
Side by Side Diff: net/data/ssl/scripts/generate-test-certs.sh

Issue 2926463002: Fix TransportSecurityState unittests to run in --single-process mode. (Closed)
Patch Set: Fixup model tests Created 3 years, 6 months ago
1 #!/bin/sh 1 #!/bin/sh
2 2
3 # Copyright 2013 The Chromium Authors. All rights reserved. 3 # Copyright 2013 The Chromium Authors. All rights reserved.
4 # Use of this source code is governed by a BSD-style license that can be 4 # Use of this source code is governed by a BSD-style license that can be
5 # found in the LICENSE file. 5 # found in the LICENSE file.
6 6
7 # This script generates a set of test (end-entity, intermediate, root) 7 # This script generates a set of test (end-entity, intermediate, root)
8 # certificates that can be used to test fetching of an intermediate via AIA. 8 # certificates that can be used to test fetching of an intermediate via AIA.
9 set -e -x
9 10
10 try() { 11 rm -rf out
11 "$@" || (e=$?; echo "$@" > /dev/stderr; exit $e) 12 mkdir out
12 } 13 mkdir out/int
13 14
14 try rm -rf out 15 /bin/sh -c "echo 01 > out/2048-sha256-root-serial"
15 try mkdir out
16 try mkdir out/int
17
18 try /bin/sh -c "echo 01 > out/2048-sha256-root-serial"
19 touch out/2048-sha256-root-index.txt 16 touch out/2048-sha256-root-index.txt
20 17
21 # Generate the key 18 # Generate the key
22 try openssl genrsa -out out/2048-sha256-root.key 2048 19 openssl genrsa -out out/2048-sha256-root.key 2048
23 20
24 # Generate the root certificate 21 # Generate the root certificate
25 CA_NAME="req_ca_dn" \ 22 CA_NAME="req_ca_dn" \
26 try openssl req \ 23 openssl req \
27 -new \ 24 -new \
28 -key out/2048-sha256-root.key \ 25 -key out/2048-sha256-root.key \
29 -out out/2048-sha256-root.req \ 26 -out out/2048-sha256-root.req \
30 -config ca.cnf 27 -config ca.cnf
31 28
32 CA_NAME="req_ca_dn" \ 29 CA_NAME="req_ca_dn" \
33 try openssl x509 \ 30 openssl x509 \
34 -req -days 3650 \ 31 -req -days 3650 \
35 -in out/2048-sha256-root.req \ 32 -in out/2048-sha256-root.req \
36 -signkey out/2048-sha256-root.key \ 33 -signkey out/2048-sha256-root.key \
37 -extfile ca.cnf \ 34 -extfile ca.cnf \
38 -extensions ca_cert \ 35 -extensions ca_cert \
39 -text > out/2048-sha256-root.pem 36 -text > out/2048-sha256-root.pem
40 37
41 # Generate the test intermediate 38 # Generate the test intermediate
42 try /bin/sh -c "echo 01 > out/int/2048-sha256-int-serial" 39 /bin/sh -c "echo 01 > out/int/2048-sha256-int-serial"
43 touch out/int/2048-sha256-int-index.txt 40 touch out/int/2048-sha256-int-index.txt
44 41
45 CA_NAME="req_intermediate_dn" \ 42 CA_NAME="req_intermediate_dn" \
46 try openssl req \ 43 openssl req \
47 -new \ 44 -new \
48 -keyout out/int/2048-sha256-int.key \ 45 -keyout out/int/2048-sha256-int.key \
49 -out out/int/2048-sha256-int.req \ 46 -out out/int/2048-sha256-int.req \
50 -config ca.cnf 47 -config ca.cnf
51 48
52 CA_NAME="req_intermediate_dn" \ 49 CA_NAME="req_intermediate_dn" \
53 try openssl ca \ 50 openssl ca \
54 -batch \ 51 -batch \
55 -extensions ca_cert \ 52 -extensions ca_cert \
56 -days 3650 \ 53 -days 3650 \
57 -in out/int/2048-sha256-int.req \ 54 -in out/int/2048-sha256-int.req \
58 -out out/int/2048-sha256-int.pem \ 55 -out out/int/2048-sha256-int.pem \
59 -config ca.cnf 56 -config ca.cnf
60 57
61 # Generate the leaf certificate requests 58 # Generate the leaf certificate requests
62 try openssl req \ 59 openssl req \
63 -new \ 60 -new \
64 -keyout out/expired_cert.key \ 61 -keyout out/expired_cert.key \
65 -out out/expired_cert.req \ 62 -out out/expired_cert.req \
66 -config ee.cnf 63 -config ee.cnf
67 64
68 try openssl req \ 65 openssl req \
69 -new \ 66 -new \
70 -keyout out/ok_cert.key \ 67 -keyout out/ok_cert.key \
71 -out out/ok_cert.req \ 68 -out out/ok_cert.req \
72 -config ee.cnf 69 -config ee.cnf
73 70
74 try openssl req \ 71 openssl req \
75 -new \ 72 -new \
76 -keyout out/wildcard.key \ 73 -keyout out/wildcard.key \
77 -out out/wildcard.req \ 74 -out out/wildcard.req \
78 -reqexts req_wildcard \ 75 -reqexts req_wildcard \
79 -config ee.cnf 76 -config ee.cnf
80 77
81 SUBJECT_NAME=req_localhost_cn \ 78 SUBJECT_NAME="req_localhost_cn" \
82 try openssl req \ 79 openssl req \
83 -new \ 80 -new \
84 -keyout out/localhost_cert.key \ 81 -keyout out/localhost_cert.key \
85 -out out/localhost_cert.req \ 82 -out out/localhost_cert.req \
86 -reqexts req_localhost_san \ 83 -reqexts req_localhost_san \
87 -config ee.cnf 84 -config ee.cnf
88 85
89 # Generate the leaf certificates 86 # Generate the leaf certificates
90 CA_NAME="req_ca_dn" \ 87 CA_NAME="req_ca_dn" \
91 try openssl ca \ 88 openssl ca \
92 -batch \ 89 -batch \
93 -extensions user_cert \ 90 -extensions user_cert \
94 -startdate 060101000000Z \ 91 -startdate 060101000000Z \
95 -enddate 070101000000Z \ 92 -enddate 070101000000Z \
96 -in out/expired_cert.req \ 93 -in out/expired_cert.req \
97 -out out/expired_cert.pem \ 94 -out out/expired_cert.pem \
98 -config ca.cnf 95 -config ca.cnf
99 96
100 CA_NAME="req_ca_dn" \ 97 CA_NAME="req_ca_dn" \
101 try openssl ca \ 98 openssl ca \
102 -batch \ 99 -batch \
103 -extensions user_cert \ 100 -extensions user_cert \
104 -days 3650 \ 101 -days 3650 \
105 -in out/ok_cert.req \ 102 -in out/ok_cert.req \
106 -out out/ok_cert.pem \ 103 -out out/ok_cert.pem \
107 -config ca.cnf 104 -config ca.cnf
108 105
109 CA_DIR="out/int" \ 106 CA_DIR="out/int" \
110 CERT_TYPE="int" \ 107 CERT_TYPE="int" \
111 CA_NAME="req_intermediate_dn" \ 108 CA_NAME="req_intermediate_dn" \
112 try openssl ca \ 109 openssl ca \
113 -batch \ 110 -batch \
114 -extensions user_cert \ 111 -extensions user_cert \
115 -days 3650 \ 112 -days 3650 \
116 -in out/ok_cert.req \ 113 -in out/ok_cert.req \
117 -out out/int/ok_cert.pem \ 114 -out out/int/ok_cert.pem \
118 -config ca.cnf 115 -config ca.cnf
119 116
120 CA_NAME="req_ca_dn" \ 117 CA_NAME="req_ca_dn" \
121 try openssl ca \ 118 openssl ca \
122 -batch \ 119 -batch \
123 -extensions user_cert \ 120 -extensions user_cert \
124 -days 3650 \ 121 -days 3650 \
125 -in out/wildcard.req \ 122 -in out/wildcard.req \
126 -out out/wildcard.pem \ 123 -out out/wildcard.pem \
127 -config ca.cnf 124 -config ca.cnf
128 125
129 CA_NAME="req_ca_dn" \ 126 CA_NAME="req_ca_dn" \
130 try openssl ca \ 127 openssl ca \
131 -batch \ 128 -batch \
132 -extensions name_constraint_bad \ 129 -extensions name_constraint_bad \
133 -subj "/CN=Leaf certificate/" \ 130 -subj "/CN=Leaf certificate/" \
134 -days 3650 \ 131 -days 3650 \
135 -in out/ok_cert.req \ 132 -in out/ok_cert.req \
136 -out out/name_constraint_bad.pem \ 133 -out out/name_constraint_bad.pem \
137 -config ca.cnf 134 -config ca.cnf
138 135
139 CA_NAME="req_ca_dn" \ 136 CA_NAME="req_ca_dn" \
140 try openssl ca \ 137 openssl ca \
141 -batch \ 138 -batch \
142 -extensions name_constraint_good \ 139 -extensions name_constraint_good \
143 -subj "/CN=Leaf Certificate/" \ 140 -subj "/CN=Leaf Certificate/" \
144 -days 3650 \ 141 -days 3650 \
145 -in out/ok_cert.req \ 142 -in out/ok_cert.req \
146 -out out/name_constraint_good.pem \ 143 -out out/name_constraint_good.pem \
147 -config ca.cnf 144 -config ca.cnf
148 145
149 CA_NAME="req_ca_dn" \ 146 CA_NAME="req_ca_dn" \
150 try openssl ca \ 147 openssl ca \
151 -batch \ 148 -batch \
152 -extensions user_cert \ 149 -extensions user_cert \
153 -days 3650 \ 150 -days 3650 \
154 -in out/localhost_cert.req \ 151 -in out/localhost_cert.req \
155 -out out/localhost_cert.pem \ 152 -out out/localhost_cert.pem \
156 -config ca.cnf 153 -config ca.cnf
157 154
158 CA_NAME="req_ca_dn" \ 155 CA_NAME="req_ca_dn" \
159 try openssl ca \ 156 openssl ca \
160 -batch \ 157 -batch \
161 -extensions user_cert \ 158 -extensions user_cert \
162 -subj "/CN=Leaf Certificate/" \ 159 -subj "/CN=Leaf Certificate/" \
163 -startdate 00010101000000Z \ 160 -startdate 00010101000000Z \
164 -enddate 00010101000000Z \ 161 -enddate 00010101000000Z \
165 -in out/ok_cert.req \ 162 -in out/ok_cert.req \
166 -out out/bad_validity.pem \ 163 -out out/bad_validity.pem \
167 -config ca.cnf 164 -config ca.cnf
168 165
169 try /bin/sh -c "cat out/ok_cert.key out/ok_cert.pem \ 166 /bin/sh -c "cat out/ok_cert.key out/ok_cert.pem \
170 > ../certificates/ok_cert.pem" 167 > ../certificates/ok_cert.pem"
171 try /bin/sh -c "cat out/wildcard.key out/wildcard.pem \ 168 /bin/sh -c "cat out/wildcard.key out/wildcard.pem \
172 > ../certificates/wildcard.pem" 169 > ../certificates/wildcard.pem"
173 try /bin/sh -c "cat out/localhost_cert.key out/localhost_cert.pem \ 170 /bin/sh -c "cat out/localhost_cert.key out/localhost_cert.pem \
174 > ../certificates/localhost_cert.pem" 171 > ../certificates/localhost_cert.pem"
175 try /bin/sh -c "cat out/expired_cert.key out/expired_cert.pem \ 172 /bin/sh -c "cat out/expired_cert.key out/expired_cert.pem \
176 > ../certificates/expired_cert.pem" 173 > ../certificates/expired_cert.pem"
177 try /bin/sh -c "cat out/2048-sha256-root.key out/2048-sha256-root.pem \ 174 /bin/sh -c "cat out/2048-sha256-root.key out/2048-sha256-root.pem \
178 > ../certificates/root_ca_cert.pem" 175 > ../certificates/root_ca_cert.pem"
179 try /bin/sh -c "cat out/ok_cert.key out/name_constraint_bad.pem \ 176 /bin/sh -c "cat out/ok_cert.key out/name_constraint_bad.pem \
180 > ../certificates/name_constraint_bad.pem" 177 > ../certificates/name_constraint_bad.pem"
181 try /bin/sh -c "cat out/ok_cert.key out/name_constraint_good.pem \ 178 /bin/sh -c "cat out/ok_cert.key out/name_constraint_good.pem \
182 > ../certificates/name_constraint_good.pem" 179 > ../certificates/name_constraint_good.pem"
183 try /bin/sh -c "cat out/ok_cert.key out/bad_validity.pem \ 180 /bin/sh -c "cat out/ok_cert.key out/bad_validity.pem \
184 > ../certificates/bad_validity.pem" 181 > ../certificates/bad_validity.pem"
185 try /bin/sh -c "cat out/ok_cert.key out/int/ok_cert.pem \ 182 /bin/sh -c "cat out/ok_cert.key out/int/ok_cert.pem \
186 > ../certificates/ok_cert_by_intermediate.pem" 183 > ../certificates/ok_cert_by_intermediate.pem"
187 try /bin/sh -c "cat out/int/2048-sha256-int.key out/int/2048-sha256-int.pem \ 184 /bin/sh -c "cat out/int/2048-sha256-int.key out/int/2048-sha256-int.pem \
188 > ../certificates/intermediate_ca_cert.pem" 185 > ../certificates/intermediate_ca_cert.pem"
189 try /bin/sh -c "cat out/int/ok_cert.pem out/int/2048-sha256-int.pem \ 186 /bin/sh -c "cat out/int/ok_cert.pem out/int/2048-sha256-int.pem \
190 out/2048-sha256-root.pem \ 187 out/2048-sha256-root.pem \
191 > ../certificates/x509_verify_results.chain.pem" 188 > ../certificates/x509_verify_results.chain.pem"
192 189
193 # Now generate the one-off certs 190 # Now generate the one-off certs
194 ## Self-signed cert for SPDY/QUIC/HTTP2 pooling testing 191 ## Self-signed cert for SPDY/QUIC/HTTP2 pooling testing
195 try openssl req -x509 -days 3650 -extensions req_spdy_pooling \ 192 openssl req -x509 -days 3650 -extensions req_spdy_pooling \
196 -config ../scripts/ee.cnf -newkey rsa:2048 -text \ 193 -config ../scripts/ee.cnf -newkey rsa:2048 -text \
197 -out ../certificates/spdy_pooling.pem 194 -out ../certificates/spdy_pooling.pem
198 195
199 ## SubjectAltName parsing 196 ## SubjectAltName parsing
200 try openssl req -x509 -days 3650 -extensions req_san_sanity \ 197 openssl req -x509 -days 3650 -extensions req_san_sanity \
201 -config ../scripts/ee.cnf -newkey rsa:2048 -text \ 198 -config ../scripts/ee.cnf -newkey rsa:2048 -text \
202 -out ../certificates/subjectAltName_sanity_check.pem 199 -out ../certificates/subjectAltName_sanity_check.pem
203 200
204 ## SubjectAltName containing www.example.com 201 ## SubjectAltName containing www.example.com
205 try openssl req -x509 -days 3650 -extensions req_san_example \ 202 openssl req -x509 -days 3650 -extensions req_san_example \
206 -config ../scripts/ee.cnf -newkey rsa:2048 -text \ 203 -config ../scripts/ee.cnf -newkey rsa:2048 -text \
207 -out ../certificates/subjectAltName_www_example_com.pem 204 -out ../certificates/subjectAltName_www_example_com.pem
208 205
209 ## Punycode handling 206 ## Punycode handling
210 SUBJECT_NAME="req_punycode_dn" \ 207 SUBJECT_NAME="req_punycode_dn" \
211 try openssl req -x509 -days 3650 -extensions req_punycode \ 208 openssl req -x509 -days 3650 -extensions req_punycode \
212 -config ../scripts/ee.cnf -newkey rsa:2048 -text \ 209 -config ../scripts/ee.cnf -newkey rsa:2048 -text \
213 -out ../certificates/punycodetest.pem 210 -out ../certificates/punycodetest.pem
214 211
215 ## Reject intranet hostnames in "publicly" trusted certs 212 ## Reject intranet hostnames in "publicly" trusted certs
216 # 365 * 3 = 1095 213 # 365 * 3 = 1095
217 SUBJECT_NAME="req_intranet_dn" \ 214 SUBJECT_NAME="req_intranet_dn" \
218 try openssl req -x509 -days 1095 -extensions req_intranet_san \ 215 openssl req -x509 -days 1095 -extensions req_intranet_san \
219 -config ../scripts/ee.cnf -newkey rsa:2048 -text \ 216 -config ../scripts/ee.cnf -newkey rsa:2048 -text \
220 -out ../certificates/reject_intranet_hosts.pem 217 -out ../certificates/reject_intranet_hosts.pem
221 218
222 ## Leaf certificate with a large key; Apple's certificate verifier rejects with 219 ## Leaf certificate with a large key; Apple's certificate verifier rejects with
223 ## a fatal error if the key is bigger than 8192 bits. 220 ## a fatal error if the key is bigger than 8192 bits.
224 try openssl req -x509 -days 3650 \ 221 openssl req -x509 -days 3650 \
225 -config ../scripts/ee.cnf -newkey rsa:8200 -text \ 222 -config ../scripts/ee.cnf -newkey rsa:8200 -text \
226 -sha256 \ 223 -sha256 \
227 -out ../certificates/large_key.pem 224 -out ../certificates/large_key.pem
228 225
229 ## SHA1 certificate expiring in 2016. 226 ## SHA1 certificate expiring in 2016.
230 try openssl req -config ../scripts/ee.cnf \ 227 openssl req -config ../scripts/ee.cnf \
231 -newkey rsa:2048 -text -out out/sha1_2016.req 228 -newkey rsa:2048 -text -out out/sha1_2016.req
232 CA_NAME="req_ca_dn" \ 229 CA_NAME="req_ca_dn" \
233 try openssl ca \ 230 openssl ca \
234 -batch \ 231 -batch \
235 -extensions user_cert \ 232 -extensions user_cert \
236 -startdate 081030000000Z \ 233 -startdate 081030000000Z \
237 -enddate 161230000000Z \ 234 -enddate 161230000000Z \
238 -in out/sha1_2016.req \ 235 -in out/sha1_2016.req \
239 -out ../certificates/sha1_2016.pem \ 236 -out ../certificates/sha1_2016.pem \
240 -config ca.cnf \ 237 -config ca.cnf \
241 -md sha1 238 -md sha1
242 239
243 ## SHA1 certificate issued the last second before the SHA-1 deprecation date. 240 ## SHA1 certificate issued the last second before the SHA-1 deprecation date.
244 try openssl req -config ../scripts/ee.cnf \ 241 openssl req -config ../scripts/ee.cnf \
245 -newkey rsa:2048 -text -out out/sha1_dec_2015.req 242 -newkey rsa:2048 -text -out out/sha1_dec_2015.req
246 CA_NAME="req_ca_dn" \ 243 CA_NAME="req_ca_dn" \
247 try openssl ca \ 244 openssl ca \
248 -batch \ 245 -batch \
249 -extensions user_cert \ 246 -extensions user_cert \
250 -startdate 151231235959Z \ 247 -startdate 151231235959Z \
251 -enddate 161230000000Z \ 248 -enddate 161230000000Z \
252 -in out/sha1_dec_2015.req \ 249 -in out/sha1_dec_2015.req \
253 -out ../certificates/sha1_dec_2015.pem \ 250 -out ../certificates/sha1_dec_2015.pem \
254 -config ca.cnf \ 251 -config ca.cnf \
255 -md sha1 252 -md sha1
256 253
257 ## SHA1 certificate issued on the SHA-1 deprecation date. 254 ## SHA1 certificate issued on the SHA-1 deprecation date.
258 try openssl req -config ../scripts/ee.cnf \ 255 openssl req -config ../scripts/ee.cnf \
259 -newkey rsa:2048 -text -out out/sha1_jan_2016.req 256 -newkey rsa:2048 -text -out out/sha1_jan_2016.req
260 CA_NAME="req_ca_dn" \ 257 CA_NAME="req_ca_dn" \
261 try openssl ca \ 258 openssl ca \
262 -batch \ 259 -batch \
263 -extensions user_cert \ 260 -extensions user_cert \
264 -startdate 160101000000Z \ 261 -startdate 160101000000Z \
265 -enddate 161230000000Z \ 262 -enddate 161230000000Z \
266 -in out/sha1_jan_2016.req \ 263 -in out/sha1_jan_2016.req \
267 -out ../certificates/sha1_jan_2016.pem \ 264 -out ../certificates/sha1_jan_2016.pem \
268 -config ca.cnf \ 265 -config ca.cnf \
269 -md sha1 266 -md sha1
270 267
271 ## Validity too long unit test support. 268 ## Validity too long unit test support.
272 try openssl req -config ../scripts/ee.cnf \ 269 openssl req -config ../scripts/ee.cnf \
273 -newkey rsa:2048 -text -out out/10_year_validity.req 270 -newkey rsa:2048 -text -out out/10_year_validity.req
274 CA_NAME="req_ca_dn" \ 271 CA_NAME="req_ca_dn" \
275 try openssl ca \ 272 openssl ca \
276 -batch \ 273 -batch \
277 -extensions user_cert \ 274 -extensions user_cert \
278 -startdate 081030000000Z \ 275 -startdate 081030000000Z \
279 -enddate 181029000000Z \ 276 -enddate 181029000000Z \
280 -in out/10_year_validity.req \ 277 -in out/10_year_validity.req \
281 -out ../certificates/10_year_validity.pem \ 278 -out ../certificates/10_year_validity.pem \
282 -config ca.cnf 279 -config ca.cnf
283 # 365 * 11 = 4015 280 # 365 * 11 = 4015
284 try openssl req -config ../scripts/ee.cnf \ 281 openssl req -config ../scripts/ee.cnf \
285 -newkey rsa:2048 -text -out out/11_year_validity.req 282 -newkey rsa:2048 -text -out out/11_year_validity.req
286 CA_NAME="req_ca_dn" \ 283 CA_NAME="req_ca_dn" \
287 try openssl ca \ 284 openssl ca \
288 -batch \ 285 -batch \
289 -extensions user_cert \ 286 -extensions user_cert \
290 -startdate 141030000000Z \ 287 -startdate 141030000000Z \
291 -days 4015 \ 288 -days 4015 \
292 -in out/11_year_validity.req \ 289 -in out/11_year_validity.req \
293 -out ../certificates/11_year_validity.pem \ 290 -out ../certificates/11_year_validity.pem \
294 -config ca.cnf 291 -config ca.cnf
295 try openssl req -config ../scripts/ee.cnf \ 292 openssl req -config ../scripts/ee.cnf \
296 -newkey rsa:2048 -text -out out/39_months_after_2015_04.req 293 -newkey rsa:2048 -text -out out/39_months_after_2015_04.req
297 CA_NAME="req_ca_dn" \ 294 CA_NAME="req_ca_dn" \
298 try openssl ca \ 295 openssl ca \
299 -batch \ 296 -batch \
300 -extensions user_cert \ 297 -extensions user_cert \
301 -startdate 150402000000Z \ 298 -startdate 150402000000Z \
302 -enddate 180702000000Z \ 299 -enddate 180702000000Z \
303 -in out/39_months_after_2015_04.req \ 300 -in out/39_months_after_2015_04.req \
304 -out ../certificates/39_months_after_2015_04.pem \ 301 -out ../certificates/39_months_after_2015_04.pem \
305 -config ca.cnf 302 -config ca.cnf
306 try openssl req -config ../scripts/ee.cnf \ 303 openssl req -config ../scripts/ee.cnf \
307 -newkey rsa:2048 -text -out out/40_months_after_2015_04.req 304 -newkey rsa:2048 -text -out out/40_months_after_2015_04.req
308 CA_NAME="req_ca_dn" \ 305 CA_NAME="req_ca_dn" \
309 try openssl ca \ 306 openssl ca \
310 -batch \ 307 -batch \
311 -extensions user_cert \ 308 -extensions user_cert \
312 -startdate 150402000000Z \ 309 -startdate 150402000000Z \
313 -enddate 180801000000Z \ 310 -enddate 180801000000Z \
314 -in out/40_months_after_2015_04.req \ 311 -in out/40_months_after_2015_04.req \
315 -out ../certificates/40_months_after_2015_04.pem \ 312 -out ../certificates/40_months_after_2015_04.pem \
316 -config ca.cnf 313 -config ca.cnf
317 try openssl req -config ../scripts/ee.cnf \ 314 openssl req -config ../scripts/ee.cnf \
318 -newkey rsa:2048 -text -out out/60_months_after_2012_07.req 315 -newkey rsa:2048 -text -out out/60_months_after_2012_07.req
319 CA_NAME="req_ca_dn" \ 316 CA_NAME="req_ca_dn" \
320 try openssl ca \ 317 openssl ca \
321 -batch \ 318 -batch \
322 -extensions user_cert \ 319 -extensions user_cert \
323 -startdate 141030000000Z \ 320 -startdate 141030000000Z \
324 -enddate 190930000000Z \ 321 -enddate 190930000000Z \
325 -in out/60_months_after_2012_07.req \ 322 -in out/60_months_after_2012_07.req \
326 -out ../certificates/60_months_after_2012_07.pem \ 323 -out ../certificates/60_months_after_2012_07.pem \
327 -config ca.cnf 324 -config ca.cnf
328 try openssl req -config ../scripts/ee.cnf \ 325 openssl req -config ../scripts/ee.cnf \
329 -newkey rsa:2048 -text -out out/61_months_after_2012_07.req 326 -newkey rsa:2048 -text -out out/61_months_after_2012_07.req
330 # 30 * 61 = 1830 327 # 30 * 61 = 1830
331 CA_NAME="req_ca_dn" \ 328 CA_NAME="req_ca_dn" \
332 try openssl ca \ 329 openssl ca \
333 -batch \ 330 -batch \
334 -extensions user_cert \ 331 -extensions user_cert \
335 -startdate 141030000000Z \ 332 -startdate 141030000000Z \
336 -days 1830 \ 333 -days 1830 \
337 -in out/61_months_after_2012_07.req \ 334 -in out/61_months_after_2012_07.req \
338 -out ../certificates/61_months_after_2012_07.pem \ 335 -out ../certificates/61_months_after_2012_07.pem \
339 -config ca.cnf 336 -config ca.cnf
340 # start date after expiry date 337 # start date after expiry date
341 try openssl req -config ../scripts/ee.cnf \ 338 openssl req -config ../scripts/ee.cnf \
342 -newkey rsa:2048 -text -out out/start_after_expiry.req 339 -newkey rsa:2048 -text -out out/start_after_expiry.req
343 CA_NAME="req_ca_dn" \ 340 CA_NAME="req_ca_dn" \
344 try openssl ca \ 341 openssl ca \
345 -batch \ 342 -batch \
346 -extensions user_cert \ 343 -extensions user_cert \
347 -startdate 180901000000Z \ 344 -startdate 180901000000Z \
348 -enddate 150402000000Z \ 345 -enddate 150402000000Z \
349 -in out/start_after_expiry.req \ 346 -in out/start_after_expiry.req \
350 -out ../certificates/start_after_expiry.pem \ 347 -out ../certificates/start_after_expiry.pem \
351 -config ca.cnf 348 -config ca.cnf
352 try openssl req -config ../scripts/ee.cnf \ 349 openssl req -config ../scripts/ee.cnf \
353 -newkey rsa:2048 -text -out out/start_after_expiry.req 350 -newkey rsa:2048 -text -out out/start_after_expiry.req
354 # Issued pre-BRs, lifetime < 120 months, expires before 2019-07-01 351 # Issued pre-BRs, lifetime < 120 months, expires before 2019-07-01
355 try openssl req -config ../scripts/ee.cnf \ 352 openssl req -config ../scripts/ee.cnf \
356 -newkey rsa:2048 -text -out out/pre_br_validity_ok.req 353 -newkey rsa:2048 -text -out out/pre_br_validity_ok.req
357 CA_NAME="req_ca_dn" \ 354 CA_NAME="req_ca_dn" \
358 try openssl ca \ 355 openssl ca \
359 -batch \ 356 -batch \
360 -extensions user_cert \ 357 -extensions user_cert \
361 -startdate 080101000000Z \ 358 -startdate 080101000000Z \
362 -enddate 150101000000Z \ 359 -enddate 150101000000Z \
363 -in out/pre_br_validity_ok.req \ 360 -in out/pre_br_validity_ok.req \
364 -out ../certificates/pre_br_validity_ok.pem \ 361 -out ../certificates/pre_br_validity_ok.pem \
365 -config ca.cnf 362 -config ca.cnf
366 try openssl req -config ../scripts/ee.cnf \ 363 openssl req -config ../scripts/ee.cnf \
367 -newkey rsa:2048 -text -out out/pre_br_validity_ok.req 364 -newkey rsa:2048 -text -out out/pre_br_validity_ok.req
368 # Issued pre-BRs, lifetime > 120 months, expires before 2019-07-01 365 # Issued pre-BRs, lifetime > 120 months, expires before 2019-07-01
369 try openssl req -config ../scripts/ee.cnf \ 366 openssl req -config ../scripts/ee.cnf \
370 -newkey rsa:2048 -text -out out/pre_br_validity_bad_121.req 367 -newkey rsa:2048 -text -out out/pre_br_validity_bad_121.req
371 CA_NAME="req_ca_dn" \ 368 CA_NAME="req_ca_dn" \
372 try openssl ca \ 369 openssl ca \
373 -batch \ 370 -batch \
374 -extensions user_cert \ 371 -extensions user_cert \
375 -startdate 080101000000Z \ 372 -startdate 080101000000Z \
376 -enddate 180501000000Z \ 373 -enddate 180501000000Z \
377 -in out/pre_br_validity_bad_121.req \ 374 -in out/pre_br_validity_bad_121.req \
378 -out ../certificates/pre_br_validity_bad_121.pem \ 375 -out ../certificates/pre_br_validity_bad_121.pem \
379 -config ca.cnf 376 -config ca.cnf
380 try openssl req -config ../scripts/ee.cnf \ 377 openssl req -config ../scripts/ee.cnf \
381 -newkey rsa:2048 -text -out out/pre_br_validity_bad_121.req 378 -newkey rsa:2048 -text -out out/pre_br_validity_bad_121.req
382 # Issued pre-BRs, lifetime < 120 months, expires after 2019-07-01 379 # Issued pre-BRs, lifetime < 120 months, expires after 2019-07-01
383 try openssl req -config ../scripts/ee.cnf \ 380 openssl req -config ../scripts/ee.cnf \
384 -newkey rsa:2048 -text -out out/pre_br_validity_bad_2020.req 381 -newkey rsa:2048 -text -out out/pre_br_validity_bad_2020.req
385 CA_NAME="req_ca_dn" \ 382 CA_NAME="req_ca_dn" \
386 try openssl ca \ 383 openssl ca \
387 -batch \ 384 -batch \
388 -extensions user_cert \ 385 -extensions user_cert \
389 -startdate 120501000000Z \ 386 -startdate 120501000000Z \
390 -enddate 190703000000Z \ 387 -enddate 190703000000Z \
391 -in out/pre_br_validity_bad_2020.req \ 388 -in out/pre_br_validity_bad_2020.req \
392 -out ../certificates/pre_br_validity_bad_2020.pem \ 389 -out ../certificates/pre_br_validity_bad_2020.pem \
393 -config ca.cnf 390 -config ca.cnf
394 391
395 # Issued prior to 1 June 2016 (Symantec CT Enforcement Date) 392 # Issued prior to 1 June 2016 (Symantec CT Enforcement Date)
396 try openssl req -config ../scripts/ee.cnf \ 393 openssl req -config ../scripts/ee.cnf \
397 -newkey rsa:2048 -text -out out/pre_june_2016.req 394 -newkey rsa:2048 -text -out out/pre_june_2016.req
398 CA_NAME="req_ca_dn" \ 395 CA_NAME="req_ca_dn" \
399 try openssl ca \ 396 openssl ca \
400 -batch \ 397 -batch \
401 -extensions user_cert \ 398 -extensions user_cert \
402 -startdate 160501000000Z \ 399 -startdate 160501000000Z \
403 -enddate 170703000000Z \ 400 -enddate 170703000000Z \
404 -in out/pre_june_2016.req \ 401 -in out/pre_june_2016.req \
405 -out ../certificates/pre_june_2016.pem \ 402 -out ../certificates/pre_june_2016.pem \
406 -config ca.cnf 403 -config ca.cnf
407 404
408 # Issued after 1 June 2016 (Symantec CT Enforcement Date) 405 # Issued after 1 June 2016 (Symantec CT Enforcement Date)
409 try openssl req -config ../scripts/ee.cnf \ 406 openssl req -config ../scripts/ee.cnf \
410 -newkey rsa:2048 -text -out out/post_june_2016.req 407 -newkey rsa:2048 -text -out out/post_june_2016.req
411 CA_NAME="req_ca_dn" \ 408 CA_NAME="req_ca_dn" \
412 try openssl ca \ 409 openssl ca \
413 -batch \ 410 -batch \
414 -extensions user_cert \ 411 -extensions user_cert \
415 -startdate 160601000000Z \ 412 -startdate 160601000000Z \
416 -enddate 170703000000Z \ 413 -enddate 170703000000Z \
417 -in out/post_june_2016.req \ 414 -in out/post_june_2016.req \
418 -out ../certificates/post_june_2016.pem \ 415 -out ../certificates/post_june_2016.pem \
419 -config ca.cnf 416 -config ca.cnf
420 417
421 # Includes the TLS feature extension 418 # Includes the TLS feature extension
422 try openssl req -x509 -newkey rsa:2048 \ 419 openssl req -x509 -newkey rsa:2048 \
423 -keyout out/tls_feature_extension.key \ 420 -keyout out/tls_feature_extension.key \
424 -out ../certificates/tls_feature_extension.pem \ 421 -out ../certificates/tls_feature_extension.pem \
425 -days 365 \ 422 -days 365 \
426 -extensions req_extensions_with_tls_feature \ 423 -extensions req_extensions_with_tls_feature \
427 -nodes -config ee.cnf 424 -nodes -config ee.cnf
428 425
429 426
430 # Regenerate CRLSets 427 # Regenerate CRLSets
431 ## Block a leaf cert directly by SPKI 428 ## Block a leaf cert directly by SPKI
432 try python crlsetutil.py -o ../certificates/crlset_by_leaf_spki.raw \ 429 python crlsetutil.py -o ../certificates/crlset_by_leaf_spki.raw \
433 <<CRLBYLEAFSPKI 430 <<CRLBYLEAFSPKI
434 { 431 {
435 "BlockedBySPKI": ["../certificates/ok_cert.pem"] 432 "BlockedBySPKI": ["../certificates/ok_cert.pem"]
436 } 433 }
437 CRLBYLEAFSPKI 434 CRLBYLEAFSPKI
438 435
439 ## Block a leaf cert by issuer-hash-and-serial (ok_cert.pem == serial 3, by 436 ## Block a leaf cert by issuer-hash-and-serial (ok_cert.pem == serial 3, by
440 ## virtue of the serial file and ordering above. 437 ## virtue of the serial file and ordering above.
441 try python crlsetutil.py -o ../certificates/crlset_by_root_serial.raw \ 438 python crlsetutil.py -o ../certificates/crlset_by_root_serial.raw \
442 <<CRLBYROOTSERIAL 439 <<CRLBYROOTSERIAL
443 { 440 {
444 "BlockedByHash": { 441 "BlockedByHash": {
445 "../certificates/root_ca_cert.pem": [3] 442 "../certificates/root_ca_cert.pem": [3]
446 } 443 }
447 } 444 }
448 CRLBYROOTSERIAL 445 CRLBYROOTSERIAL
449 446
450 ## Block a leaf cert by issuer-hash-and-serial. However, this will be issued 447 ## Block a leaf cert by issuer-hash-and-serial. However, this will be issued
451 ## from an intermediate CA issued underneath a root. 448 ## from an intermediate CA issued underneath a root.
452 try python crlsetutil.py -o ../certificates/crlset_by_intermediate_serial.raw \ 449 python crlsetutil.py -o ../certificates/crlset_by_intermediate_serial.raw \
453 <<CRLSETBYINTERMEDIATESERIAL 450 <<CRLSETBYINTERMEDIATESERIAL
454 { 451 {
455 "BlockedByHash": { 452 "BlockedByHash": {
456 "../certificates/intermediate_ca_cert.pem": [1] 453 "../certificates/intermediate_ca_cert.pem": [1]
457 } 454 }
458 } 455 }
459 CRLSETBYINTERMEDIATESERIAL 456 CRLSETBYINTERMEDIATESERIAL
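Review bot: Now that `set -e` replaces the `try` wrapper, the `/bin/sh -c "echo 01 > …"` and `/bin/sh -c "cat … > …"` indirections (new lines 15, 39 and the concatenation run at 166–188) are dead weight: they only existed so `try` could wrap a redirection, and a failed `cat` or redirect already aborts the script under `-e`, so they can become plain `echo 01 > out/2048-sha256-root-serial` and `cat out/ok_cert.key out/ok_cert.pem > ../certificates/ok_cert.pem`. One caveat worth a comment or guard: every path in the script is relative (`ca.cnf`, `ee.cnf`, `../certificates/`), and `rm -rf out` on new line 11 runs before any of them is touched, so invoking the script from the wrong directory deletes an unrelated `out/` and only then fails on the first `openssl … -config ca.cnf`; a `cd "$(dirname "$0")"` ahead of `rm -rf out` would make the fail-fast behaviour safe. Unrelated to this change but visible on the new side, the extra `openssl req … -out out/start_after_expiry.req` / `pre_br_validity_ok.req` / `pre_br_validity_bad_121.req` invocations after each `openssl ca` regenerate a request that nothing reads and could be dropped.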