From 4f6ee556dca24298084c6ba059f2de01e421d2ab Mon Sep 17 00:00:00 2001 From: kaleb-himes Date: Wed, 19 Sep 2018 14:03:10 -0600 Subject: [PATCH] Refactor the cert renewal scripts with error handling Portability updates --- certs/crl/gencrls.sh | 90 ++++++- certs/ecc/wolfssl.cnf | 17 +- certs/ocsp/renewcerts.sh | 61 +++-- certs/renewcerts.sh | 369 ++++++++++++++++++-------- certs/renewcerts/wolfssl.cnf | 14 +- certs/test-pathlen/assemble-chains.sh | 116 +++++--- certs/test/gen-testcerts.sh | 193 ++++++++------ examples/server/server.c | 2 +- 8 files changed, 593 insertions(+), 269 deletions(-) diff --git a/certs/crl/gencrls.sh b/certs/crl/gencrls.sh index 378c3f507..b166fbf14 100755 --- a/certs/crl/gencrls.sh +++ b/certs/crl/gencrls.sh 
@@ -1,25 +1,41 @@ #!/bin/bash # gencrls, crl config already done, see taoCerts.txt for setup +check_result(){ + if [ $1 -ne 0 ]; then + echo "Step failed, Abort" + exit 1 + else + echo "Step Succeeded!" + fi +} -function setup_files() { +setup_files() { #set up the file system for updating the crls echo "setting up the file system for generating the crls..." echo "" - touch ./index.txt - touch ./crlnumber - echo "01" >> crlnumber - touch ./blank.index.txt - mkdir demoCA - touch ./demoCA/index.txt + mkdir demoCA || exit 1 + touch ./demoCA/index.txt || exit 1 + touch ./index.txt || exit 1 + touch ../ecc/index.txt || exit 1 + touch ./crlnumber || exit 1 + touch ../ecc/crlnumber || exit 1 + echo "01" >> crlnumber || exit 1 + echo "01" >> ../ecc/crlnumber || exit 1 + touch ./blank.index.txt || exit 1 + touch ./demoCA/index.txt.attr || exit 1 + touch ../ecc/index.txt.attr || exit 1 } -function cleanup_files() { - rm blank.index.txt - rm index.* - rm crlnumber* - rm -r demoCA +cleanup_files() { + rm blank.index.txt || exit 1 + rm index.* || exit 1 + rm crlnumber* || exit 1 + rm ../ecc/crlnumber* || exit 1 + rm ../ecc/index.* || exit 1 + rm -r demoCA || exit 1 echo "Removed ../wolfssl.cnf, blank.index.txt, index.*, crlnumber*, demoCA/" + echo " ../ecc/index.txt" echo "" exit 0 } 
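Review bot: `setup_files` cannot be re-run after an aborted pass: `mkdir demoCA || exit 1` fails once the directory exists, and `echo "01" >> crlnumber || exit 1` together with the new `echo "01" >> ../ecc/crlnumber || exit 1` append rather than reset, so a leftover file gains one more `01` line per attempt and what `openssl ca` makes of the extra lines is version-dependent. Because `cleanup_files` is presumably only reached at the end of a successful run (its call site is outside this hunk), every `check_result` abort added in the later hunks leaves exactly that state behind for the next run. Use `mkdir -p demoCA || exit 1` and write the counters with `echo "01" > crlnumber || exit 1` and `echo "01" > ../ecc/crlnumber || exit 1` so each run starts from a known CRL number; the preceding `touch` of those two files then becomes redundant.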
@@ -30,31 +46,49 @@ setup_files # caCrl # revoke server-revoked-cert.pem +echo "Step 1" openssl ca -config ../renewcerts/wolfssl.cnf -gencrl -crldays 1000 -out crl2.pem -keyfile ../client-key.pem -cert ../client-cert.pem +check_result $? +echo "Step 2" openssl ca -config ../renewcerts/wolfssl.cnf -revoke ../server-revoked-cert.pem -keyfile ../ca-key.pem -cert ../ca-cert.pem +check_result $? +echo "Step 3" openssl ca -config ../renewcerts/wolfssl.cnf -gencrl -crldays 1000 -out crl.pem -keyfile ../ca-key.pem -cert ../ca-cert.pem +check_result $? # metadata +echo "Step 4" openssl crl -in crl.pem -text > tmp +check_result $? mv tmp crl.pem # install (only needed if working outside wolfssl) #cp crl.pem ~/wolfssl/certs/crl/crl.pem # crl2 create +echo "Step 5" openssl crl -in crl.pem -text > tmp +check_result $? +echo "Step 6" openssl crl -in crl2.pem -text >> tmp +check_result $? mv tmp crl2.pem # caCrl server revoked +echo "Step 7" openssl ca -config ../renewcerts/wolfssl.cnf -revoke ../server-cert.pem -keyfile ../ca-key.pem -cert ../ca-cert.pem +check_result $? # caCrl server revoked generation +echo "Step 8" openssl ca -config ../renewcerts/wolfssl.cnf -gencrl -crldays 1000 -out crl.revoked -keyfile ../ca-key.pem -cert ../ca-cert.pem +check_result $? # metadata +echo "Step 9" openssl crl -in crl.revoked -text > tmp +check_result $? mv tmp crl.revoked # install (only needed if working outside wolfssl) #cp crl.revoked ~/wolfssl/certs/crl/crl.revoked 
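Review bot: The `mv tmp crl.pem`, `mv tmp crl2.pem` and `mv tmp crl.revoked` renames that follow each newly checked `openssl crl -text` step are still unchecked, so a failed rename leaves the un-annotated CRL in place while the script continues and prints `Step Succeeded!` for the next step; the same gap exists for every `mv tmp …` in the following hunk. The script has no `set -e`, so give the renames the same treatment as the openssl calls, e.g. `mv tmp crl.pem || exit 1`, or run them through `check_result $?` so the abort message stays uniform.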
@@ -64,58 +98,90 @@ mv tmp crl.revoked cp blank.index.txt demoCA/index.txt # caEccCrl +echo "Step 10" openssl ca -config ../renewcerts/wolfssl.cnf -revoke ../server-revoked-cert.pem -keyfile ../ca-ecc-key.pem -cert ../ca-ecc-cert.pem +check_result $? +echo "Step 11" openssl ca -config ../renewcerts/wolfssl.cnf -gencrl -crldays 1000 -out caEccCrl.pem -keyfile ../ca-ecc-key.pem -cert ../ca-ecc-cert.pem +check_result $? # metadata +echo "Step 12" openssl crl -in caEccCrl.pem -text > tmp +check_result $? mv tmp caEccCrl.pem # install (only needed if working outside wolfssl) #cp caEccCrl.pem ~/wolfssl/certs/crl/caEccCrl.pem # caEcc384Crl +echo "Step 13" openssl ca -config ../renewcerts/wolfssl.cnf -revoke ../server-revoked-cert.pem -keyfile ../ca-ecc384-key.pem -cert ../ca-ecc384-cert.pem +if [ $? -ne 0 ]; then + echo "Already revoked CRL number 02, skipping" +else + echo "Revoked CRL 02" +fi +echo "Step 14" openssl ca -config ../renewcerts/wolfssl.cnf -gencrl -crldays 1000 -out caEcc384Crl.pem -keyfile ../ca-ecc384-key.pem -cert ../ca-ecc384-cert.pem +check_result $? # metadata +echo "Step 15" openssl crl -in caEcc384Crl.pem -text > tmp +check_result $? mv tmp caEcc384Crl.pem # install (only needed if working outside wolfssl) #cp caEcc384Crl.pem ~/wolfssl/certs/crl/caEcc384Crl.pem # cliCrl +echo "Step 16" openssl ca -config ../renewcerts/wolfssl.cnf -gencrl -crldays 1000 -out cliCrl.pem -keyfile ../client-key.pem -cert ../client-cert.pem +check_result $? # metadata +echo "Step 17" openssl crl -in cliCrl.pem -text > tmp +check_result $? mv tmp cliCrl.pem # install (only needed if working outside wolfssl) #cp cliCrl.pem ~/wolfssl/certs/crl/cliCrl.pem # eccCliCRL +echo "Step 18" openssl ca -config ../renewcerts/wolfssl.cnf -gencrl -crldays 1000 -out eccCliCRL.pem -keyfile ../ecc-client-key.pem -cert ../client-ecc-cert.pem +check_result $? # metadata +echo "Step 19" openssl crl -in eccCliCRL.pem -text > tmp +check_result $? 
mv tmp eccCliCRL.pem # install (only needed if working outside wolfssl) #cp eccCliCRL.pem ~/wolfssl/certs/crl/eccCliCRL.pem # eccSrvCRL +echo "Step 20" openssl ca -config ../renewcerts/wolfssl.cnf -gencrl -crldays 1000 -out eccSrvCRL.pem -keyfile ../ecc-key.pem -cert ../server-ecc.pem +check_result $? # metadata +echo "Step 21" openssl crl -in eccSrvCRL.pem -text > tmp +check_result $? mv tmp eccSrvCRL.pem # install (only needed if working outside wolfssl) #cp eccSrvCRL.pem ~/wolfssl/certs/crl/eccSrvCRL.pem # caEccCrl +echo "Step 22" openssl ca -config ../ecc/wolfssl.cnf -gencrl -crldays 1000 -out caEccCrl.pem -keyfile ../ca-ecc-key.pem -cert ../ca-ecc-cert.pem +check_result $? # ca-ecc384-cert +echo "Step 23" openssl ca -config ../ecc/wolfssl.cnf -gencrl -crldays 1000 -out caEcc384Crl.pem -keyfile ../ca-ecc384-key.pem -cert ../ca-ecc384-cert.pem +check_result $? exit 0 diff --git a/certs/ecc/wolfssl.cnf b/certs/ecc/wolfssl.cnf index 71be3e113..969fdb9a3 100644 --- a/certs/ecc/wolfssl.cnf +++ b/certs/ecc/wolfssl.cnf @@ -3,20 +3,21 @@ default_ca = CA_default [ CA_default ] -# Directory and file locations. +# Directory and file locations relevant to where the script is executing dir = . -certs = $dir/certs -new_certs_dir = $dir/certs -database = $dir/certs/ecc/index.txt -serial = $dir/certs/ecc/serial +certs = $dir/../ +new_certs_dir = $dir/../ +database = $dir/../ecc/index.txt +serial = $dir/../ecc/serial +# This should come from the system disregard local pathing RANDFILE = $dir/private/.rand # The root key and root certificate. -private_key = $dir/certs/ca-ecc-key.pem -certificate = $dir/certs/ca-ecc-cert.pem +private_key = $dir/../ca-ecc-key.pem +certificate = $dir/../ca-ecc-cert.pem # For certificate revocation lists. -crlnumber = $dir/certs/ecc/crlnumber +crlnumber = $dir/../ecc/crlnumber crl_extensions = crl_ext default_crl_days = 1000 diff --git a/certs/ocsp/renewcerts.sh b/certs/ocsp/renewcerts.sh index cdbabdf81..50e9e3d79 100755 
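Review bot: The new `if [ $? -ne 0 ]` around Step 13 turns every failure of `openssl ca -revoke` against `../ca-ecc384-cert.pem` into "Already revoked CRL number 02, skipping", so a missing key file, a wrong config path or a permission error is reported as a benign skip and the run carries on. Step 10 revokes the same `../server-revoked-cert.pem` under the ECC CA only after `cp blank.index.txt demoCA/index.txt` resets the index; if the ecc384 revoke is expected to fail solely because that entry is still in the shared index (assuming `../renewcerts/wolfssl.cnf` points its database at `demoCA/index.txt`, which is not visible here), resetting the index the same way before Step 13 and then using `check_result $?` gives the intended CRL without swallowing real errors. If the tolerant branch is intentional, capture openssl's stderr and only treat the already-revoked message as a skip, e.g. `out=$(openssl ca … 2>&1) || { printf '%s\n' "$out"; … }`, rather than any non-zero status.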
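Review bot: The new comment `# This should come from the system disregard local pathing` sits above an unchanged `RANDFILE = $dir/private/.rand`, so the file now says one thing and configures another; with `dir = .` and every other path rebased to `$dir/../`, `./private/.rand` is a location that none of the scripts changed in this commit create. If seeding is meant to come from the system, drop the `RANDFILE` line instead of leaving a stale path behind; if it has to stay, make the comment describe the actual state, e.g. `# RANDFILE path is not created by the renewal scripts; verify openssl's default seeding is used`. It is also worth extending the comment on `dir` to say that `database`, `serial` and `crlnumber` under `$dir/../ecc/` only exist while gencrls.sh's `setup_files` has run, since that is the execution context the reworded comment is hinting at.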
--- a/certs/ocsp/renewcerts.sh +++ b/certs/ocsp/renewcerts.sh @@ -1,11 +1,28 @@ #!/bin/sh +check_result(){ + if [ $1 -ne 0 ]; then + if [ -n "$2" ]; then + echo "Step Failed, Abort" + else + echo "$2 Failed, Abort" + fi + exit 1 + else + echo "Step Succeeded" + fi +} + +echo "OCSP renew certs Step 1" openssl req \ -new \ -key root-ca-key.pem \ -out root-ca-cert.csr \ + -config ../renewcerts/wolfssl.cnf \ -subj "/C=US/ST=Washington/L=Seattle/O=wolfSSL/OU=Engineering/CN=wolfSSL root CA/emailAddress=info@wolfssl.com" +check_result $? "" +echo "OCSP renew certs Step 2" openssl x509 \ -req -in root-ca-cert.csr \ -extfile openssl.cnf \ 
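Review bot: `check_result`'s inner branches are swapped: `if [ -n "$2" ]` prints the generic `Step Failed, Abort` exactly when a label was supplied and falls through to `echo "$2 Failed, Abort"` when `$2` is empty, so the `check_result $? ""` calls in this hunk and the next would print ` Failed, Abort` and the labelled `check_result $? "Step 1"` calls inside `update_cert` would lose their label. Swap the two `echo` lines, or collapse the inner test to `echo "${2:-Step} Failed, Abort"` and drop the nested `if`, which is also valid under the `#!/bin/sh` this file declares.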
@@ -14,33 +31,41 @@ openssl x509 \ -signkey root-ca-key.pem \ -set_serial 99 \ -out root-ca-cert.pem +check_result $? "" rm root-ca-cert.csr +echo "OCSP renew certs Step 3" openssl x509 -in root-ca-cert.pem -text > tmp.pem +check_result $? "" mv tmp.pem root-ca-cert.pem # $1 cert, $2 name, $3 ca, $4 extensions, $5 serial -function update_cert() { - openssl req \ - -new \ - -key $1-key.pem \ - -out $1-cert.csr \ +update_cert() { + echo "Updating certificate \"$1-cert.pem\"" + openssl req \ + -new \ + -key "$1"-key.pem \ + -out "$1"-cert.csr \ + -config ../renewcerts/wolfssl.cnf \ -subj "/C=US/ST=Washington/L=Seattle/O=wolfSSL/OU=Engineering/CN=$2/emailAddress=info@wolfssl.com" + check_result $? "Step 1" - openssl x509 \ - -req -in $1-cert.csr \ - -extfile openssl.cnf \ - -extensions $4 \ - -days 1000 \ - -CA $3-cert.pem \ - -CAkey $3-key.pem \ - -set_serial $5 \ - -out $1-cert.pem + openssl x509 \ + -req -in "$1"-cert.csr \ + -extfile openssl.cnf \ + -extensions "$4" \ + -days 1000 \ + -CA "$3"-cert.pem \ + -CAkey "$3"-key.pem \ + -set_serial "$5" \ + -out "$1"-cert.pem + check_result $? "Step 2" - rm $1-cert.csr - openssl x509 -in $1-cert.pem -text > $1_tmp.pem - mv $1_tmp.pem $1-cert.pem - cat $3-cert.pem >> $1-cert.pem + rm "$1"-cert.csr + openssl x509 -in "$1"-cert.pem -text > "$1"_tmp.pem + check_result $? "Step 3" + mv "$1"_tmp.pem "$1"-cert.pem + cat "$3"-cert.pem >> "$1"-cert.pem } update_cert intermediate1-ca "wolfSSL intermediate CA 1" root-ca v3_ca 01 diff --git a/certs/renewcerts.sh b/certs/renewcerts.sh index 693abb9c6..9b3f41c95 100755 --- a/certs/renewcerts.sh +++ b/certs/renewcerts.sh 
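Review bot: Inside `update_cert` the `rm "$1"-cert.csr`, `mv "$1"_tmp.pem "$1"-cert.pem` and `cat "$3"-cert.pem >> "$1"-cert.pem` lines remain unchecked while the three openssl calls around them now go through `check_result`; with no `set -e` in this `#!/bin/sh` script a failed rename or append leaves `"$1"-cert.pem` without the `-text` dump or without the appended CA and the function still returns success. Give them the same treatment, e.g. `mv "$1"_tmp.pem "$1"-cert.pem; check_result $? "Step 4"` and `cat "$3"-cert.pem >> "$1"-cert.pem; check_result $? "Step 5"`. The root-CA block at the top of the hunk has the same gap at `rm root-ca-cert.csr` and `mv tmp.pem root-ca-cert.pem`.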
@@ -37,12 +37,33 @@ ######################## FUNCTIONS SECTION #################################### ############################################################################### +#function for restoring a previous configure state +restore_config(){ + mv tmp.status config.status + mv tmp.options.h wolfssl/options.h + make clean + make -j 8 +} + +check_result(){ + if [ $1 -ne 0 ]; then + echo "Failed at \"$2\", Abort" + if [ "$2" = "configure for ntru" ] || \ + [ "$2" = "make check with ntru" ]; then + restore_config + fi + exit 1 + else + echo "Step Succeeded!" + fi +} + #the function that will be called when we are ready to renew the certs. -function run_renewcerts(){ - cd certs/ +run_renewcerts(){ + cd certs/ || { echo "Couldn't cd to certs directory"; exit 1; } echo "" #move the custom cnf into our working directory - cp renewcerts/wolfssl.cnf wolfssl.cnf + cp renewcerts/wolfssl.cnf wolfssl.cnf || exit 1 # To generate these all in sha1 add the flag "-sha1" on appropriate lines # That is all lines beginning with: "openssl req" 
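Review bot: `check_result` decides whether to call `restore_config` by comparing the free-text label against `"configure for ntru"` and `"make check with ntru"`, so the restore silently stops happening if a caller re-words a label or a new step lands between the save and those two, and the pairing is invisible at the call sites (which are outside this hunk). A flag set where `config.status`/`options.h` are stashed to `tmp.status`/`tmp.options.h` (presumably a `mv config.status tmp.status` elsewhere in the script) is more robust: `config_saved=1` next to that stash and `[ "${config_saved:-0}" -eq 1 ] && restore_config` in the failure branch. `restore_config` itself runs both `mv` calls, `make clean` and `make -j 8` unchecked; if `tmp.status` is absent the first `mv` fails and `make` then rebuilds whatever `config.status` happens to be present, so at least `mv tmp.status config.status || return 1` is warranted. `run_renewcerts` begins in this hunk and continues past it.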
@@ -53,339 +74,439 @@ function run_renewcerts(){ echo "Updating 2048-bit client-uri-cert.pem" echo "" #pipe the following arguments to openssl req... - echo -e "US\nMontana\nBozeman\nwolfSSL_2048\nURI\nwww.wolfssl.com\ninfo@wolfssl.com\n.\n.\n" | openssl req -new -key client-key.pem -nodes -out client-cert.csr - + echo -e "US\nMontana\nBozeman\nwolfSSL_2048\nURI\nwww.wolfssl.com\ninfo@wolfssl.com\n.\n.\n" | openssl req -new -key client-key.pem -config ./wolfssl.cnf -nodes -out client-cert.csr + check_result $? "Step 1" openssl x509 -req -in client-cert.csr -days 1000 -extfile wolfssl.cnf -extensions uri -signkey client-key.pem -out client-uri-cert.pem + check_result $? "Step 2" rm client-cert.csr openssl x509 -in client-uri-cert.pem -text > tmp.pem + check_result $? "Step 3" mv tmp.pem client-uri-cert.pem - + echo "End of section" + echo "---------------------------------------------------------------------" ############################################################ #### update the self-signed (2048-bit) client-relative-uri.pem ############################################################ echo "Updating 2048-bit client-relative-uri.pem" echo "" #pipe the following arguments to openssl req... - echo -e "US\nMontana\nBozeman\nwolfSSL_2048\nRELATIVE_URI\nwww.wolfssl.com\ninfo@wolfssl.com\n.\n.\n" | openssl req -new -key client-key.pem -nodes -out client-cert.csr + echo -e "US\nMontana\nBozeman\nwolfSSL_2048\nRELATIVE_URI\nwww.wolfssl.com\ninfo@wolfssl.com\n.\n.\n" | openssl req -new -key client-key.pem -config ./wolfssl.cnf -nodes -out client-cert.csr + check_result $? "Step 1" openssl x509 -req -in client-cert.csr -days 1000 -extfile wolfssl.cnf -extensions relative_uri -signkey client-key.pem -out client-relative-uri.pem + check_result $? "Step 2" rm client-cert.csr openssl x509 -in client-relative-uri.pem -text > tmp.pem + check_result $? 
"Step 3" mv tmp.pem client-relative-uri.pem - + echo "End of section" + echo "---------------------------------------------------------------------" ############################################################ #### update the self-signed (2048-bit) client-cert.pem ##### ############################################################ echo "Updating 2048-bit client-cert.pem" echo "" #pipe the following arguments to openssl req... - echo -e "US\nMontana\nBozeman\nwolfSSL_2048\nProgramming-2048\nwww.wolfssl.com\ninfo@wolfssl.com\n.\n.\n" | openssl req -new -key client-key.pem -nodes -out client-cert.csr + echo -e "US\nMontana\nBozeman\nwolfSSL_2048\nProgramming-2048\nwww.wolfssl.com\ninfo@wolfssl.com\n.\n.\n" | openssl req -new -key client-key.pem -config ./wolfssl.cnf -nodes -out client-cert.csr + check_result $? "Step 1" openssl x509 -req -in client-cert.csr -days 1000 -extfile wolfssl.cnf -extensions wolfssl_opts -signkey client-key.pem -out client-cert.pem + check_result $? "Step 2" rm client-cert.csr openssl x509 -in client-cert.pem -text > tmp.pem + check_result $? "Step 3" mv tmp.pem client-cert.pem - - + echo "End of section" + echo "---------------------------------------------------------------------" ############################################################ #### update the self-signed (3072-bit) client-cert.pem ##### ############################################################ echo "Updating 3072-bit client-cert.pem" echo "" #pipe the following arguments to openssl req... - echo -e "US\nMontana\nBozeman\nwolfSSL_3072\nProgramming-3072\nwww.wolfssl.com\ninfo@wolfssl.com\n.\n.\n" | openssl req -new -newkey rsa:3072 -keyout client-key-3072.pem -nodes -out client-cert-3072.csr + echo -e "US\nMontana\nBozeman\nwolfSSL_3072\nProgramming-3072\nwww.wolfssl.com\ninfo@wolfssl.com\n.\n.\n" | openssl req -new -newkey rsa:3072 -keyout client-key-3072.pem -config ./wolfssl.cnf -nodes -out client-cert-3072.csr + check_result $? 
"Step 1" openssl x509 -req -in client-cert-3072.csr -days 1000 -extfile wolfssl.cnf -extensions wolfssl_opts -signkey client-key-3072.pem -out client-cert-3072.pem + check_result $? "Step 2" rm client-cert-3072.csr openssl x509 -in client-cert-3072.pem -text > tmp.pem + check_result $? "Step 3" mv tmp.pem client-cert-3072.pem - - + echo "End of section" + echo "---------------------------------------------------------------------" ############################################################ #### update the self-signed (1024-bit) client-cert.pem ##### ############################################################ echo "Updating 1024-bit client-cert.pem" echo "" #pipe the following arguments to openssl req... - echo -e "US\nMontana\nBozeman\nwolfSSL_1024\nProgramming-1024\nwww.wolfssl.com\ninfo@wolfssl.com\n.\n.\n" | openssl req -new -key \1024/client-key.pem -nodes -out \1024/client-cert.csr + echo -e "US\nMontana\nBozeman\nwolfSSL_1024\nProgramming-1024\nwww.wolfssl.com\ninfo@wolfssl.com\n.\n.\n" | openssl req -new -key ./1024/client-key.pem -config ./wolfssl.cnf -nodes -out ./1024/client-cert.csr + check_result $? "Step 1" - openssl x509 -req -in \1024/client-cert.csr -days 1000 -extfile wolfssl.cnf -extensions wolfssl_opts -signkey \1024/client-key.pem -out \1024/client-cert.pem - rm \1024/client-cert.csr + openssl x509 -req -in ./1024/client-cert.csr -days 1000 -extfile wolfssl.cnf -extensions wolfssl_opts -signkey ./1024/client-key.pem -out ./1024/client-cert.pem + check_result $? "Step 2" + rm ./1024/client-cert.csr - openssl x509 -in \1024/client-cert.pem -text > \1024/tmp.pem - mv \1024/tmp.pem \1024/client-cert.pem + openssl x509 -in ./1024/client-cert.pem -text > ./1024/tmp.pem + check_result $? 
"Step 3" + mv ./1024/tmp.pem ./1024/client-cert.pem + echo "End of section" + echo "---------------------------------------------------------------------" ############################################################ ########## update the self-signed ca-cert.pem ############## ############################################################ echo "Updating ca-cert.pem" echo "" #pipe the following arguments to openssl req... - echo -e "US\nMontana\nBozeman\nSawtooth\nConsulting\nwww.wolfssl.com\ninfo@wolfssl.com\n.\n.\n" | openssl req -new -key ca-key.pem -nodes -out ca-cert.csr + echo -e "US\nMontana\nBozeman\nSawtooth\nConsulting\nwww.wolfssl.com\ninfo@wolfssl.com\n.\n.\n" | openssl req -new -key ca-key.pem -config ./wolfssl.cnf -nodes -out ca-cert.csr + check_result $? "Step 1" openssl x509 -req -in ca-cert.csr -days 1000 -extfile wolfssl.cnf -extensions wolfssl_opts -signkey ca-key.pem -out ca-cert.pem + check_result $? "Step 2" rm ca-cert.csr openssl x509 -in ca-cert.pem -text > tmp.pem + check_result $? "Step 3" mv tmp.pem ca-cert.pem + echo "End of section" + echo "---------------------------------------------------------------------" ############################################################ ########## update the self-signed ca-ecc-cert.pem ########## ############################################################ echo "Updating ca-ecc-cert.pem" echo "" #pipe the following arguments to openssl req... - echo -e "US\nWashington\nSeattle\nwolfSSL\nDevelopment\nwww.wolfssl.com\ninfo@wolfssl.com\n.\n.\n" | openssl req -new -key ca-ecc-key.pem -nodes -out ca-ecc-cert.csr + echo -e "US\nWashington\nSeattle\nwolfSSL\nDevelopment\nwww.wolfssl.com\ninfo@wolfssl.com\n.\n.\n" | openssl req -new -key ca-ecc-key.pem -config ./wolfssl.cnf -nodes -out ca-ecc-cert.csr + check_result $? "Step 1" openssl x509 -req -in ca-ecc-cert.csr -days 1000 -extfile wolfssl.cnf -extensions ca_ecc_cert -signkey ca-ecc-key.pem -out ca-ecc-cert.pem + check_result $? 
"Step 2" rm ca-ecc-cert.csr openssl x509 -in ca-ecc-cert.pem -text > tmp.pem + check_result $? "Step 3" mv tmp.pem ca-ecc-cert.pem + echo "End of section" + echo "---------------------------------------------------------------------" ############################################################ ########## update the self-signed ca-ecc384-cert.pem ####### ############################################################ echo "Updating ca-ecc384-cert.pem" echo "" #pipe the following arguments to openssl req... - echo -e "US\nWashington\nSeattle\nwolfSSL\nDevelopment\nwww.wolfssl.com\ninfo@wolfssl.com\n.\n.\n" | openssl req -new -key ca-ecc384-key.pem -nodes -sha384 -out ca-ecc384-cert.csr + echo -e "US\nWashington\nSeattle\nwolfSSL\nDevelopment\nwww.wolfssl.com\ninfo@wolfssl.com\n.\n.\n" | openssl req -new -key ca-ecc384-key.pem -config ./wolfssl.cnf -nodes -sha384 -out ca-ecc384-cert.csr + check_result $? "Step 1" openssl x509 -req -in ca-ecc384-cert.csr -days 1000 -extfile wolfssl.cnf -extensions ca_ecc_cert -signkey ca-ecc384-key.pem -sha384 -out ca-ecc384-cert.pem + check_result $? "Step 2" rm ca-ecc384-cert.csr openssl x509 -in ca-ecc384-cert.pem -text > tmp.pem + check_result $? "Step 3" mv tmp.pem ca-ecc384-cert.pem + echo "End of section" + echo "---------------------------------------------------------------------" ############################################################ ##### update the self-signed (1024-bit) ca-cert.pem ######## ############################################################ echo "Updating 1024-bit ca-cert.pem" echo "" #pipe the following arguments to openssl req... 
- echo -e "US\nMontana\nBozeman\nSawtooth\nConsulting_1024\nwww.wolfssl.com\ninfo@wolfssl.com\n.\n.\n" | openssl req -new -key \1024/ca-key.pem -nodes -sha1 -out \1024/ca-cert.csr + echo -e "US\nMontana\nBozeman\nSawtooth\nConsulting_1024\nwww.wolfssl.com\ninfo@wolfssl.com\n.\n.\n" | openssl req -new -key ./1024/ca-key.pem -config ./wolfssl.cnf -nodes -sha1 -out ./1024/ca-cert.csr + check_result $? "Step 1" - openssl x509 -req -in \1024/ca-cert.csr -days 1000 -extfile wolfssl.cnf -extensions wolfssl_opts -signkey \1024/ca-key.pem -out \1024/ca-cert.pem - rm \1024/ca-cert.csr + openssl x509 -req -in ./1024/ca-cert.csr -days 1000 -extfile wolfssl.cnf -extensions wolfssl_opts -signkey ./1024/ca-key.pem -out ./1024/ca-cert.pem + check_result $? "Step 2" + rm ./1024/ca-cert.csr - openssl x509 -in \1024/ca-cert.pem -text > \1024/tmp.pem - mv \1024/tmp.pem \1024/ca-cert.pem + openssl x509 -in ./1024/ca-cert.pem -text > ./1024/tmp.pem + check_result $? "Step 3" + mv ./1024/tmp.pem ./1024/ca-cert.pem + echo "End of section" + echo "---------------------------------------------------------------------" ########################################################### ########## update and sign server-cert.pem ################ ########################################################### echo "Updating server-cert.pem" echo "" #pipe the following arguments to openssl req... - echo -e "US\nMontana\nBozeman\nwolfSSL\nSupport\nwww.wolfssl.com\ninfo@wolfssl.com\n.\n.\n" | openssl req -new -key server-key.pem -nodes > server-req.pem + echo -e "US\nMontana\nBozeman\nwolfSSL\nSupport\nwww.wolfssl.com\ninfo@wolfssl.com\n.\n.\n" | openssl req -new -key server-key.pem -config ./wolfssl.cnf -nodes > server-req.pem + check_result $? "Step 1" openssl x509 -req -in server-req.pem -extfile wolfssl.cnf -extensions wolfssl_opts -days 1000 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 > server-cert.pem + check_result $? 
"Step 2" rm server-req.pem openssl x509 -in ca-cert.pem -text > ca_tmp.pem + check_result $? "Step 3" openssl x509 -in server-cert.pem -text > srv_tmp.pem + check_result $? "Step 4" mv srv_tmp.pem server-cert.pem cat ca_tmp.pem >> server-cert.pem rm ca_tmp.pem + echo "End of section" + echo "---------------------------------------------------------------------" ########################################################### ########## update and sign server-revoked-key.pem ######### ########################################################### echo "Updating server-revoked-cert.pem" echo "" #pipe the following arguments to openssl req... - echo -e "US\nMontana\nBozeman\nwolfSSL_revoked\nSupport_revoked\nwww.wolfssl.com\ninfo@wolfssl.com\n.\n.\n" | openssl req -new -key server-revoked-key.pem -nodes > server-revoked-req.pem + echo -e "US\nMontana\nBozeman\nwolfSSL_revoked\nSupport_revoked\nwww.wolfssl.com\ninfo@wolfssl.com\n.\n.\n" | openssl req -new -key server-revoked-key.pem -config ./wolfssl.cnf -nodes > server-revoked-req.pem + check_result $? "Step 1" openssl x509 -req -in server-revoked-req.pem -extfile wolfssl.cnf -extensions wolfssl_opts -days 1000 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 02 > server-revoked-cert.pem - + check_result $? "Step 2" rm server-revoked-req.pem openssl x509 -in ca-cert.pem -text > ca_tmp.pem + check_result $? "Step 3" openssl x509 -in server-revoked-cert.pem -text > srv_tmp.pem + check_result $? "Step 4" mv srv_tmp.pem server-revoked-cert.pem cat ca_tmp.pem >> server-revoked-cert.pem rm ca_tmp.pem + echo "End of section" + echo "---------------------------------------------------------------------" ########################################################### ########## update and sign server-duplicate-policy.pem #### ########################################################### echo "Updating server-duplicate-policy.pem" echo "" #pipe the following arguments to openssl req... 
- echo -e "US\nMontana\nBozeman\nwolfSSL\ntesting duplicate policy\nwww.wolfssl.com\ninfo@wolfssl.com\n.\n.\n" | openssl req -new -key server-key.pem -nodes > ./test/server-duplicate-policy-req.pem + echo -e "US\nMontana\nBozeman\nwolfSSL\ntesting duplicate policy\nwww.wolfssl.com\ninfo@wolfssl.com\n.\n.\n" | openssl req -new -key server-key.pem -config ./wolfssl.cnf -nodes > ./test/server-duplicate-policy-req.pem + check_result $? "Step 1" openssl x509 -req -in ./test/server-duplicate-policy-req.pem -extfile wolfssl.cnf -extensions policy_test -days 1000 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 02 > ./test/server-duplicate-policy.pem - + check_result $? "Step 2" rm ./test/server-duplicate-policy-req.pem openssl x509 -in ca-cert.pem -text > ca_tmp.pem + check_result $? "Step 3" openssl x509 -in ./test/server-duplicate-policy.pem -text > srv_tmp.pem + check_result $? "Step 4" mv srv_tmp.pem ./test/server-duplicate-policy.pem cat ca_tmp.pem >> ./test/server-duplicate-policy.pem rm ca_tmp.pem + echo "End of section" + echo "---------------------------------------------------------------------" ########################################################### #### update and sign (1024-bit) server-cert.pem ########### ########################################################### echo "Updating 1024-bit server-cert.pem" echo "" #pipe the following arguments to openssl req... - echo -e "US\nMontana\nBozeman\nwolfSSL\nSupport_1024\nwww.wolfssl.com\ninfo@wolfssl.com\n.\n.\n" | openssl req -new -key \1024/server-key.pem -nodes -sha1 > \1024/server-req.pem + echo -e "US\nMontana\nBozeman\nwolfSSL\nSupport_1024\nwww.wolfssl.com\ninfo@wolfssl.com\n.\n.\n" | openssl req -new -key ./1024/server-key.pem -config ./wolfssl.cnf -nodes -sha1 > ./1024/server-req.pem + check_result $? 
"Step 1" - openssl x509 -req -in \1024/server-req.pem -extfile wolfssl.cnf -extensions wolfssl_opts -days 1000 -CA \1024/ca-cert.pem -CAkey \1024/ca-key.pem -set_serial 01 > \1024/server-cert.pem + openssl x509 -req -in ./1024/server-req.pem -extfile wolfssl.cnf -extensions wolfssl_opts -days 1000 -CA ./1024/ca-cert.pem -CAkey ./1024/ca-key.pem -set_serial 01 > ./1024/server-cert.pem + check_result $? "Step 2" + rm ./1024/server-req.pem - rm \1024/server-req.pem - - openssl x509 -in \1024/ca-cert.pem -text > \1024/ca_tmp.pem - openssl x509 -in \1024/server-cert.pem -text > \1024/srv_tmp.pem - mv \1024/srv_tmp.pem \1024/server-cert.pem - cat \1024/ca_tmp.pem >> \1024/server-cert.pem - rm \1024/ca_tmp.pem + openssl x509 -in ./1024/ca-cert.pem -text > ./1024/ca_tmp.pem + check_result $? "Step 3" + openssl x509 -in ./1024/server-cert.pem -text > ./1024/srv_tmp.pem + check_result $? "Step 4" + mv ./1024/srv_tmp.pem ./1024/server-cert.pem + cat ./1024/ca_tmp.pem >> ./1024/server-cert.pem + rm ./1024/ca_tmp.pem + echo "End of section" + echo "---------------------------------------------------------------------" ############################################################ ########## update and sign the server-ecc-rsa.pem ########## ############################################################ echo "Updating server-ecc-rsa.pem" echo "" - echo -e "US\nMontana\nBozeman\nElliptic - RSAsig\nECC-RSAsig\nwww.wolfssl.com\ninfo@wolfssl.com\n.\n.\n" | openssl req -new -key ecc-key.pem -nodes > server-ecc-req.pem + echo -e "US\nMontana\nBozeman\nElliptic - RSAsig\nECC-RSAsig\nwww.wolfssl.com\ninfo@wolfssl.com\n.\n.\n" | openssl req -new -key ecc-key.pem -config ./wolfssl.cnf -nodes > server-ecc-req.pem + check_result $? "Step 1" openssl x509 -req -in server-ecc-req.pem -extfile wolfssl.cnf -extensions wolfssl_opts -days 1000 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 > server-ecc-rsa.pem - + check_result $? 
"Step 2" rm server-ecc-req.pem openssl x509 -in server-ecc-rsa.pem -text > tmp.pem + check_result $? "Step 3" mv tmp.pem server-ecc-rsa.pem + echo "End of section" + echo "---------------------------------------------------------------------" ############################################################ ####### update the self-signed client-ecc-cert.pem ######### ############################################################ echo "Updating client-ecc-cert.pem" echo "" #pipe the following arguments to openssl req... - echo -e "US\nOregon\nSalem\nClient ECC\nFast\nwww.wolfssl.com\ninfo@wolfssl.com\n.\n.\n" | openssl req -new -key ecc-client-key.pem -nodes -out client-ecc-cert.csr - + echo -e "US\nOregon\nSalem\nClient ECC\nFast\nwww.wolfssl.com\ninfo@wolfssl.com\n.\n.\n" | openssl req -new -key ecc-client-key.pem -config ./wolfssl.cnf -nodes -out client-ecc-cert.csr + check_result $? "Step 1" openssl x509 -req -in client-ecc-cert.csr -days 1000 -extfile wolfssl.cnf -extensions wolfssl_opts -signkey ecc-client-key.pem -out client-ecc-cert.pem + check_result $? "Step 2" rm client-ecc-cert.csr openssl x509 -in client-ecc-cert.pem -text > tmp.pem + check_result $? "Step 3" mv tmp.pem client-ecc-cert.pem - + echo "End of section" + echo "---------------------------------------------------------------------" ############################################################ ########## update the server-ecc.pem ####################### ############################################################ echo "Updating server-ecc.pem" echo "" #pipe the following arguments to openssl req... - echo -e "US\nWashington\nSeattle\nEliptic\nECC\nwww.wolfssl.com\ninfo@wolfssl.com\n.\n.\n" | openssl req -new -key ecc-key.pem -nodes -out server-ecc.csr + echo -e "US\nWashington\nSeattle\nEliptic\nECC\nwww.wolfssl.com\ninfo@wolfssl.com\n.\n.\n" | openssl req -new -key ecc-key.pem -config ./wolfssl.cnf -nodes -out server-ecc.csr + check_result $? 
"Step 1" - - openssl x509 -req -in server-ecc.csr -days 1000 -extfile wolfssl.cnf -extensions server_ecc -CAfile ca-ecc-cert.pem -CAkey ca-ecc-key.pem -out server-ecc.pem + openssl x509 -req -in server-ecc.csr -days 1000 -extfile wolfssl.cnf -extensions server_ecc -CA ca-ecc-cert.pem -CAkey ca-ecc-key.pem -set_serial 03 -out server-ecc.pem + check_result $? "Step 2" rm server-ecc.csr openssl x509 -in server-ecc.pem -text > tmp.pem + check_result $? "Step 3" mv tmp.pem server-ecc.pem + echo "End of section" + echo "---------------------------------------------------------------------" ############################################################ ###### update the self-signed server-ecc-comp.pem ########## ############################################################ echo "Updating server-ecc-comp.pem" echo "" #pipe the following arguments to openssl req... - echo -e "US\nMontana\nBozeman\nElliptic - comp\nServer ECC-comp\nwww.wolfssl.com\ninfo@wolfssl.com\n.\n.\n" | openssl req -new -key ecc-key-comp.pem -nodes -out server-ecc-comp.csr - + echo -e "US\nMontana\nBozeman\nElliptic - comp\nServer ECC-comp\nwww.wolfssl.com\ninfo@wolfssl.com\n.\n.\n" | openssl req -new -key ecc-key-comp.pem -config ./wolfssl.cnf -nodes -out server-ecc-comp.csr + check_result $? "Step 1" openssl x509 -req -in server-ecc-comp.csr -days 1000 -extfile wolfssl.cnf -extensions wolfssl_opts -signkey ecc-key-comp.pem -out server-ecc-comp.pem + check_result $? "Step 2" rm server-ecc-comp.csr openssl x509 -in server-ecc-comp.pem -text > tmp.pem + check_result $? 
"Step 3" mv tmp.pem server-ecc-comp.pem - + echo "End of section" + echo "---------------------------------------------------------------------" ############################################################ ############## create the client-ca.pem file ############### ############################################################ echo "Updating client-ca.pem" echo "" cat client-cert.pem client-ecc-cert.pem > client-ca.pem - + echo "End of section" + echo "---------------------------------------------------------------------" ############################################################ ###### update the self-signed ecc-privOnlyCert.pem ######### ############################################################ echo "Updating ecc-privOnlyCert.pem" echo "" #pipe the following arguments to openssl req... - echo -e ".\n.\n.\nWR\n.\nDE\n.\n.\n.\n" | openssl req -new -key ecc-privOnlyKey.pem -nodes -out ecc-privOnly.csr - + echo -e ".\n.\n.\nWR\n.\nDE\n.\n.\n.\n" | openssl req -new -key ecc-privOnlyKey.pem -config ./wolfssl.cnf -nodes -out ecc-privOnly.csr + check_result $? "Step 1" openssl x509 -req -in ecc-privOnly.csr -days 1000 -signkey ecc-privOnlyKey.pem -out ecc-privOnlyCert.pem + check_result $? "Step 2" rm ecc-privOnly.csr - + echo "End of section" + echo "---------------------------------------------------------------------" ############################################################ ###### update the self-signed test/digsigku.pem ########## ############################################################ echo "Updating test/digsigku.pem" echo "" #pipe the following arguments to openssl req... - echo -e "US\nWashington\nSeattle\nFoofarah\nArglebargle\nfoobarbaz\ninfo@worlss.com\n.\n.\n" | openssl req -new -key ecc-key.pem -nodes -sha1 -out digsigku.csr - + echo -e "US\nWashington\nSeattle\nFoofarah\nArglebargle\nfoobarbaz\ninfo@worlss.com\n.\n.\n" | openssl req -new -key ecc-key.pem -config ./wolfssl.cnf -nodes -sha1 -out digsigku.csr + check_result $? 
"Step 1" openssl x509 -req -in digsigku.csr -days 1000 -extfile wolfssl.cnf -extensions digsigku -signkey ecc-key.pem -sha1 -set_serial 16393466893990650224 -out digsigku.pem + check_result $? "Step 2" rm digsigku.csr openssl x509 -in digsigku.pem -text > tmp.pem + check_result $? "Step 3" mv tmp.pem digsigku.pem mv digsigku.pem test/digsigku.pem - + echo "End of section" + echo "---------------------------------------------------------------------" ############################################################ ########## make .der files from .pem files ################# ############################################################ echo "Creating der formatted certs..." echo "" - openssl x509 -inform PEM -in \1024/client-cert.pem -outform DER -out \1024/client-cert.der - openssl x509 -inform PEM -in \1024/server-cert.pem -outform DER -out \1024/server-cert.der - openssl x509 -inform PEM -in \1024/ca-cert.pem -outform DER -out \1024/ca-cert.der + openssl x509 -inform PEM -in ./1024/client-cert.pem -outform DER -out ./1024/client-cert.der + check_result $? "Der Cert 1" + openssl x509 -inform PEM -in ./1024/server-cert.pem -outform DER -out ./1024/server-cert.der + check_result $? "Der Cert 2" + openssl x509 -inform PEM -in ./1024/ca-cert.pem -outform DER -out ./1024/ca-cert.der + check_result $? "Der Cert 3" openssl x509 -inform PEM -in ca-cert.pem -outform DER -out ca-cert.der + check_result $? "Der Cert 4" openssl x509 -inform PEM -in ca-ecc-cert.pem -outform DER -out ca-ecc-cert.der + check_result $? "Der Cert 5" openssl x509 -inform PEM -in ca-ecc384-cert.pem -outform DER -out ca-ecc384-cert.der + check_result $? "Der Cert 6" openssl x509 -inform PEM -in client-cert.pem -outform DER -out client-cert.der + check_result $? "Der Cert 7" openssl x509 -inform PEM -in server-cert.pem -outform DER -out server-cert.der + check_result $? "Der Cert 8" openssl x509 -inform PEM -in client-ecc-cert.pem -outform DER -out client-ecc-cert.der + check_result $? 
"Der Cert 9" openssl x509 -inform PEM -in server-ecc-rsa.pem -outform DER -out server-ecc-rsa.der + check_result $? "Der Cert 10" openssl x509 -inform PEM -in server-ecc.pem -outform DER -out server-ecc.der + check_result $? "Der Cert 11" openssl x509 -inform PEM -in server-ecc-comp.pem -outform DER -out server-ecc-comp.der - + check_result $? "Der Cert 12" + echo "End of section" + echo "---------------------------------------------------------------------" ############################################################ ###### update the ecc-rsa-server.p12 file ################## ############################################################ echo "Updating ecc-rsa-server.p12 (password is \"\")" echo "" echo "" | openssl pkcs12 -des3 -descert -export -in server-ecc-rsa.pem -inkey ecc-key.pem -certfile server-ecc.pem -out ecc-rsa-server.p12 -password stdin - + check_result $? "Step 1" + echo "End of section" + echo "---------------------------------------------------------------------" ############################################################ ###### update the test-servercert.p12 file ################# ############################################################ echo "Updating test-servercert.p12 (password is \"wolfSSL test\")" echo "" echo "wolfSSL test" | openssl pkcs12 -des3 -descert -export -in server-cert.pem -inkey server-key.pem -certfile ca-cert.pem -out test-servercert.p12 -password stdin - + check_result $? "Step 1" + echo "End of section" + echo "---------------------------------------------------------------------" ############################################################ ###### calling gen-ext-certs.sh ################## ############################################################ echo "Calling gen-ext-certs.sh" echo "" - cd .. + cd .. || exit 1 ./certs/test/gen-ext-certs.sh - cd ./certs - + check_result $? 
"gen-ext-certs.sh" + cd ./certs || { echo "Couldn't cd to certs directory"; exit 1; } + echo "End of section" + echo "---------------------------------------------------------------------" ############################################################ ###### calling gen-badsig.sh ################## ############################################################ echo "Calling gen-badsig.sh" echo "" - cd ./test + cd ./test || { echo "Failed to switch to dir ./test"; exit 1; } ./gen-badsig.sh - cd ../ - + check_result $? "gen-badsig.sh" + cd ../ || exit 1 + echo "End of section" + echo "---------------------------------------------------------------------" ############################################################ ########## generate ocsp certs ###################### ############################################################ 
@@ -394,50 +515,58 @@ function run_renewcerts(){ # guard against recursive calls to renewcerts.sh if [ -d ocsp ]; then - cd ./ocsp - echo "Execute ./renewcerts.sh..." + cd ./ocsp || { echo "Failed to switch to dir ./ocsp"; exit 1; } + echo "Execute ocsp/renewcerts.sh..." ./renewcerts.sh - cd ../ + check_result $? "renewcerts.sh" + cd ../ || exit 1 else echo "Error could not find ocsp directory" exit 1 fi - + echo "End of section" + echo "---------------------------------------------------------------------" ############################################################ ###### calling assemble-chains.sh ################## ############################################################ echo "Calling assemble-chains.sh" echo "" - cd ./test-pathlen + cd ./test-pathlen || { echo "Failed to switch to dir ./test-pathlen"; + exit 1; } ./assemble-chains.sh - cd ../ - + check_result $? "assemble-chains.sh" + cd ../ || exit 1 + echo "End of section" + echo "---------------------------------------------------------------------" ############################################################ ########## store DER files as buffers ###################### ############################################################ echo "Changing directory to wolfssl root..." echo "" - cd ../ + cd ../ || exit 1 echo "Execute ./gencertbuf.pl..." echo "" ./gencertbuf.pl - + check_result $? "gencertbuf.pl" + echo "End of section" + echo "---------------------------------------------------------------------" ############################################################ ########## generate the new crls ########################### ############################################################ echo "Change directory to wolfssl/certs" echo "" - cd certs + cd ./certs || { echo "Failed to switch to dir ./certs"; exit 1; } echo "We are back in the certs directory" echo "" echo "Updating the crls..." 
echo "" - cd crl + cd ./crl || { echo "Failed to switch to dir ./crl"; exit 1; } echo "changed directory: cd/crl" echo "" ./gencrls.sh + check_result $? "gencrls.sh" echo "ran ./gencrls.sh" echo "" @@ -446,22 +575,15 @@ function run_renewcerts(){ echo "" rm ../wolfssl.cnf - -} - -#function for restoring a previous configure state -function restore_config(){ - mv tmp.status config.status - mv tmp.options.h wolfssl/options.h - make clean - make -j 8 + echo "End of Updates. Everything was successfully updated!" + echo "---------------------------------------------------------------------" } #function for copy and pasting ntru updates -function move_ntru(){ - cp ntru-cert.pem certs/ntru-cert.pem - cp ntru-key.raw certs/ntru-key.raw - cp ntru-cert.der certs/ntru-cert.der +move_ntru(){ + cp ntru-cert.pem certs/ntru-cert.pem || exit 1 + cp ntru-key.raw certs/ntru-key.raw || exit 1 + cp ntru-cert.der certs/ntru-cert.der || exit 1 } ############################################################################### @@ -469,7 +591,7 @@ function move_ntru(){ ############################################################################### #start in root. -cd ../ +cd ../ || exit 1 #if HAVE_NTRU already defined && there is no argument if grep HAVE_NTRU "wolfssl/options.h" && [ -z "$1" ] then 
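Review bot: The abort diagnostics added by the `cd ./ocsp || { echo "Failed to switch to dir ./ocsp"; exit 1; }` guard, and by the matching guards for `./test-pathlen`, `./certs` and `./crl` in this hunk, are written to stdout, so when the script's output is captured or piped the reason for the abort is interleaved with the progress chatter and invisible to anyone watching only stderr; write them as `echo "Failed to switch to dir ./ocsp" >&2`. The bare `cd ../ || exit 1` guards abort with no message at all, which is inconsistent with the named guards next to them. run_renewcerts starts before this hunk.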
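Review bot: This hunk deletes the definition of `restore_config` (the `mv tmp.status config.status` … `make -j 8` block), yet the `@@ -576,10 +727,12 @@` hunk still calls `restore_config` in both branches and adds `check_result $? "restoring old configuration"` after it; unless the function was re-added in a part of the file outside this view, both call sites now fail with "command not found". Even with the definition present, `$?` after a function call is only the status of its last command, so that check reflects the final `make` and not the two `mv` steps; give each step in `restore_config` its own `|| exit 1`, as the other functions in this commit do.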
@@ -477,18 +599,27 @@ then #run the function to renew the certs run_renewcerts # run_renewcerts will end in the wolfssl/certs/crl dir, backup to root. - cd ../../ + cd ../ || exit 1 + CURRDIR=${PWD##*/} + if [ "$CURRDIR" = "certs" ]; then + cd ../ || exit 1 + else + echo "We are not in the right directory! Abort." + exit 1 + fi echo "changed directory to wolfssl root directory." echo "" echo "" echo "Enter directory to ed25519 certificate generation example." echo "Can be found at https://github.com/wolfSSL/wolfssl-examples" - read ED25519_DIR + read -r ED25519_DIR if [ -d "${ED25519_DIR}" ]; then - pushd ./certs/ed25519 - ./gen-ed25519.sh ${ED25519_DIR} - popd + pushd ./certs/ed25519 || { echo "Failed to push certs/ed25519"; + exit 1; } + ./gen-ed25519.sh "${ED25519_DIR}" + check_result $? "./gen-ed25519.sh" + popd || exit 1 else echo "Unable to find directory ${ED25519_DIR}" exit 1 @@ -499,8 +630,13 @@ then ############################################################ # We cannot assume that user has certgen and keygen enabled + CFLAG_TMP="-DWOLFSSL_STATIC_RSA" + export CFLAGS=${CFLAG_TMP} ./configure --with-ntru --enable-certgen --enable-keygen + check_result $? "configure for ntru" make check + check_result $? "make check with ntru" + export CFLAGS="" #copy/paste ntru-certs and key to certs/ move_ntru @@ -516,10 +652,12 @@ elif [ ! -z "$1" ]; then echo "" echo "Enter directory to ed25519 certificate generation example." echo "Can be found at https://github.com/wolfSSL/wolfssl-examples" - read ED25519_DIR - pushd ./certs/ed25519 - ./gen-ed25519.sh ${ED25519_DIR} - popd + read -r ED25519_DIR + pushd ./certs/ed25519 || { echo "failed to push ./certs/ed25519"; + exit 1; } + ./gen-ed25519.sh "${ED25519_DIR}" + check_result $? "./gen-ed25519.sh" + popd || exit 1 #valid argument print out other valid arguments elif [ "$1" == "-h" ] || [ "$1" == "-help" ]; then echo "" 
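Review bot: The seven-line `CURRDIR=${PWD##*/}` … `fi` block that climbs from crl back to the root is duplicated verbatim in the `@@ -565,7 +709,14 @@` hunk; factor it into one helper such as `back_to_root() { cd ../ || exit 1; [ "${PWD##*/}" = "certs" ] || { echo "We are not in the right directory! Abort." >&2; exit 1; }; cd ../ || exit 1; }`. Note also that the check compares only the basename of the working directory, so any directory named `certs` passes; recording the root path at script start and comparing against it would be stricter. The enclosing if-branch begins before this hunk.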
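Review bot: `export CFLAGS=""` after `make check` does not restore the caller's environment — whatever CFLAGS the user had exported before running the script is silently replaced by an empty string for the rest of the run, including the later `./configure` that restores their build. Scope the flag to the one command instead, `CFLAGS="-DWOLFSSL_STATIC_RSA" ./configure --with-ntru --enable-certgen --enable-keygen`, which configure records in the generated Makefiles so `make check` should not need it re-exported (confirm against this build); the `CFLAG_TMP` intermediate is then unnecessary. The same pattern appears in the `@@ -541,18 +679,24 @@` hunk.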
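Review bot: Unlike the `@@ -477,18 +599,27 @@` branch, the directory read into `ED25519_DIR` here is passed straight to `./gen-ed25519.sh "${ED25519_DIR}"` with no `-d` check, so an empty or mistyped answer is caught, if at all, only inside gen-ed25519.sh; add the same guard before the `pushd`, `[ -d "${ED25519_DIR}" ] || { echo "Unable to find directory ${ED25519_DIR}" >&2; exit 1; }`. The elif branch begins before this hunk.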
@@ -541,18 +679,24 @@ elif [ ! -z "$1" ]; then else echo "Saving the configure state" echo "" - cp config.status tmp.status - cp wolfssl/options.h tmp.options.h + cp config.status tmp.status || exit 1 + cp wolfssl/options.h tmp.options.h || exit 1 echo "Running make clean" echo "" make clean + check_result $? "make clean" #attempt to define ntru by configuring with ntru echo "Configuring with ntru, enabling certgen and keygen" echo "" + CFLAG_TMP="-DWOLFSSL_STATIC_RSA" + export CFLAGS=${CFLAG_TMP} ./configure --with-ntru --enable-certgen --enable-keygen + check_result $? "configure for ntru" make check + check_result $? "make check with ntru" + export CFLAGS="" # check options.h a second time, if the user had # ntru installed on their system and in the default @@ -565,7 +709,14 @@ else if grep HAVE_NTRU "wolfssl/options.h"; then run_renewcerts #run_renewcerts leaves us in wolfssl/certs/crl, backup to root - cd ../../ + cd ../ || exit 1 + CURRDIR=${PWD##*/} + if [ "$CURRDIR" = "certs" ]; then + cd ../ || exit 1 + else + echo "We are not in the right directory! Abort." + exit 1 + fi echo "changed directory to wolfssl root directory." echo "" @@ -576,10 +727,12 @@ else # restore previous configure state restore_config + check_result $? "restoring old configuration" else # restore previous configure state restore_config + check_result $? "restoring old configuration" echo "" echo "ntru is not installed at the default location," diff --git a/certs/renewcerts/wolfssl.cnf b/certs/renewcerts/wolfssl.cnf index 585a46911..367552613 100644 --- a/certs/renewcerts/wolfssl.cnf +++ b/certs/renewcerts/wolfssl.cnf 
@@ -11,13 +11,13 @@ oid_section = new_oids tsa_policy1 = 1.2.3.4.1 tsa_policy2 = 1.2.3.4.5.6 tsa_policy3 = 1.2.3.4.5.7 -businessCategory=2.5.4.15 -streetAddress=2.5.4.9 -stateOrProvinceName=2.5.4.8 -countryName=2.5.4.6 -jurisdictionOfIncorporationLocalityName=1.3.6.1.4.1.311.60.2.1.1 -jurisdictionOfIncorporationStateOrProvinceName=1.3.6.1.4.1.311.60.2.1.2 -jurisdictionOfIncorporationCountryName=1.3.6.1.4.1.311.60.2.1.3 +#businessCategory=2.5.4.15 +#streetAddress=2.5.4.9 +#stateOrProvinceName=2.5.4.8 +#countryName=2.5.4.6 +#jurisdictionOfIncorporationLocalityName=1.3.6.1.4.1.311.60.2.1.1 +#jurisdictionOfIncorporationStateOrProvinceName=1.3.6.1.4.1.311.60.2.1.2 +#jurisdictionOfIncorporationCountryName=1.3.6.1.4.1.311.60.2.1.3 #################################################################### [ ca ] diff --git a/certs/test-pathlen/assemble-chains.sh b/certs/test-pathlen/assemble-chains.sh index ab46b397c..1e1fa5a61 100755 --- a/certs/test-pathlen/assemble-chains.sh +++ b/certs/test-pathlen/assemble-chains.sh @@ -3,6 +3,14 @@ # assemble-chains.sh # Create certs and assemble all the certificate CA path test cert chains. +check_result(){ + if [ $1 -ne 0 ]; then + echo "$2 Failed, Abort" + exit 1 + else + echo "$2 Succeeded!" + fi +} ########################################################### ########## update server-0-ca.pem ################ 
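Review bot: The seven `[new_oids]` entries are commented out without a word on why, so a later maintainer may well re-enable them; presumably they were disabled because `countryName`, `stateOrProvinceName`, `streetAddress` and `businessCategory` (and the jurisdiction OIDs) are objects OpenSSL already defines, and newer releases refuse to re-register an existing name or OID through `new_oids`. Add a one-line comment above the block, e.g. `# Disabled: these objects are built into OpenSSL and re-registering them fails on newer releases`, or delete the lines outright rather than leaving dead configuration.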
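Review bot: `check_result` is now defined separately here, in gen-testcerts.sh (`@@ -1,130 +1,163 @@`) and in the other renewal scripts, each with a slightly different message format; consider sourcing one shared helper. Within this copy, `$1` is unquoted in `[ $1 -ne 0 ]`, so a call that forgets the status argument fails with a test syntax error rather than an abort, and the failure message goes to stdout; `if [ "${1:-1}" -ne 0 ]; then echo "$2 Failed, Abort" >&2` covers both.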
@@ -10,180 +18,216 @@ echo "Updating server-0-ca.pem" echo "" #pipe the following arguments to openssl req... -echo -e "US\nWashington\nSeattle\nwolfSSL Inc.\nEngineering\nServer 0 CA\ninfo@wolfssl.com\n.\n.\n" | openssl req -new -key ../server-key.pem -nodes -sha1 > server-0-ca-req.pem +echo -e "US\nWashington\nSeattle\nwolfSSL Inc.\nEngineering\nServer 0 CA\ninfo@wolfssl.com\n.\n.\n" | openssl req -new -key ../server-key.pem -config ../renewcerts/wolfssl.cnf -nodes -sha1 > server-0-ca-req.pem +check_result $? "Step 1" openssl x509 -req -in server-0-ca-req.pem -extfile ../renewcerts/wolfssl.cnf -extensions pathlen_0 -days 1000 -CA ../ca-cert.pem -CAkey ../ca-key.pem -set_serial 100 -sha1 > server-0-ca.pem +check_result $? "Step 2" rm server-0-ca-req.pem openssl x509 -in server-0-ca.pem -text > ca_tmp.pem +check_result $? "Step 3" mv ca_tmp.pem server-0-ca.pem - - +echo "End of Section" +echo "-------------------------------------------------------------------------" ########################################################### ########## update server-0-cert.pem ################ ########################################################### echo "Updating server-0-cert.pem" echo "" #pipe the following arguments to openssl req... -echo -e "US\nWashington\nSeattle\nwolfSSL Inc.\nEngineering\nServer 0\ninfo@wolfssl.com\n.\n.\n" | openssl req -new -key ../server-key.pem -nodes -sha1 > server-0-cert-req.pem +echo -e "US\nWashington\nSeattle\nwolfSSL Inc.\nEngineering\nServer 0\ninfo@wolfssl.com\n.\n.\n" | openssl req -new -key ../server-key.pem -config ../renewcerts/wolfssl.cnf -nodes -sha1 > server-0-cert-req.pem +check_result $? "Step 1" openssl x509 -req -in server-0-cert-req.pem -extfile ../renewcerts/wolfssl.cnf -extensions test_pathlen -days 1000 -CA server-0-ca.pem -CAkey ../server-key.pem -set_serial 101 -sha1 > server-0-cert.pem +check_result $? "Step 2" rm server-0-cert-req.pem openssl x509 -in server-0-cert.pem -text > cert_tmp.pem +check_result $? 
"Step 3" mv cert_tmp.pem server-0-cert.pem - - +echo "End of Section" +echo "-------------------------------------------------------------------------" ########################################################### ########## update server-1-ca.pem ################ ########################################################### echo "Updating server-1-ca.pem" echo "" #pipe the following arguments to openssl req... -echo -e "US\nWashington\nSeattle\nwolfSSL Inc.\nEngineering\nServer 1 CA\ninfo@wolfssl.com\n.\n.\n" | openssl req -new -key ../server-key.pem -nodes -sha1 > server-1-ca-req.pem +echo -e "US\nWashington\nSeattle\nwolfSSL Inc.\nEngineering\nServer 1 CA\ninfo@wolfssl.com\n.\n.\n" | openssl req -new -key ../server-key.pem -config ../renewcerts/wolfssl.cnf -nodes -sha1 > server-1-ca-req.pem +check_result $? "Step 1" openssl x509 -req -in server-1-ca-req.pem -extfile ../renewcerts/wolfssl.cnf -extensions pathlen_1 -days 1000 -CA ../ca-cert.pem -CAkey ../ca-key.pem -set_serial 102 -sha1 > server-1-ca.pem +check_result $? "Step 2" rm server-1-ca-req.pem openssl x509 -in server-1-ca.pem -text > ca_tmp.pem +check_result $? "Step 3" mv ca_tmp.pem server-1-ca.pem - - +echo "End of Section" +echo "-------------------------------------------------------------------------" ########################################################### ########## update server-1-cert.pem ################ ########################################################### echo "Updating server-1-cert.pem" echo "" #pipe the following arguments to openssl req... -echo -e "US\nWashington\nSeattle\nwolfSSL Inc.\nEngineering\nServer 1\ninfo@wolfssl.com\n.\n.\n" | openssl req -new -key ../server-key.pem -nodes -sha1 > server-1-cert-req.pem +echo -e "US\nWashington\nSeattle\nwolfSSL Inc.\nEngineering\nServer 1\ninfo@wolfssl.com\n.\n.\n" | openssl req -new -key ../server-key.pem -config ../renewcerts/wolfssl.cnf -nodes -sha1 > server-1-cert-req.pem +check_result $? 
"Step 1" openssl x509 -req -in server-1-cert-req.pem -extfile ../renewcerts/wolfssl.cnf -extensions test_pathlen -days 1000 -CA server-1-ca.pem -CAkey ../server-key.pem -set_serial 105 -sha1 > server-1-cert.pem +check_result $? "Step 2" rm server-1-cert-req.pem openssl x509 -in server-1-cert.pem -text > cert_tmp.pem +check_result $? "Step 3" mv cert_tmp.pem server-1-cert.pem - - +echo "End of Section" +echo "-------------------------------------------------------------------------" ########################################################### ########## update server-0-1-ca.pem ################ ########################################################### echo "Updating server-0-1-ca.pem" echo "" #pipe the following arguments to openssl req... -echo -e "US\nWashington\nSeattle\nwolfSSL Inc.\nEngineering\nServer 0-1 CA\ninfo@wolfssl.com\n.\n.\n" | openssl req -new -key ../server-key.pem -nodes -sha1 > server-0-1-ca-req.pem +echo -e "US\nWashington\nSeattle\nwolfSSL Inc.\nEngineering\nServer 0-1 CA\ninfo@wolfssl.com\n.\n.\n" | openssl req -new -key ../server-key.pem -config ../renewcerts/wolfssl.cnf -nodes -sha1 > server-0-1-ca-req.pem +check_result $? "Step 1" openssl x509 -req -in server-0-1-ca-req.pem -extfile ../renewcerts/wolfssl.cnf -extensions pathlen_1 -days 1000 -CA server-0-ca.pem -CAkey ../server-key.pem -set_serial 110 -sha1 > server-0-1-ca.pem +check_result $? "Step 2" rm server-0-1-ca-req.pem openssl x509 -in server-0-1-ca.pem -text > ca_tmp.pem +check_result $? "Step 3" mv ca_tmp.pem server-0-1-ca.pem - - +echo "End of Section" +echo "-------------------------------------------------------------------------" ########################################################### ########## update server-0-1-cert.pem ################ ########################################################### echo "Updating server-0-1-cert.pem" echo "" #pipe the following arguments to openssl req... 
-echo -e "US\nWashington\nSeattle\nwolfSSL Inc.\nEngineering\nServer 0-1\ninfo@wolfssl.com\n.\n.\n" | openssl req -new -key ../server-key.pem -nodes -sha1 > server-0-1-cert-req.pem +echo -e "US\nWashington\nSeattle\nwolfSSL Inc.\nEngineering\nServer 0-1\ninfo@wolfssl.com\n.\n.\n" | openssl req -new -key ../server-key.pem -config ../renewcerts/wolfssl.cnf -nodes -sha1 > server-0-1-cert-req.pem +check_result $? "Step 1" openssl x509 -req -in server-0-1-cert-req.pem -extfile ../renewcerts/wolfssl.cnf -extensions test_pathlen -days 1000 -CA server-0-1-ca.pem -CAkey ../server-key.pem -set_serial 111 -sha1 > server-0-1-cert.pem +check_result $? "Step 2" rm server-0-1-cert-req.pem openssl x509 -in server-0-1-cert.pem -text > cert_tmp.pem +check_result $? "Step 3" mv cert_tmp.pem server-0-1-cert.pem - - +echo "End of Section" +echo "-------------------------------------------------------------------------" ########################################################### ########## update server-1-0-ca.pem ################ ########################################################### echo "Updating server-1-0-ca.pem" echo "" #pipe the following arguments to openssl req... -echo -e "US\nWashington\nSeattle\nwolfSSL Inc.\nEngineering\nServer 1-0 CA\ninfo@wolfssl.com\n.\n.\n" | openssl req -new -key ../server-key.pem -nodes -sha1 > server-1-0-ca-req.pem +echo -e "US\nWashington\nSeattle\nwolfSSL Inc.\nEngineering\nServer 1-0 CA\ninfo@wolfssl.com\n.\n.\n" | openssl req -new -key ../server-key.pem -config ../renewcerts/wolfssl.cnf -nodes -sha1 > server-1-0-ca-req.pem +check_result $? "Step 1" openssl x509 -req -in server-1-0-ca-req.pem -extfile ../renewcerts/wolfssl.cnf -extensions pathlen_0 -days 1000 -CA server-1-ca.pem -CAkey ../server-key.pem -set_serial 103 -sha1 > server-1-0-ca.pem +check_result $? "Step 2" rm server-1-0-ca-req.pem openssl x509 -in server-1-0-ca.pem -text > ca_tmp.pem +check_result $? 
"Step 3" mv ca_tmp.pem server-1-0-ca.pem - - +echo "End of Section" +echo "-------------------------------------------------------------------------" ########################################################### ########## update server-1-0-cert.pem ################ ########################################################### echo "Updating server-1-0-cert.pem" echo "" #pipe the following arguments to openssl req... -echo -e "US\nWashington\nSeattle\nwolfSSL Inc.\nEngineering\nServer 1-0\ninfo@wolfssl.com\n.\n.\n" | openssl req -new -key ../server-key.pem -nodes -sha1 > server-1-0-cert-req.pem +echo -e "US\nWashington\nSeattle\nwolfSSL Inc.\nEngineering\nServer 1-0\ninfo@wolfssl.com\n.\n.\n" | openssl req -new -key ../server-key.pem -config ../renewcerts/wolfssl.cnf -nodes -sha1 > server-1-0-cert-req.pem +check_result $? "Step 1" openssl x509 -req -in server-1-0-cert-req.pem -extfile ../renewcerts/wolfssl.cnf -extensions test_pathlen -days 1000 -CA server-1-0-ca.pem -CAkey ../server-key.pem -set_serial 104 -sha1 > server-1-0-cert.pem +check_result $? "Step 2" rm server-1-0-cert-req.pem openssl x509 -in server-1-0-cert.pem -text > cert_tmp.pem +check_result $? "Step 3" mv cert_tmp.pem server-1-0-cert.pem - - +echo "End of Section" +echo "-------------------------------------------------------------------------" ########################################################### ########## update server-127-ca.pem ################ ########################################################### echo "Updating server-127-ca.pem" echo "" #pipe the following arguments to openssl req... 
-echo -e "US\nWashington\nSeattle\nwolfSSL Inc.\nEngineering\nServer 127 CA\ninfo@wolfssl.com\n.\n.\n" | openssl req -new -key ../server-key.pem -nodes -sha1 > server-127-ca-req.pem +echo -e "US\nWashington\nSeattle\nwolfSSL Inc.\nEngineering\nServer 127 CA\ninfo@wolfssl.com\n.\n.\n" | openssl req -new -key ../server-key.pem -config ../renewcerts/wolfssl.cnf -nodes -sha1 > server-127-ca-req.pem +check_result $? "Step 1" openssl x509 -req -in server-127-ca-req.pem -extfile ../renewcerts/wolfssl.cnf -extensions pathlen_127 -days 1000 -CA ../ca-cert.pem -CAkey ../ca-key.pem -set_serial 106 -sha1 > server-127-ca.pem +check_result $? "Step 2" rm server-127-ca-req.pem openssl x509 -in server-127-ca.pem -text > ca_tmp.pem +check_result $? "Step 3" mv ca_tmp.pem server-127-ca.pem - - +echo "End of Section" +echo "-------------------------------------------------------------------------" ########################################################### ########## update server-127-cert.pem ################ ########################################################### echo "Updating server-127-cert.pem" echo "" #pipe the following arguments to openssl req... -echo -e "US\nWashington\nSeattle\nwolfSSL Inc.\nEngineering\nServer 127\ninfo@wolfssl.com\n.\n.\n" | openssl req -new -key ../server-key.pem -nodes -sha1 > server-127-cert-req.pem +echo -e "US\nWashington\nSeattle\nwolfSSL Inc.\nEngineering\nServer 127\ninfo@wolfssl.com\n.\n.\n" | openssl req -new -key ../server-key.pem -config ../renewcerts/wolfssl.cnf -nodes -sha1 > server-127-cert-req.pem +check_result $? "Step 1" openssl x509 -req -in server-127-cert-req.pem -extfile ../renewcerts/wolfssl.cnf -extensions test_pathlen -days 1000 -CA server-127-ca.pem -CAkey ../server-key.pem -set_serial 107 -sha1 > server-127-cert.pem +check_result $? "Step 2" rm server-127-cert-req.pem openssl x509 -in server-127-cert.pem -text > cert_tmp.pem +check_result $? 
"Step 3" mv cert_tmp.pem server-127-cert.pem - - +echo "End of Section" +echo "-------------------------------------------------------------------------" ########################################################### ########## update server-128-ca.pem ################ ########################################################### echo "Updating server-128-ca.pem" echo "" #pipe the following arguments to openssl req... -echo -e "US\nWashington\nSeattle\nwolfSSL Inc.\nEngineering\nServer 128 CA\ninfo@wolfssl.com\n.\n.\n" | openssl req -new -key ../server-key.pem -nodes -sha1 > server-128-ca-req.pem +echo -e "US\nWashington\nSeattle\nwolfSSL Inc.\nEngineering\nServer 128 CA\ninfo@wolfssl.com\n.\n.\n" | openssl req -new -key ../server-key.pem -config ../renewcerts/wolfssl.cnf -nodes -sha1 > server-128-ca-req.pem +check_result $? "Step 1" openssl x509 -req -in server-128-ca-req.pem -extfile ../renewcerts/wolfssl.cnf -extensions pathlen_128 -days 1000 -CA ../ca-cert.pem -CAkey ../ca-key.pem -set_serial 106 -sha1 > server-128-ca.pem +check_result $? "Step 2" rm server-128-ca-req.pem openssl x509 -in server-128-ca.pem -text > ca_tmp.pem +check_result $? "Step 3" mv ca_tmp.pem server-128-ca.pem - - +echo "End of Section" +echo "-------------------------------------------------------------------------" ########################################################### ########## update server-128-cert.pem ################ ########################################################### echo "Updating server-128-cert.pem" echo "" #pipe the following arguments to openssl req... -echo -e "US\nWashington\nSeattle\nwolfSSL Inc.\nEngineering\nServer 128\ninfo@wolfssl.com\n.\n.\n" | openssl req -new -key ../server-key.pem -nodes -sha1 > server-128-cert-req.pem +echo -e "US\nWashington\nSeattle\nwolfSSL Inc.\nEngineering\nServer 128\ninfo@wolfssl.com\n.\n.\n" | openssl req -new -key ../server-key.pem -config ../renewcerts/wolfssl.cnf -nodes -sha1 > server-128-cert-req.pem +check_result $? 
"Step 1" openssl x509 -req -in server-128-cert-req.pem -extfile ../renewcerts/wolfssl.cnf -extensions test_pathlen -days 1000 -CA server-128-ca.pem -CAkey ../server-key.pem -set_serial 107 -sha1 > server-128-cert.pem +check_result $? "Step 2" rm server-128-cert-req.pem openssl x509 -in server-128-cert.pem -text > cert_tmp.pem +check_result $? "Step 3" mv cert_tmp.pem server-128-cert.pem - - +echo "End of Section" +echo "-------------------------------------------------------------------------" ########################################################### ########## Assemble Chains ################ ########################################################### diff --git a/certs/test/gen-testcerts.sh b/certs/test/gen-testcerts.sh index 24398700a..107d7c45c 100755 --- a/certs/test/gen-testcerts.sh +++ b/certs/test/gen-testcerts.sh 
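Review bot: `server-127-ca.pem` and `server-128-ca.pem` are both issued by `../ca-cert.pem` with `-set_serial 106`, so the test root CA ends up with two distinct certificates sharing one serial number; these are context lines that predate the commit, but duplicate serials under a single issuer violate RFC 5280 and can confuse CRL/OCSP lookups and any cache keyed on (issuer, serial). Give the 128 pair fresh values, e.g. `-set_serial 108` for the CA and `-set_serial 109` for the leaf, after confirming nothing else signed by ca-cert.pem already uses them. Every other (issuer, serial) pair in the hunk is distinct; the reuse of 107 by server-127-cert and server-128-cert is fine because their issuers differ.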
@@ -1,130 +1,163 @@ #!/bin/sh +check_result() { + if [ $1 -ne 0 ]; then + echo "Step Failed, Abort" + exit 1 + else + echo "Step Succeeded!" + fi +} # Args: 1=FileName, 2=CN, 3=AltName, 4=CA -function build_test_cert_conf { - echo "# Generated openssl conf" > $1.conf - echo "" >> $1.conf - echo "[ ca ]" >> $1.conf - echo "default_ca = CA_default" >> $1.conf - echo "[ CA_default ]" >> $1.conf - echo "certificate = ../ca-cert.pem" >> $1.conf - echo "database = ./index.txt" >> $1.conf - echo "new_certs_dir = ./certs" >> $1.conf - echo "private_key = ./private/cakey.pem" >> $1.conf - echo "serial = ./serial" >> $1.conf - echo "default_md = sha256" >> $1.conf - echo "default_days = 1000" >> $1.conf - echo "policy = default_ca_policy" >> $1.conf - echo "" >> $1.conf - echo "[ default_ca_policy ]" >> $1.conf - echo "commonName = supplied" >> $1.conf - echo "stateOrProvinceName = supplied" >> $1.conf - echo "countryName = supplied" >> $1.conf - echo "emailAddress = supplied" >> $1.conf - echo "organizationName = optional" >> $1.conf - echo "organizationalUnitName = optional" >> $1.conf - echo "" >> $1.conf - echo "[ req ]" >> $1.conf - echo "prompt = no" >> $1.conf - echo "default_bits = 2048" >> $1.conf - echo "distinguished_name = req_distinguished_name" >> $1.conf - echo "req_extensions = req_ext" >> $1.conf - if [ -n "$4" ]; then - echo "basicConstraints=CA:true,pathlen:0" >> $1.conf - echo "" >> $1.conf - fi - echo "" >> $1.conf - echo "[ req_distinguished_name ]" >> $1.conf - echo "C = US" >> $1.conf - echo "ST = Montana" >> $1.conf - echo "L = Bozeman" >> $1.conf - echo "OU = Engineering" >> $1.conf - echo "CN = $2" >> $1.conf - echo "emailAddress = info@wolfssl.com" >> $1.conf - echo "" >> $1.conf - echo "[ req_ext ]" >> $1.conf +build_test_cert_conf() { + echo "# Generated openssl conf" > "$1".conf + echo "" >> "$1".conf + echo "[ ca ]" >> "$1".conf + echo "default_ca = CA_default" >> "$1".conf + echo "[ CA_default ]" >> "$1".conf + echo "certificate = 
../ca-cert.pem" >> "$1".conf + echo "database = ./index.txt" >> "$1".conf + echo "new_certs_dir = ./certs" >> "$1".conf + echo "private_key = ./private/cakey.pem" >> "$1".conf + echo "serial = ./serial" >> "$1".conf + echo "default_md = sha256" >> "$1".conf + echo "default_days = 1000" >> "$1".conf + echo "policy = default_ca_policy" >> "$1".conf + echo "" >> "$1".conf + echo "[ default_ca_policy ]" >> "$1".conf + echo "commonName = supplied" >> "$1".conf + echo "stateOrProvinceName = supplied" >> "$1".conf + echo "countryName = supplied" >> "$1".conf + echo "emailAddress = supplied" >> "$1".conf + echo "organizationName = optional" >> "$1".conf + echo "organizationalUnitName = optional" >> "$1".conf + echo "" >> "$1".conf + echo "[ req ]" >> "$1".conf + echo "prompt = no" >> "$1".conf + echo "default_bits = 2048" >> "$1".conf + echo "distinguished_name = req_distinguished_name" >> "$1".conf if [ -n "$3" ]; then - if [[ "$3" != *"DER"* ]]; then - echo "subjectAltName = @alt_names" >> $1.conf - echo "[alt_names]" >> $1.conf - echo "DNS.1 = $3" >> $1.conf + echo "req_extensions = req_ext" >> "$1".conf + fi + if [ -n "$4" ]; then + echo "basicConstraints=CA:true,pathlen:0" >> "$1".conf + echo "" >> "$1".conf + fi + echo "" >> "$1".conf + echo "[ req_distinguished_name ]" >> "$1".conf + echo "C = US" >> "$1".conf + echo "ST = Montana" >> "$1".conf + echo "L = Bozeman" >> "$1".conf + echo "OU = Engineering" >> "$1".conf + echo "CN = $2" >> "$1".conf + echo "emailAddress = info@wolfssl.com" >> "$1".conf + echo "" >> "$1".conf + if [ -n "$3" ]; then + echo "[ req_ext ]" >> "$1".conf + if [ "$3" != *"DER"* ]; then + echo "subjectAltName = @alt_names" >> "$1".conf + echo "[alt_names]" >> "$1".conf + echo "DNS.1 = $3" >> "$1".conf else - echo "subjectAltName = $3" >> $1.conf + echo "subjectAltName = $3" >> "$1".conf fi fi } # Args: 1=FileName -function generate_test_cert { - rm $1.der - rm $1.pem +generate_test_cert() { + rm "$1".der + rm "$1".pem echo "step 1 create 
configuration" - build_test_cert_conf $1 $2 $3 + build_test_cert_conf "$1" "$2" "$3" + check_result $? echo "step 2 create csr" - openssl req -new -sha256 -out $1.csr -key ../server-key.pem -config $1.conf + openssl req -new -sha256 -out "$1".csr -key ../server-key.pem -config "$1".conf + check_result $? echo "step 3 check csr" - openssl req -text -noout -in $1.csr + openssl req -text -noout -in "$1".csr + check_result $? echo "step 4 create cert" - openssl x509 -req -days 1000 -sha256 -in $1.csr -signkey ../server-key.pem \ - -out $1.pem -extensions req_ext -extfile $1.conf - rm $1.conf - rm $1.csr + if [ "$3" = "" ]; then + openssl x509 -req -days 1000 -sha256 \ + -in "$1".csr -signkey ../server-key.pem \ + -out "$1".pem -extfile "$1".conf + else + openssl x509 -req -days 1000 -sha256 \ + -in "$1".csr -signkey ../server-key.pem \ + -out "$1".pem -extensions req_ext -extfile "$1".conf + fi + check_result $? + rm "$1".conf + rm "$1".csr if [ -n "$4" ]; then echo "step 5 generate crl" mkdir ../crl/demoCA touch ../crl/demoCA/index.txt - echo "01" > ../crl/crlnumber - openssl ca -config ../renewcerts/wolfssl.cnf -gencrl -crldays 1000 -out crl.revoked -keyfile ../server-key.pem -cert $1.pem - rm ../crl/$1Crl.pem + echo "01" > ../crl/crlnumber + openssl ca -config ../renewcerts/wolfssl.cnf -gencrl -crldays 1000 \ + -out crl.revoked -keyfile ../server-key.pem -cert "$1".pem + check_result $? + rm ../crl/"$1"Crl.pem openssl crl -in crl.revoked -text > tmp.pem - mv tmp.pem ../crl/$1Crl.pem + check_result $? + mv tmp.pem ../crl/"$1"Crl.pem rm crl.revoked rm -rf ../crl/demoCA rm ../crl/crlnumber* fi echo "step 6 add cert text information to pem" - openssl x509 -inform pem -in $1.pem -text > tmp.pem - mv tmp.pem $1.pem + openssl x509 -inform pem -in "$1".pem -text > tmp.pem + check_result $? 
+ mv tmp.pem "$1".pem echo "step 7 make binary der version" - openssl x509 -inform pem -in $1.pem -outform der -out $1.der + openssl x509 -inform pem -in "$1".pem -outform der -out "$1".der + check_result $? } -function generate_expired_certs { - rm $1.der - rm $1.pem +generate_expired_certs() { + rm "$1".der + rm "$1".pem mkdir -p certs touch ./index.txt echo 1000 > ./serial echo "step 1 create configuration" - build_test_cert_conf $1 www.wolfssl.com 0 $3 + build_test_cert_conf "$1" www.wolfssl.com 0 "$3" + check_result $? echo "step 2 create csr" - openssl req -new -sha256 -out $1.csr -key $2 -config $1.conf + openssl req -new -sha256 -out "$1".csr -key "$2" -config "$1".conf + check_result $? echo "step 3 check csr" - openssl req -text -noout -in $1.csr + openssl req -text -noout -in "$1".csr + check_result $? echo "step 4 create cert" - openssl ca -selfsign -config $1.conf -keyfile $2 -in $1.csr -out $1.pem \ - -startdate 201807310000Z -enddate 201808300000Z -batch - rm $1.conf - rm $1.csr + openssl ca -config ../renewcerts/wolfssl.cnf -selfsign -config "$1".conf \ + -keyfile "$2" -in "$1".csr -out "$1".pem \ + -startdate 201807310000Z -enddate 201808300000Z -batch + check_result $? + rm "$1".conf + rm "$1".csr echo "step 5 add cert text information to pem" - openssl x509 -inform pem -in $1.pem -text > tmp.pem - mv tmp.pem $1.pem + openssl x509 -inform pem -in "$1".pem -text > tmp.pem + check_result $? + mv tmp.pem "$1".pem echo "step 7 make binary der version" - openssl x509 -inform pem -in $1.pem -outform der -out $1.der + openssl x509 -inform pem -in "$1".pem -outform der -out "$1".der + check_result $? rm -rf certs rm ./index.txt* 
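Review bot: Replacing `[[ "$3" != *"DER"* ]]` with `[ "$3" != *"DER"* ]` in build_test_cert_conf changes the meaning: inside single brackets `*"DER"*` is not a pattern but a word subject to pathname expansion, so with no matching file in the working directory the comparison is against the literal string `*DER*` and the DER branch (`subjectAltName = $3`) is never taken, while a file whose name contains `DER` turns the test into a syntax error. Under `#!/bin/sh` the portable substring test is `case`, as below. Separately, `generate_expired_certs` now passes `-config` twice to `openssl ca`; if the later `-config "$1".conf` wins, as I would expect, the first is dead, otherwise the generated config is ignored — worth confirming. generate_expired_certs's closing brace lies outside this hunk.
```shell
  if [ -n "$3" ]; then
    echo "[ req_ext ]" >> "$1".conf
    # POSIX sh has no [[ pattern ]]; case is the portable substring test
    case "$3" in
      *DER*)
        echo "subjectAltName = $3" >> "$1".conf
        ;;
      *)
        echo "subjectAltName = @alt_names" >> "$1".conf
        echo "[alt_names]" >> "$1".conf
        echo "DNS.1 = $3" >> "$1".conf
        ;;
    esac
  fi
# … unchanged: generate_test_cert, generate_expired_certs …
```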
@@ -138,10 +171,12 @@ generate_test_cert server-goodcn localhost "" 1 generate_test_cert server-goodalt www.nomatch.com localhost 1 # Generate Good CN=*localhost, Alt=None -generate_test_cert server-goodcnwild *localhost "" 1 +# Surround "*localhost" with quotes to prevent shell expansion to wildcard +generate_test_cert server-goodcnwild "*localhost" "" 1 # Generate Good CN=www.nomatch.com, Alt=*localhost -generate_test_cert server-goodaltwild www.nomatch.com *localhost 1 +# Surround "*localhost" with quotes to prevent shell expansion to wildcard +generate_test_cert server-goodaltwild www.nomatch.com "*localhost" 1 # Generate Bad CN=localhost\0h, Alt=None # DG: Have not found a way to properly encode null in common name diff --git a/examples/server/server.c b/examples/server/server.c index 46a54986b..0866c61a1 100644 --- a/examples/server/server.c +++ b/examples/server/server.c @@ -1110,7 +1110,7 @@ THREAD_RETURN WOLFSSL_THREAD server_test(void* args) #ifdef HAVE_NTRU if (useNtruKey) { - if (SSL_CTX_use_NTRUPrivateKey_file(ctx, ourKey) + if (wolfSSL_CTX_use_NTRUPrivateKey_file(ctx, ourKey) != WOLFSSL_SUCCESS) err_sys_ex(runWithErrors, "can't load ntru key file, " "Please run from wolfSSL home dir");
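Review bot: The two added comments say the quotes "prevent shell expansion to wildcard", which reads backwards — the quotes stop the shell from glob-expanding the wildcard `*localhost` against file names in the working directory; suggest `# Quoted so the shell does not glob-expand *localhost against the working directory`. The quoting keeps the `*` intact on the way into `build_test_cert_conf`, whose `[ "$3" != *"DER"* ]` test in the `@@ -1,130 +1,163 @@` hunk has an expansion problem of its own.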