mirrors/wolfssl
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
wolfssl/certs/renewcerts.sh
Sean Parkinson fb531dacc2 Certs with RSA-PSS sig 
Add support for parsing and verifying certificates with RSA-PSS
signatures. Including check PSS parameters in key with those in
signature algorithm.
Add support for parsing private RSA PSS key.
Add support for parsing public RSA PSS key.
2022-08-11 09:43:01 +10:00

864 lines
41 KiB
Bash
Executable File
Raw Blame History

#!/bin/bash
# renewcerts.sh
#
# renews the following certs:
# client-cert.pem
# client-cert.der
# client-ecc-cert.pem
# client-ecc-cert.der
# ca-cert.pem
# ca-cert.der
# ca-ecc-cert.pem
# ca-ecc-cert.der
# ca-ecc384-cert.pem
# ca-ecc384-cert.der
# server-cert.pem
# server-cert.der
# server-cert-chain.der
# server-ecc-rsa.pem
# server-ecc.pem
# 1024/client-cert.der
# 1024/client-cert.pem
# server-ecc-comp.pem
# client-ca.pem
# test/digsigku.pem
# ecc-privOnlyCert.pem
# client-uri-cert.pem
# client-relative-uri.pem
# client-crl-dist.pem
# entity-no-ca-bool-cert.pem
# fpki-cert.der
# updates the following crls:
# crl/cliCrl.pem
# crl/crl.pem
# crl/crl.revoked
# crl/eccCliCRL.pem
# crl/eccSrvCRL.pem
#
# pkcs7:
# test-degenerate.p7b
###############################################################################
######################## FUNCTIONS SECTION ####################################
###############################################################################
#function for restoring a previous configure state
restore_config(){
mv tmp.status config.status
mv tmp.options.h wolfssl/options.h
make clean
make -j 8
}
check_result(){
if [ $1 -ne 0 ]; then
echo "Failed at \"$2\", Abort"
exit 1
else
echo "Step Succeeded!"
fi
}
#the function that will be called when we are ready to renew the certs.
run_renewcerts(){
#call update for some ecc certs
./certs/ecc/genecc.sh
check_result $? "Step 0"
cd certs/ || { echo "Couldn't cd to certs directory"; exit 1; }
echo ""
#move the custom cnf into our working directory
cp renewcerts/wolfssl.cnf wolfssl.cnf || exit 1
# To generate these all in sha1 add the flag "-sha1" on appropriate lines
# That is all lines beginning with: "openssl req"
############################################################
#### update the self-signed (2048-bit) client-uri-cert.pem #
############################################################
echo "Updating 2048-bit client-uri-cert.pem"
echo ""
#pipe the following arguments to openssl req...
echo -e "US\\nMontana\\nBozeman\\nwolfSSL_2048\\nURI\\nwww.wolfssl.com\\ninfo@wolfssl.com\\n.\\n.\\n" | openssl req -new -key client-key.pem -config ./wolfssl.cnf -nodes -out client-cert.csr
check_result $? "Step 1"
openssl x509 -req -in client-cert.csr -days 1000 -extfile wolfssl.cnf -extensions uri -signkey client-key.pem -out client-uri-cert.pem
check_result $? "Step 2"
rm client-cert.csr
openssl x509 -in client-uri-cert.pem -text > tmp.pem
check_result $? "Step 3"
mv tmp.pem client-uri-cert.pem
echo "End of section"
echo "---------------------------------------------------------------------"
############################################################
# Public Versions of client-key.pem
############################################################
openssl rsa -inform pem -in certs/client-key.pem -outform der -out certs/client-keyPub.der -pubout
openssl rsa -inform pem -in certs/client-key.pem -outform pem -out certs/client-keyPub.pem -pubout
############################################################
# Public Versions of server-key.pem
############################################################
#openssl rsa -inform pem -in certs/server-key.pem -outform der -out certs/server-keyPub.der -pubout
openssl rsa -inform pem -in certs/server-key.pem -outform pem -out certs/server-keyPub.pem -pubout
############################################################
# Public Versions of ecc-key.pem
############################################################
#openssl ec -inform pem -in certs/ecc-key.pem -outform der -out certs/ecc-keyPub.der -pubout
openssl ec -inform pem -in certs/ecc-key.pem -outform pem -out certs/ecc-keyPub.pem -pubout
############################################################
#### update the self-signed (2048-bit) client-relative-uri.pem
############################################################
echo "Updating 2048-bit client-relative-uri.pem"
echo ""
#pipe the following arguments to openssl req...
echo -e "US\\nMontana\\nBozeman\\nwolfSSL_2048\\nRELATIVE_URI\\nwww.wolfssl.com\\ninfo@wolfssl.com\\n.\\n.\\n" | openssl req -new -key client-key.pem -config ./wolfssl.cnf -nodes -out client-cert.csr
check_result $? "Step 1"
openssl x509 -req -in client-cert.csr -days 1000 -extfile wolfssl.cnf -extensions relative_uri -signkey client-key.pem -out client-relative-uri.pem
check_result $? "Step 2"
rm client-cert.csr
openssl x509 -in client-relative-uri.pem -text > tmp.pem
check_result $? "Step 3"
mv tmp.pem client-relative-uri.pem
echo "End of section"
echo "---------------------------------------------------------------------"
############################################################
#### update the self-signed (2048-bit) client-cert-ext.pem
############################################################
echo "Updating 2048-bit client-cert-ext.pem"
echo ""
#pipe the following arguments to openssl req...
echo -e "US\\nMontana\\nBozeman\\nwolfSSL_2048\\nProgramming-2048\\nwww.wolfssl.com\\ninfo@wolfssl.com\\n.\\n.\\n" | openssl req -new -key client-key.pem -config ./wolfssl.cnf -nodes -out client-cert.csr
check_result $? "Step 1"
openssl x509 -req -in client-cert.csr -days 1000 -extfile wolfssl.cnf -extensions client_cert_ext -signkey client-key.pem -out client-cert-ext.pem
check_result $? "Step 2"
rm client-cert.csr
openssl x509 -in client-cert-ext.pem -outform DER -out client-cert-ext.der
check_result $? "Step 3"
openssl x509 -in client-cert-ext.pem -text > tmp.pem
check_result $? "Step 4"
mv tmp.pem client-cert-ext.pem
echo "End of section"
echo "---------------------------------------------------------------------"
############################################################
#### update the self-signed (2048-bit) client-crl-dist.pem
############################################################
echo "Updating 2048-bit client-crl-dist.pem"
echo ""
#pipe the following arguments to openssl req...
echo -e "US\\nMontana\\nBozeman\\nwolfSSL_2048\\nCRL_DIST\\nwww.wolfssl.com\\ninfo@wolfssl.com\\n.\\n.\\n" | openssl req -new -key client-key.pem -config ./wolfssl.cnf -nodes -out client-cert.csr
check_result $? "Step 1"
openssl x509 -req -in client-cert.csr -days 1000 -extfile wolfssl.cnf -extensions crl_dist_points -signkey client-key.pem -out client-crl-dist.pem
check_result $? "Step 2"
rm client-cert.csr
openssl x509 -in client-crl-dist.pem -text > tmp.pem
check_result $? "Step 3"
mv tmp.pem client-crl-dist.pem
openssl x509 -in client-crl-dist.pem -outform der -out client-crl-dist.der
echo "End of section"
echo "---------------------------------------------------------------------"
############################################################
#### update the self-signed (2048-bit) client-cert.pem #####
############################################################
echo "Updating 2048-bit client-cert.pem"
echo ""
#pipe the following arguments to openssl req...
echo -e "US\\nMontana\\nBozeman\\nwolfSSL_2048\\nProgramming-2048\\nwww.wolfssl.com\\ninfo@wolfssl.com\\n.\\n.\\n" | openssl req -new -key client-key.pem -config ./wolfssl.cnf -nodes -out client-cert.csr
check_result $? "Step 1"
openssl x509 -req -in client-cert.csr -days 1000 -extfile wolfssl.cnf -extensions wolfssl_opts -signkey client-key.pem -out client-cert.pem
check_result $? "Step 2"
rm client-cert.csr
openssl x509 -in client-cert.pem -text > tmp.pem
check_result $? "Step 3"
mv tmp.pem client-cert.pem
echo "End of section"
echo "---------------------------------------------------------------------"
############################################################
#### update the self-signed (1024-bit) client-cert.pem #####
############################################################
echo "Updating 1024-bit client-cert.pem"
echo ""
#pipe the following arguments to openssl req...
echo -e "US\\nMontana\\nBozeman\\nwolfSSL_1024\\nProgramming-1024\\nwww.wolfssl.com\\ninfo@wolfssl.com\\n.\\n.\\n" | openssl req -new -key ./1024/client-key.pem -config ./wolfssl.cnf -nodes -out ./1024/client-cert.csr
check_result $? "Step 1"
openssl x509 -req -in ./1024/client-cert.csr -days 1000 -extfile wolfssl.cnf -extensions wolfssl_opts -signkey ./1024/client-key.pem -out ./1024/client-cert.pem
check_result $? "Step 2"
rm ./1024/client-cert.csr
openssl x509 -in ./1024/client-cert.pem -text > ./1024/tmp.pem
check_result $? "Step 3"
mv ./1024/tmp.pem ./1024/client-cert.pem
echo "End of section"
echo "---------------------------------------------------------------------"
############################################################
#### update the self-signed (3072-bit) client-cert.pem #####
############################################################
echo "Updating 3072-bit client-cert.pem"
echo ""
#pipe the following arguments to openssl req...
echo -e "US\\nMontana\\nBozeman\\nwolfSSL_3072\\nProgramming-3072\\nwww.wolfssl.com\\ninfo@wolfssl.com\\n.\\n.\\n" | openssl req -new -key ./3072/client-key.pem -config ./wolfssl.cnf -nodes -out ./3072/client-cert.csr
check_result $? "Step 1"
openssl x509 -req -in ./3072/client-cert.csr -days 1000 -extfile wolfssl.cnf -extensions wolfssl_opts -signkey ./3072/client-key.pem -out ./3072/client-cert.pem
check_result $? "Step 2"
rm ./3072/client-cert.csr
openssl x509 -in ./3072/client-cert.pem -text > ./3072/tmp.pem
check_result $? "Step 3"
mv ./3072/tmp.pem ./3072/client-cert.pem
openssl rsa -in ./3072/client-key.pem -outform der -out ./3072/client-key.der
openssl rsa -inform pem -in ./3072/client-key.pem -outform der -out ./3072/client-keyPub.der -pubout
openssl x509 -in ./3072/client-cert.pem -outform der -out ./3072/client-cert.der
echo "End of section"
echo "---------------------------------------------------------------------"
############################################################
#### update the self-signed (4096-bit) client-cert.pem #####
############################################################
echo "Updating 4096-bit client-cert.pem"
echo ""
#pipe the following arguments to openssl req...
echo -e "US\\nMontana\\nBozeman\\nwolfSSL_4096\\nProgramming-4096\\nwww.wolfssl.com\\ninfo@wolfssl.com\\n.\\n.\\n" | openssl req -new -key ./4096/client-key.pem -config ./wolfssl.cnf -nodes -out ./4096/client-cert.csr
check_result $? "Step 1"
openssl x509 -req -in ./4096/client-cert.csr -days 1000 -extfile wolfssl.cnf -extensions wolfssl_opts -signkey ./4096/client-key.pem -out ./4096/client-cert.pem
check_result $? "Step 2"
rm ./4096/client-cert.csr
openssl x509 -in ./4096/client-cert.pem -text > ./4096/tmp.pem
check_result $? "Step 3"
mv ./4096/tmp.pem ./4096/client-cert.pem
openssl rsa -in ./4096/client-key.pem -outform der -out ./4096/client-key.der
openssl rsa -inform pem -in ./4096/client-key.pem -outform der -out ./4096/client-keyPub.der -pubout
openssl x509 -in ./4096/client-cert.pem -outform der -out ./4096/client-cert.der
echo "End of section"
echo "---------------------------------------------------------------------"
############################################################
########## update the self-signed ca-cert.pem ##############
############################################################
echo "Updating ca-cert.pem"
echo ""
#pipe the following arguments to openssl req...
echo -e "US\\nMontana\\nBozeman\\nSawtooth\\nConsulting\\nwww.wolfssl.com\\ninfo@wolfssl.com\\n.\\n.\\n" | openssl req -new -key ca-key.pem -config ./wolfssl.cnf -nodes -out ca-cert.csr
check_result $? "Step 1"
openssl x509 -req -in ca-cert.csr -days 1000 -extfile wolfssl.cnf -extensions wolfssl_opts -signkey ca-key.pem -out ca-cert.pem
check_result $? "Step 2"
rm ca-cert.csr
openssl x509 -in ca-cert.pem -text > tmp.pem
check_result $? "Step 3"
mv tmp.pem ca-cert.pem
echo "End of section"
echo "---------------------------------------------------------------------"
############################################################
########## update the self-signed ca-cert-chain.der ########
############################################################
echo "Updating ca-cert-chain.der"
echo ""
#pipe the following arguments to openssl req...
echo -e "US\\nMontana\\nBozeman\\nSawtooth\\nConsulting\\nwww.wolfssl.com\\ninfo@wolfssl.com\\n.\\n.\\n" | openssl req -new -key 1024/ca-key.pem -config ./wolfssl.cnf -nodes -out ca-cert.csr
check_result $? "Step 1"
openssl x509 -req -in ca-cert.csr -days 1000 -extfile wolfssl.cnf -extensions wolfssl_opts -signkey 1024/ca-key.pem -outform DER -out ca-cert-chain.der
check_result $? "Step 2"
rm ca-cert.csr
echo "End of section"
echo "---------------------------------------------------------------------"
############################################################
########## update the self-signed ca-ecc-cert.pem ##########
############################################################
echo "Updating ca-ecc-cert.pem"
echo ""
#pipe the following arguments to openssl req...
echo -e "US\\nWashington\\nSeattle\\nwolfSSL\\nDevelopment\\nwww.wolfssl.com\\ninfo@wolfssl.com\\n.\\n.\\n" | openssl req -new -key ca-ecc-key.pem -config ./wolfssl.cnf -nodes -out ca-ecc-cert.csr
check_result $? "Step 1"
openssl x509 -req -in ca-ecc-cert.csr -days 1000 -extfile wolfssl.cnf -extensions ca_ecc_cert -signkey ca-ecc-key.pem -out ca-ecc-cert.pem
check_result $? "Step 2"
rm ca-ecc-cert.csr
openssl x509 -in ca-ecc-cert.pem -text > tmp.pem
check_result $? "Step 3"
mv tmp.pem ca-ecc-cert.pem
echo "End of section"
echo "---------------------------------------------------------------------"
############################################################
########## update the self-signed ca-ecc384-cert.pem #######
############################################################
echo "Updating ca-ecc384-cert.pem"
echo ""
#pipe the following arguments to openssl req...
echo -e "US\\nWashington\\nSeattle\\nwolfSSL\\nDevelopment\\nwww.wolfssl.com\\ninfo@wolfssl.com\\n.\\n.\\n" | openssl req -new -key ca-ecc384-key.pem -config ./wolfssl.cnf -nodes -sha384 -out ca-ecc384-cert.csr
check_result $? "Step 1"
openssl x509 -req -in ca-ecc384-cert.csr -days 1000 -extfile wolfssl.cnf -extensions ca_ecc_cert -signkey ca-ecc384-key.pem -sha384 -out ca-ecc384-cert.pem
check_result $? "Step 2"
rm ca-ecc384-cert.csr
openssl x509 -in ca-ecc384-cert.pem -text > tmp.pem
check_result $? "Step 3"
mv tmp.pem ca-ecc384-cert.pem
echo "End of section"
echo "---------------------------------------------------------------------"
############################################################
##### update the self-signed (1024-bit) ca-cert.pem ########
############################################################
echo "Updating 1024-bit ca-cert.pem"
echo ""
#pipe the following arguments to openssl req...
echo -e "US\\nMontana\\nBozeman\\nSawtooth\\nConsulting_1024\\nwww.wolfssl.com\\ninfo@wolfssl.com\\n.\\n.\\n" | openssl req -new -key ./1024/ca-key.pem -config ./wolfssl.cnf -nodes -sha1 -out ./1024/ca-cert.csr
check_result $? "Step 1"
openssl x509 -req -in ./1024/ca-cert.csr -days 1000 -extfile wolfssl.cnf -extensions wolfssl_opts -signkey ./1024/ca-key.pem -out ./1024/ca-cert.pem
check_result $? "Step 2"
rm ./1024/ca-cert.csr
openssl x509 -in ./1024/ca-cert.pem -text > ./1024/tmp.pem
check_result $? "Step 3"
mv ./1024/tmp.pem ./1024/ca-cert.pem
echo "End of section"
echo "---------------------------------------------------------------------"
###########################################################
########## update and sign fpki-cert.der ################
###########################################################
echo "Updating fpki-cert.der"
echo ""
#pipe the following arguments to openssl req...
echo -e "US\\nMontana\\nBozeman\\nwolfSSL\\nFPKI\\nwww.wolfssl.com\\ninfo@wolfssl.com\\n.\\n.\\n" | openssl req -new -key server-key.pem -config ./wolfssl.cnf -nodes > fpki-req.pem
check_result $? "Step 1"
openssl x509 -req -in fpki-req.pem -extfile wolfssl.cnf -extensions fpki_ext -days 1000 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 -out fpki-cert.der -outform DER
check_result $? "Step 2"
rm fpki-req.pem
echo "End of section"
echo "---------------------------------------------------------------------"
###########################################################
########## update and sign server-cert.pem ################
###########################################################
echo "Updating server-cert.pem"
echo ""
#pipe the following arguments to openssl req...
echo -e "US\\nMontana\\nBozeman\\nwolfSSL\\nSupport\\nwww.wolfssl.com\\ninfo@wolfssl.com\\n.\\n.\\n" | openssl req -new -key server-key.pem -config ./wolfssl.cnf -nodes > server-req.pem
check_result $? "Step 1"
openssl x509 -req -in server-req.pem -extfile wolfssl.cnf -extensions wolfssl_opts -days 1000 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 > server-cert.pem
check_result $? "Step 2"
rm server-req.pem
openssl x509 -in ca-cert.pem -text > ca_tmp.pem
check_result $? "Step 3"
openssl x509 -in server-cert.pem -text > srv_tmp.pem
check_result $? "Step 4"
mv srv_tmp.pem server-cert.pem
cat ca_tmp.pem >> server-cert.pem
rm ca_tmp.pem
echo "End of section"
echo "---------------------------------------------------------------------"
###########################################################
########## update and sign server-revoked-key.pem #########
###########################################################
echo "Updating server-revoked-cert.pem"
echo ""
#pipe the following arguments to openssl req...
echo -e "US\\nMontana\\nBozeman\\nwolfSSL_revoked\\nSupport_revoked\\nwww.wolfssl.com\\ninfo@wolfssl.com\\n.\\n.\\n" | openssl req -new -key server-revoked-key.pem -config ./wolfssl.cnf -nodes > server-revoked-req.pem
check_result $? "Step 1"
openssl x509 -req -in server-revoked-req.pem -extfile wolfssl.cnf -extensions wolfssl_opts -days 1000 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 02 > server-revoked-cert.pem
check_result $? "Step 2"
rm server-revoked-req.pem
openssl x509 -in ca-cert.pem -text > ca_tmp.pem
check_result $? "Step 3"
openssl x509 -in server-revoked-cert.pem -text > srv_tmp.pem
check_result $? "Step 4"
mv srv_tmp.pem server-revoked-cert.pem
cat ca_tmp.pem >> server-revoked-cert.pem
rm ca_tmp.pem
echo "End of section"
echo "---------------------------------------------------------------------"
###########################################################
########## update and sign server-duplicate-policy.pem ####
###########################################################
echo "Updating server-duplicate-policy.pem"
echo ""
#pipe the following arguments to openssl req...
echo -e "US\\nMontana\\nBozeman\\nwolfSSL\\ntesting duplicate policy\\nwww.wolfssl.com\\ninfo@wolfssl.com\\n.\\n.\\n" | openssl req -new -key server-key.pem -config ./wolfssl.cnf -nodes > ./test/server-duplicate-policy-req.pem
check_result $? "Step 1"
openssl x509 -req -in ./test/server-duplicate-policy-req.pem -extfile wolfssl.cnf -extensions policy_test -days 1000 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 02 > ./test/server-duplicate-policy.pem
check_result $? "Step 2"
rm ./test/server-duplicate-policy-req.pem
openssl x509 -in ca-cert.pem -text > ca_tmp.pem
check_result $? "Step 3"
openssl x509 -in ./test/server-duplicate-policy.pem -text > srv_tmp.pem
check_result $? "Step 4"
mv srv_tmp.pem ./test/server-duplicate-policy.pem
cat ca_tmp.pem >> ./test/server-duplicate-policy.pem
rm ca_tmp.pem
echo "End of section"
echo "---------------------------------------------------------------------"
###########################################################
#### update and sign (1024-bit) server-cert.pem ###########
###########################################################
echo "Updating 1024-bit server-cert.pem"
echo ""
#pipe the following arguments to openssl req...
echo -e "US\\nMontana\\nBozeman\\nwolfSSL\\nSupport_1024\\nwww.wolfssl.com\\ninfo@wolfssl.com\\n.\\n.\\n" | openssl req -new -key ./1024/server-key.pem -config ./wolfssl.cnf -nodes -sha1 > ./1024/server-req.pem
check_result $? "Step 1"
openssl x509 -req -in ./1024/server-req.pem -extfile wolfssl.cnf -extensions wolfssl_opts -days 1000 -CA ./1024/ca-cert.pem -CAkey ./1024/ca-key.pem -set_serial 01 > ./1024/server-cert.pem
check_result $? "Step 2"
rm ./1024/server-req.pem
openssl x509 -in ./1024/ca-cert.pem -text > ./1024/ca_tmp.pem
check_result $? "Step 3"
openssl x509 -in ./1024/server-cert.pem -text > ./1024/srv_tmp.pem
check_result $? "Step 4"
mv ./1024/srv_tmp.pem ./1024/server-cert.pem
cat ./1024/ca_tmp.pem >> ./1024/server-cert.pem
rm ./1024/ca_tmp.pem
echo "End of section"
echo "---------------------------------------------------------------------"
############################################################
########## update and sign the server-ecc-rsa.pem ##########
############################################################
echo "Updating server-ecc-rsa.pem"
echo ""
echo -e "US\\nMontana\\nBozeman\\nElliptic - RSAsig\\nECC-RSAsig\\nwww.wolfssl.com\\ninfo@wolfssl.com\\n.\\n.\\n" | openssl req -new -key ecc-key.pem -config ./wolfssl.cnf -nodes > server-ecc-req.pem
check_result $? "Step 1"
openssl x509 -req -in server-ecc-req.pem -extfile wolfssl.cnf -extensions wolfssl_opts -days 1000 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 > server-ecc-rsa.pem
check_result $? "Step 2"
rm server-ecc-req.pem
openssl x509 -in server-ecc-rsa.pem -text > tmp.pem
check_result $? "Step 3"
mv tmp.pem server-ecc-rsa.pem
echo "End of section"
echo "---------------------------------------------------------------------"
############################################################
####### update the self-signed client-ecc-cert.pem #########
############################################################
echo "Updating client-ecc-cert.pem"
echo ""
#pipe the following arguments to openssl req...
echo -e "US\\nOregon\\nSalem\\nClient ECC\\nFast\\nwww.wolfssl.com\\ninfo@wolfssl.com\\n.\\n.\\n" | openssl req -new -key ecc-client-key.pem -config ./wolfssl.cnf -nodes -out client-ecc-cert.csr
check_result $? "Step 1"
openssl x509 -req -in client-ecc-cert.csr -days 1000 -extfile wolfssl.cnf -extensions wolfssl_opts -signkey ecc-client-key.pem -out client-ecc-cert.pem
check_result $? "Step 2"
rm client-ecc-cert.csr
openssl x509 -in client-ecc-cert.pem -text > tmp.pem
check_result $? "Step 3"
mv tmp.pem client-ecc-cert.pem
echo "End of section"
echo "---------------------------------------------------------------------"
############################################################
########## update the server-ecc.pem #######################
############################################################
echo "Updating server-ecc.pem"
echo ""
#pipe the following arguments to openssl req...
echo -e "US\\nWashington\\nSeattle\\nEliptic\\nECC\\nwww.wolfssl.com\\ninfo@wolfssl.com\\n.\\n.\\n" | openssl req -new -key ecc-key.pem -config ./wolfssl.cnf -nodes -out server-ecc.csr
check_result $? "Step 1"
openssl x509 -req -in server-ecc.csr -days 1000 -extfile wolfssl.cnf -extensions server_ecc -CA ca-ecc-cert.pem -CAkey ca-ecc-key.pem -set_serial 03 -out server-ecc.pem
check_result $? "Step 2"
rm server-ecc.csr
openssl x509 -in server-ecc.pem -text > tmp.pem
check_result $? "Step 3"
mv tmp.pem server-ecc.pem
echo "End of section"
echo "---------------------------------------------------------------------"
############################################################
###### update the self-signed server-ecc-comp.pem ##########
############################################################
echo "Updating server-ecc-comp.pem"
echo ""
#pipe the following arguments to openssl req...
echo -e "US\\nMontana\\nBozeman\\nElliptic - comp\\nServer ECC-comp\\nwww.wolfssl.com\\ninfo@wolfssl.com\\n.\\n.\\n" | openssl req -new -key ecc-key-comp.pem -config ./wolfssl.cnf -nodes -out server-ecc-comp.csr
check_result $? "Step 1"
openssl x509 -req -in server-ecc-comp.csr -days 1000 -extfile wolfssl.cnf -extensions wolfssl_opts -signkey ecc-key-comp.pem -out server-ecc-comp.pem
check_result $? "Step 2"
rm server-ecc-comp.csr
openssl x509 -in server-ecc-comp.pem -text > tmp.pem
check_result $? "Step 3"
mv tmp.pem server-ecc-comp.pem
echo "End of section"
echo "---------------------------------------------------------------------"
############################################################
############## create the client-ca.pem file ###############
############################################################
echo "Updating client-ca.pem"
echo ""
cat client-cert.pem client-ecc-cert.pem > client-ca.pem
echo "End of section"
echo "---------------------------------------------------------------------"
############################################################
###### update the self-signed ecc-privOnlyCert.pem #########
############################################################
echo "Updating ecc-privOnlyCert.pem"
echo ""
#pipe the following arguments to openssl req...
echo -e ".\\n.\\n.\\nWR\\n.\\nDE\\n.\\n.\\n.\\n" | openssl req -new -key ecc-privOnlyKey.pem -config ./wolfssl.cnf -nodes -out ecc-privOnly.csr
check_result $? "Step 1"
openssl x509 -req -in ecc-privOnly.csr -days 1000 -signkey ecc-privOnlyKey.pem -out ecc-privOnlyCert.pem
check_result $? "Step 2"
rm ecc-privOnly.csr
echo "End of section"
echo "---------------------------------------------------------------------"
############################################################
###### update the self-signed test/digsigku.pem ##########
############################################################
echo "Updating test/digsigku.pem"
echo ""
#pipe the following arguments to openssl req...
echo -e "US\\nWashington\\nSeattle\\nFoofarah\\nArglebargle\\nfoobarbaz\\ninfo@worlss.com\\n.\\n.\\n" | openssl req -new -key ecc-key.pem -config ./wolfssl.cnf -nodes -sha1 -out digsigku.csr
check_result $? "Step 1"
openssl x509 -req -in digsigku.csr -days 1000 -extfile wolfssl.cnf -extensions digsigku -signkey ecc-key.pem -sha1 -set_serial 16393466893990650224 -out digsigku.pem
check_result $? "Step 2"
rm digsigku.csr
openssl x509 -in digsigku.pem -text > tmp.pem
check_result $? "Step 3"
mv tmp.pem digsigku.pem
mv digsigku.pem test/digsigku.pem
echo "End of section"
echo "---------------------------------------------------------------------"
###########################################################
#### update and sign entity-no-ca-bool-cert.pem ###########
###########################################################
echo "Updating entity-no-ca-bool-cert.pem"
echo ""
#pipe the following arguments to openssl req...
echo -e "US\\nMontana\\nBozeman\\nwolfSSL\\nNoCaBool\\nwww.wolfssl.com\\ninfo@wolfssl.com\\n.\\n.\\n" | openssl req -new -key entity-no-ca-bool-key.pem -config ./wolfssl.cnf -nodes > entity-no-ca-bool-req.pem
check_result $? "Step 1"
openssl x509 -req -in entity-no-ca-bool-req.pem -extfile ./wolfssl.cnf -extensions "entity_no_CA_BOOL" -days 1000 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 > entity-no-ca-bool-cert.pem
check_result $? "Step 2"
rm entity-no-ca-bool-req.pem
openssl x509 -in ca-cert.pem -text > ca_tmp.pem
check_result $? "Step 3"
openssl x509 -in entity-no-ca-bool-cert.pem -text > entity_tmp.pem
check_result $? "Step 4"
mv entity_tmp.pem entity-no-ca-bool-cert.pem
cat ca_tmp.pem >> entity-no-ca-bool-cert.pem
rm ca_tmp.pem
echo "End of section"
############################################################
########## make .der files from .pem files #################
############################################################
echo "Creating der formatted certs..."
echo ""
openssl x509 -inform PEM -in ./1024/client-cert.pem -outform DER -out ./1024/client-cert.der
check_result $? "Der Cert 1"
openssl x509 -inform PEM -in ./1024/server-cert.pem -outform DER -out ./1024/server-cert.der
check_result $? "Der Cert 2"
openssl x509 -inform PEM -in ./1024/ca-cert.pem -outform DER -out ./1024/ca-cert.der
check_result $? "Der Cert 3"
openssl x509 -inform PEM -in ca-cert.pem -outform DER -out ca-cert.der
check_result $? "Der Cert 4"
openssl x509 -inform PEM -in ca-ecc-cert.pem -outform DER -out ca-ecc-cert.der
check_result $? "Der Cert 5"
openssl x509 -inform PEM -in ca-ecc384-cert.pem -outform DER -out ca-ecc384-cert.der
check_result $? "Der Cert 6"
openssl x509 -inform PEM -in client-cert.pem -outform DER -out client-cert.der
check_result $? "Der Cert 7"
openssl x509 -inform PEM -in server-cert.pem -outform DER -out server-cert.der
check_result $? "Der Cert 8"
openssl x509 -inform PEM -in client-ecc-cert.pem -outform DER -out client-ecc-cert.der
check_result $? "Der Cert 9"
openssl x509 -inform PEM -in server-ecc-rsa.pem -outform DER -out server-ecc-rsa.der
check_result $? "Der Cert 10"
openssl x509 -inform PEM -in server-ecc.pem -outform DER -out server-ecc.der
check_result $? "Der Cert 11"
openssl x509 -inform PEM -in server-ecc-comp.pem -outform DER -out server-ecc-comp.der
check_result $? "Der Cert 12"
cat server-cert.der ca-cert.der >server-cert-chain.der
check_result $? "Der Cert 13"
echo "End of section"
echo "---------------------------------------------------------------------"
############################################################
########## generate RSA-PSS certificates ###################
############################################################
echo "Renewing RSA-PSS certificates"
cd rsapss
./renew-rsapss-certs.sh
cd ..
echo "End of section"
echo "---------------------------------------------------------------------"
############################################################
########## generate Ed25519 certificates ###################
############################################################
echo "Renewing Ed25519 certificates"
cd ed25519
./gen-ed25519-certs.sh
cd ..
echo "End of section"
echo "---------------------------------------------------------------------"
############################################################
########## generate Ed448 certificates #####################
############################################################
echo "Renewing Ed448 certificates"
cd ed448
./gen-ed448-certs.sh
cd ..
echo "End of section"
echo "---------------------------------------------------------------------"
############################################################
########## generate P-521 certificates #####################
############################################################
echo "Renewing Ed448 certificates"
cd p521
./gen-p521-certs.sh
cd ..
echo "End of section"
echo "---------------------------------------------------------------------"
############################################################
###### update the ecc-rsa-server.p12 file ##################
############################################################
echo "Updating ecc-rsa-server.p12 (password is \"\")"
echo ""
echo "" | openssl pkcs12 -des3 -descert -export -in server-ecc-rsa.pem -inkey ecc-key.pem -certfile server-ecc.pem -out ecc-rsa-server.p12 -password stdin
check_result $? "Step 1"
echo "End of section"
echo "---------------------------------------------------------------------"
############################################################
###### update the test-servercert.p12 file #################
############################################################
echo "Updating test-servercert.p12 (password is \"wolfSSL test\")"
echo ""
echo "wolfSSL test" | openssl pkcs12 -des3 -descert -export -in server-cert.pem -inkey server-key.pem -certfile ca-cert.pem -out test-servercert.p12 -password stdin
check_result $? "Step 1"
echo "End of section"
echo "---------------------------------------------------------------------"
############################################################
###### update the test-servercert-rc2.p12 file #############
############################################################
echo "Updating test-servercert-rc2.p12 (password is \"wolfSSL test\")"
echo ""
echo "wolfSSL test" | openssl pkcs12 -export -in server-cert.pem -inkey server-key.pem -certfile ca-cert.pem -out test-servercert-rc2.p12 -password stdin
check_result $? "Step 1"
echo "End of section"
echo "---------------------------------------------------------------------"
############################################################
###### calling gen-ext-certs.sh ##################
############################################################
echo "Calling gen-ext-certs.sh"
echo ""
cd .. || exit 1
./certs/test/gen-ext-certs.sh
check_result $? "gen-ext-certs.sh"
cd ./certs || { echo "Couldn't cd to certs directory"; exit 1; }
echo "End of section"
echo "---------------------------------------------------------------------"
############################################################
###### calling gen-badsig.sh ##################
############################################################
echo "Calling gen-badsig.sh"
echo ""
cd ./test || { echo "Failed to switch to dir ./test"; exit 1; }
./gen-badsig.sh
check_result $? "gen-badsig.sh"
cd ../ || exit 1
echo "End of section"
echo "---------------------------------------------------------------------"
############################################################
###### calling gen-testcerts.sh ##################
############################################################
echo "Calling gen-testcerts.sh"
echo ""
cd ./test || { echo "Failed to switch to dir ./test"; exit 1; }
./gen-testcerts.sh
check_result $? "gen-testcerts.sh"
cd ../ || exit 1
echo "End of section"
echo "---------------------------------------------------------------------"
############################################################
###### generate cms bundles in test directory ##############
############################################################
echo "Generating CMS bundle"
echo ""
cd ./test || { echo "Failed to switch to dir ./test"; exit 1; }
echo "test" | openssl cms -encrypt -binary -keyid -out ktri-keyid-cms.msg -outform der -recip ../client-cert.pem -nocerts
check_result $? "generate ktri-keyid-cms.msg"
cd ../ || exit 1
echo "End of section"
echo "---------------------------------------------------------------------"
############################################################
########## generate ocsp certs ######################
############################################################
echo "Changing directory to ocsp..."
echo ""
# guard against recursive calls to renewcerts.sh
if [ -d ocsp ]; then
cd ./ocsp || { echo "Failed to switch to dir ./ocsp"; exit 1; }
echo "Execute ocsp/renewcerts.sh..."
./renewcerts.sh
check_result $? "renewcerts.sh"
cd ../ || exit 1
else
echo "Error could not find ocsp directory"
exit 1
fi
echo "End of section"
echo "---------------------------------------------------------------------"
############################################################
###### calling assemble-chains.sh ##################
############################################################
echo "Calling assemble-chains.sh"
echo ""
cd ./test-pathlen || { echo "Failed to switch to dir ./test-pathlen";
exit 1; }
./assemble-chains.sh
check_result $? "assemble-chains.sh"
cd ../ || exit 1
echo "End of section"
echo "---------------------------------------------------------------------"
############################################################
########## store DER files as buffers ######################
############################################################
echo "Changing directory to wolfssl root..."
echo ""
cd ../ || exit 1
echo "Execute ./gencertbuf.pl..."
echo ""
./gencertbuf.pl
check_result $? "gencertbuf.pl"
echo "End of section"
echo "---------------------------------------------------------------------"
############################################################
########## generate the new crls ###########################
############################################################
echo "Change directory to wolfssl/certs"
echo ""
cd ./certs || { echo "Failed to switch to dir ./certs"; exit 1; }
echo "We are back in the certs directory"
echo ""
echo "Updating the crls..."
echo ""
cd ./crl || { echo "Failed to switch to dir ./crl"; exit 1; }
echo "changed directory: cd/crl"
echo ""
./gencrls.sh
check_result $? "gencrls.sh"
echo "ran ./gencrls.sh"
echo ""
############################################################
########## generate PKCS7 bundles ##########################
############################################################
echo "Changing directory to wolfssl certs..."
echo ""
cd ../ || exit 1
echo "Creating test-degenerate.p7b..."
echo ""
openssl crl2pkcs7 -nocrl -certfile ./client-cert.pem -out test-degenerate.p7b -outform DER
check_result $? ""
echo "End of section"
echo "---------------------------------------------------------------------"
#cleanup the file system now that we're done
echo "Performing final steps, cleaning up the file system..."
echo ""
rm ../wolfssl.cnf
echo "End of Updates. Everything was successfully updated!"
echo "---------------------------------------------------------------------"
}
###############################################################################
##################### THE EXECUTABLE BODY #####################################
###############################################################################
#start in root.
cd ../ || exit 1
#if there was an argument given, check it for validity or print out error
if [ ! -z "$1" ]; then
#valid argument print out other valid arguments
if [ "$1" == "-h" ] || [ "$1" == "-help" ]; then
echo ""
echo "\"no argument\" will attempt to update all certificates"
echo "-h or -help display this menu"
echo ""
echo ""
#else the argument was invalid, tell user to use -h or -help
else
echo ""
echo "That is not a valid option."
echo ""
echo "use -h or -help for a list of available options."
echo ""
fi
else
echo "Saving the configure state"
echo ""
cp config.status tmp.status || exit 1
cp wolfssl/options.h tmp.options.h || exit 1
echo "Running make clean"
echo ""
make clean
check_result $? "make clean"
run_renewcerts
cd ../ || exit 1
rm ./certs/wolfssl.cnf
# restore previous configure state
restore_config
check_result $? "restoring old configuration"
fi #END already defined
exit 0
Reference in New Issue View Git Blame Copy Permalink