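#!/bin/sh

# Copyright 2013 The Chromium Authors. All rights reserved.
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.

# This script generates a set of test (end-entity, intermediate, root)
# certificates that can be used to test fetching of an intermediate via AIA.
# It also regenerates the CRLSet fixtures that reference those certificates.
#
# All paths are relative to the current directory: the CA config is read as
# ca.cnf, the end-entity config as ee.cnf / ../scripts/ee.cnf, scratch files
# go to out/, and the results are written to ../certificates/. Both config
# spellings resolve to the same file only when run from the scripts directory.
#
# Each bundle written to ../certificates/ contains the private key followed by
# the certificate; these are test fixtures, not material for real deployments.

# Treat any unset variable as an error (POSIX sh; no pipefail available).
set -u

#######################################
# Print a command line, run it, and abort the whole script if it fails.
# Arguments: the command and its arguments.
# Outputs:   the command line on stdout, then whatever the command prints.
# Returns:   0, or exits the script with status 1 on failure.
#######################################
try() {
  printf '%s\n' "$*"
  "$@" || exit 1
}

#######################################
# Concatenate files into one output file, aborting on failure. Used to bundle
# a private key with its certificate (key first) into a single PEM fixture.
# Arguments: $1 - output path; $2.. - input files, in order.
# Outputs:   the equivalent shell command on stdout.
# Returns:   0, or exits the script with status 1 on failure.
#######################################
bundle() {
  # POSIX sh has no 'local'; the prefix avoids clobbering anything else.
  bundle_out=$1
  shift
  printf 'cat %s > %s\n' "$*" "$bundle_out"
  cat "$@" > "$bundle_out" || exit 1
}

try rm -rf out
try mkdir out

# Seed the root CA's database: serials are handed out starting at 01, so the
# first certificate signed below (expired_cert) gets serial 1 and the second
# (ok_cert) gets serial 2. The CRLSet section at the bottom depends on this.
printf '01\n' > out/2048-sha256-root-serial || exit 1
try touch out/2048-sha256-root-index.txt

# Generate the key
try openssl genrsa -out out/2048-sha256-root.key 2048

# Generate the root certificate (self-signed, 10 years, ca_cert extensions).
CA_COMMON_NAME="Test Root CA" \
  try openssl req \
    -new \
    -key out/2048-sha256-root.key \
    -out out/2048-sha256-root.req \
    -config ca.cnf

CA_COMMON_NAME="Test Root CA" \
  try openssl x509 \
    -req -days 3650 \
    -in out/2048-sha256-root.req \
    -out out/2048-sha256-root.pem \
    -signkey out/2048-sha256-root.key \
    -extfile ca.cnf \
    -extensions ca_cert \
    -text

# Generate the leaf certificate requests.
# NOTE(review): whether the keys written by -keyout are passphrase-protected
# depends on ee.cnf (encrypt_key), which is not visible here.
try openssl req \
  -new \
  -keyout out/expired_cert.key \
  -out out/expired_cert.req \
  -config ee.cnf

try openssl req \
  -new \
  -keyout out/ok_cert.key \
  -out out/ok_cert.req \
  -config ee.cnf

# Generate the leaf certificates.
# expired_cert: explicit validity 2006-01-01 to 2007-01-01 (UTCTime), so it is
# always already expired. Signed first, hence serial 1.
CA_COMMON_NAME="Test Root CA" \
  try openssl ca \
    -batch \
    -extensions user_cert \
    -startdate 060101000000Z \
    -enddate 070101000000Z \
    -in out/expired_cert.req \
    -out out/expired_cert.pem \
    -config ca.cnf

# ok_cert: valid for 10 years. Signed second, hence serial 2.
CA_COMMON_NAME="Test Root CA" \
  try openssl ca \
    -batch \
    -extensions user_cert \
    -days 3650 \
    -in out/ok_cert.req \
    -out out/ok_cert.pem \
    -config ca.cnf

# Two more certificates from the ok_cert request (so they share its key),
# differing only in the name-constraint extension set chosen from ca.cnf and
# the subject CN override.
CA_COMMON_NAME="Test Root CA" \
  try openssl ca \
    -batch \
    -extensions name_constraint_bad \
    -subj "/CN=Leaf certificate/" \
    -days 3650 \
    -in out/ok_cert.req \
    -out out/name_constraint_bad.pem \
    -config ca.cnf

CA_COMMON_NAME="Test Root CA" \
  try openssl ca \
    -batch \
    -extensions name_constraint_good \
    -subj "/CN=Leaf Certificate/" \
    -days 3650 \
    -in out/ok_cert.req \
    -out out/name_constraint_good.pem \
    -config ca.cnf

# Bundle key + certificate into the fixtures used by the tests.
bundle ../certificates/ok_cert.pem out/ok_cert.key out/ok_cert.pem
bundle ../certificates/expired_cert.pem out/expired_cert.key out/expired_cert.pem
bundle ../certificates/root_ca_cert.pem \
  out/2048-sha256-root.key out/2048-sha256-root.pem
bundle ../certificates/name_constraint_bad.pem \
  out/ok_cert.key out/name_constraint_bad.pem
bundle ../certificates/name_constraint_good.pem \
  out/ok_cert.key out/name_constraint_good.pem

# Now generate the one-off certs
## SHA-256 general test cert
# NOTE(review): this one is written to the current directory, unlike the other
# one-off certs which go to ../certificates/ — confirm that is intended.
try openssl req -x509 -days 3650 \
  -config ../scripts/ee.cnf -newkey rsa:2048 -text \
  -sha256 \
  -out sha256.pem

## Self-signed cert for SPDY/QUIC/HTTP2 pooling testing
try openssl req -x509 -days 3650 -extensions req_spdy_pooling \
  -config ../scripts/ee.cnf -newkey rsa:2048 -text \
  -out ../certificates/spdy_pooling.pem

## SubjectAltName parsing
try openssl req -x509 -days 3650 -extensions req_san_sanity \
  -config ../scripts/ee.cnf -newkey rsa:2048 -text \
  -out ../certificates/subjectAltName_sanity_check.pem

## Punycode handling
SUBJECT_NAME="req_punycode_dn" \
  try openssl req -x509 -days 3650 -extensions req_punycode \
    -config ../scripts/ee.cnf -newkey rsa:2048 -text \
    -out ../certificates/punycodetest.pem

# Regenerate CRLSets. Each here-document is the JSON spec read by crlsetutil.py
# on stdin; the delimiters are unquoted but the bodies contain no expansions.
## Block a leaf cert directly by SPKI
try python crlsetutil.py -o ../certificates/crlset_by_leaf_spki.raw \
<<CRLBYLEAFSPKI
{
  "BlockedBySPKI": ["../certificates/ok_cert.pem"]
}
CRLBYLEAFSPKI

## Block a leaf cert by issuer-hash-and-serial (ok_cert.pem == serial 2, by
## virtue of the serial file and ordering above.
try python crlsetutil.py -o ../certificates/crlset_by_root_serial.raw \
<<CRLBYROOTSERIAL
{
  "BlockedByHash": {
    "../certificates/root_ca_cert.pem": [2]
  }
}
CRLBYROOTSERIAL

## Block a leaf cert by issuer-hash-and-serial. However, this will be issued
## from an intermediate CA issued underneath a root.
## (quic_intermediate.crt is not produced by this script; it must already
## exist in ../certificates/.)
try python crlsetutil.py -o ../certificates/crlset_by_intermediate_serial.raw \
<<CRLSETBYINTERMEDIATESERIAL
{
  "BlockedByHash": {
    "../certificates/quic_intermediate.crt": [3]
  }
}
CRLSETBYINTERMEDIATESERIAL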