| OLD | NEW |
| 1 #!/bin/sh | 1 #!/bin/sh |
| 2 | 2 |
| 3 # Copyright 2013 The Chromium Authors. All rights reserved. | 3 # Copyright 2013 The Chromium Authors. All rights reserved. |
| 4 # Use of this source code is governed by a BSD-style license that can be | 4 # Use of this source code is governed by a BSD-style license that can be |
| 5 # found in the LICENSE file. | 5 # found in the LICENSE file. |
| 6 | 6 |
| 7 # This script generates a set of test (end-entity, intermediate, root) | 7 # This script generates a set of test (end-entity, intermediate, root) |
| 8 # certificates that can be used to test fetching of an intermediate via AIA. | 8 # certificates that can be used to test fetching of an intermediate via AIA. |
| 9 | 9 |
| 10 try() { | 10 try() { |
| (...skipping 205 matching lines...) |
| 216 -batch \ | 216 -batch \ |
| 217 -extensions user_cert \ | 217 -extensions user_cert \ |
| 218 -startdate 160101000000Z \ | 218 -startdate 160101000000Z \ |
| 219 -enddate 161230000000Z \ | 219 -enddate 161230000000Z \ |
| 220 -in out/sha1_jan_2016.req \ | 220 -in out/sha1_jan_2016.req \ |
| 221 -out ../certificates/sha1_jan_2016.pem \ | 221 -out ../certificates/sha1_jan_2016.pem \ |
| 222 -config ca.cnf | 222 -config ca.cnf |
| 223 | 223 |
| 224 ## Validity too long unit test support. | 224 ## Validity too long unit test support. |
| 225 try openssl req -config ../scripts/ee.cnf \ | 225 try openssl req -config ../scripts/ee.cnf \ |
| 226 -newkey rsa:2048 -text -out ../certificates/10_year_validity.req | 226 -newkey rsa:2048 -text -out out/10_year_validity.req |
| 227 CA_COMMON_NAME="Test Root CA" \ | 227 CA_COMMON_NAME="Test Root CA" \ |
| 228 try openssl ca \ | 228 try openssl ca \ |
| 229 -batch \ | 229 -batch \ |
| 230 -extensions user_cert \ | 230 -extensions user_cert \ |
| 231 -startdate 081030000000Z \ | 231 -startdate 081030000000Z \ |
| 232 -enddate 181029000000Z \ | 232 -enddate 181029000000Z \ |
| 233 -in ../certificates/10_year_validity.req \ | 233 -in out/10_year_validity.req \ |
| 234 -out ../certificates/10_year_validity.pem \ | 234 -out ../certificates/10_year_validity.pem \ |
| 235 -config ca.cnf | 235 -config ca.cnf |
| 236 # 365 * 11 = 4015 | 236 # 365 * 11 = 4015 |
| 237 try openssl req -config ../scripts/ee.cnf \ | 237 try openssl req -config ../scripts/ee.cnf \ |
| 238 -newkey rsa:2048 -text -out ../certificates/11_year_validity.req | 238 -newkey rsa:2048 -text -out out/11_year_validity.req |
| 239 CA_COMMON_NAME="Test Root CA" \ | 239 CA_COMMON_NAME="Test Root CA" \ |
| 240 try openssl ca \ | 240 try openssl ca \ |
| 241 -batch \ | 241 -batch \ |
| 242 -extensions user_cert \ | 242 -extensions user_cert \ |
| 243 -startdate 141030000000Z \ | 243 -startdate 141030000000Z \ |
| 244 -days 4015 \ | 244 -days 4015 \ |
| 245 -in ../certificates/11_year_validity.req \ | 245 -in out/11_year_validity.req \ |
| 246 -out ../certificates/11_year_validity.pem \ | 246 -out ../certificates/11_year_validity.pem \ |
| 247 -config ca.cnf | 247 -config ca.cnf |
| 248 try openssl req -config ../scripts/ee.cnf \ | 248 try openssl req -config ../scripts/ee.cnf \ |
| 249 -newkey rsa:2048 -text -out ../certificates/39_months_after_2015_04.req | 249 -newkey rsa:2048 -text -out out/39_months_after_2015_04.req |
| 250 CA_COMMON_NAME="Test Root CA" \ | 250 CA_COMMON_NAME="Test Root CA" \ |
| 251 try openssl ca \ | 251 try openssl ca \ |
| 252 -batch \ | 252 -batch \ |
| 253 -extensions user_cert \ | 253 -extensions user_cert \ |
| 254 -startdate 150402000000Z \ | 254 -startdate 150402000000Z \ |
| 255 -enddate 180702000000Z \ | 255 -enddate 180702000000Z \ |
| 256 -in ../certificates/39_months_after_2015_04.req \ | 256 -in out/39_months_after_2015_04.req \ |
| 257 -out ../certificates/39_months_after_2015_04.pem \ | 257 -out ../certificates/39_months_after_2015_04.pem \ |
| 258 -config ca.cnf | 258 -config ca.cnf |
| 259 try openssl req -config ../scripts/ee.cnf \ | 259 try openssl req -config ../scripts/ee.cnf \ |
| 260 -newkey rsa:2048 -text -out ../certificates/40_months_after_2015_04.req | 260 -newkey rsa:2048 -text -out out/40_months_after_2015_04.req |
| 261 CA_COMMON_NAME="Test Root CA" \ | 261 CA_COMMON_NAME="Test Root CA" \ |
| 262 try openssl ca \ | 262 try openssl ca \ |
| 263 -batch \ | 263 -batch \ |
| 264 -extensions user_cert \ | 264 -extensions user_cert \ |
| 265 -startdate 150402000000Z \ | 265 -startdate 150402000000Z \ |
| 266 -enddate 180801000000Z \ | 266 -enddate 180801000000Z \ |
| 267 -in ../certificates/40_months_after_2015_04.req \ | 267 -in out/40_months_after_2015_04.req \ |
| 268 -out ../certificates/40_months_after_2015_04.pem \ | 268 -out ../certificates/40_months_after_2015_04.pem \ |
| 269 -config ca.cnf | 269 -config ca.cnf |
| 270 try openssl req -config ../scripts/ee.cnf \ | 270 try openssl req -config ../scripts/ee.cnf \ |
| 271 -newkey rsa:2048 -text -out ../certificates/60_months_after_2012_07.req | 271 -newkey rsa:2048 -text -out out/60_months_after_2012_07.req |
| 272 CA_COMMON_NAME="Test Root CA" \ | 272 CA_COMMON_NAME="Test Root CA" \ |
| 273 try openssl ca \ | 273 try openssl ca \ |
| 274 -batch \ | 274 -batch \ |
| 275 -extensions user_cert \ | 275 -extensions user_cert \ |
| 276 -startdate 141030000000Z \ | 276 -startdate 141030000000Z \ |
| 277 -enddate 190930000000Z \ | 277 -enddate 190930000000Z \ |
| 278 -in ../certificates/60_months_after_2012_07.req \ | 278 -in out/60_months_after_2012_07.req \ |
| 279 -out ../certificates/60_months_after_2012_07.pem \ | 279 -out ../certificates/60_months_after_2012_07.pem \ |
| 280 -config ca.cnf | 280 -config ca.cnf |
| 281 try openssl req -config ../scripts/ee.cnf \ | 281 try openssl req -config ../scripts/ee.cnf \ |
| 282 -newkey rsa:2048 -text -out ../certificates/61_months_after_2012_07.req | 282 -newkey rsa:2048 -text -out out/61_months_after_2012_07.req |
| 283 # 30 * 61 = 1830 | 283 # 30 * 61 = 1830 |
| 284 CA_COMMON_NAME="Test Root CA" \ | 284 CA_COMMON_NAME="Test Root CA" \ |
| 285 try openssl ca \ | 285 try openssl ca \ |
| 286 -batch \ | 286 -batch \ |
| 287 -extensions user_cert \ | 287 -extensions user_cert \ |
| 288 -startdate 141030000000Z \ | 288 -startdate 141030000000Z \ |
| 289 -days 1830 \ | 289 -days 1830 \ |
| 290 -in ../certificates/61_months_after_2012_07.req \ | 290 -in out/61_months_after_2012_07.req \ |
| 291 -out ../certificates/61_months_after_2012_07.pem \ | 291 -out ../certificates/61_months_after_2012_07.pem \ |
| 292 -config ca.cnf | 292 -config ca.cnf |
| 293 # start date after expiry date | 293 # start date after expiry date |
| 294 try openssl req -config ../scripts/ee.cnf \ | 294 try openssl req -config ../scripts/ee.cnf \ |
| 295 -newkey rsa:2048 -text -out ../certificates/start_after_expiry.req | 295 -newkey rsa:2048 -text -out out/start_after_expiry.req |
| 296 CA_COMMON_NAME="Test Root CA" \ | 296 CA_COMMON_NAME="Test Root CA" \ |
| 297 try openssl ca \ | 297 try openssl ca \ |
| 298 -batch \ | 298 -batch \ |
| 299 -extensions user_cert \ | 299 -extensions user_cert \ |
| 300 -startdate 180901000000Z \ | 300 -startdate 180901000000Z \ |
| 301 -enddate 150402000000Z \ | 301 -enddate 150402000000Z \ |
| 302 -in ../certificates/start_after_expiry.req \ | 302 -in out/start_after_expiry.req \ |
| 303 -out ../certificates/start_after_expiry.pem \ | 303 -out ../certificates/start_after_expiry.pem \ |
| 304 -config ca.cnf | 304 -config ca.cnf |
| 305 try openssl req -config ../scripts/ee.cnf \ | 305 try openssl req -config ../scripts/ee.cnf \ |
| 306 -newkey rsa:2048 -text -out ../certificates/start_after_expiry.req | 306 -newkey rsa:2048 -text -out out/start_after_expiry.req |
| 307 # Issued pre-BRs, lifetime < 120 months, expires before 2019-07-01 | 307 # Issued pre-BRs, lifetime < 120 months, expires before 2019-07-01 |
| 308 try openssl req -config ../scripts/ee.cnf \ | 308 try openssl req -config ../scripts/ee.cnf \ |
| 309 -newkey rsa:2048 -text -out ../certificates/pre_br_validity_ok.req | 309 -newkey rsa:2048 -text -out out/pre_br_validity_ok.req |
| 310 CA_COMMON_NAME="Test Root CA" \ | 310 CA_COMMON_NAME="Test Root CA" \ |
| 311 try openssl ca \ | 311 try openssl ca \ |
| 312 -batch \ | 312 -batch \ |
| 313 -extensions user_cert \ | 313 -extensions user_cert \ |
| 314 -startdate 080101000000Z \ | 314 -startdate 080101000000Z \ |
| 315 -enddate 150101000000Z \ | 315 -enddate 150101000000Z \ |
| 316 -in ../certificates/pre_br_validity_ok.req \ | 316 -in out/pre_br_validity_ok.req \ |
| 317 -out ../certificates/pre_br_validity_ok.pem \ | 317 -out ../certificates/pre_br_validity_ok.pem \ |
| 318 -config ca.cnf | 318 -config ca.cnf |
| 319 try openssl req -config ../scripts/ee.cnf \ | 319 try openssl req -config ../scripts/ee.cnf \ |
| 320 -newkey rsa:2048 -text -out ../certificates/pre_br_validity_ok.req | 320 -newkey rsa:2048 -text -out out/pre_br_validity_ok.req |
| 321 # Issued pre-BRs, lifetime > 120 months, expires before 2019-07-01 | 321 # Issued pre-BRs, lifetime > 120 months, expires before 2019-07-01 |
| 322 try openssl req -config ../scripts/ee.cnf \ | 322 try openssl req -config ../scripts/ee.cnf \ |
| 323 -newkey rsa:2048 -text -out ../certificates/pre_br_validity_bad_121.req | 323 -newkey rsa:2048 -text -out out/pre_br_validity_bad_121.req |
| 324 CA_COMMON_NAME="Test Root CA" \ | 324 CA_COMMON_NAME="Test Root CA" \ |
| 325 try openssl ca \ | 325 try openssl ca \ |
| 326 -batch \ | 326 -batch \ |
| 327 -extensions user_cert \ | 327 -extensions user_cert \ |
| 328 -startdate 080101000000Z \ | 328 -startdate 080101000000Z \ |
| 329 -enddate 180501000000Z \ | 329 -enddate 180501000000Z \ |
| 330 -in ../certificates/pre_br_validity_bad_121.req \ | 330 -in out/pre_br_validity_bad_121.req \ |
| 331 -out ../certificates/pre_br_validity_bad_121.pem \ | 331 -out ../certificates/pre_br_validity_bad_121.pem \ |
| 332 -config ca.cnf | 332 -config ca.cnf |
| 333 try openssl req -config ../scripts/ee.cnf \ | 333 try openssl req -config ../scripts/ee.cnf \ |
| 334 -newkey rsa:2048 -text -out ../certificates/pre_br_validity_bad_121.req | 334 -newkey rsa:2048 -text -out out/pre_br_validity_bad_121.req |
| 335 # Issued pre-BRs, lifetime < 120 months, expires after 2019-07-01 | 335 # Issued pre-BRs, lifetime < 120 months, expires after 2019-07-01 |
| 336 try openssl req -config ../scripts/ee.cnf \ | 336 try openssl req -config ../scripts/ee.cnf \ |
| 337 -newkey rsa:2048 -text -out ../certificates/pre_br_validity_bad_2020.req | 337 -newkey rsa:2048 -text -out out/pre_br_validity_bad_2020.req |
| 338 CA_COMMON_NAME="Test Root CA" \ | 338 CA_COMMON_NAME="Test Root CA" \ |
| 339 try openssl ca \ | 339 try openssl ca \ |
| 340 -batch \ | 340 -batch \ |
| 341 -extensions user_cert \ | 341 -extensions user_cert \ |
| 342 -startdate 120501000000Z \ | 342 -startdate 120501000000Z \ |
| 343 -enddate 190703000000Z \ | 343 -enddate 190703000000Z \ |
| 344 -in ../certificates/pre_br_validity_bad_2020.req \ | 344 -in out/pre_br_validity_bad_2020.req \ |
| 345 -out ../certificates/pre_br_validity_bad_2020.pem \ | 345 -out ../certificates/pre_br_validity_bad_2020.pem \ |
| 346 -config ca.cnf | 346 -config ca.cnf |
| 347 |
| 348 # Issued prior to 1 June 2016 (Symantec CT Enforcement Date) |
| 347 try openssl req -config ../scripts/ee.cnf \ | 349 try openssl req -config ../scripts/ee.cnf \ |
| 348 -newkey rsa:2048 -text -out ../certificates/pre_br_validity_bad_2020.req | 350 -newkey rsa:2048 -text -out out/pre_june_2016.req |
| 351 CA_COMMON_NAME="Test Root CA" \ |
| 352 try openssl ca \ |
| 353 -batch \ |
| 354 -extensions user_cert \ |
| 355 -startdate 160501000000Z \ |
| 356 -enddate 170703000000Z \ |
| 357 -in out/pre_june_2016.req \ |
| 358 -out ../certificates/pre_june_2016.pem \ |
| 359 -config ca.cnf |
| 360 |
| 361 # Issued after 1 June 2016 (Symantec CT Enforcement Date) |
| 362 try openssl req -config ../scripts/ee.cnf \ |
| 363 -newkey rsa:2048 -text -out out/post_june_2016.req |
| 364 CA_COMMON_NAME="Test Root CA" \ |
| 365 try openssl ca \ |
| 366 -batch \ |
| 367 -extensions user_cert \ |
| 368 -startdate 160601000000Z \ |
| 369 -enddate 170703000000Z \ |
| 370 -in out/post_june_2016.req \ |
| 371 -out ../certificates/post_june_2016.pem \ |
| 372 -config ca.cnf |
| 373 |
| 349 | 374 |
| 350 # Regenerate CRLSets | 375 # Regenerate CRLSets |
| 351 ## Block a leaf cert directly by SPKI | 376 ## Block a leaf cert directly by SPKI |
| 352 try python crlsetutil.py -o ../certificates/crlset_by_leaf_spki.raw \ | 377 try python crlsetutil.py -o ../certificates/crlset_by_leaf_spki.raw \ |
| 353 <<CRLBYLEAFSPKI | 378 <<CRLBYLEAFSPKI |
| 354 { | 379 { |
| 355 "BlockedBySPKI": ["../certificates/ok_cert.pem"] | 380 "BlockedBySPKI": ["../certificates/ok_cert.pem"] |
| 356 } | 381 } |
| 357 CRLBYLEAFSPKI | 382 CRLBYLEAFSPKI |
| 358 | 383 |
| (...skipping 11 matching lines...) |
| 370 ## Block a leaf cert by issuer-hash-and-serial. However, this will be issued | 395 ## Block a leaf cert by issuer-hash-and-serial. However, this will be issued |
| 371 ## from an intermediate CA issued underneath a root. | 396 ## from an intermediate CA issued underneath a root. |
| 372 try python crlsetutil.py -o ../certificates/crlset_by_intermediate_serial.raw \ | 397 try python crlsetutil.py -o ../certificates/crlset_by_intermediate_serial.raw \ |
| 373 <<CRLSETBYINTERMEDIATESERIAL | 398 <<CRLSETBYINTERMEDIATESERIAL |
| 374 { | 399 { |
| 375 "BlockedByHash": { | 400 "BlockedByHash": { |
| 376 "../certificates/quic_intermediate.crt": [3] | 401 "../certificates/quic_intermediate.crt": [3] |
| 377 } | 402 } |
| 378 } | 403 } |
| 379 CRLSETBYINTERMEDIATESERIAL | 404 CRLSETBYINTERMEDIATESERIAL |
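Review bot: The comment on new line 361 says "Issued after 1 June 2016", but `-startdate 160601000000Z` on new line 368 puts notBefore exactly on the enforcement instant, so `post_june_2016.pem` really tests whether the boundary is inclusive. If that is intended, the comment should say so, e.g. `# notBefore exactly 2016-06-01 00:00:00Z (Symantec CT Enforcement Date): boundary is inclusive`. The matching `pre_june_2016` fixture starts a full month earlier (`-startdate 160501000000Z`, new line 355), so the last instant before enforcement is not exercised; `-startdate 160531235959Z` would pin that side. Separately, the `openssl req` pairs at new lines 305-306, 319-320 and 333-334 regenerate a request that the preceding `openssl ca` call has already signed. They look like copy-paste leftovers and could be dropped, since whatever they write under `out/` no longer corresponds to the issued certificate.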
| OLD | NEW |