Files
2026-05-05 13:46:05 -06:00

110 lines
4.4 KiB
Bash
Executable File

#!/bin/bash
#
# Generate test certificates for serial number 0 testing (issue #8615)
#
# Tests verify that root CAs (self-signed + CA:TRUE) with serial 0 are
# accepted as trust anchors, while all other cert types with serial 0
# are rejected per RFC 5280 section 4.1.2.2.
#
# Output files (certs only -- EE keys use temp files):
# root_serial0.pem / root_serial0_key.pem - Root CA with serial 0
# ee_serial0.pem - EE cert with serial 0 (rejected)
# ee_normal.pem - Normal EE cert (serial 100)
# selfsigned_nonca_serial0.pem - Self-signed non-CA, serial 0
# intermediate_serial0.pem - Intermediate CA, serial 0
# (CA:TRUE but issuer != subject)
set -e
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
cd "$SCRIPT_DIR"
echo "==================================================="
echo "Generating serial 0 test certificates in: $SCRIPT_DIR"
echo "==================================================="
# 1. Create Root CA with serial number 0
echo ""
echo "[1/5] Creating Root CA with serial number 0..."
openssl req -x509 -newkey rsa:2048 -keyout root_serial0_key.pem -out root_serial0.pem \
-days 7300 -nodes -subj "/CN=Test Root CA Serial 0/O=wolfSSL Test/C=US" \
-set_serial 0 \
-addext "basicConstraints=critical,CA:TRUE" \
-addext "keyUsage=critical,keyCertSign,cRLSign"
echo " Root CA serial number:"
openssl x509 -in root_serial0.pem -noout -serial
# 2. Create end-entity cert with serial 0 signed by root_serial0
echo ""
echo "[2/5] Creating end-entity certificate with serial number 0..."
openssl req -newkey rsa:2048 -keyout ee_serial0_key.tmp -out ee_serial0.csr.tmp -nodes \
-subj "/CN=End Entity Serial 0/O=wolfSSL Test/C=US"
openssl x509 -req -in ee_serial0.csr.tmp -CA root_serial0.pem -CAkey root_serial0_key.pem \
-out ee_serial0.pem -days 3650 -set_serial 0 \
-extfile <(echo "basicConstraints=CA:FALSE
keyUsage=digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth,clientAuth")
rm -f ee_serial0_key.tmp ee_serial0.csr.tmp
echo " End-entity cert serial number:"
openssl x509 -in ee_serial0.pem -noout -serial
# 3. Create normal end-entity cert signed by root CA with serial 0
echo ""
echo "[3/5] Creating normal end-entity certificate (signed by serial 0 root)..."
openssl req -newkey rsa:2048 -keyout ee_normal_key.tmp -out ee_normal.csr.tmp -nodes \
-subj "/CN=End Entity Normal/O=wolfSSL Test/C=US"
openssl x509 -req -in ee_normal.csr.tmp -CA root_serial0.pem -CAkey root_serial0_key.pem \
-out ee_normal.pem -days 3650 -set_serial 100 \
-extfile <(echo "basicConstraints=CA:FALSE
keyUsage=digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth,clientAuth")
rm -f ee_normal_key.tmp ee_normal.csr.tmp
echo " Normal end-entity cert serial number:"
openssl x509 -in ee_normal.pem -noout -serial
# 4. Create self-signed non-CA certificate with serial 0
echo ""
echo "[4/5] Creating self-signed non-CA certificate with serial number 0..."
openssl req -x509 -newkey rsa:2048 -keyout selfsigned_nonca_serial0_key.tmp \
-out selfsigned_nonca_serial0.pem -days 3650 -nodes \
-subj "/CN=Self-Signed Non-CA Serial 0/O=wolfSSL Test/C=US" \
-set_serial 0 \
-addext "basicConstraints=CA:FALSE" \
-addext "keyUsage=digitalSignature,keyEncipherment"
rm -f selfsigned_nonca_serial0_key.tmp
echo " Self-signed non-CA cert serial number:"
openssl x509 -in selfsigned_nonca_serial0.pem -noout -serial
# 5. Create intermediate CA cert with serial 0, signed by root_serial0
# (CA:TRUE but issuer != subject, so cert->selfSigned will be 0).
echo ""
echo "[5/5] Creating intermediate CA certificate with serial number 0..."
openssl req -newkey rsa:2048 -keyout intermediate_serial0_key.tmp \
-out intermediate_serial0.csr.tmp -nodes \
-subj "/CN=Intermediate CA Serial 0/O=wolfSSL Test/C=US"
openssl x509 -req -in intermediate_serial0.csr.tmp \
-CA root_serial0.pem -CAkey root_serial0_key.pem \
-out intermediate_serial0.pem -days 3650 -set_serial 0 \
-extfile <(echo "basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign")
rm -f intermediate_serial0_key.tmp intermediate_serial0.csr.tmp
echo " Intermediate CA cert serial number:"
openssl x509 -in intermediate_serial0.pem -noout -serial
echo ""
echo "==================================================="
echo "Certificate generation complete!"
echo "==================================================="