#!/bin/sh

# Copyright 2013 The Chromium Authors. All rights reserved.
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.

# This script generates a set of test (end-entity, root) certificate chains
# whose EEs have (critical, non-critical) eKUs for codeSigning. We then try
# to use them as EEs for a web server in unit tests, to make sure that we
# don't accept such certs as web server certs.

# Echo a command line, run it, and abort the whole script if it fails.
# Arguments: the command and its arguments, passed through unchanged.
# Outputs:   the command line on stdout before it is run.
# Returns:   0 when the command succeeds; otherwise the script exits with 1.
try () {
  echo "$@"
  if ! "$@"; then
    exit 1
  fi
}

# Start from an empty scratch directory. Every intermediate file (keys, CSRs,
# CA database) lives under out/, relative to the current working directory.
try rm -rf out
try mkdir out

# Base name shared by the root CA's key, CSR, certificate, serial and index
# files in out/.
eku_test_root="2048-rsa-root"

# Create the serial number files.
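# The redirect goes through a subshell so the whole step can be logged and
# checked by try like every other command.
try /bin/sh -c "echo 01 > \"out/$eku_test_root-serial\""

# Make sure the signers' DB files exist. A failed touch must stop the script
# here, like every other step, instead of surfacing later as an unrelated
# openssl ca error.
try touch "out/$eku_test_root-index.txt"

# Generate one root CA certificate.
try openssl genrsa -out "out/$eku_test_root.key" 2048

# The CA_* variables are presumably read by ca.cnf via $ENV::... — confirm
# there; the section names (ca_cert, req_env_dn) must match that file.
CA_COMMON_NAME="2048 RSA Test Root CA" \
  CA_DIR=out \
  CA_NAME=req_env_dn \
  KEY_SIZE=2048 \
  ALGO=rsa \
  CERT_TYPE=root \
  try openssl req \
    -new \
    -key "out/$eku_test_root.key" \
    -extensions ca_cert \
    -out "out/$eku_test_root.csr" \
    -config ca.cnf

# Self-sign the root for ten years. -text prepends a human-readable dump to
# the PEM, and that combined file is what gets copied into the checked-in
# fixture below.
CA_COMMON_NAME="2048 RSA Test Root CA" \
  CA_DIR=out \
  CA_NAME=req_env_dn \
  try openssl x509 \
    -req -days 3650 \
    -in "out/$eku_test_root.csr" \
    -extensions ca_cert \
    -extfile ca.cnf \
    -signkey "out/$eku_test_root.key" \
    -out "out/$eku_test_root.pem" \
    -text

# Generate EE certs. Each loop value doubles as the name of the request
# extension section in eku-test.cnf that sets the codeSigning EKU.
for cert_type in non-crit-codeSigning crit-codeSigning
do
  try openssl genrsa -out "out/$cert_type.key" 2048

  try openssl req \
    -new \
    -key "out/$cert_type.key" \
    -out "out/$cert_type.csr" \
    -config eku-test.cnf \
    -reqexts "$cert_type"

  # Issue the EE from the root with openssl ca; the serial and index files
  # created above are presumably its database (see ca.cnf).
  # NOTE(review): CA_COMMON_NAME is spelled "rsa" here but "RSA" for the root
  # above — confirm ca.cnf does not derive the issuer name from it.
  CA_COMMON_NAME="2048 rsa Test Root CA" \
    CA_DIR=out \
    CA_NAME=req_env_dn \
    KEY_SIZE=2048 \
    ALGO=rsa \
    CERT_TYPE=root \
    try openssl ca \
      -batch \
      -in "out/$cert_type.csr" \
      -out "out/$cert_type.pem" \
      -config ca.cnf
done

# Copy to the file names that are actually checked in. Each EE chain file is
# the private key followed by the certificate, so the unit tests can serve
# with it directly; cat runs in a subshell so try can check the redirect.
try cp "out/$eku_test_root.pem" ../certificates/eku-test-root.pem
try /bin/sh -c "cat out/crit-codeSigning.key out/crit-codeSigning.pem \
  > ../certificates/crit-codeSigning-chain.pem"
try /bin/sh -c "cat out/non-crit-codeSigning.key out/non-crit-codeSigning.pem \
  > ../certificates/non-crit-codeSigning-chain.pem"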