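#!/bin/sh

# Copyright 2013 The Chromium Authors. All rights reserved.
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.

# This script generates two roots - one legacy one signed with MD5, and
# another (newer) one signed with SHA1 - and has a leaf certificate signed
# by these without any distinguishers.
#
# The "cross-signed" comes from the fact that both the MD5 and SHA1 roots share
# the same Authority Key ID, Subject Key ID, Subject, and Subject Public Key
# Info. When the chain building algorithm is evaluating paths, if it prefers
# untrusted over trusted, then it will see the MD5 certificate as a self-signed
# cert that is "cross-signed" by the trusted SHA1 root.
#
# The SHA1 root should be (temporarily) trusted, and the resulting chain
# should be leaf -> SHA1root, not leaf -> MD5root, leaf -> SHA1root -> MD5root,
# or leaf -> MD5root -> SHA1root
#
# The MD5 and SHA1 signatures are deliberately weak: these are test fixtures
# for exercising path building, not certificates to be trusted anywhere real.
#
# Inputs (expected in the current directory): ca.cnf, ee.cnf.
# Outputs: out/ (scratch CA state) and ../certificates/cross-signed-*.pem.

# Print a command to stderr, run it, and abort the whole script if it fails.
# Arguments are passed through quoted ("$@") so an argument containing spaces
# reaches the command intact. The trace goes to stderr so that a redirected
# stdout (`try cmd > file`) receives only the command's own output.
try() {
  echo "$@" >&2
  "$@" || exit 1
}

try rm -rf out
try mkdir out

# Serial-number and index files for the two CA databases. These are written
# directly rather than through try so that only the serial value lands in the
# file; the original `try echo 1 > file` form also captured the trace line
# ("echo 1") in the file. (Presumably these paths are referenced from ca.cnf —
# verify against that file.)
echo 1 > out/2048-sha1-root-serial || exit 1
echo 2 > out/2048-md5-root-serial || exit 1
try touch out/2048-sha1-root-index.txt
try touch out/2048-md5-root-index.txt

# Generate the key. One key is shared by both roots so that they end up with
# the same Subject Public Key Info.
try openssl genrsa -out out/2048-sha1-root.key 2048

# Generate the root certificate request. CA_COMMON_NAME is consumed by ca.cnf
# (not by this script).
CA_COMMON_NAME="Test Dup-Hash Root CA" \
  try openssl req \
    -new \
    -key out/2048-sha1-root.key \
    -out out/2048-sha1-root.req \
    -config ca.cnf

# SHA1-signed root: the one the test will (temporarily) trust.
CA_COMMON_NAME="Test Dup-Hash Root CA" \
  try openssl x509 \
    -req -days 3650 \
    -sha1 \
    -in out/2048-sha1-root.req \
    -out out/2048-sha1-root.pem \
    -text \
    -signkey out/2048-sha1-root.key \
    -extfile ca.cnf \
    -extensions ca_cert

# MD5-signed root: same request, same key, same extensions section, so only
# the signature algorithm differs from the SHA1 root. (The matching Subject
# Key ID / Authority Key ID presumably come from the ca_cert section of
# ca.cnf — verify there.)
CA_COMMON_NAME="Test Dup-Hash Root CA" \
  try openssl x509 \
    -req -days 3650 \
    -md5 \
    -in out/2048-sha1-root.req \
    -out out/2048-md5-root.pem \
    -text \
    -signkey out/2048-sha1-root.key \
    -extfile ca.cnf \
    -extensions ca_cert

# Generate the leaf certificate request
try openssl req \
  -new \
  -keyout out/ok_cert.key \
  -out out/ok_cert.req \
  -config ee.cnf

# Generate the leaf certificate. It is issued through the CA database, so it
# carries no distinguisher that would tie it to one root over the other.
CA_COMMON_NAME="Test Dup-Hash Root CA" \
  try openssl ca \
    -batch \
    -extensions user_cert \
    -days 3650 \
    -in out/ok_cert.req \
    -out out/ok_cert.pem \
    -config ca.cnf

# Re-emit the three certificates (with a -text dump) into the shared
# certificates directory used by the tests.
try openssl x509 -text \
  -in out/2048-md5-root.pem \
  -out ../certificates/cross-signed-root-md5.pem
try openssl x509 -text \
  -in out/2048-sha1-root.pem \
  -out ../certificates/cross-signed-root-sha1.pem
try openssl x509 -text \
  -in out/ok_cert.pem \
  -out ../certificates/cross-signed-leaf.pem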