WolfSSL
/
wolfssh
mirror of https://github.com/wolfSSL/wolfssh.git
1
0
Fork 0
Code Issues Releases Wiki Activity

Merge pull request #465 from JacobBarthelmeh/Certs 

renew cert script, add check for user name in UPN and host IP in alt. names
pull/472/head
John Safranek 2022-10-21 09:43:58 -07:00 committed by GitHub
parent d45cf49fc3 49256a2e40
commit d8e3288dd6
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
15 changed files with 392 additions and 100 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

111
apps/wolfsshd/auth.c
View File

@ -39,6 +39,10 @@
#include <wolfssl/wolfcrypt/error-crypt.h>
#include <wolfssl/wolfcrypt/coding.h>
#ifdef WOLFSSL_FPKI
#include <wolfssl/wolfcrypt/asn.h>
#endif
#ifdef NO_INLINE
#include <wolfssh/misc.h>
#else
@ -740,29 +744,96 @@ static int RequestAuthentication(WS_UserAuthData* authData,
if (ret == WOLFSSH_USERAUTH_SUCCESS &&
authData->type == WOLFSSH_USERAUTH_PUBLICKEY) {
/* if this is a certificate and no specific authorized keys file has
* been set then rely on CA to have verified the cert */
if (authData->sf.publicKey.isCert &&
!wolfSSHD_ConfigGetAuthKeysFileSet(authCtx->conf)) {
wolfSSH_Log(WS_LOG_INFO,
"[SSHD] Relying on CA for public key check");
ret = WOLFSSH_USERAUTH_SUCCESS;
}
else {
/* if not a certificate then parse through authorized key file */
rc = authCtx->checkPublicKeyCb(usr, &authData->sf.publicKey,
wolfSSHD_ConfigGetUserCAKeysFile(authCtx->conf));
if (rc == WSSHD_AUTH_SUCCESS) {
wolfSSH_Log(WS_LOG_INFO, "[SSHD] Public key ok.");
ret = WOLFSSH_USERAUTH_SUCCESS;
}
else if (rc == WSSHD_AUTH_FAILURE) {
wolfSSH_Log(WS_LOG_INFO, "[SSHD] Public key not authorized.");
#ifdef WOLFSSL_FPKI
/* compare user name to UPN in certificate */
if (authData->sf.publicKey.isCert) {
DecodedCert* dCert;
#ifdef WOLFSSH_SMALL_STACK
dCert = (DecodedCert*)WMALLOC(sizeof(DecodedCert), NULL,
DYNTYPE_CERT);
#else
DecodedCert sdCert;
dCert = &sdCert;
#endif
if (dCert == NULL) {
wolfSSH_Log(WS_LOG_ERROR, "[SSHD] Error creating cert struct");
ret = WOLFSSH_USERAUTH_INVALID_PUBLICKEY;
}
else {
wolfSSH_Log(WS_LOG_ERROR, "[SSHD] Error checking public key.");
ret = WOLFSSH_USERAUTH_FAILURE;
wc_InitDecodedCert(dCert, authData->sf.publicKey.publicKey,
authData->sf.publicKey.publicKeySz, NULL);
if (wc_ParseCert(dCert, CERT_TYPE, NO_VERIFY, NULL) != 0) {
wolfSSH_Log(WS_LOG_ERROR, "[SSHD] Unable to parse peer "
"cert.");
ret = WOLFSSH_USERAUTH_INVALID_PUBLICKEY;
}
else {
int usrMatch = 0;
DNS_entry* current = dCert->altNames;
while (current != NULL) {
if (current->type == ASN_OTHER_TYPE &&
current->oidSum == UPN_OID) {
/* found UPN oid, check name against user */
int idx;
for (idx = 0; idx < current->len; idx++) {
if (current->name[idx] == '@') break;
/* UPN format is <user>@<domain>
* since currently not doing any checks on
* domain it is not treated as an error if only
* the user name is present without the domain
*/
}
if ((int)XSTRLEN(usr) == idx &&
XSTRNCMP(usr, current->name, idx) == 0) {
usrMatch = 1;
}
}
current = current->next;
}
if (usrMatch == 0) {
wolfSSH_Log(WS_LOG_ERROR, "[SSHD] incorrect user cert "
"sent");
ret = WOLFSSH_USERAUTH_INVALID_PUBLICKEY;
}
}
FreeDecodedCert(dCert);
#ifdef WOLFSSH_SMALL_STACK
WFREE(dCert, NULL, DYNTYPE_CERT);
#endif
}
}
#endif
if (ret == WOLFSSH_USERAUTH_SUCCESS) {
/* if this is a certificate and no specific authorized keys file has
* been set then rely on CA to have verified the cert */
if (authData->sf.publicKey.isCert &&
!wolfSSHD_ConfigGetAuthKeysFileSet(authCtx->conf)) {
wolfSSH_Log(WS_LOG_INFO,
"[SSHD] Relying on CA for public key check");
ret = WOLFSSH_USERAUTH_SUCCESS;
}
else {
/* if not a certificate then parse through authorized key file */
rc = authCtx->checkPublicKeyCb(usr, &authData->sf.publicKey,
wolfSSHD_ConfigGetUserCAKeysFile(authCtx->conf));
if (rc == WSSHD_AUTH_SUCCESS) {
wolfSSH_Log(WS_LOG_INFO, "[SSHD] Public key ok.");
ret = WOLFSSH_USERAUTH_SUCCESS;
}
else if (rc == WSSHD_AUTH_FAILURE) {
wolfSSH_Log(WS_LOG_INFO, "[SSHD] Public key not authorized.");
ret = WOLFSSH_USERAUTH_INVALID_PUBLICKEY;
}
else {
wolfSSH_Log(WS_LOG_ERROR, "[SSHD] Error checking public key.");
ret = WOLFSSH_USERAUTH_FAILURE;
}
}
}
}

122
examples/client/client.c
View File

@ -60,6 +60,10 @@
#include <sys/select.h>
#endif
#ifdef WOLFSSH_CERTS
#include <wolfssl/wolfcrypt/asn.h>
#endif
#ifndef NO_WOLFSSH_CLIENT
@ -471,8 +475,72 @@ static int wsUserAuth(byte authType,
}
#if defined(WOLFSSH_AGENT) || defined(WOLFSSH_CERTS)
static inline void ato32(const byte* c, word32* u32)
{
*u32 = (c[0] << 24) | (c[1] << 16) | (c[2] << 8) | c[3];
}
#endif
#if defined(WOLFSSH_CERTS) && \
(defined(OPENSSL_ALL) || defined(WOLFSSL_IP_ALT_NAME))
static int ParseRFC6187(const byte* in, word32 inSz, byte** leafOut,
word32* leafOutSz)
{
int ret = WS_SUCCESS;
word32 l = 0, m = 0;
if (inSz < sizeof(word32)) {
printf("inSz %d too small for holding cert name\n", inSz);
return WS_BUFFER_E;
}
/* Skip the name */
ato32(in, &l);
m += l + sizeof(word32);
/* Get the cert count */
if (ret == WS_SUCCESS) {
word32 count;
if (inSz - m < sizeof(word32))
return WS_BUFFER_E;
ato32(in + m, &count);
m += sizeof(word32);
if (ret == WS_SUCCESS && count == 0)
ret = WS_FATAL_ERROR; /* need at least one cert */
}
if (ret == WS_SUCCESS) {
word32 certSz = 0;
if (inSz - m < sizeof(word32))
return WS_BUFFER_E;
ato32(in + m, &certSz);
m += sizeof(word32);
if (ret == WS_SUCCESS) {
/* store leaf cert size to present to user callback */
*leafOutSz = certSz;
*leafOut = (byte*)in + m;
}
if (inSz - m < certSz)
return WS_BUFFER_E;
}
return ret;
}
#endif /* WOLFSSH_CERTS */
static int wsPublicKeyCheck(const byte* pubKey, word32 pubKeySz, void* ctx)
{
int ret = 0;
#ifdef DEBUG_WOLFSSH
printf("Sample public key check callback\n"
" public key = %p\n"
@ -483,7 +551,49 @@ static int wsPublicKeyCheck(const byte* pubKey, word32 pubKeySz, void* ctx)
(void)pubKeySz;
(void)ctx;
#endif
return 0;
#ifdef WOLFSSH_CERTS
#if defined(OPENSSL_ALL) || defined(WOLFSSL_IP_ALT_NAME)
/* try to parse the certificate and check it's IP address */
if (pubKeySz > 0) {
DecodedCert dCert;
byte* der = NULL;
word32 derSz = 0;
if (ParseRFC6187(pubKey, pubKeySz, &der, &derSz) == WS_SUCCESS) {
wc_InitDecodedCert(&dCert, der, derSz, NULL);
if (wc_ParseCert(&dCert, CERT_TYPE, NO_VERIFY, NULL) != 0) {
printf("public key not a cert\n");
}
else {
int ipMatch = 0;
DNS_entry* current = dCert.altNames;
while (current != NULL) {
if (current->type == ASN_IP_TYPE) {
printf("host cert alt. name IP : %s\n",
current->ipString);
printf("\texpecting host IP : %s\n", (char*)ctx);
if (XSTRCMP(ctx, current->ipString) == 0) {
printf("\tmatched!\n");
ipMatch = 1;
}
}
current = current->next;
}
if (ipMatch == 0) {
printf("IP did not match expected IP\n");
ret = -1;
}
}
FreeDecodedCert(&dCert);
}
}
#endif
#endif
return ret;
}
@ -581,14 +691,6 @@ static THREAD_RET readInput(void* in)
}
#ifdef WOLFSSH_AGENT
static inline void ato32(const byte* c, word32* u32)
{
*u32 = (c[0] << 24) | (c[1] << 16) | (c[2] << 8) | c[3];
}
#endif
static THREAD_RET readPeer(void* in)
{
byte buf[80];
@ -1161,7 +1263,7 @@ THREAD_RETURN WOLFSSH_THREAD client_test(void* args)
#endif /* WOLFSSH_CERTS */
wolfSSH_CTX_SetPublicKeyCheck(ctx, wsPublicKeyCheck);
wolfSSH_SetPublicKeyCheckCtx(ssh, (void*)"You've been sampled!");
wolfSSH_SetPublicKeyCheckCtx(ssh, (void*)host);
ret = wolfSSH_SetUsername(ssh, username);
if (ret != WS_SUCCESS)

BIN
keys/ca-cert-ecc.der
View File

Binary file not shown.

52
keys/ca-cert-ecc.pem
View File

@ -1,14 +1,13 @@
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
29:bf:2b:cd:bf:55:54:49:85:b3:69:4e:e1:85:37:79:1e:81:f9:c2
Serial Number: 6 (0x6)
Signature Algorithm: ecdsa-with-SHA256
Issuer: C = US, ST = Washington, L = Seattle, O = wolfSSL, OU = Development, CN = www.wolfssl.com, emailAddress = info@wolfssl.com
Issuer: C = US, ST = Washington, L = Seattle, O = wolfSSL, OU = Development, CN = www.wolfssl.com, emailAddress = ca@example.com
Validity
Not Before: Feb 15 12:50:24 2022 GMT
Not After : Nov 11 12:50:24 2024 GMT
Subject: C = US, ST = Washington, L = Seattle, O = wolfSSL, OU = Development, CN = www.wolfssl.com, emailAddress = info@wolfssl.com
Not Before: Oct 1 05:54:44 2022 GMT
Not After : Sep 28 05:54:44 2032 GMT
Subject: C = US, ST = Washington, L = Seattle, O = wolfSSL, OU = Development, CN = www.wolfssl.com, emailAddress = ca@example.com
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
Public-Key: (256 bit)
@ -25,29 +24,34 @@ Certificate:
56:8E:9A:C3:F0:42:DE:18:B9:45:55:6E:F9:93:CF:EA:C3:F3:A5:21
X509v3 Authority Key Identifier:
keyid:56:8E:9A:C3:F0:42:DE:18:B9:45:55:6E:F9:93:CF:EA:C3:F3:A5:21
DirName:/C=US/ST=Washington/L=Seattle/O=wolfSSL/OU=Development/CN=www.wolfssl.com/emailAddress=ca@example.com
serial:06
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Key Usage: critical
Digital Signature, Certificate Sign, CRL Sign
Signature Algorithm: ecdsa-with-SHA256
30:44:02:20:78:ed:4c:1c:a7:2d:b3:35:0b:1d:46:a3:37:31:
0b:8a:05:39:c8:28:31:58:35:f1:98:f7:4b:72:c0:4f:e6:7f:
02:20:02:f2:09:2b:3a:e1:36:92:bf:58:6a:03:12:2d:79:e6:
bd:06:45:61:b9:0e:39:e1:9c:f0:a8:2e:0b:1e:8c:b2
30:45:02:20:18:bc:74:fd:d9:26:f2:f5:c2:f3:f5:cd:99:38:
9d:85:7d:8b:67:c8:f5:51:4a:5a:88:b6:3f:61:38:6b:9f:11:
02:21:00:f1:95:08:34:2b:47:32:93:8c:10:4b:4b:fd:6e:22:
f2:48:3b:5d:8a:74:46:24:7d:30:eb:65:15:06:e4:38:e0
-----BEGIN CERTIFICATE-----
MIIClDCCAjugAwIBAgIUKb8rzb9VVEmFs2lO4YU3eR6B+cIwCgYIKoZIzj0EAwIw
gZcxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApXYXNoaW5ndG9uMRAwDgYDVQQHDAdT
ZWF0dGxlMRAwDgYDVQQKDAd3b2xmU1NMMRQwEgYDVQQLDAtEZXZlbG9wbWVudDEY
MBYGA1UEAwwPd3d3LndvbGZzc2wuY29tMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdv
bGZzc2wuY29tMB4XDTIyMDIxNTEyNTAyNFoXDTI0MTExMTEyNTAyNFowgZcxCzAJ
BgNVBAYTAlVTMRMwEQYDVQQIDApXYXNoaW5ndG9uMRAwDgYDVQQHDAdTZWF0dGxl
MRAwDgYDVQQKDAd3b2xmU1NMMRQwEgYDVQQLDAtEZXZlbG9wbWVudDEYMBYGA1UE
AwwPd3d3LndvbGZzc2wuY29tMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wu
Y29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEAtPZbtYBjkXIuZAx5cBM456t
KTiYuhDW6QkqgKkuFyq5ir8zg0bjlQvkd0C1O0NFMw9hU3w3RMHL/IDK6EPqp6Nj
MGEwHQYDVR0OBBYEFFaOmsPwQt4YuUVVbvmTz+rD86UhMB8GA1UdIwQYMBaAFFaO
msPwQt4YuUVVbvmTz+rD86UhMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQD
AgGGMAoGCCqGSM49BAMCA0cAMEQCIHjtTBynLbM1Cx1GozcxC4oFOcgoMVg18Zj3
S3LAT+Z/AiAC8gkrOuE2kr9YagMSLXnmvQZFYbkOOeGc8KguCx6Msg==
MIIDJjCCAsygAwIBAgIBBjAKBggqhkjOPQQDAjCBlTELMAkGA1UEBhMCVVMxEzAR
BgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoMB3dv
bGZTU0wxFDASBgNVBAsMC0RldmVsb3BtZW50MRgwFgYDVQQDDA93d3cud29sZnNz
bC5jb20xHTAbBgkqhkiG9w0BCQEWDmNhQGV4YW1wbGUuY29tMB4XDTIyMTAwMTA1
NTQ0NFoXDTMyMDkyODA1NTQ0NFowgZUxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApX
YXNoaW5ndG9uMRAwDgYDVQQHDAdTZWF0dGxlMRAwDgYDVQQKDAd3b2xmU1NMMRQw
EgYDVQQLDAtEZXZlbG9wbWVudDEYMBYGA1UEAwwPd3d3LndvbGZzc2wuY29tMR0w
GwYJKoZIhvcNAQkBFg5jYUBleGFtcGxlLmNvbTBZMBMGByqGSM49AgEGCCqGSM49
AwEHA0IABALT2W7WAY5FyLmQMeXATOOerSk4mLoQ1ukJKoCpLhcquYq/M4NG45UL
5HdAtTtDRTMPYVN8N0TBy/yAyuhD6qejggEJMIIBBTAdBgNVHQ4EFgQUVo6aw/BC
3hi5RVVu+ZPP6sPzpSEwgcIGA1UdIwSBujCBt4AUVo6aw/BC3hi5RVVu+ZPP6sPz
pSGhgZukgZgwgZUxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApXYXNoaW5ndG9uMRAw
DgYDVQQHDAdTZWF0dGxlMRAwDgYDVQQKDAd3b2xmU1NMMRQwEgYDVQQLDAtEZXZl
bG9wbWVudDEYMBYGA1UEAwwPd3d3LndvbGZzc2wuY29tMR0wGwYJKoZIhvcNAQkB
Fg5jYUBleGFtcGxlLmNvbYIBBjAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQE
AwIBhjAKBggqhkjOPQQDAgNIADBFAiAYvHT92Sby9cLz9c2ZOJ2FfYtnyPVRSlqI
tj9hOGufEQIhAPGVCDQrRzKTjBBLS/1uIvJIO12KdEYkfTDrZRUG5Djg
-----END CERTIFICATE-----

BIN
keys/fred-cert.der 100644
View File

Binary file not shown.

55
keys/fred-cert.pem 100644
View File

@ -0,0 +1,55 @@
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 7 (0x7)
Signature Algorithm: ecdsa-with-SHA256
Issuer: C = US, ST = Washington, L = Seattle, O = wolfSSL, OU = Development, CN = www.wolfssl.com, emailAddress = ca@example.com
Validity
Not Before: Oct 1 05:54:44 2022 GMT
Not After : Sep 28 05:54:44 2032 GMT
Subject: C = US, ST = WA, L = Seattle, O = wolfSSL Inc, OU = Development, CN = Fred, emailAddress = fred@example.com
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
Public-Key: (256 bit)
pub:
04:12:dc:16:d1:17:81:a6:02:f0:0f:11:90:bb:32:
85:66:0e:76:00:62:ac:aa:e3:b9:26:1c:2a:e2:28:
f8:dd:d8:79:3f:c0:02:5e:d1:d1:c5:fe:3c:63:f5:
1f:ae:13:4b:69:ca:e8:ed:f4:36:ba:62:e0:a1:c8:
18:10:4b:55:e1
ASN1 OID: prime256v1
NIST CURVE: P-256
X509v3 extensions:
X509v3 Subject Key Identifier:
9C:AF:03:66:F5:F0:04:FC:22:8F:8E:20:26:40:47:01:CE:D6:7A:8D
X509v3 Authority Key Identifier:
keyid:56:8E:9A:C3:F0:42:DE:18:B9:45:55:6E:F9:93:CF:EA:C3:F3:A5:21
DirName:/C=US/ST=Washington/L=Seattle/O=wolfSSL/OU=Development/CN=www.wolfssl.com/emailAddress=ca@example.com
serial:06
X509v3 Subject Alternative Name:
othername:<unsupported>
Signature Algorithm: ecdsa-with-SHA256
30:45:02:21:00:de:95:bb:3a:54:c3:81:6e:f2:89:da:2f:99:
37:e7:40:13:be:40:5c:93:84:0f:36:2e:80:d6:8a:f5:e3:6a:
0c:02:20:55:6b:3a:c8:ed:ce:d1:29:15:b5:32:21:3c:a5:0e:
bc:84:08:db:a3:ef:c1:c5:c3:79:1f:07:c9:c0:bb:b0:f5
-----BEGIN CERTIFICATE-----
MIIDITCCAsegAwIBAgIBBzAKBggqhkjOPQQDAjCBlTELMAkGA1UEBhMCVVMxEzAR
BgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoMB3dv
bGZTU0wxFDASBgNVBAsMC0RldmVsb3BtZW50MRgwFgYDVQQDDA93d3cud29sZnNz
bC5jb20xHTAbBgkqhkiG9w0BCQEWDmNhQGV4YW1wbGUuY29tMB4XDTIyMTAwMTA1
NTQ0NFoXDTMyMDkyODA1NTQ0NFowgYgxCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJX
QTEQMA4GA1UEBwwHU2VhdHRsZTEUMBIGA1UECgwLd29sZlNTTCBJbmMxFDASBgNV
BAsMC0RldmVsb3BtZW50MQ0wCwYDVQQDDARGcmVkMR8wHQYJKoZIhvcNAQkBFhBm
cmVkQGV4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEEtwW0ReB
pgLwDxGQuzKFZg52AGKsquO5Jhwq4ij43dh5P8ACXtHRxf48Y/UfrhNLacro7fQ2
umLgocgYEEtV4aOCAREwggENMB0GA1UdDgQWBBScrwNm9fAE/CKPjiAmQEcBztZ6
jTCBwgYDVR0jBIG6MIG3gBRWjprD8ELeGLlFVW75k8/qw/OlIaGBm6SBmDCBlTEL
MAkGA1UEBhMCVVMxEzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0
bGUxEDAOBgNVBAoMB3dvbGZTU0wxFDASBgNVBAsMC0RldmVsb3BtZW50MRgwFgYD
VQQDDA93d3cud29sZnNzbC5jb20xHTAbBgkqhkiG9w0BCQEWDmNhQGV4YW1wbGUu
Y29tggEGMCcGA1UdEQQgMB6gHAYKKwYBBAGCNxQCA6AODAxmcmVkQGV4YW1wbGUw
CgYIKoZIzj0EAwIDSAAwRQIhAN6VuzpUw4Fu8onaL5k350ATvkBck4QPNi6A1or1
42oMAiBVazrI7c7RKRW1MiE8pQ68hAjbo+/BxcN5HwfJwLuw9Q==
-----END CERTIFICATE-----

0
keys/john-key.der → keys/fred-key.der
View File

0
keys/john-key.pem → keys/fred-key.pem
View File

5
keys/include.am
View File

@ -20,6 +20,7 @@ EXTRA_DIST+= \
keys/pubkeys-rsa.txt keys/passwd.txt keys/ca-cert-ecc.der \
keys/ca-cert-ecc.pem keys/ca-key-ecc.der keys/ca-key-ecc.pem \
keys/server-cert.der keys/server-cert.pem \
keys/john-cert.der keys/john-cert.pem \
keys/server-key.pem keys/john-key.der keys/john-key.pem
keys/fred-cert.der keys/fred-cert.pem \
keys/server-key.pem keys/fred-key.der keys/fred-key.pem \
keys/renewcerts.sh keys/renewcerts.cnf

BIN
keys/john-cert.der
View File

Binary file not shown.

15
keys/john-cert.pem
View File

@ -1,15 +0,0 @@
-----BEGIN CERTIFICATE-----
MIICSzCCAfGgAwIBAgIQUg79CEuTa/LBX88kspbmFzAKBggqhkjOPQQDAjCBlzEL
MAkGA1UEBhMCVVMxEzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0
bGUxEDAOBgNVBAoMB3dvbGZTU0wxFDASBgNVBAsMC0RldmVsb3BtZW50MRgwFgYD
VQQDDA93d3cud29sZnNzbC5jb20xHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNz
bC5jb20wIhgPMjAyMjAyMjYyMjEyMzNaGA8yMDIzMDcxMjIyMTIzM1owgZExCzAJ
BgNVBAYTAlVTMQswCQYDVQQIDAJXQTEQMA4GA1UEBwwHU2VhdHRsZTEUMBIGA1UE
CgwLd29sZlNTTCBJbmMxFDASBgNVBAsMC0RldmVsb3BtZW50MRYwFAYDVQQDDA1K
b2huIFNhZnJhbmVrMR8wHQYJKoZIhvcNAQkBFhBqb2huQHdvbGZzc2wuY29tMFkw
EwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEEtwW0ReBpgLwDxGQuzKFZg52AGKsquO5
Jhwq4ij43dh5P8ACXtHRxf48Y/UfrhNLacro7fQ2umLgocgYEEtV4aMfMB0wGwYD
VR0RBBQwEoEQam9obkB3b2xmc3NsLmNvbTAKBggqhkjOPQQDAgNIADBFAiEAtsaS
gxyAAWzJ+nSku+VnVz821mL5tnw2rxTUKnWYg10CIE8/UF6OKGcJMJcUpTPc4G7F
IYffUYF+T1BAhyEwTsxx
-----END CERTIFICATE-----

57
keys/renewcerts.cnf 100644
View File

@ -0,0 +1,57 @@
HOME = .
RANDFILE = $ENV::HOME/.rnd
[ ca ]
default_ca = CA_default # The default ca section
[ CA_default ]
dir = $HOME
database = $dir/index.txt # database index file.
certs = $dir/
new_certs_dir = $dir/
certificate = $dir/ca-cert-ecc.pem
serial = $dir/serial
default_md = default
policy = policy_match
email_in_dn = no
RANDFILE = $dir/.rand
# For the CA policy
[ policy_match ]
countryName = match
stateOrProvinceName = supplied
organizationName = supplied
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ req ]
x509_extensions = v3_ca # The extensions to add to the self signed cert
distinguished_name = req_distinguished_name
prompt = no
# Extensions for a typical CA
[ v3_ca ]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
basicConstraints = critical,CA:true
keyUsage = critical, digitalSignature, keyCertSign, cRLSign
# Extensions for fred cert
[ v3_fred ]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
subjectAltName = @fred_altnames
[ fred_altnames ]
otherName = msUPN;UTF8:fred@example
# Extensions for server cert
[ v3_server ]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
subjectAltName = DNS:example, IP:127.0.0.1
[ req_distinguished_name ]

19
keys/renewcerts.sh 100755
View File

@ -0,0 +1,19 @@
touch index.txt
# renew CA
openssl req -subj '/C=US/ST=Washington/L=Seattle/O=wolfSSL/OU=Development/CN=www.wolfssl.com/emailAddress=ca@example.com' -key ca-key-ecc.pem -text -out ca-cert-ecc.pem -config renewcerts.cnf -new -nodes -x509 -extensions v3_ca -days 3650 -set_serial 6
openssl x509 -in ca-cert-ecc.pem -outform DER -out ca-cert-ecc.der
# renew fred-cert
openssl req -subj '/C=US/ST=WA/L=Seattle/O=wolfSSL Inc/OU=Development/CN=Fred/emailAddress=fred@example.com' -key fred-key.pem -out fred-cert.csr -config renewcerts.cnf -new -nodes
openssl x509 -req -in fred-cert.csr -days 3650 -extfile renewcerts.cnf -extensions v3_fred -CA ca-cert-ecc.pem -CAkey ca-key-ecc.pem -text -out fred-cert.pem -set_serial 7
openssl x509 -in fred-cert.pem -outform DER -out fred-cert.der
# renew server-cert
openssl req -subj '/C=US/ST=Washington/L=Seattle/O=Eliptic/OU=ECC/CN=www.wolfssl.com/emailAddress=server@example.com' -key server-key.pem -out server-cert.csr -config renewcerts.cnf -new -nodes
openssl x509 -req -in server-cert.csr -days 3650 -extfile renewcerts.cnf -extensions v3_server -CA ca-cert-ecc.pem -CAkey ca-key-ecc.pem -text -out server-cert.pem -set_serial 8
openssl x509 -in server-cert.pem -outform DER -out server-cert.der
rm index.*

BIN
keys/server-cert.der
View File

Binary file not shown.

56
keys/server-cert.pem
View File

@ -1,13 +1,13 @@
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 3 (0x3)
Serial Number: 8 (0x8)
Signature Algorithm: ecdsa-with-SHA256
Issuer: C = US, ST = Washington, L = Seattle, O = wolfSSL, OU = Development, CN = www.wolfssl.com, emailAddress = info@wolfssl.com
Issuer: C = US, ST = Washington, L = Seattle, O = wolfSSL, OU = Development, CN = www.wolfssl.com, emailAddress = ca@example.com
Validity
Not Before: Dec 20 23:07:25 2021 GMT
Not After : Sep 15 23:07:25 2024 GMT
Subject: C = US, ST = Washington, L = Seattle, O = Eliptic, OU = ECC, CN = www.wolfssl.com, emailAddress = info@wolfssl.com
Not Before: Oct 1 05:54:44 2022 GMT
Not After : Sep 28 05:54:44 2032 GMT
Subject: C = US, ST = Washington, L = Seattle, O = Eliptic, OU = ECC, CN = www.wolfssl.com, emailAddress = server@example.com
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
Public-Key: (256 bit)
@ -24,34 +24,32 @@ Certificate:
5D:5D:26:EF:AC:7E:36:F9:9B:76:15:2B:4A:25:02:23:EF:B2:89:30
X509v3 Authority Key Identifier:
keyid:56:8E:9A:C3:F0:42:DE:18:B9:45:55:6E:F9:93:CF:EA:C3:F3:A5:21
DirName:/C=US/ST=Washington/L=Seattle/O=wolfSSL/OU=Development/CN=www.wolfssl.com/emailAddress=ca@example.com
serial:06
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Key Usage: critical
Digital Signature, Key Encipherment, Key Agreement
X509v3 Extended Key Usage:
TLS Web Server Authentication
Netscape Cert Type:
SSL Server
X509v3 Subject Alternative Name:
DNS:example, IP Address:127.0.0.1
Signature Algorithm: ecdsa-with-SHA256
30:44:02:20:5a:67:b9:ee:02:34:27:1b:d4:c4:35:7b:ed:59:
8e:63:c4:8a:b7:e9:92:c1:8a:76:b0:8b:cd:24:49:78:ba:ef:
02:20:29:b8:b6:5f:83:f7:56:6a:f1:4d:d9:9f:52:2a:f9:8f:
53:14:49:8b:5f:5e:87:af:7f:ca:2e:e0:d8:e7:75:0c
30:45:02:20:42:d8:a0:95:e7:aa:4e:63:fd:50:6e:6b:f9:98:
90:be:3d:44:53:68:1b:66:dd:22:a3:12:77:70:94:56:db:82:
02:21:00:ce:18:b2:10:b2:2d:2a:b9:79:d4:76:64:df:28:91:
23:8d:93:22:e9:4b:ea:7f:49:4e:eb:65:ce:c8:86:ba:fb
-----BEGIN CERTIFICATE-----
MIICoDCCAkegAwIBAgIBAzAKBggqhkjOPQQDAjCBlzELMAkGA1UEBhMCVVMxEzAR
MIIDGjCCAsCgAwIBAgIBCDAKBggqhkjOPQQDAjCBlTELMAkGA1UEBhMCVVMxEzAR
BgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoMB3dv
bGZTU0wxFDASBgNVBAsMC0RldmVsb3BtZW50MRgwFgYDVQQDDA93d3cud29sZnNz
bC5jb20xHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wHhcNMjExMjIw
MjMwNzI1WhcNMjQwOTE1MjMwNzI1WjCBjzELMAkGA1UEBhMCVVMxEzARBgNVBAgM
Cldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoMB0VsaXB0aWMx
DDAKBgNVBAsMA0VDQzEYMBYGA1UEAwwPd3d3LndvbGZzc2wuY29tMR8wHQYJKoZI
hvcNAQkBFhBpbmZvQHdvbGZzc2wuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcD
bC5jb20xHTAbBgkqhkiG9w0BCQEWDmNhQGV4YW1wbGUuY29tMB4XDTIyMTAwMTA1
NTQ0NFoXDTMyMDkyODA1NTQ0NFowgZExCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApX
YXNoaW5ndG9uMRAwDgYDVQQHDAdTZWF0dGxlMRAwDgYDVQQKDAdFbGlwdGljMQww
CgYDVQQLDANFQ0MxGDAWBgNVBAMMD3d3dy53b2xmc3NsLmNvbTEhMB8GCSqGSIb3
DQEJARYSc2VydmVyQGV4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcD
QgAEuzOsTCdQSsZKpQTDPN6fNttyLc6U6iv6yyAJOSwW6GEC6a9N0wKTmjFbl5Ih
f/DPGNqREQI0huggWDMLgDSJ2KOBiTCBhjAdBgNVHQ4EFgQUXV0m76x+NvmbdhUr
SiUCI++yiTAwHwYDVR0jBBgwFoAUVo6aw/BC3hi5RVVu+ZPP6sPzpSEwDAYDVR0T
AQH/BAIwADAOBgNVHQ8BAf8EBAMCA6gwEwYDVR0lBAwwCgYIKwYBBQUHAwEwEQYJ
YIZIAYb4QgEBBAQDAgZAMAoGCCqGSM49BAMCA0cAMEQCIFpnue4CNCcb1MQ1e+1Z
jmPEirfpksGKdrCLzSRJeLrvAiApuLZfg/dWavFN2Z9SKvmPUxRJi19eh69/yi7g
2Od1DA==
f/DPGNqREQI0huggWDMLgDSJ2KOCAQEwgf4wHQYDVR0OBBYEFF1dJu+sfjb5m3YV
K0olAiPvsokwMIHCBgNVHSMEgbowgbeAFFaOmsPwQt4YuUVVbvmTz+rD86UhoYGb
pIGYMIGVMQswCQYDVQQGEwJVUzETMBEGA1UECAwKV2FzaGluZ3RvbjEQMA4GA1UE
BwwHU2VhdHRsZTEQMA4GA1UECgwHd29sZlNTTDEUMBIGA1UECwwLRGV2ZWxvcG1l
bnQxGDAWBgNVBAMMD3d3dy53b2xmc3NsLmNvbTEdMBsGCSqGSIb3DQEJARYOY2FA
ZXhhbXBsZS5jb22CAQYwGAYDVR0RBBEwD4IHZXhhbXBsZYcEfwAAATAKBggqhkjO
PQQDAgNIADBFAiBC2KCV56pOY/1Qbmv5mJC+PURTaBtm3SKjEndwlFbbggIhAM4Y
shCyLSq5edR2ZN8okSONkyLpS+p/SU7rZc7Ihrr7
-----END CERTIFICATE-----