| Index: net/data/ssl/scripts/generate-test-certs.sh
|
| diff --git a/net/data/ssl/scripts/generate-test-certs.sh b/net/data/ssl/scripts/generate-test-certs.sh
|
| index d62bb988a5ddc2730068b83e4a0ce1e036d2cdc2..24eadf108552a1bde2e64fc6ecd8cc22a5d1d269 100755
|
| --- a/net/data/ssl/scripts/generate-test-certs.sh
|
| +++ b/net/data/ssl/scripts/generate-test-certs.sh
|
| @@ -124,7 +124,140 @@ try openssl req -x509 -days 3650 -extensions req_san_sanity \
|
| SUBJECT_NAME="req_punycode_dn" \
|
| try openssl req -x509 -days 3650 -extensions req_punycode \
|
| -config ../scripts/ee.cnf -newkey rsa:2048 -text \
|
| - -out ../certificates/punycodetest.pem
|
| + -out ../certificates/punycodetest.pem
|
| +
|
| +## Reject intranet hostnames in "publicly" trusted certs
|
| +# 365 * 3 = 1095
|
| +SUBJECT_NAME="req_dn" \
|
| + try openssl req -x509 -days 1095 \
|
| + -config ../scripts/ee.cnf -newkey rsa:2048 -text \
|
| + -out ../certificates/reject_intranet_hosts.pem
|
| +
|
| +## Validity too long unit test support.
|
| +try openssl req -config ../scripts/ee.cnf \
|
| + -newkey rsa:2048 -text -out ../certificates/10_year_validity.req
|
| +CA_COMMON_NAME="Test Root CA" \
|
| + try openssl ca \
|
| + -batch \
|
| + -extensions user_cert \
|
| + -startdate 081030000000Z \
|
| + -enddate 181029000000Z \
|
| + -in ../certificates/10_year_validity.req \
|
| + -out ../certificates/10_year_validity.pem \
|
| + -config ca.cnf
|
| +# 365 * 11 = 4015
|
| +try openssl req -config ../scripts/ee.cnf \
|
| + -newkey rsa:2048 -text -out ../certificates/11_year_validity.req
|
| +CA_COMMON_NAME="Test Root CA" \
|
| + try openssl ca \
|
| + -batch \
|
| + -extensions user_cert \
|
| + -startdate 141030000000Z \
|
| + -days 4015 \
|
| + -in ../certificates/11_year_validity.req \
|
| + -out ../certificates/11_year_validity.pem \
|
| + -config ca.cnf
|
| +try openssl req -config ../scripts/ee.cnf \
|
| + -newkey rsa:2048 -text -out ../certificates/39_months_after_2015_04.req
|
| +CA_COMMON_NAME="Test Root CA" \
|
| + try openssl ca \
|
| + -batch \
|
| + -extensions user_cert \
|
| + -startdate 150402000000Z \
|
| + -enddate 180702000000Z \
|
| + -in ../certificates/39_months_after_2015_04.req \
|
| + -out ../certificates/39_months_after_2015_04.pem \
|
| + -config ca.cnf
|
| +try openssl req -config ../scripts/ee.cnf \
|
| + -newkey rsa:2048 -text -out ../certificates/40_months_after_2015_04.req
|
| +CA_COMMON_NAME="Test Root CA" \
|
| + try openssl ca \
|
| + -batch \
|
| + -extensions user_cert \
|
| + -startdate 150402000000Z \
|
| + -enddate 180801000000Z \
|
| + -in ../certificates/40_months_after_2015_04.req \
|
| + -out ../certificates/40_months_after_2015_04.pem \
|
| + -config ca.cnf
|
| +try openssl req -config ../scripts/ee.cnf \
|
| + -newkey rsa:2048 -text -out ../certificates/60_months_after_2012_07.req
|
| +CA_COMMON_NAME="Test Root CA" \
|
| + try openssl ca \
|
| + -batch \
|
| + -extensions user_cert \
|
| + -startdate 141030000000Z \
|
| + -enddate 190930000000Z \
|
| + -in ../certificates/60_months_after_2012_07.req \
|
| + -out ../certificates/60_months_after_2012_07.pem \
|
| + -config ca.cnf
|
| +try openssl req -config ../scripts/ee.cnf \
|
| + -newkey rsa:2048 -text -out ../certificates/61_months_after_2012_07.req
|
| +# 30 * 61 = 1830
|
| +CA_COMMON_NAME="Test Root CA" \
|
| + try openssl ca \
|
| + -batch \
|
| + -extensions user_cert \
|
| + -startdate 141030000000Z \
|
| + -days 1830 \
|
| + -in ../certificates/61_months_after_2012_07.req \
|
| + -out ../certificates/61_months_after_2012_07.pem \
|
| + -config ca.cnf
|
| +# start date after expiry date
|
| +try openssl req -config ../scripts/ee.cnf \
|
| + -newkey rsa:2048 -text -out ../certificates/start_after_expiry.req
|
| +CA_COMMON_NAME="Test Root CA" \
|
| + try openssl ca \
|
| + -batch \
|
| + -extensions user_cert \
|
| + -startdate 180901000000Z \
|
| + -enddate 150402000000Z \
|
| + -in ../certificates/start_after_expiry.req \
|
| + -out ../certificates/start_after_expiry.pem \
|
| + -config ca.cnf
|
| +try openssl req -config ../scripts/ee.cnf \
|
| + -newkey rsa:2048 -text -out ../certificates/start_after_expiry.req
|
| +# Issued pre-BRs, lifetime < 120 months, expires before 2019-07-01
|
| +try openssl req -config ../scripts/ee.cnf \
|
| + -newkey rsa:2048 -text -out ../certificates/pre_br_validity_ok.req
|
| +CA_COMMON_NAME="Test Root CA" \
|
| + try openssl ca \
|
| + -batch \
|
| + -extensions user_cert \
|
| + -startdate 080101000000Z \
|
| + -enddate 150101000000Z \
|
| + -in ../certificates/pre_br_validity_ok.req \
|
| + -out ../certificates/pre_br_validity_ok.pem \
|
| + -config ca.cnf
|
| +try openssl req -config ../scripts/ee.cnf \
|
| + -newkey rsa:2048 -text -out ../certificates/pre_br_validity_ok.req
|
| +# Issued pre-BRs, lifetime > 120 months, expires before 2019-07-01
|
| +try openssl req -config ../scripts/ee.cnf \
|
| + -newkey rsa:2048 -text -out ../certificates/pre_br_validity_bad_121.req
|
| +CA_COMMON_NAME="Test Root CA" \
|
| + try openssl ca \
|
| + -batch \
|
| + -extensions user_cert \
|
| + -startdate 080101000000Z \
|
| + -enddate 180501000000Z \
|
| + -in ../certificates/pre_br_validity_bad_121.req \
|
| + -out ../certificates/pre_br_validity_bad_121.pem \
|
| + -config ca.cnf
|
| +try openssl req -config ../scripts/ee.cnf \
|
| + -newkey rsa:2048 -text -out ../certificates/pre_br_validity_bad_121.req
|
| +# Issued pre-BRs, lifetime < 120 months, expires after 2019-07-01
|
| +try openssl req -config ../scripts/ee.cnf \
|
| + -newkey rsa:2048 -text -out ../certificates/pre_br_validity_bad_2020.req
|
| +CA_COMMON_NAME="Test Root CA" \
|
| + try openssl ca \
|
| + -batch \
|
| + -extensions user_cert \
|
| + -startdate 120501000000Z \
|
| + -enddate 190703000000Z \
|
| + -in ../certificates/pre_br_validity_bad_2020.req \
|
| + -out ../certificates/pre_br_validity_bad_2020.pem \
|
| + -config ca.cnf
|
| +try openssl req -config ../scripts/ee.cnf \
|
| + -newkey rsa:2048 -text -out ../certificates/pre_br_validity_bad_2020.req
|
|
|
| # Regenerate CRLSets
|
| ## Block a leaf cert directly by SPKI
|
|
|
Chromium Code Reviews
Issue 724543002:
Reject certificates that are valid for too long. (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master