1#!/bin/sh
2
3# Copyright (c) 2013 The Chromium Authors. All rights reserved.
4# Use of this source code is governed by a BSD-style license that can be
5# found in the LICENSE file.
6
# This script generates two chains of test certificates:
#    1. A1 (end-entity) -> B (self-signed root)
#    2. A2 (end-entity) -> B (self-signed root)
#
# A1 and A2 share the same key and the same subject common name, but have
# distinct O values in their subjects.
#
# This is used to test that NSS can properly generate unique certificate
# nicknames for both certificates.
16
#######################################
# Print a command line, run it, and abort the script if it fails.
# Arguments: the command followed by its arguments, passed through unchanged.
# Outputs:   the arguments joined by spaces on stdout, followed by whatever
#            the command itself prints. Every argument is printed, so any
#            value passed on a command line appears in the script's output.
# Returns:   0 when the command succeeds. On failure the script exits with
#            status 1; the command's own exit code is not propagated.
#######################################
try () {
  echo "$@"
  if ! "$@"; then
    exit 1
  fi
}
21
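# Every path this script touches (out/, the .cnf files, ../certificates/) is
# resolved against the current working directory. Check that the inputs are
# present before the recursive delete below, so that starting the script from
# the wrong directory fails here instead of removing an unrelated ./out and
# only then stopping on a missing config file.
for required in redundant-ca.cnf ee.cnf; do
  if [ ! -f "$required" ]; then
    echo "$0: $required not found; run this script from its own directory" >&2
    exit 1
  fi
done
if [ ! -d ../certificates ]; then
  echo "$0: ../certificates not found; run this script from its own directory" >&2
  exit 1
fi

# Start from an empty scratch directory so no key, CSR or CA database entry
# from an earlier run leaks into this one.
try rm -rf out
try mkdir out

echo Create the serial number and index files.
# The redirection is wrapped in `sh -c` so that it is part of the command
# that try prints and whose exit status try checks.
try /bin/sh -c "echo 01 > out/B-serial"
try touch out/B-index.txt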
28
echo "Generate the keys."
# A.key is the single key used for both end-entity requests (A1 and A2);
# B.key belongs to the root. No cipher option is passed to genrsa, so both
# private keys are written unencrypted: they are test fixtures only.
for key_owner in A B; do
  try openssl genrsa -out "out/${key_owner}.key" 2048
done
32
# One config file drives both the CSR and the self-signing step for root B.
root_conf=redundant-ca.cnf

echo "Generate the B CSR."
# CA_COMMON_NAME and CERTIFICATE are set only for this one invocation.
# NOTE(review): presumably redundant-ca.cnf reads them from the environment
# to fill in the subject and file names; confirm against the config file.
CA_COMMON_NAME="B Root CA" CERTIFICATE=B \
  try openssl req -new \
    -key out/B.key \
    -out out/B.csr \
    -config "$root_conf"

echo "B signs itself."
# -signkey signs the request with B's own key, producing the self-signed
# root, valid for 3650 days, with extensions taken from the ca_cert section.
# No digest option is given, so the signature hash is whatever this OpenSSL
# build selects by default.
CA_COMMON_NAME="B Root CA" \
  try openssl x509 -req -days 3650 \
    -in out/B.csr \
    -extfile "$root_conf" -extensions ca_cert \
    -signkey out/B.key \
    -out out/B.pem
51
# Both end-entity requests are built from the same key (out/A.key) and the
# same config; only SUBJECT_NAME differs between them.
# NOTE(review): presumably SUBJECT_NAME selects the subject section inside
# ee.cnf (same CN, different O, per the header comment); confirm in ee.cnf.
ee_conf=ee.cnf

echo "Generate the A1 end-entity CSR."
SUBJECT_NAME=req_duplicate_cn_1 \
  try openssl req -new -key out/A.key -out out/A1.csr -config "$ee_conf"

echo "Generate the A2 end-entity CSR"
SUBJECT_NAME=req_duplicate_cn_2 \
  try openssl req -new -key out/A.key -out out/A2.csr -config "$ee_conf"
67
68
# Root B issues one certificate per end-entity request. -batch suppresses the
# interactive confirmation prompts of `openssl ca`, and the user_cert section
# of the config supplies the extensions.
# NOTE(review): CA_COMMON_NAME is "B CA" here but "B Root CA" where B's own
# CSR and certificate are made; presumably it is set only so the config's
# environment lookup resolves and does not affect the issued certificates.
# Confirm against redundant-ca.cnf.
for ee in A1 A2; do
  echo "B signs ${ee}."
  CA_COMMON_NAME="B CA" CERTIFICATE=B \
    try openssl ca -batch \
      -extensions user_cert \
      -in "out/${ee}.csr" \
      -out "out/${ee}.pem" \
      -config redundant-ca.cnf
done
88
echo "Exporting the certificates to PKCS#12"
# Each bundle pairs the shared private key with one of the two certificates.
# The export password is a fixed value written in this script, and
# `-passout pass:` places it on the command line, where try also prints it:
# these bundles are test fixtures and protect nothing.
# NOTE(review): no cipher or MAC options are given, so the .p12 protection
# algorithms come from the OpenSSL build's defaults and may differ between
# OpenSSL versions; confirm the importer under test accepts them.
for n in 1 2; do
  try openssl pkcs12 -export \
    -inkey out/A.key \
    -in "out/A${n}.pem" \
    -out "../certificates/duplicate_cn_${n}.p12" \
    -passout pass:chrome
done

# Publish the bare PEM certificates next to the PKCS#12 bundles.
for n in 1 2; do
  try cp "out/A${n}.pem" "../certificates/duplicate_cn_${n}.pem"
done
106