net/data/ssl/scripts/generate-test-certs.sh - Issue 2560343002: Disable SHA-1 for Enterprise Certs

Unified Diff: net/data/ssl/scripts/generate-test-certs.sh

Issue 2560343002: Disable SHA-1 for Enterprise Certs (Closed)

Patch Set: Retweaked Created 4 years ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View side-by-side diff with in-line comments

Index: net/data/ssl/scripts/generate-test-certs.sh

diff --git a/net/data/ssl/scripts/generate-test-certs.sh b/net/data/ssl/scripts/generate-test-certs.sh

index 55c54bb3ff6dbff40e8cbd4e97fac193f7538514..e02c028b8ab3e2244a9e5181d881522d10aff419 100755

--- a/net/data/ssl/scripts/generate-test-certs.sh

+++ b/net/data/ssl/scripts/generate-test-certs.sh

@@ -13,6 +13,7 @@ try() {

try rm -rf out

try mkdir out

+try mkdir out/int

try /bin/sh -c "echo 01 > out/2048-sha256-root-serial"

touch out/2048-sha256-root-index.txt

@@ -21,14 +22,14 @@ touch out/2048-sha256-root-index.txt

try openssl genrsa -out out/2048-sha256-root.key 2048

# Generate the root certificate

-CA_COMMON_NAME="Test Root CA" \

+CA_NAME="req_ca_dn" \

try openssl req \

-new \

-key out/2048-sha256-root.key \

-out out/2048-sha256-root.req \

-config ca.cnf

-CA_COMMON_NAME="Test Root CA" \

+CA_NAME="req_ca_dn" \

try openssl x509 \

-req -days 3650 \

-in out/2048-sha256-root.req \

@@ -37,6 +38,26 @@ CA_COMMON_NAME="Test Root CA" \

-extensions ca_cert \

-text > out/2048-sha256-root.pem

+# Generate the test intermediate

+try /bin/sh -c "echo 01 > out/int/2048-sha256-int-serial"

+touch out/int/2048-sha256-int-index.txt

+CA_NAME="req_intermediate_dn" \

+ try openssl req \

+ -new \

+ -keyout out/int/2048-sha256-int.key \

+ -out out/int/2048-sha256-int.req \

+ -config ca.cnf

+CA_NAME="req_intermediate_dn" \

+ try openssl ca \

+ -batch \

+ -extensions ca_cert \

+ -days 3650 \

+ -in out/int/2048-sha256-int.req \

+ -out out/int/2048-sha256-int.pem \

+ -config ca.cnf

# Generate the leaf certificate requests

try openssl req \

-new \

@@ -66,7 +87,7 @@ try openssl req \

-config ee.cnf

# Generate the leaf certificates

-CA_COMMON_NAME="Test Root CA" \

+CA_NAME="req_ca_dn" \

try openssl ca \

-batch \

-extensions user_cert \

@@ -76,7 +97,7 @@ CA_COMMON_NAME="Test Root CA" \

-out out/expired_cert.pem \

-config ca.cnf

-CA_COMMON_NAME="Test Root CA" \

+CA_NAME="req_ca_dn" \

try openssl ca \

-batch \

-extensions user_cert \

@@ -85,7 +106,18 @@ CA_COMMON_NAME="Test Root CA" \

-out out/ok_cert.pem \

-config ca.cnf

-CA_COMMON_NAME="Test Root CA" \

+CA_DIR="out/int" \

+CERT_TYPE="int" \

+CA_NAME="req_intermediate_dn" \

+ try openssl ca \

+ -batch \

+ -extensions user_cert \

+ -days 3650 \

+ -in out/ok_cert.req \

+ -out out/int/ok_cert.pem \

+ -config ca.cnf

+CA_NAME="req_ca_dn" \

try openssl ca \

-batch \

-extensions user_cert \

@@ -94,7 +126,7 @@ CA_COMMON_NAME="Test Root CA" \

-out out/wildcard.pem \

-config ca.cnf

-CA_COMMON_NAME="Test Root CA" \

+CA_NAME="req_ca_dn" \

try openssl ca \

-batch \

-extensions name_constraint_bad \

@@ -104,7 +136,7 @@ CA_COMMON_NAME="Test Root CA" \

-out out/name_constraint_bad.pem \

-config ca.cnf

-CA_COMMON_NAME="Test Root CA" \

+CA_NAME="req_ca_dn" \

try openssl ca \

-batch \

-extensions name_constraint_good \

@@ -114,7 +146,7 @@ CA_COMMON_NAME="Test Root CA" \

-out out/name_constraint_good.pem \

-config ca.cnf

-CA_COMMON_NAME="Test Root CA" \

+CA_NAME="req_ca_dn" \

try openssl ca \

-batch \

-extensions user_cert \

@@ -123,7 +155,7 @@ CA_COMMON_NAME="Test Root CA" \

-out out/localhost_cert.pem \

-config ca.cnf

-CA_COMMON_NAME="Test Root CA" \

+CA_NAME="req_ca_dn" \

try openssl ca \

-batch \

-extensions user_cert \

@@ -150,6 +182,13 @@ try /bin/sh -c "cat out/ok_cert.key out/name_constraint_good.pem \

> ../certificates/name_constraint_good.pem"

try /bin/sh -c "cat out/ok_cert.key out/bad_validity.pem \

> ../certificates/bad_validity.pem"

+try /bin/sh -c "cat out/ok_cert.key out/int/ok_cert.pem \

+ > ../certificates/ok_cert_by_intermediate.pem"

+try /bin/sh -c "cat out/int/2048-sha256-int.key out/int/2048-sha256-int.pem \

+ > ../certificates/intermediate_ca_cert.pem"

+try /bin/sh -c "cat out/int/ok_cert.pem out/int/2048-sha256-int.pem \

+ out/2048-sha256-root.pem \

+ > ../certificates/x509_verify_results.chain.pem"

# Now generate the one-off certs

## Self-signed cert for SPDY/QUIC/HTTP2 pooling testing

@@ -185,7 +224,7 @@ try openssl req -x509 -days 3650 \

## SHA1 certificate expiring in 2016.

try openssl req -config ../scripts/ee.cnf -sha1 \

-newkey rsa:2048 -text -out out/sha1_2016.req

-CA_COMMON_NAME="Test Root CA" \

+CA_NAME="req_ca_dn" \

try openssl ca \

-batch \

-extensions user_cert \

@@ -198,7 +237,7 @@ CA_COMMON_NAME="Test Root CA" \

## SHA1 certificate issued the last second before the SHA-1 deprecation date.

try openssl req -config ../scripts/ee.cnf -sha1 \

-newkey rsa:2048 -text -out out/sha1_dec_2015.req

-CA_COMMON_NAME="Test Root CA" \

+CA_NAME="req_ca_dn" \

try openssl ca \

-batch \

-extensions user_cert \

@@ -211,7 +250,7 @@ CA_COMMON_NAME="Test Root CA" \

## SHA1 certificate issued on the SHA-1 deprecation date.

try openssl req -config ../scripts/ee.cnf -sha1 \

-newkey rsa:2048 -text -out out/sha1_jan_2016.req

-CA_COMMON_NAME="Test Root CA" \

+CA_NAME="req_ca_dn" \

try openssl ca \

-batch \

-extensions user_cert \

@@ -224,7 +263,7 @@ CA_COMMON_NAME="Test Root CA" \

## Validity too long unit test support.

try openssl req -config ../scripts/ee.cnf \

-newkey rsa:2048 -text -out out/10_year_validity.req

-CA_COMMON_NAME="Test Root CA" \

+CA_NAME="req_ca_dn" \

try openssl ca \

-batch \

-extensions user_cert \

@@ -236,7 +275,7 @@ CA_COMMON_NAME="Test Root CA" \

# 365 * 11 = 4015

try openssl req -config ../scripts/ee.cnf \

-newkey rsa:2048 -text -out out/11_year_validity.req

-CA_COMMON_NAME="Test Root CA" \

+CA_NAME="req_ca_dn" \

try openssl ca \

-batch \

-extensions user_cert \

@@ -247,7 +286,7 @@ CA_COMMON_NAME="Test Root CA" \

-config ca.cnf

try openssl req -config ../scripts/ee.cnf \

-newkey rsa:2048 -text -out out/39_months_after_2015_04.req

-CA_COMMON_NAME="Test Root CA" \

+CA_NAME="req_ca_dn" \

try openssl ca \

-batch \

-extensions user_cert \

@@ -258,7 +297,7 @@ CA_COMMON_NAME="Test Root CA" \

-config ca.cnf

try openssl req -config ../scripts/ee.cnf \

-newkey rsa:2048 -text -out out/40_months_after_2015_04.req

-CA_COMMON_NAME="Test Root CA" \

+CA_NAME="req_ca_dn" \

try openssl ca \

-batch \

-extensions user_cert \

@@ -269,7 +308,7 @@ CA_COMMON_NAME="Test Root CA" \

-config ca.cnf

try openssl req -config ../scripts/ee.cnf \

-newkey rsa:2048 -text -out out/60_months_after_2012_07.req

-CA_COMMON_NAME="Test Root CA" \

+CA_NAME="req_ca_dn" \

try openssl ca \

-batch \

-extensions user_cert \

@@ -281,7 +320,7 @@ CA_COMMON_NAME="Test Root CA" \

try openssl req -config ../scripts/ee.cnf \

-newkey rsa:2048 -text -out out/61_months_after_2012_07.req

# 30 * 61 = 1830

-CA_COMMON_NAME="Test Root CA" \

+CA_NAME="req_ca_dn" \

try openssl ca \

-batch \

-extensions user_cert \

@@ -293,7 +332,7 @@ CA_COMMON_NAME="Test Root CA" \

# start date after expiry date

try openssl req -config ../scripts/ee.cnf \

-newkey rsa:2048 -text -out out/start_after_expiry.req

-CA_COMMON_NAME="Test Root CA" \

+CA_NAME="req_ca_dn" \

try openssl ca \

-batch \

-extensions user_cert \

@@ -307,7 +346,7 @@ try openssl req -config ../scripts/ee.cnf \

# Issued pre-BRs, lifetime < 120 months, expires before 2019-07-01

try openssl req -config ../scripts/ee.cnf \

-newkey rsa:2048 -text -out out/pre_br_validity_ok.req

-CA_COMMON_NAME="Test Root CA" \

+CA_NAME="req_ca_dn" \

try openssl ca \

-batch \

-extensions user_cert \

@@ -321,7 +360,7 @@ try openssl req -config ../scripts/ee.cnf \

# Issued pre-BRs, lifetime > 120 months, expires before 2019-07-01

try openssl req -config ../scripts/ee.cnf \

-newkey rsa:2048 -text -out out/pre_br_validity_bad_121.req

-CA_COMMON_NAME="Test Root CA" \

+CA_NAME="req_ca_dn" \

try openssl ca \

-batch \

-extensions user_cert \

@@ -335,7 +374,7 @@ try openssl req -config ../scripts/ee.cnf \

# Issued pre-BRs, lifetime < 120 months, expires after 2019-07-01

try openssl req -config ../scripts/ee.cnf \

-newkey rsa:2048 -text -out out/pre_br_validity_bad_2020.req

-CA_COMMON_NAME="Test Root CA" \

+CA_NAME="req_ca_dn" \

try openssl ca \

-batch \

-extensions user_cert \

@@ -348,7 +387,7 @@ CA_COMMON_NAME="Test Root CA" \

# Issued prior to 1 June 2016 (Symantec CT Enforcement Date)

try openssl req -config ../scripts/ee.cnf \

-newkey rsa:2048 -text -out out/pre_june_2016.req

-CA_COMMON_NAME="Test Root CA" \

+CA_NAME="req_ca_dn" \

try openssl ca \

-batch \

-extensions user_cert \

@@ -361,7 +400,7 @@ CA_COMMON_NAME="Test Root CA" \

# Issued after 1 June 2016 (Symantec CT Enforcement Date)

try openssl req -config ../scripts/ee.cnf \

-newkey rsa:2048 -text -out out/post_june_2016.req

-CA_COMMON_NAME="Test Root CA" \

+CA_NAME="req_ca_dn" \

try openssl ca \

-batch \

-extensions user_cert \

@@ -389,13 +428,13 @@ try python crlsetutil.py -o ../certificates/crlset_by_leaf_spki.raw \

}

CRLBYLEAFSPKI

-## Block a leaf cert by issuer-hash-and-serial (ok_cert.pem == serial 2, by

+## Block a leaf cert by issuer-hash-and-serial (ok_cert.pem == serial 3, by

## virtue of the serial file and ordering above.

try python crlsetutil.py -o ../certificates/crlset_by_root_serial.raw \

<<CRLBYROOTSERIAL

{

"BlockedByHash": {

- "../certificates/root_ca_cert.pem": [2]

+ "../certificates/root_ca_cert.pem": [3]

}

CRLBYROOTSERIAL

@@ -406,7 +445,7 @@ try python crlsetutil.py -o ../certificates/crlset_by_intermediate_serial.raw \

<<CRLSETBYINTERMEDIATESERIAL

{

"BlockedByHash": {

- "../certificates/quic_intermediate.crt": [3]

+ "../certificates/intermediate_ca_cert.pem": [1]

}

CRLSETBYINTERMEDIATESERIAL

« no previous file with comments | « net/data/ssl/scripts/ca.cnf ('k') | net/net.gypi » ('j') | no next file with comments »