OLD | NEW |
1 #!/bin/sh | 1 #!/bin/sh |
2 | 2 |
3 # Copyright 2013 The Chromium Authors. All rights reserved. | 3 # Copyright 2013 The Chromium Authors. All rights reserved. |
4 # Use of this source code is governed by a BSD-style license that can be | 4 # Use of this source code is governed by a BSD-style license that can be |
5 # found in the LICENSE file. | 5 # found in the LICENSE file. |
6 | 6 |
7 # This script generates a set of test (end-entity, intermediate, root) | 7 # This script generates a set of test (end-entity, intermediate, root) |
8 # certificates that can be used to test fetching of an intermediate via AIA. | 8 # certificates that can be used to test fetching of an intermediate via AIA. |
9 | 9 |
10 try() { | 10 try() { |
11 echo "$@" | 11 echo "$@" |
12 "$@" || exit 1 | 12 "$@" || exit 1 |
13 } | 13 } |
14 | 14 |
15 try rm -rf out | 15 try rm -rf out |
16 try mkdir out | 16 try mkdir out |
17 | 17 |
18 try /bin/sh -c "echo 01 > out/2048-sha1-root-serial" | 18 try /bin/sh -c "echo 01 > out/2048-sha256-root-serial" |
19 touch out/2048-sha1-root-index.txt | 19 touch out/2048-sha256-root-index.txt |
20 | 20 |
21 # Generate the key | 21 # Generate the key |
22 try openssl genrsa -out out/2048-sha1-root.key 2048 | 22 try openssl genrsa -out out/2048-sha256-root.key 2048 |
23 | 23 |
24 # Generate the root certificate | 24 # Generate the root certificate |
25 CA_COMMON_NAME="Test Root CA" \ | 25 CA_COMMON_NAME="Test Root CA" \ |
26 try openssl req \ | 26 try openssl req \ |
27 -new \ | 27 -new \ |
28 -key out/2048-sha1-root.key \ | 28 -key out/2048-sha256-root.key \ |
29 -out out/2048-sha1-root.req \ | 29 -out out/2048-sha256-root.req \ |
30 -config ca.cnf | 30 -config ca.cnf |
31 | 31 |
32 CA_COMMON_NAME="Test Root CA" \ | 32 CA_COMMON_NAME="Test Root CA" \ |
33 try openssl x509 \ | 33 try openssl x509 \ |
34 -req -days 3650 \ | 34 -req -days 3650 \ |
35 -in out/2048-sha1-root.req \ | 35 -in out/2048-sha256-root.req \ |
36 -out out/2048-sha1-root.pem \ | 36 -out out/2048-sha256-root.pem \ |
37 -signkey out/2048-sha1-root.key \ | 37 -signkey out/2048-sha256-root.key \ |
38 -extfile ca.cnf \ | 38 -extfile ca.cnf \ |
39 -extensions ca_cert \ | 39 -extensions ca_cert \ |
40 -text | 40 -text |
41 | 41 |
42 # Generate the leaf certificate requests | 42 # Generate the leaf certificate requests |
43 try openssl req \ | 43 try openssl req \ |
44 -new \ | 44 -new \ |
45 -keyout out/expired_cert.key \ | 45 -keyout out/expired_cert.key \ |
46 -out out/expired_cert.req \ | 46 -out out/expired_cert.req \ |
47 -config ee.cnf | 47 -config ee.cnf |
(...skipping 17 matching lines...) Expand all Loading... |
65 | 65 |
66 CA_COMMON_NAME="Test Root CA" \ | 66 CA_COMMON_NAME="Test Root CA" \ |
67 try openssl ca \ | 67 try openssl ca \ |
68 -batch \ | 68 -batch \ |
69 -extensions user_cert \ | 69 -extensions user_cert \ |
70 -days 3650 \ | 70 -days 3650 \ |
71 -in out/ok_cert.req \ | 71 -in out/ok_cert.req \ |
72 -out out/ok_cert.pem \ | 72 -out out/ok_cert.pem \ |
73 -config ca.cnf | 73 -config ca.cnf |
74 | 74 |
| 75 CA_COMMON_NAME="Test Root CA" \ |
| 76 try openssl ca \ |
| 77 -batch \ |
| 78 -extensions name_constraint_bad \ |
| 79 -subj "/CN=Leaf certificate/" \ |
| 80 -days 3650 \ |
| 81 -in out/ok_cert.req \ |
| 82 -out out/name_constraint_bad.pem \ |
| 83 -config ca.cnf |
| 84 |
| 85 CA_COMMON_NAME="Test Root CA" \ |
| 86 try openssl ca \ |
| 87 -batch \ |
| 88 -extensions name_constraint_good \ |
| 89 -subj "/CN=Leaf Certificate/" \ |
| 90 -days 3650 \ |
| 91 -in out/ok_cert.req \ |
| 92 -out out/name_constraint_good.pem \ |
| 93 -config ca.cnf |
| 94 |
75 try /bin/sh -c "cat out/ok_cert.key out/ok_cert.pem \ | 95 try /bin/sh -c "cat out/ok_cert.key out/ok_cert.pem \ |
76 > ../certificates/ok_cert.pem" | 96 > ../certificates/ok_cert.pem" |
77 try /bin/sh -c "cat out/expired_cert.key out/expired_cert.pem \ | 97 try /bin/sh -c "cat out/expired_cert.key out/expired_cert.pem \ |
78 > ../certificates/expired_cert.pem" | 98 > ../certificates/expired_cert.pem" |
79 try /bin/sh -c "cat out/2048-sha1-root.key out/2048-sha1-root.pem \ | 99 try /bin/sh -c "cat out/2048-sha256-root.key out/2048-sha256-root.pem \ |
80 > ../certificates/root_ca_cert.pem" | 100 > ../certificates/root_ca_cert.pem" |
| 101 try /bin/sh -c "cat out/ok_cert.key out/name_constraint_bad.pem \ |
| 102 > ../certificates/name_constraint_bad.pem" |
| 103 try /bin/sh -c "cat out/ok_cert.key out/name_constraint_good.pem \ |
| 104 > ../certificates/name_constraint_good.pem" |
81 | 105 |
| 106 # Now generate the one-off certs |
| 107 ## SHA-256 general test cert |
| 108 try openssl req -x509 -days 3650 \ |
| 109 -config ../scripts/ee.cnf -newkey rsa:2048 -text \ |
| 110 -sha256 \ |
| 111 -out sha256.pem |
| 112 |
| 113 ## Self-signed cert for SPDY/QUIC/HTTP2 pooling testing |
| 114 try openssl req -x509 -days 3650 -extensions req_spdy_pooling \ |
| 115 -config ../scripts/ee.cnf -newkey rsa:2048 -text \ |
| 116 -out ../certificates/spdy_pooling.pem |
| 117 |
| 118 ## SubjectAltName parsing |
| 119 try openssl req -x509 -days 3650 -extensions req_san_sanity \ |
| 120 -config ../scripts/ee.cnf -newkey rsa:2048 -text \ |
| 121 -out ../certificates/subjectAltName_sanity_check.pem |
| 122 |
| 123 ## Punycode handling |
| 124 SUBJECT_NAME="req_punycode_dn" \ |
| 125 try openssl req -x509 -days 3650 -extensions req_punycode \ |
| 126 -config ../scripts/ee.cnf -newkey rsa:2048 -text \ |
| 127 -out ../certificates/punycodetest.pem |
| 128 |
| 129 # Regenerate CRLSets |
| 130 ## Block a leaf cert directly by SPKI |
| 131 try python crlsetutil.py -o ../certificates/crlset_by_leaf_spki.raw \ |
| 132 <<CRLBYLEAFSPKI |
| 133 { |
| 134 "BlockedBySPKI": ["../certificates/ok_cert.pem"] |
| 135 } |
| 136 CRLBYLEAFSPKI |
| 137 |
| 138 ## Block a leaf cert by issuer-hash-and-serial (ok_cert.pem == serial 2, by |
| 139 ## virtue of the serial file and ordering above. |
| 140 try python crlsetutil.py -o ../certificates/crlset_by_root_serial.raw \ |
| 141 <<CRLBYROOTSERIAL |
| 142 { |
| 143 "BlockedByHash": { |
| 144 "../certificates/root_ca_cert.pem": [2] |
| 145 } |
| 146 } |
| 147 CRLBYROOTSERIAL |
| 148 |
| 149 ## Block a leaf cert by issuer-hash-and-serial. However, this will be issued |
| 150 ## from an intermediate CA issued underneath a root. |
| 151 try python crlsetutil.py -o ../certificates/crlset_by_intermediate_serial.raw \ |
| 152 <<CRLSETBYINTERMEDIATESERIAL |
| 153 { |
| 154 "BlockedByHash": { |
| 155 "../certificates/quic_intermediate.crt": [3] |
| 156 } |
| 157 } |
| 158 CRLSETBYINTERMEDIATESERIAL |
OLD | NEW |