1.1 misho 1: #!/bin/sh
2:
3: #
4: # Copyright (c) 2007, Cameron Rich
5: #
6: # All rights reserved.
7: #
8: # Redistribution and use in source and binary forms, with or without
9: # modification, are permitted provided that the following conditions are met:
10: #
11: # * Redistributions of source code must retain the above copyright notice,
12: # this list of conditions and the following disclaimer.
13: # * Redistributions in binary form must reproduce the above copyright
14: # notice, this list of conditions and the following disclaimer in the
15: # documentation and/or other materials provided with the distribution.
16: # * Neither the name of the axTLS project nor the names of its
17: # contributors may be used to endorse or promote products derived
18: # from this software without specific prior written permission.
19: #
20: # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
21: # "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
22: # LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
23: # A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR
24: # CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
25: # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
26: # TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
27: # DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
28: # OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
29: # NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
30: # THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
31: #
32:
33: #
# Generate the certificates and keys for testing.
#
# Everything produced here is a deliberately weak test fixture: 512-bit and
# 1024-bit RSA, MD5/SHA-1 signatures, RC4-protected PKCS#8/PKCS#12 and a fixed
# passphrase ("abcd"). These exist to exercise the axTLS parsers and must never
# be used outside this test suite.
35: #
36:
PROJECT_NAME="axTLS Project"

# write_req_conf FILE ORG [CN]
# Write a minimal, non-interactive `openssl req` configuration to FILE whose
# subject carries O=ORG and, only when a third argument is given, CN=CN.
# The output is byte-for-byte what the former inline here-documents produced.
write_req_conf() {
    {
        printf '%s\n' '[ req ]'
        printf '%s\n' 'distinguished_name = req_distinguished_name'
        printf '%s\n' 'prompt = no'
        printf '\n'
        printf '%s\n' '[ req_distinguished_name ]'
        printf 'O = %s\n' "$2"
        if [ -n "$3" ]; then
            printf 'CN = %s\n' "$3"
        fi
    } > "$1"
}

# Generate the openssl configuration files.
write_req_conf ca_cert.conf     "$PROJECT_NAME Dodgy Certificate Authority"
write_req_conf certs.conf       "$PROJECT_NAME" 127.0.0.1
write_req_conf device_cert.conf "$PROJECT_NAME Device Certificate"
67:
# private key generation
# 512/1024-bit RSA is far below any current minimum; the sizes (including the
# odd 1042) are parser test vectors, not keys to deploy. The passphrase is
# passed on the command line and is therefore visible in the process list --
# acceptable only because these are throwaway test keys.
for bits in 512 1024 1042 2048 4096; do
    openssl genrsa -out "axTLS.key_$bits.pem" "$bits"
done
openssl genrsa -out axTLS.ca_key.pem 1024
openssl genrsa -out axTLS.device_key.pem 1024
for cipher in aes128 aes256; do
    openssl genrsa "-$cipher" -passout pass:abcd -out "axTLS.key_$cipher.pem" 512
done
78:
79:
# convert private keys into DER format (the unencrypted ones only)
for name in key_512 key_1024 key_1042 key_2048 key_4096 device_key; do
    openssl rsa -in "axTLS.$name.pem" -out "axTLS.$name" -outform DER
done
87:
# cert requests
# The CA and device requests use their own config (no CN); every server-style
# request shares certs.conf and so carries CN=127.0.0.1.
openssl req -out axTLS.ca_x509.req -key axTLS.ca_key.pem -new \
    -config ./ca_cert.conf
for bits in 512 1024 1042 2048 4096; do
    openssl req -out "axTLS.x509_$bits.req" -key "axTLS.key_$bits.pem" -new \
        -config ./certs.conf
done
openssl req -out axTLS.x509_device.req -key axTLS.device_key.pem -new \
    -config ./device_cert.conf
for cipher in aes128 aes256; do
    openssl req -out "axTLS.x509_$cipher.req" -key "axTLS.key_$cipher.pem" \
        -new -config ./certs.conf -passin pass:abcd
done
107:
# generate the actual certs.
# `openssl x509 -req` without -extfile emits X.509 v1 certificates: no
# basicConstraints, no subjectAltName. The subject CN=127.0.0.1 is the only
# identity the server certs carry. SHA-1 and MD5 signatures are kept on
# purpose as parser test cases.

# ca_sign REQ OUT DIGEST: issue OUT from REQ under the test CA, signed with DIGEST.
ca_sign() {
    openssl x509 -req -in "$1" -out "$2" \
        "-$3" -CAcreateserial -days 5000 \
        -CA axTLS.ca_x509.pem -CAkey axTLS.ca_key.pem
}

# self-signed test root
openssl x509 -req -in axTLS.ca_x509.req -out axTLS.ca_x509.pem \
    -sha1 -days 5000 -signkey axTLS.ca_key.pem
ca_sign axTLS.x509_512.req  axTLS.x509_512.pem  sha1
ca_sign axTLS.x509_1024.req axTLS.x509_1024.pem sha1
ca_sign axTLS.x509_1042.req axTLS.x509_1042.pem sha1
ca_sign axTLS.x509_2048.req axTLS.x509_2048.pem md5
ca_sign axTLS.x509_4096.req axTLS.x509_4096.pem md5
# the device cert hangs off the 512-bit leaf (which has no CA extension),
# giving the client tests a two-level chain to walk
openssl x509 -req -in axTLS.x509_device.req -out axTLS.x509_device.pem \
    -sha1 -CAcreateserial -days 5000 \
    -CA axTLS.x509_512.pem -CAkey axTLS.key_512.pem
ca_sign axTLS.x509_aes128.req axTLS.x509_aes128.pem sha1
ca_sign axTLS.x509_aes256.req axTLS.x509_aes256.pem sha1
137:
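# Not-yet-valid and already-expired certificates for the validity-window tests.
#
# note: must be root to do this -- `openssl x509 -req` cannot set notBefore
# directly, so the system clock is moved into the future, the cert is issued,
# and the clock is put back. The year used to be hard-coded ("Jan 1 2025");
# once that date has passed the cert is simply valid and the test loses its
# meaning, so the year is now derived from the current one.
# NOTE(review): jumping the wall clock is disruptive on a shared host (cron,
# TLS sessions, log ordering); run this on a throwaway machine or VM.
DATE_NOW=$(date)
FUTURE_YEAR=$(( $(date +%Y) + 10 ))
if date -s "Jan 1 $FUTURE_YEAR"; then
    openssl x509 -req -in axTLS.x509_512.req -out axTLS.x509_bad_before.pem \
        -sha1 -CAcreateserial -days 365 \
        -CA axTLS.ca_x509.pem -CAkey axTLS.ca_key.pem
    # restore the clock straight away, whether or not the signing succeeded
    date -s "$DATE_NOW"
    # the file was written "in the future"; give it a sane mtime again
    touch axTLS.x509_bad_before.pem
fi
# a negative -days puts notAfter in the past: an already-expired cert
openssl x509 -req -in axTLS.x509_512.req -out axTLS.x509_bad_after.pem \
    -sha1 -CAcreateserial -days -365 \
    -CA axTLS.ca_x509.pem -CAkey axTLS.ca_key.pem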
150:
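# some cleanup
# Remove only what this script created. The previous `rm *.conf` would also
# delete any unrelated .conf file in the working directory. The serial-file
# name depends on the OpenSSL release (a single axTLS.srl on old versions, one
# <CA-basename>.srl per issuing cert on newer ones), so match our own prefix
# and do not fail when a variant is absent.
rm -f axTLS*.req
rm -f axTLS*.srl
rm -f ca_cert.conf certs.conf device_cert.conf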
155:
# need this for the client tests: DER copies of the certs
for name in ca_x509 x509_512 x509_1024 x509_1042 x509_2048 x509_4096 x509_device; do
    openssl x509 -in "axTLS.$name.pem" -outform DER -out "axTLS.$name.cer"
done
164:
# generate pkcs8 files (use RC4-128 for encryption)
# PBE-SHA1-RC4-128 is obsolete; it is kept only because it is what the axTLS
# PKCS#8/PKCS#12 loader is tested against. Do not reuse these parameters.
# NOTE(review): OpenSSL 3.x moved RC4 to the legacy provider, so these
# commands may need `-provider legacy` there -- verify on the build host.
PBE=PBE-SHA1-RC4-128
openssl pkcs8 -in axTLS.key_512.pem -passout pass:abcd -topk8 -v1 $PBE -out axTLS.encrypted_pem.p8
openssl pkcs8 -in axTLS.key_512.pem -passout pass:abcd -topk8 -outform DER -v1 $PBE -out axTLS.encrypted.p8
openssl pkcs8 -in axTLS.key_512.pem -nocrypt -topk8 -out axTLS.unencrypted_pem.p8
openssl pkcs8 -in axTLS.key_512.pem -nocrypt -topk8 -outform DER -out axTLS.unencrypted.p8

# generate pkcs12 files (use RC4-128 for encryption)
# p12_export EXTRA...: bundle the 1024-bit key and cert, passing EXTRA through
p12_export() {
    openssl pkcs12 -export -in axTLS.x509_1024.pem -inkey axTLS.key_1024.pem \
        -keypbe $PBE -certpbe $PBE -password pass:abcd "$@"
}
p12_export -certfile axTLS.ca_x509.pem -name "p12_with_CA" -out axTLS.withCA.p12
p12_export -name "p12_without_CA" -out axTLS.withoutCA.p12
p12_export -out axTLS.noname.p12
175:
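# PEM certificate chain: device cert followed by the test root
cat axTLS.ca_x509.pem >> axTLS.x509_device.pem

# set default key/cert for use in the server
#
# These headers are presumably the server's built-in identity when no cert/key
# is supplied at runtime (judging by the default_* names). The key is 1024-bit
# and the cert is signed by the test "Dodgy" CA, so any binary that ships them
# carries a private key that also sits in the source tree; real deployments
# must supply their own.
#
# If xxd is missing, the pipeline below used to leave ../../ssl/cert.h and
# private_key.h truncated to empty (the redirect truncates before sed reads
# nothing from the failed command). Fail loudly instead.
if ! command -v xxd >/dev/null 2>&1; then
    echo "make_certs.sh: xxd is required to generate cert.h/private_key.h" >&2
    exit 1
fi
xxd -i axTLS.x509_1024.cer | sed -e \
    "s/axTLS_x509_1024_cer/default_certificate/" > ../../ssl/cert.h
xxd -i axTLS.key_1024 | sed -e \
    "s/axTLS_key_1024/default_private_key/" > ../../ssl/private_key.h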