#!/bin/sh

# Copyright 2013 The Chromium Authors. All rights reserved.
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.

# This script generates a set of test (end-entity, intermediate, root)
# certificates that can be used to test fetching of an intermediate via AIA.

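# Log a command line, run it, and abort the whole script if it fails.
# Arguments: the command and its arguments.
# Outputs:   the command line on stdout; a failure diagnostic on stderr.
# Returns:   0 on success; on failure the script exits with status 1.
try() {
  # printf rather than echo: echo would misinterpret a leading -n/-e
  # argument and some /bin/sh implementations expand backslash sequences.
  printf '%s\n' "$*"
  "$@" || {
    printf 'failed: %s\n' "$*" >&2
    exit 1
  }
}
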
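# Start from an empty output directory so keys or certificates left over
# from a previous run cannot be picked up by mistake.
try rm -rf out
try mkdir out

# Seed the CA database used by "openssl ca" below. The serial file starts at
# 01 and is advanced by one per issued certificate, so the issuance order of
# the leaf certificates determines their serials (the CRLSet section relies
# on that). Both file names must match the serial/database entries in
# ca.cnf (not visible here — confirm if they are renamed).
# A plain redirection is used instead of "/bin/sh -c" so no extra shell is
# spawned; the failure check is done inline because try() cannot cover a
# redirection.
printf '01\n' > out/2048-sha256-root-serial || exit 1
# The index (CA database) only needs to exist; it may be empty.
try touch out/2048-sha256-root-index.txt
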
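# Generate the root key: 2048-bit RSA, written unencrypted because genrsa is
# run without a cipher option. This is a test-only key.
try openssl genrsa -out out/2048-sha256-root.key 2048

# Generate the root certificate: first a request, then self-sign it with the
# ca_cert extensions from ca.cnf. CA_COMMON_NAME is placed in the
# environment of the openssl process (presumably referenced from ca.cnf as
# the subject CN — confirm in the config).
CA_COMMON_NAME="Test Root CA" \
  try openssl req \
    -new \
    -key out/2048-sha256-root.key \
    -out out/2048-sha256-root.req \
    -config ca.cnf

# The signature digest is given explicitly so the certificate really is
# SHA-256 signed, as its file name promises, regardless of which default
# digest the installed OpenSSL version uses. -text appends a human-readable
# dump to the PEM output.
CA_COMMON_NAME="Test Root CA" \
  try openssl x509 \
    -req -days 3650 \
    -sha256 \
    -in out/2048-sha256-root.req \
    -out out/2048-sha256-root.pem \
    -signkey out/2048-sha256-root.key \
    -extfile ca.cnf \
    -extensions ca_cert \
    -text
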
# Generate the leaf certificate requests. Each request gets a fresh key in
# out/<name>.key and takes its subject and defaults from ee.cnf.
# NOTE(review): no -nodes is given, so whether the key is written
# unencrypted depends on ee.cnf (encrypt_key) — confirm there.
# The order here does not affect serial numbers; only the signing order in
# the "openssl ca" section below does.
for leaf in expired_cert ok_cert; do
  try openssl req \
    -new \
    -keyout "out/$leaf.key" \
    -out "out/$leaf.req" \
    -config ee.cnf
done

# Sign one leaf request with the test root CA.
# Arguments: $1 - request file name under out/
#            $2 - output certificate file name under out/
#            remaining arguments - the -extensions section name, followed by
#              any extra "openssl ca" options (validity, -subj override, ...)
# Serials come from out/2048-sha256-root-serial and advance by one per call,
# so the order of the calls below is significant (see the CRLSet section).
issue_leaf() {
  leaf_req=$1
  leaf_out=$2
  shift 2
  CA_COMMON_NAME="Test Root CA" \
    try openssl ca \
      -batch \
      -extensions "$@" \
      -in "out/$leaf_req" \
      -out "out/$leaf_out" \
      -config ca.cnf
}

# Generate the leaf certificates.
# Serial 01: a certificate whose validity period (2006-2007) is already over.
issue_leaf expired_cert.req expired_cert.pem user_cert \
  -startdate 060101000000Z \
  -enddate 070101000000Z

# Serial 02: the plain, currently valid leaf.
issue_leaf ok_cert.req ok_cert.pem user_cert \
  -days 3650

# Serials 03 and 04: ok_cert's request re-issued under the name-constraint
# extension sections from ca.cnf (presumably one violating and one
# satisfying the constraints, going by the names). -subj replaces the
# subject carried in the request; note the two differ only in the case of
# "certificate".
issue_leaf ok_cert.req name_constraint_bad.pem name_constraint_bad \
  -subj "/CN=Leaf certificate/" \
  -days 3650

issue_leaf ok_cert.req name_constraint_good.pem name_constraint_good \
  -subj "/CN=Leaf Certificate/" \
  -days 3650

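# Bundle a private key and its certificate into a single PEM file under
# ../certificates, which must already exist. The bundles deliberately
# contain the (test-only) private keys.
# Arguments: $1 - key file, $2 - certificate file, $3 - destination file
# Outputs:   the command line on stdout, like try()
# Returns:   exits the script with status 1 if cat or the redirection fails;
#            done inline because try() cannot cover a redirection and a
#            "/bin/sh -c" wrapper would spawn a shell just to get one.
bundle() {
  printf 'cat %s %s > %s\n' "$1" "$2" "$3"
  cat -- "$1" "$2" > "$3" || exit 1
}

bundle out/ok_cert.key out/ok_cert.pem ../certificates/ok_cert.pem
bundle out/expired_cert.key out/expired_cert.pem \
  ../certificates/expired_cert.pem
bundle out/2048-sha256-root.key out/2048-sha256-root.pem \
  ../certificates/root_ca_cert.pem
# The name-constraint certificates were issued from ok_cert's request, so
# they are paired with ok_cert's key.
bundle out/ok_cert.key out/name_constraint_bad.pem \
  ../certificates/name_constraint_bad.pem
bundle out/ok_cert.key out/name_constraint_good.pem \
  ../certificates/name_constraint_good.pem
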
# Now generate the one-off certs: each is self-signed (-x509) over a fresh
# 2048-bit RSA key, configured from ../scripts/ee.cnf.
# NOTE(review): no -keyout is given, so each key is written to the default
# key file openssl req takes from the config (privkey.pem in the current
# directory if unset) and overwritten by the next call — confirm the tests
# do not need these keys.

# Write one self-signed one-off certificate to $1; the remaining arguments
# (typically "-extensions <section>") are inserted before -config.
one_off_cert() {
  one_off_out=$1
  shift
  try openssl req -x509 -days 3650 "$@" \
    -config ../scripts/ee.cnf -newkey rsa:2048 -text \
    -out "$one_off_out"
}

## SHA-256 general test cert (signature digest requested explicitly).
## NOTE(review): unlike the others this lands in the current directory
## rather than ../certificates — confirm that is intended.
try openssl req -x509 -days 3650 \
    -config ../scripts/ee.cnf -newkey rsa:2048 -text \
    -sha256 \
    -out sha256.pem

## Self-signed cert for SPDY/QUIC/HTTP2 pooling testing
one_off_cert ../certificates/spdy_pooling.pem -extensions req_spdy_pooling

## SubjectAltName parsing
one_off_cert ../certificates/subjectAltName_sanity_check.pem \
  -extensions req_san_sanity

## Punycode handling. SUBJECT_NAME is passed in the environment of openssl
## (presumably selecting the DN section in ee.cnf — confirm in the config).
SUBJECT_NAME="req_punycode_dn" \
  one_off_cert ../certificates/punycodetest.pem -extensions req_punycode

# Regenerate CRLSets. They reference the certificates produced above by file
# name, so they must be rebuilt whenever those certificates (and thus their
# keys and serials) are regenerated.

# Build one CRLSet from the JSON description on stdin and write it to $1.
make_crlset() {
  try python crlsetutil.py -o "$1"
}

## Block a leaf cert directly by SPKI
make_crlset ../certificates/crlset_by_leaf_spki.raw <<CRLBYLEAFSPKI
{
  "BlockedBySPKI": ["../certificates/ok_cert.pem"]
}
CRLBYLEAFSPKI

## Block a leaf cert by issuer-hash-and-serial (ok_cert.pem == serial 2, by
## virtue of the serial file and ordering above).
make_crlset ../certificates/crlset_by_root_serial.raw <<CRLBYROOTSERIAL
{
  "BlockedByHash": {
    "../certificates/root_ca_cert.pem": [2]
  }
}
CRLBYROOTSERIAL

## Block a leaf cert by issuer-hash-and-serial. However, this will be issued
## from an intermediate CA issued underneath a root. quic_intermediate.crt is
## not produced by this script; it must already exist in ../certificates
## (presumably generated elsewhere).
make_crlset ../certificates/crlset_by_intermediate_serial.raw \
<<CRLSETBYINTERMEDIATESERIAL
{
  "BlockedByHash": {
    "../certificates/quic_intermediate.crt": [3]
  }
}
CRLSETBYINTERMEDIATESERIAL