Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(18)

Issues Search
    My Issues | Starred     Open | Closed | All

Side by Side Diff: net/data/ssl/scripts/generate-test-certs.sh

Issue 717653002: Revert "Reject certificates that are valid for too long." (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: Created 6 years, 1 month ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch
« no previous file with comments | « net/data/ssl/certificates/twitter-chain.pem ('k') | net/test/test_certificate_data.h » ('j') | no next file with comments »
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
1 #!/bin/sh 1 #!/bin/sh
2 2
3 # Copyright 2013 The Chromium Authors. All rights reserved. 3 # Copyright 2013 The Chromium Authors. All rights reserved.
4 # Use of this source code is governed by a BSD-style license that can be 4 # Use of this source code is governed by a BSD-style license that can be
5 # found in the LICENSE file. 5 # found in the LICENSE file.
6 6
7 # This script generates a set of test (end-entity, intermediate, root) 7 # This script generates a set of test (end-entity, intermediate, root)
8 # certificates that can be used to test fetching of an intermediate via AIA. 8 # certificates that can be used to test fetching of an intermediate via AIA.
9 9
10 try() { 10 try() {
(...skipping 106 matching lines...) Expand 10 before | Expand all | Expand 10 after
117 117
118 ## SubjectAltName parsing 118 ## SubjectAltName parsing
119 try openssl req -x509 -days 3650 -extensions req_san_sanity \ 119 try openssl req -x509 -days 3650 -extensions req_san_sanity \
120 -config ../scripts/ee.cnf -newkey rsa:2048 -text \ 120 -config ../scripts/ee.cnf -newkey rsa:2048 -text \
121 -out ../certificates/subjectAltName_sanity_check.pem 121 -out ../certificates/subjectAltName_sanity_check.pem
122 122
123 ## Punycode handling 123 ## Punycode handling
124 SUBJECT_NAME="req_punycode_dn" \ 124 SUBJECT_NAME="req_punycode_dn" \
125 try openssl req -x509 -days 3650 -extensions req_punycode \ 125 try openssl req -x509 -days 3650 -extensions req_punycode \
126 -config ../scripts/ee.cnf -newkey rsa:2048 -text \ 126 -config ../scripts/ee.cnf -newkey rsa:2048 -text \
127 -out ../certificates/punycodetest.pem 127 -out ../certificates/punycodetest.pem
128
129 ## Reject intranet hostnames in "publicly" trusted certs
130 # 365 * 3 = 1095
131 SUBJECT_NAME="req_dn" \
132 try openssl req -x509 -days 1095 \
133 -config ../scripts/ee.cnf -newkey rsa:2048 -text \
134 -out ../certificates/reject_intranet_hosts.pem
135
136 ## Validity too long
137 # 365 * 11 = 4015
138 try openssl req -config ../scripts/ee.cnf \
139 -newkey rsa:2048 -text -out ../certificates/11_year_validity.req
140 CA_COMMON_NAME="Test Root CA" \
141 try openssl ca \
142 -batch \
143 -extensions user_cert \
144 -startdate 141030000000Z \
145 -days 4015 \
146 -in ../certificates/11_year_validity.req \
147 -out ../certificates/11_year_validity.pem \
148 -config ca.cnf
149 try openssl req -config ../scripts/ee.cnf \
150 -newkey rsa:2048 -text -out ../certificates/40_months_after_2015_04.req
151 CA_COMMON_NAME="Test Root CA" \
152 try openssl ca \
153 -batch \
154 -extensions user_cert \
155 -startdate 150402000000Z \
156 -enddate 180901000000Z \
157 -in ../certificates/40_months_after_2015_04.req \
158 -out ../certificates/40_months_after_2015_04.pem \
159 -config ca.cnf
160 try openssl req -config ../scripts/ee.cnf \
161 -newkey rsa:2048 -text -out ../certificates/61_months_after_2012_07.req
162 # 30 * 61 = 1830
163 CA_COMMON_NAME="Test Root CA" \
164 try openssl ca \
165 -batch \
166 -extensions user_cert \
167 -startdate 141030000000Z \
168 -days 1830 \
169 -in ../certificates/61_months_after_2012_07.req \
170 -out ../certificates/61_months_after_2012_07.pem \
171 -config ca.cnf
172 128
173 # Regenerate CRLSets 129 # Regenerate CRLSets
174 ## Block a leaf cert directly by SPKI 130 ## Block a leaf cert directly by SPKI
175 try python crlsetutil.py -o ../certificates/crlset_by_leaf_spki.raw \ 131 try python crlsetutil.py -o ../certificates/crlset_by_leaf_spki.raw \
176 <<CRLBYLEAFSPKI 132 <<CRLBYLEAFSPKI
177 { 133 {
178 "BlockedBySPKI": ["../certificates/ok_cert.pem"] 134 "BlockedBySPKI": ["../certificates/ok_cert.pem"]
179 } 135 }
180 CRLBYLEAFSPKI 136 CRLBYLEAFSPKI
181 137
(...skipping 11 matching lines...) Expand all
193 ## Block a leaf cert by issuer-hash-and-serial. However, this will be issued 149 ## Block a leaf cert by issuer-hash-and-serial. However, this will be issued
194 ## from an intermediate CA issued underneath a root. 150 ## from an intermediate CA issued underneath a root.
195 try python crlsetutil.py -o ../certificates/crlset_by_intermediate_serial.raw \ 151 try python crlsetutil.py -o ../certificates/crlset_by_intermediate_serial.raw \
196 <<CRLSETBYINTERMEDIATESERIAL 152 <<CRLSETBYINTERMEDIATESERIAL
197 { 153 {
198 "BlockedByHash": { 154 "BlockedByHash": {
199 "../certificates/quic_intermediate.crt": [3] 155 "../certificates/quic_intermediate.crt": [3]
200 } 156 }
201 } 157 }
202 CRLSETBYINTERMEDIATESERIAL 158 CRLSETBYINTERMEDIATESERIAL
OLDNEW
« no previous file with comments | « net/data/ssl/certificates/twitter-chain.pem ('k') | net/test/test_certificate_data.h » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698