| Index: net/data/ssl/scripts/generate-test-certs.sh
|
| diff --git a/net/data/ssl/scripts/generate-test-certs.sh b/net/data/ssl/scripts/generate-test-certs.sh
|
| index 6323de312fd76f872acbd7ac76536333752562ab..d62bb988a5ddc2730068b83e4a0ce1e036d2cdc2 100755
|
| --- a/net/data/ssl/scripts/generate-test-certs.sh
|
| +++ b/net/data/ssl/scripts/generate-test-certs.sh
|
| @@ -15,26 +15,26 @@ try() {
|
| try rm -rf out
|
| try mkdir out
|
|
|
| -try /bin/sh -c "echo 01 > out/2048-sha1-root-serial"
|
| -touch out/2048-sha1-root-index.txt
|
| +try /bin/sh -c "echo 01 > out/2048-sha256-root-serial"
|
| +touch out/2048-sha256-root-index.txt
|
|
|
| # Generate the key
|
| -try openssl genrsa -out out/2048-sha1-root.key 2048
|
| +try openssl genrsa -out out/2048-sha256-root.key 2048
|
|
|
| # Generate the root certificate
|
| CA_COMMON_NAME="Test Root CA" \
|
| try openssl req \
|
| -new \
|
| - -key out/2048-sha1-root.key \
|
| - -out out/2048-sha1-root.req \
|
| + -key out/2048-sha256-root.key \
|
| + -out out/2048-sha256-root.req \
|
| -config ca.cnf
|
|
|
| CA_COMMON_NAME="Test Root CA" \
|
| try openssl x509 \
|
| -req -days 3650 \
|
| - -in out/2048-sha1-root.req \
|
| - -out out/2048-sha1-root.pem \
|
| - -signkey out/2048-sha1-root.key \
|
| + -in out/2048-sha256-root.req \
|
| + -out out/2048-sha256-root.pem \
|
| + -signkey out/2048-sha256-root.key \
|
| -extfile ca.cnf \
|
| -extensions ca_cert \
|
| -text
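Review bot: The self-signed root is renamed to `2048-sha256-root` at `-out out/2048-sha256-root.pem`, but the `openssl x509 -req -signkey` invocation still passes no digest option, so the signature algorithm on root_ca_cert.pem is whatever the installed OpenSSL defaults to (SHA-1 on older releases) rather than the SHA-256 the new name promises; add `-sha256 \` alongside `-req -days 3650 \`. As far as I can tell the `x509` subcommand does not read `default_md` from ca.cnf the way `openssl ca` and `openssl req` do, so the config cannot be relied on here — worth confirming against the OpenSSL version the project pins. The CSR digest from `openssl req -new` does not matter since only the signed root is shipped, and the `try` helper referenced throughout is defined outside this hunk.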
|
| @@ -72,10 +72,87 @@ CA_COMMON_NAME="Test Root CA" \
|
| -out out/ok_cert.pem \
|
| -config ca.cnf
|
|
|
| +CA_COMMON_NAME="Test Root CA" \
|
| + try openssl ca \
|
| + -batch \
|
| + -extensions name_constraint_bad \
|
| + -subj "/CN=Leaf certificate/" \
|
| + -days 3650 \
|
| + -in out/ok_cert.req \
|
| + -out out/name_constraint_bad.pem \
|
| + -config ca.cnf
|
| +
|
| +CA_COMMON_NAME="Test Root CA" \
|
| + try openssl ca \
|
| + -batch \
|
| + -extensions name_constraint_good \
|
| + -subj "/CN=Leaf Certificate/" \
|
| + -days 3650 \
|
| + -in out/ok_cert.req \
|
| + -out out/name_constraint_good.pem \
|
| + -config ca.cnf
|
| +
|
| try /bin/sh -c "cat out/ok_cert.key out/ok_cert.pem \
|
| > ../certificates/ok_cert.pem"
|
| try /bin/sh -c "cat out/expired_cert.key out/expired_cert.pem \
|
| > ../certificates/expired_cert.pem"
|
| -try /bin/sh -c "cat out/2048-sha1-root.key out/2048-sha1-root.pem \
|
| +try /bin/sh -c "cat out/2048-sha256-root.key out/2048-sha256-root.pem \
|
| > ../certificates/root_ca_cert.pem"
|
| +try /bin/sh -c "cat out/ok_cert.key out/name_constraint_bad.pem \
|
| + > ../certificates/name_constraint_bad.pem"
|
| +try /bin/sh -c "cat out/ok_cert.key out/name_constraint_good.pem \
|
| + > ../certificates/name_constraint_good.pem"
|
| +
|
| +# Now generate the one-off certs
|
| +## SHA-256 general test cert
|
| +try openssl req -x509 -days 3650 \
|
| + -config ../scripts/ee.cnf -newkey rsa:2048 -text \
|
| + -sha256 \
|
| + -out sha256.pem
|
| +
|
| +## Self-signed cert for SPDY/QUIC/HTTP2 pooling testing
|
| +try openssl req -x509 -days 3650 -extensions req_spdy_pooling \
|
| + -config ../scripts/ee.cnf -newkey rsa:2048 -text \
|
| + -out ../certificates/spdy_pooling.pem
|
| +
|
| +## SubjectAltName parsing
|
| +try openssl req -x509 -days 3650 -extensions req_san_sanity \
|
| + -config ../scripts/ee.cnf -newkey rsa:2048 -text \
|
| + -out ../certificates/subjectAltName_sanity_check.pem
|
| +
|
| +## Punycode handling
|
| +SUBJECT_NAME="req_punycode_dn" \
|
| + try openssl req -x509 -days 3650 -extensions req_punycode \
|
| + -config ../scripts/ee.cnf -newkey rsa:2048 -text \
|
| + -out ../certificates/punycodetest.pem
|
|
|
| +# Regenerate CRLSets
|
| +## Block a leaf cert directly by SPKI
|
| +try python crlsetutil.py -o ../certificates/crlset_by_leaf_spki.raw \
|
| +<<CRLBYLEAFSPKI
|
| +{
|
| + "BlockedBySPKI": ["../certificates/ok_cert.pem"]
|
| +}
|
| +CRLBYLEAFSPKI
|
| +
|
| +## Block a leaf cert by issuer-hash-and-serial (ok_cert.pem == serial 2, by
|
| +## virtue of the serial file and ordering above.
|
| +try python crlsetutil.py -o ../certificates/crlset_by_root_serial.raw \
|
| +<<CRLBYROOTSERIAL
|
| +{
|
| + "BlockedByHash": {
|
| + "../certificates/root_ca_cert.pem": [2]
|
| + }
|
| +}
|
| +CRLBYROOTSERIAL
|
| +
|
| +## Block a leaf cert by issuer-hash-and-serial. However, this will be issued
|
| +## from an intermediate CA issued underneath a root.
|
| +try python crlsetutil.py -o ../certificates/crlset_by_intermediate_serial.raw \
|
| +<<CRLSETBYINTERMEDIATESERIAL
|
| +{
|
| + "BlockedByHash": {
|
| + "../certificates/quic_intermediate.crt": [3]
|
| + }
|
| +}
|
| +CRLSETBYINTERMEDIATESERIAL
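Review bot: The SHA-256 general test cert at `-out sha256.pem` is written into the script's working directory rather than into `../certificates/` like every other one-off cert in this hunk (spdy_pooling, subjectAltName_sanity_check, punycodetest), which looks like a leftover from a manual run; if it is meant to be a checked-in fixture the line should read `-out ../certificates/sha256.pem`. The same `openssl req -x509 -newkey rsa:2048` commands pass no `-keyout` or `-nodes`, so unless ee.cnf supplies a default key file and `encrypt_key = no` they will drop `privkey.pem` in the working directory and prompt for a passphrase in an otherwise non-interactive script — please confirm against ee.cnf. The comment `ok_cert.pem == serial 2, by virtue of the serial file and ordering above` now also depends on the two new `openssl ca` issuances (name_constraint_bad, name_constraint_good) staying after ok_cert, which holds here but is easy to break; I would make the ordering requirement explicit, e.g. `## ok_cert must remain the second 'openssl ca' issuance (serial file starts at 01) for the [2] below to stay valid.` `../certificates/quic_intermediate.crt` with serial `[3]` is not produced by anything in this hunk, so that CRLSet entry relies on a pre-existing file whose serial is not regenerated by this script.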
|
|
|