OLD | NEW |
---|---|
1 #!/bin/sh | 1 #!/bin/sh |
2 | 2 |
3 # Copyright 2013 The Chromium Authors. All rights reserved. | 3 # Copyright 2013 The Chromium Authors. All rights reserved. |
4 # Use of this source code is governed by a BSD-style license that can be | 4 # Use of this source code is governed by a BSD-style license that can be |
5 # found in the LICENSE file. | 5 # found in the LICENSE file. |
6 | 6 |
7 # This script generates a set of test (end-entity, intermediate, root) | 7 # This script generates a set of test (end-entity, intermediate, root) |
8 # certificates that can be used to test fetching of an intermediate via AIA. | 8 # certificates that can be used to test fetching of an intermediate via AIA. |
9 | 9 |
10 try() { | 10 try() { |
(...skipping 49 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
60 -startdate 060101000000Z \ | 60 -startdate 060101000000Z \ |
61 -enddate 070101000000Z \ | 61 -enddate 070101000000Z \ |
62 -in out/expired_cert.req \ | 62 -in out/expired_cert.req \ |
63 -out out/expired_cert.pem \ | 63 -out out/expired_cert.pem \ |
64 -config ca.cnf | 64 -config ca.cnf |
65 | 65 |
66 CA_COMMON_NAME="Test Root CA" \ | 66 CA_COMMON_NAME="Test Root CA" \ |
67 try openssl ca \ | 67 try openssl ca \ |
68 -batch \ | 68 -batch \ |
69 -extensions user_cert \ | 69 -extensions user_cert \ |
70 -days 3650 \ | 70 -days 1000 \ |
Ryan Sleevi
2014/11/04 21:48:27
Why was this change necessary? Unrelated? Why didn
palmer
2014/11/07 19:16:14
Yeah, reverted. I think it was from when I was try
| |
71 -in out/ok_cert.req \ | 71 -in out/ok_cert.req \ |
72 -out out/ok_cert.pem \ | 72 -out out/ok_cert.pem \ |
73 -config ca.cnf | 73 -config ca.cnf |
74 | 74 |
75 CA_COMMON_NAME="Test Root CA" \ | 75 CA_COMMON_NAME="Test Root CA" \ |
76 try openssl ca \ | 76 try openssl ca \ |
77 -batch \ | 77 -batch \ |
78 -extensions name_constraint_bad \ | 78 -extensions name_constraint_bad \ |
79 -subj "/CN=Leaf certificate/" \ | 79 -subj "/CN=Leaf certificate/" \ |
80 -days 3650 \ | 80 -days 3650 \ |
(...skipping 36 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
117 | 117 |
118 ## SubjectAltName parsing | 118 ## SubjectAltName parsing |
119 try openssl req -x509 -days 3650 -extensions req_san_sanity \ | 119 try openssl req -x509 -days 3650 -extensions req_san_sanity \ |
120 -config ../scripts/ee.cnf -newkey rsa:2048 -text \ | 120 -config ../scripts/ee.cnf -newkey rsa:2048 -text \ |
121 -out ../certificates/subjectAltName_sanity_check.pem | 121 -out ../certificates/subjectAltName_sanity_check.pem |
122 | 122 |
123 ## Punycode handling | 123 ## Punycode handling |
124 SUBJECT_NAME="req_punycode_dn" \ | 124 SUBJECT_NAME="req_punycode_dn" \ |
125 try openssl req -x509 -days 3650 -extensions req_punycode \ | 125 try openssl req -x509 -days 3650 -extensions req_punycode \ |
126 -config ../scripts/ee.cnf -newkey rsa:2048 -text \ | 126 -config ../scripts/ee.cnf -newkey rsa:2048 -text \ |
127 -out ../certificates/punycodetest.pem | 127 -out ../certificates/punycodetest.pem |
128 | |
129 ## Reject intranet hosts | |
Ryan Sleevi
2014/11/04 21:48:27
Reject intranet hostnames in "publicly" trusted ce
palmer
2014/11/07 19:16:14
Done.
| |
130 SUBJECT_NAME="req_dn" \ | |
131 try openssl req -x509 -days $((365 * 3)) \ | |
132 -config ../scripts/ee.cnf -newkey rsa:2048 -text \ | |
133 -out ../certificates/reject_intranet_hosts.pem | |
134 | |
135 ## Validity too long | |
136 try openssl req -config ../scripts/ee.cnf \ | |
137 -newkey rsa:2048 -text -out ../certificates/11_year_validity.req | |
138 CA_COMMON_NAME="Test Root CA" \ | |
139 try openssl ca \ | |
140 -batch \ | |
141 -extensions user_cert \ | |
142 -startdate 141030000000Z \ | |
143 -days $((365 * 11)) \ | |
Ryan Sleevi
2014/11/04 21:48:27
ಠ_ಠ
KISS. This is /bin/sh style we're dealing wit
palmer
2014/11/07 19:16:14
Done.
| |
144 -in ../certificates/11_year_validity.req \ | |
145 -out ../certificates/11_year_validity.pem \ | |
146 -config ca.cnf | |
147 try openssl req -config ../scripts/ee.cnf \ | |
148 -newkey rsa:2048 -text -out ../certificates/40_months_after_2015_04.req | |
149 CA_COMMON_NAME="Test Root CA" \ | |
150 try openssl ca \ | |
151 -batch \ | |
152 -extensions user_cert \ | |
153 -startdate 150402000000Z \ | |
154 -enddate 180901000000Z \ | |
155 -in ../certificates/40_months_after_2015_04.req \ | |
156 -out ../certificates/40_months_after_2015_04.pem \ | |
157 -config ca.cnf | |
158 try openssl req -config ../scripts/ee.cnf \ | |
159 -newkey rsa:2048 -text -out ../certificates/61_months_after_2012_07.req | |
160 CA_COMMON_NAME="Test Root CA" \ | |
161 try openssl ca \ | |
162 -batch \ | |
163 -extensions user_cert \ | |
164 -startdate 141030000000Z \ | |
165 -days $((30 * 61)) \ | |
Ryan Sleevi
2014/11/04 21:48:27
Ditto
palmer
2014/11/07 19:16:14
Done and on line 131 too.
| |
166 -in ../certificates/61_months_after_2012_07.req \ | |
167 -out ../certificates/61_months_after_2012_07.pem \ | |
168 -config ca.cnf | |
128 | 169 |
129 # Regenerate CRLSets | 170 # Regenerate CRLSets |
130 ## Block a leaf cert directly by SPKI | 171 ## Block a leaf cert directly by SPKI |
131 try python crlsetutil.py -o ../certificates/crlset_by_leaf_spki.raw \ | 172 try python crlsetutil.py -o ../certificates/crlset_by_leaf_spki.raw \ |
132 <<CRLBYLEAFSPKI | 173 <<CRLBYLEAFSPKI |
133 { | 174 { |
134 "BlockedBySPKI": ["../certificates/ok_cert.pem"] | 175 "BlockedBySPKI": ["../certificates/ok_cert.pem"] |
135 } | 176 } |
136 CRLBYLEAFSPKI | 177 CRLBYLEAFSPKI |
137 | 178 |
(...skipping 11 matching lines...) Expand all Loading... | |
149 ## Block a leaf cert by issuer-hash-and-serial. However, this will be issued | 190 ## Block a leaf cert by issuer-hash-and-serial. However, this will be issued |
150 ## from an intermediate CA issued underneath a root. | 191 ## from an intermediate CA issued underneath a root. |
151 try python crlsetutil.py -o ../certificates/crlset_by_intermediate_serial.raw \ | 192 try python crlsetutil.py -o ../certificates/crlset_by_intermediate_serial.raw \ |
152 <<CRLSETBYINTERMEDIATESERIAL | 193 <<CRLSETBYINTERMEDIATESERIAL |
153 { | 194 { |
154 "BlockedByHash": { | 195 "BlockedByHash": { |
155 "../certificates/quic_intermediate.crt": [3] | 196 "../certificates/quic_intermediate.crt": [3] |
156 } | 197 } |
157 } | 198 } |
158 CRLSETBYINTERMEDIATESERIAL | 199 CRLSETBYINTERMEDIATESERIAL |
OLD | NEW |