wolfssl/certs/test/gen-testcerts.sh

#!/bin/sh

# Args: 1=FileName, 2=CN, 3=AltName, 4=CA
function build_test_cert_conf {
	echo "# Generated openssl conf" 					 > $1.conf
	echo "" 											>> $1.conf
	echo "[ ca ]" 										>> $1.conf
	echo "default_ca = CA_default"						>> $1.conf
	echo "[ CA_default ]"								>> $1.conf
	echo "certificate     = ../ca-cert.pem"				>> $1.conf
	echo "database        = ./index.txt"				>> $1.conf
	echo "new_certs_dir   = ./certs"					>> $1.conf
	echo "private_key     = ./private/cakey.pem"		>> $1.conf
	echo "serial          = ./serial"					>> $1.conf
	echo "default_md      = sha256"						>> $1.conf
	echo "default_days    = 1000"						>> $1.conf
	echo "policy          = default_ca_policy"			>> $1.conf
	echo "" 											>> $1.conf
	echo "[ default_ca_policy ]"						>> $1.conf
	echo "commonName              = supplied"			>> $1.conf
	echo "stateOrProvinceName     = supplied"			>> $1.conf
	echo "countryName             = supplied"			>> $1.conf
	echo "emailAddress            = supplied"			>> $1.conf
	echo "organizationName        = optional"			>> $1.conf
	echo "organizationalUnitName  = optional"			>> $1.conf
	echo "" 											>> $1.conf
	echo "[ req ]" 										>> $1.conf
	echo "prompt = no"									>> $1.conf
	echo "default_bits        = 2048" 					>> $1.conf
	echo "distinguished_name  = req_distinguished_name" >> $1.conf
	echo "req_extensions      = req_ext" 				>> $1.conf
	if [ -n "$4" ]; then
		echo "basicConstraints=CA:true,pathlen:0"       >> $1.conf
		echo "" 										>> $1.conf
	fi
	echo "" 											>> $1.conf
	echo "[ req_distinguished_name ]" 					>> $1.conf
	echo "C = US" 										>> $1.conf
	echo "ST = Montana" 								>> $1.conf
	echo "L = Bozeman" 									>> $1.conf
	echo "OU = Engineering" 							>> $1.conf
	echo "CN = $2"  									>> $1.conf
	echo "emailAddress = info@wolfssl.com" 				>> $1.conf
	echo "" 											>> $1.conf
	echo "[ req_ext ]" 									>> $1.conf
	if [ -n "$3" ]; then
		if [[ "$3" != *"DER"* ]]; then
			echo "subjectAltName = @alt_names"			>> $1.conf
			echo "[alt_names]"							>> $1.conf
			echo "DNS.1 = $3"							>> $1.conf
		else
			echo "subjectAltName = $3" 					>> $1.conf
		fi
	fi
}

# Args: 1=FileName
function generate_test_cert {
	rm $1.der
	rm $1.pem

	echo "step 1 create configuration"
	build_test_cert_conf $1 $2 $3

	echo "step 2 create csr"
	openssl req -new -sha256 -out $1.csr -key ../server-key.pem -config $1.conf

	echo "step 3 check csr"
	openssl req -text -noout -in $1.csr

	echo "step 4 create cert"
	openssl x509 -req -days 1000 -sha256 -in $1.csr -signkey ../server-key.pem \
	             -out $1.pem -extensions req_ext -extfile $1.conf
	rm $1.conf
	rm $1.csr

	if [ -n "$4" ]; then
		echo "step 5 generate crl"
		mkdir ../crl/demoCA
		touch ../crl/demoCA/index.txt
	    echo "01" > ../crl/crlnumber
		openssl ca -config ../renewcerts/wolfssl.cnf -gencrl -crldays 1000 -out crl.revoked -keyfile ../server-key.pem -cert $1.pem
		rm ../crl/$1Crl.pem
		openssl crl -in crl.revoked -text > tmp.pem
		mv tmp.pem ../crl/$1Crl.pem
		rm crl.revoked
		rm -rf ../crl/demoCA
		rm ../crl/crlnumber*
	fi

	echo "step 6 add cert text information to pem"
	openssl x509 -inform pem -in $1.pem -text > tmp.pem
	mv tmp.pem $1.pem

	echo "step 7 make binary der version"
	openssl x509 -inform pem -in $1.pem -outform der -out $1.der
}

function generate_expired_certs {
	rm $1.der
	rm $1.pem

	mkdir -p certs
	touch ./index.txt
	echo 1000 > ./serial

	echo "step 1 create configuration"
	build_test_cert_conf $1 www.wolfssl.com 0 $3

	echo "step 2 create csr"
	openssl req -new -sha256 -out $1.csr -key $2 -config $1.conf

	echo "step 3 check csr"
	openssl req -text -noout -in $1.csr

	echo "step 4 create cert"
	openssl ca -selfsign -config $1.conf -keyfile $2 -in $1.csr -out $1.pem \
		-startdate 201807310000Z -enddate 201808300000Z -batch
	rm $1.conf
	rm $1.csr

	echo "step 5 add cert text information to pem"
	openssl x509 -inform pem -in $1.pem -text > tmp.pem
	mv tmp.pem $1.pem

	echo "step 7 make binary der version"
	openssl x509 -inform pem -in $1.pem -outform der -out $1.der

	rm -rf certs
	rm ./index.txt*
	rm ./serial*
}

# Generate Good CN=localhost, Alt=None
generate_test_cert server-goodcn localhost "" 1

# Generate Good CN=www.nomatch.com, Alt=localhost
generate_test_cert server-goodalt www.nomatch.com localhost 1

# Generate Good CN=*localhost, Alt=None
generate_test_cert server-goodcnwild *localhost "" 1

# Generate Good CN=www.nomatch.com, Alt=*localhost
generate_test_cert server-goodaltwild www.nomatch.com *localhost 1

# Generate Bad CN=localhost\0h, Alt=None
# DG: Have not found a way to properly encode null in common name
generate_test_cert server-badcnnull DER:30:0d:82:0b:6c:6f:63:61:6c:68:6f:73:74:00:68

# Generate Bad Name CN=www.nomatch.com, Alt=None
generate_test_cert server-badcn www.nomatch.com

# Generate Bad Alt CN=www.nomatch.com, Alt=localhost\0h
generate_test_cert server-badaltnull www.nomatch.com DER:30:0d:82:0b:6c:6f:63:61:6c:68:6f:73:74:00:68

# Generate Bad Alt Name CN=www.nomatch.com, Alt=www.nomatch.com
generate_test_cert server-badaltname www.nomatch.com www.nomatch.com

# Generate Good Alt Name CN=localhost, Alt=localhost
generate_test_cert server-localhost localhost localhost

# Generate Bad Alt Name CN=localhost, Alt=garbage
generate_test_cert server-garbage localhost garbage


# Generate Expired Certificates
generate_expired_certs expired-ca ../ca-key.pem 1
generate_expired_certs expired-cert ../server-key.pem