  1. #!/bin/bash
  2. # renewcerts.sh
  3. #
  4. # renews the following certs:
  5. # client-cert.pem
  6. # client-cert.der
  7. # client-ecc-cert.pem
  8. # client-ecc-cert.der
  9. # ca-cert.pem
  10. # ca-cert.der
  11. # ca-ecc-cert.pem
  12. # ca-ecc-cert.der
  13. # ca-ecc384-cert.pem
  14. # ca-ecc384-cert.der
  15. # server-cert.pem
  16. # server-cert.der
  17. # server-cert-chain.der
  18. # server-ecc-rsa.pem
  19. # server-ecc.pem
  20. # 1024/client-cert.der
  21. # 1024/client-cert.pem
  22. # server-ecc-comp.pem
  23. # client-ca.pem
  24. # test/digsigku.pem
  25. # ecc-privOnlyCert.pem
  26. # client-uri-cert.pem
  27. # client-relative-uri.pem
  28. # client-crl-dist.pem
  29. # entity-no-ca-bool-cert.pem
  30. # fpki-cert.der
  31. # rid-cert.der
  32. # updates the following crls:
  33. # crl/cliCrl.pem
  34. # crl/crl.pem
  35. # crl/crl.revoked
  36. # crl/eccCliCRL.pem
  37. # crl/eccSrvCRL.pem
  38. #
  39. # pkcs7:
  40. # test-degenerate.p7b
  41. ###############################################################################
  42. ######################## FUNCTIONS SECTION ####################################
  43. ###############################################################################
  44. #function for restoring a previous configure state
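restore_config(){
  # Put the saved configure state back and rebuild so the tree matches it.
  # Expects tmp.status and tmp.options.h in the current directory
  # (presumably saved by the caller before reconfiguring; the save is not
  # part of this function) and moves them over config.status and
  # wolfssl/options.h before running the rebuild.
  # Returns: 0 on success; 1 if either file could not be restored, and the
  #          make status otherwise. A failed restore stops before the
  #          rebuild so make never runs against a half-restored tree, and
  #          the caller sees the failure instead of a silent "success".
  mv -- tmp.status config.status \
    || { echo "restore_config: could not restore config.status" >&2; return 1; }
  mv -- tmp.options.h wolfssl/options.h \
    || { echo "restore_config: could not restore wolfssl/options.h" >&2; return 1; }
  make clean || return
  make -j 8
}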
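check_result(){
  # Abort the renewal when the previous step failed.
  # Arguments: $1 - exit status of the previous command (pass "$?")
  #            $2 - label of the step, shown in the failure message
  # Outputs:   "Step Succeeded!" on stdout when $1 is 0; the failure
  #            message on stderr otherwise
  # Exits:     1 when $1 is non-zero, empty or not a number. The numeric
  #            check matters: an empty or malformed status used to make the
  #            test itself fail and fall through to the success branch, so a
  #            broken call site could report a failed step as succeeded.
  local status=${1-} step=${2-}
  if [[ "$status" =~ ^[0-9]+$ ]] && (( 10#$status == 0 )); then
    echo "Step Succeeded!"
  else
    echo "Failed at \"$step\", Abort" >&2
    exit 1
  fi
}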
  59. #the function that will be called when we are ready to renew the certs.
  60. run_renewcerts(){
  61. #call update for some ecc certs
  62. ./certs/ecc/genecc.sh
  63. check_result $? "Step 0"
  64. cd certs/ || { echo "Couldn't cd to certs directory"; exit 1; }
  65. echo ""
  66. #move the custom cnf into our working directory
  67. cp renewcerts/wolfssl.cnf wolfssl.cnf || exit 1
  68. # To generate these all in sha1 add the flag "-sha1" on appropriate lines
  69. # That is all lines beginning with: "openssl req"
  70. ############################################################
  71. #### update the self-signed (2048-bit) client-uri-cert.pem #
  72. ############################################################
  73. echo "Updating 2048-bit client-uri-cert.pem"
  74. echo ""
  75. #pipe the following arguments to openssl req...
  76. echo -e "US\\nMontana\\nBozeman\\nwolfSSL_2048\\nURI\\nwww.wolfssl.com\\ninfo@wolfssl.com\\n.\\n.\\n" | openssl req -new -key client-key.pem -config ./wolfssl.cnf -nodes -out client-cert.csr
  77. check_result $? "Step 1"
  78. openssl x509 -req -in client-cert.csr -days 1000 -extfile wolfssl.cnf -extensions uri -signkey client-key.pem -out client-uri-cert.pem
  79. check_result $? "Step 2"
  80. rm client-cert.csr
  81. openssl x509 -in client-uri-cert.pem -text > tmp.pem
  82. check_result $? "Step 3"
  83. mv tmp.pem client-uri-cert.pem
  84. echo "End of section"
  85. echo "---------------------------------------------------------------------"
  86. ############################################################
  87. # Public Versions of client-key.pem
  88. ############################################################
  89. openssl rsa -inform pem -in certs/client-key.pem -outform der -out certs/client-keyPub.der -pubout
  90. openssl rsa -inform pem -in certs/client-key.pem -outform pem -out certs/client-keyPub.pem -pubout
  91. ############################################################
  92. # Public Versions of server-key.pem
  93. ############################################################
  94. #openssl rsa -inform pem -in certs/server-key.pem -outform der -out certs/server-keyPub.der -pubout
  95. openssl rsa -inform pem -in certs/server-key.pem -outform pem -out certs/server-keyPub.pem -pubout
  96. ############################################################
  97. # Public Versions of ecc-key.pem
  98. ############################################################
  99. #openssl ec -inform pem -in certs/ecc-key.pem -outform der -out certs/ecc-keyPub.der -pubout
  100. openssl ec -inform pem -in certs/ecc-key.pem -outform pem -out certs/ecc-keyPub.pem -pubout
  101. ############################################################
  102. #### update the self-signed (2048-bit) client-relative-uri.pem
  103. ############################################################
  104. echo "Updating 2048-bit client-relative-uri.pem"
  105. echo ""
  106. #pipe the following arguments to openssl req...
  107. echo -e "US\\nMontana\\nBozeman\\nwolfSSL_2048\\nRELATIVE_URI\\nwww.wolfssl.com\\ninfo@wolfssl.com\\n.\\n.\\n" | openssl req -new -key client-key.pem -config ./wolfssl.cnf -nodes -out client-cert.csr
  108. check_result $? "Step 1"
  109. openssl x509 -req -in client-cert.csr -days 1000 -extfile wolfssl.cnf -extensions relative_uri -signkey client-key.pem -out client-relative-uri.pem
  110. check_result $? "Step 2"
  111. rm client-cert.csr
  112. openssl x509 -in client-relative-uri.pem -text > tmp.pem
  113. check_result $? "Step 3"
  114. mv tmp.pem client-relative-uri.pem
  115. echo "End of section"
  116. echo "---------------------------------------------------------------------"
  117. ############################################################
  118. #### update the self-signed (2048-bit) client-cert-ext.pem
  119. ############################################################
  120. echo "Updating 2048-bit client-cert-ext.pem"
  121. echo ""
  122. #pipe the following arguments to openssl req...
  123. echo -e "US\\nMontana\\nBozeman\\nwolfSSL_2048\\nProgramming-2048\\nwww.wolfssl.com\\ninfo@wolfssl.com\\n.\\n.\\n" | openssl req -new -key client-key.pem -config ./wolfssl.cnf -nodes -out client-cert.csr
  124. check_result $? "Step 1"
  125. openssl x509 -req -in client-cert.csr -days 1000 -extfile wolfssl.cnf -extensions client_cert_ext -signkey client-key.pem -out client-cert-ext.pem
  126. check_result $? "Step 2"
  127. rm client-cert.csr
  128. openssl x509 -in client-cert-ext.pem -outform DER -out client-cert-ext.der
  129. check_result $? "Step 3"
  130. openssl x509 -in client-cert-ext.pem -text > tmp.pem
  131. check_result $? "Step 4"
  132. mv tmp.pem client-cert-ext.pem
  133. echo "End of section"
  134. echo "---------------------------------------------------------------------"
  135. ############################################################
  136. #### update the self-signed (2048-bit) client-crl-dist.pem
  137. ############################################################
  138. echo "Updating 2048-bit client-crl-dist.pem"
  139. echo ""
  140. #pipe the following arguments to openssl req...
  141. echo -e "US\\nMontana\\nBozeman\\nwolfSSL_2048\\nCRL_DIST\\nwww.wolfssl.com\\ninfo@wolfssl.com\\n.\\n.\\n" | openssl req -new -key client-key.pem -config ./wolfssl.cnf -nodes -out client-cert.csr
  142. check_result $? "Step 1"
  143. openssl x509 -req -in client-cert.csr -days 1000 -extfile wolfssl.cnf -extensions crl_dist_points -signkey client-key.pem -out client-crl-dist.pem
  144. check_result $? "Step 2"
  145. rm client-cert.csr
  146. openssl x509 -in client-crl-dist.pem -text > tmp.pem
  147. check_result $? "Step 3"
  148. mv tmp.pem client-crl-dist.pem
  149. openssl x509 -in client-crl-dist.pem -outform der -out client-crl-dist.der
  150. echo "End of section"
  151. echo "---------------------------------------------------------------------"
  152. ############################################################
  153. #### update the self-signed (2048-bit) client-cert.pem #####
  154. ############################################################
  155. echo "Updating 2048-bit client-cert.pem"
  156. echo ""
  157. #pipe the following arguments to openssl req...
  158. echo -e "US\\nMontana\\nBozeman\\nwolfSSL_2048\\nProgramming-2048\\nwww.wolfssl.com\\ninfo@wolfssl.com\\n.\\n.\\n" | openssl req -new -key client-key.pem -config ./wolfssl.cnf -nodes -out client-cert.csr
  159. check_result $? "Step 1"
  160. openssl x509 -req -in client-cert.csr -days 1000 -extfile wolfssl.cnf -extensions wolfssl_opts -signkey client-key.pem -out client-cert.pem
  161. check_result $? "Step 2"
  162. rm client-cert.csr
  163. openssl x509 -in client-cert.pem -text > tmp.pem
  164. check_result $? "Step 3"
  165. mv tmp.pem client-cert.pem
  166. echo "End of section"
  167. echo "---------------------------------------------------------------------"
  168. ############################################################
  169. #### update the self-signed (1024-bit) client-cert.pem #####
  170. ############################################################
  171. echo "Updating 1024-bit client-cert.pem"
  172. echo ""
  173. #pipe the following arguments to openssl req...
  174. echo -e "US\\nMontana\\nBozeman\\nwolfSSL_1024\\nProgramming-1024\\nwww.wolfssl.com\\ninfo@wolfssl.com\\n.\\n.\\n" | openssl req -new -key ./1024/client-key.pem -config ./wolfssl.cnf -nodes -out ./1024/client-cert.csr
  175. check_result $? "Step 1"
  176. openssl x509 -req -in ./1024/client-cert.csr -days 1000 -extfile wolfssl.cnf -extensions wolfssl_opts -signkey ./1024/client-key.pem -out ./1024/client-cert.pem
  177. check_result $? "Step 2"
  178. rm ./1024/client-cert.csr
  179. openssl x509 -in ./1024/client-cert.pem -text > ./1024/tmp.pem
  180. check_result $? "Step 3"
  181. mv ./1024/tmp.pem ./1024/client-cert.pem
  182. echo "End of section"
  183. echo "---------------------------------------------------------------------"
  184. ############################################################
  185. #### update the self-signed (3072-bit) client-cert.pem #####
  186. ############################################################
  187. echo "Updating 3072-bit client-cert.pem"
  188. echo ""
  189. #pipe the following arguments to openssl req...
  190. echo -e "US\\nMontana\\nBozeman\\nwolfSSL_3072\\nProgramming-3072\\nwww.wolfssl.com\\ninfo@wolfssl.com\\n.\\n.\\n" | openssl req -new -key ./3072/client-key.pem -config ./wolfssl.cnf -nodes -out ./3072/client-cert.csr
  191. check_result $? "Step 1"
  192. openssl x509 -req -in ./3072/client-cert.csr -days 1000 -extfile wolfssl.cnf -extensions wolfssl_opts -signkey ./3072/client-key.pem -out ./3072/client-cert.pem
  193. check_result $? "Step 2"
  194. rm ./3072/client-cert.csr
  195. openssl x509 -in ./3072/client-cert.pem -text > ./3072/tmp.pem
  196. check_result $? "Step 3"
  197. mv ./3072/tmp.pem ./3072/client-cert.pem
  198. openssl rsa -in ./3072/client-key.pem -outform der -out ./3072/client-key.der
  199. openssl rsa -inform pem -in ./3072/client-key.pem -outform der -out ./3072/client-keyPub.der -pubout
  200. openssl x509 -in ./3072/client-cert.pem -outform der -out ./3072/client-cert.der
  201. echo "End of section"
  202. echo "---------------------------------------------------------------------"
  203. ############################################################
  204. #### update the self-signed (4096-bit) client-cert.pem #####
  205. ############################################################
  206. echo "Updating 4096-bit client-cert.pem"
  207. echo ""
  208. #pipe the following arguments to openssl req...
  209. echo -e "US\\nMontana\\nBozeman\\nwolfSSL_4096\\nProgramming-4096\\nwww.wolfssl.com\\ninfo@wolfssl.com\\n.\\n.\\n" | openssl req -new -key ./4096/client-key.pem -config ./wolfssl.cnf -nodes -out ./4096/client-cert.csr
  210. check_result $? "Step 1"
  211. openssl x509 -req -in ./4096/client-cert.csr -days 1000 -extfile wolfssl.cnf -extensions wolfssl_opts -signkey ./4096/client-key.pem -out ./4096/client-cert.pem
  212. check_result $? "Step 2"
  213. rm ./4096/client-cert.csr
  214. openssl x509 -in ./4096/client-cert.pem -text > ./4096/tmp.pem
  215. check_result $? "Step 3"
  216. mv ./4096/tmp.pem ./4096/client-cert.pem
  217. openssl rsa -in ./4096/client-key.pem -outform der -out ./4096/client-key.der
  218. openssl rsa -inform pem -in ./4096/client-key.pem -outform der -out ./4096/client-keyPub.der -pubout
  219. openssl x509 -in ./4096/client-cert.pem -outform der -out ./4096/client-cert.der
  220. echo "End of section"
  221. echo "---------------------------------------------------------------------"
  222. ############################################################
  223. ########## update the self-signed ca-cert.pem ##############
  224. ############################################################
  225. echo "Updating ca-cert.pem"
  226. echo ""
  227. #pipe the following arguments to openssl req...
  228. echo -e "US\\nMontana\\nBozeman\\nSawtooth\\nConsulting\\nwww.wolfssl.com\\ninfo@wolfssl.com\\n.\\n.\\n" | openssl req -new -key ca-key.pem -config ./wolfssl.cnf -nodes -out ca-cert.csr
  229. check_result $? "Step 1"
  230. openssl x509 -req -in ca-cert.csr -days 1000 -extfile wolfssl.cnf -extensions wolfssl_opts -signkey ca-key.pem -out ca-cert.pem
  231. check_result $? "Step 2"
  232. rm ca-cert.csr
  233. openssl x509 -in ca-cert.pem -text > tmp.pem
  234. check_result $? "Step 3"
  235. mv tmp.pem ca-cert.pem
  236. echo "End of section"
  237. echo "---------------------------------------------------------------------"
  238. ############################################################
  239. ########## update the self-signed ca-cert-chain.der ########
  240. ############################################################
  241. echo "Updating ca-cert-chain.der"
  242. echo ""
  243. #pipe the following arguments to openssl req...
  244. echo -e "US\\nMontana\\nBozeman\\nSawtooth\\nConsulting\\nwww.wolfssl.com\\ninfo@wolfssl.com\\n.\\n.\\n" | openssl req -new -key 1024/ca-key.pem -config ./wolfssl.cnf -nodes -out ca-cert.csr
  245. check_result $? "Step 1"
  246. openssl x509 -req -in ca-cert.csr -days 1000 -extfile wolfssl.cnf -extensions wolfssl_opts -signkey 1024/ca-key.pem -outform DER -out ca-cert-chain.der
  247. check_result $? "Step 2"
  248. rm ca-cert.csr
  249. echo "End of section"
  250. echo "---------------------------------------------------------------------"
  251. ############################################################
  252. ########## update the self-signed ca-ecc-cert.pem ##########
  253. ############################################################
  254. echo "Updating ca-ecc-cert.pem"
  255. echo ""
  256. #pipe the following arguments to openssl req...
  257. echo -e "US\\nWashington\\nSeattle\\nwolfSSL\\nDevelopment\\nwww.wolfssl.com\\ninfo@wolfssl.com\\n.\\n.\\n" | openssl req -new -key ca-ecc-key.pem -config ./wolfssl.cnf -nodes -out ca-ecc-cert.csr
  258. check_result $? "Step 1"
  259. openssl x509 -req -in ca-ecc-cert.csr -days 1000 -extfile wolfssl.cnf -extensions ca_ecc_cert -signkey ca-ecc-key.pem -out ca-ecc-cert.pem
  260. check_result $? "Step 2"
  261. rm ca-ecc-cert.csr
  262. openssl x509 -in ca-ecc-cert.pem -text > tmp.pem
  263. check_result $? "Step 3"
  264. mv tmp.pem ca-ecc-cert.pem
  265. echo "End of section"
  266. echo "---------------------------------------------------------------------"
  267. ############################################################
  268. ########## update the self-signed ca-ecc384-cert.pem #######
  269. ############################################################
  270. echo "Updating ca-ecc384-cert.pem"
  271. echo ""
  272. #pipe the following arguments to openssl req...
  273. echo -e "US\\nWashington\\nSeattle\\nwolfSSL\\nDevelopment\\nwww.wolfssl.com\\ninfo@wolfssl.com\\n.\\n.\\n" | openssl req -new -key ca-ecc384-key.pem -config ./wolfssl.cnf -nodes -sha384 -out ca-ecc384-cert.csr
  274. check_result $? "Step 1"
  275. openssl x509 -req -in ca-ecc384-cert.csr -days 1000 -extfile wolfssl.cnf -extensions ca_ecc_cert -signkey ca-ecc384-key.pem -sha384 -out ca-ecc384-cert.pem
  276. check_result $? "Step 2"
  277. rm ca-ecc384-cert.csr
  278. openssl x509 -in ca-ecc384-cert.pem -text > tmp.pem
  279. check_result $? "Step 3"
  280. mv tmp.pem ca-ecc384-cert.pem
  281. echo "End of section"
  282. echo "---------------------------------------------------------------------"
  283. ############################################################
  284. ##### update the self-signed (1024-bit) ca-cert.pem ########
  285. ############################################################
  286. echo "Updating 1024-bit ca-cert.pem"
  287. echo ""
  288. #pipe the following arguments to openssl req...
  289. echo -e "US\\nMontana\\nBozeman\\nSawtooth\\nConsulting_1024\\nwww.wolfssl.com\\ninfo@wolfssl.com\\n.\\n.\\n" | openssl req -new -key ./1024/ca-key.pem -config ./wolfssl.cnf -nodes -sha1 -out ./1024/ca-cert.csr
  290. check_result $? "Step 1"
  291. openssl x509 -req -in ./1024/ca-cert.csr -days 1000 -extfile wolfssl.cnf -extensions wolfssl_opts -signkey ./1024/ca-key.pem -out ./1024/ca-cert.pem
  292. check_result $? "Step 2"
  293. rm ./1024/ca-cert.csr
  294. openssl x509 -in ./1024/ca-cert.pem -text > ./1024/tmp.pem
  295. check_result $? "Step 3"
  296. mv ./1024/tmp.pem ./1024/ca-cert.pem
  297. echo "End of section"
  298. echo "---------------------------------------------------------------------"
  299. ###########################################################
  300. ########## update and sign fpki-cert.der ################
  301. ###########################################################
  302. echo "Updating fpki-cert.der"
  303. echo ""
  304. #pipe the following arguments to openssl req...
  305. echo -e "US\\nMontana\\nBozeman\\nwolfSSL\\nFPKI\\nwww.wolfssl.com\\ninfo@wolfssl.com\\n.\\n.\\n" | openssl req -new -key server-key.pem -config ./wolfssl.cnf -nodes > fpki-req.pem
  306. check_result $? "Step 1"
  307. openssl x509 -req -in fpki-req.pem -extfile wolfssl.cnf -extensions fpki_ext -days 1000 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 -out fpki-cert.der -outform DER
  308. check_result $? "Step 2"
  309. rm fpki-req.pem
  310. echo "End of section"
  311. echo "---------------------------------------------------------------------"
  312. ###########################################################
  313. ########## update and sign rid-cert.der ################
  314. ###########################################################
  315. echo "Updating rid-cert.der"
  316. echo ""
  317. #pipe the following arguments to openssl req...
  318. echo -e "US\\nMontana\\nBozeman\\nwolfSSL\\nRID\\nwww.wolfssl.com\\ninfo@wolfssl.com\\n.\\n.\\n" | openssl req -new -key server-key.pem -config ./wolfssl.cnf -nodes > rid-req.pem
  319. check_result $? "Step 1"
  320. openssl x509 -req -in rid-req.pem -extfile wolfssl.cnf -extensions rid_ext -days 1000 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 7 -out rid-cert.der -outform DER
  321. check_result $? "Step 2"
  322. rm rid-req.pem
  323. echo "End of section"
  324. echo "---------------------------------------------------------------------"
  325. ###########################################################
  326. ########## update and sign server-cert.pem ################
  327. ###########################################################
  328. echo "Updating server-cert.pem"
  329. echo ""
  330. #pipe the following arguments to openssl req...
  331. echo -e "US\\nMontana\\nBozeman\\nwolfSSL\\nSupport\\nwww.wolfssl.com\\ninfo@wolfssl.com\\n.\\n.\\n" | openssl req -new -key server-key.pem -config ./wolfssl.cnf -nodes > server-req.pem
  332. check_result $? "Step 1"
  333. openssl x509 -req -in server-req.pem -extfile wolfssl.cnf -extensions wolfssl_opts -days 1000 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 > server-cert.pem
  334. check_result $? "Step 2"
  335. rm server-req.pem
  336. openssl x509 -in ca-cert.pem -text > ca_tmp.pem
  337. check_result $? "Step 3"
  338. openssl x509 -in server-cert.pem -text > srv_tmp.pem
  339. check_result $? "Step 4"
  340. mv srv_tmp.pem server-cert.pem
  341. cat ca_tmp.pem >> server-cert.pem
  342. rm ca_tmp.pem
  343. echo "End of section"
  344. echo "---------------------------------------------------------------------"
  345. ###########################################################
  346. ########## update and sign server-revoked-key.pem #########
  347. ###########################################################
  348. echo "Updating server-revoked-cert.pem"
  349. echo ""
  350. #pipe the following arguments to openssl req...
  351. echo -e "US\\nMontana\\nBozeman\\nwolfSSL_revoked\\nSupport_revoked\\nwww.wolfssl.com\\ninfo@wolfssl.com\\n.\\n.\\n" | openssl req -new -key server-revoked-key.pem -config ./wolfssl.cnf -nodes > server-revoked-req.pem
  352. check_result $? "Step 1"
  353. openssl x509 -req -in server-revoked-req.pem -extfile wolfssl.cnf -extensions wolfssl_opts -days 1000 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 02 > server-revoked-cert.pem
  354. check_result $? "Step 2"
  355. rm server-revoked-req.pem
  356. openssl x509 -in ca-cert.pem -text > ca_tmp.pem
  357. check_result $? "Step 3"
  358. openssl x509 -in server-revoked-cert.pem -text > srv_tmp.pem
  359. check_result $? "Step 4"
  360. mv srv_tmp.pem server-revoked-cert.pem
  361. cat ca_tmp.pem >> server-revoked-cert.pem
  362. rm ca_tmp.pem
  363. echo "End of section"
  364. echo "---------------------------------------------------------------------"
  365. ###########################################################
  366. ########## update and sign server-duplicate-policy.pem ####
  367. ###########################################################
  368. echo "Updating server-duplicate-policy.pem"
  369. echo ""
  370. #pipe the following arguments to openssl req...
  371. echo -e "US\\nMontana\\nBozeman\\nwolfSSL\\ntesting duplicate policy\\nwww.wolfssl.com\\ninfo@wolfssl.com\\n.\\n.\\n" | openssl req -new -key server-key.pem -config ./wolfssl.cnf -nodes > ./test/server-duplicate-policy-req.pem
  372. check_result $? "Step 1"
  373. openssl x509 -req -in ./test/server-duplicate-policy-req.pem -extfile wolfssl.cnf -extensions policy_test -days 1000 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 02 > ./test/server-duplicate-policy.pem
  374. check_result $? "Step 2"
  375. rm ./test/server-duplicate-policy-req.pem
  376. openssl x509 -in ca-cert.pem -text > ca_tmp.pem
  377. check_result $? "Step 3"
  378. openssl x509 -in ./test/server-duplicate-policy.pem -text > srv_tmp.pem
  379. check_result $? "Step 4"
  380. mv srv_tmp.pem ./test/server-duplicate-policy.pem
  381. cat ca_tmp.pem >> ./test/server-duplicate-policy.pem
  382. rm ca_tmp.pem
  383. echo "End of section"
  384. echo "---------------------------------------------------------------------"
  385. ###########################################################
  386. #### update and sign (1024-bit) server-cert.pem ###########
  387. ###########################################################
  388. echo "Updating 1024-bit server-cert.pem"
  389. echo ""
  390. #pipe the following arguments to openssl req...
  391. echo -e "US\\nMontana\\nBozeman\\nwolfSSL\\nSupport_1024\\nwww.wolfssl.com\\ninfo@wolfssl.com\\n.\\n.\\n" | openssl req -new -key ./1024/server-key.pem -config ./wolfssl.cnf -nodes -sha1 > ./1024/server-req.pem
  392. check_result $? "Step 1"
  393. openssl x509 -req -in ./1024/server-req.pem -extfile wolfssl.cnf -extensions wolfssl_opts -days 1000 -CA ./1024/ca-cert.pem -CAkey ./1024/ca-key.pem -set_serial 01 > ./1024/server-cert.pem
  394. check_result $? "Step 2"
  395. rm ./1024/server-req.pem
  396. openssl x509 -in ./1024/ca-cert.pem -text > ./1024/ca_tmp.pem
  397. check_result $? "Step 3"
  398. openssl x509 -in ./1024/server-cert.pem -text > ./1024/srv_tmp.pem
  399. check_result $? "Step 4"
  400. mv ./1024/srv_tmp.pem ./1024/server-cert.pem
  401. cat ./1024/ca_tmp.pem >> ./1024/server-cert.pem
  402. rm ./1024/ca_tmp.pem
  403. echo "End of section"
  404. echo "---------------------------------------------------------------------"
  405. ############################################################
  406. ########## update and sign the server-ecc-rsa.pem ##########
  407. ############################################################
  408. echo "Updating server-ecc-rsa.pem"
  409. echo ""
  410. echo -e "US\\nMontana\\nBozeman\\nElliptic - RSAsig\\nECC-RSAsig\\nwww.wolfssl.com\\ninfo@wolfssl.com\\n.\\n.\\n" | openssl req -new -key ecc-key.pem -config ./wolfssl.cnf -nodes > server-ecc-req.pem
  411. check_result $? "Step 1"
  412. openssl x509 -req -in server-ecc-req.pem -extfile wolfssl.cnf -extensions wolfssl_opts -days 1000 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 > server-ecc-rsa.pem
  413. check_result $? "Step 2"
  414. rm server-ecc-req.pem
  415. openssl x509 -in server-ecc-rsa.pem -text > tmp.pem
  416. check_result $? "Step 3"
  417. mv tmp.pem server-ecc-rsa.pem
  418. echo "End of section"
  419. echo "---------------------------------------------------------------------"
  420. ############################################################
  421. ####### update the self-signed client-ecc-cert.pem #########
  422. ############################################################
  423. echo "Updating client-ecc-cert.pem"
  424. echo ""
  425. #pipe the following arguments to openssl req...
  426. echo -e "US\\nOregon\\nSalem\\nClient ECC\\nFast\\nwww.wolfssl.com\\ninfo@wolfssl.com\\n.\\n.\\n" | openssl req -new -key ecc-client-key.pem -config ./wolfssl.cnf -nodes -out client-ecc-cert.csr
  427. check_result $? "Step 1"
  428. openssl x509 -req -in client-ecc-cert.csr -days 1000 -extfile wolfssl.cnf -extensions wolfssl_opts -signkey ecc-client-key.pem -out client-ecc-cert.pem
  429. check_result $? "Step 2"
  430. rm client-ecc-cert.csr
  431. openssl x509 -in client-ecc-cert.pem -text > tmp.pem
  432. check_result $? "Step 3"
  433. mv tmp.pem client-ecc-cert.pem
  434. echo "End of section"
  435. echo "---------------------------------------------------------------------"
  436. ############################################################
  437. ########## update the server-ecc.pem #######################
  438. ############################################################
  439. echo "Updating server-ecc.pem"
  440. echo ""
  441. #pipe the following arguments to openssl req...
  442. echo -e "US\\nWashington\\nSeattle\\nEliptic\\nECC\\nwww.wolfssl.com\\ninfo@wolfssl.com\\n.\\n.\\n" | openssl req -new -key ecc-key.pem -config ./wolfssl.cnf -nodes -out server-ecc.csr
  443. check_result $? "Step 1"
  444. openssl x509 -req -in server-ecc.csr -days 1000 -extfile wolfssl.cnf -extensions server_ecc -CA ca-ecc-cert.pem -CAkey ca-ecc-key.pem -set_serial 03 -out server-ecc.pem
  445. check_result $? "Step 2"
  446. rm server-ecc.csr
  447. openssl x509 -in server-ecc.pem -text > tmp.pem
  448. check_result $? "Step 3"
  449. mv tmp.pem server-ecc.pem
  450. echo "End of section"
  451. echo "---------------------------------------------------------------------"
  452. ############################################################
  453. ###### update the self-signed server-ecc-comp.pem ##########
  454. ############################################################
  455. echo "Updating server-ecc-comp.pem"
  456. echo ""
  457. #pipe the following arguments to openssl req...
  458. echo -e "US\\nMontana\\nBozeman\\nElliptic - comp\\nServer ECC-comp\\nwww.wolfssl.com\\ninfo@wolfssl.com\\n.\\n.\\n" | openssl req -new -key ecc-key-comp.pem -config ./wolfssl.cnf -nodes -out server-ecc-comp.csr
  459. check_result $? "Step 1"
  460. openssl x509 -req -in server-ecc-comp.csr -days 1000 -extfile wolfssl.cnf -extensions wolfssl_opts -signkey ecc-key-comp.pem -out server-ecc-comp.pem
  461. check_result $? "Step 2"
  462. rm server-ecc-comp.csr
  463. openssl x509 -in server-ecc-comp.pem -text > tmp.pem
  464. check_result $? "Step 3"
  465. mv tmp.pem server-ecc-comp.pem
  466. echo "End of section"
  467. echo "---------------------------------------------------------------------"
  468. ############################################################
  469. ############## create the client-ca.pem file ###############
  470. ############################################################
  471. echo "Updating client-ca.pem"
  472. echo ""
  473. cat client-cert.pem client-ecc-cert.pem > client-ca.pem
  474. echo "End of section"
  475. echo "---------------------------------------------------------------------"
  476. ############################################################
  477. ###### update the self-signed ecc-privOnlyCert.pem #########
  478. ############################################################
  479. echo "Updating ecc-privOnlyCert.pem"
  480. echo ""
  481. #pipe the following arguments to openssl req...
  482. echo -e ".\\n.\\n.\\nWR\\n.\\nDE\\n.\\n.\\n.\\n" | openssl req -new -key ecc-privOnlyKey.pem -config ./wolfssl.cnf -nodes -out ecc-privOnly.csr
  483. check_result $? "Step 1"
  484. openssl x509 -req -in ecc-privOnly.csr -days 1000 -signkey ecc-privOnlyKey.pem -out ecc-privOnlyCert.pem
  485. check_result $? "Step 2"
  486. rm ecc-privOnly.csr
  487. echo "End of section"
  488. echo "---------------------------------------------------------------------"
  489. ############################################################
  490. ###### update the self-signed test/digsigku.pem ##########
  491. ############################################################
  492. echo "Updating test/digsigku.pem"
  493. echo ""
  494. #pipe the following arguments to openssl req...
  495. echo -e "US\\nWashington\\nSeattle\\nFoofarah\\nArglebargle\\nfoobarbaz\\ninfo@worlss.com\\n.\\n.\\n" | openssl req -new -key ecc-key.pem -config ./wolfssl.cnf -nodes -sha1 -out digsigku.csr
  496. check_result $? "Step 1"
  497. openssl x509 -req -in digsigku.csr -days 1000 -extfile wolfssl.cnf -extensions digsigku -signkey ecc-key.pem -sha1 -set_serial 16393466893990650224 -out digsigku.pem
  498. check_result $? "Step 2"
  499. rm digsigku.csr
  500. openssl x509 -in digsigku.pem -text > tmp.pem
  501. check_result $? "Step 3"
  502. mv tmp.pem digsigku.pem
  503. mv digsigku.pem test/digsigku.pem
  504. echo "End of section"
  505. echo "---------------------------------------------------------------------"
  506. ###########################################################
  507. #### update and sign entity-no-ca-bool-cert.pem ###########
  508. ###########################################################
  509. echo "Updating entity-no-ca-bool-cert.pem"
  510. echo ""
  511. #pipe the following arguments to openssl req...
  512. echo -e "US\\nMontana\\nBozeman\\nwolfSSL\\nNoCaBool\\nwww.wolfssl.com\\ninfo@wolfssl.com\\n.\\n.\\n" | openssl req -new -key entity-no-ca-bool-key.pem -config ./wolfssl.cnf -nodes > entity-no-ca-bool-req.pem
  513. check_result $? "Step 1"
  514. openssl x509 -req -in entity-no-ca-bool-req.pem -extfile ./wolfssl.cnf -extensions "entity_no_CA_BOOL" -days 1000 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 > entity-no-ca-bool-cert.pem
  515. check_result $? "Step 2"
  516. rm entity-no-ca-bool-req.pem
  517. openssl x509 -in ca-cert.pem -text > ca_tmp.pem
  518. check_result $? "Step 3"
  519. openssl x509 -in entity-no-ca-bool-cert.pem -text > entity_tmp.pem
  520. check_result $? "Step 4"
  521. mv entity_tmp.pem entity-no-ca-bool-cert.pem
  522. cat ca_tmp.pem >> entity-no-ca-bool-cert.pem
  523. rm ca_tmp.pem
  524. echo "End of section"
  525. ############################################################
  526. ########## make .der files from .pem files #################
  527. ############################################################
  528. echo "Creating der formatted certs..."
  529. echo ""
  530. openssl x509 -inform PEM -in ./1024/client-cert.pem -outform DER -out ./1024/client-cert.der
  531. check_result $? "Der Cert 1"
  532. openssl x509 -inform PEM -in ./1024/server-cert.pem -outform DER -out ./1024/server-cert.der
  533. check_result $? "Der Cert 2"
  534. openssl x509 -inform PEM -in ./1024/ca-cert.pem -outform DER -out ./1024/ca-cert.der
  535. check_result $? "Der Cert 3"
  536. openssl x509 -inform PEM -in ca-cert.pem -outform DER -out ca-cert.der
  537. check_result $? "Der Cert 4"
  538. openssl x509 -inform PEM -in ca-ecc-cert.pem -outform DER -out ca-ecc-cert.der
  539. check_result $? "Der Cert 5"
  540. openssl x509 -inform PEM -in ca-ecc384-cert.pem -outform DER -out ca-ecc384-cert.der
  541. check_result $? "Der Cert 6"
  542. openssl x509 -inform PEM -in client-cert.pem -outform DER -out client-cert.der
  543. check_result $? "Der Cert 7"
  544. openssl x509 -inform PEM -in server-cert.pem -outform DER -out server-cert.der
  545. check_result $? "Der Cert 8"
  546. openssl x509 -inform PEM -in client-ecc-cert.pem -outform DER -out client-ecc-cert.der
  547. check_result $? "Der Cert 9"
  548. openssl x509 -inform PEM -in server-ecc-rsa.pem -outform DER -out server-ecc-rsa.der
  549. check_result $? "Der Cert 10"
  550. openssl x509 -inform PEM -in server-ecc.pem -outform DER -out server-ecc.der
  551. check_result $? "Der Cert 11"
  552. openssl x509 -inform PEM -in server-ecc-comp.pem -outform DER -out server-ecc-comp.der
  553. check_result $? "Der Cert 12"
  554. cat server-cert.der ca-cert.der >server-cert-chain.der
  555. check_result $? "Der Cert 13"
  556. echo "End of section"
  557. echo "---------------------------------------------------------------------"
  558. ############################################################
  559. ########## generate RSA-PSS certificates ###################
  560. ############################################################
  561. echo "Renewing RSA-PSS certificates"
  562. cd rsapss
  563. ./renew-rsapss-certs.sh
  564. cd ..
  565. echo "End of section"
  566. echo "---------------------------------------------------------------------"
  567. ############################################################
  568. ########## generate Ed25519 certificates ###################
  569. ############################################################
  570. echo "Renewing Ed25519 certificates"
  571. cd ed25519
  572. ./gen-ed25519-certs.sh
  573. cd ..
  574. echo "End of section"
  575. echo "---------------------------------------------------------------------"
  576. ############################################################
  577. ########## generate Ed448 certificates #####################
  578. ############################################################
  579. echo "Renewing Ed448 certificates"
  580. cd ed448
  581. ./gen-ed448-certs.sh
  582. cd ..
  583. echo "End of section"
  584. echo "---------------------------------------------------------------------"
  585. ############################################################
  586. ########## generate P-521 certificates #####################
  587. ############################################################
  588. echo "Renewing Ed448 certificates"
  589. cd p521
  590. ./gen-p521-certs.sh
  591. cd ..
  592. echo "End of section"
  593. echo "---------------------------------------------------------------------"
  594. ############################################################
  595. ###### update the ecc-rsa-server.p12 file ##################
  596. ############################################################
  597. echo "Updating ecc-rsa-server.p12 (password is \"\")"
  598. echo ""
  599. echo "" | openssl pkcs12 -des3 -descert -export -in server-ecc-rsa.pem -inkey ecc-key.pem -certfile server-ecc.pem -out ecc-rsa-server.p12 -password stdin
  600. check_result $? "Step 1"
  601. echo "End of section"
  602. echo "---------------------------------------------------------------------"
  603. ############################################################
  604. ###### update the test-servercert.p12 file #################
  605. ############################################################
  606. echo "Updating test-servercert.p12 (password is \"wolfSSL test\")"
  607. echo ""
  608. echo "wolfSSL test" | openssl pkcs12 -des3 -descert -export -in server-cert.pem -inkey server-key.pem -certfile ca-cert.pem -out test-servercert.p12 -password stdin
  609. check_result $? "Step 1"
  610. echo "End of section"
  611. echo "---------------------------------------------------------------------"
  612. ############################################################
  613. ###### update the test-servercert-rc2.p12 file #############
  614. ############################################################
  615. echo "Updating test-servercert-rc2.p12 (password is \"wolfSSL test\")"
  616. echo ""
  617. echo "wolfSSL test" | openssl pkcs12 -export -in server-cert.pem -inkey server-key.pem -certfile ca-cert.pem -out test-servercert-rc2.p12 -password stdin
  618. check_result $? "Step 1"
  619. echo "End of section"
  620. echo "---------------------------------------------------------------------"
  621. ############################################################
  622. ###### calling gen-ext-certs.sh ##################
  623. ############################################################
  624. echo "Calling gen-ext-certs.sh"
  625. echo ""
  626. cd .. || exit 1
  627. ./certs/test/gen-ext-certs.sh
  628. check_result $? "gen-ext-certs.sh"
  629. cd ./certs || { echo "Couldn't cd to certs directory"; exit 1; }
  630. echo "End of section"
  631. echo "---------------------------------------------------------------------"
  632. ############################################################
  633. ###### calling gen-badsig.sh ##################
  634. ############################################################
  635. echo "Calling gen-badsig.sh"
  636. echo ""
  637. cd ./test || { echo "Failed to switch to dir ./test"; exit 1; }
  638. ./gen-badsig.sh
  639. check_result $? "gen-badsig.sh"
  640. cd ../ || exit 1
  641. echo "End of section"
  642. echo "---------------------------------------------------------------------"
  643. ############################################################
  644. ###### calling gen-testcerts.sh ##################
  645. ############################################################
  646. echo "Calling gen-testcerts.sh"
  647. echo ""
  648. cd ./test || { echo "Failed to switch to dir ./test"; exit 1; }
  649. ./gen-testcerts.sh
  650. check_result $? "gen-testcerts.sh"
  651. cd ../ || exit 1
  652. echo "End of section"
  653. echo "---------------------------------------------------------------------"
  654. ############################################################
  655. ###### generate cms bundles in test directory ##############
  656. ############################################################
  657. echo "Generating CMS bundle"
  658. echo ""
  659. cd ./test || { echo "Failed to switch to dir ./test"; exit 1; }
  660. echo "test" | openssl cms -encrypt -binary -keyid -out ktri-keyid-cms.msg -outform der -recip ../client-cert.pem -nocerts
  661. check_result $? "generate ktri-keyid-cms.msg"
  662. cd ../ || exit 1
  663. echo "End of section"
  664. echo "---------------------------------------------------------------------"
  665. ############################################################
  666. ########## generate ocsp certs ######################
  667. ############################################################
  668. echo "Changing directory to ocsp..."
  669. echo ""
  670. # guard against recursive calls to renewcerts.sh
  671. if [ -d ocsp ]; then
  672. cd ./ocsp || { echo "Failed to switch to dir ./ocsp"; exit 1; }
  673. echo "Execute ocsp/renewcerts.sh..."
  674. ./renewcerts.sh
  675. check_result $? "renewcerts.sh"
  676. cd ../ || exit 1
  677. else
  678. echo "Error could not find ocsp directory"
  679. exit 1
  680. fi
  681. echo "End of section"
  682. echo "---------------------------------------------------------------------"
  683. ############################################################
  684. ###### calling assemble-chains.sh ##################
  685. ############################################################
  686. echo "Calling assemble-chains.sh"
  687. echo ""
  688. cd ./test-pathlen || { echo "Failed to switch to dir ./test-pathlen";
  689. exit 1; }
  690. ./assemble-chains.sh
  691. check_result $? "assemble-chains.sh"
  692. cd ../ || exit 1
  693. echo "End of section"
  694. echo "---------------------------------------------------------------------"
  695. ############################################################
  696. ########## store DER files as buffers ######################
  697. ############################################################
  698. echo "Changing directory to wolfssl root..."
  699. echo ""
  700. cd ../ || exit 1
  701. echo "Execute ./gencertbuf.pl..."
  702. echo ""
  703. ./gencertbuf.pl
  704. check_result $? "gencertbuf.pl"
  705. echo "End of section"
  706. echo "---------------------------------------------------------------------"
  707. ############################################################
  708. ########## generate the new crls ###########################
  709. ############################################################
  710. echo "Change directory to wolfssl/certs"
  711. echo ""
  712. cd ./certs || { echo "Failed to switch to dir ./certs"; exit 1; }
  713. echo "We are back in the certs directory"
  714. echo ""
  715. echo "Updating the crls..."
  716. echo ""
  717. cd ./crl || { echo "Failed to switch to dir ./crl"; exit 1; }
  718. echo "changed directory: cd/crl"
  719. echo ""
  720. ./gencrls.sh
  721. check_result $? "gencrls.sh"
  722. echo "ran ./gencrls.sh"
  723. echo ""
  724. ############################################################
  725. ########## generate PKCS7 bundles ##########################
  726. ############################################################
  727. echo "Changing directory to wolfssl certs..."
  728. echo ""
  729. cd ../ || exit 1
  730. echo "Creating test-degenerate.p7b..."
  731. echo ""
  732. openssl crl2pkcs7 -nocrl -certfile ./client-cert.pem -out test-degenerate.p7b -outform DER
  733. check_result $? ""
  734. echo "End of section"
  735. echo "---------------------------------------------------------------------"
  736. #cleanup the file system now that we're done
  737. echo "Performing final steps, cleaning up the file system..."
  738. echo ""
  739. rm ../wolfssl.cnf
  740. echo "End of Updates. Everything was successfully updated!"
  741. echo "---------------------------------------------------------------------"
  742. }
  743. ###############################################################################
  744. ##################### THE EXECUTABLE BODY #####################################
  745. ###############################################################################
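# Entry point.  With no argument, regenerate every certificate; with -h/-help,
# print usage.  Any other argument is rejected with a non-zero exit status so
# that a mistyped option cannot be mistaken for a successful renewal by a
# caller or a CI job (the original printed the complaint and then exited 0).
#
# Note: this cds to the parent of the *current working directory*, not of the
# script's own location, so it must be launched from wolfssl/certs for the
# relative paths below (config.status, wolfssl/options.h, ./certs/wolfssl.cnf)
# to resolve -- confirm against the file header if in doubt.
cd ../ || exit 1

if [ -n "$1" ]; then
    case "$1" in
        -h|-help)
            echo ""
            echo "\"no argument\" will attempt to update all certificates"
            echo "-h or -help display this menu"
            echo ""
            echo ""
            ;;
        *)
            # Unknown option: diagnostics go to stderr and the run fails.
            echo "" >&2
            echo "That is not a valid option." >&2
            echo "" >&2
            echo "use -h or -help for a list of available options." >&2
            echo "" >&2
            exit 1
            ;;
    esac
else
    # Snapshot the configure state so it can be put back after 'make clean'
    # and the regeneration; restore_config (defined elsewhere in this file)
    # presumably reads these tmp.* copies back -- verify against its body.
    echo "Saving the configure state"
    echo ""
    cp config.status tmp.status || exit 1
    cp wolfssl/options.h tmp.options.h || exit 1

    echo "Running make clean"
    echo ""
    make clean
    check_result $? "make clean"

    # run_renewcerts finishes with the cwd in ./certs, so step back up to the
    # tree root before deleting the copied OpenSSL config.
    run_renewcerts
    cd ../ || exit 1
    rm ./certs/wolfssl.cnf

    # restore previous configure state
    restore_config
    check_result $? "restoring old configuration"
fi #END already defined
exit 0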