hostap/tests/hwsim/auth_serv/update.sh

#!/bin/sh

OPENSSL=openssl

mkdir -p test-ca/newcerts

echo
echo "---[ DH parameters ]----------------------------------------------------"
echo

if [ -r dh.conf ]; then
    echo "Use already generated dh.conf"
else
    openssl dhparam -out dh.conf 2048
fi

echo
echo "---[ Root CA ]----------------------------------------------------------"
echo

if [ -r ca-key.pem ]; then
    echo "Use already generated Root CA"
else
    cat openssl2.cnf |
	sed "s/#@CN@/commonName_default = TEST - Incorrect Root CA/" \
	    > ca-openssl.cnf.tmp
    $OPENSSL req -config ca-openssl.cnf.tmp -batch -x509 -new -newkey rsa:2048 -nodes -keyout ca-incorrect-key.pem -out ca-incorrect.der -outform DER -days 3650 -sha256
    $OPENSSL x509 -in ca-incorrect.der -inform DER -out ca-incorrect.pem -outform PEM -text

    cat openssl2.cnf |
	sed "s/#@CN@/commonName_default = Root CA/" \
	    > ca-openssl.cnf.tmp
    $OPENSSL req -config ca-openssl.cnf.tmp -batch -x509 -new -newkey rsa:2048 -nodes -keyout ca-key.pem -out ca.der -outform DER -days 3650 -sha256
    $OPENSSL x509 -in ca.der -inform DER -out ca.pem -outform PEM -text
    mkdir -p test-ca/certs test-ca/crl test-ca/newcerts test-ca/private
    touch test-ca/index.txt
    echo 01 > test-ca/crlnumber
    cp ca.pem test-ca/cacert.pem
    cp ca-key.pem test-ca/private/cakey.pem
    $OPENSSL ca -config ca-openssl.cnf.tmp -gencrl -crldays 2922 -out crl.pem
    cat ca.pem crl.pem > ca-and-crl.pem
    faketime yesterday $OPENSSL ca -config ca-openssl.cnf.tmp -gencrl -crlhours 1 -out crl.pem
    cat ca.pem crl.pem > ca-and-crl-expired.pem
    rm crl.pem
    rm ca-openssl.cnf.tmp
fi

echo
echo "---[ Update server certificates ]---------------------------------------"
echo

cat openssl2.cnf |
	sed "s/#@CN@/commonName_default = server.w1.fi/" |
	sed "s/#@ALTNAME@/subjectAltName=DNS:server.w1.fi/" \
	> openssl.cnf.tmp
if [ ! -r server.csr ]; then
    $OPENSSL req -config openssl.cnf.tmp -batch -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr -outform PEM -sha256
fi
$OPENSSL ca -config $PWD/openssl.cnf.tmp -batch -in server.csr -out server.pem -extensions ext_server

$OPENSSL pkcs12 -export -out server.pkcs12 -in server.pem -inkey server.key -passout pass:
$OPENSSL pkcs12 -export -out server-extra.pkcs12 -in server.pem -inkey server.key -descert -certfile user.pem -passout pass:whatever -name server

cat openssl2.cnf |
	sed "s/#@CN@/commonName_default = server3.w1.fi/" \
	> openssl.cnf.tmp
if [ ! -r server-no-dnsname.csr ]; then
    $OPENSSL req -config openssl.cnf.tmp -batch -new -newkey rsa:2048 -nodes -keyout server-no-dnsname.key -out server-no-dnsname.csr -outform PEM -sha256
fi
$OPENSSL ca -config $PWD/openssl.cnf.tmp -batch -in server-no-dnsname.csr -out server-no-dnsname.pem -extensions ext_server

cat openssl2.cnf |
	sed "s/#@CN@/commonName_default = server4.w1.fi/" \
	> openssl.cnf.tmp
if [ ! -r server-expired.csr ]; then
    $OPENSSL req -config openssl.cnf.tmp -batch -new -newkey rsa:2048 -nodes -keyout server-expired.key -out server-expired.csr -outform PEM -sha256
fi
$OPENSSL ca -config $PWD/openssl.cnf.tmp -batch -in server-expired.csr -out server-expired.pem -extensions ext_server -startdate 200101000000Z -enddate 200102000000Z

cat openssl2.cnf |
	sed "s/#@CN@/commonName_default = server5.w1.fi/" \
	> openssl.cnf.tmp
if [ ! -r server-eku-client.csr ]; then
    $OPENSSL req -config openssl.cnf.tmp -batch -new -newkey rsa:2048 -nodes -keyout server-eku-client.key -out server-eku-client.csr -outform PEM -sha256
fi
$OPENSSL ca -config $PWD/openssl.cnf.tmp -batch -in server-eku-client.csr -out server-eku-client.pem -extensions ext_client

cat openssl2.cnf |
	sed "s/#@CN@/commonName_default = server6.w1.fi/" \
	> openssl.cnf.tmp
if [ ! -r server-eku-client-server.csr ]; then
    $OPENSSL req -config openssl.cnf.tmp -batch -new -newkey rsa:2048 -nodes -keyout server-eku-client-server.key -out server-eku-client-server.csr -outform PEM -sha256
fi
$OPENSSL ca -config $PWD/openssl.cnf.tmp -batch -in server-eku-client-server.csr -out server-eku-client-server.pem -extensions ext_client_server

cat openssl2.cnf |
	sed "s/#@CN@/commonName_default = server7.w1.fi/" \
	> openssl.cnf.tmp
if [ ! -r server-long-duration.csr ]; then
    $OPENSSL req -config openssl.cnf.tmp -batch -new -newkey rsa:4096 -nodes -keyout server-long-duration.key -out server-long-duration.csr -outform PEM -sha256
fi
$OPENSSL ca -config $PWD/openssl.cnf.tmp -batch -in server-long-duration.csr -out server-long-duration.pem -extensions ext_server -days 18250

cat openssl2.cnf |
	sed "s/#@CN@/commonName_default = server-policies.w1.fi/" |
	sed "s/#@ALTNAME@/subjectAltName=DNS:server-policies.w1.fi/" |
	sed "s/#@CERTPOL@/certificatePolicies = 1.3.6.1.4.1.40808.1.3.1/" \
	> openssl.cnf.tmp
if [ ! -r server-certpol.csr ]; then
    $OPENSSL req -config openssl.cnf.tmp -batch -new -newkey rsa:3072 -nodes -keyout server-certpol.key -out server-certpol.csr -outform PEM -sha256
fi
$OPENSSL ca -config $PWD/openssl.cnf.tmp -batch -in server-certpol.csr -out server-certpol.pem -extensions ext_server

cat openssl2.cnf |
	sed "s/#@CN@/commonName_default = server-policies2.w1.fi/" |
	sed "s/#@ALTNAME@/subjectAltName=DNS:server-policies2.w1.fi/" |
	sed "s/#@CERTPOL@/certificatePolicies = 1.3.6.1.4.1.40808.1.3.2/" \
	> openssl.cnf.tmp
if [ ! -r server-certpol2.csr ]; then
    $OPENSSL req -config openssl.cnf.tmp -batch -new -newkey rsa:3072 -nodes -keyout server-certpol2.key -out server-certpol2.csr -outform PEM -sha256
fi
$OPENSSL ca -config $PWD/openssl.cnf.tmp -batch -in server-certpol2.csr -out server-certpol2.pem -extensions ext_server

echo
echo "---[ Update user certificates ]-----------------------------------------"
echo

cat openssl2.cnf | sed "s/#@CN@/commonName_default = Test User/" > openssl.cnf.tmp
if [ ! -r user.csr ]; then
    $OPENSSL req -config openssl.cnf.tmp -batch -new -newkey rsa:2048 -nodes -keyout user.key -out user.csr -outform PEM -sha256
    $OPENSSL rsa -in user.key -out user.rsa-key
    $OPENSSL pkcs8 -topk8 -in user.key -out user.key.pkcs8 -inform PEM -v2 des-ede3-cbc -v2prf hmacWithSHA1 -passout pass:whatever
    $OPENSSL pkcs8 -topk8 -in user.key -out user.key.pkcs8.pkcs5v15 -inform PEM -v1 pbeWithMD5AndDES-CBC -passout pass:whatever
fi

$OPENSSL ca -config $PWD/openssl.cnf.tmp -batch -in user.csr -out user.pem -extensions ext_client
rm openssl.cnf.tmp

$OPENSSL pkcs12 -export -out user.pkcs12 -in user.pem -inkey user.key -descert -passout pass:whatever
$OPENSSL pkcs12 -export -out user2.pkcs12 -in user.pem -inkey user.key -descert -name Test -certfile server.pem -passout pass:whatever
$OPENSSL pkcs12 -export -out user3.pkcs12 -in user.pem -inkey user.key -descert -name "my certificates" -certfile ca.pem -passout pass:whatever

echo
echo "---[ Update OCSP ]------------------------------------------------------"
echo

cat openssl2.cnf |
	sed "s/#@CN@/commonName_default = ocsp.w1.fi/" \
	> openssl.cnf.tmp
if [ ! -r ocsp-responder.csr ]; then
    $OPENSSL req -config openssl.cnf.tmp -batch -new -newkey rsa:2048 -nodes -keyout ocsp-responder.key -out ocsp-responder.csr -outform PEM -sha256
fi
$OPENSSL ca -config $PWD/openssl.cnf.tmp -batch -in ocsp-responder.csr -out ocsp-responder.pem -extensions v3_OCSP

$OPENSSL ocsp -CAfile test-ca/cacert.pem -issuer test-ca/cacert.pem -cert server.pem -reqout ocsp-req.der -no_nonce
$OPENSSL ocsp -index test-ca/index.txt -rsigner test-ca/cacert.pem -rkey test-ca/private/cakey.pem -CA test-ca/cacert.pem -resp_no_certs -reqin ocsp-req.der -respout ocsp-server-cache.der
SIZ=`ls -l ocsp-server-cache.der | cut -f5 -d' '`
(echo -n 000; echo "obase=16;$SIZ" | bc) | xxd -r -ps > ocsp-multi-server-cache.der
cat ocsp-server-cache.der >> ocsp-multi-server-cache.der

echo
echo "---[ Additional steps ]-------------------------------------------------"
echo

echo "test_ap_eap.py: ap_wpa2_eap_ttls_server_cert_hash srv_cert_hash"

$OPENSSL x509 -in server.pem -out server.der -outform DER
HASH=`sha256sum server.der | cut -f1 -d' '`
rm server.der
sed -i "s/srv_cert_hash =.*/srv_cert_hash = \"$HASH\"/" ../test_ap_eap.py

echo "index.txt: server time+serial"

grep -v CN=server.w1.fi index.txt > index.txt.new
grep CN=server.w1.fi test-ca/index.txt | tail -1 >> index.txt.new
mv index.txt.new index.txt

echo "start.sh: openssl ocsp -reqout serial"

SERIAL=`grep CN=server.w1.fi test-ca/index.txt | tail -1 | cut -f4`
sed -i "s/'-serial', '0x[^']*'/'-serial', '0x$SERIAL'/" ../test_ap_eap.py
tests: Update server and user certificates (2017) The previous versions expired, so need to re-sign these to fix number of the EAP test cases. In addition, add a shell script (update.sh) and the needed CA files to automate this full update process. Signed-off-by: Jouni Malinen <j@w1.fi> 2017-10-01 17:45:07 +02:00			`#!/bin/sh`

			`OPENSSL=openssl`

			`mkdir -p test-ca/newcerts`

tests: Move from 1024 bit private keys to 2048 bit keys Crypto libraries are starting to refuse to accept the old shorter keys, so move all test certificates and DH to use 2048 bit (or longer) keys. Signed-off-by: Jouni Malinen <j@w1.fi> 2020-05-02 19:58:40 +02:00			`echo`
			`echo "---[ DH parameters ]----------------------------------------------------"`
			`echo`

			`if [ -r dh.conf ]; then`
			`echo "Use already generated dh.conf"`
			`else`
			`openssl dhparam -out dh.conf 2048`
			`fi`

			`echo`
			`echo "---[ Root CA ]----------------------------------------------------------"`
			`echo`

			`if [ -r ca-key.pem ]; then`
			`echo "Use already generated Root CA"`
			`else`
			`cat openssl2.cnf \|`
			`sed "s/#@CN@/commonName_default = TEST - Incorrect Root CA/" \`
			`> ca-openssl.cnf.tmp`
			`$OPENSSL req -config ca-openssl.cnf.tmp -batch -x509 -new -newkey rsa:2048 -nodes -keyout ca-incorrect-key.pem -out ca-incorrect.der -outform DER -days 3650 -sha256`
			`$OPENSSL x509 -in ca-incorrect.der -inform DER -out ca-incorrect.pem -outform PEM -text`

			`cat openssl2.cnf \|`
			`sed "s/#@CN@/commonName_default = Root CA/" \`
			`> ca-openssl.cnf.tmp`
			`$OPENSSL req -config ca-openssl.cnf.tmp -batch -x509 -new -newkey rsa:2048 -nodes -keyout ca-key.pem -out ca.der -outform DER -days 3650 -sha256`
			`$OPENSSL x509 -in ca.der -inform DER -out ca.pem -outform PEM -text`
			`mkdir -p test-ca/certs test-ca/crl test-ca/newcerts test-ca/private`
			`touch test-ca/index.txt`
			`echo 01 > test-ca/crlnumber`
			`cp ca.pem test-ca/cacert.pem`
			`cp ca-key.pem test-ca/private/cakey.pem`
			`$OPENSSL ca -config ca-openssl.cnf.tmp -gencrl -crldays 2922 -out crl.pem`
			`cat ca.pem crl.pem > ca-and-crl.pem`
			`faketime yesterday $OPENSSL ca -config ca-openssl.cnf.tmp -gencrl -crlhours 1 -out crl.pem`
			`cat ca.pem crl.pem > ca-and-crl-expired.pem`
			`rm crl.pem`
			`rm ca-openssl.cnf.tmp`
			`fi`

tests: Update server and user certificates (2017) The previous versions expired, so need to re-sign these to fix number of the EAP test cases. In addition, add a shell script (update.sh) and the needed CA files to automate this full update process. Signed-off-by: Jouni Malinen <j@w1.fi> 2017-10-01 17:45:07 +02:00			`echo`
			`echo "---[ Update server certificates ]---------------------------------------"`
			`echo`

			`cat openssl2.cnf \|`
			`sed "s/#@CN@/commonName_default = server.w1.fi/" \|`
			`sed "s/#@ALTNAME@/subjectAltName=DNS:server.w1.fi/" \`
			`> openssl.cnf.tmp`
tests: Move from 1024 bit private keys to 2048 bit keys Crypto libraries are starting to refuse to accept the old shorter keys, so move all test certificates and DH to use 2048 bit (or longer) keys. Signed-off-by: Jouni Malinen <j@w1.fi> 2020-05-02 19:58:40 +02:00			`if [ ! -r server.csr ]; then`
			`$OPENSSL req -config openssl.cnf.tmp -batch -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr -outform PEM -sha256`
			`fi`
tests: Update server and user certificates (2017) The previous versions expired, so need to re-sign these to fix number of the EAP test cases. In addition, add a shell script (update.sh) and the needed CA files to automate this full update process. Signed-off-by: Jouni Malinen <j@w1.fi> 2017-10-01 17:45:07 +02:00			`$OPENSSL ca -config $PWD/openssl.cnf.tmp -batch -in server.csr -out server.pem -extensions ext_server`

			`$OPENSSL pkcs12 -export -out server.pkcs12 -in server.pem -inkey server.key -passout pass:`
			`$OPENSSL pkcs12 -export -out server-extra.pkcs12 -in server.pem -inkey server.key -descert -certfile user.pem -passout pass:whatever -name server`

			`cat openssl2.cnf \|`
			`sed "s/#@CN@/commonName_default = server3.w1.fi/" \`
			`> openssl.cnf.tmp`
tests: Move from 1024 bit private keys to 2048 bit keys Crypto libraries are starting to refuse to accept the old shorter keys, so move all test certificates and DH to use 2048 bit (or longer) keys. Signed-off-by: Jouni Malinen <j@w1.fi> 2020-05-02 19:58:40 +02:00			`if [ ! -r server-no-dnsname.csr ]; then`
			`$OPENSSL req -config openssl.cnf.tmp -batch -new -newkey rsa:2048 -nodes -keyout server-no-dnsname.key -out server-no-dnsname.csr -outform PEM -sha256`
			`fi`
tests: Update server and user certificates (2017) The previous versions expired, so need to re-sign these to fix number of the EAP test cases. In addition, add a shell script (update.sh) and the needed CA files to automate this full update process. Signed-off-by: Jouni Malinen <j@w1.fi> 2017-10-01 17:45:07 +02:00			`$OPENSSL ca -config $PWD/openssl.cnf.tmp -batch -in server-no-dnsname.csr -out server-no-dnsname.pem -extensions ext_server`

tests: Move from 1024 bit private keys to 2048 bit keys Crypto libraries are starting to refuse to accept the old shorter keys, so move all test certificates and DH to use 2048 bit (or longer) keys. Signed-off-by: Jouni Malinen <j@w1.fi> 2020-05-02 19:58:40 +02:00			`cat openssl2.cnf \|`
			`sed "s/#@CN@/commonName_default = server4.w1.fi/" \`
			`> openssl.cnf.tmp`
			`if [ ! -r server-expired.csr ]; then`
			`$OPENSSL req -config openssl.cnf.tmp -batch -new -newkey rsa:2048 -nodes -keyout server-expired.key -out server-expired.csr -outform PEM -sha256`
			`fi`
			`$OPENSSL ca -config $PWD/openssl.cnf.tmp -batch -in server-expired.csr -out server-expired.pem -extensions ext_server -startdate 200101000000Z -enddate 200102000000Z`

tests: Update server and user certificates (2017) The previous versions expired, so need to re-sign these to fix number of the EAP test cases. In addition, add a shell script (update.sh) and the needed CA files to automate this full update process. Signed-off-by: Jouni Malinen <j@w1.fi> 2017-10-01 17:45:07 +02:00			`cat openssl2.cnf \|`
			`sed "s/#@CN@/commonName_default = server5.w1.fi/" \`
			`> openssl.cnf.tmp`
tests: Move from 1024 bit private keys to 2048 bit keys Crypto libraries are starting to refuse to accept the old shorter keys, so move all test certificates and DH to use 2048 bit (or longer) keys. Signed-off-by: Jouni Malinen <j@w1.fi> 2020-05-02 19:58:40 +02:00			`if [ ! -r server-eku-client.csr ]; then`
			`$OPENSSL req -config openssl.cnf.tmp -batch -new -newkey rsa:2048 -nodes -keyout server-eku-client.key -out server-eku-client.csr -outform PEM -sha256`
			`fi`
tests: Update server and user certificates (2017) The previous versions expired, so need to re-sign these to fix number of the EAP test cases. In addition, add a shell script (update.sh) and the needed CA files to automate this full update process. Signed-off-by: Jouni Malinen <j@w1.fi> 2017-10-01 17:45:07 +02:00			`$OPENSSL ca -config $PWD/openssl.cnf.tmp -batch -in server-eku-client.csr -out server-eku-client.pem -extensions ext_client`

			`cat openssl2.cnf \|`
			`sed "s/#@CN@/commonName_default = server6.w1.fi/" \`
			`> openssl.cnf.tmp`
tests: Move from 1024 bit private keys to 2048 bit keys Crypto libraries are starting to refuse to accept the old shorter keys, so move all test certificates and DH to use 2048 bit (or longer) keys. Signed-off-by: Jouni Malinen <j@w1.fi> 2020-05-02 19:58:40 +02:00			`if [ ! -r server-eku-client-server.csr ]; then`
			`$OPENSSL req -config openssl.cnf.tmp -batch -new -newkey rsa:2048 -nodes -keyout server-eku-client-server.key -out server-eku-client-server.csr -outform PEM -sha256`
			`fi`
tests: Update server and user certificates (2017) The previous versions expired, so need to re-sign these to fix number of the EAP test cases. In addition, add a shell script (update.sh) and the needed CA files to automate this full update process. Signed-off-by: Jouni Malinen <j@w1.fi> 2017-10-01 17:45:07 +02:00			`$OPENSSL ca -config $PWD/openssl.cnf.tmp -batch -in server-eku-client-server.csr -out server-eku-client-server.pem -extensions ext_client_server`

tests: Move from 1024 bit private keys to 2048 bit keys Crypto libraries are starting to refuse to accept the old shorter keys, so move all test certificates and DH to use 2048 bit (or longer) keys. Signed-off-by: Jouni Malinen <j@w1.fi> 2020-05-02 19:58:40 +02:00			`cat openssl2.cnf \|`
			`sed "s/#@CN@/commonName_default = server7.w1.fi/" \`
			`> openssl.cnf.tmp`
			`if [ ! -r server-long-duration.csr ]; then`
			`$OPENSSL req -config openssl.cnf.tmp -batch -new -newkey rsa:4096 -nodes -keyout server-long-duration.key -out server-long-duration.csr -outform PEM -sha256`
			`fi`
			`$OPENSSL ca -config $PWD/openssl.cnf.tmp -batch -in server-long-duration.csr -out server-long-duration.pem -extensions ext_server -days 18250`

tests: Add a server certificate with TOD policy Signed-off-by: Jouni Malinen <jouni@codeaurora.org> 2019-06-11 02:13:46 +02:00			`cat openssl2.cnf \|`
			`sed "s/#@CN@/commonName_default = server-policies.w1.fi/" \|`
			`sed "s/#@ALTNAME@/subjectAltName=DNS:server-policies.w1.fi/" \|`
			`sed "s/#@CERTPOL@/certificatePolicies = 1.3.6.1.4.1.40808.1.3.1/" \`
			`> openssl.cnf.tmp`
tests: Move from 1024 bit private keys to 2048 bit keys Crypto libraries are starting to refuse to accept the old shorter keys, so move all test certificates and DH to use 2048 bit (or longer) keys. Signed-off-by: Jouni Malinen <j@w1.fi> 2020-05-02 19:58:40 +02:00			`if [ ! -r server-certpol.csr ]; then`
			`$OPENSSL req -config openssl.cnf.tmp -batch -new -newkey rsa:3072 -nodes -keyout server-certpol.key -out server-certpol.csr -outform PEM -sha256`
			`fi`
tests: Add a server certificate with TOD policy Signed-off-by: Jouni Malinen <jouni@codeaurora.org> 2019-06-11 02:13:46 +02:00			`$OPENSSL ca -config $PWD/openssl.cnf.tmp -batch -in server-certpol.csr -out server-certpol.pem -extensions ext_server`

tests: Add a server certificate with TOD-TOFU policy Signed-off-by: Jouni Malinen <jouni@codeaurora.org> 2019-08-16 14:59:43 +02:00			`cat openssl2.cnf \|`
			`sed "s/#@CN@/commonName_default = server-policies2.w1.fi/" \|`
			`sed "s/#@ALTNAME@/subjectAltName=DNS:server-policies2.w1.fi/" \|`
			`sed "s/#@CERTPOL@/certificatePolicies = 1.3.6.1.4.1.40808.1.3.2/" \`
			`> openssl.cnf.tmp`
tests: Move from 1024 bit private keys to 2048 bit keys Crypto libraries are starting to refuse to accept the old shorter keys, so move all test certificates and DH to use 2048 bit (or longer) keys. Signed-off-by: Jouni Malinen <j@w1.fi> 2020-05-02 19:58:40 +02:00			`if [ ! -r server-certpol2.csr ]; then`
			`$OPENSSL req -config openssl.cnf.tmp -batch -new -newkey rsa:3072 -nodes -keyout server-certpol2.key -out server-certpol2.csr -outform PEM -sha256`
			`fi`
tests: Add a server certificate with TOD-TOFU policy Signed-off-by: Jouni Malinen <jouni@codeaurora.org> 2019-08-16 14:59:43 +02:00			`$OPENSSL ca -config $PWD/openssl.cnf.tmp -batch -in server-certpol2.csr -out server-certpol2.pem -extensions ext_server`

tests: Update server and user certificates (2017) The previous versions expired, so need to re-sign these to fix number of the EAP test cases. In addition, add a shell script (update.sh) and the needed CA files to automate this full update process. Signed-off-by: Jouni Malinen <j@w1.fi> 2017-10-01 17:45:07 +02:00			`echo`
			`echo "---[ Update user certificates ]-----------------------------------------"`
			`echo`

tests: Move from 1024 bit private keys to 2048 bit keys Crypto libraries are starting to refuse to accept the old shorter keys, so move all test certificates and DH to use 2048 bit (or longer) keys. Signed-off-by: Jouni Malinen <j@w1.fi> 2020-05-02 19:58:40 +02:00			`cat openssl2.cnf \| sed "s/#@CN@/commonName_default = Test User/" > openssl.cnf.tmp`
			`if [ ! -r user.csr ]; then`
			`$OPENSSL req -config openssl.cnf.tmp -batch -new -newkey rsa:2048 -nodes -keyout user.key -out user.csr -outform PEM -sha256`
			`$OPENSSL rsa -in user.key -out user.rsa-key`
			`$OPENSSL pkcs8 -topk8 -in user.key -out user.key.pkcs8 -inform PEM -v2 des-ede3-cbc -v2prf hmacWithSHA1 -passout pass:whatever`
			`$OPENSSL pkcs8 -topk8 -in user.key -out user.key.pkcs8.pkcs5v15 -inform PEM -v1 pbeWithMD5AndDES-CBC -passout pass:whatever`
			`fi`

tests: Update server and user certificates (2017) The previous versions expired, so need to re-sign these to fix number of the EAP test cases. In addition, add a shell script (update.sh) and the needed CA files to automate this full update process. Signed-off-by: Jouni Malinen <j@w1.fi> 2017-10-01 17:45:07 +02:00			`$OPENSSL ca -config $PWD/openssl.cnf.tmp -batch -in user.csr -out user.pem -extensions ext_client`
			`rm openssl.cnf.tmp`

			`$OPENSSL pkcs12 -export -out user.pkcs12 -in user.pem -inkey user.key -descert -passout pass:whatever`
			`$OPENSSL pkcs12 -export -out user2.pkcs12 -in user.pem -inkey user.key -descert -name Test -certfile server.pem -passout pass:whatever`
			`$OPENSSL pkcs12 -export -out user3.pkcs12 -in user.pem -inkey user.key -descert -name "my certificates" -certfile ca.pem -passout pass:whatever`

			`echo`
			`echo "---[ Update OCSP ]------------------------------------------------------"`
			`echo`

tests: Move from 1024 bit private keys to 2048 bit keys Crypto libraries are starting to refuse to accept the old shorter keys, so move all test certificates and DH to use 2048 bit (or longer) keys. Signed-off-by: Jouni Malinen <j@w1.fi> 2020-05-02 19:58:40 +02:00			`cat openssl2.cnf \|`
			`sed "s/#@CN@/commonName_default = ocsp.w1.fi/" \`
			`> openssl.cnf.tmp`
			`if [ ! -r ocsp-responder.csr ]; then`
			`$OPENSSL req -config openssl.cnf.tmp -batch -new -newkey rsa:2048 -nodes -keyout ocsp-responder.key -out ocsp-responder.csr -outform PEM -sha256`
			`fi`
			`$OPENSSL ca -config $PWD/openssl.cnf.tmp -batch -in ocsp-responder.csr -out ocsp-responder.pem -extensions v3_OCSP`

tests: Update server and user certificates (2017) The previous versions expired, so need to re-sign these to fix number of the EAP test cases. In addition, add a shell script (update.sh) and the needed CA files to automate this full update process. Signed-off-by: Jouni Malinen <j@w1.fi> 2017-10-01 17:45:07 +02:00			`$OPENSSL ocsp -CAfile test-ca/cacert.pem -issuer test-ca/cacert.pem -cert server.pem -reqout ocsp-req.der -no_nonce`
			`$OPENSSL ocsp -index test-ca/index.txt -rsigner test-ca/cacert.pem -rkey test-ca/private/cakey.pem -CA test-ca/cacert.pem -resp_no_certs -reqin ocsp-req.der -respout ocsp-server-cache.der`
tests: Fix multi-ocsp response conents These were not updated when the server certificates were updated the last time (or the previous time). Signed-off-by: Jouni Malinen <j@w1.fi> 2019-02-05 02:01:38 +01:00			SIZ=`ls -l ocsp-server-cache.der \| cut -f5 -d' '`
			`(echo -n 000; echo "obase=16;$SIZ" \| bc) \| xxd -r -ps > ocsp-multi-server-cache.der`
			`cat ocsp-server-cache.der >> ocsp-multi-server-cache.der`
tests: Update server and user certificates (2017) The previous versions expired, so need to re-sign these to fix number of the EAP test cases. In addition, add a shell script (update.sh) and the needed CA files to automate this full update process. Signed-off-by: Jouni Malinen <j@w1.fi> 2017-10-01 17:45:07 +02:00
			`echo`
			`echo "---[ Additional steps ]-------------------------------------------------"`
			`echo`

			`echo "test_ap_eap.py: ap_wpa2_eap_ttls_server_cert_hash srv_cert_hash"`

			`$OPENSSL x509 -in server.pem -out server.der -outform DER`
			HASH=`sha256sum server.der \| cut -f1 -d' '`
			`rm server.der`
			`sed -i "s/srv_cert_hash =.*/srv_cert_hash = \"$HASH\"/" ../test_ap_eap.py`

			`echo "index.txt: server time+serial"`

			`grep -v CN=server.w1.fi index.txt > index.txt.new`
			`grep CN=server.w1.fi test-ca/index.txt \| tail -1 >> index.txt.new`
			`mv index.txt.new index.txt`

			`echo "start.sh: openssl ocsp -reqout serial"`

			SERIAL=`grep CN=server.w1.fi test-ca/index.txt \| tail -1 \| cut -f4`
tests: Move from 1024 bit private keys to 2048 bit keys Crypto libraries are starting to refuse to accept the old shorter keys, so move all test certificates and DH to use 2048 bit (or longer) keys. Signed-off-by: Jouni Malinen <j@w1.fi> 2020-05-02 19:58:40 +02:00			`sed -i "s/'-serial', '0x[^']*'/'-serial', '0x$SERIAL'/" ../test_ap_eap.py`