Chromium Code Reviews

Side by Side Diff: net/data/ssl/scripts/generate-test-certs.sh

Issue 20628006: Reject certificates that are valid for too long. (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src
Patch Set: Make a new cert for IntranetHostsRejected. Tests pass now. Created 6 years, 1 month ago
1 #!/bin/sh 1 #!/bin/sh
2 2
3 # Copyright 2013 The Chromium Authors. All rights reserved. 3 # Copyright 2013 The Chromium Authors. All rights reserved.
4 # Use of this source code is governed by a BSD-style license that can be 4 # Use of this source code is governed by a BSD-style license that can be
5 # found in the LICENSE file. 5 # found in the LICENSE file.
6 6
7 # This script generates a set of test (end-entity, intermediate, root) 7 # This script generates a set of test (end-entity, intermediate, root)
8 # certificates that can be used to test fetching of an intermediate via AIA. 8 # certificates that can be used to test fetching of an intermediate via AIA.
9 9
10 try() { 10 try() {
(...skipping 49 matching lines...)
60 -startdate 060101000000Z \ 60 -startdate 060101000000Z \
61 -enddate 070101000000Z \ 61 -enddate 070101000000Z \
62 -in out/expired_cert.req \ 62 -in out/expired_cert.req \
63 -out out/expired_cert.pem \ 63 -out out/expired_cert.pem \
64 -config ca.cnf 64 -config ca.cnf
65 65
66 CA_COMMON_NAME="Test Root CA" \ 66 CA_COMMON_NAME="Test Root CA" \
67 try openssl ca \ 67 try openssl ca \
68 -batch \ 68 -batch \
69 -extensions user_cert \ 69 -extensions user_cert \
70 -days 3650 \ 70 -days 1000 \
Ryan Sleevi 2014/11/04 21:48:27 Why was this change necessary? Unrelated? Why didn
palmer 2014/11/07 19:16:14 Yeah, reverted. I think it was from when I was try
71 -in out/ok_cert.req \ 71 -in out/ok_cert.req \
72 -out out/ok_cert.pem \ 72 -out out/ok_cert.pem \
73 -config ca.cnf 73 -config ca.cnf
74 74
75 CA_COMMON_NAME="Test Root CA" \ 75 CA_COMMON_NAME="Test Root CA" \
76 try openssl ca \ 76 try openssl ca \
77 -batch \ 77 -batch \
78 -extensions name_constraint_bad \ 78 -extensions name_constraint_bad \
79 -subj "/CN=Leaf certificate/" \ 79 -subj "/CN=Leaf certificate/" \
80 -days 3650 \ 80 -days 3650 \
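Review bot: the -days 3650 to -days 1000 change for ok_cert.pem on line 70 is unrelated to this CL's stated purpose (rejecting certificates that are valid for too long) and silently shortens the lifetime of a fixture that many tests depend on; unless a test in this CL needs the shorter validity, keep -days 3650 so ok_cert.pem does not start expiring earlier than the other fixtures, and if it is needed, add a comment saying which test relies on it. The inline discussion indicates this was already reverted, so the line should be restored in the next patch set.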
(...skipping 36 matching lines...)
117 117
118 ## SubjectAltName parsing 118 ## SubjectAltName parsing
119 try openssl req -x509 -days 3650 -extensions req_san_sanity \ 119 try openssl req -x509 -days 3650 -extensions req_san_sanity \
120 -config ../scripts/ee.cnf -newkey rsa:2048 -text \ 120 -config ../scripts/ee.cnf -newkey rsa:2048 -text \
121 -out ../certificates/subjectAltName_sanity_check.pem 121 -out ../certificates/subjectAltName_sanity_check.pem
122 122
123 ## Punycode handling 123 ## Punycode handling
124 SUBJECT_NAME="req_punycode_dn" \ 124 SUBJECT_NAME="req_punycode_dn" \
125 try openssl req -x509 -days 3650 -extensions req_punycode \ 125 try openssl req -x509 -days 3650 -extensions req_punycode \
126 -config ../scripts/ee.cnf -newkey rsa:2048 -text \ 126 -config ../scripts/ee.cnf -newkey rsa:2048 -text \
127 -out ../certificates/punycodetest.pem 127 -out ../certificates/punycodetest.pem
128
129 ## Reject intranet hosts
Ryan Sleevi 2014/11/04 21:48:27 Reject intranet hostnames in "publicly" trusted ce
palmer 2014/11/07 19:16:14 Done.
130 SUBJECT_NAME="req_dn" \
131 try openssl req -x509 -days $((365 * 3)) \
132 -config ../scripts/ee.cnf -newkey rsa:2048 -text \
133 -out ../certificates/reject_intranet_hosts.pem
134
135 ## Validity too long
136 try openssl req -config ../scripts/ee.cnf \
137 -newkey rsa:2048 -text -out ../certificates/11_year_validity.req
138 CA_COMMON_NAME="Test Root CA" \
139 try openssl ca \
140 -batch \
141 -extensions user_cert \
142 -startdate 141030000000Z \
143 -days $((365 * 11)) \
Ryan Sleevi 2014/11/04 21:48:27 ಠ_ಠ KISS. This is /bin/sh style we're dealing wit
palmer 2014/11/07 19:16:14 Done.
144 -in ../certificates/11_year_validity.req \
145 -out ../certificates/11_year_validity.pem \
146 -config ca.cnf
147 try openssl req -config ../scripts/ee.cnf \
148 -newkey rsa:2048 -text -out ../certificates/40_months_after_2015_04.req
149 CA_COMMON_NAME="Test Root CA" \
150 try openssl ca \
151 -batch \
152 -extensions user_cert \
153 -startdate 150402000000Z \
154 -enddate 180901000000Z \
155 -in ../certificates/40_months_after_2015_04.req \
156 -out ../certificates/40_months_after_2015_04.pem \
157 -config ca.cnf
158 try openssl req -config ../scripts/ee.cnf \
159 -newkey rsa:2048 -text -out ../certificates/61_months_after_2012_07.req
160 CA_COMMON_NAME="Test Root CA" \
161 try openssl ca \
162 -batch \
163 -extensions user_cert \
164 -startdate 141030000000Z \
165 -days $((30 * 61)) \
Ryan Sleevi 2014/11/04 21:48:27 Ditto
palmer 2014/11/07 19:16:14 Done and on line 131 too.
166 -in ../certificates/61_months_after_2012_07.req \
167 -out ../certificates/61_months_after_2012_07.pem \
168 -config ca.cnf
128 169
129 # Regenerate CRLSets 170 # Regenerate CRLSets
130 ## Block a leaf cert directly by SPKI 171 ## Block a leaf cert directly by SPKI
131 try python crlsetutil.py -o ../certificates/crlset_by_leaf_spki.raw \ 172 try python crlsetutil.py -o ../certificates/crlset_by_leaf_spki.raw \
132 <<CRLBYLEAFSPKI 173 <<CRLBYLEAFSPKI
133 { 174 {
134 "BlockedBySPKI": ["../certificates/ok_cert.pem"] 175 "BlockedBySPKI": ["../certificates/ok_cert.pem"]
135 } 176 }
136 CRLBYLEAFSPKI 177 CRLBYLEAFSPKI
137 178
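Review bot: the new "validity too long" fixtures on lines 135-168 encode their intended period in the filename, but the literal dates do not match the names, which will make the fixtures hard to maintain once the thresholds in the tests change: 61_months_after_2012_07 uses -startdate 141030000000Z rather than a 2012 start, and -days $((30 * 61)) expands to 1830 days, which is short of 61 calendar months; 11_year_validity likewise derives its end from $((365 * 11)) rather than an explicit date. Use explicit -startdate/-enddate pairs throughout, as already done for 40_months_after_2015_04 (lines 153-154) and for expired_cert (lines 60-61), and add a one-line comment above each fixture stating which cutoff it is meant to exceed, so the reader does not need to do date arithmetic to see why the certificate should be rejected. Also, the reject_intranet_hosts certificate on lines 130-133 is the only `openssl req -x509` invocation in this file without an -extensions argument, so the names it carries depend on the ee.cnf defaults; pass the intended extension section explicitly to make the fixture self-describing.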
(...skipping 11 matching lines...)
149 ## Block a leaf cert by issuer-hash-and-serial. However, this will be issued 190 ## Block a leaf cert by issuer-hash-and-serial. However, this will be issued
150 ## from an intermediate CA issued underneath a root. 191 ## from an intermediate CA issued underneath a root.
151 try python crlsetutil.py -o ../certificates/crlset_by_intermediate_serial.raw \ 192 try python crlsetutil.py -o ../certificates/crlset_by_intermediate_serial.raw \
152 <<CRLSETBYINTERMEDIATESERIAL 193 <<CRLSETBYINTERMEDIATESERIAL
153 { 194 {
154 "BlockedByHash": { 195 "BlockedByHash": {
155 "../certificates/quic_intermediate.crt": [3] 196 "../certificates/quic_intermediate.crt": [3]
156 } 197 }
157 } 198 }
158 CRLSETBYINTERMEDIATESERIAL 199 CRLSETBYINTERMEDIATESERIAL
