Chromium Code Reviews Chromium Code Reviews
Issue 18223006:
Add script for generating certificates that require an explicit policy (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src| OLD | NEW |
|---|---|
| (Empty) | |
| 1 #!/bin/sh | |
| 2 | |
| 3 # Copyright 2013 The Chromium Authors. All rights reserved. | |
| 4 # Use of this source code is governed by a BSD-style license that can be | |
| 5 # found in the LICENSE file. | |
| 6 | |
| 7 # This script generates a (end-entity, intermediate, root) certificate, where | |
| 8 # the root has no explicit policies associated, the intermediate has multiple | |
| 9 # policies, and the leaf has a single policy. | |
| 10 # | |
| 11 # When validating, supplying no policy OID should not result in an error. | |
| 12 | |
| 13 try() { | |
| 14 echo "$@" | |
| 15 $@ || exit 1 | |
| 16 } | |
| 17 | |
| 18 try rm -rf out | |
| 19 try mkdir out | |
| 20 | |
| 21 # Create the serial number files. | |
| 22 try echo 1 > out/policy-root-serial | |
| 23 try echo 1 > out/policy-intermediate-serial | |
| 24 | |
| 25 # Create the signers' DB files. | |
| 26 touch out/policy-root-index.txt | |
| 27 touch out/policy-intermediate-index.txt | |
| 28 | |
| 29 # Generate the keys | |
| 30 try openssl genrsa -out out/policy-root.key 2048 | |
| 31 try openssl genrsa -out out/policy-intermediate.key 2048 | |
| 32 try openssl genrsa -out out/policy-cert.key 2048 | |
| 33 | |
| 34 # Generate the root certificate | |
| 35 CA_COMMON_NAME="Policy Test Root CA" \ | |
| 36 CA_DIR=out \ | |
| 37 CA_NAME=policy-root \ | |
| 38 try openssl req \ | |
| 39 -new \ | |
| 40 -key out/policy-root.key \ | |
| 41 -out out/policy-root.csr \ | |
| 42 -config policy.cnf | |
| 43 | |
| 44 CA_COMMON_NAME="Policy Test Root CA" \ | |
| 45 CA_DIR=out \ | |
| 46 CA_NAME=policy-root \ | |
| 47 try openssl x509 \ | |
| 48 -req -days 3650 \ | |
| 49 -in out/policy-root.csr \ | |
| 50 -out out/policy-root.pem \ | |
| 51 -signkey out/policy-root.key \ | |
| 52 -extfile policy.cnf \ | |
| 53 -extensions ca_cert | |
| 54 | |
| 55 # Generate the intermediate | |
| 56 CA_COMMON_NAME="Policy Test Intermediate CA" \ | |
| 57 CA_DIR=out \ | |
| 58 try openssl req \ | |
| 59 -new \ | |
| 60 -key out/policy-intermediate.key \ | |
| 61 -out out/policy-intermediate.csr \ | |
| 62 -config policy.cnf | |
| 63 | |
| 64 CA_COMMON_NAME="Policy Test Intermediate CA" \ | |
|
wtc
2013/07/01 19:46:53
Should this be "Policy Test Root CA"? I don't know
Ryan Sleevi
2013/07/03 21:29:44
No, it's unused.
| |
| 65 CA_DIR=out \ | |
| 66 CA_NAME=policy-root \ | |
| 67 try openssl ca \ | |
| 68 -batch \ | |
| 69 -in out/policy-intermediate.csr \ | |
| 70 -out out/policy-intermediate.pem \ | |
| 71 -config policy.cnf \ | |
| 72 -extensions intermediate_cert | |
| 73 | |
| 74 # Generate the leaf | |
| 75 CA_COMMON_NAME="policy_test.example" \ | |
|
wtc
2013/07/01 19:46:53
Should this be "Policy Test Intermediate CA"? "pol
Ryan Sleevi
2013/07/03 21:29:44
No, this is really the 'common name'. It's an inhe
| |
| 76 CA_DIR=out \ | |
| 77 CA_NAME=policy-intermediate \ | |
| 78 try openssl req \ | |
| 79 -new \ | |
| 80 -key out/policy-cert.key \ | |
| 81 -out out/policy-cert.csr \ | |
| 82 -config policy.cnf | |
| 83 | |
| 84 CA_COMMON_NAME="Policy Test Intermediate CA" \ | |
| 85 CA_DIR=out \ | |
| 86 CA_NAME=policy-intermediate \ | |
| 87 try openssl ca \ | |
| 88 -batch \ | |
| 89 -in out/policy-cert.csr \ | |
| 90 -out out/policy-cert.pem \ | |
| 91 -config policy.cnf \ | |
| 92 -extensions user_cert | |
| 93 | |
| 94 cat out/policy-cert.pem \ | |
| 95 out/policy-intermediate.pem \ | |
| 96 out/policy-root.pem >../certificates/explicit-policy-chain.pem | |
| OLD | NEW |
