OLD | NEW |
1 #!/bin/sh | 1 #!/bin/sh |
2 | 2 |
3 # Copyright 2014 The Chromium Authors. All rights reserved. | 3 # Copyright 2014 The Chromium Authors. All rights reserved. |
4 # Use of this source code is governed by a BSD-style license that can be | 4 # Use of this source code is governed by a BSD-style license that can be |
5 # found in the LICENSE file. | 5 # found in the LICENSE file. |
6 | 6 |
7 # This script generates two chains of test certificates: | 7 # The following documentation uses the annotation approach from RFC 4158. |
8 # | 8 # CAs (entities that share the same name and public key) are denoted in boxes, |
9 # 1. A (end-entity) -> B -> C -> D (self-signed root) | 9 # while the indication that a CA Foo signed a certificate for CA Bar is denoted |
10 # 2. A (end-entity) -> B -> C2 -> E (self-signed root) | 10 # by directed arrows. |
11 # | 11 # |
12 # C and C2 have the same subject and keypair. | 12 # +---+ +-----+ |
13 # | 13 # | D | | E | |
14 # We use these cert chains in CertVerifyProcChromeOSTest | 14 # +---+ +-----+ |
15 # to ensure that multiple verification paths are properly handled. | 15 # | | | |
16 | 16 # +--v v--+ | |
17 try () { | 17 # +---+ +---+ |
18 echo "$@" | 18 # | C | | F | |
19 "$@" || exit 1 | 19 # +---+ +---+ |
20 } | 20 # | | |
21 | 21 # v v---+ |
22 try rm -rf out | 22 # +-----+ |
23 try mkdir out | 23 # | B | |
24 | 24 # +-----+ |
25 echo Create the serial number files. | 25 # | |
| 26 # v |
| 27 # +---+ |
| 28 # | A | |
| 29 # +---+ |
| 30 # |
| 31 # To validate A, there are several possible paths, using A(B) to indicate |
| 32 # the certificate A signed by B: |
| 33 # |
| 34 # 1. A(B) -> B(C) -> C(D) -> D(D) |
| 35 # 3. A(B) -> B(C) -> C(E) -> E(E) |
| 36 # 4. A(B) -> B(F) -> F(E) -> E(E) |
| 37 # |
| 38 # That is, there are two different versions of C (signed by D and E) and |
| 39 # two versions of B (signed by C and F). Possible trust anchors are D and E, |
| 40 # which are both self-signed. |
| 41 # |
| 42 # The goal is to ensure that, as long as at least one of C or F is still valid, |
| 43 # clients are able to successfully build a valid path. |
| 44 |
| 45 # Exit script as soon a something fails. |
| 46 set -e |
| 47 |
| 48 rm -rf out |
| 49 mkdir out |
| 50 |
| 51 echo Create the serial and index number files. |
26 serial=1000 | 52 serial=1000 |
27 for i in B C C2 D E | 53 for i in B C D E F |
28 do | 54 do |
29 try /bin/sh -c "echo $serial > out/$i-serial" | 55 /bin/sh -c "echo ${serial} > out/${i}-serial" |
30 serial=$(expr $serial + 1) | 56 touch "out/${i}-index.txt" |
31 done | 57 done |
32 | 58 |
33 echo Generate the keys. | 59 echo Generate the keys. |
34 try openssl genrsa -out out/A.key 2048 | 60 for i in A B C D E F |
35 try openssl genrsa -out out/B.key 2048 | 61 do |
36 try openssl genrsa -out out/C.key 2048 | 62 openssl genrsa -out "out/${i}.key" 2048 |
37 try openssl genrsa -out out/D.key 2048 | 63 done |
38 try openssl genrsa -out out/E.key 2048 | 64 |
39 | 65 echo "Generating the self-signed roots" |
40 echo Generate the D CSR. | 66 for i in D E |
41 CA_COMMON_NAME="D Root CA" \ | 67 do |
42 CERTIFICATE=D \ | 68 echo "Generating CSR ${i}" |
43 try openssl req \ | 69 CA_COMMON_NAME="${i} Root CA" \ |
| 70 CERTIFICATE="${i}" \ |
| 71 openssl req \ |
| 72 -config redundant-ca.cnf \ |
44 -new \ | 73 -new \ |
45 -key out/D.key \ | 74 -key "out/${i}.key" \ |
46 -out out/D.csr \ | 75 -out "out/${i}.csr" |
47 -config redundant-ca.cnf | 76 |
48 | 77 echo "Generating self-signed ${i}" |
49 echo D signs itself. | 78 CA_COMMON_NAME="${i} Root CA" \ |
50 CA_COMMON_NAME="D Root CA" \ | 79 CERTIFICATE="${i}" \ |
51 try openssl x509 \ | 80 openssl ca \ |
52 -req -days 3650 \ | 81 -config redundant-ca.cnf \ |
53 -in out/D.csr \ | 82 -batch \ |
| 83 -startdate 160102000000Z \ |
| 84 -enddate 260102000000Z \ |
54 -extensions ca_cert \ | 85 -extensions ca_cert \ |
55 -extfile redundant-ca.cnf \ | 86 -extfile redundant-ca.cnf \ |
56 -signkey out/D.key \ | 87 -selfsign \ |
57 -out out/D.pem \ | 88 -in "out/${i}.csr" \ |
58 -text | 89 -out "out/${i}.pem" |
59 | 90 done |
60 echo Generate the E CSR. | 91 |
61 CA_COMMON_NAME="E Root CA" \ | 92 echo "Generating intermediate CSRs" |
62 CERTIFICATE=E \ | 93 for i in B C F |
63 try openssl req \ | 94 do |
| 95 echo "Generating CSR ${i}" |
| 96 CA_COMMON_NAME="${i} CA" \ |
| 97 CERTIFICATE="${i}" \ |
| 98 openssl req \ |
| 99 -config redundant-ca.cnf \ |
64 -new \ | 100 -new \ |
65 -key out/E.key \ | 101 -key "out/${i}.key" \ |
66 -out out/E.csr \ | 102 -out "out/${i}.csr" |
67 -config redundant-ca.cnf | 103 done |
68 | 104 |
69 echo E signs itself. | 105 echo D signs C |
70 CA_COMMON_NAME="E Root CA" \ | 106 CA_COMMON_NAME="D CA" \ |
71 try openssl x509 \ | 107 CERTIFICATE=D \ |
72 -req -days 3650 \ | 108 openssl ca \ |
73 -in out/E.csr \ | 109 -config redundant-ca.cnf \ |
74 -extensions ca_cert \ | 110 -batch \ |
75 -extfile redundant-ca.cnf \ | 111 -startdate 160103000000Z \ |
76 -signkey out/E.key \ | 112 -enddate 260102000000Z \ |
77 -out out/E.pem \ | 113 -extensions ca_cert \ |
78 -text | 114 -extfile redundant-ca.cnf \ |
79 | 115 -in out/C.csr \ |
80 echo Generate the C2 intermediary CSR. | 116 -out out/C.pem |
| 117 |
| 118 echo C signs B |
81 CA_COMMON_NAME="C CA" \ | 119 CA_COMMON_NAME="C CA" \ |
82 CERTIFICATE=C2 \ | 120 CERTIFICATE=C \ |
83 try openssl req \ | 121 openssl ca \ |
| 122 -config redundant-ca.cnf \ |
| 123 -batch \ |
| 124 -startdate 160104000000Z \ |
| 125 -enddate 260102000000Z \ |
| 126 -extensions ca_cert \ |
| 127 -extfile redundant-ca.cnf \ |
| 128 -in out/B.csr \ |
| 129 -out out/B.pem |
| 130 |
| 131 echo E signs C2 |
| 132 CA_COMMON_NAME="E CA" \ |
| 133 CERTIFICATE=E \ |
| 134 openssl ca \ |
| 135 -config redundant-ca.cnf \ |
| 136 -batch \ |
| 137 -startdate 160105000000Z \ |
| 138 -enddate 260102000000Z \ |
| 139 -extensions ca_cert \ |
| 140 -extfile redundant-ca.cnf \ |
| 141 -in out/C.csr \ |
| 142 -out out/C2.pem |
| 143 |
| 144 echo E signs F |
| 145 CA_COMMON_NAME="E CA" \ |
| 146 CERTIFICATE=E \ |
| 147 openssl ca \ |
| 148 -config redundant-ca.cnf \ |
| 149 -batch \ |
| 150 -startdate 160102000000Z \ |
| 151 -enddate 260102000000Z \ |
| 152 -extensions ca_cert \ |
| 153 -extfile redundant-ca.cnf \ |
| 154 -in out/F.csr \ |
| 155 -out out/F.pem |
| 156 |
| 157 # Note: The startdate for B-by-F MUST be different than that of B-by-C; to make |
| 158 # B-by-F more preferable, the startdate is chosen to be GREATER (later) than |
| 159 # B-by-C. |
| 160 echo F signs B2 |
| 161 CA_COMMON_NAME="F CA" \ |
| 162 CERTIFICATE=F \ |
| 163 openssl ca \ |
| 164 -config redundant-ca.cnf \ |
| 165 -batch \ |
| 166 -startdate 160105000000Z \ |
| 167 -enddate 260102000000Z \ |
| 168 -extensions ca_cert \ |
| 169 -extfile redundant-ca.cnf \ |
| 170 -in out/B.csr \ |
| 171 -out out/B2.pem |
| 172 |
| 173 echo "Generating leaf CSRs" |
| 174 for i in A |
| 175 do |
| 176 echo "Generating leaf ${i}" |
| 177 openssl req \ |
| 178 -config ee.cnf \ |
84 -new \ | 179 -new \ |
85 -key out/C.key \ | 180 -key "out/${i}.key" \ |
86 -out out/C2.csr \ | 181 -out "out/${i}.csr" |
87 -config redundant-ca.cnf | 182 done |
88 | 183 |
89 echo Generate the B and C intermediaries\' CSRs. | 184 echo "Signing leaves" |
90 for i in B C | |
91 do | |
92 CA_COMMON_NAME="$i CA" \ | |
93 CERTIFICATE="$i" \ | |
94 try openssl req \ | |
95 -new \ | |
96 -key "out/$i.key" \ | |
97 -out "out/$i.csr" \ | |
98 -config redundant-ca.cnf | |
99 done | |
100 | |
101 echo D signs the C intermediate. | |
102 # Make sure the signer's DB file exists. | |
103 touch out/D-index.txt | |
104 CA_COMMON_NAME="D Root CA" \ | |
105 CERTIFICATE=D \ | |
106 try openssl ca \ | |
107 -batch \ | |
108 -extensions ca_cert \ | |
109 -in out/C.csr \ | |
110 -out out/C.pem \ | |
111 -config redundant-ca.cnf | |
112 | |
113 echo E signs the C2 intermediate. | |
114 # Make sure the signer's DB file exists. | |
115 touch out/E-index.txt | |
116 CA_COMMON_NAME="E Root CA" \ | |
117 CERTIFICATE=E \ | |
118 try openssl ca \ | |
119 -batch \ | |
120 -extensions ca_cert \ | |
121 -in out/C2.csr \ | |
122 -out out/C2.pem \ | |
123 -config redundant-ca.cnf | |
124 | |
125 echo C signs the B intermediate. | |
126 touch out/C-index.txt | |
127 CA_COMMON_NAME="C CA" \ | |
128 CERTIFICATE=C \ | |
129 try openssl ca \ | |
130 -batch \ | |
131 -extensions ca_cert \ | |
132 -in out/B.csr \ | |
133 -out out/B.pem \ | |
134 -config redundant-ca.cnf | |
135 | |
136 echo Generate the A end-entity CSR. | |
137 try openssl req \ | |
138 -new \ | |
139 -key out/A.key \ | |
140 -out out/A.csr \ | |
141 -config ee.cnf | |
142 | |
143 echo B signs A. | |
144 touch out/B-index.txt | |
145 CA_COMMON_NAME="B CA" \ | 185 CA_COMMON_NAME="B CA" \ |
146 CERTIFICATE=B \ | 186 CERTIFICATE=B \ |
147 try openssl ca \ | 187 openssl ca \ |
148 -batch \ | 188 -config redundant-ca.cnf \ |
149 -extensions user_cert \ | 189 -batch \ |
150 -in out/A.csr \ | 190 -days 3650 \ |
151 -out out/A.pem \ | 191 -extensions user_cert \ |
152 -config redundant-ca.cnf | 192 -extfile redundant-ca.cnf \ |
153 | 193 -in out/A.csr \ |
154 echo Create multi-root-chain1.pem | 194 -out out/A.pem |
155 try /bin/sh -c "cat out/A.key out/A.pem out/B.pem out/C.pem out/D.pem \ | 195 |
| 196 echo "Copying outputs" |
| 197 /bin/sh -c "cat out/A.key out/A.pem > ../certificates/multi-root-A-by-B.pem" |
| 198 /bin/sh -c "cat out/A.pem out/B.pem out/C.pem out/D.pem \ |
156 > ../certificates/multi-root-chain1.pem" | 199 > ../certificates/multi-root-chain1.pem" |
157 | 200 /bin/sh -c "cat out/A.pem out/B.pem out/C2.pem out/E.pem \ |
158 echo Create multi-root-chain2.pem | |
159 try /bin/sh -c "cat out/A.key out/A.pem out/B.pem out/C2.pem out/E.pem \ | |
160 > ../certificates/multi-root-chain2.pem" | 201 > ../certificates/multi-root-chain2.pem" |
161 | 202 cp out/B.pem ../certificates/multi-root-B-by-C.pem |
| 203 cp out/B2.pem ../certificates/multi-root-B-by-F.pem |
| 204 cp out/C.pem ../certificates/multi-root-C-by-D.pem |
| 205 cp out/C2.pem ../certificates/multi-root-C-by-E.pem |
| 206 cp out/F.pem ../certificates/multi-root-F-by-E.pem |
| 207 cp out/D.pem ../certificates/multi-root-D-by-D.pem |
| 208 cp out/E.pem ../certificates/multi-root-E-by-E.pem |
| 209 |
| 210 echo "Generating CRLSets" |
| 211 # Block C-by-E (serial number 0x1001) by way of serial number. |
| 212 python crlsetutil.py -o ../certificates/multi-root-crlset-C-by-E.raw \ |
| 213 <<CRLSETBYSERIAL |
| 214 { |
| 215 "BlockedByHash": { |
| 216 "out/E.pem": [4097] |
| 217 } |
| 218 } |
| 219 CRLSETBYSERIAL |
| 220 |
| 221 # Block F (all versions) by way of SPKI |
| 222 python crlsetutil.py -o ../certificates/multi-root-crlset-F.raw \ |
| 223 <<CRLSETBYSPKI |
| 224 { |
| 225 "BlockedBySPKI": [ "out/F.pem" ] |
| 226 } |
| 227 CRLSETBYSPKI |
OLD | NEW |