| 1 #!/bin/bash | 1 #!/bin/bash |
| 2 # Copyright (c) 2015, the Dart project authors. Please see the AUTHORS file | 2 # Copyright (c) 2015, the Dart project authors. Please see the AUTHORS file |
| 3 # for details. All rights reserved. Use of this source code is governed by a | 3 # for details. All rights reserved. Use of this source code is governed by a |
| 4 # BSD-style license that can be found in the LICENSE file. | 4 # BSD-style license that can be found in the LICENSE file. |
| 5 | 5 |
| 6 # Script to create sample certificates for the dart:io SecureSocket tests. | 6 # Script to create sample certificates for the dart:io SecureSocket tests. |
| 7 # Creates a root certificate authority, an intermediate authority, | 7 # Creates a root certificate authority, an intermediate authority, |
| 8 # and a server certificate, | 8 # and a server certificate, |
| 9 | 9 |
| 10 password=pass:dartdart | 10 password=pass:dartdart |
| 27 -out root_authority.pem -days 3650 | 27 -out root_authority.pem -days 3650 |
| 28 | 28 |
| 29 # Create a certificate request for the intermediate authority. | 29 # Create a certificate request for the intermediate authority. |
| 30 openssl req -subj /CN=intermediateauthority -batch -verbose \ | 30 openssl req -subj /CN=intermediateauthority -batch -verbose \ |
| 31 -passout $password -new -keyout intermediate_authority_key.pem \ | 31 -passout $password -new -keyout intermediate_authority_key.pem \ |
| 32 -out intermediate_authority_request.pem | 32 -out intermediate_authority_request.pem |
| 33 | 33 |
| 34 # Sign the certificate of the intermediate authority with the root authority. | 34 # Sign the certificate of the intermediate authority with the root authority. |
| 35 # Add the certificate extensions marking it as a certificate authority. | 35 # Add the certificate extensions marking it as a certificate authority. |
| 36 openssl x509 -req -in intermediate_authority_request.pem \ | 36 openssl x509 -req -in intermediate_authority_request.pem \ |
| 37 -out intermediate_authority.pem -set_serial 1 \ | 37 -out intermediate_authority.pem -set_serial 2 \ |
| 38 -CA root_authority.pem -CAkey root_authority_key.pem \ | 38 -CA root_authority.pem -CAkey root_authority_key.pem \ |
| 39 -passin $password -extfile ../sample_certificate_v3_extensions \ | 39 -passin $password -extfile ../sample_certificate_v3_extensions \ |
| 40 -extensions intermediate_authority -days 3650 | 40 -extensions intermediate_authority -days 3650 |
| 41 | 41 |
| 42 # Create a certificate request for the server certificate | 42 # Create a certificate request for the server certificate |
| 43 openssl req -subj /CN=localhost -batch -verbose -passout $password -new \ | 43 openssl req -subj /CN=localhost -batch -verbose -passout $password -new \ |
| 44 -keyout localhost_key.pem -out localhost_request.pem | 44 -keyout localhost_key.pem -out localhost_request.pem |
| 45 | 45 |
| 46 # Sign the server certificate with the intermediate authority. Add the | 46 # Sign the server certificate with the intermediate authority. Add the |
| 47 # certificate extensions for SubjectAltName and that it is not a CA itself. | 47 # certificate extensions for SubjectAltName and that it is not a CA itself. |
| 48 openssl x509 -req -in localhost_request.pem -out localhost.pem -set_serial 1 \ | 48 openssl x509 -req -in localhost_request.pem -out localhost.pem -set_serial 1 \ |
| 49 -CA intermediate_authority.pem -CAkey intermediate_authority_key.pem \ | 49 -CA intermediate_authority.pem -CAkey intermediate_authority_key.pem \ |
| 50 -passin $password -extfile ../sample_certificate_v3_extensions \ | 50 -passin $password -extfile ../sample_certificate_v3_extensions \ |
| 51 -extensions localhost -days 3650 | 51 -extensions localhost -days 3650 |
| 52 | 52 |
| 53 # Create a self-signed client certificate authority. | 53 # Create a self-signed client certificate authority. |
| 54 openssl req -subj /CN=clientauthority -set_serial 1 -batch -verbose \ | 54 openssl req -subj /CN=clientauthority -set_serial 1 -batch -verbose \ |
| 55 -passout $password -new -x509 -keyout client_authority_key.pem \ | 55 -passout $password -new -x509 -keyout client_authority_key.pem \ |
| 56 -out client_authority.pem -config ../sample_certificate_v3_extensions \ | 56 -out client_authority.pem -config ../sample_certificate_v3_extensions \ |
| 57 -extensions client_authority -days 3650 | 57 -extensions client_authority -days 3650 |
| 58 | 58 |
| 59 # Create certificate requests for the client certificates | 59 # Create certificate requests for the client certificates |
| 60 openssl req -subj /CN=user1 -batch -verbose -passout $password -new \ | 60 openssl req -subj /CN=user1 -batch -verbose -passout $password -new \ |
| 61 -keyout client1_key.pem -out client1_request.pem | 61 -keyout client1_key.pem -out client1_request.pem |
| 62 openssl req -subj /CN=user2 -batch -verbose -passout $password -new \ | 62 openssl req -subj /CN=user2 -batch -verbose -passout $password -new \ |
| 63 -keyout client2_key.pem -out client2_request.pem | 63 -keyout client2_key.pem -out client2_request.pem |
| 64 | 64 |
| 65 # Sign the certificate requests with the client authority | 65 # Sign the certificate requests with the client authority |
| 66 openssl x509 -req -in client1_request.pem -out client1.pem -set_serial 1 \ | 66 openssl x509 -req -in client1_request.pem -out client1.pem -set_serial 2 \ |
| 67 -CA client_authority.pem -CAkey client_authority_key.pem \ | 67 -CA client_authority.pem -CAkey client_authority_key.pem \ |
| 68 -passin $password -extfile ../sample_certificate_v3_extensions \ | 68 -passin $password -extfile ../sample_certificate_v3_extensions \ |
| 69 -extensions client_certificate -days 3650 | 69 -extensions client_certificate -days 3650 |
| 70 openssl x509 -req -in client2_request.pem -out client2.pem -set_serial 1 \ | 70 openssl x509 -req -in client2_request.pem -out client2.pem -set_serial 3 \ |
| 71 -CA client_authority.pem -CAkey client_authority_key.pem \ | 71 -CA client_authority.pem -CAkey client_authority_key.pem \ |
| 72 -passin $password -extfile ../sample_certificate_v3_extensions \ | 72 -passin $password -extfile ../sample_certificate_v3_extensions \ |
| 73 -extensions client_certificate -days 3650 | 73 -extensions client_certificate -days 3650 |
| 74 | 74 |
| 75 # Delete all the signing keys for the authorities, so testers that add |
| 76 # them as trusted are less vulnerable: only the sample server certificate |
| 77 # and client certificates will be signed by them. No more certificates |
| 78 # will ever be signed. |
| 79 rm root_authority_key.pem |
| 80 rm intermediate_authority.pem |
| 81 rm client_authority_key.pem |
| 82 |
| 75 # Copy the certificates we will use to the 'certificates' directory. | 83 # Copy the certificates we will use to the 'certificates' directory. |
| 76 CERTS=../certificates | 84 CERTS=../certificates |
| 77 cat localhost.pem intermediate_authority.pem root_authority.pem \ | 85 cat localhost.pem intermediate_authority.pem root_authority.pem \ |
| 78 > $CERTS/server_chain.pem | 86 > $CERTS/server_chain.pem |
| 79 | 87 |
| 80 cat intermediate_authority.pem root_authority.pem client_authority.pem \ | 88 cat intermediate_authority.pem root_authority.pem client_authority.pem \ |
| 81 > $CERTS/server_trusted.pem | 89 > $CERTS/server_trusted.pem |
| 82 | 90 |
| 83 # BoringSSL only accepts private keys signed with the PBE-SHA1-RC4-128 cipher. | 91 # BoringSSL only accepts private keys signed with the PBE-SHA1-RC4-128 cipher. |
| 84 openssl pkcs8 -in localhost_key.pem -out $CERTS/server_key.pem \ | 92 openssl pkcs8 -in localhost_key.pem -out $CERTS/server_key.pem \ |
| 85 -topk8 -v1 PBE-SHA1-RC4-128 -passin $password -passout $password | 93 -topk8 -v1 PBE-SHA1-RC4-128 -passin $password -passout $password |
| 86 openssl pkcs8 -in client1_key.pem -out $CERTS/client1_key.pem \ | 94 openssl pkcs8 -in client1_key.pem -out $CERTS/client1_key.pem \ |
| 87 -topk8 -v1 PBE-SHA1-RC4-128 -passin $password -passout $password | 95 -topk8 -v1 PBE-SHA1-RC4-128 -passin $password -passout $password |
| 88 openssl pkcs8 -in client2_key.pem -out $CERTS/client2_key.pem \ | 96 openssl pkcs8 -in client2_key.pem -out $CERTS/client2_key.pem \ |
| 89 -topk8 -v1 PBE-SHA1-RC4-128 -passin $password -passout $password | 97 -topk8 -v1 PBE-SHA1-RC4-128 -passin $password -passout $password |
| 90 | 98 |
| 91 cp root_authority.pem $CERTS/trusted_certs.pem | 99 cp root_authority.pem $CERTS/trusted_certs.pem |
| 92 cp client_authority.pem $CERTS | 100 cp client_authority.pem $CERTS |
| 93 cp client1.pem $CERTS | 101 cp client1.pem $CERTS |
| 94 cp client2.pem $CERTS | 102 cp client2.pem $CERTS |
| 95 | 103 |
| 96 cd .. | 104 cd .. |
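Review bot: New line 80 deletes the wrong file: `rm intermediate_authority.pem` removes the intermediate CA *certificate*, while the comment block above (new lines 75-78) says the signing *keys* are being deleted, and the other two `rm` lines target `*_key.pem`. As written the intermediate signing key `intermediate_authority_key.pem` survives on disk, so the stated guarantee that no further certificates can ever be signed by these authorities does not hold for the intermediate, and the later `cat localhost.pem intermediate_authority.pem root_authority.pem > $CERTS/server_chain.pem` (new line 85) and the `server_trusted.pem` bundle (new line 88) will be built without the intermediate cert, leaving a server chain that cannot validate up to the root. The line should read `rm intermediate_authority_key.pem`. Since the script has no `set -e`, a missing-file `rm` or a failed `openssl` step would not stop the run either; adding `set -euo pipefail` near the top (and `rm -- ` for the three deletions) would make the key-removal step fail loudly instead of silently producing an incomplete certificate set.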