123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116 |
- #!/bin/sh
- # bwrap execution environment to avoid port conflicts
- if [ "${AM_BWRAPPED-}" != "yes" ]; then
- bwrap_path="$(command -v bwrap)"
- if [ -n "$bwrap_path" ]; then
- export AM_BWRAPPED=yes
- exec "$bwrap_path" --cap-add ALL --unshare-net --dev-bind / / "$0" "$@"
- fi
- fi
- check_result(){
- if [ $1 -ne 0 ]; then
- if [ -n "$2" ]; then
- echo "Step Failed, Abort"
- else
- echo "$2 Failed, Abort"
- fi
- exit 1
- else
- echo "Step Succeeded"
- fi
- }
- echo "OCSP renew certs Step 1"
- openssl req \
- -new \
- -key root-ca-key.pem \
- -out root-ca-cert.csr \
- -config ../renewcerts/wolfssl.cnf \
- -subj "/C=US/ST=Washington/L=Seattle/O=wolfSSL/OU=Engineering/CN=wolfSSL root CA/emailAddress=info@wolfssl.com"
- check_result $? ""
- echo "OCSP renew certs Step 2"
- openssl x509 \
- -req -in root-ca-cert.csr \
- -extfile openssl.cnf \
- -extensions v3_ca \
- -days 1000 \
- -signkey root-ca-key.pem \
- -set_serial 99 \
- -out root-ca-cert.pem
- check_result $? ""
- rm root-ca-cert.csr
- echo "OCSP renew certs Step 3"
- openssl x509 -in root-ca-cert.pem -text > tmp.pem
- check_result $? ""
- mv tmp.pem root-ca-cert.pem
- # $1 cert, $2 name, $3 ca, $4 extensions, $5 serial
- update_cert() {
- echo "Updating certificate \"$1-cert.pem\""
- openssl req \
- -new \
- -key "$1"-key.pem \
- -out "$1"-cert.csr \
- -config ../renewcerts/wolfssl.cnf \
- -subj "/C=US/ST=Washington/L=Seattle/O=wolfSSL/OU=Engineering/CN=$2/emailAddress=info@wolfssl.com"
- check_result $? "Step 1"
- openssl x509 \
- -req -in "$1"-cert.csr \
- -extfile openssl.cnf \
- -extensions "$4" \
- -days 1000 \
- -CA "$3"-cert.pem \
- -CAkey "$3"-key.pem \
- -set_serial "$5" \
- -out "$1"-cert.pem
- check_result $? "Step 2"
- rm "$1"-cert.csr
- openssl x509 -in "$1"-cert.pem -text > "$1"_tmp.pem
- check_result $? "Step 3"
- mv "$1"_tmp.pem "$1"-cert.pem
- cat "$3"-cert.pem >> "$1"-cert.pem
- }
- update_cert intermediate1-ca "wolfSSL intermediate CA 1" root-ca v3_ca 01
- update_cert intermediate2-ca "wolfSSL intermediate CA 2" root-ca v3_ca 02
- update_cert intermediate3-ca "wolfSSL REVOKED intermediate CA" root-ca v3_ca 03 # REVOKED
- update_cert ocsp-responder "wolfSSL OCSP Responder" root-ca v3_ocsp 04
- update_cert server1 "www1.wolfssl.com" intermediate1-ca v3_req1 05
- update_cert server2 "www2.wolfssl.com" intermediate1-ca v3_req1 06 # REVOKED
- update_cert server3 "www3.wolfssl.com" intermediate2-ca v3_req2 07
- update_cert server4 "www4.wolfssl.com" intermediate2-ca v3_req2 08 # REVOKED
- update_cert server5 "www5.wolfssl.com" intermediate3-ca v3_req3 09
- # Create response DER buffer for test
- openssl ocsp -port 22221 -ndays 1000 -index index-ca-and-intermediate-cas.txt -rsigner ocsp-responder-cert.pem -rkey ocsp-responder-key.pem -CA root-ca-cert.pem -partial_chain &
- PID=$!
- sleep 1 # Make sure server is ready
- openssl ocsp -issuer ./root-ca-cert.pem -cert ./intermediate1-ca-cert.pem -url http://localhost:22221/ -respout test-response.der -noverify
- openssl ocsp -issuer ./root-ca-cert.pem -cert ./intermediate1-ca-cert.pem -url http://localhost:22221/ -respout test-response-nointern.der -no_intern -noverify
- openssl ocsp -issuer ./root-ca-cert.pem -cert ./intermediate1-ca-cert.pem -cert ./intermediate2-ca-cert.pem -url http://localhost:22221/ -respout test-multi-response.der -noverify
- kill $PID
- wait $PID
- # now start up a responder that signs using rsa-pss
- openssl ocsp -port 22221 -ndays 1000 -index index-ca-and-intermediate-cas.txt -rsigner ocsp-responder-cert.pem -rkey ocsp-responder-key.pem -CA root-ca-cert.pem -rsigopt rsa_padding_mode:pss &
- PID=$!
- sleep 1 # Make sure server is ready
- openssl ocsp -issuer ./root-ca-cert.pem -cert ./intermediate1-ca-cert.pem -url http://localhost:22221/ -respout test-response-rsapss.der -noverify
- # can verify with the following command
- # openssl ocsp -respin test-response-nointern.der -CAfile root-ca-cert.pem -issuer intermediate1-ca-cert.pem
- kill $PID
- wait $PID
- exit 0
|