
Unified Diff: net/data/ssl/scripts/generate-test-certs.sh

Issue 2560343002: Disable SHA-1 for Enterprise Certs (Closed)
Patch Set: Retweaked Created 4 years ago
Index: net/data/ssl/scripts/generate-test-certs.sh
diff --git a/net/data/ssl/scripts/generate-test-certs.sh b/net/data/ssl/scripts/generate-test-certs.sh
index 55c54bb3ff6dbff40e8cbd4e97fac193f7538514..e02c028b8ab3e2244a9e5181d881522d10aff419 100755
--- a/net/data/ssl/scripts/generate-test-certs.sh
+++ b/net/data/ssl/scripts/generate-test-certs.sh
@@ -13,6 +13,7 @@ try() {
try rm -rf out
try mkdir out
+try mkdir out/int
try /bin/sh -c "echo 01 > out/2048-sha256-root-serial"
touch out/2048-sha256-root-index.txt
@@ -21,14 +22,14 @@ touch out/2048-sha256-root-index.txt
try openssl genrsa -out out/2048-sha256-root.key 2048
# Generate the root certificate
-CA_COMMON_NAME="Test Root CA" \
+CA_NAME="req_ca_dn" \
try openssl req \
-new \
-key out/2048-sha256-root.key \
-out out/2048-sha256-root.req \
-config ca.cnf
-CA_COMMON_NAME="Test Root CA" \
+CA_NAME="req_ca_dn" \
try openssl x509 \
-req -days 3650 \
-in out/2048-sha256-root.req \
@@ -37,6 +38,26 @@ CA_COMMON_NAME="Test Root CA" \
-extensions ca_cert \
-text > out/2048-sha256-root.pem
+# Generate the test intermediate
+try /bin/sh -c "echo 01 > out/int/2048-sha256-int-serial"
+touch out/int/2048-sha256-int-index.txt
+
+CA_NAME="req_intermediate_dn" \
+ try openssl req \
+ -new \
+ -keyout out/int/2048-sha256-int.key \
+ -out out/int/2048-sha256-int.req \
+ -config ca.cnf
+
+CA_NAME="req_intermediate_dn" \
+ try openssl ca \
+ -batch \
+ -extensions ca_cert \
+ -days 3650 \
+ -in out/int/2048-sha256-int.req \
+ -out out/int/2048-sha256-int.pem \
+ -config ca.cnf
+
# Generate the leaf certificate requests
try openssl req \
-new \
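Review bot: The intermediate's key is created implicitly by `openssl req -keyout` in the lines after `# Generate the test intermediate`, so its size and whether it ends up passphrase-encrypted come from ca.cnf rather than from the command, unlike the root key which is pinned with an explicit `openssl genrsa ... 2048`. Unless ca.cnf sets `default_bits` and `encrypt_key = no`, `openssl req` will prompt for a passphrase here and the script stops being non-interactive; the file already pins this elsewhere with `-newkey rsa:2048`, so `-newkey rsa:2048 -nodes -keyout out/int/2048-sha256-int.key \` would make the intermediate self-describing and match its 2048-sha256 filename. The added `try openssl` lines and their arguments also appear to carry a one-space indent that the existing `CA_NAME=... \` / `try openssl` pairs in this file do not, here and in the later `CA_DIR="out/int"` block.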
@@ -66,7 +87,7 @@ try openssl req \
-config ee.cnf
# Generate the leaf certificates
-CA_COMMON_NAME="Test Root CA" \
+CA_NAME="req_ca_dn" \
try openssl ca \
-batch \
-extensions user_cert \
@@ -76,7 +97,7 @@ CA_COMMON_NAME="Test Root CA" \
-out out/expired_cert.pem \
-config ca.cnf
-CA_COMMON_NAME="Test Root CA" \
+CA_NAME="req_ca_dn" \
try openssl ca \
-batch \
-extensions user_cert \
@@ -85,7 +106,18 @@ CA_COMMON_NAME="Test Root CA" \
-out out/ok_cert.pem \
-config ca.cnf
-CA_COMMON_NAME="Test Root CA" \
+CA_DIR="out/int" \
+CERT_TYPE="int" \
+CA_NAME="req_intermediate_dn" \
+ try openssl ca \
+ -batch \
+ -extensions user_cert \
+ -days 3650 \
+ -in out/ok_cert.req \
+ -out out/int/ok_cert.pem \
+ -config ca.cnf
+
+CA_NAME="req_ca_dn" \
try openssl ca \
-batch \
-extensions user_cert \
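Review bot: The `CA_DIR="out/int"` / `CERT_TYPE="int"` block re-signs `out/ok_cert.req` with the intermediate, but nothing in this file says what those two variables select; their meaning lives in ca.cnf, which a reader of this script will not have open. A one-line comment above it would help, e.g. `# Issue ok_cert a second time from the intermediate; CA_DIR/CERT_TYPE point ca.cnf at the out/int serial and index files`. Note that this deliberately yields two valid certificates for the same key and subject with different issuers, which is presumably the point of ok_cert_by_intermediate.pem and worth stating in that comment so nobody later "deduplicates" it.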
@@ -94,7 +126,7 @@ CA_COMMON_NAME="Test Root CA" \
-out out/wildcard.pem \
-config ca.cnf
-CA_COMMON_NAME="Test Root CA" \
+CA_NAME="req_ca_dn" \
try openssl ca \
-batch \
-extensions name_constraint_bad \
@@ -104,7 +136,7 @@ CA_COMMON_NAME="Test Root CA" \
-out out/name_constraint_bad.pem \
-config ca.cnf
-CA_COMMON_NAME="Test Root CA" \
+CA_NAME="req_ca_dn" \
try openssl ca \
-batch \
-extensions name_constraint_good \
@@ -114,7 +146,7 @@ CA_COMMON_NAME="Test Root CA" \
-out out/name_constraint_good.pem \
-config ca.cnf
-CA_COMMON_NAME="Test Root CA" \
+CA_NAME="req_ca_dn" \
try openssl ca \
-batch \
-extensions user_cert \
@@ -123,7 +155,7 @@ CA_COMMON_NAME="Test Root CA" \
-out out/localhost_cert.pem \
-config ca.cnf
-CA_COMMON_NAME="Test Root CA" \
+CA_NAME="req_ca_dn" \
try openssl ca \
-batch \
-extensions user_cert \
@@ -150,6 +182,13 @@ try /bin/sh -c "cat out/ok_cert.key out/name_constraint_good.pem \
> ../certificates/name_constraint_good.pem"
try /bin/sh -c "cat out/ok_cert.key out/bad_validity.pem \
> ../certificates/bad_validity.pem"
+try /bin/sh -c "cat out/ok_cert.key out/int/ok_cert.pem \
+ > ../certificates/ok_cert_by_intermediate.pem"
+try /bin/sh -c "cat out/int/2048-sha256-int.key out/int/2048-sha256-int.pem \
+ > ../certificates/intermediate_ca_cert.pem"
+try /bin/sh -c "cat out/int/ok_cert.pem out/int/2048-sha256-int.pem \
+ out/2048-sha256-root.pem \
+ > ../certificates/x509_verify_results.chain.pem"
# Now generate the one-off certs
## Self-signed cert for SPDY/QUIC/HTTP2 pooling testing
@@ -185,7 +224,7 @@ try openssl req -x509 -days 3650 \
## SHA1 certificate expiring in 2016.
try openssl req -config ../scripts/ee.cnf -sha1 \
-newkey rsa:2048 -text -out out/sha1_2016.req
-CA_COMMON_NAME="Test Root CA" \
+CA_NAME="req_ca_dn" \
try openssl ca \
-batch \
-extensions user_cert \
@@ -198,7 +237,7 @@ CA_COMMON_NAME="Test Root CA" \
## SHA1 certificate issued the last second before the SHA-1 deprecation date.
try openssl req -config ../scripts/ee.cnf -sha1 \
-newkey rsa:2048 -text -out out/sha1_dec_2015.req
-CA_COMMON_NAME="Test Root CA" \
+CA_NAME="req_ca_dn" \
try openssl ca \
-batch \
-extensions user_cert \
@@ -211,7 +250,7 @@ CA_COMMON_NAME="Test Root CA" \
## SHA1 certificate issued on the SHA-1 deprecation date.
try openssl req -config ../scripts/ee.cnf -sha1 \
-newkey rsa:2048 -text -out out/sha1_jan_2016.req
-CA_COMMON_NAME="Test Root CA" \
+CA_NAME="req_ca_dn" \
try openssl ca \
-batch \
-extensions user_cert \
@@ -224,7 +263,7 @@ CA_COMMON_NAME="Test Root CA" \
## Validity too long unit test support.
try openssl req -config ../scripts/ee.cnf \
-newkey rsa:2048 -text -out out/10_year_validity.req
-CA_COMMON_NAME="Test Root CA" \
+CA_NAME="req_ca_dn" \
try openssl ca \
-batch \
-extensions user_cert \
@@ -236,7 +275,7 @@ CA_COMMON_NAME="Test Root CA" \
# 365 * 11 = 4015
try openssl req -config ../scripts/ee.cnf \
-newkey rsa:2048 -text -out out/11_year_validity.req
-CA_COMMON_NAME="Test Root CA" \
+CA_NAME="req_ca_dn" \
try openssl ca \
-batch \
-extensions user_cert \
@@ -247,7 +286,7 @@ CA_COMMON_NAME="Test Root CA" \
-config ca.cnf
try openssl req -config ../scripts/ee.cnf \
-newkey rsa:2048 -text -out out/39_months_after_2015_04.req
-CA_COMMON_NAME="Test Root CA" \
+CA_NAME="req_ca_dn" \
try openssl ca \
-batch \
-extensions user_cert \
@@ -258,7 +297,7 @@ CA_COMMON_NAME="Test Root CA" \
-config ca.cnf
try openssl req -config ../scripts/ee.cnf \
-newkey rsa:2048 -text -out out/40_months_after_2015_04.req
-CA_COMMON_NAME="Test Root CA" \
+CA_NAME="req_ca_dn" \
try openssl ca \
-batch \
-extensions user_cert \
@@ -269,7 +308,7 @@ CA_COMMON_NAME="Test Root CA" \
-config ca.cnf
try openssl req -config ../scripts/ee.cnf \
-newkey rsa:2048 -text -out out/60_months_after_2012_07.req
-CA_COMMON_NAME="Test Root CA" \
+CA_NAME="req_ca_dn" \
try openssl ca \
-batch \
-extensions user_cert \
@@ -281,7 +320,7 @@ CA_COMMON_NAME="Test Root CA" \
try openssl req -config ../scripts/ee.cnf \
-newkey rsa:2048 -text -out out/61_months_after_2012_07.req
# 30 * 61 = 1830
-CA_COMMON_NAME="Test Root CA" \
+CA_NAME="req_ca_dn" \
try openssl ca \
-batch \
-extensions user_cert \
@@ -293,7 +332,7 @@ CA_COMMON_NAME="Test Root CA" \
# start date after expiry date
try openssl req -config ../scripts/ee.cnf \
-newkey rsa:2048 -text -out out/start_after_expiry.req
-CA_COMMON_NAME="Test Root CA" \
+CA_NAME="req_ca_dn" \
try openssl ca \
-batch \
-extensions user_cert \
@@ -307,7 +346,7 @@ try openssl req -config ../scripts/ee.cnf \
# Issued pre-BRs, lifetime < 120 months, expires before 2019-07-01
try openssl req -config ../scripts/ee.cnf \
-newkey rsa:2048 -text -out out/pre_br_validity_ok.req
-CA_COMMON_NAME="Test Root CA" \
+CA_NAME="req_ca_dn" \
try openssl ca \
-batch \
-extensions user_cert \
@@ -321,7 +360,7 @@ try openssl req -config ../scripts/ee.cnf \
# Issued pre-BRs, lifetime > 120 months, expires before 2019-07-01
try openssl req -config ../scripts/ee.cnf \
-newkey rsa:2048 -text -out out/pre_br_validity_bad_121.req
-CA_COMMON_NAME="Test Root CA" \
+CA_NAME="req_ca_dn" \
try openssl ca \
-batch \
-extensions user_cert \
@@ -335,7 +374,7 @@ try openssl req -config ../scripts/ee.cnf \
# Issued pre-BRs, lifetime < 120 months, expires after 2019-07-01
try openssl req -config ../scripts/ee.cnf \
-newkey rsa:2048 -text -out out/pre_br_validity_bad_2020.req
-CA_COMMON_NAME="Test Root CA" \
+CA_NAME="req_ca_dn" \
try openssl ca \
-batch \
-extensions user_cert \
@@ -348,7 +387,7 @@ CA_COMMON_NAME="Test Root CA" \
# Issued prior to 1 June 2016 (Symantec CT Enforcement Date)
try openssl req -config ../scripts/ee.cnf \
-newkey rsa:2048 -text -out out/pre_june_2016.req
-CA_COMMON_NAME="Test Root CA" \
+CA_NAME="req_ca_dn" \
try openssl ca \
-batch \
-extensions user_cert \
@@ -361,7 +400,7 @@ CA_COMMON_NAME="Test Root CA" \
# Issued after 1 June 2016 (Symantec CT Enforcement Date)
try openssl req -config ../scripts/ee.cnf \
-newkey rsa:2048 -text -out out/post_june_2016.req
-CA_COMMON_NAME="Test Root CA" \
+CA_NAME="req_ca_dn" \
try openssl ca \
-batch \
-extensions user_cert \
@@ -389,13 +428,13 @@ try python crlsetutil.py -o ../certificates/crlset_by_leaf_spki.raw \
}
CRLBYLEAFSPKI
-## Block a leaf cert by issuer-hash-and-serial (ok_cert.pem == serial 2, by
+## Block a leaf cert by issuer-hash-and-serial (ok_cert.pem == serial 3, by
## virtue of the serial file and ordering above.
try python crlsetutil.py -o ../certificates/crlset_by_root_serial.raw \
<<CRLBYROOTSERIAL
{
"BlockedByHash": {
- "../certificates/root_ca_cert.pem": [2]
+ "../certificates/root_ca_cert.pem": [3]
}
}
CRLBYROOTSERIAL
@@ -406,7 +445,7 @@ try python crlsetutil.py -o ../certificates/crlset_by_intermediate_serial.raw \
<<CRLSETBYINTERMEDIATESERIAL
{
"BlockedByHash": {
- "../certificates/quic_intermediate.crt": [3]
+ "../certificates/intermediate_ca_cert.pem": [1]
}
}
CRLSETBYINTERMEDIATESERIAL
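Review bot: The CRLSet now keys on `../certificates/intermediate_ca_cert.pem`, which the earlier hunk writes as the intermediate's private key followed by its certificate, whereas the file it replaces, `quic_intermediate.crt`, was by its name a bare certificate. If crlsetutil.py hashes whatever the first PEM block in the file is, the entry would be computed over the key rather than the certificate and serial `[1]` would never match; it is worth confirming that crlsetutil.py skips to the CERTIFICATE block in such a bundle, or pointing the entry at `out/int/2048-sha256-int.pem` instead.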