Merge branch 'feature/add_generate_cert_script' into 'master'

add generate cert script See merge request espressif/esp-idf!24075
2023-06-15 20:32:58 +08:00
parent 98bc3d7e01 864f7632a4
commit 13c794f5be
4 changed files with 263 additions and 12 deletions
--- a/examples/wifi/wifi_enterprise/README.md
+++ b/examples/wifi/wifi_enterprise/README.md
@@ -12,13 +12,14 @@ This example shows how ESP32 connects to AP with Wi-Fi enterprise encryption. Th
 5. Enable wpa2 enterprise.
 6. Connect to AP.
-*Note:* 1. The certificates currently are generated and are present in examples/wifi/wifi_enterprise/main folder.
+*Note:* 
-        2. The expiration date of the certificates is 2027/06/05.
+1. The certificates currently are generated and are present in examples/wifi/wifi_enterprise/main folder.
-        3. In case using suite-b, please use appropriate certificates such as RSA-3072 or p384 EC certificates.
+2. The expiration date of the certificates is 2027/06/05.
 3. In case using suite-b, please go into `generate_certs` directory, then execute the script as `sh generate_certs.sh <type>` to create appropriate certificates such as RSA-3072 or p384 EC certificates.
 The steps to create new certificates are given below.
-## The file ca.pem, ca.key, server.pem, server.crt and server.key can be used to configure AP with enterprise encryption.
+The file ca.pem, ca.key, server.pem, server.crt and server.key can be used to configure AP with enterprise encryption.
 ## How to use Example
@@ -43,7 +44,7 @@ idf.py -p PORT flash monitor
 ## Steps to create enterprise openssl certs
 1. make directry tree
-
+```
  mkdir demoCA
  mkdir demoCA/newcerts
  mkdir demoCA/private
@@ -58,30 +59,36 @@ idf.py -p PORT flash monitor
      [ xpserver_ext ]
      extendedKeyUsage = 1.3.6.1.5.5.7.3.1
-
+```
 2. ca.pem: root certificate, foundation of certificate verigy
 ```
  openssl req -new -x509 -keyout ca.key -out ca.pem
-
+```
 3. generate rsa keys for client and server
 ```
  openssl genrsa -out client.key 2048
  openssl genrsa -out server.key 2048
-
+```
 4. generate certificate signing req for both client and server
 ```
  openssl req -new -key client.key -out client.csr
  openssl req -new -key server.key -out server.csr
-
+```
 5. create certs (.crt) for client nd server
 ```
  openssl ca -batch -keyfile ca.key -cert ca.pem -in client.csr -key (password) -out client.crt -extensions xpclient_ext -extfile xpextensions
  openssl ca -batch -keyfile ca.key -cert ca.pem -in server.csr -key (password) -out server.crt -extensions xpserver_ext -extfile xpextensions
-
+```
 6. export .p12 files
 ```
  openssl pkcs12 -export -out client.p12 -inkey client.key -in client.crt
  openssl pkcs12 -export -out server.p12 -inkey server.key -in server.crt
-
+```
 7. create .pem files
 ```
  openssl pkcs12 -in client.p12 -out client.pem
  openssl pkcs12 -in server.p12 -out server.pem
-
+```
 ### Example output
--- a/examples/wifi/wifi_enterprise/generate_certs/example-ca-openssl.cnf
+++ b/examples/wifi/wifi_enterprise/generate_certs/example-ca-openssl.cnf
@@ -0,0 +1,117 @@
 # OpenSSL configuration file
 HOME			= .
 RANDFILE		= $ENV::HOME/.rnd
 oid_section		= new_oids
 [ new_oids ]
 [ ca ]
 default_ca	= CA_default
 [ CA_default ]
 dir		= ./ca
 certs		= $dir/certs
 crl_dir		= $dir/crl
 database	= $dir/index.txt
 unique_subject	= no
 new_certs_dir	= $dir/newcerts
 certificate	= $dir/cacert.pem
 serial		= $dir/serial
 crlnumber	= $dir/crlnumber
 crl		= $dir/crl.pem
 private_key	= $dir/private/cakey.pem
 RANDFILE	= $dir/private/.rand
 x509_extensions	= usr_cert
 name_opt 	= ca_default
 cert_opt 	= ca_default
 copy_extensions = copy
 default_days	= 3650
 default_crl_days= 30
 default_md	= default
 preserve	= no
 policy		= policy_match
 [ policy_match ]
 countryName		= match
 stateOrProvinceName	= optional
 organizationName	= match
 organizationalUnitName	= optional
 commonName		= supplied
 #emailAddress		= optional
 [ policy_anything ]
 countryName		= optional
 stateOrProvinceName	= optional
 localityName		= optional
 organizationName	= optional
 organizationalUnitName	= optional
 commonName		= supplied
 #emailAddress		= optional
 [ req ]
 distinguished_name	= req_distinguished_name
 attributes		= req_attributes
 x509_extensions	= v3_ca
 string_mask = utf8only
 [ req_distinguished_name ]
 countryName			= Country Name (2 letter code)
 countryName_default		= CN
 countryName_min			= 2
 countryName_max			= 2
 localityName			= Locality Name (eg, city)
 localityName_default		= Shanghai
 0.organizationName		= Organization Name (eg, company)
 0.organizationName_default	= espressif
 commonName			= Common Name (e.g. server FQDN or YOUR name)
 #@CN@
 commonName_max			= 64
 [ req_attributes ]
 [ v3_ca ]
 subjectKeyIdentifier=hash
 authorityKeyIdentifier=keyid:always,issuer
 basicConstraints = critical, CA:true
 #keyUsage = critical, cRLSign, keyCertSign
 [ crl_ext ]
 # issuerAltName=issuer:copy
 authorityKeyIdentifier=keyid:always
 [ usr_cert ]
 basicConstraints=CA:FALSE
 nsComment = "OpenSSL Generated Certificate"
 subjectKeyIdentifier=hash
 authorityKeyIdentifier=keyid:issuer
 [ v3_req ]
 basicConstraints = CA:FALSE
 keyUsage = nonRepudiation, digitalSignature, keyEncipherment
 [ ext_client ]
 extendedKeyUsage = 1.3.6.1.5.5.7.3.2
 basicConstraints=CA:FALSE
 subjectKeyIdentifier = hash
 nsComment = "OpenSSL Generated Certificate"
 authorityKeyIdentifier = keyid:always, issuer
 [ ext_server ]
 extendedKeyUsage = 1.3.6.1.5.5.7.3.1
 basicConstraints=CA:FALSE
 subjectKeyIdentifier = hash
 nsComment = "OpenSSL Generated Certificate"
 authorityKeyIdentifier = keyid:always, issuer
--- a/examples/wifi/wifi_enterprise/generate_certs/generate_certs.sh
+++ b/examples/wifi/wifi_enterprise/generate_certs/generate_certs.sh
@@ -0,0 +1,126 @@
 #!/bin/bash
 help_text="
 Usage: generate_certs.sh <cert_type>\n
 <cert_type> only support p384, 2048, 3072, 4096\n
 example:\n
 sh generate_certs.sh p384\n
 sh generate_certs.sh 2048\n
 sh generate_certs.sh 3072\n
 sh generate_certs.sh 4096\n
 "
 DIGEST="-sha256"
 DIGEST_CA="-md sha256"
 CERT_TYPE="2048"
 CERT="2048-ca"
 show_help() {
    echo -e $help_text
 }
 init_param() {
    if [ $(basename "$(pwd)") != "generate_certs" ]; then
        echo "path is incorrect, please go into generate_certs directory"
        exit
    fi
    CERT_TYPE=$1
    CERT=${CERT_TYPE}-ca
    if [ -d "$CERT" ]; then
        rm -rf "$CERT"
    fi
    if [ $1 = "p384" ] || [ $1 = "3072" ]; then
        DIGEST="-sha384"
        DIGEST_CA="-md sha384"
    elif [ $1 = "2048" ] || [ $1 = "4096" ]; then
        DIGEST="-sha256"
        DIGEST_CA="-md sha256"
    else
        echo "parameter error"
        exit
    fi
 }
 create_ca() {
    echo
    echo "---[ Root CA ]----------------------------------------------------------"
    if [ -d $CERT ]; then
        rm $CERT
    fi
    mkdir -p $CERT
    cat example-ca-openssl.cnf |
    sed "s/#@CN@/commonName_default = Root CA/" |
    sed s%\./ca$%./$CERT% \
    > ${CERT}-openssl.cnf.tmp
    mkdir -p $CERT/certs $CERT/crl $CERT/newcerts $CERT/private
    case "$CERT_TYPE" in
        "p384") openssl ecparam -out $CERT/ca.key -name secp384r1 -genkey;;
        "2048") openssl genrsa -out $CERT/ca.key 2048;;
        "3072") openssl genrsa -out $CERT/ca.key 3072;;
        "4096") openssl genrsa -out $CERT/ca.key 4096;;
    esac
    openssl req -config ${CERT}-openssl.cnf.tmp -batch -new -x509 -key $CERT/ca.key -out $CERT/ca.pem $DIGEST
    touch $CERT/index.txt
    rm ${CERT}-openssl.cnf.tmp
 }
 create_certs() {
    echo
    echo "---[ Server ]-----------------------------------------------------------"
    echo
    cat example-ca-openssl.cnf |
    	sed "s/#@CN@/commonName_default = $CERT_TYPE.$1/" |
        sed s%\./ca$%./$CERT% \
        > ${CERT}-openssl.cnf.tmp
    echo "---[ Generate $1 Key]----------------------------------------------"
    case "$CERT_TYPE" in
        "p384") openssl ecparam -out $CERT/$1.key -name secp384r1 -genkey;;
        "2048") openssl genrsa -out $CERT/$1.key 2048;;
        "3072") openssl genrsa -out $CERT/$1.key 3072;;
        "4096") openssl genrsa -out $CERT/$1.key 4096;;
    esac
    echo "---[ Generate $1 Req]----------------------------------------------"
    openssl req -config ${CERT}-openssl.cnf.tmp -batch -new -key $CERT/$1.key -out $CERT/$1.req $DIGEST
    openssl ca -config ${CERT_TYPE}-ca-openssl.cnf.tmp -batch -keyfile $CERT/ca.key -cert $CERT/ca.pem -create_serial -in $CERT/$1.req -out $CERT/$1.pem -extensions ext_$1 ${DIGEST_CA}
    cp $CERT/$1.pem $CERT/$1.crt
    rm ${CERT_TYPE}-ca-openssl.cnf.tmp
 }
 verify() {
    echo
    echo "---[ Verify ]-----------------------------------------------------------"
    echo
    openssl verify -CAfile $CERT/ca.pem $CERT/server.pem
    openssl verify -CAfile $CERT/ca.pem $CERT/server.crt
    openssl verify -CAfile $CERT/ca.pem $CERT/client.pem
    openssl verify -CAfile $CERT/ca.pem $CERT/client.crt
 }
 clean() {
    rm $CERT/*.req
    rm $CERT/index*
    rm $CERT/serial*
    rm -rf $CERT/certs
    rm -rf $CERT/newcerts
    rm -rf $CERT/private
    rm -rf $CERT/crl
 }
 if [ "$1" = "--help" ] || [ "$1" = "-h" ] || [ -z "$1" ]; then
    show_help
    exit 0
 else
    init_param $1
    create_ca
    create_certs "server"
    create_certs "client"
    verify
    clean
 fi
--- a/tools/ci/executable-list.txt
+++ b/tools/ci/executable-list.txt
@@ -43,6 +43,7 @@ examples/storage/parttool/parttool_example.sh
 examples/system/ota/otatool/get_running_partition.py
 examples/system/ota/otatool/otatool_example.py
 examples/system/ota/otatool/otatool_example.sh
 examples/wifi/wifi_enterprise/generate_certs/generate_certs.sh
 install.fish
 install.sh
 tools/check_python_dependencies.py