mirror of
https://github.com/vanhoefm/fragattacks.git
synced 2024-12-12 17:08:20 -05:00
b4635f0a61
GnuTLS seems to require the intermediate CA certificate to be included both in the ca_cert and client_cert file for the cases of server and client certificates using different intermediate CA certificates. Use the user_and_ica.pem file with GnuTLS builds and reorder the certificates in that file to make this work with GnuTLS. Signed-off-by: Jouni Malinen <j@w1.fi>
88 lines
4.4 KiB
Bash
Executable File
88 lines
4.4 KiB
Bash
Executable File
#!/bin/sh
|
|
|
|
OPENSSL=openssl
|
|
|
|
echo
|
|
echo "---[ Intermediate CA - Server ]-----------------------------------------"
|
|
echo
|
|
|
|
cat ec-ca-openssl.cnf |
|
|
sed "s/ec-ca/rootCA/" |
|
|
sed "s/#@CN@/commonName_default = Server Intermediate CA/" \
|
|
> openssl.cnf.tmp
|
|
mkdir -p iCA-server/certs iCA-server/crl iCA-server/newcerts iCA-server/private
|
|
touch iCA-server/index.txt
|
|
$OPENSSL req -config openssl.cnf.tmp -batch -new -newkey rsa:2048 -nodes -keyout iCA-server/private/cakey.pem -out iCA-server/careq.pem -outform PEM -days 3652 -sha256
|
|
$OPENSSL ca -config openssl.cnf.tmp -md sha256 -create_serial -out iCA-server/cacert.pem -days 3652 -batch -keyfile ca-key.pem -cert ca.pem -extensions v3_ca -outdir rootCA/newcerts -infiles iCA-server/careq.pem
|
|
cat iCA-server/cacert.pem ca.pem > iCA-server/ca-and-root.pem
|
|
rm openssl.cnf.tmp
|
|
|
|
echo
|
|
echo "---[ Intermediate CA - User ]-------------------------------------------"
|
|
echo
|
|
|
|
cat ec-ca-openssl.cnf |
|
|
sed "s/ec-ca/rootCA/" |
|
|
sed "s/#@CN@/commonName_default = User Intermediate CA/" \
|
|
> openssl.cnf.tmp
|
|
mkdir -p iCA-user/certs iCA-user/crl iCA-user/newcerts iCA-user/private
|
|
touch iCA-user/index.txt
|
|
$OPENSSL req -config openssl.cnf.tmp -batch -new -newkey rsa:2048 -nodes -keyout iCA-user/private/cakey.pem -out iCA-user/careq.pem -outform PEM -days 3652 -sha256
|
|
$OPENSSL ca -config openssl.cnf.tmp -md sha256 -create_serial -out iCA-user/cacert.pem -days 3652 -batch -keyfile ca-key.pem -cert ca.pem -extensions v3_ca -outdir rootCA/newcerts -infiles iCA-user/careq.pem
|
|
cat iCA-user/cacert.pem ca.pem > iCA-user/ca-and-root.pem
|
|
rm openssl.cnf.tmp
|
|
|
|
echo
|
|
echo "---[ Server ]-----------------------------------------------------------"
|
|
echo
|
|
|
|
cat ec-ca-openssl.cnf |
|
|
sed "s/ec-ca/iCA-server/" |
|
|
sed "s/#@CN@/commonName_default = server.w1.fi/" |
|
|
sed "s/#@ALTNAME@/subjectAltName=critical,DNS:server.w1.fi/" \
|
|
> openssl.cnf.tmp
|
|
$OPENSSL req -config openssl.cnf.tmp -batch -new -newkey rsa:2048 -nodes -keyout iCA-server/server.key -out iCA-server/server.req -outform PEM -sha256
|
|
$OPENSSL ca -config openssl.cnf.tmp -batch -keyfile iCA-server/private/cakey.pem -cert iCA-server/cacert.pem -create_serial -in iCA-server/server.req -out iCA-server/server.pem -extensions ext_server -md sha256
|
|
cat iCA-server/cacert.pem iCA-server/server.pem > iCA-server/server_and_ica.pem
|
|
rm openssl.cnf.tmp
|
|
|
|
echo
|
|
echo "---[ Server - revoked ]-------------------------------------------------"
|
|
echo
|
|
|
|
cat ec-ca-openssl.cnf |
|
|
sed "s/ec-ca/iCA-server/" |
|
|
sed "s/#@CN@/commonName_default = server-revoked.w1.fi/" |
|
|
sed "s/#@ALTNAME@/subjectAltName=critical,DNS:server-revoked.w1.fi/" \
|
|
> openssl.cnf.tmp
|
|
$OPENSSL req -config openssl.cnf.tmp -batch -new -newkey rsa:2048 -nodes -keyout iCA-server/server-revoked.key -out iCA-server/server-revoked.req -outform PEM -sha256
|
|
$OPENSSL ca -config openssl.cnf.tmp -batch -keyfile iCA-server/private/cakey.pem -cert iCA-server/cacert.pem -create_serial -in iCA-server/server-revoked.req -out iCA-server/server-revoked.pem -extensions ext_server -md sha256
|
|
$OPENSSL ca -config openssl.cnf.tmp -revoke iCA-server/server-revoked.pem -keyfile iCA-server/private/cakey.pem -cert iCA-server/cacert.pem
|
|
cat iCA-server/cacert.pem iCA-server/server-revoked.pem > iCA-server/server-revoked_and_ica.pem
|
|
rm openssl.cnf.tmp
|
|
|
|
echo
|
|
echo "---[ User ]-----------------------------------------------------------"
|
|
echo
|
|
|
|
cat ec-ca-openssl.cnf |
|
|
sed "s/ec-ca/iCA-user/" |
|
|
sed "s/#@CN@/commonName_default = user.w1.fi/" |
|
|
sed "s/#@ALTNAME@/subjectAltName=critical,DNS:user.w1.fi/" \
|
|
> openssl.cnf.tmp
|
|
$OPENSSL req -config openssl.cnf.tmp -batch -new -newkey rsa:2048 -nodes -keyout iCA-user/user.key -out iCA-user/user.req -outform PEM -sha256
|
|
$OPENSSL ca -config openssl.cnf.tmp -batch -keyfile iCA-user/private/cakey.pem -cert iCA-user/cacert.pem -create_serial -in iCA-user/user.req -out iCA-user/user.pem -extensions ext_client -md sha256
|
|
cat iCA-user/user.pem iCA-user/cacert.pem > iCA-user/user_and_ica.pem
|
|
rm openssl.cnf.tmp
|
|
|
|
echo
|
|
echo "---[ Verify ]-----------------------------------------------------------"
|
|
echo
|
|
|
|
$OPENSSL verify -CAfile ca.pem iCA-server/cacert.pem
|
|
$OPENSSL verify -CAfile ca.pem iCA-user/cacert.pem
|
|
$OPENSSL verify -CAfile ca.pem -untrusted iCA-server/cacert.pem iCA-server/server.pem
|
|
$OPENSSL verify -CAfile ca.pem -untrusted iCA-server/cacert.pem iCA-server/server-revoked.pem
|
|
$OPENSSL verify -CAfile ca.pem iCA-user/cacert.pem
|
|
$OPENSSL verify -CAfile ca.pem -untrusted iCA-user/cacert.pem iCA-user/user.pem
|