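#!/bin/sh

# Copyright 2013 The Chromium Authors. All rights reserved.
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.

# This script generates an (end-entity, intermediate, root) certificate chain,
# where the root has no explicit policies associated, the intermediate has
# multiple policies, and the leaf has a single policy.
#
# When validating, supplying no policy OID should not result in an error.
#
# Every path below is relative to the current directory: the script reads
# ./policy.cnf, recreates ./out from scratch, and writes the final chain to
# ../certificates/explicit-policy-chain.pem.
#
# The RSA keys under out/ are written unencrypted (genrsa is given no cipher
# option). They are throwaway keys for the "Policy Test" fixtures named below;
# only the certificates, never the keys, are copied into ../certificates.
#
# The COMMON_NAME / CA_DIR / CA_NAME assignments placed in front of `try` are
# presumably consumed by policy.cnf (not shown here). POSIX leaves it
# unspecified whether assignments prefixed to a shell function call are
# exported to the commands that function runs, so this relies on the behaviour
# of the /bin/sh in use.

# Echo a command, run it, and abort the whole script if it fails.
try() {
  echo "$@"
  "$@" || exit 1
}

# Check the working directory before `rm -rf out` destroys anything: without
# policy.cnf every openssl step below would fail, and without ../certificates
# the final chain could not be written.
if [ ! -f policy.cnf ]; then
  echo "policy.cnf not found in $(pwd); run this script from its own directory" >&2
  exit 1
fi
if [ ! -d ../certificates ]; then
  echo "../certificates does not exist relative to $(pwd)" >&2
  exit 1
fi

try rm -rf out
try mkdir out

# Create the serial number files.
# The redirection has to happen inside a child shell so that `try` can both
# echo it and check its status.
try /bin/sh -c "echo 01 > out/policy-root-serial"
try /bin/sh -c "echo 01 > out/policy-intermediate-serial"

# Create the signers' DB files.
# Wrapped in `try` like every other step, so a failure stops the script here
# instead of surfacing later inside `openssl ca`.
try touch out/policy-root-index.txt
try touch out/policy-intermediate-index.txt

# Generate the keys
try openssl genrsa -out out/policy-root.key 2048
try openssl genrsa -out out/policy-intermediate.key 2048
try openssl genrsa -out out/policy-cert.key 2048

# Generate the root certificate
COMMON_NAME="Policy Test Root CA" \
  CA_DIR=out \
  CA_NAME=policy-root \
  try openssl req \
    -new \
    -key out/policy-root.key \
    -out out/policy-root.csr \
    -config policy.cnf

# Self-sign the root (-signkey) using the ca_cert extension section.
# -text also writes the human-readable form into the output file.
COMMON_NAME="Policy Test Root CA" \
  CA_DIR=out \
  CA_NAME=policy-root \
  try openssl x509 \
    -req -days 3650 \
    -in out/policy-root.csr \
    -out out/policy-root.pem \
    -signkey out/policy-root.key \
    -extfile policy.cnf \
    -extensions ca_cert \
    -text

# Generate the intermediate
# The original sets no CA_NAME for this request.
# NOTE(review): confirm policy.cnf does not need CA_NAME for `openssl req`.
COMMON_NAME="Policy Test Intermediate CA" \
  CA_DIR=out \
  try openssl req \
    -new \
    -key out/policy-intermediate.key \
    -out out/policy-intermediate.csr \
    -config policy.cnf

# Sign the intermediate with the root CA (CA_NAME=policy-root).
COMMON_NAME="UNUSED" \
  CA_DIR=out \
  CA_NAME=policy-root \
  try openssl ca \
    -batch \
    -in out/policy-intermediate.csr \
    -out out/policy-intermediate.pem \
    -config policy.cnf \
    -extensions intermediate_cert

# Generate the leaf
COMMON_NAME="policy_test.example" \
  CA_DIR=out \
  CA_NAME=policy-intermediate \
  try openssl req \
    -new \
    -key out/policy-cert.key \
    -out out/policy-cert.csr \
    -config policy.cnf

# Sign the leaf with the intermediate CA (CA_NAME=policy-intermediate).
COMMON_NAME="Policy Test Intermediate CA" \
  CA_DIR=out \
  CA_NAME=policy-intermediate \
  try openssl ca \
    -batch \
    -in out/policy-cert.csr \
    -out out/policy-cert.pem \
    -config policy.cnf \
    -extensions user_cert

# Concatenate leaf, intermediate and root (in that order) into the chain file.
try /bin/sh -c "cat out/policy-cert.pem \
    out/policy-intermediate.pem \
    out/policy-root.pem >../certificates/explicit-policy-chain.pem"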