Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
89 changes: 67 additions & 22 deletions .github/scripts/openssl-ech.sh
Original file line number Diff line number Diff line change
Expand Up @@ -70,6 +70,13 @@ if [ "$FORCE_HRR" -ne 0 ] && [ -n "$PQC" ]; then
exit 1
fi

# corrupt_ech_config() flips the first public-key byte, this is valid only for
# the default X25519 KEM so consider --suite and --reject mutually exclusive
if [ "$REJECT" -ne 0 ] && [ -n "$SUITE" ]; then
echo "ERROR: --reject only supports the default X25519 suite"
exit 1
fi

# Pick exactly one test variant. The variant decides which -groups go to
# each side and any extra flags needed to drive the desired handshake.
# default - both sides use secp256r1 (no HRR)
Expand All @@ -89,18 +96,35 @@ WOLFSSL_CLIENT=${WOLFSSL_CLIENT:-"$WORKSPACE/examples/client/client"}
WOLFSSL_SERVER=${WOLFSSL_SERVER:-"$WORKSPACE/examples/server/server"}
CERT_DIR=${CERT_DIR:-"$WORKSPACE/certs"}

# correct ECH config, but it's old, ECH will be rejected
REJECT_ECH_CONFIG="AD7+DQA6rAAgACCATZdDlHed6GlDeiYsu3r7sdWUkLVHZuTa3lbOf+hIbAAEAAEAAQALZXhhbXBsZS5jb20AAA=="

TMP_LOG="$WORKSPACE/tmp_file.log"
# Will need to look into validating the name against the cert for the OSSL cli.
# This is fine, but should be upgraded to use a second cert in the future.
PRIV_NAME="ech-private-name.com"
# example.com is taken from the server certificate,
# echConfigs needs to authenticate against the cert with this name to succeed
PUB_NAME="example.com"
# private inner name; matches the private cert swapped in once ECH is accepted
PRIV_NAME="example.com"
# ECH public name; matches certs/ech-public-cert.pem, the public-facing cert the
# outer (or a rejected) handshake authenticates against
PUB_NAME="public.com"
MAX_WAIT=50

# --------------------------------------------------------------------------
# Flip a bit in the HPKE public key of the config the server published. The
# client will offer ECH, but the server can't decrypt so ECH is rejected.
# --------------------------------------------------------------------------
corrupt_ech_config() {
local config="$1"
local bytes=()
local b

mapfile -t bytes < <(printf '%s' "$config" | base64 -d | od -An -tx1 -v \
| tr -s ' ' '\n' | grep -v '^$')

# list len (2) + version (2) + config len (2) + config_id (1) +
# kem_id (2) + public key len (2), so byte 11 is the first key byte
bytes[11]=$(printf '%02x' $(( 0x${bytes[11]} ^ 0x01 )))

for b in "${bytes[@]}"; do
printf "\\x$b"
done | base64 -w 0
}

# --------------------------------------------------------------------------
# server mode -- OpenSSL is the server, wolfSSL is the client
# --------------------------------------------------------------------------
Expand Down Expand Up @@ -140,16 +164,22 @@ openssl_server(){

# parse ECH config from file
ech_config=$(sed -n '/BEGIN ECHCONFIG/,/END ECHCONFIG/{/BEGIN ECHCONFIG\|END ECHCONFIG/d;p}' "$ech_file" | tr -d '\n')
# reject overrides the config the client connects with
[ "$REJECT" -ne 0 ] && ech_config="$REJECT_ECH_CONFIG"
echo "parsed ech config: $ech_config" &>> "$TMP_LOG"

# reject: corrupt the config so the server can't decrypt the client's ECH
if [ "$REJECT" -ne 0 ]; then
ech_config=$(corrupt_ech_config "$ech_config")
echo "bad ech config : $ech_config" &>> "$TMP_LOG"
fi

# start OpenSSL ECH server with ephemeral port; line-buffer so the
# log can be grepped
stdbuf -oL $OPENSSL s_server \
# -cert/-key is the public-name cert served on the outer/rejected handshake;
# -cert2/-key2 is the private inner cert switched to on ECH acceptance.
timeout 30 stdbuf -oL $OPENSSL s_server \
-tls1_3 \
-cert "$CERT_DIR/server-cert.pem" \
-key "$CERT_DIR/server-key.pem" \
-cert "$CERT_DIR/ech-public-cert.pem" \
-key "$CERT_DIR/ech-public-key.pem" \
-cert2 "$CERT_DIR/server-cert.pem" \
-key2 "$CERT_DIR/server-key.pem" \
-ech_key "$ech_file" \
Expand Down Expand Up @@ -184,11 +214,16 @@ openssl_server(){
$wolfssl_extra \
&>> "$TMP_LOG" || [ "$REJECT" -ne 0 ]

# let s_server finish writing its ech_success= line before grepping;
# on reject it sees a fatal alert, so tolerate a nonzero exit
wait || [ "$REJECT" -ne 0 ]

if [ "$REJECT" -ne 0 ]; then
grep -q "ECH offered but rejected by server" "$TMP_LOG" && \
grep -q "ech_success=0" "$TMP_LOG"
grep -q "ech_success=0" "$TMP_LOG" && \
grep -q "ECH status: rejected" "$TMP_LOG"
else
grep -q "ech_success=1" "$TMP_LOG"
grep -q "ech_success=1" "$TMP_LOG" && \
grep -q "ECH status: accepted" "$TMP_LOG"
fi
}

Expand Down Expand Up @@ -231,7 +266,7 @@ openssl_client(){

# start server with ephemeral port + ready file; line-buffer so the
# log can be grepped
stdbuf -oL $WOLFSSL_SERVER \
timeout 30 stdbuf -oL $WOLFSSL_SERVER \
-v 4 \
-R "$ready_file" \
-p "$port" \
Expand Down Expand Up @@ -267,10 +302,14 @@ openssl_client(){
exit 1
fi
done
# reject overrides the config the client connects with
[ "$REJECT" -ne 0 ] && ech_config="$REJECT_ECH_CONFIG"
echo "parsed ech config: $ech_config" &>> "$TMP_LOG"

# reject: corrupt the config so the server can't decrypt the client's ECH
if [ "$REJECT" -ne 0 ]; then
ech_config=$(corrupt_ech_config "$ech_config")
echo "bad ech config : $ech_config" &>> "$TMP_LOG"
fi

# test with OpenSSL s_client using ECH
# in reject mode the s_client is expected to error out, so tolerate a
# nonzero exit
Expand All @@ -285,10 +324,16 @@ openssl_client(){
$openssl_groups \
&>> "$TMP_LOG" || [ "$REJECT" -ne 0 ]

# let the wolfSSL server finish writing its ECH status line before
# grepping; on reject it errors out, so tolerate a nonzero exit
wait || [ "$REJECT" -ne 0 ]

if [ "$REJECT" -ne 0 ]; then
grep -q "ECH: Got 1 retry-configs" "$TMP_LOG"
grep -q "ECH: Got 1 retry-configs" "$TMP_LOG" && \
grep -q "ECH status: rejected" "$TMP_LOG"
else
grep -q "ECH: success: 1" "$TMP_LOG"
grep -q "ECH: success: 1" "$TMP_LOG" && \
grep -q "ECH status: accepted" "$TMP_LOG"
fi
}

Expand Down
Binary file added certs/ech-public-cert.der
Binary file not shown.
91 changes: 91 additions & 0 deletions certs/ech-public-cert.pem
Original file line number Diff line number Diff line change
@@ -0,0 +1,91 @@
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 35 (0x23)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=US, ST=Montana, L=Bozeman, O=Sawtooth, OU=Consulting, CN=www.wolfssl.com, emailAddress=facts@wolfssl.com
Validity
Not Before: Jul 10 20:54:16 2026 GMT
Not After : Apr 5 20:54:16 2029 GMT
Subject: C=US, ST=Montana, L=Bozeman, O=wolfSSL, OU=ECH, CN=public.com, emailAddress=info@wolfssl.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:d1:42:85:b2:a7:81:6f:e7:1b:26:c6:f2:53:d1:
42:ff:18:f1:0b:3f:75:a0:01:fa:5c:8f:b2:c7:b4:
06:f5:a5:6e:e2:ae:cc:a5:5d:35:b4:56:28:21:d3:
59:b1:6e:81:3f:69:7d:85:e9:33:0a:cd:7a:32:8a:
fc:41:5a:52:1e:23:9e:2a:22:d4:c9:20:7e:46:db:
6c:4d:56:e8:18:aa:79:b7:e7:20:b9:f3:97:28:1d:
63:44:03:b4:05:7b:03:93:4c:3f:83:8e:21:c4:4e:
f2:ee:28:8c:01:39:de:aa:64:57:34:9a:58:35:89:
c1:eb:4e:fc:8e:23:fd:10:ad:1e:ca:97:4e:a9:8f:
5d:d7:f9:52:fd:3a:45:90:cd:21:97:bc:b4:e2:8e:
c2:60:16:43:51:b3:71:e6:54:ec:60:00:76:b7:f6:
06:b1:0c:c9:93:d7:6c:c6:9e:ab:0d:4d:58:f9:d5:
c7:fc:d1:d9:53:66:b7:47:4b:4a:12:6b:37:23:b4:
df:f6:21:d4:23:6b:92:2d:f7:ca:e5:90:53:c7:84:
29:c0:a0:ac:d5:31:73:72:05:27:55:f6:4d:1a:c9:
e5:da:d9:8e:54:37:77:9c:3b:7f:2a:b9:72:6f:ed:
2e:a9:36:66:cf:f2:4f:29:6e:a0:92:10:05:6a:37:
2c:79
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
6B:D8:10:65:C9:94:68:23:2A:1E:67:67:CE:90:1E:92:8D:90:52:29
X509v3 Authority Key Identifier:
keyid:27:8E:67:11:74:C3:26:1D:3F:ED:33:63:B3:A4:D8:1D:30:E5:E8:D5
DirName:/C=US/ST=Montana/L=Bozeman/O=Sawtooth/OU=Consulting/CN=www.wolfssl.com/emailAddress=facts@wolfssl.com
serial:67:19:D2:A8:7F:E3:2D:FA:75:7A:4F:E7:B2:02:D9:AD:C4:77:5E:F8
X509v3 Basic Constraints:
CA:FALSE
X509v3 Subject Alternative Name:
DNS:public.com
X509v3 Extended Key Usage:
TLS Web Server Authentication
Signature Algorithm: sha256WithRSAEncryption
Signature Value:
63:8a:f1:b3:a2:e4:e6:28:6a:63:c5:39:56:71:65:95:3d:08:
86:f6:ee:aa:a2:61:9d:f3:77:31:f2:e1:61:a8:d7:47:7e:dc:
2c:70:44:cd:b3:0a:ed:ae:5b:5b:bf:d6:4c:70:47:98:66:40:
8f:f4:0e:4b:f4:7e:fa:45:87:9e:fb:70:fc:e4:7a:3b:ff:da:
5f:57:8b:32:75:4f:ec:6b:ad:95:58:44:18:31:b7:45:77:76:
d4:e6:96:66:b1:63:42:df:86:c1:f4:0b:53:f8:51:8a:71:b0:
99:ea:7a:16:27:0e:22:5a:ac:e9:c5:46:0b:06:16:e9:ba:85:
ae:2f:ae:56:f9:cc:de:69:8c:e1:0c:e6:38:93:f2:21:88:a9:
0d:25:9b:5a:cc:45:f6:6a:e8:d5:d8:f6:69:2e:fa:b0:cc:09:
76:3b:9a:fc:ab:4e:9a:a9:2a:28:a0:d5:3a:3c:f7:e2:cf:de:
0c:18:40:34:65:cd:93:47:db:30:8f:6b:16:42:39:7e:ec:47:
bd:9a:3e:19:09:96:6a:88:b9:99:92:5d:de:af:f5:fb:69:b8:
43:f0:27:2e:d5:5a:d9:c9:30:c4:f8:43:01:ea:41:04:eb:fd:
5f:2c:0e:7c:28:11:41:4e:c9:d3:67:3c:48:89:02:2b:4c:e6:
54:b7:00:0c
-----BEGIN CERTIFICATE-----
MIIEzTCCA7WgAwIBAgIBIzANBgkqhkiG9w0BAQsFADCBlTELMAkGA1UEBhMCVVMx
EDAOBgNVBAgMB01vbnRhbmExEDAOBgNVBAcMB0JvemVtYW4xETAPBgNVBAoMCFNh
d3Rvb3RoMRMwEQYDVQQLDApDb25zdWx0aW5nMRgwFgYDVQQDDA93d3cud29sZnNz
bC5jb20xIDAeBgkqhkiG9w0BCQEWEWZhY3RzQHdvbGZzc2wuY29tMB4XDTI2MDcx
MDIwNTQxNloXDTI5MDQwNTIwNTQxNlowgYcxCzAJBgNVBAYTAlVTMRAwDgYDVQQI
DAdNb250YW5hMRAwDgYDVQQHDAdCb3plbWFuMRAwDgYDVQQKDAd3b2xmU1NMMQww
CgYDVQQLDANFQ0gxEzARBgNVBAMMCnB1YmxpYy5jb20xHzAdBgkqhkiG9w0BCQEW
EGluZm9Ad29sZnNzbC5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
AQDRQoWyp4Fv5xsmxvJT0UL/GPELP3WgAfpcj7LHtAb1pW7irsylXTW0Vigh01mx
boE/aX2F6TMKzXoyivxBWlIeI54qItTJIH5G22xNVugYqnm35yC585coHWNEA7QF
ewOTTD+DjiHETvLuKIwBOd6qZFc0mlg1icHrTvyOI/0QrR7Kl06pj13X+VL9OkWQ
zSGXvLTijsJgFkNRs3HmVOxgAHa39gaxDMmT12zGnqsNTVj51cf80dlTZrdHS0oS
azcjtN/2IdQja5It98rlkFPHhCnAoKzVMXNyBSdV9k0ayeXa2Y5UN3ecO38quXJv
7S6pNmbP8k8pbqCSEAVqNyx5AgMBAAGjggEyMIIBLjAdBgNVHQ4EFgQUa9gQZcmU
aCMqHmdnzpAeko2QUikwgdUGA1UdIwSBzTCByoAUJ45nEXTDJh0/7TNjs6TYHTDl
6NWhgZukgZgwgZUxCzAJBgNVBAYTAlVTMRAwDgYDVQQIDAdNb250YW5hMRAwDgYD
VQQHDAdCb3plbWFuMREwDwYDVQQKDAhTYXd0b290aDETMBEGA1UECwwKQ29uc3Vs
dGluZzEYMBYGA1UEAwwPd3d3LndvbGZzc2wuY29tMSAwHgYJKoZIhvcNAQkBFhFm
YWN0c0B3b2xmc3NsLmNvbYIUZxnSqH/jLfp1ek/nsgLZrcR3XvgwCQYDVR0TBAIw
ADAVBgNVHREEDjAMggpwdWJsaWMuY29tMBMGA1UdJQQMMAoGCCsGAQUFBwMBMA0G
CSqGSIb3DQEBCwUAA4IBAQBjivGzouTmKGpjxTlWcWWVPQiG9u6qomGd83cx8uFh
qNdHftwscETNswrtrltbv9ZMcEeYZkCP9A5L9H76RYee+3D85Ho7/9pfV4sydU/s
a62VWEQYMbdFd3bU5pZmsWNC34bB9AtT+FGKcbCZ6noWJw4iWqzpxUYLBhbpuoWu
L65W+czeaYzhDOY4k/IhiKkNJZtazEX2aujV2PZpLvqwzAl2O5r8q06aqSoooNU6
PPfiz94MGEA0Zc2TR9swj2sWQjl+7Ee9mj4ZCZZqiLmZkl3er/X7abhD8Ccu1VrZ
yTDE+EMB6kEE6/1fLA58KBFBTsnTZzxIiQIrTOZUtwAM
-----END CERTIFICATE-----
Binary file added certs/ech-public-key.der
Binary file not shown.
28 changes: 28 additions & 0 deletions certs/ech-public-key.pem
Original file line number Diff line number Diff line change
@@ -0,0 +1,28 @@
-----BEGIN PRIVATE KEY-----
MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQDRQoWyp4Fv5xsm
xvJT0UL/GPELP3WgAfpcj7LHtAb1pW7irsylXTW0Vigh01mxboE/aX2F6TMKzXoy
ivxBWlIeI54qItTJIH5G22xNVugYqnm35yC585coHWNEA7QFewOTTD+DjiHETvLu
KIwBOd6qZFc0mlg1icHrTvyOI/0QrR7Kl06pj13X+VL9OkWQzSGXvLTijsJgFkNR
s3HmVOxgAHa39gaxDMmT12zGnqsNTVj51cf80dlTZrdHS0oSazcjtN/2IdQja5It
98rlkFPHhCnAoKzVMXNyBSdV9k0ayeXa2Y5UN3ecO38quXJv7S6pNmbP8k8pbqCS
EAVqNyx5AgMBAAECggEAZaAUVRCTRFisr3bTzc/lZQTkXy2I/tWnFFe3H9Q2wwp+
IPl6Kl7ri3KCF/dP6mL7wuOE0clQgBENJMmpu0VVdwyeLeFvjGPK37eFT8QCgKQd
66mEE7qQcKtg/3F69mRo9pqDh+y5SmB7Cx1G7PuBPyfuz/2bFBkcQ54++frRVkyT
hZ8Zl74MUyNCWVunT9M43o5JbbcapLegxG9kWcQChUHVU5U7ZjiSG2eKOWbY7qY0
8/lwNnr6X1x/SViS07p0tNy02cXBsVWItZb50LtpSdtMSfJkE8Ed6Z5wQWggDle9
ll6dOUSUvK0zrzq1nk7X/iJ71837/A9ZTFzpEKOyHwKBgQD7J2QjP+u44v/Gn4PK
5f6p3WMvIfqs2dzuXwLR1eq+uUs01H5fOeCe0+l8TuxIlkR9rOncR7iayRFtxing
ccE0RD3UHivr7RCdTryA60CJ8CgVkN7U9x1wc7SJIWE3Oh1Plk8tfI+n16AI2ErF
lVzGb9jEOzkvSOZWLAx7UDDpmwKBgQDVTDCbJfL/5c3pxtPR6egJNLdQ8pVwxgzC
eloaxLAKZy7Jr2wgz+EC3/489+pY/nOTOfv+btmz9F+ytGuNBiQPybl6il2M0J33
JKwlZygXHJSDj5vEChkQyz6rlS8evuXQ6C5ZdaUNfJRZVZQAa4vCeYo2KH47lQK3
OCtFLHc9ewKBgGG9zcHOIY2dgg8pix/ObFJtHyl7ntPgIZP/E9jX2HiLIhKYU+n5
W0pUjDxddqU1HciPH6AjpVtPvuGqyidX/em6WRmQ+GTjqKCfwMqnQ0GrXd4uuBnH
ZgSacvsfK3dTvY54n63DGSEn0FdA3bCRVT7Azmpn5fRZ+ZI1qFHhPnfbAoGAJOXG
LsCU1bGiOkOb1t84tYb6AzXDpjuMb4QM3D6UGWiaDmebM93iFcY7y74zOuvhgGFy
dyQj4t5uQ5K0XDPovxZtUIZpAngAK4WbhejfZYgbJNsN3g7FIUOXdsUa3p21Ubso
cW9JexjG7OFB9gSkq6KsxwugMpxnWNyNl6zGf8sCgYBS7BjgAf6yKbzSs6eZaD3N
dq9Y5GLB/bg6EktrXYmdGZJAb44we3Yf3ssVh1u4SmUC0nUmHbwmuZw7NU+c+oKH
IjBPCQNEdftHrJ5T3aHAQGTvaxgzt6dMaS50S+iwsNqVr1pfjUiZJ+QiB8peqlHU
3klKawNgdytJZS1s6jl1/g==
-----END PRIVATE KEY-----
8 changes: 8 additions & 0 deletions certs/include.am
Original file line number Diff line number Diff line change
Expand Up @@ -45,6 +45,10 @@ EXTRA_DIST += \
certs/tsa-ecc-cert.pem \
certs/tsa-ecc-key.pem \
certs/tsa-key.pem \
certs/ech-public-cert.pem \
certs/ech-public-key.pem \
certs/tenant-a-cert.pem \
certs/tenant-b-cert.pem \
certs/server-ecc.pem \
certs/server-ecc-self.pem \
certs/server-ecc-comp.pem \
Expand Down Expand Up @@ -135,6 +139,10 @@ EXTRA_DIST += \
certs/tsa-extra-eku-cert.der \
certs/tsa-chain-cert.der \
certs/tsa-chain-key.der \
certs/ech-public-cert.der \
certs/ech-public-key.der \
certs/tenant-a-cert.der \
certs/tenant-b-cert.der \
certs/server-ecc-comp.der \
certs/server-ecc.der \
certs/server-ecc-self.der \
Expand Down
75 changes: 75 additions & 0 deletions certs/renewcerts.sh
Original file line number Diff line number Diff line change
Expand Up @@ -50,6 +50,12 @@
# tsa-chain-cert.pem
# tsa-chain-cert.der
# intermediate/ca-int-cert.der
# ech-public-cert.pem
# ech-public-cert.der
# tenant-a-cert.pem
# tenant-a-cert.der
# tenant-b-cert.pem
# tenant-b-cert.der
# updates the following crls:
# crl/cliCrl.pem
# crl/crl.pem
Expand Down Expand Up @@ -1184,6 +1190,75 @@ EOF
echo "End of section"
echo "---------------------------------------------------------------------"

############################################################
########## update and sign ech-public-cert.pem ############
############################################################
echo "Updating ech-public-cert.pem"
echo ""
openssl genrsa -out ech-public-key.pem 2048
check_result $? "Step 1"

echo -e "US\\nMontana\\nBozeman\\nwolfSSL\\nECH\\npublic.com\\ninfo@wolfssl.com\\n.\\n.\\n" | openssl req -new -key ech-public-key.pem -config ./wolfssl.cnf -nodes > ech-public-req.pem
check_result $? "Step 2"

openssl x509 -req -in ech-public-req.pem -extfile wolfssl.cnf -extensions ech_public_opts -days 1000 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 0x23 > ech-public-cert.pem
check_result $? "Step 3"

rm ech-public-req.pem

openssl x509 -in ech-public-cert.pem -text > tmp.pem
check_result $? "Step 4"
mv tmp.pem ech-public-cert.pem

openssl x509 -inform PEM -in ech-public-cert.pem -outform DER -out ech-public-cert.der
check_result $? "Step 5"
openssl rsa -inform PEM -in ech-public-key.pem -outform DER -out ech-public-key.der
check_result $? "Step 6"
echo "End of section"
echo "---------------------------------------------------------------------"

############################################################
########## update and sign tenant-a-cert.pem ##############
############################################################
echo "Updating tenant-a-cert.pem"
echo ""
echo -e "US\\nMontana\\nBozeman\\nwolfSSL\\nECH demo\\ntenant-a.example\\ninfo@wolfssl.com\\n.\\n.\\n" | openssl req -new -key server-key.pem -config ./wolfssl.cnf -nodes > tenant-a-req.pem
check_result $? "Step 1"

openssl x509 -req -in tenant-a-req.pem -extfile wolfssl.cnf -extensions ech_tenant_a_opts -days 1000 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 0x21 > tenant-a-cert.pem
check_result $? "Step 2"
rm tenant-a-req.pem

openssl x509 -in tenant-a-cert.pem -text > tmp.pem
check_result $? "Step 3"
mv tmp.pem tenant-a-cert.pem

openssl x509 -inform PEM -in tenant-a-cert.pem -outform DER -out tenant-a-cert.der
check_result $? "Step 4"
echo "End of section"
echo "---------------------------------------------------------------------"

############################################################
########## update and sign tenant-b-cert.pem ##############
############################################################
echo "Updating tenant-b-cert.pem"
echo ""
echo -e "US\\nMontana\\nBozeman\\nwolfSSL\\nECH demo\\ntenant-b.example\\ninfo@wolfssl.com\\n.\\n.\\n" | openssl req -new -key server-key.pem -config ./wolfssl.cnf -nodes > tenant-b-req.pem
check_result $? "Step 1"

openssl x509 -req -in tenant-b-req.pem -extfile wolfssl.cnf -extensions ech_tenant_b_opts -days 1000 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 0x22 > tenant-b-cert.pem
check_result $? "Step 2"
rm tenant-b-req.pem

openssl x509 -in tenant-b-cert.pem -text > tmp.pem
check_result $? "Step 3"
mv tmp.pem tenant-b-cert.pem

openssl x509 -inform PEM -in tenant-b-cert.pem -outform DER -out tenant-b-cert.der
check_result $? "Step 4"
echo "End of section"
echo "---------------------------------------------------------------------"

############################################################
#### ML-DSA (FIPS 204) self-signed certificates ###
############################################################
Expand Down
Loading
Loading