1 #!/bin/sh 2 3 # Copyright 2014 The Chromium Authors. All rights reserved. 4 # Use of this source code is governed by a BSD-style license that can be 5 # found in the LICENSE file. 6 7 # This script generates two chains of test certificates: 8 # 9 # 1. A (end-entity) -> B -> C -> D (self-signed root) 10 # 2. A (end-entity) -> B -> C2 -> E (self-signed root) 11 # 12 # C and C2 have the same subject and keypair. 13 # 14 # We use these cert chains in CertVerifyProcChromeOSTest 15 # to ensure that multiple verification paths are properly handled. 16 17 try () { 18 echo "$@" 19 "$@" || exit 1 20 } 21 22 try rm -rf out 23 try mkdir out 24 25 echo Create the serial number files. 26 serial=1000 27 for i in B C C2 D E 28 do 29 try /bin/sh -c "echo $serial > out/$i-serial" 30 serial=$(expr $serial + 1) 31 done 32 33 echo Generate the keys. 34 try openssl genrsa -out out/A.key 2048 35 try openssl genrsa -out out/B.key 2048 36 try openssl genrsa -out out/C.key 2048 37 try openssl genrsa -out out/D.key 2048 38 try openssl genrsa -out out/E.key 2048 39 40 echo Generate the D CSR. 41 CA_COMMON_NAME="D Root CA" \ 42 CERTIFICATE=D \ 43 try openssl req \ 44 -new \ 45 -key out/D.key \ 46 -out out/D.csr \ 47 -config redundant-ca.cnf 48 49 echo D signs itself. 50 CA_COMMON_NAME="D Root CA" \ 51 try openssl x509 \ 52 -req -days 3650 \ 53 -in out/D.csr \ 54 -extensions ca_cert \ 55 -extfile redundant-ca.cnf \ 56 -signkey out/D.key \ 57 -out out/D.pem \ 58 -text 59 60 echo Generate the E CSR. 61 CA_COMMON_NAME="E Root CA" \ 62 CERTIFICATE=E \ 63 try openssl req \ 64 -new \ 65 -key out/E.key \ 66 -out out/E.csr \ 67 -config redundant-ca.cnf 68 69 echo E signs itself. 70 CA_COMMON_NAME="E Root CA" \ 71 try openssl x509 \ 72 -req -days 3650 \ 73 -in out/E.csr \ 74 -extensions ca_cert \ 75 -extfile redundant-ca.cnf \ 76 -signkey out/E.key \ 77 -out out/E.pem \ 78 -text 79 80 echo Generate the C2 intermediary CSR. 81 CA_COMMON_NAME="C CA" \ 82 CERTIFICATE=C2 \ 83 try openssl req \ 84 -new \ 85 -key out/C.key \ 86 -out out/C2.csr \ 87 -config redundant-ca.cnf 88 89 echo Generate the B and C intermediaries\' CSRs. 90 for i in B C 91 do 92 CA_COMMON_NAME="$i CA" \ 93 CERTIFICATE="$i" \ 94 try openssl req \ 95 -new \ 96 -key "out/$i.key" \ 97 -out "out/$i.csr" \ 98 -config redundant-ca.cnf 99 done 100 101 echo D signs the C intermediate. 102 # Make sure the signer's DB file exists. 103 touch out/D-index.txt 104 CA_COMMON_NAME="D Root CA" \ 105 CERTIFICATE=D \ 106 try openssl ca \ 107 -batch \ 108 -extensions ca_cert \ 109 -in out/C.csr \ 110 -out out/C.pem \ 111 -config redundant-ca.cnf 112 113 echo E signs the C2 intermediate. 114 # Make sure the signer's DB file exists. 115 touch out/E-index.txt 116 CA_COMMON_NAME="E Root CA" \ 117 CERTIFICATE=E \ 118 try openssl ca \ 119 -batch \ 120 -extensions ca_cert \ 121 -in out/C2.csr \ 122 -out out/C2.pem \ 123 -config redundant-ca.cnf 124 125 echo C signs the B intermediate. 126 touch out/C-index.txt 127 CA_COMMON_NAME="C CA" \ 128 CERTIFICATE=C \ 129 try openssl ca \ 130 -batch \ 131 -extensions ca_cert \ 132 -in out/B.csr \ 133 -out out/B.pem \ 134 -config redundant-ca.cnf 135 136 echo Generate the A end-entity CSR. 137 try openssl req \ 138 -new \ 139 -key out/A.key \ 140 -out out/A.csr \ 141 -config ee.cnf 142 143 echo B signs A. 144 touch out/B-index.txt 145 CA_COMMON_NAME="B CA" \ 146 CERTIFICATE=B \ 147 try openssl ca \ 148 -batch \ 149 -extensions user_cert \ 150 -in out/A.csr \ 151 -out out/A.pem \ 152 -config redundant-ca.cnf 153 154 echo Create multi-root-chain1.pem 155 try /bin/sh -c "cat out/A.key out/A.pem out/B.pem out/C.pem out/D.pem \ 156 > ../certificates/multi-root-chain1.pem" 157 158 echo Create multi-root-chain2.pem 159 try /bin/sh -c "cat out/A.key out/A.pem out/B.pem out/C2.pem out/E.pem \ 160 > ../certificates/multi-root-chain2.pem" 161 162