feedc0de/wolfssl
1
0
Fork 0
forked from wolfSSL/wolfssl
Code Pull Requests Activity

Merge pull request #1428 from JacobBarthelmeh/Certs

Browse Source 
Update to certificate renew scripts
This commit is contained in:
toddouska
2018-03-19 09:05:15 -07:00
committed by GitHub
parent 465f1d491f 607bd96317
commit b28c6a394f
6 changed files with 429 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
certs/crl/gencrls.sh
View File

@@ -104,4 +104,10 @@ mv tmp eccSrvCRL.pem
# install (only needed if working outside wolfssl) # install (only needed if working outside wolfssl)
#cp eccSrvCRL.pem ~/wolfssl/certs/crl/eccSrvCRL.pem #cp eccSrvCRL.pem ~/wolfssl/certs/crl/eccSrvCRL.pem
# caEccCrl
openssl ca -config ../ecc/wolfssl.cnf -gencrl -crldays 1000 -out caEccCrl.pem -keyfile ../ca-ecc-key.pem -cert ../ca-ecc-cert.pem
# ca-ecc384-cert
openssl ca -config ../ecc/wolfssl.cnf -gencrl -crldays 1000 -out caEcc384Crl.pem -keyfile ../ca-ecc384-key.pem -cert ../ca-ecc384-cert.pem
exit 0 exit 0

18
certs/ed25519/gen-ed25519.sh Executable file
View File

@@ -0,0 +1,18 @@
#!/bin/bash
EXAMPLE=$1
echo "This uses ed25519 certificate generator from wolfssl-examples github"
echo "The script takes in the directory to wolfssl-examples"
pushd ${EXAMPLE}
make
if [ $? -ne 0 ]; then
echo "Unable to build example"
exit 1
fi
./tls.sh
popd
mv ${EXAMPLE}/*.pem .
mv ${EXAMPLE}/*.der .

133
certs/renewcerts.sh
View File

@@ -8,6 +8,10 @@
# client-ecc-cert.der # client-ecc-cert.der
# ca-cert.pem # ca-cert.pem
# ca-cert.der # ca-cert.der
# ca-ecc-cert.pem
# ca-ecc-cert.der
# ca-ecc384-cert.pem
# ca-ecc384-cert.der
# server-cert.pem # server-cert.pem
# server-cert.der # server-cert.der
# server-ecc-rsa.pem # server-ecc-rsa.pem
@@ -17,6 +21,7 @@
# server-ecc-comp.pem # server-ecc-comp.pem
# client-ca.pem # client-ca.pem
# test/digsigku.pem # test/digsigku.pem
# ecc-privOnlyCert.pem
# updates the following crls: # updates the following crls:
# crl/cliCrl.pem # crl/cliCrl.pem
# crl/crl.pem # crl/crl.pem
@@ -100,12 +105,38 @@ function run_renewcerts(){
openssl x509 -in ca-cert.pem -text > tmp.pem openssl x509 -in ca-cert.pem -text > tmp.pem
mv tmp.pem ca-cert.pem mv tmp.pem ca-cert.pem
############################################################ ############################################################
########## update the self-signed ca-ecc-cert.pem ##########
############################################################
echo "Updating ca-ecc-cert.pem"
echo ""
#pipe the following arguments to openssl req...
echo -e "US\nWashington\nSeattle\nwolfSSL\nDevelopment\nwww.wolfssl.com\ninfo@wolfssl.com\n.\n.\n" | openssl req -new -key ca-ecc-key.pem -nodes -out ca-ecc-cert.csr
openssl x509 -req -in ca-ecc-cert.csr -days 1000 -extfile wolfssl.cnf -extensions ca_ecc_cert -signkey ca-ecc-key.pem -out ca-ecc-cert.pem
rm ca-ecc-cert.csr
openssl x509 -in ca-ecc-cert.pem -text > tmp.pem
mv tmp.pem ca-ecc-cert.pem
############################################################
########## update the self-signed ca-ecc384-cert.pem #######
############################################################
echo "Updating ca-ecc384-cert.pem"
echo ""
#pipe the following arguments to openssl req...
echo -e "US\nWashington\nSeattle\nwolfSSL\nDevelopment\nwww.wolfssl.com\ninfo@wolfssl.com\n.\n.\n" | openssl req -new -key ca-ecc384-key.pem -nodes -sha384 -out ca-ecc384-cert.csr
openssl x509 -req -in ca-ecc384-cert.csr -days 1000 -extfile wolfssl.cnf -extensions ca_ecc_cert -signkey ca-ecc384-key.pem -sha384 -out ca-ecc384-cert.pem
rm ca-ecc384-cert.csr
openssl x509 -in ca-ecc384-cert.pem -text > tmp.pem
mv tmp.pem ca-ecc384-cert.pem
############################################################
##### update the self-signed (1024-bit) ca-cert.pem ######## ##### update the self-signed (1024-bit) ca-cert.pem ########
############################################################ ############################################################
echo "Updating 1024-bit ca-cert.pem" echo "Updating 1024-bit ca-cert.pem"
echo "" echo ""
#pipe the following arguments to openssl req... #pipe the following arguments to openssl req...
echo -e "US\nMontana\nBozeman\nSawtooth\nConsulting_1024\nwww.wolfssl.com\ninfo@wolfssl.com\n.\n.\n" | openssl req -new -key \1024/ca-key.pem -nodes -out \1024/ca-cert.csr echo -e "US\nMontana\nBozeman\nSawtooth\nConsulting_1024\nwww.wolfssl.com\ninfo@wolfssl.com\n.\n.\n" | openssl req -new -key \1024/ca-key.pem -nodes -sha1 -out \1024/ca-cert.csr
openssl x509 -req -in \1024/ca-cert.csr -days 1000 -extfile wolfssl.cnf -extensions wolfssl_opts -signkey \1024/ca-key.pem -out \1024/ca-cert.pem openssl x509 -req -in \1024/ca-cert.csr -days 1000 -extfile wolfssl.cnf -extensions wolfssl_opts -signkey \1024/ca-key.pem -out \1024/ca-cert.pem
rm \1024/ca-cert.csr rm \1024/ca-cert.csr
@@ -169,7 +200,7 @@ function run_renewcerts(){
echo "Updating 1024-bit server-cert.pem" echo "Updating 1024-bit server-cert.pem"
echo "" echo ""
#pipe the following arguments to openssl req... #pipe the following arguments to openssl req...
echo -e "US\nMontana\nBozeman\nwolfSSL\nSupport_1024\nwww.wolfssl.com\ninfo@wolfssl.com\n.\n.\n" | openssl req -new -key \1024/server-key.pem -nodes > \1024/server-req.pem echo -e "US\nMontana\nBozeman\nwolfSSL\nSupport_1024\nwww.wolfssl.com\ninfo@wolfssl.com\n.\n.\n" | openssl req -new -key \1024/server-key.pem -nodes -sha1 > \1024/server-req.pem
openssl x509 -req -in \1024/server-req.pem -extfile wolfssl.cnf -extensions wolfssl_opts -days 1000 -CA \1024/ca-cert.pem -CAkey \1024/ca-key.pem -set_serial 01 > \1024/server-cert.pem openssl x509 -req -in \1024/server-req.pem -extfile wolfssl.cnf -extensions wolfssl_opts -days 1000 -CA \1024/ca-cert.pem -CAkey \1024/ca-key.pem -set_serial 01 > \1024/server-cert.pem
@@ -209,7 +240,7 @@ function run_renewcerts(){
mv tmp.pem client-ecc-cert.pem mv tmp.pem client-ecc-cert.pem
############################################################ ############################################################
########## update the self-signed server-ecc.pem ########### ########## update the server-ecc.pem #######################
############################################################ ############################################################
echo "Updating server-ecc.pem" echo "Updating server-ecc.pem"
echo "" echo ""
@@ -217,7 +248,7 @@ function run_renewcerts(){
echo -e "US\nWashington\nSeattle\nEliptic\nECC\nwww.wolfssl.com\ninfo@wolfssl.com\n.\n.\n" | openssl req -new -key ecc-key.pem -nodes -out server-ecc.csr echo -e "US\nWashington\nSeattle\nEliptic\nECC\nwww.wolfssl.com\ninfo@wolfssl.com\n.\n.\n" | openssl req -new -key ecc-key.pem -nodes -out server-ecc.csr
openssl x509 -req -in server-ecc.csr -days 1000 -extfile wolfssl.cnf -extensions wolfssl_opts -signkey ecc-key.pem -out server-ecc.pem openssl x509 -req -in server-ecc.csr -days 1000 -extfile wolfssl.cnf -extensions server_ecc -CAfile ca-ecc-cert.pem -CAkey ca-ecc-key.pem -out server-ecc.pem
rm server-ecc.csr rm server-ecc.csr
openssl x509 -in server-ecc.pem -text > tmp.pem openssl x509 -in server-ecc.pem -text > tmp.pem
@@ -244,6 +275,18 @@ function run_renewcerts(){
echo "" echo ""
cat client-cert.pem client-ecc-cert.pem > client-ca.pem cat client-cert.pem client-ecc-cert.pem > client-ca.pem
############################################################
###### update the self-signed ecc-privOnlyCert.pem #########
############################################################
echo "Updating ecc-privOnlyCert.pem"
echo ""
#pipe the following arguments to openssl req...
echo -e ".\n.\n.\nWR\n.\nDE\n.\n.\n.\n" | openssl req -new -key ecc-privOnlyKey.pem -nodes -out ecc-privOnly.csr
openssl x509 -req -in ecc-privOnly.csr -days 1000 -signkey ecc-privOnlyKey.pem -out ecc-privOnlyCert.pem
rm ecc-privOnly.csr
############################################################ ############################################################
###### update the self-signed test/digsigku.pem ########## ###### update the self-signed test/digsigku.pem ##########
############################################################ ############################################################
@@ -263,10 +306,15 @@ function run_renewcerts(){
############################################################ ############################################################
########## make .der files from .pem files ################# ########## make .der files from .pem files #################
############################################################ ############################################################
openssl x509 -inform PEM -in \1024/client-cert.pem -outform DER -out \1024/client-cert.der
echo "Creating der formatted certs..." echo "Creating der formatted certs..."
echo "" echo ""
openssl x509 -inform PEM -in \1024/client-cert.pem -outform DER -out \1024/client-cert.der
openssl x509 -inform PEM -in \1024/server-cert.pem -outform DER -out \1024/server-cert.der
openssl x509 -inform PEM -in \1024/ca-cert.pem -outform DER -out \1024/ca-cert.der
openssl x509 -inform PEM -in ca-cert.pem -outform DER -out ca-cert.der openssl x509 -inform PEM -in ca-cert.pem -outform DER -out ca-cert.der
openssl x509 -inform PEM -in ca-ecc-cert.pem -outform DER -out ca-ecc-cert.der
openssl x509 -inform PEM -in ca-ecc384-cert.pem -outform DER -out ca-ecc384-cert.der
openssl x509 -inform PEM -in client-cert.pem -outform DER -out client-cert.der openssl x509 -inform PEM -in client-cert.pem -outform DER -out client-cert.der
openssl x509 -inform PEM -in server-cert.pem -outform DER -out server-cert.der openssl x509 -inform PEM -in server-cert.pem -outform DER -out server-cert.der
openssl x509 -inform PEM -in client-ecc-cert.pem -outform DER -out client-ecc-cert.der openssl x509 -inform PEM -in client-ecc-cert.pem -outform DER -out client-ecc-cert.der
@@ -281,6 +329,57 @@ function run_renewcerts(){
echo "" echo ""
echo "" | openssl pkcs12 -des3 -descert -export -in server-ecc-rsa.pem -inkey ecc-key.pem -certfile server-ecc.pem -out ecc-rsa-server.p12 -password stdin echo "" | openssl pkcs12 -des3 -descert -export -in server-ecc-rsa.pem -inkey ecc-key.pem -certfile server-ecc.pem -out ecc-rsa-server.p12 -password stdin
############################################################
###### update the test-servercert.p12 file #################
############################################################
echo "Updating test-servercert.p12 (password is \"wolfSSL test\")"
echo ""
echo "wolfSSL test" | openssl pkcs12 -des3 -descert -export -in server-cert.pem -inkey server-key.pem -certfile ca-cert.pem -out test-servercert.p12 -password stdin
############################################################
###### calling gen-ext-certs.sh ##################
############################################################
echo "Calling gen-ext-certs.sh"
echo ""
cd ..
./certs/test/gen-ext-certs.sh
cd ./certs
############################################################
###### calling gen-badsig.sh ##################
############################################################
echo "Calling gen-badsig.sh"
echo ""
cd ./test
./gen-badsig.sh
cd ../
############################################################
########## generate ocsp certs ######################
############################################################
echo "Changing directory to ocsp..."
echo ""
# guard against recursive calls to renewcerts.sh
if [ -d ocsp ]; then
cd ./ocsp
echo "Execute ./renewcerts.sh..."
./renewcerts.sh
cd ../
else
echo "Error could not find ocsp directory"
exit 1
fi
############################################################
###### calling assemble-chains.sh ##################
############################################################
echo "Calling assemble-chains.sh"
echo ""
cd ./test-pathlen
./assemble-chains.sh
cd ../
############################################################ ############################################################
########## store DER files as buffers ###################### ########## store DER files as buffers ######################
############################################################ ############################################################
@@ -350,6 +449,19 @@ then
echo "changed directory to wolfssl root directory." echo "changed directory to wolfssl root directory."
echo "" echo ""
echo ""
echo "Enter directory to ed25519 certificate generation example."
echo "Can be found at https://github.com/wolfSSL/wolfssl-examples"
read ED25519_DIR
if [ -d "${ED25519_DIR}" ]; then
pushd ./certs/ed25519
./gen-ed25519.sh ${ED25519_DIR}
popd
else
echo "Unable to find directory ${ED25519_DIR}"
exit 1
fi
############################################################ ############################################################
########## update ntru if already installed ################ ########## update ntru if already installed ################
############################################################ ############################################################
@@ -367,11 +479,21 @@ elif [ ! -z "$1" ]; then
if [ "$1" == "--override-ntru" ]; then if [ "$1" == "--override-ntru" ]; then
echo "overriding ntru, update all certs except ntru." echo "overriding ntru, update all certs except ntru."
run_renewcerts run_renewcerts
#valid argument create ed25519 certificates
elif [ "$1" == "--ed25519" ] || [ "$2" == "--ed25519" ]; then
echo ""
echo "Enter directory to ed25519 certificate generation example."
echo "Can be found at https://github.com/wolfSSL/wolfssl-examples"
read ED25519_DIR
pushd ./certs/ed25519
./gen-ed25519.sh ${ED25519_DIR}
popd
#valid argument print out other valid arguments #valid argument print out other valid arguments
elif [ "$1" == "-h" ] || [ "$1" == "-help" ]; then elif [ "$1" == "-h" ] || [ "$1" == "-help" ]; then
echo "" echo ""
echo "\"no argument\" will attempt to update all certificates" echo "\"no argument\" will attempt to update all certificates"
echo "--override-ntru updates all certificates except ntru" echo "--override-ntru updates all certificates except ntru"
echo "--ed25519 updates all ed25519 certificates"
echo "-h or -help display this menu" echo "-h or -help display this menu"
echo "" echo ""
echo "" echo ""
@@ -441,3 +563,4 @@ else
fi #END now defined fi #END now defined
fi #END already defined fi #END already defined
exit 0

50
certs/renewcerts/wolfssl.cnf
View File

@@ -125,6 +125,40 @@ subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always authorityKeyIdentifier=keyid:always,issuer:always
basicConstraints=CA:true basicConstraints=CA:true
# CA with pathlen 0
[ pathlen_0 ]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
basicConstraints=CA:true,pathlen:0
keyUsage=keyCertSign, cRLSign
# CA with pathlen 1
[ pathlen_1 ]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
basicConstraints=CA:true,pathlen:1
keyUsage=keyCertSign, cRLSign
# CA with pathlen 127
[ pathlen_127 ]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
basicConstraints=CA:true,pathlen:127
keyUsage=keyCertSign, cRLSign
# CA with pathlen 128
[ pathlen_128 ]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
basicConstraints=CA:true,pathlen:128
keyUsage=keyCertSign, cRLSign
# test pathlen server cert
[ test_pathlen ]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
basicConstraints=CA:false
# Extensions to add to a certificate request # Extensions to add to a certificate request
[ v3_req ] [ v3_req ]
basicConstraints = CA:FALSE basicConstraints = CA:FALSE
@@ -170,6 +204,22 @@ authorityKeyIdentifier=keyid:always,issuer:always
basicConstraints=critical, CA:TRUE basicConstraints=critical, CA:TRUE
keyUsage=critical, nonRepudiation, keyEncipherment keyUsage=critical, nonRepudiation, keyEncipherment
# ca-ecc-cert extensions
[ ca_ecc_cert ]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always
basicConstraints=critical, CA:TRUE
keyUsage=critical, digitalSignature, keyCertSign, cRLSign
# server-ecc extensions
[ server_ecc ]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always
basicConstraints=critical, CA:FALSE
keyUsage=critical, digitalSignature, keyEncipherment, keyAgreement
extendedKeyUsage=serverAuth
nsCertType=server
#tsa default #tsa default
[ tsa ] [ tsa ]
default_tsa = tsa_config1 default_tsa = tsa_config1

186
certs/test-pathlen/assemble-chains.sh
View File

@@ -1,8 +1,192 @@
#!/bin/bash #!/bin/bash
# #
# assemble-chains.sh # assemble-chains.sh
# Assemble all the certificate CA path test cert chains. # Create certs and assemble all the certificate CA path test cert chains.
###########################################################
########## update server-0-ca.pem ################
###########################################################
echo "Updating server-0-ca.pem"
echo ""
#pipe the following arguments to openssl req...
echo -e "US\nWashington\nSeattle\nwolfSSL Inc.\nEngineering\nServer 0 CA\ninfo@wolfssl.com\n.\n.\n" | openssl req -new -key ../server-key.pem -nodes -sha1 > server-0-ca-req.pem
openssl x509 -req -in server-0-ca-req.pem -extfile ../renewcerts/wolfssl.cnf -extensions pathlen_0 -days 1000 -CA ../ca-cert.pem -CAkey ../ca-key.pem -set_serial 100 -sha1 > server-0-ca.pem
rm server-0-ca-req.pem
openssl x509 -in server-0-ca.pem -text > ca_tmp.pem
mv ca_tmp.pem server-0-ca.pem
###########################################################
########## update server-0-cert.pem ################
###########################################################
echo "Updating server-0-cert.pem"
echo ""
#pipe the following arguments to openssl req...
echo -e "US\nWashington\nSeattle\nwolfSSL Inc.\nEngineering\nServer 0\ninfo@wolfssl.com\n.\n.\n" | openssl req -new -key ../server-key.pem -nodes -sha1 > server-0-cert-req.pem
openssl x509 -req -in server-0-cert-req.pem -extfile ../renewcerts/wolfssl.cnf -extensions test_pathlen -days 1000 -CA server-0-ca.pem -CAkey ../server-key.pem -set_serial 101 -sha1 > server-0-cert.pem
rm server-0-cert-req.pem
openssl x509 -in server-0-cert.pem -text > cert_tmp.pem
mv cert_tmp.pem server-0-cert.pem
###########################################################
########## update server-1-ca.pem ################
###########################################################
echo "Updating server-1-ca.pem"
echo ""
#pipe the following arguments to openssl req...
echo -e "US\nWashington\nSeattle\nwolfSSL Inc.\nEngineering\nServer 1 CA\ninfo@wolfssl.com\n.\n.\n" | openssl req -new -key ../server-key.pem -nodes -sha1 > server-1-ca-req.pem
openssl x509 -req -in server-1-ca-req.pem -extfile ../renewcerts/wolfssl.cnf -extensions pathlen_1 -days 1000 -CA ../ca-cert.pem -CAkey ../ca-key.pem -set_serial 102 -sha1 > server-1-ca.pem
rm server-1-ca-req.pem
openssl x509 -in server-1-ca.pem -text > ca_tmp.pem
mv ca_tmp.pem server-1-ca.pem
###########################################################
########## update server-1-cert.pem ################
###########################################################
echo "Updating server-1-cert.pem"
echo ""
#pipe the following arguments to openssl req...
echo -e "US\nWashington\nSeattle\nwolfSSL Inc.\nEngineering\nServer 1\ninfo@wolfssl.com\n.\n.\n" | openssl req -new -key ../server-key.pem -nodes -sha1 > server-1-cert-req.pem
openssl x509 -req -in server-1-cert-req.pem -extfile ../renewcerts/wolfssl.cnf -extensions test_pathlen -days 1000 -CA server-1-ca.pem -CAkey ../server-key.pem -set_serial 105 -sha1 > server-1-cert.pem
rm server-1-cert-req.pem
openssl x509 -in server-1-cert.pem -text > cert_tmp.pem
mv cert_tmp.pem server-1-cert.pem
###########################################################
########## update server-0-1-ca.pem ################
###########################################################
echo "Updating server-0-1-ca.pem"
echo ""
#pipe the following arguments to openssl req...
echo -e "US\nWashington\nSeattle\nwolfSSL Inc.\nEngineering\nServer 0-1 CA\ninfo@wolfssl.com\n.\n.\n" | openssl req -new -key ../server-key.pem -nodes -sha1 > server-0-1-ca-req.pem
openssl x509 -req -in server-0-1-ca-req.pem -extfile ../renewcerts/wolfssl.cnf -extensions pathlen_1 -days 1000 -CA server-0-ca.pem -CAkey ../server-key.pem -set_serial 110 -sha1 > server-0-1-ca.pem
rm server-0-1-ca-req.pem
openssl x509 -in server-0-1-ca.pem -text > ca_tmp.pem
mv ca_tmp.pem server-0-1-ca.pem
###########################################################
########## update server-0-1-cert.pem ################
###########################################################
echo "Updating server-0-1-cert.pem"
echo ""
#pipe the following arguments to openssl req...
echo -e "US\nWashington\nSeattle\nwolfSSL Inc.\nEngineering\nServer 0-1\ninfo@wolfssl.com\n.\n.\n" | openssl req -new -key ../server-key.pem -nodes -sha1 > server-0-1-cert-req.pem
openssl x509 -req -in server-0-1-cert-req.pem -extfile ../renewcerts/wolfssl.cnf -extensions test_pathlen -days 1000 -CA server-0-1-ca.pem -CAkey ../server-key.pem -set_serial 111 -sha1 > server-0-1-cert.pem
rm server-0-1-cert-req.pem
openssl x509 -in server-0-1-cert.pem -text > cert_tmp.pem
mv cert_tmp.pem server-0-1-cert.pem
###########################################################
########## update server-1-0-ca.pem ################
###########################################################
echo "Updating server-1-0-ca.pem"
echo ""
#pipe the following arguments to openssl req...
echo -e "US\nWashington\nSeattle\nwolfSSL Inc.\nEngineering\nServer 1-0 CA\ninfo@wolfssl.com\n.\n.\n" | openssl req -new -key ../server-key.pem -nodes -sha1 > server-1-0-ca-req.pem
openssl x509 -req -in server-1-0-ca-req.pem -extfile ../renewcerts/wolfssl.cnf -extensions pathlen_0 -days 1000 -CA server-1-ca.pem -CAkey ../server-key.pem -set_serial 103 -sha1 > server-1-0-ca.pem
rm server-1-0-ca-req.pem
openssl x509 -in server-1-0-ca.pem -text > ca_tmp.pem
mv ca_tmp.pem server-1-0-ca.pem
###########################################################
########## update server-1-0-cert.pem ################
###########################################################
echo "Updating server-1-0-cert.pem"
echo ""
#pipe the following arguments to openssl req...
echo -e "US\nWashington\nSeattle\nwolfSSL Inc.\nEngineering\nServer 1-0\ninfo@wolfssl.com\n.\n.\n" | openssl req -new -key ../server-key.pem -nodes -sha1 > server-1-0-cert-req.pem
openssl x509 -req -in server-1-0-cert-req.pem -extfile ../renewcerts/wolfssl.cnf -extensions test_pathlen -days 1000 -CA server-1-0-ca.pem -CAkey ../server-key.pem -set_serial 104 -sha1 > server-1-0-cert.pem
rm server-1-0-cert-req.pem
openssl x509 -in server-1-0-cert.pem -text > cert_tmp.pem
mv cert_tmp.pem server-1-0-cert.pem
###########################################################
########## update server-127-ca.pem ################
###########################################################
echo "Updating server-127-ca.pem"
echo ""
#pipe the following arguments to openssl req...
echo -e "US\nWashington\nSeattle\nwolfSSL Inc.\nEngineering\nServer 127 CA\ninfo@wolfssl.com\n.\n.\n" | openssl req -new -key ../server-key.pem -nodes -sha1 > server-127-ca-req.pem
openssl x509 -req -in server-127-ca-req.pem -extfile ../renewcerts/wolfssl.cnf -extensions pathlen_127 -days 1000 -CA ../ca-cert.pem -CAkey ../ca-key.pem -set_serial 106 -sha1 > server-127-ca.pem
rm server-127-ca-req.pem
openssl x509 -in server-127-ca.pem -text > ca_tmp.pem
mv ca_tmp.pem server-127-ca.pem
###########################################################
########## update server-127-cert.pem ################
###########################################################
echo "Updating server-127-cert.pem"
echo ""
#pipe the following arguments to openssl req...
echo -e "US\nWashington\nSeattle\nwolfSSL Inc.\nEngineering\nServer 127\ninfo@wolfssl.com\n.\n.\n" | openssl req -new -key ../server-key.pem -nodes -sha1 > server-127-cert-req.pem
openssl x509 -req -in server-127-cert-req.pem -extfile ../renewcerts/wolfssl.cnf -extensions test_pathlen -days 1000 -CA server-127-ca.pem -CAkey ../server-key.pem -set_serial 107 -sha1 > server-127-cert.pem
rm server-127-cert-req.pem
openssl x509 -in server-127-cert.pem -text > cert_tmp.pem
mv cert_tmp.pem server-127-cert.pem
###########################################################
########## update server-128-ca.pem ################
###########################################################
echo "Updating server-128-ca.pem"
echo ""
#pipe the following arguments to openssl req...
echo -e "US\nWashington\nSeattle\nwolfSSL Inc.\nEngineering\nServer 128 CA\ninfo@wolfssl.com\n.\n.\n" | openssl req -new -key ../server-key.pem -nodes -sha1 > server-128-ca-req.pem
openssl x509 -req -in server-128-ca-req.pem -extfile ../renewcerts/wolfssl.cnf -extensions pathlen_128 -days 1000 -CA ../ca-cert.pem -CAkey ../ca-key.pem -set_serial 106 -sha1 > server-128-ca.pem
rm server-128-ca-req.pem
openssl x509 -in server-128-ca.pem -text > ca_tmp.pem
mv ca_tmp.pem server-128-ca.pem
###########################################################
########## update server-128-cert.pem ################
###########################################################
echo "Updating server-128-cert.pem"
echo ""
#pipe the following arguments to openssl req...
echo -e "US\nWashington\nSeattle\nwolfSSL Inc.\nEngineering\nServer 128\ninfo@wolfssl.com\n.\n.\n" | openssl req -new -key ../server-key.pem -nodes -sha1 > server-128-cert-req.pem
openssl x509 -req -in server-128-cert-req.pem -extfile ../renewcerts/wolfssl.cnf -extensions test_pathlen -days 1000 -CA server-128-ca.pem -CAkey ../server-key.pem -set_serial 107 -sha1 > server-128-cert.pem
rm server-128-cert-req.pem
openssl x509 -in server-128-cert.pem -text > cert_tmp.pem
mv cert_tmp.pem server-128-cert.pem
###########################################################
########## Assemble Chains ################
###########################################################
# Success: PathLen of 0 # Success: PathLen of 0
## server-0-ca.pem: signed by ca-cert.pem ## server-0-ca.pem: signed by ca-cert.pem
## server-0-cert.pem: signed by server-0-ca.pem ## server-0-cert.pem: signed by server-0-ca.pem

42
certs/test/gen-badsig.sh Executable file
View File

@@ -0,0 +1,42 @@
#!/bin/bash
generate() {
# read in certificate and alter the last part of the signature
num_lines=$(wc -l < $cert)
i=1
rm -f $pem_out
touch $pem_out
while IFS= read -r line
do
if [[ $((i+1)) -eq ${num_lines} ]]; then
# last line before END tag. Alter the sig here
idx=`expr ${#line} - 4`
chr=${line:idx:1}
if [ "$chr" == "x" ] || [ "$chr" == "X" ]; then
echo "${line:0:${idx}}a${line:$((idx+1)):$((idx+4))}" >> $pem_out
else
echo "${line:0:${idx}}x${line:$((idx+1)):$((idx+4))}" >> $pem_out
fi
else
echo "$line" >> $pem_out
fi
let i++
done < "$cert"
# output to DER format also
openssl x509 -in $pem_out -out $der_out -outform DER
}
# create server RSA certificate with bad signature
cert="../server-cert.pem"
pem_out=server-cert-rsa-badsig.pem
der_out=server-cert-rsa-badsig.der
generate
# create server ECC certificate with bad signature
cert="../server-ecc.pem"
pem_out=server-cert-ecc-badsig.pem
der_out=server-cert-ecc-badsig.der
generate