
  1. #!/bin/sh
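#######################################
# Write the OpenSSL request/extension config for one test certificate.
# Arguments:
#   $1 - output base name; the config is written to "$1.conf"
#   $2 - subject CN, copied verbatim into the DN
#   $3 - optional subjectAltName. A plain host name becomes DNS.1 under
#        [alt_names]; a value containing "DER" is passed through unchanged
#        so the caller can hand openssl a raw DER-encoded GeneralName
#        (the NUL-in-name cases below).
# Outputs:
#   creates/overwrites "$1.conf"
# Returns:
#   1 if no base name was given, else the status of the last write
#######################################
build_test_cert_conf() {
  if [ -z "$1" ]; then
    echo "build_test_cert_conf: output base name required" >&2
    return 1
  fi
  # The fixed part of the config is one here-document instead of a run of
  # appending echos; only $2 is expanded inside it.
  cat > "$1.conf" <<EOF
[ req ]
prompt = no
default_bits = 2048
distinguished_name = req_distinguished_name
req_extensions = req_ext

[ req_distinguished_name ]
C = US
ST = Montana
L = Bozeman
OU = Engineering
CN = $2
emailAddress = info@wolfssl.com

[ req_ext ]
EOF
  if [ -n "$3" ]; then
    # POSIX case instead of the bash-only [[ ... ]] pattern test, since the
    # script is run under #!/bin/sh.
    case "$3" in
      *DER*)
        printf 'subjectAltName = %s\n' "$3" >> "$1.conf"
        ;;
      *)
        printf 'subjectAltName = @alt_names\n[alt_names]\nDNS.1 = %s\n' "$3" >> "$1.conf"
        ;;
    esac
  fi
}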
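#######################################
# Build one self-signed test certificate (PEM with a text dump prepended,
# plus a DER copy) and optionally a CRL signed with the same key.
# Arguments:
#   $1 - output base name; writes "$1.pem" and "$1.der" in the cwd
#   $2 - subject CN
#   $3 - subjectAltName, or "" for none (see build_test_cert_conf)
#   $4 - if non-empty, also write "../crl/$1Crl.pem"
# Paths: signs with ../server-key.pem; the CRL step uses
#   ../renewcerts/wolfssl.cnf and a throwaway ../crl/demoCA directory.
#   All paths are relative, so this is presumably run from the script's own
#   directory — verify before running elsewhere.
# Returns:
#   0 on success; 1 (with a message on stderr) when the config, CSR, cert or
#   CRL step fails, leaving any partial files in place for inspection.
#######################################
generate_test_cert() {
  if [ -z "$1" ]; then
    echo "generate_test_cert: output base name required" >&2
    return 1
  fi
  # -f: the outputs do not exist on a first run; that must not be an error.
  rm -f "$1.der" "$1.pem"
  echo "step 1 create configuration"
  # Every argument is quoted so an empty alt name keeps its position and a
  # wildcard CN such as *localhost is not glob-expanded by the shell.
  build_test_cert_conf "$1" "$2" "$3" || return 1
  echo "step 2 create csr"
  openssl req -new -sha256 -out "$1.csr" -key ../server-key.pem -config "$1.conf" \
    || { echo "generate_test_cert: csr failed for $1" >&2; return 1; }
  echo "step 3 check csr"
  openssl req -text -noout -in "$1.csr"
  echo "step 4 create cert"
  openssl x509 -req -days 1000 -sha256 -in "$1.csr" -signkey ../server-key.pem \
    -out "$1.pem" -extensions req_ext -extfile "$1.conf" \
    || { echo "generate_test_cert: cert failed for $1" >&2; return 1; }
  rm -f "$1.conf" "$1.csr"
  if [ -n "$4" ]; then
    echo "step 5 generate crl"
    # openssl ca needs a minimal CA database; it is created and removed here.
    mkdir -p ../crl/demoCA
    touch ../crl/demoCA/index.txt
    echo "01" > ../crl/crlnumber
    openssl ca -config ../renewcerts/wolfssl.cnf -gencrl -crldays 1000 \
      -out crl.revoked -keyfile ../server-key.pem -cert "$1.pem" \
      || { echo "generate_test_cert: crl failed for $1" >&2; return 1; }
    rm -f "../crl/$1Crl.pem"
    openssl crl -in crl.revoked -text > tmp.pem
    mv tmp.pem "../crl/$1Crl.pem"
    rm -f crl.revoked
    rm -rf ../crl/demoCA
    # Unquoted glob on purpose: openssl ca also leaves crlnumber.old behind.
    rm -f ../crl/crlnumber*
  fi
  echo "step 6 add cert text information to pem"
  openssl x509 -inform pem -in "$1.pem" -text > tmp.pem
  mv tmp.pem "$1.pem"
  echo "step 7 make binary der version"
  openssl x509 -inform pem -in "$1.pem" -outform der -out "$1.der"
}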
  63. # Generate Good CN=localhost, Alt=None
  64. generate_test_cert server-goodcn localhost "" 1
  65. # Generate Good CN=www.nomatch.com, Alt=localhost
  66. generate_test_cert server-goodalt www.nomatch.com localhost 1
  67. # Generate Good CN=*localhost, Alt=None
  68. generate_test_cert server-goodcnwild *localhost "" 1
  69. # Generate Good CN=www.nomatch.com, Alt=*localhost
  70. generate_test_cert server-goodaltwild www.nomatch.com *localhost 1
  71. # Generate Bad CN=localhost\0h, Alt=None
  72. # DG: Have not found a way to properly encode null in common name
  73. generate_test_cert server-badcnnull DER:30:0d:82:0b:6c:6f:63:61:6c:68:6f:73:74:00:68
  74. # Generate Bad Name CN=www.nomatch.com, Alt=None
  75. generate_test_cert server-badcn www.nomatch.com
  76. # Generate Bad Alt CN=www.nomatch.com, Alt=localhost\0h
  77. generate_test_cert server-badaltnull www.nomatch.com DER:30:0d:82:0b:6c:6f:63:61:6c:68:6f:73:74:00:68
  78. # Generate Bad Alt Name CN=www.nomatch.com, Alt=www.nomatch.com
  79. generate_test_cert server-badaltname www.nomatch.com www.nomatch.com