| 1 #!/bin/sh | 1 #!/bin/sh |
| 2 | 2 |
| 3 # Copyright 2013 The Chromium Authors. All rights reserved. | 3 # Copyright 2013 The Chromium Authors. All rights reserved. |
| 4 # Use of this source code is governed by a BSD-style license that can be | 4 # Use of this source code is governed by a BSD-style license that can be |
| 5 # found in the LICENSE file. | 5 # found in the LICENSE file. |
| 6 | 6 |
| 7 # This script generates a set of test (end-entity, intermediate, root) | 7 # This script generates a set of test (end-entity, intermediate, root) |
| 8 # certificates that can be used to test fetching of an intermediate via AIA. | 8 # certificates that can be used to test fetching of an intermediate via AIA. |
| 9 | 9 |
| 10 try() { | 10 try() { |
| 11 "$@" || (e=$?; echo "$@" > /dev/stderr; exit $e) | 11 "$@" || (e=$?; echo "$@" > /dev/stderr; exit $e) |
| 12 } | 12 } |
| 13 | 13 |
| 14 try rm -rf out | 14 try rm -rf out |
| 15 try mkdir out | 15 try mkdir out |
| 16 try mkdir out/int |
| 16 | 17 |
| 17 try /bin/sh -c "echo 01 > out/2048-sha256-root-serial" | 18 try /bin/sh -c "echo 01 > out/2048-sha256-root-serial" |
| 18 touch out/2048-sha256-root-index.txt | 19 touch out/2048-sha256-root-index.txt |
| 19 | 20 |
| 20 # Generate the key | 21 # Generate the key |
| 21 try openssl genrsa -out out/2048-sha256-root.key 2048 | 22 try openssl genrsa -out out/2048-sha256-root.key 2048 |
| 22 | 23 |
| 23 # Generate the root certificate | 24 # Generate the root certificate |
| 24 CA_COMMON_NAME="Test Root CA" \ | 25 CA_NAME="req_ca_dn" \ |
| 25 try openssl req \ | 26 try openssl req \ |
| 26 -new \ | 27 -new \ |
| 27 -key out/2048-sha256-root.key \ | 28 -key out/2048-sha256-root.key \ |
| 28 -out out/2048-sha256-root.req \ | 29 -out out/2048-sha256-root.req \ |
| 29 -config ca.cnf | 30 -config ca.cnf |
| 30 | 31 |
| 31 CA_COMMON_NAME="Test Root CA" \ | 32 CA_NAME="req_ca_dn" \ |
| 32 try openssl x509 \ | 33 try openssl x509 \ |
| 33 -req -days 3650 \ | 34 -req -days 3650 \ |
| 34 -in out/2048-sha256-root.req \ | 35 -in out/2048-sha256-root.req \ |
| 35 -signkey out/2048-sha256-root.key \ | 36 -signkey out/2048-sha256-root.key \ |
| 36 -extfile ca.cnf \ | 37 -extfile ca.cnf \ |
| 37 -extensions ca_cert \ | 38 -extensions ca_cert \ |
| 38 -text > out/2048-sha256-root.pem | 39 -text > out/2048-sha256-root.pem |
| 39 | 40 |
| 41 # Generate the test intermediate |
| 42 try /bin/sh -c "echo 01 > out/int/2048-sha256-int-serial" |
| 43 touch out/int/2048-sha256-int-index.txt |
| 44 |
| 45 CA_NAME="req_intermediate_dn" \ |
| 46 try openssl req \ |
| 47 -new \ |
| 48 -keyout out/int/2048-sha256-int.key \ |
| 49 -out out/int/2048-sha256-int.req \ |
| 50 -config ca.cnf |
| 51 |
| 52 CA_NAME="req_intermediate_dn" \ |
| 53 try openssl ca \ |
| 54 -batch \ |
| 55 -extensions ca_cert \ |
| 56 -days 3650 \ |
| 57 -in out/int/2048-sha256-int.req \ |
| 58 -out out/int/2048-sha256-int.pem \ |
| 59 -config ca.cnf |
| 60 |
| 40 # Generate the leaf certificate requests | 61 # Generate the leaf certificate requests |
| 41 try openssl req \ | 62 try openssl req \ |
| 42 -new \ | 63 -new \ |
| 43 -keyout out/expired_cert.key \ | 64 -keyout out/expired_cert.key \ |
| 44 -out out/expired_cert.req \ | 65 -out out/expired_cert.req \ |
| 45 -config ee.cnf | 66 -config ee.cnf |
| 46 | 67 |
| 47 try openssl req \ | 68 try openssl req \ |
| 48 -new \ | 69 -new \ |
| 49 -keyout out/ok_cert.key \ | 70 -keyout out/ok_cert.key \ |
| 50 -out out/ok_cert.req \ | 71 -out out/ok_cert.req \ |
| 51 -config ee.cnf | 72 -config ee.cnf |
| 52 | 73 |
| 53 try openssl req \ | 74 try openssl req \ |
| 54 -new \ | 75 -new \ |
| 55 -keyout out/wildcard.key \ | 76 -keyout out/wildcard.key \ |
| 56 -out out/wildcard.req \ | 77 -out out/wildcard.req \ |
| 57 -reqexts req_wildcard \ | 78 -reqexts req_wildcard \ |
| 58 -config ee.cnf | 79 -config ee.cnf |
| 59 | 80 |
| 60 SUBJECT_NAME=req_localhost_cn \ | 81 SUBJECT_NAME=req_localhost_cn \ |
| 61 try openssl req \ | 82 try openssl req \ |
| 62 -new \ | 83 -new \ |
| 63 -keyout out/localhost_cert.key \ | 84 -keyout out/localhost_cert.key \ |
| 64 -out out/localhost_cert.req \ | 85 -out out/localhost_cert.req \ |
| 65 -reqexts req_localhost_san \ | 86 -reqexts req_localhost_san \ |
| 66 -config ee.cnf | 87 -config ee.cnf |
| 67 | 88 |
| 68 # Generate the leaf certificates | 89 # Generate the leaf certificates |
| 69 CA_COMMON_NAME="Test Root CA" \ | 90 CA_NAME="req_ca_dn" \ |
| 70 try openssl ca \ | 91 try openssl ca \ |
| 71 -batch \ | 92 -batch \ |
| 72 -extensions user_cert \ | 93 -extensions user_cert \ |
| 73 -startdate 060101000000Z \ | 94 -startdate 060101000000Z \ |
| 74 -enddate 070101000000Z \ | 95 -enddate 070101000000Z \ |
| 75 -in out/expired_cert.req \ | 96 -in out/expired_cert.req \ |
| 76 -out out/expired_cert.pem \ | 97 -out out/expired_cert.pem \ |
| 77 -config ca.cnf | 98 -config ca.cnf |
| 78 | 99 |
| 79 CA_COMMON_NAME="Test Root CA" \ | 100 CA_NAME="req_ca_dn" \ |
| 80 try openssl ca \ | 101 try openssl ca \ |
| 81 -batch \ | 102 -batch \ |
| 82 -extensions user_cert \ | 103 -extensions user_cert \ |
| 83 -days 3650 \ | 104 -days 3650 \ |
| 84 -in out/ok_cert.req \ | 105 -in out/ok_cert.req \ |
| 85 -out out/ok_cert.pem \ | 106 -out out/ok_cert.pem \ |
| 86 -config ca.cnf | 107 -config ca.cnf |
| 87 | 108 |
| 88 CA_COMMON_NAME="Test Root CA" \ | 109 CA_DIR="out/int" \ |
| 110 CERT_TYPE="int" \ |
| 111 CA_NAME="req_intermediate_dn" \ |
| 89 try openssl ca \ | 112 try openssl ca \ |
| 90 -batch \ | 113 -batch \ |
| 91 -extensions user_cert \ | 114 -extensions user_cert \ |
| 115 -days 3650 \ |
| 116 -in out/ok_cert.req \ |
| 117 -out out/int/ok_cert.pem \ |
| 118 -config ca.cnf |
| 119 |
| 120 CA_NAME="req_ca_dn" \ |
| 121 try openssl ca \ |
| 122 -batch \ |
| 123 -extensions user_cert \ |
| 92 -days 3650 \ | 124 -days 3650 \ |
| 93 -in out/wildcard.req \ | 125 -in out/wildcard.req \ |
| 94 -out out/wildcard.pem \ | 126 -out out/wildcard.pem \ |
| 95 -config ca.cnf | 127 -config ca.cnf |
| 96 | 128 |
| 97 CA_COMMON_NAME="Test Root CA" \ | 129 CA_NAME="req_ca_dn" \ |
| 98 try openssl ca \ | 130 try openssl ca \ |
| 99 -batch \ | 131 -batch \ |
| 100 -extensions name_constraint_bad \ | 132 -extensions name_constraint_bad \ |
| 101 -subj "/CN=Leaf certificate/" \ | 133 -subj "/CN=Leaf certificate/" \ |
| 102 -days 3650 \ | 134 -days 3650 \ |
| 103 -in out/ok_cert.req \ | 135 -in out/ok_cert.req \ |
| 104 -out out/name_constraint_bad.pem \ | 136 -out out/name_constraint_bad.pem \ |
| 105 -config ca.cnf | 137 -config ca.cnf |
| 106 | 138 |
| 107 CA_COMMON_NAME="Test Root CA" \ | 139 CA_NAME="req_ca_dn" \ |
| 108 try openssl ca \ | 140 try openssl ca \ |
| 109 -batch \ | 141 -batch \ |
| 110 -extensions name_constraint_good \ | 142 -extensions name_constraint_good \ |
| 111 -subj "/CN=Leaf Certificate/" \ | 143 -subj "/CN=Leaf Certificate/" \ |
| 112 -days 3650 \ | 144 -days 3650 \ |
| 113 -in out/ok_cert.req \ | 145 -in out/ok_cert.req \ |
| 114 -out out/name_constraint_good.pem \ | 146 -out out/name_constraint_good.pem \ |
| 115 -config ca.cnf | 147 -config ca.cnf |
| 116 | 148 |
| 117 CA_COMMON_NAME="Test Root CA" \ | 149 CA_NAME="req_ca_dn" \ |
| 118 try openssl ca \ | 150 try openssl ca \ |
| 119 -batch \ | 151 -batch \ |
| 120 -extensions user_cert \ | 152 -extensions user_cert \ |
| 121 -days 3650 \ | 153 -days 3650 \ |
| 122 -in out/localhost_cert.req \ | 154 -in out/localhost_cert.req \ |
| 123 -out out/localhost_cert.pem \ | 155 -out out/localhost_cert.pem \ |
| 124 -config ca.cnf | 156 -config ca.cnf |
| 125 | 157 |
| 126 CA_COMMON_NAME="Test Root CA" \ | 158 CA_NAME="req_ca_dn" \ |
| 127 try openssl ca \ | 159 try openssl ca \ |
| 128 -batch \ | 160 -batch \ |
| 129 -extensions user_cert \ | 161 -extensions user_cert \ |
| 130 -subj "/CN=Leaf Certificate/" \ | 162 -subj "/CN=Leaf Certificate/" \ |
| 131 -startdate 00010101000000Z \ | 163 -startdate 00010101000000Z \ |
| 132 -enddate 00010101000000Z \ | 164 -enddate 00010101000000Z \ |
| 133 -in out/ok_cert.req \ | 165 -in out/ok_cert.req \ |
| 134 -out out/bad_validity.pem \ | 166 -out out/bad_validity.pem \ |
| 135 -config ca.cnf | 167 -config ca.cnf |
| 136 | 168 |
| 137 try /bin/sh -c "cat out/ok_cert.key out/ok_cert.pem \ | 169 try /bin/sh -c "cat out/ok_cert.key out/ok_cert.pem \ |
| 138 > ../certificates/ok_cert.pem" | 170 > ../certificates/ok_cert.pem" |
| 139 try /bin/sh -c "cat out/wildcard.key out/wildcard.pem \ | 171 try /bin/sh -c "cat out/wildcard.key out/wildcard.pem \ |
| 140 > ../certificates/wildcard.pem" | 172 > ../certificates/wildcard.pem" |
| 141 try /bin/sh -c "cat out/localhost_cert.key out/localhost_cert.pem \ | 173 try /bin/sh -c "cat out/localhost_cert.key out/localhost_cert.pem \ |
| 142 > ../certificates/localhost_cert.pem" | 174 > ../certificates/localhost_cert.pem" |
| 143 try /bin/sh -c "cat out/expired_cert.key out/expired_cert.pem \ | 175 try /bin/sh -c "cat out/expired_cert.key out/expired_cert.pem \ |
| 144 > ../certificates/expired_cert.pem" | 176 > ../certificates/expired_cert.pem" |
| 145 try /bin/sh -c "cat out/2048-sha256-root.key out/2048-sha256-root.pem \ | 177 try /bin/sh -c "cat out/2048-sha256-root.key out/2048-sha256-root.pem \ |
| 146 > ../certificates/root_ca_cert.pem" | 178 > ../certificates/root_ca_cert.pem" |
| 147 try /bin/sh -c "cat out/ok_cert.key out/name_constraint_bad.pem \ | 179 try /bin/sh -c "cat out/ok_cert.key out/name_constraint_bad.pem \ |
| 148 > ../certificates/name_constraint_bad.pem" | 180 > ../certificates/name_constraint_bad.pem" |
| 149 try /bin/sh -c "cat out/ok_cert.key out/name_constraint_good.pem \ | 181 try /bin/sh -c "cat out/ok_cert.key out/name_constraint_good.pem \ |
| 150 > ../certificates/name_constraint_good.pem" | 182 > ../certificates/name_constraint_good.pem" |
| 151 try /bin/sh -c "cat out/ok_cert.key out/bad_validity.pem \ | 183 try /bin/sh -c "cat out/ok_cert.key out/bad_validity.pem \ |
| 152 > ../certificates/bad_validity.pem" | 184 > ../certificates/bad_validity.pem" |
| 185 try /bin/sh -c "cat out/ok_cert.key out/int/ok_cert.pem \ |
| 186 > ../certificates/ok_cert_by_intermediate.pem" |
| 187 try /bin/sh -c "cat out/int/2048-sha256-int.key out/int/2048-sha256-int.pem \ |
| 188 > ../certificates/intermediate_ca_cert.pem" |
| 189 try /bin/sh -c "cat out/int/ok_cert.pem out/int/2048-sha256-int.pem \ |
| 190 out/2048-sha256-root.pem \ |
| 191 > ../certificates/x509_verify_results.chain.pem" |
| 153 | 192 |
| 154 # Now generate the one-off certs | 193 # Now generate the one-off certs |
| 155 ## Self-signed cert for SPDY/QUIC/HTTP2 pooling testing | 194 ## Self-signed cert for SPDY/QUIC/HTTP2 pooling testing |
| 156 try openssl req -x509 -days 3650 -extensions req_spdy_pooling \ | 195 try openssl req -x509 -days 3650 -extensions req_spdy_pooling \ |
| 157 -config ../scripts/ee.cnf -newkey rsa:2048 -text \ | 196 -config ../scripts/ee.cnf -newkey rsa:2048 -text \ |
| 158 -out ../certificates/spdy_pooling.pem | 197 -out ../certificates/spdy_pooling.pem |
| 159 | 198 |
| 160 ## SubjectAltName parsing | 199 ## SubjectAltName parsing |
| 161 try openssl req -x509 -days 3650 -extensions req_san_sanity \ | 200 try openssl req -x509 -days 3650 -extensions req_san_sanity \ |
| 162 -config ../scripts/ee.cnf -newkey rsa:2048 -text \ | 201 -config ../scripts/ee.cnf -newkey rsa:2048 -text \ |
| 178 ## Leaf certificate with a large key; Apple's certificate verifier rejects with | 217 ## Leaf certificate with a large key; Apple's certificate verifier rejects with |
| 179 ## a fatal error if the key is bigger than 8192 bits. | 218 ## a fatal error if the key is bigger than 8192 bits. |
| 180 try openssl req -x509 -days 3650 \ | 219 try openssl req -x509 -days 3650 \ |
| 181 -config ../scripts/ee.cnf -newkey rsa:8200 -text \ | 220 -config ../scripts/ee.cnf -newkey rsa:8200 -text \ |
| 182 -sha256 \ | 221 -sha256 \ |
| 183 -out ../certificates/large_key.pem | 222 -out ../certificates/large_key.pem |
| 184 | 223 |
| 185 ## SHA1 certificate expiring in 2016. | 224 ## SHA1 certificate expiring in 2016. |
| 186 try openssl req -config ../scripts/ee.cnf -sha1 \ | 225 try openssl req -config ../scripts/ee.cnf -sha1 \ |
| 187 -newkey rsa:2048 -text -out out/sha1_2016.req | 226 -newkey rsa:2048 -text -out out/sha1_2016.req |
| 188 CA_COMMON_NAME="Test Root CA" \ | 227 CA_NAME="req_ca_dn" \ |
| 189 try openssl ca \ | 228 try openssl ca \ |
| 190 -batch \ | 229 -batch \ |
| 191 -extensions user_cert \ | 230 -extensions user_cert \ |
| 192 -startdate 081030000000Z \ | 231 -startdate 081030000000Z \ |
| 193 -enddate 161230000000Z \ | 232 -enddate 161230000000Z \ |
| 194 -in out/sha1_2016.req \ | 233 -in out/sha1_2016.req \ |
| 195 -out ../certificates/sha1_2016.pem \ | 234 -out ../certificates/sha1_2016.pem \ |
| 196 -config ca.cnf | 235 -config ca.cnf |
| 197 | 236 |
| 198 ## SHA1 certificate issued the last second before the SHA-1 deprecation date. | 237 ## SHA1 certificate issued the last second before the SHA-1 deprecation date. |
| 199 try openssl req -config ../scripts/ee.cnf -sha1 \ | 238 try openssl req -config ../scripts/ee.cnf -sha1 \ |
| 200 -newkey rsa:2048 -text -out out/sha1_dec_2015.req | 239 -newkey rsa:2048 -text -out out/sha1_dec_2015.req |
| 201 CA_COMMON_NAME="Test Root CA" \ | 240 CA_NAME="req_ca_dn" \ |
| 202 try openssl ca \ | 241 try openssl ca \ |
| 203 -batch \ | 242 -batch \ |
| 204 -extensions user_cert \ | 243 -extensions user_cert \ |
| 205 -startdate 151231235959Z \ | 244 -startdate 151231235959Z \ |
| 206 -enddate 161230000000Z \ | 245 -enddate 161230000000Z \ |
| 207 -in out/sha1_dec_2015.req \ | 246 -in out/sha1_dec_2015.req \ |
| 208 -out ../certificates/sha1_dec_2015.pem \ | 247 -out ../certificates/sha1_dec_2015.pem \ |
| 209 -config ca.cnf | 248 -config ca.cnf |
| 210 | 249 |
| 211 ## SHA1 certificate issued on the SHA-1 deprecation date. | 250 ## SHA1 certificate issued on the SHA-1 deprecation date. |
| 212 try openssl req -config ../scripts/ee.cnf -sha1 \ | 251 try openssl req -config ../scripts/ee.cnf -sha1 \ |
| 213 -newkey rsa:2048 -text -out out/sha1_jan_2016.req | 252 -newkey rsa:2048 -text -out out/sha1_jan_2016.req |
| 214 CA_COMMON_NAME="Test Root CA" \ | 253 CA_NAME="req_ca_dn" \ |
| 215 try openssl ca \ | 254 try openssl ca \ |
| 216 -batch \ | 255 -batch \ |
| 217 -extensions user_cert \ | 256 -extensions user_cert \ |
| 218 -startdate 160101000000Z \ | 257 -startdate 160101000000Z \ |
| 219 -enddate 161230000000Z \ | 258 -enddate 161230000000Z \ |
| 220 -in out/sha1_jan_2016.req \ | 259 -in out/sha1_jan_2016.req \ |
| 221 -out ../certificates/sha1_jan_2016.pem \ | 260 -out ../certificates/sha1_jan_2016.pem \ |
| 222 -config ca.cnf | 261 -config ca.cnf |
| 223 | 262 |
| 224 ## Validity too long unit test support. | 263 ## Validity too long unit test support. |
| 225 try openssl req -config ../scripts/ee.cnf \ | 264 try openssl req -config ../scripts/ee.cnf \ |
| 226 -newkey rsa:2048 -text -out out/10_year_validity.req | 265 -newkey rsa:2048 -text -out out/10_year_validity.req |
| 227 CA_COMMON_NAME="Test Root CA" \ | 266 CA_NAME="req_ca_dn" \ |
| 228 try openssl ca \ | 267 try openssl ca \ |
| 229 -batch \ | 268 -batch \ |
| 230 -extensions user_cert \ | 269 -extensions user_cert \ |
| 231 -startdate 081030000000Z \ | 270 -startdate 081030000000Z \ |
| 232 -enddate 181029000000Z \ | 271 -enddate 181029000000Z \ |
| 233 -in out/10_year_validity.req \ | 272 -in out/10_year_validity.req \ |
| 234 -out ../certificates/10_year_validity.pem \ | 273 -out ../certificates/10_year_validity.pem \ |
| 235 -config ca.cnf | 274 -config ca.cnf |
| 236 # 365 * 11 = 4015 | 275 # 365 * 11 = 4015 |
| 237 try openssl req -config ../scripts/ee.cnf \ | 276 try openssl req -config ../scripts/ee.cnf \ |
| 238 -newkey rsa:2048 -text -out out/11_year_validity.req | 277 -newkey rsa:2048 -text -out out/11_year_validity.req |
| 239 CA_COMMON_NAME="Test Root CA" \ | 278 CA_NAME="req_ca_dn" \ |
| 240 try openssl ca \ | 279 try openssl ca \ |
| 241 -batch \ | 280 -batch \ |
| 242 -extensions user_cert \ | 281 -extensions user_cert \ |
| 243 -startdate 141030000000Z \ | 282 -startdate 141030000000Z \ |
| 244 -days 4015 \ | 283 -days 4015 \ |
| 245 -in out/11_year_validity.req \ | 284 -in out/11_year_validity.req \ |
| 246 -out ../certificates/11_year_validity.pem \ | 285 -out ../certificates/11_year_validity.pem \ |
| 247 -config ca.cnf | 286 -config ca.cnf |
| 248 try openssl req -config ../scripts/ee.cnf \ | 287 try openssl req -config ../scripts/ee.cnf \ |
| 249 -newkey rsa:2048 -text -out out/39_months_after_2015_04.req | 288 -newkey rsa:2048 -text -out out/39_months_after_2015_04.req |
| 250 CA_COMMON_NAME="Test Root CA" \ | 289 CA_NAME="req_ca_dn" \ |
| 251 try openssl ca \ | 290 try openssl ca \ |
| 252 -batch \ | 291 -batch \ |
| 253 -extensions user_cert \ | 292 -extensions user_cert \ |
| 254 -startdate 150402000000Z \ | 293 -startdate 150402000000Z \ |
| 255 -enddate 180702000000Z \ | 294 -enddate 180702000000Z \ |
| 256 -in out/39_months_after_2015_04.req \ | 295 -in out/39_months_after_2015_04.req \ |
| 257 -out ../certificates/39_months_after_2015_04.pem \ | 296 -out ../certificates/39_months_after_2015_04.pem \ |
| 258 -config ca.cnf | 297 -config ca.cnf |
| 259 try openssl req -config ../scripts/ee.cnf \ | 298 try openssl req -config ../scripts/ee.cnf \ |
| 260 -newkey rsa:2048 -text -out out/40_months_after_2015_04.req | 299 -newkey rsa:2048 -text -out out/40_months_after_2015_04.req |
| 261 CA_COMMON_NAME="Test Root CA" \ | 300 CA_NAME="req_ca_dn" \ |
| 262 try openssl ca \ | 301 try openssl ca \ |
| 263 -batch \ | 302 -batch \ |
| 264 -extensions user_cert \ | 303 -extensions user_cert \ |
| 265 -startdate 150402000000Z \ | 304 -startdate 150402000000Z \ |
| 266 -enddate 180801000000Z \ | 305 -enddate 180801000000Z \ |
| 267 -in out/40_months_after_2015_04.req \ | 306 -in out/40_months_after_2015_04.req \ |
| 268 -out ../certificates/40_months_after_2015_04.pem \ | 307 -out ../certificates/40_months_after_2015_04.pem \ |
| 269 -config ca.cnf | 308 -config ca.cnf |
| 270 try openssl req -config ../scripts/ee.cnf \ | 309 try openssl req -config ../scripts/ee.cnf \ |
| 271 -newkey rsa:2048 -text -out out/60_months_after_2012_07.req | 310 -newkey rsa:2048 -text -out out/60_months_after_2012_07.req |
| 272 CA_COMMON_NAME="Test Root CA" \ | 311 CA_NAME="req_ca_dn" \ |
| 273 try openssl ca \ | 312 try openssl ca \ |
| 274 -batch \ | 313 -batch \ |
| 275 -extensions user_cert \ | 314 -extensions user_cert \ |
| 276 -startdate 141030000000Z \ | 315 -startdate 141030000000Z \ |
| 277 -enddate 190930000000Z \ | 316 -enddate 190930000000Z \ |
| 278 -in out/60_months_after_2012_07.req \ | 317 -in out/60_months_after_2012_07.req \ |
| 279 -out ../certificates/60_months_after_2012_07.pem \ | 318 -out ../certificates/60_months_after_2012_07.pem \ |
| 280 -config ca.cnf | 319 -config ca.cnf |
| 281 try openssl req -config ../scripts/ee.cnf \ | 320 try openssl req -config ../scripts/ee.cnf \ |
| 282 -newkey rsa:2048 -text -out out/61_months_after_2012_07.req | 321 -newkey rsa:2048 -text -out out/61_months_after_2012_07.req |
| 283 # 30 * 61 = 1830 | 322 # 30 * 61 = 1830 |
| 284 CA_COMMON_NAME="Test Root CA" \ | 323 CA_NAME="req_ca_dn" \ |
| 285 try openssl ca \ | 324 try openssl ca \ |
| 286 -batch \ | 325 -batch \ |
| 287 -extensions user_cert \ | 326 -extensions user_cert \ |
| 288 -startdate 141030000000Z \ | 327 -startdate 141030000000Z \ |
| 289 -days 1830 \ | 328 -days 1830 \ |
| 290 -in out/61_months_after_2012_07.req \ | 329 -in out/61_months_after_2012_07.req \ |
| 291 -out ../certificates/61_months_after_2012_07.pem \ | 330 -out ../certificates/61_months_after_2012_07.pem \ |
| 292 -config ca.cnf | 331 -config ca.cnf |
| 293 # start date after expiry date | 332 # start date after expiry date |
| 294 try openssl req -config ../scripts/ee.cnf \ | 333 try openssl req -config ../scripts/ee.cnf \ |
| 295 -newkey rsa:2048 -text -out out/start_after_expiry.req | 334 -newkey rsa:2048 -text -out out/start_after_expiry.req |
| 296 CA_COMMON_NAME="Test Root CA" \ | 335 CA_NAME="req_ca_dn" \ |
| 297 try openssl ca \ | 336 try openssl ca \ |
| 298 -batch \ | 337 -batch \ |
| 299 -extensions user_cert \ | 338 -extensions user_cert \ |
| 300 -startdate 180901000000Z \ | 339 -startdate 180901000000Z \ |
| 301 -enddate 150402000000Z \ | 340 -enddate 150402000000Z \ |
| 302 -in out/start_after_expiry.req \ | 341 -in out/start_after_expiry.req \ |
| 303 -out ../certificates/start_after_expiry.pem \ | 342 -out ../certificates/start_after_expiry.pem \ |
| 304 -config ca.cnf | 343 -config ca.cnf |
| 305 try openssl req -config ../scripts/ee.cnf \ | 344 try openssl req -config ../scripts/ee.cnf \ |
| 306 -newkey rsa:2048 -text -out out/start_after_expiry.req | 345 -newkey rsa:2048 -text -out out/start_after_expiry.req |
| 307 # Issued pre-BRs, lifetime < 120 months, expires before 2019-07-01 | 346 # Issued pre-BRs, lifetime < 120 months, expires before 2019-07-01 |
| 308 try openssl req -config ../scripts/ee.cnf \ | 347 try openssl req -config ../scripts/ee.cnf \ |
| 309 -newkey rsa:2048 -text -out out/pre_br_validity_ok.req | 348 -newkey rsa:2048 -text -out out/pre_br_validity_ok.req |
| 310 CA_COMMON_NAME="Test Root CA" \ | 349 CA_NAME="req_ca_dn" \ |
| 311 try openssl ca \ | 350 try openssl ca \ |
| 312 -batch \ | 351 -batch \ |
| 313 -extensions user_cert \ | 352 -extensions user_cert \ |
| 314 -startdate 080101000000Z \ | 353 -startdate 080101000000Z \ |
| 315 -enddate 150101000000Z \ | 354 -enddate 150101000000Z \ |
| 316 -in out/pre_br_validity_ok.req \ | 355 -in out/pre_br_validity_ok.req \ |
| 317 -out ../certificates/pre_br_validity_ok.pem \ | 356 -out ../certificates/pre_br_validity_ok.pem \ |
| 318 -config ca.cnf | 357 -config ca.cnf |
| 319 try openssl req -config ../scripts/ee.cnf \ | 358 try openssl req -config ../scripts/ee.cnf \ |
| 320 -newkey rsa:2048 -text -out out/pre_br_validity_ok.req | 359 -newkey rsa:2048 -text -out out/pre_br_validity_ok.req |
| 321 # Issued pre-BRs, lifetime > 120 months, expires before 2019-07-01 | 360 # Issued pre-BRs, lifetime > 120 months, expires before 2019-07-01 |
| 322 try openssl req -config ../scripts/ee.cnf \ | 361 try openssl req -config ../scripts/ee.cnf \ |
| 323 -newkey rsa:2048 -text -out out/pre_br_validity_bad_121.req | 362 -newkey rsa:2048 -text -out out/pre_br_validity_bad_121.req |
| 324 CA_COMMON_NAME="Test Root CA" \ | 363 CA_NAME="req_ca_dn" \ |
| 325 try openssl ca \ | 364 try openssl ca \ |
| 326 -batch \ | 365 -batch \ |
| 327 -extensions user_cert \ | 366 -extensions user_cert \ |
| 328 -startdate 080101000000Z \ | 367 -startdate 080101000000Z \ |
| 329 -enddate 180501000000Z \ | 368 -enddate 180501000000Z \ |
| 330 -in out/pre_br_validity_bad_121.req \ | 369 -in out/pre_br_validity_bad_121.req \ |
| 331 -out ../certificates/pre_br_validity_bad_121.pem \ | 370 -out ../certificates/pre_br_validity_bad_121.pem \ |
| 332 -config ca.cnf | 371 -config ca.cnf |
| 333 try openssl req -config ../scripts/ee.cnf \ | 372 try openssl req -config ../scripts/ee.cnf \ |
| 334 -newkey rsa:2048 -text -out out/pre_br_validity_bad_121.req | 373 -newkey rsa:2048 -text -out out/pre_br_validity_bad_121.req |
| 335 # Issued pre-BRs, lifetime < 120 months, expires after 2019-07-01 | 374 # Issued pre-BRs, lifetime < 120 months, expires after 2019-07-01 |
| 336 try openssl req -config ../scripts/ee.cnf \ | 375 try openssl req -config ../scripts/ee.cnf \ |
| 337 -newkey rsa:2048 -text -out out/pre_br_validity_bad_2020.req | 376 -newkey rsa:2048 -text -out out/pre_br_validity_bad_2020.req |
| 338 CA_COMMON_NAME="Test Root CA" \ | 377 CA_NAME="req_ca_dn" \ |
| 339 try openssl ca \ | 378 try openssl ca \ |
| 340 -batch \ | 379 -batch \ |
| 341 -extensions user_cert \ | 380 -extensions user_cert \ |
| 342 -startdate 120501000000Z \ | 381 -startdate 120501000000Z \ |
| 343 -enddate 190703000000Z \ | 382 -enddate 190703000000Z \ |
| 344 -in out/pre_br_validity_bad_2020.req \ | 383 -in out/pre_br_validity_bad_2020.req \ |
| 345 -out ../certificates/pre_br_validity_bad_2020.pem \ | 384 -out ../certificates/pre_br_validity_bad_2020.pem \ |
| 346 -config ca.cnf | 385 -config ca.cnf |
| 347 | 386 |
| 348 # Issued prior to 1 June 2016 (Symantec CT Enforcement Date) | 387 # Issued prior to 1 June 2016 (Symantec CT Enforcement Date) |
| 349 try openssl req -config ../scripts/ee.cnf \ | 388 try openssl req -config ../scripts/ee.cnf \ |
| 350 -newkey rsa:2048 -text -out out/pre_june_2016.req | 389 -newkey rsa:2048 -text -out out/pre_june_2016.req |
| 351 CA_COMMON_NAME="Test Root CA" \ | 390 CA_NAME="req_ca_dn" \ |
| 352 try openssl ca \ | 391 try openssl ca \ |
| 353 -batch \ | 392 -batch \ |
| 354 -extensions user_cert \ | 393 -extensions user_cert \ |
| 355 -startdate 160501000000Z \ | 394 -startdate 160501000000Z \ |
| 356 -enddate 170703000000Z \ | 395 -enddate 170703000000Z \ |
| 357 -in out/pre_june_2016.req \ | 396 -in out/pre_june_2016.req \ |
| 358 -out ../certificates/pre_june_2016.pem \ | 397 -out ../certificates/pre_june_2016.pem \ |
| 359 -config ca.cnf | 398 -config ca.cnf |
| 360 | 399 |
| 361 # Issued after 1 June 2016 (Symantec CT Enforcement Date) | 400 # Issued after 1 June 2016 (Symantec CT Enforcement Date) |
| 362 try openssl req -config ../scripts/ee.cnf \ | 401 try openssl req -config ../scripts/ee.cnf \ |
| 363 -newkey rsa:2048 -text -out out/post_june_2016.req | 402 -newkey rsa:2048 -text -out out/post_june_2016.req |
| 364 CA_COMMON_NAME="Test Root CA" \ | 403 CA_NAME="req_ca_dn" \ |
| 365 try openssl ca \ | 404 try openssl ca \ |
| 366 -batch \ | 405 -batch \ |
| 367 -extensions user_cert \ | 406 -extensions user_cert \ |
| 368 -startdate 160601000000Z \ | 407 -startdate 160601000000Z \ |
| 369 -enddate 170703000000Z \ | 408 -enddate 170703000000Z \ |
| 370 -in out/post_june_2016.req \ | 409 -in out/post_june_2016.req \ |
| 371 -out ../certificates/post_june_2016.pem \ | 410 -out ../certificates/post_june_2016.pem \ |
| 372 -config ca.cnf | 411 -config ca.cnf |
| 373 | 412 |
| 374 # Includes the TLS feature extension | 413 # Includes the TLS feature extension |
| 375 try openssl req -x509 -newkey rsa:2048 \ | 414 try openssl req -x509 -newkey rsa:2048 \ |
| 376 -keyout out/tls_feature_extension.key \ | 415 -keyout out/tls_feature_extension.key \ |
| 377 -out ../certificates/tls_feature_extension.pem \ | 416 -out ../certificates/tls_feature_extension.pem \ |
| 378 -days 365 \ | 417 -days 365 \ |
| 379 -extensions req_extensions_with_tls_feature \ | 418 -extensions req_extensions_with_tls_feature \ |
| 380 -nodes -config ee.cnf | 419 -nodes -config ee.cnf |
| 381 | 420 |
| 382 | 421 |
| 383 # Regenerate CRLSets | 422 # Regenerate CRLSets |
| 384 ## Block a leaf cert directly by SPKI | 423 ## Block a leaf cert directly by SPKI |
| 385 try python crlsetutil.py -o ../certificates/crlset_by_leaf_spki.raw \ | 424 try python crlsetutil.py -o ../certificates/crlset_by_leaf_spki.raw \ |
| 386 <<CRLBYLEAFSPKI | 425 <<CRLBYLEAFSPKI |
| 387 { | 426 { |
| 388 "BlockedBySPKI": ["../certificates/ok_cert.pem"] | 427 "BlockedBySPKI": ["../certificates/ok_cert.pem"] |
| 389 } | 428 } |
| 390 CRLBYLEAFSPKI | 429 CRLBYLEAFSPKI |
| 391 | 430 |
| 392 ## Block a leaf cert by issuer-hash-and-serial (ok_cert.pem == serial 2, by | 431 ## Block a leaf cert by issuer-hash-and-serial (ok_cert.pem == serial 3, by |
| 393 ## virtue of the serial file and ordering above. | 432 ## virtue of the serial file and ordering above. |
| 394 try python crlsetutil.py -o ../certificates/crlset_by_root_serial.raw \ | 433 try python crlsetutil.py -o ../certificates/crlset_by_root_serial.raw \ |
| 395 <<CRLBYROOTSERIAL | 434 <<CRLBYROOTSERIAL |
| 396 { | 435 { |
| 397 "BlockedByHash": { | 436 "BlockedByHash": { |
| 398 "../certificates/root_ca_cert.pem": [2] | 437 "../certificates/root_ca_cert.pem": [3] |
| 399 } | 438 } |
| 400 } | 439 } |
| 401 CRLBYROOTSERIAL | 440 CRLBYROOTSERIAL |
| 402 | 441 |
| 403 ## Block a leaf cert by issuer-hash-and-serial. However, this will be issued | 442 ## Block a leaf cert by issuer-hash-and-serial. However, this will be issued |
| 404 ## from an intermediate CA issued underneath a root. | 443 ## from an intermediate CA issued underneath a root. |
| 405 try python crlsetutil.py -o ../certificates/crlset_by_intermediate_serial.raw \ | 444 try python crlsetutil.py -o ../certificates/crlset_by_intermediate_serial.raw \ |
| 406 <<CRLSETBYINTERMEDIATESERIAL | 445 <<CRLSETBYINTERMEDIATESERIAL |
| 407 { | 446 { |
| 408 "BlockedByHash": { | 447 "BlockedByHash": { |
| 409 "../certificates/quic_intermediate.crt": [3] | 448 "../certificates/intermediate_ca_cert.pem": [1] |
| 410 } | 449 } |
| 411 } | 450 } |
| 412 CRLSETBYINTERMEDIATESERIAL | 451 CRLSETBYINTERMEDIATESERIAL |
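Review bot: The new intermediate issuance at NEW lines 52-59 consumes serial 01 from the root CA's serial file, which is why ok_cert moves from serial 2 to 3 in the CRLSet at NEW line 437, but nothing in the script records that dependency, so a later reordering of the `openssl ca` calls will silently produce a CRLSet that blocks the wrong certificate. I would add a comment above the intermediate signing: `# NOTE: issued by the root CA and consumes root serial 01; the serial numbers hard-coded in the CRLSets below depend on this ordering.` Note also that `try` (line 11) runs `exit $e` inside a `( ... )` subshell, so a failed `openssl ca` at this step does not abort the script and every later step runs with shifted serials; `"$@" || { e=$?; echo "$@" >&2; exit $e; }` would make the abort effective, though that helper predates this change. Separately, it is not obvious from this hunk which CA signs the intermediate, since `CA_NAME="req_intermediate_dn"` is set on that call while the leaf signed by the intermediate (NEW lines 109-118) additionally sets `CA_DIR`/`CERT_TYPE`; if ca.cnf only reads CA_NAME for the request DN section, a one-line comment stating that the root (default `CA_DIR`) is the issuer would help the next reader.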