arduino/esp8266
1
0
Fork 0
mirror of https://github.com/esp8266/Arduino.git synced 2025-06-16 11:21:18 +03:00
Code Activity

TLS 1.2 now passing a bunch of tests.

Browse Source 
git-svn-id: svn://svn.code.sf.net/p/axtls/code/trunk@266 9a5d90b5-6617-0410-8a86-bb477d3ed2e3
This commit is contained in:
cameronrich
2016-08-15 10:51:02 +00:00
committed by Yasuki Ikeuchi
parent fc6b6b346f
commit 871a70e495
8 changed files with 123 additions and 44 deletions
Download Patch File Download Diff File Expand all files Collapse all files

18
ssl/test/axTLS.ca_x509_sha256.pem Normal file
View File

@ -0,0 +1,18 @@
-----BEGIN CERTIFICATE-----
MIIC5DCCAcwCCQDGL4Ul/VVK0TANBgkqhkiG9w0BAQsFADA0MTIwMAYDVQQKEylh
eFRMUyBQcm9qZWN0IERvZGd5IENlcnRpZmljYXRlIEF1dGhvcml0eTAeFw0xNjA4
MTUxMDIwNTZaFw0zMDA0MjQxMDIwNTZaMDQxMjAwBgNVBAoTKWF4VExTIFByb2pl
Y3QgRG9kZ3kgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MIIBIjANBgkqhkiG9w0BAQEF
AAOCAQ8AMIIBCgKCAQEA6d9BDlOJo6fdmSkUdAkMYFnlAK4Q5qwE/vYX8umY0Gz1
CEIwEyKJq+rCpl2vmlwEETGcphlRsiybOMwVfdRDQv51ZfTJnz1WQZBKdsYb55xy
JWOZFHSpuZa+THW1TOImpvxXoK3OMh/dcuaQG5G7QoWMWRK5aZvpl27rRx033dik
U8lO12oaUtCD3AgNttU7zTLiIQjeIZ9JbES74mx1s4lT22nmXoL5/AdJa3yGjDjG
J1RX8hQ7/pbcC2s4+0XIjGthB2ClJWyvv8bY96POZ+Kc5XLFFjxYoGHtRzQbw2gx
rx7r5/a+d7XgWedMnwf1M1/v9vNA14kgjg2pwuFD4QIDAQABMA0GCSqGSIb3DQEB
CwUAA4IBAQBW9MtGYroXnu8id8rDvjki8Vk8lDBD0AkOq5QYbXB322Wbg2C+cmHP
zQAJ9YZU/NjnRZiEX1QVoZAXdSXXScbUbSlBQweEvGZmailTGPhJ/wtmNtK6P7ZP
YIJ6XaQdALvteULFMhEQKM9UUkrsbqh41wtoTjOsMlWcRvq9FHLujXxyzjvFPdEI
kz26d7F2yqtgzxW4YLAlclZu6vex/MzNmbjhHenMWp6LNWVWofdIv9jRS1tOSyK+
hg2sV7CL75nzQ/A22ql8X3SZLAZNR/V7DF+MSBrIcHBzgFZ8QEGlNam29WseuC2C
51+ZXtv0DZ1bPmX+Pz1E06wMGlBTpC4z
-----END CERTIFICATE-----

15
ssl/test/axTLS.x509_1024_sha256.pem Normal file
View File

@ -0,0 +1,15 @@
-----BEGIN CERTIFICATE-----
MIICWDCCAUACCQCMs+C6AhuzaTANBgkqhkiG9w0BAQsFADA0MTIwMAYDVQQKEylh
eFRMUyBQcm9qZWN0IERvZGd5IENlcnRpZmljYXRlIEF1dGhvcml0eTAeFw0xNjA4
MTUxMDIwNTZaFw0zMDA0MjQxMDIwNTZaMCwxFjAUBgNVBAoTDWF4VExTIFByb2pl
Y3QxEjAQBgNVBAMTCWxvY2FsaG9zdDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkC
gYEAq9P2gjL8e0OgMrA81JoZeqaZMRmSaTH8xIHf7MkbGYW1ZyBWW+n+017itYgH
pu61CiYcyAfuUACTL2VBhrakCb+j53OF0V+9uEH/BkftUUcu+6ppBB4XI5KbYmTH
JjhBW8N1OHadHLCG4dkQLjnaFgekpM8xZzvd4kkbM4mZqtECAwEAATANBgkqhkiG
9w0BAQsFAAOCAQEAG/SBHWYNVf5drxN1aLx9UqTpryjmzDP9/gckKpuNEiDCmp38
MIKBJYamL9hTwmtf1k4vHB2sxXfv9AVULwMa7+RcgUc3fhTWWoqf1LvYvzMrx9W9
yU6bfXQh5zb6TOrq/j4fliA2NeDvAzq8tzhBVhiyvy0GhhU1C9eBRVFr4D9l/B2z
odWvCZ4ljLjtmoOhrSSf0OHFuk/eqFJ/SS1jo3ugl7wEmMzphOjmwgK7CLyACBSn
6Bzlh/A16AgqznniMHZ9p99zopMSqPUkCCHPEUiqs8hoy6Pc7O6FrTKfkeiAnY1u
SfKiOf4ODmDcLb5gVtDx+zp59Q/khBX+6IT+BA==
-----END CERTIFICATE-----

15
ssl/test/axTLS.x509_1024_sha384.pem Normal file
View File

@ -0,0 +1,15 @@
-----BEGIN CERTIFICATE-----
MIICWDCCAUACCQCMs+C6AhuzajANBgkqhkiG9w0BAQwFADA0MTIwMAYDVQQKEylh
eFRMUyBQcm9qZWN0IERvZGd5IENlcnRpZmljYXRlIEF1dGhvcml0eTAeFw0xNjA4
MTUxMDIwNTZaFw0zMDA0MjQxMDIwNTZaMCwxFjAUBgNVBAoTDWF4VExTIFByb2pl
Y3QxEjAQBgNVBAMTCWxvY2FsaG9zdDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkC
gYEAq9P2gjL8e0OgMrA81JoZeqaZMRmSaTH8xIHf7MkbGYW1ZyBWW+n+017itYgH
pu61CiYcyAfuUACTL2VBhrakCb+j53OF0V+9uEH/BkftUUcu+6ppBB4XI5KbYmTH
JjhBW8N1OHadHLCG4dkQLjnaFgekpM8xZzvd4kkbM4mZqtECAwEAATANBgkqhkiG
9w0BAQwFAAOCAQEA151mqDTC1YPiFq4t7J2UK84jYlGriW0z6KhfmtecLm18Uu07
vDh+cvWoFRf/fgSlO7c6td0Jb4NGjPBwpV4UmoYND65d1+EkrP+Bl+2DndUi/xka
h4bwfmPrKAjDbUZaNnRi1zQdyPU9tta9b0MamHQVHFOIAyLQXDf1/Tz+wRaFPCIH
PfJEqjD4Nr15O41aMJOaM170rOtbQ9uH4Vlotpt+xJsHufmHFMf1fJtgBXayCzmS
1927ajoKNyDA/QQ+e+60uba6UN6CQnoMzmkMypMxD4JBUt6TEgB46uQ7nkkf3raS
tMAyMnytSc+O7EbhZSWWBSTUkeI+YWjLAtI42Q==
-----END CERTIFICATE-----

15
ssl/test/axTLS.x509_1024_sha512.pem Normal file
View File

@ -0,0 +1,15 @@
-----BEGIN CERTIFICATE-----
MIICWDCCAUACCQCMs+C6AhuzazANBgkqhkiG9w0BAQ0FADA0MTIwMAYDVQQKEylh
eFRMUyBQcm9qZWN0IERvZGd5IENlcnRpZmljYXRlIEF1dGhvcml0eTAeFw0xNjA4
MTUxMDIwNTZaFw0zMDA0MjQxMDIwNTZaMCwxFjAUBgNVBAoTDWF4VExTIFByb2pl
Y3QxEjAQBgNVBAMTCWxvY2FsaG9zdDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkC
gYEAq9P2gjL8e0OgMrA81JoZeqaZMRmSaTH8xIHf7MkbGYW1ZyBWW+n+017itYgH
pu61CiYcyAfuUACTL2VBhrakCb+j53OF0V+9uEH/BkftUUcu+6ppBB4XI5KbYmTH
JjhBW8N1OHadHLCG4dkQLjnaFgekpM8xZzvd4kkbM4mZqtECAwEAATANBgkqhkiG
9w0BAQ0FAAOCAQEA51hsTX6DlE9WnI0XaNfx0hfWG74maMZK+GG1LQKi6JlaA6U4
7aLpoluw4G7oZz39ROuNbOvTMrhN4kOXG16Zk2HGufzAQgqoegIsgI2BiaOtmBnn
vOchhiZ16JLmKB6ZMlESFubV1Ynyr6QacTLOipLGICGn3N65BrbwfaXD/nbJQd+a
YOwkJ9OHxbK9zqLMBG3kK/QKXqID3dI21+MDCGSSBAh/tVPhwTMcTzViF5vT4Mpq
81+Z9eg3vI++rOiBppdjRKH4CFcO74rEA6j9fNFHI0PiS142TtT4vXLf+D4PQLkI
tBuSq99ensRy5IvjYXpcx7/jixVd3MmwWrolbg==
-----END CERTIFICATE-----

15
ssl/tls1.c
View File

@ -765,7 +765,9 @@ void add_packet(SSL *ssl, const uint8_t *pkt, int len)
SHA256_Update(&ssl->dc->sha256_ctx, pkt, len); SHA256_Update(&ssl->dc->sha256_ctx, pkt, len);
} }
if (ssl->version < SSL_PROTOCOL_VERSION_TLS1_2) if (ssl->version < SSL_PROTOCOL_VERSION_TLS1_2 ||
ssl->next_state == HS_SERVER_HELLO ||
ssl->next_state == 0)
{ {
MD5_Update(&ssl->dc->md5_ctx, pkt, len); MD5_Update(&ssl->dc->md5_ctx, pkt, len);
SHA1_Update(&ssl->dc->sha1_ctx, pkt, len); SHA1_Update(&ssl->dc->sha1_ctx, pkt, len);
@ -894,7 +896,7 @@ static void prf(SSL *ssl, const uint8_t *sec, int sec_len,
void generate_master_secret(SSL *ssl, const uint8_t *premaster_secret) void generate_master_secret(SSL *ssl, const uint8_t *premaster_secret)
{ {
uint8_t buf[128]; uint8_t buf[128];
//print_blob("premaster secret", premaster_secret, 48); //print_blob("premaster secret", premaster_secret, 48);
strcpy((char *)buf, "master secret"); strcpy((char *)buf, "master secret");
memcpy(&buf[13], ssl->dc->client_random, SSL_RANDOM_SIZE); memcpy(&buf[13], ssl->dc->client_random, SSL_RANDOM_SIZE);
memcpy(&buf[45], ssl->dc->server_random, SSL_RANDOM_SIZE); memcpy(&buf[45], ssl->dc->server_random, SSL_RANDOM_SIZE);
@ -1994,6 +1996,7 @@ static int check_certificate_chain(SSL *ssl)
if (!found) if (!found)
{ {
ret = SSL_ERROR_INVALID_CERT_HASH_ALG; ret = SSL_ERROR_INVALID_CERT_HASH_ALG;
goto error; goto error;
} }
@ -2033,7 +2036,7 @@ int process_certificate(SSL *ssl, X509_CTX **x509_ctx)
uint8_t *buf = &ssl->bm_data[ssl->dc->bm_proc_index]; uint8_t *buf = &ssl->bm_data[ssl->dc->bm_proc_index];
int pkt_size = ssl->bm_index; int pkt_size = ssl->bm_index;
int cert_size, offset = 5, offset_start; int cert_size, offset = 5, offset_start;
int total_cert_size = (buf[offset]<<8) + buf[offset+1]; int total_cert_len = (buf[offset]<<8) + buf[offset+1];
int is_client = IS_SET_SSL_FLAG(SSL_IS_CLIENT); int is_client = IS_SET_SSL_FLAG(SSL_IS_CLIENT);
X509_CTX *chain = 0; X509_CTX *chain = 0;
X509_CTX **certs = 0; X509_CTX **certs = 0;
@ -2042,13 +2045,13 @@ int process_certificate(SSL *ssl, X509_CTX **x509_ctx)
int i = 0; int i = 0;
offset += 2; offset += 2;
PARANOIA_CHECK(total_cert_size, offset); PARANOIA_CHECK(pkt_size, total_cert_len + offset);
// record the start point for the second pass // record the start point for the second pass
offset_start = offset; offset_start = offset;
// first pass - count the certificates // first pass - count the certificates
while (offset < total_cert_size) while (offset < total_cert_len)
{ {
offset++; /* skip empty char */ offset++; /* skip empty char */
cert_size = (buf[offset]<<8) + buf[offset+1]; cert_size = (buf[offset]<<8) + buf[offset+1];
@ -2067,7 +2070,7 @@ int process_certificate(SSL *ssl, X509_CTX **x509_ctx)
offset = offset_start; offset = offset_start;
// second pass - load the certificates // second pass - load the certificates
while (offset < total_cert_size) while (offset < total_cert_len)
{ {
offset++; /* skip empty char */ offset++; /* skip empty char */
cert_size = (buf[offset]<<8) + buf[offset+1]; cert_size = (buf[offset]<<8) + buf[offset+1];

7
ssl/tls1_clnt.c
View File

@ -462,7 +462,7 @@ static int send_cert_verify(SSL *ssl)
if (rsa_ctx) if (rsa_ctx)
{ {
SSL_CTX_LOCK(ssl->ssl_ctx->mutex); SSL_CTX_LOCK(ssl->ssl_ctx->mutex);
n = RSA_encrypt(rsa_ctx, dgst, dgst_len, &buf[offset+2], 1); n = RSA_encrypt(rsa_ctx, dgst, dgst_len, &buf[offset + 2], 1);
SSL_CTX_UNLOCK(ssl->ssl_ctx->mutex); SSL_CTX_UNLOCK(ssl->ssl_ctx->mutex);
if (n == 0) if (n == 0)
@ -478,12 +478,13 @@ static int send_cert_verify(SSL *ssl)
if (ssl->version >= SSL_PROTOCOL_VERSION_TLS1_2) // TLS1.2 if (ssl->version >= SSL_PROTOCOL_VERSION_TLS1_2) // TLS1.2
{ {
n += 2; n += 2; // sig/alg
offset -= 2;
} }
buf[2] = n >> 8; buf[2] = n >> 8;
buf[3] = n & 0xff; buf[3] = n & 0xff;
ret = send_packet(ssl, PT_HANDSHAKE_PROTOCOL, NULL, n + offset - 2); ret = send_packet(ssl, PT_HANDSHAKE_PROTOCOL, NULL, n + offset);
error: error:
return ret; return ret;

26
ssl/tls1_svr.c
View File

@ -185,6 +185,12 @@ do_compression:
offset += id_len; offset += id_len;
PARANOIA_CHECK(pkt_size, offset + id_len); PARANOIA_CHECK(pkt_size, offset + id_len);
if (offset == pkt_size)
{
/* no extensions */
goto error;
}
/* extension size */ /* extension size */
id_len = buf[offset++] << 8; id_len = buf[offset++] << 8;
id_len += buf[offset++]; id_len += buf[offset++];
@ -420,13 +426,23 @@ static const uint8_t g_cert_request[] = { HS_CERT_REQ, 0,
0, 0 0, 0
}; };
static const uint8_t g_cert_request_v1[] = { HS_CERT_REQ, 0, 0, 4, 1, 0, 0, 0 };
/* /*
* Send the certificate request message. * Send the certificate request message.
*/ */
static int send_certificate_request(SSL *ssl) static int send_certificate_request(SSL *ssl)
{ {
return send_packet(ssl, PT_HANDSHAKE_PROTOCOL, if (ssl->version >= SSL_PROTOCOL_VERSION_TLS1_2) // TLS1.2
{
return send_packet(ssl, PT_HANDSHAKE_PROTOCOL,
g_cert_request, sizeof(g_cert_request)); g_cert_request, sizeof(g_cert_request));
}
else
{
return send_packet(ssl, PT_HANDSHAKE_PROTOCOL,
g_cert_request_v1, sizeof(g_cert_request_v1));
}
} }
/* /*
@ -442,8 +458,6 @@ static int process_cert_verify(SSL *ssl)
X509_CTX *x509_ctx = ssl->x509_ctx; X509_CTX *x509_ctx = ssl->x509_ctx;
int ret = SSL_OK; int ret = SSL_OK;
int offset = 6; int offset = 6;
uint8_t hash_alg;
uint8_t sig_alg;
int rsa_len; int rsa_len;
int n; int n;
@ -451,10 +465,12 @@ static int process_cert_verify(SSL *ssl)
if (ssl->version >= SSL_PROTOCOL_VERSION_TLS1_2) // TLS1.2 if (ssl->version >= SSL_PROTOCOL_VERSION_TLS1_2) // TLS1.2
{ {
hash_alg = buf[4]; // TODO: need to be able to handle another hash type here
sig_alg = buf[5]; //uint8_t hash_alg = buf[4];
//uint8_t sig_alg = buf[5];
offset = 8; offset = 8;
rsa_len = (buf[6] << 8) + buf[7]; rsa_len = (buf[6] << 8) + buf[7];
//printf("YO, GOT %d %d\n", hash_alg, sig_alg);
} }
else else
{ {

56
tools/make_certs.sh
View File

@ -56,7 +56,7 @@ prompt = no
[ req_distinguished_name ] [ req_distinguished_name ]
O = $PROJECT_NAME O = $PROJECT_NAME
CN = 127.0.0.1 CN = localhost
EOF EOF
cat > device_cert.conf << EOF cat > device_cert.conf << EOF
@ -70,20 +70,15 @@ EOF
# private key generation # private key generation
openssl genrsa -out axTLS.ca_key.pem 2048 openssl genrsa -out axTLS.ca_key.pem 2048
openssl genrsa -out axTLS.key_512.pem 512
openssl genrsa -out axTLS.key_1024.pem 1024 openssl genrsa -out axTLS.key_1024.pem 1024
openssl genrsa -out axTLS.key_1042.pem 1042
openssl genrsa -out axTLS.key_2048.pem 2048 openssl genrsa -out axTLS.key_2048.pem 2048
openssl genrsa -out axTLS.key_4096.pem 4096 openssl genrsa -out axTLS.key_4096.pem 4096
openssl genrsa -out axTLS.device_key.pem 1024 openssl genrsa -out axTLS.device_key.pem 1024
openssl genrsa -aes128 -passout pass:abcd -out axTLS.key_aes128.pem 512 openssl genrsa -aes128 -passout pass:abcd -out axTLS.key_aes128.pem 1024
openssl genrsa -aes256 -passout pass:abcd -out axTLS.key_aes256.pem 512 openssl genrsa -aes256 -passout pass:abcd -out axTLS.key_aes256.pem 1024
# convert private keys into DER format # convert private keys into DER format
openssl rsa -in axTLS.key_512.pem -out axTLS.key_512 -outform DER
openssl rsa -in axTLS.key_1024.pem -out axTLS.key_1024 -outform DER openssl rsa -in axTLS.key_1024.pem -out axTLS.key_1024 -outform DER
openssl rsa -in axTLS.key_1042.pem -out axTLS.key_1042 -outform DER
openssl rsa -in axTLS.key_2048.pem -out axTLS.key_2048 -outform DER openssl rsa -in axTLS.key_2048.pem -out axTLS.key_2048 -outform DER
openssl rsa -in axTLS.key_4096.pem -out axTLS.key_4096 -outform DER openssl rsa -in axTLS.key_4096.pem -out axTLS.key_4096 -outform DER
openssl rsa -in axTLS.device_key.pem -out axTLS.device_key -outform DER openssl rsa -in axTLS.device_key.pem -out axTLS.device_key -outform DER
@ -91,12 +86,8 @@ openssl rsa -in axTLS.device_key.pem -out axTLS.device_key -outform DER
# cert requests # cert requests
openssl req -out axTLS.ca_x509.req -key axTLS.ca_key.pem -new \ openssl req -out axTLS.ca_x509.req -key axTLS.ca_key.pem -new \
-config ./ca_cert.conf -config ./ca_cert.conf
openssl req -out axTLS.x509_512.req -key axTLS.key_512.pem -new \
-config ./certs.conf
openssl req -out axTLS.x509_1024.req -key axTLS.key_1024.pem -new \ openssl req -out axTLS.x509_1024.req -key axTLS.key_1024.pem -new \
-config ./certs.conf -config ./certs.conf
openssl req -out axTLS.x509_1042.req -key axTLS.key_1042.pem -new \
-config ./certs.conf
openssl req -out axTLS.x509_2048.req -key axTLS.key_2048.pem -new \ openssl req -out axTLS.x509_2048.req -key axTLS.key_2048.pem -new \
-config ./certs.conf -config ./certs.conf
openssl req -out axTLS.x509_4096.req -key axTLS.key_4096.pem -new \ openssl req -out axTLS.x509_4096.req -key axTLS.key_4096.pem -new \
@ -110,25 +101,32 @@ openssl req -out axTLS.x509_aes256.req -key axTLS.key_aes256.pem \
# generate the actual certs. # generate the actual certs.
openssl x509 -req -in axTLS.ca_x509.req -out axTLS.ca_x509.pem \ openssl x509 -req -in axTLS.ca_x509.req -out axTLS.ca_x509.pem \
-sha1 -days 5000 -signkey axTLS.ca_key.pem -sha1 -days 5000 -signkey axTLS.ca_key.pem \
openssl x509 -req -in axTLS.x509_512.req -out axTLS.x509_512.pem \ -CAkey axTLS.ca_key.pem
-sha1 -CAcreateserial -days 5000 \ openssl x509 -req -in axTLS.ca_x509.req -out axTLS.ca_x509_sha256.pem \
-CA axTLS.ca_x509.pem -CAkey axTLS.ca_key.pem -sha256 -days 5000 -signkey axTLS.ca_key.pem \
-CAkey axTLS.ca_key.pem
openssl x509 -req -in axTLS.x509_1024.req -out axTLS.x509_1024.pem \ openssl x509 -req -in axTLS.x509_1024.req -out axTLS.x509_1024.pem \
-sha1 -CAcreateserial -days 5000 \ -sha1 -CAcreateserial -days 5000 \
-CA axTLS.ca_x509.pem -CAkey axTLS.ca_key.pem -CA axTLS.ca_x509.pem -CAkey axTLS.ca_key.pem
openssl x509 -req -in axTLS.x509_1042.req -out axTLS.x509_1042.pem \ openssl x509 -req -in axTLS.x509_1024.req -out axTLS.x509_1024_sha256.pem \
-sha1 -CAcreateserial -days 5000 \ -sha256 -CAcreateserial -days 5000 \
-CA axTLS.ca_x509.pem -CAkey axTLS.ca_key.pem -CA axTLS.ca_x509_sha256.pem -CAkey axTLS.ca_key.pem
openssl x509 -req -in axTLS.x509_1024.req -out axTLS.x509_1024_sha384.pem \
-sha384 -CAcreateserial -days 5000 \
-CA axTLS.ca_x509_sha256.pem -CAkey axTLS.ca_key.pem
openssl x509 -req -in axTLS.x509_1024.req -out axTLS.x509_1024_sha512.pem \
-sha512 -CAcreateserial -days 5000 \
-CA axTLS.ca_x509_sha256.pem -CAkey axTLS.ca_key.pem
openssl x509 -req -in axTLS.x509_2048.req -out axTLS.x509_2048.pem \ openssl x509 -req -in axTLS.x509_2048.req -out axTLS.x509_2048.pem \
-sha1 -CAcreateserial -days 5000 \ -sha1 -CAcreateserial -days 5000 \
-CA axTLS.ca_x509.pem -CAkey axTLS.ca_key.pem -CA axTLS.ca_x509.pem -CAkey axTLS.ca_key.pem
openssl x509 -req -in axTLS.x509_4096.req -out axTLS.x509_4096.pem \ openssl x509 -req -in axTLS.x509_4096.req -out axTLS.x509_4096.pem \
-sha256 -CAcreateserial -days 5000 \ -sha1 -CAcreateserial -days 5000 \
-CA axTLS.ca_x509.pem -CAkey axTLS.ca_key.pem -CA axTLS.ca_x509.pem -CAkey axTLS.ca_key.pem
openssl x509 -req -in axTLS.x509_device.req -out axTLS.x509_device.pem \ openssl x509 -req -in axTLS.x509_device.req -out axTLS.x509_device.pem \
-sha1 -CAcreateserial -days 5000 \ -sha1 -CAcreateserial -days 5000 \
-CA axTLS.x509_512.pem -CAkey axTLS.key_512.pem -CA axTLS.x509_1024.pem -CAkey axTLS.key_1024.pem
openssl x509 -req -in axTLS.x509_aes128.req \ openssl x509 -req -in axTLS.x509_aes128.req \
-out axTLS.x509_aes128.pem \ -out axTLS.x509_aes128.pem \
-sha1 -CAcreateserial -days 5000 \ -sha1 -CAcreateserial -days 5000 \
@ -141,35 +139,33 @@ openssl x509 -req -in axTLS.x509_aes256.req \
# note: must be root to do this # note: must be root to do this
DATE_NOW=`date` DATE_NOW=`date`
if date -s "Jan 1 2025"; then if date -s "Jan 1 2025"; then
openssl x509 -req -in axTLS.x509_512.req -out axTLS.x509_bad_before.pem \ openssl x509 -req -in axTLS.x509_1024.req -out axTLS.x509_bad_before.pem \
-sha1 -CAcreateserial -days 365 \ -sha1 -CAcreateserial -days 365 \
-CA axTLS.ca_x509.pem -CAkey axTLS.ca_key.pem -CA axTLS.ca_x509.pem -CAkey axTLS.ca_key.pem
date -s "$DATE_NOW" date -s "$DATE_NOW"
touch axTLS.x509_bad_before.pem touch axTLS.x509_bad_before.pem
fi fi
openssl x509 -req -in axTLS.x509_512.req -out axTLS.x509_bad_after.pem \ openssl x509 -req -in axTLS.x509_1024.req -out axTLS.x509_bad_after.pem \
-sha1 -CAcreateserial -days -365 \ -sha1 -CAcreateserial -days -365 \
-CA axTLS.ca_x509.pem -CAkey axTLS.ca_key.pem -CA axTLS.ca_x509.pem -CAkey axTLS.ca_key.pem
# some cleanup # some cleanup
rm axTLS*.req rm axTLS*.req
rm axTLS.srl rm *.srl
rm *.conf rm *.conf
# need this for the client tests # need this for the client tests
openssl x509 -in axTLS.ca_x509.pem -outform DER -out axTLS.ca_x509.cer openssl x509 -in axTLS.ca_x509.pem -outform DER -out axTLS.ca_x509.cer
openssl x509 -in axTLS.x509_512.pem -outform DER -out axTLS.x509_512.cer
openssl x509 -in axTLS.x509_1024.pem -outform DER -out axTLS.x509_1024.cer openssl x509 -in axTLS.x509_1024.pem -outform DER -out axTLS.x509_1024.cer
openssl x509 -in axTLS.x509_1042.pem -outform DER -out axTLS.x509_1042.cer
openssl x509 -in axTLS.x509_2048.pem -outform DER -out axTLS.x509_2048.cer openssl x509 -in axTLS.x509_2048.pem -outform DER -out axTLS.x509_2048.cer
openssl x509 -in axTLS.x509_4096.pem -outform DER -out axTLS.x509_4096.cer openssl x509 -in axTLS.x509_4096.pem -outform DER -out axTLS.x509_4096.cer
openssl x509 -in axTLS.x509_device.pem -outform DER -out axTLS.x509_device.cer openssl x509 -in axTLS.x509_device.pem -outform DER -out axTLS.x509_device.cer
# generate pkcs8 files (use RC4-128 for encryption) # generate pkcs8 files (use RC4-128 for encryption)
openssl pkcs8 -in axTLS.key_512.pem -passout pass:abcd -topk8 -v1 PBE-SHA1-RC4-128 -out axTLS.encrypted_pem.p8 openssl pkcs8 -in axTLS.key_1024.pem -passout pass:abcd -topk8 -v1 PBE-SHA1-RC4-128 -out axTLS.encrypted_pem.p8
openssl pkcs8 -in axTLS.key_512.pem -passout pass:abcd -topk8 -outform DER -v1 PBE-SHA1-RC4-128 -out axTLS.encrypted.p8 openssl pkcs8 -in axTLS.key_1024.pem -passout pass:abcd -topk8 -outform DER -v1 PBE-SHA1-RC4-128 -out axTLS.encrypted.p8
openssl pkcs8 -in axTLS.key_512.pem -nocrypt -topk8 -out axTLS.unencrypted_pem.p8 openssl pkcs8 -in axTLS.key_1024.pem -nocrypt -topk8 -out axTLS.unencrypted_pem.p8
openssl pkcs8 -in axTLS.key_512.pem -nocrypt -topk8 -outform DER -out axTLS.unencrypted.p8 openssl pkcs8 -in axTLS.key_1024.pem -nocrypt -topk8 -outform DER -out axTLS.unencrypted.p8
# generate pkcs12 files (use RC4-128 for encryption) # generate pkcs12 files (use RC4-128 for encryption)
openssl pkcs12 -export -in axTLS.x509_1024.pem -inkey axTLS.key_1024.pem -certfile axTLS.ca_x509.pem -keypbe PBE-SHA1-RC4-128 -certpbe PBE-SHA1-RC4-128 -name "p12_with_CA" -out axTLS.withCA.p12 -password pass:abcd openssl pkcs12 -export -in axTLS.x509_1024.pem -inkey axTLS.key_1024.pem -certfile axTLS.ca_x509.pem -keypbe PBE-SHA1-RC4-128 -certpbe PBE-SHA1-RC4-128 -name "p12_with_CA" -out axTLS.withCA.p12 -password pass:abcd