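#!/bin/sh
#
# Re-sign the hwsim test certificates with the test CA and refresh the
# artifacts derived from them: PKCS#12 bundles, the OCSP response cache,
# the pinned server certificate hash in ../test_ap_eap.py and the OCSP
# serial in ../start.sh.
#
# Run from tests/hwsim/auth_serv.  Expects openssl2.cnf, the *.csr/*.key
# inputs and the test-ca/ directory (index.txt, cacert.pem, private/) to
# be present.  Every password below is a fixed test-fixture value that the
# test suite relies on, not a secret.

# POSIX subset of strict mode: a failed signing step must not be silently
# papered over by the later steps (pipefail is not portable to /bin/sh).
set -eu

OPENSSL=openssl
CNF=openssl.cnf.tmp

# Remove the rendered config even if a step fails part-way through.
trap 'rm -f -- "$CNF"' EXIT

mkdir -p test-ca/newcerts

#######################################
# Render openssl2.cnf into $CNF, filling in its #@...@ placeholders.
# Arguments: one or more "-e s/#@TAG@/value/" sed expressions
# Outputs:   writes $CNF
#######################################
make_cnf() {
  sed "$@" openssl2.cnf > "$CNF"
}

#######################################
# Sign a CSR with the test CA using the currently rendered config.
# Arguments: $1 - input CSR, $2 - output PEM, $3 - extension section name
# Returns:   exit status of openssl ca (aborts the script under set -e)
#######################################
sign() {
  "$OPENSSL" ca -config "$PWD/$CNF" -batch -in "$1" -out "$2" -extensions "$3"
}

echo
echo "---[ Update server certificates ]---------------------------------------"
echo

make_cnf -e "s/#@CN@/commonName_default = server.w1.fi/" \
         -e "s/#@ALTNAME@/subjectAltName=DNS:server.w1.fi/"
sign server.csr server.pem ext_server

"$OPENSSL" pkcs12 -export -out server.pkcs12 -in server.pem -inkey server.key -passout pass:
"$OPENSSL" pkcs12 -export -out server-extra.pkcs12 -in server.pem -inkey server.key -descert -certfile user.pem -passout pass:whatever -name server

# No subjectAltName on purpose: exercises DNS-name matching against CN only.
make_cnf -e "s/#@CN@/commonName_default = server3.w1.fi/"
sign server-no-dnsname.csr server-no-dnsname.pem ext_server

# Server certificate carrying only the client-auth EKU (negative test).
make_cnf -e "s/#@CN@/commonName_default = server5.w1.fi/"
sign server-eku-client.csr server-eku-client.pem ext_client

make_cnf -e "s/#@CN@/commonName_default = server6.w1.fi/"
sign server-eku-client-server.csr server-eku-client-server.pem ext_client_server

make_cnf -e "s/#@CN@/commonName_default = server-policies.w1.fi/" \
         -e "s/#@ALTNAME@/subjectAltName=DNS:server-policies.w1.fi/" \
         -e "s/#@CERTPOL@/certificatePolicies = 1.3.6.1.4.1.40808.1.3.1/"
# Key/CSR generation is a one-off step; kept commented for reference.
#"$OPENSSL" req -config "$CNF" -batch -new -newkey rsa:3072 -nodes -keyout server-certpol.key -out server-certpol.csr -outform PEM -sha256
sign server-certpol.csr server-certpol.pem ext_server

make_cnf -e "s/#@CN@/commonName_default = server-policies2.w1.fi/" \
         -e "s/#@ALTNAME@/subjectAltName=DNS:server-policies2.w1.fi/" \
         -e "s/#@CERTPOL@/certificatePolicies = 1.3.6.1.4.1.40808.1.3.2/"
#"$OPENSSL" req -config "$CNF" -batch -new -newkey rsa:3072 -nodes -keyout server-certpol2.key -out server-certpol2.csr -outform PEM -sha256
sign server-certpol2.csr server-certpol2.pem ext_server

echo
echo "---[ Update user certificates ]-----------------------------------------"
echo

make_cnf -e "s/#@CN@/commonName_default = User/"
sign user.csr user.pem ext_client
rm -- "$CNF"

"$OPENSSL" pkcs12 -export -out user.pkcs12 -in user.pem -inkey user.key -descert -passout pass:whatever
"$OPENSSL" pkcs12 -export -out user2.pkcs12 -in user.pem -inkey user.key -descert -name Test -certfile server.pem -passout pass:whatever
"$OPENSSL" pkcs12 -export -out user3.pkcs12 -in user.pem -inkey user.key -descert -name "my certificates" -certfile ca.pem -passout pass:whatever

echo
echo "---[ Update OCSP ]------------------------------------------------------"
echo

"$OPENSSL" ocsp -CAfile test-ca/cacert.pem -issuer test-ca/cacert.pem -cert server.pem -reqout ocsp-req.der -no_nonce
"$OPENSSL" ocsp -index test-ca/index.txt -rsigner test-ca/cacert.pem -rkey test-ca/private/cakey.pem -CA test-ca/cacert.pem -resp_no_certs -reqin ocsp-req.der -respout ocsp-server-cache.der

# ocsp-multi-server-cache.der = 3-byte big-endian length + the DER response.
# '%06x' always emits exactly three bytes; the earlier "000" + bc output
# produced a malformed prefix once the response reached 4096 bytes.
# Arithmetic expansion strips the leading blanks some wc implementations print.
SIZ=$(wc -c < ocsp-server-cache.der)
printf '%06x' "$((SIZ))" | xxd -r -ps > ocsp-multi-server-cache.der
cat ocsp-server-cache.der >> ocsp-multi-server-cache.der

echo
echo "---[ Additional steps ]-------------------------------------------------"
echo

echo "test_ap_eap.py: ap_wpa2_eap_ttls_server_cert_hash srv_cert_hash"

# The test pins server.pem by SHA-256 of its DER form, so the pin has to be
# refreshed every time the certificate is re-signed.  HASH is hex only, so
# it is safe to splice into the sed replacement.
"$OPENSSL" x509 -in server.pem -out server.der -outform DER
HASH=$(sha256sum server.der | cut -f1 -d' ')
rm server.der
sed -i "s/srv_cert_hash =.*/srv_cert_hash = \"$HASH\"/" ../test_ap_eap.py

echo "index.txt: server time+serial"

# Replace the server.w1.fi entry in the local index with the newest one from
# the CA database.  grep -v exits 1 when nothing is left, which is not an
# error here; any other status (e.g. missing file) still aborts.
grep -v CN=server.w1.fi index.txt > index.txt.new || [ $? -eq 1 ]
grep CN=server.w1.fi test-ca/index.txt | tail -n 1 >> index.txt.new
mv index.txt.new index.txt

echo "start.sh: openssl ocsp -reqout serial"

# index.txt is tab-separated; field 4 is the hex serial of the newest
# server.w1.fi certificate.  Bail out rather than write "serial 0x" into
# start.sh if the entry is missing.
SERIAL=$(grep CN=server.w1.fi test-ca/index.txt | tail -n 1 | cut -f4)
if [ -z "$SERIAL" ]; then
  printf 'error: no CN=server.w1.fi entry in test-ca/index.txt\n' >&2
  exit 1
fi
sed -i "s/serial 0x[^ ]* -no_nonce/serial 0x$SERIAL -no_nonce/" ../start.sh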