Chromium Code Reviews

Unified Diff: tests/standalone/io/create_sample_certificates

Issue 1399243004: Add script that generates X509 certificates for testing dart:io SecureSocket (Closed) Base URL: git@github.com:dart-lang/sdk.git@master
Patch Set: Fix long line Created 5 years, 2 months ago
Index: tests/standalone/io/create_sample_certificates
diff --git a/tests/standalone/io/create_sample_certificates b/tests/standalone/io/create_sample_certificates
new file mode 100644
index 0000000000000000000000000000000000000000..57f68da54b1275c7ef4c887b8a15286341f83b15
--- /dev/null
+++ b/tests/standalone/io/create_sample_certificates
@@ -0,0 +1,60 @@
+#!/bin/bash
+# Copyright (c) 2015, the Dart project authors. Please see the AUTHORS file
+# for details. All rights reserved. Use of this source code is governed by a
+# BSD-style license that can be found in the LICENSE file.
Søren Gjesse 2015/10/14 07:22:12 nit: Add an empty line after the copyright message
Bill Hesse 2015/10/14 08:50:11 Done.
+# Script to create sample certificates for the dart:io SecureSocket tests.
+# Creates a root certificate authority, an intermediate authority,
+# and a server certificate,
Søren Gjesse 2015/10/14 07:22:12 Add 'set -e'?
Bill Hesse 2015/10/14 08:50:11 When I run this script with ., since it is not mar
+
+password=pass:dartdart
+
+# We need a server certificate chain where we don't trust the root. Take the
+# server certificate from the previous run of this script, for that purpose.
+if [ -d "certificates" ]; then
+ mv certificates/server_key.pem certificates/untrusted_server_key.pem
+ mv certificates/server_chain.pem certificates/untrusted_server_chain.pem
+fi
+
+mkdir certificate_authority > /dev/null 2>&1
+cd certificate_authority
+
+# Create a self-signed certificate authority.
+openssl req -subj /CN=rootauthority -set_serial 1 -batch -verbose \
+ -passout $password -new -x509 -keyout root_authority_key.pem \
+ -out root_authority.pem -days 3650
+
+# Create a certificate request for the intermediate authority.
+openssl req -subj /CN=intermediateauthority -batch -verbose \
+ -passout $password -new -keyout intermediate_authority_key.pem \
+ -out intermediate_authority_request.pem
+
+# Sign the certificate of the intermediate authority with the root authority.
+# Add the certificate extensions marking it as a certificate authority.
+openssl x509 -req -in intermediate_authority_request.pem \
+ -out intermediate_authority.pem -set_serial 1 \
+ -CA root_authority.pem -CAkey root_authority_key.pem \
+ -passin $password -extfile ../intermediate_authority_v3_extensions \
+ -days 3650
+
+# Create a certificate request for the server certificate
+openssl req -subj /CN=localhost -batch -verbose -passout $password -new \
+ -keyout localhost_key.pem -out localhost_request.pem
+
+# Sign the server certificate with the intermediate authority. Add the
+# certificate extensions for SubjectAltName and that it is not a CA itself.
+openssl x509 -req -in localhost_request.pem -out localhost.pem -set_serial 1 \
+ -CA intermediate_authority.pem -CAkey intermediate_authority_key.pem \
+ -passin $password -extfile ../localhost_v3_extensions -days 3650
+
+mkdir ../certificates > /dev/null 2>&1
+
+cat localhost.pem intermediate_authority.pem root_authority.pem \
+ > ../certificates/server_chain.pem
+
+# BoringSSL only accepts private keys signed with the PBE-SHA1-RC4-128 cipher.
+openssl pkcs8 -in localhost_key.pem -out ../certificates/server_key.pem \
+ -topk8 -v1 PBE-SHA1-RC4-128 -passin $password -passout $password
+
+cp root_authority.pem ../certificates/trusted_certs.pem
Søren Gjesse 2015/10/14 07:22:12 You don't want to also keep the keys for the root
Bill Hesse 2015/10/14 08:50:11 No. I only want what we will use in the tests. W
+
+cd ..
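Review bot: The root certificate (`openssl req ... -new -x509 ... -set_serial 1`) and the intermediate certificate signed by it (`openssl x509 -req ... -set_serial 1 -CA root_authority.pem`) both carry issuer CN=rootauthority and serial number 1. RFC 5280 requires serial numbers to be unique per issuer, and verifiers that index certificates by issuer and serial can reject or mix up the two, so give the intermediate its own value, for example `-set_serial 2`. Separately, `cd certificate_authority` is not checked, and the `mkdir` before it discards its errors; if the `cd` fails, the keys and certificates are written into the current directory and the final `cd ..` leaves the caller one level above where it started. Since the reply above says the script is run with `.`, a guard such as `cd certificate_authority || return 1` would stop it without closing the calling shell.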