bad sig certificate renew script

2025-07-31 11:17:29 +02:00 · 2018-03-09 09:50:52 -07:00
parent 849e1eb10d
commit f6b5427f2b
3 changed files with 69 additions and 2 deletions
--- a/certs/renewcerts.sh
+++ b/certs/renewcerts.sh
@ -240,7 +240,7 @@ function run_renewcerts(){
    mv tmp.pem client-ecc-cert.pem

    ############################################################
-    ########## update the self-signed server-ecc.pem ###########
+    ########## update the server-ecc.pem #######################
    ############################################################
    echo "Updating server-ecc.pem"
    echo ""
@ -248,7 +248,7 @@ function run_renewcerts(){
    echo -e "US\nWashington\nSeattle\nEliptic\nECC\nwww.wolfssl.com\ninfo@wolfssl.com\n.\n.\n" | openssl req -new -key ecc-key.pem -nodes -out server-ecc.csr


-    openssl x509 -req -in server-ecc.csr -days 1000 -extfile wolfssl.cnf -extensions wolfssl_opts -signkey ecc-key.pem -out server-ecc.pem
+    openssl x509 -req -in server-ecc.csr -days 1000 -extfile wolfssl.cnf -extensions server_ecc -CAfile ca-ecc-cert.pem -CAkey ca-ecc-key.pem -out server-ecc.pem
    rm server-ecc.csr

    openssl x509 -in server-ecc.pem -text > tmp.pem
@ -329,6 +329,13 @@ function run_renewcerts(){
    echo ""
    echo "" | openssl pkcs12 -des3 -descert -export -in server-ecc-rsa.pem -inkey ecc-key.pem -certfile server-ecc.pem -out ecc-rsa-server.p12 -password stdin

+    ############################################################
+    ###### update the test-servercert.p12 file #################
+    ############################################################
+    echo "Updating test-servercert.p12 (password is \"wolfSSL test\")"
+    echo ""
+    echo "wolfSSL test" | openssl pkcs12 -des3 -descert -export -in server-cert.pem -inkey server-key.pem -certfile ca-cert.pem -out test-servercert.p12 -password stdin
+
    ############################################################
    ###### calling gen-ext-certs.sh           ##################
    ############################################################
@ -338,6 +345,15 @@ function run_renewcerts(){
    ./certs/test/gen-ext-certs.sh
    cd ./certs

+    ############################################################
+    ###### calling gen-badsig.sh              ##################
+    ############################################################
+    echo "Calling gen-badsig.sh"
+    echo ""
+    cd ./test
+    ./gen-badsig.sh
+    cd ../
+
    ############################################################
    ########## store DER files as buffers ######################
    ############################################################
--- a/certs/renewcerts/wolfssl.cnf
+++ b/certs/renewcerts/wolfssl.cnf
@ -177,6 +177,15 @@ authorityKeyIdentifier=keyid:always
 basicConstraints=critical, CA:TRUE
 keyUsage=critical, digitalSignature, keyCertSign, cRLSign

+# server-ecc extensions
+[ server_ecc ]
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid:always
+basicConstraints=critical, CA:FALSE
+keyUsage=critical, digitalSignature, keyEncipherment, keyAgreement
+extendedKeyUsage=serverAuth
+nsCertType=server
+
 #tsa default
 [ tsa ]
 default_tsa = tsa_config1
--- a/certs/test/gen-badsig.sh
+++ b/certs/test/gen-badsig.sh
@ -0,0 +1,42 @@
+#!/bin/bash
+
+generate() {
+    # read in certificate and alter the last part of the signature
+    num_lines=$(wc -l < $cert)
+    i=1
+
+    rm -f $pem_out
+    touch $pem_out
+    while IFS= read -r line
+    do
+        if [[ $((i+1)) -eq ${num_lines} ]]; then
+            # last line before END tag. Alter the sig here
+            idx=`expr ${#line} - 4`
+            chr=${line:idx:1}
+            if [ "$chr" == "x" ] || [ "$chr" == "X" ]; then
+                echo "${line:0:${idx}}a${line:$((idx+1)):$((idx+4))}" >> $pem_out
+            else
+                echo "${line:0:${idx}}x${line:$((idx+1)):$((idx+4))}" >> $pem_out
+            fi
+        else
+            echo "$line" >> $pem_out
+        fi
+    let i++
+    done < "$cert"
+
+    # output to DER format also
+    openssl x509 -in $pem_out -out $der_out -outform DER
+}
+
+# create server RSA certificate with bad signature
+cert="../server-cert.pem"
+pem_out=server-cert-rsa-badsig.pem
+der_out=server-cert-rsa-badsig.der
+generate
+
+# create server ECC certificate with bad signature
+cert="../server-ecc.pem"
+pem_out=server-cert-ecc-badsig.pem
+der_out=server-cert-ecc-badsig.der
+generate
+