1#!/bin/sh
2
3# Copyright (c) 2012 The Chromium Authors. All rights reserved.
4# Use of this source code is governed by a BSD-style license that can be
5# found in the LICENSE file.
6
7# This script generates two chains of test certificates:
8#
9#     1. A (end-entity) -> B -> C -> D (self-signed root)
10#     2. A (end-entity) -> B -> C2 (self-signed root)
11#
12# in which A, B, C, and D have distinct keypairs. C2 is a self-signed root
13# certificate that uses the same keypair as C.
14#
15# We use these cert chains in
16# SSLClientSocketTest.VerifyReturnChainProperlyOrdered to ensure that
17# SSLInfo objects see the certificate chain as validated rather than as
18# served by the server. The server serves chain 1. The client has C2, NOT D,
19# installed as a trusted root. Therefore, the chain will validate as chain
20# 2, even though the server served chain 1.
21
# try CMD [ARG...]
#   Trace CMD (joined by spaces) on stdout, run it, and abort the whole
#   script with status 1 if it fails. Every step below goes through this
#   so a failure mid-way never leaves a half-built chain on disk unnoticed.
#   Shell redirections cannot be passed through it; wrap those in
#   `/bin/sh -c '...'` instead.
try () {
  printf '%s\n' "$*"
  if ! "$@"; then
    exit 1
  fi
}
26
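# Start from a clean scratch directory; every intermediate artifact
# (keys, CSRs, certs, openssl ca databases) lands in out/.
try rm -rf out
try mkdir out

echo Create the serial number files.
# One serial file per issuing CA. openssl ca (used below for D, C and B)
# reads and bumps the next serial from such a file; redundant-ca.cnf is
# presumed to locate it via $CERTIFICATE. The values only need to be unique
# per issuer, but distinct starting points keep the fixtures easy to tell
# apart. Redirection cannot go through `try`, hence the /bin/sh -c wrapper;
# $serial and $i are script-controlled, so interpolating them is safe.
serial=1000
for i in B C C2 D
do
  try /bin/sh -c "echo $serial > out/$i-serial"
  serial=$((serial + 1))
done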
37
echo Generate the keys.
# Four distinct 2048-bit RSA test keys. C2 deliberately has no key of its
# own: it is re-issued over C.key further down. These are throwaway fixture
# keys (A.key is even bundled into the output PEMs), not secrets.
for who in A B C D
do
  try openssl genrsa -out "out/$who.key" 2048
done
43
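# make_root NAME KEY COMMON_NAME
#   Build a self-signed root called NAME from KEY: a CSR, then a certificate
#   signed with the same key carrying the ca_cert extension section of
#   redundant-ca.cnf. CA_COMMON_NAME / CERTIFICATE are set only for the
#   openssl invocations; redundant-ca.cnf (not shown here) is presumed to
#   read them for the subject name and per-CA paths.
#   Notes for whoever regenerates these:
#   - Validity is pinned at 3650 days, so the checked-in fixtures expire and
#     must be regenerated before then.
#   - This step uses neither -CAserial nor -set_serial, so the out/*-serial
#     files are not consulted; openssl chooses the root's serial itself.
#   - `-text` prepends a human-readable dump to the PEM; consumers must be
#     happy to skip it.
make_root () {
  root_name=$1
  root_key=$2
  root_cn=$3

  echo "Generate the $root_name CSR."
  CA_COMMON_NAME="$root_cn" \
    CERTIFICATE="$root_name" \
    try openssl req \
      -new \
      -key "$root_key" \
      -out "out/$root_name.csr" \
      -config redundant-ca.cnf

  echo "$root_name signs itself."
  CA_COMMON_NAME="$root_cn" \
    try openssl x509 \
      -req -days 3650 \
      -in "out/$root_name.csr" \
      -extensions ca_cert \
      -extfile redundant-ca.cnf \
      -signkey "$root_key" \
      -out "out/$root_name.pem" \
      -text
}

# D: the root of the chain the server will actually serve.
make_root D out/D.key "D Root CA"

# C2: a second root over C's keypair, with the same CN as the C intermediate.
# Because it carries the same public key, a client that trusts C2 (and not
# D) will build the path A -> B -> C2 instead of the served A -> B -> C -> D.
make_root C2 out/C.key "C CA"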
83
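echo Generate the B and C intermediaries\' CSRs.
# Same CSR recipe for both intermediates; the subject CN is "<X> CA", which
# for C must match the CN used for the C2 root above so the two certificates
# differ only in issuer/signature, not in name or key.
for ca in B C
do
  CA_COMMON_NAME="$ca CA" \
    CERTIFICATE="$ca" \
    try openssl req \
      -new \
      -key "out/$ca.key" \
      -out "out/$ca.csr" \
      -config redundant-ca.cnf
done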
96
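# ca_sign ISSUER ISSUER_CN EXTENSIONS SUBJECT
#   Have ISSUER's `openssl ca` instance issue out/SUBJECT.pem from
#   out/SUBJECT.csr using the EXTENSIONS section of redundant-ca.cnf.
#   Validity, digest and the issuer's key/cert/serial/database paths are
#   not given on the command line; they come from redundant-ca.cnf, which
#   is presumed to select them via $CERTIFICATE. The extension section is
#   what separates CA certificates (ca_cert) from the leaf (user_cert), so
#   pass the right one -- a leaf issued with ca_cert would be a valid CA.
ca_sign () {
  issuer=$1
  issuer_cn=$2
  exts=$3
  subject=$4

  # openssl ca refuses to run without its database file, even an empty one.
  try touch "out/$issuer-index.txt"
  CA_COMMON_NAME="$issuer_cn" \
    CERTIFICATE="$issuer" \
    try openssl ca \
      -batch \
      -extensions "$exts" \
      -in "out/$subject.csr" \
      -out "out/$subject.pem" \
      -config redundant-ca.cnf
}

echo D signs the C intermediate.
ca_sign D "D Root CA" ca_cert C

echo C signs the B intermediate.
ca_sign C "C CA" ca_cert B

echo Generate the A end-entity CSR.
# The leaf uses its own config (ee.cnf) rather than the CA one.
try openssl req \
  -new \
  -key out/A.key \
  -out out/A.csr \
  -config ee.cnf

echo B signs A.
ca_sign B "B CA" user_cert A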
137
# Assemble the fixtures that the test consumes. Each chain PEM starts with
# A's (test-only) private key followed by the certificates, leaf first.
# Redirection cannot pass through `try`, so the cat runs under /bin/sh -c.

echo Create redundant-server-chain.pem
# Chain 1, exactly as the server serves it: A -> B -> C -> D.
try /bin/sh -c 'cat out/A.key out/A.pem out/B.pem out/C.pem out/D.pem > ../certificates/redundant-server-chain.pem'

echo Create redundant-validated-chain.pem
# Chain 2, what a client trusting C2 should end up validating: A -> B -> C2.
try /bin/sh -c 'cat out/A.key out/A.pem out/B.pem out/C2.pem > ../certificates/redundant-validated-chain.pem'

echo Create redundant-validated-chain-root.pem
# The trust anchor the client installs: C2 alone, never D.
try cp out/C2.pem ../certificates/redundant-validated-chain-root.pem
148
149