mirror of
https://github.com/wolfSSL/wolfssl.git
synced 2026-07-09 02:40:53 +02:00
98 lines
3.7 KiB
Bash
Executable File
98 lines
3.7 KiB
Bash
Executable File
#!/bin/sh
|
|
|
|
# Create a minimal openssl config for `openssl req`. All DN fields come from
|
|
# -subj, but openssl req still requires a [distinguished_name] section to
|
|
# exist in the config. Using this temp file avoids relying on the system
|
|
# openssl.cnf (which may not exist when testing with a custom OpenSSL build).
|
|
WOLF_REQ_CONF=$(mktemp)
|
|
printf '[req]\ndistinguished_name=req_dn\n[req_dn]\n' > "$WOLF_REQ_CONF"
|
|
trap 'rm -f "$WOLF_REQ_CONF"' EXIT
|
|
|
|
# $1 cert, $2 name, $3 ca, $4 extensions, $5 serial
|
|
update_cert(){
|
|
|
|
openssl req \
|
|
-new \
|
|
-config "$WOLF_REQ_CONF" \
|
|
-key $1-key.pem \
|
|
-out $1-cert.csr \
|
|
-subj "/C=US/ST=Washington/L=Seattle/O=wolfSSL/OU=Engineering/CN=$2/emailAddress=facts@wolfssl.com"
|
|
|
|
openssl x509 \
|
|
-req -in $1-cert.csr \
|
|
-extfile $6 \
|
|
-extensions $4 \
|
|
-days 1000 \
|
|
-CA $3-cert.pem \
|
|
-CAkey $3-key.pem \
|
|
-set_serial $5 \
|
|
-out $1-cert.pem \
|
|
-sha256
|
|
|
|
rm $1-cert.csr
|
|
openssl x509 -in $1-cert.pem -text > $1_tmp.pem
|
|
mv $1_tmp.pem $1-cert.pem
|
|
cat $3-cert.pem >> $1-cert.pem
|
|
}
|
|
|
|
|
|
|
|
printf '%s\n' "Using CNF: $1"
|
|
|
|
openssl req \
|
|
-new \
|
|
-config "$WOLF_REQ_CONF" \
|
|
-key root-ca-key.pem \
|
|
-out root-ca-cert.csr \
|
|
-subj "/C=US/ST=Washington/L=Seattle/O=wolfSSL/OU=Engineering/CN=wolfSSL root CA/emailAddress=facts@wolfssl.com"
|
|
|
|
openssl x509 \
|
|
-req -in root-ca-cert.csr \
|
|
-extfile $1 \
|
|
-extensions v3_ca \
|
|
-days 1000 \
|
|
-signkey root-ca-key.pem \
|
|
-set_serial 99 \
|
|
-out root-ca-cert.pem \
|
|
-sha256
|
|
|
|
rm root-ca-cert.csr
|
|
openssl x509 -in root-ca-cert.pem -text > tmp.pem
|
|
mv tmp.pem root-ca-cert.pem
|
|
|
|
# imposter-root-ca: self-signed cert sharing the legitimate root-ca DN but
|
|
# with a different key. Used to test that OCSP responder authorization is
|
|
# bound to the CertID issuerKeyHash, not just the issuer name.
|
|
openssl req \
|
|
-new \
|
|
-config "$WOLF_REQ_CONF" \
|
|
-key imposter-root-ca-key.pem \
|
|
-out imposter-root-ca-cert.csr \
|
|
-subj "/C=US/ST=Washington/L=Seattle/O=wolfSSL/OU=Engineering/CN=wolfSSL root CA/emailAddress=facts@wolfssl.com"
|
|
|
|
openssl x509 \
|
|
-req -in imposter-root-ca-cert.csr \
|
|
-extfile $1 \
|
|
-extensions v3_ca \
|
|
-days 1000 \
|
|
-signkey imposter-root-ca-key.pem \
|
|
-set_serial 199 \
|
|
-out imposter-root-ca-cert.pem \
|
|
-sha256
|
|
|
|
rm imposter-root-ca-cert.csr
|
|
openssl x509 -in imposter-root-ca-cert.pem -text > imposter-root-ca-cert_tmp.pem
|
|
mv imposter-root-ca-cert_tmp.pem imposter-root-ca-cert.pem
|
|
|
|
update_cert intermediate1-ca "wolfSSL intermediate CA 1" root-ca v3_ca 01 $1
|
|
update_cert intermediate2-ca "wolfSSL intermediate CA 2" root-ca v3_ca 02 $1
|
|
update_cert intermediate3-ca "wolfSSL REVOKED intermediate CA" root-ca v3_ca 03 $1 # REVOKED
|
|
|
|
update_cert ocsp-responder "wolfSSL OCSP Responder" root-ca v3_ocsp 04 $1
|
|
|
|
update_cert server1 "www1.wolfssl.com" intermediate1-ca v3_req1 05 $1
|
|
update_cert server2 "www2.wolfssl.com" intermediate1-ca v3_req1 06 $1 # REVOKED
|
|
update_cert server3 "www3.wolfssl.com" intermediate2-ca v3_req2 07 $1
|
|
update_cert server4 "www4.wolfssl.com" intermediate2-ca v3_req2 08 $1 # REVOKED
|
|
update_cert server5 "www5.wolfssl.com" intermediate3-ca v3_req3 09 $1
|