content/test/data/sxg/generate-test-certs.sh - chromium/src - Git at Google

 #!/bin/sh

 # Copyright 2018 The Chromium Authors. All rights reserved.
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.

 set -e

 dumpSPKIHash() {
   openssl x509 -noout -pubkey -in $1 | \
       openssl pkey -pubin -outform der | \
       openssl dgst -sha256 -binary | \
       base64
 }

 rm -rf out
 mkdir out
 /bin/sh -c "echo 01 > out/serial"
 touch out/index.txt

 # Generate a "secp256r1 (== prime256v1) ecdsa with sha256" key/cert pair
 openssl ecparam -out prime256v1.key -name prime256v1 -genkey

 openssl req -new -sha256 -key prime256v1.key -out prime256v1-sha256.csr \
   -subj '/CN=test.example.org/O=Test/C=US'

 # Generate a certificate. This will be rejected after 2019-08-01, because
 # the validity period is more than 90 days.
 openssl ca -batch \
   -config ca.cnf \
   -extensions sxg_cert \
   -startdate 190101000000Z \
   -enddate   200101000000Z \
   -in  prime256v1-sha256.csr \
   -out prime256v1-sha256.public.pem

 # Generate a certificate without CanSignHttpExchangesDraft extension.
 openssl ca -batch \
   -config ca.cnf \
   -startdate 190101000000Z \
   -enddate   200101000000Z \
   -in  prime256v1-sha256.csr \
   -out prime256v1-sha256-noext.public.pem

 # Generate a certificate whose validity period starts at 2019-05-01 and
 # valid for 91 days.
 openssl ca -batch \
   -config ca.cnf \
   -extensions sxg_cert \
   -startdate 190501000000Z \
   -enddate   190731000000Z \
   -in  prime256v1-sha256.csr \
   -out prime256v1-sha256-validity-too-long.public.pem

 # Generate a certificate whose validity period starts at 2019-06-01 and
 # valid for 90 days.
 openssl ca -batch \
   -config ca.cnf \
   -extensions sxg_cert \
   -startdate 190601000000Z \
   -enddate   190830000000Z \
   -in  prime256v1-sha256.csr \
   -out prime256v1-sha256-valid-for-90-days.public.pem

 # Generate a "secp384r1 ecdsa with sha256" key/cert pair for negative test
 openssl ecparam -out secp384r1.key -name secp384r1 -genkey

 openssl req -new -sha256 -key secp384r1.key -out secp384r1-sha256.csr \
   --subj '/CN=test.example.org/O=Test/C=US'

 # Generate a certificate with the secp384r1-sha256 key.
 openssl ca -batch \
   -config ca.cnf \
   -extensions sxg_cert \
   -startdate 190101000000Z \
   -enddate   200101000000Z \
   -in  secp384r1-sha256.csr \
   -out secp384r1-sha256.public.pem

 echo
 echo "Update the test certs in signed_exchange_signature_verifier_unittest.cc"
 echo "with the followings:"
 echo "===="

 echo 'constexpr char kCertPEMECDSAP256[] = R"('
 cat ./prime256v1-sha256.public.pem
 echo ')";'
 echo 'constexpr char kCertPEMECDSAP384[] = R"('
 cat ./secp384r1-sha256.public.pem
 echo ')";'

 echo "constexpr char kPEMECDSAP256SPKIHash = "
 echo "    \"$(dumpSPKIHash ./prime256v1-sha256.public.pem)\";"
 echo "constexpr char kPEMECDSAP384SPKIHash = "
 echo "    \"$(dumpSPKIHash ./secp384r1-sha256.public.pem)\";"

 echo "===="
	#!/bin/sh

	# Copyright 2018 The Chromium Authors. All rights reserved.
	# Use of this source code is governed by a BSD-style license that can be
	# found in the LICENSE file.

	set -e

	dumpSPKIHash() {
	openssl x509 -noout -pubkey -in $1 \| \
	openssl pkey -pubin -outform der \| \
	openssl dgst -sha256 -binary \| \
	base64
	}

	rm -rf out
	mkdir out
	/bin/sh -c "echo 01 > out/serial"
	touch out/index.txt

	# Generate a "secp256r1 (== prime256v1) ecdsa with sha256" key/cert pair
	openssl ecparam -out prime256v1.key -name prime256v1 -genkey

	openssl req -new -sha256 -key prime256v1.key -out prime256v1-sha256.csr \
	-subj '/CN=test.example.org/O=Test/C=US'

	# Generate a certificate. This will be rejected after 2019-08-01, because
	# the validity period is more than 90 days.
	openssl ca -batch \
	-config ca.cnf \
	-extensions sxg_cert \
	-startdate 190101000000Z \
	-enddate 200101000000Z \
	-in prime256v1-sha256.csr \
	-out prime256v1-sha256.public.pem

	# Generate a certificate without CanSignHttpExchangesDraft extension.
	openssl ca -batch \
	-config ca.cnf \
	-startdate 190101000000Z \
	-enddate 200101000000Z \
	-in prime256v1-sha256.csr \
	-out prime256v1-sha256-noext.public.pem

	# Generate a certificate whose validity period starts at 2019-05-01 and
	# valid for 91 days.
	openssl ca -batch \
	-config ca.cnf \
	-extensions sxg_cert \
	-startdate 190501000000Z \
	-enddate 190731000000Z \
	-in prime256v1-sha256.csr \
	-out prime256v1-sha256-validity-too-long.public.pem

	# Generate a certificate whose validity period starts at 2019-06-01 and
	# valid for 90 days.
	openssl ca -batch \
	-config ca.cnf \
	-extensions sxg_cert \
	-startdate 190601000000Z \
	-enddate 190830000000Z \
	-in prime256v1-sha256.csr \
	-out prime256v1-sha256-valid-for-90-days.public.pem

	# Generate a "secp384r1 ecdsa with sha256" key/cert pair for negative test
	openssl ecparam -out secp384r1.key -name secp384r1 -genkey

	openssl req -new -sha256 -key secp384r1.key -out secp384r1-sha256.csr \
	--subj '/CN=test.example.org/O=Test/C=US'

	# Generate a certificate with the secp384r1-sha256 key.
	openssl ca -batch \
	-config ca.cnf \
	-extensions sxg_cert \
	-startdate 190101000000Z \
	-enddate 200101000000Z \
	-in secp384r1-sha256.csr \
	-out secp384r1-sha256.public.pem

	echo
	echo "Update the test certs in signed_exchange_signature_verifier_unittest.cc"
	echo "with the followings:"
	echo "===="

	echo 'constexpr char kCertPEMECDSAP256[] = R"('
	cat ./prime256v1-sha256.public.pem
	echo ')";'
	echo 'constexpr char kCertPEMECDSAP384[] = R"('
	cat ./secp384r1-sha256.public.pem
	echo ')";'

	echo "constexpr char kPEMECDSAP256SPKIHash = "
	echo " \"$(dumpSPKIHash ./prime256v1-sha256.public.pem)\";"
	echo "constexpr char kPEMECDSAP384SPKIHash = "
	echo " \"$(dumpSPKIHash ./secp384r1-sha256.public.pem)\";"

	echo "===="