diff options
Diffstat (limited to 'net/data/ssl/scripts/generate-multi-root-test-chains.sh')
| -rwxr-xr-x | net/data/ssl/scripts/generate-multi-root-test-chains.sh | 161 |
1 files changed, 161 insertions, 0 deletions
diff --git a/net/data/ssl/scripts/generate-multi-root-test-chains.sh b/net/data/ssl/scripts/generate-multi-root-test-chains.sh new file mode 100755 index 0000000..6f88325 --- /dev/null +++ b/net/data/ssl/scripts/generate-multi-root-test-chains.sh @@ -0,0 +1,161 @@ +#!/bin/sh + +# Copyright 2014 The Chromium Authors. All rights reserved. +# Use of this source code is governed by a BSD-style license that can be +# found in the LICENSE file. + +# This script generates two chains of test certificates: +# +# 1. A (end-entity) -> B -> C -> D (self-signed root) +# 2. A (end-entity) -> B -> C2 -> E (self-signed root) +# +# C and C2 have the same subject and keypair. +# +# We use these cert chains in CertVerifyProcChromeOSTest +# to ensure that multiple verification paths are properly handled. + +try () { + echo "$@" + "$@" || exit 1 +} + +try rm -rf out +try mkdir out + +echo Create the serial number files. +serial=1000 +for i in B C C2 D E +do + try /bin/sh -c "echo $serial > out/$i-serial" + serial=$(expr $serial + 1) +done + +echo Generate the keys. +try openssl genrsa -out out/A.key 2048 +try openssl genrsa -out out/B.key 2048 +try openssl genrsa -out out/C.key 2048 +try openssl genrsa -out out/D.key 2048 +try openssl genrsa -out out/E.key 2048 + +echo Generate the D CSR. +CA_COMMON_NAME="D Root CA" \ + CERTIFICATE=D \ + try openssl req \ + -new \ + -key out/D.key \ + -out out/D.csr \ + -config redundant-ca.cnf + +echo D signs itself. +CA_COMMON_NAME="D Root CA" \ + try openssl x509 \ + -req -days 3650 \ + -in out/D.csr \ + -extensions ca_cert \ + -extfile redundant-ca.cnf \ + -signkey out/D.key \ + -out out/D.pem \ + -text + +echo Generate the E CSR. +CA_COMMON_NAME="E Root CA" \ + CERTIFICATE=E \ + try openssl req \ + -new \ + -key out/E.key \ + -out out/E.csr \ + -config redundant-ca.cnf + +echo E signs itself. +CA_COMMON_NAME="E Root CA" \ + try openssl x509 \ + -req -days 3650 \ + -in out/E.csr \ + -extensions ca_cert \ + -extfile redundant-ca.cnf \ + -signkey out/E.key \ + -out out/E.pem \ + -text + +echo Generate the C2 intermediary CSR. +CA_COMMON_NAME="C CA" \ + CERTIFICATE=C2 \ + try openssl req \ + -new \ + -key out/C.key \ + -out out/C2.csr \ + -config redundant-ca.cnf + +echo Generate the B and C intermediaries\' CSRs. +for i in B C +do + CA_COMMON_NAME="$i CA" \ + CERTIFICATE="$i" \ + try openssl req \ + -new \ + -key "out/$i.key" \ + -out "out/$i.csr" \ + -config redundant-ca.cnf +done + +echo D signs the C intermediate. +# Make sure the signer's DB file exists. +touch out/D-index.txt +CA_COMMON_NAME="D Root CA" \ + CERTIFICATE=D \ + try openssl ca \ + -batch \ + -extensions ca_cert \ + -in out/C.csr \ + -out out/C.pem \ + -config redundant-ca.cnf + +echo E signs the C2 intermediate. +# Make sure the signer's DB file exists. +touch out/E-index.txt +CA_COMMON_NAME="E Root CA" \ + CERTIFICATE=E \ + try openssl ca \ + -batch \ + -extensions ca_cert \ + -in out/C2.csr \ + -out out/C2.pem \ + -config redundant-ca.cnf + +echo C signs the B intermediate. +touch out/C-index.txt +CA_COMMON_NAME="C CA" \ + CERTIFICATE=C \ + try openssl ca \ + -batch \ + -extensions ca_cert \ + -in out/B.csr \ + -out out/B.pem \ + -config redundant-ca.cnf + +echo Generate the A end-entity CSR. +try openssl req \ + -new \ + -key out/A.key \ + -out out/A.csr \ + -config ee.cnf + +echo B signs A. +touch out/B-index.txt +CA_COMMON_NAME="B CA" \ + CERTIFICATE=B \ + try openssl ca \ + -batch \ + -extensions user_cert \ + -in out/A.csr \ + -out out/A.pem \ + -config redundant-ca.cnf + +echo Create multi-root-chain1.pem +try /bin/sh -c "cat out/A.key out/A.pem out/B.pem out/C.pem out/D.pem \ + > ../certificates/multi-root-chain1.pem" + +echo Create multi-root-chain2.pem +try /bin/sh -c "cat out/A.key out/A.pem out/B.pem out/C2.pem out/E.pem \ + > ../certificates/multi-root-chain2.pem" + |