Index: net/data/ssl/scripts/generate-test-certs.sh |
diff --git a/net/data/ssl/scripts/generate-test-certs.sh b/net/data/ssl/scripts/generate-test-certs.sh |
index 6323de312fd76f872acbd7ac76536333752562ab..d62bb988a5ddc2730068b83e4a0ce1e036d2cdc2 100755 |
--- a/net/data/ssl/scripts/generate-test-certs.sh |
+++ b/net/data/ssl/scripts/generate-test-certs.sh |
@@ -15,26 +15,26 @@ try() { |
try rm -rf out |
try mkdir out |
-try /bin/sh -c "echo 01 > out/2048-sha1-root-serial" |
-touch out/2048-sha1-root-index.txt |
+try /bin/sh -c "echo 01 > out/2048-sha256-root-serial" |
+touch out/2048-sha256-root-index.txt |
# Generate the key |
-try openssl genrsa -out out/2048-sha1-root.key 2048 |
+try openssl genrsa -out out/2048-sha256-root.key 2048 |
# Generate the root certificate |
CA_COMMON_NAME="Test Root CA" \ |
try openssl req \ |
-new \ |
- -key out/2048-sha1-root.key \ |
- -out out/2048-sha1-root.req \ |
+ -key out/2048-sha256-root.key \ |
+ -out out/2048-sha256-root.req \ |
-config ca.cnf |
CA_COMMON_NAME="Test Root CA" \ |
try openssl x509 \ |
-req -days 3650 \ |
- -in out/2048-sha1-root.req \ |
- -out out/2048-sha1-root.pem \ |
- -signkey out/2048-sha1-root.key \ |
+ -in out/2048-sha256-root.req \ |
+ -out out/2048-sha256-root.pem \ |
+ -signkey out/2048-sha256-root.key \ |
-extfile ca.cnf \ |
-extensions ca_cert \ |
-text |
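Review bot: The root is renamed to 2048-sha256-root, but the `openssl x509 -req ... -signkey` invocation that self-signs it still passes no digest option, so the signature algorithm is whatever the installed OpenSSL's `x509` default is (SHA-1 on older releases) rather than what the filename promises; `-extfile ca.cnf` only supplies extensions, so a `default_md` there would not apply here as far as I can tell. Adding `-sha256 \` alongside `-req -days 3650 \` pins the digest and makes the name true regardless of toolchain. Nothing in this hunk verifies the produced certificate's signature algorithm, so a quick `openssl x509 -noout -text` check of the output (or a comment stating the expected digest) would make a regression visible.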
@@ -72,10 +72,87 @@ CA_COMMON_NAME="Test Root CA" \ |
-out out/ok_cert.pem \ |
-config ca.cnf |
+CA_COMMON_NAME="Test Root CA" \ |
+ try openssl ca \ |
+ -batch \ |
+ -extensions name_constraint_bad \ |
+ -subj "/CN=Leaf certificate/" \ |
+ -days 3650 \ |
+ -in out/ok_cert.req \ |
+ -out out/name_constraint_bad.pem \ |
+ -config ca.cnf |
+ |
+CA_COMMON_NAME="Test Root CA" \ |
+ try openssl ca \ |
+ -batch \ |
+ -extensions name_constraint_good \ |
+ -subj "/CN=Leaf Certificate/" \ |
+ -days 3650 \ |
+ -in out/ok_cert.req \ |
+ -out out/name_constraint_good.pem \ |
+ -config ca.cnf |
+ |
try /bin/sh -c "cat out/ok_cert.key out/ok_cert.pem \ |
> ../certificates/ok_cert.pem" |
try /bin/sh -c "cat out/expired_cert.key out/expired_cert.pem \ |
> ../certificates/expired_cert.pem" |
-try /bin/sh -c "cat out/2048-sha1-root.key out/2048-sha1-root.pem \ |
+try /bin/sh -c "cat out/2048-sha256-root.key out/2048-sha256-root.pem \ |
> ../certificates/root_ca_cert.pem" |
+try /bin/sh -c "cat out/ok_cert.key out/name_constraint_bad.pem \ |
+ > ../certificates/name_constraint_bad.pem" |
+try /bin/sh -c "cat out/ok_cert.key out/name_constraint_good.pem \ |
+ > ../certificates/name_constraint_good.pem" |
+ |
+# Now generate the one-off certs |
+## SHA-256 general test cert |
+try openssl req -x509 -days 3650 \ |
+ -config ../scripts/ee.cnf -newkey rsa:2048 -text \ |
+ -sha256 \ |
+ -out sha256.pem |
+ |
+## Self-signed cert for SPDY/QUIC/HTTP2 pooling testing |
+try openssl req -x509 -days 3650 -extensions req_spdy_pooling \ |
+ -config ../scripts/ee.cnf -newkey rsa:2048 -text \ |
+ -out ../certificates/spdy_pooling.pem |
+ |
+## SubjectAltName parsing |
+try openssl req -x509 -days 3650 -extensions req_san_sanity \ |
+ -config ../scripts/ee.cnf -newkey rsa:2048 -text \ |
+ -out ../certificates/subjectAltName_sanity_check.pem |
+ |
+## Punycode handling |
+SUBJECT_NAME="req_punycode_dn" \ |
+ try openssl req -x509 -days 3650 -extensions req_punycode \ |
+ -config ../scripts/ee.cnf -newkey rsa:2048 -text \ |
+ -out ../certificates/punycodetest.pem |
+# Regenerate CRLSets |
+## Block a leaf cert directly by SPKI |
+try python crlsetutil.py -o ../certificates/crlset_by_leaf_spki.raw \ |
+<<CRLBYLEAFSPKI |
+{ |
+ "BlockedBySPKI": ["../certificates/ok_cert.pem"] |
+} |
+CRLBYLEAFSPKI |
+ |
+## Block a leaf cert by issuer-hash-and-serial (ok_cert.pem == serial 2, by |
+## virtue of the serial file and ordering above. |
+try python crlsetutil.py -o ../certificates/crlset_by_root_serial.raw \ |
+<<CRLBYROOTSERIAL |
+{ |
+ "BlockedByHash": { |
+ "../certificates/root_ca_cert.pem": [2] |
+ } |
+} |
+CRLBYROOTSERIAL |
+ |
+## Block a leaf cert by issuer-hash-and-serial. However, this will be issued |
+## from an intermediate CA issued underneath a root. |
+try python crlsetutil.py -o ../certificates/crlset_by_intermediate_serial.raw \ |
+<<CRLSETBYINTERMEDIATESERIAL |
+{ |
+ "BlockedByHash": { |
+ "../certificates/quic_intermediate.crt": [3] |
+ } |
+} |
+CRLSETBYINTERMEDIATESERIAL |
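Review bot: The SHA-256 general test cert is written with `-out sha256.pem` into the scripts directory, while every other new one-off cert (spdy_pooling.pem, subjectAltName_sanity_check.pem, punycodetest.pem) goes to `../certificates/`; unless a later step moves it, the artifact lands next to the script and is easy to lose or commit by accident, so `-out ../certificates/sha256.pem` would keep it with the others. The CRLSet heredocs use unquoted delimiters (`<<CRLBYLEAFSPKI`, `<<CRLBYROOTSERIAL`, `<<CRLSETBYINTERMEDIATESERIAL`), which is harmless for this JSON but would silently expand a `$` if one is ever added; `<<'CRLBYLEAFSPKI'` makes the body literal. The "ok_cert.pem == serial 2" assumption behind crlset_by_root_serial.raw holds only while ok_cert remains the second `openssl ca` issuance against this serial file, and the serial-3 entry for quic_intermediate.crt refers to a file not produced anywhere in this hunk, so both comments should state those dependencies explicitly (e.g. `## Depends on issuance order above; re-check serials if certs are added or reordered.`).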