- #!/bin/bash
- # renewcerts.sh
- #
- # renews the following certs:
- # client-cert.pem
- # client-cert.der
- # client-ecc-cert.pem
- # client-ecc-cert.der
- # ca-cert.pem
- # ca-cert.der
- # ca-ecc-cert.pem
- # ca-ecc-cert.der
- # ca-ecc384-cert.pem
- # ca-ecc384-cert.der
- # server-cert.pem
- # server-cert.der
- # server-cert-chain.der
- # server-ecc-rsa.pem
- # server-ecc.pem
- # 1024/client-cert.der
- # 1024/client-cert.pem
- # server-ecc-comp.pem
- # client-ca.pem
- # test/digsigku.pem
- # ecc-privOnlyCert.pem
- # client-uri-cert.pem
- # client-relative-uri.pem
- # client-crl-dist.pem
- # entity-no-ca-bool-cert.pem
- # fpki-cert.der
- # updates the following crls:
- # crl/cliCrl.pem
- # crl/crl.pem
- # crl/crl.revoked
- # crl/eccCliCRL.pem
- # crl/eccSrvCRL.pem
- #
- # pkcs7:
- # test-degenerate.p7b
- ###############################################################################
- ######################## FUNCTIONS SECTION ####################################
- ###############################################################################
- #function for restoring a previous configure state
- restore_config(){
- mv tmp.status config.status
- mv tmp.options.h wolfssl/options.h
- make clean
- make -j 8
- }
- check_result(){
- if [ $1 -ne 0 ]; then
- echo "Failed at \"$2\", Abort"
- exit 1
- else
- echo "Step Succeeded!"
- fi
- }
- #the function that will be called when we are ready to renew the certs.
- run_renewcerts(){
- #call update for some ecc certs
- ./certs/ecc/genecc.sh
- check_result $? "Step 0"
- cd certs/ || { echo "Couldn't cd to certs directory"; exit 1; }
- echo ""
- #move the custom cnf into our working directory
- cp renewcerts/wolfssl.cnf wolfssl.cnf || exit 1
- # To generate these all in sha1 add the flag "-sha1" on appropriate lines
- # That is all lines beginning with: "openssl req"
- ############################################################
- #### update the self-signed (2048-bit) client-uri-cert.pem #
- ############################################################
- echo "Updating 2048-bit client-uri-cert.pem"
- echo ""
- #pipe the following arguments to openssl req...
- echo -e "US\\nMontana\\nBozeman\\nwolfSSL_2048\\nURI\\nwww.wolfssl.com\\ninfo@wolfssl.com\\n.\\n.\\n" | openssl req -new -key client-key.pem -config ./wolfssl.cnf -nodes -out client-cert.csr
- check_result $? "Step 1"
- openssl x509 -req -in client-cert.csr -days 1000 -extfile wolfssl.cnf -extensions uri -signkey client-key.pem -out client-uri-cert.pem
- check_result $? "Step 2"
- rm client-cert.csr
- openssl x509 -in client-uri-cert.pem -text > tmp.pem
- check_result $? "Step 3"
- mv tmp.pem client-uri-cert.pem
- echo "End of section"
- echo "---------------------------------------------------------------------"
- ############################################################
- # Public Versions of client-key.pem
- ############################################################
- openssl rsa -inform pem -in certs/client-key.pem -outform der -out certs/client-keyPub.der -pubout
- openssl rsa -inform pem -in certs/client-key.pem -outform pem -out certs/client-keyPub.pem -pubout
- ############################################################
- # Public Versions of server-key.pem
- ############################################################
- #openssl rsa -inform pem -in certs/server-key.pem -outform der -out certs/server-keyPub.der -pubout
- openssl rsa -inform pem -in certs/server-key.pem -outform pem -out certs/server-keyPub.pem -pubout
- ############################################################
- # Public Versions of ecc-key.pem
- ############################################################
- #openssl ec -inform pem -in certs/ecc-key.pem -outform der -out certs/ecc-keyPub.der -pubout
- openssl ec -inform pem -in certs/ecc-key.pem -outform pem -out certs/ecc-keyPub.pem -pubout
- ############################################################
- #### update the self-signed (2048-bit) client-relative-uri.pem
- ############################################################
- echo "Updating 2048-bit client-relative-uri.pem"
- echo ""
- #pipe the following arguments to openssl req...
- echo -e "US\\nMontana\\nBozeman\\nwolfSSL_2048\\nRELATIVE_URI\\nwww.wolfssl.com\\ninfo@wolfssl.com\\n.\\n.\\n" | openssl req -new -key client-key.pem -config ./wolfssl.cnf -nodes -out client-cert.csr
- check_result $? "Step 1"
- openssl x509 -req -in client-cert.csr -days 1000 -extfile wolfssl.cnf -extensions relative_uri -signkey client-key.pem -out client-relative-uri.pem
- check_result $? "Step 2"
- rm client-cert.csr
- openssl x509 -in client-relative-uri.pem -text > tmp.pem
- check_result $? "Step 3"
- mv tmp.pem client-relative-uri.pem
- echo "End of section"
- echo "---------------------------------------------------------------------"
- ############################################################
- #### update the self-signed (2048-bit) client-cert-ext.pem
- ############################################################
- echo "Updating 2048-bit client-cert-ext.pem"
- echo ""
- #pipe the following arguments to openssl req...
- echo -e "US\\nMontana\\nBozeman\\nwolfSSL_2048\\nProgramming-2048\\nwww.wolfssl.com\\ninfo@wolfssl.com\\n.\\n.\\n" | openssl req -new -key client-key.pem -config ./wolfssl.cnf -nodes -out client-cert.csr
- check_result $? "Step 1"
- openssl x509 -req -in client-cert.csr -days 1000 -extfile wolfssl.cnf -extensions client_cert_ext -signkey client-key.pem -out client-cert-ext.pem
- check_result $? "Step 2"
- rm client-cert.csr
- openssl x509 -in client-cert-ext.pem -outform DER -out client-cert-ext.der
- check_result $? "Step 3"
- openssl x509 -in client-cert-ext.pem -text > tmp.pem
- check_result $? "Step 4"
- mv tmp.pem client-cert-ext.pem
- echo "End of section"
- echo "---------------------------------------------------------------------"
- ############################################################
- #### update the self-signed (2048-bit) client-crl-dist.pem
- ############################################################
- echo "Updating 2048-bit client-crl-dist.pem"
- echo ""
- #pipe the following arguments to openssl req...
- echo -e "US\\nMontana\\nBozeman\\nwolfSSL_2048\\nCRL_DIST\\nwww.wolfssl.com\\ninfo@wolfssl.com\\n.\\n.\\n" | openssl req -new -key client-key.pem -config ./wolfssl.cnf -nodes -out client-cert.csr
- check_result $? "Step 1"
- openssl x509 -req -in client-cert.csr -days 1000 -extfile wolfssl.cnf -extensions crl_dist_points -signkey client-key.pem -out client-crl-dist.pem
- check_result $? "Step 2"
- rm client-cert.csr
- openssl x509 -in client-crl-dist.pem -text > tmp.pem
- check_result $? "Step 3"
- mv tmp.pem client-crl-dist.pem
- openssl x509 -in client-crl-dist.pem -outform der -out client-crl-dist.der
- echo "End of section"
- echo "---------------------------------------------------------------------"
- ############################################################
- #### update the self-signed (2048-bit) client-cert.pem #####
- ############################################################
- echo "Updating 2048-bit client-cert.pem"
- echo ""
- #pipe the following arguments to openssl req...
- echo -e "US\\nMontana\\nBozeman\\nwolfSSL_2048\\nProgramming-2048\\nwww.wolfssl.com\\ninfo@wolfssl.com\\n.\\n.\\n" | openssl req -new -key client-key.pem -config ./wolfssl.cnf -nodes -out client-cert.csr
- check_result $? "Step 1"
- openssl x509 -req -in client-cert.csr -days 1000 -extfile wolfssl.cnf -extensions wolfssl_opts -signkey client-key.pem -out client-cert.pem
- check_result $? "Step 2"
- rm client-cert.csr
- openssl x509 -in client-cert.pem -text > tmp.pem
- check_result $? "Step 3"
- mv tmp.pem client-cert.pem
- echo "End of section"
- echo "---------------------------------------------------------------------"
- ############################################################
- #### update the self-signed (1024-bit) client-cert.pem #####
- ############################################################
- echo "Updating 1024-bit client-cert.pem"
- echo ""
- #pipe the following arguments to openssl req...
- echo -e "US\\nMontana\\nBozeman\\nwolfSSL_1024\\nProgramming-1024\\nwww.wolfssl.com\\ninfo@wolfssl.com\\n.\\n.\\n" | openssl req -new -key ./1024/client-key.pem -config ./wolfssl.cnf -nodes -out ./1024/client-cert.csr
- check_result $? "Step 1"
- openssl x509 -req -in ./1024/client-cert.csr -days 1000 -extfile wolfssl.cnf -extensions wolfssl_opts -signkey ./1024/client-key.pem -out ./1024/client-cert.pem
- check_result $? "Step 2"
- rm ./1024/client-cert.csr
- openssl x509 -in ./1024/client-cert.pem -text > ./1024/tmp.pem
- check_result $? "Step 3"
- mv ./1024/tmp.pem ./1024/client-cert.pem
- echo "End of section"
- echo "---------------------------------------------------------------------"
- ############################################################
- #### update the self-signed (3072-bit) client-cert.pem #####
- ############################################################
- echo "Updating 3072-bit client-cert.pem"
- echo ""
- #pipe the following arguments to openssl req...
- echo -e "US\\nMontana\\nBozeman\\nwolfSSL_3072\\nProgramming-3072\\nwww.wolfssl.com\\ninfo@wolfssl.com\\n.\\n.\\n" | openssl req -new -key ./3072/client-key.pem -config ./wolfssl.cnf -nodes -out ./3072/client-cert.csr
- check_result $? "Step 1"
- openssl x509 -req -in ./3072/client-cert.csr -days 1000 -extfile wolfssl.cnf -extensions wolfssl_opts -signkey ./3072/client-key.pem -out ./3072/client-cert.pem
- check_result $? "Step 2"
- rm ./3072/client-cert.csr
- openssl x509 -in ./3072/client-cert.pem -text > ./3072/tmp.pem
- check_result $? "Step 3"
- mv ./3072/tmp.pem ./3072/client-cert.pem
- openssl rsa -in ./3072/client-key.pem -outform der -out ./3072/client-key.der
- openssl rsa -inform pem -in ./3072/client-key.pem -outform der -out ./3072/client-keyPub.der -pubout
- openssl x509 -in ./3072/client-cert.pem -outform der -out ./3072/client-cert.der
- echo "End of section"
- echo "---------------------------------------------------------------------"
- ############################################################
- #### update the self-signed (4096-bit) client-cert.pem #####
- ############################################################
- echo "Updating 4096-bit client-cert.pem"
- echo ""
- #pipe the following arguments to openssl req...
- echo -e "US\\nMontana\\nBozeman\\nwolfSSL_4096\\nProgramming-4096\\nwww.wolfssl.com\\ninfo@wolfssl.com\\n.\\n.\\n" | openssl req -new -key ./4096/client-key.pem -config ./wolfssl.cnf -nodes -out ./4096/client-cert.csr
- check_result $? "Step 1"
- openssl x509 -req -in ./4096/client-cert.csr -days 1000 -extfile wolfssl.cnf -extensions wolfssl_opts -signkey ./4096/client-key.pem -out ./4096/client-cert.pem
- check_result $? "Step 2"
- rm ./4096/client-cert.csr
- openssl x509 -in ./4096/client-cert.pem -text > ./4096/tmp.pem
- check_result $? "Step 3"
- mv ./4096/tmp.pem ./4096/client-cert.pem
- openssl rsa -in ./4096/client-key.pem -outform der -out ./4096/client-key.der
- openssl rsa -inform pem -in ./4096/client-key.pem -outform der -out ./4096/client-keyPub.der -pubout
- openssl x509 -in ./4096/client-cert.pem -outform der -out ./4096/client-cert.der
- echo "End of section"
- echo "---------------------------------------------------------------------"
- ############################################################
- ########## update the self-signed ca-cert.pem ##############
- ############################################################
- echo "Updating ca-cert.pem"
- echo ""
- #pipe the following arguments to openssl req...
- echo -e "US\\nMontana\\nBozeman\\nSawtooth\\nConsulting\\nwww.wolfssl.com\\ninfo@wolfssl.com\\n.\\n.\\n" | openssl req -new -key ca-key.pem -config ./wolfssl.cnf -nodes -out ca-cert.csr
- check_result $? "Step 1"
- openssl x509 -req -in ca-cert.csr -days 1000 -extfile wolfssl.cnf -extensions wolfssl_opts -signkey ca-key.pem -out ca-cert.pem
- check_result $? "Step 2"
- rm ca-cert.csr
- openssl x509 -in ca-cert.pem -text > tmp.pem
- check_result $? "Step 3"
- mv tmp.pem ca-cert.pem
- echo "End of section"
- echo "---------------------------------------------------------------------"
- ############################################################
- ########## update the self-signed ca-cert-chain.der ########
- ############################################################
- echo "Updating ca-cert-chain.der"
- echo ""
- #pipe the following arguments to openssl req...
- echo -e "US\\nMontana\\nBozeman\\nSawtooth\\nConsulting\\nwww.wolfssl.com\\ninfo@wolfssl.com\\n.\\n.\\n" | openssl req -new -key 1024/ca-key.pem -config ./wolfssl.cnf -nodes -out ca-cert.csr
- check_result $? "Step 1"
- openssl x509 -req -in ca-cert.csr -days 1000 -extfile wolfssl.cnf -extensions wolfssl_opts -signkey 1024/ca-key.pem -outform DER -out ca-cert-chain.der
- check_result $? "Step 2"
- rm ca-cert.csr
- echo "End of section"
- echo "---------------------------------------------------------------------"
- ############################################################
- ########## update the self-signed ca-ecc-cert.pem ##########
- ############################################################
- echo "Updating ca-ecc-cert.pem"
- echo ""
- #pipe the following arguments to openssl req...
- echo -e "US\\nWashington\\nSeattle\\nwolfSSL\\nDevelopment\\nwww.wolfssl.com\\ninfo@wolfssl.com\\n.\\n.\\n" | openssl req -new -key ca-ecc-key.pem -config ./wolfssl.cnf -nodes -out ca-ecc-cert.csr
- check_result $? "Step 1"
- openssl x509 -req -in ca-ecc-cert.csr -days 1000 -extfile wolfssl.cnf -extensions ca_ecc_cert -signkey ca-ecc-key.pem -out ca-ecc-cert.pem
- check_result $? "Step 2"
- rm ca-ecc-cert.csr
- openssl x509 -in ca-ecc-cert.pem -text > tmp.pem
- check_result $? "Step 3"
- mv tmp.pem ca-ecc-cert.pem
- echo "End of section"
- echo "---------------------------------------------------------------------"
- ############################################################
- ########## update the self-signed ca-ecc384-cert.pem #######
- ############################################################
- echo "Updating ca-ecc384-cert.pem"
- echo ""
- #pipe the following arguments to openssl req...
- echo -e "US\\nWashington\\nSeattle\\nwolfSSL\\nDevelopment\\nwww.wolfssl.com\\ninfo@wolfssl.com\\n.\\n.\\n" | openssl req -new -key ca-ecc384-key.pem -config ./wolfssl.cnf -nodes -sha384 -out ca-ecc384-cert.csr
- check_result $? "Step 1"
- openssl x509 -req -in ca-ecc384-cert.csr -days 1000 -extfile wolfssl.cnf -extensions ca_ecc_cert -signkey ca-ecc384-key.pem -sha384 -out ca-ecc384-cert.pem
- check_result $? "Step 2"
- rm ca-ecc384-cert.csr
- openssl x509 -in ca-ecc384-cert.pem -text > tmp.pem
- check_result $? "Step 3"
- mv tmp.pem ca-ecc384-cert.pem
- echo "End of section"
- echo "---------------------------------------------------------------------"
- ############################################################
- ##### update the self-signed (1024-bit) ca-cert.pem ########
- ############################################################
- echo "Updating 1024-bit ca-cert.pem"
- echo ""
- #pipe the following arguments to openssl req...
- echo -e "US\\nMontana\\nBozeman\\nSawtooth\\nConsulting_1024\\nwww.wolfssl.com\\ninfo@wolfssl.com\\n.\\n.\\n" | openssl req -new -key ./1024/ca-key.pem -config ./wolfssl.cnf -nodes -sha1 -out ./1024/ca-cert.csr
- check_result $? "Step 1"
- openssl x509 -req -in ./1024/ca-cert.csr -days 1000 -extfile wolfssl.cnf -extensions wolfssl_opts -signkey ./1024/ca-key.pem -out ./1024/ca-cert.pem
- check_result $? "Step 2"
- rm ./1024/ca-cert.csr
- openssl x509 -in ./1024/ca-cert.pem -text > ./1024/tmp.pem
- check_result $? "Step 3"
- mv ./1024/tmp.pem ./1024/ca-cert.pem
- echo "End of section"
- echo "---------------------------------------------------------------------"
- ###########################################################
- ########## update and sign fpki-cert.der ################
- ###########################################################
- echo "Updating fpki-cert.der"
- echo ""
- #pipe the following arguments to openssl req...
- echo -e "US\\nMontana\\nBozeman\\nwolfSSL\\nFPKI\\nwww.wolfssl.com\\ninfo@wolfssl.com\\n.\\n.\\n" | openssl req -new -key server-key.pem -config ./wolfssl.cnf -nodes > fpki-req.pem
- check_result $? "Step 1"
- openssl x509 -req -in fpki-req.pem -extfile wolfssl.cnf -extensions fpki_ext -days 1000 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 -out fpki-cert.der -outform DER
- check_result $? "Step 2"
- rm fpki-req.pem
- echo "End of section"
- echo "---------------------------------------------------------------------"
- ###########################################################
- ########## update and sign server-cert.pem ################
- ###########################################################
- echo "Updating server-cert.pem"
- echo ""
- #pipe the following arguments to openssl req...
- echo -e "US\\nMontana\\nBozeman\\nwolfSSL\\nSupport\\nwww.wolfssl.com\\ninfo@wolfssl.com\\n.\\n.\\n" | openssl req -new -key server-key.pem -config ./wolfssl.cnf -nodes > server-req.pem
- check_result $? "Step 1"
- openssl x509 -req -in server-req.pem -extfile wolfssl.cnf -extensions wolfssl_opts -days 1000 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 > server-cert.pem
- check_result $? "Step 2"
- rm server-req.pem
- openssl x509 -in ca-cert.pem -text > ca_tmp.pem
- check_result $? "Step 3"
- openssl x509 -in server-cert.pem -text > srv_tmp.pem
- check_result $? "Step 4"
- mv srv_tmp.pem server-cert.pem
- cat ca_tmp.pem >> server-cert.pem
- rm ca_tmp.pem
- echo "End of section"
- echo "---------------------------------------------------------------------"
- ###########################################################
- ########## update and sign server-revoked-key.pem #########
- ###########################################################
- echo "Updating server-revoked-cert.pem"
- echo ""
- #pipe the following arguments to openssl req...
- echo -e "US\\nMontana\\nBozeman\\nwolfSSL_revoked\\nSupport_revoked\\nwww.wolfssl.com\\ninfo@wolfssl.com\\n.\\n.\\n" | openssl req -new -key server-revoked-key.pem -config ./wolfssl.cnf -nodes > server-revoked-req.pem
- check_result $? "Step 1"
- openssl x509 -req -in server-revoked-req.pem -extfile wolfssl.cnf -extensions wolfssl_opts -days 1000 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 02 > server-revoked-cert.pem
- check_result $? "Step 2"
- rm server-revoked-req.pem
- openssl x509 -in ca-cert.pem -text > ca_tmp.pem
- check_result $? "Step 3"
- openssl x509 -in server-revoked-cert.pem -text > srv_tmp.pem
- check_result $? "Step 4"
- mv srv_tmp.pem server-revoked-cert.pem
- cat ca_tmp.pem >> server-revoked-cert.pem
- rm ca_tmp.pem
- echo "End of section"
- echo "---------------------------------------------------------------------"
- ###########################################################
- ########## update and sign server-duplicate-policy.pem ####
- ###########################################################
- echo "Updating server-duplicate-policy.pem"
- echo ""
- #pipe the following arguments to openssl req...
- echo -e "US\\nMontana\\nBozeman\\nwolfSSL\\ntesting duplicate policy\\nwww.wolfssl.com\\ninfo@wolfssl.com\\n.\\n.\\n" | openssl req -new -key server-key.pem -config ./wolfssl.cnf -nodes > ./test/server-duplicate-policy-req.pem
- check_result $? "Step 1"
- openssl x509 -req -in ./test/server-duplicate-policy-req.pem -extfile wolfssl.cnf -extensions policy_test -days 1000 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 02 > ./test/server-duplicate-policy.pem
- check_result $? "Step 2"
- rm ./test/server-duplicate-policy-req.pem
- openssl x509 -in ca-cert.pem -text > ca_tmp.pem
- check_result $? "Step 3"
- openssl x509 -in ./test/server-duplicate-policy.pem -text > srv_tmp.pem
- check_result $? "Step 4"
- mv srv_tmp.pem ./test/server-duplicate-policy.pem
- cat ca_tmp.pem >> ./test/server-duplicate-policy.pem
- rm ca_tmp.pem
- echo "End of section"
- echo "---------------------------------------------------------------------"
- ###########################################################
- #### update and sign (1024-bit) server-cert.pem ###########
- ###########################################################
- echo "Updating 1024-bit server-cert.pem"
- echo ""
- #pipe the following arguments to openssl req...
- echo -e "US\\nMontana\\nBozeman\\nwolfSSL\\nSupport_1024\\nwww.wolfssl.com\\ninfo@wolfssl.com\\n.\\n.\\n" | openssl req -new -key ./1024/server-key.pem -config ./wolfssl.cnf -nodes -sha1 > ./1024/server-req.pem
- check_result $? "Step 1"
- openssl x509 -req -in ./1024/server-req.pem -extfile wolfssl.cnf -extensions wolfssl_opts -days 1000 -CA ./1024/ca-cert.pem -CAkey ./1024/ca-key.pem -set_serial 01 > ./1024/server-cert.pem
- check_result $? "Step 2"
- rm ./1024/server-req.pem
- openssl x509 -in ./1024/ca-cert.pem -text > ./1024/ca_tmp.pem
- check_result $? "Step 3"
- openssl x509 -in ./1024/server-cert.pem -text > ./1024/srv_tmp.pem
- check_result $? "Step 4"
- mv ./1024/srv_tmp.pem ./1024/server-cert.pem
- cat ./1024/ca_tmp.pem >> ./1024/server-cert.pem
- rm ./1024/ca_tmp.pem
- echo "End of section"
- echo "---------------------------------------------------------------------"
- ############################################################
- ########## update and sign the server-ecc-rsa.pem ##########
- ############################################################
- echo "Updating server-ecc-rsa.pem"
- echo ""
- echo -e "US\\nMontana\\nBozeman\\nElliptic - RSAsig\\nECC-RSAsig\\nwww.wolfssl.com\\ninfo@wolfssl.com\\n.\\n.\\n" | openssl req -new -key ecc-key.pem -config ./wolfssl.cnf -nodes > server-ecc-req.pem
- check_result $? "Step 1"
- openssl x509 -req -in server-ecc-req.pem -extfile wolfssl.cnf -extensions wolfssl_opts -days 1000 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 > server-ecc-rsa.pem
- check_result $? "Step 2"
- rm server-ecc-req.pem
- openssl x509 -in server-ecc-rsa.pem -text > tmp.pem
- check_result $? "Step 3"
- mv tmp.pem server-ecc-rsa.pem
- echo "End of section"
- echo "---------------------------------------------------------------------"
- ############################################################
- ####### update the self-signed client-ecc-cert.pem #########
- ############################################################
- echo "Updating client-ecc-cert.pem"
- echo ""
- #pipe the following arguments to openssl req...
- echo -e "US\\nOregon\\nSalem\\nClient ECC\\nFast\\nwww.wolfssl.com\\ninfo@wolfssl.com\\n.\\n.\\n" | openssl req -new -key ecc-client-key.pem -config ./wolfssl.cnf -nodes -out client-ecc-cert.csr
- check_result $? "Step 1"
- openssl x509 -req -in client-ecc-cert.csr -days 1000 -extfile wolfssl.cnf -extensions wolfssl_opts -signkey ecc-client-key.pem -out client-ecc-cert.pem
- check_result $? "Step 2"
- rm client-ecc-cert.csr
- openssl x509 -in client-ecc-cert.pem -text > tmp.pem
- check_result $? "Step 3"
- mv tmp.pem client-ecc-cert.pem
- echo "End of section"
- echo "---------------------------------------------------------------------"
- ############################################################
- ########## update the server-ecc.pem #######################
- ############################################################
- echo "Updating server-ecc.pem"
- echo ""
- #pipe the following arguments to openssl req...
- echo -e "US\\nWashington\\nSeattle\\nEliptic\\nECC\\nwww.wolfssl.com\\ninfo@wolfssl.com\\n.\\n.\\n" | openssl req -new -key ecc-key.pem -config ./wolfssl.cnf -nodes -out server-ecc.csr
- check_result $? "Step 1"
- openssl x509 -req -in server-ecc.csr -days 1000 -extfile wolfssl.cnf -extensions server_ecc -CA ca-ecc-cert.pem -CAkey ca-ecc-key.pem -set_serial 03 -out server-ecc.pem
- check_result $? "Step 2"
- rm server-ecc.csr
- openssl x509 -in server-ecc.pem -text > tmp.pem
- check_result $? "Step 3"
- mv tmp.pem server-ecc.pem
- echo "End of section"
- echo "---------------------------------------------------------------------"
- ############################################################
- ###### update the self-signed server-ecc-comp.pem ##########
- ############################################################
- echo "Updating server-ecc-comp.pem"
- echo ""
- #pipe the following arguments to openssl req...
- echo -e "US\\nMontana\\nBozeman\\nElliptic - comp\\nServer ECC-comp\\nwww.wolfssl.com\\ninfo@wolfssl.com\\n.\\n.\\n" | openssl req -new -key ecc-key-comp.pem -config ./wolfssl.cnf -nodes -out server-ecc-comp.csr
- check_result $? "Step 1"
- openssl x509 -req -in server-ecc-comp.csr -days 1000 -extfile wolfssl.cnf -extensions wolfssl_opts -signkey ecc-key-comp.pem -out server-ecc-comp.pem
- check_result $? "Step 2"
- rm server-ecc-comp.csr
- openssl x509 -in server-ecc-comp.pem -text > tmp.pem
- check_result $? "Step 3"
- mv tmp.pem server-ecc-comp.pem
- echo "End of section"
- echo "---------------------------------------------------------------------"
- ############################################################
- ############## create the client-ca.pem file ###############
- ############################################################
- echo "Updating client-ca.pem"
- echo ""
- cat client-cert.pem client-ecc-cert.pem > client-ca.pem
- echo "End of section"
- echo "---------------------------------------------------------------------"
- ############################################################
- ###### update the self-signed ecc-privOnlyCert.pem #########
- ############################################################
- echo "Updating ecc-privOnlyCert.pem"
- echo ""
- #pipe the following arguments to openssl req...
- echo -e ".\\n.\\n.\\nWR\\n.\\nDE\\n.\\n.\\n.\\n" | openssl req -new -key ecc-privOnlyKey.pem -config ./wolfssl.cnf -nodes -out ecc-privOnly.csr
- check_result $? "Step 1"
- openssl x509 -req -in ecc-privOnly.csr -days 1000 -signkey ecc-privOnlyKey.pem -out ecc-privOnlyCert.pem
- check_result $? "Step 2"
- rm ecc-privOnly.csr
- echo "End of section"
- echo "---------------------------------------------------------------------"
- ############################################################
- ###### update the self-signed test/digsigku.pem ##########
- ############################################################
- echo "Updating test/digsigku.pem"
- echo ""
- #pipe the following arguments to openssl req...
- echo -e "US\\nWashington\\nSeattle\\nFoofarah\\nArglebargle\\nfoobarbaz\\ninfo@worlss.com\\n.\\n.\\n" | openssl req -new -key ecc-key.pem -config ./wolfssl.cnf -nodes -sha1 -out digsigku.csr
- check_result $? "Step 1"
- openssl x509 -req -in digsigku.csr -days 1000 -extfile wolfssl.cnf -extensions digsigku -signkey ecc-key.pem -sha1 -set_serial 16393466893990650224 -out digsigku.pem
- check_result $? "Step 2"
- rm digsigku.csr
- openssl x509 -in digsigku.pem -text > tmp.pem
- check_result $? "Step 3"
- mv tmp.pem digsigku.pem
- mv digsigku.pem test/digsigku.pem
- echo "End of section"
- echo "---------------------------------------------------------------------"
- ###########################################################
- #### update and sign entity-no-ca-bool-cert.pem ###########
- ###########################################################
- echo "Updating entity-no-ca-bool-cert.pem"
- echo ""
- #pipe the following arguments to openssl req...
- echo -e "US\\nMontana\\nBozeman\\nwolfSSL\\nNoCaBool\\nwww.wolfssl.com\\ninfo@wolfssl.com\\n.\\n.\\n" | openssl req -new -key entity-no-ca-bool-key.pem -config ./wolfssl.cnf -nodes > entity-no-ca-bool-req.pem
- check_result $? "Step 1"
- openssl x509 -req -in entity-no-ca-bool-req.pem -extfile ./wolfssl.cnf -extensions "entity_no_CA_BOOL" -days 1000 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 > entity-no-ca-bool-cert.pem
- check_result $? "Step 2"
- rm entity-no-ca-bool-req.pem
- openssl x509 -in ca-cert.pem -text > ca_tmp.pem
- check_result $? "Step 3"
- openssl x509 -in entity-no-ca-bool-cert.pem -text > entity_tmp.pem
- check_result $? "Step 4"
- mv entity_tmp.pem entity-no-ca-bool-cert.pem
- cat ca_tmp.pem >> entity-no-ca-bool-cert.pem
- rm ca_tmp.pem
- echo "End of section"
- ############################################################
- ########## make .der files from .pem files #################
- ############################################################
- echo "Creating der formatted certs..."
- echo ""
- openssl x509 -inform PEM -in ./1024/client-cert.pem -outform DER -out ./1024/client-cert.der
- check_result $? "Der Cert 1"
- openssl x509 -inform PEM -in ./1024/server-cert.pem -outform DER -out ./1024/server-cert.der
- check_result $? "Der Cert 2"
- openssl x509 -inform PEM -in ./1024/ca-cert.pem -outform DER -out ./1024/ca-cert.der
- check_result $? "Der Cert 3"
- openssl x509 -inform PEM -in ca-cert.pem -outform DER -out ca-cert.der
- check_result $? "Der Cert 4"
- openssl x509 -inform PEM -in ca-ecc-cert.pem -outform DER -out ca-ecc-cert.der
- check_result $? "Der Cert 5"
- openssl x509 -inform PEM -in ca-ecc384-cert.pem -outform DER -out ca-ecc384-cert.der
- check_result $? "Der Cert 6"
- openssl x509 -inform PEM -in client-cert.pem -outform DER -out client-cert.der
- check_result $? "Der Cert 7"
- openssl x509 -inform PEM -in server-cert.pem -outform DER -out server-cert.der
- check_result $? "Der Cert 8"
- openssl x509 -inform PEM -in client-ecc-cert.pem -outform DER -out client-ecc-cert.der
- check_result $? "Der Cert 9"
- openssl x509 -inform PEM -in server-ecc-rsa.pem -outform DER -out server-ecc-rsa.der
- check_result $? "Der Cert 10"
- openssl x509 -inform PEM -in server-ecc.pem -outform DER -out server-ecc.der
- check_result $? "Der Cert 11"
- openssl x509 -inform PEM -in server-ecc-comp.pem -outform DER -out server-ecc-comp.der
- check_result $? "Der Cert 12"
- cat server-cert.der ca-cert.der >server-cert-chain.der
- check_result $? "Der Cert 13"
- echo "End of section"
- echo "---------------------------------------------------------------------"
- ############################################################
- ########## generate RSA-PSS certificates ###################
- ############################################################
- echo "Renewing RSA-PSS certificates"
- cd rsapss
- ./renew-rsapss-certs.sh
- cd ..
- echo "End of section"
- echo "---------------------------------------------------------------------"
- ############################################################
- ########## generate Ed25519 certificates ###################
- ############################################################
- echo "Renewing Ed25519 certificates"
- cd ed25519
- ./gen-ed25519-certs.sh
- cd ..
- echo "End of section"
- echo "---------------------------------------------------------------------"
- ############################################################
- ########## generate Ed448 certificates #####################
- ############################################################
- echo "Renewing Ed448 certificates"
- cd ed448
- ./gen-ed448-certs.sh
- cd ..
- echo "End of section"
- echo "---------------------------------------------------------------------"
- ############################################################
- ########## generate P-521 certificates #####################
- ############################################################
- echo "Renewing Ed448 certificates"
- cd p521
- ./gen-p521-certs.sh
- cd ..
- echo "End of section"
- echo "---------------------------------------------------------------------"
- ############################################################
- ###### update the ecc-rsa-server.p12 file ##################
- ############################################################
- echo "Updating ecc-rsa-server.p12 (password is \"\")"
- echo ""
- echo "" | openssl pkcs12 -des3 -descert -export -in server-ecc-rsa.pem -inkey ecc-key.pem -certfile server-ecc.pem -out ecc-rsa-server.p12 -password stdin
- check_result $? "Step 1"
- echo "End of section"
- echo "---------------------------------------------------------------------"
- ############################################################
- ###### update the test-servercert.p12 file #################
- ############################################################
- echo "Updating test-servercert.p12 (password is \"wolfSSL test\")"
- echo ""
- echo "wolfSSL test" | openssl pkcs12 -des3 -descert -export -in server-cert.pem -inkey server-key.pem -certfile ca-cert.pem -out test-servercert.p12 -password stdin
- check_result $? "Step 1"
- echo "End of section"
- echo "---------------------------------------------------------------------"
- ############################################################
- ###### update the test-servercert-rc2.p12 file #############
- ############################################################
- echo "Updating test-servercert-rc2.p12 (password is \"wolfSSL test\")"
- echo ""
- echo "wolfSSL test" | openssl pkcs12 -export -in server-cert.pem -inkey server-key.pem -certfile ca-cert.pem -out test-servercert-rc2.p12 -password stdin
- check_result $? "Step 1"
- echo "End of section"
- echo "---------------------------------------------------------------------"
- ############################################################
- ###### calling gen-ext-certs.sh ##################
- ############################################################
- echo "Calling gen-ext-certs.sh"
- echo ""
- cd .. || exit 1
- ./certs/test/gen-ext-certs.sh
- check_result $? "gen-ext-certs.sh"
- cd ./certs || { echo "Couldn't cd to certs directory"; exit 1; }
- echo "End of section"
- echo "---------------------------------------------------------------------"
- ############################################################
- ###### calling gen-badsig.sh ##################
- ############################################################
- echo "Calling gen-badsig.sh"
- echo ""
- cd ./test || { echo "Failed to switch to dir ./test"; exit 1; }
- ./gen-badsig.sh
- check_result $? "gen-badsig.sh"
- cd ../ || exit 1
- echo "End of section"
- echo "---------------------------------------------------------------------"
- ############################################################
- ###### calling gen-testcerts.sh ##################
- ############################################################
- echo "Calling gen-testcerts.sh"
- echo ""
- cd ./test || { echo "Failed to switch to dir ./test"; exit 1; }
- ./gen-testcerts.sh
- check_result $? "gen-testcerts.sh"
- cd ../ || exit 1
- echo "End of section"
- echo "---------------------------------------------------------------------"
- ############################################################
- ###### generate cms bundles in test directory ##############
- ############################################################
- echo "Generating CMS bundle"
- echo ""
- cd ./test || { echo "Failed to switch to dir ./test"; exit 1; }
- echo "test" | openssl cms -encrypt -binary -keyid -out ktri-keyid-cms.msg -outform der -recip ../client-cert.pem -nocerts
- check_result $? "generate ktri-keyid-cms.msg"
- cd ../ || exit 1
- echo "End of section"
- echo "---------------------------------------------------------------------"
- ############################################################
- ########## generate ocsp certs ######################
- ############################################################
- echo "Changing directory to ocsp..."
- echo ""
- # guard against recursive calls to renewcerts.sh
- if [ -d ocsp ]; then
- cd ./ocsp || { echo "Failed to switch to dir ./ocsp"; exit 1; }
- echo "Execute ocsp/renewcerts.sh..."
- ./renewcerts.sh
- check_result $? "renewcerts.sh"
- cd ../ || exit 1
- else
- echo "Error could not find ocsp directory"
- exit 1
- fi
- echo "End of section"
- echo "---------------------------------------------------------------------"
- ############################################################
- ###### calling assemble-chains.sh ##################
- ############################################################
- echo "Calling assemble-chains.sh"
- echo ""
- cd ./test-pathlen || { echo "Failed to switch to dir ./test-pathlen";
- exit 1; }
- ./assemble-chains.sh
- check_result $? "assemble-chains.sh"
- cd ../ || exit 1
- echo "End of section"
- echo "---------------------------------------------------------------------"
- ############################################################
- ########## store DER files as buffers ######################
- ############################################################
- echo "Changing directory to wolfssl root..."
- echo ""
- cd ../ || exit 1
- echo "Execute ./gencertbuf.pl..."
- echo ""
- ./gencertbuf.pl
- check_result $? "gencertbuf.pl"
- echo "End of section"
- echo "---------------------------------------------------------------------"
- ############################################################
- ########## generate the new crls ###########################
- ############################################################
- echo "Change directory to wolfssl/certs"
- echo ""
- cd ./certs || { echo "Failed to switch to dir ./certs"; exit 1; }
- echo "We are back in the certs directory"
- echo ""
- echo "Updating the crls..."
- echo ""
- cd ./crl || { echo "Failed to switch to dir ./crl"; exit 1; }
- echo "changed directory: cd/crl"
- echo ""
- ./gencrls.sh
- check_result $? "gencrls.sh"
- echo "ran ./gencrls.sh"
- echo ""
- ############################################################
- ########## generate PKCS7 bundles ##########################
- ############################################################
- echo "Changing directory to wolfssl certs..."
- echo ""
- cd ../ || exit 1
- echo "Creating test-degenerate.p7b..."
- echo ""
- openssl crl2pkcs7 -nocrl -certfile ./client-cert.pem -out test-degenerate.p7b -outform DER
- check_result $? ""
- echo "End of section"
- echo "---------------------------------------------------------------------"
- #cleanup the file system now that we're done
- echo "Performing final steps, cleaning up the file system..."
- echo ""
- rm ../wolfssl.cnf
- echo "End of Updates. Everything was successfully updated!"
- echo "---------------------------------------------------------------------"
- }
- ###############################################################################
- ##################### THE EXECUTABLE BODY #####################################
- ###############################################################################
- #start in root.
- cd ../ || exit 1
- #if there was an argument given, check it for validity or print out error
- if [ ! -z "$1" ]; then
- #valid argument print out other valid arguments
- if [ "$1" == "-h" ] || [ "$1" == "-help" ]; then
- echo ""
- echo "\"no argument\" will attempt to update all certificates"
- echo "-h or -help display this menu"
- echo ""
- echo ""
- #else the argument was invalid, tell user to use -h or -help
- else
- echo ""
- echo "That is not a valid option."
- echo ""
- echo "use -h or -help for a list of available options."
- echo ""
- fi
- else
- echo "Saving the configure state"
- echo ""
- cp config.status tmp.status || exit 1
- cp wolfssl/options.h tmp.options.h || exit 1
- echo "Running make clean"
- echo ""
- make clean
- check_result $? "make clean"
- run_renewcerts
- cd ../ || exit 1
- rm ./certs/wolfssl.cnf
- # restore previous configure state
- restore_config
- check_result $? "restoring old configuration"
- fi #END already defined
- exit 0