From 18a31aa861fdea063686a93ec2d52a0dcc23633a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Bodo=20M=C3=B6ller?= Date: Mon, 12 Aug 2002 15:18:48 +0000 Subject: [PATCH] Scripts for testing ECC ciphersuites. Submitted by: Sun Microsystems Labs --- demos/ssltest-ecc/ECC-RSAcertgen.sh | 93 ++++++++++++++ demos/ssltest-ecc/ECCcertgen.sh | 173 ++++++++++++++++++++++++++ demos/ssltest-ecc/README | 13 ++ demos/ssltest-ecc/RSAcertgen.sh | 115 +++++++++++++++++ demos/ssltest-ecc/ssltest.sh | 185 ++++++++++++++++++++++++++++ 5 files changed, 579 insertions(+) create mode 100755 demos/ssltest-ecc/ECC-RSAcertgen.sh create mode 100755 demos/ssltest-ecc/ECCcertgen.sh create mode 100644 demos/ssltest-ecc/README create mode 100755 demos/ssltest-ecc/RSAcertgen.sh create mode 100755 demos/ssltest-ecc/ssltest.sh diff --git a/demos/ssltest-ecc/ECC-RSAcertgen.sh b/demos/ssltest-ecc/ECC-RSAcertgen.sh new file mode 100755 index 0000000000..ce182e313d --- /dev/null +++ b/demos/ssltest-ecc/ECC-RSAcertgen.sh @@ -0,0 +1,93 @@ +#!/bin/sh + +# For a list of supported curves, use "apps/openssl ecparam -list_curves". + +# Path to the openssl distribution +OPENSSL_DIR=../.. +# Path to the openssl program +OPENSSL_CMD=$OPENSSL_DIR/apps/openssl +# Option to find configuration file +OPENSSL_CNF="-config $OPENSSL_DIR/apps/openssl.cnf" +# Directory where certificates are stored +CERTS_DIR=./Certs +# Directory where private key files are stored +KEYS_DIR=$CERTS_DIR +# Directory where combo files (containing a certificate and corresponding +# private key together) are stored +COMBO_DIR=$CERTS_DIR +# cat command +CAT=/bin/cat +# rm command +RM=/bin/rm +# The certificate will expire these many days after the issue date. +DAYS=1500 +TEST_CA_FILE=rsa1024TestCA + +TEST_SERVER_CURVE=sect163r1 +TEST_SERVER_FILE=sect163r1-rsaTestServer +TEST_SERVER_DN="/C=US/ST=CA/L=Mountain View/O=Sun Microsystems, Inc./OU=Sun Microsystems Laboratories/CN=Test Server (sect163r1 key signed with RSA)" + +TEST_CLIENT_CURVE=sect163r1 +TEST_CLIENT_FILE=sect163r1-rsaTestClient +TEST_CLIENT_DN="/C=US/ST=CA/L=Mountain View/O=Sun Microsystems, Inc./OU=Sun Microsystems Laboratories/CN=Test Client (sect163r1 key signed with RSA)" + +# Generating an EC certificate involves the following main steps +# 1. Generating curve parameters (if needed) +# 2. Generating a certificate request +# 3. Signing the certificate request +# 4. [Optional] One can combine the cert and private key into a single +# file and also delete the certificate request + + +echo "GENERATING A TEST SERVER CERTIFICATE (ECC key signed with RSA)" +echo "==============================================================" +$OPENSSL_CMD ecparam -name $TEST_SERVER_CURVE -out $TEST_SERVER_CURVE.pem + +$OPENSSL_CMD req $OPENSSL_CNF -nodes -subj "$TEST_SERVER_DN" \ + -keyout $KEYS_DIR/$TEST_SERVER_FILE.key.pem \ + -newkey ecdsa:$TEST_SERVER_CURVE.pem -new \ + -out $CERTS_DIR/$TEST_SERVER_FILE.req.pem + +$OPENSSL_CMD x509 -req -days $DAYS \ + -in $CERTS_DIR/$TEST_SERVER_FILE.req.pem \ + -CA $CERTS_DIR/$TEST_CA_FILE.cert.pem \ + -CAkey $KEYS_DIR/$TEST_CA_FILE.key.pem \ + -out $CERTS_DIR/$TEST_SERVER_FILE.cert.pem -CAcreateserial + +# Display the certificate +$OPENSSL_CMD x509 -in $CERTS_DIR/$TEST_SERVER_FILE.cert.pem -text + +# Place the certificate and key in a common file +$OPENSSL_CMD x509 -in $CERTS_DIR/$TEST_SERVER_FILE.cert.pem -issuer -subject \ + > $COMBO_DIR/$TEST_SERVER_FILE.pem +$CAT $KEYS_DIR/$TEST_SERVER_FILE.key.pem >> $COMBO_DIR/$TEST_SERVER_FILE.pem + +# Remove the cert request file (no longer needed) +$RM $CERTS_DIR/$TEST_SERVER_FILE.req.pem + +echo "GENERATING A TEST CLIENT CERTIFICATE (ECC key signed with RSA)" +echo "==============================================================" +$OPENSSL_CMD ecparam -name $TEST_CLIENT_CURVE -out $TEST_CLIENT_CURVE.pem + +$OPENSSL_CMD req $OPENSSL_CNF -nodes -subj "$TEST_CLIENT_DN" \ + -keyout $KEYS_DIR/$TEST_CLIENT_FILE.key.pem \ + -newkey ecdsa:$TEST_CLIENT_CURVE.pem -new \ + -out $CERTS_DIR/$TEST_CLIENT_FILE.req.pem + +$OPENSSL_CMD x509 -req -days $DAYS \ + -in $CERTS_DIR/$TEST_CLIENT_FILE.req.pem \ + -CA $CERTS_DIR/$TEST_CA_FILE.cert.pem \ + -CAkey $KEYS_DIR/$TEST_CA_FILE.key.pem \ + -out $CERTS_DIR/$TEST_CLIENT_FILE.cert.pem -CAcreateserial + +# Display the certificate +$OPENSSL_CMD x509 -in $CERTS_DIR/$TEST_CLIENT_FILE.cert.pem -text + +# Place the certificate and key in a common file +$OPENSSL_CMD x509 -in $CERTS_DIR/$TEST_CLIENT_FILE.cert.pem -issuer -subject \ + > $COMBO_DIR/$TEST_CLIENT_FILE.pem +$CAT $KEYS_DIR/$TEST_CLIENT_FILE.key.pem >> $COMBO_DIR/$TEST_CLIENT_FILE.pem + +# Remove the cert request file (no longer needed) +$RM $CERTS_DIR/$TEST_CLIENT_FILE.req.pem + diff --git a/demos/ssltest-ecc/ECCcertgen.sh b/demos/ssltest-ecc/ECCcertgen.sh new file mode 100755 index 0000000000..b99a9b9387 --- /dev/null +++ b/demos/ssltest-ecc/ECCcertgen.sh @@ -0,0 +1,173 @@ +#!/bin/sh + +# For a list of supported curves, use "apps/openssl ecparam -list_curves". + +# Path to the openssl distribution +OPENSSL_DIR=../.. +# Path to the openssl program +OPENSSL_CMD=$OPENSSL_DIR/apps/openssl +# Option to find configuration file +OPENSSL_CNF="-config $OPENSSL_DIR/apps/openssl.cnf" +# Directory where certificates are stored +CERTS_DIR=./Certs +# Directory where private key files are stored +KEYS_DIR=$CERTS_DIR +# Directory where combo files (containing a certificate and corresponding +# private key together) are stored +COMBO_DIR=$CERTS_DIR +# cat command +CAT=/bin/cat +# rm command +RM=/bin/rm +# The certificate will expire these many days after the issue date. +DAYS=1500 +TEST_CA_CURVE=secp160r1 +TEST_CA_FILE=secp160r1TestCA +TEST_CA_DN="/C=US/ST=CA/L=Mountain View/O=Sun Microsystems, Inc./OU=Sun Microsystems Laboratories/CN=Test CA (Elliptic curve secp160r1)" + +TEST_SERVER_CURVE=secp160r2 +TEST_SERVER_FILE=secp160r2TestServer +TEST_SERVER_DN="/C=US/ST=CA/L=Mountain View/O=Sun Microsystems, Inc./OU=Sun Microsystems Laboratories/CN=Test Server (Elliptic curve secp160r2)" + +TEST_CLIENT_CURVE=secp160r2 +TEST_CLIENT_FILE=secp160r2TestClient +TEST_CLIENT_DN="/C=US/ST=CA/L=Mountain View/O=Sun Microsystems, Inc./OU=Sun Microsystems Laboratories/CN=Test Client (Elliptic curve secp160r2)" + +# Generating an EC certificate involves the following main steps +# 1. Generating curve parameters (if needed) +# 2. Generating a certificate request +# 3. Signing the certificate request +# 4. [Optional] One can combine the cert and private key into a single +# file and also delete the certificate request + +echo "Generating self-signed CA certificate (on curve $TEST_CA_CURVE)" +echo "===============================================================" +$OPENSSL_CMD ecparam -name $TEST_CA_CURVE -out $TEST_CA_CURVE.pem + +# Generate a new certificate request in $TEST_CA_FILE.req.pem. A +# new ecdsa (actually ECC) key pair is generated on the parameters in +# $TEST_CA_CURVE.pem and the private key is saved in $TEST_CA_FILE.key.pem +# WARNING: By using the -nodes option, we force the private key to be +# stored in the clear (rather than encrypted with a password). +$OPENSSL_CMD req $OPENSSL_CNF -nodes -subj "$TEST_CA_DN" \ + -keyout $KEYS_DIR/$TEST_CA_FILE.key.pem \ + -newkey ecdsa:$TEST_CA_CURVE.pem -new \ + -out $CERTS_DIR/$TEST_CA_FILE.req.pem + +# Sign the certificate request in $TEST_CA_FILE.req.pem using the +# private key in $TEST_CA_FILE.key.pem and include the CA extension. +# Make the certificate valid for 1500 days from the time of signing. +# The certificate is written into $TEST_CA_FILE.cert.pem +$OPENSSL_CMD x509 -req -days $DAYS \ + -in $CERTS_DIR/$TEST_CA_FILE.req.pem \ + -extfile $OPENSSL_DIR/apps/openssl.cnf \ + -extensions v3_ca \ + -signkey $KEYS_DIR/$TEST_CA_FILE.key.pem \ + -out $CERTS_DIR/$TEST_CA_FILE.cert.pem + +# Display the certificate +$OPENSSL_CMD x509 -in $CERTS_DIR/$TEST_CA_FILE.cert.pem -text + +# Place the certificate and key in a common file +$OPENSSL_CMD x509 -in $CERTS_DIR/$TEST_CA_FILE.cert.pem -issuer -subject \ + > $COMBO_DIR/$TEST_CA_FILE.pem +$CAT $KEYS_DIR/$TEST_CA_FILE.key.pem >> $COMBO_DIR/$TEST_CA_FILE.pem + +# Remove the cert request file (no longer needed) +$RM $CERTS_DIR/$TEST_CA_FILE.req.pem + +echo "GENERATING A TEST SERVER CERTIFICATE (on elliptic curve $TEST_SERVER_CURVE)" +echo "==========================================================================" +# Generate parameters for curve $TEST_SERVER_CURVE, if needed +$OPENSSL_CMD ecparam -name $TEST_SERVER_CURVE -out $TEST_SERVER_CURVE.pem + +# Generate a new certificate request in $TEST_SERVER_FILE.req.pem. A +# new ecdsa (actually ECC) key pair is generated on the parameters in +# $TEST_SERVER_CURVE.pem and the private key is saved in +# $TEST_SERVER_FILE.key.pem +# WARNING: By using the -nodes option, we force the private key to be +# stored in the clear (rather than encrypted with a password). +$OPENSSL_CMD req $OPENSSL_CNF -nodes -subj "$TEST_SERVER_DN" \ + -keyout $KEYS_DIR/$TEST_SERVER_FILE.key.pem \ + -newkey ecdsa:$TEST_SERVER_CURVE.pem -new \ + -out $CERTS_DIR/$TEST_SERVER_FILE.req.pem + +# Sign the certificate request in $TEST_SERVER_FILE.req.pem using the +# CA certificate in $TEST_CA_FILE.cert.pem and the CA private key in +# $TEST_CA_FILE.key.pem. Since we do not have an existing serial number +# file for this CA, create one. Make the certificate valid for $DAYS days +# from the time of signing. The certificate is written into +# $TEST_SERVER_FILE.cert.pem +$OPENSSL_CMD x509 -req -days $DAYS \ + -in $CERTS_DIR/$TEST_SERVER_FILE.req.pem \ + -CA $CERTS_DIR/$TEST_CA_FILE.cert.pem \ + -CAkey $KEYS_DIR/$TEST_CA_FILE.key.pem \ + -out $CERTS_DIR/$TEST_SERVER_FILE.cert.pem -CAcreateserial + +# Display the certificate +$OPENSSL_CMD x509 -in $CERTS_DIR/$TEST_SERVER_FILE.cert.pem -text + +# Place the certificate and key in a common file +$OPENSSL_CMD x509 -in $CERTS_DIR/$TEST_SERVER_FILE.cert.pem -issuer -subject \ + > $COMBO_DIR/$TEST_SERVER_FILE.pem +$CAT $KEYS_DIR/$TEST_SERVER_FILE.key.pem >> $COMBO_DIR/$TEST_SERVER_FILE.pem + +# Remove the cert request file (no longer needed) +$RM $CERTS_DIR/$TEST_SERVER_FILE.req.pem + +echo "GENERATING A TEST CLIENT CERTIFICATE (on elliptic curve $TEST_CLIENT_CURVE)" +echo "==========================================================================" +# Generate parameters for curve $TEST_CLIENT_CURVE, if needed +$OPENSSL_CMD ecparam -name $TEST_CLIENT_CURVE -out $TEST_CLIENT_CURVE.pem + +# Generate a new certificate request in $TEST_CLIENT_FILE.req.pem. A +# new ecdsa (actually ECC) key pair is generated on the parameters in +# $TEST_CLIENT_CURVE.pem and the private key is saved in +# $TEST_CLIENT_FILE.key.pem +# WARNING: By using the -nodes option, we force the private key to be +# stored in the clear (rather than encrypted with a password). +$OPENSSL_CMD req $OPENSSL_CNF -nodes -subj "$TEST_CLIENT_DN" \ + -keyout $KEYS_DIR/$TEST_CLIENT_FILE.key.pem \ + -newkey ecdsa:$TEST_CLIENT_CURVE.pem -new \ + -out $CERTS_DIR/$TEST_CLIENT_FILE.req.pem + +# Sign the certificate request in $TEST_CLIENT_FILE.req.pem using the +# CA certificate in $TEST_CA_FILE.cert.pem and the CA private key in +# $TEST_CA_FILE.key.pem. Since we do not have an existing serial number +# file for this CA, create one. Make the certificate valid for $DAYS days +# from the time of signing. The certificate is written into +# $TEST_CLIENT_FILE.cert.pem +$OPENSSL_CMD x509 -req -days $DAYS \ + -in $CERTS_DIR/$TEST_CLIENT_FILE.req.pem \ + -CA $CERTS_DIR/$TEST_CA_FILE.cert.pem \ + -CAkey $KEYS_DIR/$TEST_CA_FILE.key.pem \ + -out $CERTS_DIR/$TEST_CLIENT_FILE.cert.pem -CAcreateserial + +# Display the certificate +$OPENSSL_CMD x509 -in $CERTS_DIR/$TEST_CLIENT_FILE.cert.pem -text + +# Place the certificate and key in a common file +$OPENSSL_CMD x509 -in $CERTS_DIR/$TEST_CLIENT_FILE.cert.pem -issuer -subject \ + > $COMBO_DIR/$TEST_CLIENT_FILE.pem +$CAT $KEYS_DIR/$TEST_CLIENT_FILE.key.pem >> $COMBO_DIR/$TEST_CLIENT_FILE.pem + +# Remove the cert request file (no longer needed) +$RM $CERTS_DIR/$TEST_CLIENT_FILE.req.pem + +############################################################################ +#OLD STUFF (ignore this) +# +#These are the commands I used, but you may wish to add -named_curve to the first command per our discussion about parameter encoding in certificates. +# +#apps/openssl ecdsaparam -out nist192.param.pem -NIST_192 +# +#apps/openssl ecdsaparam -out nistB163.param.pem -named_curve -NIST_B163 +# the nodes option causes output key to be stored unencrypted +#apps/openssl req -nodes -keyout nistB163.priv.pem -newkey ecdsa:nistB163.param.pem -new -out nistB163.req.pem +#apps/openssl x509 -req -in nistB163.req.pem -extfile apps/cert.cnf -extensions v3_ca -signkey nistB163.priv.pem -out nistB163.cert.pem +# +#crypto/x509/x509_ext.c has X509_EXTENSION *X509_get_ext(X509 *x, int loc) +#crypto/asn1/t_x509.c has code to print certificates +#crypto/x509v3/v3_prn.c has code to print extensions X509V3_extensions_print + + diff --git a/demos/ssltest-ecc/README b/demos/ssltest-ecc/README new file mode 100644 index 0000000000..3e2c95cbec --- /dev/null +++ b/demos/ssltest-ecc/README @@ -0,0 +1,13 @@ +Scripts for using ECC ciphersuites with test/testssl. + +Use ECCcertgen.sh, RSAcertgen.sh, ECC-RSAcertgen.sh to generate +root, client and server certs of the following types: + + ECC certs signed with ECDSA + RSA certs signed with RSA + ECC certs signed with RSA + +Afterwards, you can use ssltest.sh to run the various tests; +specify one of the following options: + + aecdh, ecdh-ecdsa, ecdhe-ecdsa, ecdh-rsa, ecdhe-rsa diff --git a/demos/ssltest-ecc/RSAcertgen.sh b/demos/ssltest-ecc/RSAcertgen.sh new file mode 100755 index 0000000000..ea7984bae3 --- /dev/null +++ b/demos/ssltest-ecc/RSAcertgen.sh @@ -0,0 +1,115 @@ +#!/bin/sh + +# For a list of supported curves, use "apps/openssl ecparam -list_curves". + +# Path to the openssl distribution +OPENSSL_DIR=../.. +# Path to the openssl program +OPENSSL_CMD=$OPENSSL_DIR/apps/openssl +# Option to find configuration file +OPENSSL_CNF="-config $OPENSSL_DIR/apps/openssl.cnf" +# Directory where certificates are stored +CERTS_DIR=./Certs +# Directory where private key files are stored +KEYS_DIR=$CERTS_DIR +# Directory where combo files (containing a certificate and corresponding +# private key together) are stored +COMBO_DIR=$CERTS_DIR +# cat command +CAT=/bin/cat +# rm command +RM=/bin/rm +# The certificate will expire these many days after the issue date. +DAYS=1500 +TEST_CA_FILE=rsa1024TestCA +TEST_CA_DN="/C=US/ST=CA/L=Mountain View/O=Sun Microsystems, Inc./OU=Sun Microsystems Laboratories/CN=Test CA (1024 bit RSA)" + +TEST_SERVER_FILE=rsa1024TestServer +TEST_SERVER_DN="/C=US/ST=CA/L=Mountain View/O=Sun Microsystems, Inc./OU=Sun Microsystems Laboratories/CN=Test Server (1024 bit RSA)" + +TEST_CLIENT_FILE=rsa1024TestClient +TEST_CLIENT_DN="/C=US/ST=CA/L=Mountain View/O=Sun Microsystems, Inc./OU=Sun Microsystems Laboratories/CN=Test Client (1024 bit RSA)" + +# Generating an EC certificate involves the following main steps +# 1. Generating curve parameters (if needed) +# 2. Generating a certificate request +# 3. Signing the certificate request +# 4. [Optional] One can combine the cert and private key into a single +# file and also delete the certificate request + +echo "Generating self-signed CA certificate (RSA)" +echo "===========================================" + +$OPENSSL_CMD req $OPENSSL_CNF -nodes -subj "$TEST_CA_DN" \ + -keyout $KEYS_DIR/$TEST_CA_FILE.key.pem \ + -newkey rsa:1024 -new \ + -out $CERTS_DIR/$TEST_CA_FILE.req.pem + +$OPENSSL_CMD x509 -req -days $DAYS \ + -in $CERTS_DIR/$TEST_CA_FILE.req.pem \ + -extfile $OPENSSL_DIR/apps/openssl.cnf \ + -extensions v3_ca \ + -signkey $KEYS_DIR/$TEST_CA_FILE.key.pem \ + -out $CERTS_DIR/$TEST_CA_FILE.cert.pem + +# Display the certificate +$OPENSSL_CMD x509 -in $CERTS_DIR/$TEST_CA_FILE.cert.pem -text + +# Place the certificate and key in a common file +$OPENSSL_CMD x509 -in $CERTS_DIR/$TEST_CA_FILE.cert.pem -issuer -subject \ + > $COMBO_DIR/$TEST_CA_FILE.pem +$CAT $KEYS_DIR/$TEST_CA_FILE.key.pem >> $COMBO_DIR/$TEST_CA_FILE.pem + +# Remove the cert request file (no longer needed) +$RM $CERTS_DIR/$TEST_CA_FILE.req.pem + +echo "GENERATING A TEST SERVER CERTIFICATE (RSA)" +echo "==========================================" + +$OPENSSL_CMD req $OPENSSL_CNF -nodes -subj "$TEST_SERVER_DN" \ + -keyout $KEYS_DIR/$TEST_SERVER_FILE.key.pem \ + -newkey rsa:1024 -new \ + -out $CERTS_DIR/$TEST_SERVER_FILE.req.pem + +$OPENSSL_CMD x509 -req -days $DAYS \ + -in $CERTS_DIR/$TEST_SERVER_FILE.req.pem \ + -CA $CERTS_DIR/$TEST_CA_FILE.cert.pem \ + -CAkey $KEYS_DIR/$TEST_CA_FILE.key.pem \ + -out $CERTS_DIR/$TEST_SERVER_FILE.cert.pem -CAcreateserial + +# Display the certificate +$OPENSSL_CMD x509 -in $CERTS_DIR/$TEST_SERVER_FILE.cert.pem -text + +# Place the certificate and key in a common file +$OPENSSL_CMD x509 -in $CERTS_DIR/$TEST_SERVER_FILE.cert.pem -issuer -subject \ + > $COMBO_DIR/$TEST_SERVER_FILE.pem +$CAT $KEYS_DIR/$TEST_SERVER_FILE.key.pem >> $COMBO_DIR/$TEST_SERVER_FILE.pem + +# Remove the cert request file (no longer needed) +$RM $CERTS_DIR/$TEST_SERVER_FILE.req.pem + +echo "GENERATING A TEST CLIENT CERTIFICATE (RSA)" +echo "==========================================" + +$OPENSSL_CMD req $OPENSSL_CNF -nodes -subj "$TEST_CLIENT_DN" \ + -keyout $KEYS_DIR/$TEST_CLIENT_FILE.key.pem \ + -newkey rsa:1024 -new \ + -out $CERTS_DIR/$TEST_CLIENT_FILE.req.pem + +$OPENSSL_CMD x509 -req -days $DAYS \ + -in $CERTS_DIR/$TEST_CLIENT_FILE.req.pem \ + -CA $CERTS_DIR/$TEST_CA_FILE.cert.pem \ + -CAkey $KEYS_DIR/$TEST_CA_FILE.key.pem \ + -out $CERTS_DIR/$TEST_CLIENT_FILE.cert.pem -CAcreateserial + +# Display the certificate +$OPENSSL_CMD x509 -in $CERTS_DIR/$TEST_CLIENT_FILE.cert.pem -text + +# Place the certificate and key in a common file +$OPENSSL_CMD x509 -in $CERTS_DIR/$TEST_CLIENT_FILE.cert.pem -issuer -subject \ + > $COMBO_DIR/$TEST_CLIENT_FILE.pem +$CAT $KEYS_DIR/$TEST_CLIENT_FILE.key.pem >> $COMBO_DIR/$TEST_CLIENT_FILE.pem + +# Remove the cert request file (no longer needed) +$RM $CERTS_DIR/$TEST_CLIENT_FILE.req.pem + diff --git a/demos/ssltest-ecc/ssltest.sh b/demos/ssltest-ecc/ssltest.sh new file mode 100755 index 0000000000..2d6ff167f5 --- /dev/null +++ b/demos/ssltest-ecc/ssltest.sh @@ -0,0 +1,185 @@ +#! /bin/sh +# Tests ECC cipher suites using ssltest. Requires one argument which could +# be aecdh or ecdh-ecdsa or ecdhe-ecdsa or ecdh-rsa or ecdhe-rsa. +# A second optional argument can be one of ssl2 ssl3 or tls1 + +if [ "$1" = "" ]; then + (echo "Usage: $0 test [ protocol ]" + echo " where test is one of aecdh, ecdh-ecdsa, ecdhe-ecdsa, ecdh-rsa, ecdhe-rsa" + echo " and protocol (optional) is one of ssl2, ssl3, tls1" + echo "Run RSAcertgen.sh, ECC-RSAcertgen.sh, ECCcertgen.sh first." + ) >&2 + exit 1 +fi + + +OPENSSL_DIR=../.. +CERTS_DIR=./Certs +SSLTEST=$OPENSSL_DIR/test/ssltest +# SSL protocol version to test (one of ssl2 ssl3 or tls1)" +SSLVERSION= + +# These don't really require any certificates +AECDH_CIPHER_LIST="EXP-AECDH-RC4-40-SHA EXP-AECDH-DES-40-CBC-SHA AECDH-DES-CBC3-SHA AECDH-DES-CBC-SHA AECDH-RC4-SHA AECDH-NULL-SHA" + +# These require ECC certificates signed with ECDSA +# The EC public key must be authorized for key agreement. +ECDH_ECDSA_CIPHER_LIST="EXP-ECDH-ECDSA-RC4-56-SHA EXP-ECDH-ECDSA-RC4-40-SHA ECDH-ECDSA-AES256-SHA ECDH-ECDSA-AES128-SHA ECDH-ECDSA-DES-CBC3-SHA ECDH-ECDSA-DES-CBC-SHA ECDH-ECDSA-RC4-SHA ECDH-ECDSA-NULL-SHA" + +# These require ECC certificates. +# The EC public key must be authorized for digital signature. +ECDHE_ECDSA_CIPHER_LIST="ECDHE-ECDSA-AES128-SHA" + +# These require ECC certificates signed with RSA. +# The EC public key must be authorized for key agreement. +ECDH_RSA_CIPHER_LIST="EXP-ECDH-RSA-RC4-56-SHA EXP-ECDH-RSA-RC4-40-SHA ECDH-RSA-AES256-SHA ECDH-RSA-AES128-SHA ECDH-RSA-DES-CBC3-SHA ECDH-RSA-DES-CBC-SHA ECDH-RSA-RC4-SHA ECDH-RSA-NULL-SHA" + +# These require RSA certificates. +# The RSA public key must be authorized for digital signature. +ECDHE_RSA_CIPHER_LIST="ECDHE-RSA-AES128-SHA" + +# List of Elliptic curves over which we wish to test generation of +# ephemeral ECDH keys when using AECDH or ECDHE ciphers +# NOTE: secp192r1 = prime192v1 and secp256r1 = prime256v1 +#ELLIPTIC_CURVE_LIST="secp112r1 sect113r2 secp128r1 sect131r1 secp160k1 sect163r2 wap-wsg-idm-ecid-wtls7 c2pnb163v3 c2pnb176v3 c2tnb191v3 secp192r1 prime192v3 sect193r2 secp224r1 wap-wsg-idm-ecid-wtls10 sect239k1 prime239v2 secp256r1 prime256v1 sect283k1 secp384r1 sect409r1 secp521r1 sect571r1" +ELLIPTIC_CURVE_LIST="sect163k1 sect163r1 sect163r2 sect193r1 sect193r2 sect233k1 sect233r1 sect239k1 sect283k1 sect283r1 sect409k1 sect409r1 sect571k1 sect571r1 secp160k1 secp160r1 secp160r2 secp192k1 prime192v1 secp224k1 secp224r1 secp256k1 prime256v1 secp384r1 secp521r1" + +DEFAULT_CURVE="sect163r2" + +if [ "$2" = "" ]; then + if [ "$SSL_VERSION" = "" ]; then + SSL_VERSION="" + else + SSL_VERSION="-$SSL_VERSION" + fi +else + SSL_VERSION="-$2" +fi + +#============================================================== +# Anonymous cipher suites do not require key or certificate files +# but ssltest expects a cert file and complains if it can't +# open the default one. +SERVER_PEM=$OPENSSL_DIR/apps/server.pem + +if [ "$1" = "aecdh" ]; then +for cipher in $AECDH_CIPHER_LIST +do + echo "Testing $cipher" + $SSLTEST $SSL_VERSION -cert $SERVER_PEM -cipher $cipher +done +#-------------------------------------------------------------- +for curve in $ELLIPTIC_CURVE_LIST +do + echo "Testing AECDH-NULL-SHA (with $curve)" + $SSLTEST $SSL_VERSION -cert $SERVER_PEM \ + -named_curve $curve -cipher AECDH-NULL-SHA +done + +for curve in $ELLIPTIC_CURVE_LIST +do + echo "Testing EXP-AECDH-RC4-40-SHA (with $curve)" + $SSLTEST $SSL_VERSION -cert $SERVER_PEM \ + -named_curve $curve -cipher EXP-AECDH-RC4-40-SHA +done +fi + +#============================================================== +# Both ECDH-ECDSA and ECDHE-ECDSA cipher suites require +# the server to have an ECC certificate signed with ECDSA. +CA_PEM=$CERTS_DIR/secp160r1TestCA.pem +SERVER_PEM=$CERTS_DIR/secp160r2TestServer.pem +CLIENT_PEM=$CERTS_DIR/secp160r2TestClient.pem + +if [ "$1" = "ecdh-ecdsa" ]; then +for cipher in $ECDH_ECDSA_CIPHER_LIST +do + echo "Testing $cipher (with server authentication)" + $SSLTEST $SSL_VERSION -CAfile $CA_PEM \ + -cert $SERVER_PEM -server_auth \ + -cipher $cipher + + echo "Testing $cipher (with server and client authentication)" + $SSLTEST $SSL_VERSION -CAfile $CA_PEM \ + -cert $SERVER_PEM -server_auth \ + -c_cert $CLIENT_PEM -client_auth \ + -cipher $cipher +done +fi + +#============================================================== +if [ "$1" = "ecdhe-ecdsa" ]; then +for cipher in $ECDHE_ECDSA_CIPHER_LIST +do + echo "Testing $cipher (with server authentication)" + $SSLTEST $SSL_VERSION -CAfile $CA_PEM \ + -cert $SERVER_PEM -server_auth \ + -cipher $cipher -named_curve $DEFAULT_CURVE + + echo "Testing $cipher (with server and client authentication)" + $SSLTEST $SSL_VERSION -CAfile $CA_PEM \ + -cert $SERVER_PEM -server_auth \ + -c_cert $CLIENT_PEM -client_auth \ + -cipher $cipher -named_curve $DEFAULT_CURVE +done + +#-------------------------------------------------------------- +for curve in $ELLIPTIC_CURVE_LIST +do + echo "Testing ECDHE-ECDSA-AES128-SHA (2-way auth with $curve)" + $SSLTEST $SSL_VERSION -CAfile $CA_PEM \ + -cert $SERVER_PEM -server_auth \ + -c_cert $CLIENT_PEM -client_auth \ + -cipher ECDHE-ECDSA-AES128-SHA -named_curve $curve +done +fi + +#============================================================== +# ECDH-RSA cipher suites require the server to have an ECC +# certificate signed with RSA. +CA_PEM=$CERTS_DIR/rsa1024TestCA.pem +SERVER_PEM=$CERTS_DIR/sect163r1-rsaTestServer.pem +CLIENT_PEM=$CERTS_DIR/sect163r1-rsaTestClient.pem + +if [ "$1" = "ecdh-rsa" ]; then +for cipher in $ECDH_RSA_CIPHER_LIST +do + echo "Testing $cipher (with server authentication)" + $SSLTEST $SSL_VERSION -CAfile $CA_PEM \ + -cert $SERVER_PEM -server_auth \ + -cipher $cipher + + echo "Testing $cipher (with server and client authentication)" + $SSLTEST $SSL_VERSION -CAfile $CA_PEM \ + -cert $SERVER_PEM -server_auth \ + -c_cert $CLIENT_PEM -client_auth \ + -cipher $cipher +done +fi + +#============================================================== +# ECDHE-RSA cipher suites require the server to have an RSA cert. +CA_PEM=$CERTS_DIR/rsa1024TestCA.pem +SERVER_PEM=$CERTS_DIR/rsa1024TestServer.pem +CLIENT_PEM=$CERTS_DIR/rsa1024TestClient.pem + +if [ "$1" = "ecdhe-rsa" ]; then +for cipher in $ECDHE_RSA_CIPHER_LIST +do + echo "Testing $cipher (with server authentication)" + $SSLTEST $SSL_VERSION -CAfile $CA_PEM \ + -cert $SERVER_PEM -server_auth \ + -cipher $cipher -named_curve $DEFAULT_CURVE + + echo "Testing $cipher (with server and client authentication)" + $SSLTEST $SSL_VERSION -CAfile $CA_PEM \ + -cert $SERVER_PEM -server_auth \ + -c_cert $CLIENT_PEM -client_auth \ + -cipher $cipher -named_curve $DEFAULT_CURVE +done +fi +#============================================================== + + + +