key -out ./myCA/intermediateCA/csr/falcon512_fakeserver.csr -nodes -subj "/CN=fake server"
::openssl ca -batch -config ./myCA/intermediateCA/intermediate.cnf -extensions server_cert -days 375 -notext -md sha256 -in ./myCA/intermediateCA/csr/falcon512_fakeserver.csr -out ./myCA/intermediateCA/csr/falcon512_fakeserver.crt
::openssl ca -config ./myCA/intermediateCA/intermediate.cnf -revoke ./myCA/intermediateCA/csr/falcon512_fakeserver.crt -crl_reason affiliationChanged

:: REMOVE SCRIPT
:: del ./gen_CA.bat