OLD | NEW |
1 #!/bin/sh | 1 #!/bin/sh |
2 | 2 |
3 # Copyright 2013 The Chromium Authors. All rights reserved. | 3 # Copyright 2013 The Chromium Authors. All rights reserved. |
4 # Use of this source code is governed by a BSD-style license that can be | 4 # Use of this source code is governed by a BSD-style license that can be |
5 # found in the LICENSE file. | 5 # found in the LICENSE file. |
6 | 6 |
7 # This script generates a set of test (end-entity, intermediate, root) | 7 # This script generates a set of test (end-entity, intermediate, root) |
8 # certificates that can be used to test fetching of an intermediate via AIA. | 8 # certificates that can be used to test fetching of an intermediate via AIA. |
9 | 9 |
10 try() { | 10 try() { |
(...skipping 106 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
117 | 117 |
118 ## SubjectAltName parsing | 118 ## SubjectAltName parsing |
119 try openssl req -x509 -days 3650 -extensions req_san_sanity \ | 119 try openssl req -x509 -days 3650 -extensions req_san_sanity \ |
120 -config ../scripts/ee.cnf -newkey rsa:2048 -text \ | 120 -config ../scripts/ee.cnf -newkey rsa:2048 -text \ |
121 -out ../certificates/subjectAltName_sanity_check.pem | 121 -out ../certificates/subjectAltName_sanity_check.pem |
122 | 122 |
123 ## Punycode handling | 123 ## Punycode handling |
124 SUBJECT_NAME="req_punycode_dn" \ | 124 SUBJECT_NAME="req_punycode_dn" \ |
125 try openssl req -x509 -days 3650 -extensions req_punycode \ | 125 try openssl req -x509 -days 3650 -extensions req_punycode \ |
126 -config ../scripts/ee.cnf -newkey rsa:2048 -text \ | 126 -config ../scripts/ee.cnf -newkey rsa:2048 -text \ |
127 -out ../certificates/punycodetest.pem | 127 -out ../certificates/punycodetest.pem |
| 128 |
| 129 ## Reject intranet hostnames in "publicly" trusted certs |
| 130 # 365 * 3 = 1095 |
| 131 SUBJECT_NAME="req_dn" \ |
| 132 try openssl req -x509 -days 1095 \ |
| 133 -config ../scripts/ee.cnf -newkey rsa:2048 -text \ |
| 134 -out ../certificates/reject_intranet_hosts.pem |
| 135 |
| 136 ## Validity too long unit test support. |
| 137 try openssl req -config ../scripts/ee.cnf \ |
| 138 -newkey rsa:2048 -text -out ../certificates/10_year_validity.req |
| 139 CA_COMMON_NAME="Test Root CA" \ |
| 140 try openssl ca \ |
| 141 -batch \ |
| 142 -extensions user_cert \ |
| 143 -startdate 081030000000Z \ |
| 144 -enddate 181029000000Z \ |
| 145 -in ../certificates/10_year_validity.req \ |
| 146 -out ../certificates/10_year_validity.pem \ |
| 147 -config ca.cnf |
| 148 # 365 * 11 = 4015 |
| 149 try openssl req -config ../scripts/ee.cnf \ |
| 150 -newkey rsa:2048 -text -out ../certificates/11_year_validity.req |
| 151 CA_COMMON_NAME="Test Root CA" \ |
| 152 try openssl ca \ |
| 153 -batch \ |
| 154 -extensions user_cert \ |
| 155 -startdate 141030000000Z \ |
| 156 -days 4015 \ |
| 157 -in ../certificates/11_year_validity.req \ |
| 158 -out ../certificates/11_year_validity.pem \ |
| 159 -config ca.cnf |
| 160 try openssl req -config ../scripts/ee.cnf \ |
| 161 -newkey rsa:2048 -text -out ../certificates/39_months_after_2015_04.req |
| 162 CA_COMMON_NAME="Test Root CA" \ |
| 163 try openssl ca \ |
| 164 -batch \ |
| 165 -extensions user_cert \ |
| 166 -startdate 150402000000Z \ |
| 167 -enddate 180702000000Z \ |
| 168 -in ../certificates/39_months_after_2015_04.req \ |
| 169 -out ../certificates/39_months_after_2015_04.pem \ |
| 170 -config ca.cnf |
| 171 try openssl req -config ../scripts/ee.cnf \ |
| 172 -newkey rsa:2048 -text -out ../certificates/40_months_after_2015_04.req |
| 173 CA_COMMON_NAME="Test Root CA" \ |
| 174 try openssl ca \ |
| 175 -batch \ |
| 176 -extensions user_cert \ |
| 177 -startdate 150402000000Z \ |
| 178 -enddate 180801000000Z \ |
| 179 -in ../certificates/40_months_after_2015_04.req \ |
| 180 -out ../certificates/40_months_after_2015_04.pem \ |
| 181 -config ca.cnf |
| 182 try openssl req -config ../scripts/ee.cnf \ |
| 183 -newkey rsa:2048 -text -out ../certificates/60_months_after_2012_07.req |
| 184 CA_COMMON_NAME="Test Root CA" \ |
| 185 try openssl ca \ |
| 186 -batch \ |
| 187 -extensions user_cert \ |
| 188 -startdate 141030000000Z \ |
| 189 -enddate 190930000000Z \ |
| 190 -in ../certificates/60_months_after_2012_07.req \ |
| 191 -out ../certificates/60_months_after_2012_07.pem \ |
| 192 -config ca.cnf |
| 193 try openssl req -config ../scripts/ee.cnf \ |
| 194 -newkey rsa:2048 -text -out ../certificates/61_months_after_2012_07.req |
| 195 # 30 * 61 = 1830 |
| 196 CA_COMMON_NAME="Test Root CA" \ |
| 197 try openssl ca \ |
| 198 -batch \ |
| 199 -extensions user_cert \ |
| 200 -startdate 141030000000Z \ |
| 201 -days 1830 \ |
| 202 -in ../certificates/61_months_after_2012_07.req \ |
| 203 -out ../certificates/61_months_after_2012_07.pem \ |
| 204 -config ca.cnf |
| 205 # start date after expiry date |
| 206 try openssl req -config ../scripts/ee.cnf \ |
| 207 -newkey rsa:2048 -text -out ../certificates/start_after_expiry.req |
| 208 CA_COMMON_NAME="Test Root CA" \ |
| 209 try openssl ca \ |
| 210 -batch \ |
| 211 -extensions user_cert \ |
| 212 -startdate 180901000000Z \ |
| 213 -enddate 150402000000Z \ |
| 214 -in ../certificates/start_after_expiry.req \ |
| 215 -out ../certificates/start_after_expiry.pem \ |
| 216 -config ca.cnf |
| 217 try openssl req -config ../scripts/ee.cnf \ |
| 218 -newkey rsa:2048 -text -out ../certificates/start_after_expiry.req |
| 219 # Issued pre-BRs, lifetime < 120 months, expires before 2019-07-01 |
| 220 try openssl req -config ../scripts/ee.cnf \ |
| 221 -newkey rsa:2048 -text -out ../certificates/pre_br_validity_ok.req |
| 222 CA_COMMON_NAME="Test Root CA" \ |
| 223 try openssl ca \ |
| 224 -batch \ |
| 225 -extensions user_cert \ |
| 226 -startdate 080101000000Z \ |
| 227 -enddate 150101000000Z \ |
| 228 -in ../certificates/pre_br_validity_ok.req \ |
| 229 -out ../certificates/pre_br_validity_ok.pem \ |
| 230 -config ca.cnf |
| 231 try openssl req -config ../scripts/ee.cnf \ |
| 232 -newkey rsa:2048 -text -out ../certificates/pre_br_validity_ok.req |
| 233 # Issued pre-BRs, lifetime > 120 months, expires before 2019-07-01 |
| 234 try openssl req -config ../scripts/ee.cnf \ |
| 235 -newkey rsa:2048 -text -out ../certificates/pre_br_validity_bad_121.req |
| 236 CA_COMMON_NAME="Test Root CA" \ |
| 237 try openssl ca \ |
| 238 -batch \ |
| 239 -extensions user_cert \ |
| 240 -startdate 080101000000Z \ |
| 241 -enddate 180501000000Z \ |
| 242 -in ../certificates/pre_br_validity_bad_121.req \ |
| 243 -out ../certificates/pre_br_validity_bad_121.pem \ |
| 244 -config ca.cnf |
| 245 try openssl req -config ../scripts/ee.cnf \ |
| 246 -newkey rsa:2048 -text -out ../certificates/pre_br_validity_bad_121.req |
| 247 # Issued pre-BRs, lifetime < 120 months, expires after 2019-07-01 |
| 248 try openssl req -config ../scripts/ee.cnf \ |
| 249 -newkey rsa:2048 -text -out ../certificates/pre_br_validity_bad_2020.req |
| 250 CA_COMMON_NAME="Test Root CA" \ |
| 251 try openssl ca \ |
| 252 -batch \ |
| 253 -extensions user_cert \ |
| 254 -startdate 120501000000Z \ |
| 255 -enddate 190703000000Z \ |
| 256 -in ../certificates/pre_br_validity_bad_2020.req \ |
| 257 -out ../certificates/pre_br_validity_bad_2020.pem \ |
| 258 -config ca.cnf |
| 259 try openssl req -config ../scripts/ee.cnf \ |
| 260 -newkey rsa:2048 -text -out ../certificates/pre_br_validity_bad_2020.req |
128 | 261 |
129 # Regenerate CRLSets | 262 # Regenerate CRLSets |
130 ## Block a leaf cert directly by SPKI | 263 ## Block a leaf cert directly by SPKI |
131 try python crlsetutil.py -o ../certificates/crlset_by_leaf_spki.raw \ | 264 try python crlsetutil.py -o ../certificates/crlset_by_leaf_spki.raw \ |
132 <<CRLBYLEAFSPKI | 265 <<CRLBYLEAFSPKI |
133 { | 266 { |
134 "BlockedBySPKI": ["../certificates/ok_cert.pem"] | 267 "BlockedBySPKI": ["../certificates/ok_cert.pem"] |
135 } | 268 } |
136 CRLBYLEAFSPKI | 269 CRLBYLEAFSPKI |
137 | 270 |
(...skipping 11 matching lines...) Expand all Loading... |
149 ## Block a leaf cert by issuer-hash-and-serial. However, this will be issued | 282 ## Block a leaf cert by issuer-hash-and-serial. However, this will be issued |
150 ## from an intermediate CA issued underneath a root. | 283 ## from an intermediate CA issued underneath a root. |
151 try python crlsetutil.py -o ../certificates/crlset_by_intermediate_serial.raw \ | 284 try python crlsetutil.py -o ../certificates/crlset_by_intermediate_serial.raw \ |
152 <<CRLSETBYINTERMEDIATESERIAL | 285 <<CRLSETBYINTERMEDIATESERIAL |
153 { | 286 { |
154 "BlockedByHash": { | 287 "BlockedByHash": { |
155 "../certificates/quic_intermediate.crt": [3] | 288 "../certificates/quic_intermediate.crt": [3] |
156 } | 289 } |
157 } | 290 } |
158 CRLSETBYINTERMEDIATESERIAL | 291 CRLSETBYINTERMEDIATESERIAL |
OLD | NEW |