Scripts for testing ECC ciphersuites.
Submitted by: Sun Microsystems Labs
This commit is contained in:
parent
b2a4e959c9
commit
18a31aa861
5 changed files with 579 additions and 0 deletions
93
demos/ssltest-ecc/ECC-RSAcertgen.sh
Executable file
93
demos/ssltest-ecc/ECC-RSAcertgen.sh
Executable file
|
@ -0,0 +1,93 @@
|
|||
#!/bin/sh
|
||||
|
||||
# For a list of supported curves, use "apps/openssl ecparam -list_curves".
|
||||
|
||||
# Path to the openssl distribution
|
||||
OPENSSL_DIR=../..
|
||||
# Path to the openssl program
|
||||
OPENSSL_CMD=$OPENSSL_DIR/apps/openssl
|
||||
# Option to find configuration file
|
||||
OPENSSL_CNF="-config $OPENSSL_DIR/apps/openssl.cnf"
|
||||
# Directory where certificates are stored
|
||||
CERTS_DIR=./Certs
|
||||
# Directory where private key files are stored
|
||||
KEYS_DIR=$CERTS_DIR
|
||||
# Directory where combo files (containing a certificate and corresponding
|
||||
# private key together) are stored
|
||||
COMBO_DIR=$CERTS_DIR
|
||||
# cat command
|
||||
CAT=/bin/cat
|
||||
# rm command
|
||||
RM=/bin/rm
|
||||
# The certificate will expire these many days after the issue date.
|
||||
DAYS=1500
|
||||
TEST_CA_FILE=rsa1024TestCA
|
||||
|
||||
TEST_SERVER_CURVE=sect163r1
|
||||
TEST_SERVER_FILE=sect163r1-rsaTestServer
|
||||
TEST_SERVER_DN="/C=US/ST=CA/L=Mountain View/O=Sun Microsystems, Inc./OU=Sun Microsystems Laboratories/CN=Test Server (sect163r1 key signed with RSA)"
|
||||
|
||||
TEST_CLIENT_CURVE=sect163r1
|
||||
TEST_CLIENT_FILE=sect163r1-rsaTestClient
|
||||
TEST_CLIENT_DN="/C=US/ST=CA/L=Mountain View/O=Sun Microsystems, Inc./OU=Sun Microsystems Laboratories/CN=Test Client (sect163r1 key signed with RSA)"
|
||||
|
||||
# Generating an EC certificate involves the following main steps
|
||||
# 1. Generating curve parameters (if needed)
|
||||
# 2. Generating a certificate request
|
||||
# 3. Signing the certificate request
|
||||
# 4. [Optional] One can combine the cert and private key into a single
|
||||
# file and also delete the certificate request
|
||||
|
||||
|
||||
echo "GENERATING A TEST SERVER CERTIFICATE (ECC key signed with RSA)"
|
||||
echo "=============================================================="
|
||||
$OPENSSL_CMD ecparam -name $TEST_SERVER_CURVE -out $TEST_SERVER_CURVE.pem
|
||||
|
||||
$OPENSSL_CMD req $OPENSSL_CNF -nodes -subj "$TEST_SERVER_DN" \
|
||||
-keyout $KEYS_DIR/$TEST_SERVER_FILE.key.pem \
|
||||
-newkey ecdsa:$TEST_SERVER_CURVE.pem -new \
|
||||
-out $CERTS_DIR/$TEST_SERVER_FILE.req.pem
|
||||
|
||||
$OPENSSL_CMD x509 -req -days $DAYS \
|
||||
-in $CERTS_DIR/$TEST_SERVER_FILE.req.pem \
|
||||
-CA $CERTS_DIR/$TEST_CA_FILE.cert.pem \
|
||||
-CAkey $KEYS_DIR/$TEST_CA_FILE.key.pem \
|
||||
-out $CERTS_DIR/$TEST_SERVER_FILE.cert.pem -CAcreateserial
|
||||
|
||||
# Display the certificate
|
||||
$OPENSSL_CMD x509 -in $CERTS_DIR/$TEST_SERVER_FILE.cert.pem -text
|
||||
|
||||
# Place the certificate and key in a common file
|
||||
$OPENSSL_CMD x509 -in $CERTS_DIR/$TEST_SERVER_FILE.cert.pem -issuer -subject \
|
||||
> $COMBO_DIR/$TEST_SERVER_FILE.pem
|
||||
$CAT $KEYS_DIR/$TEST_SERVER_FILE.key.pem >> $COMBO_DIR/$TEST_SERVER_FILE.pem
|
||||
|
||||
# Remove the cert request file (no longer needed)
|
||||
$RM $CERTS_DIR/$TEST_SERVER_FILE.req.pem
|
||||
|
||||
echo "GENERATING A TEST CLIENT CERTIFICATE (ECC key signed with RSA)"
|
||||
echo "=============================================================="
|
||||
$OPENSSL_CMD ecparam -name $TEST_CLIENT_CURVE -out $TEST_CLIENT_CURVE.pem
|
||||
|
||||
$OPENSSL_CMD req $OPENSSL_CNF -nodes -subj "$TEST_CLIENT_DN" \
|
||||
-keyout $KEYS_DIR/$TEST_CLIENT_FILE.key.pem \
|
||||
-newkey ecdsa:$TEST_CLIENT_CURVE.pem -new \
|
||||
-out $CERTS_DIR/$TEST_CLIENT_FILE.req.pem
|
||||
|
||||
$OPENSSL_CMD x509 -req -days $DAYS \
|
||||
-in $CERTS_DIR/$TEST_CLIENT_FILE.req.pem \
|
||||
-CA $CERTS_DIR/$TEST_CA_FILE.cert.pem \
|
||||
-CAkey $KEYS_DIR/$TEST_CA_FILE.key.pem \
|
||||
-out $CERTS_DIR/$TEST_CLIENT_FILE.cert.pem -CAcreateserial
|
||||
|
||||
# Display the certificate
|
||||
$OPENSSL_CMD x509 -in $CERTS_DIR/$TEST_CLIENT_FILE.cert.pem -text
|
||||
|
||||
# Place the certificate and key in a common file
|
||||
$OPENSSL_CMD x509 -in $CERTS_DIR/$TEST_CLIENT_FILE.cert.pem -issuer -subject \
|
||||
> $COMBO_DIR/$TEST_CLIENT_FILE.pem
|
||||
$CAT $KEYS_DIR/$TEST_CLIENT_FILE.key.pem >> $COMBO_DIR/$TEST_CLIENT_FILE.pem
|
||||
|
||||
# Remove the cert request file (no longer needed)
|
||||
$RM $CERTS_DIR/$TEST_CLIENT_FILE.req.pem
|
||||
|
173
demos/ssltest-ecc/ECCcertgen.sh
Executable file
173
demos/ssltest-ecc/ECCcertgen.sh
Executable file
|
@ -0,0 +1,173 @@
|
|||
#!/bin/sh
|
||||
|
||||
# For a list of supported curves, use "apps/openssl ecparam -list_curves".
|
||||
|
||||
# Path to the openssl distribution
|
||||
OPENSSL_DIR=../..
|
||||
# Path to the openssl program
|
||||
OPENSSL_CMD=$OPENSSL_DIR/apps/openssl
|
||||
# Option to find configuration file
|
||||
OPENSSL_CNF="-config $OPENSSL_DIR/apps/openssl.cnf"
|
||||
# Directory where certificates are stored
|
||||
CERTS_DIR=./Certs
|
||||
# Directory where private key files are stored
|
||||
KEYS_DIR=$CERTS_DIR
|
||||
# Directory where combo files (containing a certificate and corresponding
|
||||
# private key together) are stored
|
||||
COMBO_DIR=$CERTS_DIR
|
||||
# cat command
|
||||
CAT=/bin/cat
|
||||
# rm command
|
||||
RM=/bin/rm
|
||||
# The certificate will expire these many days after the issue date.
|
||||
DAYS=1500
|
||||
TEST_CA_CURVE=secp160r1
|
||||
TEST_CA_FILE=secp160r1TestCA
|
||||
TEST_CA_DN="/C=US/ST=CA/L=Mountain View/O=Sun Microsystems, Inc./OU=Sun Microsystems Laboratories/CN=Test CA (Elliptic curve secp160r1)"
|
||||
|
||||
TEST_SERVER_CURVE=secp160r2
|
||||
TEST_SERVER_FILE=secp160r2TestServer
|
||||
TEST_SERVER_DN="/C=US/ST=CA/L=Mountain View/O=Sun Microsystems, Inc./OU=Sun Microsystems Laboratories/CN=Test Server (Elliptic curve secp160r2)"
|
||||
|
||||
TEST_CLIENT_CURVE=secp160r2
|
||||
TEST_CLIENT_FILE=secp160r2TestClient
|
||||
TEST_CLIENT_DN="/C=US/ST=CA/L=Mountain View/O=Sun Microsystems, Inc./OU=Sun Microsystems Laboratories/CN=Test Client (Elliptic curve secp160r2)"
|
||||
|
||||
# Generating an EC certificate involves the following main steps
|
||||
# 1. Generating curve parameters (if needed)
|
||||
# 2. Generating a certificate request
|
||||
# 3. Signing the certificate request
|
||||
# 4. [Optional] One can combine the cert and private key into a single
|
||||
# file and also delete the certificate request
|
||||
|
||||
echo "Generating self-signed CA certificate (on curve $TEST_CA_CURVE)"
|
||||
echo "==============================================================="
|
||||
$OPENSSL_CMD ecparam -name $TEST_CA_CURVE -out $TEST_CA_CURVE.pem
|
||||
|
||||
# Generate a new certificate request in $TEST_CA_FILE.req.pem. A
|
||||
# new ecdsa (actually ECC) key pair is generated on the parameters in
|
||||
# $TEST_CA_CURVE.pem and the private key is saved in $TEST_CA_FILE.key.pem
|
||||
# WARNING: By using the -nodes option, we force the private key to be
|
||||
# stored in the clear (rather than encrypted with a password).
|
||||
$OPENSSL_CMD req $OPENSSL_CNF -nodes -subj "$TEST_CA_DN" \
|
||||
-keyout $KEYS_DIR/$TEST_CA_FILE.key.pem \
|
||||
-newkey ecdsa:$TEST_CA_CURVE.pem -new \
|
||||
-out $CERTS_DIR/$TEST_CA_FILE.req.pem
|
||||
|
||||
# Sign the certificate request in $TEST_CA_FILE.req.pem using the
|
||||
# private key in $TEST_CA_FILE.key.pem and include the CA extension.
|
||||
# Make the certificate valid for 1500 days from the time of signing.
|
||||
# The certificate is written into $TEST_CA_FILE.cert.pem
|
||||
$OPENSSL_CMD x509 -req -days $DAYS \
|
||||
-in $CERTS_DIR/$TEST_CA_FILE.req.pem \
|
||||
-extfile $OPENSSL_DIR/apps/openssl.cnf \
|
||||
-extensions v3_ca \
|
||||
-signkey $KEYS_DIR/$TEST_CA_FILE.key.pem \
|
||||
-out $CERTS_DIR/$TEST_CA_FILE.cert.pem
|
||||
|
||||
# Display the certificate
|
||||
$OPENSSL_CMD x509 -in $CERTS_DIR/$TEST_CA_FILE.cert.pem -text
|
||||
|
||||
# Place the certificate and key in a common file
|
||||
$OPENSSL_CMD x509 -in $CERTS_DIR/$TEST_CA_FILE.cert.pem -issuer -subject \
|
||||
> $COMBO_DIR/$TEST_CA_FILE.pem
|
||||
$CAT $KEYS_DIR/$TEST_CA_FILE.key.pem >> $COMBO_DIR/$TEST_CA_FILE.pem
|
||||
|
||||
# Remove the cert request file (no longer needed)
|
||||
$RM $CERTS_DIR/$TEST_CA_FILE.req.pem
|
||||
|
||||
echo "GENERATING A TEST SERVER CERTIFICATE (on elliptic curve $TEST_SERVER_CURVE)"
|
||||
echo "=========================================================================="
|
||||
# Generate parameters for curve $TEST_SERVER_CURVE, if needed
|
||||
$OPENSSL_CMD ecparam -name $TEST_SERVER_CURVE -out $TEST_SERVER_CURVE.pem
|
||||
|
||||
# Generate a new certificate request in $TEST_SERVER_FILE.req.pem. A
|
||||
# new ecdsa (actually ECC) key pair is generated on the parameters in
|
||||
# $TEST_SERVER_CURVE.pem and the private key is saved in
|
||||
# $TEST_SERVER_FILE.key.pem
|
||||
# WARNING: By using the -nodes option, we force the private key to be
|
||||
# stored in the clear (rather than encrypted with a password).
|
||||
$OPENSSL_CMD req $OPENSSL_CNF -nodes -subj "$TEST_SERVER_DN" \
|
||||
-keyout $KEYS_DIR/$TEST_SERVER_FILE.key.pem \
|
||||
-newkey ecdsa:$TEST_SERVER_CURVE.pem -new \
|
||||
-out $CERTS_DIR/$TEST_SERVER_FILE.req.pem
|
||||
|
||||
# Sign the certificate request in $TEST_SERVER_FILE.req.pem using the
|
||||
# CA certificate in $TEST_CA_FILE.cert.pem and the CA private key in
|
||||
# $TEST_CA_FILE.key.pem. Since we do not have an existing serial number
|
||||
# file for this CA, create one. Make the certificate valid for $DAYS days
|
||||
# from the time of signing. The certificate is written into
|
||||
# $TEST_SERVER_FILE.cert.pem
|
||||
$OPENSSL_CMD x509 -req -days $DAYS \
|
||||
-in $CERTS_DIR/$TEST_SERVER_FILE.req.pem \
|
||||
-CA $CERTS_DIR/$TEST_CA_FILE.cert.pem \
|
||||
-CAkey $KEYS_DIR/$TEST_CA_FILE.key.pem \
|
||||
-out $CERTS_DIR/$TEST_SERVER_FILE.cert.pem -CAcreateserial
|
||||
|
||||
# Display the certificate
|
||||
$OPENSSL_CMD x509 -in $CERTS_DIR/$TEST_SERVER_FILE.cert.pem -text
|
||||
|
||||
# Place the certificate and key in a common file
|
||||
$OPENSSL_CMD x509 -in $CERTS_DIR/$TEST_SERVER_FILE.cert.pem -issuer -subject \
|
||||
> $COMBO_DIR/$TEST_SERVER_FILE.pem
|
||||
$CAT $KEYS_DIR/$TEST_SERVER_FILE.key.pem >> $COMBO_DIR/$TEST_SERVER_FILE.pem
|
||||
|
||||
# Remove the cert request file (no longer needed)
|
||||
$RM $CERTS_DIR/$TEST_SERVER_FILE.req.pem
|
||||
|
||||
echo "GENERATING A TEST CLIENT CERTIFICATE (on elliptic curve $TEST_CLIENT_CURVE)"
|
||||
echo "=========================================================================="
|
||||
# Generate parameters for curve $TEST_CLIENT_CURVE, if needed
|
||||
$OPENSSL_CMD ecparam -name $TEST_CLIENT_CURVE -out $TEST_CLIENT_CURVE.pem
|
||||
|
||||
# Generate a new certificate request in $TEST_CLIENT_FILE.req.pem. A
|
||||
# new ecdsa (actually ECC) key pair is generated on the parameters in
|
||||
# $TEST_CLIENT_CURVE.pem and the private key is saved in
|
||||
# $TEST_CLIENT_FILE.key.pem
|
||||
# WARNING: By using the -nodes option, we force the private key to be
|
||||
# stored in the clear (rather than encrypted with a password).
|
||||
$OPENSSL_CMD req $OPENSSL_CNF -nodes -subj "$TEST_CLIENT_DN" \
|
||||
-keyout $KEYS_DIR/$TEST_CLIENT_FILE.key.pem \
|
||||
-newkey ecdsa:$TEST_CLIENT_CURVE.pem -new \
|
||||
-out $CERTS_DIR/$TEST_CLIENT_FILE.req.pem
|
||||
|
||||
# Sign the certificate request in $TEST_CLIENT_FILE.req.pem using the
|
||||
# CA certificate in $TEST_CA_FILE.cert.pem and the CA private key in
|
||||
# $TEST_CA_FILE.key.pem. Since we do not have an existing serial number
|
||||
# file for this CA, create one. Make the certificate valid for $DAYS days
|
||||
# from the time of signing. The certificate is written into
|
||||
# $TEST_CLIENT_FILE.cert.pem
|
||||
$OPENSSL_CMD x509 -req -days $DAYS \
|
||||
-in $CERTS_DIR/$TEST_CLIENT_FILE.req.pem \
|
||||
-CA $CERTS_DIR/$TEST_CA_FILE.cert.pem \
|
||||
-CAkey $KEYS_DIR/$TEST_CA_FILE.key.pem \
|
||||
-out $CERTS_DIR/$TEST_CLIENT_FILE.cert.pem -CAcreateserial
|
||||
|
||||
# Display the certificate
|
||||
$OPENSSL_CMD x509 -in $CERTS_DIR/$TEST_CLIENT_FILE.cert.pem -text
|
||||
|
||||
# Place the certificate and key in a common file
|
||||
$OPENSSL_CMD x509 -in $CERTS_DIR/$TEST_CLIENT_FILE.cert.pem -issuer -subject \
|
||||
> $COMBO_DIR/$TEST_CLIENT_FILE.pem
|
||||
$CAT $KEYS_DIR/$TEST_CLIENT_FILE.key.pem >> $COMBO_DIR/$TEST_CLIENT_FILE.pem
|
||||
|
||||
# Remove the cert request file (no longer needed)
|
||||
$RM $CERTS_DIR/$TEST_CLIENT_FILE.req.pem
|
||||
|
||||
############################################################################
|
||||
#OLD STUFF (ignore this)
|
||||
#
|
||||
#These are the commands I used, but you may wish to add -named_curve to the first command per our discussion about parameter encoding in certificates.
|
||||
#
|
||||
#apps/openssl ecdsaparam -out nist192.param.pem -NIST_192
|
||||
#
|
||||
#apps/openssl ecdsaparam -out nistB163.param.pem -named_curve -NIST_B163
|
||||
# the nodes option causes output key to be stored unencrypted
|
||||
#apps/openssl req -nodes -keyout nistB163.priv.pem -newkey ecdsa:nistB163.param.pem -new -out nistB163.req.pem
|
||||
#apps/openssl x509 -req -in nistB163.req.pem -extfile apps/cert.cnf -extensions v3_ca -signkey nistB163.priv.pem -out nistB163.cert.pem
|
||||
#
|
||||
#crypto/x509/x509_ext.c has X509_EXTENSION *X509_get_ext(X509 *x, int loc)
|
||||
#crypto/asn1/t_x509.c has code to print certificates
|
||||
#crypto/x509v3/v3_prn.c has code to print extensions X509V3_extensions_print
|
||||
|
||||
|
13
demos/ssltest-ecc/README
Normal file
13
demos/ssltest-ecc/README
Normal file
|
@ -0,0 +1,13 @@
|
|||
Scripts for using ECC ciphersuites with test/testssl.
|
||||
|
||||
Use ECCcertgen.sh, RSAcertgen.sh, ECC-RSAcertgen.sh to generate
|
||||
root, client and server certs of the following types:
|
||||
|
||||
ECC certs signed with ECDSA
|
||||
RSA certs signed with RSA
|
||||
ECC certs signed with RSA
|
||||
|
||||
Afterwards, you can use ssltest.sh to run the various tests;
|
||||
specify one of the following options:
|
||||
|
||||
aecdh, ecdh-ecdsa, ecdhe-ecdsa, ecdh-rsa, ecdhe-rsa
|
115
demos/ssltest-ecc/RSAcertgen.sh
Executable file
115
demos/ssltest-ecc/RSAcertgen.sh
Executable file
|
@ -0,0 +1,115 @@
|
|||
#!/bin/sh
|
||||
|
||||
# For a list of supported curves, use "apps/openssl ecparam -list_curves".
|
||||
|
||||
# Path to the openssl distribution
|
||||
OPENSSL_DIR=../..
|
||||
# Path to the openssl program
|
||||
OPENSSL_CMD=$OPENSSL_DIR/apps/openssl
|
||||
# Option to find configuration file
|
||||
OPENSSL_CNF="-config $OPENSSL_DIR/apps/openssl.cnf"
|
||||
# Directory where certificates are stored
|
||||
CERTS_DIR=./Certs
|
||||
# Directory where private key files are stored
|
||||
KEYS_DIR=$CERTS_DIR
|
||||
# Directory where combo files (containing a certificate and corresponding
|
||||
# private key together) are stored
|
||||
COMBO_DIR=$CERTS_DIR
|
||||
# cat command
|
||||
CAT=/bin/cat
|
||||
# rm command
|
||||
RM=/bin/rm
|
||||
# The certificate will expire these many days after the issue date.
|
||||
DAYS=1500
|
||||
TEST_CA_FILE=rsa1024TestCA
|
||||
TEST_CA_DN="/C=US/ST=CA/L=Mountain View/O=Sun Microsystems, Inc./OU=Sun Microsystems Laboratories/CN=Test CA (1024 bit RSA)"
|
||||
|
||||
TEST_SERVER_FILE=rsa1024TestServer
|
||||
TEST_SERVER_DN="/C=US/ST=CA/L=Mountain View/O=Sun Microsystems, Inc./OU=Sun Microsystems Laboratories/CN=Test Server (1024 bit RSA)"
|
||||
|
||||
TEST_CLIENT_FILE=rsa1024TestClient
|
||||
TEST_CLIENT_DN="/C=US/ST=CA/L=Mountain View/O=Sun Microsystems, Inc./OU=Sun Microsystems Laboratories/CN=Test Client (1024 bit RSA)"
|
||||
|
||||
# Generating an EC certificate involves the following main steps
|
||||
# 1. Generating curve parameters (if needed)
|
||||
# 2. Generating a certificate request
|
||||
# 3. Signing the certificate request
|
||||
# 4. [Optional] One can combine the cert and private key into a single
|
||||
# file and also delete the certificate request
|
||||
|
||||
echo "Generating self-signed CA certificate (RSA)"
|
||||
echo "==========================================="
|
||||
|
||||
$OPENSSL_CMD req $OPENSSL_CNF -nodes -subj "$TEST_CA_DN" \
|
||||
-keyout $KEYS_DIR/$TEST_CA_FILE.key.pem \
|
||||
-newkey rsa:1024 -new \
|
||||
-out $CERTS_DIR/$TEST_CA_FILE.req.pem
|
||||
|
||||
$OPENSSL_CMD x509 -req -days $DAYS \
|
||||
-in $CERTS_DIR/$TEST_CA_FILE.req.pem \
|
||||
-extfile $OPENSSL_DIR/apps/openssl.cnf \
|
||||
-extensions v3_ca \
|
||||
-signkey $KEYS_DIR/$TEST_CA_FILE.key.pem \
|
||||
-out $CERTS_DIR/$TEST_CA_FILE.cert.pem
|
||||
|
||||
# Display the certificate
|
||||
$OPENSSL_CMD x509 -in $CERTS_DIR/$TEST_CA_FILE.cert.pem -text
|
||||
|
||||
# Place the certificate and key in a common file
|
||||
$OPENSSL_CMD x509 -in $CERTS_DIR/$TEST_CA_FILE.cert.pem -issuer -subject \
|
||||
> $COMBO_DIR/$TEST_CA_FILE.pem
|
||||
$CAT $KEYS_DIR/$TEST_CA_FILE.key.pem >> $COMBO_DIR/$TEST_CA_FILE.pem
|
||||
|
||||
# Remove the cert request file (no longer needed)
|
||||
$RM $CERTS_DIR/$TEST_CA_FILE.req.pem
|
||||
|
||||
echo "GENERATING A TEST SERVER CERTIFICATE (RSA)"
|
||||
echo "=========================================="
|
||||
|
||||
$OPENSSL_CMD req $OPENSSL_CNF -nodes -subj "$TEST_SERVER_DN" \
|
||||
-keyout $KEYS_DIR/$TEST_SERVER_FILE.key.pem \
|
||||
-newkey rsa:1024 -new \
|
||||
-out $CERTS_DIR/$TEST_SERVER_FILE.req.pem
|
||||
|
||||
$OPENSSL_CMD x509 -req -days $DAYS \
|
||||
-in $CERTS_DIR/$TEST_SERVER_FILE.req.pem \
|
||||
-CA $CERTS_DIR/$TEST_CA_FILE.cert.pem \
|
||||
-CAkey $KEYS_DIR/$TEST_CA_FILE.key.pem \
|
||||
-out $CERTS_DIR/$TEST_SERVER_FILE.cert.pem -CAcreateserial
|
||||
|
||||
# Display the certificate
|
||||
$OPENSSL_CMD x509 -in $CERTS_DIR/$TEST_SERVER_FILE.cert.pem -text
|
||||
|
||||
# Place the certificate and key in a common file
|
||||
$OPENSSL_CMD x509 -in $CERTS_DIR/$TEST_SERVER_FILE.cert.pem -issuer -subject \
|
||||
> $COMBO_DIR/$TEST_SERVER_FILE.pem
|
||||
$CAT $KEYS_DIR/$TEST_SERVER_FILE.key.pem >> $COMBO_DIR/$TEST_SERVER_FILE.pem
|
||||
|
||||
# Remove the cert request file (no longer needed)
|
||||
$RM $CERTS_DIR/$TEST_SERVER_FILE.req.pem
|
||||
|
||||
echo "GENERATING A TEST CLIENT CERTIFICATE (RSA)"
|
||||
echo "=========================================="
|
||||
|
||||
$OPENSSL_CMD req $OPENSSL_CNF -nodes -subj "$TEST_CLIENT_DN" \
|
||||
-keyout $KEYS_DIR/$TEST_CLIENT_FILE.key.pem \
|
||||
-newkey rsa:1024 -new \
|
||||
-out $CERTS_DIR/$TEST_CLIENT_FILE.req.pem
|
||||
|
||||
$OPENSSL_CMD x509 -req -days $DAYS \
|
||||
-in $CERTS_DIR/$TEST_CLIENT_FILE.req.pem \
|
||||
-CA $CERTS_DIR/$TEST_CA_FILE.cert.pem \
|
||||
-CAkey $KEYS_DIR/$TEST_CA_FILE.key.pem \
|
||||
-out $CERTS_DIR/$TEST_CLIENT_FILE.cert.pem -CAcreateserial
|
||||
|
||||
# Display the certificate
|
||||
$OPENSSL_CMD x509 -in $CERTS_DIR/$TEST_CLIENT_FILE.cert.pem -text
|
||||
|
||||
# Place the certificate and key in a common file
|
||||
$OPENSSL_CMD x509 -in $CERTS_DIR/$TEST_CLIENT_FILE.cert.pem -issuer -subject \
|
||||
> $COMBO_DIR/$TEST_CLIENT_FILE.pem
|
||||
$CAT $KEYS_DIR/$TEST_CLIENT_FILE.key.pem >> $COMBO_DIR/$TEST_CLIENT_FILE.pem
|
||||
|
||||
# Remove the cert request file (no longer needed)
|
||||
$RM $CERTS_DIR/$TEST_CLIENT_FILE.req.pem
|
||||
|
185
demos/ssltest-ecc/ssltest.sh
Executable file
185
demos/ssltest-ecc/ssltest.sh
Executable file
|
@ -0,0 +1,185 @@
|
|||
#! /bin/sh
|
||||
# Tests ECC cipher suites using ssltest. Requires one argument which could
|
||||
# be aecdh or ecdh-ecdsa or ecdhe-ecdsa or ecdh-rsa or ecdhe-rsa.
|
||||
# A second optional argument can be one of ssl2 ssl3 or tls1
|
||||
|
||||
if [ "$1" = "" ]; then
|
||||
(echo "Usage: $0 test [ protocol ]"
|
||||
echo " where test is one of aecdh, ecdh-ecdsa, ecdhe-ecdsa, ecdh-rsa, ecdhe-rsa"
|
||||
echo " and protocol (optional) is one of ssl2, ssl3, tls1"
|
||||
echo "Run RSAcertgen.sh, ECC-RSAcertgen.sh, ECCcertgen.sh first."
|
||||
) >&2
|
||||
exit 1
|
||||
fi
|
||||
|
||||
|
||||
OPENSSL_DIR=../..
|
||||
CERTS_DIR=./Certs
|
||||
SSLTEST=$OPENSSL_DIR/test/ssltest
|
||||
# SSL protocol version to test (one of ssl2 ssl3 or tls1)"
|
||||
SSLVERSION=
|
||||
|
||||
# These don't really require any certificates
|
||||
AECDH_CIPHER_LIST="EXP-AECDH-RC4-40-SHA EXP-AECDH-DES-40-CBC-SHA AECDH-DES-CBC3-SHA AECDH-DES-CBC-SHA AECDH-RC4-SHA AECDH-NULL-SHA"
|
||||
|
||||
# These require ECC certificates signed with ECDSA
|
||||
# The EC public key must be authorized for key agreement.
|
||||
ECDH_ECDSA_CIPHER_LIST="EXP-ECDH-ECDSA-RC4-56-SHA EXP-ECDH-ECDSA-RC4-40-SHA ECDH-ECDSA-AES256-SHA ECDH-ECDSA-AES128-SHA ECDH-ECDSA-DES-CBC3-SHA ECDH-ECDSA-DES-CBC-SHA ECDH-ECDSA-RC4-SHA ECDH-ECDSA-NULL-SHA"
|
||||
|
||||
# These require ECC certificates.
|
||||
# The EC public key must be authorized for digital signature.
|
||||
ECDHE_ECDSA_CIPHER_LIST="ECDHE-ECDSA-AES128-SHA"
|
||||
|
||||
# These require ECC certificates signed with RSA.
|
||||
# The EC public key must be authorized for key agreement.
|
||||
ECDH_RSA_CIPHER_LIST="EXP-ECDH-RSA-RC4-56-SHA EXP-ECDH-RSA-RC4-40-SHA ECDH-RSA-AES256-SHA ECDH-RSA-AES128-SHA ECDH-RSA-DES-CBC3-SHA ECDH-RSA-DES-CBC-SHA ECDH-RSA-RC4-SHA ECDH-RSA-NULL-SHA"
|
||||
|
||||
# These require RSA certificates.
|
||||
# The RSA public key must be authorized for digital signature.
|
||||
ECDHE_RSA_CIPHER_LIST="ECDHE-RSA-AES128-SHA"
|
||||
|
||||
# List of Elliptic curves over which we wish to test generation of
|
||||
# ephemeral ECDH keys when using AECDH or ECDHE ciphers
|
||||
# NOTE: secp192r1 = prime192v1 and secp256r1 = prime256v1
|
||||
#ELLIPTIC_CURVE_LIST="secp112r1 sect113r2 secp128r1 sect131r1 secp160k1 sect163r2 wap-wsg-idm-ecid-wtls7 c2pnb163v3 c2pnb176v3 c2tnb191v3 secp192r1 prime192v3 sect193r2 secp224r1 wap-wsg-idm-ecid-wtls10 sect239k1 prime239v2 secp256r1 prime256v1 sect283k1 secp384r1 sect409r1 secp521r1 sect571r1"
|
||||
ELLIPTIC_CURVE_LIST="sect163k1 sect163r1 sect163r2 sect193r1 sect193r2 sect233k1 sect233r1 sect239k1 sect283k1 sect283r1 sect409k1 sect409r1 sect571k1 sect571r1 secp160k1 secp160r1 secp160r2 secp192k1 prime192v1 secp224k1 secp224r1 secp256k1 prime256v1 secp384r1 secp521r1"
|
||||
|
||||
DEFAULT_CURVE="sect163r2"
|
||||
|
||||
if [ "$2" = "" ]; then
|
||||
if [ "$SSL_VERSION" = "" ]; then
|
||||
SSL_VERSION=""
|
||||
else
|
||||
SSL_VERSION="-$SSL_VERSION"
|
||||
fi
|
||||
else
|
||||
SSL_VERSION="-$2"
|
||||
fi
|
||||
|
||||
#==============================================================
|
||||
# Anonymous cipher suites do not require key or certificate files
|
||||
# but ssltest expects a cert file and complains if it can't
|
||||
# open the default one.
|
||||
SERVER_PEM=$OPENSSL_DIR/apps/server.pem
|
||||
|
||||
if [ "$1" = "aecdh" ]; then
|
||||
for cipher in $AECDH_CIPHER_LIST
|
||||
do
|
||||
echo "Testing $cipher"
|
||||
$SSLTEST $SSL_VERSION -cert $SERVER_PEM -cipher $cipher
|
||||
done
|
||||
#--------------------------------------------------------------
|
||||
for curve in $ELLIPTIC_CURVE_LIST
|
||||
do
|
||||
echo "Testing AECDH-NULL-SHA (with $curve)"
|
||||
$SSLTEST $SSL_VERSION -cert $SERVER_PEM \
|
||||
-named_curve $curve -cipher AECDH-NULL-SHA
|
||||
done
|
||||
|
||||
for curve in $ELLIPTIC_CURVE_LIST
|
||||
do
|
||||
echo "Testing EXP-AECDH-RC4-40-SHA (with $curve)"
|
||||
$SSLTEST $SSL_VERSION -cert $SERVER_PEM \
|
||||
-named_curve $curve -cipher EXP-AECDH-RC4-40-SHA
|
||||
done
|
||||
fi
|
||||
|
||||
#==============================================================
|
||||
# Both ECDH-ECDSA and ECDHE-ECDSA cipher suites require
|
||||
# the server to have an ECC certificate signed with ECDSA.
|
||||
CA_PEM=$CERTS_DIR/secp160r1TestCA.pem
|
||||
SERVER_PEM=$CERTS_DIR/secp160r2TestServer.pem
|
||||
CLIENT_PEM=$CERTS_DIR/secp160r2TestClient.pem
|
||||
|
||||
if [ "$1" = "ecdh-ecdsa" ]; then
|
||||
for cipher in $ECDH_ECDSA_CIPHER_LIST
|
||||
do
|
||||
echo "Testing $cipher (with server authentication)"
|
||||
$SSLTEST $SSL_VERSION -CAfile $CA_PEM \
|
||||
-cert $SERVER_PEM -server_auth \
|
||||
-cipher $cipher
|
||||
|
||||
echo "Testing $cipher (with server and client authentication)"
|
||||
$SSLTEST $SSL_VERSION -CAfile $CA_PEM \
|
||||
-cert $SERVER_PEM -server_auth \
|
||||
-c_cert $CLIENT_PEM -client_auth \
|
||||
-cipher $cipher
|
||||
done
|
||||
fi
|
||||
|
||||
#==============================================================
|
||||
if [ "$1" = "ecdhe-ecdsa" ]; then
|
||||
for cipher in $ECDHE_ECDSA_CIPHER_LIST
|
||||
do
|
||||
echo "Testing $cipher (with server authentication)"
|
||||
$SSLTEST $SSL_VERSION -CAfile $CA_PEM \
|
||||
-cert $SERVER_PEM -server_auth \
|
||||
-cipher $cipher -named_curve $DEFAULT_CURVE
|
||||
|
||||
echo "Testing $cipher (with server and client authentication)"
|
||||
$SSLTEST $SSL_VERSION -CAfile $CA_PEM \
|
||||
-cert $SERVER_PEM -server_auth \
|
||||
-c_cert $CLIENT_PEM -client_auth \
|
||||
-cipher $cipher -named_curve $DEFAULT_CURVE
|
||||
done
|
||||
|
||||
#--------------------------------------------------------------
|
||||
for curve in $ELLIPTIC_CURVE_LIST
|
||||
do
|
||||
echo "Testing ECDHE-ECDSA-AES128-SHA (2-way auth with $curve)"
|
||||
$SSLTEST $SSL_VERSION -CAfile $CA_PEM \
|
||||
-cert $SERVER_PEM -server_auth \
|
||||
-c_cert $CLIENT_PEM -client_auth \
|
||||
-cipher ECDHE-ECDSA-AES128-SHA -named_curve $curve
|
||||
done
|
||||
fi
|
||||
|
||||
#==============================================================
|
||||
# ECDH-RSA cipher suites require the server to have an ECC
|
||||
# certificate signed with RSA.
|
||||
CA_PEM=$CERTS_DIR/rsa1024TestCA.pem
|
||||
SERVER_PEM=$CERTS_DIR/sect163r1-rsaTestServer.pem
|
||||
CLIENT_PEM=$CERTS_DIR/sect163r1-rsaTestClient.pem
|
||||
|
||||
if [ "$1" = "ecdh-rsa" ]; then
|
||||
for cipher in $ECDH_RSA_CIPHER_LIST
|
||||
do
|
||||
echo "Testing $cipher (with server authentication)"
|
||||
$SSLTEST $SSL_VERSION -CAfile $CA_PEM \
|
||||
-cert $SERVER_PEM -server_auth \
|
||||
-cipher $cipher
|
||||
|
||||
echo "Testing $cipher (with server and client authentication)"
|
||||
$SSLTEST $SSL_VERSION -CAfile $CA_PEM \
|
||||
-cert $SERVER_PEM -server_auth \
|
||||
-c_cert $CLIENT_PEM -client_auth \
|
||||
-cipher $cipher
|
||||
done
|
||||
fi
|
||||
|
||||
#==============================================================
|
||||
# ECDHE-RSA cipher suites require the server to have an RSA cert.
|
||||
CA_PEM=$CERTS_DIR/rsa1024TestCA.pem
|
||||
SERVER_PEM=$CERTS_DIR/rsa1024TestServer.pem
|
||||
CLIENT_PEM=$CERTS_DIR/rsa1024TestClient.pem
|
||||
|
||||
if [ "$1" = "ecdhe-rsa" ]; then
|
||||
for cipher in $ECDHE_RSA_CIPHER_LIST
|
||||
do
|
||||
echo "Testing $cipher (with server authentication)"
|
||||
$SSLTEST $SSL_VERSION -CAfile $CA_PEM \
|
||||
-cert $SERVER_PEM -server_auth \
|
||||
-cipher $cipher -named_curve $DEFAULT_CURVE
|
||||
|
||||
echo "Testing $cipher (with server and client authentication)"
|
||||
$SSLTEST $SSL_VERSION -CAfile $CA_PEM \
|
||||
-cert $SERVER_PEM -server_auth \
|
||||
-c_cert $CLIENT_PEM -client_auth \
|
||||
-cipher $cipher -named_curve $DEFAULT_CURVE
|
||||
done
|
||||
fi
|
||||
#==============================================================
|
||||
|
||||
|
||||
|
||||
|
Loading…
Reference in a new issue