      1 #!/bin/sh
      2 
      3 # Copyright (c) 2011 The Chromium Authors. All rights reserved.
      4 # Use of this source code is governed by a BSD-style license that can be
      5 # found in the LICENSE file.
      6 
# This script generates a set of test (end-entity, intermediate, root)
# certificates with RSA key pairs of several sizes (768, 1024 and 2048 bits;
# the 768-bit ones being the "weak" case) and P-256 ECDSA key pairs, as listed
# in key_types below. generate_key_command also knows how to produce DSA keys,
# but no DSA entry is currently present in key_types.
      9 
     10 key_types="768-rsa 1024-rsa 2048-rsa prime256v1-ecdsa"
     11 
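# Echo a command and run it, aborting the whole script if it fails.
# Arguments: the command and its arguments, passed through unchanged.
#
# The trace goes to stderr on purpose: a caller such as `try echo 1 > file`
# redirects the function's entire stdout, so a trace written to stdout would
# land in the file ahead of the command's own output. The command is invoked
# as "$@" so that each argument reaches it intact (a bare $@ re-splits and
# re-globs every argument).
try () {
  printf '%s\n' "$*" >&2
  if ! "$@"; then
    printf 'error: command failed: %s\n' "$*" >&2
    exit 1
  fi
}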
     16 
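# Print the openssl subcommand (plus any fixed flag) that generates a private
# key for the algorithm named by $1: "dsa", "ecdsa" or "rsa".
# Callers expand the result unquoted so that "dsaparam -genkey" splits into
# two words. An unknown algorithm prints a diagnostic to stderr and exits 1;
# because callers run this inside $(...), that only terminates the subshell
# and empties the substitution -- presumably the resulting malformed openssl
# invocation is then what stops the script, via try.
generate_key_command () {
  case "$1" in
    dsa)   echo "dsaparam -genkey" ;;
    ecdsa) echo "ecparam -genkey" ;;
    rsa)   echo genrsa ;;
    *)
      printf 'generate_key_command: unknown key algorithm "%s"\n' "$1" >&2
      exit 1
      ;;
  esac
}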
     32 
     33 try rm -rf out
     34 try mkdir out
     35 
     36 # Create the serial number files.
     37 try echo 1 > out/2048-rsa-root-serial
     38 for key_type in $key_types
     39 do
     40   try echo 1 > out/$key_type-intermediate-serial
     41 done
     42 
     43 # Generate one root CA certificate.
     44 try openssl genrsa -out out/2048-rsa-root.key 2048
     45 
     46 CA_COMMON_NAME="2048 RSA Test Root CA" \
     47   CA_DIR=out \
     48   CA_NAME=req_env_dn \
     49   KEY_SIZE=2048 \
     50   ALGO=rsa \
     51   CERT_TYPE=root \
     52   try openssl req \
     53     -new \
     54     -key out/2048-rsa-root.key \
     55     -extensions ca_cert \
     56     -out out/2048-rsa-root.csr \
     57     -config ca.cnf
     58 
     59 CA_COMMON_NAME="2048 RSA Test Root CA" \
     60   CA_DIR=out \
     61   CA_NAME=req_env_dn \
     62   try openssl x509 \
     63     -req -days 3650 \
     64     -in out/2048-rsa-root.csr \
     65     -extensions ca_cert \
     66     -signkey out/2048-rsa-root.key \
     67     -out out/2048-rsa-root.pem
     68 
     69 # Generate private keys of all types and strengths for intermediate CAs and
     70 # end-entities.
     71 for key_type in $key_types
     72 do
     73   key_size=$(echo "$key_type" | sed -E 's/-.+//')
     74   algo=$(echo "$key_type" | sed -E 's/.+-//')
     75 
     76   if [ ecdsa = $algo ]
     77   then
     78     key_size="-name $key_size"
     79   fi
     80 
     81   try openssl $(generate_key_command $algo) \
     82     -out out/$key_type-intermediate.key $key_size
     83 done
     84 
     85 for key_type in $key_types
     86 do
     87   key_size=$(echo "$key_type" | sed -E 's/-.+//')
     88   algo=$(echo "$key_type" | sed -E 's/.+-//')
     89 
     90   if [ ecdsa = $algo ]
     91   then
     92     key_size="-name $key_size"
     93   fi
     94 
     95   for signer_key_type in $key_types
     96   do
     97     try openssl $(generate_key_command $algo) \
     98       -out out/$key_type-ee-by-$signer_key_type-intermediate.key $key_size
     99   done
    100 done
    101 
    102 # The root signs the intermediates.
    103 for key_type in $key_types
    104 do
    105   key_size=$(echo "$key_type" | sed -E 's/-.+//')
    106   algo=$(echo "$key_type" | sed -E 's/.+-//')
    107 
    108   CA_COMMON_NAME="$key_size $algo Test intermediate CA" \
    109     CA_DIR=out \
    110     CA_NAME=req_env_dn \
    111     KEY_SIZE=$key_size \
    112     ALGO=$algo \
    113     CERT_TYPE=intermediate \
    114     try openssl req \
    115       -new \
    116       -key out/$key_type-intermediate.key \
    117       -out out/$key_type-intermediate.csr \
    118       -config ca.cnf
    119 
    120   # Make sure the signer's DB file exists.
    121   touch out/2048-rsa-root-index.txt
    122 
    123   CA_COMMON_NAME="2048 RSA Test Root CA" \
    124     CA_DIR=out \
    125     CA_NAME=req_env_dn \
    126     KEY_SIZE=2048 \
    127     ALGO=rsa \
    128     CERT_TYPE=root \
    129     try openssl ca \
    130       -batch \
    131       -extensions ca_cert \
    132       -in out/$key_type-intermediate.csr \
    133       -out out/$key_type-intermediate.pem \
    134       -config ca.cnf
    135 done
    136 
    137 # The intermediates sign the end-entities.
    138 for key_type in $key_types
    139 do
    140   for signer_key_type in $key_types
    141   do
    142     key_size=$(echo "$key_type" | sed -E 's/-.+//')
    143     algo=$(echo "$key_type" | sed -E 's/.+-//')
    144     signer_key_size=$(echo "$signer_key_type" | sed -E 's/-.+//')
    145     signer_algo=$(echo "$signer_key_type" | sed -E 's/.+-//')
    146     touch out/$signer_key_type-intermediate-index.txt
    147 
    148     KEY_SIZE=$key_size \
    149       try openssl req \
    150         -new \
    151         -key out/$key_type-ee-by-$signer_key_type-intermediate.key \
    152         -out out/$key_type-ee-by-$signer_key_type-intermediate.csr \
    153         -config ee.cnf
    154 
    155     CA_COMMON_NAME="$signer_key_size $algo Test intermediate CA" \
    156       CA_DIR=out \
    157       CA_NAME=req_env_dn \
    158       KEY_SIZE=$signer_key_size \
    159       ALGO=$signer_algo \
    160       CERT_TYPE=intermediate \
    161       try openssl ca \
    162         -batch \
    163         -in out/$key_type-ee-by-$signer_key_type-intermediate.csr \
    164         -out out/$key_type-ee-by-$signer_key_type-intermediate.pem \
    165         -config ca.cnf
    166   done
    167 done
    168 
    169