  1. #!/bin/bash
  2. # gencrls, crl config already done, see taoCerts.txt for setup
#######################################
# Report the outcome of the previous step and abort the script on failure.
# Arguments: $1 - exit status of the command just run (pass "$?")
# Outputs:   one status line on stdout
# Returns:   0 when $1 is 0; otherwise exits the script with status 1
#            (the EXIT trap installed below still runs on that exit)
#######################################
check_result() {
  local rc=$1
  if [[ "$rc" -eq 0 ]]; then
    echo "Step Succeeded!"
    return 0
  fi
  echo "Step failed, Abort"
  exit 1
}
#######################################
# Create the scratch CA state (demoCA/, index and crlnumber files) that the
# openssl ca -revoke / -gencrl steps below need.
# NOTE(review): both ./X and ../crl/X are created; if the script is run from
# certs/crl those resolve to the same file and crlnumber gets "01" appended
# twice -- confirm the intended working directory.
# Outputs:   progress message on stdout
# Returns:   0 on success; exits 1 on the first mkdir/touch/write failure
#######################################
setup_files() {
  local f
  echo "setting up the file system for generating the crls..."
  echo ""
  mkdir demoCA || exit 1
  # Empty CA database and CRL-number files, local copy and ../crl copy.
  for f in ./demoCA/index.txt ./index.txt ../crl/index.txt ./crlnumber ../crl/crlnumber; do
    touch "$f" || exit 1
  done
  # Seed the CRL serial counter (appends, so a stale file keeps old lines).
  printf '01\n' >> crlnumber || exit 1
  printf '01\n' >> ../crl/crlnumber || exit 1
  # blank.index.txt is copied over demoCA/index.txt between revocations.
  for f in ./blank.index.txt ./demoCA/index.txt.attr ../crl/index.txt.attr; do
    touch "$f" || exit 1
  done
}
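#######################################
# EXIT trap: remove the scratch CA state created by setup_files.
# Exits with the status the script had when the trap fired, so a failed
# step (check_result's "exit 1") is no longer masked: the previous version
# ended with "exit 0", which made every run report success.
# Outputs:   summary of removed files on stdout
# Returns:   does not return; exits 1 if a removal fails, otherwise with
#            the status saved on entry
#######################################
cleanup_files() {
  # Capture before any command in this body overwrites it.
  local status=$?
  rm -- blank.index.txt || exit 1
  rm -- index.* || exit 1
  rm -- crlnumber* || exit 1
  rm -rf -- demoCA || exit 1
  # Message lists only what the commands above actually remove.
  echo "Removed blank.index.txt, index.*, crlnumber*, demoCA/"
  echo ""
  exit "$status"
}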
  37. trap cleanup_files EXIT
  38. #setup the files
  39. setup_files
  40. # caCrl
  41. # revoke server-revoked-cert.pem
  42. echo "Step 1"
  43. openssl ca -config ../renewcerts/wolfssl.cnf -gencrl -crldays 1000 -out crl2.pem -keyfile ../client-key.pem -cert ../client-cert.pem
  44. check_result $?
  45. echo "Step 2"
  46. openssl ca -config ../renewcerts/wolfssl.cnf -revoke ../server-revoked-cert.pem -keyfile ../ca-key.pem -cert ../ca-cert.pem
  47. check_result $?
  48. echo "Step 3"
  49. openssl ca -config ../renewcerts/wolfssl.cnf -gencrl -crldays 1000 -out crl.pem -keyfile ../ca-key.pem -cert ../ca-cert.pem
  50. check_result $?
  51. # metadata
  52. echo "Step 4"
  53. openssl crl -in crl.pem -text > tmp
  54. check_result $?
  55. mv tmp crl.pem
  56. # install (only needed if working outside wolfssl)
  57. #cp crl.pem ~/wolfssl/certs/crl/crl.pem
  58. # crl2 create
  59. echo "Step 5"
  60. openssl crl -in crl.pem -text > tmp
  61. check_result $?
  62. echo "Step 6"
  63. openssl crl -in crl2.pem -text >> tmp
  64. check_result $?
  65. mv tmp crl2.pem
  66. # caCrl server revoked
  67. echo "Step 7"
  68. openssl ca -config ../renewcerts/wolfssl.cnf -revoke ../server-cert.pem -keyfile ../ca-key.pem -cert ../ca-cert.pem
  69. check_result $?
  70. # caCrl server revoked generation
  71. echo "Step 8"
  72. openssl ca -config ../renewcerts/wolfssl.cnf -gencrl -crldays 1000 -out crl.revoked -keyfile ../ca-key.pem -cert ../ca-cert.pem
  73. check_result $?
  74. # metadata
  75. echo "Step 9"
  76. openssl crl -in crl.revoked -text > tmp
  77. check_result $?
  78. mv tmp crl.revoked
  79. # install (only needed if working outside wolfssl)
  80. #cp crl.revoked ~/wolfssl/certs/crl/crl.revoked
  81. # remove revoked so next time through the normal CA won't have server revoked
  82. cp blank.index.txt demoCA/index.txt
  83. # revoke the general server cert
  84. echo "Step 10"
  85. openssl ca -config ../renewcerts/wolfssl.cnf -revoke ../server-cert.pem -keyfile ../ca-key.pem -cert ../ca-cert.pem
  86. check_result $?
  87. echo "Step 11"
  88. openssl ca -config ../renewcerts/wolfssl.cnf -gencrl -crldays 1000 -out extra-crls/general-server-crl.pem -keyfile ../ca-key.pem -cert ../ca-cert.pem
  89. check_result $?
  90. # remove revoked so next time through the normal CA won't have server revoked
  91. cp blank.index.txt demoCA/index.txt
  92. echo "Step 12"
  93. # revoke an intermediate cert
  94. openssl ca -config ../renewcerts/wolfssl.cnf -revoke ../intermediate/ca-int-cert.pem -keyfile ../ca-key.pem -cert ../ca-cert.pem
  95. openssl ca -config ../renewcerts/wolfssl.cnf -gencrl -crldays 1000 -out extra-crls/ca-int-cert-revoked.pem -keyfile ../ca-key.pem -cert ../ca-cert.pem
  96. # remove revoked so next time through the normal CA won't have server revoked
  97. cp blank.index.txt demoCA/index.txt
  98. # caEccCrl
  99. echo "Step 13"
  100. openssl ca -config ../renewcerts/wolfssl.cnf -revoke ../server-revoked-cert.pem -keyfile ../ca-ecc-key.pem -cert ../ca-ecc-cert.pem
  101. check_result $?
  102. echo "Step 14"
  103. openssl ca -config ../renewcerts/wolfssl.cnf -gencrl -crldays 1000 -out caEccCrl.pem -keyfile ../ca-ecc-key.pem -cert ../ca-ecc-cert.pem
  104. check_result $?
  105. # metadata
  106. echo "Step 15"
  107. openssl crl -in caEccCrl.pem -text > tmp
  108. check_result $?
  109. mv tmp caEccCrl.pem
  110. # install (only needed if working outside wolfssl)
  111. #cp caEccCrl.pem ~/wolfssl/certs/crl/caEccCrl.pem
  112. # caEcc384Crl
  113. # server-revoked-cert.pem is already revoked in Step 10
  114. #openssl ca -config ../renewcerts/wolfssl.cnf -revoke ../server-revoked-cert.pem -keyfile ../ca-ecc384-key.pem -cert ../ca-ecc384-cert.pem
  115. echo "Step 16"
  116. openssl ca -config ../renewcerts/wolfssl.cnf -gencrl -crldays 1000 -out caEcc384Crl.pem -keyfile ../ca-ecc384-key.pem -cert ../ca-ecc384-cert.pem
  117. check_result $?
  118. # metadata
  119. echo "Step 17"
  120. openssl crl -in caEcc384Crl.pem -text > tmp
  121. check_result $?
  122. mv tmp caEcc384Crl.pem
  123. # install (only needed if working outside wolfssl)
  124. #cp caEcc384Crl.pem ~/wolfssl/certs/crl/caEcc384Crl.pem
  125. # cliCrl
  126. echo "Step 18"
  127. openssl ca -config ../renewcerts/wolfssl.cnf -gencrl -crldays 1000 -out cliCrl.pem -keyfile ../client-key.pem -cert ../client-cert.pem
  128. check_result $?
  129. # metadata
  130. echo "Step 19"
  131. openssl crl -in cliCrl.pem -text > tmp
  132. check_result $?
  133. mv tmp cliCrl.pem
  134. # install (only needed if working outside wolfssl)
  135. #cp cliCrl.pem ~/wolfssl/certs/crl/cliCrl.pem
  136. # eccCliCRL
  137. echo "Step 20"
  138. openssl ca -config ../renewcerts/wolfssl.cnf -gencrl -crldays 1000 -out eccCliCRL.pem -keyfile ../ecc-client-key.pem -cert ../client-ecc-cert.pem
  139. check_result $?
  140. # metadata
  141. echo "Step 21"
  142. openssl crl -in eccCliCRL.pem -text > tmp
  143. check_result $?
  144. mv tmp eccCliCRL.pem
  145. # install (only needed if working outside wolfssl)
  146. #cp eccCliCRL.pem ~/wolfssl/certs/crl/eccCliCRL.pem
  147. # eccSrvCRL
  148. echo "Step 22"
  149. openssl ca -config ../renewcerts/wolfssl.cnf -gencrl -crldays 1000 -out eccSrvCRL.pem -keyfile ../ecc-key.pem -cert ../server-ecc.pem
  150. check_result $?
  151. # metadata
  152. echo "Step 23"
  153. openssl crl -in eccSrvCRL.pem -text > tmp
  154. check_result $?
  155. mv tmp eccSrvCRL.pem
  156. # install (only needed if working outside wolfssl)
  157. #cp eccSrvCRL.pem ~/wolfssl/certs/crl/eccSrvCRL.pem
  158. # caEccCrl
  159. echo "Step 24"
  160. openssl ca -config ./wolfssl.cnf -gencrl -crldays 1000 -out caEccCrl.pem -keyfile ../ca-ecc-key.pem -cert ../ca-ecc-cert.pem
  161. check_result $?
  162. # ca-ecc384-cert
  163. echo "Step 25"
  164. openssl ca -config ./wolfssl.cnf -gencrl -crldays 1000 -out caEcc384Crl.pem -keyfile ../ca-ecc384-key.pem -cert ../ca-ecc384-cert.pem
  165. check_result $?
  166. # create crl and crl2 der files for unit test
  167. echo "Step 26"
  168. openssl crl -in crl.pem -inform PEM -out crl.der -outform DER
  169. openssl crl -in crl2.pem -inform PEM -out crl2.der -outform DER
  170. # clear state for RSA-PSS revoke
  171. cp blank.index.txt demoCA/index.txt
  172. echo "Step 27 RSA-PSS revoke"
  173. openssl ca -config ../renewcerts/wolfssl.cnf -revoke ../rsapss/server-rsapss.pem -keyfile ../rsapss/ca-rsapss-priv.pem -cert ../rsapss/ca-rsapss.pem
  174. check_result $?
  175. echo "Step 28 RSA-PSS"
  176. openssl ca -config ../renewcerts/wolfssl.cnf -gencrl -crldays 1000 -out crl_rsapss.pem -keyfile ../rsapss/ca-rsapss-priv.pem -cert ../rsapss/ca-rsapss.pem
  177. check_result $?
  178. # metadata
  179. echo "Step 29"
  180. openssl crl -in crl_rsapss.pem -text > tmp
  181. check_result $?
  182. mv tmp crl_rsapss.pem
  183. exit 0