| #!/bin/bash |
| |
| # Copyright 2016 The Chromium Authors |
| # Use of this source code is governed by a BSD-style license that can be |
| # found in the LICENSE file. |
| |
| # This script generates self-signed-invalid-name.pem and |
| # self-signed-invalid-sig.pem, which are "self-signed" test certificates with |
| # invalid names/signatures, respectively. |
| set -e |
| |
| rm -rf out |
| mkdir out |
| |
| openssl genrsa -out out/bad-self-signed.key 2048 |
| touch out/bad-self-signed-index.txt |
| |
| # Create two certificate requests with the same key, but different subjects |
| SUBJECT_NAME="req_self_signed_a" \ |
| openssl req \ |
| -new \ |
| -key out/bad-self-signed.key \ |
| -out out/ss-a.req \ |
| -config ee.cnf |
| |
| SUBJECT_NAME="req_self_signed_b" \ |
| openssl req \ |
| -new \ |
| -key out/bad-self-signed.key \ |
| -out out/ss-b.req \ |
| -config ee.cnf |
| |
| # Create a normal self-signed certificate from one of these requests |
| openssl x509 \ |
| -req \ |
| -in out/ss-a.req \ |
| -out out/bad-self-signed-root-a.pem \ |
| -signkey out/bad-self-signed.key \ |
| -days 3650 |
| |
| # To invalidate the signature without changing names, replace two bytes from the |
| # end of the certificate with 0xdead. |
| openssl x509 -in out/bad-self-signed-root-a.pem -outform DER \ |
| | head -c -2 \ |
| > out/bad-sig.der.1 |
| echo -n -e "\xde\xad" > out/bad-sig.der.2 |
| cat out/bad-sig.der.1 out/bad-sig.der.2 \ |
| | openssl x509 \ |
| -inform DER \ |
| -outform PEM \ |
| -out out/cert-self-signed-invalid-sig.pem |
| |
| openssl x509 \ |
| -text \ |
| -noout \ |
| -in out/cert-self-signed-invalid-sig.pem \ |
| > out/self-signed-invalid-sig.pem |
| cat out/cert-self-signed-invalid-sig.pem >> out/self-signed-invalid-sig.pem |
| |
| # Make a "self-signed" certificate with mismatched names |
| openssl x509 \ |
| -req \ |
| -in out/ss-b.req \ |
| -out out/cert-self-signed-invalid-name.pem \ |
| -days 3650 \ |
| -CA out/bad-self-signed-root-a.pem \ |
| -CAkey out/bad-self-signed.key \ |
| -CAserial out/bad-self-signed-serial.txt \ |
| -CAcreateserial |
| |
| openssl x509 \ |
| -text \ |
| -noout \ |
| -in out/cert-self-signed-invalid-name.pem \ |
| > out/self-signed-invalid-name.pem |
| cat out/cert-self-signed-invalid-name.pem >> out/self-signed-invalid-name.pem |
| |