net/data/ssl/scripts/generate-test-certs.sh - Issue 1059303002: Don't process HSTS/HPKP headers when host is an IP address

Side by Side Diff: net/data/ssl/scripts/generate-test-certs.sh

Issue 1059303002: Don't process HSTS/HPKP headers when host is an IP address (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master

Patch Set: add tests for HPKP/HSTS headers on IPs Created 5 years, 8 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View unified diff | Download patch

« no previous file with comments | « net/data/ssl/scripts/ee.cnf ('k') | net/data/url_request_unittest/hpkp-headers.html.mock-http-headers » ('j') | net/test/spawned_test_server/base_test_server.cc » ('J')
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Hide Comments ('s')

OLD	NEW
1 #!/bin/sh	1 #!/bin/sh

2	2

3 # Copyright 2013 The Chromium Authors. All rights reserved.	3 # Copyright 2013 The Chromium Authors. All rights reserved.

4 # Use of this source code is governed by a BSD-style license that can be	4 # Use of this source code is governed by a BSD-style license that can be

5 # found in the LICENSE file.	5 # found in the LICENSE file.

6	6

7 # This script generates a set of test (end-entity, intermediate, root)	7 # This script generates a set of test (end-entity, intermediate, root)

8 # certificates that can be used to test fetching of an intermediate via AIA.	8 # certificates that can be used to test fetching of an intermediate via AIA.

9	9

10 try() {	10 try() {

11 echo "$@"	11 echo "$@"

12 "$@" \|\| exit 1	12 "$@" \|\| exit 1

13 }	13 }

14	14

	15 quiet_try() {

	16 "$@" \|\| exit 1
	palmer 2015/04/03 21:04:51 Idea (take it or leave it): Unify try and quiet_tr Idea (take it or leave it): Unify try and quiet_try: try() { "$@" \|\| (echo "$@" > /dev/stderr && exit 1) } estark 2015/04/03 21:22:30 Done. Show quoted text On 2015/04/03 21:04:51, palmer wrote: > Idea (take it or leave it): Unify try and quiet_try: > > try() { > "$@" \|\| (echo "$@" > /dev/stderr && exit 1) > } Done.
	17 }

	18

15 try rm -rf out	19 try rm -rf out

16 try mkdir out	20 try mkdir out

17	21

18 try /bin/sh -c "echo 01 > out/2048-sha256-root-serial"	22 try /bin/sh -c "echo 01 > out/2048-sha256-root-serial"

19 touch out/2048-sha256-root-index.txt	23 touch out/2048-sha256-root-index.txt

20	24

21 # Generate the key	25 # Generate the key

22 try openssl genrsa -out out/2048-sha256-root.key 2048	26 try openssl genrsa -out out/2048-sha256-root.key 2048

23	27

24 # Generate the root certificate	28 # Generate the root certificate

25 CA_COMMON_NAME="Test Root CA" \	29 CA_COMMON_NAME="Test Root CA" \

26 try openssl req \	30 try openssl req \

27 -new \	31 -new \

28 -key out/2048-sha256-root.key \	32 -key out/2048-sha256-root.key \

29 -out out/2048-sha256-root.req \	33 -out out/2048-sha256-root.req \

30 -config ca.cnf	34 -config ca.cnf

31	35

32 CA_COMMON_NAME="Test Root CA" \	36 CA_COMMON_NAME="Test Root CA" \

33 try openssl x509 \	37 quiet_try openssl x509 \

34 -req -days 3650 \	38 -req -days 3650 \

35 -in out/2048-sha256-root.req \	39 -in out/2048-sha256-root.req \

36 -out out/2048-sha256-root.pem \

37 -signkey out/2048-sha256-root.key \	40 -signkey out/2048-sha256-root.key \

38 -extfile ca.cnf \	41 -extfile ca.cnf \

39 -extensions ca_cert \	42 -extensions ca_cert \

40 -text	43 -text > out/2048-sha256-root.pem

41	44

42 # Generate the leaf certificate requests	45 # Generate the leaf certificate requests

43 try openssl req \	46 try openssl req \

44 -new \	47 -new \

45 -keyout out/expired_cert.key \	48 -keyout out/expired_cert.key \

46 -out out/expired_cert.req \	49 -out out/expired_cert.req \

47 -config ee.cnf	50 -config ee.cnf

48	51

49 try openssl req \	52 try openssl req \

50 -new \	53 -new \

51 -keyout out/ok_cert.key \	54 -keyout out/ok_cert.key \

52 -out out/ok_cert.req \	55 -out out/ok_cert.req \

53 -config ee.cnf	56 -config ee.cnf

54	57

	58 SUBJECT_NAME=req_localhost_cn \

	59 try openssl req \

	60 -new \

	61 -keyout out/localhost_cert.key \

	62 -out out/localhost_cert.req \

	63 -reqexts req_extensions_none \

	64 -config ee.cnf

	65

55 # Generate the leaf certificates	66 # Generate the leaf certificates

56 CA_COMMON_NAME="Test Root CA" \	67 CA_COMMON_NAME="Test Root CA" \

57 try openssl ca \	68 try openssl ca \

58 -batch \	69 -batch \

59 -extensions user_cert \	70 -extensions user_cert \

60 -startdate 060101000000Z \	71 -startdate 060101000000Z \

61 -enddate 070101000000Z \	72 -enddate 070101000000Z \

62 -in out/expired_cert.req \	73 -in out/expired_cert.req \

63 -out out/expired_cert.pem \	74 -out out/expired_cert.pem \

64 -config ca.cnf	75 -config ca.cnf

(...skipping 20 matching lines...) Expand all Loading...
85 CA_COMMON_NAME="Test Root CA" \	96 CA_COMMON_NAME="Test Root CA" \

86 try openssl ca \	97 try openssl ca \

87 -batch \	98 -batch \

88 -extensions name_constraint_good \	99 -extensions name_constraint_good \

89 -subj "/CN=Leaf Certificate/" \	100 -subj "/CN=Leaf Certificate/" \

90 -days 3650 \	101 -days 3650 \

91 -in out/ok_cert.req \	102 -in out/ok_cert.req \

92 -out out/name_constraint_good.pem \	103 -out out/name_constraint_good.pem \

93 -config ca.cnf	104 -config ca.cnf

94	105

	106 CA_COMMON_NAME="Test Root CA" \

	107 try openssl ca \

	108 -batch \

	109 -extensions user_cert \

	110 -days 3650 \

	111 -in out/localhost_cert.req \

	112 -out out/localhost_cert.pem \

	113 -config ca.cnf

	114

95 try /bin/sh -c "cat out/ok_cert.key out/ok_cert.pem \	115 try /bin/sh -c "cat out/ok_cert.key out/ok_cert.pem \

96 > ../certificates/ok_cert.pem"	116 > ../certificates/ok_cert.pem"

	117 try /bin/sh -c "cat out/localhost_cert.key out/localhost_cert.pem \

	118 > ../certificates/localhost_cert.pem"

97 try /bin/sh -c "cat out/expired_cert.key out/expired_cert.pem \	119 try /bin/sh -c "cat out/expired_cert.key out/expired_cert.pem \

98 > ../certificates/expired_cert.pem"	120 > ../certificates/expired_cert.pem"

99 try /bin/sh -c "cat out/2048-sha256-root.key out/2048-sha256-root.pem \	121 try /bin/sh -c "cat out/2048-sha256-root.key out/2048-sha256-root.pem \

100 > ../certificates/root_ca_cert.pem"	122 > ../certificates/root_ca_cert.pem"

101 try /bin/sh -c "cat out/ok_cert.key out/name_constraint_bad.pem \	123 try /bin/sh -c "cat out/ok_cert.key out/name_constraint_bad.pem \

102 > ../certificates/name_constraint_bad.pem"	124 > ../certificates/name_constraint_bad.pem"

103 try /bin/sh -c "cat out/ok_cert.key out/name_constraint_good.pem \	125 try /bin/sh -c "cat out/ok_cert.key out/name_constraint_good.pem \

104 > ../certificates/name_constraint_good.pem"	126 > ../certificates/name_constraint_good.pem"

105	127

106 # Now generate the one-off certs	128 # Now generate the one-off certs

107 ## SHA-256 general test cert	129 ## SHA-256 general test cert

108 try openssl req -x509 -days 3650 \	130 try openssl req -x509 -days 3650 \

109 -config ../scripts/ee.cnf -newkey rsa:2048 -text \	131 -config ../scripts/ee.cnf -newkey rsa:2048 -text \

110 -sha256 \	132 -sha256 \

111 -out sha256.pem	133 -out ../certificates/sha256.pem

112	134

113 ## Self-signed cert for SPDY/QUIC/HTTP2 pooling testing	135 ## Self-signed cert for SPDY/QUIC/HTTP2 pooling testing

114 try openssl req -x509 -days 3650 -extensions req_spdy_pooling \	136 try openssl req -x509 -days 3650 -extensions req_spdy_pooling \

115 -config ../scripts/ee.cnf -newkey rsa:2048 -text \	137 -config ../scripts/ee.cnf -newkey rsa:2048 -text \

116 -out ../certificates/spdy_pooling.pem	138 -out ../certificates/spdy_pooling.pem

117	139

118 ## SubjectAltName parsing	140 ## SubjectAltName parsing

119 try openssl req -x509 -days 3650 -extensions req_san_sanity \	141 try openssl req -x509 -days 3650 -extensions req_san_sanity \

120 -config ../scripts/ee.cnf -newkey rsa:2048 -text \	142 -config ../scripts/ee.cnf -newkey rsa:2048 -text \

121 -out ../certificates/subjectAltName_sanity_check.pem	143 -out ../certificates/subjectAltName_sanity_check.pem

(...skipping 160 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
282 ## Block a leaf cert by issuer-hash-and-serial. However, this will be issued	304 ## Block a leaf cert by issuer-hash-and-serial. However, this will be issued

283 ## from an intermediate CA issued underneath a root.	305 ## from an intermediate CA issued underneath a root.

284 try python crlsetutil.py -o ../certificates/crlset_by_intermediate_serial.raw \	306 try python crlsetutil.py -o ../certificates/crlset_by_intermediate_serial.raw \

285 <<CRLSETBYINTERMEDIATESERIAL	307 <<CRLSETBYINTERMEDIATESERIAL

286 {	308 {

287 "BlockedByHash": {	309 "BlockedByHash": {

288 "../certificates/quic_intermediate.crt": [3]	310 "../certificates/quic_intermediate.crt": [3]

289 }	311 }

290 }	312 }

291 CRLSETBYINTERMEDIATESERIAL	313 CRLSETBYINTERMEDIATESERIAL

OLD	NEW