OLD | NEW |
---|---|
1 #!/bin/sh | 1 #!/bin/sh |
2 | 2 |
3 # Copyright 2014 The Chromium Authors. All rights reserved. | 3 # Copyright 2014 The Chromium Authors. All rights reserved. |
4 # Use of this source code is governed by a BSD-style license that can be | 4 # Use of this source code is governed by a BSD-style license that can be |
5 # found in the LICENSE file. | 5 # found in the LICENSE file. |
6 | 6 |
7 # This script generates two chains of test certificates: | 7 # The following documentation uses the annotation approach from RFC 4158. |
8 # | 8 # CAs (entities that share the same name and public key) are denoted in boxes, |
9 # 1. A (end-entity) -> B -> C -> D (self-signed root) | 9 # while the indication that a CA Foo signed a certificate for CA Bar is denoted |
10 # 2. A (end-entity) -> B -> C2 -> E (self-signed root) | 10 # by directed arrows. |
11 # | 11 # |
12 # C and C2 have the same subject and keypair. | 12 # +---+ +-----+ |
13 # | 13 # | D | | E | |
14 # We use these cert chains in CertVerifyProcChromeOSTest | 14 # +---+ +-----+ |
15 # to ensure that multiple verification paths are properly handled. | 15 # | | | |
16 | 16 # +--v v--+ | |
17 try () { | 17 # +---+ +---+ |
18 echo "$@" | 18 # | C | | F | |
19 "$@" || exit 1 | 19 # +---+ +---+ |
20 } | 20 # | | |
21 | 21 # v v---+ |
22 try rm -rf out | 22 # +-----+ |
23 try mkdir out | 23 # | B | |
24 | 24 # +-----+ |
25 echo Create the serial number files. | 25 # | |
26 # v | |
27 # +---+ | |
28 # | A | | |
29 # +---+ | |
30 # | |
31 # To validate A, there are several possible paths, using A(B) to indicate | |
32 # the certificate A signed by B: | |
33 # | |
34 # 1. A(B) -> B(C) -> C(D) -> D(D) | |
35 # 3. A(B) -> B(C) -> C(E) -> E(E) | |
36 # 4. A(B) -> B(F) -> F(E) -> E(E) | |
37 # | |
38 # That is, there are two different versions of C (signed by D and E) and | |
39 # two versions of B (signed by C and F). Possible trust anchors are D and E, | |
40 # which are bth self-signed. | |
davidben
2016/01/28 20:52:32
Nit: bth -> both
| |
41 # | |
42 # The goal is to ensure that, regardless of the revocation status of C or F, | |
43 # clients are able to successfully build a valid path. | |
davidben
2016/01/28 20:52:32
Nit: "regardless of the revocation status of C or
| |
44 | |
45 # Exit script as soon a something fails. | |
46 set -e | |
47 | |
48 rm -rf out | |
49 mkdir out | |
50 | |
51 echo Create the serial and index number files. | |
26 serial=1000 | 52 serial=1000 |
27 for i in B C C2 D E | 53 for i in B C D E F |
28 do | 54 do |
29 try /bin/sh -c "echo $serial > out/$i-serial" | 55 /bin/sh -c "echo ${serial} > out/${i}-serial" |
30 serial=$(expr $serial + 1) | 56 touch "out/${i}-index.txt" |
31 done | 57 done |
32 | 58 |
33 echo Generate the keys. | 59 echo Generate the keys. |
34 try openssl genrsa -out out/A.key 2048 | 60 for i in A B C D E F |
35 try openssl genrsa -out out/B.key 2048 | 61 do |
36 try openssl genrsa -out out/C.key 2048 | 62 openssl genrsa -out "out/${i}.key" 2048 |
37 try openssl genrsa -out out/D.key 2048 | 63 done |
38 try openssl genrsa -out out/E.key 2048 | 64 |
39 | 65 echo "Generating the self-signed roots" |
40 echo Generate the D CSR. | 66 for i in D E |
41 CA_COMMON_NAME="D Root CA" \ | 67 do |
42 CERTIFICATE=D \ | 68 echo "Generating CSR ${i}" |
43 try openssl req \ | 69 CA_COMMON_NAME="${i} Root CA" \ |
70 CERTIFICATE="${i}" \ | |
71 openssl req \ | |
72 -config redundant-ca.cnf \ | |
44 -new \ | 73 -new \ |
45 -key out/D.key \ | 74 -key "out/${i}.key" \ |
46 -out out/D.csr \ | 75 -out "out/${i}.csr" |
47 -config redundant-ca.cnf | 76 |
48 | 77 echo "Generating self-signed ${i}" |
49 echo D signs itself. | 78 CA_COMMON_NAME="${i} Root CA" \ |
50 CA_COMMON_NAME="D Root CA" \ | 79 CERTIFICATE="${i}" \ |
51 try openssl x509 \ | 80 openssl ca \ |
52 -req -days 3650 \ | 81 -config redundant-ca.cnf \ |
53 -in out/D.csr \ | 82 -batch \ |
83 -startdate 160102000000Z \ | |
84 -enddate 260102000000Z \ | |
54 -extensions ca_cert \ | 85 -extensions ca_cert \ |
55 -extfile redundant-ca.cnf \ | 86 -extfile redundant-ca.cnf \ |
56 -signkey out/D.key \ | 87 -selfsign \ |
57 -out out/D.pem \ | 88 -in "out/${i}.csr" \ |
58 -text | 89 -out "out/${i}.pem" |
59 | 90 done |
60 echo Generate the E CSR. | 91 |
61 CA_COMMON_NAME="E Root CA" \ | 92 echo "Generating intermediate CSRs" |
62 CERTIFICATE=E \ | 93 for i in B C F |
63 try openssl req \ | 94 do |
95 echo "Generating CSR ${i}" | |
96 CA_COMMON_NAME="${i} CA" \ | |
97 CERTIFICATE="${i}" \ | |
98 openssl req \ | |
99 -config redundant-ca.cnf \ | |
64 -new \ | 100 -new \ |
65 -key out/E.key \ | 101 -key "out/${i}.key" \ |
66 -out out/E.csr \ | 102 -out "out/${i}.csr" |
67 -config redundant-ca.cnf | 103 done |
68 | 104 |
69 echo E signs itself. | 105 echo D signs C |
70 CA_COMMON_NAME="E Root CA" \ | 106 CA_COMMON_NAME="D CA" \ |
71 try openssl x509 \ | 107 CERTIFICATE=D \ |
72 -req -days 3650 \ | 108 openssl ca \ |
73 -in out/E.csr \ | 109 -config redundant-ca.cnf \ |
74 -extensions ca_cert \ | 110 -batch \ |
75 -extfile redundant-ca.cnf \ | 111 -startdate 160103000000Z \ |
76 -signkey out/E.key \ | 112 -enddate 260102000000Z \ |
77 -out out/E.pem \ | 113 -extensions ca_cert \ |
78 -text | 114 -extfile redundant-ca.cnf \ |
79 | 115 -in out/C.csr \ |
80 echo Generate the C2 intermediary CSR. | 116 -out out/C.pem |
117 | |
118 echo C signs B | |
81 CA_COMMON_NAME="C CA" \ | 119 CA_COMMON_NAME="C CA" \ |
82 CERTIFICATE=C2 \ | 120 CERTIFICATE=C \ |
83 try openssl req \ | 121 openssl ca \ |
122 -config redundant-ca.cnf \ | |
123 -batch \ | |
124 -startdate 160104000000Z \ | |
125 -enddate 260102000000Z \ | |
126 -extensions ca_cert \ | |
127 -extfile redundant-ca.cnf \ | |
128 -in out/B.csr \ | |
129 -out out/B.pem | |
130 | |
131 echo E signs C2 | |
132 CA_COMMON_NAME="E CA" \ | |
133 CERTIFICATE=E \ | |
134 openssl ca \ | |
135 -config redundant-ca.cnf \ | |
136 -batch \ | |
137 -startdate 160105000000Z \ | |
138 -enddate 260102000000Z \ | |
139 -extensions ca_cert \ | |
140 -extfile redundant-ca.cnf \ | |
141 -in out/C.csr \ | |
142 -out out/C2.pem | |
143 | |
144 echo E signs F | |
145 CA_COMMON_NAME="E CA" \ | |
146 CERTIFICATE=E \ | |
147 openssl ca \ | |
148 -config redundant-ca.cnf \ | |
149 -batch \ | |
150 -startdate 160102000000Z \ | |
151 -enddate 260102000000Z \ | |
152 -extensions ca_cert \ | |
153 -extfile redundant-ca.cnf \ | |
154 -in out/F.csr \ | |
155 -out out/F.pem | |
156 | |
157 # Note: The startdate for B-by-F MUST be different than that of B-by-C; to make | |
158 # B-by-F more preferable, the startdate is chosen to be GREATER (later) than | |
159 # B-by-C | |
davidben
2016/01/28 20:52:32
Nit: period
| |
160 echo F signs B2 | |
161 CA_COMMON_NAME="F CA" \ | |
162 CERTIFICATE=F \ | |
163 openssl ca \ | |
164 -config redundant-ca.cnf \ | |
165 -batch \ | |
166 -startdate 160105000000Z \ | |
167 -enddate 260102000000Z \ | |
168 -extensions ca_cert \ | |
169 -extfile redundant-ca.cnf \ | |
170 -in out/B.csr \ | |
171 -out out/B2.pem | |
172 | |
173 echo "Generating leaf CSRs" | |
174 for i in A | |
175 do | |
176 echo "Generating leaf ${i}" | |
177 openssl req \ | |
178 -config ee.cnf \ | |
84 -new \ | 179 -new \ |
85 -key out/C.key \ | 180 -key "out/${i}.key" \ |
86 -out out/C2.csr \ | 181 -out "out/${i}.csr" |
87 -config redundant-ca.cnf | 182 done |
88 | 183 |
89 echo Generate the B and C intermediaries\' CSRs. | 184 echo "Signing leaves" |
90 for i in B C | |
91 do | |
92 CA_COMMON_NAME="$i CA" \ | |
93 CERTIFICATE="$i" \ | |
94 try openssl req \ | |
95 -new \ | |
96 -key "out/$i.key" \ | |
97 -out "out/$i.csr" \ | |
98 -config redundant-ca.cnf | |
99 done | |
100 | |
101 echo D signs the C intermediate. | |
102 # Make sure the signer's DB file exists. | |
103 touch out/D-index.txt | |
104 CA_COMMON_NAME="D Root CA" \ | |
105 CERTIFICATE=D \ | |
106 try openssl ca \ | |
107 -batch \ | |
108 -extensions ca_cert \ | |
109 -in out/C.csr \ | |
110 -out out/C.pem \ | |
111 -config redundant-ca.cnf | |
112 | |
113 echo E signs the C2 intermediate. | |
114 # Make sure the signer's DB file exists. | |
115 touch out/E-index.txt | |
116 CA_COMMON_NAME="E Root CA" \ | |
117 CERTIFICATE=E \ | |
118 try openssl ca \ | |
119 -batch \ | |
120 -extensions ca_cert \ | |
121 -in out/C2.csr \ | |
122 -out out/C2.pem \ | |
123 -config redundant-ca.cnf | |
124 | |
125 echo C signs the B intermediate. | |
126 touch out/C-index.txt | |
127 CA_COMMON_NAME="C CA" \ | |
128 CERTIFICATE=C \ | |
129 try openssl ca \ | |
130 -batch \ | |
131 -extensions ca_cert \ | |
132 -in out/B.csr \ | |
133 -out out/B.pem \ | |
134 -config redundant-ca.cnf | |
135 | |
136 echo Generate the A end-entity CSR. | |
137 try openssl req \ | |
138 -new \ | |
139 -key out/A.key \ | |
140 -out out/A.csr \ | |
141 -config ee.cnf | |
142 | |
143 echo B signs A. | |
144 touch out/B-index.txt | |
145 CA_COMMON_NAME="B CA" \ | 185 CA_COMMON_NAME="B CA" \ |
146 CERTIFICATE=B \ | 186 CERTIFICATE=B \ |
147 try openssl ca \ | 187 openssl ca \ |
148 -batch \ | 188 -config redundant-ca.cnf \ |
149 -extensions user_cert \ | 189 -batch \ |
150 -in out/A.csr \ | 190 -days 3650 \ |
151 -out out/A.pem \ | 191 -extensions user_cert \ |
152 -config redundant-ca.cnf | 192 -extfile redundant-ca.cnf \ |
153 | 193 -in out/A.csr \ |
154 echo Create multi-root-chain1.pem | 194 -out out/A.pem |
155 try /bin/sh -c "cat out/A.key out/A.pem out/B.pem out/C.pem out/D.pem \ | 195 |
156 > ../certificates/multi-root-chain1.pem" | 196 echo "Copying outputs" |
157 | 197 /bin/sh -c "cat out/A.key out/A.pem > ../certificates/multi-root-A-by-B.pem" |
158 echo Create multi-root-chain2.pem | 198 cp out/B.pem ../certificates/multi-root-B-by-C.pem |
159 try /bin/sh -c "cat out/A.key out/A.pem out/B.pem out/C2.pem out/E.pem \ | 199 cp out/B2.pem ../certificates/multi-root-B-by-F.pem |
160 > ../certificates/multi-root-chain2.pem" | 200 cp out/C.pem ../certificates/multi-root-C-by-D.pem |
161 | 201 cp out/C2.pem ../certificates/multi-root-C-by-E.pem |
202 cp out/F.pem ../certificates/multi-root-F-by-E.pem | |
203 cp out/D.pem ../certificates/multi-root-D-by-D.pem | |
204 cp out/E.pem ../certificates/multi-root-E-by-E.pem | |
205 | |
206 echo "Generating CRLSets" | |
207 # Block C-by-E (serial number 0x1001) by way of serial number. | |
208 python crlsetutil.py -o ../certificates/multi-root-crlset-C-by-E.raw \ | |
209 <<CRLSETBYSERIAL | |
210 { | |
211 "BlockedByHash": { | |
212 "out/E.pem": [4097] | |
213 } | |
214 } | |
215 CRLSETBYSERIAL | |
216 | |
217 # Block F (all versions) by way of SPKI | |
218 python crlsetutil.py -o ../certificates/multi-root-crlset-F.raw \ | |
219 <<CRLSETBYSPKI | |
220 { | |
221 "BlockedBySPKI": [ "out/F.pem" ] | |
222 } | |
223 CRLSETBYSPKI | |
OLD | NEW |