#!/bin/sh

# Copyright (c) 2013 The Chromium Authors. All rights reserved.
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.

# This script generates two chains of test certificates:
#    1. A1 (end-entity) -> B (self-signed root)
#    2. A2 (end-entity) -> B (self-signed root)
#
# A1 and A2 share the same key and the same subject common name, but have
# distinct O values in their subjects.
#
# This is used to test that NSS can properly generate unique certificate
# nicknames for both certificates.

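# Log a command line, run it, and abort the script if it fails.
# Arguments: the command and its arguments.
# Outputs:   the command line on stdout, followed by the command's own output.
# Exits:     with status 1 when the command returns non-zero.
# Every argument is logged verbatim, so anything secret passed on the command
# line (for example a -passout value) also appears in the script's output.
try () {
  echo "$@"
  # "$@" must stay quoted: unquoted, an argument containing spaces or glob
  # characters is re-split and expanded before the command sees it.
  "$@" || exit 1
}
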
# Print the openssl subcommand that generates a key of the given algorithm.
# Arguments: $1 - algorithm name; only "rsa" is recognised.
# Outputs:   "genrsa" on stdout for rsa.
# Exits:     with status 1 for any other algorithm (when called inside a
#            command substitution this ends only that subshell).
generate_key_command () {
  if [ "$1" = "rsa" ]; then
    echo genrsa
  else
    exit 1
  fi
}

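# Every path below is relative to the current directory, and the first step is
# a recursive delete of out/. Refuse to run anywhere the two OpenSSL config
# files are missing, so a wrong working directory cannot lose an unrelated out/.
if [ ! -f redundant-ca.cnf ] || [ ! -f ee.cnf ]; then
  echo "Run this script from the directory holding redundant-ca.cnf and ee.cnf." >&2
  exit 1
fi

try rm -rf out
try mkdir out

echo Create the serial number and index files.
# The serial is written without `try`: redirecting the output of `try` also
# captures the command line it echoes, so the file used to start with the
# text "echo 1" instead of a serial number.
# NOTE(review): the original value was `1`; `01` is used because OpenSSL's
# serial parser is understood to require an even number of hex digits.
# Confirm against the OpenSSL version in use. Certificates issued from this
# file now start at serial 01.
echo "echo 01 > out/B-serial"
echo 01 > out/B-serial || exit 1
try touch out/B-index.txt
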
echo Generate the keys.
# A.key is shared by both end-entity certificates; B.key belongs to the root.
# Both are written unencrypted under out/ and are meant only as test fixtures.
for key_owner in A B; do
  try openssl genrsa -out "out/${key_owner}.key" 2048
done

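echo Generate the B CSR.
# The settings are exported inside a subshell instead of being prefixed to the
# `try` call. POSIX leaves it unspecified whether assignments placed before a
# shell function are exported to the commands it runs, and whether they
# persist afterwards; the subshell makes both explicit.
# redundant-ca.cnf (not shown here) presumably reads these from the environment.
(
  export CA_COMMON_NAME="B Root CA"
  export CA_DIR=out
  export CA_NAME=req_env_dn
  export KEY_SIZE=2048
  export ALGO=rsa
  export CERT_TYPE=root
  export TYPE=B
  export CERTIFICATE=B
  try openssl req \
    -new \
    -key out/B.key \
    -out out/B.csr \
    -config redundant-ca.cnf
) || exit 1  # `exit 1` inside `try` only leaves the subshell; propagate it.

echo B signs itself.
# Self-signed root, valid for 3650 days, with the ca_cert extension section.
(
  export CA_COMMON_NAME="B Root CA"
  export CA_DIR=out
  export CA_NAME=req_env_dn
  try openssl x509 \
    -req -days 3650 \
    -in out/B.csr \
    -extfile redundant-ca.cnf \
    -extensions ca_cert \
    -signkey out/B.key \
    -out out/B.pem
) || exit 1
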
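# Both CSRs are made from the same key (out/A.key); only the subject section
# selected through SUBJECT_NAME differs. SUBJECT_NAME is exported inside a
# subshell because POSIX does not guarantee that an assignment prefixed to a
# shell function call (`try`) reaches the command the function runs.
echo Generate the A1 end-entity CSR.
(
  export SUBJECT_NAME=req_duplicate_cn_1
  try openssl req \
    -new \
    -key out/A.key \
    -out out/A1.csr \
    -config ee.cnf
) || exit 1  # `exit 1` inside `try` only leaves the subshell; propagate it.

echo Generate the A2 end-entity CSR
(
  export SUBJECT_NAME=req_duplicate_cn_2
  try openssl req \
    -new \
    -key out/A.key \
    -out out/A2.csr \
    -config ee.cnf
) || exit 1
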
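# B issues both end-entity certificates with identical settings, so the two
# signing steps share one loop. The settings are exported inside a subshell
# because POSIX does not guarantee that assignments prefixed to a shell
# function call (`try`) are exported to the command it runs.
# NOTE(review): ALGO is `sha1` here but `rsa` for the root CSR. What
# redundant-ca.cnf does with it is not visible from this script; if it selects
# the signature digest, SHA-1 is tolerable only because these are test
# fixtures. Confirm.
for ee in A1 A2; do
  echo "B signs ${ee}."
  (
    export CA_COMMON_NAME="B CA"
    export CA_DIR=out
    export CA_NAME=req_env_dn
    export KEY_SIZE=2048
    export ALGO=sha1
    export CERT_TYPE=intermediate
    export TYPE=B
    export CERTIFICATE=B
    try openssl ca \
      -batch \
      -extensions user_cert \
      -in "out/${ee}.csr" \
      -out "out/${ee}.pem" \
      -config redundant-ca.cnf
  ) || exit 1  # `exit 1` inside `try` only leaves the subshell; propagate it.
done
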
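echo "Exporting the certificates to PKCS#12"
# Each bundle pairs the shared key out/A.key with one end-entity certificate.
# "chrome" is a fixed fixture password. Passing it with pass: exposes it in the
# process arguments and in the command line that `try` echoes, which is
# acceptable only because the key is a throwaway test key.
for n in 1 2; do
  try openssl pkcs12 \
    -export \
    -inkey out/A.key \
    -in "out/A${n}.pem" \
    -out "../certificates/duplicate_cn_${n}.p12" \
    -passout pass:chrome
done

# Publish the PEM certificates next to the PKCS#12 bundles. The copies go
# through `try` so a failed copy stops the script instead of being ignored.
for n in 1 2; do
  try cp "out/A${n}.pem" "../certificates/duplicate_cn_${n}.pem"
done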