216 lines
6.8 KiB
Bash
Executable File
216 lines
6.8 KiB
Bash
Executable File
# * Redistributions in binary form must reproduce the above copyright
|
|
# notice, this list of conditions and the following disclaimer in the
|
|
# documentation and/or other materials provided with the distribution.
|
|
# * Neither the name of the axTLS project nor the names of its
|
|
# contributors may be used to endorse or promote products derived
|
|
# from this software without specific prior written permission.
|
|
#
|
|
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
|
|
# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
|
|
# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
|
|
# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR
|
|
# CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
|
|
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
|
|
# TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
|
|
# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
|
|
# OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
|
|
# NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
|
|
# THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
|
#
|
|
PROJECT_NAME="TLS Project"
|
|
mkdir ca
|
|
mkdir bin
|
|
TrueCA=-1
|
|
if [ -f "ca.crt" ]; then
|
|
echo ca.crt is found, generating esp_ca_cert.bin...
|
|
TrueCA=1
|
|
else
|
|
echo ca.crt not exist\! We would generate self-signed CA certificate,and generating esp_ca_cert.bin...
|
|
TrueCA=0
|
|
|
|
# Generate the openssl configuration files.
|
|
cat > ca_cert.conf << EOF
|
|
[ req ]
|
|
distinguished_name = req_distinguished_name
|
|
prompt = no
|
|
|
|
[ req_distinguished_name ]
|
|
O = $PROJECT_NAME Dodgy Certificate Authority
|
|
EOF
|
|
|
|
|
|
openssl genrsa -out ca.key 1024 #you can change number 1024 if encryption bits is required
|
|
openssl req -out ca.req -key ca.key -new -config ./ca_cert.conf
|
|
|
|
# generate the actual self-signed ca certs.
|
|
openssl x509 -req -in ca.req -out ca.crt -sha1 -days 5000 -signkey ca.key
|
|
|
|
cp ca.key ca/
|
|
|
|
fi
|
|
|
|
openssl x509 -in ca.crt -outform DER -out TLS.ca_x509.cer
|
|
cp TLS.ca_x509.cer ca/
|
|
cp make_cacert.py ca/
|
|
cd ca/
|
|
python make_cacert.py
|
|
cd ..
|
|
cp ca/esp_ca_cert.bin bin/
|
|
cp ca.crt ca/
|
|
|
|
echo esp_ca_cert.bin generated OK\!
|
|
|
|
if [ $TrueCA -eq 1 ];then
|
|
echo trust CA
|
|
if [ -f "client.crt" ] && [ -f "client.key" ]; then
|
|
echo client.crt \&\& client.key are found, generating esp_cert_private_key.bin
|
|
mkdir client
|
|
mkdir include
|
|
openssl rsa -in client.key -out TLS.key_1024 -outform DER
|
|
openssl x509 -in client.crt -outform DER -out TLS.x509_1024.cer
|
|
cp TLS.x509_1024.cer client/
|
|
cp TLS.key_1024 client/
|
|
mv client/TLS.x509_1024.cer client/certificate.cer
|
|
mv client/TLS.key_1024 client/private_key.key_1024
|
|
cp make_cert.py client/
|
|
cd client
|
|
|
|
python make_cert.py
|
|
rm make_cert.py
|
|
mv esp_cert_private_key.bin ../bin/
|
|
cd ..
|
|
|
|
# set default cert for use in the client
|
|
xxd -i TLS.x509_1024.cer | sed -e \
|
|
"s/TLS_x509_1024_cer/default_certificate/" > cert.h
|
|
# set default key for use in the server
|
|
xxd -i TLS.key_1024 | sed -e \
|
|
"s/TLS_key_1024/default_private_key/" > private_key.h
|
|
cp cert.h private_key.h include/
|
|
cp client.crt client.key client/
|
|
|
|
elif [ -f "server.crt" ] && [ -f "server.key" ]; then
|
|
echo server.crt \&\& server.key are found, generating esp_cert_private_key.bin
|
|
mkdir server
|
|
mkdir include
|
|
openssl rsa -in server.key -out TLS.key_1024 -outform DER
|
|
openssl x509 -in server.crt -outform DER -out TLS.x509_1024.cer
|
|
cp TLS.x509_1024.cer server/
|
|
cp TLS.key_1024 server/
|
|
mv server/TLS.x509_1024.cer server/certificate.cer
|
|
mv server/TLS.key_1024 server/private_key.key_1024
|
|
cp make_cert.py server/
|
|
cd server
|
|
|
|
python make_cert.py
|
|
rm make_cert.py
|
|
mv esp_cert_private_key.bin ../bin/
|
|
cd ..
|
|
|
|
# set default cert for use in the client
|
|
xxd -i TLS.x509_1024.cer | sed -e \
|
|
"s/TLS_x509_1024_cer/default_certificate/" > cert.h
|
|
# set default key for use in the server
|
|
xxd -i TLS.key_1024 | sed -e \
|
|
"s/TLS_key_1024/default_private_key/" > private_key.h
|
|
cp cert.h private_key.h include/
|
|
cp server.crt server.key server/
|
|
else
|
|
echo we would not generate certificate \for ESP chip when trust CA exist and [client.crt \&\& client.key] or [server.crt \&\& server.key] could not be found.
|
|
fi
|
|
elif [ $TrueCA -eq 0 ];then
|
|
echo generate cerificate and private key with self-signed CA
|
|
mkdir server
|
|
mkdir client
|
|
mkdir include
|
|
|
|
cat > server_cert.conf << EOF
|
|
[ req ]
|
|
distinguished_name = req_distinguished_name
|
|
prompt = no
|
|
|
|
[ req_distinguished_name ]
|
|
O = $PROJECT_NAME
|
|
CN = 192.168.111.104
|
|
EOF
|
|
|
|
cat > client_cert.conf << EOF
|
|
[ req ]
|
|
distinguished_name = req_distinguished_name
|
|
prompt = no
|
|
|
|
[ req_distinguished_name ]
|
|
O = $PROJECT_NAME Device Certificate
|
|
CN = 192.168.111.111
|
|
EOF
|
|
|
|
openssl genrsa -out server.key 1024
|
|
openssl genrsa -out client.key 1024
|
|
|
|
openssl rsa -in client.key -out TLS.key_1024 -outform DER
|
|
openssl req -out server.req -key server.key -new -config ./server_cert.conf
|
|
openssl req -out client.req -key client.key -new -config ./client_cert.conf
|
|
|
|
openssl x509 -req -in server.req -out server.crt -sha1 -CAcreateserial -days 5000 -CA ca.crt -CAkey ca.key
|
|
openssl x509 -req -in client.req -out client.crt -sha1 -CAcreateserial -days 5000 -CA ca.crt -CAkey ca.key
|
|
cp server.crt server.key server/
|
|
|
|
openssl x509 -in client.crt -outform DER -out TLS.x509_1024.cer
|
|
cp TLS.x509_1024.cer client/
|
|
cp TLS.key_1024 client/
|
|
mv client/TLS.x509_1024.cer client/certificate.cer
|
|
mv client/TLS.key_1024 client/private_key.key_1024
|
|
cp make_cert.py client/
|
|
cd client
|
|
|
|
python make_cert.py
|
|
rm make_cert.py
|
|
mv esp_cert_private_key.bin ../bin/
|
|
cd ..
|
|
|
|
# set default cert for use in the client
|
|
xxd -i TLS.x509_1024.cer | sed -e \
|
|
"s/TLS_x509_1024_cer/default_certificate/" > cert.h
|
|
# set default key for use in the server
|
|
xxd -i TLS.key_1024 | sed -e \
|
|
"s/TLS_key_1024/default_private_key/" > private_key.h
|
|
mv cert.h private_key.h include/
|
|
cp client.crt client.key client/
|
|
rm *.crt
|
|
rm *.key
|
|
|
|
else
|
|
echo error happened\!TrueCA didnot initialize.
|
|
fi
|
|
|
|
#delete intermediate file
|
|
|
|
rm ca/make_cacert.py ca/esp_ca_cert.bin -rf
|
|
rm *.conf -rf
|
|
rm *.req -rf
|
|
rm *.h -rf
|
|
|
|
rm *.srl -rf
|
|
|
|
find -name \*.cer | xargs rm -f
|
|
find -name \*.key_1024 | xargs rm -f
|
|
|
|
echo esp_ca_cert.bin \&\& esp_cert_private_key.bin was generated under bin\/ directory
|
|
|
|
# set ca crt for use in the client
|
|
cp ca/ca.crt ./
|
|
cp client/client.crt ./
|
|
cp client/client.key ./
|
|
|
|
xxd -i ca.crt | sed -e "s/ca_crt/ca_crt/" > ssl_client_crt.h
|
|
|
|
# set client crt for use in the client
|
|
xxd -i client.crt | sed -e "s/client_crt/client_crt/" >> ssl_client_crt.h
|
|
|
|
# set private key for use in the client
|
|
xxd -i client.key | sed -e "s/client_key/client_key/" >> ssl_client_crt.h
|
|
|
|
mv ssl_client_crt.h ../include/
|
|
rm ca.crt client.crt client.key
|
|
|