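--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -1,10 +1,10 @@
 #!/bin/sh
 
 # Copyright 2014 The Chromium Authors. All rights reserved.
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
 
 # The following documentation uses the annotation approach from RFC 4158.
 # CAs (entities that share the same name and public key) are denoted in boxes,
 # while the indication that a CA Foo signed a certificate for CA Bar is denoted
 # by directed arrows.
@@ -59,169 +59,202 @@
 echo Generate the keys.
 for i in A B C D E F
 do
   openssl genrsa -out "out/${i}.key" 2048
 done
 
 echo "Generating the self-signed roots"
 for i in D E
 do
   echo "Generating CSR ${i}"
-  CA_COMMON_NAME="${i} Root CA" \
+  CA_COMMON_NAME="${i} Root CA - Multi-root" \
   CERTIFICATE="${i}" \
   openssl req \
     -config redundant-ca.cnf \
     -new \
     -key "out/${i}.key" \
     -out "out/${i}.csr"
 
   echo "Generating self-signed ${i}"
-  CA_COMMON_NAME="${i} Root CA" \
+  CA_COMMON_NAME="${i} Root CA - Multi-root" \
   CERTIFICATE="${i}" \
   openssl ca \
     -config redundant-ca.cnf \
     -batch \
     -startdate 160102000000Z \
     -enddate 260102000000Z \
     -extensions ca_cert \
     -extfile redundant-ca.cnf \
     -selfsign \
     -in "out/${i}.csr" \
     -out "out/${i}.pem"
 done
 
 echo "Generating intermediate CSRs"
 for i in B C F
 do
   echo "Generating CSR ${i}"
-  CA_COMMON_NAME="${i} CA" \
+  CA_COMMON_NAME="${i} CA - Multi-root" \
   CERTIFICATE="${i}" \
   openssl req \
     -config redundant-ca.cnf \
     -new \
     -key "out/${i}.key" \
     -out "out/${i}.csr"
 done
 
 echo D signs C
-CA_COMMON_NAME="D CA" \
+CA_COMMON_NAME="D CA - Multi-root" \
 CERTIFICATE=D \
 openssl ca \
   -config redundant-ca.cnf \
   -batch \
   -startdate 160103000000Z \
   -enddate 260102000000Z \
   -extensions ca_cert \
   -extfile redundant-ca.cnf \
   -in out/C.csr \
   -out out/C.pem
 
 echo C signs B
-CA_COMMON_NAME="C CA" \
+CA_COMMON_NAME="C CA - Multi-root" \
 CERTIFICATE=C \
 openssl ca \
   -config redundant-ca.cnf \
   -batch \
   -startdate 160104000000Z \
   -enddate 260102000000Z \
   -extensions ca_cert \
   -extfile redundant-ca.cnf \
   -in out/B.csr \
   -out out/B.pem
 
 echo E signs C2
-CA_COMMON_NAME="E CA" \
+CA_COMMON_NAME="E CA - Multi-root" \
 CERTIFICATE=E \
 openssl ca \
   -config redundant-ca.cnf \
   -batch \
   -startdate 160105000000Z \
   -enddate 260102000000Z \
   -extensions ca_cert \
   -extfile redundant-ca.cnf \
   -in out/C.csr \
   -out out/C2.pem
 
 echo E signs F
-CA_COMMON_NAME="E CA" \
+CA_COMMON_NAME="E CA - Multi-root" \
 CERTIFICATE=E \
 openssl ca \
   -config redundant-ca.cnf \
   -batch \
   -startdate 160102000000Z \
   -enddate 260102000000Z \
   -extensions ca_cert \
   -extfile redundant-ca.cnf \
   -in out/F.csr \
   -out out/F.pem
 
 # Note: The startdate for B-by-F MUST be different than that of B-by-C; to make
 # B-by-F more preferable, the startdate is chosen to be GREATER (later) than
 # B-by-C.
 echo F signs B2
-CA_COMMON_NAME="F CA" \
+CA_COMMON_NAME="F CA - Multi-root" \
 CERTIFICATE=F \
 openssl ca \
   -config redundant-ca.cnf \
   -batch \
   -startdate 160105000000Z \
   -enddate 260102000000Z \
   -extensions ca_cert \
   -extfile redundant-ca.cnf \
   -in out/B.csr \
   -out out/B2.pem
 
 echo "Generating leaf CSRs"
 for i in A
 do
   echo "Generating leaf ${i}"
   openssl req \
     -config ee.cnf \
     -new \
     -key "out/${i}.key" \
     -out "out/${i}.csr"
 done
 
 echo "Signing leaves"
-CA_COMMON_NAME="B CA" \
+CA_COMMON_NAME="B CA - Multi-root" \
 CERTIFICATE=B \
 openssl ca \
   -config redundant-ca.cnf \
   -batch \
   -days 3650 \
   -extensions user_cert \
   -extfile redundant-ca.cnf \
   -in out/A.csr \
   -out out/A.pem
 
 echo "Copying outputs"
 /bin/sh -c "cat out/A.key out/A.pem > ../certificates/multi-root-A-by-B.pem"
 /bin/sh -c "cat out/A.pem out/B.pem out/C.pem out/D.pem \
     > ../certificates/multi-root-chain1.pem"
 /bin/sh -c "cat out/A.pem out/B.pem out/C2.pem out/E.pem \
     > ../certificates/multi-root-chain2.pem"
 cp out/B.pem ../certificates/multi-root-B-by-C.pem
 cp out/B2.pem ../certificates/multi-root-B-by-F.pem
 cp out/C.pem ../certificates/multi-root-C-by-D.pem
 cp out/C2.pem ../certificates/multi-root-C-by-E.pem
 cp out/F.pem ../certificates/multi-root-F-by-E.pem
 cp out/D.pem ../certificates/multi-root-D-by-D.pem
 cp out/E.pem ../certificates/multi-root-E-by-E.pem
 
 echo "Generating CRLSets"
-# Block C-by-E (serial number 0x1001) by way of serial number.
-python crlsetutil.py -o ../certificates/multi-root-crlset-C-by-E.raw \
-<<CRLSETBYSERIAL
+# Block D and E by SPKI; invalidates all paths.
+python crlsetutil.py -o ../certificates/multi-root-crlset-D-and-E.raw \
+<<CRLSETDOCBLOCK
+{
+  "BlockedBySPKI": [
+    "out/D.pem",
+    "out/E.pem"
+  ]
+}
+CRLSETDOCBLOCK
+
+# Block E by SPKI.
+python crlsetutil.py -o ../certificates/multi-root-crlset-E.raw \
+<<CRLSETDOCBLOCK
+{
+  "BlockedBySPKI": [
+    "out/E.pem"
+  ]
+}
+CRLSETDOCBLOCK
+
+# Block C-by-D (serial number 0x1001) and F-by-E (serial number 0x1002) by
+# way of serial number.
+python crlsetutil.py -o ../certificates/multi-root-crlset-CD-and-FE.raw \
+<<CRLSETDOCBLOCK
 {
   "BlockedByHash": {
-    "out/E.pem": [4097]
+    "out/D.pem": [4097],
+    "out/E.pem": [4098]
   }
 }
-CRLSETBYSERIAL
+CRLSETDOCBLOCK
 
-# Block F (all versions) by way of SPKI
-python crlsetutil.py -o ../certificates/multi-root-crlset-F.raw \
-<<CRLSETBYSPKI
+# Block C (all versions) by way of SPKI
+python crlsetutil.py -o ../certificates/multi-root-crlset-C.raw \
+<<CRLSETDOCBLOCK
 {
-  "BlockedBySPKI": [ "out/F.pem" ]
+  "BlockedBySPKI": [ "out/C.pem" ]
 }
-CRLSETBYSPKI
+CRLSETDOCBLOCK
+
+# Block an unrelated/unissued serial (0x0FFF) to enable all paths.
+python crlsetutil.py -o ../certificates/multi-root-crlset-unrelated.raw \
+<<CRLSETDOCBLOCK
+{
+  "BlockedByHash": {
+    "out/E.pem": [4095]
+  }
+}
+CRLSETDOCBLOCK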
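Review bot: The BlockedByHash entries in the new CD-and-FE and "unrelated" CRLSets hard-code serials 4097/4098/4095 that only hold while D issues exactly one certificate (C) and E issues C2 before F, so reordering the signing blocks above would silently make these CRLSets block the wrong certificate; the serial counter itself comes from redundant-ca.cnf, which is not shown here. I would state that coupling next to the first hash-based block: `# Serials below depend on issuance order: D issues only C (0x1001); E issues C2 (0x1001) then F (0x1002).` The heredoc delimiters are unquoted, so any `$` in the JSON would be expanded by the shell; `<<'CRLSETDOCBLOCK'` makes each document literal at no cost. Nothing visible aborts the script after a failed `openssl ca`, so a stale out/*.pem left from an earlier run could feed crlsetutil.py unnoticed, unless the elided lines 11–58 already `set -e`.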