      1 #!/bin/sh
      2 
      3 # Copyright (c) 2012 The Chromium Authors. All rights reserved.
      4 # Use of this source code is governed by a BSD-style license that can be
      5 # found in the LICENSE file.
      6 
      7 # This script generates two chains of test certificates:
      8 #
      9 #     1. A (end-entity) -> B -> C -> D (self-signed root)
     10 #     2. A (end-entity) -> B -> C2 (self-signed root)
     11 #
     12 # in which A, B, C, and D have distinct keypairs. C2 is a self-signed root
     13 # certificate that uses the same keypair as C.
     14 #
     15 # We use these cert chains in
     16 # SSLClientSocketTest.VerifyReturnChainProperlyOrdered to ensure that
     17 # SSLInfo objects see the certificate chain as validated rather than as
     18 # served by the server. The server serves chain 1. The client has C2, NOT D,
     19 # installed as a trusted root. Therefore, the chain will validate as chain
     20 # 2, even though the server served chain 1.
     21 
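# Echo a command line, then run it; abort the whole script if it fails.
# Arguments: the command and its arguments, passed through verbatim.
# Outputs:   the command line on stdout, followed by the command's own output.
# Exits:     with status 1 if the command returns non-zero.
try () {
  echo "$@"
  # "$@" keeps every argument as one word. The unquoted form re-splits
  # arguments that contain spaces (e.g. "D Root CA") and expands globs.
  "$@" || exit 1
}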
     26 
# Map a key algorithm name to the matching openssl key-generation subcommand.
# Arguments: $1 - algorithm name; only "rsa" is recognised
# Outputs:   the subcommand name ("genrsa") on stdout
# Exits:     with status 1 for any other (or missing) algorithm name
generate_key_command () {
  if [ "$1" = rsa ]; then
    printf '%s\n' genrsa
  else
    exit 1
  fi
}
     36 
     37 try rm -rf out
     38 try mkdir out
     39 
     40 echo Create the serial number files.
     41 serial=100
     42 for i in B C C2 D
     43 do
     44   try echo $serial > out/$i-serial
     45   serial=$(expr $serial + 1)
     46 done
     47 
     48 echo Generate the keys.
     49 try openssl genrsa -out out/A.key 2048
     50 try openssl genrsa -out out/B.key 2048
     51 try openssl genrsa -out out/C.key 2048
     52 try openssl genrsa -out out/D.key 2048
     53 
     54 echo Generate the D CSR.
     55 CA_COMMON_NAME="D Root CA" \
     56   CA_DIR=out \
     57   CA_NAME=req_env_dn \
     58   KEY_SIZE=2048 \
     59   ALGO=rsa \
     60   CERT_TYPE=root \
     61   TYPE=D CERTIFICATE=D \
     62   try openssl req \
     63     -new \
     64     -key out/D.key \
     65     -out out/D.csr \
     66     -config redundant-ca.cnf
     67 
     68 echo D signs itself.
     69 CA_COMMON_NAME="D Root CA" \
     70   CA_DIR=out \
     71   CA_NAME=req_env_dn \
     72   try openssl x509 \
     73     -req -days 3650 \
     74     -in out/D.csr \
     75     -extensions ca_cert \
     76     -signkey out/D.key \
     77     -out out/D.pem
     78 
     79 echo Generate the C2 root CSR.
     80 CA_COMMON_NAME="C CA" \
     81   CA_DIR=out \
     82   CA_NAME=req_env_dn \
     83   KEY_SIZE=2048 \
     84   ALGO=rsa \
     85   CERT_TYPE=root \
     86   TYPE=C2 CERTIFICATE=C2 \
     87   try openssl req \
     88     -new \
     89     -key out/C.key \
     90     -out out/C2.csr \
     91     -config redundant-ca.cnf
     92 
     93 echo C2 signs itself.
     94 CA_COMMON_NAME="C CA" \
     95   CA_DIR=out \
     96   CA_NAME=req_env_dn \
     97   try openssl x509 \
     98     -req -days 3650 \
     99     -in out/C2.csr \
    100     -extensions ca_cert \
    101     -signkey out/C.key \
    102     -out out/C2.pem
    103 
    104 echo Generate the B and C intermediaries\' CSRs.
    105 for i in B C
    106 do
    107   name="$i Intermediate CA"
    108   CA_COMMON_NAME="$i CA" \
    109     CA_DIR=out \
    110     CA_NAME=req_env_dn \
    111     KEY_SIZE=2048 \
    112     ALGO=rsa \
    113     CERT_TYPE=root \
    114     TYPE=$i CERTIFICATE=$i \
    115     try openssl req \
    116       -new \
    117       -key out/$i.key \
    118       -out out/$i.csr \
    119       -config redundant-ca.cnf
    120 done
    121 
    122 echo D signs the C intermediate.
    123 # Make sure the signer's DB file exists.
    124 touch out/D-index.txt
    125 CA_COMMON_NAME="D Root CA" \
    126   CA_DIR=out \
    127   CA_NAME=req_env_dn \
    128   KEY_SIZE=2048 \
    129   ALGO=rsa \
    130   CERT_TYPE=root \
    131   TYPE=D CERTIFICATE=D \
    132   try openssl ca \
    133     -batch \
    134     -extensions ca_cert \
    135     -in out/C.csr \
    136     -out out/C.pem \
    137     -config redundant-ca.cnf
    138 
    139 echo C signs the B intermediate.
    140 touch out/C-index.txt
    141 CA_COMMON_NAME="C CA" \
    142   CA_DIR=out \
    143   CA_NAME=req_env_dn \
    144   KEY_SIZE=2048 \
    145   ALGO=rsa \
    146   CERT_TYPE=root \
    147   TYPE=C CERTIFICATE=C \
    148   try openssl ca \
    149     -batch \
    150     -extensions ca_cert \
    151     -in out/B.csr \
    152     -out out/B.pem \
    153     -config redundant-ca.cnf
    154 
    155 echo Generate the A end-entity CSR.
    156 try openssl req \
    157   -new \
    158   -key out/A.key \
    159   -out out/A.csr \
    160   -config ee.cnf
    161 
    162 echo B signs A.
    163 touch out/B-index.txt
    164 CA_COMMON_NAME="B CA" \
    165   CA_DIR=out \
    166   CA_NAME=req_env_dn \
    167   KEY_SIZE=$signer_key_size \
    168   ALGO=$signer_algo \
    169   CERT_TYPE=intermediate \
    170   TYPE=B CERTIFICATE=B \
    171   try openssl ca \
    172     -batch \
    173     -extensions user_cert \
    174     -in out/A.csr \
    175     -out out/A.pem \
    176     -config redundant-ca.cnf
    177 
    178 echo Create redundant-server-chain.pem
    179 cat out/A.key out/A.pem out/B.pem out/C.pem out/D.pem \
    180     > redundant-server-chain.pem
    181 
    182 echo Create redundant-validated-chain.pem
    183 cat out/A.key out/A.pem out/B.pem out/C2.pem > redundant-validated-chain.pem
    184 
    185 echo Create redundant-validated-chain-root.pem
    186 cp out/C2.pem redundant-validated-chain-root.pem
    187 
    188