blob: 299092da02ee790609c9120e61de8a45319fcb48 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
|
#!/bin/sh
# Copyright 2013 The Chromium Authors. All rights reserved.
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.
# This script generates a two roots - one legacy one signed with MD5, and
# another (newer) one signed with SHA1 - and has a leaf certificate signed
# by these without any distinguishers.
#
# The "cross-signed" comes from the fact that both the MD5 and SHA1 roots share
# the same Authority Key ID, Subject Key ID, Subject, and Subject Public Key
# Info. When the chain building algorithm is evaluating paths, if it prefers
# untrusted over trusted, then it will see the MD5 certificate as a self-signed
# cert that is "cross-signed" by the trusted SHA1 root.
#
# The SHA1 root should be (temporarily) trusted, and the resulting chain
# should be leaf -> SHA1root, not leaf -> MD5root, leaf -> SHA1root -> MD5root,
# or leaf -> MD5root -> SHA1root
try() {
echo "$@"
$@ || exit 1
}
try rm -rf out
try mkdir out
try echo 1 > out/2048-sha1-root-serial
try echo 2 > out/2048-md5-root-serial
touch out/2048-sha1-root-index.txt
touch out/2048-md5-root-index.txt
# Generate the key
try openssl genrsa -out out/2048-sha1-root.key 2048
# Generate the root certificate
CA_COMMON_NAME="Test Root CA" \
try openssl req \
-new \
-key out/2048-sha1-root.key \
-out out/2048-sha1-root.req \
-config ca.cnf
CA_COMMON_NAME="Test Root CA" \
try openssl x509 \
-req -days 3650 \
-sha1 \
-in out/2048-sha1-root.req \
-out out/2048-sha1-root.pem \
-text \
-signkey out/2048-sha1-root.key \
-extfile ca.cnf \
-extensions ca_cert
CA_COMMON_NAME="Test Root CA" \
try openssl x509 \
-req -days 3650 \
-md5 \
-in out/2048-sha1-root.req \
-out out/2048-md5-root.pem \
-text \
-signkey out/2048-sha1-root.key \
-extfile ca.cnf \
-extensions ca_cert
# Generate the leaf certificate request
try openssl req \
-new \
-keyout out/ok_cert.key \
-out out/ok_cert.req \
-config ee.cnf
# Generate the leaf certificates
CA_COMMON_NAME="Test Root CA" \
try openssl ca \
-batch \
-extensions user_cert \
-days 3650 \
-in out/ok_cert.req \
-out out/ok_cert.pem \
-config ca.cnf
cp out/2048-md5-root.pem ../certificates/cross-signed-root-md5.pem
cp out/2048-sha1-root.pem ../certificates/cross-signed-root-sha1.pem
cp out/ok_cert.pem ../certificates/cross-signed-leaf.pem
|
