#!/usr/bin/env bash
# renewcerts.sh
#
# renews the following certs:
#                       client-cert.pem
#                       client-cert.der
#                       client-ecc-cert.pem
#                       client-ecc-cert.der
#                       ca-cert.pem
#                       ca-cert.der
#                       ca-ecc-cert.pem
#                       ca-ecc-cert.der
#                       ca-ecc384-cert.pem
#                       ca-ecc384-cert.der
#                       server-cert.pem
#                       server-cert.der
#                       server-cert-chain.der
#                       server-ecc-rsa.pem
#                       server-ecc.pem
#                       1024/client-cert.der
#                       1024/client-cert.pem
#                       server-ecc-comp.pem
#                       client-ca.pem
#                       client-ca-cert.der
#                       client-ca-cert.pem
#                       client-ecc-ca-cert.der
#                       client-ecc-ca-cert.pem
#                       test/digsigku.pem
#                       ecc-privOnlyCert.pem
#                       client-uri-cert.pem
#                       client-absolute-urn.pem
#                       client-relative-uri.pem
#                       client-crl-dist.pem
#                       entity-no-ca-bool-cert.pem
#                       fpki-cert.der
#                       fpki-certpol-cert.der
#                       rid-cert.der
#                       aia/ca-issuers-cert.pem
#                       aia/multi-aia-cert.pem
#                       aia/overflow-aia-cert.pem
# updates the following crls:
#                       crl/cliCrl.pem
#                       crl/crl.pem
#                       crl/crl.revoked
#                       crl/crl_reason.pem
#                       crl/eccCliCRL.pem
#                       crl/eccSrvCRL.pem
#
#                       pkcs7:
#                       test-degenerate.p7b
###############################################################################
######################## FUNCTIONS SECTION ####################################
###############################################################################

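# Report the outcome of one generation step and abort the script on failure.
#
# Arguments: $1 - exit status of the command that just ran (normally $?)
#            $2 - label used in the success / failure message
# Outputs:   "<label> Succeeded!" or "Failed at "<label>", Abort" on stdout
# Returns:   0 when $1 is numerically zero; otherwise exits with status 1
#
# The check fails closed: success is reported only when $1 compares equal
# to 0. With the unquoted `[ $1 -ne 0 ]` form, an empty or non-numeric
# status makes the test itself error out, and the else branch then reports
# success, so generation would carry on after a step whose status was lost.
check_result(){
    local status="${1-}"
    local step="${2-}"

    # 2>/dev/null: a malformed status makes `[` print a diagnostic and
    # return 2; that case is handled by the failure branch below.
    if [ "$status" -eq 0 ] 2>/dev/null; then
        echo "$step Succeeded!"
    else
        echo "Failed at \"$step\", Abort"
        exit 1
    fi
}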

#the function that will be called when we are ready to renew the certs.
run_renewcerts(){

    #call update for some ecc certs
    ./certs/ecc/genecc.sh
    check_result $? "Step 0"

    cd certs/ || { echo "Couldn't cd to certs directory"; exit 1; }
    echo ""

    #move the custom cnf into our working directory
    cp renewcerts/wolfssl.cnf wolfssl.cnf || exit 1

    # To generate these all in sha1 add the flag "-sha1" on appropriate lines
    # That is all lines beginning with:  "openssl req"

    ############################################################
    #### update the self-signed (2048-bit) client-uri-cert.pem #
    ############################################################
    echo "Updating 2048-bit client-uri-cert.pem"
    echo ""
    #pipe the following arguments to openssl req...
    echo -e "US\\nMontana\\nBozeman\\nwolfSSL_2048\\nURI\\nwww.wolfssl.com\\ninfo@wolfssl.com\\n.\\n.\\n" | openssl req -new -key client-key.pem -config ./wolfssl.cnf -nodes -out client-cert.csr
    check_result $? "Step 1"

    openssl x509 -req -in client-cert.csr -days 1000 -extfile wolfssl.cnf -extensions uri -signkey client-key.pem -out client-uri-cert.pem
    check_result $? "Step 2"
    rm client-cert.csr

    openssl x509 -in client-uri-cert.pem -text > tmp.pem
    check_result $? "Step 3"
    mv tmp.pem client-uri-cert.pem
    echo "End of section"
    echo "---------------------------------------------------------------------"

    ############################################################
    # Public Versions of client-key.pem
    ############################################################
    openssl rsa -inform pem -in client-key.pem -outform der -out client-keyPub.der -pubout
    openssl rsa -inform pem -in client-key.pem -outform pem -out client-keyPub.pem -pubout

    ############################################################
    # Public Versions of server-key.pem
    ############################################################
    #openssl rsa -inform pem -in server-key.pem -outform der -out server-keyPub.der -pubout
    openssl rsa -inform pem -in server-key.pem -outform pem -out server-keyPub.pem -pubout

    ############################################################
    # Public Versions of ecc-key.pem
    ############################################################
    #openssl ec -inform pem -in ecc-key.pem -outform der -out ecc-keyPub.der -pubout
    openssl ec -inform pem -in ecc-key.pem -outform pem -out ecc-keyPub.pem -pubout

    ############################################################
    #### update the self-signed (2048-bit) client-absolute-urn.pem
    ############################################################
    echo "Updating 2048-bit client-absolute-urn.pem"
    echo ""
    #pipe the following arguments to openssl req...
    echo -e "US\\nMontana\\nBozeman\\nwolfSSL_2048\\nABSOLUTE_URN\\nwww.wolfssl.com\\ninfo@wolfssl.com\\n.\\n.\\n" | openssl req -new -key client-key.pem -config ./wolfssl.cnf -nodes -out client-cert.csr
    check_result $? "Step 1"


    openssl x509 -req -in client-cert.csr -days 1000 -extfile wolfssl.cnf -extensions absolute_urn -signkey client-key.pem -out client-absolute-urn.pem
    check_result $? "Step 2"
    rm client-cert.csr

    openssl x509 -in client-absolute-urn.pem -text > tmp.pem
    check_result $? "Step 3"
    mv tmp.pem client-absolute-urn.pem
    echo "End of section"
    echo "---------------------------------------------------------------------"

    ############################################################
    #### update the self-signed (2048-bit) client-relative-uri.pem
    ############################################################
    echo "Updating 2048-bit client-relative-uri.pem"
    echo ""
    #pipe the following arguments to openssl req...
    echo -e "US\\nMontana\\nBozeman\\nwolfSSL_2048\\nRELATIVE_URI\\nwww.wolfssl.com\\ninfo@wolfssl.com\\n.\\n.\\n" | openssl req -new -key client-key.pem -config ./wolfssl.cnf -nodes -out client-cert.csr
    check_result $? "Step 1"


    openssl x509 -req -in client-cert.csr -days 1000 -extfile wolfssl.cnf -extensions relative_uri -signkey client-key.pem -out client-relative-uri.pem
    check_result $? "Step 2"
    rm client-cert.csr

    openssl x509 -in client-relative-uri.pem -text > tmp.pem
    check_result $? "Step 3"
    mv tmp.pem client-relative-uri.pem
    echo "End of section"
    echo "---------------------------------------------------------------------"
    ############################################################
    #### update the self-signed (2048-bit) client-cert-ext.pem
    ############################################################
    echo "Updating 2048-bit client-cert-ext.pem"
    echo ""
    #pipe the following arguments to openssl req...
    echo -e "US\\nMontana\\nBozeman\\nwolfSSL_2048\\nProgramming-2048\\nwww.wolfssl.com\\ninfo@wolfssl.com\\n.\\n.\\n" | openssl req -new -key client-key.pem -config ./wolfssl.cnf -nodes -out client-cert.csr
    check_result $? "Step 1"


    openssl x509 -req -in client-cert.csr -days 1000 -extfile wolfssl.cnf -extensions client_cert_ext -signkey client-key.pem -out client-cert-ext.pem
    check_result $? "Step 2"
    rm client-cert.csr

    openssl x509 -in client-cert-ext.pem -outform DER -out client-cert-ext.der
    check_result $? "Step 3"
    openssl x509 -in client-cert-ext.pem -text > tmp.pem
    check_result $? "Step 4"
    mv tmp.pem client-cert-ext.pem
    echo "End of section"
    echo "---------------------------------------------------------------------"
    ############################################################
    #### update the self-signed (2048-bit) client-crl-dist.pem
    ############################################################
    echo "Updating 2048-bit client-crl-dist.pem"
    echo ""
    #pipe the following arguments to openssl req...
    echo -e "US\\nMontana\\nBozeman\\nwolfSSL_2048\\nCRL_DIST\\nwww.wolfssl.com\\ninfo@wolfssl.com\\n.\\n.\\n" | openssl req -new -key client-key.pem -config ./wolfssl.cnf -nodes -out client-cert.csr
    check_result $? "Step 1"


    openssl x509 -req -in client-cert.csr -days 1000 -extfile wolfssl.cnf -extensions crl_dist_points -signkey client-key.pem -out client-crl-dist.pem
    check_result $? "Step 2"
    rm client-cert.csr

    openssl x509 -in client-crl-dist.pem -text > tmp.pem
    check_result $? "Step 3"
    mv tmp.pem client-crl-dist.pem

    openssl x509 -in client-crl-dist.pem -outform der -out client-crl-dist.der
    echo "End of section"
    echo "---------------------------------------------------------------------"
    ############################################################
    #### update the self-signed (2048-bit) client-cert.pem #####
    ############################################################
    echo "Updating 2048-bit client-cert.pem"
    echo ""
    #pipe the following arguments to openssl req...
    echo -e "US\\nMontana\\nBozeman\\nwolfSSL_2048\\nProgramming-2048\\nwww.wolfssl.com\\ninfo@wolfssl.com\\n.\\n.\\n" | openssl req -new -key client-key.pem -config ./wolfssl.cnf -nodes -out client-cert.csr
    check_result $? "Step 1"


    openssl x509 -req -in client-cert.csr -days 1000 -extfile wolfssl.cnf -extensions wolfssl_opts -signkey client-key.pem -out client-cert.pem
    check_result $? "Step 2"
    rm client-cert.csr

    openssl x509 -in client-cert.pem -text > tmp.pem
    check_result $? "Step 3"
    mv tmp.pem client-cert.pem
    echo "End of section"
    echo "---------------------------------------------------------------------"

    ############################################################
    #### update the self-signed (1024-bit) client-cert.pem #####
    ############################################################
    echo "Updating 1024-bit client-cert.pem"
    echo ""
    #pipe the following arguments to openssl req...
    echo -e "US\\nMontana\\nBozeman\\nwolfSSL_1024\\nProgramming-1024\\nwww.wolfssl.com\\ninfo@wolfssl.com\\n.\\n.\\n" | openssl req -new -key ./1024/client-key.pem -config ./wolfssl.cnf -nodes -out ./1024/client-cert.csr
    check_result $? "Step 1"


    openssl x509 -req -in ./1024/client-cert.csr -days 1000 -extfile wolfssl.cnf -extensions wolfssl_opts -signkey ./1024/client-key.pem -out ./1024/client-cert.pem
    check_result $? "Step 2"
    rm ./1024/client-cert.csr

    openssl x509 -in ./1024/client-cert.pem -text > ./1024/tmp.pem
    check_result $? "Step 3"
    mv ./1024/tmp.pem ./1024/client-cert.pem
    echo "End of section"
    echo "---------------------------------------------------------------------"
    ############################################################
    #### update the self-signed (3072-bit) client-cert.pem #####
    ############################################################
    echo "Updating 3072-bit client-cert.pem"
    echo ""
    #pipe the following arguments to openssl req...
    echo -e "US\\nMontana\\nBozeman\\nwolfSSL_3072\\nProgramming-3072\\nwww.wolfssl.com\\ninfo@wolfssl.com\\n.\\n.\\n" | openssl req -new -key ./3072/client-key.pem -config ./wolfssl.cnf -nodes -out ./3072/client-cert.csr
    check_result $? "Step 1"

    openssl x509 -req -in ./3072/client-cert.csr -days 1000 -extfile wolfssl.cnf -extensions wolfssl_opts -signkey ./3072/client-key.pem -out ./3072/client-cert.pem
    check_result $? "Step 2"
    rm ./3072/client-cert.csr

    openssl x509 -in ./3072/client-cert.pem -text > ./3072/tmp.pem
    check_result $? "Step 3"
    mv ./3072/tmp.pem ./3072/client-cert.pem

    openssl rsa -in ./3072/client-key.pem -outform der -out ./3072/client-key.der
    openssl rsa -inform pem -in ./3072/client-key.pem -outform der -out ./3072/client-keyPub.der -pubout
    openssl x509 -in ./3072/client-cert.pem -outform der -out ./3072/client-cert.der

    echo "End of section"
    echo "---------------------------------------------------------------------"

    ############################################################
    #### update the self-signed (4096-bit) client-cert.pem #####
    ############################################################
    echo "Updating 4096-bit client-cert.pem"
    echo ""
    #pipe the following arguments to openssl req...
    echo -e "US\\nMontana\\nBozeman\\nwolfSSL_4096\\nProgramming-4096\\nwww.wolfssl.com\\ninfo@wolfssl.com\\n.\\n.\\n" | openssl req -new -key ./4096/client-key.pem -config ./wolfssl.cnf -nodes -out ./4096/client-cert.csr
    check_result $? "Step 1"

    openssl x509 -req -in ./4096/client-cert.csr -days 1000 -extfile wolfssl.cnf -extensions wolfssl_opts -signkey ./4096/client-key.pem -out ./4096/client-cert.pem
    check_result $? "Step 2"
    rm ./4096/client-cert.csr

    openssl x509 -in ./4096/client-cert.pem -text > ./4096/tmp.pem
    check_result $? "Step 3"
    mv ./4096/tmp.pem ./4096/client-cert.pem

    openssl rsa -in ./4096/client-key.pem -outform der -out ./4096/client-key.der
    openssl rsa -inform pem -in ./4096/client-key.pem -outform der -out ./4096/client-keyPub.der -pubout
    openssl x509 -in ./4096/client-cert.pem -outform der -out ./4096/client-cert.der
    echo "End of section"
    echo "---------------------------------------------------------------------"

    ############################################################
    ########## update the self-signed ca-cert.pem ##############
    ############################################################
    echo "Updating ca-cert.pem"
    echo ""
    #pipe the following arguments to openssl req...
    echo -e  "US\\nMontana\\nBozeman\\nSawtooth\\nConsulting\\nwww.wolfssl.com\\ninfo@wolfssl.com\\n.\\n.\\n" | openssl req -new -key ca-key.pem -config ./wolfssl.cnf -nodes -out ca-cert.csr
    check_result $? "Step 1"

    openssl x509 -req -in ca-cert.csr -days 1000 -extfile wolfssl.cnf -extensions wolfssl_opts -signkey ca-key.pem -out ca-cert.pem
    check_result $? "Step 2"
    rm ca-cert.csr

    openssl x509 -in ca-cert.pem -text > tmp.pem
    check_result $? "Step 3"
    mv tmp.pem ca-cert.pem
    echo "End of section"
    echo "---------------------------------------------------------------------"
    ############################################################
    ########## update AIA test certs ###########################
    ############################################################
    echo "Updating AIA test certs"
    echo ""
    mkdir -p aia

    echo "Updating aia/ca-issuers-cert.pem"
    echo ""
    openssl req -new -newkey rsa:2048 -nodes -keyout aia/ca-issuers-key.pem -subj "/CN=wolfssl-aia-test" -out aia/ca-issuers-cert.csr
    check_result $? "Step AIA-1"

    openssl x509 -req -in aia/ca-issuers-cert.csr -days 365 -extfile wolfssl.cnf -extensions aia_ca_issuers -signkey aia/ca-issuers-key.pem -out aia/ca-issuers-cert.pem
    check_result $? "Step AIA-2"
    rm aia/ca-issuers-cert.csr

    openssl x509 -in aia/ca-issuers-cert.pem -text > tmp.pem
    check_result $? "Step AIA-3"
    mv tmp.pem aia/ca-issuers-cert.pem
    rm aia/ca-issuers-key.pem
    echo "End of section"
    echo "---------------------------------------------------------------------"

    echo "Updating aia/multi-aia-cert.pem"
    echo ""
    openssl req -new -newkey rsa:2048 -nodes -keyout aia/multi-aia-key.pem -subj "/CN=wolfssl-aia-multi-test" -out aia/multi-aia-cert.csr
    check_result $? "Step AIA-4"

    openssl x509 -req -in aia/multi-aia-cert.csr -days 365 -extfile wolfssl.cnf -extensions aia_multi -signkey aia/multi-aia-key.pem -out aia/multi-aia-cert.pem
    check_result $? "Step AIA-5"
    rm aia/multi-aia-cert.csr

    openssl x509 -in aia/multi-aia-cert.pem -text > tmp.pem
    check_result $? "Step AIA-6"
    mv tmp.pem aia/multi-aia-cert.pem
    rm aia/multi-aia-key.pem
    echo "End of section"
    echo "---------------------------------------------------------------------"

    echo "Updating aia/overflow-aia-cert.pem"
    echo ""
    openssl req -new -newkey rsa:2048 -nodes -keyout aia/overflow-aia-key.pem -subj "/CN=wolfssl-aia-overflow-test" -out aia/overflow-aia-cert.csr
    check_result $? "Step AIA-7"

    openssl x509 -req -in aia/overflow-aia-cert.csr -days 365 -extfile wolfssl.cnf -extensions aia_overflow -signkey aia/overflow-aia-key.pem -out aia/overflow-aia-cert.pem
    check_result $? "Step AIA-8"
    rm aia/overflow-aia-cert.csr

    openssl x509 -in aia/overflow-aia-cert.pem -text > tmp.pem
    check_result $? "Step AIA-9"
    mv tmp.pem aia/overflow-aia-cert.pem
    rm aia/overflow-aia-key.pem
    echo "End of section"
    echo "---------------------------------------------------------------------"
    ############################################################
    ########## update the self-signed ca-cert-chain.der ########
    ############################################################
    echo "Updating ca-cert-chain.der"
    echo ""
    #pipe the following arguments to openssl req...
    echo -e  "US\\nMontana\\nBozeman\\nSawtooth\\nConsulting\\nwww.wolfssl.com\\ninfo@wolfssl.com\\n.\\n.\\n" | openssl req -new -key 1024/ca-key.pem -config ./wolfssl.cnf -nodes -out ca-cert.csr
    check_result $? "Step 1"

    openssl x509 -req -in ca-cert.csr -days 1000 -extfile wolfssl.cnf -extensions wolfssl_opts -signkey 1024/ca-key.pem -outform DER -out ca-cert-chain.der
    check_result $? "Step 2"
    rm ca-cert.csr
    echo "End of section"
    echo "---------------------------------------------------------------------"
    ############################################################
    ########## update the self-signed ca-ecc-cert.pem ##########
    ############################################################
    echo "Updating ca-ecc-cert.pem"
    echo ""
    #pipe the following arguments to openssl req...
    echo -e  "US\\nWashington\\nSeattle\\nwolfSSL\\nDevelopment\\nwww.wolfssl.com\\ninfo@wolfssl.com\\n.\\n.\\n" | openssl req -new -key ca-ecc-key.pem -config ./wolfssl.cnf -nodes -out ca-ecc-cert.csr
    check_result $? "Step 1"

    openssl x509 -req -in ca-ecc-cert.csr -days 1000 -extfile wolfssl.cnf -extensions ca_ecc_cert -signkey ca-ecc-key.pem -out ca-ecc-cert.pem
    check_result $? "Step 2"
    rm ca-ecc-cert.csr

    openssl x509 -in ca-ecc-cert.pem -text > tmp.pem
    check_result $? "Step 3"
    mv tmp.pem ca-ecc-cert.pem
    echo "End of section"
    echo "---------------------------------------------------------------------"
    ############################################################
    ########## update the self-signed ca-ecc384-cert.pem #######
    ############################################################
    echo "Updating ca-ecc384-cert.pem"
    echo ""
    #pipe the following arguments to openssl req...
    echo -e  "US\\nWashington\\nSeattle\\nwolfSSL\\nDevelopment\\nwww.wolfssl.com\\ninfo@wolfssl.com\\n.\\n.\\n" | openssl req -new -key ca-ecc384-key.pem -config ./wolfssl.cnf -nodes -sha384 -out ca-ecc384-cert.csr
    check_result $? "Step 1"

    openssl x509 -req -in ca-ecc384-cert.csr -days 1000 -extfile wolfssl.cnf -extensions ca_ecc_cert -signkey ca-ecc384-key.pem -sha384 -out ca-ecc384-cert.pem
    check_result $? "Step 2"
    rm ca-ecc384-cert.csr

    openssl x509 -in ca-ecc384-cert.pem -text > tmp.pem
    check_result $? "Step 3"
    mv tmp.pem ca-ecc384-cert.pem
    echo "End of section"
    echo "---------------------------------------------------------------------"
    ############################################################
    ##### update the self-signed (1024-bit) ca-cert.pem ########
    ############################################################
    echo "Updating 1024-bit ca-cert.pem"
    echo ""
    #pipe the following arguments to openssl req...
    echo -e  "US\\nMontana\\nBozeman\\nSawtooth\\nConsulting_1024\\nwww.wolfssl.com\\ninfo@wolfssl.com\\n.\\n.\\n" | openssl req -new -key ./1024/ca-key.pem -config ./wolfssl.cnf -nodes -sha1 -out ./1024/ca-cert.csr
    check_result $? "Step 1"

    openssl x509 -req -in ./1024/ca-cert.csr -days 1000 -extfile wolfssl.cnf -extensions wolfssl_opts -signkey ./1024/ca-key.pem -out ./1024/ca-cert.pem
    check_result $? "Step 2"
    rm ./1024/ca-cert.csr

    openssl x509 -in ./1024/ca-cert.pem -text > ./1024/tmp.pem
    check_result $? "Step 3"
    mv ./1024/tmp.pem ./1024/ca-cert.pem
    echo "End of section"
    echo "---------------------------------------------------------------------"
    ###########################################################
    ########## update and sign fpki-cert.der ################
    ###########################################################
    echo "Updating fpki-cert.der"
    echo ""
    #pipe the following arguments to openssl req...
    echo -e "US\\nMontana\\nBozeman\\nwolfSSL\\nFPKI\\nwww.wolfssl.com\\ninfo@wolfssl.com\\n.\\n.\\n" | openssl req -new -key server-key.pem -config ./wolfssl.cnf -nodes > fpki-req.pem
    check_result $? "Step 1"

    openssl x509 -req -in fpki-req.pem -extfile wolfssl.cnf -extensions fpki_ext -days 1000 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 -out fpki-cert.der -outform DER
    check_result $? "Step 2"
    rm fpki-req.pem
    echo "End of section"
    echo "---------------------------------------------------------------------"
    ###########################################################
    ########## update and sign fpki-certpol-cert.der ################
    ###########################################################
    echo "Updating fpki-certpol-cert.der"
    echo ""
    #pipe the following arguments to openssl req...
    echo -e "US\\nMontana\\nBozeman\\nwolfSSL\\nFPKI\\nwww.wolfssl.com\\ninfo@wolfssl.com\\n.\\n.\\n" | openssl req -new -key server-key.pem -config ./wolfssl.cnf -nodes > fpki-certpol-req.pem
    check_result $? "Step 1"

    openssl x509 -req -in fpki-certpol-req.pem -extfile wolfssl.cnf -extensions fpki_ext_certpol -days 1000 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 -out fpki-certpol-cert.der -outform DER
    check_result $? "Step 2"
    rm fpki-certpol-req.pem
    echo "End of section"
    echo "---------------------------------------------------------------------"
    ###########################################################
    ########## update and sign rid-cert.der ################
    ###########################################################
    echo "Updating rid-cert.der"
    echo ""
    #pipe the following arguments to openssl req...
    echo -e "US\\nMontana\\nBozeman\\nwolfSSL\\nRID\\nwww.wolfssl.com\\ninfo@wolfssl.com\\n.\\n.\\n" | openssl req -new -key server-key.pem -config ./wolfssl.cnf -nodes > rid-req.pem
    check_result $? "Step 1"

    openssl x509 -req -in rid-req.pem -extfile wolfssl.cnf -extensions rid_ext -days 1000 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 7 -out rid-cert.der -outform DER
    check_result $? "Step 2"
    rm rid-req.pem
    echo "End of section"
    echo "---------------------------------------------------------------------"
    ###########################################################
    ########## update and sign server-cert.pem ################
    ###########################################################
    echo "Updating server-cert.pem"
    echo ""
    #pipe the following arguments to openssl req...
    echo -e "US\\nMontana\\nBozeman\\nwolfSSL\\nSupport\\nwww.wolfssl.com\\ninfo@wolfssl.com\\n.\\n.\\n" | openssl req -new -key server-key.pem -config ./wolfssl.cnf -nodes > server-req.pem
    check_result $? "Step 1"

    openssl x509 -req -in server-req.pem -extfile wolfssl.cnf -extensions wolfssl_opts -days 1000 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 > server-cert.pem
    check_result $? "Step 2"

    rm server-req.pem

    openssl x509 -in ca-cert.pem -text > ca_tmp.pem
    check_result $? "Step 3"
    openssl x509 -in server-cert.pem -text > srv_tmp.pem
    check_result $? "Step 4"
    mv srv_tmp.pem server-cert.pem
    cat ca_tmp.pem >> server-cert.pem
    rm ca_tmp.pem
    echo "End of section"
    echo "---------------------------------------------------------------------"
    ###########################################################
    ########## update and sign server-revoked-key.pem #########
    ###########################################################
    echo "Updating server-revoked-cert.pem"
    echo ""
    #pipe the following arguments to openssl req...
    echo -e "US\\nMontana\\nBozeman\\nwolfSSL_revoked\\nSupport_revoked\\nwww.wolfssl.com\\ninfo@wolfssl.com\\n.\\n.\\n" | openssl req -new -key server-revoked-key.pem -config ./wolfssl.cnf -nodes > server-revoked-req.pem
    check_result $? "Step 1"

    openssl x509 -req -in server-revoked-req.pem -extfile wolfssl.cnf -extensions wolfssl_opts -days 1000 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 02 > server-revoked-cert.pem
    check_result $? "Step 2"
    rm server-revoked-req.pem

    openssl x509 -in ca-cert.pem -text > ca_tmp.pem
    check_result $? "Step 3"
    openssl x509 -in server-revoked-cert.pem -text > srv_tmp.pem
    check_result $? "Step 4"
    mv srv_tmp.pem server-revoked-cert.pem
    cat ca_tmp.pem >> server-revoked-cert.pem
    rm ca_tmp.pem
    echo "End of section"
    echo "---------------------------------------------------------------------"
    ###########################################################
    ########## update and sign server-duplicate-policy.pem ####
    ###########################################################
    echo "Updating server-duplicate-policy.pem"
    echo ""
    #pipe the following arguments to openssl req...
    echo -e "US\\nMontana\\nBozeman\\nwolfSSL\\ntesting duplicate policy\\nwww.wolfssl.com\\ninfo@wolfssl.com\\n.\\n.\\n" | openssl req -new -key server-key.pem -config ./wolfssl.cnf -nodes > ./test/server-duplicate-policy-req.pem
    check_result $? "Step 1"

    openssl x509 -req -in ./test/server-duplicate-policy-req.pem -extfile wolfssl.cnf -extensions policy_test -days 1000 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 02 > ./test/server-duplicate-policy.pem
    check_result $? "Step 2"
    rm ./test/server-duplicate-policy-req.pem

    openssl x509 -in ca-cert.pem -text > ca_tmp.pem
    check_result $? "Step 3"
    openssl x509 -in ./test/server-duplicate-policy.pem -text > srv_tmp.pem
    check_result $? "Step 4"
    mv srv_tmp.pem ./test/server-duplicate-policy.pem
    cat ca_tmp.pem >> ./test/server-duplicate-policy.pem
    rm ca_tmp.pem
    echo "End of section"
    echo "---------------------------------------------------------------------"
    ###########################################################
    #### update and sign (1024-bit) server-cert.pem ###########
    ###########################################################
    echo "Updating 1024-bit server-cert.pem"
    echo ""
    #pipe the following arguments to openssl req...
    echo -e "US\\nMontana\\nBozeman\\nwolfSSL\\nSupport_1024\\nwww.wolfssl.com\\ninfo@wolfssl.com\\n.\\n.\\n" | openssl req -new -key ./1024/server-key.pem -config ./wolfssl.cnf -nodes -sha1 > ./1024/server-req.pem
    check_result $? "Step 1"

    openssl x509 -req -in ./1024/server-req.pem -extfile wolfssl.cnf -extensions wolfssl_opts -days 1000 -CA ./1024/ca-cert.pem -CAkey ./1024/ca-key.pem -set_serial 01 > ./1024/server-cert.pem
    check_result $? "Step 2"
    rm ./1024/server-req.pem

    openssl x509 -in ./1024/ca-cert.pem -text > ./1024/ca_tmp.pem
    check_result $? "Step 3"
    openssl x509 -in ./1024/server-cert.pem -text > ./1024/srv_tmp.pem
    check_result $? "Step 4"
    mv ./1024/srv_tmp.pem ./1024/server-cert.pem
    cat ./1024/ca_tmp.pem >> ./1024/server-cert.pem
    rm ./1024/ca_tmp.pem
    echo "End of section"
    echo "---------------------------------------------------------------------"
    ############################################################
    ########## update and sign the server-ecc-rsa.pem ##########
    ############################################################
    echo "Updating server-ecc-rsa.pem"
    echo ""
    echo -e "US\\nMontana\\nBozeman\\nElliptic - RSAsig\\nECC-RSAsig\\nwww.wolfssl.com\\ninfo@wolfssl.com\\n.\\n.\\n" | openssl req -new -key ecc-key.pem -config ./wolfssl.cnf -nodes > server-ecc-req.pem
    check_result $? "Step 1"

    openssl x509 -req -in server-ecc-req.pem -extfile wolfssl.cnf -extensions wolfssl_opts -days 1000 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 > server-ecc-rsa.pem
    check_result $? "Step 2"
    rm server-ecc-req.pem

    openssl x509 -in server-ecc-rsa.pem -text > tmp.pem
    check_result $? "Step 3"
    mv tmp.pem server-ecc-rsa.pem
    echo "End of section"
    echo "---------------------------------------------------------------------"
    ############################################################
    ####### update the self-signed client-ecc-cert.pem #########
    ############################################################
    echo "Updating client-ecc-cert.pem"
    echo ""
    #pipe the following arguments to openssl req...
    echo -e "US\\nOregon\\nSalem\\nClient ECC\\nFast\\nwww.wolfssl.com\\ninfo@wolfssl.com\\n.\\n.\\n" | openssl req -new -key ecc-client-key.pem -config ./wolfssl.cnf -nodes -out client-ecc-cert.csr
    check_result $? "Step 1"

    openssl x509 -req -in client-ecc-cert.csr -days 1000 -extfile wolfssl.cnf -extensions wolfssl_opts -signkey ecc-client-key.pem -out client-ecc-cert.pem
    check_result $? "Step 2"
    rm client-ecc-cert.csr

    openssl x509 -in client-ecc-cert.pem -text > tmp.pem
    check_result $? "Step 3"
    mv tmp.pem client-ecc-cert.pem

    # Extract the Subject Key Identifier from the generated certificate
    # for unit test use.
    openssl x509 -in client-ecc-cert.pem -noout -text | grep -A1 'Subject Key Identifier' | tail -n +2 | sed -e 's/[ :]//g' > test/client-ecc-cert-ski.hex
    check_result $? "Step 4"
    echo "End of section"
    echo "---------------------------------------------------------------------"
    ############################################################
    ########## update the server-ecc.pem #######################
    ############################################################
    echo "Updating server-ecc.pem"
    echo ""
    #pipe the following arguments to openssl req...
    echo -e "US\\nWashington\\nSeattle\\nElliptic\\nECC\\nwww.wolfssl.com\\ninfo@wolfssl.com\\n.\\n.\\n" | openssl req -new -key ecc-key.pem -config ./wolfssl.cnf -nodes -out server-ecc.csr
    check_result $? "Step 1"

    openssl x509 -req -in server-ecc.csr -days 1000 -extfile wolfssl.cnf -extensions server_ecc -CA ca-ecc-cert.pem -CAkey ca-ecc-key.pem -set_serial 03 -out server-ecc.pem
    check_result $? "Step 2"
    rm server-ecc.csr

    openssl x509 -in server-ecc.pem -text > tmp.pem
    check_result $? "Step 3"
    mv tmp.pem server-ecc.pem
    echo "End of section"
    echo "---------------------------------------------------------------------"
    ############################################################
    ###### update the self-signed server-ecc-comp.pem ##########
    ############################################################
    echo "Updating server-ecc-comp.pem"
    echo ""
    #pipe the following arguments to openssl req...
    echo -e "US\\nMontana\\nBozeman\\nElliptic - comp\\nServer ECC-comp\\nwww.wolfssl.com\\ninfo@wolfssl.com\\n.\\n.\\n" | openssl req -new -key ecc-key-comp.pem -config ./wolfssl.cnf -nodes -out server-ecc-comp.csr
    check_result $? "Step 1"

    openssl x509 -req -in server-ecc-comp.csr -days 1000 -extfile wolfssl.cnf -extensions wolfssl_opts -signkey ecc-key-comp.pem -out server-ecc-comp.pem
    check_result $? "Step 2"
    rm server-ecc-comp.csr

    openssl x509 -in server-ecc-comp.pem -text > tmp.pem
    check_result $? "Step 3"
    mv tmp.pem server-ecc-comp.pem
    echo "End of section"
    echo "---------------------------------------------------------------------"
    ############################################################
    ############## create the client-ca.pem file ###############
    ############################################################
    echo "Updating client-ca.pem"
    echo ""
    cat client-cert.pem client-ecc-cert.pem > client-ca.pem
    echo "End of section"
    echo "---------------------------------------------------------------------"
    ############################################################
    ###### update the self-signed ecc-privOnlyCert.pem #########
    ############################################################
    echo "Updating ecc-privOnlyCert.pem"
    echo ""
    #pipe the following arguments to openssl req...
    echo -e ".\\n.\\n.\\nWR\\n.\\nDE\\n.\\n.\\n.\\n" | openssl req -new -key ecc-privOnlyKey.pem -config ./wolfssl.cnf -nodes -out ecc-privOnly.csr
    check_result $? "Step 1"

    openssl x509 -req -in ecc-privOnly.csr -days 1000 -signkey ecc-privOnlyKey.pem -out ecc-privOnlyCert.pem
    check_result $? "Step 2"
    rm ecc-privOnly.csr
    echo "End of section"
    echo "---------------------------------------------------------------------"
    ############################################################
    ###### update the self-signed test/digsigku.pem   ##########
    ############################################################
    echo "Updating test/digsigku.pem"
    echo ""
    #pipe the following arguments to openssl req...
    echo -e "US\\nWashington\\nSeattle\\nFoofarah\\nArglebargle\\nfoobarbaz\\ninfo@worlss.com\\n.\\n.\\n" | openssl req -new -key ecc-key.pem -config ./wolfssl.cnf -nodes -sha1 -out digsigku.csr
    check_result $? "Step 1"

    openssl x509 -req -in digsigku.csr -days 1000 -extfile wolfssl.cnf -extensions digsigku -signkey ecc-key.pem -sha1 -set_serial 16393466893990650224 -out digsigku.pem
    check_result $? "Step 2"
    rm digsigku.csr

    openssl x509 -in digsigku.pem -text > tmp.pem
    check_result $? "Step 3"
    mv tmp.pem digsigku.pem
    mv digsigku.pem test/digsigku.pem
    echo "End of section"
    echo "---------------------------------------------------------------------"


    ###########################################################
    #### update and sign entity-no-ca-bool-cert.pem ###########
    ###########################################################
    echo "Updating entity-no-ca-bool-cert.pem"
    echo ""
    #pipe the following arguments to openssl req...
    echo -e "US\\nMontana\\nBozeman\\nwolfSSL\\nNoCaBool\\nwww.wolfssl.com\\ninfo@wolfssl.com\\n.\\n.\\n" | openssl req -new -key entity-no-ca-bool-key.pem -config ./wolfssl.cnf  -nodes > entity-no-ca-bool-req.pem
    check_result $? "Step 1"

    openssl x509 -req -in entity-no-ca-bool-req.pem -extfile ./wolfssl.cnf -extensions "entity_no_CA_BOOL" -days 1000 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 > entity-no-ca-bool-cert.pem
    check_result $? "Step 2"

    rm entity-no-ca-bool-req.pem

    openssl x509 -in ca-cert.pem -text > ca_tmp.pem
    check_result $? "Step 3"
    openssl x509 -in entity-no-ca-bool-cert.pem -text > entity_tmp.pem
    check_result $? "Step 4"
    mv entity_tmp.pem entity-no-ca-bool-cert.pem
    cat ca_tmp.pem >> entity-no-ca-bool-cert.pem
    rm ca_tmp.pem
    echo "End of section"

    ############################################################
    ########## make .der files from .pem files #################
    ############################################################
    echo "Creating der formatted certs..."
    echo ""
    openssl x509 -inform PEM -in ./1024/client-cert.pem -outform DER -out ./1024/client-cert.der
    check_result $? "Der Cert 1"
    openssl x509 -inform PEM -in ./1024/server-cert.pem -outform DER -out ./1024/server-cert.der
    check_result $? "Der Cert 2"
    openssl x509 -inform PEM -in ./1024/ca-cert.pem -outform DER -out ./1024/ca-cert.der
    check_result $? "Der Cert 3"

    openssl x509 -inform PEM -in ca-cert.pem -outform DER -out ca-cert.der
    check_result $? "Der Cert 4"
    openssl x509 -inform PEM -in ca-ecc-cert.pem -outform DER -out ca-ecc-cert.der
    check_result $? "Der Cert 5"
    openssl x509 -inform PEM -in ca-ecc384-cert.pem -outform DER -out ca-ecc384-cert.der
    check_result $? "Der Cert 6"
    openssl x509 -inform PEM -in client-cert.pem -outform DER -out client-cert.der
    check_result $? "Der Cert 7"
    openssl x509 -inform PEM -in server-cert.pem -outform DER -out server-cert.der
    check_result $? "Der Cert 8"
    openssl x509 -inform PEM -in client-ecc-cert.pem -outform DER -out client-ecc-cert.der
    check_result $? "Der Cert 9"
    openssl x509 -inform PEM -in server-ecc-rsa.pem -outform DER -out server-ecc-rsa.der
    check_result $? "Der Cert 10"
    openssl x509 -inform PEM -in server-ecc.pem -outform DER -out server-ecc.der
    check_result $? "Der Cert 11"
    openssl x509 -inform PEM -in server-ecc-comp.pem -outform DER -out server-ecc-comp.der
    check_result $? "Der Cert 12"
    cat server-cert.der ca-cert.der >server-cert-chain.der
    check_result $? "Der Cert 13"
    echo "End of section"
    echo "---------------------------------------------------------------------"

    ############################################################
    ########## generate RSA-PSS certificates ###################
    ############################################################
    echo "Renewing RSA-PSS certificates"
    cd rsapss
    ./renew-rsapss-certs.sh
    cd ..
    echo "End of section"
    echo "---------------------------------------------------------------------"

    ############################################################
    ########## generate Ed25519 certificates ###################
    ############################################################
    echo "Renewing Ed25519 certificates"
    cd ed25519
    ./gen-ed25519-certs.sh
    cd ..
    echo "End of section"
    echo "---------------------------------------------------------------------"

    ############################################################
    ########## generate Ed448 certificates #####################
    ############################################################
    echo "Renewing Ed448 certificates"
    cd ed448
    ./gen-ed448-certs.sh
    cd ..
    echo "End of section"
    echo "---------------------------------------------------------------------"

    ############################################################
    ########## generate P-521 certificates #####################
    ############################################################
    echo "Renewing Ed448 certificates"
    cd p521
    ./gen-p521-certs.sh
    cd ..
    echo "End of section"
    echo "---------------------------------------------------------------------"

    ############################################################
    ########## generate SM2 certificates #######################
    ############################################################
    echo "Renewing SM2 certificates"
    cd sm2
    ./gen-sm2-certs.sh
    cd ..
    echo "End of section"
    echo "---------------------------------------------------------------------"

    ############################################################
    ########## update Raw Public Key certificates ##############
    ############################################################
    echo "Updating  certificates"
    echo "Updating client-cert-rpk.der"
    cp client-keyPub.der ./rpk/client-cert-rpk.der
    check_result $? "Step 1"

    echo "Updating client-ecc-cert-rpk.der"
    cp ecc-client-keyPub.der ./rpk/client-ecc-cert-rpk.der
    check_result $? "Step 2"

    echo "Updating server-cert-rpk.der"
    openssl rsa -inform pem -in server-key.pem -outform der -out ./rpk/server-cert-rpk.der -pubout
    check_result $? "Step 3"

    echo "Updating server-ecc-cert-rpk.der"
    openssl ec -inform pem -in ecc-key.pem -outform der -out ./rpk/server-ecc-cert-rpk.der -pubout
    check_result $? "Step 4"

    echo "End of section"
    echo "---------------------------------------------------------------------"
    ############################################################
    ###### update the ecc-rsa-server.p12 file ##################
    ############################################################
    echo "Updating ecc-rsa-server.p12 (password is \"\")"
    echo ""
    echo "" | openssl pkcs12 -des3 -descert -export -in server-ecc-rsa.pem -inkey ecc-key.pem -certfile server-ecc.pem -out ecc-rsa-server.p12 -password stdin
    check_result $? "Step 1"
    echo "End of section"
    echo "---------------------------------------------------------------------"
    ############################################################
    ###### update the test-servercert.p12 file #################
    ############################################################
    echo "Updating test-servercert.p12 (password is \"wolfSSL test\")"
    echo ""
    echo "wolfSSL test" | openssl pkcs12 -des3 -descert -export -in server-cert.pem -inkey server-key.pem -certfile ca-cert.pem -out test-servercert.p12 -password stdin
    check_result $? "Step 1"
    echo "End of section"
    echo "---------------------------------------------------------------------"
    ############################################################
    ###### update the test-servercert-rc2.p12 file #############
    ############################################################
    echo "Updating test-servercert-rc2.p12 (password is \"wolfSSL test\")"
    echo ""
    echo "wolfSSL test" | openssl pkcs12 -export -in server-cert.pem -inkey server-key.pem -certfile ca-cert.pem -out test-servercert-rc2.p12 -password stdin
    check_result $? "Step 1"
    echo "End of section"
    echo "---------------------------------------------------------------------"
    ############################################################
    ###### calling gen-ext-certs.sh           ##################
    ############################################################
    echo "Calling gen-ext-certs.sh"
    echo ""
    cd .. || exit 1
    ./certs/test/gen-ext-certs.sh
    check_result $? "gen-ext-certs.sh"
    cd ./certs || { echo "Couldn't cd to certs directory"; exit 1; }
    echo "End of section"
    echo "---------------------------------------------------------------------"
    ############################################################
    ###### calling gen-badsig.sh              ##################
    ############################################################
    echo "Calling gen-badsig.sh"
    echo ""
    cd ./test || { echo "Failed to switch to dir ./test"; exit 1; }
    ./gen-badsig.sh
    check_result $? "gen-badsig.sh"
    cd ../ || exit 1
    echo "End of section"
    echo "---------------------------------------------------------------------"
    ############################################################
    ###### calling gen-testcerts.sh           ##################
    ############################################################
    echo "Calling gen-testcerts.sh"
    echo ""
    cd ./test || { echo "Failed to switch to dir ./test"; exit 1; }
    ./gen-testcerts.sh
    check_result $? "gen-testcerts.sh"
    cd ../ || exit 1
    echo "End of section"
    echo "---------------------------------------------------------------------"
    ############################################################
    ###### generate cms bundles in test directory ##############
    ############################################################
    echo "Generating CMS bundle"
    echo ""
    cd ./test || { echo "Failed to switch to dir ./test"; exit 1; }
    echo "test" | openssl cms -encrypt -binary -keyid -out ktri-keyid-cms.msg -outform der -recip ../client-cert.pem -nocerts
    check_result $? "generate ktri-keyid-cms.msg"
    # Generate an EnvelopedData with KARI recipient for testing.
    echo "testkari" | openssl cms -encrypt -binary -keyid -out kari-keyid-cms.msg -outform der -recip ../client-ecc-cert.pem -nocerts
    check_result $? "generate kari-keyid-cms.msg"
    echo "testencrypt" | openssl cms -EncryptedData_encrypt -binary -keyid -aes-128-cbc -secretkey 0123456789ABCDEF0011223344556677 -out encrypteddata.msg -outform der -recip ../client-cert.pem -nocerts
    check_result $? "generate encrypteddata.msg"
    cd ../ || exit 1
    echo "End of section"
    echo "---------------------------------------------------------------------"
    ############################################################
    ########## generate ocsp certs        ######################
    ############################################################
    echo "Changing directory to ocsp..."
    echo ""

    # guard against recursive calls to renewcerts.sh
    if [ -d ocsp ]; then
        cd ./ocsp || { echo "Failed to switch to dir ./ocsp"; exit 1; }
        echo "Execute ocsp/renewcerts.sh..."
        ./renewcerts.sh
        check_result $? "renewcerts.sh"
        cd ../ || exit 1
    else
        echo "Error could not find ocsp directory"
        exit 1
    fi
    echo "End of section"
    echo "---------------------------------------------------------------------"
    ############################################################
    ###### calling assemble-chains.sh         ##################
    ############################################################
    echo "Calling assemble-chains.sh"
    echo ""
    cd ./test-pathlen || { echo "Failed to switch to dir ./test-pathlen";
                           exit 1; }
    ./assemble-chains.sh
    check_result $? "assemble-chains.sh"
    cd ../ || exit 1
    echo "End of section"
    echo "---------------------------------------------------------------------"
    ############################################################
    ########## store DER files as buffers ######################
    ############################################################
    echo "Changing directory to wolfssl root..."
    echo ""
    cd ../ || exit 1
    echo "Execute ./gencertbuf.pl..."
    echo ""
    ./gencertbuf.pl
    check_result $? "gencertbuf.pl"
    echo "End of section"
    echo "---------------------------------------------------------------------"
    ############################################################
    ########## generate the new crls ###########################
    ############################################################

    echo "Change directory to wolfssl/certs"
    echo ""
    cd ./certs || { echo "Failed to switch to dir ./certs"; exit 1; }
    echo "We are back in the certs directory"
    echo ""

    echo "Updating the crls..."
    echo ""
    cd ./crl || { echo "Failed to switch to dir ./crl"; exit 1; }
    echo "changed directory: cd/crl"
    echo ""
    # has dependency on rsapss generation (rsapss should be ran first)
    ./gencrls.sh
    check_result $? "gencrls.sh"
    echo "ran ./gencrls.sh"
    echo ""

    ############################################################
    ########## generate PKCS7 bundles ##########################
    ############################################################
    echo "Changing directory to wolfssl certs..."
    echo ""
    cd ../ || exit 1
    echo "Creating test-degenerate.p7b..."
    echo ""
    openssl crl2pkcs7 -nocrl -certfile ./client-cert.pem -out test-degenerate.p7b -outform DER
    check_result $? ""

    openssl smime -sign -in ./ca-cert.pem -out test-stream-sign.p7b -signer ./ca-cert.pem -nodetach -nocerts -binary -outform DER -stream -inkey ./ca-key.pem
    check_result $? ""

    echo "Creating test-stream-dec.p7b..."
    echo ""
    openssl cms -encrypt -in ca-cert.pem -recip client-cert.pem -out test-stream-dec.p7b -outform DER -stream
    check_result $? ""

    echo "Creating test-multiple-recipients.p7b..."
    echo ""
    openssl smime -encrypt -binary -aes-256-cbc -in ./client-key.pem  -out ./test-multiple-recipients.p7b -outform DER ./client-cert.pem ./server-cert.pem
    check_result $? ""

    echo "End of section"
    echo "---------------------------------------------------------------------"

    ############################################################
    ########## update and sign client-ca-cert.pem ##############
    ############################################################
    echo "Updating client-ca-cert.pem"
    echo ""
    cat > client-ca-ext.cnf <<'EOF'
[ client_ca ]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
basicConstraints=critical, CA:FALSE
keyUsage=critical, digitalSignature, keyEncipherment
extendedKeyUsage=clientAuth
EOF
    check_result $? "Step 1"

    #pipe the following arguments to openssl req...
    echo -e "US\\nMontana\\nBozeman\\nwolfSSL_2048\\nProgramming-2048\\n" \
        "www.wolfssl.com\\ninfo@wolfssl.com\\n.\\n.\\n" | \
        openssl req -new -key client-key.pem -config ./wolfssl.cnf -nodes \
        > client-ca-cert-req.pem
    check_result $? "Step 2"

    openssl x509 -req -in client-ca-cert-req.pem -extfile client-ca-ext.cnf \
        -extensions client_ca -days 1000 -CA ca-cert.pem -CAkey ca-key.pem \
        -set_serial 0x1235 > client-ca-cert.pem
    check_result $? "Step 3"
    rm client-ca-cert-req.pem

    openssl x509 -in client-ca-cert.pem -text > tmp.pem
    check_result $? "Step 4"
    mv tmp.pem client-ca-cert.pem

    openssl x509 -inform PEM -in client-ca-cert.pem -outform DER \
        -out client-ca-cert.der
    check_result $? "Step 5"
    rm client-ca-ext.cnf
    echo "End of section"
    echo "---------------------------------------------------------------------"

    ############################################################
    ####### update and sign client-ecc-ca-cert.pem #############
    ############################################################
    echo "Updating client-ecc-ca-cert.pem"
    echo ""
    #pipe the following arguments to openssl req...
    echo -e "US\\nOregon\\nSalem\\nClient ECC\\nFast\\nwww.wolfssl.com\\n" \
        "info@wolfssl.com\\n.\\n.\\n" | \
        openssl req -new -key ecc-client-key.pem -config ./wolfssl.cnf -nodes \
        > client-ecc-ca-cert-req.pem
    check_result $? "Step 1"

    openssl x509 -req -in client-ecc-ca-cert-req.pem -extfile wolfssl.cnf \
        -extensions client_ecc -days 1000 -CA ca-ecc-cert.pem \
        -CAkey ca-ecc-key.pem -set_serial 0x1234 > client-ecc-ca-cert.pem
    check_result $? "Step 2"
    rm client-ecc-ca-cert-req.pem

    openssl x509 -in client-ecc-ca-cert.pem -text > tmp.pem
    check_result $? "Step 3"
    mv tmp.pem client-ecc-ca-cert.pem

    openssl x509 -inform PEM -in client-ecc-ca-cert.pem -outform DER \
        -out client-ecc-ca-cert.der
    check_result $? "Step 4"
    echo "End of section"
    echo "---------------------------------------------------------------------"

    #cleanup the file system now that we're done
    echo "Performing final steps, cleaning up the file system..."
    echo ""

    rm ../wolfssl.cnf
    echo "End of Updates. Everything was successfully updated!"
    echo "---------------------------------------------------------------------"
}

###############################################################################
##################### THE EXECUTABLE BODY #####################################
###############################################################################

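# Entry point. The script expects to be launched from inside the certs
# directory: step up to the parent, which the rest of this block treats as
# the project root.
cd ../ || { echo "Failed to switch to parent directory"; exit 1; }

# Reject every argument. Counting with $# also catches an empty first
# argument followed by others, which a test on "$1" alone lets through.
if [ "$#" -ne 0 ]; then
    echo "No arguments expected"
    exit 1
fi

# Everything below works on paths relative to the current directory
# (make clean, touch, rm). Confirm certs/ is present before the first
# destructive step, so a launch from the wrong directory stops here instead
# of cleaning an unrelated build tree and only failing afterwards at touch.
if [ ! -d ./certs ]; then
    echo "Error could not find certs directory"
    exit 1
fi

echo "Running make clean"
echo ""
make clean
# check_result is defined earlier in this file; it receives the exit status
# of the previous command and a label for it.
check_result $? "make clean"

# Create certs/.rnd if it is missing and abort when that is not possible.
# NOTE(review): presumably the OpenSSL random seed file referenced by
# wolfssl.cnf - confirm against the config.
touch certs/.rnd || exit 1

run_renewcerts

# The last directory changes in run_renewcerts leave the shell in certs/, so
# step back up before removing the config copy under ./certs.
cd ../ || { echo "Failed to switch to parent directory"; exit 1; }
# Cleanup only: the exit status below does not reflect whether rm succeeded.
rm ./certs/wolfssl.cnf

exit 0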
