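#!/bin/sh
# Abort the whole script when the previous step failed.
# Arguments: $1 - exit status of the step just run (callers pass "$?")
# Outputs:   "Step Succeeded!" on stdout, or the abort message on stderr
# Returns:   0 when $1 is 0; otherwise exits the script with status 1
check_result() {
  # A missing, empty or non-numeric status is treated as a failure, so a
  # broken call site cannot be reported as a passed step.
  if [ "${1:-1}" -eq 0 ]; then
    echo "Step Succeeded!"
  else
    echo "Step Failed, Abort" >&2
    exit 1
  fi
}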
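# Write the openssl configuration used to create one test certificate.
# Arguments: $1 - output base name; "$1".conf is (over)written
#            $2 - subject common name (CN)
#            $3 - subject alternative name, empty for none. Any non-empty
#                 value counts (a literal "0" is a SAN too). A value
#                 containing "DER" is written verbatim as subjectAltName;
#                 anything else becomes DNS.1 in an [alt_names] section.
#            $4 - non-empty to emit basicConstraints=CA:true,pathlen:0
# Outputs:   "$1".conf
# Returns:   status of the single redirection (non-zero if unwritable)
build_test_cert_conf() {
  # One redirection for the whole file instead of reopening it per line.
  {
    printf '%s\n' "# Generated openssl conf" ""
    printf '%s\n' "[ ca ]" "default_ca = CA_default" "[ CA_default ]"
    printf '%s\n' "certificate = ../ca-cert.pem" "database = ./index.txt" \
      "new_certs_dir = ./certs" "private_key = ./private/cakey.pem" \
      "serial = ./serial" "default_md = sha256" "default_days = 1000" \
      "policy = default_ca_policy" ""
    printf '%s\n' "[ default_ca_policy ]" "commonName = supplied" \
      "stateOrProvinceName = supplied" "countryName = supplied" \
      "emailAddress = supplied" "organizationName = optional" \
      "organizationalUnitName = optional" ""
    printf '%s\n' "[ req ]" "prompt = no" "default_bits = 2048" \
      "distinguished_name = req_distinguished_name"
    if [ -n "$3" ]; then
      printf '%s\n' "req_extensions = req_ext"
    fi
    if [ -n "$4" ]; then
      # NOTE(review): this line lands inside [ req ]; confirm that the
      # openssl ca / x509 callers actually pick it up as an extension.
      printf '%s\n' "basicConstraints=CA:true,pathlen:0" ""
    fi
    printf '%s\n' "" "[ req_distinguished_name ]" "C = US" "ST = Montana" \
      "L = Bozeman" "OU = Engineering" "CN = $2" \
      "emailAddress = info@wolfssl.com" ""
    if [ -n "$3" ]; then
      printf '%s\n' "[ req_ext ]"
      case "$3" in
        *DER*)
          # Raw DER supplied by the caller: hand it to openssl unchanged.
          printf '%s\n' "subjectAltName = $3"
          ;;
        *)
          printf '%s\n' "subjectAltName = @alt_names" "[alt_names]" "DNS.1 = $3"
          ;;
      esac
    fi
  } > "$1".conf
}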
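# Create one self-signed test certificate (PEM plus DER) from ../server-key.pem.
# Arguments: $1 - output base name; "$1".pem and "$1".der are produced
#            $2 - subject common name (CN)
#            $3 - subject alternative name, empty for none (see build_test_cert_conf)
#            $4 - non-empty to also produce a CRL as ../crl/"$1"Crl.pem
# Globals:   reads ../server-key.pem and ../renewcerts/wolfssl.cnf; uses
#            ../crl as scratch space when $4 is set
# Outputs:   progress lines on stdout; aborts via check_result on any failure
# Note:      $4 is not forwarded to build_test_cert_conf, so no
#            basicConstraints is emitted for these certificates.
generate_test_cert() {
  # -f: the previous outputs need not exist on a fresh tree.
  rm -f -- "$1".der "$1".pem
  echo "step 1 create configuration"
  build_test_cert_conf "$1" "$2" "$3"
  check_result $?
  echo "step 2 create csr"
  openssl req -new -sha256 -out "$1".csr -key ../server-key.pem -config "$1".conf
  check_result $?
  echo "step 3 check csr"
  openssl req -text -noout -in "$1".csr -config "$1".conf
  check_result $?
  echo "step 4 create cert"
  if [ -z "$3" ]; then
    # No SAN requested: the conf has no req_ext section to pull from.
    openssl x509 -req -days 1000 -sha256 \
      -in "$1".csr -signkey ../server-key.pem \
      -out "$1".pem -extfile "$1".conf
  else
    openssl x509 -req -days 1000 -sha256 \
      -in "$1".csr -signkey ../server-key.pem \
      -out "$1".pem -extensions req_ext -extfile "$1".conf
  fi
  check_result $?
  rm -f -- "$1".conf "$1".csr
  if [ -n "$4" ]; then
    echo "step 5 generate crl"
    # openssl ca needs a scratch index and crl number; they are removed below.
    mkdir -p ../crl/demoCA
    touch ../crl/demoCA/index.txt
    touch ../crl/demoCA/index.txt.attr
    echo "01" > ../crl/crlnumber
    openssl ca -config ../renewcerts/wolfssl.cnf -gencrl -crldays 1000 \
      -out crl.revoked -keyfile ../server-key.pem -cert "$1".pem
    check_result $?
    rm -f -- ../crl/"$1"Crl.pem
    openssl crl -in crl.revoked -text > tmp.pem
    check_result $?
    mv tmp.pem ../crl/"$1"Crl.pem
    rm -f -- crl.revoked
    rm -rf ../crl/demoCA #cleans up index.txt and index.txt.attr
    rm -f -- ../crl/crlnumber*
  fi
  echo "step 6 add cert text information to pem"
  # Prepend the human-readable dump to the PEM body.
  openssl x509 -inform pem -in "$1".pem -text > tmp.pem
  check_result $?
  mv tmp.pem "$1".pem
  echo "step 7 make binary der version"
  openssl x509 -inform pem -in "$1".pem -outform der -out "$1".der
  check_result $?
}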
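# Create an already-expired certificate (PEM plus DER) with "openssl ca -selfsign".
# Arguments: $1 - output base name; "$1".pem and "$1".der are produced
#            $2 - private key file used to sign
#            $3 - non-empty to emit basicConstraints=CA:true,pathlen:0
# Globals:   reads ../renewcerts/wolfssl.cnf; creates and removes ./certs,
#            ./index.txt* and ./serial* in the current directory
# Outputs:   progress lines on stdout; aborts via check_result on any failure
generate_expired_certs() {
  # -f: the previous outputs need not exist on a fresh tree.
  rm -f -- "$1".der "$1".pem
  # Scratch CA database that the generated [ CA_default ] section points at.
  mkdir -p certs
  touch ./index.txt
  touch ./index.txt.attr
  echo 1000 > ./serial
  echo "step 1 create configuration"
  # NOTE(review): the literal 0 is passed as the AltName argument, which
  # build_test_cert_conf treats as a non-empty SAN (DNS.1 = 0) — confirm
  # this is intended for the expired certificates.
  build_test_cert_conf "$1" www.wolfssl.com 0 "$3"
  check_result $?
  echo "step 2 create csr"
  openssl req -new -sha256 -out "$1".csr -key "$2" -config "$1".conf
  check_result $?
  echo "step 3 check csr"
  openssl req -text -noout -in "$1".csr -config "$1".conf
  check_result $?
  echo "step 4 create cert"
  # The validity window is fixed in 2018, so the result is expired by
  # construction. NOTE(review): -config is given twice; presumably the
  # generated conf wins — confirm against the openssl version in use.
  openssl ca -config ../renewcerts/wolfssl.cnf -selfsign -config "$1".conf \
    -keyfile "$2" -in "$1".csr -out "$1".pem \
    -startdate 20180731000000Z -enddate 20180830000000Z -batch
  check_result $?
  rm -f -- "$1".conf "$1".csr
  echo "step 5 add cert text information to pem"
  openssl x509 -inform pem -in "$1".pem -text > tmp.pem
  check_result $?
  mv tmp.pem "$1".pem
  echo "step 7 make binary der version"
  openssl x509 -inform pem -in "$1".pem -outform der -out "$1".der
  check_result $?
  rm -rf certs
  rm -f -- ./index.txt* ./serial*
}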
  153. # Generate Good CN=localhost, Alt=None
  154. generate_test_cert server-goodcn localhost "" 1
  155. # Generate Good CN=www.nomatch.com, Alt=localhost
  156. generate_test_cert server-goodalt www.nomatch.com localhost 1
  157. # Generate Good CN=*localhost, Alt=None
  158. # Surround "*localhost" with quotes to prevent shell expansion to wildcard
  159. generate_test_cert server-goodcnwild "*localhost" "" 1
  160. # Generate Good CN=www.nomatch.com, Alt=*localhost
  161. # Surround "*localhost" with quotes to prevent shell expansion to wildcard
  162. generate_test_cert server-goodaltwild www.nomatch.com "*localhost" 1
  163. # Generate Bad CN=localhost\0h, Alt=None
  164. # DG: Have not found a way to properly encode null in common name
  165. generate_test_cert server-badcnnull DER:30:0d:82:0b:6c:6f:63:61:6c:68:6f:73:74:00:68
  166. # Generate Bad Name CN=www.nomatch.com, Alt=None
  167. generate_test_cert server-badcn www.nomatch.com
  168. # Generate Bad Alt CN=www.nomatch.com, Alt=localhost\0h
  169. generate_test_cert server-badaltnull www.nomatch.com DER:30:0d:82:0b:6c:6f:63:61:6c:68:6f:73:74:00:68
  170. # Generate Bad Alt Name CN=www.nomatch.com, Alt=www.nomatch.com
  171. generate_test_cert server-badaltname www.nomatch.com www.nomatch.com
  172. # Generate Good Alt Name CN=localhost, Alt=localhost
  173. generate_test_cert server-localhost localhost localhost
  174. # Generate Bad Alt Name CN=localhost, Alt=garbage
  175. generate_test_cert server-garbage localhost garbage
  176. # Generate Expired Certificates
  177. generate_expired_certs expired/expired-ca ../ca-key.pem 1
  178. generate_expired_certs expired/expired-cert ../server-key.pem