wolfSSL/wolfssl
1
0
Fork 1
mirror of https://github.com/wolfSSL/wolfssl.git synced 2025-07-30 18:57:27 +02:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #4115 from SparkiDev/ed25519_openssl_fix

Browse Source 
ED25119 and SHAKE-256: fixes
This commit is contained in:
David Garske
2021-06-11 10:41:51 -07:00
committed by GitHub
parent b28aab4cf9 5a78574a8a
commit 7eb840d615
7 changed files with 142 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

105
certs/ed25519/gen-ed25519-certs.sh Executable file
View File

@ -0,0 +1,105 @@
#!/bin/bash
check_result(){
if [ $1 -ne 0 ]; then
echo "Failed at \"$2\", Abort"
exit 1
else
echo "Step Succeeded!"
fi
}
openssl pkey -in root-ed25519-priv.pem -noout >/dev/null 2>&1
if [ $? -ne 0 ]; then
echo "OpenSSL does not support Ed25519"
echo "Skipping Ed25519 certificate renewal"
exit 0
fi
############################################################
###### update the self-signed root-ed25519.pem #############
############################################################
echo "Updating root-ed25519.pem"
echo ""
#pipe the following arguments to openssl req...
echo -e "US\\nMontana\\nBozeman\\nwolfSSL_Ed25519\\nRoot-Ed25519\\nwww.wolfssl.com\\ninfo@wolfssl.com\\n.\\n.\\n" | \
openssl req -new -key root-ed25519-priv.pem -config ../renewcerts/wolfssl.cnf -nodes -out root-ed25519.csr
check_result $? "Generate request"
openssl x509 -req -in root-ed25519.csr -days 1000 -extfile ../renewcerts/wolfssl.cnf -extensions ca_ecc_cert -signkey root-ed25519-priv.pem -out root-ed25519.pem
check_result $? "Generate certificate"
rm root-ed25519.csr
openssl x509 -in root-ed25519.pem -outform DER > root-ed25519.der
check_result $? "Convert to DER"
openssl x509 -in root-ed25519.pem -text > tmp.pem
check_result $? "Add text"
mv tmp.pem root-ed25519.pem
echo "End of section"
echo "---------------------------------------------------------------------"
############################################################
###### update ca-ed25519.pem signed by root ################
############################################################
echo "Updating ca-ed25519.pem"
echo ""
#pipe the following arguments to openssl req...
echo -e "US\\nMontana\\nBozeman\\nwolfSSL_ed25519\\nCA-ed25519\\nwww.wolfssl.com\\ninfo@wolfssl.com\\n\\n\\n\\n" | openssl req -new -key ca-ed25519-priv.pem -config ../renewcerts/wolfssl.cnf -nodes -out ca-ed25519.csr
check_result $? "Generate request"
openssl x509 -req -in ca-ed25519.csr -days 1000 -extfile ../renewcerts/wolfssl.cnf -extensions ca_ecc_cert -CA root-ed25519.pem -CAkey root-ed25519-priv.pem -set_serial 01 -out ca-ed25519.pem
check_result $? "Generate certificate"
rm ca-ed25519.csr
openssl x509 -in ca-ed25519.pem -outform DER > ca-ed25519.der
check_result $? "Convert to DER"
openssl x509 -in ca-ed25519.pem -text > tmp.pem
check_result $? "Add text"
mv tmp.pem ca-ed25519.pem
echo "End of section"
echo "---------------------------------------------------------------------"
############################################################
###### update server-ed25519.pem signed by ca ##############
############################################################
echo "Updating server-ed25519.pem"
echo ""
#pipe the following arguments to openssl req...
echo -e "US\\nMontana\\nBozeman\\nwolfSSL_ed25519\\nServer-ed25519\\nwww.wolfssl.com\\ninfo@wolfssl.com\\n\\n\\n\\n" | openssl req -new -key server-ed25519-priv.pem -config ../renewcerts/wolfssl.cnf -nodes -out server-ed25519.csr
check_result $? "Generate request"
openssl x509 -req -in server-ed25519.csr -days 1000 -extfile ../renewcerts/wolfssl.cnf -extensions server_ecc -CA ca-ed25519.pem -CAkey ca-ed25519-priv.pem -set_serial 01 -out server-ed25519-cert.pem
check_result $? "Generate certificate"
rm server-ed25519.csr
openssl x509 -in server-ed25519-cert.pem -outform DER > server-ed25519.der
check_result $? "Convert to DER"
openssl x509 -in server-ed25519-cert.pem -text > tmp.pem
check_result $? "Add text"
mv tmp.pem server-ed25519-cert.pem
cat server-ed25519-cert.pem ca-ed25519.pem > server-ed25519.pem
check_result $? "Add CA into server cert"
echo "End of section"
echo "---------------------------------------------------------------------"
############################################################
###### update the self-signed client-ed25519.pem ###########
############################################################
echo "Updating client-ed25519.pem"
echo ""
#pipe the following arguments to openssl req...
echo -e "US\\nMontana\\nBozeman\\nwolfSSL_ed25519\\nClient-ed25519\\nwww.wolfssl.com\\ninfo@wolfssl.com\\n\\n\\n\\n" | openssl req -new -key client-ed25519-priv.pem -config ../renewcerts/wolfssl.cnf -nodes -out client-ed25519.csr
check_result $? "Generate request"
openssl x509 -req -in client-ed25519.csr -days 1000 -extfile ../renewcerts/wolfssl.cnf -extensions client_ecc -signkey client-ed25519-priv.pem -out client-ed25519.pem
check_result $? "Generate certificate"
rm client-ed25519.csr
openssl x509 -in client-ed25519.pem -outform DER > client-ed25519.der
check_result $? "Convert to DER"
openssl x509 -in client-ed25519.pem -text > tmp.pem
check_result $? "Add text"
mv tmp.pem client-ed25519.pem
echo "End of section"
echo "---------------------------------------------------------------------"

16
certs/ed25519/gen-ed25519-keys.sh Executable file
View File

@ -0,0 +1,16 @@
#!/bin/sh
for key in root ca server client
do
openssl genpkey -algorithm ED25519 > ${key}-ed25519-priv.pem
openssl pkey -in ${key}-ed25519-priv.pem -outform DER -out ${key}-ed25519-priv.der
openssl pkey -in ${key}-ed25519-priv.pem -outform PEM -pubout -out ${key}-ed25519-key.pem
openssl pkey -in ${key}-ed25519-priv.pem -outform DER -pubout -out ${key}-ed25519-key.der
done

5
certs/ed25519/include.am
View File

@ -28,3 +28,8 @@ EXTRA_DIST += \
certs/ed25519/server-ed25519-key.pem \ certs/ed25519/server-ed25519-key.pem \
certs/ed25519/server-ed25519-priv.der \ certs/ed25519/server-ed25519-priv.der \
certs/ed25519/server-ed25519-priv.pem certs/ed25519/server-ed25519-priv.pem
EXTRA_DIST += \
certs/ed25519/gen-ed25519.sh \
certs/ed25519/gen-ed25519-certs.sh \
certs/ed25519/gen-ed25519-keys.sh

8
certs/renewcerts/wolfssl.cnf
View File

@ -271,6 +271,14 @@ keyUsage=critical, digitalSignature, keyEncipherment, keyAgreement
extendedKeyUsage=serverAuth extendedKeyUsage=serverAuth
nsCertType=server nsCertType=server
# server-ecc extensions
[ client_ecc ]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always
basicConstraints=critical, CA:FALSE
keyUsage=critical, digitalSignature, keyEncipherment, keyAgreement
extendedKeyUsage=clientAuth
# test parsing URI # test parsing URI
[ uri ] [ uri ]
subjectKeyIdentifier=hash subjectKeyIdentifier=hash

1
configure.ac
View File

@ -1778,6 +1778,7 @@ fi
AC_ARG_ENABLE([shake256], AC_ARG_ENABLE([shake256],
[AS_HELP_STRING([--enable-shake256],[Enable wolfSSL SHAKE256 support (default: disabled)])], [AS_HELP_STRING([--enable-shake256],[Enable wolfSSL SHAKE256 support (default: disabled)])],
[ ENABLED_SHAKE256=$enableval ] [ ENABLED_SHAKE256=$enableval ]
[ ENABLED_SHAKE256=no ]
) )
# SHA512 # SHA512

12
scripts/openssl.test
View File

@ -467,7 +467,7 @@ IFS=$OIFS #restore separator
# #
# Check for cerificate support in wolfSSL # Check for cerificate support in wolfSSL
wolf_certs=`$WOLFSSL_CLIENT -help 2>&1` wolf_certs=`$WOLFSSL_CLIENT -? 2>&1`
case $wolf_certs in case $wolf_certs in
*"cert"*) *"cert"*)
;; ;;
@ -666,7 +666,7 @@ if [ "$wolf_ed25519" != "" ];
then then
cert_file="${CERT_DIR}/ed25519/server-ed25519.pem" cert_file="${CERT_DIR}/ed25519/server-ed25519.pem"
key_file="${CERT_DIR}/ed25519/server-ed25519-priv.pem" key_file="${CERT_DIR}/ed25519/server-ed25519-priv.pem"
ca_file="${CERT_DIR}/ed25519/root-ed25519.pem" ca_file="${CERT_DIR}/ed25519/client-ed25519.pem"
openssl_suite="Ed25519" openssl_suite="Ed25519"
start_openssl_server start_openssl_server
@ -974,8 +974,8 @@ do
fi fi
if [ $ed25519_openssl_pid != $no_pid -a "$version" != "0" -a "$version" != "1" -a "$version" != "2" ] if [ $ed25519_openssl_pid != $no_pid -a "$version" != "0" -a "$version" != "1" -a "$version" != "2" ]
then then
cert="${CERT_DIR}/ed25519/server-ed25519.pem" cert="${CERT_DIR}/ed25519/client-ed25519.pem"
key="${CERT_DIR}/ed25519/server-ed25519-priv.pem" key="${CERT_DIR}/ed25519/client-ed25519-priv.pem"
caCert="${CERT_DIR}/ed25519/server-ed25519.pem" caCert="${CERT_DIR}/ed25519/server-ed25519.pem"
wolf_temp_cases_total=$((wolf_temp_cases_total + 1)) wolf_temp_cases_total=$((wolf_temp_cases_total + 1))
@ -1112,8 +1112,8 @@ do
# Ed25519 # Ed25519
if [ $ed25519_openssl_pid != $no_pid ] if [ $ed25519_openssl_pid != $no_pid ]
then then
cert="${CERT_DIR}/ed25519/server-ed25519.pem" cert="${CERT_DIR}/ed25519/client-ed25519.pem"
key="${CERT_DIR}/ed25519/server-ed25519-priv.pem" key="${CERT_DIR}/ed25519/client-ed25519-priv.pem"
caCert="${CERT_DIR}/ed25519/server-ed25519.pem" caCert="${CERT_DIR}/ed25519/server-ed25519.pem"
wolf_temp_cases_total=$((wolf_temp_cases_total + 1)) wolf_temp_cases_total=$((wolf_temp_cases_total + 1))

2
wolfcrypt/src/sha3.c
View File

@ -1168,7 +1168,7 @@ int wc_Sha3_GetFlags(wc_Sha3* sha3, word32* flags)
} }
#endif #endif
#if defined(WOLFSSL_SHAKE256) #ifdef WOLFSSL_SHAKE256
/* Initialize the state for a Shake256 hash operation. /* Initialize the state for a Shake256 hash operation.
* *
* shake wc_Shake object holding state. * shake wc_Shake object holding state.