Google Git
Sign in
apache / qpid-broker-j / 7e4408615a64838e0b9cb3d205f550b3c3c1c053 / . / qpid-test-utils / src / main / resources / ssl / generate_certificates.sh
blob: 636d6d56ce17ce6216f3b0698c367aafd83b3c46 [file] [log] [blame]
#!/bin/sh
#
# Licensed to the Apache Software Foundation (ASF) under one
# or more contributor license agreements. See the NOTICE file
# distributed with this work for additional information
# regarding copyright ownership. The ASF licenses this file
# to you under the Apache License, Version 2.0 (the
# "License"); you may not use this file except in compliance
# with the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing,
# software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
# KIND, either express or implied. See the License for the
# specific language governing permissions and limitations
# under the License.
#
MY_PATH="$(dirname "$(readlink -f "$0")")"
CRL_HTTP_PORT=8186
PASSWORD=password
ROOT_CA=MyRootCA
INTERMEDIATE_CA=intermediate_ca
OPENSSL_DIR="$MY_PATH/openssl"
OPENSSL_CONF="$OPENSSL_DIR/openssl.conf"
CERTIFICATES_DIR="$MY_PATH/certificates"
VALID_DAYS=1461
CLIENT_KEYSTORE="$CERTIFICATES_DIR/client_keystore.jks"
CLIENT_TRUSTSTORE="$CERTIFICATES_DIR/client_truststore.jks"
CLIENT_EXPIRED_KEYSTORE="$CERTIFICATES_DIR/client_expired_keystore.jks"
CLIENT_EXPIRED_CRT="$CERTIFICATES_DIR/client_expired.crt"
CLIENT_UNTRUSTED_KEYSTORE="$CERTIFICATES_DIR/client_untrusted_keystore.jks"
BROKER_KEYSTORE="$CERTIFICATES_DIR/broker_keystore.jks"
BROKER_TRUSTSTORE="$CERTIFICATES_DIR/broker_truststore.jks"
BROKER_PEERSTORE="$CERTIFICATES_DIR/broker_peerstore.jks"
BROKER_EXPIRED_TRUSTSTORE="$CERTIFICATES_DIR/broker_expired_truststore.jks"
BROKER_CRT="$CERTIFICATES_DIR/broker.crt"
BROKER_CSR="$CERTIFICATES_DIR/broker.csr"
BROKER_ALIAS="broker"
TEST_KEYSTORE="$CERTIFICATES_DIR/test_keystore.jks"
TEST_PK_ONLY_KEYSTORE="$CERTIFICATES_DIR/test_pk_only_keystore.jks"
TEST_CERT_ONLY_KEYSTORE="$CERTIFICATES_DIR/test_cert_only_keystore.jks"
TEST_SYMMETRIC_KEY_KEYSTORE="$CERTIFICATES_DIR/test_symmetric_key_keystore.jks"
TEST_EMPTY_KEYSTORE="$CERTIFICATES_DIR/test_empty_keystore.jks"
# set to true for debug
DEBUG=false
generate_selfsigned_ca()
{
echo "Generating selfsigned CA certificate"
openssl req -x509 -newkey rsa:2048 -keyout "$CERTIFICATES_DIR/$ROOT_CA.key" -out "$CERTIFICATES_DIR/$ROOT_CA.crt" -days 1461 -subj '/C=CA/ST=Ontario/O=ACME/CN=MyRootCA' -passout pass:$PASSWORD -sha512 && \
keytool -import -alias rootca -file "$CERTIFICATES_DIR/$ROOT_CA.crt" -storepass "$PASSWORD" -noprompt -deststoretype PKCS12 -keystore "$CLIENT_KEYSTORE" && \
keytool -import -alias rootca -file "$CERTIFICATES_DIR/$ROOT_CA.crt" -storepass "$PASSWORD" -noprompt -deststoretype PKCS12 -keystore "$CLIENT_TRUSTSTORE" && \
keytool -import -alias rootca -file "$CERTIFICATES_DIR/$ROOT_CA.crt" -storepass "$PASSWORD" -noprompt -deststoretype PKCS12 -keystore "$BROKER_KEYSTORE" && \
keytool -import -alias rootca -file "$CERTIFICATES_DIR/$ROOT_CA.crt" -storepass "$PASSWORD" -noprompt -deststoretype PKCS12 -keystore "$BROKER_TRUSTSTORE"
_rc=$?
if [ $_rc -eq 0 ]; then
echo "Selfsigned CA certificate successfully generated"
else
echo "Failed to generate selfsigned CA certificate" >&2
fi
return $_rc
}
prepare_openssl_environment()
{
echo "Preparing openssl environment"
rm -rf "$CERTIFICATES_DIR" && \
mkdir "$CERTIFICATES_DIR" && \
rm -rf "$OPENSSL_DIR" && \
mkdir "$OPENSSL_DIR" && \
cp "$MY_PATH/openssl.conf" "$OPENSSL_DIR" && \
sed -i "s|^dir = .|dir = $OPENSSL_DIR|" "$OPENSSL_CONF" && \
echo 1234 > "$OPENSSL_DIR"/serial && \
echo 1234 > "$OPENSSL_DIR"/crlnumber && \
touch "$OPENSSL_DIR"/index.txt && \
echo "unique_subject = no" > "$OPENSSL_DIR"/index.txt.attr && \
mkdir "$OPENSSL_DIR"/newcerts
_rc=$?
if [ $_rc -eq 0 ]; then
echo "Openssl environment successfully prepared"
else
echo "Failed to prepare openssl environment" >&2
fi
return $_rc
}
# $1 - alias
generate_signed_certificate()
{
_alias=$1
_subject="/C=CA/ST=ON/L=Toronto/O=acme/OU=art/CN=$_alias@acme.org"
echo "Generating CA signed certificate '$_alias'"
openssl req -x509 -newkey rsa:2048 -keyout "$CERTIFICATES_DIR/$_alias.self.key" -out "$CERTIFICATES_DIR/$_alias.self.crt" -subj "$_subject" -sha512 -passout pass:$PASSWORD && \
openssl req -config "$OPENSSL_CONF" -new -key "$CERTIFICATES_DIR/$_alias.self.key" -out "$CERTIFICATES_DIR/$_alias.csr" -sha512 -subj "$_subject" -passin pass:$PASSWORD && \
openssl ca -config "$OPENSSL_CONF" -md sha512 -extensions v3_req -batch -passin pass:$PASSWORD -out "$CERTIFICATES_DIR/$_alias.crt" -keyfile "$CERTIFICATES_DIR/$ROOT_CA.key" -cert "$CERTIFICATES_DIR/$ROOT_CA.crt" -days $VALID_DAYS -infiles "$CERTIFICATES_DIR/$_alias.csr" && \
openssl pkcs12 -export -chain -CAfile "$CERTIFICATES_DIR/$ROOT_CA.crt" -in "$CERTIFICATES_DIR/$_alias.crt" -inkey "$CERTIFICATES_DIR/$_alias.self.key" -out "$CERTIFICATES_DIR/$_alias.jks" -name $_alias -passin pass:"$PASSWORD" -passout pass:"$PASSWORD" && \
keytool -importkeystore -srckeystore "$CERTIFICATES_DIR/$_alias.jks" -srcstoretype PKCS12 -storepass "$PASSWORD" -srcstorepass "$PASSWORD" -alias $_alias -deststoretype PKCS12 -destkeystore "$CLIENT_KEYSTORE"
_rc=$?
if [ $_rc -eq 0 ]; then
echo "CA signed certificate '$_alias' successfully generated"
else
echo "Failed to generate CA signed certificate '$_alias'" >&2
fi
return $_rc
}
# $1 - certificate alias
generate_signed_certificate_with_intermediate_signed_certificate()
{
_alias=$1
_intermediate_ca_subject="/C=CA/ST=ON/L=Toronto/O=acme/OU=art/CN=$INTERMEDIATE_CA@acme.org"
_subject="/C=CA/ST=ON/L=Toronto/O=acme/OU=art/CN=$_alias@acme.org"
echo "Generating CA signed certificate '$_alias' with intermediate CA certificate '$INTERMEDIATE_CA'"
openssl req -x509 -newkey rsa:2048 -keyout "$CERTIFICATES_DIR/$INTERMEDIATE_CA.self.key" -out "$CERTIFICATES_DIR/$INTERMEDIATE_CA.self.crt" -subj "$_intermediate_ca_subject" -sha512 -passout pass:$PASSWORD && \
openssl req -config "$OPENSSL_CONF" -verbose -new -key "$CERTIFICATES_DIR/$INTERMEDIATE_CA.self.key" -out "$CERTIFICATES_DIR/$INTERMEDIATE_CA.csr" -sha512 -subj "$_intermediate_ca_subject" -passin pass:$PASSWORD && \
openssl ca -config "$OPENSSL_CONF" -md sha512 -extensions v3_ca -batch -passin pass:$PASSWORD -out "$CERTIFICATES_DIR/$INTERMEDIATE_CA.crt" -keyfile "$CERTIFICATES_DIR/$ROOT_CA.key" -cert "$CERTIFICATES_DIR/$ROOT_CA.crt" -days $VALID_DAYS -infiles "$CERTIFICATES_DIR/$INTERMEDIATE_CA.csr" && \
openssl pkcs12 -export -chain -CAfile "$CERTIFICATES_DIR/$ROOT_CA.crt" -in "$CERTIFICATES_DIR/$INTERMEDIATE_CA.crt" -inkey "$CERTIFICATES_DIR/$INTERMEDIATE_CA.self.key" -out "$CERTIFICATES_DIR/$INTERMEDIATE_CA.jks" -name $INTERMEDIATE_CA -passin pass:"$PASSWORD" -passout pass:"$PASSWORD"
echo "Generating CA signed certificate for '$_alias'" && \
openssl req -x509 -newkey rsa:2048 -keyout "$CERTIFICATES_DIR/$_alias.self.key" -out "$CERTIFICATES_DIR/$_alias.self.crt" -subj "$_subject" -sha512 -passout pass:$PASSWORD && \
openssl req -config "$OPENSSL_CONF" -verbose -new -key "$CERTIFICATES_DIR/$_alias.self.key" -out "$CERTIFICATES_DIR/$_alias.csr" -sha512 -subj "$_subject" -passin pass:$PASSWORD && \
openssl ca -config "$OPENSSL_CONF" -md sha512 -extensions v3_req -batch -passin pass:$PASSWORD -out "$CERTIFICATES_DIR/$_alias.crt" -keyfile "$CERTIFICATES_DIR/$INTERMEDIATE_CA.self.key" -cert "$CERTIFICATES_DIR/$INTERMEDIATE_CA.crt" -days $VALID_DAYS -infiles "$CERTIFICATES_DIR/$_alias.csr" && \
cat "$CERTIFICATES_DIR/$INTERMEDIATE_CA.crt" "$CERTIFICATES_DIR/$ROOT_CA.crt" > "$CERTIFICATES_DIR/chain_with_intermediate.crt"
openssl pkcs12 -export -chain -CAfile "$CERTIFICATES_DIR/chain_with_intermediate.crt" -in "$CERTIFICATES_DIR/$_alias.crt" -inkey "$CERTIFICATES_DIR/$_alias.self.key" -out "$CERTIFICATES_DIR/$_alias.jks" -name $_alias -passin pass:"$PASSWORD" -passout pass:"$PASSWORD" && \
keytool -importkeystore -srckeystore "$CERTIFICATES_DIR/$_alias.jks" -srcstoretype PKCS12 -storepass "$PASSWORD" -srcstorepass "$PASSWORD" -alias $_alias -deststoretype PKCS12 -destkeystore "$CLIENT_KEYSTORE"
_rc=$?
if [ $_rc -eq 0 ]; then
echo "CA signed certificate '$_alias' with intermediate CA certificate '$INTERMEDIATE_CA' successfully generated"
else
echo "Failed to generate CA signed certificate '$_alias' with intermediate CA certificate '$INTERMEDIATE_CA'" >&2
fi
return $_rc
}
generate_expired_certificate()
{
_alias=user1
echo "Generating expired certificate '$_alias'"
keytool -genkeypair -alias $_alias -dname CN=USER1 -startdate "2010/01/01 12:00:00" -validity $VALID_DAYS -keysize 2048 -keyalg RSA -sigalg SHA512withRSA -keypass "$PASSWORD" -storepass "$PASSWORD" -deststoretype PKCS12 -keystore "$CLIENT_EXPIRED_KEYSTORE" && \
keytool -exportcert -keystore "$CLIENT_EXPIRED_KEYSTORE" -storepass "$PASSWORD" -alias $_alias -rfc -file "$CLIENT_EXPIRED_CRT" && \
keytool -import -alias $_alias -file "$CLIENT_EXPIRED_CRT" -storepass "$PASSWORD" -noprompt -deststoretype PKCS12 -sigalg SHA512withRSA -keystore "$BROKER_EXPIRED_TRUSTSTORE"
_rc=$?
if [ $_rc -eq 0 ]; then
echo "Expired certificate '$_alias' successfully generated"
else
echo "Failed to generate expired certificate '$_alias'" >&2
fi
return $_rc
}
generate_signed_broker_certificate()
{
_subject="/C=CA/ST=Unknown/L=Unknown/O=Unknown/OU=Unknown/CN=localhost"
echo "Generating CA signed certificate '$BROKER_ALIAS'"
openssl req -x509 -newkey rsa:2048 -keyout "$CERTIFICATES_DIR/$BROKER_ALIAS.self.key" -out "$CERTIFICATES_DIR/$BROKER_ALIAS.self.crt" -subj "$_subject" -passout pass:$PASSWORD && \
openssl req -config "$OPENSSL_CONF" -verbose -new -key "$CERTIFICATES_DIR/$BROKER_ALIAS.self.key" -out "$BROKER_CSR" -sha512 -subj "$_subject" -passin pass:$PASSWORD && \
openssl ca -config "$OPENSSL_CONF" -md sha512 -extensions v3_req -batch -passin pass:$PASSWORD -out "$BROKER_CRT" -keyfile "$CERTIFICATES_DIR/$ROOT_CA.key" -cert "$CERTIFICATES_DIR/$ROOT_CA.crt" -days $VALID_DAYS -infiles "$BROKER_CSR" && \
openssl pkcs12 -export -chain -CAfile "$CERTIFICATES_DIR/$ROOT_CA.crt" -in "$BROKER_CRT" -inkey "$CERTIFICATES_DIR/$BROKER_ALIAS.self.key" -out "$CERTIFICATES_DIR/$BROKER_ALIAS.jks" -name $BROKER_ALIAS -passin pass:"$PASSWORD" -passout pass:"$PASSWORD" && \
keytool -importkeystore -srckeystore "$CERTIFICATES_DIR/$BROKER_ALIAS.jks" -srcstoretype PKCS12 -storepass "$PASSWORD" -srcstorepass "$PASSWORD" -alias $BROKER_ALIAS -deststoretype PKCS12 -destkeystore "$BROKER_KEYSTORE"
_rc=$?
if [ $_rc -eq 0 ]; then
echo "CA signed certificate '$BROKER_ALIAS' successfully generated"
else
echo "Failed to generate CA signed certificate '$BROKER_ALIAS'" >&2
fi
return $_rc
}
# $1 - certificate alias
# $2 - keystore where certificate will be imported
import_to_keystore()
{
_alias=$1
_keystore="$2"
echo "Importing certificate '$_alias' to keystore '$_keystore'"
keytool -import -alias $_alias -file "$CERTIFICATES_DIR/$_alias.crt" -storepass "$PASSWORD" -noprompt -deststoretype PKCS12 -sigalg SHA512withRSA -keystore "$_keystore"
_rc=$?
if [ $_rc -eq 0 ]; then
echo "Certificate '$_alias' successfully imported to keystore '$_keystore'"
else
echo "Failed to import certificate '$_alias' to keystore '$_keystore'" >&2
fi
return $_rc
}
generate_untrusted_client_certificate()
{
_alias=untrusted_client
echo "Generating untrusted certificate '$_alias'"
keytool -genkeypair -alias $_alias -dname CN=$_alias -validity $VALID_DAYS -keysize 2048 -keyalg RSA -sigalg SHA512withRSA -keypass "$PASSWORD" -storepass "$PASSWORD" -deststoretype PKCS12 -keystore "$CLIENT_UNTRUSTED_KEYSTORE"
_rc=$?
if [ $_rc -eq 0 ]; then
echo "Untrusted certificate '$_alias' successfully generated"
else
echo "Failed to generate untrusted certificate '$_alias'" >&2
fi
return $_rc
}
add_certificate_crl_distribution_point()
{
echo "Add CRL distribution points to openssl configuration"
sed -i "/\[ v3_req \]/a crlDistributionPoints=URI:http://localhost:$CRL_HTTP_PORT/$ROOT_CA.crl" "$OPENSSL_CONF" && \
sed -i "/\[ v3_ca \]/a crlDistributionPoints=URI:http://localhost:$CRL_HTTP_PORT/$ROOT_CA.crl" "$OPENSSL_CONF"
_rc=$?
if [ $_rc -eq 0 ]; then
echo "CRL distribution points successfully addded"
else
echo "Failed to add CRL distribution points" >&2
fi
return $_rc
}
set_certificate_crl_distribution_point_to_intermediate_ca()
{
echo "Setting CRL distribution point for intermediate CA certificate '$INTERMEDIATE_CA'"
sed -i -z "s|crlDistributionPoints=URI:http://localhost:$CRL_HTTP_PORT/$ROOT_CA.crl|crlDistributionPoints=URI:http://localhost:$CRL_HTTP_PORT/$INTERMEDIATE_CA.crl|" "$OPENSSL_CONF"
_rc=$?
if [ $_rc -eq 0 ]; then
echo "CRL distribution point for intermediate CA certificate '$INTERMEDIATE_CA' successfully set"
else
echo "Failed to set CRL distribution point for intermediate CA certificate '$INTERMEDIATE_CA'" >&2
fi
return $_rc
}
set_certificate_crl_distribution_point_to_empty_crl()
{
echo "Setting CRL distribution point to empty CRL"
sed -i -z "s|crlDistributionPoints=URI:http://localhost:$CRL_HTTP_PORT/$INTERMEDIATE_CA.crl|crlDistributionPoints=URI:http://localhost:$CRL_HTTP_PORT/$ROOT_CA.empty.crl|" "$OPENSSL_CONF"
_rc=$?
if [ $_rc -eq 0 ]; then
echo "CRL distribution point to empty CRL successfully set"
else
echo "Failed to set CRL distribution to empty CRL" >&2
fi
return $_rc
}
set_certificate_crl_distribution_point_to_invalid_crl_path()
{
echo "Setting CRL distribution point to invalid CRL path"
sed -i "s|crlDistributionPoints=URI:http://localhost:$CRL_HTTP_PORT/$ROOT_CA.empty.crl|crlDistributionPoints=URI:http://localhost:$CRL_HTTP_PORT/not/a/crl|" "$OPENSSL_CONF"
_rc=$?
if [ $_rc -eq 0 ]; then
echo "CRL distribution point to invalid CRL path successfully set"
else
echo "Failed to set CRL distribution to invalid CRL path" >&2
fi
return $_rc
}
generate_intermediate_crl()
{
echo "Generating intermediate CA certificate '$INTERMEDIATE_CA' CRL"
openssl ca -config "$OPENSSL_CONF" -passin pass:$PASSWORD -gencrl -keyfile "$CERTIFICATES_DIR/$INTERMEDIATE_CA.self.key" -cert "$CERTIFICATES_DIR/$INTERMEDIATE_CA.crt" -out "$CERTIFICATES_DIR/$INTERMEDIATE_CA.crl.pem" && \
openssl crl -inform PEM -in "$CERTIFICATES_DIR/$INTERMEDIATE_CA.crl.pem" -outform DER -out "$CERTIFICATES_DIR/$INTERMEDIATE_CA.crl"
_rc=$?
if [ $_rc -eq 0 ]; then
echo "Intermediate CA certificate '$INTERMEDIATE_CA' CRL successfully generated"
else
echo "Failed to generate intermediate CA certificate '$INTERMEDIATE_CA' CRL" >&2
fi
return $_rc
}
# $1 - part of CRL file name
generate_crl()
{
_crl_name_part=$1
_crl_path_prefix=
if [ -n "$_crl_name_part" ]; then
_crl_path_prefix="$CERTIFICATES_DIR/$ROOT_CA.$_crl_name_part"
else
_crl_path_prefix="$CERTIFICATES_DIR/$ROOT_CA"
fi
echo "Generating certificate '$ROOT_CA' CRL to '$_crl_path_prefix'"
openssl ca -config "$OPENSSL_CONF" -passin pass:$PASSWORD -gencrl -keyfile "$CERTIFICATES_DIR/$ROOT_CA.key" -cert "$CERTIFICATES_DIR/$ROOT_CA.crt" -out "$_crl_path_prefix.crl.pem" && \
openssl crl -inform PEM -in "$_crl_path_prefix.crl.pem" -outform DER -out "$_crl_path_prefix.crl"
_rc=$?
if [ $_rc -eq 0 ]; then
echo "Certificate '$ROOT_CA' CRL successfully generated to '$_crl_path_prefix'"
else
echo "Failed to generate certificate '$ROOT_CA' CRL to '$_crl_path_prefix'" >&2
fi
return $_rc
}
revoke_certificate()
{
_alias=$1
echo "Revoking certificate '$_alias'"
openssl ca -config "$OPENSSL_CONF" -passin pass:$PASSWORD -revoke "$CERTIFICATES_DIR/$_alias.crt" -keyfile "$CERTIFICATES_DIR/$ROOT_CA.key" -cert "$CERTIFICATES_DIR/$ROOT_CA.crt"
_rc=$?
if [ $_rc -eq 0 ]; then
echo "Certificate '$_alias' successfully revoked"
else
echo "Failed to revoke certificate '$_alias'" >&2
fi
return $_rc
}
prepare_test_keystores()
{
echo "Preparing test keystores"
cp "$BROKER_KEYSTORE" "$TEST_KEYSTORE" && \
import_to_keystore "app1" "$TEST_KEYSTORE" && \
import_to_keystore "app2" "$TEST_KEYSTORE" && \
cp "$BROKER_KEYSTORE" "$TEST_PK_ONLY_KEYSTORE" && \
keytool -delete -v -alias rootca -storepass password -keystore "$TEST_PK_ONLY_KEYSTORE" && \
cp "$BROKER_KEYSTORE" "$TEST_CERT_ONLY_KEYSTORE" && \
keytool -delete -v -alias $BROKER_ALIAS -storepass password -keystore "$TEST_CERT_ONLY_KEYSTORE" && \
cp "$BROKER_KEYSTORE" "$TEST_SYMMETRIC_KEY_KEYSTORE" && \
keytool -genseckey -alias testalias -keyalg AES -keysize 256 -storetype PKCS12 -storepass "$PASSWORD" -keystore "$TEST_SYMMETRIC_KEY_KEYSTORE" && \
cp "$TEST_PK_ONLY_KEYSTORE" "$TEST_EMPTY_KEYSTORE"
keytool -delete -v -alias $BROKER_ALIAS -storepass password -keystore "$TEST_EMPTY_KEYSTORE" && \
_rc=$?
if [ $_rc -eq 0 ]; then
echo "Test keystores prepared"
else
echo "Failed to prepare keystores" >&2
fi
return $_rc
}
main()
{
prepare_openssl_environment && \
generate_selfsigned_ca && \
generate_signed_certificate "app1" && \
generate_signed_certificate "app2" && \
generate_expired_certificate && \
generate_signed_broker_certificate && \
import_to_keystore "app1" "$BROKER_PEERSTORE" && \
generate_untrusted_client_certificate && \
add_certificate_crl_distribution_point && \
generate_signed_certificate "allowed_by_ca" && \
generate_signed_certificate "revoked_by_ca" && \
set_certificate_crl_distribution_point_to_intermediate_ca && \
generate_signed_certificate_with_intermediate_signed_certificate "allowed_by_ca_with_intermediate" && \
generate_intermediate_crl && \
set_certificate_crl_distribution_point_to_empty_crl && \
generate_signed_certificate "revoked_by_ca_empty_crl" && \
set_certificate_crl_distribution_point_to_invalid_crl_path && \
generate_signed_certificate "revoked_by_ca_invalid_crl_path" && \
generate_crl "empty" && \
revoke_certificate "$INTERMEDIATE_CA" && \
revoke_certificate "revoked_by_ca" && \
revoke_certificate "revoked_by_ca_empty_crl" && \
revoke_certificate "revoked_by_ca_invalid_crl_path" && \
generate_crl && \
prepare_test_keystores
}
if [ "$DEBUG" = true ]; then
main
else
main 2>/dev/null 1>&2
fi