Tidy up ssl_platform_key_android_unittest.cc.

net/data/ssl/scripts/generate-client-certificates.sh

 #!/bin/bash
 
 # Copyright (c) 2012 The Chromium Authors. All rights reserved.
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
 
 # This script generates certificates that can be used to test SSL client
 # authentication. Outputs for automated tests are stored in
 # net/data/ssl/certificates, but may be re-generated for manual testing.
 #
-# This script generates two chains of test client certificates:
+# This script generates several chains of test client certificates:
 #
 #   1. A (end-entity) -> B -> C (self-signed root)
 #   2. D (end-entity) -> E -> C (self-signed root)
+#   3. F (end-entity) -> E -> C (self-signed root)
+#   4. G (end-entity, P-256) -> E -> C (self-signed root)
 #
-# In which A, B, C, D, and E all have distinct keypairs. Both client
+# In which the certificates all have distinct keypairs. The client
 # certificates share the same root, but are issued by different
 # intermediates. The names of these intermediates are hardcoded within
 # unit tests, and thus should not be changed.
 
 try () {
   echo "$@"
   "$@" || exit 1
 }
 
 try rm -rf out
 try mkdir out
 
 echo Create the serial number files and indices.
 serial=1000
 for i in B C E
 do
   try /bin/sh -c "echo $serial > out/$i-serial"
   serial=$(expr $serial + 1)
   touch out/$i-index.txt
   touch out/$i-index.txt.attr
 done
 
 echo Generate the keys.
 for i in A B C D E F
 do
   try openssl genrsa -out out/$i.key 2048
 done
 
+try openssl ecparam -name prime256v1 -genkey -noout -out out/G.key
+
 echo Generate the C CSR
 COMMON_NAME="C Root CA" \
   CA_DIR=out \
   ID=C \
   try openssl req \
     -new \
     -key out/C.key \
     -out out/C.csr \
     -config client-certs.cnf
 
@@ skipping 42 matching lines @@
   CA_DIR=out \
   ID=C \
   try openssl ca \
     -batch \
     -extensions ca_cert \
     -in out/E.csr \
     -out out/E.pem \
     -config client-certs.cnf
 
 echo Generate the leaf certs
-for id in A D F
+for id in A D F G
 do
   COMMON_NAME="Client Cert $id" \
   ID=$id \
   try openssl req \
     -new \
     -key out/$id.key \
     -out out/$id.csr \
     -config client-certs.cnf
   # Store the private key also in PKCS#8 format.
   try openssl pkcs8 \
@@ skipping 29 matching lines @@
 COMMON_NAME="E CA" \
   CA_DIR=out \
   ID=E \
   try openssl ca \
     -batch \
     -extensions san_user_cert \
     -in out/F.csr \
     -out out/F.pem \
     -config client-certs.cnf
 
+echo E signs G
+COMMON_NAME="E CA" \
+  CA_DIR=out \
+  ID=E \
+  try openssl ca \
+    -batch \
+    -extensions user_cert \
+    -in out/G.csr \
+    -out out/G.pem \
+    -config client-certs.cnf
+
 echo Package the client certs and private keys into PKCS12 files
 # This is done for easily importing all of the certs needed for clients.
 try /bin/sh -c "cat out/A.pem out/A.key out/B.pem out/C.pem > out/A-chain.pem"
 try /bin/sh -c "cat out/D.pem out/D.key out/E.pem out/C.pem > out/D-chain.pem"
 try /bin/sh -c "cat out/F.pem out/F.key out/E.pem out/C.pem > out/F-chain.pem"
+try /bin/sh -c "cat out/G.pem out/G.key out/E.pem out/C.pem > out/G-chain.pem"
 
 try openssl pkcs12 \
   -in out/A-chain.pem \
   -out client_1.p12 \
   -export \
   -passout pass:chrome
 
 try openssl pkcs12 \
   -in out/D-chain.pem \
   -out client_2.p12 \
   -export \
   -passout pass:chrome
 
 try openssl pkcs12 \
   -in out/F-chain.pem \
   -out client_3.p12 \
   -export \
   -passout pass:chrome
 
+try openssl pkcs12 \
+  -in out/G-chain.pem \
+  -out client_4.p12 \
+  -export \
+  -passout pass:chrome

[mattm, 2016/10/03 22:51:04]

I wonder why this script generates the .p12 files but doesn't actually save them
to certificates and nothing uses them..

[davidben, 2016/10/04 18:56:31]

No idea. I've found them useful at times, but I've just run the script anew each
time.

+
 echo Package the client certs for unit tests

[mattm, 2016/10/03 22:51:04]

While you're here.. would you mind making this copy the root cert (C.pem) into
certificates also? Would be helpful for manual testing client cert stuff. (I ran
into this on the client cert bug I was working on recently, had to regenerate
the certs for my testing since the root wasn't checked in.)

[davidben, 2016/10/04 18:56:31]

Done.

 try cp out/A.pem ../certificates/client_1.pem
 try cp out/A.key ../certificates/client_1.key
 try cp out/A.pk8 ../certificates/client_1.pk8
 try cp out/B.pem ../certificates/client_1_ca.pem
 
 try cp out/D.pem ../certificates/client_2.pem
 try cp out/D.key ../certificates/client_2.key
 try cp out/D.pk8 ../certificates/client_2.pk8
 try cp out/E.pem ../certificates/client_2_ca.pem
 
 try cp out/F.pem ../certificates/client_3.pem
 try cp out/F.key ../certificates/client_3.key
 try cp out/F.pk8 ../certificates/client_3.pk8
 try cp out/E.pem ../certificates/client_3_ca.pem
+
+try cp out/G.pem ../certificates/client_4.pem
+try cp out/G.key ../certificates/client_4.key
+try cp out/G.pk8 ../certificates/client_4.pk8
+try cp out/E.pem ../certificates/client_4_ca.pem