wolfSSL/wolfssl
1
0
Fork 1
mirror of https://github.com/wolfSSL/wolfssl.git synced 2025-08-01 03:34:39 +02:00
Code Issues Packages Projects Releases Wiki Activity

bad sig certificate renew script

Browse Source
This commit is contained in:
Jacob Barthelmeh
2018-03-09 09:50:52 -07:00
parent 849e1eb10d
commit f6b5427f2b
3 changed files with 69 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

20
certs/renewcerts.sh
View File

@@ -240,7 +240,7 @@ function run_renewcerts(){
mv tmp.pem client-ecc-cert.pem mv tmp.pem client-ecc-cert.pem
############################################################ ############################################################
########## update the self-signed server-ecc.pem ########### ########## update the server-ecc.pem #######################
############################################################ ############################################################
echo "Updating server-ecc.pem" echo "Updating server-ecc.pem"
echo "" echo ""
@@ -248,7 +248,7 @@ function run_renewcerts(){
echo -e "US\nWashington\nSeattle\nEliptic\nECC\nwww.wolfssl.com\ninfo@wolfssl.com\n.\n.\n" | openssl req -new -key ecc-key.pem -nodes -out server-ecc.csr echo -e "US\nWashington\nSeattle\nEliptic\nECC\nwww.wolfssl.com\ninfo@wolfssl.com\n.\n.\n" | openssl req -new -key ecc-key.pem -nodes -out server-ecc.csr
openssl x509 -req -in server-ecc.csr -days 1000 -extfile wolfssl.cnf -extensions wolfssl_opts -signkey ecc-key.pem -out server-ecc.pem openssl x509 -req -in server-ecc.csr -days 1000 -extfile wolfssl.cnf -extensions server_ecc -CAfile ca-ecc-cert.pem -CAkey ca-ecc-key.pem -out server-ecc.pem
rm server-ecc.csr rm server-ecc.csr
openssl x509 -in server-ecc.pem -text > tmp.pem openssl x509 -in server-ecc.pem -text > tmp.pem
@@ -329,6 +329,13 @@ function run_renewcerts(){
echo "" echo ""
echo "" | openssl pkcs12 -des3 -descert -export -in server-ecc-rsa.pem -inkey ecc-key.pem -certfile server-ecc.pem -out ecc-rsa-server.p12 -password stdin echo "" | openssl pkcs12 -des3 -descert -export -in server-ecc-rsa.pem -inkey ecc-key.pem -certfile server-ecc.pem -out ecc-rsa-server.p12 -password stdin
############################################################
###### update the test-servercert.p12 file #################
############################################################
echo "Updating test-servercert.p12 (password is \"wolfSSL test\")"
echo ""
echo "wolfSSL test" | openssl pkcs12 -des3 -descert -export -in server-cert.pem -inkey server-key.pem -certfile ca-cert.pem -out test-servercert.p12 -password stdin
############################################################ ############################################################
###### calling gen-ext-certs.sh ################## ###### calling gen-ext-certs.sh ##################
############################################################ ############################################################
@@ -338,6 +345,15 @@ function run_renewcerts(){
./certs/test/gen-ext-certs.sh ./certs/test/gen-ext-certs.sh
cd ./certs cd ./certs
############################################################
###### calling gen-badsig.sh ##################
############################################################
echo "Calling gen-badsig.sh"
echo ""
cd ./test
./gen-badsig.sh
cd ../
############################################################ ############################################################
########## store DER files as buffers ###################### ########## store DER files as buffers ######################
############################################################ ############################################################

9
certs/renewcerts/wolfssl.cnf
View File

@@ -177,6 +177,15 @@ authorityKeyIdentifier=keyid:always
basicConstraints=critical, CA:TRUE basicConstraints=critical, CA:TRUE
keyUsage=critical, digitalSignature, keyCertSign, cRLSign keyUsage=critical, digitalSignature, keyCertSign, cRLSign
# server-ecc extensions
[ server_ecc ]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always
basicConstraints=critical, CA:FALSE
keyUsage=critical, digitalSignature, keyEncipherment, keyAgreement
extendedKeyUsage=serverAuth
nsCertType=server
#tsa default #tsa default
[ tsa ] [ tsa ]
default_tsa = tsa_config1 default_tsa = tsa_config1

42
certs/test/gen-badsig.sh Executable file
View File

@@ -0,0 +1,42 @@
#!/bin/bash
generate() {
# read in certificate and alter the last part of the signature
num_lines=$(wc -l < $cert)
i=1
rm -f $pem_out
touch $pem_out
while IFS= read -r line
do
if [[ $((i+1)) -eq ${num_lines} ]]; then
# last line before END tag. Alter the sig here
idx=`expr ${#line} - 4`
chr=${line:idx:1}
if [ "$chr" == "x" ] || [ "$chr" == "X" ]; then
echo "${line:0:${idx}}a${line:$((idx+1)):$((idx+4))}" >> $pem_out
else
echo "${line:0:${idx}}x${line:$((idx+1)):$((idx+4))}" >> $pem_out
fi
else
echo "$line" >> $pem_out
fi
let i++
done < "$cert"
# output to DER format also
openssl x509 -in $pem_out -out $der_out -outform DER
}
# create server RSA certificate with bad signature
cert="../server-cert.pem"
pem_out=server-cert-rsa-badsig.pem
der_out=server-cert-rsa-badsig.der
generate
# create server ECC certificate with bad signature
cert="../server-ecc.pem"
pem_out=server-cert-ecc-badsig.pem
der_out=server-cert-ecc-badsig.der
generate