diff --git a/certs/crl/gencrls.sh b/certs/crl/gencrls.sh
index ddeb01fe2..8ef69a43d 100755
--- a/certs/crl/gencrls.sh
+++ b/certs/crl/gencrls.sh
@@ -104,4 +104,10 @@ mv tmp eccSrvCRL.pem
 # install (only needed if working outside wolfssl)
 #cp eccSrvCRL.pem ~/wolfssl/certs/crl/eccSrvCRL.pem
+# caEccCrl
+openssl ca -config ../ecc/wolfssl.cnf -gencrl -crldays 1000 -out caEccCrl.pem -keyfile ../ca-ecc-key.pem -cert ../ca-ecc-cert.pem
+
+# ca-ecc384-cert
+openssl ca -config ../ecc/wolfssl.cnf -gencrl -crldays 1000 -out caEcc384Crl.pem -keyfile ../ca-ecc384-key.pem -cert ../ca-ecc384-cert.pem
+
 exit 0
diff --git a/certs/ed25519/gen-ed25519.sh b/certs/ed25519/gen-ed25519.sh
new file mode 100755
index 000000000..5bf72adc4
--- /dev/null
+++ b/certs/ed25519/gen-ed25519.sh
@@ -0,0 +1,18 @@
+#!/bin/bash
+
+EXAMPLE=$1
+echo "This uses ed25519 certificate generator from wolfssl-examples github"
+echo "The script takes in the directory to wolfssl-examples"
+
+pushd ${EXAMPLE}
+make
+if [ $? -ne 0 ]; then
+ echo "Unable to build example"
+ exit 1
+fi
+
+./tls.sh
+popd
+mv ${EXAMPLE}/*.pem .
+mv ${EXAMPLE}/*.der .
+
diff --git a/certs/renewcerts.sh b/certs/renewcerts.sh
index edc7ac164..39bcc135d 100755
--- a/certs/renewcerts.sh
+++ b/certs/renewcerts.sh
@@ -8,6 +8,10 @@
 # client-ecc-cert.der
 # ca-cert.pem
 # ca-cert.der
+# ca-ecc-cert.pem
+# ca-ecc-cert.der
+# ca-ecc384-cert.pem
+# ca-ecc384-cert.der
 # server-cert.pem
 # server-cert.der
 # server-ecc-rsa.pem
@@ -17,6 +21,7 @@
 # server-ecc-comp.pem
 # client-ca.pem
 # test/digsigku.pem
+# ecc-privOnlyCert.pem
 # updates the following crls:
 # crl/cliCrl.pem
 # crl/crl.pem
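Review bot: Neither new `openssl ca -gencrl` line checks its exit status, and the script still ends with the pre-existing `exit 0`, so a failed CRL generation (a missing `../ca-ecc-key.pem`, a config that rejects the `-keyfile`/`-cert` override) is reported as success to whoever runs gencrls.sh. Appending `|| exit 1` to both `openssl ca ... -cert ../ca-ecc-cert.pem` and `openssl ca ... -cert ../ca-ecc384-cert.pem` would surface it; a `set -e` at the top would be the alternative, but the top of the file is outside the hunk so I can't tell whether the rest tolerates it. The two section comments name different things (`# caEccCrl` is the output file, `# ca-ecc384-cert` is the issuing cert); `# CRL for ca-ecc384-cert.pem (caEcc384Crl.pem)` would keep them parallel.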
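Review bot: `pushd ${EXAMPLE}` on the seventh line of the new gen-ed25519.sh is unquoted and unchecked: with no argument `pushd` toggles to the previous directory and `make` then runs wherever that happens to be, and a path with spaces splits into several arguments. `./tls.sh` is also never checked before the two `mv` lines move whatever matches `${EXAMPLE}/*.pem` into certs/ed25519, so a failed example build can half-populate the fixture directory. Validating `$1` up front and stopping at the first failed step keeps the script from doing that:
```bash
EXAMPLE=${1:?usage: $0 <path-to-wolfssl-examples>}
# … unchanged: the two informational echo lines …

pushd "${EXAMPLE}" || exit 1
make || { echo "Unable to build example" >&2; exit 1; }
./tls.sh || { echo "tls.sh failed" >&2; exit 1; }
popd
mv -- "${EXAMPLE}"/*.pem .
mv -- "${EXAMPLE}"/*.der .
```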
@@ -100,12 +105,38 @@ function run_renewcerts(){
 openssl x509 -in ca-cert.pem -text > tmp.pem
 mv tmp.pem ca-cert.pem
 ############################################################
+ ########## update the self-signed ca-ecc-cert.pem ##########
+ ############################################################
+ echo "Updating ca-ecc-cert.pem"
+ echo ""
+ #pipe the following arguments to openssl req...
+ echo -e "US\nWashington\nSeattle\nwolfSSL\nDevelopment\nwww.wolfssl.com\ninfo@wolfssl.com\n.\n.\n" | openssl req -new -key ca-ecc-key.pem -nodes -out ca-ecc-cert.csr
+
+ openssl x509 -req -in ca-ecc-cert.csr -days 1000 -extfile wolfssl.cnf -extensions ca_ecc_cert -signkey ca-ecc-key.pem -out ca-ecc-cert.pem
+ rm ca-ecc-cert.csr
+
+ openssl x509 -in ca-ecc-cert.pem -text > tmp.pem
+ mv tmp.pem ca-ecc-cert.pem
+ ############################################################
+ ########## update the self-signed ca-ecc384-cert.pem #######
+ ############################################################
+ echo "Updating ca-ecc384-cert.pem"
+ echo ""
+ #pipe the following arguments to openssl req...
+ echo -e "US\nWashington\nSeattle\nwolfSSL\nDevelopment\nwww.wolfssl.com\ninfo@wolfssl.com\n.\n.\n" | openssl req -new -key ca-ecc384-key.pem -nodes -sha384 -out ca-ecc384-cert.csr
+
+ openssl x509 -req -in ca-ecc384-cert.csr -days 1000 -extfile wolfssl.cnf -extensions ca_ecc_cert -signkey ca-ecc384-key.pem -sha384 -out ca-ecc384-cert.pem
+ rm ca-ecc384-cert.csr
+
+ openssl x509 -in ca-ecc384-cert.pem -text > tmp.pem
+ mv tmp.pem ca-ecc384-cert.pem
+ ############################################################
 ##### update the self-signed (1024-bit) ca-cert.pem ########
 ############################################################
 echo "Updating 1024-bit ca-cert.pem"
 echo ""
 #pipe the following arguments to openssl req...
- echo -e "US\nMontana\nBozeman\nSawtooth\nConsulting_1024\nwww.wolfssl.com\ninfo@wolfssl.com\n.\n.\n" | openssl req -new -key \1024/ca-key.pem -nodes -out \1024/ca-cert.csr
+ echo -e "US\nMontana\nBozeman\nSawtooth\nConsulting_1024\nwww.wolfssl.com\ninfo@wolfssl.com\n.\n.\n" | openssl req -new -key \1024/ca-key.pem -nodes -sha1 -out \1024/ca-cert.csr
 openssl x509 -req -in \1024/ca-cert.csr -days 1000 -extfile wolfssl.cnf -extensions wolfssl_opts -signkey \1024/ca-key.pem -out \1024/ca-cert.pem
 rm \1024/ca-cert.csr
@@ -169,7 +200,7 @@ function run_renewcerts(){
 echo "Updating 1024-bit server-cert.pem"
 echo ""
 #pipe the following arguments to openssl req...
- echo -e "US\nMontana\nBozeman\nwolfSSL\nSupport_1024\nwww.wolfssl.com\ninfo@wolfssl.com\n.\n.\n" | openssl req -new -key \1024/server-key.pem -nodes > \1024/server-req.pem
+ echo -e "US\nMontana\nBozeman\nwolfSSL\nSupport_1024\nwww.wolfssl.com\ninfo@wolfssl.com\n.\n.\n" | openssl req -new -key \1024/server-key.pem -nodes -sha1 > \1024/server-req.pem
 openssl x509 -req -in \1024/server-req.pem -extfile wolfssl.cnf -extensions wolfssl_opts -days 1000 -CA \1024/ca-cert.pem -CAkey \1024/ca-key.pem -set_serial 01 > \1024/server-cert.pem
@@ -209,7 +240,7 @@ function run_renewcerts(){
 mv tmp.pem client-ecc-cert.pem
 ############################################################
- ########## update the self-signed server-ecc.pem ###########
+ ########## update the server-ecc.pem #######################
 ############################################################
 echo "Updating server-ecc.pem"
 echo ""
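Review bot: The new ca-ecc-cert.pem is produced without an explicit digest on either its `openssl req -new -key ca-ecc-key.pem ...` line or its `openssl x509 -req -in ca-ecc-cert.csr ...` line, while the ca-ecc384 twin pins `-sha384` on both; the P-256 CA's signature algorithm therefore depends on the OpenSSL version and `default_md` of whoever regenerates the fixtures, which makes the output non-reproducible. Adding `-sha256` to both ca-ecc lines pins it the same way. Separately, the `-sha1` added to the 1024-bit ca-cert `openssl req` line (and to the server-cert line in the `@@ -169` hunk) only selects the digest for the CSR's own signature; the issued certificate's digest comes from the following `openssl x509 -req` call, which carries no digest flag, so if a SHA-1-signed 1024-bit test cert is the intent the `-sha1` belongs there, and a comment such as `# deliberately weak (1024-bit, SHA-1) fixture for negative tests` would spare the next reader the question. run_renewcerts starts before this hunk and continues after it.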
@@ -217,7 +248,7 @@ function run_renewcerts(){
 echo -e "US\nWashington\nSeattle\nEliptic\nECC\nwww.wolfssl.com\ninfo@wolfssl.com\n.\n.\n" | openssl req -new -key ecc-key.pem -nodes -out server-ecc.csr
- openssl x509 -req -in server-ecc.csr -days 1000 -extfile wolfssl.cnf -extensions wolfssl_opts -signkey ecc-key.pem -out server-ecc.pem
+ openssl x509 -req -in server-ecc.csr -days 1000 -extfile wolfssl.cnf -extensions server_ecc -CAfile ca-ecc-cert.pem -CAkey ca-ecc-key.pem -out server-ecc.pem
 rm server-ecc.csr
 openssl x509 -in server-ecc.pem -text > tmp.pem
@@ -244,6 +275,18 @@ function run_renewcerts(){
 echo ""
 cat client-cert.pem client-ecc-cert.pem > client-ca.pem
+ ############################################################
+ ###### update the self-signed ecc-privOnlyCert.pem #########
+ ############################################################
+ echo "Updating ecc-privOnlyCert.pem"
+ echo ""
+ #pipe the following arguments to openssl req...
+ echo -e ".\n.\n.\nWR\n.\nDE\n.\n.\n.\n" | openssl req -new -key ecc-privOnlyKey.pem -nodes -out ecc-privOnly.csr
+
+
+ openssl x509 -req -in ecc-privOnly.csr -days 1000 -signkey ecc-privOnlyKey.pem -out ecc-privOnlyCert.pem
+ rm ecc-privOnly.csr
+
 ############################################################
 ###### update the self-signed test/digsigku.pem ##########
 ############################################################
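Review bot: The rewritten server-ecc line passes `-CAfile ca-ecc-cert.pem` to `openssl x509 -req`, but `-CAfile` is a trust-store option of `openssl verify`/`s_client`, not an `x509` option; every other CA-issued cert in this file uses `-CA`, and on the OpenSSL versions I know `x509` rejects `-CAfile` as an unknown option, so server-ecc.pem would simply never be regenerated. The line also gives no `-set_serial` (or `-CAcreateserial`), which `x509 -req -CA` needs unless a ca-ecc-cert.srl file already exists next to the CA. Following the file's own convention: `openssl x509 -req -in server-ecc.csr -days 1000 -extfile wolfssl.cnf -extensions server_ecc -CA ca-ecc-cert.pem -CAkey ca-ecc-key.pem -set_serial 01 -out server-ecc.pem` (the serial is a constructed example; choose one unique under ca-ecc-cert.pem). run_renewcerts starts before this hunk and continues after it.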
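Review bot: The answer string piped into `openssl req` for ecc-privOnlyCert.pem, `".\n.\n.\nWR\n.\nDE\n.\n.\n.\n"`, is consumed in the default prompt order C, ST, L, O, OU, CN, emailAddress and then the two extra attributes, so it yields O=WR and CN=DE with an empty country; if DE was meant to be the country code the `.` placeholders sit in the wrong slots (hedged — the prompt order comes from wolfssl.cnf's req section, which is not in view). If the minimal subject is intentional for a private-key-only test, a comment stops the next maintainer from "fixing" it, e.g. `# deliberately minimal subject; only the key/cert pairing is exercised`. This section is also the only one that runs `openssl x509 -req` with no `-extfile`/`-extensions`, so the same comment should state that no extensions are wanted. run_renewcerts starts before this hunk and continues after it.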
@@ -263,10 +306,15 @@ function run_renewcerts(){
 ############################################################
 ########## make .der files from .pem files #################
 ############################################################
- openssl x509 -inform PEM -in \1024/client-cert.pem -outform DER -out \1024/client-cert.der
 echo "Creating der formatted certs..."
 echo ""
+ openssl x509 -inform PEM -in \1024/client-cert.pem -outform DER -out \1024/client-cert.der
+ openssl x509 -inform PEM -in \1024/server-cert.pem -outform DER -out \1024/server-cert.der
+ openssl x509 -inform PEM -in \1024/ca-cert.pem -outform DER -out \1024/ca-cert.der
+ openssl x509 -inform PEM -in ca-cert.pem -outform DER -out ca-cert.der
+ openssl x509 -inform PEM -in ca-ecc-cert.pem -outform DER -out ca-ecc-cert.der
+ openssl x509 -inform PEM -in ca-ecc384-cert.pem -outform DER -out ca-ecc384-cert.der
 openssl x509 -inform PEM -in client-cert.pem -outform DER -out client-cert.der
 openssl x509 -inform PEM -in server-cert.pem -outform DER -out server-cert.der
 openssl x509 -inform PEM -in client-ecc-cert.pem -outform DER -out client-ecc-cert.der
@@ -281,6 +329,57 @@ function run_renewcerts(){
 echo ""
 echo "" | openssl pkcs12 -des3 -descert -export -in server-ecc-rsa.pem -inkey ecc-key.pem -certfile server-ecc.pem -out ecc-rsa-server.p12 -password stdin
+ ############################################################
+ ###### update the test-servercert.p12 file #################
+ ############################################################
+ echo "Updating test-servercert.p12 (password is \"wolfSSL test\")"
+ echo ""
+ echo "wolfSSL test" | openssl pkcs12 -des3 -descert -export -in server-cert.pem -inkey server-key.pem -certfile ca-cert.pem -out test-servercert.p12 -password stdin
+
+ ############################################################
+ ###### calling gen-ext-certs.sh ##################
+ ############################################################
+ echo "Calling gen-ext-certs.sh"
+ echo ""
+ cd ..
+ ./certs/test/gen-ext-certs.sh
+ cd ./certs
+
+ ############################################################
+ ###### calling gen-badsig.sh ##################
+ ############################################################
+ echo "Calling gen-badsig.sh"
+ echo ""
+ cd ./test
+ ./gen-badsig.sh
+ cd ../
+
+ ############################################################
+ ########## generate ocsp certs ######################
+ ############################################################
+ echo "Changing directory to ocsp..."
+ echo ""
+
+ # guard against recursive calls to renewcerts.sh
+ if [ -d ocsp ]; then
+ cd ./ocsp
+ echo "Execute ./renewcerts.sh..."
+ ./renewcerts.sh
+ cd ../
+ else
+ echo "Error could not find ocsp directory"
+ exit 1
+ fi
+
+ ############################################################
+ ###### calling assemble-chains.sh ##################
+ ############################################################
+ echo "Calling assemble-chains.sh"
+ echo ""
+ cd ./test-pathlen
+ ./assemble-chains.sh
+ cd ../
+
 ############################################################
 ########## store DER files as buffers ######################
 ############################################################
@@ -350,6 +449,19 @@ then
 echo "changed directory to wolfssl root directory."
 echo ""
+ echo ""
+ echo "Enter directory to ed25519 certificate generation example."
+ echo "Can be found at https://github.com/wolfSSL/wolfssl-examples"
+ read ED25519_DIR
+ if [ -d "${ED25519_DIR}" ]; then
+ pushd ./certs/ed25519
+ ./gen-ed25519.sh ${ED25519_DIR}
+ popd
+ else
+ echo "Unable to find directory ${ED25519_DIR}"
+ exit 1
+ fi
+
 ############################################################
 ########## update ntru if already installed ################
 ############################################################
@@ -367,11 +479,21 @@ elif [ ! -z "$1" ]; then
 if [ "$1" == "--override-ntru" ]; then
 echo "overriding ntru, update all certs except ntru."
 run_renewcerts
+ #valid argument create ed25519 certificates
+ elif [ "$1" == "--ed25519" ] || [ "$2" == "--ed25519" ]; then
+ echo ""
+ echo "Enter directory to ed25519 certificate generation example."
+ echo "Can be found at https://github.com/wolfSSL/wolfssl-examples"
+ read ED25519_DIR
+ pushd ./certs/ed25519
+ ./gen-ed25519.sh ${ED25519_DIR}
+ popd
 #valid argument print out other valid arguments
 elif [ "$1" == "-h" ] || [ "$1" == "-help" ]; then
 echo ""
 echo "\"no argument\" will attempt to update all certificates"
 echo "--override-ntru updates all certificates except ntru"
+ echo "--ed25519 updates all ed25519 certificates"
 echo "-h or -help display this menu"
 echo ""
 echo ""
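Review bot: The four helper scripts this hunk invokes — `./certs/test/gen-ext-certs.sh`, `./gen-badsig.sh`, `./renewcerts.sh` under ocsp and `./assemble-chains.sh` — run without any check of their exit status, and so do the `cd` calls around them; if one of them fails, or a `cd` fails, run_renewcerts carries on, possibly in the wrong directory, and the later sections silently rewrite the wrong tree. The comment `# guard against recursive calls to renewcerts.sh` also does not describe what `if [ -d ocsp ]` tests (it only confirms the script is being run from the certs directory), so `# ocsp/renewcerts.sh must be run from the certs directory` would be accurate. Running each helper in a subshell and stopping on error keeps the working directory stable and drops the `cd ../` bookkeeping. run_renewcerts starts before this hunk and continues after it.
```bash
echo "Calling gen-ext-certs.sh"
echo ""
( cd .. && ./certs/test/gen-ext-certs.sh ) || { echo "gen-ext-certs.sh failed" >&2; exit 1; }

echo "Calling gen-badsig.sh"
echo ""
( cd ./test && ./gen-badsig.sh ) || { echo "gen-badsig.sh failed" >&2; exit 1; }

# … unchanged: ocsp directory check and banner …
( cd ./ocsp && ./renewcerts.sh ) || { echo "ocsp/renewcerts.sh failed" >&2; exit 1; }

echo "Calling assemble-chains.sh"
echo ""
( cd ./test-pathlen && ./assemble-chains.sh ) || { echo "assemble-chains.sh failed" >&2; exit 1; }
```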
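Review bot: The `read ED25519_DIR` added here appears to sit in the no-argument branch (the `echo "changed directory to wolfssl root directory."` context suggests so), which means a plain `./renewcerts.sh` now blocks waiting for terminal input and exits 1 if the answer is not a directory, turning an unattended regeneration into a hang or an early failure before the ntru section is reached. Keeping the prompt only behind `--ed25519` (the `@@ -367` hunk already has that arm), or reading the path from an environment variable with a skip-if-unset fallback, would preserve the existing non-interactive behaviour. In both this hunk and the `@@ -367` hunk the read should be `read -r ED25519_DIR` and the call `./gen-ed25519.sh "${ED25519_DIR}"`, so a path containing spaces or backslashes survives; `pushd ./certs/ed25519` is also unchecked in both.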
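Review bot: The new `--ed25519` arm runs `pushd ./certs/ed25519` and `./gen-ed25519.sh ${ED25519_DIR}` without the `if [ -d "${ED25519_DIR}" ]` check that the no-argument branch in the `@@ -350` hunk performs, so an empty or mistyped answer is passed straight into the helper. The `[ "$2" == "--ed25519" ]` alternative is also evaluated before the `-h`/`-help` arm, so `./renewcerts.sh -h --ed25519` prompts for a directory instead of printing help, and the one combination it could plausibly serve, `--override-ntru --ed25519`, is already consumed by the preceding `if`; stating which invocation the `$2` test is for in the `#valid argument create ed25519 certificates` comment, or dropping it, would make the intent clear.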
@@ -441,3 +563,4 @@ else
 fi #END now defined
 fi #END already defined
+exit 0
diff --git a/certs/renewcerts/wolfssl.cnf b/certs/renewcerts/wolfssl.cnf
index 079ec5ec8..c251cc71e 100644
--- a/certs/renewcerts/wolfssl.cnf
+++ b/certs/renewcerts/wolfssl.cnf
@@ -125,6 +125,40 @@ subjectKeyIdentifier=hash
 authorityKeyIdentifier=keyid:always,issuer:always
 basicConstraints=CA:true
+# CA with pathlen 0
+[ pathlen_0 ]
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid:always,issuer:always
+basicConstraints=CA:true,pathlen:0
+keyUsage=keyCertSign, cRLSign
+
+# CA with pathlen 1
+[ pathlen_1 ]
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid:always,issuer:always
+basicConstraints=CA:true,pathlen:1
+keyUsage=keyCertSign, cRLSign
+
+# CA with pathlen 127
+[ pathlen_127 ]
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid:always,issuer:always
+basicConstraints=CA:true,pathlen:127
+keyUsage=keyCertSign, cRLSign
+
+# CA with pathlen 128
+[ pathlen_128 ]
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid:always,issuer:always
+basicConstraints=CA:true,pathlen:128
+keyUsage=keyCertSign, cRLSign
+
+# test pathlen server cert
+[ test_pathlen ]
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid:always,issuer:always
+basicConstraints=CA:false
+
 # Extensions to add to a certificate request
 [ v3_req ]
 basicConstraints = CA:FALSE
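Review bot: The four `pathlen_*` sections leave `basicConstraints` non-critical and `[ test_pathlen ]` sets `CA:false` with no `keyUsage`, whereas the sections just above in this file use `critical, CA:TRUE`; RFC 5280 §4.2.1.9 requires basicConstraints to be marked critical in CA certificates, so a strict verifier may treat these intermediates differently from the other fixtures in the tree. If non-critical is deliberate (to exercise that code path) or 127 and 128 were chosen to sit either side of a limit in the decoder, the section comments should say so, e.g. `# CA with pathlen 128 (non-critical on purpose; sits just past the limit under test — confirm against the parser)`; otherwise `basicConstraints=critical,CA:true,pathlen:0` and friends match the rest of the file.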
@@ -170,6 +204,22 @@ authorityKeyIdentifier=keyid:always,issuer:always
 basicConstraints=critical, CA:TRUE
 keyUsage=critical, nonRepudiation, keyEncipherment
+# ca-ecc-cert extensions
+[ ca_ecc_cert ]
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid:always
+basicConstraints=critical, CA:TRUE
+keyUsage=critical, digitalSignature, keyCertSign, cRLSign
+
+# server-ecc extensions
+[ server_ecc ]
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid:always
+basicConstraints=critical, CA:FALSE
+keyUsage=critical, digitalSignature, keyEncipherment, keyAgreement
+extendedKeyUsage=serverAuth
+nsCertType=server
+
 #tsa default
 [ tsa ]
 default_tsa = tsa_config1
diff --git a/certs/test-pathlen/assemble-chains.sh b/certs/test-pathlen/assemble-chains.sh
index 583ded2e8..ab46b397c 100755
--- a/certs/test-pathlen/assemble-chains.sh
+++ b/certs/test-pathlen/assemble-chains.sh
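Review bot: `[ server_ecc ]` sets `keyUsage=critical, digitalSignature, keyEncipherment, keyAgreement`, but the certificate it is applied to (server-ecc.pem, whose request is made with ecc-key.pem in renewcerts.sh) carries an EC public key, and RFC 5480 §3 allows only digitalSignature, nonRepudiation and keyAgreement (plus keyCertSign/cRLSign for CAs) with id-ecPublicKey — keyEncipherment is the RSA key-transport bit and has no meaning for ECDSA/ECDHE. Because the extension is critical, a verifier that checks key-usage against key type could reject this fixture; `keyUsage=critical, digitalSignature, keyAgreement` is the consistent set. `nsCertType=server` is a legacy Netscape extension; if it is present to exercise a parser path rather than by habit, a one-line comment on the section would say so.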
@@ -1,8 +1,192 @@
 #!/bin/bash
 #
 # assemble-chains.sh
-# Assemble all the certificate CA path test cert chains.
+# Create certs and assemble all the certificate CA path test cert chains.
+
+###########################################################
+########## update server-0-ca.pem ################
+###########################################################
+echo "Updating server-0-ca.pem"
+echo ""
+#pipe the following arguments to openssl req...
+echo -e "US\nWashington\nSeattle\nwolfSSL Inc.\nEngineering\nServer 0 CA\ninfo@wolfssl.com\n.\n.\n" | openssl req -new -key ../server-key.pem -nodes -sha1 > server-0-ca-req.pem
+
+openssl x509 -req -in server-0-ca-req.pem -extfile ../renewcerts/wolfssl.cnf -extensions pathlen_0 -days 1000 -CA ../ca-cert.pem -CAkey ../ca-key.pem -set_serial 100 -sha1 > server-0-ca.pem
+
+rm server-0-ca-req.pem
+openssl x509 -in server-0-ca.pem -text > ca_tmp.pem
+mv ca_tmp.pem server-0-ca.pem
+
+
+###########################################################
+########## update server-0-cert.pem ################
+###########################################################
+echo "Updating server-0-cert.pem"
+echo ""
+#pipe the following arguments to openssl req...
+echo -e "US\nWashington\nSeattle\nwolfSSL Inc.\nEngineering\nServer 0\ninfo@wolfssl.com\n.\n.\n" | openssl req -new -key ../server-key.pem -nodes -sha1 > server-0-cert-req.pem
+
+openssl x509 -req -in server-0-cert-req.pem -extfile ../renewcerts/wolfssl.cnf -extensions test_pathlen -days 1000 -CA server-0-ca.pem -CAkey ../server-key.pem -set_serial 101 -sha1 > server-0-cert.pem
+
+rm server-0-cert-req.pem
+openssl x509 -in server-0-cert.pem -text > cert_tmp.pem
+mv cert_tmp.pem server-0-cert.pem
+
+
+###########################################################
+########## update server-1-ca.pem ################
+###########################################################
+echo "Updating server-1-ca.pem"
+echo ""
+#pipe the following arguments to openssl req...
+echo -e "US\nWashington\nSeattle\nwolfSSL Inc.\nEngineering\nServer 1 CA\ninfo@wolfssl.com\n.\n.\n" | openssl req -new -key ../server-key.pem -nodes -sha1 > server-1-ca-req.pem
+
+openssl x509 -req -in server-1-ca-req.pem -extfile ../renewcerts/wolfssl.cnf -extensions pathlen_1 -days 1000 -CA ../ca-cert.pem -CAkey ../ca-key.pem -set_serial 102 -sha1 > server-1-ca.pem
+
+rm server-1-ca-req.pem
+openssl x509 -in server-1-ca.pem -text > ca_tmp.pem
+mv ca_tmp.pem server-1-ca.pem
+
+
+###########################################################
+########## update server-1-cert.pem ################
+###########################################################
+echo "Updating server-1-cert.pem"
+echo ""
+#pipe the following arguments to openssl req...
+echo -e "US\nWashington\nSeattle\nwolfSSL Inc.\nEngineering\nServer 1\ninfo@wolfssl.com\n.\n.\n" | openssl req -new -key ../server-key.pem -nodes -sha1 > server-1-cert-req.pem
+
+openssl x509 -req -in server-1-cert-req.pem -extfile ../renewcerts/wolfssl.cnf -extensions test_pathlen -days 1000 -CA server-1-ca.pem -CAkey ../server-key.pem -set_serial 105 -sha1 > server-1-cert.pem
+
+rm server-1-cert-req.pem
+openssl x509 -in server-1-cert.pem -text > cert_tmp.pem
+mv cert_tmp.pem server-1-cert.pem
+
+
+###########################################################
+########## update server-0-1-ca.pem ################
+###########################################################
+echo "Updating server-0-1-ca.pem"
+echo ""
+#pipe the following arguments to openssl req...
+echo -e "US\nWashington\nSeattle\nwolfSSL Inc.\nEngineering\nServer 0-1 CA\ninfo@wolfssl.com\n.\n.\n" | openssl req -new -key ../server-key.pem -nodes -sha1 > server-0-1-ca-req.pem
+
+openssl x509 -req -in server-0-1-ca-req.pem -extfile ../renewcerts/wolfssl.cnf -extensions pathlen_1 -days 1000 -CA server-0-ca.pem -CAkey ../server-key.pem -set_serial 110 -sha1 > server-0-1-ca.pem
+
+rm server-0-1-ca-req.pem
+openssl x509 -in server-0-1-ca.pem -text > ca_tmp.pem
+mv ca_tmp.pem server-0-1-ca.pem
+
+
+###########################################################
+########## update server-0-1-cert.pem ################
+###########################################################
+echo "Updating server-0-1-cert.pem"
+echo ""
+#pipe the following arguments to openssl req...
+echo -e "US\nWashington\nSeattle\nwolfSSL Inc.\nEngineering\nServer 0-1\ninfo@wolfssl.com\n.\n.\n" | openssl req -new -key ../server-key.pem -nodes -sha1 > server-0-1-cert-req.pem
+
+openssl x509 -req -in server-0-1-cert-req.pem -extfile ../renewcerts/wolfssl.cnf -extensions test_pathlen -days 1000 -CA server-0-1-ca.pem -CAkey ../server-key.pem -set_serial 111 -sha1 > server-0-1-cert.pem
+
+rm server-0-1-cert-req.pem
+openssl x509 -in server-0-1-cert.pem -text > cert_tmp.pem
+mv cert_tmp.pem server-0-1-cert.pem
+
+
+###########################################################
+########## update server-1-0-ca.pem ################
+###########################################################
+echo "Updating server-1-0-ca.pem"
+echo ""
+#pipe the following arguments to openssl req...
+echo -e "US\nWashington\nSeattle\nwolfSSL Inc.\nEngineering\nServer 1-0 CA\ninfo@wolfssl.com\n.\n.\n" | openssl req -new -key ../server-key.pem -nodes -sha1 > server-1-0-ca-req.pem
+
+openssl x509 -req -in server-1-0-ca-req.pem -extfile ../renewcerts/wolfssl.cnf -extensions pathlen_0 -days 1000 -CA server-1-ca.pem -CAkey ../server-key.pem -set_serial 103 -sha1 > server-1-0-ca.pem
+
+rm server-1-0-ca-req.pem
+openssl x509 -in server-1-0-ca.pem -text > ca_tmp.pem
+mv ca_tmp.pem server-1-0-ca.pem
+
+
+###########################################################
+########## update server-1-0-cert.pem ################
+###########################################################
+echo "Updating server-1-0-cert.pem"
+echo ""
+#pipe the following arguments to openssl req...
+echo -e "US\nWashington\nSeattle\nwolfSSL Inc.\nEngineering\nServer 1-0\ninfo@wolfssl.com\n.\n.\n" | openssl req -new -key ../server-key.pem -nodes -sha1 > server-1-0-cert-req.pem
+
+openssl x509 -req -in server-1-0-cert-req.pem -extfile ../renewcerts/wolfssl.cnf -extensions test_pathlen -days 1000 -CA server-1-0-ca.pem -CAkey ../server-key.pem -set_serial 104 -sha1 > server-1-0-cert.pem
+
+rm server-1-0-cert-req.pem
+openssl x509 -in server-1-0-cert.pem -text > cert_tmp.pem
+mv cert_tmp.pem server-1-0-cert.pem
+
+
+###########################################################
+########## update server-127-ca.pem ################
+###########################################################
+echo "Updating server-127-ca.pem"
+echo ""
+#pipe the following arguments to openssl req...
+echo -e "US\nWashington\nSeattle\nwolfSSL Inc.\nEngineering\nServer 127 CA\ninfo@wolfssl.com\n.\n.\n" | openssl req -new -key ../server-key.pem -nodes -sha1 > server-127-ca-req.pem
+
+openssl x509 -req -in server-127-ca-req.pem -extfile ../renewcerts/wolfssl.cnf -extensions pathlen_127 -days 1000 -CA ../ca-cert.pem -CAkey ../ca-key.pem -set_serial 106 -sha1 > server-127-ca.pem
+
+rm server-127-ca-req.pem
+openssl x509 -in server-127-ca.pem -text > ca_tmp.pem
+mv ca_tmp.pem server-127-ca.pem
+
+
+###########################################################
+########## update server-127-cert.pem ################
+###########################################################
+echo "Updating server-127-cert.pem"
+echo ""
+#pipe the following arguments to openssl req...
+echo -e "US\nWashington\nSeattle\nwolfSSL Inc.\nEngineering\nServer 127\ninfo@wolfssl.com\n.\n.\n" | openssl req -new -key ../server-key.pem -nodes -sha1 > server-127-cert-req.pem
+
+openssl x509 -req -in server-127-cert-req.pem -extfile ../renewcerts/wolfssl.cnf -extensions test_pathlen -days 1000 -CA server-127-ca.pem -CAkey ../server-key.pem -set_serial 107 -sha1 > server-127-cert.pem
+
+rm server-127-cert-req.pem
+openssl x509 -in server-127-cert.pem -text > cert_tmp.pem
+mv cert_tmp.pem server-127-cert.pem
+
+
+###########################################################
+########## update server-128-ca.pem ################
+###########################################################
+echo "Updating server-128-ca.pem"
+echo ""
+#pipe the following arguments to openssl req...
+echo -e "US\nWashington\nSeattle\nwolfSSL Inc.\nEngineering\nServer 128 CA\ninfo@wolfssl.com\n.\n.\n" | openssl req -new -key ../server-key.pem -nodes -sha1 > server-128-ca-req.pem
+
+openssl x509 -req -in server-128-ca-req.pem -extfile ../renewcerts/wolfssl.cnf -extensions pathlen_128 -days 1000 -CA ../ca-cert.pem -CAkey ../ca-key.pem -set_serial 106 -sha1 > server-128-ca.pem
+
+rm server-128-ca-req.pem
+openssl x509 -in server-128-ca.pem -text > ca_tmp.pem
+mv ca_tmp.pem server-128-ca.pem
+
+
+###########################################################
+########## update server-128-cert.pem ################
+###########################################################
+echo "Updating server-128-cert.pem"
+echo ""
+#pipe the following arguments to openssl req...
+echo -e "US\nWashington\nSeattle\nwolfSSL Inc.\nEngineering\nServer 128\ninfo@wolfssl.com\n.\n.\n" | openssl req -new -key ../server-key.pem -nodes -sha1 > server-128-cert-req.pem
+
+openssl x509 -req -in server-128-cert-req.pem -extfile ../renewcerts/wolfssl.cnf -extensions test_pathlen -days 1000 -CA server-128-ca.pem -CAkey ../server-key.pem -set_serial 107 -sha1 > server-128-cert.pem
+
+rm server-128-cert-req.pem
+openssl x509 -in server-128-cert.pem -text > cert_tmp.pem
+mv cert_tmp.pem server-128-cert.pem
+
+
+###########################################################
+########## Assemble Chains ################
+###########################################################
 # Success: PathLen of 0
 ## server-0-ca.pem: signed by ca-cert.pem
 ## server-0-cert.pem: signed by server-0-ca.pem
diff --git a/certs/test/gen-badsig.sh b/certs/test/gen-badsig.sh
new file mode 100755
index 000000000..aafe06f97
--- /dev/null
+++ b/certs/test/gen-badsig.sh
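Review bot: `server-127-ca.pem` and `server-128-ca.pem` are both issued by `../ca-cert.pem` with `-set_serial 106`, which gives one issuer two certificates with the same serial; RFC 5280 §4.1.2.2 requires serials to be unique per issuer, and any consumer that keys a cache, CRL lookup or chain de-duplication on (issuer, serial) will conflate the two intermediates. Their leaves `server-127-cert.pem` and `server-128-cert.pem` likewise share `-set_serial 107`, which is permitted because the issuers differ but looks like the same copy-paste slip. 108 and 109 are unused in this script, so `-set_serial 108` on the server-128-ca.pem line and `-set_serial 109` on the server-128-cert.pem line would keep every (issuer, serial) pair distinct. Every CA and leaf here is also signed with `-sha1` and all of them reuse `../server-key.pem`; if those are intended properties of the pathlen fixtures, a sentence under `# Create certs and assemble all the certificate CA path test cert chains.` should say so, since stricter verifiers refuse SHA-1 chains outright.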
@@ -0,0 +1,42 @@
+#!/bin/bash
+
+generate() {
+ # read in certificate and alter the last part of the signature
+ num_lines=$(wc -l < $cert)
+ i=1
+
+ rm -f $pem_out
+ touch $pem_out
+ while IFS= read -r line
+ do
+ if [[ $((i+1)) -eq ${num_lines} ]]; then
+ # last line before END tag. Alter the sig here
+ idx=`expr ${#line} - 4`
+ chr=${line:idx:1}
+ if [ "$chr" == "x" ] || [ "$chr" == "X" ]; then
+ echo "${line:0:${idx}}a${line:$((idx+1)):$((idx+4))}" >> $pem_out
+ else
+ echo "${line:0:${idx}}x${line:$((idx+1)):$((idx+4))}" >> $pem_out
+ fi
+ else
+ echo "$line" >> $pem_out
+ fi
+ let i++
+ done < "$cert"
+
+ # output to DER format also
+ openssl x509 -in $pem_out -out $der_out -outform DER
+}
+
+# create server RSA certificate with bad signature
+cert="../server-cert.pem"
+pem_out=server-cert-rsa-badsig.pem
+der_out=server-cert-rsa-badsig.der
+generate
+
+# create server ECC certificate with bad signature
+cert="../server-ecc.pem"
+pem_out=server-cert-ecc-badsig.pem
+der_out=server-cert-ecc-badsig.der
+generate
+
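Review bot: `generate` relies on the globals `cert`, `pem_out` and `der_out` being set by its caller, expands them unquoted (`wc -l < $cert`, `rm -f $pem_out`, `>> $pem_out`), and never checks that `$cert` is readable — with a missing input `num_lines` is empty, the `-eq` test errors on every iteration, and an empty `.pem` is still handed to `openssl x509`. The line-counting also assumes the `-----END` marker is the last line and that the file ends with a newline; the `openssl x509 -text` outputs in this tree satisfy that, but the comment `# read in certificate and alter the last part of the signature` should state the assumption. Passing the three paths as arguments, quoting them and failing early makes the helper self-contained, and the `expr`/backtick/`let` forms can become arithmetic expansion without changing the bytes written (the replaced character is still the fourth from the end of the penultimate line, `x` unless it already is `x`/`X`, then `a`).
```bash
generate() {
    local cert=$1 pem_out=$2 der_out=$3
    local num_lines idx chr line i=1
    [ -r "$cert" ] || { echo "generate: cannot read $cert" >&2; return 1; }
    # the last line is the END marker; the line before it holds the tail of the signature
    num_lines=$(wc -l < "$cert")
    : > "$pem_out"
    while IFS= read -r line; do
        if (( i + 1 == num_lines )); then
            idx=$(( ${#line} - 4 ))
            chr=${line:idx:1}
            if [ "$chr" = "x" ] || [ "$chr" = "X" ]; then
                echo "${line:0:idx}a${line:idx+1}" >> "$pem_out"
            else
                echo "${line:0:idx}x${line:idx+1}" >> "$pem_out"
            fi
        else
            echo "$line" >> "$pem_out"
        fi
        i=$(( i + 1 ))
    done < "$cert"
    openssl x509 -in "$pem_out" -out "$der_out" -outform DER || return 1
}

generate ../server-cert.pem server-cert-rsa-badsig.pem server-cert-rsa-badsig.der || exit 1
generate ../server-ecc.pem server-cert-ecc-badsig.pem server-cert-ecc-badsig.der || exit 1
```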