summaryrefslogtreecommitdiffstats
path: root/net
diff options
context:
space:
mode:
authorrsleevi <rsleevi@chromium.org>2014-09-26 15:02:53 -0700
committerCommit bot <commit-bot@chromium.org>2014-09-26 22:03:21 +0000
commit04b34e02245194b01c08cd5cfb350378797e8681 (patch)
treecc59d00fd4b7e79a3e0938e241bbfd64c0f8bb12 /net
parent2d00e9e85555a42000205dab41284bca5a28a579 (diff)
downloadchromium_src-04b34e02245194b01c08cd5cfb350378797e8681.zip
chromium_src-04b34e02245194b01c08cd5cfb350378797e8681.tar.gz
chromium_src-04b34e02245194b01c08cd5cfb350378797e8681.tar.bz2
Update test cert generation scripts to use SHA-256 by default
This cleans up the README file to clearly indicate which certificates are real world certificates, which are generated by hand / by other sources, and which are generated via script (and which script). Additionally, several test certificates that were previously generated by hand and several test CRLSets that were hardcoded are now generated automatically by the scripts. BUG=401365 Review URL: https://codereview.chromium.org/515583004 Cr-Commit-Position: refs/heads/master@{#297047}
Diffstat (limited to 'net')
-rw-r--r--net/data/ssl/certificates/README243
-rw-r--r--net/data/ssl/scripts/aia-test.cnf6
-rw-r--r--net/data/ssl/scripts/ca.cnf30
-rw-r--r--net/data/ssl/scripts/client-certs.cnf4
-rw-r--r--net/data/ssl/scripts/ee.cnf14
-rw-r--r--net/data/ssl/scripts/eku-test.cnf2
-rwxr-xr-xnet/data/ssl/scripts/generate-test-certs.sh95
-rw-r--r--net/data/ssl/scripts/policy.cnf6
-rw-r--r--net/data/ssl/scripts/redundant-ca.cnf4
9 files changed, 260 insertions, 144 deletions
diff --git a/net/data/ssl/certificates/README b/net/data/ssl/certificates/README
index a3a94c8..5d1faf2 100644
--- a/net/data/ssl/certificates/README
+++ b/net/data/ssl/certificates/README
@@ -1,6 +1,7 @@
This directory contains various certificates for use with SSL-related
unit tests.
+===== Real-world certificates that need manual updating
- google.binary.p7b
- google.chain.pem
- google.pem_cert.p7b
@@ -25,15 +26,57 @@ unit tests.
- unosoft_hu_cert : Certificate used by X509CertificateTest.UnoSoftCertParsing.
+- google_diginotar.pem
+- diginotar_public_ca_2025.pem : A certificate chain for the regression test
+ of http://crbug.com/94673
+
+- salesforce_com_test.pem
+- verisign_intermediate_ca_2011.pem
+- verisign_intermediate_ca_2016.pem : Certificates for testing two
+ X509Certificate objects that contain the same server certificate but
+ different intermediate CA certificates. The two intermediate CA
+ certificates actually represent the same intermediate CA but have
+ different validity periods.
+
+- cybertrust_gte_root.pem
+- cybertrust_baltimore_root.pem
+- cybertrust_omniroot_chain.pem
+- cybertrust_baltimore_cross_certified_1.pem
+- cybertrust_baltimore_cross_certified_2.pem
+ These certificates are reflect a portion of the CyberTrust (Verizon
+ Business) CA hierarchy. _gte_root.pem is a legacy 1024-bit root that is
+ still widely supported, while _baltimore_root.pem reflects the newer
+ 2048-bit root. For clients that only support the GTE root, two versions
+ of the Baltimore root were cross-signed by GTE, namely
+ _cross_certified_[1,2].pem. _omniroot_chain.pem contains a certificate
+ chain that was issued under the Baltimore root. Combined, these
+ certificates can be used to test real-world cross-signing; in practice,
+ they are used to test certain workarounds for OS X's chain building code.
+
+- ndn.ca.crt: "New Dream Network Certificate Authority" root certificate.
+ This is an X.509 v1 certificate that omits the version field. Used to
+ test that the certificate version gets the default value v1.
+
+- ct-test-embedded-cert.pem
+- ct-test-embedded-with-intermediate-chain.pem
+- ct-test-embedded-with-intermediate-preca-chain.pem
+- ct-test-embedded-with-preca-chain.pem
+ Test certificate chains for Certificate Transparency: Each of these
+ files contains a leaf certificate as the first certificate, which has
+ embedded SCTs, followed by the issuer certificates chain.
+ All files are from the src/test/testdada directory in
+ https://code.google.com/p/certificate-transparency/
+
+- comodo.chain.pem : A certificate chain for www.comodo.com which should be
+ recognised as EV. Expires Jun 20 2015.
+
+===== Manually generated certificates
- client.p12 : A PKCS #12 file containing a client certificate and a private
key created for testing. The password is "12345".
- client-nokey.p12 : A PKCS #12 file containing a client certificate (the same
as the one in client.p12) but no private key. The password is "12345".
-- punycodetest.der : A test self-signed server certificate with punycode name.
- The common name is "xn--wgv71a119e.com" (日本語.com)
-
- unittest.selfsigned.der : A self-signed certificate generated using private
key in unittest.key.bin. The common name is "unittest".
@@ -48,23 +91,11 @@ unit tests.
verification, regardless of the order in which the intermediate/root CA
certificates are provided.
-- google_diginotar.pem
-- diginotar_public_ca_2025.pem : A certificate chain for the regression test
- of http://crbug.com/94673
-
- test_mail_google_com.pem : A certificate signed by the test CA for
"mail.google.com". Because it is signed by that CA instead of the true CA
for that host, it will fail the
TransportSecurityState::IsChainOfPublicKeysPermitted test.
-- salesforce_com_test.pem
-- verisign_intermediate_ca_2011.pem
-- verisign_intermediate_ca_2016.pem : Certificates for testing two
- X509Certificate objects that contain the same server certificate but
- different intermediate CA certificates. The two intermediate CA
- certificates actually represent the same intermediate CA but have
- different validity periods.
-
- multivalue_rdn.pem : A regression test for http://crbug.com/101009. A
certificate with all of the AttributeTypeAndValues stored within a single
RelativeDistinguishedName, rather than one AVA per RDN as normally seen.
@@ -73,20 +104,63 @@ unit tests.
characters such as '=' and '"' that would normally be escaped when
converting a subject/issuer name to their stringized form.
+- ocsp-test-root.pem : A root certificate for the code in
+ net/tools/testserver/minica.py
+
+- websocket_cacert.pem : The testing root CA for testing WebSocket client
+ certificate authentication.
+ This file is used in SSLUITest.TestWSSClientCert.
+
+- websocket_client_cert.p12 : A PKCS #12 file containing a client certificate
+ and a private key created for WebSocket testing. The password is "".
+ This file is used in SSLUITest.TestWSSClientCert.
+
+- no_subject_common_name_cert.pem: Used to test the function that generates a
+ NSS certificate nickname for a user certificate. This certificate's Subject
+ field doesn't have a common name.
+
+- quic_intermediate.crt
+- quic_test_ecc.example.com.crt
+- quic_test.example.com.crt
+- quic_root.crt
+ These certificates are used by the ProofVerifier's unit tests of QUIC.
+
+===== From net/data/ssl/scripts/generate-test-certs.sh
+- expired_cert.pem
+- ok_cert.pem
+- root_ca_cert.pem
+ These certificates are the common certificates used by the Python test
+ server for simulating HTTPS connections.
+
+- name_constraint_bad.pem
+- name_constraint_good.pem
+ Two certificates used to test the built-in ability to restrict a root to
+ a particular namespace.
+
+- sha256.pem: Used to test the handling of SHA-256 certs on Windows.
+
+- spdy_pooling.pem : Used to test the handling of spdy IP connection pooling
+
+- subjectAltName_sanity_check.pem : Used to test the handling of various types
+ within the subjectAltName extension of a certificate.
+
+- punycodetest.pem : A test self-signed server certificate with punycode name.
+ The common name is "xn--wgv71a119e.com" (日本語.com)
+
+===== From net/data/ssl/scripts/generate-weak-test-chains.sh
- 2048-rsa-root.pem
- {768-rsa,1024-rsa,2048-rsa,prime256v1-ecdsa}-intermediate.pem
- {768-rsa,1024-rsa,2048-rsa,prime256v1-ecdsa}-ee-by-
{768-rsa,1024-rsa,2048-rsa,prime256v1-ecdsa}-intermediate.pem
- These certficates are generated by
- net/data/ssl/scripts/generate-weak-test-chains.sh and used in the
- RejectWeakKeys test in net/base/x509_certificate_unittest.cc.
+ Test certificates used to ensure that weak keys are detected and rejected
+===== From net/data/ssl/scripts/generate-cross-signed-certs.sh
- cross-signed-leaf.pem
- cross-signed-root-md5.pem
- cross-signed-root-sha1.pem
- A certificate chain for regression testing http://crbug.com/108514,
- generated via scripts/generate-cross-signed-certs.sh
+ A certificate chain for regression testing http://crbug.com/108514
+===== From net/data/ssl/scripts/generate-redundant-test-chains.sh
- redundant-validated-chain.pem
- redundant-server-chain.pem
- redundant-validated-chain-root.pem
@@ -99,59 +173,13 @@ unit tests.
26 Feb 2022 and are generated by
net/data/ssl/scripts/generate-redundant-test-chains.sh.
-- multi-root-chain1.pem
-- multi-root-chain2.pem
- Two chains, A -> B -> C -> D and A -> B -> C2 -> E (C and C2 share the
- same public key) to test that certificate validation caching does not
- interfere with the chain_verify_callback used by CertVerifyProcChromeOS.
- See CertVerifyProcChromeOSTest.
-
-- comodo.chain.pem : A certificate chain for www.comodo.com which should be
- recognised as EV. Expires Jun 21 2013.
-
-- ocsp-test-root.pem : A root certificate for the code in
- net/tools/testserver/minica.py
-
-- sha256.pem: Used to test the handling of SHA-256 certs on Windows.
- Generated by using the command:
- "openssl req -x509 -days 3650 -sha256 -newkey rsa:2048 -text \
- -config ../scripts/ee.cnf -out sha256.pem"
-
-- spdy_pooling.pem : Used to test the handling of spdy IP connection pooling
- Generated by using the command
- "openssl req -x509 -days 3650 -sha1 -extensions req_spdy_pooling \
- -config ../scripts/ee.cnf -newkey rsa:1024 -text \
- -out spdy_pooling.pem"
-
-- subjectAltName_sanity_check.pem : Used to test the handling of various types
- within the subjectAltName extension of a certificate. Generated by using
- the command
- "openssl req -x509 -days 3650 -sha1 -extensions req_san_sanity \
- -config ../scripts/ee.cnf -newkey rsa:1024 -text \
- -out subjectAltName_sanity_check.pem"
-
-- ndn.ca.crt: "New Dream Network Certificate Authority" root certificate.
- This is an X.509 v1 certificate that omits the version field. Used to
- test that the certificate version gets the default value v1.
-
-- websocket_cacert.pem : The testing root CA for testing WebSocket client
- certificate authentication.
- This file is used in SSLUITest.TestWSSClientCert.
-
-- websocket_client_cert.p12 : A PKCS #12 file containing a client certificate
- and a private key created for WebSocket testing. The password is "".
- This file is used in SSLUITest.TestWSSClientCert.
-
-- android-test-key-rsa.pem
-- android-test-key-dsa.pem
-- android-test-key-dsa-public.pem
-- android-test-key-ecdsa.pem
-- android-test-key-ecdsa-public.pem
- This is a set of test RSA/DSA/ECDSA keys used by the Android-specific
- unit test in net/android/keystore_unittest.c. They are used to verify
- that the OpenSSL-specific wrapper for platform PrivateKey objects
- works properly. See the generate-android-test-keys.sh script.
+===== From net/data/ssl/scripts/generate-policy-certs.sh
+- explicit-policy-chain.pem
+ A test certificate chain with requireExplicitPolicy field set on the
+ intermediate, with SkipCerts=0. This is used for regression testing
+ http://crbug.com/31497.
+===== From net/data/ssl/scripts/generate-client-certificates.sh
- client_1.pem
- client_1.key
- client_1.pk8
@@ -161,8 +189,7 @@ unit tests.
- client_2.pk8
- client_2_ca.pem
This is a set of files used to unit test SSL client certificate
- authentication. These are generated by
- net/data/ssl/scripts/generate-client-certificates.sh
+ authentication.
- client_1_ca.pem and client_2_ca.pem are the certificates of
two distinct signing CAs.
- client_1.pem and client_1.key correspond to the certificate and
@@ -172,6 +199,18 @@ unit tests.
- each .pk8 file contains the same key as the corresponding .key file
as PKCS#8 PrivateKeyInfo in DER encoding.
+===== From net/data/ssl/scripts/generate-android-test-key.sh
+- android-test-key-rsa.pem
+- android-test-key-dsa.pem
+- android-test-key-dsa-public.pem
+- android-test-key-ecdsa.pem
+- android-test-key-ecdsa-public.pem
+ This is a set of test RSA/DSA/ECDSA keys used by the Android-specific
+ unit test in net/android/keystore_unittest.c. They are used to verify
+ that the OpenSSL-specific wrapper for platform PrivateKey objects
+ works properly. See the generate-android-test-keys.sh script.
+
+===== From net/data/ssl/scripts/generate-bad-eku-certs.sh
- eku-test-root.pem
- non-crit-codeSigning-chain.pem
- crit-codeSigning-chain.pem
@@ -181,6 +220,15 @@ unit tests.
present). Since codeSigning is not valid for web server auth, the checks
should fail.
+===== From net/data/ssl/scripts/generate-multi-root-test-chains.sh
+- multi-root-chain1.pem
+- multi-root-chain2.pem
+ Two chains, A -> B -> C -> D and A -> B -> C2 -> E (C and C2 share the
+ same public key) to test that certificate validation caching does not
+ interfere with the chain_verify_callback used by CertVerifyProcChromeOS.
+ See CertVerifyProcChromeOSTest.
+
+===== From net/data/ssl/scripts/generate-duplicate-cn-certs.sh
- duplicate_cn_1.p12
- duplicate_cn_1.pem
- duplicate_cn_2.p12
@@ -194,6 +242,7 @@ unit tests.
both the cert and a private key, since there are multiple ways to import
certificates into NSS.
+===== From net/data/ssl/scripts/generate-aia-certs.sh
- aia-cert.pem
- aia-intermediate.der
- aia-root.pem
@@ -204,50 +253,4 @@ unit tests.
aia-intermediate.der is stored in DER form for convenience, since that is
the form expected of certificates discovered via AIA.
-- cybertrust_gte_root.pem
-- cybertrust_baltimore_root.pem
-- cybertrust_omniroot_chain.pem
-- cybertrust_baltimore_cross_certified_1.pem
-- cybertrust_baltimore_cross_certified_2.pem
- These certificates are reflect a portion of the CyberTrust (Verizon
- Business) CA hierarchy. _gte_root.pem is a legacy 1024-bit root that is
- still widely supported, while _baltimore_root.pem reflects the newer
- 2048-bit root. For clients that only support the GTE root, two versions
- of the Baltimore root were cross-signed by GTE, namely
- _cross_certified_[1,2].pem. _omniroot_chain.pem contains a certificate
- chain that was issued under the Baltimore root. Combined, these
- certificates can be used to test real-world cross-signing; in practice,
- they are used to test certain workarounds for OS X's chain building code.
-
-- no_subject_common_name_cert.pem: Used to test the function that generates a
- NSS certificate nickname for a user certificate. This certificate's Subject
- field doesn't have a common name.
-
-- expired_cert.pem
-- ok_cert.pem
-- root_ca_cert.pem
- These certificates are the common certificates used by the Python test
- server for simulating HTTPS connections. They are generated by running
- the script net/data/ssl/scripts/generate-test-certs.sh.
-
-- quic_intermediate.crt
-- quic_test_ecc.example.com.crt
-- quic_test.example.com.crt
-- quic_root.crt
- These certificates are used by the ProofVerifier's unit tests of QUIC.
-
-- explicit-policy-chain.pem
- A test certificate chain with requireExplicitPolicy field set on the
- intermediate, with SkipCerts=0. This is used for regression testing
- http://crbug.com/31497. It is generated by running the script
- net/data/ssl/scripts/generate-policy-certs.sh
-- ct-test-embedded-cert.pem
-- ct-test-embedded-with-intermediate-chain.pem
-- ct-test-embedded-with-intermediate-preca-chain.pem
-- ct-test-embedded-with-preca-chain.pem
- Test certificate chains for Certificate Transparency: Each of these
- files contains a leaf certificate as the first certificate, which has
- embedded SCTs, followed by the issuer certificates chain.
- All files are from the src/test/testdada directory in
- https://code.google.com/p/certificate-transparency/
diff --git a/net/data/ssl/scripts/aia-test.cnf b/net/data/ssl/scripts/aia-test.cnf
index f89d68a..635b033 100644
--- a/net/data/ssl/scripts/aia-test.cnf
+++ b/net/data/ssl/scripts/aia-test.cnf
@@ -9,7 +9,7 @@ preserve = yes
[CA_root]
dir = ${ENV::CA_DIR}
key_size = 2048
-algo = sha1
+algo = sha256
database = $dir/${ENV::CA_NAME}-index.txt
new_certs_dir = $dir
serial = $dir/${ENV::CA_NAME}-serial
@@ -18,7 +18,7 @@ private_key = $dir/${ENV::CA_NAME}.key
RANDFILE = $dir/.rand
default_days = 3650
default_crl_days = 30
-default_md = sha1
+default_md = sha256
policy = policy_anything
unique_subject = no
copy_extensions = copy
@@ -44,7 +44,7 @@ emailAddress = optional
[req]
default_bits = 2048
-default_md = sha1
+default_md = sha256
string_mask = utf8only
prompt = no
encrypt_key = no
diff --git a/net/data/ssl/scripts/ca.cnf b/net/data/ssl/scripts/ca.cnf
index 8a1d1e7..1b78e01 100644
--- a/net/data/ssl/scripts/ca.cnf
+++ b/net/data/ssl/scripts/ca.cnf
@@ -1,7 +1,7 @@
# Defaults in the event they're not set in the environment
CA_DIR = out
KEY_SIZE = 2048
-ALGO = sha1
+ALGO = sha256
CERT_TYPE = root
CA_NAME = req_env_dn
@@ -24,7 +24,7 @@ private_key = $dir/$type.key
RANDFILE = $dir/.rand
default_days = 3650
default_crl_days = 30
-default_md = sha1
+default_md = sha256
policy = policy_anything
unique_subject = no
copy_extensions = copy
@@ -36,6 +36,30 @@ subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
extendedKeyUsage = serverAuth,clientAuth
+[name_constraint_bad]
+# A leaf cert that will violate the root's imposed name constraints
+basicConstraints = critical, CA:false
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always
+extendedKeyUsage = serverAuth,clientAuth
+subjectAltName = @san_name_constraint_bad
+
+[name_constraint_good]
+# A leaf cert that will match the root's imposed name constraints
+basicConstraints = critical, CA:false
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always
+extendedKeyUsage = serverAuth,clientAuth
+subjectAltName = @san_name_constraint_good
+
+[san_name_constraint_bad]
+DNS.1 = test.ExAmPlE.CoM
+DNS.2 = test.ExAmPlE.OrG
+
+[san_name_constraint_good]
+DNS.1 = test.ExAmPlE.CoM
+DNS.2 = example.notarealtld
+
[ca_cert]
# Extensions to add when signing a request for an intermediate/CA cert
basicConstraints = critical, CA:true
@@ -63,7 +87,7 @@ emailAddress = optional
# than the root CA, see README to find the appropriate configuration file
# (ie: openssl_cert.cnf).
default_bits = $ENV::KEY_SIZE
-default_md = sha1
+default_md = sha256
string_mask = utf8only
prompt = no
encrypt_key = no
diff --git a/net/data/ssl/scripts/client-certs.cnf b/net/data/ssl/scripts/client-certs.cnf
index 1efa04a..044bab1 100644
--- a/net/data/ssl/scripts/client-certs.cnf
+++ b/net/data/ssl/scripts/client-certs.cnf
@@ -13,7 +13,7 @@ serial = $dir/${ENV::ID}-serial
certificate = $dir/${ENV::ID}.pem
private_key = $dir/${ENV::ID}.key
RANDFILE = $dir/rand
-default_md = sha1
+default_md = sha256
default_days = 3650
policy = policy_anything
unique_subject = no
@@ -31,7 +31,7 @@ emailAddress = optional
[req]
default_bits = 2048
-default_md = sha1
+default_md = sha256
string_mask = utf8only
prompt = no
encrypt_key = no
diff --git a/net/data/ssl/scripts/ee.cnf b/net/data/ssl/scripts/ee.cnf
index 5214f9e..fa2a89b 100644
--- a/net/data/ssl/scripts/ee.cnf
+++ b/net/data/ssl/scripts/ee.cnf
@@ -3,7 +3,7 @@ KEY_SIZE = 2048
[req]
default_bits = ${ENV::KEY_SIZE}
-default_md = sha1
+default_md = sha256
string_mask = utf8only
prompt = no
encrypt_key = no
@@ -25,9 +25,16 @@ CN = Duplicate
O = Bar
CN = Duplicate
+[req_punycode_dn]
+CN = xn--wgv71a119e.com
+
[req_extensions]
subjectAltName = IP:127.0.0.1
+[req_punycode]
+basicConstraints = critical, CA:true
+subjectAltName = @punycode_san
+
[req_san_sanity]
basicConstraints = critical, CA:true
subjectAltName = @san_sanity
@@ -50,3 +57,8 @@ CN=127.0.0.3
DNS.1 = www.example.org
DNS.2 = mail.example.org
DNS.3 = mail.example.com
+
+[punycode_san]
+DNS.1 = xn--wgv71a119e.com
+DNS.2 = *.xn--wgv71a119e.com
+DNS.3 = blahblahblahblah.com
diff --git a/net/data/ssl/scripts/eku-test.cnf b/net/data/ssl/scripts/eku-test.cnf
index 7ced049..0138bac 100644
--- a/net/data/ssl/scripts/eku-test.cnf
+++ b/net/data/ssl/scripts/eku-test.cnf
@@ -1,6 +1,6 @@
[req]
default_bits = 2048
-default_md = sha1
+default_md = sha256
string_mask = utf8only
prompt = no
encrypt_key = no
diff --git a/net/data/ssl/scripts/generate-test-certs.sh b/net/data/ssl/scripts/generate-test-certs.sh
index 6323de3..d62bb98 100755
--- a/net/data/ssl/scripts/generate-test-certs.sh
+++ b/net/data/ssl/scripts/generate-test-certs.sh
@@ -15,26 +15,26 @@ try() {
try rm -rf out
try mkdir out
-try /bin/sh -c "echo 01 > out/2048-sha1-root-serial"
-touch out/2048-sha1-root-index.txt
+try /bin/sh -c "echo 01 > out/2048-sha256-root-serial"
+touch out/2048-sha256-root-index.txt
# Generate the key
-try openssl genrsa -out out/2048-sha1-root.key 2048
+try openssl genrsa -out out/2048-sha256-root.key 2048
# Generate the root certificate
CA_COMMON_NAME="Test Root CA" \
try openssl req \
-new \
- -key out/2048-sha1-root.key \
- -out out/2048-sha1-root.req \
+ -key out/2048-sha256-root.key \
+ -out out/2048-sha256-root.req \
-config ca.cnf
CA_COMMON_NAME="Test Root CA" \
try openssl x509 \
-req -days 3650 \
- -in out/2048-sha1-root.req \
- -out out/2048-sha1-root.pem \
- -signkey out/2048-sha1-root.key \
+ -in out/2048-sha256-root.req \
+ -out out/2048-sha256-root.pem \
+ -signkey out/2048-sha256-root.key \
-extfile ca.cnf \
-extensions ca_cert \
-text
@@ -72,10 +72,87 @@ CA_COMMON_NAME="Test Root CA" \
-out out/ok_cert.pem \
-config ca.cnf
+CA_COMMON_NAME="Test Root CA" \
+ try openssl ca \
+ -batch \
+ -extensions name_constraint_bad \
+ -subj "/CN=Leaf certificate/" \
+ -days 3650 \
+ -in out/ok_cert.req \
+ -out out/name_constraint_bad.pem \
+ -config ca.cnf
+
+CA_COMMON_NAME="Test Root CA" \
+ try openssl ca \
+ -batch \
+ -extensions name_constraint_good \
+ -subj "/CN=Leaf Certificate/" \
+ -days 3650 \
+ -in out/ok_cert.req \
+ -out out/name_constraint_good.pem \
+ -config ca.cnf
+
try /bin/sh -c "cat out/ok_cert.key out/ok_cert.pem \
> ../certificates/ok_cert.pem"
try /bin/sh -c "cat out/expired_cert.key out/expired_cert.pem \
> ../certificates/expired_cert.pem"
-try /bin/sh -c "cat out/2048-sha1-root.key out/2048-sha1-root.pem \
+try /bin/sh -c "cat out/2048-sha256-root.key out/2048-sha256-root.pem \
> ../certificates/root_ca_cert.pem"
+try /bin/sh -c "cat out/ok_cert.key out/name_constraint_bad.pem \
+ > ../certificates/name_constraint_bad.pem"
+try /bin/sh -c "cat out/ok_cert.key out/name_constraint_good.pem \
+ > ../certificates/name_constraint_good.pem"
+
+# Now generate the one-off certs
+## SHA-256 general test cert
+try openssl req -x509 -days 3650 \
+ -config ../scripts/ee.cnf -newkey rsa:2048 -text \
+ -sha256 \
+ -out sha256.pem
+
+## Self-signed cert for SPDY/QUIC/HTTP2 pooling testing
+try openssl req -x509 -days 3650 -extensions req_spdy_pooling \
+ -config ../scripts/ee.cnf -newkey rsa:2048 -text \
+ -out ../certificates/spdy_pooling.pem
+
+## SubjectAltName parsing
+try openssl req -x509 -days 3650 -extensions req_san_sanity \
+ -config ../scripts/ee.cnf -newkey rsa:2048 -text \
+ -out ../certificates/subjectAltName_sanity_check.pem
+
+## Punycode handling
+SUBJECT_NAME="req_punycode_dn" \
+ try openssl req -x509 -days 3650 -extensions req_punycode \
+ -config ../scripts/ee.cnf -newkey rsa:2048 -text \
+ -out ../certificates/punycodetest.pem
+# Regenerate CRLSets
+## Block a leaf cert directly by SPKI
+try python crlsetutil.py -o ../certificates/crlset_by_leaf_spki.raw \
+<<CRLBYLEAFSPKI
+{
+ "BlockedBySPKI": ["../certificates/ok_cert.pem"]
+}
+CRLBYLEAFSPKI
+
+## Block a leaf cert by issuer-hash-and-serial (ok_cert.pem == serial 2, by
+## virtue of the serial file and ordering above.
+try python crlsetutil.py -o ../certificates/crlset_by_root_serial.raw \
+<<CRLBYROOTSERIAL
+{
+ "BlockedByHash": {
+ "../certificates/root_ca_cert.pem": [2]
+ }
+}
+CRLBYROOTSERIAL
+
+## Block a leaf cert by issuer-hash-and-serial. However, this will be issued
+## from an intermediate CA issued underneath a root.
+try python crlsetutil.py -o ../certificates/crlset_by_intermediate_serial.raw \
+<<CRLSETBYINTERMEDIATESERIAL
+{
+ "BlockedByHash": {
+ "../certificates/quic_intermediate.crt": [3]
+ }
+}
+CRLSETBYINTERMEDIATESERIAL
diff --git a/net/data/ssl/scripts/policy.cnf b/net/data/ssl/scripts/policy.cnf
index f5f1e0b..12af828 100644
--- a/net/data/ssl/scripts/policy.cnf
+++ b/net/data/ssl/scripts/policy.cnf
@@ -8,7 +8,7 @@ preserve = yes
[CA_root]
dir = ${ENV::CA_DIR}
key_size = 2048
-algo = sha1
+algo = sha256
database = $dir/${ENV::CA_NAME}-index.txt
new_certs_dir = $dir
serial = $dir/${ENV::CA_NAME}-serial
@@ -17,7 +17,7 @@ private_key = $dir/${ENV::CA_NAME}.key
RANDFILE = $dir/.rand
default_days = 3650
default_crl_days = 30
-default_md = sha1
+default_md = sha256
policy = policy_anything
unique_subject = no
copy_extensions = copy
@@ -49,7 +49,7 @@ emailAddress = optional
[req]
default_bits = 2048
-default_md = sha1
+default_md = sha256
string_mask = utf8only
prompt = no
encrypt_key = no
diff --git a/net/data/ssl/scripts/redundant-ca.cnf b/net/data/ssl/scripts/redundant-ca.cnf
index b03eb81..5707b73 100644
--- a/net/data/ssl/scripts/redundant-ca.cnf
+++ b/net/data/ssl/scripts/redundant-ca.cnf
@@ -15,7 +15,7 @@ private_key = ${dir}/${ENV::CERTIFICATE}.key
RANDFILE = ${dir}/rand
default_days = 3650
default_crl_days = 30
-default_md = sha1
+default_md = sha256
policy = policy_anything
unique_subject = no
@@ -50,7 +50,7 @@ emailAddress = optional
[req]
# The request section used to generate certificate requests.
default_bits = 2048
-default_md = sha1
+default_md = sha256
string_mask = utf8only
prompt = no
encrypt_key = no