#!/bin/sh
# Copyright (c) 2011 The Chromium Authors. All rights reserved.
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.
# This script generates a set of test (end-entity, intermediate, root)
# certificates with (weak, strong), (RSA, DSA, ECDSA) key pairs.
# Key types to generate, written as "<size>-<algo>".  For RSA the size is
# the modulus bit length; for ECDSA it is a named curve, which is handed to
# openssl as "-name <curve>" below.  768-bit RSA is the deliberately weak
# case mentioned in the header comment.
key_types="768-rsa 1024-rsa 2048-rsa prime256v1-ecdsa"
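# Log a command line, then run it; abort the whole script if it fails.
#
# Arguments: the command and its arguments
# Outputs:   the command line on stdout (printf rather than echo, so an
#            argument such as "-n" or a backslash is logged verbatim instead
#            of being interpreted as an echo option/escape), followed by
#            whatever the command itself prints
# Returns:   0 on success; exits the script with status 1 otherwise
try () {
  printf '%s\n' "$*"
  "$@" || exit 1
}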
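# Print the openssl subcommand (plus fixed options) that generates a private
# key for the given algorithm.  Callers use it as
# `openssl $(generate_key_command "$algo") ...` and word-split the output on
# purpose.
#
# Arguments: $1 - key algorithm: dsa, ecdsa or rsa
# Outputs:   the subcommand words on stdout
# Returns:   0 for a known algorithm.  An unknown one prints a diagnostic on
#            stderr and exits 1; inside $(...) that only ends the subshell,
#            so the caller sees an empty expansion and its openssl call then
#            fails, which `try` turns into a script abort.
generate_key_command () {
  case "$1" in
    dsa)
      echo "dsaparam -genkey"
      ;;
    ecdsa)
      echo "ecparam -genkey"
      ;;
    rsa)
      echo genrsa
      ;;
    *)
      echo "generate_key_command: unknown key algorithm '$1'" >&2
      exit 1
      ;;
  esac
}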
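# Start from an empty output directory.  Every path in this script (out/,
# ca.cnf, ee.cnf, ../certificates) is relative, so it must be run from the
# directory that contains it.
try rm -rf out
try mkdir out

# Create the serial number files, one per CA that will issue certificates:
# the root and each intermediate.  The redirection is done by this shell
# directly instead of handing `sh -c` a command string with the file name
# spliced in, and a failed write aborts like any other `try` step.
echo 01 > out/2048-rsa-root-serial || exit 1
for key_type in $key_types
do
  echo 01 > "out/$key_type-intermediate-serial" || exit 1
done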
# Generate one root CA certificate: a 2048-bit RSA key with a self-signed,
# ten-year certificate that carries the ca_cert extensions from ca.cnf.
# The CA_* / KEY_SIZE / ALGO / CERT_TYPE variables are placed in openssl's
# environment for ca.cnf to consume (presumably via $ENV::; ca.cnf itself
# is not part of this file).
root_key=out/2048-rsa-root.key
root_csr=out/2048-rsa-root.csr
root_cert=out/2048-rsa-root.pem

try openssl genrsa -out "$root_key" 2048

# Certificate request for the root.
CA_COMMON_NAME="2048 RSA Test Root CA" \
CA_DIR=out \
CA_NAME=req_env_dn \
KEY_SIZE=2048 \
ALGO=rsa \
CERT_TYPE=root \
try openssl req \
  -new \
  -key "$root_key" \
  -extensions ca_cert \
  -out "$root_csr" \
  -config ca.cnf

# Self-sign the request with the root's own key.  -text adds a
# human-readable dump of the certificate in front of the PEM block.
CA_COMMON_NAME="2048 RSA Test Root CA" \
CA_DIR=out \
CA_NAME=req_env_dn \
try openssl x509 \
  -req -days 3650 \
  -in "$root_csr" \
  -extensions ca_cert \
  -signkey "$root_key" \
  -out "$root_cert" \
  -text
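# Generate private keys of all types and strengths for intermediate CAs and
# end-entities.  Each key_type is "<size>-<algo>" and is split with
# parameter expansion instead of two sed processes per iteration (sed -E is
# also not guaranteed under #!/bin/sh).  For ECDSA the "size" is a curve
# name that openssl expects as `-name <curve>`, so $key_size may expand to
# two words; it and the generate_key_command output are word-split on
# purpose.
for key_type in $key_types
do
  key_size=${key_type%%-*}
  algo=${key_type##*-}
  if [ ecdsa = "$algo" ]
  then
    key_size="-name $key_size"
  fi
  # shellcheck disable=SC2046,SC2086 -- intentional word splitting
  try openssl $(generate_key_command "$algo") \
    -out "out/$key_type-intermediate.key" $key_size
done

# One end-entity key per (key type, signer) pair, so that every
# intermediate can later issue a certificate for every key type.
for key_type in $key_types
do
  key_size=${key_type%%-*}
  algo=${key_type##*-}
  if [ ecdsa = "$algo" ]
  then
    key_size="-name $key_size"
  fi
  for signer_key_type in $key_types
  do
    # shellcheck disable=SC2046,SC2086 -- intentional word splitting
    try openssl $(generate_key_command "$algo") \
      -out "out/$key_type-ee-by-$signer_key_type-intermediate.key" $key_size
  done
done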
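# The root signs the intermediates.

# Make sure the signer's DB (index) file exists before the first `openssl
# ca` run.  Creating it once up front replaces the per-iteration touch, and
# a failure here aborts instead of surfacing later inside openssl.
touch out/2048-rsa-root-index.txt || exit 1

for key_type in $key_types
do
  key_size=${key_type%%-*}
  algo=${key_type##*-}

  # Request: the environment describes the intermediate itself, whose
  # identity goes into the CSR.
  CA_COMMON_NAME="$key_size $algo Test intermediate CA" \
  CA_DIR=out \
  CA_NAME=req_env_dn \
  KEY_SIZE=$key_size \
  ALGO=$algo \
  CERT_TYPE=intermediate \
  try openssl req \
    -new \
    -key "out/$key_type-intermediate.key" \
    -out "out/$key_type-intermediate.csr" \
    -config ca.cnf

  # Sign: the environment now describes the signer (the root), which is
  # presumably how ca.cnf locates the root's key, serial and index files
  # (ca.cnf is not visible here).
  CA_COMMON_NAME="2048 RSA Test Root CA" \
  CA_DIR=out \
  CA_NAME=req_env_dn \
  KEY_SIZE=2048 \
  ALGO=rsa \
  CERT_TYPE=root \
  try openssl ca \
    -batch \
    -extensions ca_cert \
    -in "out/$key_type-intermediate.csr" \
    -out "out/$key_type-intermediate.pem" \
    -config ca.cnf
done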
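# The intermediates sign the end-entities: every key type gets a certificate
# from every intermediate, so the output covers all (end-entity algorithm,
# signer algorithm) combinations.
for key_type in $key_types
do
  # The end-entity's own size/algorithm depend only on the outer loop.
  key_size=${key_type%%-*}
  algo=${key_type##*-}
  for signer_key_type in $key_types
  do
    signer_key_size=${signer_key_type%%-*}
    signer_algo=${signer_key_type##*-}
    ee_base="out/$key_type-ee-by-$signer_key_type-intermediate"

    # Make sure the signer's DB (index) file exists before it issues.
    touch "out/$signer_key_type-intermediate-index.txt" || exit 1

    # Request for the end-entity; ee.cnf only gets the key size.
    KEY_SIZE=$key_size \
    try openssl req \
      -new \
      -key "$ee_base.key" \
      -out "$ee_base.csr" \
      -config ee.cnf

    # Sign: the environment describes the signing intermediate.  The common
    # name uses $signer_algo so it matches the name that intermediate was
    # requested with; the original passed the end-entity's $algo, which
    # differed whenever the two key types used different algorithms.
    CA_COMMON_NAME="$signer_key_size $signer_algo Test intermediate CA" \
    CA_DIR=out \
    CA_NAME=req_env_dn \
    KEY_SIZE=$signer_key_size \
    ALGO=$signer_algo \
    CERT_TYPE=intermediate \
    try openssl ca \
      -batch \
      -in "$ee_base.csr" \
      -out "$ee_base.pem" \
      -config ca.cnf
  done
done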
# Copy final outputs.  The second glob also matches the end-entity
# certificates, whose names end in "-<signer>-intermediate.pem".
try cp -- out/*root*pem out/*intermediate*pem ../certificates