      1 #!/bin/sh
      3 # Copyright 2013 The Chromium Authors. All rights reserved.
      4 # Use of this source code is governed by a BSD-style license that can be
      5 # found in the LICENSE file.
      7 # This script generates a set of test (end-entity, intermediate, root)
      8 # certificates that can be used to test fetching of an intermediate via AIA.
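#######################################
# Print a command line, run it, and abort the whole script if it fails.
# The script uses this instead of `set -e` so that every step is both logged
# and checked. Callers also prefix it with environment assignments
# (CA_COMMON_NAME=... try openssl ...) that the openssl config files read;
# POSIX leaves that construct unspecified for functions, but bash and dash
# both make the variable visible to the child process.
# Arguments: the command and its arguments
# Outputs:   the command line on stdout before it runs; on failure a
#            diagnostic on stderr
# Returns:   0 on success; does not return on failure (exits with status 1)
#######################################
try() {
  # printf instead of echo: under /bin/sh, echo may treat a leading -n/-e or
  # backslash sequences in the arguments as options/escapes instead of text.
  printf '%s\n' "$*"
  if ! "$@"; then
    printf 'failed: %s\n' "$*" >&2
    exit 1
  fi
}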
     15 try rm -rf out
     16 try mkdir out
     17 
     18 try /bin/sh -c "echo 01 > out/2048-sha256-root-serial"
     19 touch out/2048-sha256-root-index.txt
     20 
     21 # Generate the key
     22 try openssl genrsa -out out/2048-sha256-root.key 2048
     23 
     24 # Generate the root certificate
     25 CA_COMMON_NAME="Test Root CA" \
     26   try openssl req \
     27     -new \
     28     -key out/2048-sha256-root.key \
     29     -out out/2048-sha256-root.req \
     30     -config ca.cnf
     31 
     32 CA_COMMON_NAME="Test Root CA" \
     33   try openssl x509 \
     34     -req -days 3650 \
     35     -in out/2048-sha256-root.req \
     36     -out out/2048-sha256-root.pem \
     37     -signkey out/2048-sha256-root.key \
     38     -extfile ca.cnf \
     39     -extensions ca_cert \
     40     -text
     41 
     42 # Generate the leaf certificate requests
     43 try openssl req \
     44   -new \
     45   -keyout out/expired_cert.key \
     46   -out out/expired_cert.req \
     47   -config ee.cnf
     48 
     49 try openssl req \
     50   -new \
     51   -keyout out/ok_cert.key \
     52   -out out/ok_cert.req \
     53   -config ee.cnf
     54 
     55 # Generate the leaf certificates
     56 CA_COMMON_NAME="Test Root CA" \
     57   try openssl ca \
     58     -batch \
     59     -extensions user_cert \
     60     -startdate 060101000000Z \
     61     -enddate 070101000000Z \
     62     -in out/expired_cert.req \
     63     -out out/expired_cert.pem \
     64     -config ca.cnf
     65 
     66 CA_COMMON_NAME="Test Root CA" \
     67   try openssl ca \
     68     -batch \
     69     -extensions user_cert \
     70     -days 3650 \
     71     -in out/ok_cert.req \
     72     -out out/ok_cert.pem \
     73     -config ca.cnf
     74 
     75 CA_COMMON_NAME="Test Root CA" \
     76   try openssl ca \
     77     -batch \
     78     -extensions name_constraint_bad \
     79     -subj "/CN=Leaf certificate/" \
     80     -days 3650 \
     81     -in out/ok_cert.req \
     82     -out out/name_constraint_bad.pem \
     83     -config ca.cnf
     84 
     85 CA_COMMON_NAME="Test Root CA" \
     86   try openssl ca \
     87     -batch \
     88     -extensions name_constraint_good \
     89     -subj "/CN=Leaf Certificate/" \
     90     -days 3650 \
     91     -in out/ok_cert.req \
     92     -out out/name_constraint_good.pem \
     93     -config ca.cnf
     94 
     95 try /bin/sh -c "cat out/ok_cert.key out/ok_cert.pem \
     96     > ../certificates/ok_cert.pem"
     97 try /bin/sh -c "cat out/expired_cert.key out/expired_cert.pem \
     98     > ../certificates/expired_cert.pem"
     99 try /bin/sh -c "cat out/2048-sha256-root.key out/2048-sha256-root.pem \
    100     > ../certificates/root_ca_cert.pem"
    101 try /bin/sh -c "cat out/ok_cert.key out/name_constraint_bad.pem \
    102     > ../certificates/name_constraint_bad.pem"
    103 try /bin/sh -c "cat out/ok_cert.key out/name_constraint_good.pem \
    104     > ../certificates/name_constraint_good.pem"
    105 
    106 # Now generate the one-off certs
    107 ## SHA-256 general test cert
    108 try openssl req -x509 -days 3650 \
    109     -config ../scripts/ee.cnf -newkey rsa:2048 -text \
    110     -sha256 \
    111     -out sha256.pem
    112 
    113 ## Self-signed cert for SPDY/QUIC/HTTP2 pooling testing
    114 try openssl req -x509 -days 3650 -extensions req_spdy_pooling \
    115     -config ../scripts/ee.cnf -newkey rsa:2048 -text \
    116     -out ../certificates/spdy_pooling.pem
    117 
    118 ## SubjectAltName parsing
    119 try openssl req -x509 -days 3650 -extensions req_san_sanity \
    120     -config ../scripts/ee.cnf -newkey rsa:2048 -text \
    121     -out ../certificates/subjectAltName_sanity_check.pem
    122 
    123 ## Punycode handling
    124 SUBJECT_NAME="req_punycode_dn" \
    125   try openssl req -x509 -days 3650 -extensions req_punycode \
    126     -config ../scripts/ee.cnf -newkey rsa:2048 -text \
    127      -out ../certificates/punycodetest.pem
    128 
    129 # Regenerate CRLSets
    130 ## Block a leaf cert directly by SPKI
    131 try python crlsetutil.py -o ../certificates/crlset_by_leaf_spki.raw \
    132 <<CRLBYLEAFSPKI
    133 {
    134   "BlockedBySPKI": ["../certificates/ok_cert.pem"]
    135 }
    136 CRLBYLEAFSPKI
    137 
    138 ## Block a leaf cert by issuer-hash-and-serial (ok_cert.pem == serial 2, by
    139 ## virtue of the serial file and ordering above.
    140 try python crlsetutil.py -o ../certificates/crlset_by_root_serial.raw \
    141 <<CRLBYROOTSERIAL
    142 {
    143   "BlockedByHash": {
    144     "../certificates/root_ca_cert.pem": [2]
    145   }
    146 }
    147 CRLBYROOTSERIAL
    148 
    149 ## Block a leaf cert by issuer-hash-and-serial. However, this will be issued
    150 ## from an intermediate CA issued underneath a root.
    151 try python crlsetutil.py -o ../certificates/crlset_by_intermediate_serial.raw \
    152 <<CRLSETBYINTERMEDIATESERIAL
    153 {
    154   "BlockedByHash": {
    155     "../certificates/quic_intermediate.crt": [3]
    156   }
    157 }
    158 CRLSETBYINTERMEDIATESERIAL