Refactor the cert renewal scripts with error handling

Portability updates
kaleb-himes
2018-09-19 14:03:10 -06:00
parent 085daa78cd
commit 4f6ee556dc
8 changed files with 593 additions and 269 deletions


@ -1,25 +1,41 @@
#!/bin/bash
# gencrls, crl config already done, see taoCerts.txt for setup
check_result(){
if [ $1 -ne 0 ]; then
echo "Step failed, Abort"
exit 1
else
echo "Step Succeeded!"
fi
}
function setup_files() {
setup_files() {
#set up the file system for updating the crls
echo "setting up the file system for generating the crls..."
echo ""
touch ./index.txt
touch ./crlnumber
echo "01" >> crlnumber
touch ./blank.index.txt
mkdir demoCA
touch ./demoCA/index.txt
mkdir demoCA || exit 1
touch ./demoCA/index.txt || exit 1
touch ./index.txt || exit 1
touch ../ecc/index.txt || exit 1
touch ./crlnumber || exit 1
touch ../ecc/crlnumber || exit 1
echo "01" >> crlnumber || exit 1
echo "01" >> ../ecc/crlnumber || exit 1
touch ./blank.index.txt || exit 1
touch ./demoCA/index.txt.attr || exit 1
touch ../ecc/index.txt.attr || exit 1
}
function cleanup_files() {
rm blank.index.txt
rm index.*
rm crlnumber*
rm -r demoCA
cleanup_files() {
rm blank.index.txt || exit 1
rm index.* || exit 1
rm crlnumber* || exit 1
rm ../ecc/crlnumber* || exit 1
rm ../ecc/index.* || exit 1
rm -r demoCA || exit 1
echo "Removed ../wolfssl.cnf, blank.index.txt, index.*, crlnumber*, demoCA/"
echo " ../ecc/index.txt"
echo ""
exit 0
}
@ -30,31 +46,49 @@ setup_files
# caCrl
# revoke server-revoked-cert.pem
echo "Step 1"
openssl ca -config ../renewcerts/wolfssl.cnf -gencrl -crldays 1000 -out crl2.pem -keyfile ../client-key.pem -cert ../client-cert.pem
check_result $?
echo "Step 2"
openssl ca -config ../renewcerts/wolfssl.cnf -revoke ../server-revoked-cert.pem -keyfile ../ca-key.pem -cert ../ca-cert.pem
check_result $?
echo "Step 3"
openssl ca -config ../renewcerts/wolfssl.cnf -gencrl -crldays 1000 -out crl.pem -keyfile ../ca-key.pem -cert ../ca-cert.pem
check_result $?
# metadata
echo "Step 4"
openssl crl -in crl.pem -text > tmp
check_result $?
mv tmp crl.pem
# install (only needed if working outside wolfssl)
#cp crl.pem ~/wolfssl/certs/crl/crl.pem
# crl2 create
echo "Step 5"
openssl crl -in crl.pem -text > tmp
check_result $?
echo "Step 6"
openssl crl -in crl2.pem -text >> tmp
check_result $?
mv tmp crl2.pem
# caCrl server revoked
echo "Step 7"
openssl ca -config ../renewcerts/wolfssl.cnf -revoke ../server-cert.pem -keyfile ../ca-key.pem -cert ../ca-cert.pem
check_result $?
# caCrl server revoked generation
echo "Step 8"
openssl ca -config ../renewcerts/wolfssl.cnf -gencrl -crldays 1000 -out crl.revoked -keyfile ../ca-key.pem -cert ../ca-cert.pem
check_result $?
# metadata
echo "Step 9"
openssl crl -in crl.revoked -text > tmp
check_result $?
mv tmp crl.revoked
# install (only needed if working outside wolfssl)
#cp crl.revoked ~/wolfssl/certs/crl/crl.revoked
@ -64,58 +98,90 @@ mv tmp crl.revoked
cp blank.index.txt demoCA/index.txt
# caEccCrl
echo "Step 10"
openssl ca -config ../renewcerts/wolfssl.cnf -revoke ../server-revoked-cert.pem -keyfile ../ca-ecc-key.pem -cert ../ca-ecc-cert.pem
check_result $?
echo "Step 11"
openssl ca -config ../renewcerts/wolfssl.cnf -gencrl -crldays 1000 -out caEccCrl.pem -keyfile ../ca-ecc-key.pem -cert ../ca-ecc-cert.pem
check_result $?
# metadata
echo "Step 12"
openssl crl -in caEccCrl.pem -text > tmp
check_result $?
mv tmp caEccCrl.pem
# install (only needed if working outside wolfssl)
#cp caEccCrl.pem ~/wolfssl/certs/crl/caEccCrl.pem
# caEcc384Crl
echo "Step 13"
openssl ca -config ../renewcerts/wolfssl.cnf -revoke ../server-revoked-cert.pem -keyfile ../ca-ecc384-key.pem -cert ../ca-ecc384-cert.pem
if [ $? -ne 0 ]; then
echo "Already revoked CRL number 02, skipping"
else
echo "Revoked CRL 02"
fi
echo "Step 14"
openssl ca -config ../renewcerts/wolfssl.cnf -gencrl -crldays 1000 -out caEcc384Crl.pem -keyfile ../ca-ecc384-key.pem -cert ../ca-ecc384-cert.pem
check_result $?
# metadata
echo "Step 15"
openssl crl -in caEcc384Crl.pem -text > tmp
check_result $?
mv tmp caEcc384Crl.pem
# install (only needed if working outside wolfssl)
#cp caEcc384Crl.pem ~/wolfssl/certs/crl/caEcc384Crl.pem
# cliCrl
echo "Step 16"
openssl ca -config ../renewcerts/wolfssl.cnf -gencrl -crldays 1000 -out cliCrl.pem -keyfile ../client-key.pem -cert ../client-cert.pem
check_result $?
# metadata
echo "Step 17"
openssl crl -in cliCrl.pem -text > tmp
check_result $?
mv tmp cliCrl.pem
# install (only needed if working outside wolfssl)
#cp cliCrl.pem ~/wolfssl/certs/crl/cliCrl.pem
# eccCliCRL
echo "Step 18"
openssl ca -config ../renewcerts/wolfssl.cnf -gencrl -crldays 1000 -out eccCliCRL.pem -keyfile ../ecc-client-key.pem -cert ../client-ecc-cert.pem
check_result $?
# metadata
echo "Step 19"
openssl crl -in eccCliCRL.pem -text > tmp
check_result $?
mv tmp eccCliCRL.pem
# install (only needed if working outside wolfssl)
#cp eccCliCRL.pem ~/wolfssl/certs/crl/eccCliCRL.pem
# eccSrvCRL
echo "Step 20"
openssl ca -config ../renewcerts/wolfssl.cnf -gencrl -crldays 1000 -out eccSrvCRL.pem -keyfile ../ecc-key.pem -cert ../server-ecc.pem
check_result $?
# metadata
echo "Step 21"
openssl crl -in eccSrvCRL.pem -text > tmp
check_result $?
mv tmp eccSrvCRL.pem
# install (only needed if working outside wolfssl)
#cp eccSrvCRL.pem ~/wolfssl/certs/crl/eccSrvCRL.pem
# caEccCrl
echo "Step 22"
openssl ca -config ../ecc/wolfssl.cnf -gencrl -crldays 1000 -out caEccCrl.pem -keyfile ../ca-ecc-key.pem -cert ../ca-ecc-cert.pem
check_result $?
# ca-ecc384-cert
echo "Step 23"
openssl ca -config ../ecc/wolfssl.cnf -gencrl -crldays 1000 -out caEcc384Crl.pem -keyfile ../ca-ecc384-key.pem -cert ../ca-ecc384-cert.pem
check_result $?
exit 0
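Review bot: Step 13 (the `-revoke` against the ecc384 CA, mid-section) treats every non-zero exit from `openssl ca` as "Already revoked" and carries on, so a missing key file, a wrong config path or a CA database error at that step is reported as a successful skip, while every other revoke step in the file aborts through `check_result`. Capture the command's stderr and skip only when the message is the already-revoked one (the `ca` sub-command prints a line containing `Already revoked` for that case in the OpenSSL builds I know of — confirm against the local openssl), aborting on anything else; a sketch follows. Separately, the message at the end of `cleanup_files` claims `../wolfssl.cnf` was removed, but no `rm` in that function touches it — either the `rm` or the message is stale (the removal may live in a caller outside this file).
```shell
echo "Step 13"
err=$(openssl ca -config ../renewcerts/wolfssl.cnf -revoke ../server-revoked-cert.pem -keyfile ../ca-ecc384-key.pem -cert ../ca-ecc384-cert.pem 2>&1)
rv=$?
if [ "$rv" -ne 0 ]; then
  case "$err" in
    *"Already revoked"*) echo "Already revoked CRL number 02, skipping" ;;
    *) printf '%s\n' "$err"; echo "Step 13 failed, Abort"; exit 1 ;;
  esac
else
  echo "Revoked CRL 02"
fi
# … unchanged: Step 14 onward …
```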


@ -3,20 +3,21 @@
default_ca = CA_default
[ CA_default ]
# Directory and file locations.
# Directory and file locations relevant to where the script is executing
dir = .
certs = $dir/certs
new_certs_dir = $dir/certs
database = $dir/certs/ecc/index.txt
serial = $dir/certs/ecc/serial
certs = $dir/../
new_certs_dir = $dir/../
database = $dir/../ecc/index.txt
serial = $dir/../ecc/serial
# This should come from the system disregard local pathing
RANDFILE = $dir/private/.rand
# The root key and root certificate.
private_key = $dir/certs/ca-ecc-key.pem
certificate = $dir/certs/ca-ecc-cert.pem
private_key = $dir/../ca-ecc-key.pem
certificate = $dir/../ca-ecc-cert.pem
# For certificate revocation lists.
crlnumber = $dir/certs/ecc/crlnumber
crlnumber = $dir/../ecc/crlnumber
crl_extensions = crl_ext
default_crl_days = 1000
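Review bot: The comment added above `RANDFILE` says the value should come from the system regardless of local pathing, yet the setting directly below it is still `$dir/private/.rand`, a `private/` directory that none of the setup steps visible in this commit create; the comment documents an intent the line does not implement. Either change the setting to match the comment or reword the comment so it describes the value as it stands, e.g. `# RANDFILE is left as in the template; the CRL/cert steps here do not depend on it`. The rest of the hunk consistently re-roots every path at `$dir/../`, so this is the one line left out of step.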


@ -1,11 +1,28 @@
#!/bin/sh
check_result(){
if [ $1 -ne 0 ]; then
if [ -n "$2" ]; then
echo "Step Failed, Abort"
else
echo "$2 Failed, Abort"
fi
exit 1
else
echo "Step Succeeded"
fi
}
echo "OCSP renew certs Step 1"
openssl req \
-new \
-key root-ca-key.pem \
-out root-ca-cert.csr \
-config ../renewcerts/wolfssl.cnf \
-subj "/C=US/ST=Washington/L=Seattle/O=wolfSSL/OU=Engineering/CN=wolfSSL root CA/emailAddress=info@wolfssl.com"
check_result $? ""
echo "OCSP renew certs Step 2"
openssl x509 \
-req -in root-ca-cert.csr \
-extfile openssl.cnf \
@ -14,33 +31,41 @@ openssl x509 \
-signkey root-ca-key.pem \
-set_serial 99 \
-out root-ca-cert.pem
check_result $? ""
rm root-ca-cert.csr
echo "OCSP renew certs Step 3"
openssl x509 -in root-ca-cert.pem -text > tmp.pem
check_result $? ""
mv tmp.pem root-ca-cert.pem
# $1 cert, $2 name, $3 ca, $4 extensions, $5 serial
function update_cert() {
openssl req \
-new \
-key $1-key.pem \
-out $1-cert.csr \
update_cert() {
echo "Updating certificate \"$1-cert.pem\""
openssl req \
-new \
-key "$1"-key.pem \
-out "$1"-cert.csr \
-config ../renewcerts/wolfssl.cnf \
-subj "/C=US/ST=Washington/L=Seattle/O=wolfSSL/OU=Engineering/CN=$2/emailAddress=info@wolfssl.com"
check_result $? "Step 1"
openssl x509 \
-req -in $1-cert.csr \
-extfile openssl.cnf \
-extensions $4 \
-days 1000 \
-CA $3-cert.pem \
-CAkey $3-key.pem \
-set_serial $5 \
-out $1-cert.pem
openssl x509 \
-req -in "$1"-cert.csr \
-extfile openssl.cnf \
-extensions "$4" \
-days 1000 \
-CA "$3"-cert.pem \
-CAkey "$3"-key.pem \
-set_serial "$5" \
-out "$1"-cert.pem
check_result $? "Step 2"
rm $1-cert.csr
openssl x509 -in $1-cert.pem -text > $1_tmp.pem
mv $1_tmp.pem $1-cert.pem
cat $3-cert.pem >> $1-cert.pem
rm "$1"-cert.csr
openssl x509 -in "$1"-cert.pem -text > "$1"_tmp.pem
check_result $? "Step 3"
mv "$1"_tmp.pem "$1"-cert.pem
cat "$3"-cert.pem >> "$1"-cert.pem
}
update_cert intermediate1-ca "wolfSSL intermediate CA 1" root-ca v3_ca 01
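Review bot: The branch test in `check_result` is inverted: `[ -n "$2" ]` takes the generic `Step Failed, Abort` path exactly when a step name was supplied, and prints `$2 Failed, Abort` with an empty `$2` when the top-level calls pass `""`, so the step name added for diagnostics never reaches the output. Change the test to `if [ -z "$2" ]; then`. While there, quote the status so a call that somehow arrives without arguments does not become a `[` syntax error under `/bin/sh`: `if [ "$1" -ne 0 ]; then`. The `update_cert` body is fully inside the hunk and its quoting of `$1`/`$3`/`$4`/`$5` is correct.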


@ -37,12 +37,33 @@
######################## FUNCTIONS SECTION ####################################
###############################################################################
#function for restoring a previous configure state
restore_config(){
mv tmp.status config.status
mv tmp.options.h wolfssl/options.h
make clean
make -j 8
}
check_result(){
if [ $1 -ne 0 ]; then
echo "Failed at \"$2\", Abort"
if [ "$2" = "configure for ntru" ] || \
[ "$2" = "make check with ntru" ]; then
restore_config
fi
exit 1
else
echo "Step Succeeded!"
fi
}
#the function that will be called when we are ready to renew the certs.
function run_renewcerts(){
cd certs/
run_renewcerts(){
cd certs/ || { echo "Couldn't cd to certs directory"; exit 1; }
echo ""
#move the custom cnf into our working directory
cp renewcerts/wolfssl.cnf wolfssl.cnf
cp renewcerts/wolfssl.cnf wolfssl.cnf || exit 1
# To generate these all in sha1 add the flag "-sha1" on appropriate lines
# That is all lines beginning with: "openssl req"
@ -53,339 +74,439 @@ function run_renewcerts(){
echo "Updating 2048-bit client-uri-cert.pem"
echo ""
#pipe the following arguments to openssl req...
echo -e "US\nMontana\nBozeman\nwolfSSL_2048\nURI\nwww.wolfssl.com\ninfo@wolfssl.com\n.\n.\n" | openssl req -new -key client-key.pem -nodes -out client-cert.csr
echo -e "US\nMontana\nBozeman\nwolfSSL_2048\nURI\nwww.wolfssl.com\ninfo@wolfssl.com\n.\n.\n" | openssl req -new -key client-key.pem -config ./wolfssl.cnf -nodes -out client-cert.csr
check_result $? "Step 1"
openssl x509 -req -in client-cert.csr -days 1000 -extfile wolfssl.cnf -extensions uri -signkey client-key.pem -out client-uri-cert.pem
check_result $? "Step 2"
rm client-cert.csr
openssl x509 -in client-uri-cert.pem -text > tmp.pem
check_result $? "Step 3"
mv tmp.pem client-uri-cert.pem
echo "End of section"
echo "---------------------------------------------------------------------"
############################################################
#### update the self-signed (2048-bit) client-relative-uri.pem
############################################################
echo "Updating 2048-bit client-relative-uri.pem"
echo ""
#pipe the following arguments to openssl req...
echo -e "US\nMontana\nBozeman\nwolfSSL_2048\nRELATIVE_URI\nwww.wolfssl.com\ninfo@wolfssl.com\n.\n.\n" | openssl req -new -key client-key.pem -nodes -out client-cert.csr
echo -e "US\nMontana\nBozeman\nwolfSSL_2048\nRELATIVE_URI\nwww.wolfssl.com\ninfo@wolfssl.com\n.\n.\n" | openssl req -new -key client-key.pem -config ./wolfssl.cnf -nodes -out client-cert.csr
check_result $? "Step 1"
openssl x509 -req -in client-cert.csr -days 1000 -extfile wolfssl.cnf -extensions relative_uri -signkey client-key.pem -out client-relative-uri.pem
check_result $? "Step 2"
rm client-cert.csr
openssl x509 -in client-relative-uri.pem -text > tmp.pem
check_result $? "Step 3"
mv tmp.pem client-relative-uri.pem
echo "End of section"
echo "---------------------------------------------------------------------"
############################################################
#### update the self-signed (2048-bit) client-cert.pem #####
############################################################
echo "Updating 2048-bit client-cert.pem"
echo ""
#pipe the following arguments to openssl req...
echo -e "US\nMontana\nBozeman\nwolfSSL_2048\nProgramming-2048\nwww.wolfssl.com\ninfo@wolfssl.com\n.\n.\n" | openssl req -new -key client-key.pem -nodes -out client-cert.csr
echo -e "US\nMontana\nBozeman\nwolfSSL_2048\nProgramming-2048\nwww.wolfssl.com\ninfo@wolfssl.com\n.\n.\n" | openssl req -new -key client-key.pem -config ./wolfssl.cnf -nodes -out client-cert.csr
check_result $? "Step 1"
openssl x509 -req -in client-cert.csr -days 1000 -extfile wolfssl.cnf -extensions wolfssl_opts -signkey client-key.pem -out client-cert.pem
check_result $? "Step 2"
rm client-cert.csr
openssl x509 -in client-cert.pem -text > tmp.pem
check_result $? "Step 3"
mv tmp.pem client-cert.pem
echo "End of section"
echo "---------------------------------------------------------------------"
############################################################
#### update the self-signed (3072-bit) client-cert.pem #####
############################################################
echo "Updating 3072-bit client-cert.pem"
echo ""
#pipe the following arguments to openssl req...
echo -e "US\nMontana\nBozeman\nwolfSSL_3072\nProgramming-3072\nwww.wolfssl.com\ninfo@wolfssl.com\n.\n.\n" | openssl req -new -newkey rsa:3072 -keyout client-key-3072.pem -nodes -out client-cert-3072.csr
echo -e "US\nMontana\nBozeman\nwolfSSL_3072\nProgramming-3072\nwww.wolfssl.com\ninfo@wolfssl.com\n.\n.\n" | openssl req -new -newkey rsa:3072 -keyout client-key-3072.pem -config ./wolfssl.cnf -nodes -out client-cert-3072.csr
check_result $? "Step 1"
openssl x509 -req -in client-cert-3072.csr -days 1000 -extfile wolfssl.cnf -extensions wolfssl_opts -signkey client-key-3072.pem -out client-cert-3072.pem
check_result $? "Step 2"
rm client-cert-3072.csr
openssl x509 -in client-cert-3072.pem -text > tmp.pem
check_result $? "Step 3"
mv tmp.pem client-cert-3072.pem
echo "End of section"
echo "---------------------------------------------------------------------"
############################################################
#### update the self-signed (1024-bit) client-cert.pem #####
############################################################
echo "Updating 1024-bit client-cert.pem"
echo ""
#pipe the following arguments to openssl req...
echo -e "US\nMontana\nBozeman\nwolfSSL_1024\nProgramming-1024\nwww.wolfssl.com\ninfo@wolfssl.com\n.\n.\n" | openssl req -new -key \1024/client-key.pem -nodes -out \1024/client-cert.csr
echo -e "US\nMontana\nBozeman\nwolfSSL_1024\nProgramming-1024\nwww.wolfssl.com\ninfo@wolfssl.com\n.\n.\n" | openssl req -new -key ./1024/client-key.pem -config ./wolfssl.cnf -nodes -out ./1024/client-cert.csr
check_result $? "Step 1"
openssl x509 -req -in \1024/client-cert.csr -days 1000 -extfile wolfssl.cnf -extensions wolfssl_opts -signkey \1024/client-key.pem -out \1024/client-cert.pem
rm \1024/client-cert.csr
openssl x509 -req -in ./1024/client-cert.csr -days 1000 -extfile wolfssl.cnf -extensions wolfssl_opts -signkey ./1024/client-key.pem -out ./1024/client-cert.pem
check_result $? "Step 2"
rm ./1024/client-cert.csr
openssl x509 -in \1024/client-cert.pem -text > \1024/tmp.pem
mv \1024/tmp.pem \1024/client-cert.pem
openssl x509 -in ./1024/client-cert.pem -text > ./1024/tmp.pem
check_result $? "Step 3"
mv ./1024/tmp.pem ./1024/client-cert.pem
echo "End of section"
echo "---------------------------------------------------------------------"
############################################################
########## update the self-signed ca-cert.pem ##############
############################################################
echo "Updating ca-cert.pem"
echo ""
#pipe the following arguments to openssl req...
echo -e "US\nMontana\nBozeman\nSawtooth\nConsulting\nwww.wolfssl.com\ninfo@wolfssl.com\n.\n.\n" | openssl req -new -key ca-key.pem -nodes -out ca-cert.csr
echo -e "US\nMontana\nBozeman\nSawtooth\nConsulting\nwww.wolfssl.com\ninfo@wolfssl.com\n.\n.\n" | openssl req -new -key ca-key.pem -config ./wolfssl.cnf -nodes -out ca-cert.csr
check_result $? "Step 1"
openssl x509 -req -in ca-cert.csr -days 1000 -extfile wolfssl.cnf -extensions wolfssl_opts -signkey ca-key.pem -out ca-cert.pem
check_result $? "Step 2"
rm ca-cert.csr
openssl x509 -in ca-cert.pem -text > tmp.pem
check_result $? "Step 3"
mv tmp.pem ca-cert.pem
echo "End of section"
echo "---------------------------------------------------------------------"
############################################################
########## update the self-signed ca-ecc-cert.pem ##########
############################################################
echo "Updating ca-ecc-cert.pem"
echo ""
#pipe the following arguments to openssl req...
echo -e "US\nWashington\nSeattle\nwolfSSL\nDevelopment\nwww.wolfssl.com\ninfo@wolfssl.com\n.\n.\n" | openssl req -new -key ca-ecc-key.pem -nodes -out ca-ecc-cert.csr
echo -e "US\nWashington\nSeattle\nwolfSSL\nDevelopment\nwww.wolfssl.com\ninfo@wolfssl.com\n.\n.\n" | openssl req -new -key ca-ecc-key.pem -config ./wolfssl.cnf -nodes -out ca-ecc-cert.csr
check_result $? "Step 1"
openssl x509 -req -in ca-ecc-cert.csr -days 1000 -extfile wolfssl.cnf -extensions ca_ecc_cert -signkey ca-ecc-key.pem -out ca-ecc-cert.pem
check_result $? "Step 2"
rm ca-ecc-cert.csr
openssl x509 -in ca-ecc-cert.pem -text > tmp.pem
check_result $? "Step 3"
mv tmp.pem ca-ecc-cert.pem
echo "End of section"
echo "---------------------------------------------------------------------"
############################################################
########## update the self-signed ca-ecc384-cert.pem #######
############################################################
echo "Updating ca-ecc384-cert.pem"
echo ""
#pipe the following arguments to openssl req...
echo -e "US\nWashington\nSeattle\nwolfSSL\nDevelopment\nwww.wolfssl.com\ninfo@wolfssl.com\n.\n.\n" | openssl req -new -key ca-ecc384-key.pem -nodes -sha384 -out ca-ecc384-cert.csr
echo -e "US\nWashington\nSeattle\nwolfSSL\nDevelopment\nwww.wolfssl.com\ninfo@wolfssl.com\n.\n.\n" | openssl req -new -key ca-ecc384-key.pem -config ./wolfssl.cnf -nodes -sha384 -out ca-ecc384-cert.csr
check_result $? "Step 1"
openssl x509 -req -in ca-ecc384-cert.csr -days 1000 -extfile wolfssl.cnf -extensions ca_ecc_cert -signkey ca-ecc384-key.pem -sha384 -out ca-ecc384-cert.pem
check_result $? "Step 2"
rm ca-ecc384-cert.csr
openssl x509 -in ca-ecc384-cert.pem -text > tmp.pem
check_result $? "Step 3"
mv tmp.pem ca-ecc384-cert.pem
echo "End of section"
echo "---------------------------------------------------------------------"
############################################################
##### update the self-signed (1024-bit) ca-cert.pem ########
############################################################
echo "Updating 1024-bit ca-cert.pem"
echo ""
#pipe the following arguments to openssl req...
echo -e "US\nMontana\nBozeman\nSawtooth\nConsulting_1024\nwww.wolfssl.com\ninfo@wolfssl.com\n.\n.\n" | openssl req -new -key \1024/ca-key.pem -nodes -sha1 -out \1024/ca-cert.csr
echo -e "US\nMontana\nBozeman\nSawtooth\nConsulting_1024\nwww.wolfssl.com\ninfo@wolfssl.com\n.\n.\n" | openssl req -new -key ./1024/ca-key.pem -config ./wolfssl.cnf -nodes -sha1 -out ./1024/ca-cert.csr
check_result $? "Step 1"
openssl x509 -req -in \1024/ca-cert.csr -days 1000 -extfile wolfssl.cnf -extensions wolfssl_opts -signkey \1024/ca-key.pem -out \1024/ca-cert.pem
rm \1024/ca-cert.csr
openssl x509 -req -in ./1024/ca-cert.csr -days 1000 -extfile wolfssl.cnf -extensions wolfssl_opts -signkey ./1024/ca-key.pem -out ./1024/ca-cert.pem
check_result $? "Step 2"
rm ./1024/ca-cert.csr
openssl x509 -in \1024/ca-cert.pem -text > \1024/tmp.pem
mv \1024/tmp.pem \1024/ca-cert.pem
openssl x509 -in ./1024/ca-cert.pem -text > ./1024/tmp.pem
check_result $? "Step 3"
mv ./1024/tmp.pem ./1024/ca-cert.pem
echo "End of section"
echo "---------------------------------------------------------------------"
###########################################################
########## update and sign server-cert.pem ################
###########################################################
echo "Updating server-cert.pem"
echo ""
#pipe the following arguments to openssl req...
echo -e "US\nMontana\nBozeman\nwolfSSL\nSupport\nwww.wolfssl.com\ninfo@wolfssl.com\n.\n.\n" | openssl req -new -key server-key.pem -nodes > server-req.pem
echo -e "US\nMontana\nBozeman\nwolfSSL\nSupport\nwww.wolfssl.com\ninfo@wolfssl.com\n.\n.\n" | openssl req -new -key server-key.pem -config ./wolfssl.cnf -nodes > server-req.pem
check_result $? "Step 1"
openssl x509 -req -in server-req.pem -extfile wolfssl.cnf -extensions wolfssl_opts -days 1000 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 > server-cert.pem
check_result $? "Step 2"
rm server-req.pem
openssl x509 -in ca-cert.pem -text > ca_tmp.pem
check_result $? "Step 3"
openssl x509 -in server-cert.pem -text > srv_tmp.pem
check_result $? "Step 4"
mv srv_tmp.pem server-cert.pem
cat ca_tmp.pem >> server-cert.pem
rm ca_tmp.pem
echo "End of section"
echo "---------------------------------------------------------------------"
###########################################################
########## update and sign server-revoked-key.pem #########
###########################################################
echo "Updating server-revoked-cert.pem"
echo ""
#pipe the following arguments to openssl req...
echo -e "US\nMontana\nBozeman\nwolfSSL_revoked\nSupport_revoked\nwww.wolfssl.com\ninfo@wolfssl.com\n.\n.\n" | openssl req -new -key server-revoked-key.pem -nodes > server-revoked-req.pem
echo -e "US\nMontana\nBozeman\nwolfSSL_revoked\nSupport_revoked\nwww.wolfssl.com\ninfo@wolfssl.com\n.\n.\n" | openssl req -new -key server-revoked-key.pem -config ./wolfssl.cnf -nodes > server-revoked-req.pem
check_result $? "Step 1"
openssl x509 -req -in server-revoked-req.pem -extfile wolfssl.cnf -extensions wolfssl_opts -days 1000 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 02 > server-revoked-cert.pem
check_result $? "Step 2"
rm server-revoked-req.pem
openssl x509 -in ca-cert.pem -text > ca_tmp.pem
check_result $? "Step 3"
openssl x509 -in server-revoked-cert.pem -text > srv_tmp.pem
check_result $? "Step 4"
mv srv_tmp.pem server-revoked-cert.pem
cat ca_tmp.pem >> server-revoked-cert.pem
rm ca_tmp.pem
echo "End of section"
echo "---------------------------------------------------------------------"
###########################################################
########## update and sign server-duplicate-policy.pem ####
###########################################################
echo "Updating server-duplicate-policy.pem"
echo ""
#pipe the following arguments to openssl req...
echo -e "US\nMontana\nBozeman\nwolfSSL\ntesting duplicate policy\nwww.wolfssl.com\ninfo@wolfssl.com\n.\n.\n" | openssl req -new -key server-key.pem -nodes > ./test/server-duplicate-policy-req.pem
echo -e "US\nMontana\nBozeman\nwolfSSL\ntesting duplicate policy\nwww.wolfssl.com\ninfo@wolfssl.com\n.\n.\n" | openssl req -new -key server-key.pem -config ./wolfssl.cnf -nodes > ./test/server-duplicate-policy-req.pem
check_result $? "Step 1"
openssl x509 -req -in ./test/server-duplicate-policy-req.pem -extfile wolfssl.cnf -extensions policy_test -days 1000 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 02 > ./test/server-duplicate-policy.pem
check_result $? "Step 2"
rm ./test/server-duplicate-policy-req.pem
openssl x509 -in ca-cert.pem -text > ca_tmp.pem
check_result $? "Step 3"
openssl x509 -in ./test/server-duplicate-policy.pem -text > srv_tmp.pem
check_result $? "Step 4"
mv srv_tmp.pem ./test/server-duplicate-policy.pem
cat ca_tmp.pem >> ./test/server-duplicate-policy.pem
rm ca_tmp.pem
echo "End of section"
echo "---------------------------------------------------------------------"
###########################################################
#### update and sign (1024-bit) server-cert.pem ###########
###########################################################
echo "Updating 1024-bit server-cert.pem"
echo ""
#pipe the following arguments to openssl req...
echo -e "US\nMontana\nBozeman\nwolfSSL\nSupport_1024\nwww.wolfssl.com\ninfo@wolfssl.com\n.\n.\n" | openssl req -new -key \1024/server-key.pem -nodes -sha1 > \1024/server-req.pem
echo -e "US\nMontana\nBozeman\nwolfSSL\nSupport_1024\nwww.wolfssl.com\ninfo@wolfssl.com\n.\n.\n" | openssl req -new -key ./1024/server-key.pem -config ./wolfssl.cnf -nodes -sha1 > ./1024/server-req.pem
check_result $? "Step 1"
openssl x509 -req -in \1024/server-req.pem -extfile wolfssl.cnf -extensions wolfssl_opts -days 1000 -CA \1024/ca-cert.pem -CAkey \1024/ca-key.pem -set_serial 01 > \1024/server-cert.pem
openssl x509 -req -in ./1024/server-req.pem -extfile wolfssl.cnf -extensions wolfssl_opts -days 1000 -CA ./1024/ca-cert.pem -CAkey ./1024/ca-key.pem -set_serial 01 > ./1024/server-cert.pem
check_result $? "Step 2"
rm ./1024/server-req.pem
rm \1024/server-req.pem
openssl x509 -in \1024/ca-cert.pem -text > \1024/ca_tmp.pem
openssl x509 -in \1024/server-cert.pem -text > \1024/srv_tmp.pem
mv \1024/srv_tmp.pem \1024/server-cert.pem
cat \1024/ca_tmp.pem >> \1024/server-cert.pem
rm \1024/ca_tmp.pem
openssl x509 -in ./1024/ca-cert.pem -text > ./1024/ca_tmp.pem
check_result $? "Step 3"
openssl x509 -in ./1024/server-cert.pem -text > ./1024/srv_tmp.pem
check_result $? "Step 4"
mv ./1024/srv_tmp.pem ./1024/server-cert.pem
cat ./1024/ca_tmp.pem >> ./1024/server-cert.pem
rm ./1024/ca_tmp.pem
echo "End of section"
echo "---------------------------------------------------------------------"
############################################################
########## update and sign the server-ecc-rsa.pem ##########
############################################################
echo "Updating server-ecc-rsa.pem"
echo ""
echo -e "US\nMontana\nBozeman\nElliptic - RSAsig\nECC-RSAsig\nwww.wolfssl.com\ninfo@wolfssl.com\n.\n.\n" | openssl req -new -key ecc-key.pem -nodes > server-ecc-req.pem
echo -e "US\nMontana\nBozeman\nElliptic - RSAsig\nECC-RSAsig\nwww.wolfssl.com\ninfo@wolfssl.com\n.\n.\n" | openssl req -new -key ecc-key.pem -config ./wolfssl.cnf -nodes > server-ecc-req.pem
check_result $? "Step 1"
openssl x509 -req -in server-ecc-req.pem -extfile wolfssl.cnf -extensions wolfssl_opts -days 1000 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 > server-ecc-rsa.pem
check_result $? "Step 2"
rm server-ecc-req.pem
openssl x509 -in server-ecc-rsa.pem -text > tmp.pem
check_result $? "Step 3"
mv tmp.pem server-ecc-rsa.pem
echo "End of section"
echo "---------------------------------------------------------------------"
############################################################
####### update the self-signed client-ecc-cert.pem #########
############################################################
echo "Updating client-ecc-cert.pem"
echo ""
#pipe the following arguments to openssl req...
echo -e "US\nOregon\nSalem\nClient ECC\nFast\nwww.wolfssl.com\ninfo@wolfssl.com\n.\n.\n" | openssl req -new -key ecc-client-key.pem -nodes -out client-ecc-cert.csr
echo -e "US\nOregon\nSalem\nClient ECC\nFast\nwww.wolfssl.com\ninfo@wolfssl.com\n.\n.\n" | openssl req -new -key ecc-client-key.pem -config ./wolfssl.cnf -nodes -out client-ecc-cert.csr
check_result $? "Step 1"
openssl x509 -req -in client-ecc-cert.csr -days 1000 -extfile wolfssl.cnf -extensions wolfssl_opts -signkey ecc-client-key.pem -out client-ecc-cert.pem
check_result $? "Step 2"
rm client-ecc-cert.csr
openssl x509 -in client-ecc-cert.pem -text > tmp.pem
check_result $? "Step 3"
mv tmp.pem client-ecc-cert.pem
echo "End of section"
echo "---------------------------------------------------------------------"
############################################################
########## update the server-ecc.pem #######################
############################################################
echo "Updating server-ecc.pem"
echo ""
#pipe the following arguments to openssl req...
echo -e "US\nWashington\nSeattle\nEliptic\nECC\nwww.wolfssl.com\ninfo@wolfssl.com\n.\n.\n" | openssl req -new -key ecc-key.pem -nodes -out server-ecc.csr
echo -e "US\nWashington\nSeattle\nEliptic\nECC\nwww.wolfssl.com\ninfo@wolfssl.com\n.\n.\n" | openssl req -new -key ecc-key.pem -config ./wolfssl.cnf -nodes -out server-ecc.csr
check_result $? "Step 1"
openssl x509 -req -in server-ecc.csr -days 1000 -extfile wolfssl.cnf -extensions server_ecc -CAfile ca-ecc-cert.pem -CAkey ca-ecc-key.pem -out server-ecc.pem
openssl x509 -req -in server-ecc.csr -days 1000 -extfile wolfssl.cnf -extensions server_ecc -CA ca-ecc-cert.pem -CAkey ca-ecc-key.pem -set_serial 03 -out server-ecc.pem
check_result $? "Step 2"
rm server-ecc.csr
openssl x509 -in server-ecc.pem -text > tmp.pem
check_result $? "Step 3"
mv tmp.pem server-ecc.pem
echo "End of section"
echo "---------------------------------------------------------------------"
############################################################
###### update the self-signed server-ecc-comp.pem ##########
############################################################
echo "Updating server-ecc-comp.pem"
echo ""
#pipe the following arguments to openssl req...
echo -e "US\nMontana\nBozeman\nElliptic - comp\nServer ECC-comp\nwww.wolfssl.com\ninfo@wolfssl.com\n.\n.\n" | openssl req -new -key ecc-key-comp.pem -nodes -out server-ecc-comp.csr
echo -e "US\nMontana\nBozeman\nElliptic - comp\nServer ECC-comp\nwww.wolfssl.com\ninfo@wolfssl.com\n.\n.\n" | openssl req -new -key ecc-key-comp.pem -config ./wolfssl.cnf -nodes -out server-ecc-comp.csr
check_result $? "Step 1"
openssl x509 -req -in server-ecc-comp.csr -days 1000 -extfile wolfssl.cnf -extensions wolfssl_opts -signkey ecc-key-comp.pem -out server-ecc-comp.pem
check_result $? "Step 2"
rm server-ecc-comp.csr
openssl x509 -in server-ecc-comp.pem -text > tmp.pem
check_result $? "Step 3"
mv tmp.pem server-ecc-comp.pem
echo "End of section"
echo "---------------------------------------------------------------------"
############################################################
############## create the client-ca.pem file ###############
############################################################
echo "Updating client-ca.pem"
echo ""
cat client-cert.pem client-ecc-cert.pem > client-ca.pem
echo "End of section"
echo "---------------------------------------------------------------------"
############################################################
###### update the self-signed ecc-privOnlyCert.pem #########
############################################################
echo "Updating ecc-privOnlyCert.pem"
echo ""
#pipe the following arguments to openssl req...
echo -e ".\n.\n.\nWR\n.\nDE\n.\n.\n.\n" | openssl req -new -key ecc-privOnlyKey.pem -nodes -out ecc-privOnly.csr
echo -e ".\n.\n.\nWR\n.\nDE\n.\n.\n.\n" | openssl req -new -key ecc-privOnlyKey.pem -config ./wolfssl.cnf -nodes -out ecc-privOnly.csr
check_result $? "Step 1"
openssl x509 -req -in ecc-privOnly.csr -days 1000 -signkey ecc-privOnlyKey.pem -out ecc-privOnlyCert.pem
check_result $? "Step 2"
rm ecc-privOnly.csr
echo "End of section"
echo "---------------------------------------------------------------------"
############################################################
###### update the self-signed test/digsigku.pem ##########
############################################################
echo "Updating test/digsigku.pem"
echo ""
#pipe the following arguments to openssl req...
echo -e "US\nWashington\nSeattle\nFoofarah\nArglebargle\nfoobarbaz\ninfo@worlss.com\n.\n.\n" | openssl req -new -key ecc-key.pem -nodes -sha1 -out digsigku.csr
echo -e "US\nWashington\nSeattle\nFoofarah\nArglebargle\nfoobarbaz\ninfo@worlss.com\n.\n.\n" | openssl req -new -key ecc-key.pem -config ./wolfssl.cnf -nodes -sha1 -out digsigku.csr
check_result $? "Step 1"
openssl x509 -req -in digsigku.csr -days 1000 -extfile wolfssl.cnf -extensions digsigku -signkey ecc-key.pem -sha1 -set_serial 16393466893990650224 -out digsigku.pem
check_result $? "Step 2"
rm digsigku.csr
openssl x509 -in digsigku.pem -text > tmp.pem
check_result $? "Step 3"
mv tmp.pem digsigku.pem
mv digsigku.pem test/digsigku.pem
echo "End of section"
echo "---------------------------------------------------------------------"
############################################################
########## make .der files from .pem files #################
############################################################
echo "Creating der formatted certs..."
echo ""
openssl x509 -inform PEM -in \1024/client-cert.pem -outform DER -out \1024/client-cert.der
openssl x509 -inform PEM -in \1024/server-cert.pem -outform DER -out \1024/server-cert.der
openssl x509 -inform PEM -in \1024/ca-cert.pem -outform DER -out \1024/ca-cert.der
openssl x509 -inform PEM -in ./1024/client-cert.pem -outform DER -out ./1024/client-cert.der
check_result $? "Der Cert 1"
openssl x509 -inform PEM -in ./1024/server-cert.pem -outform DER -out ./1024/server-cert.der
check_result $? "Der Cert 2"
openssl x509 -inform PEM -in ./1024/ca-cert.pem -outform DER -out ./1024/ca-cert.der
check_result $? "Der Cert 3"
openssl x509 -inform PEM -in ca-cert.pem -outform DER -out ca-cert.der
check_result $? "Der Cert 4"
openssl x509 -inform PEM -in ca-ecc-cert.pem -outform DER -out ca-ecc-cert.der
check_result $? "Der Cert 5"
openssl x509 -inform PEM -in ca-ecc384-cert.pem -outform DER -out ca-ecc384-cert.der
check_result $? "Der Cert 6"
openssl x509 -inform PEM -in client-cert.pem -outform DER -out client-cert.der
check_result $? "Der Cert 7"
openssl x509 -inform PEM -in server-cert.pem -outform DER -out server-cert.der
check_result $? "Der Cert 8"
openssl x509 -inform PEM -in client-ecc-cert.pem -outform DER -out client-ecc-cert.der
check_result $? "Der Cert 9"
openssl x509 -inform PEM -in server-ecc-rsa.pem -outform DER -out server-ecc-rsa.der
check_result $? "Der Cert 10"
openssl x509 -inform PEM -in server-ecc.pem -outform DER -out server-ecc.der
check_result $? "Der Cert 11"
openssl x509 -inform PEM -in server-ecc-comp.pem -outform DER -out server-ecc-comp.der
check_result $? "Der Cert 12"
echo "End of section"
echo "---------------------------------------------------------------------"
############################################################
###### update the ecc-rsa-server.p12 file ##################
############################################################
echo "Updating ecc-rsa-server.p12 (password is \"\")"
echo ""
echo "" | openssl pkcs12 -des3 -descert -export -in server-ecc-rsa.pem -inkey ecc-key.pem -certfile server-ecc.pem -out ecc-rsa-server.p12 -password stdin
check_result $? "Step 1"
echo "End of section"
echo "---------------------------------------------------------------------"
############################################################
###### update the test-servercert.p12 file #################
############################################################
echo "Updating test-servercert.p12 (password is \"wolfSSL test\")"
echo ""
echo "wolfSSL test" | openssl pkcs12 -des3 -descert -export -in server-cert.pem -inkey server-key.pem -certfile ca-cert.pem -out test-servercert.p12 -password stdin
check_result $? "Step 1"
echo "End of section"
echo "---------------------------------------------------------------------"
############################################################
###### calling gen-ext-certs.sh ##################
############################################################
echo "Calling gen-ext-certs.sh"
echo ""
cd ..
cd .. || exit 1
./certs/test/gen-ext-certs.sh
cd ./certs
check_result $? "gen-ext-certs.sh"
cd ./certs || { echo "Couldn't cd to certs directory"; exit 1; }
echo "End of section"
echo "---------------------------------------------------------------------"
############################################################
###### calling gen-badsig.sh ##################
############################################################
echo "Calling gen-badsig.sh"
echo ""
cd ./test
cd ./test || { echo "Failed to switch to dir ./test"; exit 1; }
./gen-badsig.sh
cd ../
check_result $? "gen-badsig.sh"
cd ../ || exit 1
echo "End of section"
echo "---------------------------------------------------------------------"
############################################################
########## generate ocsp certs ######################
############################################################
@ -394,50 +515,58 @@ function run_renewcerts(){
# guard against recursive calls to renewcerts.sh
if [ -d ocsp ]; then
cd ./ocsp
echo "Execute ./renewcerts.sh..."
cd ./ocsp || { echo "Failed to switch to dir ./ocsp"; exit 1; }
echo "Execute ocsp/renewcerts.sh..."
./renewcerts.sh
cd ../
check_result $? "renewcerts.sh"
cd ../ || exit 1
else
echo "Error could not find ocsp directory"
exit 1
fi
echo "End of section"
echo "---------------------------------------------------------------------"
############################################################
###### calling assemble-chains.sh ##################
############################################################
echo "Calling assemble-chains.sh"
echo ""
cd ./test-pathlen
cd ./test-pathlen || { echo "Failed to switch to dir ./test-pathlen";
exit 1; }
./assemble-chains.sh
cd ../
check_result $? "assemble-chains.sh"
cd ../ || exit 1
echo "End of section"
echo "---------------------------------------------------------------------"
############################################################
########## store DER files as buffers ######################
############################################################
echo "Changing directory to wolfssl root..."
echo ""
cd ../
cd ../ || exit 1
echo "Execute ./gencertbuf.pl..."
echo ""
./gencertbuf.pl
check_result $? "gencertbuf.pl"
echo "End of section"
echo "---------------------------------------------------------------------"
############################################################
########## generate the new crls ###########################
############################################################
echo "Change directory to wolfssl/certs"
echo ""
cd certs
cd ./certs || { echo "Failed to switch to dir ./certs"; exit 1; }
echo "We are back in the certs directory"
echo ""
echo "Updating the crls..."
echo ""
cd crl
cd ./crl || { echo "Failed to switch to dir ./crl"; exit 1; }
echo "changed directory: cd/crl"
echo ""
./gencrls.sh
check_result $? "gencrls.sh"
echo "ran ./gencrls.sh"
echo ""
@ -446,22 +575,15 @@ function run_renewcerts(){
echo ""
rm ../wolfssl.cnf
}
#function for restoring a previous configure state
function restore_config(){
mv tmp.status config.status
mv tmp.options.h wolfssl/options.h
make clean
make -j 8
echo "End of Updates. Everything was successfully updated!"
echo "---------------------------------------------------------------------"
}
#function for copy and pasting ntru updates
function move_ntru(){
cp ntru-cert.pem certs/ntru-cert.pem
cp ntru-key.raw certs/ntru-key.raw
cp ntru-cert.der certs/ntru-cert.der
move_ntru(){
cp ntru-cert.pem certs/ntru-cert.pem || exit 1
cp ntru-key.raw certs/ntru-key.raw || exit 1
cp ntru-cert.der certs/ntru-cert.der || exit 1
}
###############################################################################
@ -469,7 +591,7 @@ function move_ntru(){
###############################################################################
#start in root.
cd ../
cd ../ || exit 1
#if HAVE_NTRU already defined && there is no argument
if grep HAVE_NTRU "wolfssl/options.h" && [ -z "$1" ]
then
@ -477,18 +599,27 @@ then
#run the function to renew the certs
run_renewcerts
# run_renewcerts will end in the wolfssl/certs/crl dir, backup to root.
cd ../../
cd ../ || exit 1
CURRDIR=${PWD##*/}
if [ "$CURRDIR" = "certs" ]; then
cd ../ || exit 1
else
echo "We are not in the right directory! Abort."
exit 1
fi
echo "changed directory to wolfssl root directory."
echo ""
echo ""
echo "Enter directory to ed25519 certificate generation example."
echo "Can be found at https://github.com/wolfSSL/wolfssl-examples"
read ED25519_DIR
read -r ED25519_DIR
if [ -d "${ED25519_DIR}" ]; then
pushd ./certs/ed25519
./gen-ed25519.sh ${ED25519_DIR}
popd
pushd ./certs/ed25519 || { echo "Failed to push certs/ed25519";
exit 1; }
./gen-ed25519.sh "${ED25519_DIR}"
check_result $? "./gen-ed25519.sh"
popd || exit 1
else
echo "Unable to find directory ${ED25519_DIR}"
exit 1
@ -499,8 +630,13 @@ then
############################################################
# We cannot assume that user has certgen and keygen enabled
CFLAG_TMP="-DWOLFSSL_STATIC_RSA"
export CFLAGS=${CFLAG_TMP}
./configure --with-ntru --enable-certgen --enable-keygen
check_result $? "configure for ntru"
make check
check_result $? "make check with ntru"
export CFLAGS=""
#copy/paste ntru-certs and key to certs/
move_ntru
@ -516,10 +652,12 @@ elif [ ! -z "$1" ]; then
echo ""
echo "Enter directory to ed25519 certificate generation example."
echo "Can be found at https://github.com/wolfSSL/wolfssl-examples"
read ED25519_DIR
pushd ./certs/ed25519
./gen-ed25519.sh ${ED25519_DIR}
popd
read -r ED25519_DIR
pushd ./certs/ed25519 || { echo "failed to push ./certs/ed25519";
exit 1; }
./gen-ed25519.sh "${ED25519_DIR}"
check_result $? "./gen-ed25519.sh"
popd || exit 1
#valid argument print out other valid arguments
elif [ "$1" == "-h" ] || [ "$1" == "-help" ]; then
echo ""
@ -541,18 +679,24 @@ elif [ ! -z "$1" ]; then
else
echo "Saving the configure state"
echo ""
cp config.status tmp.status
cp wolfssl/options.h tmp.options.h
cp config.status tmp.status || exit 1
cp wolfssl/options.h tmp.options.h || exit 1
echo "Running make clean"
echo ""
make clean
check_result $? "make clean"
#attempt to define ntru by configuring with ntru
echo "Configuring with ntru, enabling certgen and keygen"
echo ""
CFLAG_TMP="-DWOLFSSL_STATIC_RSA"
export CFLAGS=${CFLAG_TMP}
./configure --with-ntru --enable-certgen --enable-keygen
check_result $? "configure for ntru"
make check
check_result $? "make check with ntru"
export CFLAGS=""
# check options.h a second time, if the user had
# ntru installed on their system and in the default
@ -565,7 +709,14 @@ else
if grep HAVE_NTRU "wolfssl/options.h"; then
run_renewcerts
#run_renewcerts leaves us in wolfssl/certs/crl, backup to root
cd ../../
cd ../ || exit 1
CURRDIR=${PWD##*/}
if [ "$CURRDIR" = "certs" ]; then
cd ../ || exit 1
else
echo "We are not in the right directory! Abort."
exit 1
fi
echo "changed directory to wolfssl root directory."
echo ""
@ -576,10 +727,12 @@ else
# restore previous configure state
restore_config
check_result $? "restoring old configuration"
else
# restore previous configure state
restore_config
check_result $? "restoring old configuration"
echo ""
echo "ntru is not installed at the default location,"


@ -11,13 +11,13 @@ oid_section = new_oids
tsa_policy1 = 1.2.3.4.1
tsa_policy2 = 1.2.3.4.5.6
tsa_policy3 = 1.2.3.4.5.7
businessCategory=2.5.4.15
streetAddress=2.5.4.9
stateOrProvinceName=2.5.4.8
countryName=2.5.4.6
jurisdictionOfIncorporationLocalityName=1.3.6.1.4.1.311.60.2.1.1
jurisdictionOfIncorporationStateOrProvinceName=1.3.6.1.4.1.311.60.2.1.2
jurisdictionOfIncorporationCountryName=1.3.6.1.4.1.311.60.2.1.3
#businessCategory=2.5.4.15
#streetAddress=2.5.4.9
#stateOrProvinceName=2.5.4.8
#countryName=2.5.4.6
#jurisdictionOfIncorporationLocalityName=1.3.6.1.4.1.311.60.2.1.1
#jurisdictionOfIncorporationStateOrProvinceName=1.3.6.1.4.1.311.60.2.1.2
#jurisdictionOfIncorporationCountryName=1.3.6.1.4.1.311.60.2.1.3
####################################################################
[ ca ]
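Review bot: The seven OID aliases are commented out with no note saying why, so the next maintainer cannot tell whether they were broken or merely unused. Presumably they were disabled because names such as countryName, stateOrProvinceName and streetAddress already exist in OpenSSL's built-in object table and newer OpenSSL releases refuse to re-create an existing OID from a `[ new_oids ]` section; if that is the reason, record it in place, e.g. `# Disabled: these names already exist in OpenSSL's built-in OID table and re-declaring them fails on newer releases`. If the entries are never needed, deleting them outright is cleaner than leaving commented-out config behind.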


@ -3,6 +3,14 @@
# assemble-chains.sh
# Create certs and assemble all the certificate CA path test cert chains.
check_result(){
if [ $1 -ne 0 ]; then
echo "$2 Failed, Abort"
exit 1
else
echo "$2 Succeeded!"
fi
}
###########################################################
########## update server-0-ca.pem ################
@ -10,180 +18,216 @@
echo "Updating server-0-ca.pem"
echo ""
#pipe the following arguments to openssl req...
echo -e "US\nWashington\nSeattle\nwolfSSL Inc.\nEngineering\nServer 0 CA\ninfo@wolfssl.com\n.\n.\n" | openssl req -new -key ../server-key.pem -nodes -sha1 > server-0-ca-req.pem
echo -e "US\nWashington\nSeattle\nwolfSSL Inc.\nEngineering\nServer 0 CA\ninfo@wolfssl.com\n.\n.\n" | openssl req -new -key ../server-key.pem -config ../renewcerts/wolfssl.cnf -nodes -sha1 > server-0-ca-req.pem
check_result $? "Step 1"
openssl x509 -req -in server-0-ca-req.pem -extfile ../renewcerts/wolfssl.cnf -extensions pathlen_0 -days 1000 -CA ../ca-cert.pem -CAkey ../ca-key.pem -set_serial 100 -sha1 > server-0-ca.pem
check_result $? "Step 2"
rm server-0-ca-req.pem
openssl x509 -in server-0-ca.pem -text > ca_tmp.pem
check_result $? "Step 3"
mv ca_tmp.pem server-0-ca.pem
echo "End of Section"
echo "-------------------------------------------------------------------------"
###########################################################
########## update server-0-cert.pem ################
###########################################################
echo "Updating server-0-cert.pem"
echo ""
#pipe the following arguments to openssl req...
echo -e "US\nWashington\nSeattle\nwolfSSL Inc.\nEngineering\nServer 0\ninfo@wolfssl.com\n.\n.\n" | openssl req -new -key ../server-key.pem -nodes -sha1 > server-0-cert-req.pem
echo -e "US\nWashington\nSeattle\nwolfSSL Inc.\nEngineering\nServer 0\ninfo@wolfssl.com\n.\n.\n" | openssl req -new -key ../server-key.pem -config ../renewcerts/wolfssl.cnf -nodes -sha1 > server-0-cert-req.pem
check_result $? "Step 1"
openssl x509 -req -in server-0-cert-req.pem -extfile ../renewcerts/wolfssl.cnf -extensions test_pathlen -days 1000 -CA server-0-ca.pem -CAkey ../server-key.pem -set_serial 101 -sha1 > server-0-cert.pem
check_result $? "Step 2"
rm server-0-cert-req.pem
openssl x509 -in server-0-cert.pem -text > cert_tmp.pem
check_result $? "Step 3"
mv cert_tmp.pem server-0-cert.pem
echo "End of Section"
echo "-------------------------------------------------------------------------"
###########################################################
########## update server-1-ca.pem ################
###########################################################
echo "Updating server-1-ca.pem"
echo ""
#pipe the following arguments to openssl req...
echo -e "US\nWashington\nSeattle\nwolfSSL Inc.\nEngineering\nServer 1 CA\ninfo@wolfssl.com\n.\n.\n" | openssl req -new -key ../server-key.pem -nodes -sha1 > server-1-ca-req.pem
echo -e "US\nWashington\nSeattle\nwolfSSL Inc.\nEngineering\nServer 1 CA\ninfo@wolfssl.com\n.\n.\n" | openssl req -new -key ../server-key.pem -config ../renewcerts/wolfssl.cnf -nodes -sha1 > server-1-ca-req.pem
check_result $? "Step 1"
openssl x509 -req -in server-1-ca-req.pem -extfile ../renewcerts/wolfssl.cnf -extensions pathlen_1 -days 1000 -CA ../ca-cert.pem -CAkey ../ca-key.pem -set_serial 102 -sha1 > server-1-ca.pem
check_result $? "Step 2"
rm server-1-ca-req.pem
openssl x509 -in server-1-ca.pem -text > ca_tmp.pem
check_result $? "Step 3"
mv ca_tmp.pem server-1-ca.pem
echo "End of Section"
echo "-------------------------------------------------------------------------"
###########################################################
########## update server-1-cert.pem ################
###########################################################
echo "Updating server-1-cert.pem"
echo ""
#pipe the following arguments to openssl req...
echo -e "US\nWashington\nSeattle\nwolfSSL Inc.\nEngineering\nServer 1\ninfo@wolfssl.com\n.\n.\n" | openssl req -new -key ../server-key.pem -nodes -sha1 > server-1-cert-req.pem
echo -e "US\nWashington\nSeattle\nwolfSSL Inc.\nEngineering\nServer 1\ninfo@wolfssl.com\n.\n.\n" | openssl req -new -key ../server-key.pem -config ../renewcerts/wolfssl.cnf -nodes -sha1 > server-1-cert-req.pem
check_result $? "Step 1"
openssl x509 -req -in server-1-cert-req.pem -extfile ../renewcerts/wolfssl.cnf -extensions test_pathlen -days 1000 -CA server-1-ca.pem -CAkey ../server-key.pem -set_serial 105 -sha1 > server-1-cert.pem
check_result $? "Step 2"
rm server-1-cert-req.pem
openssl x509 -in server-1-cert.pem -text > cert_tmp.pem
check_result $? "Step 3"
mv cert_tmp.pem server-1-cert.pem
echo "End of Section"
echo "-------------------------------------------------------------------------"
###########################################################
########## update server-0-1-ca.pem ################
###########################################################
echo "Updating server-0-1-ca.pem"
echo ""
#pipe the following arguments to openssl req...
echo -e "US\nWashington\nSeattle\nwolfSSL Inc.\nEngineering\nServer 0-1 CA\ninfo@wolfssl.com\n.\n.\n" | openssl req -new -key ../server-key.pem -nodes -sha1 > server-0-1-ca-req.pem
echo -e "US\nWashington\nSeattle\nwolfSSL Inc.\nEngineering\nServer 0-1 CA\ninfo@wolfssl.com\n.\n.\n" | openssl req -new -key ../server-key.pem -config ../renewcerts/wolfssl.cnf -nodes -sha1 > server-0-1-ca-req.pem
check_result $? "Step 1"
openssl x509 -req -in server-0-1-ca-req.pem -extfile ../renewcerts/wolfssl.cnf -extensions pathlen_1 -days 1000 -CA server-0-ca.pem -CAkey ../server-key.pem -set_serial 110 -sha1 > server-0-1-ca.pem
check_result $? "Step 2"
rm server-0-1-ca-req.pem
openssl x509 -in server-0-1-ca.pem -text > ca_tmp.pem
check_result $? "Step 3"
mv ca_tmp.pem server-0-1-ca.pem
echo "End of Section"
echo "-------------------------------------------------------------------------"
###########################################################
########## update server-0-1-cert.pem ################
###########################################################
echo "Updating server-0-1-cert.pem"
echo ""
#pipe the following arguments to openssl req...
echo -e "US\nWashington\nSeattle\nwolfSSL Inc.\nEngineering\nServer 0-1\ninfo@wolfssl.com\n.\n.\n" | openssl req -new -key ../server-key.pem -nodes -sha1 > server-0-1-cert-req.pem
echo -e "US\nWashington\nSeattle\nwolfSSL Inc.\nEngineering\nServer 0-1\ninfo@wolfssl.com\n.\n.\n" | openssl req -new -key ../server-key.pem -config ../renewcerts/wolfssl.cnf -nodes -sha1 > server-0-1-cert-req.pem
check_result $? "Step 1"
openssl x509 -req -in server-0-1-cert-req.pem -extfile ../renewcerts/wolfssl.cnf -extensions test_pathlen -days 1000 -CA server-0-1-ca.pem -CAkey ../server-key.pem -set_serial 111 -sha1 > server-0-1-cert.pem
check_result $? "Step 2"
rm server-0-1-cert-req.pem
openssl x509 -in server-0-1-cert.pem -text > cert_tmp.pem
check_result $? "Step 3"
mv cert_tmp.pem server-0-1-cert.pem
echo "End of Section"
echo "-------------------------------------------------------------------------"
###########################################################
########## update server-1-0-ca.pem ################
###########################################################
echo "Updating server-1-0-ca.pem"
echo ""
#pipe the following arguments to openssl req...
echo -e "US\nWashington\nSeattle\nwolfSSL Inc.\nEngineering\nServer 1-0 CA\ninfo@wolfssl.com\n.\n.\n" | openssl req -new -key ../server-key.pem -nodes -sha1 > server-1-0-ca-req.pem
echo -e "US\nWashington\nSeattle\nwolfSSL Inc.\nEngineering\nServer 1-0 CA\ninfo@wolfssl.com\n.\n.\n" | openssl req -new -key ../server-key.pem -config ../renewcerts/wolfssl.cnf -nodes -sha1 > server-1-0-ca-req.pem
check_result $? "Step 1"
openssl x509 -req -in server-1-0-ca-req.pem -extfile ../renewcerts/wolfssl.cnf -extensions pathlen_0 -days 1000 -CA server-1-ca.pem -CAkey ../server-key.pem -set_serial 103 -sha1 > server-1-0-ca.pem
check_result $? "Step 2"
rm server-1-0-ca-req.pem
openssl x509 -in server-1-0-ca.pem -text > ca_tmp.pem
check_result $? "Step 3"
mv ca_tmp.pem server-1-0-ca.pem
echo "End of Section"
echo "-------------------------------------------------------------------------"
###########################################################
########## update server-1-0-cert.pem ################
###########################################################
echo "Updating server-1-0-cert.pem"
echo ""
#pipe the following arguments to openssl req...
echo -e "US\nWashington\nSeattle\nwolfSSL Inc.\nEngineering\nServer 1-0\ninfo@wolfssl.com\n.\n.\n" | openssl req -new -key ../server-key.pem -nodes -sha1 > server-1-0-cert-req.pem
echo -e "US\nWashington\nSeattle\nwolfSSL Inc.\nEngineering\nServer 1-0\ninfo@wolfssl.com\n.\n.\n" | openssl req -new -key ../server-key.pem -config ../renewcerts/wolfssl.cnf -nodes -sha1 > server-1-0-cert-req.pem
check_result $? "Step 1"
openssl x509 -req -in server-1-0-cert-req.pem -extfile ../renewcerts/wolfssl.cnf -extensions test_pathlen -days 1000 -CA server-1-0-ca.pem -CAkey ../server-key.pem -set_serial 104 -sha1 > server-1-0-cert.pem
check_result $? "Step 2"
rm server-1-0-cert-req.pem
openssl x509 -in server-1-0-cert.pem -text > cert_tmp.pem
check_result $? "Step 3"
mv cert_tmp.pem server-1-0-cert.pem
echo "End of Section"
echo "-------------------------------------------------------------------------"
###########################################################
########## update server-127-ca.pem ################
###########################################################
echo "Updating server-127-ca.pem"
echo ""
#pipe the following arguments to openssl req...
echo -e "US\nWashington\nSeattle\nwolfSSL Inc.\nEngineering\nServer 127 CA\ninfo@wolfssl.com\n.\n.\n" | openssl req -new -key ../server-key.pem -nodes -sha1 > server-127-ca-req.pem
echo -e "US\nWashington\nSeattle\nwolfSSL Inc.\nEngineering\nServer 127 CA\ninfo@wolfssl.com\n.\n.\n" | openssl req -new -key ../server-key.pem -config ../renewcerts/wolfssl.cnf -nodes -sha1 > server-127-ca-req.pem
check_result $? "Step 1"
openssl x509 -req -in server-127-ca-req.pem -extfile ../renewcerts/wolfssl.cnf -extensions pathlen_127 -days 1000 -CA ../ca-cert.pem -CAkey ../ca-key.pem -set_serial 106 -sha1 > server-127-ca.pem
check_result $? "Step 2"
rm server-127-ca-req.pem
openssl x509 -in server-127-ca.pem -text > ca_tmp.pem
check_result $? "Step 3"
mv ca_tmp.pem server-127-ca.pem
echo "End of Section"
echo "-------------------------------------------------------------------------"
###########################################################
########## update server-127-cert.pem ################
###########################################################
echo "Updating server-127-cert.pem"
echo ""
#pipe the following arguments to openssl req...
echo -e "US\nWashington\nSeattle\nwolfSSL Inc.\nEngineering\nServer 127\ninfo@wolfssl.com\n.\n.\n" | openssl req -new -key ../server-key.pem -nodes -sha1 > server-127-cert-req.pem
echo -e "US\nWashington\nSeattle\nwolfSSL Inc.\nEngineering\nServer 127\ninfo@wolfssl.com\n.\n.\n" | openssl req -new -key ../server-key.pem -config ../renewcerts/wolfssl.cnf -nodes -sha1 > server-127-cert-req.pem
check_result $? "Step 1"
openssl x509 -req -in server-127-cert-req.pem -extfile ../renewcerts/wolfssl.cnf -extensions test_pathlen -days 1000 -CA server-127-ca.pem -CAkey ../server-key.pem -set_serial 107 -sha1 > server-127-cert.pem
check_result $? "Step 2"
rm server-127-cert-req.pem
openssl x509 -in server-127-cert.pem -text > cert_tmp.pem
check_result $? "Step 3"
mv cert_tmp.pem server-127-cert.pem
echo "End of Section"
echo "-------------------------------------------------------------------------"
###########################################################
########## update server-128-ca.pem ################
###########################################################
echo "Updating server-128-ca.pem"
echo ""
#pipe the following arguments to openssl req...
echo -e "US\nWashington\nSeattle\nwolfSSL Inc.\nEngineering\nServer 128 CA\ninfo@wolfssl.com\n.\n.\n" | openssl req -new -key ../server-key.pem -nodes -sha1 > server-128-ca-req.pem
echo -e "US\nWashington\nSeattle\nwolfSSL Inc.\nEngineering\nServer 128 CA\ninfo@wolfssl.com\n.\n.\n" | openssl req -new -key ../server-key.pem -config ../renewcerts/wolfssl.cnf -nodes -sha1 > server-128-ca-req.pem
check_result $? "Step 1"
openssl x509 -req -in server-128-ca-req.pem -extfile ../renewcerts/wolfssl.cnf -extensions pathlen_128 -days 1000 -CA ../ca-cert.pem -CAkey ../ca-key.pem -set_serial 106 -sha1 > server-128-ca.pem
check_result $? "Step 2"
rm server-128-ca-req.pem
openssl x509 -in server-128-ca.pem -text > ca_tmp.pem
check_result $? "Step 3"
mv ca_tmp.pem server-128-ca.pem
echo "End of Section"
echo "-------------------------------------------------------------------------"
###########################################################
########## update server-128-cert.pem ################
###########################################################
echo "Updating server-128-cert.pem"
echo ""
#pipe the following arguments to openssl req...
echo -e "US\nWashington\nSeattle\nwolfSSL Inc.\nEngineering\nServer 128\ninfo@wolfssl.com\n.\n.\n" | openssl req -new -key ../server-key.pem -nodes -sha1 > server-128-cert-req.pem
echo -e "US\nWashington\nSeattle\nwolfSSL Inc.\nEngineering\nServer 128\ninfo@wolfssl.com\n.\n.\n" | openssl req -new -key ../server-key.pem -config ../renewcerts/wolfssl.cnf -nodes -sha1 > server-128-cert-req.pem
check_result $? "Step 1"
openssl x509 -req -in server-128-cert-req.pem -extfile ../renewcerts/wolfssl.cnf -extensions test_pathlen -days 1000 -CA server-128-ca.pem -CAkey ../server-key.pem -set_serial 107 -sha1 > server-128-cert.pem
check_result $? "Step 2"
rm server-128-cert-req.pem
openssl x509 -in server-128-cert.pem -text > cert_tmp.pem
check_result $? "Step 3"
mv cert_tmp.pem server-128-cert.pem
echo "End of Section"
echo "-------------------------------------------------------------------------"
###########################################################
########## Assemble Chains ################
###########################################################
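Review bot: `-set_serial 106` is used for both server-127-ca.pem and server-128-ca.pem, and both are issued by ../ca-cert.pem, so the test CA issues two different certificates with the same serial number; RFC 5280 requires serials to be unique per issuer, and a verifier or CRL entry keyed on (issuer, serial) cannot tell the two apart. The two leaf lines below them also share serial 107, which is harmless only because their issuers differ. Give one of the CA certs a distinct value, e.g. `-set_serial 108` on the server-128-ca.pem line, if 108 is not already used elsewhere in the chain tests. This predates the commit, but the added check_result calls leave it as the one remaining defect in these twelve near-identical blocks; a small helper taking name, extension section, issuer and serial would also shrink the file considerably.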


@ -1,130 +1,163 @@
#!/bin/sh
check_result() {
if [ $1 -ne 0 ]; then
echo "Step Failed, Abort"
exit 1
else
echo "Step Succeeded!"
fi
}
# Args: 1=FileName, 2=CN, 3=AltName, 4=CA
function build_test_cert_conf {
echo "# Generated openssl conf" > $1.conf
echo "" >> $1.conf
echo "[ ca ]" >> $1.conf
echo "default_ca = CA_default" >> $1.conf
echo "[ CA_default ]" >> $1.conf
echo "certificate = ../ca-cert.pem" >> $1.conf
echo "database = ./index.txt" >> $1.conf
echo "new_certs_dir = ./certs" >> $1.conf
echo "private_key = ./private/cakey.pem" >> $1.conf
echo "serial = ./serial" >> $1.conf
echo "default_md = sha256" >> $1.conf
echo "default_days = 1000" >> $1.conf
echo "policy = default_ca_policy" >> $1.conf
echo "" >> $1.conf
echo "[ default_ca_policy ]" >> $1.conf
echo "commonName = supplied" >> $1.conf
echo "stateOrProvinceName = supplied" >> $1.conf
echo "countryName = supplied" >> $1.conf
echo "emailAddress = supplied" >> $1.conf
echo "organizationName = optional" >> $1.conf
echo "organizationalUnitName = optional" >> $1.conf
echo "" >> $1.conf
echo "[ req ]" >> $1.conf
echo "prompt = no" >> $1.conf
echo "default_bits = 2048" >> $1.conf
echo "distinguished_name = req_distinguished_name" >> $1.conf
echo "req_extensions = req_ext" >> $1.conf
if [ -n "$4" ]; then
echo "basicConstraints=CA:true,pathlen:0" >> $1.conf
echo "" >> $1.conf
fi
echo "" >> $1.conf
echo "[ req_distinguished_name ]" >> $1.conf
echo "C = US" >> $1.conf
echo "ST = Montana" >> $1.conf
echo "L = Bozeman" >> $1.conf
echo "OU = Engineering" >> $1.conf
echo "CN = $2" >> $1.conf
echo "emailAddress = info@wolfssl.com" >> $1.conf
echo "" >> $1.conf
echo "[ req_ext ]" >> $1.conf
build_test_cert_conf() {
echo "# Generated openssl conf" > "$1".conf
echo "" >> "$1".conf
echo "[ ca ]" >> "$1".conf
echo "default_ca = CA_default" >> "$1".conf
echo "[ CA_default ]" >> "$1".conf
echo "certificate = ../ca-cert.pem" >> "$1".conf
echo "database = ./index.txt" >> "$1".conf
echo "new_certs_dir = ./certs" >> "$1".conf
echo "private_key = ./private/cakey.pem" >> "$1".conf
echo "serial = ./serial" >> "$1".conf
echo "default_md = sha256" >> "$1".conf
echo "default_days = 1000" >> "$1".conf
echo "policy = default_ca_policy" >> "$1".conf
echo "" >> "$1".conf
echo "[ default_ca_policy ]" >> "$1".conf
echo "commonName = supplied" >> "$1".conf
echo "stateOrProvinceName = supplied" >> "$1".conf
echo "countryName = supplied" >> "$1".conf
echo "emailAddress = supplied" >> "$1".conf
echo "organizationName = optional" >> "$1".conf
echo "organizationalUnitName = optional" >> "$1".conf
echo "" >> "$1".conf
echo "[ req ]" >> "$1".conf
echo "prompt = no" >> "$1".conf
echo "default_bits = 2048" >> "$1".conf
echo "distinguished_name = req_distinguished_name" >> "$1".conf
if [ -n "$3" ]; then
if [[ "$3" != *"DER"* ]]; then
echo "subjectAltName = @alt_names" >> $1.conf
echo "[alt_names]" >> $1.conf
echo "DNS.1 = $3" >> $1.conf
echo "req_extensions = req_ext" >> "$1".conf
fi
if [ -n "$4" ]; then
echo "basicConstraints=CA:true,pathlen:0" >> "$1".conf
echo "" >> "$1".conf
fi
echo "" >> "$1".conf
echo "[ req_distinguished_name ]" >> "$1".conf
echo "C = US" >> "$1".conf
echo "ST = Montana" >> "$1".conf
echo "L = Bozeman" >> "$1".conf
echo "OU = Engineering" >> "$1".conf
echo "CN = $2" >> "$1".conf
echo "emailAddress = info@wolfssl.com" >> "$1".conf
echo "" >> "$1".conf
if [ -n "$3" ]; then
echo "[ req_ext ]" >> "$1".conf
if [ "$3" != *"DER"* ]; then
echo "subjectAltName = @alt_names" >> "$1".conf
echo "[alt_names]" >> "$1".conf
echo "DNS.1 = $3" >> "$1".conf
else
echo "subjectAltName = $3" >> $1.conf
echo "subjectAltName = $3" >> "$1".conf
fi
fi
}
# Args: 1=FileName
function generate_test_cert {
rm $1.der
rm $1.pem
generate_test_cert() {
rm "$1".der
rm "$1".pem
echo "step 1 create configuration"
build_test_cert_conf $1 $2 $3
build_test_cert_conf "$1" "$2" "$3"
check_result $?
echo "step 2 create csr"
openssl req -new -sha256 -out $1.csr -key ../server-key.pem -config $1.conf
openssl req -new -sha256 -out "$1".csr -key ../server-key.pem -config "$1".conf
check_result $?
echo "step 3 check csr"
openssl req -text -noout -in $1.csr
openssl req -text -noout -in "$1".csr
check_result $?
echo "step 4 create cert"
openssl x509 -req -days 1000 -sha256 -in $1.csr -signkey ../server-key.pem \
-out $1.pem -extensions req_ext -extfile $1.conf
rm $1.conf
rm $1.csr
if [ "$3" = "" ]; then
openssl x509 -req -days 1000 -sha256 \
-in "$1".csr -signkey ../server-key.pem \
-out "$1".pem -extfile "$1".conf
else
openssl x509 -req -days 1000 -sha256 \
-in "$1".csr -signkey ../server-key.pem \
-out "$1".pem -extensions req_ext -extfile "$1".conf
fi
check_result $?
rm "$1".conf
rm "$1".csr
if [ -n "$4" ]; then
echo "step 5 generate crl"
mkdir ../crl/demoCA
touch ../crl/demoCA/index.txt
echo "01" > ../crl/crlnumber
openssl ca -config ../renewcerts/wolfssl.cnf -gencrl -crldays 1000 -out crl.revoked -keyfile ../server-key.pem -cert $1.pem
rm ../crl/$1Crl.pem
echo "01" > ../crl/crlnumber
openssl ca -config ../renewcerts/wolfssl.cnf -gencrl -crldays 1000 \
-out crl.revoked -keyfile ../server-key.pem -cert "$1".pem
check_result $?
rm ../crl/"$1"Crl.pem
openssl crl -in crl.revoked -text > tmp.pem
mv tmp.pem ../crl/$1Crl.pem
check_result $?
mv tmp.pem ../crl/"$1"Crl.pem
rm crl.revoked
rm -rf ../crl/demoCA
rm ../crl/crlnumber*
fi
echo "step 6 add cert text information to pem"
openssl x509 -inform pem -in $1.pem -text > tmp.pem
mv tmp.pem $1.pem
openssl x509 -inform pem -in "$1".pem -text > tmp.pem
check_result $?
mv tmp.pem "$1".pem
echo "step 7 make binary der version"
openssl x509 -inform pem -in $1.pem -outform der -out $1.der
openssl x509 -inform pem -in "$1".pem -outform der -out "$1".der
check_result $?
}
function generate_expired_certs {
rm $1.der
rm $1.pem
generate_expired_certs() {
rm "$1".der
rm "$1".pem
mkdir -p certs
touch ./index.txt
echo 1000 > ./serial
echo "step 1 create configuration"
build_test_cert_conf $1 www.wolfssl.com 0 $3
build_test_cert_conf "$1" www.wolfssl.com 0 "$3"
check_result $?
echo "step 2 create csr"
openssl req -new -sha256 -out $1.csr -key $2 -config $1.conf
openssl req -new -sha256 -out "$1".csr -key "$2" -config "$1".conf
check_result $?
echo "step 3 check csr"
openssl req -text -noout -in $1.csr
openssl req -text -noout -in "$1".csr
check_result $?
echo "step 4 create cert"
openssl ca -selfsign -config $1.conf -keyfile $2 -in $1.csr -out $1.pem \
-startdate 201807310000Z -enddate 201808300000Z -batch
rm $1.conf
rm $1.csr
openssl ca -config ../renewcerts/wolfssl.cnf -selfsign -config "$1".conf \
-keyfile "$2" -in "$1".csr -out "$1".pem \
-startdate 201807310000Z -enddate 201808300000Z -batch
check_result $?
rm "$1".conf
rm "$1".csr
echo "step 5 add cert text information to pem"
openssl x509 -inform pem -in $1.pem -text > tmp.pem
mv tmp.pem $1.pem
openssl x509 -inform pem -in "$1".pem -text > tmp.pem
check_result $?
mv tmp.pem "$1".pem
echo "step 7 make binary der version"
openssl x509 -inform pem -in $1.pem -outform der -out $1.der
openssl x509 -inform pem -in "$1".pem -outform der -out "$1".der
check_result $?
rm -rf certs
rm ./index.txt*
@ -138,10 +171,12 @@ generate_test_cert server-goodcn localhost "" 1
generate_test_cert server-goodalt www.nomatch.com localhost 1
# Generate Good CN=*localhost, Alt=None
generate_test_cert server-goodcnwild *localhost "" 1
# Surround "*localhost" with quotes to prevent shell expansion to wildcard
generate_test_cert server-goodcnwild "*localhost" "" 1
# Generate Good CN=www.nomatch.com, Alt=*localhost
generate_test_cert server-goodaltwild www.nomatch.com *localhost 1
# Surround "*localhost" with quotes to prevent shell expansion to wildcard
generate_test_cert server-goodaltwild www.nomatch.com "*localhost" 1
# Generate Bad CN=localhost\0h, Alt=None
# DG: Have not found a way to properly encode null in common name


@ -1110,7 +1110,7 @@ THREAD_RETURN WOLFSSL_THREAD server_test(void* args)
#ifdef HAVE_NTRU
if (useNtruKey) {
if (SSL_CTX_use_NTRUPrivateKey_file(ctx, ourKey)
if (wolfSSL_CTX_use_NTRUPrivateKey_file(ctx, ourKey)
!= WOLFSSL_SUCCESS)
err_sys_ex(runWithErrors, "can't load ntru key file, "
"Please run from wolfSSL home dir");