hostapd/tests/hwsim/auth_serv/ica-generate.sh
Jouni Malinen b4635f0a61 tests: GnuTLS configuration of intermediate CA certificate
GnuTLS seems to require the intermediate CA certificate to be included
both in the ca_cert and client_cert file for the cases of server and
client certificates using different intermediate CA certificates. Use
the user_and_ica.pem file with GnuTLS builds and reorder the
certificates in that file to make this work with GnuTLS.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-12-29 12:01:22 +02:00

87 lines
4.4 KiB
Bash
Executable file

#!/bin/sh
OPENSSL=openssl
echo
echo "---[ Intermediate CA - Server ]-----------------------------------------"
echo
cat ec-ca-openssl.cnf |
sed "s/ec-ca/rootCA/" |
sed "s/#@CN@/commonName_default = Server Intermediate CA/" \
> openssl.cnf.tmp
mkdir -p iCA-server/certs iCA-server/crl iCA-server/newcerts iCA-server/private
touch iCA-server/index.txt
$OPENSSL req -config openssl.cnf.tmp -batch -new -newkey rsa:2048 -nodes -keyout iCA-server/private/cakey.pem -out iCA-server/careq.pem -outform PEM -days 3652 -sha256
$OPENSSL ca -config openssl.cnf.tmp -md sha256 -create_serial -out iCA-server/cacert.pem -days 3652 -batch -keyfile ca-key.pem -cert ca.pem -extensions v3_ca -outdir rootCA/newcerts -infiles iCA-server/careq.pem
cat iCA-server/cacert.pem ca.pem > iCA-server/ca-and-root.pem
rm openssl.cnf.tmp
echo
echo "---[ Intermediate CA - User ]-------------------------------------------"
echo
cat ec-ca-openssl.cnf |
sed "s/ec-ca/rootCA/" |
sed "s/#@CN@/commonName_default = User Intermediate CA/" \
> openssl.cnf.tmp
mkdir -p iCA-user/certs iCA-user/crl iCA-user/newcerts iCA-user/private
touch iCA-user/index.txt
$OPENSSL req -config openssl.cnf.tmp -batch -new -newkey rsa:2048 -nodes -keyout iCA-user/private/cakey.pem -out iCA-user/careq.pem -outform PEM -days 3652 -sha256
$OPENSSL ca -config openssl.cnf.tmp -md sha256 -create_serial -out iCA-user/cacert.pem -days 3652 -batch -keyfile ca-key.pem -cert ca.pem -extensions v3_ca -outdir rootCA/newcerts -infiles iCA-user/careq.pem
cat iCA-user/cacert.pem ca.pem > iCA-user/ca-and-root.pem
rm openssl.cnf.tmp
echo
echo "---[ Server ]-----------------------------------------------------------"
echo
cat ec-ca-openssl.cnf |
sed "s/ec-ca/iCA-server/" |
sed "s/#@CN@/commonName_default = server.w1.fi/" |
sed "s/#@ALTNAME@/subjectAltName=critical,DNS:server.w1.fi/" \
> openssl.cnf.tmp
$OPENSSL req -config openssl.cnf.tmp -batch -new -newkey rsa:2048 -nodes -keyout iCA-server/server.key -out iCA-server/server.req -outform PEM -sha256
$OPENSSL ca -config openssl.cnf.tmp -batch -keyfile iCA-server/private/cakey.pem -cert iCA-server/cacert.pem -create_serial -in iCA-server/server.req -out iCA-server/server.pem -extensions ext_server -md sha256
cat iCA-server/cacert.pem iCA-server/server.pem > iCA-server/server_and_ica.pem
rm openssl.cnf.tmp
echo
echo "---[ Server - revoked ]-------------------------------------------------"
echo
cat ec-ca-openssl.cnf |
sed "s/ec-ca/iCA-server/" |
sed "s/#@CN@/commonName_default = server-revoked.w1.fi/" |
sed "s/#@ALTNAME@/subjectAltName=critical,DNS:server-revoked.w1.fi/" \
> openssl.cnf.tmp
$OPENSSL req -config openssl.cnf.tmp -batch -new -newkey rsa:2048 -nodes -keyout iCA-server/server-revoked.key -out iCA-server/server-revoked.req -outform PEM -sha256
$OPENSSL ca -config openssl.cnf.tmp -batch -keyfile iCA-server/private/cakey.pem -cert iCA-server/cacert.pem -create_serial -in iCA-server/server-revoked.req -out iCA-server/server-revoked.pem -extensions ext_server -md sha256
$OPENSSL ca -config openssl.cnf.tmp -revoke iCA-server/server-revoked.pem -keyfile iCA-server/private/cakey.pem -cert iCA-server/cacert.pem
cat iCA-server/cacert.pem iCA-server/server-revoked.pem > iCA-server/server-revoked_and_ica.pem
rm openssl.cnf.tmp
echo
echo "---[ User ]-----------------------------------------------------------"
echo
cat ec-ca-openssl.cnf |
sed "s/ec-ca/iCA-user/" |
sed "s/#@CN@/commonName_default = user.w1.fi/" |
sed "s/#@ALTNAME@/subjectAltName=critical,DNS:user.w1.fi/" \
> openssl.cnf.tmp
$OPENSSL req -config openssl.cnf.tmp -batch -new -newkey rsa:2048 -nodes -keyout iCA-user/user.key -out iCA-user/user.req -outform PEM -sha256
$OPENSSL ca -config openssl.cnf.tmp -batch -keyfile iCA-user/private/cakey.pem -cert iCA-user/cacert.pem -create_serial -in iCA-user/user.req -out iCA-user/user.pem -extensions ext_client -md sha256
cat iCA-user/user.pem iCA-user/cacert.pem > iCA-user/user_and_ica.pem
rm openssl.cnf.tmp
echo
echo "---[ Verify ]-----------------------------------------------------------"
echo
$OPENSSL verify -CAfile ca.pem iCA-server/cacert.pem
$OPENSSL verify -CAfile ca.pem iCA-user/cacert.pem
$OPENSSL verify -CAfile ca.pem -untrusted iCA-server/cacert.pem iCA-server/server.pem
$OPENSSL verify -CAfile ca.pem -untrusted iCA-server/cacert.pem iCA-server/server-revoked.pem
$OPENSSL verify -CAfile ca.pem iCA-user/cacert.pem
$OPENSSL verify -CAfile ca.pem -untrusted iCA-user/cacert.pem iCA-user/user.pem