      1 #!/bin/sh
      2 
      3 # Copyright (c) 2011 The Chromium Authors. All rights reserved.
      4 # Use of this source code is governed by a BSD-style license that can be
      5 # found in the LICENSE file.
      6 
      7 # This script generates a set of test (end-entity, intermediate, root)
      8 # certificates with (weak, strong), (RSA, DSA, ECDSA) key pairs.
      9 
     10 key_types="768-rsa 1024-rsa 2048-rsa prime256v1-ecdsa"
     11 
# Echo a command line for tracing, run it, and abort the whole script
# (exit status 1) if it fails.  Leading VAR=value assignments on the call
# are therefore in effect for the command being run.
try () {
  echo "$@"
  if ! "$@"
  then
    exit 1
  fi
}
     16 
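# Print the openssl subcommand (plus its fixed flags) that generates a private
# key for algorithm $1: dsa, ecdsa or rsa.  The caller word-splits the output
# into the openssl command line.
# On an unknown algorithm the original exited silently; since this function is
# invoked inside $(...), that exit only ends the substitution subshell, so a
# diagnostic is now written to stderr before exiting with status 1.
generate_key_command () {
  case "$1" in
    dsa)
      echo "dsaparam -genkey"
      ;;
    ecdsa)
      echo "ecparam -genkey"
      ;;
    rsa)
      echo genrsa
      ;;
    *)
      echo "generate_key_command: unsupported key algorithm '$1'" >&2
      exit 1
      ;;
  esac
}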
     32 
     33 try rm -rf out
     34 try mkdir out
     35 
     36 # Create the serial number files.
     37 try /bin/sh -c "echo 01 > out/2048-rsa-root-serial"
     38 for key_type in $key_types
     39 do
     40   try /bin/sh -c "echo 01 > out/$key_type-intermediate-serial"
     41 done
     42 
     43 # Generate one root CA certificate.
     44 try openssl genrsa -out out/2048-rsa-root.key 2048
     45 
     46 CA_COMMON_NAME="2048 RSA Test Root CA" \
     47   CA_DIR=out \
     48   CA_NAME=req_env_dn \
     49   KEY_SIZE=2048 \
     50   ALGO=rsa \
     51   CERT_TYPE=root \
     52   try openssl req \
     53     -new \
     54     -key out/2048-rsa-root.key \
     55     -extensions ca_cert \
     56     -out out/2048-rsa-root.csr \
     57     -config ca.cnf
     58 
     59 CA_COMMON_NAME="2048 RSA Test Root CA" \
     60   CA_DIR=out \
     61   CA_NAME=req_env_dn \
     62   try openssl x509 \
     63     -req -days 3650 \
     64     -in out/2048-rsa-root.csr \
     65     -extensions ca_cert \
     66     -extfile ca.cnf \
     67     -signkey out/2048-rsa-root.key \
     68     -out out/2048-rsa-root.pem \
     69     -text
     70 
     71 # Generate private keys of all types and strengths for intermediate CAs and
     72 # end-entities.
     73 for key_type in $key_types
     74 do
     75   key_size=$(echo "$key_type" | sed -E 's/-.+//')
     76   algo=$(echo "$key_type" | sed -E 's/.+-//')
     77 
     78   if [ ecdsa = $algo ]
     79   then
     80     key_size="-name $key_size"
     81   fi
     82 
     83   try openssl $(generate_key_command $algo) \
     84     -out out/$key_type-intermediate.key $key_size
     85 done
     86 
     87 for key_type in $key_types
     88 do
     89   key_size=$(echo "$key_type" | sed -E 's/-.+//')
     90   algo=$(echo "$key_type" | sed -E 's/.+-//')
     91 
     92   if [ ecdsa = $algo ]
     93   then
     94     key_size="-name $key_size"
     95   fi
     96 
     97   for signer_key_type in $key_types
     98   do
     99     try openssl $(generate_key_command $algo) \
    100       -out out/$key_type-ee-by-$signer_key_type-intermediate.key $key_size
    101   done
    102 done
    103 
    104 # The root signs the intermediates.
    105 for key_type in $key_types
    106 do
    107   key_size=$(echo "$key_type" | sed -E 's/-.+//')
    108   algo=$(echo "$key_type" | sed -E 's/.+-//')
    109 
    110   CA_COMMON_NAME="$key_size $algo Test intermediate CA" \
    111     CA_DIR=out \
    112     CA_NAME=req_env_dn \
    113     KEY_SIZE=$key_size \
    114     ALGO=$algo \
    115     CERT_TYPE=intermediate \
    116     try openssl req \
    117       -new \
    118       -key out/$key_type-intermediate.key \
    119       -out out/$key_type-intermediate.csr \
    120       -config ca.cnf
    121 
    122   # Make sure the signer's DB file exists.
    123   touch out/2048-rsa-root-index.txt
    124 
    125   CA_COMMON_NAME="2048 RSA Test Root CA" \
    126     CA_DIR=out \
    127     CA_NAME=req_env_dn \
    128     KEY_SIZE=2048 \
    129     ALGO=rsa \
    130     CERT_TYPE=root \
    131     try openssl ca \
    132       -batch \
    133       -extensions ca_cert \
    134       -in out/$key_type-intermediate.csr \
    135       -out out/$key_type-intermediate.pem \
    136       -config ca.cnf
    137 done
    138 
    139 # The intermediates sign the end-entities.
    140 for key_type in $key_types
    141 do
    142   for signer_key_type in $key_types
    143   do
    144     key_size=$(echo "$key_type" | sed -E 's/-.+//')
    145     algo=$(echo "$key_type" | sed -E 's/.+-//')
    146     signer_key_size=$(echo "$signer_key_type" | sed -E 's/-.+//')
    147     signer_algo=$(echo "$signer_key_type" | sed -E 's/.+-//')
    148     touch out/$signer_key_type-intermediate-index.txt
    149 
    150     KEY_SIZE=$key_size \
    151       try openssl req \
    152         -new \
    153         -key out/$key_type-ee-by-$signer_key_type-intermediate.key \
    154         -out out/$key_type-ee-by-$signer_key_type-intermediate.csr \
    155         -config ee.cnf
    156 
    157     CA_COMMON_NAME="$signer_key_size $algo Test intermediate CA" \
    158       CA_DIR=out \
    159       CA_NAME=req_env_dn \
    160       KEY_SIZE=$signer_key_size \
    161       ALGO=$signer_algo \
    162       CERT_TYPE=intermediate \
    163       try openssl ca \
    164         -batch \
    165         -in out/$key_type-ee-by-$signer_key_type-intermediate.csr \
    166         -out out/$key_type-ee-by-$signer_key_type-intermediate.pem \
    167         -config ca.cnf
    168   done
    169 done
    170 
    171 # Copy final outputs.
    172 try cp out/*root*pem out/*intermediate*pem ../certificates
    173