renewcerts.sh 4.3 KB

  1. #!/bin/sh
  # Re-exec this script inside a bubblewrap sandbox with its own network
  # namespace, so the fixed OCSP responder port used further down cannot collide
  # with anything already listening on the host. AM_BWRAPPED marks the re-exec'd
  # copy and prevents an endless re-exec loop. When bwrap is not installed the
  # script simply carries on unsandboxed.
  # NOTE(review): --unshare-net is the only isolation requested here;
  # --dev-bind / / exposes the whole host filesystem and --cap-add ALL requests
  # every capability, so treat this as port isolation rather than a security
  # boundary -- confirm whether ALL is really required.
  if [ "${AM_BWRAPPED-}" != "yes" ] &&
    bwrap_path="$(command -v bwrap)" &&
    [ -n "$bwrap_path" ]; then
    export AM_BWRAPPED=yes
    exec "$bwrap_path" --cap-add ALL --unshare-net --dev-bind / / "$0" "$@"
  fi
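  # Report the outcome of the previous command and abort the script on failure.
  # Arguments: $1 - exit status to check (normally $?)
  #            $2 - optional step label used in the failure message
  # Outputs:   "Step Succeeded", or "<label> Failed, Abort" ("Step Failed, Abort"
  #            when no label is given), on stdout
  # Returns:   0 on success; calls exit 1 for any non-zero, missing or
  #            non-numeric status
  check_result() {
    # Fail closed: a missing or non-numeric status must never count as success.
    if [ "${1-}" -eq 0 ] 2>/dev/null; then
      echo "Step Succeeded"
      return 0
    fi
    # The label test used to be -n, which printed the generic message when a
    # label was supplied and " Failed, Abort" when it was not.
    if [ -z "${2-}" ]; then
      echo "Step Failed, Abort"
    else
      echo "$2 Failed, Abort"
    fi
    exit 1
  }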
  # ---- Root CA renewal ------------------------------------------------------
  # Step 1: build a CSR for the root CA from the existing key, so the key pair
  # stays the same and only the certificate is re-issued.
  echo "OCSP renew certs Step 1"
  openssl req -new \
    -key root-ca-key.pem -out root-ca-cert.csr \
    -config ../renewcerts/wolfssl.cnf \
    -subj "/C=US/ST=Washington/L=Seattle/O=wolfSSL/OU=Engineering/CN=wolfSSL root CA/emailAddress=info@wolfssl.com"
  check_result "$?" ""

  # Step 2: self-sign the CSR with the root key (-signkey) using the v3_ca
  # extensions from openssl.cnf, a fixed serial of 99 and a 1000-day lifetime.
  echo "OCSP renew certs Step 2"
  openssl x509 -req -in root-ca-cert.csr \
    -extfile openssl.cnf -extensions v3_ca \
    -days 1000 \
    -signkey root-ca-key.pem \
    -set_serial 99 \
    -out root-ca-cert.pem
  check_result "$?" ""
  rm root-ca-cert.csr

  # Step 3: rewrite the certificate with its human-readable dump (-text) in
  # front of the PEM block; go through a temporary file because the input and
  # the output are the same path.
  echo "OCSP renew certs Step 3"
  openssl x509 -in root-ca-cert.pem -text >tmp.pem
  check_result "$?" ""
  mv tmp.pem root-ca-cert.pem
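  # Re-issue one certificate from its existing key and append the issuer's
  # certificate file so the result can be used as a chain file.
  # Arguments: $1 - file prefix of the certificate (reads $1-key.pem, writes
  #                 $1-cert.pem)
  #            $2 - common name placed in the subject
  #            $3 - file prefix of the issuing CA ($3-cert.pem / $3-key.pem)
  #            $4 - extensions section of openssl.cnf to apply
  #            $5 - serial number for the new certificate
  # Outputs:   progress messages on stdout
  # Returns:   exits the script (via check_result) when a step fails
  update_cert() {
    echo "Updating certificate \"$1-cert.pem\""

    # Step 1: CSR from the existing private key.
    openssl req \
      -new \
      -key "${1}-key.pem" \
      -out "${1}-cert.csr" \
      -config ../renewcerts/wolfssl.cnf \
      -subj "/C=US/ST=Washington/L=Seattle/O=wolfSSL/OU=Engineering/CN=$2/emailAddress=info@wolfssl.com"
    check_result "$?" "Step 1"

    # Step 2: sign the CSR with the issuing CA, valid for 1000 days.
    openssl x509 \
      -req -in "${1}-cert.csr" \
      -extfile openssl.cnf \
      -extensions "$4" \
      -days 1000 \
      -CA "${3}-cert.pem" \
      -CAkey "${3}-key.pem" \
      -set_serial "$5" \
      -out "${1}-cert.pem"
    check_result "$?" "Step 2"

    # Best-effort cleanup: a leftover CSR does not affect the certificate.
    rm "${1}-cert.csr"

    # Step 3: put the human-readable dump (-text) in front of the PEM block.
    openssl x509 -in "${1}-cert.pem" -text >"${1}_tmp.pem"
    check_result "$?" "Step 3"

    # A failed move or append would leave a certificate file without its text
    # dump or without its issuer chain while the script still reported success,
    # so both are checked. Nothing extra is printed when they succeed.
    mv "${1}_tmp.pem" "${1}-cert.pem" || check_result "$?" "Step 3"
    cat "${3}-cert.pem" >>"${1}-cert.pem" || check_result "$?" "Step 4"
  }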
  # Re-issue the whole OCSP test hierarchy. Order matters: every issuer must be
  # renewed before the certificates it signs, because update_cert appends the
  # issuer's current certificate file to each result.
  # Columns: file prefix, common name, issuer prefix, extensions section, serial.
  # Entries tagged REVOKED carry that tag from the original listing; presumably
  # they are the ones marked revoked in the responder index files -- confirm.

  # Issued directly by the root CA
  update_cert intermediate1-ca 'wolfSSL intermediate CA 1' root-ca v3_ca 01
  update_cert intermediate2-ca 'wolfSSL intermediate CA 2' root-ca v3_ca 02
  update_cert intermediate3-ca 'wolfSSL REVOKED intermediate CA' root-ca v3_ca 03 # REVOKED
  update_cert ocsp-responder 'wolfSSL OCSP Responder' root-ca v3_ocsp 04

  # Issued by the intermediates
  update_cert server1 'www1.wolfssl.com' intermediate1-ca v3_req1 05
  update_cert server2 'www2.wolfssl.com' intermediate1-ca v3_req1 06 # REVOKED
  update_cert server3 'www3.wolfssl.com' intermediate2-ca v3_req2 07
  update_cert server4 'www4.wolfssl.com' intermediate2-ca v3_req2 08 # REVOKED
  update_cert server5 'www5.wolfssl.com' intermediate3-ca v3_req3 09
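  # Create response DER buffer for test
  # A local OCSP responder is started on port 22221 and queried with the
  # openssl client; each response is saved as a DER file for the test suite.
  # The client runs with -noverify, so the response signature is not checked
  # when it is written: a saved file only proves that the responder answered.
  # Use the verification command quoted near the end of this section to check
  # a response against the CA.

  # Stop the background responder and abort. Used when a client request fails,
  # so that stale or missing response files are not reported as a successful
  # renewal and no responder is left holding the port.
  # Arguments: $1 - name of the response file that could not be produced
  ocsp_abort() {
    echo "OCSP request for $1 Failed, Abort"
    # The responder may already have exited, so errors here are expected.
    kill "$PID" 2>/dev/null
    wait "$PID" 2>/dev/null
    exit 1
  }

  openssl ocsp -port 22221 -ndays 1000 -index index-ca-and-intermediate-cas.txt -rsigner ocsp-responder-cert.pem -rkey ocsp-responder-key.pem -CA root-ca-cert.pem -partial_chain &
  PID=$!
  # Fixed delay rather than a readiness probe; if the responder is not up yet
  # (or could not bind the port) the first request below fails and aborts.
  sleep 1 # Make sure server is ready
  openssl ocsp -issuer ./root-ca-cert.pem -cert ./intermediate1-ca-cert.pem -url http://localhost:22221/ -respout test-response.der -noverify ||
    ocsp_abort test-response.der
  openssl ocsp -issuer ./root-ca-cert.pem -cert ./intermediate1-ca-cert.pem -url http://localhost:22221/ -respout test-response-nointern.der -no_intern -noverify ||
    ocsp_abort test-response-nointern.der
  openssl ocsp -issuer ./root-ca-cert.pem -cert ./intermediate1-ca-cert.pem -cert ./intermediate2-ca-cert.pem -url http://localhost:22221/ -respout test-multi-response.der -noverify ||
    ocsp_abort test-multi-response.der
  # Wait for the responder to exit so the port is free for the next one.
  kill "$PID"
  wait "$PID"

  # now start up a responder that signs using rsa-pss
  openssl ocsp -port 22221 -ndays 1000 -index index-ca-and-intermediate-cas.txt -rsigner ocsp-responder-cert.pem -rkey ocsp-responder-key.pem -CA root-ca-cert.pem -rsigopt rsa_padding_mode:pss &
  PID=$!
  sleep 1 # Make sure server is ready
  openssl ocsp -issuer ./root-ca-cert.pem -cert ./intermediate1-ca-cert.pem -url http://localhost:22221/ -respout test-response-rsapss.der -noverify ||
    ocsp_abort test-response-rsapss.der
  # can verify with the following command
  # openssl ocsp -respin test-response-nointern.der -CAfile root-ca-cert.pem -issuer intermediate1-ca-cert.pem
  kill "$PID"
  wait "$PID"
  exit 0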