4 # Copyright (c) 2007, Cameron Rich
8 # Redistribution and use in source and binary forms, with or without
9 # modification, are permitted provided that the following conditions are met:
11 # * Redistributions of source code must retain the above copyright notice,
12 # this list of conditions and the following disclaimer.
13 # * Redistributions in binary form must reproduce the above copyright
14 # notice, this list of conditions and the following disclaimer in the
15 # documentation and/or other materials provided with the distribution.
16 # * Neither the name of the axTLS project nor the names of its
17 # contributors may be used to endorse or promote products derived
18 # from this software without specific prior written permission.
20 # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
21 # "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
22 # LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
23 # A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR
24 # CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
25 # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
26 # TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
27 # DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
28 # OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
29 # NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
30 # THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
34 # Generate the certificates and keys for testing.
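# Organisation name stamped into every test subject below; it is expanded
# inside the unquoted heredocs.
PROJECT_NAME="axTLS Project"

# Generate the openssl configuration files.
#
# NOTE(review): this listing lost several lines of these three heredocs
# (the `[ req ]` section header, `prompt = no`, the `EOF` terminators and
# the DN entries of certs.conf).  They are restored here in the minimal
# form that lets `openssl req -config` run without interactive prompts;
# confirm the exact DN entries against the upstream script.
cat > ca_cert.conf << EOF
[ req ]
distinguished_name = req_distinguished_name
prompt = no

[ req_distinguished_name ]
O = $PROJECT_NAME Dodgy Certificate Authority
EOF

cat > certs.conf << EOF
[ req ]
distinguished_name = req_distinguished_name
prompt = no

[ req_distinguished_name ]
# NOTE(review): the entries of this section were not in the listing; the
# O= line below is a placeholder so the request is not empty -- restore
# the upstream values.
O = $PROJECT_NAME
EOF

cat > device_cert.conf << EOF
[ req ]
distinguished_name = req_distinguished_name
prompt = no

[ req_distinguished_name ]
O = $PROJECT_NAME Device Certificate
EOF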
# private key generation
#
# These are test-fixture keys: 512- and 1024-bit RSA are far below today's
# minimums and presumably exist so the suite can exercise those code paths.
openssl genrsa -out axTLS.ca_key.pem 1024
for bits in 512 1024 2048 4096; do
  openssl genrsa -out "axTLS.key_${bits}.pem" "$bits"
done
openssl genrsa -out axTLS.device_key.pem 1024

# Passphrase-protected variants.  The passphrase travels on the command
# line (-passout pass:...), where other local users can read it via ps and
# it lands in shell history; fine for a throwaway test passphrase only.
for cipher in aes128 aes256; do
  openssl genrsa "-${cipher}" -passout pass:abcd \
    -out "axTLS.key_${cipher}.pem" 512
done
# convert private keys into DER format
#
# `openssl rsa` is given no cipher option, so every DER file written here
# holds the private key in the clear.
for name in key_512 key_1024 key_2048 key_4096 device_key; do
  openssl rsa -in "axTLS.${name}.pem" -out "axTLS.${name}" -outform DER
done
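# certificate signing requests
#
# NOTE(review): the `-config` argument of the four sized requests was lost
# in this listing (each `-new \` continuation ran straight into the next
# command, which would have passed "openssl req ..." as extra arguments).
# certs.conf is the only generated config not otherwise used in this
# step, so it is restored here; confirm against upstream.
openssl req -out axTLS.ca_x509.req -key axTLS.ca_key.pem -new \
  -config ./ca_cert.conf
for bits in 512 1024 2048 4096; do
  openssl req -out "axTLS.x509_${bits}.req" -key "axTLS.key_${bits}.pem" \
    -new -config ./certs.conf
done
openssl req -out axTLS.x509_device.req -key axTLS.device_key.pem -new \
  -config ./device_cert.conf

# The encrypted keys need their passphrase to sign a request.  Passing it
# as -passin pass:... exposes it via ps and shell history; acceptable only
# because it is a fixed test value.
for cipher in aes128 aes256; do
  openssl req -out "axTLS.x509_${cipher}.req" -key "axTLS.key_${cipher}.pem" \
    -new -config ./certs.conf -passin pass:abcd
done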
# generate the actual certs.
#
# The digests (-sha1, -md5) and the 10000-day lifetime are test-fixture
# settings; the md5-signed 2048/4096 certs presumably exist to exercise
# that legacy path in the verifier and are not a template for real issuance.

# Self-signed root.
openssl x509 -req -in axTLS.ca_x509.req -out axTLS.ca_x509.pem \
  -sha1 -days 10000 -signkey axTLS.ca_key.pem

# issue_cert NAME DIGEST CA_CERT CA_KEY
# Signs axTLS.x509_NAME.req into axTLS.x509_NAME.pem under the given issuer.
# -CAcreateserial writes a serial file next to the CA cert on first use and
# reuses it on later calls.
issue_cert() {
  openssl x509 -req -in "axTLS.x509_$1.req" -out "axTLS.x509_$1.pem" \
    "$2" -CAcreateserial -days 10000 \
    -CA "$3" -CAkey "$4"
}

issue_cert 512    -sha1 axTLS.ca_x509.pem  axTLS.ca_key.pem
issue_cert 1024   -sha1 axTLS.ca_x509.pem  axTLS.ca_key.pem
issue_cert 2048   -md5  axTLS.ca_x509.pem  axTLS.ca_key.pem
issue_cert 4096   -md5  axTLS.ca_x509.pem  axTLS.ca_key.pem
# The device cert is issued by the 512-bit cert rather than the root, so
# validating it needs the 512-bit cert as an intermediate.
issue_cert device -sha1 axTLS.x509_512.pem axTLS.key_512.pem
issue_cert aes128 -sha1 axTLS.ca_x509.pem  axTLS.ca_key.pem
issue_cert aes256 -sha1 axTLS.ca_x509.pem  axTLS.ca_key.pem
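# note: must be root to do this
#
# Moving the system clock forward is how this script mints a certificate
# whose notBefore lies in the future.  That mutates the host's clock, so
# the current time is captured first and put back once the cert is signed
# (the restore and the closing `fi` are not visible in this listing --
# NOTE(review): confirm against upstream).  The hard-coded date has to stay
# ahead of the real date when the tests run, otherwise
# axTLS.x509_bad_before.pem silently stops being "not yet valid".
saved_date=$(date)
if date -s "Jan 1 2025"; then
  openssl x509 -req -in axTLS.x509_512.req -out axTLS.x509_bad_before.pem \
    -sha1 -CAcreateserial -days 365 \
    -CA axTLS.ca_x509.pem -CAkey axTLS.ca_key.pem
  # Put the clock back (loses the few seconds the signing took).
  date -s "$saved_date"
  # presumably so the file's mtime reflects the real clock, not 2025
  touch axTLS.x509_bad_before.pem
fi

# A negative lifetime yields a certificate that has already expired; this
# needs no clock change, so it runs regardless of the branch above.
openssl x509 -req -in axTLS.x509_512.req -out axTLS.x509_bad_after.pem \
  -sha1 -CAcreateserial -days -365 \
  -CA axTLS.ca_x509.pem -CAkey axTLS.ca_key.pem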
# need this for the client tests
#
# DER copies of the public certs; these carry no private material.
for name in ca_x509 x509_512 x509_1024 x509_2048 x509_4096 x509_device; do
  openssl x509 -in "axTLS.${name}.pem" -outform DER -out "axTLS.${name}.cer"
done
# generate pkcs8 files (use RC4-128 for encryption)
#
# RC4-based password-based encryption is obsolete; it is used here only so
# the tests have fixtures in that legacy format.  The two -nocrypt outputs
# hold the key in the clear.  The passphrase is on the command line
# (visible via ps), which is acceptable only for this fixed test value.
pkcs8_src=axTLS.key_512.pem
openssl pkcs8 -in "$pkcs8_src" -topk8 -v1 PBE-SHA1-RC4-128 \
  -passout pass:abcd -out axTLS.encrypted_pem.p8
openssl pkcs8 -in "$pkcs8_src" -topk8 -v1 PBE-SHA1-RC4-128 -outform DER \
  -passout pass:abcd -out axTLS.encrypted.p8
openssl pkcs8 -in "$pkcs8_src" -topk8 -nocrypt -out axTLS.unencrypted_pem.p8
openssl pkcs8 -in "$pkcs8_src" -topk8 -nocrypt -outform DER \
  -out axTLS.unencrypted.p8
# generate pkcs12 files (use RC4-128 for encryption)
#
# make_p12 OUTFILE [extra openssl pkcs12 args...]
# Bundles the 1024-bit key and cert into OUTFILE with RC4-128 PBE for both
# the key and the certs (a legacy scheme kept only as a test fixture).
# The export password is given on the command line and is a fixed test
# value; the same exposure-via-ps caveat as elsewhere in this script applies.
make_p12() {
  p12_out=$1
  shift
  openssl pkcs12 -export -in axTLS.x509_1024.pem -inkey axTLS.key_1024.pem \
    -keypbe PBE-SHA1-RC4-128 -certpbe PBE-SHA1-RC4-128 \
    "$@" -out "$p12_out" -password pass:abcd
}

# with the issuing CA cert included, without it, and without a friendly name
make_p12 axTLS.withCA.p12    -certfile axTLS.ca_x509.pem -name "p12_with_CA"
make_p12 axTLS.withoutCA.p12 -name "p12_without_CA"
make_p12 axTLS.noname.p12
# PEM certificate chain
#
# Appends the root to the device cert so one file carries leaf + root.
# The device cert was issued by the 512-bit cert, not by the root, so this
# file has no intermediate in it -- presumably what the tests expect;
# confirm before treating it as a complete chain.
cat >> axTLS.x509_device.pem axTLS.ca_x509.pem
# set default key/cert for use in the server
#
# embed_blob FILE XXD_NAME SYMBOL HEADER
# Writes FILE as a C byte array into HEADER (overwriting it), renaming the
# array from the name xxd derives from FILE (XXD_NAME) to SYMBOL.
# Note this bakes the 1024-bit *test* private key into the source tree as
# the server default: every build that ships it shares one well-known key.
embed_blob() {
  xxd -i "$1" | sed -e "s/$2/$3/" > "$4"
}

embed_blob axTLS.x509_1024.cer axTLS_x509_1024_cer default_certificate \
  ../../ssl/cert.h
embed_blob axTLS.key_1024 axTLS_key_1024 default_private_key \
  ../../ssl/private_key.h