1#!/bin/bash
2
3# Copyright (c) 2012 The Chromium Authors. All rights reserved.
4# Use of this source code is governed by a BSD-style license that can be
5# found in the LICENSE file.
6
7# This script generates certificates that can be used to test SSL client
8# authentication. Outputs for automated tests are stored in
9# net/data/ssl/certificates, but may be re-generated for manual testing.
10#
11# This script generates two chains of test client certificates:
12#
13#   1. A (end-entity) -> B -> C (self-signed root)
14#   2. D (end-entity) -> E -> C (self-signed root)
15#
16# In which A, B, C, D, and E all have distinct keypairs. Both client
17# certificates share the same root, but are issued by different
18# intermediates. The names of these intermediates are hardcoded within
19# unit tests, and thus should not be changed.
20
21try () {
22  echo "$@"
23  $@ || exit 1
24}
25
26try rm -rf out
27try mkdir out
28
29echo Create the serial number files and indices.
30serial = 100
31for i in B C E
32do
33  try echo $serial > out/$i-serial
34  serial=$(expr $serial + 1)
35  touch out/$i-index.txt
36  touch out/$i-index.txt.attr
37done
38
39echo Generate the keys.
40for i in A B C D E
41do
42  try openssl genrsa -out out/$i.key 2048
43done
44
45echo Generate the C CSR
46COMMON_NAME="C Root CA" \
47  CA_DIR=out \
48  ID=C \
49  try openssl req \
50    -new \
51    -key out/C.key \
52    -out out/C.csr \
53    -config client-certs.cnf
54
55echo C signs itself.
56COMMON_NAME="C Root CA" \
57  CA_DIR=out \
58  ID=C \
59  try openssl x509 \
60    -req -days 3650 \
61    -in out/C.csr \
62    -extensions ca_cert \
63    -signkey out/C.key \
64    -out out/C.pem
65
66echo Generate the intermediates
67COMMON_NAME="B CA" \
68  CA_DIR=out \
69  ID=B \
70  try openssl req \
71    -new \
72    -key out/B.key \
73    -out out/B.csr \
74    -config client-certs.cnf
75
76COMMON_NAME="C CA" \
77  CA_DIR=out \
78  ID=C \
79  try openssl ca \
80    -batch \
81    -extensions ca_cert \
82    -in out/B.csr \
83    -out out/B.pem \
84    -config client-certs.cnf
85
86COMMON_NAME="E CA" \
87  CA_DIR=out \
88  ID=E \
89  try openssl req \
90    -new \
91    -key out/E.key \
92    -out out/E.csr \
93    -config client-certs.cnf
94
95COMMON_NAME="C CA" \
96  CA_DIR=out \
97  ID=C \
98  try openssl ca \
99    -batch \
100    -extensions ca_cert \
101    -in out/E.csr \
102    -out out/E.pem \
103    -config client-certs.cnf
104
105echo Generate the leaf certs
106for id in A D
107do
108  COMMON_NAME="Client Cert $id" \
109  ID=$id \
110  try openssl req \
111    -new \
112    -key out/$id.key \
113    -out out/$id.csr \
114    -config client-certs.cnf
115done
116
117echo B signs A
118COMMON_NAME="B CA" \
119  CA_DIR=out \
120  ID=B \
121  try openssl ca \
122    -batch \
123    -extensions user_cert \
124    -in out/A.csr \
125    -out out/A.pem \
126    -config client-certs.cnf
127
128echo E signs D
129COMMON_NAME="E CA" \
130  CA_DIR=out \
131  ID=E \
132  try openssl ca \
133    -batch \
134    -extensions user_cert \
135    -in out/D.csr \
136    -out out/D.pem \
137    -config client-certs.cnf
138
139echo Package the client certs and private keys into PKCS12 files
140# This is done for easily importing all of the certs needed for clients.
141cat out/A.pem out/A.key out/B.pem out/C.pem > out/A-chain.pem
142cat out/D.pem out/D.key out/E.pem out/C.pem > out/D-chain.pem
143
144try openssl pkcs12 \
145  -in out/A-chain.pem \
146  -out client_1.p12 \
147  -export \
148  -passout pass:chrome
149
150try openssl pkcs12 \
151  -in out/D-chain.pem \
152  -out client_2.p12 \
153  -export \
154  -passout pass:chrome
155
156echo Package the client certs for unit tests
157cp out/A.pem client_1.pem
158cp out/A.key client_1.key
159cp out/B.pem client_1_ca.pem
160
161cp out/D.pem client_2.pem
162cp out/D.key client_2.key
163cp out/E.pem client_2_ca.pem
164