OLD | NEW |
1 #!/bin/sh | 1 #!/bin/sh |
2 | 2 |
3 # Copyright 2013 The Chromium Authors. All rights reserved. | 3 # Copyright 2013 The Chromium Authors. All rights reserved. |
4 # Use of this source code is governed by a BSD-style license that can be | 4 # Use of this source code is governed by a BSD-style license that can be |
5 # found in the LICENSE file. | 5 # found in the LICENSE file. |
6 | 6 |
7 # This script generates a set of test (end-entity, intermediate, root) | 7 # This script generates a set of test (end-entity, intermediate, root) |
8 # certificates that can be used to test fetching of an intermediate via AIA. | 8 # certificates that can be used to test fetching of an intermediate via AIA. |
9 | 9 |
10 try() { | 10 try() { |
(...skipping 106 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
117 | 117 |
118 ## SubjectAltName parsing | 118 ## SubjectAltName parsing |
119 try openssl req -x509 -days 3650 -extensions req_san_sanity \ | 119 try openssl req -x509 -days 3650 -extensions req_san_sanity \ |
120 -config ../scripts/ee.cnf -newkey rsa:2048 -text \ | 120 -config ../scripts/ee.cnf -newkey rsa:2048 -text \ |
121 -out ../certificates/subjectAltName_sanity_check.pem | 121 -out ../certificates/subjectAltName_sanity_check.pem |
122 | 122 |
123 ## Punycode handling | 123 ## Punycode handling |
124 SUBJECT_NAME="req_punycode_dn" \ | 124 SUBJECT_NAME="req_punycode_dn" \ |
125 try openssl req -x509 -days 3650 -extensions req_punycode \ | 125 try openssl req -x509 -days 3650 -extensions req_punycode \ |
126 -config ../scripts/ee.cnf -newkey rsa:2048 -text \ | 126 -config ../scripts/ee.cnf -newkey rsa:2048 -text \ |
127 -out ../certificates/punycodetest.pem | 127 -out ../certificates/punycodetest.pem |
| 128 |
| 129 ## Reject intranet hostnames in "publicly" trusted certs |
| 130 # 365 * 3 = 1095 |
| 131 SUBJECT_NAME="req_dn" \ |
| 132 try openssl req -x509 -days 1095 \ |
| 133 -config ../scripts/ee.cnf -newkey rsa:2048 -text \ |
| 134 -out ../certificates/reject_intranet_hosts.pem |
| 135 |
| 136 ## Validity too long |
| 137 # 365 * 11 = 4015 |
| 138 try openssl req -config ../scripts/ee.cnf \ |
| 139 -newkey rsa:2048 -text -out ../certificates/11_year_validity.req |
| 140 CA_COMMON_NAME="Test Root CA" \ |
| 141 try openssl ca \ |
| 142 -batch \ |
| 143 -extensions user_cert \ |
| 144 -startdate 141030000000Z \ |
| 145 -days 4015 \ |
| 146 -in ../certificates/11_year_validity.req \ |
| 147 -out ../certificates/11_year_validity.pem \ |
| 148 -config ca.cnf |
| 149 try openssl req -config ../scripts/ee.cnf \ |
| 150 -newkey rsa:2048 -text -out ../certificates/40_months_after_2015_04.req |
| 151 CA_COMMON_NAME="Test Root CA" \ |
| 152 try openssl ca \ |
| 153 -batch \ |
| 154 -extensions user_cert \ |
| 155 -startdate 150402000000Z \ |
| 156 -enddate 180901000000Z \ |
| 157 -in ../certificates/40_months_after_2015_04.req \ |
| 158 -out ../certificates/40_months_after_2015_04.pem \ |
| 159 -config ca.cnf |
| 160 try openssl req -config ../scripts/ee.cnf \ |
| 161 -newkey rsa:2048 -text -out ../certificates/61_months_after_2012_07.req |
| 162 # 30 * 61 = 1830 |
| 163 CA_COMMON_NAME="Test Root CA" \ |
| 164 try openssl ca \ |
| 165 -batch \ |
| 166 -extensions user_cert \ |
| 167 -startdate 141030000000Z \ |
| 168 -days 1830 \ |
| 169 -in ../certificates/61_months_after_2012_07.req \ |
| 170 -out ../certificates/61_months_after_2012_07.pem \ |
| 171 -config ca.cnf |
128 | 172 |
129 # Regenerate CRLSets | 173 # Regenerate CRLSets |
130 ## Block a leaf cert directly by SPKI | 174 ## Block a leaf cert directly by SPKI |
131 try python crlsetutil.py -o ../certificates/crlset_by_leaf_spki.raw \ | 175 try python crlsetutil.py -o ../certificates/crlset_by_leaf_spki.raw \ |
132 <<CRLBYLEAFSPKI | 176 <<CRLBYLEAFSPKI |
133 { | 177 { |
134 "BlockedBySPKI": ["../certificates/ok_cert.pem"] | 178 "BlockedBySPKI": ["../certificates/ok_cert.pem"] |
135 } | 179 } |
136 CRLBYLEAFSPKI | 180 CRLBYLEAFSPKI |
137 | 181 |
(...skipping 11 matching lines...) Expand all Loading... |
149 ## Block a leaf cert by issuer-hash-and-serial. However, this will be issued | 193 ## Block a leaf cert by issuer-hash-and-serial. However, this will be issued |
150 ## from an intermediate CA issued underneath a root. | 194 ## from an intermediate CA issued underneath a root. |
151 try python crlsetutil.py -o ../certificates/crlset_by_intermediate_serial.raw \ | 195 try python crlsetutil.py -o ../certificates/crlset_by_intermediate_serial.raw \ |
152 <<CRLSETBYINTERMEDIATESERIAL | 196 <<CRLSETBYINTERMEDIATESERIAL |
153 { | 197 { |
154 "BlockedByHash": { | 198 "BlockedByHash": { |
155 "../certificates/quic_intermediate.crt": [3] | 199 "../certificates/quic_intermediate.crt": [3] |
156 } | 200 } |
157 } | 201 } |
158 CRLSETBYINTERMEDIATESERIAL | 202 CRLSETBYINTERMEDIATESERIAL |
OLD | NEW |