Etusivu Tutki Apua
Kirjaudu sisään
RISCI_ATOM
/
wolfssl
peilaus alkaen https://github.com/wolfSSL/wolfssl.git
1
0
Fork 0
Tiedostot Ongelmat 14 Wiki
Puu: 9dcc48c8f7
Haarat Tagit
wolfssl
/
certs
/
ecc
/
genecc.sh

genecc.sh 10 KB
Historia Raaka

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161 
  1. #!/bin/bash
    2. 

  2. 

  3. # run from wolfssl root
    4. 

  4. 

  5. rm ./certs/ecc/*.old
    6. 

  6. rm ./certs/ecc/index.txt*
    7. 

  7. rm ./certs/ecc/serial
    8. 

  8. rm ./certs/ecc/crlnumber
    9. 

  9. 

  10. touch ./certs/ecc/index.txt
    11. 

  11. echo 1000 > ./certs/ecc/serial
    12. 

  12. echo 2000 > ./certs/ecc/crlnumber
    13. 

  13. 

  14. # generate ECC 256-bit CA
    15. 

  15. if [ -f ./certs/ca-ecc-key.pem ]; then
    16. 

  16.     openssl req -config ./certs/ecc/wolfssl.cnf -extensions v3_ca -x509 -nodes -key ./certs/ca-ecc-key.pem -out ./certs/ca-ecc-cert.pem -sha256 \
    17. 

  17.         -days 7300 -batch -subj "/C=US/ST=Washington/L=Seattle/O=wolfSSL/OU=Development/CN=www.wolfssl.com/emailAddress=info@wolfssl.com"
    18. 

  18. else
    19. 

  19.     openssl ecparam -out ./certs/ca-ecc-key.par -name prime256v1
    20. 

  20.     openssl req -config ./certs/ecc/wolfssl.cnf -extensions v3_ca -x509 -nodes -newkey ec:./certs/ca-ecc-key.par -keyout ./certs/ca-ecc-key.pem -out ./certs/ca-ecc-cert.pem -sha256 \
    21. 

  21.         -days 7300 -batch -subj "/C=US/ST=Washington/L=Seattle/O=wolfSSL/OU=Development/CN=www.wolfssl.com/emailAddress=info@wolfssl.com"
    22. 

  22. fi
    23. 

  23. 

  24. openssl x509 -in ./certs/ca-ecc-cert.pem -inform PEM -out ./certs/ca-ecc-cert.der -outform DER
    25. 

  25. openssl ec -in ./certs/ca-ecc-key.pem -inform PEM -out ./certs/ca-ecc-key.der -outform DER
    26. 

  26. 

  27. rm ./certs/ca-ecc-key.par
    28. 

  28. 

  29. # Gen CA CRL
    30. 

  30. openssl ca -batch -config ./certs/ecc/wolfssl.cnf -gencrl -crldays 1000 -out ./certs/crl/caEccCrl.pem -keyfile ./certs/ca-ecc-key.pem -cert ./certs/ca-ecc-cert.pem
    31. 

  31. 

  32. 

  33. 

  34. # Generate ECC 256-bit server cert
    35. 

  35. openssl req -config ./certs/ecc/wolfssl.cnf -sha256 -new -key ./certs/ecc-key.pem -out ./certs/server-ecc-req.pem -subj "/C=US/ST=Washington/L=Seattle/O=Eliptic/OU=ECC/CN=www.wolfssl.com/emailAddress=info@wolfssl.com/"
    36. 

  36. openssl x509 -req -in ./certs/server-ecc-req.pem -CA ./certs/ca-ecc-cert.pem -CAkey ./certs/ca-ecc-key.pem -CAcreateserial -out ./certs/server-ecc.pem -sha256
    37. 

  37. 

  38. # Sign server certificate
    39. 

  39. openssl ca -batch -config ./certs/ecc/wolfssl.cnf -extensions server_cert -days 3650 -notext -md sha256 -in ./certs/server-ecc-req.pem -out ./certs/server-ecc.pem
    40. 

  40. openssl x509 -in ./certs/server-ecc.pem -outform der -out ./certs/server-ecc.der
    41. 

  41. 

  42. # Generate ECC 256-bit self-signed server cert
    43. 

  43. openssl x509 -req -in ./certs/server-ecc-req.pem -days 3650 -extfile ./certs/ecc/wolfssl.cnf -extensions server_cert -signkey ./certs/ecc-key.pem -text -out ./certs/server-ecc-self.pem
    44. 

  44. openssl x509 -inform pem -in ./certs/server-ecc-self.pem -outform der -out ./certs/server-ecc-self.der
    45. 

  45. 

  46. rm ./certs/server-ecc-req.pem
    47. 

  47. 

  48. 

  49. 

  50. # generate ECC 384-bit CA
    51. 

  51. if [ -f ./certs/ca-ecc384-key.pem ]; then
    52. 

  52.     openssl req -config ./certs/ecc/wolfssl_384.cnf -extensions v3_ca -x509 -nodes -key ./certs/ca-ecc384-key.pem -out ./certs/ca-ecc384-cert.pem -sha384 \
    53. 

  53.         -days 7300 -batch -subj "/C=US/ST=Washington/L=Seattle/O=wolfSSL/OU=Development/CN=www.wolfssl.com/emailAddress=info@wolfssl.com"
    54. 

  54. else
    55. 

  55.     openssl ecparam -out ./certs/ca-ecc384-key.par -name secp384r1
    56. 

  56.     openssl req -config ./certs/ecc/wolfssl_384.cnf -extensions v3_ca -x509 -nodes -newkey ec:./certs/ca-ecc384-key.par -keyout ./certs/ca-ecc384-key.pem -out ./certs/ca-ecc384-cert.pem -sha384 \
    57. 

  57.         -days 7300 -batch -subj "/C=US/ST=Washington/L=Seattle/O=wolfSSL/OU=Development/CN=www.wolfssl.com/emailAddress=info@wolfssl.com"
    58. 

  58. fi
    59. 

  59. 

  60. openssl x509 -in ./certs/ca-ecc384-cert.pem -inform PEM -out ./certs/ca-ecc384-cert.der -outform DER
    61. 

  61. openssl ec -in ./certs/ca-ecc384-key.pem -inform PEM -out ./certs/ca-ecc384-key.der -outform DER
    62. 

  62. 

  63. rm ./certs/ca-ecc384-key.par
    64. 

  64. 

  65. # Gen CA CRL
    66. 

  66. openssl ca -batch -config ./certs/ecc/wolfssl_384.cnf -gencrl -crldays 1000 -out ./certs/crl/caEcc384Crl.pem -keyfile ./certs/ca-ecc384-key.pem -cert ./certs/ca-ecc384-cert.pem
    67. 

  67. 

  68. 

  69. 

  70. # Generate ECC 384-bit server cert
    71. 

  71. if [ -f ./certs/server-ecc384-key.pem ]; then
    72. 

  72.     openssl req -config ./certs/ecc/wolfssl_384.cnf -sha384 -x509 -nodes -key ./certs/server-ecc384-key.pem -out ./certs/server-ecc384-req.pem \
    73. 

  73.         -subj "/C=US/ST=Washington/L=Seattle/O=Eliptic/OU=ECC384Srv/CN=www.wolfssl.com/emailAddress=info@wolfssl.com/"
    74. 

  74. else
    75. 

  75.     openssl ecparam -out ./certs/server-ecc384-key.par -name secp384r1
    76. 

  76.     openssl req -config ./certs/ecc/wolfssl_384.cnf -sha384 -x509 -nodes -newkey ec:./certs/server-ecc384-key.par -keyout ./certs/server-ecc384-key.pem -out ./certs/server-ecc384-req.pem \
    77. 

  77.         -subj "/C=US/ST=Washington/L=Seattle/O=Eliptic/OU=ECC384Srv/CN=www.wolfssl.com/emailAddress=info@wolfssl.com/"
    78. 

  78. fi
    79. 

  79. openssl req -config ./certs/ecc/wolfssl_384.cnf -sha384 -new -key ./certs/server-ecc384-key.pem -out ./certs/server-ecc384-req.pem \
    80. 

  80.         -subj "/C=US/ST=Washington/L=Seattle/O=Eliptic/OU=ECC384Srv/CN=www.wolfssl.com/emailAddress=info@wolfssl.com/"
    81. 

  81. openssl ec -in ./certs/server-ecc384-key.pem -inform PEM -out ./certs/server-ecc384-key.der -outform DER
    82. 

  82. 

  83. # Sign server certificate
    84. 

  84. openssl ca -batch -config ./certs/ecc/wolfssl_384.cnf -extensions server_cert -days 10950 -notext -md sha384 -in ./certs/server-ecc384-req.pem -out ./certs/server-ecc384-cert.pem
    85. 

  85. openssl x509 -in ./certs/server-ecc384-cert.pem -outform der -out ./certs/server-ecc384-cert.der
    86. 

  86. 

  87. rm ./certs/server-ecc384-req.pem
    88. 

  88. rm ./certs/server-ecc384-key.par
    89. 

  89. 

  90. # Generate ECC 384-bit client cert
    91. 

  91. if [ -f ./certs/client-ecc384-key.pem ]; then
    92. 

  92.     openssl req -config ./certs/ecc/wolfssl_384.cnf -sha384 -x509 -nodes -key ./certs/client-ecc384-key.pem -out ./certs/client-ecc384-req.pem \
    93. 

  93.         -subj "/C=US/ST=Washington/L=Seattle/O=Eliptic/OU=ECC384Cli/CN=www.wolfssl.com/emailAddress=info@wolfssl.com/"
    94. 

  94. else
    95. 

  95.     openssl ecparam -out ./certs/client-ecc384-key.par -name secp384r1
    96. 

  96.     openssl req -config ./certs/ecc/wolfssl_384.cnf -sha384 -x509 -nodes -newkey ec:./certs/client-ecc384-key.par -keyout ./certs/client-ecc384-key.pem -out ./certs/client-ecc384-req.pem \
    97. 

  97.         -subj "/C=US/ST=Washington/L=Seattle/O=Eliptic/OU=ECC384Cli/CN=www.wolfssl.com/emailAddress=info@wolfssl.com/"
    98. 

  98. fi
    99. 

  99. openssl req -config ./certs/ecc/wolfssl_384.cnf -sha384 -new -key ./certs/client-ecc384-key.pem -out ./certs/client-ecc384-req.pem \
    100. 

  100.         -subj "/C=US/ST=Washington/L=Seattle/O=Eliptic/OU=ECC384Clit/CN=www.wolfssl.com/emailAddress=info@wolfssl.com/"
    101. 

  101. openssl ec -in ./certs/client-ecc384-key.pem -inform PEM -out ./certs/client-ecc384-key.der -outform DER
    102. 

  102. 

  103. # Sign client certificate
    104. 

  104. openssl ca -batch -config ./certs/ecc/wolfssl_384.cnf -extensions usr_cert -days 10950 -notext -md sha384 -in ./certs/client-ecc384-req.pem -out ./certs/client-ecc384-cert.pem
    105. 

  105. openssl x509 -in ./certs/client-ecc384-cert.pem -outform der -out ./certs/client-ecc384-cert.der
    106. 

  106. 

  107. rm ./certs/client-ecc384-req.pem
    108. 

  108. rm ./certs/client-ecc384-key.par
    109. 

  109. 

  110. 

  111. # Generate ECC Kerberos Keys
    112. 

  112. if [ -f ./certs/ecc/secp256k1-key.pem ]; then
    113. 

  113.         openssl ecparam -name secp256k1 -genkey -noout -out ./certs/ecc/secp256k1-key.pem
    114. 

  114.         openssl ec -in ./certs/ecc/secp256k1-key.pem -inform PEM -out ./certs/ecc/secp256k1-key.der -outform DER
    115. 

  115. fi
    116. 

  116. # Create self-signed ECC Kerberos certificates
    117. 

  117. openssl req -config ./certs/ecc/wolfssl.cnf -sha256 -new -key ./certs/ecc/secp256k1-key.pem -out ./certs/ecc/server-secp256k1-req.pem -subj "/C=US/ST=Washington/L=Seattle/O=Eliptic/OU=ECC256K1-SRV/CN=www.wolfssl.com/emailAddress=info@wolfssl.com/"
    118. 

  118. openssl x509 -req -in ./certs/ecc/server-secp256k1-req.pem -days 3650 -extfile ./certs/ecc/wolfssl.cnf -extensions server_cert -signkey ./certs/ecc/secp256k1-key.pem -text -out ./certs/ecc/server-secp256k1-cert.pem
    119. 

  119. openssl x509 -inform pem -in ./certs/ecc/server-secp256k1-cert.pem -outform der -out ./certs/ecc/server-secp256k1-cert.der
    120. 

  120. rm ./certs/ecc/server-secp256k1-req.pem
    121. 

  121. 

  122. openssl req -config ./certs/ecc/wolfssl.cnf -sha256 -new -key ./certs/ecc/secp256k1-key.pem -out ./certs/ecc/client-secp256k1-req.pem -subj "/C=US/ST=Washington/L=Seattle/O=Eliptic/OU=ECC256K1-CLI/CN=www.wolfssl.com/emailAddress=info@wolfssl.com/"
    123. 

  123. openssl x509 -req -in ./certs/ecc/client-secp256k1-req.pem -days 3650 -extfile ./certs/ecc/wolfssl.cnf -extensions usr_cert -signkey ./certs/ecc/secp256k1-key.pem -text -out ./certs/ecc/client-secp256k1-cert.pem
    124. 

  124. openssl x509 -inform pem -in ./certs/ecc/client-secp256k1-cert.pem -outform der -out ./certs/ecc/client-secp256k1-cert.der
    125. 

  125. rm ./certs/ecc/client-secp256k1-req.pem
    126. 

  126. 

  127. # Generate ECC Brainpool Keys
    128. 

  128. if [ -f ./certs/ecc/bp256r1-key.pem ]; then
    129. 

  129.         openssl ecparam -name brainpoolP256r1 -genkey -noout -out ./certs/ecc/bp256r1-key.pem
    130. 

  130.         openssl ec -in ./certs/ecc/bp256r1-key.pem -inform PEM -out ./certs/ecc/bp256r1-key.der -outform DER
    131. 

  131. fi
    132. 

  132. # Create self-signed ECC Brainpool certificates
    133. 

  133. openssl req -config ./certs/ecc/wolfssl.cnf -sha256 -new -key ./certs/ecc/bp256r1-key.pem -out ./certs/ecc/server-bp256r1-req.pem -subj "/C=US/ST=Washington/L=Seattle/O=Eliptic/OU=ECC256BPR1-SRV/CN=www.wolfssl.com/emailAddress=info@wolfssl.com/"
    134. 

  134. openssl x509 -req -in ./certs/ecc/server-bp256r1-req.pem -days 3650 -extfile ./certs/ecc/wolfssl.cnf -extensions server_cert -signkey ./certs/ecc/bp256r1-key.pem -text -out ./certs/ecc/server-bp256r1-cert.pem
    135. 

  135. openssl x509 -inform pem -in ./certs/ecc/server-bp256r1-cert.pem -outform der -out ./certs/ecc/server-bp256r1-cert.der
    136. 

  136. rm ./certs/ecc/server-bp256r1-req.pem
    137. 

  137. 

  138. openssl req -config ./certs/ecc/wolfssl.cnf -sha256 -new -key ./certs/ecc/bp256r1-key.pem -out ./certs/ecc/client-bp256r1-req.pem -subj "/C=US/ST=Washington/L=Seattle/O=Eliptic/OU=ECC256BPR1-CLI/CN=www.wolfssl.com/emailAddress=info@wolfssl.com/"
    139. 

  139. openssl x509 -req -in ./certs/ecc/client-bp256r1-req.pem -days 3650 -extfile ./certs/ecc/wolfssl.cnf -extensions usr_cert -signkey ./certs/ecc/bp256r1-key.pem -text -out ./certs/ecc/client-bp256r1-cert.pem
    140. 

  140. openssl x509 -inform pem -in ./certs/ecc/client-bp256r1-cert.pem -outform der -out ./certs/ecc/client-bp256r1-cert.der
    141. 

  141. rm ./certs/ecc/client-bp256r1-req.pem
    142. 

  142. 

  143. 

  144. # update bad certificate with last byte in signature changed
    145. 

  145. cp ./certs/server-ecc.der ./certs/test/server-cert-ecc-badsig.der
    146. 

  146. sed '$s/.$/W/' ./certs/test/server-cert-ecc-badsig.der >> ./certs/test/server-cert-ecc-badsig-altered.der
    147. 

  147. mv ./certs/test/server-cert-ecc-badsig-altered.der ./certs/test/server-cert-ecc-badsig.der
    148. 

  148. openssl x509 -inform der -in ./certs/test/server-cert-ecc-badsig.der -outform pem -out ./certs/test/server-cert-ecc-badsig.pem
    149. 

  149. 

  150. rm ./certs/ecc/*.old
    151. 

  151. rm ./certs/ecc/index.txt*
    152. 

  152. rm ./certs/ecc/serial
    153. 

  153. rm ./certs/ecc/crlnumber
    154. 

  154. rm ./certs/ecc/index.txt
    155. 

  155. 

  156. rm ./certs/1000.pem
    157. 

  157. rm ./certs/1001.pem
    158. 

  158. rm ./certs/1002.pem
    159. 

  159. rm ./certs/ca-ecc-cert.srl
    160. 

  160. 

  161. exit 0
    162.