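#!/bin/sh

# Copyright (c) 2013 The Chromium Authors. All rights reserved.
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.

# This script generates two chains of test certificates:
#   1. A1 (end-entity) -> B (self-signed root)
#   2. A2 (end-entity) -> B (self-signed root)
#
# In which A1 and A2 share the same key, the same subject common name, but have
# distinct O values in their subjects.
#
# This is used to test that NSS can properly generate unique certificate
# nicknames for both certificates.
#
# Every path below is relative to the current directory (out/, the two .cnf
# files, ../certificates), so run the script from the directory that holds
# redundant-ca.cnf and ee.cnf. The `rm -rf out` step removes whatever "out"
# exists in that directory.
#
# openssl genrsa is run without a cipher option, so out/A.key and out/B.key
# are written unencrypted. They are test keys and must not back any real
# identity.

# Echoes a command line to stdout, then runs it. A non-zero status from the
# command ends the script with exit status 1.
# Arguments: the command followed by its arguments.
#
# "$@" is quoted so that an argument containing spaces or glob characters
# reaches the command as a single, unexpanded word.
#
# A redirection written on a `try ...` line applies to try itself, so the
# echoed trace would land in the target too; put the redirect inside the
# command instead (see the serial-file step).
#
# The VAR=value prefixes on the openssl steps rely on the shell passing them
# through this function into the environment of the command it starts.
try () {
  echo "$@"
  "$@" || exit 1
}

# Prints the openssl subcommand that generates a key of the given type.
# Arguments: $1 - key type; only "rsa" is supported.
# Any other type prints a diagnostic to stderr and exits with status 1.
# No step in this script calls it at present.
generate_key_command () {
  case "$1" in
    rsa)
      echo genrsa
      ;;
    *)
      echo "Unsupported key type: $1" >&2
      exit 1
      ;;
  esac
}

try rm -rf out
try mkdir out

echo Create the serial number and index files.
# The redirect sits inside a child shell so that only the serial number is
# written to the file, not the trace line that try prints. openssl ca reads
# the next serial number from this file as hex; it is written as two digits.
try /bin/sh -c 'echo 01 > out/B-serial'
try touch out/B-index.txt

echo Generate the keys.
# A.key is shared by both end-entity certificates; B.key belongs to the root.
try openssl genrsa -out out/A.key 2048
try openssl genrsa -out out/B.key 2048

echo Generate the B CSR.
CA_COMMON_NAME="B Root CA" \
  CA_DIR=out \
  CA_NAME=req_env_dn \
  KEY_SIZE=2048 \
  ALGO=rsa \
  CERT_TYPE=root \
  TYPE=B CERTIFICATE=B \
  try openssl req \
    -new \
    -key out/B.key \
    -out out/B.csr \
    -config redundant-ca.cnf

echo B signs itself.
CA_COMMON_NAME="B Root CA" \
  CA_DIR=out \
  CA_NAME=req_env_dn \
  try openssl x509 \
    -req -days 3650 \
    -in out/B.csr \
    -extfile redundant-ca.cnf \
    -extensions ca_cert \
    -signkey out/B.key \
    -out out/B.pem

echo Generate the A1 end-entity CSR.
# SUBJECT_NAME presumably selects the subject section in ee.cnf; the config is
# not part of this script -- confirm there.
SUBJECT_NAME=req_duplicate_cn_1 \
  try openssl req \
    -new \
    -key out/A.key \
    -out out/A1.csr \
    -config ee.cnf

echo Generate the A2 end-entity CSR
SUBJECT_NAME=req_duplicate_cn_2 \
  try openssl req \
    -new \
    -key out/A.key \
    -out out/A2.csr \
    -config ee.cnf


echo B signs A1.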
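# NOTE(review): ALGO is "rsa" in the B CSR step and "sha1" in the two signing
# steps below; how redundant-ca.cnf consumes it is not visible from this
# script. If it selects the signature digest, SHA-1 is tolerable only because
# these are test fixtures -- confirm against the config.
CA_COMMON_NAME="B CA" \
  CA_DIR=out \
  CA_NAME=req_env_dn \
  KEY_SIZE=2048 \
  ALGO=sha1 \
  CERT_TYPE=intermediate \
  TYPE=B CERTIFICATE=B \
  try openssl ca \
    -batch \
    -extensions user_cert \
    -in out/A1.csr \
    -out out/A1.pem \
    -config redundant-ca.cnf

echo B signs A2.
CA_COMMON_NAME="B CA" \
  CA_DIR=out \
  CA_NAME=req_env_dn \
  KEY_SIZE=2048 \
  ALGO=sha1 \
  CERT_TYPE=intermediate \
  TYPE=B CERTIFICATE=B \
  try openssl ca \
    -batch \
    -extensions user_cert \
    -in out/A2.csr \
    -out out/A2.pem \
    -config redundant-ca.cnf

echo Exporting the certificates to PKCS#12
# Both bundles carry the same private key (out/A.key) and are protected by a
# fixed password given on the command line. That suits checked-in test
# fixtures only: the password is public and visible in the process list.
try openssl pkcs12 \
  -export \
  -inkey out/A.key \
  -in out/A1.pem \
  -out ../certificates/duplicate_cn_1.p12 \
  -passout pass:chrome

try openssl pkcs12 \
  -export \
  -inkey out/A.key \
  -in out/A2.pem \
  -out ../certificates/duplicate_cn_2.p12 \
  -passout pass:chrome

# Run the copies through try as well, so a failed copy stops the script
# instead of leaving a stale or missing .pem next to a fresh .p12.
try cp out/A1.pem ../certificates/duplicate_cn_1.pem
try cp out/A2.pem ../certificates/duplicate_cn_2.pem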