| Index: net/data/ssl/scripts/generate-test-certs.sh
|
| diff --git a/net/data/ssl/scripts/generate-test-certs.sh b/net/data/ssl/scripts/generate-test-certs.sh
|
| index abb9bd1a430853feebcbf0ccaa4a69a14719aac9..ca8a3ca7ea6917e208d1cafbe728be6bd33f3e11 100755
|
| --- a/net/data/ssl/scripts/generate-test-certs.sh
|
| +++ b/net/data/ssl/scripts/generate-test-certs.sh
|
| @@ -6,31 +6,28 @@
|
|
|
| # This script generates a set of test (end-entity, intermediate, root)
|
| # certificates that can be used to test fetching of an intermediate via AIA.
|
| +set -e -x
|
|
|
| -try() {
|
| - "$@" || (e=$?; echo "$@" > /dev/stderr; exit $e)
|
| -}
|
| -
|
| -try rm -rf out
|
| -try mkdir out
|
| -try mkdir out/int
|
| +rm -rf out
|
| +mkdir out
|
| +mkdir out/int
|
|
|
| -try /bin/sh -c "echo 01 > out/2048-sha256-root-serial"
|
| +/bin/sh -c "echo 01 > out/2048-sha256-root-serial"
|
| touch out/2048-sha256-root-index.txt
|
|
|
| # Generate the key
|
| -try openssl genrsa -out out/2048-sha256-root.key 2048
|
| +openssl genrsa -out out/2048-sha256-root.key 2048
|
|
|
| # Generate the root certificate
|
| CA_NAME="req_ca_dn" \
|
| - try openssl req \
|
| + openssl req \
|
| -new \
|
| -key out/2048-sha256-root.key \
|
| -out out/2048-sha256-root.req \
|
| -config ca.cnf
|
|
|
| CA_NAME="req_ca_dn" \
|
| - try openssl x509 \
|
| + openssl x509 \
|
| -req -days 3650 \
|
| -in out/2048-sha256-root.req \
|
| -signkey out/2048-sha256-root.key \
|
| @@ -39,18 +36,18 @@ CA_NAME="req_ca_dn" \
|
| -text > out/2048-sha256-root.pem
|
|
|
| # Generate the test intermediate
|
| -try /bin/sh -c "echo 01 > out/int/2048-sha256-int-serial"
|
| +/bin/sh -c "echo 01 > out/int/2048-sha256-int-serial"
|
| touch out/int/2048-sha256-int-index.txt
|
|
|
| CA_NAME="req_intermediate_dn" \
|
| - try openssl req \
|
| + openssl req \
|
| -new \
|
| -keyout out/int/2048-sha256-int.key \
|
| -out out/int/2048-sha256-int.req \
|
| -config ca.cnf
|
|
|
| CA_NAME="req_intermediate_dn" \
|
| - try openssl ca \
|
| + openssl ca \
|
| -batch \
|
| -extensions ca_cert \
|
| -days 3650 \
|
| @@ -59,27 +56,27 @@ CA_NAME="req_intermediate_dn" \
|
| -config ca.cnf
|
|
|
| # Generate the leaf certificate requests
|
| -try openssl req \
|
| +openssl req \
|
| -new \
|
| -keyout out/expired_cert.key \
|
| -out out/expired_cert.req \
|
| -config ee.cnf
|
|
|
| -try openssl req \
|
| +openssl req \
|
| -new \
|
| -keyout out/ok_cert.key \
|
| -out out/ok_cert.req \
|
| -config ee.cnf
|
|
|
| -try openssl req \
|
| +openssl req \
|
| -new \
|
| -keyout out/wildcard.key \
|
| -out out/wildcard.req \
|
| -reqexts req_wildcard \
|
| -config ee.cnf
|
|
|
| -SUBJECT_NAME=req_localhost_cn \
|
| -try openssl req \
|
| +SUBJECT_NAME="req_localhost_cn" \
|
| +openssl req \
|
| -new \
|
| -keyout out/localhost_cert.key \
|
| -out out/localhost_cert.req \
|
| @@ -88,7 +85,7 @@ try openssl req \
|
|
|
| # Generate the leaf certificates
|
| CA_NAME="req_ca_dn" \
|
| - try openssl ca \
|
| + openssl ca \
|
| -batch \
|
| -extensions user_cert \
|
| -startdate 060101000000Z \
|
| @@ -98,7 +95,7 @@ CA_NAME="req_ca_dn" \
|
| -config ca.cnf
|
|
|
| CA_NAME="req_ca_dn" \
|
| - try openssl ca \
|
| + openssl ca \
|
| -batch \
|
| -extensions user_cert \
|
| -days 3650 \
|
| @@ -109,7 +106,7 @@ CA_NAME="req_ca_dn" \
|
| CA_DIR="out/int" \
|
| CERT_TYPE="int" \
|
| CA_NAME="req_intermediate_dn" \
|
| - try openssl ca \
|
| + openssl ca \
|
| -batch \
|
| -extensions user_cert \
|
| -days 3650 \
|
| @@ -118,7 +115,7 @@ CA_NAME="req_intermediate_dn" \
|
| -config ca.cnf
|
|
|
| CA_NAME="req_ca_dn" \
|
| - try openssl ca \
|
| + openssl ca \
|
| -batch \
|
| -extensions user_cert \
|
| -days 3650 \
|
| @@ -127,7 +124,7 @@ CA_NAME="req_ca_dn" \
|
| -config ca.cnf
|
|
|
| CA_NAME="req_ca_dn" \
|
| - try openssl ca \
|
| + openssl ca \
|
| -batch \
|
| -extensions name_constraint_bad \
|
| -subj "/CN=Leaf certificate/" \
|
| @@ -137,7 +134,7 @@ CA_NAME="req_ca_dn" \
|
| -config ca.cnf
|
|
|
| CA_NAME="req_ca_dn" \
|
| - try openssl ca \
|
| + openssl ca \
|
| -batch \
|
| -extensions name_constraint_good \
|
| -subj "/CN=Leaf Certificate/" \
|
| @@ -147,7 +144,7 @@ CA_NAME="req_ca_dn" \
|
| -config ca.cnf
|
|
|
| CA_NAME="req_ca_dn" \
|
| - try openssl ca \
|
| + openssl ca \
|
| -batch \
|
| -extensions user_cert \
|
| -days 3650 \
|
| @@ -156,7 +153,7 @@ CA_NAME="req_ca_dn" \
|
| -config ca.cnf
|
|
|
| CA_NAME="req_ca_dn" \
|
| - try openssl ca \
|
| + openssl ca \
|
| -batch \
|
| -extensions user_cert \
|
| -subj "/CN=Leaf Certificate/" \
|
| @@ -166,71 +163,71 @@ CA_NAME="req_ca_dn" \
|
| -out out/bad_validity.pem \
|
| -config ca.cnf
|
|
|
| -try /bin/sh -c "cat out/ok_cert.key out/ok_cert.pem \
|
| +/bin/sh -c "cat out/ok_cert.key out/ok_cert.pem \
|
| > ../certificates/ok_cert.pem"
|
| -try /bin/sh -c "cat out/wildcard.key out/wildcard.pem \
|
| +/bin/sh -c "cat out/wildcard.key out/wildcard.pem \
|
| > ../certificates/wildcard.pem"
|
| -try /bin/sh -c "cat out/localhost_cert.key out/localhost_cert.pem \
|
| +/bin/sh -c "cat out/localhost_cert.key out/localhost_cert.pem \
|
| > ../certificates/localhost_cert.pem"
|
| -try /bin/sh -c "cat out/expired_cert.key out/expired_cert.pem \
|
| +/bin/sh -c "cat out/expired_cert.key out/expired_cert.pem \
|
| > ../certificates/expired_cert.pem"
|
| -try /bin/sh -c "cat out/2048-sha256-root.key out/2048-sha256-root.pem \
|
| +/bin/sh -c "cat out/2048-sha256-root.key out/2048-sha256-root.pem \
|
| > ../certificates/root_ca_cert.pem"
|
| -try /bin/sh -c "cat out/ok_cert.key out/name_constraint_bad.pem \
|
| +/bin/sh -c "cat out/ok_cert.key out/name_constraint_bad.pem \
|
| > ../certificates/name_constraint_bad.pem"
|
| -try /bin/sh -c "cat out/ok_cert.key out/name_constraint_good.pem \
|
| +/bin/sh -c "cat out/ok_cert.key out/name_constraint_good.pem \
|
| > ../certificates/name_constraint_good.pem"
|
| -try /bin/sh -c "cat out/ok_cert.key out/bad_validity.pem \
|
| +/bin/sh -c "cat out/ok_cert.key out/bad_validity.pem \
|
| > ../certificates/bad_validity.pem"
|
| -try /bin/sh -c "cat out/ok_cert.key out/int/ok_cert.pem \
|
| +/bin/sh -c "cat out/ok_cert.key out/int/ok_cert.pem \
|
| > ../certificates/ok_cert_by_intermediate.pem"
|
| -try /bin/sh -c "cat out/int/2048-sha256-int.key out/int/2048-sha256-int.pem \
|
| +/bin/sh -c "cat out/int/2048-sha256-int.key out/int/2048-sha256-int.pem \
|
| > ../certificates/intermediate_ca_cert.pem"
|
| -try /bin/sh -c "cat out/int/ok_cert.pem out/int/2048-sha256-int.pem \
|
| +/bin/sh -c "cat out/int/ok_cert.pem out/int/2048-sha256-int.pem \
|
| out/2048-sha256-root.pem \
|
| > ../certificates/x509_verify_results.chain.pem"
|
|
|
| # Now generate the one-off certs
|
| ## Self-signed cert for SPDY/QUIC/HTTP2 pooling testing
|
| -try openssl req -x509 -days 3650 -extensions req_spdy_pooling \
|
| +openssl req -x509 -days 3650 -extensions req_spdy_pooling \
|
| -config ../scripts/ee.cnf -newkey rsa:2048 -text \
|
| -out ../certificates/spdy_pooling.pem
|
|
|
| ## SubjectAltName parsing
|
| -try openssl req -x509 -days 3650 -extensions req_san_sanity \
|
| +openssl req -x509 -days 3650 -extensions req_san_sanity \
|
| -config ../scripts/ee.cnf -newkey rsa:2048 -text \
|
| -out ../certificates/subjectAltName_sanity_check.pem
|
|
|
| ## SubjectAltName containing www.example.com
|
| -try openssl req -x509 -days 3650 -extensions req_san_example \
|
| +openssl req -x509 -days 3650 -extensions req_san_example \
|
| -config ../scripts/ee.cnf -newkey rsa:2048 -text \
|
| -out ../certificates/subjectAltName_www_example_com.pem
|
|
|
| ## Punycode handling
|
| SUBJECT_NAME="req_punycode_dn" \
|
| - try openssl req -x509 -days 3650 -extensions req_punycode \
|
| + openssl req -x509 -days 3650 -extensions req_punycode \
|
| -config ../scripts/ee.cnf -newkey rsa:2048 -text \
|
| -out ../certificates/punycodetest.pem
|
|
|
| ## Reject intranet hostnames in "publicly" trusted certs
|
| # 365 * 3 = 1095
|
| SUBJECT_NAME="req_intranet_dn" \
|
| - try openssl req -x509 -days 1095 -extensions req_intranet_san \
|
| + openssl req -x509 -days 1095 -extensions req_intranet_san \
|
| -config ../scripts/ee.cnf -newkey rsa:2048 -text \
|
| -out ../certificates/reject_intranet_hosts.pem
|
|
|
| ## Leaf certificate with a large key; Apple's certificate verifier rejects with
|
| ## a fatal error if the key is bigger than 8192 bits.
|
| -try openssl req -x509 -days 3650 \
|
| +openssl req -x509 -days 3650 \
|
| -config ../scripts/ee.cnf -newkey rsa:8200 -text \
|
| -sha256 \
|
| -out ../certificates/large_key.pem
|
|
|
| ## SHA1 certificate expiring in 2016.
|
| -try openssl req -config ../scripts/ee.cnf \
|
| +openssl req -config ../scripts/ee.cnf \
|
| -newkey rsa:2048 -text -out out/sha1_2016.req
|
| CA_NAME="req_ca_dn" \
|
| - try openssl ca \
|
| + openssl ca \
|
| -batch \
|
| -extensions user_cert \
|
| -startdate 081030000000Z \
|
| @@ -241,10 +238,10 @@ CA_NAME="req_ca_dn" \
|
| -md sha1
|
|
|
| ## SHA1 certificate issued the last second before the SHA-1 deprecation date.
|
| -try openssl req -config ../scripts/ee.cnf \
|
| +openssl req -config ../scripts/ee.cnf \
|
| -newkey rsa:2048 -text -out out/sha1_dec_2015.req
|
| CA_NAME="req_ca_dn" \
|
| - try openssl ca \
|
| + openssl ca \
|
| -batch \
|
| -extensions user_cert \
|
| -startdate 151231235959Z \
|
| @@ -255,10 +252,10 @@ CA_NAME="req_ca_dn" \
|
| -md sha1
|
|
|
| ## SHA1 certificate issued on the SHA-1 deprecation date.
|
| -try openssl req -config ../scripts/ee.cnf \
|
| +openssl req -config ../scripts/ee.cnf \
|
| -newkey rsa:2048 -text -out out/sha1_jan_2016.req
|
| CA_NAME="req_ca_dn" \
|
| - try openssl ca \
|
| + openssl ca \
|
| -batch \
|
| -extensions user_cert \
|
| -startdate 160101000000Z \
|
| @@ -269,10 +266,10 @@ CA_NAME="req_ca_dn" \
|
| -md sha1
|
|
|
| ## Validity too long unit test support.
|
| -try openssl req -config ../scripts/ee.cnf \
|
| +openssl req -config ../scripts/ee.cnf \
|
| -newkey rsa:2048 -text -out out/10_year_validity.req
|
| CA_NAME="req_ca_dn" \
|
| - try openssl ca \
|
| + openssl ca \
|
| -batch \
|
| -extensions user_cert \
|
| -startdate 081030000000Z \
|
| @@ -281,10 +278,10 @@ CA_NAME="req_ca_dn" \
|
| -out ../certificates/10_year_validity.pem \
|
| -config ca.cnf
|
| # 365 * 11 = 4015
|
| -try openssl req -config ../scripts/ee.cnf \
|
| +openssl req -config ../scripts/ee.cnf \
|
| -newkey rsa:2048 -text -out out/11_year_validity.req
|
| CA_NAME="req_ca_dn" \
|
| - try openssl ca \
|
| + openssl ca \
|
| -batch \
|
| -extensions user_cert \
|
| -startdate 141030000000Z \
|
| @@ -292,10 +289,10 @@ CA_NAME="req_ca_dn" \
|
| -in out/11_year_validity.req \
|
| -out ../certificates/11_year_validity.pem \
|
| -config ca.cnf
|
| -try openssl req -config ../scripts/ee.cnf \
|
| +openssl req -config ../scripts/ee.cnf \
|
| -newkey rsa:2048 -text -out out/39_months_after_2015_04.req
|
| CA_NAME="req_ca_dn" \
|
| - try openssl ca \
|
| + openssl ca \
|
| -batch \
|
| -extensions user_cert \
|
| -startdate 150402000000Z \
|
| @@ -303,10 +300,10 @@ CA_NAME="req_ca_dn" \
|
| -in out/39_months_after_2015_04.req \
|
| -out ../certificates/39_months_after_2015_04.pem \
|
| -config ca.cnf
|
| -try openssl req -config ../scripts/ee.cnf \
|
| +openssl req -config ../scripts/ee.cnf \
|
| -newkey rsa:2048 -text -out out/40_months_after_2015_04.req
|
| CA_NAME="req_ca_dn" \
|
| - try openssl ca \
|
| + openssl ca \
|
| -batch \
|
| -extensions user_cert \
|
| -startdate 150402000000Z \
|
| @@ -314,10 +311,10 @@ CA_NAME="req_ca_dn" \
|
| -in out/40_months_after_2015_04.req \
|
| -out ../certificates/40_months_after_2015_04.pem \
|
| -config ca.cnf
|
| -try openssl req -config ../scripts/ee.cnf \
|
| +openssl req -config ../scripts/ee.cnf \
|
| -newkey rsa:2048 -text -out out/60_months_after_2012_07.req
|
| CA_NAME="req_ca_dn" \
|
| - try openssl ca \
|
| + openssl ca \
|
| -batch \
|
| -extensions user_cert \
|
| -startdate 141030000000Z \
|
| @@ -325,11 +322,11 @@ CA_NAME="req_ca_dn" \
|
| -in out/60_months_after_2012_07.req \
|
| -out ../certificates/60_months_after_2012_07.pem \
|
| -config ca.cnf
|
| -try openssl req -config ../scripts/ee.cnf \
|
| +openssl req -config ../scripts/ee.cnf \
|
| -newkey rsa:2048 -text -out out/61_months_after_2012_07.req
|
| # 30 * 61 = 1830
|
| CA_NAME="req_ca_dn" \
|
| - try openssl ca \
|
| + openssl ca \
|
| -batch \
|
| -extensions user_cert \
|
| -startdate 141030000000Z \
|
| @@ -338,10 +335,10 @@ CA_NAME="req_ca_dn" \
|
| -out ../certificates/61_months_after_2012_07.pem \
|
| -config ca.cnf
|
| # start date after expiry date
|
| -try openssl req -config ../scripts/ee.cnf \
|
| +openssl req -config ../scripts/ee.cnf \
|
| -newkey rsa:2048 -text -out out/start_after_expiry.req
|
| CA_NAME="req_ca_dn" \
|
| - try openssl ca \
|
| + openssl ca \
|
| -batch \
|
| -extensions user_cert \
|
| -startdate 180901000000Z \
|
| @@ -349,13 +346,13 @@ CA_NAME="req_ca_dn" \
|
| -in out/start_after_expiry.req \
|
| -out ../certificates/start_after_expiry.pem \
|
| -config ca.cnf
|
| -try openssl req -config ../scripts/ee.cnf \
|
| +openssl req -config ../scripts/ee.cnf \
|
| -newkey rsa:2048 -text -out out/start_after_expiry.req
|
| # Issued pre-BRs, lifetime < 120 months, expires before 2019-07-01
|
| -try openssl req -config ../scripts/ee.cnf \
|
| +openssl req -config ../scripts/ee.cnf \
|
| -newkey rsa:2048 -text -out out/pre_br_validity_ok.req
|
| CA_NAME="req_ca_dn" \
|
| - try openssl ca \
|
| + openssl ca \
|
| -batch \
|
| -extensions user_cert \
|
| -startdate 080101000000Z \
|
| @@ -363,13 +360,13 @@ CA_NAME="req_ca_dn" \
|
| -in out/pre_br_validity_ok.req \
|
| -out ../certificates/pre_br_validity_ok.pem \
|
| -config ca.cnf
|
| -try openssl req -config ../scripts/ee.cnf \
|
| +openssl req -config ../scripts/ee.cnf \
|
| -newkey rsa:2048 -text -out out/pre_br_validity_ok.req
|
| # Issued pre-BRs, lifetime > 120 months, expires before 2019-07-01
|
| -try openssl req -config ../scripts/ee.cnf \
|
| +openssl req -config ../scripts/ee.cnf \
|
| -newkey rsa:2048 -text -out out/pre_br_validity_bad_121.req
|
| CA_NAME="req_ca_dn" \
|
| - try openssl ca \
|
| + openssl ca \
|
| -batch \
|
| -extensions user_cert \
|
| -startdate 080101000000Z \
|
| @@ -377,13 +374,13 @@ CA_NAME="req_ca_dn" \
|
| -in out/pre_br_validity_bad_121.req \
|
| -out ../certificates/pre_br_validity_bad_121.pem \
|
| -config ca.cnf
|
| -try openssl req -config ../scripts/ee.cnf \
|
| +openssl req -config ../scripts/ee.cnf \
|
| -newkey rsa:2048 -text -out out/pre_br_validity_bad_121.req
|
| # Issued pre-BRs, lifetime < 120 months, expires after 2019-07-01
|
| -try openssl req -config ../scripts/ee.cnf \
|
| +openssl req -config ../scripts/ee.cnf \
|
| -newkey rsa:2048 -text -out out/pre_br_validity_bad_2020.req
|
| CA_NAME="req_ca_dn" \
|
| - try openssl ca \
|
| + openssl ca \
|
| -batch \
|
| -extensions user_cert \
|
| -startdate 120501000000Z \
|
| @@ -393,10 +390,10 @@ CA_NAME="req_ca_dn" \
|
| -config ca.cnf
|
|
|
| # Issued prior to 1 June 2016 (Symantec CT Enforcement Date)
|
| -try openssl req -config ../scripts/ee.cnf \
|
| +openssl req -config ../scripts/ee.cnf \
|
| -newkey rsa:2048 -text -out out/pre_june_2016.req
|
| CA_NAME="req_ca_dn" \
|
| - try openssl ca \
|
| + openssl ca \
|
| -batch \
|
| -extensions user_cert \
|
| -startdate 160501000000Z \
|
| @@ -406,10 +403,10 @@ CA_NAME="req_ca_dn" \
|
| -config ca.cnf
|
|
|
| # Issued after 1 June 2016 (Symantec CT Enforcement Date)
|
| -try openssl req -config ../scripts/ee.cnf \
|
| +openssl req -config ../scripts/ee.cnf \
|
| -newkey rsa:2048 -text -out out/post_june_2016.req
|
| CA_NAME="req_ca_dn" \
|
| - try openssl ca \
|
| + openssl ca \
|
| -batch \
|
| -extensions user_cert \
|
| -startdate 160601000000Z \
|
| @@ -419,7 +416,7 @@ CA_NAME="req_ca_dn" \
|
| -config ca.cnf
|
|
|
| # Includes the TLS feature extension
|
| -try openssl req -x509 -newkey rsa:2048 \
|
| +openssl req -x509 -newkey rsa:2048 \
|
| -keyout out/tls_feature_extension.key \
|
| -out ../certificates/tls_feature_extension.pem \
|
| -days 365 \
|
| @@ -429,7 +426,7 @@ try openssl req -x509 -newkey rsa:2048 \
|
|
|
| # Regenerate CRLSets
|
| ## Block a leaf cert directly by SPKI
|
| -try python crlsetutil.py -o ../certificates/crlset_by_leaf_spki.raw \
|
| +python crlsetutil.py -o ../certificates/crlset_by_leaf_spki.raw \
|
| <<CRLBYLEAFSPKI
|
| {
|
| "BlockedBySPKI": ["../certificates/ok_cert.pem"]
|
| @@ -438,7 +435,7 @@ CRLBYLEAFSPKI
|
|
|
| ## Block a leaf cert by issuer-hash-and-serial (ok_cert.pem == serial 3, by
|
| ## virtue of the serial file and ordering above.
|
| -try python crlsetutil.py -o ../certificates/crlset_by_root_serial.raw \
|
| +python crlsetutil.py -o ../certificates/crlset_by_root_serial.raw \
|
| <<CRLBYROOTSERIAL
|
| {
|
| "BlockedByHash": {
|
| @@ -449,7 +446,7 @@ CRLBYROOTSERIAL
|
|
|
| ## Block a leaf cert by issuer-hash-and-serial. However, this will be issued
|
| ## from an intermediate CA issued underneath a root.
|
| -try python crlsetutil.py -o ../certificates/crlset_by_intermediate_serial.raw \
|
| +python crlsetutil.py -o ../certificates/crlset_by_intermediate_serial.raw \
|
| <<CRLSETBYINTERMEDIATESERIAL
|
| {
|
| "BlockedByHash": {
|
|
|
Chromium Code Reviews
Issue 2926463002:
Fix TransportSecurityState unittests to run in --single-process mode. (Closed)
