
Side by Side Diff: net/data/ssl/scripts/generate-test-certs.sh

Issue 724543002: Reject certificates that are valid for too long. (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: Whitespace nit(s). Created 5 years, 10 months ago
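--- a/net/data/ssl/scripts/generate-test-certs.sh
+++ b/net/data/ssl/scripts/generate-test-certs.sh
@@ -1,10 +1,10 @@
 #!/bin/sh
 
 # Copyright 2013 The Chromium Authors. All rights reserved.
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
 
 # This script generates a set of test (end-entity, intermediate, root)
 # certificates that can be used to test fetching of an intermediate via AIA.
 
 try() {
@@ -117,21 +117,154 @@
 
 ## SubjectAltName parsing
 try openssl req -x509 -days 3650 -extensions req_san_sanity \
 -config ../scripts/ee.cnf -newkey rsa:2048 -text \
 -out ../certificates/subjectAltName_sanity_check.pem
 
 ## Punycode handling
 SUBJECT_NAME="req_punycode_dn" \
 try openssl req -x509 -days 3650 -extensions req_punycode \
 -config ../scripts/ee.cnf -newkey rsa:2048 -text \
 -out ../certificates/punycodetest.pem
+
+## Reject intranet hostnames in "publicly" trusted certs
+# 365 * 3 = 1095
+SUBJECT_NAME="req_dn" \
+try openssl req -x509 -days 1095 \
+-config ../scripts/ee.cnf -newkey rsa:2048 -text \
+-out ../certificates/reject_intranet_hosts.pem
+
+## Validity too long unit test support.
+try openssl req -config ../scripts/ee.cnf \
+-newkey rsa:2048 -text -out ../certificates/10_year_validity.req
+CA_COMMON_NAME="Test Root CA" \
+try openssl ca \
+-batch \
+-extensions user_cert \
+-startdate 081030000000Z \
+-enddate 181029000000Z \
+-in ../certificates/10_year_validity.req \
+-out ../certificates/10_year_validity.pem \
+-config ca.cnf
+# 365 * 11 = 4015
+try openssl req -config ../scripts/ee.cnf \
+-newkey rsa:2048 -text -out ../certificates/11_year_validity.req
+CA_COMMON_NAME="Test Root CA" \
+try openssl ca \
+-batch \
+-extensions user_cert \
+-startdate 141030000000Z \
+-days 4015 \
+-in ../certificates/11_year_validity.req \
+-out ../certificates/11_year_validity.pem \
+-config ca.cnf
+try openssl req -config ../scripts/ee.cnf \
+-newkey rsa:2048 -text -out ../certificates/39_months_after_2015_04.req
+CA_COMMON_NAME="Test Root CA" \
+try openssl ca \
+-batch \
+-extensions user_cert \
+-startdate 150402000000Z \
+-enddate 180702000000Z \
+-in ../certificates/39_months_after_2015_04.req \
+-out ../certificates/39_months_after_2015_04.pem \
+-config ca.cnf
+try openssl req -config ../scripts/ee.cnf \
+-newkey rsa:2048 -text -out ../certificates/40_months_after_2015_04.req
+CA_COMMON_NAME="Test Root CA" \
+try openssl ca \
+-batch \
+-extensions user_cert \
+-startdate 150402000000Z \
+-enddate 180801000000Z \
+-in ../certificates/40_months_after_2015_04.req \
+-out ../certificates/40_months_after_2015_04.pem \
+-config ca.cnf
+try openssl req -config ../scripts/ee.cnf \
+-newkey rsa:2048 -text -out ../certificates/60_months_after_2012_07.req
+CA_COMMON_NAME="Test Root CA" \
+try openssl ca \
+-batch \
+-extensions user_cert \
+-startdate 141030000000Z \
+-enddate 190930000000Z \
+-in ../certificates/60_months_after_2012_07.req \
+-out ../certificates/60_months_after_2012_07.pem \
+-config ca.cnf
+try openssl req -config ../scripts/ee.cnf \
+-newkey rsa:2048 -text -out ../certificates/61_months_after_2012_07.req
+# 30 * 61 = 1830
+CA_COMMON_NAME="Test Root CA" \
+try openssl ca \
+-batch \
+-extensions user_cert \
+-startdate 141030000000Z \
+-days 1830 \
+-in ../certificates/61_months_after_2012_07.req \
+-out ../certificates/61_months_after_2012_07.pem \
+-config ca.cnf
+# start date after expiry date
+try openssl req -config ../scripts/ee.cnf \
+-newkey rsa:2048 -text -out ../certificates/start_after_expiry.req
+CA_COMMON_NAME="Test Root CA" \
+try openssl ca \
+-batch \
+-extensions user_cert \
+-startdate 180901000000Z \
+-enddate 150402000000Z \
+-in ../certificates/start_after_expiry.req \
+-out ../certificates/start_after_expiry.pem \
+-config ca.cnf
+try openssl req -config ../scripts/ee.cnf \
+-newkey rsa:2048 -text -out ../certificates/start_after_expiry.req
+# Issued pre-BRs, lifetime < 120 months, expires before 2019-07-01
+try openssl req -config ../scripts/ee.cnf \
+-newkey rsa:2048 -text -out ../certificates/pre_br_validity_ok.req
+CA_COMMON_NAME="Test Root CA" \
+try openssl ca \
+-batch \
+-extensions user_cert \
+-startdate 080101000000Z \
+-enddate 150101000000Z \
+-in ../certificates/pre_br_validity_ok.req \
+-out ../certificates/pre_br_validity_ok.pem \
+-config ca.cnf
+try openssl req -config ../scripts/ee.cnf \
+-newkey rsa:2048 -text -out ../certificates/pre_br_validity_ok.req
+# Issued pre-BRs, lifetime > 120 months, expires before 2019-07-01
+try openssl req -config ../scripts/ee.cnf \
+-newkey rsa:2048 -text -out ../certificates/pre_br_validity_bad_121.req
+CA_COMMON_NAME="Test Root CA" \
+try openssl ca \
+-batch \
+-extensions user_cert \
+-startdate 080101000000Z \
+-enddate 180501000000Z \
+-in ../certificates/pre_br_validity_bad_121.req \
+-out ../certificates/pre_br_validity_bad_121.pem \
+-config ca.cnf
+try openssl req -config ../scripts/ee.cnf \
+-newkey rsa:2048 -text -out ../certificates/pre_br_validity_bad_121.req
+# Issued pre-BRs, lifetime < 120 months, expires after 2019-07-01
+try openssl req -config ../scripts/ee.cnf \
+-newkey rsa:2048 -text -out ../certificates/pre_br_validity_bad_2020.req
+CA_COMMON_NAME="Test Root CA" \
+try openssl ca \
+-batch \
+-extensions user_cert \
+-startdate 120501000000Z \
+-enddate 190703000000Z \
+-in ../certificates/pre_br_validity_bad_2020.req \
+-out ../certificates/pre_br_validity_bad_2020.pem \
+-config ca.cnf
+try openssl req -config ../scripts/ee.cnf \
+-newkey rsa:2048 -text -out ../certificates/pre_br_validity_bad_2020.req
 
 # Regenerate CRLSets
 ## Block a leaf cert directly by SPKI
 try python crlsetutil.py -o ../certificates/crlset_by_leaf_spki.raw \
 <<CRLBYLEAFSPKI
 {
 "BlockedBySPKI": ["../certificates/ok_cert.pem"]
 }
 CRLBYLEAFSPKI
 
@@ -149,10 +282,10 @@
 ## Block a leaf cert by issuer-hash-and-serial. However, this will be issued
 ## from an intermediate CA issued underneath a root.
 try python crlsetutil.py -o ../certificates/crlset_by_intermediate_serial.raw \
 <<CRLSETBYINTERMEDIATESERIAL
 {
 "BlockedByHash": {
 "../certificates/quic_intermediate.crt": [3]
 }
 }
 CRLSETBYINTERMEDIATESERIAL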
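Review bot: The last four added cases (start_after_expiry, pre_br_validity_ok, pre_br_validity_bad_121, pre_br_validity_bad_2020) each repeat `try openssl req -config ../scripts/ee.cnf -newkey rsa:2048 ... -out ../certificates/<name>.req` after `openssl ca` has already signed that request, which looks like a copy-paste leftover. Because of `-newkey rsa:2048`, the rerun generates a fresh key and overwrites the .req, so the request left on disk no longer matches the issued .pem; dropping the trailing `req` call in each case keeps the pair consistent. Separately, 11_year_validity and 61_months_after_2012_07 combine `-startdate 141030000000Z` with `-days`, and as far as I know `openssl ca -days` has counted from the time of signing rather than from `-startdate` in many OpenSSL releases, so the lifetime under test may drift each time the script is rerun. That is worth confirming against the OpenSSL version in use; an explicit `-enddate`, as the neighbouring cases use, would pin the validity period these policy tests depend on.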