Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(156)

Issues Search
    My Issues | Starred     Open | Closed | All

Side by Side Diff: net/data/ssl/scripts/generate-test-certs.sh

Issue 515583004: Update test cert generation scripts to use SHA-256 by default (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@test_cert_scripts
Patch Set: Rebased Created 6 years, 2 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch
« no previous file with comments | « net/data/ssl/scripts/eku-test.cnf ('k') | net/data/ssl/scripts/policy.cnf » ('j') | no next file with comments »
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
1 #!/bin/sh 1 #!/bin/sh
2 2
3 # Copyright 2013 The Chromium Authors. All rights reserved. 3 # Copyright 2013 The Chromium Authors. All rights reserved.
4 # Use of this source code is governed by a BSD-style license that can be 4 # Use of this source code is governed by a BSD-style license that can be
5 # found in the LICENSE file. 5 # found in the LICENSE file.
6 6
7 # This script generates a set of test (end-entity, intermediate, root) 7 # This script generates a set of test (end-entity, intermediate, root)
8 # certificates that can be used to test fetching of an intermediate via AIA. 8 # certificates that can be used to test fetching of an intermediate via AIA.
9 9
10 try() { 10 try() {
11 echo "$@" 11 echo "$@"
12 "$@" || exit 1 12 "$@" || exit 1
13 } 13 }
14 14
15 try rm -rf out 15 try rm -rf out
16 try mkdir out 16 try mkdir out
17 17
18 try /bin/sh -c "echo 01 > out/2048-sha1-root-serial" 18 try /bin/sh -c "echo 01 > out/2048-sha256-root-serial"
19 touch out/2048-sha1-root-index.txt 19 touch out/2048-sha256-root-index.txt
20 20
21 # Generate the key 21 # Generate the key
22 try openssl genrsa -out out/2048-sha1-root.key 2048 22 try openssl genrsa -out out/2048-sha256-root.key 2048
23 23
24 # Generate the root certificate 24 # Generate the root certificate
25 CA_COMMON_NAME="Test Root CA" \ 25 CA_COMMON_NAME="Test Root CA" \
26 try openssl req \ 26 try openssl req \
27 -new \ 27 -new \
28 -key out/2048-sha1-root.key \ 28 -key out/2048-sha256-root.key \
29 -out out/2048-sha1-root.req \ 29 -out out/2048-sha256-root.req \
30 -config ca.cnf 30 -config ca.cnf
31 31
32 CA_COMMON_NAME="Test Root CA" \ 32 CA_COMMON_NAME="Test Root CA" \
33 try openssl x509 \ 33 try openssl x509 \
34 -req -days 3650 \ 34 -req -days 3650 \
35 -in out/2048-sha1-root.req \ 35 -in out/2048-sha256-root.req \
36 -out out/2048-sha1-root.pem \ 36 -out out/2048-sha256-root.pem \
37 -signkey out/2048-sha1-root.key \ 37 -signkey out/2048-sha256-root.key \
38 -extfile ca.cnf \ 38 -extfile ca.cnf \
39 -extensions ca_cert \ 39 -extensions ca_cert \
40 -text 40 -text
41 41
42 # Generate the leaf certificate requests 42 # Generate the leaf certificate requests
43 try openssl req \ 43 try openssl req \
44 -new \ 44 -new \
45 -keyout out/expired_cert.key \ 45 -keyout out/expired_cert.key \
46 -out out/expired_cert.req \ 46 -out out/expired_cert.req \
47 -config ee.cnf 47 -config ee.cnf
(...skipping 17 matching lines...) Expand all
65 65
66 CA_COMMON_NAME="Test Root CA" \ 66 CA_COMMON_NAME="Test Root CA" \
67 try openssl ca \ 67 try openssl ca \
68 -batch \ 68 -batch \
69 -extensions user_cert \ 69 -extensions user_cert \
70 -days 3650 \ 70 -days 3650 \
71 -in out/ok_cert.req \ 71 -in out/ok_cert.req \
72 -out out/ok_cert.pem \ 72 -out out/ok_cert.pem \
73 -config ca.cnf 73 -config ca.cnf
74 74
75 CA_COMMON_NAME="Test Root CA" \
76 try openssl ca \
77 -batch \
78 -extensions name_constraint_bad \
79 -subj "/CN=Leaf certificate/" \
80 -days 3650 \
81 -in out/ok_cert.req \
82 -out out/name_constraint_bad.pem \
83 -config ca.cnf
84
85 CA_COMMON_NAME="Test Root CA" \
86 try openssl ca \
87 -batch \
88 -extensions name_constraint_good \
89 -subj "/CN=Leaf Certificate/" \
90 -days 3650 \
91 -in out/ok_cert.req \
92 -out out/name_constraint_good.pem \
93 -config ca.cnf
94
75 try /bin/sh -c "cat out/ok_cert.key out/ok_cert.pem \ 95 try /bin/sh -c "cat out/ok_cert.key out/ok_cert.pem \
76 > ../certificates/ok_cert.pem" 96 > ../certificates/ok_cert.pem"
77 try /bin/sh -c "cat out/expired_cert.key out/expired_cert.pem \ 97 try /bin/sh -c "cat out/expired_cert.key out/expired_cert.pem \
78 > ../certificates/expired_cert.pem" 98 > ../certificates/expired_cert.pem"
79 try /bin/sh -c "cat out/2048-sha1-root.key out/2048-sha1-root.pem \ 99 try /bin/sh -c "cat out/2048-sha256-root.key out/2048-sha256-root.pem \
80 > ../certificates/root_ca_cert.pem" 100 > ../certificates/root_ca_cert.pem"
101 try /bin/sh -c "cat out/ok_cert.key out/name_constraint_bad.pem \
102 > ../certificates/name_constraint_bad.pem"
103 try /bin/sh -c "cat out/ok_cert.key out/name_constraint_good.pem \
104 > ../certificates/name_constraint_good.pem"
81 105
106 # Now generate the one-off certs
107 ## SHA-256 general test cert
108 try openssl req -x509 -days 3650 \
109 -config ../scripts/ee.cnf -newkey rsa:2048 -text \
110 -sha256 \
111 -out sha256.pem
112
113 ## Self-signed cert for SPDY/QUIC/HTTP2 pooling testing
114 try openssl req -x509 -days 3650 -extensions req_spdy_pooling \
115 -config ../scripts/ee.cnf -newkey rsa:2048 -text \
116 -out ../certificates/spdy_pooling.pem
117
118 ## SubjectAltName parsing
119 try openssl req -x509 -days 3650 -extensions req_san_sanity \
120 -config ../scripts/ee.cnf -newkey rsa:2048 -text \
121 -out ../certificates/subjectAltName_sanity_check.pem
122
123 ## Punycode handling
124 SUBJECT_NAME="req_punycode_dn" \
125 try openssl req -x509 -days 3650 -extensions req_punycode \
126 -config ../scripts/ee.cnf -newkey rsa:2048 -text \
127 -out ../certificates/punycodetest.pem
128
129 # Regenerate CRLSets
130 ## Block a leaf cert directly by SPKI
131 try python crlsetutil.py -o ../certificates/crlset_by_leaf_spki.raw \
132 <<CRLBYLEAFSPKI
133 {
134 "BlockedBySPKI": ["../certificates/ok_cert.pem"]
135 }
136 CRLBYLEAFSPKI
137
138 ## Block a leaf cert by issuer-hash-and-serial (ok_cert.pem == serial 2, by
139 ## virtue of the serial file and ordering above.
140 try python crlsetutil.py -o ../certificates/crlset_by_root_serial.raw \
141 <<CRLBYROOTSERIAL
142 {
143 "BlockedByHash": {
144 "../certificates/root_ca_cert.pem": [2]
145 }
146 }
147 CRLBYROOTSERIAL
148
149 ## Block a leaf cert by issuer-hash-and-serial. However, this will be issued
150 ## from an intermediate CA issued underneath a root.
151 try python crlsetutil.py -o ../certificates/crlset_by_intermediate_serial.raw \
152 <<CRLSETBYINTERMEDIATESERIAL
153 {
154 "BlockedByHash": {
155 "../certificates/quic_intermediate.crt": [3]
156 }
157 }
158 CRLSETBYINTERMEDIATESERIAL
OLDNEW
« no previous file with comments | « net/data/ssl/scripts/eku-test.cnf ('k') | net/data/ssl/scripts/policy.cnf » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698