
  1. #!/usr/bin/env bash
#
# assemble-chains.sh
# Create the certs and assemble all of the certificate CA path-length test chains.
# Run it from the directory that holds the per-chain "*-key.pem" files: every path
# below is relative to the working directory (../ca-cert.pem, ../ca-key.pem and
# ../renewcerts/wolfssl.cnf), and the generated certs and assembled chains are
# written into that same directory.
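#######################################
# Abort the script if the step that just ran failed.
# Arguments:
#   $1 - exit status of the step (callers pass "$?")
#   $2 - human-readable step name used in the message
# Outputs:
#   "<step> Succeeded!" on stdout when $1 is 0;
#   "<step> Failed, Abort" on stderr otherwise
# Returns:
#   0 when $1 is 0; otherwise exits the whole script with status 1
#######################################
check_result(){
  local status="$1"
  local step="$2"
  # Quoted so an empty/unset status is a visible test error rather than a
  # silently true "[ -ne 0 ]"; failures go to stderr so they are not lost
  # when stdout is redirected.
  if [ "$status" -ne 0 ]; then
    echo "$step Failed, Abort" >&2
    exit 1
  fi
  echo "$step Succeeded!"
}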
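#######################################
# Create one intermediate CA cert for a path-length test chain.
# Arguments:
#   $1 - chain ID, e.g. "chainA"
#   $2 - ICA number, e.g. "ICA1" (the entity is signed by ICA1, ICA1 by ICA2,
#        and so on up to the ICA signed by the root)
#   $3 - pathLenConstraint to encode: a number N selects the "pathlen_N"
#        extension section of ../renewcerts/wolfssl.cnf; the literal
#        "no_pathlen" selects the "wolfssl_opts_ICA" section instead
#   $4 - cert of the signer (this intermediate's issuer)
#   $5 - private key of the signer
# Inputs:
#   "$1-$2-key.pem" must already exist; nothing in this script creates keys.
# Outputs:
#   writes "$1-$2-pathlen$3.pem" (or "$1-$2-no_pathlen.pem") holding the
#   "openssl x509 -text" dump followed by the PEM cert; progress on stdout
# Returns:
#   0 on success; a failing openssl step aborts the whole script through
#   check_result (temp-req.pem may be left behind in that case)
# example: create_an_intermediate "chainA" "ICA1" "0" "../ca-cert.pem" "../ca-key.pem"
#######################################
create_an_intermediate(){
  local chainID="$1"
  local icaNum="$2"
  local pathLen="$3"
  local signer="$4"
  local signerKey="$5"
  local outFile extSection

  echo "pathLen = $3, $pathLen"
  echo ""

  # Resolve the output name and extension section once; the openssl sequence
  # below is the same for both cases.
  if [ "$pathLen" = "no_pathlen" ]; then
    outFile="$chainID-$icaNum-$pathLen.pem"
    extSection="wolfssl_opts_ICA"
  else
    outFile="$chainID-$icaNum-pathlen$pathLen.pem"
    extSection="pathlen_$pathLen"
  fi
  echo "Updating $outFile"

  # Answers for the interactive "openssl req" prompts; the prompt order comes
  # from ../renewcerts/wolfssl.cnf (presumably C, ST, L, O, OU, CN, email and
  # two extra attributes). The CN is the output file name without ".pem".
  # There is no pipefail, so $? below is the status of openssl, the last stage.
  printf 'US\nWashington\nSeattle\nwolfSSL Inc.\nEngineering\n%s\ninfo@wolfssl.com\n.\n.\n' "${outFile%.pem}" \
    | openssl req -new -key "$chainID-$icaNum-key.pem" -config ../renewcerts/wolfssl.cnf -nodes -sha256 > temp-req.pem
  check_result $? "Step 1"

  # NOTE(review): every intermediate is issued with serial 100, so certs signed
  # by the same CA (ca-cert.pem signs the top ICA of several chains) share an
  # issuer+serial pair. RFC 5280 requires serials to be unique per issuer;
  # this is tolerable for throwaway pathLen fixtures but do not reuse the
  # script for certs that a real verifier, CRL or cache will key on
  # issuer+serial.
  openssl x509 -req -in temp-req.pem -extfile ../renewcerts/wolfssl.cnf -extensions "$extSection" -days 1000 -CA "$signer" -CAkey "$signerKey" -set_serial 100 -sha256 > "$outFile"
  check_result $? "Step 2"
  rm temp-req.pem

  # Rewrite the file with the human-readable dump in front of the PEM block.
  openssl x509 -in "$outFile" -text > ca_tmp.pem
  check_result $? "Step 3"
  mv ca_tmp.pem "$outFile"

  echo "End of Section"
  echo "-------------------------------------------------------------------------"
}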
  52. ###########################################################
  53. ########## update chainA-entity.pem ################
  54. ###########################################################
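#######################################
# Create the end-entity (leaf) cert for a path-length test chain.
# Arguments:
#   $1 - chain ID, e.g. "chainA"
#   $2 - cert of the signer (the ICA1 intermediate of that chain)
#   $3 - private key of the signer
# Inputs:
#   "$1-entity-key.pem" must already exist; nothing in this script creates keys.
# Outputs:
#   writes "$1-entity.pem" holding the "openssl x509 -text" dump followed by
#   the PEM cert, using the "test_pathlen" extension section of
#   ../renewcerts/wolfssl.cnf (its contents are not visible here); progress
#   on stdout
# Returns:
#   0 on success; a failing openssl step aborts the whole script through
#   check_result (temp-req.pem may be left behind in that case)
# example: create_an_entity "chainA" "chainA-ICA1-pathlen0.pem" "chainA-ICA1-key.pem"
#######################################
create_an_entity(){
  local chainID="$1"
  local signer="$2"
  local signerKey="$3"
  local outFile="$chainID-entity.pem"

  echo "Updating $outFile"
  echo ""

  # Answers for the interactive "openssl req" prompts; the prompt order comes
  # from ../renewcerts/wolfssl.cnf (presumably C, ST, L, O, OU, CN, email and
  # two extra attributes). The CN is the output file name without ".pem".
  # There is no pipefail, so $? below is the status of openssl, the last stage.
  printf 'US\nWashington\nSeattle\nwolfSSL Inc.\nEngineering\n%s\ninfo@wolfssl.com\n.\n.\n' "${outFile%.pem}" \
    | openssl req -new -key "$chainID-entity-key.pem" -config ../renewcerts/wolfssl.cnf -nodes -sha256 > temp-req.pem
  check_result $? "Step 1"

  # Serial 101 distinguishes the leaf from the intermediates (serial 100)
  # issued by the same ICA key elsewhere in this script.
  openssl x509 -req -in temp-req.pem -extfile ../renewcerts/wolfssl.cnf -extensions test_pathlen -days 1000 -CA "$signer" -CAkey "$signerKey" -set_serial 101 -sha256 > "$outFile"
  check_result $? "Step 2"
  rm temp-req.pem

  # Rewrite the file with the human-readable dump in front of the PEM block.
  openssl x509 -in "$outFile" -text > cert_tmp.pem
  check_result $? "Step 3"
  mv cert_tmp.pem "$outFile"

  echo "End of Section"
  echo "-------------------------------------------------------------------------"
}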
  79. ###########################################################
  80. ########## Create the certs ################
  81. ###########################################################
  82. create_an_intermediate "chainA" "ICA1" "0" "../ca-cert.pem" "../ca-key.pem"
  83. create_an_entity "chainA" "chainA-ICA1-pathlen0.pem" "chainA-ICA1-key.pem"
  84. create_an_intermediate "chainB" "ICA2" "1" "../ca-cert.pem" "../ca-key.pem"
  85. create_an_intermediate "chainB" "ICA1" "0" "chainB-ICA2-pathlen1.pem" "chainB-ICA2-key.pem"
  86. create_an_entity "chainB" "chainB-ICA1-pathlen0.pem" "chainB-ICA1-key.pem"
  87. create_an_intermediate "chainC" "ICA1" "1" "../ca-cert.pem" "../ca-key.pem"
  88. create_an_entity "chainC" "chainC-ICA1-pathlen1.pem" "chainC-ICA1-key.pem"
  89. create_an_intermediate "chainD" "ICA1" "127" "../ca-cert.pem" "../ca-key.pem"
  90. create_an_entity "chainD" "chainD-ICA1-pathlen127.pem" "chainD-ICA1-key.pem"
  91. create_an_intermediate "chainE" "ICA1" "128" "../ca-cert.pem" "../ca-key.pem"
  92. create_an_entity "chainE" "chainE-ICA1-pathlen128.pem" "chainE-ICA1-key.pem"
  93. create_an_intermediate "chainF" "ICA2" "0" "../ca-cert.pem" "../ca-key.pem"
  94. create_an_intermediate "chainF" "ICA1" "1" "chainF-ICA2-pathlen0.pem" "chainF-ICA2-key.pem"
  95. create_an_entity "chainF" "chainF-ICA1-pathlen1.pem" "chainF-ICA1-key.pem"
  96. create_an_intermediate "chainG" "ICA7" "100" "../ca-cert.pem" "../ca-key.pem"
  97. create_an_intermediate "chainG" "ICA6" "10" "chainG-ICA7-pathlen100.pem" "chainG-ICA7-key.pem"
  98. create_an_intermediate "chainG" "ICA5" "20" "chainG-ICA6-pathlen10.pem" "chainG-ICA6-key.pem"
  99. create_an_intermediate "chainG" "ICA4" "5" "chainG-ICA5-pathlen20.pem" "chainG-ICA5-key.pem"
  100. create_an_intermediate "chainG" "ICA3" "99" "chainG-ICA4-pathlen5.pem" "chainG-ICA4-key.pem"
  101. create_an_intermediate "chainG" "ICA2" "1" "chainG-ICA3-pathlen99.pem" "chainG-ICA3-key.pem"
  102. create_an_intermediate "chainG" "ICA1" "0" "chainG-ICA2-pathlen1.pem" "chainG-ICA2-key.pem"
  103. create_an_entity "chainG" "chainG-ICA1-pathlen0.pem" "chainG-ICA1-key.pem"
  104. # Fail: PathLen of 2, signing PathLen of 2, signing Pathlen of 2, signing PathLen 0
  105. # max_path_len = 2, max_path_len -= 1 (1), max_path_len -= 1 (0), max-path_len 0, non-entity cert.
  106. create_an_intermediate "chainH" "ICA4" "2" "../ca-cert.pem" "../ca-key.pem"
  107. create_an_intermediate "chainH" "ICA3" "2" "chainH-ICA4-pathlen2.pem" "chainH-ICA4-key.pem"
  108. create_an_intermediate "chainH" "ICA2" "2" "chainH-ICA3-pathlen2.pem" "chainH-ICA3-key.pem"
  109. create_an_intermediate "chainH" "ICA1" "0" "chainH-ICA2-pathlen2.pem" "chainH-ICA2-key.pem"
  110. create_an_entity "chainH" "chainH-ICA1-pathlen0.pem" "chainH-ICA1-key.pem"
  111. # Success, PathLen of 2 followed by 2 Intermediates with no pathLen set
  112. create_an_intermediate "chainI" "ICA3" "2" "../ca-cert.pem" "../ca-key.pem"
  113. create_an_intermediate "chainI" "ICA2" "no_pathlen" "chainI-ICA3-pathlen2.pem" "chainI-ICA3-key.pem"
  114. create_an_intermediate "chainI" "ICA1" "no_pathlen" "chainI-ICA2-no_pathlen.pem" "chainI-ICA2-key.pem"
  115. create_an_entity "chainI" "chainI-ICA1-no_pathlen.pem" "chainI-ICA1-key.pem"
  116. # Fail: PathLen of 2 followed by 3 Intermediates with no pathLen set
  117. create_an_intermediate "chainJ" "ICA4" "2" "../ca-cert.pem" "../ca-key.pem"
  118. create_an_intermediate "chainJ" "ICA3" "no_pathlen" "chainJ-ICA4-pathlen2.pem" "chainJ-ICA4-key.pem"
  119. create_an_intermediate "chainJ" "ICA2" "no_pathlen" "chainJ-ICA3-no_pathlen.pem" "chainJ-ICA3-key.pem"
  120. create_an_intermediate "chainJ" "ICA1" "no_pathlen" "chainJ-ICA2-no_pathlen.pem" "chainJ-ICA2-key.pem"
  121. create_an_entity "chainJ" "chainJ-ICA1-no_pathlen.pem" "chainJ-ICA1-key.pem"
  122. ###########################################################
  123. ########## Assemble Chains ################
  124. ###########################################################
  125. # Success: PathLen of 0
  126. ## chainA-ICA1-pathlen0.pem: signed by ca-cert.pem
  127. ## chainA-entity.pem: signed by chainA-ICA1-pathlen0.pem
  128. cat chainA-entity.pem chainA-ICA1-pathlen0.pem > chainA-assembled.pem
  129. # Success: PathLen of 1
  130. ## chainB-ICA2-pathlen1.pem: signed by ca-cert.pem
  131. ## chainB-ICA1-pathlen0.pem: signed by chainB-ICA2-pathlen1.pem
  132. ## chainB-entity.pem: signed by chainB-ICA1-pathlen0.pem
  133. cat chainB-entity.pem chainB-ICA1-pathlen0.pem chainB-ICA2-pathlen1.pem > chainB-assembled.pem
  134. ## chainC-entity.pem: signed by chainC-ICA1-pathlen1.pem
  135. cat chainC-entity.pem chainC-ICA1-pathlen1.pem > chainC-assembled.pem
  136. # Success: PathLen of 127
  137. ## chainD-ICA1-pathlen127.pem: signed by ca-cert.pem
  138. ## chainD-entity.pem: signed by chainD-entity.pem
  139. cat chainD-entity.pem chainD-ICA1-pathlen127.pem > chainD-assembled.pem
  140. # Failure: PathLen of 128
  141. ## chainE-ICA1-pathlen128.pem: signed by ca-cert.pem
  142. ## chainE-entity.pem: signed by chainE-ICA1-pathlen128.pem
  143. cat chainE-entity.pem chainE-ICA1-pathlen128.pem > chainE-assembled.pem
  144. # Failure: PathLen of 0, signing PathLen of 1
  145. ## chainF-ICA1-pathlen1.pem: signed by chainA-ICA1-pathlen0.pem
  146. ## chainF-entity.pem: signed by chainF-ICA1-pathlen1.pem
  147. cat chainF-entity.pem chainF-ICA1-pathlen1.pem chainF-ICA2-pathlen0.pem > chainF-assembled.pem
  148. # Success: PathLen of 127, signing PathLen of 10, signing PathLen of 20, signing
  149. # PathLen of 5, signing PathLen of 99, signing PathLen of 1, signing
  150. # PathLen of 0
  151. cat chainG-entity.pem chainG-ICA1-pathlen0.pem > chainG-assembled.pem
  152. cat chainG-ICA2-pathlen1.pem chainG-ICA3-pathlen99.pem >> chainG-assembled.pem
  153. cat chainG-ICA4-pathlen5.pem chainG-ICA5-pathlen20.pem >> chainG-assembled.pem
  154. cat chainG-ICA6-pathlen10.pem chainG-ICA7-pathlen100.pem >> chainG-assembled.pem
  155. # Fail: PathLen of 2, signing PathLen of 2, signing Pathlen of 2, signing PathLen 0
  156. # max_path_len = 2, max_path_len -= 1 (1), max_path_len -= 1 (0), max-path_len 0, non-entity cert.
  157. cat chainH-entity.pem chainH-ICA1-pathlen0.pem > chainH-assembled.pem
  158. cat chainH-ICA2-pathlen2.pem chainH-ICA3-pathlen2.pem >> chainH-assembled.pem
  159. cat chainH-ICA4-pathlen2.pem >> chainH-assembled.pem
  160. # Fail:
  161. cat chainI-entity.pem chainI-ICA1-no_pathlen.pem > chainI-assembled.pem
  162. cat chainI-ICA2-no_pathlen.pem chainI-ICA3-pathlen2.pem >> chainI-assembled.pem
  163. # Fail: PathLen of 2, signing PathLen of 2, signing Pathlen of 2, signing PathLen 0
  164. # max_path_len = 2, max_path_len -= 1 (1), max_path_len -= 1 (0), max-path_len 0, non-entity cert.
  165. cat chainJ-entity.pem chainJ-ICA1-no_pathlen.pem > chainJ-assembled.pem
  166. cat chainJ-ICA2-no_pathlen.pem chainJ-ICA3-no_pathlen.pem >> chainJ-assembled.pem
  167. cat chainJ-ICA4-pathlen2.pem >> chainJ-assembled.pem