| OLD | NEW |
|---|
| 1 #!/bin/sh | 1 #!/bin/sh |
| 2 | 2 |
| 3 # Copyright 2013 The Chromium Authors. All rights reserved. | 3 # Copyright 2013 The Chromium Authors. All rights reserved. |
| 4 # Use of this source code is governed by a BSD-style license that can be | 4 # Use of this source code is governed by a BSD-style license that can be |
| 5 # found in the LICENSE file. | 5 # found in the LICENSE file. |
| 6 | 6 |
| 7 # This script generates a set of test (end-entity, intermediate, root) | 7 # This script generates a set of test (end-entity, intermediate, root) |
| 8 # certificates that can be used to test fetching of an intermediate via AIA. | 8 # certificates that can be used to test fetching of an intermediate via AIA. |
| 9 | 9 |
| 10 try() { | 10 try() { |
| (...skipping 106 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 117 | 117 |
| 118 ## SubjectAltName parsing | 118 ## SubjectAltName parsing |
| 119 try openssl req -x509 -days 3650 -extensions req_san_sanity \ | 119 try openssl req -x509 -days 3650 -extensions req_san_sanity \ |
| 120 -config ../scripts/ee.cnf -newkey rsa:2048 -text \ | 120 -config ../scripts/ee.cnf -newkey rsa:2048 -text \ |
| 121 -out ../certificates/subjectAltName_sanity_check.pem | 121 -out ../certificates/subjectAltName_sanity_check.pem |
| 122 | 122 |
| 123 ## Punycode handling | 123 ## Punycode handling |
| 124 SUBJECT_NAME="req_punycode_dn" \ | 124 SUBJECT_NAME="req_punycode_dn" \ |
| 125 try openssl req -x509 -days 3650 -extensions req_punycode \ | 125 try openssl req -x509 -days 3650 -extensions req_punycode \ |
| 126 -config ../scripts/ee.cnf -newkey rsa:2048 -text \ | 126 -config ../scripts/ee.cnf -newkey rsa:2048 -text \ |
| 127 -out ../certificates/punycodetest.pem | 127 -out ../certificates/punycodetest.pem |
| 128 |
| 129 ## Reject intranet hostnames in "publicly" trusted certs |
| 130 # 365 * 3 = 1095 |
| 131 SUBJECT_NAME="req_dn" \ |
| 132 try openssl req -x509 -days 1095 \ |
| 133 -config ../scripts/ee.cnf -newkey rsa:2048 -text \ |
| 134 -out ../certificates/reject_intranet_hosts.pem |
| 135 |
| 136 ## Validity too long |
| 137 # 365 * 11 = 4015 |
| 138 try openssl req -config ../scripts/ee.cnf \ |
| 139 -newkey rsa:2048 -text -out ../certificates/11_year_validity.req |
| 140 CA_COMMON_NAME="Test Root CA" \ |
| 141 try openssl ca \ |
| 142 -batch \ |
| 143 -extensions user_cert \ |
| 144 -startdate 141030000000Z \ |
| 145 -days 4015 \ |
| 146 -in ../certificates/11_year_validity.req \ |
| 147 -out ../certificates/11_year_validity.pem \ |
| 148 -config ca.cnf |
| 149 try openssl req -config ../scripts/ee.cnf \ |
| 150 -newkey rsa:2048 -text -out ../certificates/40_months_after_2015_04.req |
| 151 CA_COMMON_NAME="Test Root CA" \ |
| 152 try openssl ca \ |
| 153 -batch \ |
| 154 -extensions user_cert \ |
| 155 -startdate 150402000000Z \ |
| 156 -enddate 180901000000Z \ |
| 157 -in ../certificates/40_months_after_2015_04.req \ |
| 158 -out ../certificates/40_months_after_2015_04.pem \ |
| 159 -config ca.cnf |
| 160 try openssl req -config ../scripts/ee.cnf \ |
| 161 -newkey rsa:2048 -text -out ../certificates/61_months_after_2012_07.req |
| 162 # 30 * 61 = 1830 |
| 163 CA_COMMON_NAME="Test Root CA" \ |
| 164 try openssl ca \ |
| 165 -batch \ |
| 166 -extensions user_cert \ |
| 167 -startdate 141030000000Z \ |
| 168 -days 1830 \ |
| 169 -in ../certificates/61_months_after_2012_07.req \ |
| 170 -out ../certificates/61_months_after_2012_07.pem \ |
| 171 -config ca.cnf |
| 172 # start date after expiry date |
| 173 try openssl req -config ../scripts/ee.cnf \ |
| 174 -newkey rsa:2048 -text -out ../certificates/start_after_expiry.req |
| 175 CA_COMMON_NAME="Test Root CA" \ |
| 176 try openssl ca \ |
| 177 -batch \ |
| 178 -extensions user_cert \ |
| 179 -startdate 180901000000Z \ |
| 180 -enddate 150402000000Z \ |
| 181 -in ../certificates/start_after_expiry.req \ |
| 182 -out ../certificates/start_after_expiry.pem \ |
| 183 -config ca.cnf |
| 184 try openssl req -config ../scripts/ee.cnf \ |
| 185 -newkey rsa:2048 -text -out ../certificates/start_after_expiry.req |
| 186 # Issued pre-BRs, lifetime < 120 months, expires before 2019-07-01 |
| 187 try openssl req -config ../scripts/ee.cnf \ |
| 188 -newkey rsa:2048 -text -out ../certificates/pre_br_validity_ok.req |
| 189 CA_COMMON_NAME="Test Root CA" \ |
| 190 try openssl ca \ |
| 191 -batch \ |
| 192 -extensions user_cert \ |
| 193 -startdate 080101000000Z \ |
| 194 -enddate 150101000000Z \ |
| 195 -in ../certificates/pre_br_validity_ok.req \ |
| 196 -out ../certificates/pre_br_validity_ok.pem \ |
| 197 -config ca.cnf |
| 198 try openssl req -config ../scripts/ee.cnf \ |
| 199 -newkey rsa:2048 -text -out ../certificates/pre_br_validity_ok.req |
| 200 # Issued pre-BRs, lifetime > 120 months, expires before 2019-07-01 |
| 201 try openssl req -config ../scripts/ee.cnf \ |
| 202 -newkey rsa:2048 -text -out ../certificates/pre_br_validity_bad_121.req |
| 203 CA_COMMON_NAME="Test Root CA" \ |
| 204 try openssl ca \ |
| 205 -batch \ |
| 206 -extensions user_cert \ |
| 207 -startdate 080101000000Z \ |
| 208 -enddate 180501000000Z \ |
| 209 -in ../certificates/pre_br_validity_bad_121.req \ |
| 210 -out ../certificates/pre_br_validity_bad_121.pem \ |
| 211 -config ca.cnf |
| 212 try openssl req -config ../scripts/ee.cnf \ |
| 213 -newkey rsa:2048 -text -out ../certificates/pre_br_validity_bad_121.req |
| 214 # Issued pre-BRs, lifetime < 120 months, expires after 2019-07-01 |
| 215 try openssl req -config ../scripts/ee.cnf \ |
| 216 -newkey rsa:2048 -text -out ../certificates/pre_br_validity_bad_2020.req |
| 217 CA_COMMON_NAME="Test Root CA" \ |
| 218 try openssl ca \ |
| 219 -batch \ |
| 220 -extensions user_cert \ |
| 221 -startdate 120501000000Z \ |
| 222 -enddate 190703000000Z \ |
| 223 -in ../certificates/pre_br_validity_bad_2020.req \ |
| 224 -out ../certificates/pre_br_validity_bad_2020.pem \ |
| 225 -config ca.cnf |
| 226 try openssl req -config ../scripts/ee.cnf \ |
| 227 -newkey rsa:2048 -text -out ../certificates/pre_br_validity_bad_2020.req |
| 128 | 228 |
| 129 # Regenerate CRLSets | 229 # Regenerate CRLSets |
| 130 ## Block a leaf cert directly by SPKI | 230 ## Block a leaf cert directly by SPKI |
| 131 try python crlsetutil.py -o ../certificates/crlset_by_leaf_spki.raw \ | 231 try python crlsetutil.py -o ../certificates/crlset_by_leaf_spki.raw \ |
| 132 <<CRLBYLEAFSPKI | 232 <<CRLBYLEAFSPKI |
| 133 { | 233 { |
| 134 "BlockedBySPKI": ["../certificates/ok_cert.pem"] | 234 "BlockedBySPKI": ["../certificates/ok_cert.pem"] |
| 135 } | 235 } |
| 136 CRLBYLEAFSPKI | 236 CRLBYLEAFSPKI |
| 137 | 237 |
| (...skipping 11 matching lines...) Expand all Loading... |
| 149 ## Block a leaf cert by issuer-hash-and-serial. However, this will be issued | 249 ## Block a leaf cert by issuer-hash-and-serial. However, this will be issued |
| 150 ## from an intermediate CA issued underneath a root. | 250 ## from an intermediate CA issued underneath a root. |
| 151 try python crlsetutil.py -o ../certificates/crlset_by_intermediate_serial.raw \ | 251 try python crlsetutil.py -o ../certificates/crlset_by_intermediate_serial.raw \ |
| 152 <<CRLSETBYINTERMEDIATESERIAL | 252 <<CRLSETBYINTERMEDIATESERIAL |
| 153 { | 253 { |
| 154 "BlockedByHash": { | 254 "BlockedByHash": { |
| 155 "../certificates/quic_intermediate.crt": [3] | 255 "../certificates/quic_intermediate.crt": [3] |
| 156 } | 256 } |
| 157 } | 257 } |
| 158 CRLSETBYINTERMEDIATESERIAL | 258 CRLSETBYINTERMEDIATESERIAL |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 724543002:
Reject certificates that are valid for too long. (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master