#!/bin/bash # renewcerts.sh # # renews the following certs: # client-cert.pem # client-cert.der # client-ecc-cert.pem # client-ecc-cert.der # ca-cert.pem # ca-cert.der # ca-ecc-cert.pem # ca-ecc-cert.der # ca-ecc384-cert.pem # ca-ecc384-cert.der # server-cert.pem # server-cert.der # server-ecc-rsa.pem # server-ecc.pem # 1024/client-cert.der # 1024/client-cert.pem # server-ecc-comp.pem # client-ca.pem # test/digsigku.pem # ecc-privOnlyCert.pem # client-uri-cert.pem # client-relative-uri.pem # updates the following crls: # crl/cliCrl.pem # crl/crl.pem # crl/crl.revoked # crl/eccCliCRL.pem # crl/eccSrvCRL.pem # if HAVE_NTRU # ntru-cert.pem # ntru-key.raw ############################################################################### ######################## FUNCTIONS SECTION #################################### ############################################################################### #the function that will be called when we are ready to renew the certs. function run_renewcerts(){ cd certs/ echo "" #move the custom cnf into our working directory cp renewcerts/wolfssl.cnf wolfssl.cnf # To generate these all in sha1 add the flag "-sha1" on appropriate lines # That is all lines beginning with: "openssl req" ############################################################ #### update the self-signed (2048-bit) client-uri-cert.pem # ############################################################ echo "Updating 2048-bit client-uri-cert.pem" echo "" #pipe the following arguments to openssl req... echo -e "US\nMontana\nBozeman\nwolfSSL_2048\nURI\nwww.wolfssl.com\ninfo@wolfssl.com\n.\n.\n" | openssl req -new -key client-key.pem -nodes -out client-cert.csr openssl x509 -req -in client-cert.csr -days 1000 -extfile wolfssl.cnf -extensions uri -signkey client-key.pem -out client-uri-cert.pem rm client-cert.csr openssl x509 -in client-uri-cert.pem -text > tmp.pem mv tmp.pem client-uri-cert.pem ############################################################ #### update the self-signed (2048-bit) client-relative-uri.pem ############################################################ echo "Updating 2048-bit client-relative-uri.pem" echo "" #pipe the following arguments to openssl req... echo -e "US\nMontana\nBozeman\nwolfSSL_2048\nRELATIVE_URI\nwww.wolfssl.com\ninfo@wolfssl.com\n.\n.\n" | openssl req -new -key client-key.pem -nodes -out client-cert.csr openssl x509 -req -in client-cert.csr -days 1000 -extfile wolfssl.cnf -extensions relative_uri -signkey client-key.pem -out client-relative-uri.pem rm client-cert.csr openssl x509 -in client-relative-uri.pem -text > tmp.pem mv tmp.pem client-relative-uri.pem ############################################################ #### update the self-signed (2048-bit) client-cert.pem ##### ############################################################ echo "Updating 2048-bit client-cert.pem" echo "" #pipe the following arguments to openssl req... echo -e "US\nMontana\nBozeman\nwolfSSL_2048\nProgramming-2048\nwww.wolfssl.com\ninfo@wolfssl.com\n.\n.\n" | openssl req -new -key client-key.pem -nodes -out client-cert.csr openssl x509 -req -in client-cert.csr -days 1000 -extfile wolfssl.cnf -extensions wolfssl_opts -signkey client-key.pem -out client-cert.pem rm client-cert.csr openssl x509 -in client-cert.pem -text > tmp.pem mv tmp.pem client-cert.pem ############################################################ #### update the self-signed (3072-bit) client-cert.pem ##### ############################################################ echo "Updating 3072-bit client-cert.pem" echo "" #pipe the following arguments to openssl req... echo -e "US\nMontana\nBozeman\nwolfSSL_3072\nProgramming-3072\nwww.wolfssl.com\ninfo@wolfssl.com\n.\n.\n" | openssl req -new -newkey rsa:3072 -keyout client-key-3072.pem -nodes -out client-cert-3072.csr openssl x509 -req -in client-cert-3072.csr -days 1000 -extfile wolfssl.cnf -extensions wolfssl_opts -signkey client-key-3072.pem -out client-cert-3072.pem rm client-cert-3072.csr openssl x509 -in client-cert-3072.pem -text > tmp.pem mv tmp.pem client-cert-3072.pem ############################################################ #### update the self-signed (1024-bit) client-cert.pem ##### ############################################################ echo "Updating 1024-bit client-cert.pem" echo "" #pipe the following arguments to openssl req... echo -e "US\nMontana\nBozeman\nwolfSSL_1024\nProgramming-1024\nwww.wolfssl.com\ninfo@wolfssl.com\n.\n.\n" | openssl req -new -key \1024/client-key.pem -nodes -out \1024/client-cert.csr openssl x509 -req -in \1024/client-cert.csr -days 1000 -extfile wolfssl.cnf -extensions wolfssl_opts -signkey \1024/client-key.pem -out \1024/client-cert.pem rm \1024/client-cert.csr openssl x509 -in \1024/client-cert.pem -text > \1024/tmp.pem mv \1024/tmp.pem \1024/client-cert.pem ############################################################ ########## update the self-signed ca-cert.pem ############## ############################################################ echo "Updating ca-cert.pem" echo "" #pipe the following arguments to openssl req... echo -e "US\nMontana\nBozeman\nSawtooth\nConsulting\nwww.wolfssl.com\ninfo@wolfssl.com\n.\n.\n" | openssl req -new -key ca-key.pem -nodes -out ca-cert.csr openssl x509 -req -in ca-cert.csr -days 1000 -extfile wolfssl.cnf -extensions wolfssl_opts -signkey ca-key.pem -out ca-cert.pem rm ca-cert.csr openssl x509 -in ca-cert.pem -text > tmp.pem mv tmp.pem ca-cert.pem ############################################################ ########## update the self-signed ca-ecc-cert.pem ########## ############################################################ echo "Updating ca-ecc-cert.pem" echo "" #pipe the following arguments to openssl req... echo -e "US\nWashington\nSeattle\nwolfSSL\nDevelopment\nwww.wolfssl.com\ninfo@wolfssl.com\n.\n.\n" | openssl req -new -key ca-ecc-key.pem -nodes -out ca-ecc-cert.csr openssl x509 -req -in ca-ecc-cert.csr -days 1000 -extfile wolfssl.cnf -extensions ca_ecc_cert -signkey ca-ecc-key.pem -out ca-ecc-cert.pem rm ca-ecc-cert.csr openssl x509 -in ca-ecc-cert.pem -text > tmp.pem mv tmp.pem ca-ecc-cert.pem ############################################################ ########## update the self-signed ca-ecc384-cert.pem ####### ############################################################ echo "Updating ca-ecc384-cert.pem" echo "" #pipe the following arguments to openssl req... echo -e "US\nWashington\nSeattle\nwolfSSL\nDevelopment\nwww.wolfssl.com\ninfo@wolfssl.com\n.\n.\n" | openssl req -new -key ca-ecc384-key.pem -nodes -sha384 -out ca-ecc384-cert.csr openssl x509 -req -in ca-ecc384-cert.csr -days 1000 -extfile wolfssl.cnf -extensions ca_ecc_cert -signkey ca-ecc384-key.pem -sha384 -out ca-ecc384-cert.pem rm ca-ecc384-cert.csr openssl x509 -in ca-ecc384-cert.pem -text > tmp.pem mv tmp.pem ca-ecc384-cert.pem ############################################################ ##### update the self-signed (1024-bit) ca-cert.pem ######## ############################################################ echo "Updating 1024-bit ca-cert.pem" echo "" #pipe the following arguments to openssl req... echo -e "US\nMontana\nBozeman\nSawtooth\nConsulting_1024\nwww.wolfssl.com\ninfo@wolfssl.com\n.\n.\n" | openssl req -new -key \1024/ca-key.pem -nodes -sha1 -out \1024/ca-cert.csr openssl x509 -req -in \1024/ca-cert.csr -days 1000 -extfile wolfssl.cnf -extensions wolfssl_opts -signkey \1024/ca-key.pem -out \1024/ca-cert.pem rm \1024/ca-cert.csr openssl x509 -in \1024/ca-cert.pem -text > \1024/tmp.pem mv \1024/tmp.pem \1024/ca-cert.pem ########################################################### ########## update and sign server-cert.pem ################ ########################################################### echo "Updating server-cert.pem" echo "" #pipe the following arguments to openssl req... echo -e "US\nMontana\nBozeman\nwolfSSL\nSupport\nwww.wolfssl.com\ninfo@wolfssl.com\n.\n.\n" | openssl req -new -key server-key.pem -nodes > server-req.pem openssl x509 -req -in server-req.pem -extfile wolfssl.cnf -extensions wolfssl_opts -days 1000 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 > server-cert.pem rm server-req.pem openssl x509 -in ca-cert.pem -text > ca_tmp.pem openssl x509 -in server-cert.pem -text > srv_tmp.pem mv srv_tmp.pem server-cert.pem cat ca_tmp.pem >> server-cert.pem rm ca_tmp.pem ########################################################### ########## update and sign server-revoked-key.pem ######### ########################################################### echo "Updating server-revoked-cert.pem" echo "" #pipe the following arguments to openssl req... echo -e "US\nMontana\nBozeman\nwolfSSL_revoked\nSupport_revoked\nwww.wolfssl.com\ninfo@wolfssl.com\n.\n.\n" | openssl req -new -key server-revoked-key.pem -nodes > server-revoked-req.pem openssl x509 -req -in server-revoked-req.pem -extfile wolfssl.cnf -extensions wolfssl_opts -days 1000 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 02 > server-revoked-cert.pem rm server-revoked-req.pem openssl x509 -in ca-cert.pem -text > ca_tmp.pem openssl x509 -in server-revoked-cert.pem -text > srv_tmp.pem mv srv_tmp.pem server-revoked-cert.pem cat ca_tmp.pem >> server-revoked-cert.pem rm ca_tmp.pem ########################################################### ########## update and sign server-duplicate-policy.pem #### ########################################################### echo "Updating server-duplicate-policy.pem" echo "" #pipe the following arguments to openssl req... echo -e "US\nMontana\nBozeman\nwolfSSL\ntesting duplicate policy\nwww.wolfssl.com\ninfo@wolfssl.com\n.\n.\n" | openssl req -new -key server-key.pem -nodes > ./test/server-duplicate-policy-req.pem openssl x509 -req -in ./test/server-duplicate-policy-req.pem -extfile wolfssl.cnf -extensions policy_test -days 1000 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 02 > ./test/server-duplicate-policy.pem rm ./test/server-duplicate-policy-req.pem openssl x509 -in ca-cert.pem -text > ca_tmp.pem openssl x509 -in ./test/server-duplicate-policy.pem -text > srv_tmp.pem mv srv_tmp.pem ./test/server-duplicate-policy.pem cat ca_tmp.pem >> ./test/server-duplicate-policy.pem rm ca_tmp.pem ########################################################### #### update and sign (1024-bit) server-cert.pem ########### ########################################################### echo "Updating 1024-bit server-cert.pem" echo "" #pipe the following arguments to openssl req... echo -e "US\nMontana\nBozeman\nwolfSSL\nSupport_1024\nwww.wolfssl.com\ninfo@wolfssl.com\n.\n.\n" | openssl req -new -key \1024/server-key.pem -nodes -sha1 > \1024/server-req.pem openssl x509 -req -in \1024/server-req.pem -extfile wolfssl.cnf -extensions wolfssl_opts -days 1000 -CA \1024/ca-cert.pem -CAkey \1024/ca-key.pem -set_serial 01 > \1024/server-cert.pem rm \1024/server-req.pem openssl x509 -in \1024/ca-cert.pem -text > \1024/ca_tmp.pem openssl x509 -in \1024/server-cert.pem -text > \1024/srv_tmp.pem mv \1024/srv_tmp.pem \1024/server-cert.pem cat \1024/ca_tmp.pem >> \1024/server-cert.pem rm \1024/ca_tmp.pem ############################################################ ########## update and sign the server-ecc-rsa.pem ########## ############################################################ echo "Updating server-ecc-rsa.pem" echo "" echo -e "US\nMontana\nBozeman\nElliptic - RSAsig\nECC-RSAsig\nwww.wolfssl.com\ninfo@wolfssl.com\n.\n.\n" | openssl req -new -key ecc-key.pem -nodes > server-ecc-req.pem openssl x509 -req -in server-ecc-req.pem -extfile wolfssl.cnf -extensions wolfssl_opts -days 1000 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 > server-ecc-rsa.pem rm server-ecc-req.pem openssl x509 -in server-ecc-rsa.pem -text > tmp.pem mv tmp.pem server-ecc-rsa.pem ############################################################ ####### update the self-signed client-ecc-cert.pem ######### ############################################################ echo "Updating client-ecc-cert.pem" echo "" #pipe the following arguments to openssl req... echo -e "US\nOregon\nSalem\nClient ECC\nFast\nwww.wolfssl.com\ninfo@wolfssl.com\n.\n.\n" | openssl req -new -key ecc-client-key.pem -nodes -out client-ecc-cert.csr openssl x509 -req -in client-ecc-cert.csr -days 1000 -extfile wolfssl.cnf -extensions wolfssl_opts -signkey ecc-client-key.pem -out client-ecc-cert.pem rm client-ecc-cert.csr openssl x509 -in client-ecc-cert.pem -text > tmp.pem mv tmp.pem client-ecc-cert.pem ############################################################ ########## update the server-ecc.pem ####################### ############################################################ echo "Updating server-ecc.pem" echo "" #pipe the following arguments to openssl req... echo -e "US\nWashington\nSeattle\nEliptic\nECC\nwww.wolfssl.com\ninfo@wolfssl.com\n.\n.\n" | openssl req -new -key ecc-key.pem -nodes -out server-ecc.csr openssl x509 -req -in server-ecc.csr -days 1000 -extfile wolfssl.cnf -extensions server_ecc -CAfile ca-ecc-cert.pem -CAkey ca-ecc-key.pem -out server-ecc.pem rm server-ecc.csr openssl x509 -in server-ecc.pem -text > tmp.pem mv tmp.pem server-ecc.pem ############################################################ ###### update the self-signed server-ecc-comp.pem ########## ############################################################ echo "Updating server-ecc-comp.pem" echo "" #pipe the following arguments to openssl req... echo -e "US\nMontana\nBozeman\nElliptic - comp\nServer ECC-comp\nwww.wolfssl.com\ninfo@wolfssl.com\n.\n.\n" | openssl req -new -key ecc-key-comp.pem -nodes -out server-ecc-comp.csr openssl x509 -req -in server-ecc-comp.csr -days 1000 -extfile wolfssl.cnf -extensions wolfssl_opts -signkey ecc-key-comp.pem -out server-ecc-comp.pem rm server-ecc-comp.csr openssl x509 -in server-ecc-comp.pem -text > tmp.pem mv tmp.pem server-ecc-comp.pem ############################################################ ############## create the client-ca.pem file ############### ############################################################ echo "Updating client-ca.pem" echo "" cat client-cert.pem client-ecc-cert.pem > client-ca.pem ############################################################ ###### update the self-signed ecc-privOnlyCert.pem ######### ############################################################ echo "Updating ecc-privOnlyCert.pem" echo "" #pipe the following arguments to openssl req... echo -e ".\n.\n.\nWR\n.\nDE\n.\n.\n.\n" | openssl req -new -key ecc-privOnlyKey.pem -nodes -out ecc-privOnly.csr openssl x509 -req -in ecc-privOnly.csr -days 1000 -signkey ecc-privOnlyKey.pem -out ecc-privOnlyCert.pem rm ecc-privOnly.csr ############################################################ ###### update the self-signed test/digsigku.pem ########## ############################################################ echo "Updating test/digsigku.pem" echo "" #pipe the following arguments to openssl req... echo -e "US\nWashington\nSeattle\nFoofarah\nArglebargle\nfoobarbaz\ninfo@worlss.com\n.\n.\n" | openssl req -new -key ecc-key.pem -nodes -sha1 -out digsigku.csr openssl x509 -req -in digsigku.csr -days 1000 -extfile wolfssl.cnf -extensions digsigku -signkey ecc-key.pem -sha1 -set_serial 16393466893990650224 -out digsigku.pem rm digsigku.csr openssl x509 -in digsigku.pem -text > tmp.pem mv tmp.pem digsigku.pem mv digsigku.pem test/digsigku.pem ############################################################ ########## make .der files from .pem files ################# ############################################################ echo "Creating der formatted certs..." echo "" openssl x509 -inform PEM -in \1024/client-cert.pem -outform DER -out \1024/client-cert.der openssl x509 -inform PEM -in \1024/server-cert.pem -outform DER -out \1024/server-cert.der openssl x509 -inform PEM -in \1024/ca-cert.pem -outform DER -out \1024/ca-cert.der openssl x509 -inform PEM -in ca-cert.pem -outform DER -out ca-cert.der openssl x509 -inform PEM -in ca-ecc-cert.pem -outform DER -out ca-ecc-cert.der openssl x509 -inform PEM -in ca-ecc384-cert.pem -outform DER -out ca-ecc384-cert.der openssl x509 -inform PEM -in client-cert.pem -outform DER -out client-cert.der openssl x509 -inform PEM -in server-cert.pem -outform DER -out server-cert.der openssl x509 -inform PEM -in client-ecc-cert.pem -outform DER -out client-ecc-cert.der openssl x509 -inform PEM -in server-ecc-rsa.pem -outform DER -out server-ecc-rsa.der openssl x509 -inform PEM -in server-ecc.pem -outform DER -out server-ecc.der openssl x509 -inform PEM -in server-ecc-comp.pem -outform DER -out server-ecc-comp.der ############################################################ ###### update the ecc-rsa-server.p12 file ################## ############################################################ echo "Updating ecc-rsa-server.p12 (password is \"\")" echo "" echo "" | openssl pkcs12 -des3 -descert -export -in server-ecc-rsa.pem -inkey ecc-key.pem -certfile server-ecc.pem -out ecc-rsa-server.p12 -password stdin ############################################################ ###### update the test-servercert.p12 file ################# ############################################################ echo "Updating test-servercert.p12 (password is \"wolfSSL test\")" echo "" echo "wolfSSL test" | openssl pkcs12 -des3 -descert -export -in server-cert.pem -inkey server-key.pem -certfile ca-cert.pem -out test-servercert.p12 -password stdin ############################################################ ###### calling gen-ext-certs.sh ################## ############################################################ echo "Calling gen-ext-certs.sh" echo "" cd .. ./certs/test/gen-ext-certs.sh cd ./certs ############################################################ ###### calling gen-badsig.sh ################## ############################################################ echo "Calling gen-badsig.sh" echo "" cd ./test ./gen-badsig.sh cd ../ ############################################################ ########## generate ocsp certs ###################### ############################################################ echo "Changing directory to ocsp..." echo "" # guard against recursive calls to renewcerts.sh if [ -d ocsp ]; then cd ./ocsp echo "Execute ./renewcerts.sh..." ./renewcerts.sh cd ../ else echo "Error could not find ocsp directory" exit 1 fi ############################################################ ###### calling assemble-chains.sh ################## ############################################################ echo "Calling assemble-chains.sh" echo "" cd ./test-pathlen ./assemble-chains.sh cd ../ ############################################################ ########## store DER files as buffers ###################### ############################################################ echo "Changing directory to wolfssl root..." echo "" cd ../ echo "Execute ./gencertbuf.pl..." echo "" ./gencertbuf.pl ############################################################ ########## generate the new crls ########################### ############################################################ echo "Change directory to wolfssl/certs" echo "" cd certs echo "We are back in the certs directory" echo "" echo "Updating the crls..." echo "" cd crl echo "changed directory: cd/crl" echo "" ./gencrls.sh echo "ran ./gencrls.sh" echo "" #cleanup the file system now that we're done echo "Performing final steps, cleaning up the file system..." echo "" rm ../wolfssl.cnf } #function for restoring a previous configure state function restore_config(){ mv tmp.status config.status mv tmp.options.h wolfssl/options.h make clean make -j 8 } #function for copy and pasting ntru updates function move_ntru(){ cp ntru-cert.pem certs/ntru-cert.pem cp ntru-key.raw certs/ntru-key.raw cp ntru-cert.der certs/ntru-cert.der } ############################################################################### ##################### THE EXECUTABLE BODY ##################################### ############################################################################### #start in root. cd ../ #if HAVE_NTRU already defined && there is no argument if grep HAVE_NTRU "wolfssl/options.h" && [ -z "$1" ] then #run the function to renew the certs run_renewcerts # run_renewcerts will end in the wolfssl/certs/crl dir, backup to root. cd ../../ echo "changed directory to wolfssl root directory." echo "" echo "" echo "Enter directory to ed25519 certificate generation example." echo "Can be found at https://github.com/wolfSSL/wolfssl-examples" read ED25519_DIR if [ -d "${ED25519_DIR}" ]; then pushd ./certs/ed25519 ./gen-ed25519.sh ${ED25519_DIR} popd else echo "Unable to find directory ${ED25519_DIR}" exit 1 fi ############################################################ ########## update ntru if already installed ################ ############################################################ # We cannot assume that user has certgen and keygen enabled ./configure --with-ntru --enable-certgen --enable-keygen make check #copy/paste ntru-certs and key to certs/ move_ntru #else if there was an argument given, check it for validity or print out error elif [ ! -z "$1" ]; then #valid argument then renew certs without ntru if [ "$1" == "--override-ntru" ]; then echo "overriding ntru, update all certs except ntru." run_renewcerts #valid argument create ed25519 certificates elif [ "$1" == "--ed25519" ] || [ "$2" == "--ed25519" ]; then echo "" echo "Enter directory to ed25519 certificate generation example." echo "Can be found at https://github.com/wolfSSL/wolfssl-examples" read ED25519_DIR pushd ./certs/ed25519 ./gen-ed25519.sh ${ED25519_DIR} popd #valid argument print out other valid arguments elif [ "$1" == "-h" ] || [ "$1" == "-help" ]; then echo "" echo "\"no argument\" will attempt to update all certificates" echo "--override-ntru updates all certificates except ntru" echo "--ed25519 updates all ed25519 certificates" echo "-h or -help display this menu" echo "" echo "" #else the argument was invalid, tell user to use -h or -help else echo "" echo "That is not a valid option." echo "" echo "use -h or -help for a list of available options." echo "" fi #else HAVE_NTRU not already defined else echo "Saving the configure state" echo "" cp config.status tmp.status cp wolfssl/options.h tmp.options.h echo "Running make clean" echo "" make clean #attempt to define ntru by configuring with ntru echo "Configuring with ntru, enabling certgen and keygen" echo "" ./configure --with-ntru --enable-certgen --enable-keygen make check # check options.h a second time, if the user had # ntru installed on their system and in the default # path location, then it will now be defined, if the # user does not have ntru on their system this will fail # again and we will not update any certs until user installs # ntru in the default location # if now defined if grep HAVE_NTRU "wolfssl/options.h"; then run_renewcerts #run_renewcerts leaves us in wolfssl/certs/crl, backup to root cd ../../ echo "changed directory to wolfssl root directory." echo "" move_ntru echo "ntru-certs, and ntru-key.raw have been updated" echo "" # restore previous configure state restore_config else # restore previous configure state restore_config echo "" echo "ntru is not installed at the default location," echo "or ntru not installed, none of the certs were updated." echo "" echo "clone the ntru repository into your \"cd ~\" directory then," echo "\"cd NTRUEncrypt\" and run \"make\" then \"make install\"" echo "once complete run this script again to update all the certs." echo "" echo "To update all certs except ntru use \"./renewcerts.sh --override-ntru\"" echo "" fi #END now defined fi #END already defined exit 0