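#!/bin/sh

# Copyright 2014 The Chromium Authors. All rights reserved.
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.

# This script generates two chains of test certificates:
#
# 1. A (end-entity) -> B -> C -> D (self-signed root)
# 2. A (end-entity) -> B -> C2 -> E (self-signed root)
#
# C and C2 have the same subject and keypair.
#
# We use these cert chains in CertVerifyProcChromeOSTest
# to ensure that multiple verification paths are properly handled.
#
# All paths below (out/, redundant-ca.cnf, ee.cnf, ../certificates/) are
# relative, so the script must be run from the directory that contains it.
# The keys and certificates it produces are test fixtures only; the final
# chain files deliberately bundle A's private key with the certificates.

# try CMD...: print the command line, run it, and abort the whole script
# if it fails. Every step here is fatal because each later step consumes
# the files produced by the earlier ones. printf is used instead of echo
# so an argument such as "-n" is printed rather than interpreted.
try () {
  printf '%s\n' "$*"
  "$@" || exit 1
}

# Start from a clean output directory so serial/index state from a previous
# run cannot leak into the newly generated chains.
try rm -rf out
try mkdir out

echo Create the serial number files.
# One serial file per issuing CA (B, C, C2, D, E). The counter is shared so
# no two certificates in the output carry the same serial number.
serial=1000
for i in B C C2 D E
do
  echo "$serial" > "out/$i-serial" || exit 1
  serial=$((serial + 1))
done

echo Generate the keys.
# C and C2 intentionally share out/C.key (see the header comment).
try openssl genrsa -out out/A.key 2048
try openssl genrsa -out out/B.key 2048
try openssl genrsa -out out/C.key 2048
try openssl genrsa -out out/D.key 2048
try openssl genrsa -out out/E.key 2048

# CA_COMMON_NAME and CERTIFICATE are exported per command; presumably
# redundant-ca.cnf reads them via $ENV:: to pick the subject and the
# per-CA serial/index files — confirm against the config.
echo Generate the D CSR.
CA_COMMON_NAME="D Root CA" \
  CERTIFICATE=D \
  try openssl req \
    -new \
    -key out/D.key \
    -out out/D.csr \
    -config redundant-ca.cnf

echo D signs itself.
# Self-signed root: -signkey with the CA's own key, CA extensions from the
# ca_cert section of redundant-ca.cnf.
CA_COMMON_NAME="D Root CA" \
  try openssl x509 \
    -req -days 3650 \
    -in out/D.csr \
    -extensions ca_cert \
    -extfile redundant-ca.cnf \
    -signkey out/D.key \
    -out out/D.pem \
    -text

echo Generate the E CSR.
CA_COMMON_NAME="E Root CA" \
  CERTIFICATE=E \
  try openssl req \
    -new \
    -key out/E.key \
    -out out/E.csr \
    -config redundant-ca.cnf

echo E signs itself.
CA_COMMON_NAME="E Root CA" \
  try openssl x509 \
    -req -days 3650 \
    -in out/E.csr \
    -extensions ca_cert \
    -extfile redundant-ca.cnf \
    -signkey out/E.key \
    -out out/E.pem \
    -text

echo Generate the C2 intermediary CSR.
# Same common name and key as C, so C and C2 are interchangeable in a
# chain except for their issuer (E versus D).
CA_COMMON_NAME="C CA" \
  CERTIFICATE=C2 \
  try openssl req \
    -new \
    -key out/C.key \
    -out out/C2.csr \
    -config redundant-ca.cnf

echo Generate the B and C intermediaries\' CSRs.
for i in B C
do
  CA_COMMON_NAME="$i CA" \
    CERTIFICATE="$i" \
    try openssl req \
      -new \
      -key "out/$i.key" \
      -out "out/$i.csr" \
      -config redundant-ca.cnf
done

echo D signs the C intermediate.
# Make sure the signer's DB file exists; openssl ca refuses to run without
# its index file.
try touch out/D-index.txt
CA_COMMON_NAME="D Root CA" \
  CERTIFICATE=D \
  try openssl ca \
    -batch \
    -extensions ca_cert \
    -in out/C.csr \
    -out out/C.pem \
    -config redundant-ca.cnf

echo E signs the C2 intermediate.
# Make sure the signer's DB file exists.
try touch out/E-index.txt
CA_COMMON_NAME="E Root CA" \
  CERTIFICATE=E \
  try openssl ca \
    -batch \
    -extensions ca_cert \
    -in out/C2.csr \
    -out out/C2.pem \
    -config redundant-ca.cnf

echo C signs the B intermediate.
try touch out/C-index.txt
CA_COMMON_NAME="C CA" \
  CERTIFICATE=C \
  try openssl ca \
    -batch \
    -extensions ca_cert \
    -in out/B.csr \
    -out out/B.pem \
    -config redundant-ca.cnf

echo Generate the A end-entity CSR.
# The end-entity subject comes from ee.cnf rather than redundant-ca.cnf.
try openssl req \
  -new \
  -key out/A.key \
  -out out/A.csr \
  -config ee.cnf

echo B signs A.
try touch out/B-index.txt
# user_cert (not ca_cert): A is a leaf and must not carry CA extensions.
CA_COMMON_NAME="B CA" \
  CERTIFICATE=B \
  try openssl ca \
    -batch \
    -extensions user_cert \
    -in out/A.csr \
    -out out/A.pem \
    -config redundant-ca.cnf

# Each chain file is: A's private key, then the certificates from the leaf
# up to the root. The two chains differ only in the last two entries
# (C -> D versus C2 -> E), which is what the test exercises.
echo Create multi-root-chain1.pem
cat out/A.key out/A.pem out/B.pem out/C.pem out/D.pem \
  > ../certificates/multi-root-chain1.pem || exit 1

echo Create multi-root-chain2.pem
cat out/A.key out/A.pem out/B.pem out/C2.pem out/E.pem \
  > ../certificates/multi-root-chain2.pem || exit 1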