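#!/bin/sh

# Copyright (c) 2012 The Chromium Authors. All rights reserved.
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.

# This script generates two chains of test certificates:
#
# 1. A (end-entity) -> B -> C -> D (self-signed root)
# 2. A (end-entity) -> B -> C2 (self-signed root)
#
# in which A, B, C, and D have distinct keypairs. C2 is a self-signed root
# certificate that uses the same keypair as C.
#
# We use these cert chains in
# SSLClientSocketTest.VerifyReturnChainProperlyOrdered to ensure that
# SSLInfo objects see the certificate chain as validated rather than as
# served by the server. The server serves chain 1. The client has C2, NOT D,
# installed as a trusted root. Therefore, the chain will validate as chain
# 2, even though the server served chain 1.
#
# Everything produced here is test-fixture material: the private keys are
# written in the clear under out/, and the end-entity key is concatenated
# into the generated chain files. Never reuse any of it outside the tests.
#
# Inputs: redundant-ca.cnf and ee.cnf in the current directory (read by
# openssl; their contents are not part of this script). Outputs: scratch
# material in ./out and the final PEM files in ../certificates/.

# Echo a command line, run it, and abort the whole script if it fails.
# Every generation step goes through this so a failed openssl step cannot
# leave a half-built chain that later steps silently consume.
try () {
  echo "$@"
  "$@" || exit 1
}

try rm -rf -- out
try mkdir out

echo Create the serial number files.
# One serial file per signer (B, C, C2, D), each starting at a distinct
# value so serials issued by different signers do not collide. The files
# are presumably consumed via redundant-ca.cnf, which is not shown here.
serial=1000
for i in B C C2 D
do
  # A direct redirect replaces the original /bin/sh -c round trip; the
  # explicit exit keeps try's abort-on-failure semantics for this step.
  echo "$serial" > "out/$i-serial" || exit 1
  serial=$((serial + 1))
done

echo Generate the keys.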
# One fresh 2048-bit RSA key per distinct keypair. C2 deliberately gets no
# key of its own: it is issued later from out/C.key so that it shares a
# keypair with C.
for k in A B C D
do
  try openssl genrsa -out "out/$k.key" 2048
done

echo Generate the D CSR.
# CA_COMMON_NAME and CERTIFICATE are consumed by redundant-ca.cnf (not shown
# here). NOTE(review): the temporary-assignment prefix on a shell *function*
# relies on the shell passing those variables down to the openssl child;
# how `VAR=x func` behaves is shell-dependent under POSIX sh — confirm for
# the /bin/sh this is run with.
CA_COMMON_NAME="D Root CA" \
  CERTIFICATE=D \
  try openssl req \
    -new \
    -config redundant-ca.cnf \
    -key "out/D.key" \
    -out "out/D.csr"

echo D signs itself.
# Self-sign D as the root of chain 1; -extensions ca_cert pulls the CA
# extension set out of redundant-ca.cnf. -text prepends a human-readable
# dump to the PEM. The fixed 3650-day validity means this fixture expires
# and has to be regenerated eventually.
CA_COMMON_NAME="D Root CA" \
  try openssl x509 \
    -req \
    -days 3650 \
    -in "out/D.csr" \
    -signkey "out/D.key" \
    -extfile redundant-ca.cnf \
    -extensions ca_cert \
    -text \
    -out "out/D.pem"

echo Generate the C2 root CSR.
# C2 is requested with C's private key and the same CA_COMMON_NAME ("C CA")
# that C itself is requested with below. Sharing key and name is what lets
# a verifier that trusts C2 terminate chain 2 at C2 instead of going on to D.
CA_COMMON_NAME="C CA" \
  CERTIFICATE=C2 \
  try openssl req \
    -new \
    -config redundant-ca.cnf \
    -key "out/C.key" \
    -out "out/C2.csr"

echo C2 signs itself.
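# Self-sign C2 as the root of chain 2. Note -signkey out/C.key: C2 has no
# key of its own, it is C's key under a self-issued certificate.
CA_COMMON_NAME="C CA" \
  try openssl x509 \
    -req \
    -days 3650 \
    -in "out/C2.csr" \
    -signkey "out/C.key" \
    -extfile redundant-ca.cnf \
    -extensions ca_cert \
    -text \
    -out "out/C2.pem"

echo Generate the B and C intermediaries\' CSRs.
# Requests for the two intermediates, with CA_COMMON_NAME "B CA" / "C CA".
# The C request carries the same key and name as C2 above; what separates C
# from C2 is only who signs it (D below versus itself).
# The unused `name="$i Intermediate CA"` assignment from the original has
# been dropped: nothing in the script read it.
for i in B C
do
  CA_COMMON_NAME="$i CA" \
    CERTIFICATE="$i" \
    try openssl req \
      -new \
      -config redundant-ca.cnf \
      -key "out/$i.key" \
      -out "out/$i.csr"
done

echo D signs the C intermediate.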
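# openssl ca needs an (initially empty) issued-certificate database for the
# signer; redundant-ca.cnf presumably maps it to out/<CERTIFICATE>-index.txt.
# The touch now goes through try so a failure aborts here instead of
# surfacing later as an unrelated "openssl ca" error.
try touch out/D-index.txt
# NOTE(review): no -days or -md on the command line, so the validity period
# and signature digest of the CA-issued certificates come from the config
# defaults — confirm redundant-ca.cnf sets what the test expects.
CA_COMMON_NAME="D Root CA" \
  CERTIFICATE=D \
  try openssl ca \
    -batch \
    -config redundant-ca.cnf \
    -extensions ca_cert \
    -in "out/C.csr" \
    -out "out/C.pem"

echo C signs the B intermediate.
try touch out/C-index.txt
CA_COMMON_NAME="C CA" \
  CERTIFICATE=C \
  try openssl ca \
    -batch \
    -config redundant-ca.cnf \
    -extensions ca_cert \
    -in "out/B.csr" \
    -out "out/B.pem"

echo Generate the A end-entity CSR.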
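# The leaf request takes its subject details from ee.cnf (not shown here),
# so it needs none of the CA_COMMON_NAME / CERTIFICATE variables.
try openssl req \
  -new \
  -config ee.cnf \
  -key "out/A.key" \
  -out "out/A.csr"

echo B signs A.
try touch out/B-index.txt
# user_cert rather than ca_cert: A must be a leaf, not another CA.
CA_COMMON_NAME="B CA" \
  CERTIFICATE=B \
  try openssl ca \
    -batch \
    -config redundant-ca.cnf \
    -extensions user_cert \
    -in "out/A.csr" \
    -out "out/A.pem"

# Both bundles begin with A's PRIVATE key. They are presumably what the test
# server loads, so shipping the key in the clear next to the chain is
# intentional — but it also means these files must never be mistaken for
# real credentials. The subshell round trip through /bin/sh -c has been
# replaced by a direct redirect with an explicit abort on failure.
echo Create redundant-server-chain.pem
# Chain 1, exactly as the test server serves it: A, B, C, D.
cat out/A.key out/A.pem out/B.pem out/C.pem out/D.pem \
  > ../certificates/redundant-server-chain.pem || exit 1

echo Create redundant-validated-chain.pem
# Chain 2, the path a client that trusts C2 is expected to build: A, B, C2.
cat out/A.key out/A.pem out/B.pem out/C2.pem \
  > ../certificates/redundant-validated-chain.pem || exit 1

echo Create redundant-validated-chain-root.pem
# The trust anchor the test installs on the client side: C2, deliberately
# not D.
try cp out/C2.pem ../certificates/redundant-validated-chain-root.pem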