Merge branch 'master' of https://github.com/kaleb-himes/cyassl into certs

This commit is contained in:
toddouska
2014-07-31 16:33:46 -07:00
3 changed files with 439 additions and 16 deletions


@ -5,53 +5,53 @@
# caCrl
openssl ca -gencrl -crldays 365 -out crl.pem -keyfile ~/cyassl/certs/ca-key.pem -cert ~/cyassl/certs/ca-cert.pem
openssl ca -config ../renewcerts/cyassl.cnf -gencrl -crldays 365 -out crl.pem -keyfile ../ca-key.pem -cert ../ca-cert.pem
# metadata
openssl crl -in crl.pem -text > tmp
mv tmp crl.pem
# install
cp crl.pem ~/cyassl/certs/crl/crl.pem
# install (only needed if working outside cyassl)
#cp crl.pem ~/cyassl/certs/crl/crl.pem
# caCrl server revoked
openssl ca -revoke ~/cyassl/certs/server-cert.pem -keyfile ~/cyassl/certs/ca-key.pem -cert ~/cyassl/certs/ca-cert.pem
openssl ca -config ../renewcerts/cyassl.cnf -revoke ../server-cert.pem -keyfile ../ca-key.pem -cert ../ca-cert.pem
# caCrl server revoked generation
openssl ca -gencrl -crldays 365 -out crl.revoked -keyfile ~/cyassl/certs/ca-key.pem -cert ~/cyassl/certs/ca-cert.pem
openssl ca -config ../renewcerts/cyassl.cnf -gencrl -crldays 365 -out crl.revoked -keyfile ../ca-key.pem -cert ../ca-cert.pem
# metadata
openssl crl -in crl.revoked -text > tmp
mv tmp crl.revoked
# install
cp crl.revoked ~/cyassl/certs/crl/crl.revoked
# install (only needed if working outside cyassl)
#cp crl.revoked ~/cyassl/certs/crl/crl.revoked
# remove revoked so next time through the normal CA won't have server revoked
cp blank.index.txt demoCA/index.txt
# cliCrl
openssl ca -gencrl -crldays 365 -out cliCrl.pem -keyfile ~/cyassl/certs/client-key.pem -cert ~/cyassl/certs/client-cert.pem
openssl ca -config ../renewcerts/cyassl.cnf -gencrl -crldays 365 -out cliCrl.pem -keyfile ../client-key.pem -cert ../client-cert.pem
# metadata
openssl crl -in cliCrl.pem -text > tmp
mv tmp cliCrl.pem
# install
cp cliCrl.pem ~/cyassl/certs/crl/cliCrl.pem
# install (only needed if working outside cyassl)
#cp cliCrl.pem ~/cyassl/certs/crl/cliCrl.pem
# eccCliCRL
openssl ca -gencrl -crldays 365 -out eccCliCRL.pem -keyfile ~/cyassl/certs/ecc-client-key.pem -cert ~/cyassl/certs/client-ecc-cert.pem
openssl ca -config ../renewcerts/cyassl.cnf -gencrl -crldays 365 -out eccCliCRL.pem -keyfile ../ecc-client-key.pem -cert ../client-ecc-cert.pem
# metadata
openssl crl -in eccCliCRL.pem -text > tmp
mv tmp eccCliCRL.pem
# install
cp eccCliCRL.pem ~/cyassl/certs/crl/eccCliCRL.pem
# install (only needed if working outside cyassl)
#cp eccCliCRL.pem ~/cyassl/certs/crl/eccCliCRL.pem
# eccSrvCRL
openssl ca -gencrl -crldays 365 -out eccSrvCRL.pem -keyfile ~/cyassl/certs/ecc-key.pem -cert ~/cyassl/certs/server-ecc.pem
openssl ca -config ../renewcerts/cyassl.cnf -gencrl -crldays 365 -out eccSrvCRL.pem -keyfile ../ecc-key.pem -cert ../server-ecc.pem
# metadata
openssl crl -in eccSrvCRL.pem -text > tmp
mv tmp eccSrvCRL.pem
# install
cp eccSrvCRL.pem ~/cyassl/certs/crl/eccSrvCRL.pem
# install (only needed if working outside cyassl)
#cp eccSrvCRL.pem ~/cyassl/certs/crl/eccSrvCRL.pem
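Review bot: The new `openssl ca -config ../renewcerts/cyassl.cnf ...` lines (the second line of each pair, e.g. the crl.pem and crl.revoked generation) now resolve the config, `-keyfile` and `-cert` relative to the working directory, but nothing checks that `openssl ca` succeeded before the unchanged `openssl crl -in crl.pem -text > tmp` / `mv tmp crl.pem` steps run, so a wrong cwd or a failed `-gencrl` can replace the previously installed CRL with an empty file. Adding `set -e` at the top of gencrls.sh (outside this hunk) or `|| exit 1` to each `openssl ca` line would stop the run at the first failure. It would also help to document above the first `openssl ca` line that the script must be run from certs/crl, e.g. `# run from certs/crl: all paths below are relative to that directory`. Note that `-crldays 365` on these lines overrides `default_crl_days = 30` from the config added in this commit, which is fine but worth a comment if intended.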

253
certs/renewcerts.sh Executable file

@ -0,0 +1,253 @@
#!/bin/bash
###############################################################################
######################## FUNCTIONS SECTION ####################################
###############################################################################
#the function that will be called when we are ready to renew the certs.
function run_renewcerts(){
cd certs/
echo ""
#move the custom cnf into our working directory
cp renewcerts/cyassl.cnf cyassl.cnf
# To generate these all in sha1 add the flag "-sha1" on appropriate lines
# That is all lines beginning with: "openssl req"
############################################################
########## update the self-signed client-cert.pem ##########
############################################################
echo "Updating client-cert.pem"
echo ""
#pipe the following arguments to openssl req...
echo -e "US\nMontana\nBozeman\nwolfSSL\nProgramming\nwww.wolfssl.com\ninfo@wolfssl.com\n.\n.\n" | openssl req -new -key client-key.pem -nodes -out client-cert.csr
openssl x509 -req -in client-cert.csr -days 1000 -extfile cyassl.cnf -extensions cyassl_opts -signkey client-key.pem -out client-cert.pem
rm client-cert.csr
openssl x509 -in client-cert.pem -text > tmp.pem
mv tmp.pem client-cert.pem
############################################################
########## update the self-signed ca-cert.pem ##############
############################################################
echo "Updating ca-cert.pem"
echo ""
#pipe the following arguments to openssl req...
echo -e "US\nMontana\nBozeman\nSawtooth\nConsulting\nwww.wolfssl.com\ninfo@wolfssl.com\n.\n.\n" | openssl req -new -key ca-key.pem -nodes -out ca-cert.csr
openssl x509 -req -in ca-cert.csr -days 1000 -extfile cyassl.cnf -extensions cyassl_opts -signkey ca-key.pem -out ca-cert.pem
rm ca-cert.csr
openssl x509 -in ca-cert.pem -text > tmp.pem
mv tmp.pem ca-cert.pem
###########################################################
########## update and sign server-cert.ptm ################
###########################################################
echo "Updating server-cert.pem"
echo ""
#pipe the following arguments to openssl req...
echo -e "US\nMontana\nBozeman\nwolfSSL\nSupport\nwww.wolfssl.com\ninfo@wolfssl.com\n.\n.\n" | openssl req -new -key server-key.pem -nodes > server-req.pem
openssl x509 -req -in server-req.pem -extfile cyassl.cnf -extensions cyassl_opts -days 1000 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 > server-cert.pem
rm server-req.pem
openssl x509 -in ca-cert.pem -text > ca_tmp.pem
openssl x509 -in server-cert.pem -text > srv_tmp.pem
mv srv_tmp.pem server-cert.pem
cat ca_tmp.pem >> server-cert.pem
rm ca_tmp.pem
############################################################
########## update and sign the server-ecc-rsa.pem ##########
############################################################
echo "Updating server-ecc-rsa.pem"
echo ""
echo -e "US\nMontana\nBozeman\nElliptic - RSAsig\nECC-RSAsig\nwww.wolfssl.com\ninfo@wolfssl.com\n.\n.\n" | openssl req -new -key ecc-key.pem -nodes > server-ecc-req.pem
openssl x509 -req -in server-ecc-req.pem -extfile cyassl.cnf -extensions cyassl_opts -days 1000 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 > server-ecc-rsa.pem
rm server-ecc-req.pem
openssl x509 -in server-ecc-rsa.pem -text > tmp.pem
mv tmp.pem server-ecc-rsa.pem
############################################################
########## make .der files from .pem files #################
############################################################
echo "Generating new ca-cert.der, client-cert.der, server-cert.der..."
echo ""
openssl x509 -inform PEM -in ca-cert.pem -outform DER -out ca-cert.der
openssl x509 -inform PEM -in client-cert.pem -outform DER -out client-cert.der
openssl x509 -inform PEM -in server-cert.pem -outform DER -out server-cert.der
echo "Changing directory to cyassl root..."
echo ""
cd ../
echo "Execute ./gencertbuf.pl..."
echo ""
./gencertbuf.pl
############################################################
########## generate the new crls ###########################
############################################################
echo "Change directory to cyassl/certs"
echo ""
cd certs
echo "We are back in the certs directory"
echo ""
#set up the file system for updating the crls
echo "setting up the file system for generating the crls..."
echo ""
touch crl/index.txt
touch crl/crlnumber
echo "01" >> crl/crlnumber
touch crl/blank.index.txt
mkdir crl/demoCA
touch crl/demoCA/index.txt
echo "Updating the crls..."
echo ""
cd crl
echo "changed directory: cd/crl"
echo ""
./gencrls.sh
echo "ran ./gencrls.sh"
echo ""
#cleanup the file system now that we're done
echo "Performing final steps, cleaning up the file system..."
echo ""
rm ../cyassl.cnf
rm blank.index.txt
rm index.*
rm crlnumber*
rm -r demoCA
echo "Removed ../cyassl.cnf, blank.index.txt, index.*, crlnumber*, demoCA/"
echo ""
}
#function for restoring a previous configure state
function restore_config(){
mv tmp.status config.status
mv tmp.options.h cyassl/options.h
make clean
make -j 8
}
#function for copy and pasting ntru updates
function move_ntru(){
cp ntru-cert.pem certs/ntru-cert.pem
cp ntru-cert.der certs/ntru-cert.der
cp ntru-key.raw certs/ntru-key.raw
}
###############################################################################
##################### THE EXECUTABLE BODY #####################################
###############################################################################
#start in root.
cd ../
#if HAVE_NTRU already defined && there is no argument
if grep HAVE_NTRU "cyassl/options.h" && [ -z "$1" ]
then
#run the function to renew the certs
run_renewcerts
# run_renewcerts will end in the cyassl/certs/crl dir, backup to root.
cd ../../
echo "changed directory to cyassl root directory."
echo ""
############################################################
########## update ntru if already installed ################
############################################################
# We cannot assume that user has certgen and keygen enabled
./configure --with-ntru --enable-certgen --enable-keygen
make check
#copy/paste ntru-certs and key to certs/
move_ntru
#else if there was an argument given, check it for validity or print out error
elif [ ! -z "$1" ]; then
#valid argument then renew certs without ntru
if [ "$1" == "--override-ntru" ]; then
echo "overriding ntru, update all certs except ntru."
run_renewcerts
#valid argument print out other valid arguments
elif [ "$1" == "-h" ] || [ "$1" == "-help" ]; then
echo ""
echo "\"no argument\" will attempt to update all certificates"
echo "--override-ntru updates all certificates except ntru"
echo "-h or -help display this menu"
echo ""
echo ""
#else the argument was invalid, tell user to use -h or -help
else
echo ""
echo "That is not a valid option."
echo ""
echo "use -h or -help for a list of available options."
echo ""
fi
#else HAVE_NTRU not already defined
else
echo "Saving the configure state"
echo ""
cp config.status tmp.status
cp cyassl/options.h tmp.options.h
echo "Running make clean"
echo ""
make clean
#attempt to define ntru by configuring with ntru
echo "Configuring with ntru, enabling certgen and keygen"
echo ""
./configure --with-ntru --enable-certgen --enable-keygen
make check
# check options.h a second time, if the user had
# ntru installed on their system and in the default
# path location, then it will now be defined, if the
# user does not have ntru on their system this will fail
# again and we will not update any certs until user installs
# ntru in the default location
# if now defined
if grep HAVE_NTRU "cyassl/options.h"; then
run_renewcerts
#run_renewcerts leaves us in cyassl/certs/crl, backup to root
cd ../../
echo "changed directory to cyassl root directory."
echo ""
move_ntru
echo "ntru-certs, and ntru-key.raw have been updated"
echo ""
# restore previous configure state
restore_config
else
# restore previous configure state
restore_config
echo ""
echo "ntru is not installed at the default location,"
echo "or ntru not installed, none of the certs were updated."
echo ""
echo "clone the ntru repository into your \"cd ~\" directory then,"
echo "\"cd NTRUEncrypt\" and run \"make\" then \"make install\""
echo "once complete run this script again to update all the certs."
echo ""
echo "To update all certs except ntru use \"./renewcerts.sh --override-ntru\""
echo ""
fi #END now defined
fi #END already defined
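Review bot: Both server-cert.pem and server-ecc-rsa.pem are signed by the same ca-cert.pem with `-set_serial 01`, so two distinct certificates share an issuer/serial pair; since gencrls.sh revokes server-cert.pem through the CA database and CRLs identify certificates by serial, a CRL listing serial 01 would also match server-ecc-rsa.pem, which is probably not intended and should at least use a different serial (`-set_serial 02` on the server-ecc-rsa line). Separately, run_renewcerts starts with `cd certs/` and the script has no `set -e`, so if that cd fails every following `rm`, `mv` and certificate overwrite runs in whatever directory the script was invoked from; `set -euo pipefail` after the shebang, or `cd certs/ || exit 1`, prevents that. The top-of-file banner would benefit from a comment stating where the script must be invoked from, since the executable body begins with an unconditional `cd ../`.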

170
certs/renewcerts/cyassl.cnf Normal file

@ -0,0 +1,170 @@
#
# cyassl configuration file
#
HOME = .
RANDFILE = $ENV::HOME/.rnd
oid_section = new_oids
[ new_oids ]
# Policies used by the TSA examples.
tsa_policy1 = 1.2.3.4.1
tsa_policy2 = 1.2.3.4.5.6
tsa_policy3 = 1.2.3.4.5.7
####################################################################
[ ca ]
default_ca = CA_default # The default ca section
####################################################################
[ CA_default ]
####################################################################
# CHANGE THIS LINE TO BE YOUR CYASSL_ROOT DIRECTORY #
# #
dir = $HOME./.. #
####################################################################
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/certs/crl # Where the issued crl are kept
database = $dir/certs/crl/demoCA/index.txt # database index file.
new_certs_dir = $dir/certs # default place for new certs.
certificate = $dir/certs/ca-cert.pem # The CA certificate
serial = $dir/certs/serial # The current serial number
crlnumber = $dir/certs/crl/crlnumber # the current crl number
crl = $dir/certs/crl/crl.pem # The current CRL
private_key = $dir/certs/ca-key.pem # The private key
RANDFILE = $dir/certs/private/.rand # private random number file
x509_extensions = usr_cert # The extentions to add to the cert
name_opt = ca_default # Subject Name options
cert_opt = ca_default # Certificate field options
default_days = 1000 # how long to certify for
default_crl_days = 30 # how long before next CRL
default_md = default # use public key default MD
preserve = no # keep passed DN ordering
policy = policy_match
# For the CA policy
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
# For the 'anything' policy
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
# default req
[ req ]
default_bits = 2048
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
x509_extensions = v3_ca # The extentions to add to the self signed cert
string_mask = utf8only
#default req_dist_name
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = US
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Montana
localityName = Locality Name (eg, city)
localityName_default = Bozeman
0.organizationName = Organization Name (eg, company)
0.organizationName_default = Sawtooth
organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default = Consulting
commonName = Common Name (e.g. server FQDN or YOUR name)
commonName_default = www.wolfssl.com
commonName_max = 64
emailAddress = Email Address
emailAddress_default = info@wolfssl.com
emailAddress_max = 64
#default req_attr
[ req_attributes ]
challengePassword = A challenge password
challengePassword_min = 4
challengePassword_max = 20
unstructuredName = An optional company name
# These extensions are added when 'ca' signs a request.
[ usr_cert ]
basicConstraints=CA:FALSE
nsComment = "cyaSSL Generated Certificate using openSSL command line utility."
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
#cyassl extensions
[cyassl_opts]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
basicConstraints=CA:true
# Extensions to add to a certificate request
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
# Extensions for a typical CA
[ v3_ca ]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
basicConstraints = CA:true
# CRL extensions.
[ crl_ext ]
authorityKeyIdentifier=keyid:always
# These extensions should be added when creating a proxy certificate
[ proxy_cert_ext ]
basicConstraints=CA:FALSE
nsComment = "cyaSSL Generated Certificate using openSSL command line utility"
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo
#tsa default
[ tsa ]
default_tsa = tsa_config1
# These are used by the TSA reply generation only.
[ tsa_config1 ]
dir = ./demoCA # directory
serial = $dir/tsaserial # (mandatory)
crypto_device = builtin # engine
signer_cert = $dir/tsacert.pem # certificate
certs = $dir/cacert.pem # chain
signer_key = $dir/private/tsakey.pem # (optional)
default_policy = tsa_policy1 # Policy
other_policies = tsa_policy2, tsa_policy3 # (optional)
digests = md5, sha1 # (mandatory)
accuracy = secs:1, millisecs:500, microsecs:100 # (optional)
clock_precision_digits = 0 # (optional)
ordering = yes # timestamps?
tsa_name = yes # include?
ess_cert_id_chain = no # include chain?
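Review bot: `[cyassl_opts]` sets `basicConstraints=CA:true` and renewcerts.sh passes `-extensions cyassl_opts` for every certificate it produces, so the client and server end-entity certificates are also marked as CAs and carry no keyUsage/extendedKeyUsage. If that is deliberate for the test suite it should be stated in the section comment, e.g. `# applied to every cert renewcerts.sh signs, leaf certs included; CA:true is intentional for test fixtures`, otherwise a separate leaf section with `basicConstraints=CA:FALSE` and a `keyUsage` line (the existing `[ v3_req ]` is close) is the safer default. The `dir = $HOME./..` line with `HOME = .` resolves relative to the current working directory; gencrls.sh invokes this config from certs/crl, so whether `$dir/certs/...` resolves to the intended cyassl root there should be confirmed and the comment above it updated to say the path is relative to certs/crl. The `[ tsa_config1 ]` section still lists `digests = md5, sha1`; nothing in this commit uses the TSA settings, so a comment marking them as unused carry-over from the OpenSSL sample config would avoid anyone treating md5 as an accepted digest here.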