Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(280)

Issues Search
    My Issues | Starred     Open | Closed | All

Side by Side Diff: net/data/ssl/scripts/generate-test-certs.sh

Issue 20628006: Reject certificates that are valid for too long. (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src
Patch Set: Don't use arithmetic expressions in shell script. Created 6 years, 1 month ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch | Annotate | Revision Log
« net/cert/cert_verify_proc.cc ('K') | « net/data/ssl/certificates/twitter-chain.pem ('k') | net/test/test_certificate_data.h » ('j') | no next file with comments »
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
1 #!/bin/sh 1 #!/bin/sh
2 2
3 # Copyright 2013 The Chromium Authors. All rights reserved. 3 # Copyright 2013 The Chromium Authors. All rights reserved.
4 # Use of this source code is governed by a BSD-style license that can be 4 # Use of this source code is governed by a BSD-style license that can be
5 # found in the LICENSE file. 5 # found in the LICENSE file.
6 6
7 # This script generates a set of test (end-entity, intermediate, root) 7 # This script generates a set of test (end-entity, intermediate, root)
8 # certificates that can be used to test fetching of an intermediate via AIA. 8 # certificates that can be used to test fetching of an intermediate via AIA.
9 9
10 try() { 10 try() {
(...skipping 106 matching lines...) Expand 10 before | Expand all | Expand 10 after
117 117
118 ## SubjectAltName parsing 118 ## SubjectAltName parsing
119 try openssl req -x509 -days 3650 -extensions req_san_sanity \ 119 try openssl req -x509 -days 3650 -extensions req_san_sanity \
120 -config ../scripts/ee.cnf -newkey rsa:2048 -text \ 120 -config ../scripts/ee.cnf -newkey rsa:2048 -text \
121 -out ../certificates/subjectAltName_sanity_check.pem 121 -out ../certificates/subjectAltName_sanity_check.pem
122 122
123 ## Punycode handling 123 ## Punycode handling
124 SUBJECT_NAME="req_punycode_dn" \ 124 SUBJECT_NAME="req_punycode_dn" \
125 try openssl req -x509 -days 3650 -extensions req_punycode \ 125 try openssl req -x509 -days 3650 -extensions req_punycode \
126 -config ../scripts/ee.cnf -newkey rsa:2048 -text \ 126 -config ../scripts/ee.cnf -newkey rsa:2048 -text \
127 -out ../certificates/punycodetest.pem 127 -out ../certificates/punycodetest.pem
128
129 ## Reject intranet hostnames in "publicly" trusted certs
130 # 365 * 3 = 1095
131 SUBJECT_NAME="req_dn" \
132 try openssl req -x509 -days 1095 \
133 -config ../scripts/ee.cnf -newkey rsa:2048 -text \
134 -out ../certificates/reject_intranet_hosts.pem
135
136 ## Validity too long
137 # 365 * 11 = 4015
138 try openssl req -config ../scripts/ee.cnf \
139 -newkey rsa:2048 -text -out ../certificates/11_year_validity.req
140 CA_COMMON_NAME="Test Root CA" \
141 try openssl ca \
142 -batch \
143 -extensions user_cert \
144 -startdate 141030000000Z \
145 -days 4015 \
146 -in ../certificates/11_year_validity.req \
147 -out ../certificates/11_year_validity.pem \
148 -config ca.cnf
149 try openssl req -config ../scripts/ee.cnf \
150 -newkey rsa:2048 -text -out ../certificates/40_months_after_2015_04.req
151 CA_COMMON_NAME="Test Root CA" \
152 try openssl ca \
153 -batch \
154 -extensions user_cert \
155 -startdate 150402000000Z \
156 -enddate 180901000000Z \
157 -in ../certificates/40_months_after_2015_04.req \
158 -out ../certificates/40_months_after_2015_04.pem \
159 -config ca.cnf
160 try openssl req -config ../scripts/ee.cnf \
161 -newkey rsa:2048 -text -out ../certificates/61_months_after_2012_07.req
162 # 30 * 61 = 1830
163 CA_COMMON_NAME="Test Root CA" \
164 try openssl ca \
165 -batch \
166 -extensions user_cert \
167 -startdate 141030000000Z \
168 -days 1830 \
169 -in ../certificates/61_months_after_2012_07.req \
170 -out ../certificates/61_months_after_2012_07.pem \
171 -config ca.cnf
128 172
129 # Regenerate CRLSets 173 # Regenerate CRLSets
130 ## Block a leaf cert directly by SPKI 174 ## Block a leaf cert directly by SPKI
131 try python crlsetutil.py -o ../certificates/crlset_by_leaf_spki.raw \ 175 try python crlsetutil.py -o ../certificates/crlset_by_leaf_spki.raw \
132 <<CRLBYLEAFSPKI 176 <<CRLBYLEAFSPKI
133 { 177 {
134 "BlockedBySPKI": ["../certificates/ok_cert.pem"] 178 "BlockedBySPKI": ["../certificates/ok_cert.pem"]
135 } 179 }
136 CRLBYLEAFSPKI 180 CRLBYLEAFSPKI
137 181
(...skipping 11 matching lines...) Expand all
149 ## Block a leaf cert by issuer-hash-and-serial. However, this will be issued 193 ## Block a leaf cert by issuer-hash-and-serial. However, this will be issued
150 ## from an intermediate CA issued underneath a root. 194 ## from an intermediate CA issued underneath a root.
151 try python crlsetutil.py -o ../certificates/crlset_by_intermediate_serial.raw \ 195 try python crlsetutil.py -o ../certificates/crlset_by_intermediate_serial.raw \
152 <<CRLSETBYINTERMEDIATESERIAL 196 <<CRLSETBYINTERMEDIATESERIAL
153 { 197 {
154 "BlockedByHash": { 198 "BlockedByHash": {
155 "../certificates/quic_intermediate.crt": [3] 199 "../certificates/quic_intermediate.crt": [3]
156 } 200 }
157 } 201 }
158 CRLSETBYINTERMEDIATESERIAL 202 CRLSETBYINTERMEDIATESERIAL
OLDNEW
« net/cert/cert_verify_proc.cc ('K') | « net/data/ssl/certificates/twitter-chain.pem ('k') | net/test/test_certificate_data.h » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698