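#!/bin/sh

# Copyright 2013 The Chromium Authors. All rights reserved.
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.

# This script generates a set of test (end-entity, root) certificate chains
# whose EEs have (critical, non-critical) eKUs for codeSigning. We then try
# to use them as EEs for a web server in unit tests, to make sure that we
# don't accept such certs as web server certs.
#
# Run it from the directory that holds ca.cnf and eku-test.cnf: every path
# below is relative, and ./out is deleted and recreated on each run. The keys
# are written without a passphrase and are only meant to be test fixtures.

# Echo a command line, run it, and abort the script if it fails.
# Arguments: the command followed by its arguments
# Outputs:   the command line on stdout, then whatever the command prints
try () {
  echo "$@"
  # Quoted so that every argument reaches the command as a single word.
  "$@" || exit 1
}

try rm -rf out
try mkdir out

eku_test_root="eku-test-root"

# Create the serial number files.
# Written directly instead of through try: a redirection on a try call also
# captures the command line that try echoes, so the file would start with
# "echo 1" rather than the serial.
# NOTE(review): the serial is a hex string and is usually written with an
# even number of digits (01); confirm the OpenSSL in use accepts a bare 1.
echo 1 > "out/${eku_test_root}-serial" || exit 1

# Make sure the signers' DB files exist.
try touch "out/${eku_test_root}-index.txt"

# Generate one root CA certificate.
try openssl genrsa -out "out/${eku_test_root}.key" 2048

# The variables prefixed to the call are presumably read by ca.cnf through
# ${ENV::...} - confirm against ca.cnf.
CA_COMMON_NAME="2048 RSA Test Root CA" \
  CA_DIR=out \
  CA_NAME=req_env_dn \
  KEY_SIZE=2048 \
  ALGO=rsa \
  CERT_TYPE=root \
  try openssl req \
    -new \
    -key "out/${eku_test_root}.key" \
    -extensions ca_cert \
    -out "out/${eku_test_root}.csr" \
    -config ca.cnf

# Self-sign the CSR to produce the root certificate.
# NOTE(review): -extensions names a section but no -extfile is passed, so
# openssl x509 may have no config to read ca_cert from. Check the result with
# `openssl x509 -in out/eku-test-root.pem -noout -text` and confirm the root
# carries the intended CA extensions.
CA_COMMON_NAME="2048 RSA Test Root CA" \
  CA_DIR=out \
  CA_NAME=req_env_dn \
  try openssl x509 \
    -req -days 3650 \
    -in "out/${eku_test_root}.csr" \
    -extensions ca_cert \
    -signkey "out/${eku_test_root}.key" \
    -out "out/${eku_test_root}.pem"

# Generate EE certs.
# Each name is both the output file stem and the request-extension section
# selected from eku-test.cnf with -reqexts.
for cert_type in non-crit-codeSigning crit-codeSigning
do
  try openssl genrsa -out "out/${cert_type}.key" 2048

  try openssl req \
    -new \
    -key "out/${cert_type}.key" \
    -out "out/${cert_type}.csr" \
    -config eku-test.cnf \
    -reqexts "$cert_type"

  # NOTE(review): CA_COMMON_NAME is spelled "2048 rsa ..." here but
  # "2048 RSA ..." for the root above; confirm ca.cnf does not need them
  # to match.
  CA_COMMON_NAME="2048 rsa Test Root CA" \
    CA_DIR=out \
    CA_NAME=req_env_dn \
    KEY_SIZE=2048 \
    ALGO=rsa \
    CERT_TYPE=root \
    try openssl ca \
      -batch \
      -in "out/${cert_type}.csr" \
      -out "out/${cert_type}.pem" \
      -config ca.cnf
done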