blob: 24eadf108552a1bde2e64fc6ecd8cc22a5d1d269 [file] [log] [blame]
#!/bin/sh
# Copyright 2013 The Chromium Authors. All rights reserved.
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.
# This script generates a set of test (end-entity, intermediate, root)
# certificates that can be used to test fetching of an intermediate via AIA.
try() {
echo "$@"
"$@" || exit 1
}
try rm -rf out
try mkdir out
try /bin/sh -c "echo 01 > out/2048-sha256-root-serial"
touch out/2048-sha256-root-index.txt
# Generate the key
try openssl genrsa -out out/2048-sha256-root.key 2048
# Generate the root certificate
CA_COMMON_NAME="Test Root CA" \
try openssl req \
-new \
-key out/2048-sha256-root.key \
-out out/2048-sha256-root.req \
-config ca.cnf
CA_COMMON_NAME="Test Root CA" \
try openssl x509 \
-req -days 3650 \
-in out/2048-sha256-root.req \
-out out/2048-sha256-root.pem \
-signkey out/2048-sha256-root.key \
-extfile ca.cnf \
-extensions ca_cert \
-text
# Generate the leaf certificate requests
try openssl req \
-new \
-keyout out/expired_cert.key \
-out out/expired_cert.req \
-config ee.cnf
try openssl req \
-new \
-keyout out/ok_cert.key \
-out out/ok_cert.req \
-config ee.cnf
# Generate the leaf certificates
CA_COMMON_NAME="Test Root CA" \
try openssl ca \
-batch \
-extensions user_cert \
-startdate 060101000000Z \
-enddate 070101000000Z \
-in out/expired_cert.req \
-out out/expired_cert.pem \
-config ca.cnf
CA_COMMON_NAME="Test Root CA" \
try openssl ca \
-batch \
-extensions user_cert \
-days 3650 \
-in out/ok_cert.req \
-out out/ok_cert.pem \
-config ca.cnf
CA_COMMON_NAME="Test Root CA" \
try openssl ca \
-batch \
-extensions name_constraint_bad \
-subj "/CN=Leaf certificate/" \
-days 3650 \
-in out/ok_cert.req \
-out out/name_constraint_bad.pem \
-config ca.cnf
CA_COMMON_NAME="Test Root CA" \
try openssl ca \
-batch \
-extensions name_constraint_good \
-subj "/CN=Leaf Certificate/" \
-days 3650 \
-in out/ok_cert.req \
-out out/name_constraint_good.pem \
-config ca.cnf
try /bin/sh -c "cat out/ok_cert.key out/ok_cert.pem \
> ../certificates/ok_cert.pem"
try /bin/sh -c "cat out/expired_cert.key out/expired_cert.pem \
> ../certificates/expired_cert.pem"
try /bin/sh -c "cat out/2048-sha256-root.key out/2048-sha256-root.pem \
> ../certificates/root_ca_cert.pem"
try /bin/sh -c "cat out/ok_cert.key out/name_constraint_bad.pem \
> ../certificates/name_constraint_bad.pem"
try /bin/sh -c "cat out/ok_cert.key out/name_constraint_good.pem \
> ../certificates/name_constraint_good.pem"
# Now generate the one-off certs
## SHA-256 general test cert
try openssl req -x509 -days 3650 \
-config ../scripts/ee.cnf -newkey rsa:2048 -text \
-sha256 \
-out sha256.pem
## Self-signed cert for SPDY/QUIC/HTTP2 pooling testing
try openssl req -x509 -days 3650 -extensions req_spdy_pooling \
-config ../scripts/ee.cnf -newkey rsa:2048 -text \
-out ../certificates/spdy_pooling.pem
## SubjectAltName parsing
try openssl req -x509 -days 3650 -extensions req_san_sanity \
-config ../scripts/ee.cnf -newkey rsa:2048 -text \
-out ../certificates/subjectAltName_sanity_check.pem
## Punycode handling
SUBJECT_NAME="req_punycode_dn" \
try openssl req -x509 -days 3650 -extensions req_punycode \
-config ../scripts/ee.cnf -newkey rsa:2048 -text \
-out ../certificates/punycodetest.pem
## Reject intranet hostnames in "publicly" trusted certs
# 365 * 3 = 1095
SUBJECT_NAME="req_dn" \
try openssl req -x509 -days 1095 \
-config ../scripts/ee.cnf -newkey rsa:2048 -text \
-out ../certificates/reject_intranet_hosts.pem
## Validity too long unit test support.
try openssl req -config ../scripts/ee.cnf \
-newkey rsa:2048 -text -out ../certificates/10_year_validity.req
CA_COMMON_NAME="Test Root CA" \
try openssl ca \
-batch \
-extensions user_cert \
-startdate 081030000000Z \
-enddate 181029000000Z \
-in ../certificates/10_year_validity.req \
-out ../certificates/10_year_validity.pem \
-config ca.cnf
# 365 * 11 = 4015
try openssl req -config ../scripts/ee.cnf \
-newkey rsa:2048 -text -out ../certificates/11_year_validity.req
CA_COMMON_NAME="Test Root CA" \
try openssl ca \
-batch \
-extensions user_cert \
-startdate 141030000000Z \
-days 4015 \
-in ../certificates/11_year_validity.req \
-out ../certificates/11_year_validity.pem \
-config ca.cnf
try openssl req -config ../scripts/ee.cnf \
-newkey rsa:2048 -text -out ../certificates/39_months_after_2015_04.req
CA_COMMON_NAME="Test Root CA" \
try openssl ca \
-batch \
-extensions user_cert \
-startdate 150402000000Z \
-enddate 180702000000Z \
-in ../certificates/39_months_after_2015_04.req \
-out ../certificates/39_months_after_2015_04.pem \
-config ca.cnf
try openssl req -config ../scripts/ee.cnf \
-newkey rsa:2048 -text -out ../certificates/40_months_after_2015_04.req
CA_COMMON_NAME="Test Root CA" \
try openssl ca \
-batch \
-extensions user_cert \
-startdate 150402000000Z \
-enddate 180801000000Z \
-in ../certificates/40_months_after_2015_04.req \
-out ../certificates/40_months_after_2015_04.pem \
-config ca.cnf
try openssl req -config ../scripts/ee.cnf \
-newkey rsa:2048 -text -out ../certificates/60_months_after_2012_07.req
CA_COMMON_NAME="Test Root CA" \
try openssl ca \
-batch \
-extensions user_cert \
-startdate 141030000000Z \
-enddate 190930000000Z \
-in ../certificates/60_months_after_2012_07.req \
-out ../certificates/60_months_after_2012_07.pem \
-config ca.cnf
try openssl req -config ../scripts/ee.cnf \
-newkey rsa:2048 -text -out ../certificates/61_months_after_2012_07.req
# 30 * 61 = 1830
CA_COMMON_NAME="Test Root CA" \
try openssl ca \
-batch \
-extensions user_cert \
-startdate 141030000000Z \
-days 1830 \
-in ../certificates/61_months_after_2012_07.req \
-out ../certificates/61_months_after_2012_07.pem \
-config ca.cnf
# start date after expiry date
try openssl req -config ../scripts/ee.cnf \
-newkey rsa:2048 -text -out ../certificates/start_after_expiry.req
CA_COMMON_NAME="Test Root CA" \
try openssl ca \
-batch \
-extensions user_cert \
-startdate 180901000000Z \
-enddate 150402000000Z \
-in ../certificates/start_after_expiry.req \
-out ../certificates/start_after_expiry.pem \
-config ca.cnf
try openssl req -config ../scripts/ee.cnf \
-newkey rsa:2048 -text -out ../certificates/start_after_expiry.req
# Issued pre-BRs, lifetime < 120 months, expires before 2019-07-01
try openssl req -config ../scripts/ee.cnf \
-newkey rsa:2048 -text -out ../certificates/pre_br_validity_ok.req
CA_COMMON_NAME="Test Root CA" \
try openssl ca \
-batch \
-extensions user_cert \
-startdate 080101000000Z \
-enddate 150101000000Z \
-in ../certificates/pre_br_validity_ok.req \
-out ../certificates/pre_br_validity_ok.pem \
-config ca.cnf
try openssl req -config ../scripts/ee.cnf \
-newkey rsa:2048 -text -out ../certificates/pre_br_validity_ok.req
# Issued pre-BRs, lifetime > 120 months, expires before 2019-07-01
try openssl req -config ../scripts/ee.cnf \
-newkey rsa:2048 -text -out ../certificates/pre_br_validity_bad_121.req
CA_COMMON_NAME="Test Root CA" \
try openssl ca \
-batch \
-extensions user_cert \
-startdate 080101000000Z \
-enddate 180501000000Z \
-in ../certificates/pre_br_validity_bad_121.req \
-out ../certificates/pre_br_validity_bad_121.pem \
-config ca.cnf
try openssl req -config ../scripts/ee.cnf \
-newkey rsa:2048 -text -out ../certificates/pre_br_validity_bad_121.req
# Issued pre-BRs, lifetime < 120 months, expires after 2019-07-01
try openssl req -config ../scripts/ee.cnf \
-newkey rsa:2048 -text -out ../certificates/pre_br_validity_bad_2020.req
CA_COMMON_NAME="Test Root CA" \
try openssl ca \
-batch \
-extensions user_cert \
-startdate 120501000000Z \
-enddate 190703000000Z \
-in ../certificates/pre_br_validity_bad_2020.req \
-out ../certificates/pre_br_validity_bad_2020.pem \
-config ca.cnf
try openssl req -config ../scripts/ee.cnf \
-newkey rsa:2048 -text -out ../certificates/pre_br_validity_bad_2020.req
# Regenerate CRLSets
## Block a leaf cert directly by SPKI
try python crlsetutil.py -o ../certificates/crlset_by_leaf_spki.raw \
<<CRLBYLEAFSPKI
{
"BlockedBySPKI": ["../certificates/ok_cert.pem"]
}
CRLBYLEAFSPKI
## Block a leaf cert by issuer-hash-and-serial (ok_cert.pem == serial 2, by
## virtue of the serial file and ordering above.
try python crlsetutil.py -o ../certificates/crlset_by_root_serial.raw \
<<CRLBYROOTSERIAL
{
"BlockedByHash": {
"../certificates/root_ca_cert.pem": [2]
}
}
CRLBYROOTSERIAL
## Block a leaf cert by issuer-hash-and-serial. However, this will be issued
## from an intermediate CA issued underneath a root.
try python crlsetutil.py -o ../certificates/crlset_by_intermediate_serial.raw \
<<CRLSETBYINTERMEDIATESERIAL
{
"BlockedByHash": {
"../certificates/quic_intermediate.crt": [3]
}
}
CRLSETBYINTERMEDIATESERIAL