feedc0de/wolfssl
1
0
Fork 0
forked from wolfSSL/wolfssl
Code Pull Requests Activity

Merge pull request #1428 from JacobBarthelmeh/Certs

Browse Source 
Update to certificate renew scripts
This commit is contained in:
toddouska
2018-03-19 09:05:15 -07:00
committed by GitHub
parent 465f1d491f 607bd96317
commit b28c6a394f
6 changed files with 429 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
certs/crl/gencrls.sh
View File

@ -104,4 +104,10 @@ mv tmp eccSrvCRL.pem
# install (only needed if working outside wolfssl)
#cp eccSrvCRL.pem ~/wolfssl/certs/crl/eccSrvCRL.pem
# caEccCrl
openssl ca -config ../ecc/wolfssl.cnf -gencrl -crldays 1000 -out caEccCrl.pem -keyfile ../ca-ecc-key.pem -cert ../ca-ecc-cert.pem
# ca-ecc384-cert
openssl ca -config ../ecc/wolfssl.cnf -gencrl -crldays 1000 -out caEcc384Crl.pem -keyfile ../ca-ecc384-key.pem -cert ../ca-ecc384-cert.pem
exit 0

18
certs/ed25519/gen-ed25519.sh Executable file
View File

@ -0,0 +1,18 @@
#!/bin/bash
EXAMPLE=$1
echo "This uses ed25519 certificate generator from wolfssl-examples github"
echo "The script takes in the directory to wolfssl-examples"
pushd ${EXAMPLE}
make
if [ $? -ne 0 ]; then
echo "Unable to build example"
exit 1
fi
./tls.sh
popd
mv ${EXAMPLE}/*.pem .
mv ${EXAMPLE}/*.der .

133
certs/renewcerts.sh
View File

@ -8,6 +8,10 @@
# client-ecc-cert.der
# ca-cert.pem
# ca-cert.der
# ca-ecc-cert.pem
# ca-ecc-cert.der
# ca-ecc384-cert.pem
# ca-ecc384-cert.der
# server-cert.pem
# server-cert.der
# server-ecc-rsa.pem
@ -17,6 +21,7 @@
# server-ecc-comp.pem
# client-ca.pem
# test/digsigku.pem
# ecc-privOnlyCert.pem
# updates the following crls:
# crl/cliCrl.pem
# crl/crl.pem
@ -100,12 +105,38 @@ function run_renewcerts(){
openssl x509 -in ca-cert.pem -text > tmp.pem
mv tmp.pem ca-cert.pem
############################################################
########## update the self-signed ca-ecc-cert.pem ##########
############################################################
echo "Updating ca-ecc-cert.pem"
echo ""
#pipe the following arguments to openssl req...
echo -e "US\nWashington\nSeattle\nwolfSSL\nDevelopment\nwww.wolfssl.com\ninfo@wolfssl.com\n.\n.\n" | openssl req -new -key ca-ecc-key.pem -nodes -out ca-ecc-cert.csr
openssl x509 -req -in ca-ecc-cert.csr -days 1000 -extfile wolfssl.cnf -extensions ca_ecc_cert -signkey ca-ecc-key.pem -out ca-ecc-cert.pem
rm ca-ecc-cert.csr
openssl x509 -in ca-ecc-cert.pem -text > tmp.pem
mv tmp.pem ca-ecc-cert.pem
############################################################
########## update the self-signed ca-ecc384-cert.pem #######
############################################################
echo "Updating ca-ecc384-cert.pem"
echo ""
#pipe the following arguments to openssl req...
echo -e "US\nWashington\nSeattle\nwolfSSL\nDevelopment\nwww.wolfssl.com\ninfo@wolfssl.com\n.\n.\n" | openssl req -new -key ca-ecc384-key.pem -nodes -sha384 -out ca-ecc384-cert.csr
openssl x509 -req -in ca-ecc384-cert.csr -days 1000 -extfile wolfssl.cnf -extensions ca_ecc_cert -signkey ca-ecc384-key.pem -sha384 -out ca-ecc384-cert.pem
rm ca-ecc384-cert.csr
openssl x509 -in ca-ecc384-cert.pem -text > tmp.pem
mv tmp.pem ca-ecc384-cert.pem
############################################################
##### update the self-signed (1024-bit) ca-cert.pem ########
############################################################
echo "Updating 1024-bit ca-cert.pem"
echo ""
#pipe the following arguments to openssl req...
echo -e "US\nMontana\nBozeman\nSawtooth\nConsulting_1024\nwww.wolfssl.com\ninfo@wolfssl.com\n.\n.\n" | openssl req -new -key \1024/ca-key.pem -nodes -out \1024/ca-cert.csr
echo -e "US\nMontana\nBozeman\nSawtooth\nConsulting_1024\nwww.wolfssl.com\ninfo@wolfssl.com\n.\n.\n" | openssl req -new -key \1024/ca-key.pem -nodes -sha1 -out \1024/ca-cert.csr
openssl x509 -req -in \1024/ca-cert.csr -days 1000 -extfile wolfssl.cnf -extensions wolfssl_opts -signkey \1024/ca-key.pem -out \1024/ca-cert.pem
rm \1024/ca-cert.csr
@ -169,7 +200,7 @@ function run_renewcerts(){
echo "Updating 1024-bit server-cert.pem"
echo ""
#pipe the following arguments to openssl req...
echo -e "US\nMontana\nBozeman\nwolfSSL\nSupport_1024\nwww.wolfssl.com\ninfo@wolfssl.com\n.\n.\n" | openssl req -new -key \1024/server-key.pem -nodes > \1024/server-req.pem
echo -e "US\nMontana\nBozeman\nwolfSSL\nSupport_1024\nwww.wolfssl.com\ninfo@wolfssl.com\n.\n.\n" | openssl req -new -key \1024/server-key.pem -nodes -sha1 > \1024/server-req.pem
openssl x509 -req -in \1024/server-req.pem -extfile wolfssl.cnf -extensions wolfssl_opts -days 1000 -CA \1024/ca-cert.pem -CAkey \1024/ca-key.pem -set_serial 01 > \1024/server-cert.pem
@ -209,7 +240,7 @@ function run_renewcerts(){
mv tmp.pem client-ecc-cert.pem
############################################################
########## update the self-signed server-ecc.pem ###########
########## update the server-ecc.pem #######################
############################################################
echo "Updating server-ecc.pem"
echo ""
@ -217,7 +248,7 @@ function run_renewcerts(){
echo -e "US\nWashington\nSeattle\nEliptic\nECC\nwww.wolfssl.com\ninfo@wolfssl.com\n.\n.\n" | openssl req -new -key ecc-key.pem -nodes -out server-ecc.csr
openssl x509 -req -in server-ecc.csr -days 1000 -extfile wolfssl.cnf -extensions wolfssl_opts -signkey ecc-key.pem -out server-ecc.pem
openssl x509 -req -in server-ecc.csr -days 1000 -extfile wolfssl.cnf -extensions server_ecc -CAfile ca-ecc-cert.pem -CAkey ca-ecc-key.pem -out server-ecc.pem
rm server-ecc.csr
openssl x509 -in server-ecc.pem -text > tmp.pem
@ -244,6 +275,18 @@ function run_renewcerts(){
echo ""
cat client-cert.pem client-ecc-cert.pem > client-ca.pem
############################################################
###### update the self-signed ecc-privOnlyCert.pem #########
############################################################
echo "Updating ecc-privOnlyCert.pem"
echo ""
#pipe the following arguments to openssl req...
echo -e ".\n.\n.\nWR\n.\nDE\n.\n.\n.\n" | openssl req -new -key ecc-privOnlyKey.pem -nodes -out ecc-privOnly.csr
openssl x509 -req -in ecc-privOnly.csr -days 1000 -signkey ecc-privOnlyKey.pem -out ecc-privOnlyCert.pem
rm ecc-privOnly.csr
############################################################
###### update the self-signed test/digsigku.pem ##########
############################################################
@ -263,10 +306,15 @@ function run_renewcerts(){
############################################################
########## make .der files from .pem files #################
############################################################
openssl x509 -inform PEM -in \1024/client-cert.pem -outform DER -out \1024/client-cert.der
echo "Creating der formatted certs..."
echo ""
openssl x509 -inform PEM -in \1024/client-cert.pem -outform DER -out \1024/client-cert.der
openssl x509 -inform PEM -in \1024/server-cert.pem -outform DER -out \1024/server-cert.der
openssl x509 -inform PEM -in \1024/ca-cert.pem -outform DER -out \1024/ca-cert.der
openssl x509 -inform PEM -in ca-cert.pem -outform DER -out ca-cert.der
openssl x509 -inform PEM -in ca-ecc-cert.pem -outform DER -out ca-ecc-cert.der
openssl x509 -inform PEM -in ca-ecc384-cert.pem -outform DER -out ca-ecc384-cert.der
openssl x509 -inform PEM -in client-cert.pem -outform DER -out client-cert.der
openssl x509 -inform PEM -in server-cert.pem -outform DER -out server-cert.der
openssl x509 -inform PEM -in client-ecc-cert.pem -outform DER -out client-ecc-cert.der
@ -281,6 +329,57 @@ function run_renewcerts(){
echo ""
echo "" | openssl pkcs12 -des3 -descert -export -in server-ecc-rsa.pem -inkey ecc-key.pem -certfile server-ecc.pem -out ecc-rsa-server.p12 -password stdin
############################################################
###### update the test-servercert.p12 file #################
############################################################
echo "Updating test-servercert.p12 (password is \"wolfSSL test\")"
echo ""
echo "wolfSSL test" | openssl pkcs12 -des3 -descert -export -in server-cert.pem -inkey server-key.pem -certfile ca-cert.pem -out test-servercert.p12 -password stdin
############################################################
###### calling gen-ext-certs.sh ##################
############################################################
echo "Calling gen-ext-certs.sh"
echo ""
cd ..
./certs/test/gen-ext-certs.sh
cd ./certs
############################################################
###### calling gen-badsig.sh ##################
############################################################
echo "Calling gen-badsig.sh"
echo ""
cd ./test
./gen-badsig.sh
cd ../
############################################################
########## generate ocsp certs ######################
############################################################
echo "Changing directory to ocsp..."
echo ""
# guard against recursive calls to renewcerts.sh
if [ -d ocsp ]; then
cd ./ocsp
echo "Execute ./renewcerts.sh..."
./renewcerts.sh
cd ../
else
echo "Error could not find ocsp directory"
exit 1
fi
############################################################
###### calling assemble-chains.sh ##################
############################################################
echo "Calling assemble-chains.sh"
echo ""
cd ./test-pathlen
./assemble-chains.sh
cd ../
############################################################
########## store DER files as buffers ######################
############################################################
@ -350,6 +449,19 @@ then
echo "changed directory to wolfssl root directory."
echo ""
echo ""
echo "Enter directory to ed25519 certificate generation example."
echo "Can be found at https://github.com/wolfSSL/wolfssl-examples"
read ED25519_DIR
if [ -d "${ED25519_DIR}" ]; then
pushd ./certs/ed25519
./gen-ed25519.sh ${ED25519_DIR}
popd
else
echo "Unable to find directory ${ED25519_DIR}"
exit 1
fi
############################################################
########## update ntru if already installed ################
############################################################
@ -367,11 +479,21 @@ elif [ ! -z "$1" ]; then
if [ "$1" == "--override-ntru" ]; then
echo "overriding ntru, update all certs except ntru."
run_renewcerts
#valid argument create ed25519 certificates
elif [ "$1" == "--ed25519" ] || [ "$2" == "--ed25519" ]; then
echo ""
echo "Enter directory to ed25519 certificate generation example."
echo "Can be found at https://github.com/wolfSSL/wolfssl-examples"
read ED25519_DIR
pushd ./certs/ed25519
./gen-ed25519.sh ${ED25519_DIR}
popd
#valid argument print out other valid arguments
elif [ "$1" == "-h" ] || [ "$1" == "-help" ]; then
echo ""
echo "\"no argument\" will attempt to update all certificates"
echo "--override-ntru updates all certificates except ntru"
echo "--ed25519 updates all ed25519 certificates"
echo "-h or -help display this menu"
echo ""
echo ""
@ -441,3 +563,4 @@ else
fi #END now defined
fi #END already defined
exit 0

50
certs/renewcerts/wolfssl.cnf
View File

@ -125,6 +125,40 @@ subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
basicConstraints=CA:true
# CA with pathlen 0
[ pathlen_0 ]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
basicConstraints=CA:true,pathlen:0
keyUsage=keyCertSign, cRLSign
# CA with pathlen 1
[ pathlen_1 ]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
basicConstraints=CA:true,pathlen:1
keyUsage=keyCertSign, cRLSign
# CA with pathlen 127
[ pathlen_127 ]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
basicConstraints=CA:true,pathlen:127
keyUsage=keyCertSign, cRLSign
# CA with pathlen 128
[ pathlen_128 ]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
basicConstraints=CA:true,pathlen:128
keyUsage=keyCertSign, cRLSign
# test pathlen server cert
[ test_pathlen ]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
basicConstraints=CA:false
# Extensions to add to a certificate request
[ v3_req ]
basicConstraints = CA:FALSE
@ -170,6 +204,22 @@ authorityKeyIdentifier=keyid:always,issuer:always
basicConstraints=critical, CA:TRUE
keyUsage=critical, nonRepudiation, keyEncipherment
# ca-ecc-cert extensions
[ ca_ecc_cert ]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always
basicConstraints=critical, CA:TRUE
keyUsage=critical, digitalSignature, keyCertSign, cRLSign
# server-ecc extensions
[ server_ecc ]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always
basicConstraints=critical, CA:FALSE
keyUsage=critical, digitalSignature, keyEncipherment, keyAgreement
extendedKeyUsage=serverAuth
nsCertType=server
#tsa default
[ tsa ]
default_tsa = tsa_config1

186
certs/test-pathlen/assemble-chains.sh
View File

@ -1,8 +1,192 @@
#!/bin/bash
#
# assemble-chains.sh
# Assemble all the certificate CA path test cert chains.
# Create certs and assemble all the certificate CA path test cert chains.
###########################################################
########## update server-0-ca.pem ################
###########################################################
echo "Updating server-0-ca.pem"
echo ""
#pipe the following arguments to openssl req...
echo -e "US\nWashington\nSeattle\nwolfSSL Inc.\nEngineering\nServer 0 CA\ninfo@wolfssl.com\n.\n.\n" | openssl req -new -key ../server-key.pem -nodes -sha1 > server-0-ca-req.pem
openssl x509 -req -in server-0-ca-req.pem -extfile ../renewcerts/wolfssl.cnf -extensions pathlen_0 -days 1000 -CA ../ca-cert.pem -CAkey ../ca-key.pem -set_serial 100 -sha1 > server-0-ca.pem
rm server-0-ca-req.pem
openssl x509 -in server-0-ca.pem -text > ca_tmp.pem
mv ca_tmp.pem server-0-ca.pem
###########################################################
########## update server-0-cert.pem ################
###########################################################
echo "Updating server-0-cert.pem"
echo ""
#pipe the following arguments to openssl req...
echo -e "US\nWashington\nSeattle\nwolfSSL Inc.\nEngineering\nServer 0\ninfo@wolfssl.com\n.\n.\n" | openssl req -new -key ../server-key.pem -nodes -sha1 > server-0-cert-req.pem
openssl x509 -req -in server-0-cert-req.pem -extfile ../renewcerts/wolfssl.cnf -extensions test_pathlen -days 1000 -CA server-0-ca.pem -CAkey ../server-key.pem -set_serial 101 -sha1 > server-0-cert.pem
rm server-0-cert-req.pem
openssl x509 -in server-0-cert.pem -text > cert_tmp.pem
mv cert_tmp.pem server-0-cert.pem
###########################################################
########## update server-1-ca.pem ################
###########################################################
echo "Updating server-1-ca.pem"
echo ""
#pipe the following arguments to openssl req...
echo -e "US\nWashington\nSeattle\nwolfSSL Inc.\nEngineering\nServer 1 CA\ninfo@wolfssl.com\n.\n.\n" | openssl req -new -key ../server-key.pem -nodes -sha1 > server-1-ca-req.pem
openssl x509 -req -in server-1-ca-req.pem -extfile ../renewcerts/wolfssl.cnf -extensions pathlen_1 -days 1000 -CA ../ca-cert.pem -CAkey ../ca-key.pem -set_serial 102 -sha1 > server-1-ca.pem
rm server-1-ca-req.pem
openssl x509 -in server-1-ca.pem -text > ca_tmp.pem
mv ca_tmp.pem server-1-ca.pem
###########################################################
########## update server-1-cert.pem ################
###########################################################
echo "Updating server-1-cert.pem"
echo ""
#pipe the following arguments to openssl req...
echo -e "US\nWashington\nSeattle\nwolfSSL Inc.\nEngineering\nServer 1\ninfo@wolfssl.com\n.\n.\n" | openssl req -new -key ../server-key.pem -nodes -sha1 > server-1-cert-req.pem
openssl x509 -req -in server-1-cert-req.pem -extfile ../renewcerts/wolfssl.cnf -extensions test_pathlen -days 1000 -CA server-1-ca.pem -CAkey ../server-key.pem -set_serial 105 -sha1 > server-1-cert.pem
rm server-1-cert-req.pem
openssl x509 -in server-1-cert.pem -text > cert_tmp.pem
mv cert_tmp.pem server-1-cert.pem
###########################################################
########## update server-0-1-ca.pem ################
###########################################################
echo "Updating server-0-1-ca.pem"
echo ""
#pipe the following arguments to openssl req...
echo -e "US\nWashington\nSeattle\nwolfSSL Inc.\nEngineering\nServer 0-1 CA\ninfo@wolfssl.com\n.\n.\n" | openssl req -new -key ../server-key.pem -nodes -sha1 > server-0-1-ca-req.pem
openssl x509 -req -in server-0-1-ca-req.pem -extfile ../renewcerts/wolfssl.cnf -extensions pathlen_1 -days 1000 -CA server-0-ca.pem -CAkey ../server-key.pem -set_serial 110 -sha1 > server-0-1-ca.pem
rm server-0-1-ca-req.pem
openssl x509 -in server-0-1-ca.pem -text > ca_tmp.pem
mv ca_tmp.pem server-0-1-ca.pem
###########################################################
########## update server-0-1-cert.pem ################
###########################################################
echo "Updating server-0-1-cert.pem"
echo ""
#pipe the following arguments to openssl req...
echo -e "US\nWashington\nSeattle\nwolfSSL Inc.\nEngineering\nServer 0-1\ninfo@wolfssl.com\n.\n.\n" | openssl req -new -key ../server-key.pem -nodes -sha1 > server-0-1-cert-req.pem
openssl x509 -req -in server-0-1-cert-req.pem -extfile ../renewcerts/wolfssl.cnf -extensions test_pathlen -days 1000 -CA server-0-1-ca.pem -CAkey ../server-key.pem -set_serial 111 -sha1 > server-0-1-cert.pem
rm server-0-1-cert-req.pem
openssl x509 -in server-0-1-cert.pem -text > cert_tmp.pem
mv cert_tmp.pem server-0-1-cert.pem
###########################################################
########## update server-1-0-ca.pem ################
###########################################################
echo "Updating server-1-0-ca.pem"
echo ""
#pipe the following arguments to openssl req...
echo -e "US\nWashington\nSeattle\nwolfSSL Inc.\nEngineering\nServer 1-0 CA\ninfo@wolfssl.com\n.\n.\n" | openssl req -new -key ../server-key.pem -nodes -sha1 > server-1-0-ca-req.pem
openssl x509 -req -in server-1-0-ca-req.pem -extfile ../renewcerts/wolfssl.cnf -extensions pathlen_0 -days 1000 -CA server-1-ca.pem -CAkey ../server-key.pem -set_serial 103 -sha1 > server-1-0-ca.pem
rm server-1-0-ca-req.pem
openssl x509 -in server-1-0-ca.pem -text > ca_tmp.pem
mv ca_tmp.pem server-1-0-ca.pem
###########################################################
########## update server-1-0-cert.pem ################
###########################################################
echo "Updating server-1-0-cert.pem"
echo ""
#pipe the following arguments to openssl req...
echo -e "US\nWashington\nSeattle\nwolfSSL Inc.\nEngineering\nServer 1-0\ninfo@wolfssl.com\n.\n.\n" | openssl req -new -key ../server-key.pem -nodes -sha1 > server-1-0-cert-req.pem
openssl x509 -req -in server-1-0-cert-req.pem -extfile ../renewcerts/wolfssl.cnf -extensions test_pathlen -days 1000 -CA server-1-0-ca.pem -CAkey ../server-key.pem -set_serial 104 -sha1 > server-1-0-cert.pem
rm server-1-0-cert-req.pem
openssl x509 -in server-1-0-cert.pem -text > cert_tmp.pem
mv cert_tmp.pem server-1-0-cert.pem
###########################################################
########## update server-127-ca.pem ################
###########################################################
echo "Updating server-127-ca.pem"
echo ""
#pipe the following arguments to openssl req...
echo -e "US\nWashington\nSeattle\nwolfSSL Inc.\nEngineering\nServer 127 CA\ninfo@wolfssl.com\n.\n.\n" | openssl req -new -key ../server-key.pem -nodes -sha1 > server-127-ca-req.pem
openssl x509 -req -in server-127-ca-req.pem -extfile ../renewcerts/wolfssl.cnf -extensions pathlen_127 -days 1000 -CA ../ca-cert.pem -CAkey ../ca-key.pem -set_serial 106 -sha1 > server-127-ca.pem
rm server-127-ca-req.pem
openssl x509 -in server-127-ca.pem -text > ca_tmp.pem
mv ca_tmp.pem server-127-ca.pem
###########################################################
########## update server-127-cert.pem ################
###########################################################
echo "Updating server-127-cert.pem"
echo ""
#pipe the following arguments to openssl req...
echo -e "US\nWashington\nSeattle\nwolfSSL Inc.\nEngineering\nServer 127\ninfo@wolfssl.com\n.\n.\n" | openssl req -new -key ../server-key.pem -nodes -sha1 > server-127-cert-req.pem
openssl x509 -req -in server-127-cert-req.pem -extfile ../renewcerts/wolfssl.cnf -extensions test_pathlen -days 1000 -CA server-127-ca.pem -CAkey ../server-key.pem -set_serial 107 -sha1 > server-127-cert.pem
rm server-127-cert-req.pem
openssl x509 -in server-127-cert.pem -text > cert_tmp.pem
mv cert_tmp.pem server-127-cert.pem
###########################################################
########## update server-128-ca.pem ################
###########################################################
echo "Updating server-128-ca.pem"
echo ""
#pipe the following arguments to openssl req...
echo -e "US\nWashington\nSeattle\nwolfSSL Inc.\nEngineering\nServer 128 CA\ninfo@wolfssl.com\n.\n.\n" | openssl req -new -key ../server-key.pem -nodes -sha1 > server-128-ca-req.pem
openssl x509 -req -in server-128-ca-req.pem -extfile ../renewcerts/wolfssl.cnf -extensions pathlen_128 -days 1000 -CA ../ca-cert.pem -CAkey ../ca-key.pem -set_serial 106 -sha1 > server-128-ca.pem
rm server-128-ca-req.pem
openssl x509 -in server-128-ca.pem -text > ca_tmp.pem
mv ca_tmp.pem server-128-ca.pem
###########################################################
########## update server-128-cert.pem ################
###########################################################
echo "Updating server-128-cert.pem"
echo ""
#pipe the following arguments to openssl req...
echo -e "US\nWashington\nSeattle\nwolfSSL Inc.\nEngineering\nServer 128\ninfo@wolfssl.com\n.\n.\n" | openssl req -new -key ../server-key.pem -nodes -sha1 > server-128-cert-req.pem
openssl x509 -req -in server-128-cert-req.pem -extfile ../renewcerts/wolfssl.cnf -extensions test_pathlen -days 1000 -CA server-128-ca.pem -CAkey ../server-key.pem -set_serial 107 -sha1 > server-128-cert.pem
rm server-128-cert-req.pem
openssl x509 -in server-128-cert.pem -text > cert_tmp.pem
mv cert_tmp.pem server-128-cert.pem
###########################################################
########## Assemble Chains ################
###########################################################
# Success: PathLen of 0
## server-0-ca.pem: signed by ca-cert.pem
## server-0-cert.pem: signed by server-0-ca.pem

42
certs/test/gen-badsig.sh Executable file
View File

@ -0,0 +1,42 @@
#!/bin/bash
generate() {
# read in certificate and alter the last part of the signature
num_lines=$(wc -l < $cert)
i=1
rm -f $pem_out
touch $pem_out
while IFS= read -r line
do
if [[ $((i+1)) -eq ${num_lines} ]]; then
# last line before END tag. Alter the sig here
idx=`expr ${#line} - 4`
chr=${line:idx:1}
if [ "$chr" == "x" ] || [ "$chr" == "X" ]; then
echo "${line:0:${idx}}a${line:$((idx+1)):$((idx+4))}" >> $pem_out
else
echo "${line:0:${idx}}x${line:$((idx+1)):$((idx+4))}" >> $pem_out
fi
else
echo "$line" >> $pem_out
fi
let i++
done < "$cert"
# output to DER format also
openssl x509 -in $pem_out -out $der_out -outform DER
}
# create server RSA certificate with bad signature
cert="../server-cert.pem"
pem_out=server-cert-rsa-badsig.pem
der_out=server-cert-rsa-badsig.der
generate
# create server ECC certificate with bad signature
cert="../server-ecc.pem"
pem_out=server-cert-ecc-badsig.pem
der_out=server-cert-ecc-badsig.der
generate