| Index: net/data/ssl/scripts/generate-test-certs.sh
|
| diff --git a/net/data/ssl/scripts/generate-test-certs.sh b/net/data/ssl/scripts/generate-test-certs.sh
|
| deleted file mode 100755
|
| index 24eadf108552a1bde2e64fc6ecd8cc22a5d1d269..0000000000000000000000000000000000000000
|
| --- a/net/data/ssl/scripts/generate-test-certs.sh
|
| +++ /dev/null
|
| @@ -1,291 +0,0 @@
|
| -#!/bin/sh
|
| -
|
| -# Copyright 2013 The Chromium Authors. All rights reserved.
|
| -# Use of this source code is governed by a BSD-style license that can be
|
| -# found in the LICENSE file.
|
| -
|
| -# This script generates a set of test (end-entity, intermediate, root)
|
| -# certificates that can be used to test fetching of an intermediate via AIA.
|
| -
|
| -try() {
|
| - echo "$@"
|
| - "$@" || exit 1
|
| -}
|
| -
|
| -try rm -rf out
|
| -try mkdir out
|
| -
|
| -try /bin/sh -c "echo 01 > out/2048-sha256-root-serial"
|
| -touch out/2048-sha256-root-index.txt
|
| -
|
| -# Generate the key
|
| -try openssl genrsa -out out/2048-sha256-root.key 2048
|
| -
|
| -# Generate the root certificate
|
| -CA_COMMON_NAME="Test Root CA" \
|
| - try openssl req \
|
| - -new \
|
| - -key out/2048-sha256-root.key \
|
| - -out out/2048-sha256-root.req \
|
| - -config ca.cnf
|
| -
|
| -CA_COMMON_NAME="Test Root CA" \
|
| - try openssl x509 \
|
| - -req -days 3650 \
|
| - -in out/2048-sha256-root.req \
|
| - -out out/2048-sha256-root.pem \
|
| - -signkey out/2048-sha256-root.key \
|
| - -extfile ca.cnf \
|
| - -extensions ca_cert \
|
| - -text
|
| -
|
| -# Generate the leaf certificate requests
|
| -try openssl req \
|
| - -new \
|
| - -keyout out/expired_cert.key \
|
| - -out out/expired_cert.req \
|
| - -config ee.cnf
|
| -
|
| -try openssl req \
|
| - -new \
|
| - -keyout out/ok_cert.key \
|
| - -out out/ok_cert.req \
|
| - -config ee.cnf
|
| -
|
| -# Generate the leaf certificates
|
| -CA_COMMON_NAME="Test Root CA" \
|
| - try openssl ca \
|
| - -batch \
|
| - -extensions user_cert \
|
| - -startdate 060101000000Z \
|
| - -enddate 070101000000Z \
|
| - -in out/expired_cert.req \
|
| - -out out/expired_cert.pem \
|
| - -config ca.cnf
|
| -
|
| -CA_COMMON_NAME="Test Root CA" \
|
| - try openssl ca \
|
| - -batch \
|
| - -extensions user_cert \
|
| - -days 3650 \
|
| - -in out/ok_cert.req \
|
| - -out out/ok_cert.pem \
|
| - -config ca.cnf
|
| -
|
| -CA_COMMON_NAME="Test Root CA" \
|
| - try openssl ca \
|
| - -batch \
|
| - -extensions name_constraint_bad \
|
| - -subj "/CN=Leaf certificate/" \
|
| - -days 3650 \
|
| - -in out/ok_cert.req \
|
| - -out out/name_constraint_bad.pem \
|
| - -config ca.cnf
|
| -
|
| -CA_COMMON_NAME="Test Root CA" \
|
| - try openssl ca \
|
| - -batch \
|
| - -extensions name_constraint_good \
|
| - -subj "/CN=Leaf Certificate/" \
|
| - -days 3650 \
|
| - -in out/ok_cert.req \
|
| - -out out/name_constraint_good.pem \
|
| - -config ca.cnf
|
| -
|
| -try /bin/sh -c "cat out/ok_cert.key out/ok_cert.pem \
|
| - > ../certificates/ok_cert.pem"
|
| -try /bin/sh -c "cat out/expired_cert.key out/expired_cert.pem \
|
| - > ../certificates/expired_cert.pem"
|
| -try /bin/sh -c "cat out/2048-sha256-root.key out/2048-sha256-root.pem \
|
| - > ../certificates/root_ca_cert.pem"
|
| -try /bin/sh -c "cat out/ok_cert.key out/name_constraint_bad.pem \
|
| - > ../certificates/name_constraint_bad.pem"
|
| -try /bin/sh -c "cat out/ok_cert.key out/name_constraint_good.pem \
|
| - > ../certificates/name_constraint_good.pem"
|
| -
|
| -# Now generate the one-off certs
|
| -## SHA-256 general test cert
|
| -try openssl req -x509 -days 3650 \
|
| - -config ../scripts/ee.cnf -newkey rsa:2048 -text \
|
| - -sha256 \
|
| - -out sha256.pem
|
| -
|
| -## Self-signed cert for SPDY/QUIC/HTTP2 pooling testing
|
| -try openssl req -x509 -days 3650 -extensions req_spdy_pooling \
|
| - -config ../scripts/ee.cnf -newkey rsa:2048 -text \
|
| - -out ../certificates/spdy_pooling.pem
|
| -
|
| -## SubjectAltName parsing
|
| -try openssl req -x509 -days 3650 -extensions req_san_sanity \
|
| - -config ../scripts/ee.cnf -newkey rsa:2048 -text \
|
| - -out ../certificates/subjectAltName_sanity_check.pem
|
| -
|
| -## Punycode handling
|
| -SUBJECT_NAME="req_punycode_dn" \
|
| - try openssl req -x509 -days 3650 -extensions req_punycode \
|
| - -config ../scripts/ee.cnf -newkey rsa:2048 -text \
|
| - -out ../certificates/punycodetest.pem
|
| -
|
| -## Reject intranet hostnames in "publicly" trusted certs
|
| -# 365 * 3 = 1095
|
| -SUBJECT_NAME="req_dn" \
|
| - try openssl req -x509 -days 1095 \
|
| - -config ../scripts/ee.cnf -newkey rsa:2048 -text \
|
| - -out ../certificates/reject_intranet_hosts.pem
|
| -
|
| -## Validity too long unit test support.
|
| -try openssl req -config ../scripts/ee.cnf \
|
| - -newkey rsa:2048 -text -out ../certificates/10_year_validity.req
|
| -CA_COMMON_NAME="Test Root CA" \
|
| - try openssl ca \
|
| - -batch \
|
| - -extensions user_cert \
|
| - -startdate 081030000000Z \
|
| - -enddate 181029000000Z \
|
| - -in ../certificates/10_year_validity.req \
|
| - -out ../certificates/10_year_validity.pem \
|
| - -config ca.cnf
|
| -# 365 * 11 = 4015
|
| -try openssl req -config ../scripts/ee.cnf \
|
| - -newkey rsa:2048 -text -out ../certificates/11_year_validity.req
|
| -CA_COMMON_NAME="Test Root CA" \
|
| - try openssl ca \
|
| - -batch \
|
| - -extensions user_cert \
|
| - -startdate 141030000000Z \
|
| - -days 4015 \
|
| - -in ../certificates/11_year_validity.req \
|
| - -out ../certificates/11_year_validity.pem \
|
| - -config ca.cnf
|
| -try openssl req -config ../scripts/ee.cnf \
|
| - -newkey rsa:2048 -text -out ../certificates/39_months_after_2015_04.req
|
| -CA_COMMON_NAME="Test Root CA" \
|
| - try openssl ca \
|
| - -batch \
|
| - -extensions user_cert \
|
| - -startdate 150402000000Z \
|
| - -enddate 180702000000Z \
|
| - -in ../certificates/39_months_after_2015_04.req \
|
| - -out ../certificates/39_months_after_2015_04.pem \
|
| - -config ca.cnf
|
| -try openssl req -config ../scripts/ee.cnf \
|
| - -newkey rsa:2048 -text -out ../certificates/40_months_after_2015_04.req
|
| -CA_COMMON_NAME="Test Root CA" \
|
| - try openssl ca \
|
| - -batch \
|
| - -extensions user_cert \
|
| - -startdate 150402000000Z \
|
| - -enddate 180801000000Z \
|
| - -in ../certificates/40_months_after_2015_04.req \
|
| - -out ../certificates/40_months_after_2015_04.pem \
|
| - -config ca.cnf
|
| -try openssl req -config ../scripts/ee.cnf \
|
| - -newkey rsa:2048 -text -out ../certificates/60_months_after_2012_07.req
|
| -CA_COMMON_NAME="Test Root CA" \
|
| - try openssl ca \
|
| - -batch \
|
| - -extensions user_cert \
|
| - -startdate 141030000000Z \
|
| - -enddate 190930000000Z \
|
| - -in ../certificates/60_months_after_2012_07.req \
|
| - -out ../certificates/60_months_after_2012_07.pem \
|
| - -config ca.cnf
|
| -try openssl req -config ../scripts/ee.cnf \
|
| - -newkey rsa:2048 -text -out ../certificates/61_months_after_2012_07.req
|
| -# 30 * 61 = 1830
|
| -CA_COMMON_NAME="Test Root CA" \
|
| - try openssl ca \
|
| - -batch \
|
| - -extensions user_cert \
|
| - -startdate 141030000000Z \
|
| - -days 1830 \
|
| - -in ../certificates/61_months_after_2012_07.req \
|
| - -out ../certificates/61_months_after_2012_07.pem \
|
| - -config ca.cnf
|
| -# start date after expiry date
|
| -try openssl req -config ../scripts/ee.cnf \
|
| - -newkey rsa:2048 -text -out ../certificates/start_after_expiry.req
|
| -CA_COMMON_NAME="Test Root CA" \
|
| - try openssl ca \
|
| - -batch \
|
| - -extensions user_cert \
|
| - -startdate 180901000000Z \
|
| - -enddate 150402000000Z \
|
| - -in ../certificates/start_after_expiry.req \
|
| - -out ../certificates/start_after_expiry.pem \
|
| - -config ca.cnf
|
| -try openssl req -config ../scripts/ee.cnf \
|
| - -newkey rsa:2048 -text -out ../certificates/start_after_expiry.req
|
| -# Issued pre-BRs, lifetime < 120 months, expires before 2019-07-01
|
| -try openssl req -config ../scripts/ee.cnf \
|
| - -newkey rsa:2048 -text -out ../certificates/pre_br_validity_ok.req
|
| -CA_COMMON_NAME="Test Root CA" \
|
| - try openssl ca \
|
| - -batch \
|
| - -extensions user_cert \
|
| - -startdate 080101000000Z \
|
| - -enddate 150101000000Z \
|
| - -in ../certificates/pre_br_validity_ok.req \
|
| - -out ../certificates/pre_br_validity_ok.pem \
|
| - -config ca.cnf
|
| -try openssl req -config ../scripts/ee.cnf \
|
| - -newkey rsa:2048 -text -out ../certificates/pre_br_validity_ok.req
|
| -# Issued pre-BRs, lifetime > 120 months, expires before 2019-07-01
|
| -try openssl req -config ../scripts/ee.cnf \
|
| - -newkey rsa:2048 -text -out ../certificates/pre_br_validity_bad_121.req
|
| -CA_COMMON_NAME="Test Root CA" \
|
| - try openssl ca \
|
| - -batch \
|
| - -extensions user_cert \
|
| - -startdate 080101000000Z \
|
| - -enddate 180501000000Z \
|
| - -in ../certificates/pre_br_validity_bad_121.req \
|
| - -out ../certificates/pre_br_validity_bad_121.pem \
|
| - -config ca.cnf
|
| -try openssl req -config ../scripts/ee.cnf \
|
| - -newkey rsa:2048 -text -out ../certificates/pre_br_validity_bad_121.req
|
| -# Issued pre-BRs, lifetime < 120 months, expires after 2019-07-01
|
| -try openssl req -config ../scripts/ee.cnf \
|
| - -newkey rsa:2048 -text -out ../certificates/pre_br_validity_bad_2020.req
|
| -CA_COMMON_NAME="Test Root CA" \
|
| - try openssl ca \
|
| - -batch \
|
| - -extensions user_cert \
|
| - -startdate 120501000000Z \
|
| - -enddate 190703000000Z \
|
| - -in ../certificates/pre_br_validity_bad_2020.req \
|
| - -out ../certificates/pre_br_validity_bad_2020.pem \
|
| - -config ca.cnf
|
| -try openssl req -config ../scripts/ee.cnf \
|
| - -newkey rsa:2048 -text -out ../certificates/pre_br_validity_bad_2020.req
|
| -
|
| -# Regenerate CRLSets
|
| -## Block a leaf cert directly by SPKI
|
| -try python crlsetutil.py -o ../certificates/crlset_by_leaf_spki.raw \
|
| -<<CRLBYLEAFSPKI
|
| -{
|
| - "BlockedBySPKI": ["../certificates/ok_cert.pem"]
|
| -}
|
| -CRLBYLEAFSPKI
|
| -
|
| -## Block a leaf cert by issuer-hash-and-serial (ok_cert.pem == serial 2, by
|
| -## virtue of the serial file and ordering above.
|
| -try python crlsetutil.py -o ../certificates/crlset_by_root_serial.raw \
|
| -<<CRLBYROOTSERIAL
|
| -{
|
| - "BlockedByHash": {
|
| - "../certificates/root_ca_cert.pem": [2]
|
| - }
|
| -}
|
| -CRLBYROOTSERIAL
|
| -
|
| -## Block a leaf cert by issuer-hash-and-serial. However, this will be issued
|
| -## from an intermediate CA issued underneath a root.
|
| -try python crlsetutil.py -o ../certificates/crlset_by_intermediate_serial.raw \
|
| -<<CRLSETBYINTERMEDIATESERIAL
|
| -{
|
| - "BlockedByHash": {
|
| - "../certificates/quic_intermediate.crt": [3]
|
| - }
|
| -}
|
| -CRLSETBYINTERMEDIATESERIAL
|
|
|
Chromium Code Reviews
Issue 992733002:
Remove //net (except for Android test stuff) and sdch (Closed)
Base URL: git@github.com:domokit/mojo.git@master