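#!/bin/sh

# Copyright 2013 The Chromium Authors. All rights reserved.
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.

# This script generates a set of test (end-entity, intermediate, root)
# certificates that can be used to test fetching of an intermediate via AIA.
#
# Run it from the directory that holds ca.cnf, ee.cnf and crlsetutil.py:
# every path below is relative (out/, ../certificates/, ../scripts/).
# All key material produced here is test-only fixture data; each private key
# is written into the same PEM file as its certificate under ../certificates/.
#
# NOTE(review): none of the commands below issues an intermediate CA. The
# quic_intermediate.crt referenced by the last CRLSet is assumed to already
# exist in ../certificates/ -- confirm before expecting this script to
# regenerate it.

# Print a command, run it, and abort the whole script with status 1 if it
# fails. Every step that must succeed is routed through this helper.
# Arguments: the command followed by its arguments.
try() {
  printf '%s\n' "$*"
  "$@" || exit 1
}

# Refuse to run -- and in particular to "rm -rf out" -- from the wrong
# directory: the inputs this script depends on must be present relative
# to the current working directory.
for required in ca.cnf ee.cnf ../scripts/ee.cnf crlsetutil.py; do
  if [ ! -f "$required" ]; then
    printf 'missing %s: run this script from its own directory\n' \
      "$required" >&2
    exit 1
  fi
done
if [ ! -d ../certificates ]; then
  printf 'missing ../certificates directory\n' >&2
  exit 1
fi

try rm -rf out
try mkdir out

# openssl ca keeps its issued-serial counter and its certificate index in
# these two files. The counter starts at 01, so the leaf certs issued below
# receive serials 1, 2, 3, 4 in command order; the CRLSet section at the
# bottom depends on that numbering.
try /bin/sh -c "echo 01 > out/2048-sha256-root-serial"
try touch out/2048-sha256-root-index.txt

# Generate the key
try openssl genrsa -out out/2048-sha256-root.key 2048

# Generate the root certificate. CA_COMMON_NAME is placed in the environment
# of the openssl call (via the assignment prefix on try) for ca.cnf to read.
CA_COMMON_NAME="Test Root CA" \
  try openssl req \
    -new \
    -key out/2048-sha256-root.key \
    -out out/2048-sha256-root.req \
    -config ca.cnf

# Self-sign the request with the root key; -extensions ca_cert selects the
# CA extension section of ca.cnf.
CA_COMMON_NAME="Test Root CA" \
  try openssl x509 \
    -req -days 3650 \
    -in out/2048-sha256-root.req \
    -out out/2048-sha256-root.pem \
    -signkey out/2048-sha256-root.key \
    -extfile ca.cnf \
    -extensions ca_cert \
    -text

# Generate the leaf certificate requests (-new with -keyout and no -key
# creates a fresh private key for each request).
try openssl req \
  -new \
  -keyout out/expired_cert.key \
  -out out/expired_cert.req \
  -config ee.cnf

try openssl req \
  -new \
  -keyout out/ok_cert.key \
  -out out/ok_cert.req \
  -config ee.cnf

# Generate the leaf certificates (all issued by the root via openssl ca).
# Serial 1: validity 2006-01-01 .. 2007-01-01, i.e. already expired.
CA_COMMON_NAME="Test Root CA" \
  try openssl ca \
    -batch \
    -extensions user_cert \
    -startdate 060101000000Z \
    -enddate 070101000000Z \
    -in out/expired_cert.req \
    -out out/expired_cert.pem \
    -config ca.cnf

# Serial 2: a currently valid leaf.
CA_COMMON_NAME="Test Root CA" \
  try openssl ca \
    -batch \
    -extensions user_cert \
    -days 3650 \
    -in out/ok_cert.req \
    -out out/ok_cert.pem \
    -config ca.cnf

# Serials 3 and 4: re-issue ok_cert's request (same key) with the
# name_constraint_bad / name_constraint_good extension sections and an
# overridden subject. The two subjects differ only in the case of
# "certificate"; keep them as they are.
CA_COMMON_NAME="Test Root CA" \
  try openssl ca \
    -batch \
    -extensions name_constraint_bad \
    -subj "/CN=Leaf certificate/" \
    -days 3650 \
    -in out/ok_cert.req \
    -out out/name_constraint_bad.pem \
    -config ca.cnf

CA_COMMON_NAME="Test Root CA" \
  try openssl ca \
    -batch \
    -extensions name_constraint_good \
    -subj "/CN=Leaf Certificate/" \
    -days 3650 \
    -in out/ok_cert.req \
    -out out/name_constraint_good.pem \
    -config ca.cnf

# Bundle each private key with its certificate into one PEM file under
# ../certificates/. The name_constraint_* certs share ok_cert's key because
# they were issued from ok_cert's request.
try /bin/sh -c "cat out/ok_cert.key out/ok_cert.pem \
  > ../certificates/ok_cert.pem"
try /bin/sh -c "cat out/expired_cert.key out/expired_cert.pem \
  > ../certificates/expired_cert.pem"
try /bin/sh -c "cat out/2048-sha256-root.key out/2048-sha256-root.pem \
  > ../certificates/root_ca_cert.pem"
try /bin/sh -c "cat out/ok_cert.key out/name_constraint_bad.pem \
  > ../certificates/name_constraint_bad.pem"
try /bin/sh -c "cat out/ok_cert.key out/name_constraint_good.pem \
  > ../certificates/name_constraint_good.pem"

# Now generate the one-off certs (each self-signed with a fresh 2048-bit
# RSA key; -text appends a human-readable dump to the PEM).
## SHA-256 general test cert
# NOTE(review): unlike the other one-off certs this one is written to the
# current directory rather than ../certificates/ -- confirm that is intended.
try openssl req -x509 -days 3650 \
  -config ../scripts/ee.cnf -newkey rsa:2048 -text \
  -sha256 \
  -out sha256.pem

## Self-signed cert for SPDY/QUIC/HTTP2 pooling testing
try openssl req -x509 -days 3650 -extensions req_spdy_pooling \
  -config ../scripts/ee.cnf -newkey rsa:2048 -text \
  -out ../certificates/spdy_pooling.pem

## SubjectAltName parsing
try openssl req -x509 -days 3650 -extensions req_san_sanity \
  -config ../scripts/ee.cnf -newkey rsa:2048 -text \
  -out ../certificates/subjectAltName_sanity_check.pem

## Punycode handling
SUBJECT_NAME="req_punycode_dn" \
  try openssl req -x509 -days 3650 -extensions req_punycode \
    -config ../scripts/ee.cnf -newkey rsa:2048 -text \
    -out ../certificates/punycodetest.pem

# Regenerate CRLSets. crlsetutil.py reads its specification from stdin.
## Block a leaf cert directly by SPKI
try python crlsetutil.py -o ../certificates/crlset_by_leaf_spki.raw \
  <<CRLBYLEAFSPKI
{
  "BlockedBySPKI": ["../certificates/ok_cert.pem"]
}
CRLBYLEAFSPKI

## Block a leaf cert by issuer-hash-and-serial (ok_cert.pem == serial 2, by
## virtue of the serial file and ordering above).
try python crlsetutil.py -o ../certificates/crlset_by_root_serial.raw \
  <<CRLBYROOTSERIAL
{
  "BlockedByHash": {
    "../certificates/root_ca_cert.pem": [2]
  }
}
CRLBYROOTSERIAL

## Block a leaf cert by issuer-hash-and-serial. However, this will be issued
## from an intermediate CA issued underneath a root.
## NOTE(review): quic_intermediate.crt is not produced by this script; it
## must already be present in ../certificates/.
try python crlsetutil.py -o ../certificates/crlset_by_intermediate_serial.raw \
  <<CRLSETBYINTERMEDIATESERIAL
{
  "BlockedByHash": {
    "../certificates/quic_intermediate.crt": [3]
  }
}
CRLSETBYINTERMEDIATESERIAL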