| Index: net/data/ssl/scripts/generate-foo-test-chains.sh
|
| diff --git a/net/data/ssl/scripts/generate-redundant-test-chains.sh b/net/data/ssl/scripts/generate-foo-test-chains.sh
|
| similarity index 69%
|
| copy from net/data/ssl/scripts/generate-redundant-test-chains.sh
|
| copy to net/data/ssl/scripts/generate-foo-test-chains.sh
|
| index 58768e84963dc5b7eddc49a97b0daa201677adb7..2574cfc34565c38375eca1a9a0b611a7469ebd6b 100755
|
| --- a/net/data/ssl/scripts/generate-redundant-test-chains.sh
|
| +++ b/net/data/ssl/scripts/generate-foo-test-chains.sh
|
| @@ -4,44 +4,30 @@
|
| # Use of this source code is governed by a BSD-style license that can be
|
| # found in the LICENSE file.
|
|
|
| -# This script generates two chains of test certificates:
|
| +# XXX This script generates two chains of test certificates:
|
| #
|
| # 1. A (end-entity) -> B -> C -> D (self-signed root)
|
| -# 2. A (end-entity) -> B -> C2 (self-signed root)
|
| +# 2. A (end-entity) -> B -> C2 -> E (self-signed root)
|
| #
|
| -# in which A, B, C, and D have distinct keypairs. C2 is a self-signed root
|
| -# certificate that uses the same keypair as C.
|
| +# C and C2 have the same subject and keypair.
|
| #
|
| -# We use these cert chains in
|
| -# SSLClientSocketTest.VerifyReturnChainProperlyOrdered to ensure that
|
| -# SSLInfo objects see the certificate chain as validated rather than as
|
| -# served by the server. The server serves chain 1. The client has C2, NOT D,
|
| -# installed as a trusted root. Therefore, the chain will validate as chain
|
| -# 2, even though the server served chain 1.
|
| +# We use these cert chains in CertVerifyProcChromeOSTest
|
| +# to ensure that multiple verification paths are properly handled.
|
|
|
| +set -x
|
| try () {
|
| echo "$@"
|
| $@ || exit 1
|
| }
|
|
|
| -generate_key_command () {
|
| - case "$1" in
|
| - rsa)
|
| - echo genrsa
|
| - ;;
|
| - *)
|
| - exit 1
|
| - esac
|
| -}
|
| -
|
| try rm -rf out
|
| try mkdir out
|
|
|
| echo Create the serial number files.
|
| -serial=100
|
| -for i in B C C2 D
|
| +serial=1000
|
| +for i in B C C2 D E
|
| do
|
| - try echo $serial > out/$i-serial
|
| + echo $serial > out/$i-serial
|
| serial=$(expr $serial + 1)
|
| done
|
|
|
| @@ -50,6 +36,7 @@ try openssl genrsa -out out/A.key 2048
|
| try openssl genrsa -out out/B.key 2048
|
| try openssl genrsa -out out/C.key 2048
|
| try openssl genrsa -out out/D.key 2048
|
| +try openssl genrsa -out out/E.key 2048
|
|
|
| echo Generate the D CSR.
|
| CA_COMMON_NAME="D Root CA" \
|
| @@ -76,35 +63,48 @@ CA_COMMON_NAME="D Root CA" \
|
| -signkey out/D.key \
|
| -out out/D.pem
|
|
|
| -echo Generate the C2 root CSR.
|
| -CA_COMMON_NAME="C CA" \
|
| +echo Generate the E CSR.
|
| +CA_COMMON_NAME="E Root CA" \
|
| CA_DIR=out \
|
| CA_NAME=req_env_dn \
|
| KEY_SIZE=2048 \
|
| ALGO=rsa \
|
| CERT_TYPE=root \
|
| - TYPE=C2 CERTIFICATE=C2 \
|
| + TYPE=E CERTIFICATE=E \
|
| try openssl req \
|
| -new \
|
| - -key out/C.key \
|
| - -out out/C2.csr \
|
| + -key out/E.key \
|
| + -out out/E.csr \
|
| -config redundant-ca.cnf
|
|
|
| -echo C2 signs itself.
|
| -CA_COMMON_NAME="C CA" \
|
| +echo E signs itself.
|
| +CA_COMMON_NAME="E Root CA" \
|
| CA_DIR=out \
|
| CA_NAME=req_env_dn \
|
| try openssl x509 \
|
| -req -days 3650 \
|
| - -in out/C2.csr \
|
| + -in out/E.csr \
|
| -extensions ca_cert \
|
| - -signkey out/C.key \
|
| - -out out/C2.pem
|
| + -signkey out/E.key \
|
| + -out out/E.pem
|
| +
|
| +echo Generate the C2 intermediary CSR.
|
| +CA_COMMON_NAME="C CA" \
|
| + CA_DIR=out \
|
| + CA_NAME=req_env_dn \
|
| + KEY_SIZE=2048 \
|
| + ALGO=rsa \
|
| + CERT_TYPE=root \
|
| + TYPE=C2 CERTIFICATE=C2 \
|
| + try openssl req \
|
| + -new \
|
| + -key out/C.key \
|
| + -out out/C2.csr \
|
| + -config redundant-ca.cnf
|
|
|
| echo Generate the B and C intermediaries\' CSRs.
|
| for i in B C
|
| do
|
| - name="$i Intermediate CA"
|
| CA_COMMON_NAME="$i CA" \
|
| CA_DIR=out \
|
| CA_NAME=req_env_dn \
|
| @@ -136,6 +136,23 @@ CA_COMMON_NAME="D Root CA" \
|
| -out out/C.pem \
|
| -config redundant-ca.cnf
|
|
|
| +echo E signs the C2 intermediate.
|
| +# Make sure the signer's DB file exists.
|
| +touch out/E-index.txt
|
| +CA_COMMON_NAME="E Root CA" \
|
| + CA_DIR=out \
|
| + CA_NAME=req_env_dn \
|
| + KEY_SIZE=2048 \
|
| + ALGO=rsa \
|
| + CERT_TYPE=root \
|
| + TYPE=E CERTIFICATE=E \
|
| + try openssl ca \
|
| + -batch \
|
| + -extensions ca_cert \
|
| + -in out/C2.csr \
|
| + -out out/C2.pem \
|
| + -config redundant-ca.cnf
|
| +
|
| echo C signs the B intermediate.
|
| touch out/C-index.txt
|
| CA_COMMON_NAME="C CA" \
|
| @@ -175,13 +192,11 @@ CA_COMMON_NAME="B CA" \
|
| -out out/A.pem \
|
| -config redundant-ca.cnf
|
|
|
| -echo Create redundant-server-chain.pem
|
| +echo Create foo-chain1.pem
|
| cat out/A.key out/A.pem out/B.pem out/C.pem out/D.pem \
|
| - > redundant-server-chain.pem
|
| -
|
| -echo Create redundant-validated-chain.pem
|
| -cat out/A.key out/A.pem out/B.pem out/C2.pem > redundant-validated-chain.pem
|
| + > foo-chain1.pem
|
|
|
| -echo Create redundant-validated-chain-root.pem
|
| -cp out/C2.pem redundant-validated-chain-root.pem
|
| +echo Create foo-chain2.pem
|
| +cat out/A.key out/A.pem out/B.pem out/C2.pem out/E.pem \
|
| + > foo-chain2.pem
|
|
|
|
|
Chromium Code Reviews
Issue 137553004:
NSS Cros multiprofile: trust roots added by a profile shouldn't apply to other profiles. (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src