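#!/bin/sh

# Copyright 2013 The Chromium Authors. All rights reserved.
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.

# This script generates a set of test (end-entity, root) certificate chains
# whose EEs have (critical, non-critical) eKUs for codeSigning. We then try
# to use them as EEs for a web server in unit tests, to make sure that we
# don't accept such certs as web server certs.
#
# Usage: run with no arguments from the directory that holds ca.cnf and
# eku-test.cnf. Both config files and the out/ directory are resolved
# relative to the current working directory, and any existing out/ there is
# deleted before the new material is written.
#
# The RSA keys written to out/ are generated without a passphrase; they are
# fixtures for the unit tests described above.

# Print a command line, run it, and abort the script if it fails.
# Arguments: the command followed by its arguments.
# Outputs:   the command line on stdout, before the command runs.
# Exits:     with status 1 when the command returns non-zero.
try () {
  printf '%s\n' "$*"
  # Quoted "$@" hands every argument to the command unchanged; unquoted, an
  # argument containing whitespace or glob characters would be re-split or
  # expanded before the command sees it.
  "$@" || exit 1
}

# Refuse to touch out/ unless the config files used below are present, so a
# run from the wrong directory stops before `rm -rf out` removes an unrelated
# directory.
for cnf in ca.cnf eku-test.cnf
do
  if [ ! -f "$cnf" ]; then
    printf '%s: %s not found in %s; run from the directory holding the .cnf files\n' \
      "$0" "$cnf" "$PWD" >&2
    exit 1
  fi
done

try rm -rf out
try mkdir out

eku_test_root="eku-test-root"

# Create the serial number files.
# The redirection applies to the whole try call, so the trace line "echo 1"
# is written to the file ahead of the "1".
# NOTE(review): confirm what `openssl ca` reads from this file (ca.cnf is not
# visible here) and whether it should be seeded directly, e.g. with "01".
try echo 1 > "out/${eku_test_root}-serial"

# Make sure the signers' DB files exist.
try touch "out/${eku_test_root}-index.txt"

# Generate one root CA certificate.
try openssl genrsa -out "out/${eku_test_root}.key" 2048

# The VAR=value prefixes below are meant to reach openssl through try(),
# presumably so that ca.cnf can read them from the environment. POSIX leaves
# it unspecified whether assignments prefixed to a function call are exported
# to the commands the function runs; bash does export them.
# NOTE(review): confirm for the /bin/sh this script is run with.
CA_COMMON_NAME="2048 RSA Test Root CA" \
  CA_DIR=out \
  CA_NAME=req_env_dn \
  KEY_SIZE=2048 \
  ALGO=rsa \
  CERT_TYPE=root \
  try openssl req \
    -new \
    -key "out/${eku_test_root}.key" \
    -extensions ca_cert \
    -out "out/${eku_test_root}.csr" \
    -config ca.cnf

# Self-sign the root CSR with its own key.
# NOTE(review): -extensions names a section but no -extfile is passed;
# confirm that the ca_cert extensions actually end up in the generated root,
# since that depends on where the OpenSSL version in use looks for the section.
CA_COMMON_NAME="2048 RSA Test Root CA" \
  CA_DIR=out \
  CA_NAME=req_env_dn \
  try openssl x509 \
    -req -days 3650 \
    -in "out/${eku_test_root}.csr" \
    -extensions ca_cert \
    -signkey "out/${eku_test_root}.key" \
    -out "out/${eku_test_root}.pem"

# Generate EE certs.
# Each cert_type is also the name of the request-extension section selected
# from eku-test.cnf via -reqexts.
for cert_type in non-crit-codeSigning crit-codeSigning
do
  try openssl genrsa -out "out/${cert_type}.key" 2048

  try openssl req \
    -new \
    -key "out/${cert_type}.key" \
    -out "out/${cert_type}.csr" \
    -config eku-test.cnf \
    -reqexts "$cert_type"

  # NOTE(review): CA_COMMON_NAME is spelled "rsa" here but "RSA" for the root
  # above; confirm whether ca.cnf uses this value when signing.
  CA_COMMON_NAME="2048 rsa Test Root CA" \
    CA_DIR=out \
    CA_NAME=req_env_dn \
    KEY_SIZE=2048 \
    ALGO=rsa \
    CERT_TYPE=root \
    try openssl ca \
      -batch \
      -in "out/${cert_type}.csr" \
      -out "out/${cert_type}.pem" \
      -config ca.cnf
done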