├── .gitignore ├── Makefile ├── generate-certs.sh ├── 00-generate-root-ca.sh ├── 03-issue-client-cert.sh ├── 01-issue-inter-ca.sh ├── 02-issue-server-cert.sh ├── README.md └── LICENSE /.gitignore: -------------------------------------------------------------------------------- 1 | *.pem 2 | *.key 3 | *.csr 4 | *.srl 5 | ca/ 6 | config 7 | -------------------------------------------------------------------------------- /Makefile: -------------------------------------------------------------------------------- 1 | .PHONY: all clean 2 | 3 | all: 4 | ./generate-certs.sh 5 | -------------------------------------------------------------------------------- /generate-certs.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | set -euo pipefail 4 | 5 | cd "$(dirname "$0")" 6 | 7 | clean() { 8 | rm -f *.pem *.key *.csr *.srl config 9 | rm -rf ./ca/ 10 | } 11 | 12 | clean 13 | 14 | DEFAULT_RSA_PSS_SIGNOPTS='-sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:20' 15 | export RSA_PSS_SIGNOPTS="${RSA_PSS_SIGNOPTS-${DEFAULT_RSA_PSS_SIGNOPTS}}" 16 | 17 | export ALG="${ALG:-rsa}" 18 | ./00-generate-root-ca.sh 19 | ./01-issue-inter-ca.sh server 20 | ./01-issue-inter-ca.sh client 21 | ./02-issue-server-cert.sh "${SERVER_CERT_ISSUER:-inter-ca-server}" 22 | ./03-issue-client-cert.sh "${CLIENT_CERT_ISSUER:-inter-ca-client}" 23 | 24 | CLIENT_KEYFILE="${TLS_CLIENT_FNAME:-client-key}.pem" 25 | CLIENT_CERTFILE="${TLS_CLIENT_FNAME:-client-cert}.pem" 26 | SERVER_KEYFILE="server-key.pem" 27 | SERVER_CERTFILE="server-cert.pem" 28 | 29 | dir="$(date --iso-8601=second | tr ':' '-')" 30 | mkdir "$dir" 31 | 32 | mv ca.pem "$dir/ca.pem" 33 | 34 | mv $CLIENT_KEYFILE "$dir/$CLIENT_KEYFILE" 35 | cat $CLIENT_CERTFILE inter-ca-client.pem > "$dir/$CLIENT_CERTFILE" 36 | 37 | mv $SERVER_KEYFILE "$dir/key.pem" 38 | cat $SERVER_CERTFILE inter-ca-server.pem > "$dir/cert.pem" 39 | 40 | clean 41 | -------------------------------------------------------------------------------- /00-generate-root-ca.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | ## This script generates ca.key and self-signed ca.pem 4 | set -euo pipefail 5 | 6 | echo "Generating root CA" 7 | 8 | cd "$(dirname "$0")" 9 | 10 | CA_C="${TLS_DN_C:-SE}" 11 | CA_ST="${TLS_DN_ST:-Stockholm}" 12 | CA_L="${TLS_DN_L:-Stockholm}" 13 | CA_O="${TLS_DN_O:-MyOrgName}" 14 | CA_OU="${TLS_DN_OU:-MyRootCA}" 15 | CA_CN="MyRootCA" 16 | 17 | SIGNOPTS='' 18 | ensure_private_key() { 19 | file="$1" 20 | if [ ! -f "$file" ]; then 21 | case $ALG in 22 | rsa) 23 | openssl genrsa -out "$file" 2048 24 | ;; 25 | rsa-pss) 26 | openssl genrsa -out "$file" 2048 27 | ## CA do not support this algorithm for now 28 | # openssl genpkey -algorithm RSA-PSS -pkeyopt rsa_keygen_bits:2048 -out "$file" 29 | # SIGNOPTS=$RSA_PSS_SIGNOPTS 30 | ;; 31 | ec|ecc) 32 | openssl ecparam -name prime256v1 -genkey -noout -out "$file" 33 | ;; 34 | dsa) 35 | openssl gendsa -out "$file" <(openssl dsaparam 2048) 36 | ;; 37 | *) 38 | echo "Unknown algorithm: $ALG" 39 | exit 1 40 | ;; 41 | esac 42 | fi 43 | } 44 | 45 | 46 | ensure_private_key ca.key 47 | if [ ! -f ca.pem ]; then 48 | openssl req -sha256 -new -key "ca.key" -out "ca.csr" -nodes \ 49 | -subj "/C=${CA_C}/ST=${CA_ST}/L=${CA_L}/O=${CA_O}/OU=${CA_OU}/CN=${CA_CN}" -addext "basicConstraints=critical,CA:true" 50 | openssl x509 -req -in ca.csr -sha256 -signkey ca.key -out ca.pem -days 3650 $SIGNOPTS 51 | rm -f ca.csr 52 | fi 53 | -------------------------------------------------------------------------------- /03-issue-client-cert.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | set -euo pipefail 4 | 5 | if [ -z "${1:-}" ]; then 6 | echo "Usage: $0 " 7 | echo " is the name of the CA cert files" 8 | echo "There should be a .pem for the CA certificate" 9 | echo "and a .key for the private key" 10 | exit 1 11 | fi 12 | 13 | echo "Issuing client certificate" 14 | 15 | ISSUER_CA="${1}" 16 | 17 | cd "$(dirname "$0")" 18 | 19 | CL_C="${TLS_DN_C:-SE}" 20 | CL_ST="${TLS_DN_ST:-Stockholm}" 21 | CL_L="${TLS_DN_L:-Stockholm}" 22 | CL_O="${TLS_DN_O:-MyOrgName}" 23 | CL_OU="${TLS_DN_OU:-MyServiceClient}" 24 | CL_CN="${TLS_CLIENT_COMMON_NAME:-localhost}" 25 | 26 | KEYFILE="${TLS_CLIENT_FNAME:-client-key}.pem" 27 | CERTFILE="${TLS_CLIENT_FNAME:-client-cert}.pem" 28 | 29 | SIGNOPTS='' 30 | if [ ! -f "${KEYFILE}" ]; then 31 | case $ALG in 32 | rsa) 33 | openssl genrsa -out "${KEYFILE}" 2048 34 | ;; 35 | rsa-pss) 36 | #openssl genrsa -out "${KEYFILE}" 2048 37 | openssl genpkey -algorithm RSA-PSS -pkeyopt rsa_keygen_bits:2048 -out "${KEYFILE}" 38 | SIGNOPTS=$RSA_PSS_SIGNOPTS 39 | ;; 40 | ec|ecc) 41 | openssl ecparam -name prime256v1 -genkey -noout -out "${KEYFILE}" 42 | ;; 43 | dsa) 44 | openssl gendsa -out "${KEYFILE}" <(openssl dsaparam 2048) 45 | ;; 46 | *) 47 | echo "Unknown algorithm: $ALG" 48 | exit 1 49 | ;; 50 | esac 51 | fi 52 | 53 | if [ ! -f "${CERTFILE}" ]; then 54 | openssl req -sha256 -new -key "${KEYFILE}" -out client.csr -nodes -subj "/C=${CL_C}/ST=${CL_ST}/L=${CL_L}/O=${CL_O}/OU=${CL_OU}/CN=${CL_CN}" -addext "basicConstraints=critical,CA:false" 55 | openssl x509 -req -CA "${ISSUER_CA}.pem" -CAkey "${ISSUER_CA}.key" $SIGNOPTS -in client.csr -out "${CERTFILE}" -days 3650 -CAcreateserial 56 | rm -f client.csr 57 | fi 58 | -------------------------------------------------------------------------------- /01-issue-inter-ca.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | set -euo pipefail 4 | 5 | ## This script issues an intermediate CA by root CA 6 | ## generates files: inter-ca-.key inter-ca-.pem 7 | ## where suffix is to make it possible to issue more than one intermediate CAs 8 | 9 | echo "Issuing intermediate CA" 10 | 11 | SUFFIX="${1:-}" 12 | 13 | cd "$(dirname "$0")" 14 | 15 | CA_C="${TLS_DN_C:-SE}" 16 | CA_ST="${TLS_DN_ST:-Stockholm}" 17 | CA_L="${TLS_DN_L:-Stockholm}" 18 | CA_O="${TLS_DN_O:-MyOrgName}" 19 | CA_OU="${TLS_DN_OU:-MyIntermediateCA}" 20 | CA_CN="${TLS_INTER_CA_CN:-MyIntermediateCA-${SUFFIX}}" 21 | 22 | if [ -z "${SUFFIX}" ]; then 23 | FILE_NAME="inter-ca" 24 | else 25 | FILE_NAME="inter-ca-${SUFFIX}" 26 | fi 27 | 28 | mkdir -p ca 29 | rm -f ./ca/* 30 | if [ ! -f ca/index.txt ]; then touch ca/index.txt; fi 31 | if [ ! -f ca/index.txt.attr ]; then touch ca/index.txt.attr; fi 32 | if [ ! -f ca/serial ]; then date '+%s' > ca/serial; fi 33 | 34 | SIGNOPTS='' 35 | if ! [ -f "${FILE_NAME}.key" ]; then 36 | case $ALG in 37 | rsa) 38 | openssl genrsa -out "${FILE_NAME}.key" 2048 39 | ;; 40 | rsa-pss) 41 | if [ "${SUFFIX}" = 'server' ]; then 42 | openssl genrsa -out "${FILE_NAME}.key" 2048 43 | else 44 | openssl genpkey -algorithm RSA-PSS -pkeyopt rsa_keygen_bits:2048 -out "${FILE_NAME}.key" 45 | #SIGNOPTS=$RSA_PSS_SIGNOPTS 46 | fi 47 | ;; 48 | ec|ecc) 49 | openssl ecparam -name prime256v1 -genkey -noout -out "${FILE_NAME}.key" 50 | ;; 51 | dsa) 52 | openssl gendsa -out "${FILE_NAME}.key" <(openssl dsaparam 2048) 53 | ;; 54 | *) 55 | echo "Unknown algorithm: $ALG" 56 | exit 1 57 | ;; 58 | esac 59 | fi 60 | openssl req -sha256 -new -key "${FILE_NAME}.key" -out "${FILE_NAME}.csr" -nodes -subj "/C=${CA_C}/ST=${CA_ST}/L=${CA_L}/O=${CA_O}/OU=${CA_OU}/CN=${CA_CN}" -addext "basicConstraints=critical,CA:true" 61 | 62 | # openssl onelines do not support ca extentions well 63 | # hence the need of a config file 64 | 65 | cat < config 66 | [ca] 67 | default_ca = DEFAULT_CA 68 | 69 | [DEFAULT_CA] 70 | dir = ./ca 71 | database = \$dir/index.txt 72 | new_certs_dir = \$dir 73 | 74 | certificate = ca.pem 75 | private_key = ca.key 76 | serial = \$dir/serial 77 | 78 | default_days = 3650 79 | default_crl_days= 30 80 | default_md = sha256 81 | 82 | policy = my_policy 83 | email_in_dn = no 84 | 85 | name_opt = ca_default 86 | cert_opt = ca_default 87 | copy_extensions = none 88 | 89 | [my_policy] 90 | countryName = supplied 91 | stateOrProvinceName = supplied 92 | organizationName = supplied 93 | organizationalUnitName = supplied 94 | commonName = supplied 95 | emailAddress = optional 96 | 97 | [ca_ext] 98 | keyUsage = critical,keyCertSign,cRLSign 99 | basicConstraints = critical,CA:true 100 | subjectKeyIdentifier = hash 101 | authorityKeyIdentifier = keyid,issuer 102 | EOF 103 | 104 | openssl ca -batch -config config $SIGNOPTS -in "${FILE_NAME}.csr" -out "${FILE_NAME}.pem" -notext -extensions ca_ext 105 | rm -f "${FILE_NAME}.csr" 106 | -------------------------------------------------------------------------------- /02-issue-server-cert.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash -e 2 | 3 | set -euo pipefail 4 | 5 | if [ -z "${1:-}" ]; then 6 | echo "Usage: $0 " 7 | echo " is the name of the CA cert files" 8 | echo "There should be a .pem for the CA certificate" 9 | echo "and a .key for the private key" 10 | exit 1 11 | fi 12 | 13 | echo "Issuing server certificate" 14 | 15 | ISSUER_CA="${1}" 16 | 17 | cd "$(dirname "$0")" 18 | 19 | DN_C="${TLS_DN_C:-SE}" 20 | DN_ST="${TLS_DN_ST:-Stockholm}" 21 | DN_L="${TLS_DN_L:-Stockholm}" 22 | DN_O="${TLS_DN_O:-MyOrgName}" 23 | DN_OU="${TLS_DN_OU:-MyService}" 24 | DN_CN="${TLS_SERVER_COMMON_NAME:-localhost}" 25 | 26 | SAN_IP="" 27 | if [ -n "${TLS_SERVER_IP:-}" ]; then 28 | SAN_IP="IP = $TLS_SERVER_IP" 29 | fi 30 | SAN_DNS="DNS = $DN_CN" 31 | if [ -n "${TLS_SERVER_DNS:-}" ]; then 32 | SAN_DNS="DNS = $TLS_SERVER_DNS" 33 | fi 34 | 35 | # Openssl command oneliners do not support request extentions well 36 | # hence the need of a config file 37 | 38 | cat <<-EOF > config 39 | [req] 40 | default_bits = 2048 41 | prompt = no 42 | default_md = sha256 43 | req_extensions = req_ext 44 | distinguished_name = dn 45 | 46 | [dn] 47 | C = $DN_C 48 | ST = $DN_ST 49 | L = $DN_L 50 | O = $DN_O 51 | OU = $DN_OU 52 | CN = $DN_CN 53 | 54 | [req_ext] 55 | subjectAltName = @alt_names 56 | keyUsage = digitalSignature, keyEncipherment 57 | extendedKeyUsage = serverAuth 58 | 59 | [alt_names] 60 | $SAN_DNS 61 | $SAN_IP 62 | 63 | [ca] 64 | default_ca = DEFAULT_CA 65 | 66 | [DEFAULT_CA] 67 | dir = ./ca 68 | database = \$dir/index.txt 69 | new_certs_dir = \$dir 70 | 71 | certificate = ${ISSUER_CA}.pem 72 | private_key = ${ISSUER_CA}.key 73 | serial = \$dir/serial 74 | 75 | default_days = 3650 76 | default_crl_days= 30 77 | default_md = sha256 78 | 79 | policy = cert_policy 80 | email_in_dn = no 81 | 82 | name_opt = ca_default 83 | cert_opt = ca_default 84 | copy_extensions = none 85 | 86 | [ cert_policy ] 87 | countryName = supplied 88 | stateOrProvinceName = supplied 89 | organizationName = supplied 90 | organizationalUnitName = supplied 91 | commonName = supplied 92 | emailAddress = optional 93 | EOF 94 | 95 | mkdir -p ca 96 | rm -f ./ca/* 97 | if [ ! -f ca/index.txt ]; then touch ca/index.txt; fi 98 | if [ ! -f ca/index.txt.attr ]; then touch ca/index.txt.attr; fi 99 | if [ ! -f ca/serial ]; then date '+%s' > ca/serial; fi 100 | 101 | KEYFILE='server-key.pem' 102 | CERTFILE='server-cert.pem' 103 | SIGNOPTS='' 104 | case $ALG in 105 | rsa*) 106 | openssl genrsa -out $KEYFILE 2048 107 | openssl req -newkey rsa:2048 -sha256 -key $KEYFILE -out server.csr -nodes -config ./config 108 | ;; 109 | ec|ecc) 110 | openssl ecparam -name prime256v1 -genkey -noout -out $KEYFILE 111 | openssl req -newkey ec:<(openssl ecparam -name secp384r1) -key $KEYFILE -out server.csr -nodes -config ./config 112 | ;; 113 | dsa) 114 | openssl gendsa -out "$KEYFILE" <(openssl dsaparam 2048) 115 | openssl req -newkey dsa:<(openssl dsaparam 2048) -key $KEYFILE -out server.csr -nodes -config ./config 116 | ;; 117 | *) 118 | echo "Unknown algorithm: $ALG" 119 | exit 1 120 | ;; 121 | esac 122 | openssl ca -notext -batch -out $CERTFILE -config config $SIGNOPTS -extensions req_ext -infiles server.csr 123 | rm -f server.csr 124 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # TLS Scripts 2 | 3 | This repository contains a set of scripts for generating test TLS certificates. The main entry point is **`generate-certs.sh`**, which orchestrates creation of: 4 | 5 | - A Root CA (self-signed) 6 | - Two Intermediate CAs (issued by the Root CA), named `inter-ca-1` and `inter-ca-2` 7 | - A Server certificate/key 8 | - A Client certificate/key 9 | 10 | You can specify who issues the server or client certificate via environment variables: 11 | 12 | - `SERVER_CERT_ISSUER` 13 | - `CLIENT_CERT_ISSUER` 14 | 15 | By default: 16 | - The **server** certificate is issued by `inter-ca-1` 17 | - The **client** certificate is issued by `inter-ca-2` 18 | 19 | > **Note:** These scripts are intended *only* for testing. For production-grade Public Key Infrastructure (PKI) you should consider tools such as [Cloudflare cfssl](https://github.com/cloudflare/cfssl) or other more fully-featured PKI solutions. 20 | 21 | --- 22 | 23 | ## Components & Script Breakdown 24 | 25 | Each script can be run independently, provided their required input files (from preceding steps) are present and haven’t been removed. 26 | 27 | ### 1. Root CA — `00-generate-root-ca.sh` 28 | 29 | Sets up the Root CA with configurable distinguished name (DN) parameters via environment variables, falling back to defaults when not provided: 30 | 31 | ```bash 32 | CA_C="${TLS_DN_C:-SE}" # Country 33 | CA_ST="${TLS_DN_ST:-Stockholm}"# State or Province 34 | CA_L="${TLS_DN_L:-Stockholm}" # Locality (City) 35 | CA_O="${TLS_DN_O:-MyOrgName}" # Organization 36 | CA_OU="${TLS_DN_OU:-MyRootCA}" # Organizational Unit 37 | CA_CN="MyRootCA" # Common Name 38 | ``` 39 | 40 | ### 2. Intermediate CA — `01-issue-inter-ca.sh` 41 | 42 | Creates one or more intermediate CAs under the Root CA. The DN fields are similarly configurable: 43 | 44 | ```bash 45 | CA_C="${TLS_DN_C:-SE}" 46 | CA_ST="${TLS_DN_ST:-Stockholm}" 47 | CA_L="${TLS_DN_L:-Stockholm}" 48 | CA_O="${TLS_DN_O:-MyOrgName}" 49 | CA_OU="${TLS_DN_OU:-MyIntermediateCA}" 50 | CA_CN="${TLS_INTER_CA_CN:-MyIntermediateCA-}" # You can specify the suffix or override 51 | ``` 52 | 53 | ### 3. Server Certificate — `02-issue-server-cert.sh` 54 | 55 | Generates a server certificate. Key DN fields and Subject Alternative Names (SANs) are configurable via environment variables. The certificate issuer can be chosen (default: `inter-ca-1`). 56 | 57 | ```bash 58 | DN_C="${TLS_DN_C:-SE}" 59 | DN_ST="${TLS_DN_ST:-Stockholm}" 60 | DN_L="${TLS_DN_L:-Stockholm}" 61 | DN_O="${TLS_DN_O:-MyOrgName}" 62 | DN_OU="${TLS_DN_OU:-MyService}" 63 | DN_CN="${TLS_SERVER_COMMON_NAME:-localhost}" 64 | 65 | # Optional SANs 66 | TLS_SERVER_IP # IP address to include in SAN if set 67 | TLS_SERVER_DNS # DNS name in SAN if set 68 | 69 | SERVER_CERT_ISSUER=inter-ca-1 # or “ca” … depends on your setup 70 | ``` 71 | 72 | ### 4. Client Certificate — `03-issue-client-cert.sh` 73 | 74 | Similar approach as for the server, but for client-side certificate: 75 | 76 | ```bash 77 | CL_C="${TLS_DN_C:-SE}" 78 | CL_ST="${TLS_DN_ST:-Stockholm}" 79 | CL_L="${TLS_DN_L:-Stockholm}" 80 | CL_O="${TLS_DN_O:-MyOrgName}" 81 | CL_OU="${TLS_DN_OU:-MyServiceClient}" 82 | CL_CN="${TLS_CLIENT_COMMON_NAME:-localhost}" 83 | 84 | CLIENT_CERT_ISSUER=inter-ca-2 85 | ``` 86 | 87 | --- 88 | 89 | ## Cryptographic Algorithms Supported 90 | 91 | You can choose the type of cryptographic key via the `ALG` environment variable. Options: 92 | 93 | - `rsa`: Generates a **2048-bit RSA** key (key size is fixed in the current scripts) 94 | - `rsa-pss`: Generates an **RSA-PSS** key (uses Probabilistic Signature Scheme, also known as PSS padding). 95 | This option is more secure for signatures. Currently, it applies only to client certificates — 96 | server certificates will continue to use standard RSA. 97 | - `ec`: Generates an **ECDSA** key using curve `prime256v1` 98 | - `dsa`: Generates a **DSA** key 99 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | Apache License 2 | Version 2.0, January 2004 3 | http://www.apache.org/licenses/ 4 | 5 | TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 6 | 7 | 1. Definitions. 8 | 9 | "License" shall mean the terms and conditions for use, reproduction, 10 | and distribution as defined by Sections 1 through 9 of this document. 11 | 12 | "Licensor" shall mean the copyright owner or entity authorized by 13 | the copyright owner that is granting the License. 14 | 15 | "Legal Entity" shall mean the union of the acting entity and all 16 | other entities that control, are controlled by, or are under common 17 | control with that entity. For the purposes of this definition, 18 | "control" means (i) the power, direct or indirect, to cause the 19 | direction or management of such entity, whether by contract or 20 | otherwise, or (ii) ownership of fifty percent (50%) or more of the 21 | outstanding shares, or (iii) beneficial ownership of such entity. 22 | 23 | "You" (or "Your") shall mean an individual or Legal Entity 24 | exercising permissions granted by this License. 25 | 26 | "Source" form shall mean the preferred form for making modifications, 27 | including but not limited to software source code, documentation 28 | source, and configuration files. 29 | 30 | "Object" form shall mean any form resulting from mechanical 31 | transformation or translation of a Source form, including but 32 | not limited to compiled object code, generated documentation, 33 | and conversions to other media types. 34 | 35 | "Work" shall mean the work of authorship, whether in Source or 36 | Object form, made available under the License, as indicated by a 37 | copyright notice that is included in or attached to the work 38 | (an example is provided in the Appendix below). 39 | 40 | "Derivative Works" shall mean any work, whether in Source or Object 41 | form, that is based on (or derived from) the Work and for which the 42 | editorial revisions, annotations, elaborations, or other modifications 43 | represent, as a whole, an original work of authorship. For the purposes 44 | of this License, Derivative Works shall not include works that remain 45 | separable from, or merely link (or bind by name) to the interfaces of, 46 | the Work and Derivative Works thereof. 47 | 48 | "Contribution" shall mean any work of authorship, including 49 | the original version of the Work and any modifications or additions 50 | to that Work or Derivative Works thereof, that is intentionally 51 | submitted to Licensor for inclusion in the Work by the copyright owner 52 | or by an individual or Legal Entity authorized to submit on behalf of 53 | the copyright owner. For the purposes of this definition, "submitted" 54 | means any form of electronic, verbal, or written communication sent 55 | to the Licensor or its representatives, including but not limited to 56 | communication on electronic mailing lists, source code control systems, 57 | and issue tracking systems that are managed by, or on behalf of, the 58 | Licensor for the purpose of discussing and improving the Work, but 59 | excluding communication that is conspicuously marked or otherwise 60 | designated in writing by the copyright owner as "Not a Contribution." 61 | 62 | "Contributor" shall mean Licensor and any individual or Legal Entity 63 | on behalf of whom a Contribution has been received by Licensor and 64 | subsequently incorporated within the Work. 65 | 66 | 2. Grant of Copyright License. Subject to the terms and conditions of 67 | this License, each Contributor hereby grants to You a perpetual, 68 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 69 | copyright license to reproduce, prepare Derivative Works of, 70 | publicly display, publicly perform, sublicense, and distribute the 71 | Work and such Derivative Works in Source or Object form. 72 | 73 | 3. Grant of Patent License. Subject to the terms and conditions of 74 | this License, each Contributor hereby grants to You a perpetual, 75 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 76 | (except as stated in this section) patent license to make, have made, 77 | use, offer to sell, sell, import, and otherwise transfer the Work, 78 | where such license applies only to those patent claims licensable 79 | by such Contributor that are necessarily infringed by their 80 | Contribution(s) alone or by combination of their Contribution(s) 81 | with the Work to which such Contribution(s) was submitted. If You 82 | institute patent litigation against any entity (including a 83 | cross-claim or counterclaim in a lawsuit) alleging that the Work 84 | or a Contribution incorporated within the Work constitutes direct 85 | or contributory patent infringement, then any patent licenses 86 | granted to You under this License for that Work shall terminate 87 | as of the date such litigation is filed. 88 | 89 | 4. Redistribution. You may reproduce and distribute copies of the 90 | Work or Derivative Works thereof in any medium, with or without 91 | modifications, and in Source or Object form, provided that You 92 | meet the following conditions: 93 | 94 | (a) You must give any other recipients of the Work or 95 | Derivative Works a copy of this License; and 96 | 97 | (b) You must cause any modified files to carry prominent notices 98 | stating that You changed the files; and 99 | 100 | (c) You must retain, in the Source form of any Derivative Works 101 | that You distribute, all copyright, patent, trademark, and 102 | attribution notices from the Source form of the Work, 103 | excluding those notices that do not pertain to any part of 104 | the Derivative Works; and 105 | 106 | (d) If the Work includes a "NOTICE" text file as part of its 107 | distribution, then any Derivative Works that You distribute must 108 | include a readable copy of the attribution notices contained 109 | within such NOTICE file, excluding those notices that do not 110 | pertain to any part of the Derivative Works, in at least one 111 | of the following places: within a NOTICE text file distributed 112 | as part of the Derivative Works; within the Source form or 113 | documentation, if provided along with the Derivative Works; or, 114 | within a display generated by the Derivative Works, if and 115 | wherever such third-party notices normally appear. The contents 116 | of the NOTICE file are for informational purposes only and 117 | do not modify the License. You may add Your own attribution 118 | notices within Derivative Works that You distribute, alongside 119 | or as an addendum to the NOTICE text from the Work, provided 120 | that such additional attribution notices cannot be construed 121 | as modifying the License. 122 | 123 | You may add Your own copyright statement to Your modifications and 124 | may provide additional or different license terms and conditions 125 | for use, reproduction, or distribution of Your modifications, or 126 | for any such Derivative Works as a whole, provided Your use, 127 | reproduction, and distribution of the Work otherwise complies with 128 | the conditions stated in this License. 129 | 130 | 5. Submission of Contributions. Unless You explicitly state otherwise, 131 | any Contribution intentionally submitted for inclusion in the Work 132 | by You to the Licensor shall be under the terms and conditions of 133 | this License, without any additional terms or conditions. 134 | Notwithstanding the above, nothing herein shall supersede or modify 135 | the terms of any separate license agreement you may have executed 136 | with Licensor regarding such Contributions. 137 | 138 | 6. Trademarks. This License does not grant permission to use the trade 139 | names, trademarks, service marks, or product names of the Licensor, 140 | except as required for reasonable and customary use in describing the 141 | origin of the Work and reproducing the content of the NOTICE file. 142 | 143 | 7. Disclaimer of Warranty. Unless required by applicable law or 144 | agreed to in writing, Licensor provides the Work (and each 145 | Contributor provides its Contributions) on an "AS IS" BASIS, 146 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or 147 | implied, including, without limitation, any warranties or conditions 148 | of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A 149 | PARTICULAR PURPOSE. You are solely responsible for determining the 150 | appropriateness of using or redistributing the Work and assume any 151 | risks associated with Your exercise of permissions under this License. 152 | 153 | 8. Limitation of Liability. In no event and under no legal theory, 154 | whether in tort (including negligence), contract, or otherwise, 155 | unless required by applicable law (such as deliberate and grossly 156 | negligent acts) or agreed to in writing, shall any Contributor be 157 | liable to You for damages, including any direct, indirect, special, 158 | incidental, or consequential damages of any character arising as a 159 | result of this License or out of the use or inability to use the 160 | Work (including but not limited to damages for loss of goodwill, 161 | work stoppage, computer failure or malfunction, or any and all 162 | other commercial damages or losses), even if such Contributor 163 | has been advised of the possibility of such damages. 164 | 165 | 9. Accepting Warranty or Additional Liability. While redistributing 166 | the Work or Derivative Works thereof, You may choose to offer, 167 | and charge a fee for, acceptance of support, warranty, indemnity, 168 | or other liability obligations and/or rights consistent with this 169 | License. However, in accepting such obligations, You may act only 170 | on Your own behalf and on Your sole responsibility, not on behalf 171 | of any other Contributor, and only if You agree to indemnify, 172 | defend, and hold each Contributor harmless for any liability 173 | incurred by, or claims asserted against, such Contributor by reason 174 | of your accepting any such warranty or additional liability. 175 | 176 | END OF TERMS AND CONDITIONS 177 | 178 | APPENDIX: How to apply the Apache License to your work. 179 | 180 | To apply the Apache License to your work, attach the following 181 | boilerplate notice, with the fields enclosed by brackets "{}" 182 | replaced with your own identifying information. (Don't include 183 | the brackets!) The text should be enclosed in the appropriate 184 | comment syntax for the file format. We also recommend that a 185 | file or class name and description of purpose be included on the 186 | same "printed page" as the copyright notice for easier 187 | identification within third-party archives. 188 | 189 | Copyright {yyyy} {name of copyright owner} 190 | 191 | Licensed under the Apache License, Version 2.0 (the "License"); 192 | you may not use this file except in compliance with the License. 193 | You may obtain a copy of the License at 194 | 195 | http://www.apache.org/licenses/LICENSE-2.0 196 | 197 | Unless required by applicable law or agreed to in writing, software 198 | distributed under the License is distributed on an "AS IS" BASIS, 199 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 200 | See the License for the specific language governing permissions and 201 | limitations under the License. 202 | --------------------------------------------------------------------------------