2
0

make_certs.sh 7.7 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174
  1. #!/bin/sh
  2. #
  3. # Copyright (c) 2007, Cameron Rich
  4. #
  5. # All rights reserved.
  6. #
  7. # Redistribution and use in source and binary forms, with or without
  8. # modification, are permitted provided that the following conditions are met:
  9. #
  10. # * Redistributions of source code must retain the above copyright notice,
  11. # this list of conditions and the following disclaimer.
  12. # * Redistributions in binary form must reproduce the above copyright
  13. # notice, this list of conditions and the following disclaimer in the
  14. # documentation and/or other materials provided with the distribution.
  15. # * Neither the name of the axTLS project nor the names of its
  16. # contributors may be used to endorse or promote products derived
  17. # from this software without specific prior written permission.
  18. #
  19. # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
  20. # "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
  21. # LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
  22. # A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR
  23. # CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
  24. # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
  25. # TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
  26. # DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
  27. # OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
  28. # NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
  29. # THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  30. #
  31. #
  32. # Generate the certificates and keys for testing.
  33. #
  34. PROJECT_NAME="axTLS Project"
  35. # Generate the openssl configuration files.
  36. cat > ca_cert.conf << EOF
  37. [ req ]
  38. distinguished_name = req_distinguished_name
  39. prompt = no
  40. [ req_distinguished_name ]
  41. O = $PROJECT_NAME Dodgy Certificate Authority
  42. EOF
  43. cat > certs.conf << EOF
  44. [ req ]
  45. distinguished_name = req_distinguished_name
  46. prompt = no
  47. [ req_distinguished_name ]
  48. O = $PROJECT_NAME
  49. CN = 127.0.0.1
  50. EOF
  51. cat > device_cert.conf << EOF
  52. [ req ]
  53. distinguished_name = req_distinguished_name
  54. prompt = no
  55. [ req_distinguished_name ]
  56. O = $PROJECT_NAME Device Certificate
  57. EOF
  58. # private key generation
  59. openssl genrsa -out axTLS.ca_key.pem 1024
  60. openssl genrsa -out axTLS.key_512.pem 512
  61. openssl genrsa -out axTLS.key_1024.pem 1024
  62. openssl genrsa -out axTLS.key_2048.pem 2048
  63. openssl genrsa -out axTLS.key_4096.pem 4096
  64. openssl genrsa -out axTLS.device_key.pem 1024
  65. openssl genrsa -aes128 -passout pass:abcd -out axTLS.key_aes128.pem 512
  66. openssl genrsa -aes256 -passout pass:abcd -out axTLS.key_aes256.pem 512
  67. # convert private keys into DER format
  68. openssl rsa -in axTLS.key_512.pem -out axTLS.key_512 -outform DER
  69. openssl rsa -in axTLS.key_1024.pem -out axTLS.key_1024 -outform DER
  70. openssl rsa -in axTLS.key_2048.pem -out axTLS.key_2048 -outform DER
  71. openssl rsa -in axTLS.key_4096.pem -out axTLS.key_4096 -outform DER
  72. openssl rsa -in axTLS.device_key.pem -out axTLS.device_key -outform DER
  73. # cert requests
  74. openssl req -out axTLS.ca_x509.req -key axTLS.ca_key.pem -new \
  75. -config ./ca_cert.conf
  76. openssl req -out axTLS.x509_512.req -key axTLS.key_512.pem -new \
  77. -config ./certs.conf
  78. openssl req -out axTLS.x509_1024.req -key axTLS.key_1024.pem -new \
  79. -config ./certs.conf
  80. openssl req -out axTLS.x509_2048.req -key axTLS.key_2048.pem -new \
  81. -config ./certs.conf
  82. openssl req -out axTLS.x509_4096.req -key axTLS.key_4096.pem -new \
  83. -config ./certs.conf
  84. openssl req -out axTLS.x509_device.req -key axTLS.device_key.pem -new \
  85. -config ./device_cert.conf
  86. openssl req -out axTLS.x509_aes128.req -key axTLS.key_aes128.pem \
  87. -new -config ./certs.conf -passin pass:abcd
  88. openssl req -out axTLS.x509_aes256.req -key axTLS.key_aes256.pem \
  89. -new -config ./certs.conf -passin pass:abcd
  90. # generate the actual certs.
  91. openssl x509 -req -in axTLS.ca_x509.req -out axTLS.ca_x509.pem \
  92. -sha1 -days 10000 -signkey axTLS.ca_key.pem
  93. openssl x509 -req -in axTLS.x509_512.req -out axTLS.x509_512.pem \
  94. -sha1 -CAcreateserial -days 10000 \
  95. -CA axTLS.ca_x509.pem -CAkey axTLS.ca_key.pem
  96. openssl x509 -req -in axTLS.x509_1024.req -out axTLS.x509_1024.pem \
  97. -sha1 -CAcreateserial -days 10000 \
  98. -CA axTLS.ca_x509.pem -CAkey axTLS.ca_key.pem
  99. openssl x509 -req -in axTLS.x509_2048.req -out axTLS.x509_2048.pem \
  100. -md5 -CAcreateserial -days 10000 \
  101. -CA axTLS.ca_x509.pem -CAkey axTLS.ca_key.pem
  102. openssl x509 -req -in axTLS.x509_4096.req -out axTLS.x509_4096.pem \
  103. -md5 -CAcreateserial -days 10000 \
  104. -CA axTLS.ca_x509.pem -CAkey axTLS.ca_key.pem
  105. openssl x509 -req -in axTLS.x509_device.req -out axTLS.x509_device.pem \
  106. -sha1 -CAcreateserial -days 10000 \
  107. -CA axTLS.x509_512.pem -CAkey axTLS.key_512.pem
  108. openssl x509 -req -in axTLS.x509_aes128.req \
  109. -out axTLS.x509_aes128.pem \
  110. -sha1 -CAcreateserial -days 10000 \
  111. -CA axTLS.ca_x509.pem -CAkey axTLS.ca_key.pem
  112. openssl x509 -req -in axTLS.x509_aes256.req \
  113. -out axTLS.x509_aes256.pem \
  114. -sha1 -CAcreateserial -days 10000 \
  115. -CA axTLS.ca_x509.pem -CAkey axTLS.ca_key.pem
  116. # note: must be root to do this
  117. DATE_NOW=`date`
  118. if date -s "Jan 1 2025"; then
  119. openssl x509 -req -in axTLS.x509_512.req -out axTLS.x509_bad_before.pem \
  120. -sha1 -CAcreateserial -days 365 \
  121. -CA axTLS.ca_x509.pem -CAkey axTLS.ca_key.pem
  122. date -s "$DATE_NOW"
  123. touch axTLS.x509_bad_before.pem
  124. fi
  125. openssl x509 -req -in axTLS.x509_512.req -out axTLS.x509_bad_after.pem \
  126. -sha1 -CAcreateserial -days -365 \
  127. -CA axTLS.ca_x509.pem -CAkey axTLS.ca_key.pem
  128. # some cleanup
  129. rm axTLS*.req
  130. rm axTLS.srl
  131. rm *.conf
  132. # need this for the client tests
  133. openssl x509 -in axTLS.ca_x509.pem -outform DER -out axTLS.ca_x509.cer
  134. openssl x509 -in axTLS.x509_512.pem -outform DER -out axTLS.x509_512.cer
  135. openssl x509 -in axTLS.x509_1024.pem -outform DER -out axTLS.x509_1024.cer
  136. openssl x509 -in axTLS.x509_2048.pem -outform DER -out axTLS.x509_2048.cer
  137. openssl x509 -in axTLS.x509_4096.pem -outform DER -out axTLS.x509_4096.cer
  138. openssl x509 -in axTLS.x509_device.pem -outform DER -out axTLS.x509_device.cer
  139. # generate pkcs8 files (use RC4-128 for encryption)
  140. openssl pkcs8 -in axTLS.key_512.pem -passout pass:abcd -topk8 -v1 PBE-SHA1-RC4-128 -out axTLS.encrypted_pem.p8
  141. openssl pkcs8 -in axTLS.key_512.pem -passout pass:abcd -topk8 -outform DER -v1 PBE-SHA1-RC4-128 -out axTLS.encrypted.p8
  142. openssl pkcs8 -in axTLS.key_512.pem -nocrypt -topk8 -out axTLS.unencrypted_pem.p8
  143. openssl pkcs8 -in axTLS.key_512.pem -nocrypt -topk8 -outform DER -out axTLS.unencrypted.p8
  144. # generate pkcs12 files (use RC4-128 for encryption)
  145. openssl pkcs12 -export -in axTLS.x509_1024.pem -inkey axTLS.key_1024.pem -certfile axTLS.ca_x509.pem -keypbe PBE-SHA1-RC4-128 -certpbe PBE-SHA1-RC4-128 -name "p12_with_CA" -out axTLS.withCA.p12 -password pass:abcd
  146. openssl pkcs12 -export -in axTLS.x509_1024.pem -inkey axTLS.key_1024.pem -keypbe PBE-SHA1-RC4-128 -certpbe PBE-SHA1-RC4-128 -name "p12_without_CA" -out axTLS.withoutCA.p12 -password pass:abcd
  147. openssl pkcs12 -export -in axTLS.x509_1024.pem -inkey axTLS.key_1024.pem -keypbe PBE-SHA1-RC4-128 -certpbe PBE-SHA1-RC4-128 -out axTLS.noname.p12 -password pass:abcd
  148. # PEM certificate chain
  149. cat axTLS.ca_x509.pem >> axTLS.x509_device.pem
  150. # set default key/cert for use in the server
  151. xxd -i axTLS.x509_1024.cer | sed -e \
  152. "s/axTLS_x509_1024_cer/default_certificate/" > ../../ssl/cert.h
  153. xxd -i axTLS.key_1024 | sed -e \
  154. "s/axTLS_key_1024/default_private_key/" > ../../ssl/private_key.h