From 864f7632a4b46f735e477a30f101517776d5f1fa Mon Sep 17 00:00:00 2001 From: Ding Huan Date: Thu, 15 Jun 2023 20:32:57 +0800 Subject: [PATCH] add generate cert script --- examples/wifi/wifi_enterprise/README.md | 31 +++-- .../generate_certs/example-ca-openssl.cnf | 117 ++++++++++++++++ .../generate_certs/generate_certs.sh | 126 ++++++++++++++++++ tools/ci/executable-list.txt | 1 + 4 files changed, 263 insertions(+), 12 deletions(-) create mode 100644 examples/wifi/wifi_enterprise/generate_certs/example-ca-openssl.cnf create mode 100755 examples/wifi/wifi_enterprise/generate_certs/generate_certs.sh diff --git a/examples/wifi/wifi_enterprise/README.md b/examples/wifi/wifi_enterprise/README.md index e13410cd53c6..5de19a26923d 100644 --- a/examples/wifi/wifi_enterprise/README.md +++ b/examples/wifi/wifi_enterprise/README.md @@ -12,13 +12,14 @@ This example shows how ESP32 connects to AP with Wi-Fi enterprise encryption. Th 5. Enable wpa2 enterprise. 6. Connect to AP. -*Note:* 1. The certificates currently are generated and are present in examples/wifi/wifi_enterprise/main folder. - 2. The expiration date of the certificates is 2027/06/05. - 3. In case using suite-b, please use appropriate certificates such as RSA-3072 or p384 EC certificates. +*Note:* +1. The certificates currently are generated and are present in examples/wifi/wifi_enterprise/main folder. +2. The expiration date of the certificates is 2027/06/05. +3. In case using suite-b, please go into `generate_certs` directory, then execute the script as `sh generate_certs.sh ` to create appropriate certificates such as RSA-3072 or p384 EC certificates. The steps to create new certificates are given below. -## The file ca.pem, ca.key, server.pem, server.crt and server.key can be used to configure AP with enterprise encryption. +The file ca.pem, ca.key, server.pem, server.crt and server.key can be used to configure AP with enterprise encryption. ## How to use Example 
@@ -43,7 +44,7 @@ idf.py -p PORT flash monitor ## Steps to create enterprise openssl certs 1. make directry tree - +``` mkdir demoCA mkdir demoCA/newcerts mkdir demoCA/private @@ -58,30 +59,36 @@ idf.py -p PORT flash monitor [ xpserver_ext ] extendedKeyUsage = 1.3.6.1.5.5.7.3.1 - +``` 2. ca.pem: root certificate, foundation of certificate verigy +``` openssl req -new -x509 -keyout ca.key -out ca.pem - +``` 3. generate rsa keys for client and server +``` openssl genrsa -out client.key 2048 openssl genrsa -out server.key 2048 - +``` 4. generate certificate signing req for both client and server +``` openssl req -new -key client.key -out client.csr openssl req -new -key server.key -out server.csr - +``` 5. create certs (.crt) for client nd server +``` openssl ca -batch -keyfile ca.key -cert ca.pem -in client.csr -key (password) -out client.crt -extensions xpclient_ext -extfile xpextensions openssl ca -batch -keyfile ca.key -cert ca.pem -in server.csr -key (password) -out server.crt -extensions xpserver_ext -extfile xpextensions - +``` 6. export .p12 files +``` openssl pkcs12 -export -out client.p12 -inkey client.key -in client.crt openssl pkcs12 -export -out server.p12 -inkey server.key -in server.crt - +``` 7. create .pem files +``` openssl pkcs12 -in client.p12 -out client.pem openssl pkcs12 -in server.p12 -out server.pem - +``` ### Example output diff --git a/examples/wifi/wifi_enterprise/generate_certs/example-ca-openssl.cnf b/examples/wifi/wifi_enterprise/generate_certs/example-ca-openssl.cnf new file mode 100644 index 000000000000..084ddbaf4b8d --- /dev/null +++ b/examples/wifi/wifi_enterprise/generate_certs/example-ca-openssl.cnf 
@@ -0,0 +1,117 @@
+# OpenSSL configuration file
+
+HOME = .
+RANDFILE = $ENV::HOME/.rnd
+oid_section = new_oids
+
+[ new_oids ]
+
+[ ca ]
+default_ca = CA_default
+
+[ CA_default ]
+
+dir = ./ca
+certs = $dir/certs
+crl_dir = $dir/crl
+database = $dir/index.txt
+unique_subject = no
+new_certs_dir = $dir/newcerts
+certificate = $dir/cacert.pem
+serial = $dir/serial
+crlnumber = $dir/crlnumber
+crl = $dir/crl.pem
+private_key = $dir/private/cakey.pem
+RANDFILE = $dir/private/.rand
+
+x509_extensions = usr_cert
+
+name_opt = ca_default
+cert_opt = ca_default
+
+copy_extensions = copy
+
+default_days = 3650
+default_crl_days= 30
+default_md = default
+preserve = no
+
+policy = policy_match
+
+[ policy_match ]
+countryName = match
+stateOrProvinceName = optional
+organizationName = match
+organizationalUnitName = optional
+commonName = supplied
+#emailAddress = optional
+
+[ policy_anything ]
+countryName = optional
+stateOrProvinceName = optional
+localityName = optional
+organizationName = optional
+organizationalUnitName = optional
+commonName = supplied
+#emailAddress = optional
+
+[ req ]
+distinguished_name = req_distinguished_name
+attributes = req_attributes
+x509_extensions = v3_ca
+
+string_mask = utf8only
+
+[ req_distinguished_name ]
+countryName = Country Name (2 letter code)
+countryName_default = CN
+countryName_min = 2
+countryName_max = 2
+
+localityName = Locality Name (eg, city)
+localityName_default = Shanghai
+
+0.organizationName = Organization Name (eg, company)
+0.organizationName_default = espressif
+
+commonName = Common Name (e.g. server FQDN or YOUR name)
+#@CN@
+commonName_max = 64
+
+[ req_attributes ]
+
+[ v3_ca ]
+
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid:always,issuer
+basicConstraints = critical, CA:true
+#keyUsage = critical, cRLSign, keyCertSign
+
+[ crl_ext ]
+
+# issuerAltName=issuer:copy
+authorityKeyIdentifier=keyid:always
+
+[ usr_cert ]
+basicConstraints=CA:FALSE
+nsComment = "OpenSSL Generated Certificate"
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid:issuer
+
+[ v3_req ]
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+[ ext_client ]
+extendedKeyUsage = 1.3.6.1.5.5.7.3.2
+basicConstraints=CA:FALSE
+subjectKeyIdentifier = hash
+nsComment = "OpenSSL Generated Certificate"
+authorityKeyIdentifier = keyid:always, issuer
+
+[ ext_server ]
+extendedKeyUsage = 1.3.6.1.5.5.7.3.1
+basicConstraints=CA:FALSE
+subjectKeyIdentifier = hash
+nsComment = "OpenSSL Generated Certificate"
+authorityKeyIdentifier = keyid:always, issuer
diff --git a/examples/wifi/wifi_enterprise/generate_certs/generate_certs.sh b/examples/wifi/wifi_enterprise/generate_certs/generate_certs.sh
new file mode 100755
index 000000000000..fd1e175025e2
--- /dev/null
+++ b/examples/wifi/wifi_enterprise/generate_certs/generate_certs.sh
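Review bot: `copy_extensions = copy` in `[ CA_default ]` makes `openssl ca` carry any extension found in a CSR into the signed certificate, so a request that asks for its own `subjectAltName` would be honoured without review; the accompanying script's CSRs request no extensions, but since the file is offered as an example CA config it is safer to set `copy_extensions = none` (OpenSSL's default) or add a comment stating why copying is needed. Separately, `[ v3_ca ]` leaves `keyUsage = critical, cRLSign, keyCertSign` commented out, so the root certificate is issued without a keyUsage extension; enabling that line is the conventional hardening for a CA certificate and presumably does not affect the example's verifiers, though that is worth confirming against the RADIUS server in use.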
@@ -0,0 +1,126 @@
+#!/bin/bash
+
+help_text="
+Usage: generate_certs.sh \n
+ only support p384, 2048, 3072, 4096\n
+example:\n
+sh generate_certs.sh p384\n
+sh generate_certs.sh 2048\n
+sh generate_certs.sh 3072\n
+sh generate_certs.sh 4096\n
+"
+
+DIGEST="-sha256"
+DIGEST_CA="-md sha256"
+CERT_TYPE="2048"
+CERT="2048-ca"
+
+show_help() {
+ echo -e $help_text
+}
+
+init_param() {
+ if [ $(basename "$(pwd)") != "generate_certs" ]; then
+ echo "path is incorrect, please go into generate_certs directory"
+ exit
+ fi
+
+ CERT_TYPE=$1
+ CERT=${CERT_TYPE}-ca
+
+ if [ -d "$CERT" ]; then
+ rm -rf "$CERT"
+ fi
+
+ if [ $1 = "p384" ] || [ $1 = "3072" ]; then
+ DIGEST="-sha384"
+ DIGEST_CA="-md sha384"
+ elif [ $1 = "2048" ] || [ $1 = "4096" ]; then
+ DIGEST="-sha256"
+ DIGEST_CA="-md sha256"
+ else
+ echo "parameter error"
+ exit
+ fi
+}
+
+create_ca() {
+ echo
+ echo "---[ Root CA ]----------------------------------------------------------"
+
+ if [ -d $CERT ]; then
+ rm $CERT
+ fi
+
+ mkdir -p $CERT
+ cat example-ca-openssl.cnf |
+ sed "s/#@CN@/commonName_default = Root CA/" |
+ sed s%\./ca$%./$CERT% \ > ${CERT}-openssl.cnf.tmp
+ mkdir -p $CERT/certs $CERT/crl $CERT/newcerts $CERT/private
+ case "$CERT_TYPE" in
+ "p384") openssl ecparam -out $CERT/ca.key -name secp384r1 -genkey;;
+ "2048") openssl genrsa -out $CERT/ca.key 2048;;
+ "3072") openssl genrsa -out $CERT/ca.key 3072;;
+ "4096") openssl genrsa -out $CERT/ca.key 4096;;
+ esac
+ openssl req -config ${CERT}-openssl.cnf.tmp -batch -new -x509 -key $CERT/ca.key -out $CERT/ca.pem $DIGEST
+ touch $CERT/index.txt
+ rm ${CERT}-openssl.cnf.tmp
+}
+
+create_certs() {
+ echo
+ echo "---[ Server ]-----------------------------------------------------------"
+ echo
+
+ cat example-ca-openssl.cnf |
+ sed "s/#@CN@/commonName_default = $CERT_TYPE.$1/" |
+ sed s%\./ca$%./$CERT% \ > ${CERT}-openssl.cnf.tmp
+ echo "---[ Generate $1 Key]----------------------------------------------"
+ case "$CERT_TYPE" in
+ "p384") openssl ecparam -out $CERT/$1.key -name secp384r1 -genkey;;
+ "2048") openssl genrsa -out $CERT/$1.key 2048;;
+ "3072") openssl genrsa -out $CERT/$1.key 3072;;
+ "4096") openssl genrsa -out $CERT/$1.key 4096;;
+ esac
+ echo "---[ Generate $1 Req]----------------------------------------------"
+ openssl req -config ${CERT}-openssl.cnf.tmp -batch -new -key $CERT/$1.key -out $CERT/$1.req $DIGEST
+ openssl ca -config ${CERT_TYPE}-ca-openssl.cnf.tmp -batch -keyfile $CERT/ca.key -cert $CERT/ca.pem -create_serial -in $CERT/$1.req -out $CERT/$1.pem -extensions ext_$1 ${DIGEST_CA}
+ cp $CERT/$1.pem $CERT/$1.crt
+ rm ${CERT_TYPE}-ca-openssl.cnf.tmp
+}
+
+verify() {
+ echo
+ echo "---[ Verify ]-----------------------------------------------------------"
+ echo
+
+ openssl verify -CAfile $CERT/ca.pem $CERT/server.pem
+ openssl verify -CAfile $CERT/ca.pem $CERT/server.crt
+ openssl verify -CAfile $CERT/ca.pem $CERT/client.pem
+ openssl verify -CAfile $CERT/ca.pem $CERT/client.crt
+}
+
+clean() {
+ rm $CERT/*.req
+ rm $CERT/index*
+ rm $CERT/serial*
+ rm -rf $CERT/certs
+ rm -rf $CERT/newcerts
+ rm -rf $CERT/private
+ rm -rf $CERT/crl
+}
+
+if [ "$1" = "--help" ] || [ "$1" = "-h" ] || [ -z "$1" ]; then
+ show_help
+ exit 0
+else
+ init_param $1
+ create_ca
+ create_certs "server"
+ create_certs "client"
+ verify
+ clean
+fi
diff --git a/tools/ci/executable-list.txt b/tools/ci/executable-list.txt
index 1e8f299e7192..98a82aad8c24 100644
--- a/tools/ci/executable-list.txt
+++ b/tools/ci/executable-list.txt
@@ -43,6 +43,7 @@ examples/storage/parttool/parttool_example.sh
 examples/system/ota/otatool/get_running_partition.py
 examples/system/ota/otatool/otatool_example.py
 examples/system/ota/otatool/otatool_example.sh
+examples/wifi/wifi_enterprise/generate_certs/generate_certs.sh
 install.fish
 install.sh
 tools/check_python_dependencies.py
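Review bot: The root certificate in `create_ca` is produced by `openssl req -batch -new -x509 ...` with no `-days`, so it gets OpenSSL's default 30-day validity, while `default_days = 3650` in the config gives the server and client certificates ten years; `openssl ca` does not refuse a leaf that outlives its issuer, so `verify` passes on the day of generation but the chain stops validating a month later. Add `-days 3650` to that `openssl req -x509` line (matching the config) or document the intended lifetime in the help text. The error paths in `init_param` call bare `exit`, which returns the status of the preceding `echo` (0), so a bad argument or wrong working directory reports success to callers such as CI; `exit 1` there and `set -e` after the shebang would also stop `clean` from running after a failed openssl step. The private keys, `ca.key` included, are written unencrypted with the caller's umask, so a `umask 077` before key generation keeps them owner-readable in the output directory.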