| Index: net/data/ssl/scripts/generate-multi-root-test-chains.sh
|
| diff --git a/net/data/ssl/scripts/generate-redundant-test-chains.sh b/net/data/ssl/scripts/generate-multi-root-test-chains.sh
|
| similarity index 66%
|
| copy from net/data/ssl/scripts/generate-redundant-test-chains.sh
|
| copy to net/data/ssl/scripts/generate-multi-root-test-chains.sh
|
| index d7fd17bdc860f5b24b16f9e143237a8f79f9dc82..8c46cedb33a99f7241efd241ab7c0c3fa72d7c8c 100755
|
| --- a/net/data/ssl/scripts/generate-redundant-test-chains.sh
|
| +++ b/net/data/ssl/scripts/generate-multi-root-test-chains.sh
|
| @@ -1,23 +1,18 @@
|
| #!/bin/sh
|
|
|
| -# Copyright (c) 2012 The Chromium Authors. All rights reserved.
|
| +# Copyright (c) 2014 The Chromium Authors. All rights reserved.
|
| # Use of this source code is governed by a BSD-style license that can be
|
| # found in the LICENSE file.
|
|
|
| # This script generates two chains of test certificates:
|
| #
|
| # 1. A (end-entity) -> B -> C -> D (self-signed root)
|
| -# 2. A (end-entity) -> B -> C2 (self-signed root)
|
| +# 2. A (end-entity) -> B -> C2 -> E (self-signed root)
|
| #
|
| -# in which A, B, C, and D have distinct keypairs. C2 is a self-signed root
|
| -# certificate that uses the same keypair as C.
|
| +# C and C2 have the same subject and keypair.
|
| #
|
| -# We use these cert chains in
|
| -# SSLClientSocketTest.VerifyReturnChainProperlyOrdered to ensure that
|
| -# SSLInfo objects see the certificate chain as validated rather than as
|
| -# served by the server. The server serves chain 1. The client has C2, NOT D,
|
| -# installed as a trusted root. Therefore, the chain will validate as chain
|
| -# 2, even though the server served chain 1.
|
| +# We use these cert chains in CertVerifyProcChromeOSTest
|
| +# to ensure that multiple verification paths are properly handled.
|
|
|
| try () {
|
| echo "$@"
|
| @@ -29,7 +24,7 @@ try mkdir out
|
|
|
| echo Create the serial number files.
|
| serial=1000
|
| -for i in B C C2 D
|
| +for i in B C C2 D E
|
| do
|
| try /bin/sh -c "echo $serial > out/$i-serial"
|
| serial=$(expr $serial + 1)
|
| @@ -40,6 +35,7 @@ try openssl genrsa -out out/A.key 2048
|
| try openssl genrsa -out out/B.key 2048
|
| try openssl genrsa -out out/C.key 2048
|
| try openssl genrsa -out out/D.key 2048
|
| +try openssl genrsa -out out/E.key 2048
|
|
|
| echo Generate the D CSR.
|
| CA_COMMON_NAME="D Root CA" \
|
| @@ -61,36 +57,44 @@ CA_COMMON_NAME="D Root CA" \
|
| -out out/D.pem \
|
| -text
|
|
|
| -echo Generate the C2 root CSR.
|
| -CA_COMMON_NAME="C CA" \
|
| - CERTIFICATE=C2 \
|
| +echo Generate the E CSR.
|
| +CA_COMMON_NAME="E Root CA" \
|
| + CERTIFICATE=E \
|
| try openssl req \
|
| -new \
|
| - -key out/C.key \
|
| - -out out/C2.csr \
|
| + -key out/E.key \
|
| + -out out/E.csr \
|
| -config redundant-ca.cnf
|
|
|
| -echo C2 signs itself.
|
| -CA_COMMON_NAME="C CA" \
|
| +echo E signs itself.
|
| +CA_COMMON_NAME="E Root CA" \
|
| try openssl x509 \
|
| -req -days 3650 \
|
| - -in out/C2.csr \
|
| + -in out/E.csr \
|
| -extensions ca_cert \
|
| -extfile redundant-ca.cnf \
|
| - -signkey out/C.key \
|
| - -out out/C2.pem \
|
| + -signkey out/E.key \
|
| + -out out/E.pem \
|
| -text
|
|
|
| +echo Generate the C2 intermediary CSR.
|
| +CA_COMMON_NAME="C CA" \
|
| + CERTIFICATE=C2 \
|
| + try openssl req \
|
| + -new \
|
| + -key out/C.key \
|
| + -out out/C2.csr \
|
| + -config redundant-ca.cnf
|
| +
|
| echo Generate the B and C intermediaries\' CSRs.
|
| for i in B C
|
| do
|
| - name="$i Intermediate CA"
|
| CA_COMMON_NAME="$i CA" \
|
| - CERTIFICATE=$i \
|
| + CERTIFICATE="$i" \
|
| try openssl req \
|
| -new \
|
| - -key out/$i.key \
|
| - -out out/$i.csr \
|
| + -key "out/$i.key" \
|
| + -out "out/$i.csr" \
|
| -config redundant-ca.cnf
|
| done
|
|
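Review bot: The new `try openssl x509 -req -days 3650 ... -signkey out/E.key` self-signature for E passes no digest option, so the signature algorithm is whatever the installed OpenSSL defaults to (SHA-1 on the 1.0.x releases current when this was written, SHA-256 on later ones), which makes the generated fixture depend on the build host; the same appears to apply to the D root in the unchanged part of the script. A SHA-1 self-signature on a trust anchor is usually harmless because root signatures are not verified, but pinning `-sha256` on the `-req -days 3650 \` line keeps the fixture reproducible across OpenSSL versions and avoids a later policy change rejecting the chain for reasons unrelated to multi-path handling. The `CERTIFICATE=E` / `CERTIFICATE=C2` environment variables are only meaningful through `redundant-ca.cnf`, which is not shown; a one-line comment such as `# CERTIFICATE selects the per-CA serial/index files in redundant-ca.cnf` would help a reader, assuming that is indeed how the config uses it.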
|
| @@ -106,6 +110,18 @@ CA_COMMON_NAME="D Root CA" \
|
| -out out/C.pem \
|
| -config redundant-ca.cnf
|
|
|
| +echo E signs the C2 intermediate.
|
| +# Make sure the signer's DB file exists.
|
| +touch out/E-index.txt
|
| +CA_COMMON_NAME="E Root CA" \
|
| + CERTIFICATE=E \
|
| + try openssl ca \
|
| + -batch \
|
| + -extensions ca_cert \
|
| + -in out/C2.csr \
|
| + -out out/C2.pem \
|
| + -config redundant-ca.cnf
|
| +
|
| echo C signs the B intermediate.
|
| touch out/C-index.txt
|
| CA_COMMON_NAME="C CA" \
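Review bot: `touch out/E-index.txt` on the new line is the only command in this step not wrapped in `try`, so if the DB file cannot be created the failure surfaces later as an opaque `openssl ca` error instead of at the point of failure; `try touch out/E-index.txt` matches the rest of the script (the pre-existing `touch out/C-index.txt` has the same gap but is outside this change). The `openssl ca -batch` invocation also depends on `out/E-serial` from the serial-file loop earlier in the script and on `redundant-ca.cnf` resolving `$CERTIFICATE` to those files, and like the self-sign step it passes no digest option, so the signature hash comes from the config's `default_md` (not visible here); adding `-md sha256` here, or a comment stating that the config pins it, would make the fixture's signature algorithm explicit.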
|
| @@ -135,14 +151,11 @@ CA_COMMON_NAME="B CA" \
|
| -out out/A.pem \
|
| -config redundant-ca.cnf
|
|
|
| -echo Create redundant-server-chain.pem
|
| +echo Create multi-root-chain1.pem
|
| try /bin/sh -c "cat out/A.key out/A.pem out/B.pem out/C.pem out/D.pem \
|
| - > ../certificates/redundant-server-chain.pem"
|
| -
|
| -echo Create redundant-validated-chain.pem
|
| -try /bin/sh -c "cat out/A.key out/A.pem out/B.pem out/C2.pem \
|
| - > ../certificates/redundant-validated-chain.pem"
|
| + > ../certificates/multi-root-chain1.pem"
|
|
|
| -echo Create redundant-validated-chain-root.pem
|
| -try cp out/C2.pem ../certificates/redundant-validated-chain-root.pem
|
| +echo Create multi-root-chain2.pem
|
| +try /bin/sh -c "cat out/A.key out/A.pem out/B.pem out/C2.pem out/E.pem \
|
| + > ../certificates/multi-root-chain2.pem"
|
|
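Review bot: Both `multi-root-chain1.pem` and `multi-root-chain2.pem` begin with `out/A.key`, so the checked-in fixtures carry the end-entity private key alongside the full chain up to and including the self-signed root; that is expected for a server-chain fixture, but with the old `redundant-validated-chain-root.pem` output dropped, any test that wants D or E as a standalone trust anchor has to extract it from a file that also holds a private key. If CertVerifyProcChromeOSTest needs the roots as separate anchors (which seems likely given the "multiple verification paths" purpose, but is not visible here), emitting `out/D.pem` and `out/E.pem` as their own files, as the old script did for C2, would be cleaner. Otherwise a short comment above these two steps noting that each chain file embeds `A.key` and ends with its self-signed root would document the layout the test depends on.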
|
|
|