updating renewcerts script

certs/renewcerts.sh

@@ -8,6 +8,10 @@
 #                       client-ecc-cert.der
 #                       ca-cert.pem
 #                       ca-cert.der
+#                       ca-ecc-cert.pem
+#                       ca-ecc-cert.der
+#                       ca-ecc384-cert.pem
+#                       ca-ecc384-cert.der
 #                       server-cert.pem
 #                       server-cert.der
 #                       server-ecc-rsa.pem
@@ -17,6 +21,7 @@
 #                       server-ecc-comp.pem
 #                       client-ca.pem
 #                       test/digsigku.pem
+#                       ecc-privOnlyCert.pem
 # updates the following crls:
 #                       crl/cliCrl.pem
 #                       crl/crl.pem
@@ -100,12 +105,38 @@ function run_renewcerts(){
     openssl x509 -in ca-cert.pem -text > tmp.pem
     mv tmp.pem ca-cert.pem
     ############################################################
+    ########## update the self-signed ca-ecc-cert.pem ##########
+    ############################################################
+    echo "Updating ca-ecc-cert.pem"
+    echo ""
+    #pipe the following arguments to openssl req...
+    echo -e  "US\nWashington\nSeattle\nwolfSSL\nDevelopment\nwww.wolfssl.com\ninfo@wolfssl.com\n.\n.\n" | openssl req -new -key ca-ecc-key.pem -nodes -out ca-ecc-cert.csr
+
+    openssl x509 -req -in ca-ecc-cert.csr -days 1000 -extfile wolfssl.cnf -extensions ca_ecc_cert -signkey ca-ecc-key.pem -out ca-ecc-cert.pem
+    rm ca-ecc-cert.csr
+
+    openssl x509 -in ca-ecc-cert.pem -text > tmp.pem
+    mv tmp.pem ca-ecc-cert.pem
+    ############################################################
+    ########## update the self-signed ca-ecc384-cert.pem #######
+    ############################################################
+    echo "Updating ca-ecc384-cert.pem"
+    echo ""
+    #pipe the following arguments to openssl req...
+    echo -e  "US\nWashington\nSeattle\nwolfSSL\nDevelopment\nwww.wolfssl.com\ninfo@wolfssl.com\n.\n.\n" | openssl req -new -key ca-ecc384-key.pem -nodes -sha384 -out ca-ecc384-cert.csr
+
+    openssl x509 -req -in ca-ecc384-cert.csr -days 1000 -extfile wolfssl.cnf -extensions ca_ecc_cert -signkey ca-ecc384-key.pem -sha384 -out ca-ecc384-cert.pem
+    rm ca-ecc384-cert.csr
+
+    openssl x509 -in ca-ecc384-cert.pem -text > tmp.pem
+    mv tmp.pem ca-ecc384-cert.pem
+    ############################################################
     ##### update the self-signed (1024-bit) ca-cert.pem ########
     ############################################################
     echo "Updating 1024-bit ca-cert.pem"
     echo ""
     #pipe the following arguments to openssl req...
-    echo -e  "US\nMontana\nBozeman\nSawtooth\nConsulting_1024\nwww.wolfssl.com\ninfo@wolfssl.com\n.\n.\n" | openssl req -new -key \1024/ca-key.pem -nodes -out \1024/ca-cert.csr
+    echo -e  "US\nMontana\nBozeman\nSawtooth\nConsulting_1024\nwww.wolfssl.com\ninfo@wolfssl.com\n.\n.\n" | openssl req -new -key \1024/ca-key.pem -nodes -sha1 -out \1024/ca-cert.csr
 
     openssl x509 -req -in \1024/ca-cert.csr -days 1000 -extfile wolfssl.cnf -extensions wolfssl_opts -signkey \1024/ca-key.pem -out \1024/ca-cert.pem
     rm \1024/ca-cert.csr
@@ -169,7 +200,7 @@ function run_renewcerts(){
     echo "Updating 1024-bit server-cert.pem"
     echo ""
     #pipe the following arguments to openssl req...
-    echo -e "US\nMontana\nBozeman\nwolfSSL\nSupport_1024\nwww.wolfssl.com\ninfo@wolfssl.com\n.\n.\n" | openssl req -new -key \1024/server-key.pem -nodes > \1024/server-req.pem
+    echo -e "US\nMontana\nBozeman\nwolfSSL\nSupport_1024\nwww.wolfssl.com\ninfo@wolfssl.com\n.\n.\n" | openssl req -new -key \1024/server-key.pem -nodes -sha1 > \1024/server-req.pem
 
     openssl x509 -req -in \1024/server-req.pem -extfile wolfssl.cnf -extensions wolfssl_opts -days 1000 -CA \1024/ca-cert.pem -CAkey \1024/ca-key.pem -set_serial 01 > \1024/server-cert.pem
 
@@ -244,6 +275,18 @@ function run_renewcerts(){
     echo ""
     cat client-cert.pem client-ecc-cert.pem > client-ca.pem
 
+    ############################################################
+    ###### update the self-signed ecc-privOnlyCert.pem #########
+    ############################################################
+    echo "Updating ecc-privOnlyCert.pem"
+    echo ""
+    #pipe the following arguments to openssl req...
+    echo -e ".\n.\n.\nWR\n.\nDE\n.\n.\n.\n" | openssl req -new -key ecc-privOnlyKey.pem -nodes -out ecc-privOnly.csr
+
+
+    openssl x509 -req -in ecc-privOnly.csr -days 1000 -signkey ecc-privOnlyKey.pem -out ecc-privOnlyCert.pem
+    rm ecc-privOnly.csr
+
     ############################################################
     ###### update the self-signed test/digsigku.pem   ##########
     ############################################################
@@ -263,10 +306,15 @@ function run_renewcerts(){
     ############################################################
     ########## make .der files from .pem files #################
     ############################################################
-    openssl x509 -inform PEM -in \1024/client-cert.pem -outform DER -out \1024/client-cert.der
     echo "Creating der formatted certs..."
     echo ""
+    openssl x509 -inform PEM -in \1024/client-cert.pem -outform DER -out \1024/client-cert.der
+    openssl x509 -inform PEM -in \1024/server-cert.pem -outform DER -out \1024/server-cert.der
+    openssl x509 -inform PEM -in \1024/ca-cert.pem -outform DER -out \1024/ca-cert.der
+
     openssl x509 -inform PEM -in ca-cert.pem -outform DER -out ca-cert.der
+    openssl x509 -inform PEM -in ca-ecc-cert.pem -outform DER -out ca-ecc-cert.der
+    openssl x509 -inform PEM -in ca-ecc384-cert.pem -outform DER -out ca-ecc384-cert.der
     openssl x509 -inform PEM -in client-cert.pem -outform DER -out client-cert.der
     openssl x509 -inform PEM -in server-cert.pem -outform DER -out server-cert.der
     openssl x509 -inform PEM -in client-ecc-cert.pem -outform DER -out client-ecc-cert.der
@@ -281,6 +329,15 @@ function run_renewcerts(){
     echo ""
     echo "" | openssl pkcs12 -des3 -descert -export -in server-ecc-rsa.pem -inkey ecc-key.pem -certfile server-ecc.pem -out ecc-rsa-server.p12 -password stdin
 
+    ############################################################
+    ###### calling gen-ext-certs.sh           ##################
+    ############################################################
+    echo "Calling gen-ext-certs.sh"
+    echo ""
+    cd ..
+    ./certs/test/gen-ext-certs.sh
+    cd ./certs
+
     ############################################################
     ########## store DER files as buffers ######################
     ############################################################

certs/renewcerts/wolfssl.cnf

@@ -170,6 +170,13 @@ authorityKeyIdentifier=keyid:always,issuer:always
 basicConstraints=critical, CA:TRUE
 keyUsage=critical, nonRepudiation, keyEncipherment
 
+# ca-ecc-cert extensions
+[ ca_ecc_cert ]
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid:always
+basicConstraints=critical, CA:TRUE
+keyUsage=critical, digitalSignature, keyCertSign, cRLSign
+
 #tsa default
 [ tsa ]
 default_tsa = tsa_config1