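#!/bin/sh

# Copyright 2013 The Chromium Authors. All rights reserved.
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.

# This script generates two roots - one legacy one signed with MD5, and
# another (newer) one signed with SHA1 - and has a leaf certificate signed
# by these without any distinguishers.
#
# The "cross-signed" comes from the fact that both the MD5 and SHA1 roots share
# the same Authority Key ID, Subject Key ID, Subject, and Subject Public Key
# Info (both are issued from the same request and the same key, see below).
# When the chain building algorithm is evaluating paths, if it prefers
# untrusted over trusted, then it will see the MD5 certificate as a self-signed
# cert that is "cross-signed" by the trusted SHA1 root.
#
# The SHA1 root should be (temporarily) trusted, and the resulting chain
# should be leaf -> SHA1root, not leaf -> MD5root, leaf -> SHA1root -> MD5root,
# or leaf -> MD5root -> SHA1root
#
# Inputs:  ca.cnf and ee.cnf in the current directory. CA_COMMON_NAME is
#          passed in the environment of each openssl invocation that reads
#          ca.cnf.
# Outputs: scratch files under out/, and the three fixtures written to
#          ../certificates/ (cross-signed-root-md5.pem,
#          cross-signed-root-sha1.pem, cross-signed-leaf.pem).

# Echo a command, run it, and abort the whole script if it fails.
# Arguments: the command and its arguments, passed through verbatim.
try() {
  echo "$@"
  "$@" || exit 1
}

try rm -rf out
try mkdir out

# Serial and index files consumed by "openssl ca" (the names come from
# ca.cnf). The redirections run in a child shell so that `try` can check
# the result; the touch calls go through `try` for the same reason.
try /bin/sh -c "echo 01 > out/2048-sha1-root-serial"
try /bin/sh -c "echo 02 > out/2048-md5-root-serial"
try touch out/2048-sha1-root-index.txt
try touch out/2048-md5-root-index.txt

# Generate the key
try openssl genrsa -out out/2048-sha1-root.key 2048

# Generate the root certificate request. Both roots below are self-signed
# from this single request with this single key, which is what makes their
# Subject, SPKI, SKI and AKI identical.
CA_COMMON_NAME="Test Dup-Hash Root CA" \
  try openssl req \
  -new \
  -key out/2048-sha1-root.key \
  -out out/2048-sha1-root.req \
  -config ca.cnf

# The (to be trusted) SHA1-signed root.
CA_COMMON_NAME="Test Dup-Hash Root CA" \
  try openssl x509 \
  -req -days 3650 \
  -sha1 \
  -in out/2048-sha1-root.req \
  -out out/2048-sha1-root.pem \
  -text \
  -signkey out/2048-sha1-root.key \
  -extfile ca.cnf \
  -extensions ca_cert

# The legacy MD5-signed root: same request, same key, only the signature
# digest differs. The weak digest is the point of this fixture.
# NOTE(review): hardened OpenSSL builds may refuse to emit an MD5 signature;
# confirm on the build used to regenerate these files.
CA_COMMON_NAME="Test Dup-Hash Root CA" \
  try openssl x509 \
  -req -days 3650 \
  -md5 \
  -in out/2048-sha1-root.req \
  -out out/2048-md5-root.pem \
  -text \
  -signkey out/2048-sha1-root.key \
  -extfile ca.cnf \
  -extensions ca_cert

# Generate the leaf certificate request
# NOTE(review): no -nodes is given, so this relies on ee.cnf disabling key
# encryption; otherwise openssl prompts for a passphrase — confirm.
try openssl req \
  -new \
  -keyout out/ok_cert.key \
  -out out/ok_cert.req \
  -config ee.cnf

# Generate the leaf certificates (the signing key and CA settings come from
# ca.cnf)
CA_COMMON_NAME="Test Dup-Hash Root CA" \
  try openssl ca \
  -batch \
  -extensions user_cert \
  -days 3650 \
  -in out/ok_cert.req \
  -out out/ok_cert.pem \
  -config ca.cnf

# Copy the three fixtures, with a human-readable text dump prepended, into
# the certificates directory used by the tests.
try openssl x509 -text \
  -in out/2048-md5-root.pem \
  -out ../certificates/cross-signed-root-md5.pem
try openssl x509 -text \
  -in out/2048-sha1-root.pem \
  -out ../certificates/cross-signed-root-sha1.pem
try openssl x509 -text \
  -in out/ok_cert.pem \
  -out ../certificates/cross-signed-leaf.pem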