diff options
Diffstat (limited to 'CryptoPkg/Library/OpensslLib/openssl/demos/certs')
8 files changed, 381 insertions, 0 deletions
diff --git a/CryptoPkg/Library/OpensslLib/openssl/demos/certs/README b/CryptoPkg/Library/OpensslLib/openssl/demos/certs/README new file mode 100644 index 00000000..126663a1 --- /dev/null +++ b/CryptoPkg/Library/OpensslLib/openssl/demos/certs/README @@ -0,0 +1,21 @@ +There is often a need to generate test certificates automatically using +a script. This is often a cause for confusion which can result in incorrect +CA certificates, obsolete V1 certificates or duplicate serial numbers. +The range of command line options can be daunting for a beginner. + +The mkcerts.sh script is an example of how to generate certificates +automatically using scripts. Example creates a root CA, an intermediate CA +signed by the root and several certificates signed by the intermediate CA. + +The script then creates an empty index.txt file and adds entries for the +certificates and generates a CRL. Then one certificate is revoked and a +second CRL generated. + +The script ocsprun.sh runs the test responder on port 8888 covering the +client certificates. + +The script ocspquery.sh queries the status of the certificates using the +test responder. + + + diff --git a/CryptoPkg/Library/OpensslLib/openssl/demos/certs/apps/apps.cnf b/CryptoPkg/Library/OpensslLib/openssl/demos/certs/apps/apps.cnf new file mode 100644 index 00000000..531afe64 --- /dev/null +++ b/CryptoPkg/Library/OpensslLib/openssl/demos/certs/apps/apps.cnf @@ -0,0 +1,69 @@ +# +# OpenSSL configuration file to create apps directory certificates +# + +# This definition stops the following lines choking if HOME or CN +# is undefined. +HOME = . +RANDFILE = $ENV::HOME/.rnd +CN = "Not Defined" + +#################################################################### +[ req ] +default_bits = 2048 +default_keyfile = privkey.pem +# Don't prompt for fields: use those in section directly +prompt = no +distinguished_name = req_distinguished_name +x509_extensions = v3_ca # The extensions to add to the self signed cert +string_mask = utf8only + +# req_extensions = v3_req # The extensions to add to a certificate request + +[ req_distinguished_name ] +countryName = UK + +organizationName = OpenSSL Group +organizationalUnitName = FOR TESTING PURPOSES ONLY +# Take CN from environment so it can come from a script. +commonName = $ENV::CN + +[ usr_cert ] + +# These extensions are added when 'ca' signs a request for an end entity +# certificate + +basicConstraints=critical, CA:FALSE +keyUsage=critical, nonRepudiation, digitalSignature, keyEncipherment + +# This will be displayed in Netscape's comment listbox. +nsComment = "OpenSSL Generated Certificate" + +[ ec_cert ] + +# These extensions are added when 'ca' signs a request for an end entity +# certificate + +basicConstraints=critical, CA:FALSE +keyUsage=critical, nonRepudiation, digitalSignature, keyAgreement + +# This will be displayed in Netscape's comment listbox. +nsComment = "OpenSSL Generated Certificate" + +# PKIX recommendations harmless if included in all certificates. +subjectKeyIdentifier=hash +authorityKeyIdentifier=keyid + +[ v3_ca ] + + +# Extensions for a typical CA + +# PKIX recommendation. + +subjectKeyIdentifier=hash +authorityKeyIdentifier=keyid:always +basicConstraints = critical,CA:true +keyUsage = critical, cRLSign, keyCertSign + + diff --git a/CryptoPkg/Library/OpensslLib/openssl/demos/certs/apps/mkacerts.sh b/CryptoPkg/Library/OpensslLib/openssl/demos/certs/apps/mkacerts.sh new file mode 100644 index 00000000..70984969 --- /dev/null +++ b/CryptoPkg/Library/OpensslLib/openssl/demos/certs/apps/mkacerts.sh @@ -0,0 +1,45 @@ +#!/bin/sh + +# Recreate the demo certificates in the apps directory. + +OPENSSL=openssl + +# Root CA: create certificate directly +CN="OpenSSL Test Root CA" $OPENSSL req -config apps.cnf -x509 -nodes \ + -keyout root.pem -out root.pem -key rootkey.pem -new -days 3650 +# Intermediate CA: request first +CN="OpenSSL Test Intermediate CA" $OPENSSL req -config apps.cnf -nodes \ + -key intkey.pem -out intreq.pem -new +# Sign request: CA extensions +$OPENSSL x509 -req -in intreq.pem -CA root.pem -CAkey rootkey.pem -days 3630 \ + -extfile apps.cnf -extensions v3_ca -CAcreateserial -out intca.pem +# Client certificate: request first +CN="Test Client Cert" $OPENSSL req -config apps.cnf -nodes \ + -key ckey.pem -out creq.pem -new +# Sign using intermediate CA +$OPENSSL x509 -req -in creq.pem -CA intca.pem -CAkey intkey.pem -days 3600 \ + -extfile apps.cnf -extensions usr_cert -CAcreateserial | \ + $OPENSSL x509 -nameopt oneline -subject -issuer >client.pem +# Server certificate: request first +CN="Test Server Cert" $OPENSSL req -config apps.cnf -nodes \ + -key skey.pem -out sreq.pem -new +# Sign using intermediate CA +$OPENSSL x509 -req -in sreq.pem -CA intca.pem -CAkey intkey.pem -days 3600 \ + -extfile apps.cnf -extensions usr_cert -CAcreateserial | \ + $OPENSSL x509 -nameopt oneline -subject -issuer >server.pem +# Server certificate #2: request first +CN="Test Server Cert #2" $OPENSSL req -config apps.cnf -nodes \ + -key skey2.pem -out sreq2.pem -new +# Sign using intermediate CA +$OPENSSL x509 -req -in sreq2.pem -CA intca.pem -CAkey intkey.pem -days 3600 \ + -extfile apps.cnf -extensions usr_cert -CAcreateserial | \ + $OPENSSL x509 -nameopt oneline -subject -issuer >server2.pem + +# Append keys to file. + +cat skey.pem >>server.pem +cat skey2.pem >>server2.pem +cat ckey.pem >>client.pem + +$OPENSSL verify -CAfile root.pem -untrusted intca.pem \ + server2.pem server.pem client.pem diff --git a/CryptoPkg/Library/OpensslLib/openssl/demos/certs/apps/mkxcerts.sh b/CryptoPkg/Library/OpensslLib/openssl/demos/certs/apps/mkxcerts.sh new file mode 100644 index 00000000..0f88a48f --- /dev/null +++ b/CryptoPkg/Library/OpensslLib/openssl/demos/certs/apps/mkxcerts.sh @@ -0,0 +1,29 @@ + +# Create certificates using various algorithms to test multi-certificate +# functionality. + +OPENSSL=../../../apps/openssl +CN="OpenSSL Test RSA SHA-1 cert" $OPENSSL req \ + -config apps.cnf -extensions usr_cert -x509 -nodes \ + -keyout tsha1.pem -out tsha1.pem -new -days 3650 -sha1 +CN="OpenSSL Test RSA SHA-256 cert" $OPENSSL req \ + -config apps.cnf -extensions usr_cert -x509 -nodes \ + -keyout tsha256.pem -out tsha256.pem -new -days 3650 -sha256 +CN="OpenSSL Test RSA SHA-512 cert" $OPENSSL req \ + -config apps.cnf -extensions usr_cert -x509 -nodes \ + -keyout tsha512.pem -out tsha512.pem -new -days 3650 -sha512 + +# Create EC parameters + +$OPENSSL ecparam -name P-256 -out ecp256.pem +$OPENSSL ecparam -name P-384 -out ecp384.pem + +CN="OpenSSL Test P-256 SHA-256 cert" $OPENSSL req \ + -config apps.cnf -extensions ec_cert -x509 -nodes \ + -nodes -keyout tecp256.pem -out tecp256.pem -newkey ec:ecp256.pem \ + -days 3650 -sha256 + +CN="OpenSSL Test P-384 SHA-384 cert" $OPENSSL req \ + -config apps.cnf -extensions ec_cert -x509 -nodes \ + -nodes -keyout tecp384.pem -out tecp384.pem -newkey ec:ecp384.pem \ + -days 3650 -sha384 diff --git a/CryptoPkg/Library/OpensslLib/openssl/demos/certs/ca.cnf b/CryptoPkg/Library/OpensslLib/openssl/demos/certs/ca.cnf new file mode 100644 index 00000000..5a8a5f29 --- /dev/null +++ b/CryptoPkg/Library/OpensslLib/openssl/demos/certs/ca.cnf @@ -0,0 +1,86 @@ +# +# OpenSSL example configuration file for automated certificate creation. +# + +# This definition stops the following lines choking if HOME or CN +# is undefined. +HOME = . +RANDFILE = $ENV::HOME/.rnd +CN = "Not Defined" +default_ca = ca + +#################################################################### +[ req ] +default_bits = 1024 +default_keyfile = privkey.pem +# Don't prompt for fields: use those in section directly +prompt = no +distinguished_name = req_distinguished_name +x509_extensions = v3_ca # The extensions to add to the self signed cert +string_mask = utf8only + +# req_extensions = v3_req # The extensions to add to a certificate request + +[ req_distinguished_name ] +countryName = UK + +organizationName = OpenSSL Group +# Take CN from environment so it can come from a script. +commonName = $ENV::CN + +[ usr_cert ] + +# These extensions are added when 'ca' signs a request for an end entity +# certificate + +basicConstraints=critical, CA:FALSE +keyUsage=critical, nonRepudiation, digitalSignature, keyEncipherment + +# This will be displayed in Netscape's comment listbox. +nsComment = "OpenSSL Generated Certificate" + +# PKIX recommendations harmless if included in all certificates. +subjectKeyIdentifier=hash +authorityKeyIdentifier=keyid +# OCSP responder certificate +[ ocsp_cert ] + +basicConstraints=critical, CA:FALSE +keyUsage=critical, nonRepudiation, digitalSignature, keyEncipherment + +# This will be displayed in Netscape's comment listbox. +nsComment = "OpenSSL Generated Certificate" + +# PKIX recommendations harmless if included in all certificates. +subjectKeyIdentifier=hash +authorityKeyIdentifier=keyid +extendedKeyUsage=OCSPSigning + +[ dh_cert ] + +# These extensions are added when 'ca' signs a request for an end entity +# DH certificate + +basicConstraints=critical, CA:FALSE +keyUsage=critical, keyAgreement + +# PKIX recommendations harmless if included in all certificates. +subjectKeyIdentifier=hash +authorityKeyIdentifier=keyid + +[ v3_ca ] + + +# Extensions for a typical CA + +# PKIX recommendation. + +subjectKeyIdentifier=hash +authorityKeyIdentifier=keyid:always +basicConstraints = critical,CA:true +keyUsage = critical, cRLSign, keyCertSign + +# Minimal CA entry to allow generation of CRLs. +[ca] +database=index.txt +crlnumber=crlnum.txt diff --git a/CryptoPkg/Library/OpensslLib/openssl/demos/certs/mkcerts.sh b/CryptoPkg/Library/OpensslLib/openssl/demos/certs/mkcerts.sh new file mode 100644 index 00000000..18daa6bc --- /dev/null +++ b/CryptoPkg/Library/OpensslLib/openssl/demos/certs/mkcerts.sh @@ -0,0 +1,96 @@ +#!/bin/sh + +OPENSSL=../../apps/openssl +OPENSSL_CONF=../../apps/openssl.cnf +export OPENSSL_CONF + +# Root CA: create certificate directly +CN="Test Root CA" $OPENSSL req -config ca.cnf -x509 -nodes \ + -keyout root.pem -out root.pem -newkey rsa:2048 -days 3650 +# Intermediate CA: request first +CN="Test Intermediate CA" $OPENSSL req -config ca.cnf -nodes \ + -keyout intkey.pem -out intreq.pem -newkey rsa:2048 +# Sign request: CA extensions +$OPENSSL x509 -req -in intreq.pem -CA root.pem -days 3600 \ + -extfile ca.cnf -extensions v3_ca -CAcreateserial -out intca.pem + +# Server certificate: create request first +CN="Test Server Cert" $OPENSSL req -config ca.cnf -nodes \ + -keyout skey.pem -out req.pem -newkey rsa:1024 +# Sign request: end entity extensions +$OPENSSL x509 -req -in req.pem -CA intca.pem -CAkey intkey.pem -days 3600 \ + -extfile ca.cnf -extensions usr_cert -CAcreateserial -out server.pem + +# Client certificate: request first +CN="Test Client Cert" $OPENSSL req -config ca.cnf -nodes \ + -keyout ckey.pem -out creq.pem -newkey rsa:1024 +# Sign using intermediate CA +$OPENSSL x509 -req -in creq.pem -CA intca.pem -CAkey intkey.pem -days 3600 \ + -extfile ca.cnf -extensions usr_cert -CAcreateserial -out client.pem + +# Revoked certificate: request first +CN="Test Revoked Cert" $OPENSSL req -config ca.cnf -nodes \ + -keyout revkey.pem -out rreq.pem -newkey rsa:1024 +# Sign using intermediate CA +$OPENSSL x509 -req -in rreq.pem -CA intca.pem -CAkey intkey.pem -days 3600 \ + -extfile ca.cnf -extensions usr_cert -CAcreateserial -out rev.pem + +# OCSP responder certificate: request first +CN="Test OCSP Responder Cert" $OPENSSL req -config ca.cnf -nodes \ + -keyout respkey.pem -out respreq.pem -newkey rsa:1024 +# Sign using intermediate CA and responder extensions +$OPENSSL x509 -req -in respreq.pem -CA intca.pem -CAkey intkey.pem -days 3600 \ + -extfile ca.cnf -extensions ocsp_cert -CAcreateserial -out resp.pem + +# Example creating a PKCS#3 DH certificate. + +# First DH parameters + +[ -f dhp.pem ] || $OPENSSL genpkey -genparam -algorithm DH -pkeyopt dh_paramgen_prime_len:1024 -out dhp.pem + +# Now a DH private key +$OPENSSL genpkey -paramfile dhp.pem -out dhskey.pem +# Create DH public key file +$OPENSSL pkey -in dhskey.pem -pubout -out dhspub.pem +# Certificate request, key just reuses old one as it is ignored when the +# request is signed. +CN="Test Server DH Cert" $OPENSSL req -config ca.cnf -new \ + -key skey.pem -out dhsreq.pem +# Sign request: end entity DH extensions +$OPENSSL x509 -req -in dhsreq.pem -CA root.pem -days 3600 \ + -force_pubkey dhspub.pem \ + -extfile ca.cnf -extensions dh_cert -CAcreateserial -out dhserver.pem + +# DH client certificate + +$OPENSSL genpkey -paramfile dhp.pem -out dhckey.pem +$OPENSSL pkey -in dhckey.pem -pubout -out dhcpub.pem +CN="Test Client DH Cert" $OPENSSL req -config ca.cnf -new \ + -key skey.pem -out dhcreq.pem +$OPENSSL x509 -req -in dhcreq.pem -CA root.pem -days 3600 \ + -force_pubkey dhcpub.pem \ + -extfile ca.cnf -extensions dh_cert -CAcreateserial -out dhclient.pem + +# Examples of CRL generation without the need to use 'ca' to issue +# certificates. +# Create zero length index file +>index.txt +# Create initial crl number file +echo 01 >crlnum.txt +# Add entries for server and client certs +$OPENSSL ca -valid server.pem -keyfile root.pem -cert root.pem \ + -config ca.cnf -md sha1 +$OPENSSL ca -valid client.pem -keyfile root.pem -cert root.pem \ + -config ca.cnf -md sha1 +$OPENSSL ca -valid rev.pem -keyfile root.pem -cert root.pem \ + -config ca.cnf -md sha1 +# Generate a CRL. +$OPENSSL ca -gencrl -keyfile root.pem -cert root.pem -config ca.cnf \ + -md sha1 -crldays 1 -out crl1.pem +# Revoke a certificate +openssl ca -revoke rev.pem -crl_reason superseded \ + -keyfile root.pem -cert root.pem -config ca.cnf -md sha1 +# Generate another CRL +$OPENSSL ca -gencrl -keyfile root.pem -cert root.pem -config ca.cnf \ + -md sha1 -crldays 1 -out crl2.pem + diff --git a/CryptoPkg/Library/OpensslLib/openssl/demos/certs/ocspquery.sh b/CryptoPkg/Library/OpensslLib/openssl/demos/certs/ocspquery.sh new file mode 100644 index 00000000..f6641133 --- /dev/null +++ b/CryptoPkg/Library/OpensslLib/openssl/demos/certs/ocspquery.sh @@ -0,0 +1,21 @@ +# Example querying OpenSSL test responder. Assumes ocsprun.sh has been +# called. + +OPENSSL=../../apps/openssl +OPENSSL_CONF=../../apps/openssl.cnf +export OPENSSL_CONF + +# Send responder queries for each certificate. + +echo "Requesting OCSP status for each certificate" +$OPENSSL ocsp -issuer intca.pem -cert client.pem -CAfile root.pem \ + -url http://127.0.0.1:8888/ +$OPENSSL ocsp -issuer intca.pem -cert server.pem -CAfile root.pem \ + -url http://127.0.0.1:8888/ +$OPENSSL ocsp -issuer intca.pem -cert rev.pem -CAfile root.pem \ + -url http://127.0.0.1:8888/ +# One query for all three certificates. +echo "Requesting OCSP status for three certificates in one request" +$OPENSSL ocsp -issuer intca.pem \ + -cert client.pem -cert server.pem -cert rev.pem \ + -CAfile root.pem -url http://127.0.0.1:8888/ diff --git a/CryptoPkg/Library/OpensslLib/openssl/demos/certs/ocsprun.sh b/CryptoPkg/Library/OpensslLib/openssl/demos/certs/ocsprun.sh new file mode 100644 index 00000000..a65e5f2f --- /dev/null +++ b/CryptoPkg/Library/OpensslLib/openssl/demos/certs/ocsprun.sh @@ -0,0 +1,14 @@ +# Example of running an querying OpenSSL test OCSP responder. +# This assumes "mkcerts.sh" or similar has been run to set up the +# necessary file structure. + +OPENSSL=../../apps/openssl +OPENSSL_CONF=../../apps/openssl.cnf +export OPENSSL_CONF + +# Run OCSP responder. + +PORT=8888 + +$OPENSSL ocsp -port $PORT -index index.txt -CA intca.pem \ + -rsigner resp.pem -rkey respkey.pem -rother intca.pem $* |