1 #!/bin/bash | 1 #!/bin/bash |
2 # Copyright (c) 2015, the Dart project authors. Please see the AUTHORS file | 2 # Copyright (c) 2015, the Dart project authors. Please see the AUTHORS file |
3 # for details. All rights reserved. Use of this source code is governed by a | 3 # for details. All rights reserved. Use of this source code is governed by a |
4 # BSD-style license that can be found in the LICENSE file. | 4 # BSD-style license that can be found in the LICENSE file. |
5 | 5 |
6 # Script to create sample certificates for the dart:io SecureSocket tests. | 6 # Script to create sample certificates for the dart:io SecureSocket tests. |
7 # Creates a root certificate authority, an intermediate authority, | 7 # Creates a root certificate authority, an intermediate authority, |
8 # and a server certificate, | 8 # and a server certificate, |
9 | 9 |
10 password=pass:dartdart | 10 password=pass:dartdart |
27 -out root_authority.pem -days 3650 | 27 -out root_authority.pem -days 3650 |
28 | 28 |
29 # Create a certificate request for the intermediate authority. | 29 # Create a certificate request for the intermediate authority. |
30 openssl req -subj /CN=intermediateauthority -batch -verbose \ | 30 openssl req -subj /CN=intermediateauthority -batch -verbose \ |
31 -passout $password -new -keyout intermediate_authority_key.pem \ | 31 -passout $password -new -keyout intermediate_authority_key.pem \ |
32 -out intermediate_authority_request.pem | 32 -out intermediate_authority_request.pem |
33 | 33 |
34 # Sign the certificate of the intermediate authority with the root authority. | 34 # Sign the certificate of the intermediate authority with the root authority. |
35 # Add the certificate extensions marking it as a certificate authority. | 35 # Add the certificate extensions marking it as a certificate authority. |
36 openssl x509 -req -in intermediate_authority_request.pem \ | 36 openssl x509 -req -in intermediate_authority_request.pem \ |
37 -out intermediate_authority.pem -set_serial 1 \ | 37 -out intermediate_authority.pem -set_serial 2 \ |
38 -CA root_authority.pem -CAkey root_authority_key.pem \ | 38 -CA root_authority.pem -CAkey root_authority_key.pem \ |
39 -passin $password -extfile ../sample_certificate_v3_extensions \ | 39 -passin $password -extfile ../sample_certificate_v3_extensions \ |
40 -extensions intermediate_authority -days 3650 | 40 -extensions intermediate_authority -days 3650 |
41 | 41 |
42 # Create a certificate request for the server certificate | 42 # Create a certificate request for the server certificate |
43 openssl req -subj /CN=localhost -batch -verbose -passout $password -new \ | 43 openssl req -subj /CN=localhost -batch -verbose -passout $password -new \ |
44 -keyout localhost_key.pem -out localhost_request.pem | 44 -keyout localhost_key.pem -out localhost_request.pem |
45 | 45 |
46 # Sign the server certificate with the intermediate authority. Add the | 46 # Sign the server certificate with the intermediate authority. Add the |
47 # certificate extensions for SubjectAltName and that it is not a CA itself. | 47 # certificate extensions for SubjectAltName and that it is not a CA itself. |
48 openssl x509 -req -in localhost_request.pem -out localhost.pem -set_serial 1 \ | 48 openssl x509 -req -in localhost_request.pem -out localhost.pem -set_serial 1 \ |
49 -CA intermediate_authority.pem -CAkey intermediate_authority_key.pem \ | 49 -CA intermediate_authority.pem -CAkey intermediate_authority_key.pem \ |
50 -passin $password -extfile ../sample_certificate_v3_extensions \ | 50 -passin $password -extfile ../sample_certificate_v3_extensions \ |
51 -extensions localhost -days 3650 | 51 -extensions localhost -days 3650 |
52 | 52 |
53 # Create a self-signed client certificate authority. | 53 # Create a self-signed client certificate authority. |
54 openssl req -subj /CN=clientauthority -set_serial 1 -batch -verbose \ | 54 openssl req -subj /CN=clientauthority -set_serial 1 -batch -verbose \ |
55 -passout $password -new -x509 -keyout client_authority_key.pem \ | 55 -passout $password -new -x509 -keyout client_authority_key.pem \ |
56 -out client_authority.pem -config ../sample_certificate_v3_extensions \ | 56 -out client_authority.pem -config ../sample_certificate_v3_extensions \ |
57 -extensions client_authority -days 3650 | 57 -extensions client_authority -days 3650 |
58 | 58 |
59 # Create certificate requests for the client certificates | 59 # Create certificate requests for the client certificates |
60 openssl req -subj /CN=user1 -batch -verbose -passout $password -new \ | 60 openssl req -subj /CN=user1 -batch -verbose -passout $password -new \ |
61 -keyout client1_key.pem -out client1_request.pem | 61 -keyout client1_key.pem -out client1_request.pem |
62 openssl req -subj /CN=user2 -batch -verbose -passout $password -new \ | 62 openssl req -subj /CN=user2 -batch -verbose -passout $password -new \ |
63 -keyout client2_key.pem -out client2_request.pem | 63 -keyout client2_key.pem -out client2_request.pem |
64 | 64 |
65 # Sign the certificate requests with the client authority | 65 # Sign the certificate requests with the client authority |
66 openssl x509 -req -in client1_request.pem -out client1.pem -set_serial 1 \ | 66 openssl x509 -req -in client1_request.pem -out client1.pem -set_serial 2 \ |
67 -CA client_authority.pem -CAkey client_authority_key.pem \ | 67 -CA client_authority.pem -CAkey client_authority_key.pem \ |
68 -passin $password -extfile ../sample_certificate_v3_extensions \ | 68 -passin $password -extfile ../sample_certificate_v3_extensions \ |
69 -extensions client_certificate -days 3650 | 69 -extensions client_certificate -days 3650 |
70 openssl x509 -req -in client2_request.pem -out client2.pem -set_serial 1 \ | 70 openssl x509 -req -in client2_request.pem -out client2.pem -set_serial 3 \ |
71 -CA client_authority.pem -CAkey client_authority_key.pem \ | 71 -CA client_authority.pem -CAkey client_authority_key.pem \ |
72 -passin $password -extfile ../sample_certificate_v3_extensions \ | 72 -passin $password -extfile ../sample_certificate_v3_extensions \ |
73 -extensions client_certificate -days 3650 | 73 -extensions client_certificate -days 3650 |
74 | 74 |
| 75 # Delete all the signing keys for the authorities, so testers that add |
| 76 # them as trusted are less vulnerable: only the sample server certificate |
| 77 # and client certificates will be signed by them. No more certificates |
| 78 # will ever be signed. |
| 79 rm root_authority_key.pem |
| 80 rm intermediate_authority.pem |
| 81 rm client_authority_key.pem |
| 82 |
75 # Copy the certificates we will use to the 'certificates' directory. | 83 # Copy the certificates we will use to the 'certificates' directory. |
76 CERTS=../certificates | 84 CERTS=../certificates |
77 cat localhost.pem intermediate_authority.pem root_authority.pem \ | 85 cat localhost.pem intermediate_authority.pem root_authority.pem \ |
78 > $CERTS/server_chain.pem | 86 > $CERTS/server_chain.pem |
79 | 87 |
80 cat intermediate_authority.pem root_authority.pem client_authority.pem \ | 88 cat intermediate_authority.pem root_authority.pem client_authority.pem \ |
81 > $CERTS/server_trusted.pem | 89 > $CERTS/server_trusted.pem |
82 | 90 |
83 # BoringSSL only accepts private keys signed with the PBE-SHA1-RC4-128 cipher. | 91 # BoringSSL only accepts private keys signed with the PBE-SHA1-RC4-128 cipher. |
84 openssl pkcs8 -in localhost_key.pem -out $CERTS/server_key.pem \ | 92 openssl pkcs8 -in localhost_key.pem -out $CERTS/server_key.pem \ |
85 -topk8 -v1 PBE-SHA1-RC4-128 -passin $password -passout $password | 93 -topk8 -v1 PBE-SHA1-RC4-128 -passin $password -passout $password |
86 openssl pkcs8 -in client1_key.pem -out $CERTS/client1_key.pem \ | 94 openssl pkcs8 -in client1_key.pem -out $CERTS/client1_key.pem \ |
87 -topk8 -v1 PBE-SHA1-RC4-128 -passin $password -passout $password | 95 -topk8 -v1 PBE-SHA1-RC4-128 -passin $password -passout $password |
88 openssl pkcs8 -in client2_key.pem -out $CERTS/client2_key.pem \ | 96 openssl pkcs8 -in client2_key.pem -out $CERTS/client2_key.pem \ |
89 -topk8 -v1 PBE-SHA1-RC4-128 -passin $password -passout $password | 97 -topk8 -v1 PBE-SHA1-RC4-128 -passin $password -passout $password |
90 | 98 |
91 cp root_authority.pem $CERTS/trusted_certs.pem | 99 cp root_authority.pem $CERTS/trusted_certs.pem |
92 cp client_authority.pem $CERTS | 100 cp client_authority.pem $CERTS |
93 cp client1.pem $CERTS | 101 cp client1.pem $CERTS |
94 cp client2.pem $CERTS | 102 cp client2.pem $CERTS |
95 | 103 |
96 cd .. | 104 cd .. |
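Review bot: New line 80 deletes `intermediate_authority.pem` (the intermediate CA certificate) rather than `intermediate_authority_key.pem`, so the intermediate signing key that the comment on lines 75-78 promises to destroy stays on disk, while the certificate that lines 85 and 88 immediately `cat` into `server_chain.pem` and `server_trusted.pem` is gone. The script never sets `set -e`, so those `cat` calls print an error and carry on, leaving a server chain and trust bundle that silently lack the intermediate. The line should read `rm intermediate_authority_key.pem`; collapsing the three deletions into one `rm -f -- root_authority_key.pem intermediate_authority_key.pem client_authority_key.pem` makes the intent easier to check at a glance. Moving the deletions after the copies on lines 83-102, or adding `set -e` near the top, would make a similar slip fail loudly instead of producing a truncated chain.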