9ec824b9c1
Verify that unexpected p256 client certificate gets rejected if the server is configured to use Suite B at 192-bit level. Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
68 lines
2.7 KiB
Bash
Executable file
68 lines
2.7 KiB
Bash
Executable file
#!/bin/sh
|
|
|
|
OPENSSL=openssl
|
|
|
|
CURVE=secp384r1
|
|
DIGEST="-sha384"
|
|
DIGEST_CA="-md sha384"
|
|
|
|
echo
|
|
echo "---[ Root CA ]----------------------------------------------------------"
|
|
echo
|
|
|
|
cat ec-ca-openssl.cnf |
|
|
sed "s/#@CN@/commonName_default = Suite B 192-bit Root CA/" \
|
|
> ec-ca-openssl.cnf.tmp
|
|
$OPENSSL ecparam -out ec2-ca.key -name $CURVE -genkey
|
|
$OPENSSL req -config ec-ca-openssl.cnf.tmp -batch -x509 -new -key ec2-ca.key -out ec2-ca.pem -outform PEM -days 3650 $DIGEST
|
|
mkdir -p ec-ca/certs ec-ca/crl ec-ca/newcerts ec-ca/private
|
|
touch ec-ca/index.txt
|
|
rm ec-ca-openssl.cnf.tmp
|
|
|
|
echo
|
|
echo "---[ Server ]-----------------------------------------------------------"
|
|
echo
|
|
|
|
cat ec-ca-openssl.cnf |
|
|
sed "s/#@CN@/commonName_default = server.w1.fi/" |
|
|
sed "s/#@ALTNAME@/subjectAltName=critical,DNS:server.w1.fi/" \
|
|
> ec-ca-openssl.cnf.tmp
|
|
$OPENSSL ecparam -out ec2-server.key -name $CURVE -genkey
|
|
$OPENSSL req -config ec-ca-openssl.cnf.tmp -batch -new -nodes -key ec2-server.key -out ec2-server.req -outform PEM $DIGEST
|
|
$OPENSSL ca -config ec-ca-openssl.cnf.tmp -batch -keyfile ec2-ca.key -cert ec2-ca.pem -create_serial -in ec2-server.req -out ec2-server.pem -extensions ext_server $DIGEST_CA
|
|
rm ec-ca-openssl.cnf.tmp
|
|
|
|
echo
|
|
echo "---[ User ]-------------------------------------------------------------"
|
|
echo
|
|
|
|
cat ec-ca-openssl.cnf |
|
|
sed "s/#@CN@/commonName_default = user/" |
|
|
sed "s/#@ALTNAME@/subjectAltName=email:user@w1.fi/" \
|
|
> ec-ca-openssl.cnf.tmp
|
|
$OPENSSL ecparam -out ec2-user.key -name $CURVE -genkey
|
|
$OPENSSL req -config ec-ca-openssl.cnf.tmp -batch -new -nodes -key ec2-user.key -out ec2-user.req -outform PEM -extensions ext_client $DIGEST
|
|
$OPENSSL ca -config ec-ca-openssl.cnf.tmp -batch -keyfile ec2-ca.key -cert ec2-ca.pem -create_serial -in ec2-user.req -out ec2-user.pem -extensions ext_client $DIGEST_CA
|
|
rm ec-ca-openssl.cnf.tmp
|
|
|
|
echo
|
|
echo "---[ User p256 ]--------------------------------------------------------"
|
|
echo
|
|
|
|
cat ec-ca-openssl.cnf |
|
|
sed "s/#@CN@/commonName_default = user-p256/" |
|
|
sed "s/#@ALTNAME@/subjectAltName=email:user-p256@w1.fi/" \
|
|
> ec-ca-openssl.cnf.tmp
|
|
$OPENSSL ecparam -out ec2-user-p256.key -name prime256v1 -genkey
|
|
$OPENSSL req -config ec-ca-openssl.cnf.tmp -batch -new -nodes -key ec2-user-p256.key -out ec2-user-p256.req -outform PEM -extensions ext_client -sha256
|
|
$OPENSSL ca -config ec-ca-openssl.cnf.tmp -batch -keyfile ec2-ca.key -cert ec2-ca.pem -create_serial -in ec2-user-p256.req -out ec2-user-p256.pem -extensions ext_client -md sha256
|
|
rm ec-ca-openssl.cnf.tmp
|
|
|
|
echo
|
|
echo "---[ Verify ]-----------------------------------------------------------"
|
|
echo
|
|
|
|
$OPENSSL verify -CAfile ec2-ca.pem ec2-server.pem
|
|
$OPENSSL verify -CAfile ec2-ca.pem ec2-user.pem
|
|
$OPENSSL verify -CAfile ec2-ca.pem ec2-user-p256.pem
|