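--- /dev/null
+++ b/[PATH not shown on page]
@@ -0,0 +1,92 @@
+#!/bin/sh
+
+# Copyright 2013 The Chromium Authors. All rights reserved.
+# Use of this source code is governed by a BSD-style license that can be
+# found in the LICENSE file.
+
+# This script generates a two roots - one legacy one signed with MD5, and
+# another (newer) one signed with SHA1 - and has a leaf certificate signed
+# by these without any distinguishers.
+#
+# The "cross-signed" comes from the fact that both the MD5 and SHA1 roots share
+# the same Authority Key ID, Subject Key ID, Subject, and Subject Public Key
+# Info. When the chain building algorithm is evaluating paths, if it prefers
+# untrusted over trusted, then it will see the MD5 certificate as a self-signed
+# cert that is "cross-signed" by the trusted SHA1 root.
+#
+# The SHA1 root should be (temporarily) trusted, and the resulting chain
+# should be leaf -> SHA1root, not leaf -> MD5root, leaf -> SHA1root -> MD5root,
+# or leaf -> MD5root -> SHA1root
+
+try() {
+echo "$@"
+"$@" || exit 1
+}
+
+try rm -rf out
+try mkdir out
+
+try /bin/sh -c "echo 01 > out/2048-sha1-root-serial"
+try /bin/sh -c "echo 02 > out/2048-md5-root-serial"
+touch out/2048-sha1-root-index.txt
+touch out/2048-md5-root-index.txt
+
+# Generate the key
+try openssl genrsa -out out/2048-sha1-root.key 2048
+
+# Generate the root certificate
+CA_COMMON_NAME="Test Dup-Hash Root CA" \
+try openssl req \
+-new \
+-key out/2048-sha1-root.key \
+-out out/2048-sha1-root.req \
+-config ca.cnf
+
+CA_COMMON_NAME="Test Dup-Hash Root CA" \
+try openssl x509 \
+-req -days 3650 \
+-sha1 \
+-in out/2048-sha1-root.req \
+-out out/2048-sha1-root.pem \
+-text \
+-signkey out/2048-sha1-root.key \
+-extfile ca.cnf \
+-extensions ca_cert
+
+CA_COMMON_NAME="Test Dup-Hash Root CA" \
+try openssl x509 \
+-req -days 3650 \
+-md5 \
+-in out/2048-sha1-root.req \
+-out out/2048-md5-root.pem \
+-text \
+-signkey out/2048-sha1-root.key \
+-extfile ca.cnf \
+-extensions ca_cert
+
+# Generate the leaf certificate request
+try openssl req \
+-new \
+-keyout out/ok_cert.key \
+-out out/ok_cert.req \
+-config ee.cnf
+
+# Generate the leaf certificates
+CA_COMMON_NAME="Test Dup-Hash Root CA" \
+try openssl ca \
+-batch \
+-extensions user_cert \
+-days 3650 \
+-in out/ok_cert.req \
+-out out/ok_cert.pem \
+-config ca.cnf
+
+try openssl x509 -text \
+-in out/2048-md5-root.pem \
+-out ../certificates/cross-signed-root-md5.pem
+try openssl x509 -text \
+-in out/2048-sha1-root.pem \
+-out ../certificates/cross-signed-root-sha1.pem
+try openssl x509 -text \
+-in out/ok_cert.pem \
+-out ../certificates/cross-signed-leaf.pem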
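Review bot: The two `touch out/...-index.txt` lines are the only steps not wrapped in `try`, so if creating the CA index files fails (e.g. `out/` not writable) the script carries on and the later `openssl ca` call fails with a less obvious error; wrap them as `try touch out/2048-sha1-root-index.txt` and `try touch out/2048-md5-root-index.txt` to keep the fail-fast behaviour consistent. Every path in the script (`out/`, `ca.cnf`, `ee.cnf`, `../certificates/`) is relative to the current directory rather than to the script, so `try rm -rf out` and the final writes into `../certificates/` land wherever the caller happens to be; a `cd "$(dirname "$0")" || exit 1` after the header comment, or a comment stating that the script must be run from its own directory, would make that explicit. The leaf request uses `-keyout out/ok_cert.key` without `-nodes`, which presumably relies on `ee.cnf` disabling key encryption to stay non-interactive; a one-line comment noting that assumption would help whoever regenerates these fixtures. The header comment also has a small typo, `generates a two roots`, that could read `generates two roots`.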