123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208 |
- #!/bin/sh
- check_result() {
- if [ $1 -ne 0 ]; then
- echo "Step Failed, Abort"
- exit 1
- else
- echo "Step Succeeded!"
- fi
- }
- build_test_cert_conf() {
- echo "# Generated openssl conf" > "$1".conf
- echo "" >> "$1".conf
- echo "[ ca ]" >> "$1".conf
- echo "default_ca = CA_default" >> "$1".conf
- echo "[ CA_default ]" >> "$1".conf
- echo "certificate = ../ca-cert.pem" >> "$1".conf
- echo "database = ./index.txt" >> "$1".conf
- echo "new_certs_dir = ./certs" >> "$1".conf
- echo "private_key = ./private/cakey.pem" >> "$1".conf
- echo "serial = ./serial" >> "$1".conf
- echo "default_md = sha256" >> "$1".conf
- echo "default_days = 1000" >> "$1".conf
- echo "policy = default_ca_policy" >> "$1".conf
- echo "" >> "$1".conf
- echo "[ default_ca_policy ]" >> "$1".conf
- echo "commonName = supplied" >> "$1".conf
- echo "stateOrProvinceName = supplied" >> "$1".conf
- echo "countryName = supplied" >> "$1".conf
- echo "emailAddress = supplied" >> "$1".conf
- echo "organizationName = optional" >> "$1".conf
- echo "organizationalUnitName = optional" >> "$1".conf
- echo "" >> "$1".conf
- echo "[ req ]" >> "$1".conf
- echo "prompt = no" >> "$1".conf
- echo "default_bits = 2048" >> "$1".conf
- echo "distinguished_name = req_distinguished_name" >> "$1".conf
- if [ -n "$3" ]; then
- echo "req_extensions = req_ext" >> "$1".conf
- fi
- if [ -n "$4" ]; then
- echo "basicConstraints=CA:true,pathlen:0" >> "$1".conf
- echo "" >> "$1".conf
- fi
- echo "" >> "$1".conf
- echo "[ req_distinguished_name ]" >> "$1".conf
- echo "C = US" >> "$1".conf
- echo "ST = Montana" >> "$1".conf
- echo "L = Bozeman" >> "$1".conf
- echo "OU = Engineering" >> "$1".conf
- echo "CN = $2" >> "$1".conf
- echo "emailAddress = info@wolfssl.com" >> "$1".conf
- echo "" >> "$1".conf
- if [ -n "$3" ]; then
- echo "[ req_ext ]" >> "$1".conf
- case "$3" in
- *DER*)
- echo "subjectAltName = $3" >> "$1".conf
- ;;
- *)
- echo "subjectAltName = @alt_names" >> "$1".conf
- echo "[alt_names]" >> "$1".conf
- echo "DNS.1 = $3" >> "$1".conf
- ;;
- esac
- fi
- }
- generate_test_cert() {
- rm "$1".der
- rm "$1".pem
- echo "step 1 create configuration"
- build_test_cert_conf "$1" "$2" "$3"
- check_result $?
- echo "step 2 create csr"
- openssl req -new -sha256 -out "$1".csr -key ../server-key.pem -config "$1".conf
- check_result $?
- echo "step 3 check csr"
- openssl req -text -noout -in "$1".csr -config "$1".conf
- check_result $?
- echo "step 4 create cert"
- if [ "$3" = "" ]; then
- openssl x509 -req -days 1000 -sha256 \
- -in "$1".csr -signkey ../server-key.pem \
- -out "$1".pem -extfile "$1".conf
- else
- openssl x509 -req -days 1000 -sha256 \
- -in "$1".csr -signkey ../server-key.pem \
- -out "$1".pem -extensions req_ext -extfile "$1".conf
- fi
- check_result $?
- rm "$1".conf
- rm "$1".csr
- if [ -n "$4" ]; then
- echo "step 5 generate crl"
- mkdir ../crl/demoCA
- touch ../crl/demoCA/index.txt
- touch ../crl/demoCA/index.txt.attr
- echo "01" > ../crl/crlnumber
- openssl ca -config ../renewcerts/wolfssl.cnf -gencrl -crldays 1000 \
- -out crl.revoked -keyfile ../server-key.pem -cert "$1".pem
- check_result $?
- rm ../crl/"$1"Crl.pem
- openssl crl -in crl.revoked -text > tmp.pem
- check_result $?
- mv tmp.pem ../crl/"$1"Crl.pem
- rm crl.revoked
- rm -rf ../crl/demoCA
- rm ../crl/crlnumber*
- fi
- echo "step 6 add cert text information to pem"
- openssl x509 -inform pem -in "$1".pem -text > tmp.pem
- check_result $?
- mv tmp.pem "$1".pem
- echo "step 7 make binary der version"
- openssl x509 -inform pem -in "$1".pem -outform der -out "$1".der
- check_result $?
- }
- generate_expired_certs() {
- rm "$1".der
- rm "$1".pem
- mkdir -p certs
- touch ./index.txt
- touch ./index.txt.attr
- echo 1000 > ./serial
- echo "step 1 create configuration"
- build_test_cert_conf "$1" www.wolfssl.com 0 "$3"
- check_result $?
- echo "step 2 create csr"
- openssl req -new -sha256 -out "$1".csr -key "$2" -config "$1".conf
- check_result $?
- echo "step 3 check csr"
- openssl req -text -noout -in "$1".csr -config "$1".conf
- check_result $?
- echo "step 4 create cert"
- openssl ca -config ../renewcerts/wolfssl.cnf -selfsign -config "$1".conf \
- -keyfile "$2" -in "$1".csr -out "$1".pem \
- -startdate 20180731000000Z -enddate 20180830000000Z -batch
- check_result $?
- rm "$1".conf
- rm "$1".csr
- echo "step 5 add cert text information to pem"
- openssl x509 -inform pem -in "$1".pem -text > tmp.pem
- check_result $?
- mv tmp.pem "$1".pem
- echo "step 7 make binary der version"
- openssl x509 -inform pem -in "$1".pem -outform der -out "$1".der
- check_result $?
- rm -rf certs
- rm ./index.txt*
- rm ./serial*
- }
- generate_test_cert server-goodcn localhost "" 1
- generate_test_cert server-goodalt www.nomatch.com localhost 1
- generate_test_cert server-goodcnwild "*localhost" "" 1
- generate_test_cert server-goodaltwild www.nomatch.com "*localhost" 1
- generate_test_cert server-badcnnull DER:30:0d:82:0b:6c:6f:63:61:6c:68:6f:73:74:00:68
- generate_test_cert server-badcn www.nomatch.com
- generate_test_cert server-badaltnull www.nomatch.com DER:30:0d:82:0b:6c:6f:63:61:6c:68:6f:73:74:00:68
- generate_test_cert server-badaltname www.nomatch.com www.nomatch.com
- generate_test_cert server-localhost localhost localhost
- generate_test_cert server-garbage localhost garbage
- generate_expired_certs expired/expired-ca ../ca-key.pem 1
- generate_expired_certs expired/expired-cert ../server-key.pem
|