diff options
Diffstat (limited to 'openssl/trunk/demos/ssltest-ecc')
| -rwxr-xr-x | openssl/trunk/demos/ssltest-ecc/ECC-RSAcertgen.sh | 98 | ||||
| -rwxr-xr-x | openssl/trunk/demos/ssltest-ecc/ECCcertgen.sh | 164 | ||||
| -rw-r--r-- | openssl/trunk/demos/ssltest-ecc/README | 15 | ||||
| -rwxr-xr-x | openssl/trunk/demos/ssltest-ecc/RSAcertgen.sh | 121 | ||||
| -rwxr-xr-x | openssl/trunk/demos/ssltest-ecc/ssltest.sh | 188 |
5 files changed, 0 insertions, 586 deletions
diff --git a/openssl/trunk/demos/ssltest-ecc/ECC-RSAcertgen.sh b/openssl/trunk/demos/ssltest-ecc/ECC-RSAcertgen.sh deleted file mode 100755 index b31a4f1e..00000000 --- a/openssl/trunk/demos/ssltest-ecc/ECC-RSAcertgen.sh +++ /dev/null @@ -1,98 +0,0 @@ -#!/bin/sh - -# For a list of supported curves, use "apps/openssl ecparam -list_curves". - -# Path to the openssl distribution -OPENSSL_DIR=../.. -# Path to the openssl program -OPENSSL_CMD=$OPENSSL_DIR/apps/openssl -# Option to find configuration file -OPENSSL_CNF="-config $OPENSSL_DIR/apps/openssl.cnf" -# Directory where certificates are stored -CERTS_DIR=./Certs -# Directory where private key files are stored -KEYS_DIR=$CERTS_DIR -# Directory where combo files (containing a certificate and corresponding -# private key together) are stored -COMBO_DIR=$CERTS_DIR -# cat command -CAT=/bin/cat -# rm command -RM=/bin/rm -# mkdir command -MKDIR=/bin/mkdir -# The certificate will expire these many days after the issue date. -DAYS=1500 -TEST_CA_FILE=rsa1024TestCA - -TEST_SERVER_CURVE=sect163r1 -TEST_SERVER_FILE=sect163r1-rsaTestServer -TEST_SERVER_DN="/C=US/ST=CA/L=Mountain View/O=Sun Microsystems, Inc./OU=Sun Microsystems Laboratories/CN=Test Server (sect163r1 key signed with RSA)" - -TEST_CLIENT_CURVE=sect163r1 -TEST_CLIENT_FILE=sect163r1-rsaTestClient -TEST_CLIENT_DN="/C=US/ST=CA/L=Mountain View/O=Sun Microsystems, Inc./OU=Sun Microsystems Laboratories/CN=Test Client (sect163r1 key signed with RSA)" - -# Generating an EC certificate involves the following main steps -# 1. Generating curve parameters (if needed) -# 2. Generating a certificate request -# 3. Signing the certificate request -# 4. [Optional] One can combine the cert and private key into a single -# file and also delete the certificate request - -$MKDIR -p $CERTS_DIR -$MKDIR -p $KEYS_DIR -$MKDIR -p $COMBO_DIR - -echo "GENERATING A TEST SERVER CERTIFICATE (ECC key signed with RSA)" -echo "==============================================================" -$OPENSSL_CMD ecparam -name $TEST_SERVER_CURVE -out $TEST_SERVER_CURVE.pem - -$OPENSSL_CMD req $OPENSSL_CNF -nodes -subj "$TEST_SERVER_DN" \ - -keyout $KEYS_DIR/$TEST_SERVER_FILE.key.pem \ - -newkey ec:$TEST_SERVER_CURVE.pem -new \ - -out $CERTS_DIR/$TEST_SERVER_FILE.req.pem - -$OPENSSL_CMD x509 -req -days $DAYS \ - -in $CERTS_DIR/$TEST_SERVER_FILE.req.pem \ - -CA $CERTS_DIR/$TEST_CA_FILE.cert.pem \ - -CAkey $KEYS_DIR/$TEST_CA_FILE.key.pem \ - -out $CERTS_DIR/$TEST_SERVER_FILE.cert.pem -CAcreateserial - -# Display the certificate -$OPENSSL_CMD x509 -in $CERTS_DIR/$TEST_SERVER_FILE.cert.pem -text - -# Place the certificate and key in a common file -$OPENSSL_CMD x509 -in $CERTS_DIR/$TEST_SERVER_FILE.cert.pem -issuer -subject \ - > $COMBO_DIR/$TEST_SERVER_FILE.pem -$CAT $KEYS_DIR/$TEST_SERVER_FILE.key.pem >> $COMBO_DIR/$TEST_SERVER_FILE.pem - -# Remove the cert request file (no longer needed) -$RM $CERTS_DIR/$TEST_SERVER_FILE.req.pem - -echo "GENERATING A TEST CLIENT CERTIFICATE (ECC key signed with RSA)" -echo "==============================================================" -$OPENSSL_CMD ecparam -name $TEST_CLIENT_CURVE -out $TEST_CLIENT_CURVE.pem - -$OPENSSL_CMD req $OPENSSL_CNF -nodes -subj "$TEST_CLIENT_DN" \ - -keyout $KEYS_DIR/$TEST_CLIENT_FILE.key.pem \ - -newkey ec:$TEST_CLIENT_CURVE.pem -new \ - -out $CERTS_DIR/$TEST_CLIENT_FILE.req.pem - -$OPENSSL_CMD x509 -req -days $DAYS \ - -in $CERTS_DIR/$TEST_CLIENT_FILE.req.pem \ - -CA $CERTS_DIR/$TEST_CA_FILE.cert.pem \ - -CAkey $KEYS_DIR/$TEST_CA_FILE.key.pem \ - -out $CERTS_DIR/$TEST_CLIENT_FILE.cert.pem -CAcreateserial - -# Display the certificate -$OPENSSL_CMD x509 -in $CERTS_DIR/$TEST_CLIENT_FILE.cert.pem -text - -# Place the certificate and key in a common file -$OPENSSL_CMD x509 -in $CERTS_DIR/$TEST_CLIENT_FILE.cert.pem -issuer -subject \ - > $COMBO_DIR/$TEST_CLIENT_FILE.pem -$CAT $KEYS_DIR/$TEST_CLIENT_FILE.key.pem >> $COMBO_DIR/$TEST_CLIENT_FILE.pem - -# Remove the cert request file (no longer needed) -$RM $CERTS_DIR/$TEST_CLIENT_FILE.req.pem - diff --git a/openssl/trunk/demos/ssltest-ecc/ECCcertgen.sh b/openssl/trunk/demos/ssltest-ecc/ECCcertgen.sh deleted file mode 100755 index a47b8bb0..00000000 --- a/openssl/trunk/demos/ssltest-ecc/ECCcertgen.sh +++ /dev/null @@ -1,164 +0,0 @@ -#!/bin/sh - -# For a list of supported curves, use "apps/openssl ecparam -list_curves". - -# Path to the openssl distribution -OPENSSL_DIR=../.. -# Path to the openssl program -OPENSSL_CMD=$OPENSSL_DIR/apps/openssl -# Option to find configuration file -OPENSSL_CNF="-config $OPENSSL_DIR/apps/openssl.cnf" -# Directory where certificates are stored -CERTS_DIR=./Certs -# Directory where private key files are stored -KEYS_DIR=$CERTS_DIR -# Directory where combo files (containing a certificate and corresponding -# private key together) are stored -COMBO_DIR=$CERTS_DIR -# cat command -CAT=/bin/cat -# rm command -RM=/bin/rm -# mkdir command -MKDIR=/bin/mkdir -# The certificate will expire these many days after the issue date. -DAYS=1500 -TEST_CA_CURVE=secp160r1 -TEST_CA_FILE=secp160r1TestCA -TEST_CA_DN="/C=US/ST=CA/L=Mountain View/O=Sun Microsystems, Inc./OU=Sun Microsystems Laboratories/CN=Test CA (Elliptic curve secp160r1)" - -TEST_SERVER_CURVE=secp160r2 -TEST_SERVER_FILE=secp160r2TestServer -TEST_SERVER_DN="/C=US/ST=CA/L=Mountain View/O=Sun Microsystems, Inc./OU=Sun Microsystems Laboratories/CN=Test Server (Elliptic curve secp160r2)" - -TEST_CLIENT_CURVE=secp160r2 -TEST_CLIENT_FILE=secp160r2TestClient -TEST_CLIENT_DN="/C=US/ST=CA/L=Mountain View/O=Sun Microsystems, Inc./OU=Sun Microsystems Laboratories/CN=Test Client (Elliptic curve secp160r2)" - -# Generating an EC certificate involves the following main steps -# 1. Generating curve parameters (if needed) -# 2. Generating a certificate request -# 3. Signing the certificate request -# 4. [Optional] One can combine the cert and private key into a single -# file and also delete the certificate request - -$MKDIR -p $CERTS_DIR -$MKDIR -p $KEYS_DIR -$MKDIR -p $COMBO_DIR - -echo "Generating self-signed CA certificate (on curve $TEST_CA_CURVE)" -echo "===============================================================" -$OPENSSL_CMD ecparam -name $TEST_CA_CURVE -out $TEST_CA_CURVE.pem - -# Generate a new certificate request in $TEST_CA_FILE.req.pem. A -# new ecdsa (actually ECC) key pair is generated on the parameters in -# $TEST_CA_CURVE.pem and the private key is saved in $TEST_CA_FILE.key.pem -# WARNING: By using the -nodes option, we force the private key to be -# stored in the clear (rather than encrypted with a password). -$OPENSSL_CMD req $OPENSSL_CNF -nodes -subj "$TEST_CA_DN" \ - -keyout $KEYS_DIR/$TEST_CA_FILE.key.pem \ - -newkey ec:$TEST_CA_CURVE.pem -new \ - -out $CERTS_DIR/$TEST_CA_FILE.req.pem - -# Sign the certificate request in $TEST_CA_FILE.req.pem using the -# private key in $TEST_CA_FILE.key.pem and include the CA extension. -# Make the certificate valid for 1500 days from the time of signing. -# The certificate is written into $TEST_CA_FILE.cert.pem -$OPENSSL_CMD x509 -req -days $DAYS \ - -in $CERTS_DIR/$TEST_CA_FILE.req.pem \ - -extfile $OPENSSL_DIR/apps/openssl.cnf \ - -extensions v3_ca \ - -signkey $KEYS_DIR/$TEST_CA_FILE.key.pem \ - -out $CERTS_DIR/$TEST_CA_FILE.cert.pem - -# Display the certificate -$OPENSSL_CMD x509 -in $CERTS_DIR/$TEST_CA_FILE.cert.pem -text - -# Place the certificate and key in a common file -$OPENSSL_CMD x509 -in $CERTS_DIR/$TEST_CA_FILE.cert.pem -issuer -subject \ - > $COMBO_DIR/$TEST_CA_FILE.pem -$CAT $KEYS_DIR/$TEST_CA_FILE.key.pem >> $COMBO_DIR/$TEST_CA_FILE.pem - -# Remove the cert request file (no longer needed) -$RM $CERTS_DIR/$TEST_CA_FILE.req.pem - -echo "GENERATING A TEST SERVER CERTIFICATE (on elliptic curve $TEST_SERVER_CURVE)" -echo "==========================================================================" -# Generate parameters for curve $TEST_SERVER_CURVE, if needed -$OPENSSL_CMD ecparam -name $TEST_SERVER_CURVE -out $TEST_SERVER_CURVE.pem - -# Generate a new certificate request in $TEST_SERVER_FILE.req.pem. A -# new ecdsa (actually ECC) key pair is generated on the parameters in -# $TEST_SERVER_CURVE.pem and the private key is saved in -# $TEST_SERVER_FILE.key.pem -# WARNING: By using the -nodes option, we force the private key to be -# stored in the clear (rather than encrypted with a password). -$OPENSSL_CMD req $OPENSSL_CNF -nodes -subj "$TEST_SERVER_DN" \ - -keyout $KEYS_DIR/$TEST_SERVER_FILE.key.pem \ - -newkey ec:$TEST_SERVER_CURVE.pem -new \ - -out $CERTS_DIR/$TEST_SERVER_FILE.req.pem - -# Sign the certificate request in $TEST_SERVER_FILE.req.pem using the -# CA certificate in $TEST_CA_FILE.cert.pem and the CA private key in -# $TEST_CA_FILE.key.pem. Since we do not have an existing serial number -# file for this CA, create one. Make the certificate valid for $DAYS days -# from the time of signing. The certificate is written into -# $TEST_SERVER_FILE.cert.pem -$OPENSSL_CMD x509 -req -days $DAYS \ - -in $CERTS_DIR/$TEST_SERVER_FILE.req.pem \ - -CA $CERTS_DIR/$TEST_CA_FILE.cert.pem \ - -CAkey $KEYS_DIR/$TEST_CA_FILE.key.pem \ - -out $CERTS_DIR/$TEST_SERVER_FILE.cert.pem -CAcreateserial - -# Display the certificate -$OPENSSL_CMD x509 -in $CERTS_DIR/$TEST_SERVER_FILE.cert.pem -text - -# Place the certificate and key in a common file -$OPENSSL_CMD x509 -in $CERTS_DIR/$TEST_SERVER_FILE.cert.pem -issuer -subject \ - > $COMBO_DIR/$TEST_SERVER_FILE.pem -$CAT $KEYS_DIR/$TEST_SERVER_FILE.key.pem >> $COMBO_DIR/$TEST_SERVER_FILE.pem - -# Remove the cert request file (no longer needed) -$RM $CERTS_DIR/$TEST_SERVER_FILE.req.pem - -echo "GENERATING A TEST CLIENT CERTIFICATE (on elliptic curve $TEST_CLIENT_CURVE)" -echo "==========================================================================" -# Generate parameters for curve $TEST_CLIENT_CURVE, if needed -$OPENSSL_CMD ecparam -name $TEST_CLIENT_CURVE -out $TEST_CLIENT_CURVE.pem - -# Generate a new certificate request in $TEST_CLIENT_FILE.req.pem. A -# new ecdsa (actually ECC) key pair is generated on the parameters in -# $TEST_CLIENT_CURVE.pem and the private key is saved in -# $TEST_CLIENT_FILE.key.pem -# WARNING: By using the -nodes option, we force the private key to be -# stored in the clear (rather than encrypted with a password). -$OPENSSL_CMD req $OPENSSL_CNF -nodes -subj "$TEST_CLIENT_DN" \ - -keyout $KEYS_DIR/$TEST_CLIENT_FILE.key.pem \ - -newkey ec:$TEST_CLIENT_CURVE.pem -new \ - -out $CERTS_DIR/$TEST_CLIENT_FILE.req.pem - -# Sign the certificate request in $TEST_CLIENT_FILE.req.pem using the -# CA certificate in $TEST_CA_FILE.cert.pem and the CA private key in -# $TEST_CA_FILE.key.pem. Since we do not have an existing serial number -# file for this CA, create one. Make the certificate valid for $DAYS days -# from the time of signing. The certificate is written into -# $TEST_CLIENT_FILE.cert.pem -$OPENSSL_CMD x509 -req -days $DAYS \ - -in $CERTS_DIR/$TEST_CLIENT_FILE.req.pem \ - -CA $CERTS_DIR/$TEST_CA_FILE.cert.pem \ - -CAkey $KEYS_DIR/$TEST_CA_FILE.key.pem \ - -out $CERTS_DIR/$TEST_CLIENT_FILE.cert.pem -CAcreateserial - -# Display the certificate -$OPENSSL_CMD x509 -in $CERTS_DIR/$TEST_CLIENT_FILE.cert.pem -text - -# Place the certificate and key in a common file -$OPENSSL_CMD x509 -in $CERTS_DIR/$TEST_CLIENT_FILE.cert.pem -issuer -subject \ - > $COMBO_DIR/$TEST_CLIENT_FILE.pem -$CAT $KEYS_DIR/$TEST_CLIENT_FILE.key.pem >> $COMBO_DIR/$TEST_CLIENT_FILE.pem - -# Remove the cert request file (no longer needed) -$RM $CERTS_DIR/$TEST_CLIENT_FILE.req.pem - - - diff --git a/openssl/trunk/demos/ssltest-ecc/README b/openssl/trunk/demos/ssltest-ecc/README deleted file mode 100644 index 71c070af..00000000 --- a/openssl/trunk/demos/ssltest-ecc/README +++ /dev/null @@ -1,15 +0,0 @@ -Scripts for using ECC ciphersuites with test/testssl -(these ciphersuites are described in the Internet Draft available at -http://www.ietf.org/internet-drafts/draft-ietf-tls-ecc-03.txt). - -Use ECCcertgen.sh, RSAcertgen.sh, ECC-RSAcertgen.sh to generate -root, client and server certs of the following types: - - ECC certs signed with ECDSA - RSA certs signed with RSA - ECC certs signed with RSA - -Afterwards, you can use ssltest.sh to run the various tests; -specify one of the following options: - - aecdh, ecdh-ecdsa, ecdhe-ecdsa, ecdh-rsa, ecdhe-rsa diff --git a/openssl/trunk/demos/ssltest-ecc/RSAcertgen.sh b/openssl/trunk/demos/ssltest-ecc/RSAcertgen.sh deleted file mode 100755 index 0cb01535..00000000 --- a/openssl/trunk/demos/ssltest-ecc/RSAcertgen.sh +++ /dev/null @@ -1,121 +0,0 @@ -#!/bin/sh - -# For a list of supported curves, use "apps/openssl ecparam -list_curves". - -# Path to the openssl distribution -OPENSSL_DIR=../.. -# Path to the openssl program -OPENSSL_CMD=$OPENSSL_DIR/apps/openssl -# Option to find configuration file -OPENSSL_CNF="-config $OPENSSL_DIR/apps/openssl.cnf" -# Directory where certificates are stored -CERTS_DIR=./Certs -# Directory where private key files are stored -KEYS_DIR=$CERTS_DIR -# Directory where combo files (containing a certificate and corresponding -# private key together) are stored -COMBO_DIR=$CERTS_DIR -# cat command -CAT=/bin/cat -# rm command -RM=/bin/rm -# mkdir command -MKDIR=/bin/mkdir -# The certificate will expire these many days after the issue date. -DAYS=1500 -TEST_CA_FILE=rsa1024TestCA -TEST_CA_DN="/C=US/ST=CA/L=Mountain View/O=Sun Microsystems, Inc./OU=Sun Microsystems Laboratories/CN=Test CA (1024 bit RSA)" - -TEST_SERVER_FILE=rsa1024TestServer -TEST_SERVER_DN="/C=US/ST=CA/L=Mountain View/O=Sun Microsystems, Inc./OU=Sun Microsystems Laboratories/CN=Test Server (1024 bit RSA)" - -TEST_CLIENT_FILE=rsa1024TestClient -TEST_CLIENT_DN="/C=US/ST=CA/L=Mountain View/O=Sun Microsystems, Inc./OU=Sun Microsystems Laboratories/CN=Test Client (1024 bit RSA)" - -# Generating an EC certificate involves the following main steps -# 1. Generating curve parameters (if needed) -# 2. Generating a certificate request -# 3. Signing the certificate request -# 4. [Optional] One can combine the cert and private key into a single -# file and also delete the certificate request - -$MKDIR -p $CERTS_DIR -$MKDIR -p $KEYS_DIR -$MKDIR -p $COMBO_DIR - -echo "Generating self-signed CA certificate (RSA)" -echo "===========================================" - -$OPENSSL_CMD req $OPENSSL_CNF -nodes -subj "$TEST_CA_DN" \ - -keyout $KEYS_DIR/$TEST_CA_FILE.key.pem \ - -newkey rsa:1024 -new \ - -out $CERTS_DIR/$TEST_CA_FILE.req.pem - -$OPENSSL_CMD x509 -req -days $DAYS \ - -in $CERTS_DIR/$TEST_CA_FILE.req.pem \ - -extfile $OPENSSL_DIR/apps/openssl.cnf \ - -extensions v3_ca \ - -signkey $KEYS_DIR/$TEST_CA_FILE.key.pem \ - -out $CERTS_DIR/$TEST_CA_FILE.cert.pem - -# Display the certificate -$OPENSSL_CMD x509 -in $CERTS_DIR/$TEST_CA_FILE.cert.pem -text - -# Place the certificate and key in a common file -$OPENSSL_CMD x509 -in $CERTS_DIR/$TEST_CA_FILE.cert.pem -issuer -subject \ - > $COMBO_DIR/$TEST_CA_FILE.pem -$CAT $KEYS_DIR/$TEST_CA_FILE.key.pem >> $COMBO_DIR/$TEST_CA_FILE.pem - -# Remove the cert request file (no longer needed) -$RM $CERTS_DIR/$TEST_CA_FILE.req.pem - -echo "GENERATING A TEST SERVER CERTIFICATE (RSA)" -echo "==========================================" - -$OPENSSL_CMD req $OPENSSL_CNF -nodes -subj "$TEST_SERVER_DN" \ - -keyout $KEYS_DIR/$TEST_SERVER_FILE.key.pem \ - -newkey rsa:1024 -new \ - -out $CERTS_DIR/$TEST_SERVER_FILE.req.pem - -$OPENSSL_CMD x509 -req -days $DAYS \ - -in $CERTS_DIR/$TEST_SERVER_FILE.req.pem \ - -CA $CERTS_DIR/$TEST_CA_FILE.cert.pem \ - -CAkey $KEYS_DIR/$TEST_CA_FILE.key.pem \ - -out $CERTS_DIR/$TEST_SERVER_FILE.cert.pem -CAcreateserial - -# Display the certificate -$OPENSSL_CMD x509 -in $CERTS_DIR/$TEST_SERVER_FILE.cert.pem -text - -# Place the certificate and key in a common file -$OPENSSL_CMD x509 -in $CERTS_DIR/$TEST_SERVER_FILE.cert.pem -issuer -subject \ - > $COMBO_DIR/$TEST_SERVER_FILE.pem -$CAT $KEYS_DIR/$TEST_SERVER_FILE.key.pem >> $COMBO_DIR/$TEST_SERVER_FILE.pem - -# Remove the cert request file (no longer needed) -$RM $CERTS_DIR/$TEST_SERVER_FILE.req.pem - -echo "GENERATING A TEST CLIENT CERTIFICATE (RSA)" -echo "==========================================" - -$OPENSSL_CMD req $OPENSSL_CNF -nodes -subj "$TEST_CLIENT_DN" \ - -keyout $KEYS_DIR/$TEST_CLIENT_FILE.key.pem \ - -newkey rsa:1024 -new \ - -out $CERTS_DIR/$TEST_CLIENT_FILE.req.pem - -$OPENSSL_CMD x509 -req -days $DAYS \ - -in $CERTS_DIR/$TEST_CLIENT_FILE.req.pem \ - -CA $CERTS_DIR/$TEST_CA_FILE.cert.pem \ - -CAkey $KEYS_DIR/$TEST_CA_FILE.key.pem \ - -out $CERTS_DIR/$TEST_CLIENT_FILE.cert.pem -CAcreateserial - -# Display the certificate -$OPENSSL_CMD x509 -in $CERTS_DIR/$TEST_CLIENT_FILE.cert.pem -text - -# Place the certificate and key in a common file -$OPENSSL_CMD x509 -in $CERTS_DIR/$TEST_CLIENT_FILE.cert.pem -issuer -subject \ - > $COMBO_DIR/$TEST_CLIENT_FILE.pem -$CAT $KEYS_DIR/$TEST_CLIENT_FILE.key.pem >> $COMBO_DIR/$TEST_CLIENT_FILE.pem - -# Remove the cert request file (no longer needed) -$RM $CERTS_DIR/$TEST_CLIENT_FILE.req.pem - diff --git a/openssl/trunk/demos/ssltest-ecc/ssltest.sh b/openssl/trunk/demos/ssltest-ecc/ssltest.sh deleted file mode 100755 index 923ca438..00000000 --- a/openssl/trunk/demos/ssltest-ecc/ssltest.sh +++ /dev/null @@ -1,188 +0,0 @@ -#! /bin/sh -# Tests ECC cipher suites using ssltest. Requires one argument which could -# be aecdh or ecdh-ecdsa or ecdhe-ecdsa or ecdh-rsa or ecdhe-rsa. -# A second optional argument can be one of ssl2 ssl3 or tls1 - -if [ "$1" = "" ]; then - (echo "Usage: $0 test [ protocol ]" - echo " where test is one of aecdh, ecdh-ecdsa, ecdhe-ecdsa, ecdh-rsa, ecdhe-rsa" - echo " and protocol (optional) is one of ssl2, ssl3, tls1" - echo "Run RSAcertgen.sh, ECC-RSAcertgen.sh, ECCcertgen.sh first." - ) >&2 - exit 1 -fi - - -OPENSSL_DIR=../.. -CERTS_DIR=./Certs -SSLTEST=$OPENSSL_DIR/test/ssltest -# SSL protocol version to test (one of ssl2 ssl3 or tls1)" -SSLVERSION= - -# These don't really require any certificates -AECDH_CIPHER_LIST="AECDH-AES256-SHA AECDH-AES128-SHA AECDH-DES-CBC3-SHA AECDH-RC4-SHA AECDH-NULL-SHA" - -# These require ECC certificates signed with ECDSA -# The EC public key must be authorized for key agreement. -ECDH_ECDSA_CIPHER_LIST="ECDH-ECDSA-AES256-SHA ECDH-ECDSA-AES128-SHA ECDH-ECDSA-DES-CBC3-SHA ECDH-ECDSA-RC4-SHA ECDH-ECDSA-NULL-SHA" - -# These require ECC certificates. -# The EC public key must be authorized for digital signature. -ECDHE_ECDSA_CIPHER_LIST="ECDHE-ECDSA-AES256-SHA ECDHE-ECDSA-AES128-SHA ECDHE-ECDSA-DES-CBC3-SHA ECDHE-ECDSA-RC4-SHA ECDHE-ECDSA-NULL-SHA" - -# These require ECC certificates signed with RSA. -# The EC public key must be authorized for key agreement. -ECDH_RSA_CIPHER_LIST="ECDH-RSA-AES256-SHA ECDH-RSA-AES128-SHA ECDH-RSA-DES-CBC3-SHA ECDH-RSA-RC4-SHA ECDH-RSA-NULL-SHA" - -# These require RSA certificates. -# The RSA public key must be authorized for digital signature. -ECDHE_RSA_CIPHER_LIST="ECDHE-RSA-AES256-SHA ECDHE-RSA-AES128-SHA ECDHE-RSA-DES-CBC3-SHA ECDHE-RSA-RC4-SHA ECDHE-RSA-NULL-SHA" - -# List of Elliptic curves over which we wish to test generation of -# ephemeral ECDH keys when using AECDH or ECDHE ciphers -# NOTE: secp192r1 = prime192v1 and secp256r1 = prime256v1 -#ELLIPTIC_CURVE_LIST="secp112r1 sect113r2 secp128r1 sect131r1 secp160k1 sect163r2 wap-wsg-idm-ecid-wtls7 c2pnb163v3 c2pnb176v3 c2tnb191v3 secp192r1 prime192v3 sect193r2 secp224r1 wap-wsg-idm-ecid-wtls10 sect239k1 prime239v2 secp256r1 prime256v1 sect283k1 secp384r1 sect409r1 secp521r1 sect571r1" -ELLIPTIC_CURVE_LIST="sect163k1 sect163r1 sect163r2 sect193r1 sect193r2 sect233k1 sect233r1 sect239k1 sect283k1 sect283r1 sect409k1 sect409r1 sect571k1 sect571r1 secp160k1 secp160r1 secp160r2 secp192k1 prime192v1 secp224k1 secp224r1 secp256k1 prime256v1 secp384r1 secp521r1" - -DEFAULT_CURVE="sect163r2" - -if [ "$2" = "" ]; then - if [ "$SSL_VERSION" = "" ]; then - SSL_VERSION="" - else - SSL_VERSION="-$SSL_VERSION" - fi -else - SSL_VERSION="-$2" -fi - -#============================================================== -# Anonymous cipher suites do not require key or certificate files -# but ssltest expects a cert file and complains if it can't -# open the default one. -SERVER_PEM=$OPENSSL_DIR/apps/server.pem - -if [ "$1" = "aecdh" ]; then -for cipher in $AECDH_CIPHER_LIST -do - echo "Testing $cipher" - $SSLTEST $SSL_VERSION -cert $SERVER_PEM -cipher $cipher -done -#-------------------------------------------------------------- -for curve in $ELLIPTIC_CURVE_LIST -do - echo "Testing AECDH-NULL-SHA (with $curve)" - $SSLTEST $SSL_VERSION -cert $SERVER_PEM \ - -named_curve $curve -cipher AECDH-NULL-SHA -done - -for curve in $ELLIPTIC_CURVE_LIST -do - echo "Testing AECDH-RC4-SHA (with $curve)" - $SSLTEST $SSL_VERSION -cert $SERVER_PEM \ - -named_curve $curve -cipher AECDH-RC4-SHA -done -fi - -#============================================================== -# Both ECDH-ECDSA and ECDHE-ECDSA cipher suites require -# the server to have an ECC certificate signed with ECDSA. -CA_PEM=$CERTS_DIR/secp160r1TestCA.pem -SERVER_PEM=$CERTS_DIR/secp160r2TestServer.pem -CLIENT_PEM=$CERTS_DIR/secp160r2TestClient.pem - -if [ "$1" = "ecdh-ecdsa" ]; then -for cipher in $ECDH_ECDSA_CIPHER_LIST -do - echo "Testing $cipher (with server authentication)" - $SSLTEST $SSL_VERSION -CAfile $CA_PEM \ - -cert $SERVER_PEM -server_auth \ - -cipher $cipher - - echo "Testing $cipher (with server and client authentication)" - $SSLTEST $SSL_VERSION -CAfile $CA_PEM \ - -cert $SERVER_PEM -server_auth \ - -c_cert $CLIENT_PEM -client_auth \ - -cipher $cipher -done -fi - -#============================================================== -if [ "$1" = "ecdhe-ecdsa" ]; then -for cipher in $ECDHE_ECDSA_CIPHER_LIST -do - echo "Testing $cipher (with server authentication)" - $SSLTEST $SSL_VERSION -CAfile $CA_PEM \ - -cert $SERVER_PEM -server_auth \ - -cipher $cipher -named_curve $DEFAULT_CURVE - - echo "Testing $cipher (with server and client authentication)" - $SSLTEST $SSL_VERSION -CAfile $CA_PEM \ - -cert $SERVER_PEM -server_auth \ - -c_cert $CLIENT_PEM -client_auth \ - -cipher $cipher -named_curve $DEFAULT_CURVE -done - -#-------------------------------------------------------------- -for curve in $ELLIPTIC_CURVE_LIST -do - echo "Testing ECDHE-ECDSA-AES128-SHA (2-way auth with $curve)" - $SSLTEST $SSL_VERSION -CAfile $CA_PEM \ - -cert $SERVER_PEM -server_auth \ - -c_cert $CLIENT_PEM -client_auth \ - -cipher ECDHE-ECDSA-AES128-SHA -named_curve $curve -done -fi - -#============================================================== -# ECDH-RSA cipher suites require the server to have an ECC -# certificate signed with RSA. -CA_PEM=$CERTS_DIR/rsa1024TestCA.pem -SERVER_PEM=$CERTS_DIR/sect163r1-rsaTestServer.pem -CLIENT_PEM=$CERTS_DIR/sect163r1-rsaTestClient.pem - -if [ "$1" = "ecdh-rsa" ]; then -for cipher in $ECDH_RSA_CIPHER_LIST -do - echo "Testing $cipher (with server authentication)" - $SSLTEST $SSL_VERSION -CAfile $CA_PEM \ - -cert $SERVER_PEM -server_auth \ - -cipher $cipher - - echo "Testing $cipher (with server and client authentication)" - $SSLTEST $SSL_VERSION -CAfile $CA_PEM \ - -cert $SERVER_PEM -server_auth \ - -c_cert $CLIENT_PEM -client_auth \ - -cipher $cipher -done -fi - -#============================================================== -# ECDHE-RSA cipher suites require the server to have an RSA cert. -CA_PEM=$CERTS_DIR/rsa1024TestCA.pem -SERVER_PEM=$CERTS_DIR/rsa1024TestServer.pem -CLIENT_PEM=$CERTS_DIR/rsa1024TestClient.pem - -if [ "$1" = "ecdhe-rsa" ]; then -for cipher in $ECDHE_RSA_CIPHER_LIST -do - echo "Testing $cipher (with server authentication)" - echo $SSLTEST $SSL_VERSION -CAfile $CA_PEM \ - -cert $SERVER_PEM -server_auth \ - -cipher $cipher -named_curve $DEFAULT_CURVE - $SSLTEST $SSL_VERSION -CAfile $CA_PEM \ - -cert $SERVER_PEM -server_auth \ - -cipher $cipher -named_curve $DEFAULT_CURVE - - echo "Testing $cipher (with server and client authentication)" - $SSLTEST $SSL_VERSION -CAfile $CA_PEM \ - -cert $SERVER_PEM -server_auth \ - -c_cert $CLIENT_PEM -client_auth \ - -cipher $cipher -named_curve $DEFAULT_CURVE -done -fi -#============================================================== - - - - |