diff --git a/certs/renewcerts.sh b/certs/renewcerts.sh
index 5e3f5b0a4..39bcc135d 100755
--- a/certs/renewcerts.sh
+++ b/certs/renewcerts.sh
@@ -354,6 +354,32 @@ function run_renewcerts(){
 ./gen-badsig.sh
 cd ../
 
+ ############################################################
+ ########## generate ocsp certs ######################
+ ############################################################
+ echo "Changing directory to ocsp..."
+ echo ""
+
+ # guard against recursive calls to renewcerts.sh
+ if [ -d ocsp ]; then
+ cd ./ocsp
+ echo "Execute ./renewcerts.sh..."
+ ./renewcerts.sh
+ cd ../
+ else
+ echo "Error could not find ocsp directory"
+ exit 1
+ fi
+
+ ############################################################
+ ###### calling assemble-chains.sh ##################
+ ############################################################
+ echo "Calling assemble-chains.sh"
+ echo ""
+ cd ./test-pathlen
+ ./assemble-chains.sh
+ cd ../
+
 ############################################################
 ########## store DER files as buffers ######################
 ############################################################
diff --git a/certs/renewcerts/wolfssl.cnf b/certs/renewcerts/wolfssl.cnf
index 11293afd3..c251cc71e 100644
--- a/certs/renewcerts/wolfssl.cnf
+++ b/certs/renewcerts/wolfssl.cnf
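Review bot: The test-pathlen block at the end of the hunk has none of the guarding the ocsp block just above it has: `cd ./test-pathlen` is unchecked, so if the directory is missing the script runs `./assemble-chains.sh` from the wrong directory and the following `cd ../` climbs one level too far for everything that comes after. The exit status of `./renewcerts.sh` and `./assemble-chains.sh` is also never examined, so a failed regeneration leaves stale or partial fixtures while the function carries on; whether the enclosing script runs under `set -e` is not visible here. I would mirror the ocsp pattern, e.g. `cd ./test-pathlen || { echo "Error could not find test-pathlen directory"; exit 1; }` and `./assemble-chains.sh || exit 1`. The comment `# guard against recursive calls to renewcerts.sh` describes a directory-existence check, not recursion protection; `# the ocsp directory has its own renewcerts.sh; fail if it is missing` would match what the code does. run_renewcerts continues outside the hunk.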
@@ -125,6 +125,40 @@ subjectKeyIdentifier=hash
 authorityKeyIdentifier=keyid:always,issuer:always
 basicConstraints=CA:true
 
+# CA with pathlen 0
+[ pathlen_0 ]
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid:always,issuer:always
+basicConstraints=CA:true,pathlen:0
+keyUsage=keyCertSign, cRLSign
+
+# CA with pathlen 1
+[ pathlen_1 ]
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid:always,issuer:always
+basicConstraints=CA:true,pathlen:1
+keyUsage=keyCertSign, cRLSign
+
+# CA with pathlen 127
+[ pathlen_127 ]
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid:always,issuer:always
+basicConstraints=CA:true,pathlen:127
+keyUsage=keyCertSign, cRLSign
+
+# CA with pathlen 128
+[ pathlen_128 ]
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid:always,issuer:always
+basicConstraints=CA:true,pathlen:128
+keyUsage=keyCertSign, cRLSign
+
+# test pathlen server cert
+[ test_pathlen ]
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid:always,issuer:always
+basicConstraints=CA:false
+
 # Extensions to add to a certificate request
 [ v3_req ]
 basicConstraints = CA:FALSE
diff --git a/certs/test-pathlen/assemble-chains.sh b/certs/test-pathlen/assemble-chains.sh
index 583ded2e8..ab46b397c 100755
--- a/certs/test-pathlen/assemble-chains.sh
+++ b/certs/test-pathlen/assemble-chains.sh
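Review bot: The pathlen_127 and pathlen_128 comments should say why those two values were chosen; presumably 127 is the largest path length that DER encodes as a single INTEGER byte and 128 the first that needs two, which is the boundary a decoder is most likely to get wrong. Something like `# CA with pathlen 127 (largest single-byte DER INTEGER)` and `# CA with pathlen 128 (first value needing a two-byte DER INTEGER)` would keep that intent from being lost. Separately, none of the new CA sections mark basicConstraints as critical (`basicConstraints=critical,CA:true,pathlen:0`), which RFC 5280 requires for CA certificates and recommends for keyUsage as well; the sections above them in this file follow the same non-critical convention, so this may be deliberate for the existing fixtures, but a path-length test suite is exactly where a verifier's handling of the critical flag matters.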
@@ -1,8 +1,192 @@
 #!/bin/bash
 #
 # assemble-chains.sh
-# Assemble all the certificate CA path test cert chains.
+# Create certs and assemble all the certificate CA path test cert chains.
+
+###########################################################
+########## update server-0-ca.pem ################
+###########################################################
+echo "Updating server-0-ca.pem"
+echo ""
+#pipe the following arguments to openssl req...
+echo -e "US\nWashington\nSeattle\nwolfSSL Inc.\nEngineering\nServer 0 CA\ninfo@wolfssl.com\n.\n.\n" | openssl req -new -key ../server-key.pem -nodes -sha1 > server-0-ca-req.pem
+
+openssl x509 -req -in server-0-ca-req.pem -extfile ../renewcerts/wolfssl.cnf -extensions pathlen_0 -days 1000 -CA ../ca-cert.pem -CAkey ../ca-key.pem -set_serial 100 -sha1 > server-0-ca.pem
+
+rm server-0-ca-req.pem
+openssl x509 -in server-0-ca.pem -text > ca_tmp.pem
+mv ca_tmp.pem server-0-ca.pem
+
+
+###########################################################
+########## update server-0-cert.pem ################
+###########################################################
+echo "Updating server-0-cert.pem"
+echo ""
+#pipe the following arguments to openssl req...
+echo -e "US\nWashington\nSeattle\nwolfSSL Inc.\nEngineering\nServer 0\ninfo@wolfssl.com\n.\n.\n" | openssl req -new -key ../server-key.pem -nodes -sha1 > server-0-cert-req.pem
+
+openssl x509 -req -in server-0-cert-req.pem -extfile ../renewcerts/wolfssl.cnf -extensions test_pathlen -days 1000 -CA server-0-ca.pem -CAkey ../server-key.pem -set_serial 101 -sha1 > server-0-cert.pem
+
+rm server-0-cert-req.pem
+openssl x509 -in server-0-cert.pem -text > cert_tmp.pem
+mv cert_tmp.pem server-0-cert.pem
+
+
+###########################################################
+########## update server-1-ca.pem ################
+###########################################################
+echo "Updating server-1-ca.pem"
+echo ""
+#pipe the following arguments to openssl req...
+echo -e "US\nWashington\nSeattle\nwolfSSL Inc.\nEngineering\nServer 1 CA\ninfo@wolfssl.com\n.\n.\n" | openssl req -new -key ../server-key.pem -nodes -sha1 > server-1-ca-req.pem
+
+openssl x509 -req -in server-1-ca-req.pem -extfile ../renewcerts/wolfssl.cnf -extensions pathlen_1 -days 1000 -CA ../ca-cert.pem -CAkey ../ca-key.pem -set_serial 102 -sha1 > server-1-ca.pem
+
+rm server-1-ca-req.pem
+openssl x509 -in server-1-ca.pem -text > ca_tmp.pem
+mv ca_tmp.pem server-1-ca.pem
+
+
+###########################################################
+########## update server-1-cert.pem ################
+###########################################################
+echo "Updating server-1-cert.pem"
+echo ""
+#pipe the following arguments to openssl req...
+echo -e "US\nWashington\nSeattle\nwolfSSL Inc.\nEngineering\nServer 1\ninfo@wolfssl.com\n.\n.\n" | openssl req -new -key ../server-key.pem -nodes -sha1 > server-1-cert-req.pem
+
+openssl x509 -req -in server-1-cert-req.pem -extfile ../renewcerts/wolfssl.cnf -extensions test_pathlen -days 1000 -CA server-1-ca.pem -CAkey ../server-key.pem -set_serial 105 -sha1 > server-1-cert.pem
+
+rm server-1-cert-req.pem
+openssl x509 -in server-1-cert.pem -text > cert_tmp.pem
+mv cert_tmp.pem server-1-cert.pem
+
+
+###########################################################
+########## update server-0-1-ca.pem ################
+###########################################################
+echo "Updating server-0-1-ca.pem"
+echo ""
+#pipe the following arguments to openssl req...
+echo -e "US\nWashington\nSeattle\nwolfSSL Inc.\nEngineering\nServer 0-1 CA\ninfo@wolfssl.com\n.\n.\n" | openssl req -new -key ../server-key.pem -nodes -sha1 > server-0-1-ca-req.pem
+
+openssl x509 -req -in server-0-1-ca-req.pem -extfile ../renewcerts/wolfssl.cnf -extensions pathlen_1 -days 1000 -CA server-0-ca.pem -CAkey ../server-key.pem -set_serial 110 -sha1 > server-0-1-ca.pem
+
+rm server-0-1-ca-req.pem
+openssl x509 -in server-0-1-ca.pem -text > ca_tmp.pem
+mv ca_tmp.pem server-0-1-ca.pem
+
+
+###########################################################
+########## update server-0-1-cert.pem ################
+###########################################################
+echo "Updating server-0-1-cert.pem"
+echo ""
+#pipe the following arguments to openssl req...
+echo -e "US\nWashington\nSeattle\nwolfSSL Inc.\nEngineering\nServer 0-1\ninfo@wolfssl.com\n.\n.\n" | openssl req -new -key ../server-key.pem -nodes -sha1 > server-0-1-cert-req.pem
+
+openssl x509 -req -in server-0-1-cert-req.pem -extfile ../renewcerts/wolfssl.cnf -extensions test_pathlen -days 1000 -CA server-0-1-ca.pem -CAkey ../server-key.pem -set_serial 111 -sha1 > server-0-1-cert.pem
+
+rm server-0-1-cert-req.pem
+openssl x509 -in server-0-1-cert.pem -text > cert_tmp.pem
+mv cert_tmp.pem server-0-1-cert.pem
+
+
+###########################################################
+########## update server-1-0-ca.pem ################
+###########################################################
+echo "Updating server-1-0-ca.pem"
+echo ""
+#pipe the following arguments to openssl req...
+echo -e "US\nWashington\nSeattle\nwolfSSL Inc.\nEngineering\nServer 1-0 CA\ninfo@wolfssl.com\n.\n.\n" | openssl req -new -key ../server-key.pem -nodes -sha1 > server-1-0-ca-req.pem
+
+openssl x509 -req -in server-1-0-ca-req.pem -extfile ../renewcerts/wolfssl.cnf -extensions pathlen_0 -days 1000 -CA server-1-ca.pem -CAkey ../server-key.pem -set_serial 103 -sha1 > server-1-0-ca.pem
+
+rm server-1-0-ca-req.pem
+openssl x509 -in server-1-0-ca.pem -text > ca_tmp.pem
+mv ca_tmp.pem server-1-0-ca.pem
+
+
+###########################################################
+########## update server-1-0-cert.pem ################
+###########################################################
+echo "Updating server-1-0-cert.pem"
+echo ""
+#pipe the following arguments to openssl req...
+echo -e "US\nWashington\nSeattle\nwolfSSL Inc.\nEngineering\nServer 1-0\ninfo@wolfssl.com\n.\n.\n" | openssl req -new -key ../server-key.pem -nodes -sha1 > server-1-0-cert-req.pem
+
+openssl x509 -req -in server-1-0-cert-req.pem -extfile ../renewcerts/wolfssl.cnf -extensions test_pathlen -days 1000 -CA server-1-0-ca.pem -CAkey ../server-key.pem -set_serial 104 -sha1 > server-1-0-cert.pem
+
+rm server-1-0-cert-req.pem
+openssl x509 -in server-1-0-cert.pem -text > cert_tmp.pem
+mv cert_tmp.pem server-1-0-cert.pem
+
+
+###########################################################
+########## update server-127-ca.pem ################
+###########################################################
+echo "Updating server-127-ca.pem"
+echo ""
+#pipe the following arguments to openssl req...
+echo -e "US\nWashington\nSeattle\nwolfSSL Inc.\nEngineering\nServer 127 CA\ninfo@wolfssl.com\n.\n.\n" | openssl req -new -key ../server-key.pem -nodes -sha1 > server-127-ca-req.pem
+
+openssl x509 -req -in server-127-ca-req.pem -extfile ../renewcerts/wolfssl.cnf -extensions pathlen_127 -days 1000 -CA ../ca-cert.pem -CAkey ../ca-key.pem -set_serial 106 -sha1 > server-127-ca.pem
+
+rm server-127-ca-req.pem
+openssl x509 -in server-127-ca.pem -text > ca_tmp.pem
+mv ca_tmp.pem server-127-ca.pem
+
+
+###########################################################
+########## update server-127-cert.pem ################
+###########################################################
+echo "Updating server-127-cert.pem"
+echo ""
+#pipe the following arguments to openssl req...
+echo -e "US\nWashington\nSeattle\nwolfSSL Inc.\nEngineering\nServer 127\ninfo@wolfssl.com\n.\n.\n" | openssl req -new -key ../server-key.pem -nodes -sha1 > server-127-cert-req.pem
+
+openssl x509 -req -in server-127-cert-req.pem -extfile ../renewcerts/wolfssl.cnf -extensions test_pathlen -days 1000 -CA server-127-ca.pem -CAkey ../server-key.pem -set_serial 107 -sha1 > server-127-cert.pem
+
+rm server-127-cert-req.pem
+openssl x509 -in server-127-cert.pem -text > cert_tmp.pem
+mv cert_tmp.pem server-127-cert.pem
+
+
+###########################################################
+########## update server-128-ca.pem ################
+###########################################################
+echo "Updating server-128-ca.pem"
+echo ""
+#pipe the following arguments to openssl req...
+echo -e "US\nWashington\nSeattle\nwolfSSL Inc.\nEngineering\nServer 128 CA\ninfo@wolfssl.com\n.\n.\n" | openssl req -new -key ../server-key.pem -nodes -sha1 > server-128-ca-req.pem
+
+openssl x509 -req -in server-128-ca-req.pem -extfile ../renewcerts/wolfssl.cnf -extensions pathlen_128 -days 1000 -CA ../ca-cert.pem -CAkey ../ca-key.pem -set_serial 106 -sha1 > server-128-ca.pem
+
+rm server-128-ca-req.pem
+openssl x509 -in server-128-ca.pem -text > ca_tmp.pem
+mv ca_tmp.pem server-128-ca.pem
+
+
+###########################################################
+########## update server-128-cert.pem ################
+###########################################################
+echo "Updating server-128-cert.pem"
+echo ""
+#pipe the following arguments to openssl req...
+echo -e "US\nWashington\nSeattle\nwolfSSL Inc.\nEngineering\nServer 128\ninfo@wolfssl.com\n.\n.\n" | openssl req -new -key ../server-key.pem -nodes -sha1 > server-128-cert-req.pem
+
+openssl x509 -req -in server-128-cert-req.pem -extfile ../renewcerts/wolfssl.cnf -extensions test_pathlen -days 1000 -CA server-128-ca.pem -CAkey ../server-key.pem -set_serial 107 -sha1 > server-128-cert.pem
+
+rm server-128-cert-req.pem
+openssl x509 -in server-128-cert.pem -text > cert_tmp.pem
+mv cert_tmp.pem server-128-cert.pem
+
+
+###########################################################
+########## Assemble Chains ################
+###########################################################
 
 # Success: PathLen of 0
 ## server-0-ca.pem: signed by ca-cert.pem
 ## server-0-cert.pem: signed by server-0-ca.pem
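Review bot: server-128-ca.pem is issued with `-set_serial 106`, the same serial the server-127-ca.pem block already uses under the same issuer ../ca-cert.pem; RFC 5280 requires serial numbers to be unique per issuing CA, and anything that identifies a certificate by issuer plus serial (CRL entries, OCSP requests, verifier caches) will conflate the two CA certs, whereas the shared 107 of server-127-cert.pem and server-128-cert.pem is harmless because their issuers differ. Changing the server-128-ca line to `-set_serial 108` (and, for consistency, server-128-cert.pem to `-set_serial 109`) keeps every serial in the script distinct. The script also has no `set -e` and none of the pipelines is checked, so a failing `openssl req` or `openssl x509` leaves an empty req or cert file that the following `mv` installs over the previous fixture without any message. All twelve signatures use `-sha1`; that matches the surrounding tree as far as can be seen here, but a verifier built with SHA-1 disabled will reject these chains before the path-length check is ever reached, so the intent is worth a comment at the top of the script. The file continues past the hunk.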