Home Explore Help
Sign In
OWEALs
/
wolfssl
mirror of https://github.com/wolfSSL/wolfssl.git
2
0
Fork 0
Files Issues 8 Wiki
Tree: v5.2.1-sta
Branches Tags
wolfssl
/
certs
/
ecc
/
genecc.sh

genecc.sh 8.5 KB
Permalink History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128 
  1. #!/bin/bash
    2. 

  2. 

  3. # run from wolfssl root
    4. 

  4. 

  5. rm ./certs/ecc/*.old
    6. 

  6. rm ./certs/ecc/index.txt*
    7. 

  7. rm ./certs/ecc/serial
    8. 

  8. rm ./certs/ecc/crlnumber
    9. 

  9. 

  10. touch ./certs/ecc/index.txt
    11. 

  11. echo 1000 > ./certs/ecc/serial
    12. 

  12. echo 2000 > ./certs/ecc/crlnumber
    13. 

  13. 

  14. # generate ECC 256-bit CA
    15. 

  15. openssl ecparam -out ./certs/ca-ecc-key.par -name prime256v1
    16. 

  16. openssl req -config ./certs/ecc/wolfssl.cnf -extensions v3_ca -x509 -nodes -newkey ec:./certs/ca-ecc-key.par -keyout ./certs/ca-ecc-key.pem -out ./certs/ca-ecc-cert.pem -sha256 \
    17. 

  17. 	-days 7300 -batch -subj "/C=US/ST=Washington/L=Seattle/O=wolfSSL/OU=Development/CN=www.wolfssl.com/emailAddress=info@wolfssl.com"
    18. 

  18. 

  19. openssl x509 -in ./certs/ca-ecc-cert.pem -inform PEM -out ./certs/ca-ecc-cert.der -outform DER
    20. 

  20. openssl ec -in ./certs/ca-ecc-key.pem -inform PEM -out ./certs/ca-ecc-key.der -outform DER
    21. 

  21. 

  22. rm ./certs/ca-ecc-key.par
    23. 

  23. 

  24. # Gen CA CRL
    25. 

  25. openssl ca -config ./certs/ecc/wolfssl.cnf -gencrl -crldays 1000 -out ./certs/crl/caEccCrl.pem -keyfile ./certs/ca-ecc-key.pem -cert ./certs/ca-ecc-cert.pem
    26. 

  26. 

  27. 

  28. 

  29. # Generate ECC 256-bit server cert
    30. 

  30. openssl req -config ./certs/ecc/wolfssl.cnf -sha256 -new -key ./certs/ecc-key.pem -out ./certs/server-ecc-req.pem -subj "/C=US/ST=Washington/L=Seattle/O=Eliptic/OU=ECC/CN=www.wolfssl.com/emailAddress=info@wolfssl.com/"
    31. 

  31. openssl x509 -req -in ./certs/server-ecc-req.pem -CA ./certs/ca-ecc-cert.pem -CAkey ./certs/ca-ecc-key.pem -CAcreateserial -out ./certs/server-ecc.pem -sha256
    32. 

  32. 

  33. # Sign server certificate
    34. 

  34. openssl ca -config ./certs/ecc/wolfssl.cnf -extensions server_cert -days 3650 -notext -md sha256 -in ./certs/server-ecc-req.pem -out ./certs/server-ecc.pem
    35. 

  35. openssl x509 -in ./certs/server-ecc.pem -outform der -out ./certs/server-ecc.der
    36. 

  36. 

  37. # Generate ECC 256-bit self-signed server cert
    38. 

  38. openssl x509 -req -in ./certs/server-ecc-req.pem -days 3650 -extfile ./certs/ecc/wolfssl.cnf -extensions server_cert -signkey ./certs/ecc-key.pem -text -out ./certs/server-ecc-self.pem
    39. 

  39. openssl x509 -inform pem -in ./certs/server-ecc-self.pem -outform der -out ./certs/server-ecc-self.der
    40. 

  40. 

  41. rm ./certs/server-ecc-req.pem 
    42. 

  42. 

  43. 

  44. 

  45. # generate ECC 384-bit CA
    46. 

  46. openssl ecparam -out ./certs/ca-ecc384-key.par -name secp384r1
    47. 

  47. openssl req -config ./certs/ecc/wolfssl_384.cnf -extensions v3_ca -x509 -nodes -newkey ec:./certs/ca-ecc384-key.par -keyout ./certs/ca-ecc384-key.pem -out ./certs/ca-ecc384-cert.pem -sha384 \
    48. 

  48. 	-days 7300 -batch -subj "/C=US/ST=Washington/L=Seattle/O=wolfSSL/OU=Development/CN=www.wolfssl.com/emailAddress=info@wolfssl.com"
    49. 

  49. 

  50. openssl x509 -in ./certs/ca-ecc384-cert.pem -inform PEM -out ./certs/ca-ecc384-cert.der -outform DER
    51. 

  51. openssl ec -in ./certs/ca-ecc384-key.pem -inform PEM -out ./certs/ca-ecc384-key.der -outform DER
    52. 

  52. 

  53. rm ./certs/ca-ecc384-key.par
    54. 

  54. 

  55. # Gen CA CRL
    56. 

  56. openssl ca -config ./certs/ecc/wolfssl_384.cnf -gencrl -crldays 1000 -out ./certs/crl/caEcc384Crl.pem -keyfile ./certs/ca-ecc384-key.pem -cert ./certs/ca-ecc384-cert.pem
    57. 

  57. 

  58. 

  59. 

  60. # Generate ECC 384-bit server cert
    61. 

  61. openssl ecparam -out ./certs/server-ecc384-key.par -name secp384r1
    62. 

  62. openssl req -config ./certs/ecc/wolfssl_384.cnf -sha384 -x509 -nodes -newkey ec:./certs/server-ecc384-key.par -keyout ./certs/server-ecc384-key.pem -out ./certs/server-ecc384-req.pem \
    63. 

  63. 	-subj "/C=US/ST=Washington/L=Seattle/O=Eliptic/OU=ECC384Srv/CN=www.wolfssl.com/emailAddress=info@wolfssl.com/"
    64. 

  64. openssl req -config ./certs/ecc/wolfssl_384.cnf -sha384 -new -key ./certs/server-ecc384-key.pem -out ./certs/server-ecc384-req.pem \
    65. 

  65. 	-subj "/C=US/ST=Washington/L=Seattle/O=Eliptic/OU=ECC384Srv/CN=www.wolfssl.com/emailAddress=info@wolfssl.com/"
    66. 

  66. openssl ec -in ./certs/server-ecc384-key.pem -inform PEM -out ./certs/server-ecc384-key.der -outform DER
    67. 

  67. 

  68. # Sign server certificate
    69. 

  69. openssl ca -config ./certs/ecc/wolfssl_384.cnf -extensions server_cert -days 10950 -notext -md sha384 -in ./certs/server-ecc384-req.pem -out ./certs/server-ecc384-cert.pem
    70. 

  70. openssl x509 -in ./certs/server-ecc384-cert.pem -outform der -out ./certs/server-ecc384-cert.der
    71. 

  71. 

  72. rm ./certs/server-ecc384-req.pem 
    73. 

  73. rm ./certs/server-ecc384-key.par
    74. 

  74. 

  75. # Generate ECC 384-bit client cert
    76. 

  76. openssl ecparam -out ./certs/client-ecc384-key.par -name secp384r1
    77. 

  77. openssl req -config ./certs/ecc/wolfssl_384.cnf -sha384 -x509 -nodes -newkey ec:./certs/client-ecc384-key.par -keyout ./certs/client-ecc384-key.pem -out ./certs/client-ecc384-req.pem \
    78. 

  78. 	-subj "/C=US/ST=Washington/L=Seattle/O=Eliptic/OU=ECC384Cli/CN=www.wolfssl.com/emailAddress=info@wolfssl.com/"
    79. 

  79. openssl req -config ./certs/ecc/wolfssl_384.cnf -sha384 -new -key ./certs/client-ecc384-key.pem -out ./certs/client-ecc384-req.pem \
    80. 

  80. 	-subj "/C=US/ST=Washington/L=Seattle/O=Eliptic/OU=ECC384Clit/CN=www.wolfssl.com/emailAddress=info@wolfssl.com/"
    81. 

  81. openssl ec -in ./certs/client-ecc384-key.pem -inform PEM -out ./certs/client-ecc384-key.der -outform DER
    82. 

  82. 

  83. # Sign client certificate
    84. 

  84. openssl ca -config ./certs/ecc/wolfssl_384.cnf -extensions usr_cert -days 10950 -notext -md sha384 -in ./certs/client-ecc384-req.pem -out ./certs/client-ecc384-cert.pem
    85. 

  85. openssl x509 -in ./certs/client-ecc384-cert.pem -outform der -out ./certs/client-ecc384-cert.der
    86. 

  86. 

  87. rm ./certs/client-ecc384-req.pem 
    88. 

  88. rm ./certs/client-ecc384-key.par
    89. 

  89. 

  90. 

  91. # Generate ECC Kerberos Keys
    92. 

  92. if [ -f ./certs/ecc/secp256k1-key.pem ]; then
    93. 

  93. 	openssl ecparam -name secp256k1 -genkey -noout -out ./certs/ecc/secp256k1-key.pem
    94. 

  94. 	openssl ec -in ./certs/ecc/secp256k1-key.pem -inform PEM -out ./certs/ecc/secp256k1-key.der -outform DER
    95. 

  95. fi
    96. 

  96. # Create self-signed ECC Kerberos certificates
    97. 

  97. openssl req -config ./certs/ecc/wolfssl.cnf -sha256 -new -key ./certs/ecc/secp256k1-key.pem -out ./certs/ecc/server-secp256k1-req.pem -subj "/C=US/ST=Washington/L=Seattle/O=Eliptic/OU=ECC256K1-SRV/CN=www.wolfssl.com/emailAddress=info@wolfssl.com/"
    98. 

  98. openssl x509 -req -in ./certs/ecc/server-secp256k1-req.pem -days 3650 -extfile ./certs/ecc/wolfssl.cnf -extensions server_cert -signkey ./certs/ecc/secp256k1-key.pem -text -out ./certs/ecc/server-secp256k1-cert.pem
    99. 

  99. openssl x509 -inform pem -in ./certs/ecc/server-secp256k1-cert.pem -outform der -out ./certs/ecc/server-secp256k1-cert.der
    100. 

  100. rm ./certs/ecc/server-secp256k1-req.pem
    101. 

  101. 

  102. openssl req -config ./certs/ecc/wolfssl.cnf -sha256 -new -key ./certs/ecc/secp256k1-key.pem -out ./certs/ecc/client-secp256k1-req.pem -subj "/C=US/ST=Washington/L=Seattle/O=Eliptic/OU=ECC256K1-CLI/CN=www.wolfssl.com/emailAddress=info@wolfssl.com/"
    103. 

  103. openssl x509 -req -in ./certs/ecc/client-secp256k1-req.pem -days 3650 -extfile ./certs/ecc/wolfssl.cnf -extensions usr_cert -signkey ./certs/ecc/secp256k1-key.pem -text -out ./certs/ecc/client-secp256k1-cert.pem
    104. 

  104. openssl x509 -inform pem -in ./certs/ecc/client-secp256k1-cert.pem -outform der -out ./certs/ecc/client-secp256k1-cert.der
    105. 

  105. rm ./certs/ecc/client-secp256k1-req.pem
    106. 

  106. 

  107. # Generate ECC Brainpool Keys
    108. 

  108. if [ -f ./certs/ecc/bp256r1-key.pem ]; then
    109. 

  109. 	openssl ecparam -name brainpoolP256r1 -genkey -noout -out ./certs/ecc/bp256r1-key.pem
    110. 

  110. 	openssl ec -in ./certs/ecc/bp256r1-key.pem -inform PEM -out ./certs/ecc/bp256r1-key.der -outform DER
    111. 

  111. fi
    112. 

  112. # Create self-signed ECC Brainpool certificates
    113. 

  113. openssl req -config ./certs/ecc/wolfssl.cnf -sha256 -new -key ./certs/ecc/bp256r1-key.pem -out ./certs/ecc/server-bp256r1-req.pem -subj "/C=US/ST=Washington/L=Seattle/O=Eliptic/OU=ECC256BPR1-SRV/CN=www.wolfssl.com/emailAddress=info@wolfssl.com/"
    114. 

  114. openssl x509 -req -in ./certs/ecc/server-bp256r1-req.pem -days 3650 -extfile ./certs/ecc/wolfssl.cnf -extensions server_cert -signkey ./certs/ecc/bp256r1-key.pem -text -out ./certs/ecc/server-bp256r1-cert.pem
    115. 

  115. openssl x509 -inform pem -in ./certs/ecc/server-bp256r1-cert.pem -outform der -out ./certs/ecc/server-bp256r1-cert.der
    116. 

  116. rm ./certs/ecc/server-bp256r1-req.pem
    117. 

  117. 

  118. openssl req -config ./certs/ecc/wolfssl.cnf -sha256 -new -key ./certs/ecc/bp256r1-key.pem -out ./certs/ecc/client-bp256r1-req.pem -subj "/C=US/ST=Washington/L=Seattle/O=Eliptic/OU=ECC256BPR1-CLI/CN=www.wolfssl.com/emailAddress=info@wolfssl.com/"
    119. 

  119. openssl x509 -req -in ./certs/ecc/client-bp256r1-req.pem -days 3650 -extfile ./certs/ecc/wolfssl.cnf -extensions usr_cert -signkey ./certs/ecc/bp256r1-key.pem -text -out ./certs/ecc/client-bp256r1-cert.pem
    120. 

  120. openssl x509 -inform pem -in ./certs/ecc/client-bp256r1-cert.pem -outform der -out ./certs/ecc/client-bp256r1-cert.der
    121. 

  121. rm ./certs/ecc/client-bp256r1-req.pem
    122. 

  122. 

  123. 

  124. # Also manually need to:
    125. 

  125. # 1. Copy ./certs/server-ecc.der into ./certs/test/server-cert-ecc-badsig.der `cp ./certs/server-ecc.der ./certs/test/server-cert-ecc-badsig.der`
    126. 

  126. # 2. Modify last byte so its invalidates signature in ./certs/test/server-cert-ecc-badsig.der
    127. 

  127. # 3. Covert bad cert to pem `openssl x509 -inform der -in ./certs/test/server-cert-ecc-badsig.der -outform pem -out ./certs/test/server-cert-ecc-badsig.pem`
    128. 

  128. # 4. Update AKID's for CA's in test.c certext_test() function akid_ecc.
    129.