Merge branch 'feature/add_generate_cert_script' into 'master'

add generate cert script See merge request espressif/esp-idf!24075
espressif · Jun 15, 2023 · 13c794f · 13c794f
2 parents 98bc3d7 + 864f763
commit 13c794f
Show file tree

Hide file tree

Showing 4 changed files with 263 additions and 12 deletions.
diff --git a/examples/wifi/wifi_enterprise/README.md b/examples/wifi/wifi_enterprise/README.md
@@ -12,13 +12,14 @@ This example shows how ESP32 connects to AP with Wi-Fi enterprise encryption. Th
 5. Enable wpa2 enterprise.
 6. Connect to AP.
 
-*Note:* 1. The certificates currently are generated and are present in examples/wifi/wifi_enterprise/main folder.
-        2. The expiration date of the certificates is 2027/06/05.
-        3. In case using suite-b, please use appropriate certificates such as RSA-3072 or p384 EC certificates.
+*Note:* 
+1. The certificates currently are generated and are present in examples/wifi/wifi_enterprise/main folder.
+2. The expiration date of the certificates is 2027/06/05.
+3. In case using suite-b, please go into `generate_certs` directory, then execute the script as `sh generate_certs.sh <type>` to create appropriate certificates such as RSA-3072 or p384 EC certificates.
 
 The steps to create new certificates are given below.
 
-## The file ca.pem, ca.key, server.pem, server.crt and server.key can be used to configure AP with enterprise encryption.
+The file ca.pem, ca.key, server.pem, server.crt and server.key can be used to configure AP with enterprise encryption.
 
 ## How to use Example
 
@@ -43,7 +44,7 @@ idf.py -p PORT flash monitor
 ## Steps to create enterprise openssl certs
 
 1. make directry tree
-
+```
   mkdir demoCA
   mkdir demoCA/newcerts
   mkdir demoCA/private
@@ -58,30 +59,36 @@ idf.py -p PORT flash monitor
 
       [ xpserver_ext ]
       extendedKeyUsage = 1.3.6.1.5.5.7.3.1
-
+```
 2. ca.pem: root certificate, foundation of certificate verigy
+```
   openssl req -new -x509 -keyout ca.key -out ca.pem
-
+```
 3. generate rsa keys for client and server
+```
   openssl genrsa -out client.key 2048
   openssl genrsa -out server.key 2048
-
+```
 4. generate certificate signing req for both client and server
+```
   openssl req -new -key client.key -out client.csr
   openssl req -new -key server.key -out server.csr
-
+```
 5. create certs (.crt) for client nd server
+```
   openssl ca -batch -keyfile ca.key -cert ca.pem -in client.csr -key (password) -out client.crt -extensions xpclient_ext -extfile xpextensions
   openssl ca -batch -keyfile ca.key -cert ca.pem -in server.csr -key (password) -out server.crt -extensions xpserver_ext -extfile xpextensions
-
+```
 6. export .p12 files
+```
   openssl pkcs12 -export -out client.p12 -inkey client.key -in client.crt
   openssl pkcs12 -export -out server.p12 -inkey server.key -in server.crt
-
+```
 7. create .pem files
+```
   openssl pkcs12 -in client.p12 -out client.pem
   openssl pkcs12 -in server.p12 -out server.pem
-
+```
 
 
 ### Example output

diff --git a/examples/wifi/wifi_enterprise/generate_certs/example-ca-openssl.cnf b/examples/wifi/wifi_enterprise/generate_certs/example-ca-openssl.cnf
@@ -0,0 +1,117 @@
+# OpenSSL configuration file
+
+HOME			= .
+RANDFILE		= $ENV::HOME/.rnd
+oid_section		= new_oids
+
+[ new_oids ]
+
+[ ca ]
+default_ca	= CA_default
+
+[ CA_default ]
+
+dir		= ./ca
+certs		= $dir/certs
+crl_dir		= $dir/crl
+database	= $dir/index.txt
+unique_subject	= no
+new_certs_dir	= $dir/newcerts
+certificate	= $dir/cacert.pem
+serial		= $dir/serial
+crlnumber	= $dir/crlnumber
+crl		= $dir/crl.pem
+private_key	= $dir/private/cakey.pem
+RANDFILE	= $dir/private/.rand
+
+x509_extensions	= usr_cert
+
+name_opt 	= ca_default
+cert_opt 	= ca_default
+
+copy_extensions = copy
+
+default_days	= 3650
+default_crl_days= 30
+default_md	= default
+preserve	= no
+
+policy		= policy_match
+
+[ policy_match ]
+countryName		= match
+stateOrProvinceName	= optional
+organizationName	= match
+organizationalUnitName	= optional
+commonName		= supplied
+#emailAddress		= optional
+
+[ policy_anything ]
+countryName		= optional
+stateOrProvinceName	= optional
+localityName		= optional
+organizationName	= optional
+organizationalUnitName	= optional
+commonName		= supplied
+#emailAddress		= optional
+
+[ req ]
+distinguished_name	= req_distinguished_name
+attributes		= req_attributes
+x509_extensions	= v3_ca
+
+string_mask = utf8only
+
+[ req_distinguished_name ]
+countryName			= Country Name (2 letter code)
+countryName_default		= CN
+countryName_min			= 2
+countryName_max			= 2
+
+localityName			= Locality Name (eg, city)
+localityName_default		= Shanghai
+
+0.organizationName		= Organization Name (eg, company)
+0.organizationName_default	= espressif
+
+commonName			= Common Name (e.g. server FQDN or YOUR name)
+#@CN@
+commonName_max			= 64
+
+[ req_attributes ]
+
+[ v3_ca ]
+
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid:always,issuer
+basicConstraints = critical, CA:true
+#keyUsage = critical, cRLSign, keyCertSign
+
+[ crl_ext ]
+
+# issuerAltName=issuer:copy
+authorityKeyIdentifier=keyid:always
+
+[ usr_cert ]
+basicConstraints=CA:FALSE
+nsComment = "OpenSSL Generated Certificate"
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid:issuer
+
+[ v3_req ]
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+[ ext_client ]
+extendedKeyUsage = 1.3.6.1.5.5.7.3.2
+basicConstraints=CA:FALSE
+subjectKeyIdentifier = hash
+nsComment = "OpenSSL Generated Certificate"
+authorityKeyIdentifier = keyid:always, issuer
+
+[ ext_server ]
+extendedKeyUsage = 1.3.6.1.5.5.7.3.1
+basicConstraints=CA:FALSE
+subjectKeyIdentifier = hash
+nsComment = "OpenSSL Generated Certificate"
+authorityKeyIdentifier = keyid:always, issuer
diff --git a/examples/wifi/wifi_enterprise/generate_certs/generate_certs.sh b/examples/wifi/wifi_enterprise/generate_certs/generate_certs.sh
@@ -0,0 +1,126 @@
+#!/bin/bash
+
+help_text="
+Usage: generate_certs.sh <cert_type>\n
+<cert_type> only support p384, 2048, 3072, 4096\n
+example:\n
+sh generate_certs.sh p384\n
+sh generate_certs.sh 2048\n
+sh generate_certs.sh 3072\n
+sh generate_certs.sh 4096\n
+"
+
+DIGEST="-sha256"
+DIGEST_CA="-md sha256"
+CERT_TYPE="2048"
+CERT="2048-ca"
+
+show_help() {
+    echo -e $help_text
+}
+
+init_param() {
+    if [ $(basename "$(pwd)") != "generate_certs" ]; then
+        echo "path is incorrect, please go into generate_certs directory"
+        exit
+    fi
+
+    CERT_TYPE=$1
+    CERT=${CERT_TYPE}-ca
+
+    if [ -d "$CERT" ]; then
+        rm -rf "$CERT"
+    fi
+
+    if [ $1 = "p384" ] || [ $1 = "3072" ]; then
+        DIGEST="-sha384"
+        DIGEST_CA="-md sha384"
+    elif [ $1 = "2048" ] || [ $1 = "4096" ]; then
+        DIGEST="-sha256"
+        DIGEST_CA="-md sha256"
+    else
+        echo "parameter error"
+        exit
+    fi
+}
+
+create_ca() {
+    echo
+    echo "---[ Root CA ]----------------------------------------------------------"
+
+    if [ -d $CERT ]; then
+        rm $CERT
+    fi
+
+    mkdir -p $CERT
+    cat example-ca-openssl.cnf |
+    sed "s/#@CN@/commonName_default = Root CA/" |
+    sed s%\./ca$%./$CERT% \
+    > ${CERT}-openssl.cnf.tmp
+    mkdir -p $CERT/certs $CERT/crl $CERT/newcerts $CERT/private
+    case "$CERT_TYPE" in
+        "p384") openssl ecparam -out $CERT/ca.key -name secp384r1 -genkey;;
+        "2048") openssl genrsa -out $CERT/ca.key 2048;;
+        "3072") openssl genrsa -out $CERT/ca.key 3072;;
+        "4096") openssl genrsa -out $CERT/ca.key 4096;;
+    esac
+    openssl req -config ${CERT}-openssl.cnf.tmp -batch -new -x509 -key $CERT/ca.key -out $CERT/ca.pem $DIGEST
+    touch $CERT/index.txt
+    rm ${CERT}-openssl.cnf.tmp
+}
+
+create_certs() {
+    echo
+    echo "---[ Server ]-----------------------------------------------------------"
+    echo
+
+    cat example-ca-openssl.cnf |
+    	sed "s/#@CN@/commonName_default = $CERT_TYPE.$1/" |
+        sed s%\./ca$%./$CERT% \
+        > ${CERT}-openssl.cnf.tmp
+    echo "---[ Generate $1 Key]----------------------------------------------"
+    case "$CERT_TYPE" in
+        "p384") openssl ecparam -out $CERT/$1.key -name secp384r1 -genkey;;
+        "2048") openssl genrsa -out $CERT/$1.key 2048;;
+        "3072") openssl genrsa -out $CERT/$1.key 3072;;
+        "4096") openssl genrsa -out $CERT/$1.key 4096;;
+    esac
+    echo "---[ Generate $1 Req]----------------------------------------------"
+    openssl req -config ${CERT}-openssl.cnf.tmp -batch -new -key $CERT/$1.key -out $CERT/$1.req $DIGEST
+    openssl ca -config ${CERT_TYPE}-ca-openssl.cnf.tmp -batch -keyfile $CERT/ca.key -cert $CERT/ca.pem -create_serial -in $CERT/$1.req -out $CERT/$1.pem -extensions ext_$1 ${DIGEST_CA}
+    cp $CERT/$1.pem $CERT/$1.crt
+    rm ${CERT_TYPE}-ca-openssl.cnf.tmp
+}
+
+verify() {
+    echo
+    echo "---[ Verify ]-----------------------------------------------------------"
+    echo
+
+    openssl verify -CAfile $CERT/ca.pem $CERT/server.pem
+    openssl verify -CAfile $CERT/ca.pem $CERT/server.crt
+    openssl verify -CAfile $CERT/ca.pem $CERT/client.pem
+    openssl verify -CAfile $CERT/ca.pem $CERT/client.crt
+}
+
+clean() {
+    rm $CERT/*.req
+    rm $CERT/index*
+    rm $CERT/serial*
+    rm -rf $CERT/certs
+    rm -rf $CERT/newcerts
+    rm -rf $CERT/private
+    rm -rf $CERT/crl
+}
+
+if [ "$1" = "--help" ] || [ "$1" = "-h" ] || [ -z "$1" ]; then
+    show_help
+    exit 0
+else
+    init_param $1
+    create_ca
+    create_certs "server"
+    create_certs "client"
+    verify
+    clean
+fi
diff --git a/tools/ci/executable-list.txt b/tools/ci/executable-list.txt
@@ -43,6 +43,7 @@ examples/storage/parttool/parttool_example.sh
 examples/system/ota/otatool/get_running_partition.py
 examples/system/ota/otatool/otatool_example.py
 examples/system/ota/otatool/otatool_example.sh
+examples/wifi/wifi_enterprise/generate_certs/generate_certs.sh
 install.fish
 install.sh
 tools/check_python_dependencies.py