#!/bin/bash

# Copyright (c) 2012 The Chromium Authors. All rights reserved.
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.

# This script generates certificates that can be used to test SSL client
# authentication. Outputs for automated tests are stored in
# net/data/ssl/certificates, but may be re-generated for manual testing.
#
# This script generates two chains of test client certificates:
#
# 1. A (end-entity) -> B -> C (self-signed root)
# 2. D (end-entity) -> E -> C (self-signed root)
#
# A, B, C, D, and E all have distinct keypairs. Both client
# certificates share the same root, but are issued by different
# intermediates. The names of these intermediates are hardcoded within
# unit tests, and thus should not be changed.
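#######################################
# Log a command line, run it, and abort the whole script if it fails.
# Used instead of `set -e` so every step is printed before it executes.
# Arguments: the command and its arguments
# Outputs:   the command line on stdout, then whatever the command prints
# Returns:   the command's status on success; exits 1 on failure
#######################################
try () {
  # printf rather than echo: an argument such as "-n" must be printed,
  # not interpreted as an echo option.
  printf '%s\n' "$*"
  "$@" || exit 1
}

try rm -rf out
try mkdir out

echo Create the serial number files and indices.
# Each CA (B, C, E) gets its own `openssl ca` database in out/: a serial
# file seeded with a distinct starting value (1000, 1001, 1002) and an
# initially empty index plus its .attr companion.
serial=1000
for i in B C E
do
  # Plain redirection instead of spawning /bin/sh to get one.
  printf '%s\n' "$serial" > "out/$i-serial" || exit 1
  serial=$((serial + 1))
  # Index files are required by `openssl ca`; a failed touch must stop
  # the run rather than surface later as a confusing CA error.
  try touch "out/$i-index.txt" "out/$i-index.txt.attr"
done

echo Generate the keys.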
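# One 2048-bit RSA key per certificate: A/D leaves, B/E intermediates,
# C root. Every entity gets its own keypair.
for i in A B C D E
do
  try openssl genrsa -out "out/$i.key" 2048
done

echo Generate the C CSR
# COMMON_NAME, CA_DIR and ID are exported only for this command; they are
# presumably read by client-certs.cnf, which is not shown here — confirm
# against that file before renaming any of them.
COMMON_NAME="C Root CA" \
  CA_DIR=out \
  ID=C \
  try openssl req \
    -new \
    -key out/C.key \
    -out out/C.csr \
    -config client-certs.cnf

echo C signs itself.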
# The root C signs its own CSR with its own key. The ca_cert extensions
# come from client-certs.cnf; the certificate is valid for ten years.
c_selfsign_args=(
  -req -days 3650
  -in out/C.csr
  -extensions ca_cert
  -extfile client-certs.cnf
  -signkey out/C.key
  -out out/C.pem
)
COMMON_NAME="C Root CA" CA_DIR=out ID=C \
  try openssl x509 "${c_selfsign_args[@]}"

echo Generate the intermediates
# Intermediate B: build its request, then have C issue it with CA
# extensions through `openssl ca` (which uses the serial/index files
# created earlier, presumably located via CA_DIR in client-certs.cnf).
# Note the issuing step runs with COMMON_NAME="C CA", not "C Root CA",
# as in the original; reproduced unchanged.
b_req_args=(-new -key out/B.key -out out/B.csr -config client-certs.cnf)
COMMON_NAME="B CA" CA_DIR=out ID=B \
  try openssl req "${b_req_args[@]}"

b_sign_args=(-batch -extensions ca_cert -in out/B.csr -out out/B.pem -config client-certs.cnf)
COMMON_NAME="C CA" CA_DIR=out ID=C \
  try openssl ca "${b_sign_args[@]}"

# Intermediate E: identical procedure, also issued by C.
e_req_args=(-new -key out/E.key -out out/E.csr -config client-certs.cnf)
COMMON_NAME="E CA" CA_DIR=out ID=E \
  try openssl req "${e_req_args[@]}"

e_sign_args=(-batch -extensions ca_cert -in out/E.csr -out out/E.pem -config client-certs.cnf)
COMMON_NAME="C CA" CA_DIR=out ID=C \
  try openssl ca "${e_sign_args[@]}"

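echo Generate the leaf certs
for id in A D
do
  # Leaf request. Unlike the CA steps no CA_DIR is exported here —
  # presumably because a leaf has no `openssl ca` database of its own.
  COMMON_NAME="Client Cert $id" \
    ID="$id" \
    try openssl req \
      -new \
      -key "out/$id.key" \
      -out "out/$id.csr" \
      -config client-certs.cnf
  # Store the private key also in PKCS#8 format (DER). -nocrypt leaves it
  # unencrypted, which is acceptable only because these are test fixtures.
  try openssl pkcs8 \
    -topk8 -nocrypt \
    -in "out/$id.key" \
    -outform DER \
    -out "out/$id.pk8"
done

echo B signs A
# user_cert extensions (from client-certs.cnf) mark A as an end-entity.
COMMON_NAME="B CA" \
  CA_DIR=out \
  ID=B \
  try openssl ca \
    -batch \
    -extensions user_cert \
    -in out/A.csr \
    -out out/A.pem \
    -config client-certs.cnf

echo E signs D
COMMON_NAME="E CA" \
  CA_DIR=out \
  ID=E \
  try openssl ca \
    -batch \
    -extensions user_cert \
    -in out/D.csr \
    -out out/D.pem \
    -config client-certs.cnf
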
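echo Package the client certs and private keys into PKCS12 files
# This is done for easily importing all of the certs needed for clients.
# Bundle order: leaf cert, leaf private key, issuing intermediate, root.
# The bundle therefore contains the private key — it is an input to the
# PKCS#12 export below, not a distributable artifact.
# Plain redirection with an explicit check replaces the earlier
# /bin/sh -c wrapper, which only existed to route a redirect through try.
cat out/A.pem out/A.key out/B.pem out/C.pem > out/A-chain.pem || exit 1
cat out/D.pem out/D.key out/E.pem out/C.pem > out/D-chain.pem || exit 1

# The export password is fixed and not a secret: these are test
# fixtures, and whatever imports them must use the same value.
# NOTE: the .p12 files are written to the current directory, not out/.
try openssl pkcs12 \
  -in out/A-chain.pem \
  -out client_1.p12 \
  -export \
  -passout pass:chrome

try openssl pkcs12 \
  -in out/D-chain.pem \
  -out client_2.p12 \
  -export \
  -passout pass:chrome

echo Package the client certs for unit tests
# client_N.{pem,key,pk8} is the leaf; client_N_ca.pem is the intermediate
# that issued it (B for client_1, E for client_2). The root C is not copied.
try cp out/A.pem ../certificates/client_1.pem
try cp out/A.key ../certificates/client_1.key
try cp out/A.pk8 ../certificates/client_1.pk8
try cp out/B.pem ../certificates/client_1_ca.pem

try cp out/D.pem ../certificates/client_2.pem
try cp out/D.key ../certificates/client_2.key
try cp out/D.pk8 ../certificates/client_2.pk8
try cp out/E.pem ../certificates/client_2_ca.pem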