blob: ddaf850bfbed7e6c30e47fca7dce75d8d6d76133 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
|
#!/bin/bash
# Set-up OpenSSL servers with test keys for EC, DSA and RSA.
# Author: Peter Wu <lekensteyn@gmail.com>
rsa_prv=server.pem
rsa_pub=server.crt
dsa_prv=dsa.pem
dsa_pub=dsa.crt
ecd_prv=secp384r1-dsa.pem
ecd_pub=secp384r1-dsa.crt
ecc_prv=secp384r1-rsa.pem
ecc_pub=secp384r1-rsa.crt
PSK=12345678
PSK=0102030405060708091011121314151617181920
pkdir=$1; shift
portbase=4430
if [ -z "$pkdir" ]; then
cat <<EOF
Usage: $0 path-to-certsdir [port base] [s_server options]"
openssl s_client will listen on three ports,
starting at 'port base' (default 4430)
EOF
exit 1
fi
# assume that openssl options always start with -
if [ -n "$1" ] && [[ $1 != -* ]]; then
portbase=$1; shift
if ! [[ $portbase -gt 0 ]] || ! [[ $portbase -le 65535 ]]; then
echo "Port must be between 1 and 65535" >&2
exit 1
fi
fi
[[ $pkdir == */ ]] || pkdir+=/
if ! mkdir -p "$pkdir"; then
echo "Could not create directory $pkdir" >&2
exit 1
fi
pids=()
gen_pk() {
local type keyfile crtfile x509_opts ca_key ca_crt
type=$1
keyfile=$2
crtfile=$3
# only necessary
ca_key=$4
ca_crt=$5
if [ -n "$ca_key" ]; then
x509_opts=(-CA "$ca_crt" -CAkey "$ca_key" -set_serial 1$RANDOM)
else
x509_opts=(-signkey "$keyfile")
fi
case $type in
RSA)
openssl genrsa -out "$keyfile"
;;
DSS)
openssl dsaparam 1024 | openssl gendsa /dev/stdin -out "$keyfile"
;;
ECDSA)
openssl ecparam -name secp384r1 -out "$keyfile" -genkey
;;
ECDH)
openssl ecparam -name secp384r1 -out "$keyfile" -genkey
;;
*)
echo "Invalid cert type $type" >&2
return 1
esac
openssl req -new -key "$keyfile" -subj "/CN=Test Certificate $type" |
openssl x509 -req -days 3650 -out "$crtfile" \
"${x509_opts[@]}"
}
start_server() {
local keyfile crtfile port auth ca_key= ca_crt= opts=()
auth=$1; shift
# remaining arguments should be passed to s_server
case $auth in
RSA)
crtfile=$rsa_pub
keyfile=$rsa_prv
port=$portbase
opts+=(-psk "$PSK")
;;
ECDSA)
crtfile=$ecd_pub
keyfile=$ecd_prv
port=$((portbase+1))
;;
ECDH)
crtfile=$ecc_pub
keyfile=$ecc_prv
ca_key=$pkdir$rsa_prv
ca_crt=$pkdir$rsa_pub
port=$((portbase+2))
;;
DSS)
crtfile=$dsa_pub
keyfile=$dsa_prv
port=$((portbase+3))
;;
*)
echo "Invalid cert type $auth" >&2
return 1
;;
esac
if [ ! -e "$pkdir$crtfile" ]; then
gen_pk "$auth" \
"$pkdir$keyfile" "$pkdir$crtfile" \
"$ca_key" "$ca_crt" || return 1
fi
# Enable insecure ciphers too, this script is for generating all possible
# test samples supported by openssl.
opts+=( -cipher ALL:NULL )
openssl s_server -accept $port \
"${opts[@]}" \
-cert "$pkdir$crtfile" -key "$pkdir$keyfile" -www "$@" &
pids+=($!)
}
cleanup() {
if [ ${#pids[@]} -gt 0 ]; then
echo "Killing: ${pids[*]}"
kill "${pids[@]}"
fi
}
trap cleanup EXIT
for auth in RSA ECDSA ECDH DSS; do
start_server $auth "$@"
done
wait
# vim: set et sw=4 ts=4:
|