| Index: net/data/ssl/scripts/generate-weak-test-chains.sh
|
| ===================================================================
|
| --- net/data/ssl/scripts/generate-weak-test-chains.sh (revision 0)
|
| +++ net/data/ssl/scripts/generate-weak-test-chains.sh (revision 0)
|
| @@ -0,0 +1,168 @@
|
| +#!/bin/sh
|
| +
|
| +# Copyright (c) 2011 The Chromium Authors. All rights reserved.
|
| +# Use of this source code is governed by a BSD-style license that can be
|
| +# found in the LICENSE file.
|
| +
|
| +# This script generates a set of test (end-entity, intermediate, root)
|
| +# certificates with (weak, strong), (RSA, DSA, ECDSA) key pairs.
|
| +
|
| +key_types="768-rsa 1024-rsa 2048-rsa prime256v1-ecdsa"
|
| +
|
| +try () {
|
| + echo "$@"
|
| + $@ || exit 1
|
| +}
|
| +
|
| +generate_key_command () {
|
| + case "$1" in
|
| + dsa)
|
| + echo "dsaparam -genkey"
|
| + ;;
|
| + ecdsa)
|
| + echo "ecparam -genkey"
|
| + ;;
|
| + rsa)
|
| + echo genrsa
|
| + ;;
|
| + *)
|
| + exit 1
|
| + esac
|
| +}
|
| +
|
| +try rm -rf out
|
| +try mkdir out
|
| +
|
| +# Create the serial number files.
|
| +try echo 1 > out/2048-rsa-root-serial
|
| +for key_type in $key_types
|
| +do
|
| + try echo 1 > out/$key_type-intermediate-serial
|
| +done
|
| +
|
| +# Generate one root CA certificate.
|
| +try openssl genrsa -out out/2048-rsa-root.key 2048
|
| +
|
| +CA_COMMON_NAME="2048 RSA Test Root CA" \
|
| + CA_DIR=out \
|
| + CA_NAME=req_env_dn \
|
| + KEY_SIZE=2048 \
|
| + ALGO=rsa \
|
| + CERT_TYPE=root \
|
| + try openssl req \
|
| + -new \
|
| + -key out/2048-rsa-root.key \
|
| +-extensions ca_cert \
|
| + -out out/2048-rsa-root.csr \
|
| + -config ca.cnf
|
| +
|
| +CA_COMMON_NAME="2048 RSA Test Root CA" \
|
| + CA_DIR=out \
|
| + CA_NAME=req_env_dn \
|
| + try openssl x509 \
|
| + -req -days 3650 \
|
| + -in out/2048-rsa-root.csr \
|
| +-extensions ca_cert \
|
| + -signkey out/2048-rsa-root.key \
|
| + -out out/2048-rsa-root.pem
|
| +
|
| +# Generate private keys of all types and strengths for intermediate CAs and
|
| +# end-entities.
|
| +for key_type in $key_types
|
| +do
|
| + key_size=$(echo "$key_type" | sed -E 's/-.+//')
|
| + algo=$(echo "$key_type" | sed -E 's/.+-//')
|
| +
|
| + if [ ecdsa = $algo ]
|
| + then
|
| + key_size="-name $key_size"
|
| + fi
|
| +
|
| + try openssl $(generate_key_command $algo) \
|
| + -out out/$key_type-intermediate.key $key_size
|
| +done
|
| +
|
| +for key_type in $key_types
|
| +do
|
| + key_size=$(echo "$key_type" | sed -E 's/-.+//')
|
| + algo=$(echo "$key_type" | sed -E 's/.+-//')
|
| +
|
| + if [ ecdsa = $algo ]
|
| + then
|
| + key_size="-name $key_size"
|
| + fi
|
| +
|
| + for signer_key_type in $key_types
|
| + do
|
| + try openssl $(generate_key_command $algo) \
|
| + -out out/$key_type-ee-by-$signer_key_type-intermediate.key $key_size
|
| + done
|
| +done
|
| +
|
| +# The root signs the intermediates.
|
| +for key_type in $key_types
|
| +do
|
| + key_size=$(echo "$key_type" | sed -E 's/-.+//')
|
| + algo=$(echo "$key_type" | sed -E 's/.+-//')
|
| +
|
| + CA_COMMON_NAME="$key_size $algo Test intermediate CA" \
|
| + CA_DIR=out \
|
| + CA_NAME=req_env_dn \
|
| + KEY_SIZE=$key_size \
|
| + ALGO=$algo \
|
| + CERT_TYPE=intermediate \
|
| + try openssl req \
|
| + -new \
|
| + -key out/$key_type-intermediate.key \
|
| + -out out/$key_type-intermediate.csr \
|
| + -config ca.cnf
|
| +
|
| + # Make sure the signer's DB file exists.
|
| + touch out/2048-rsa-root-index.txt
|
| +
|
| + CA_COMMON_NAME="2048 RSA Test Root CA" \
|
| + CA_DIR=out \
|
| + CA_NAME=req_env_dn \
|
| + KEY_SIZE=2048 \
|
| + ALGO=rsa \
|
| + CERT_TYPE=root \
|
| + try openssl ca \
|
| + -batch \
|
| + -extensions ca_cert \
|
| + -in out/$key_type-intermediate.csr \
|
| + -out out/$key_type-intermediate.pem \
|
| + -config ca.cnf
|
| +done
|
| +
|
| +# The intermediates sign the end-entities.
|
| +for key_type in $key_types
|
| +do
|
| + for signer_key_type in $key_types
|
| + do
|
| + key_size=$(echo "$key_type" | sed -E 's/-.+//')
|
| + algo=$(echo "$key_type" | sed -E 's/.+-//')
|
| + signer_key_size=$(echo "$signer_key_type" | sed -E 's/-.+//')
|
| + signer_algo=$(echo "$signer_key_type" | sed -E 's/.+-//')
|
| + touch out/$signer_key_type-intermediate-index.txt
|
| +
|
| + KEY_SIZE=$key_size \
|
| + try openssl req \
|
| + -new \
|
| + -key out/$key_type-ee-by-$signer_key_type-intermediate.key \
|
| + -out out/$key_type-ee-by-$signer_key_type-intermediate.csr \
|
| + -config ee.cnf
|
| +
|
| + CA_COMMON_NAME="$signer_key_size $algo Test intermediate CA" \
|
| + CA_DIR=out \
|
| + CA_NAME=req_env_dn \
|
| + KEY_SIZE=$signer_key_size \
|
| + ALGO=$signer_algo \
|
| + CERT_TYPE=intermediate \
|
| + try openssl ca \
|
| + -batch \
|
| + -in out/$key_type-ee-by-$signer_key_type-intermediate.csr \
|
| + -out out/$key_type-ee-by-$signer_key_type-intermediate.pem \
|
| + -config ca.cnf
|
| + done
|
| +done
|
| +
|
|
|
| Property changes on: net/data/ssl/scripts/generate-weak-test-chains.sh
|
| ___________________________________________________________________
|
| Added: svn:executable
|
| + *
|
| Added: svn:eol-style
|
| + LF
|
|
|
|
|
Chromium Code Reviews
Issue 8568040:
Refuse to accept certificate chains containing any RSA public key smaller (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src/