Add script for generating certificates that require an explicit policy

net/data/ssl/scripts/generate-policy-certs.sh

Index: net/data/ssl/scripts/generate-policy-certs.sh
diff --git a/net/data/ssl/scripts/generate-policy-certs.sh b/net/data/ssl/scripts/generate-policy-certs.sh
new file mode 100755
index 0000000000000000000000000000000000000000..a23d22e7a1a7b0691f9cf39507a4dc3fd950bbca
--- /dev/null
+++ b/net/data/ssl/scripts/generate-policy-certs.sh
@@ -0,0 +1,96 @@
+#!/bin/sh
+
+# Copyright 2013 The Chromium Authors. All rights reserved.
+# Use of this source code is governed by a BSD-style license that can be
+# found in the LICENSE file.
+
+# This script generates a (end-entity, intermediate, root) certificate, where
+# the root has no explicit policies associated, the intermediate has multiple
+# policies, and the leaf has a single policy.
+#
+# When validating, supplying no policy OID should not result in an error.
+
+try() {
+  echo "$@"
+  $@ || exit 1
+}
+
+try rm -rf out
+try mkdir out
+
+# Create the serial number files.
+try echo 1 > out/policy-root-serial
+try echo 1 > out/policy-intermediate-serial
+
+# Create the signers' DB files.
+touch out/policy-root-index.txt
+touch out/policy-intermediate-index.txt
+
+# Generate the keys
+try openssl genrsa -out out/policy-root.key 2048
+try openssl genrsa -out out/policy-intermediate.key 2048
+try openssl genrsa -out out/policy-cert.key 2048
+
+# Generate the root certificate
+CA_COMMON_NAME="Policy Test Root CA" \
+  CA_DIR=out \
+  CA_NAME=policy-root \
+  try openssl req \
+    -new \
+    -key out/policy-root.key \
+    -out out/policy-root.csr \
+    -config policy.cnf
+
+CA_COMMON_NAME="Policy Test Root CA" \
+  CA_DIR=out \
+  CA_NAME=policy-root \
+  try openssl x509 \
+    -req -days 3650 \
+    -in out/policy-root.csr \
+    -out out/policy-root.pem \
+    -signkey out/policy-root.key \
+    -extfile policy.cnf \
+    -extensions ca_cert
+
+# Generate the intermediate
+CA_COMMON_NAME="Policy Test Intermediate CA" \
+  CA_DIR=out \
+  try openssl req \
+    -new \
+    -key out/policy-intermediate.key \
+    -out out/policy-intermediate.csr \
+    -config policy.cnf
+
+CA_COMMON_NAME="Policy Test Intermediate CA" \

[wtc, 2013/07/01 19:46:53]

Should this be "Policy Test Root CA"? I don't know whether this CA_COMMON_NAME
is referring to the intermediate CA or the root CA.

[Ryan Sleevi, 2013/07/03 21:29:44]

No, it's unused.

+  CA_DIR=out \
+  CA_NAME=policy-root \
+  try openssl ca \
+    -batch \
+    -in out/policy-intermediate.csr \
+    -out out/policy-intermediate.pem \
+    -config policy.cnf \
+    -extensions intermediate_cert
+
+# Generate the leaf
+CA_COMMON_NAME="policy_test.example" \

[wtc, 2013/07/01 19:46:53]

Should this be "Policy Test Intermediate CA"? "policy_test.example" is clearly
not a CA.

[Ryan Sleevi, 2013/07/03 21:29:44]

No, this is really the 'common name'. It's an inherited artifact of policy.cnf
being copied from ca.cnf, as in that workflow, ee certs come from ee.cnf.

Renamed the field COMMON_NAME, and updated line 64 to indicate "UNUSED"

+CA_DIR=out \
+CA_NAME=policy-intermediate \
+try openssl req \
+  -new \
+  -key out/policy-cert.key \
+  -out out/policy-cert.csr \
+  -config policy.cnf
+
+CA_COMMON_NAME="Policy Test Intermediate CA" \
+  CA_DIR=out \
+  CA_NAME=policy-intermediate \
+  try openssl ca \
+    -batch \
+    -in out/policy-cert.csr \
+    -out out/policy-cert.pem \
+    -config policy.cnf \
+    -extensions user_cert
+
+cat out/policy-cert.pem \
+    out/policy-intermediate.pem \
+    out/policy-root.pem >../certificates/explicit-policy-chain.pem