xref: /external/chromium_org/net/data/ssl/scripts/generate-weak-test-chains.sh

#!/bin/sh

# Copyright (c) 2011 The Chromium Authors. All rights reserved.
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.

# This script generates a set of test (end-entity, intermediate, root)
# certificates with (weak, strong), (RSA, DSA, ECDSA) key pairs.

key_types="768-rsa 1024-rsa 2048-rsa prime256v1-ecdsa"

try () {
  echo "$@"
  "$@" || exit 1
}

generate_key_command () {
  case "$1" in
    dsa)
      echo "dsaparam -genkey"
      ;;
    ecdsa)
      echo "ecparam -genkey"
      ;;
    rsa)
      echo genrsa
      ;;
    *)
      exit 1
  esac
}

try rm -rf out
try mkdir out

# Create the serial number files.
try /bin/sh -c "echo 01 > out/2048-rsa-root-serial"
for key_type in $key_types
do
  try /bin/sh -c "echo 01 > out/$key_type-intermediate-serial"
done

# Generate one root CA certificate.
try openssl genrsa -out out/2048-rsa-root.key 2048

CA_COMMON_NAME="2048 RSA Test Root CA" \
  CA_DIR=out \
  CA_NAME=req_env_dn \
  KEY_SIZE=2048 \
  ALGO=rsa \
  CERT_TYPE=root \
  try openssl req \
    -new \
    -key out/2048-rsa-root.key \
    -extensions ca_cert \
    -out out/2048-rsa-root.csr \
    -config ca.cnf

CA_COMMON_NAME="2048 RSA Test Root CA" \
  CA_DIR=out \
  CA_NAME=req_env_dn \
  try openssl x509 \
    -req -days 3650 \
    -in out/2048-rsa-root.csr \
    -extensions ca_cert \
    -extfile ca.cnf \
    -signkey out/2048-rsa-root.key \
    -out out/2048-rsa-root.pem \
    -text

# Generate private keys of all types and strengths for intermediate CAs and
# end-entities.
for key_type in $key_types
do
  key_size=$(echo "$key_type" | sed -E 's/-.+//')
  algo=$(echo "$key_type" | sed -E 's/.+-//')

  if [ ecdsa = $algo ]
  then
    key_size="-name $key_size"
  fi

  try openssl $(generate_key_command $algo) \
    -out out/$key_type-intermediate.key $key_size
done

for key_type in $key_types
do
  key_size=$(echo "$key_type" | sed -E 's/-.+//')
  algo=$(echo "$key_type" | sed -E 's/.+-//')

  if [ ecdsa = $algo ]
  then
    key_size="-name $key_size"
  fi

  for signer_key_type in $key_types
  do
    try openssl $(generate_key_command $algo) \
      -out out/$key_type-ee-by-$signer_key_type-intermediate.key $key_size
  done
done

# The root signs the intermediates.
for key_type in $key_types
do
  key_size=$(echo "$key_type" | sed -E 's/-.+//')
  algo=$(echo "$key_type" | sed -E 's/.+-//')

  CA_COMMON_NAME="$key_size $algo Test intermediate CA" \
    CA_DIR=out \
    CA_NAME=req_env_dn \
    KEY_SIZE=$key_size \
    ALGO=$algo \
    CERT_TYPE=intermediate \
    try openssl req \
      -new \
      -key out/$key_type-intermediate.key \
      -out out/$key_type-intermediate.csr \
      -config ca.cnf

  # Make sure the signer's DB file exists.
  touch out/2048-rsa-root-index.txt

  CA_COMMON_NAME="2048 RSA Test Root CA" \
    CA_DIR=out \
    CA_NAME=req_env_dn \
    KEY_SIZE=2048 \
    ALGO=rsa \
    CERT_TYPE=root \
    try openssl ca \
      -batch \
      -extensions ca_cert \
      -in out/$key_type-intermediate.csr \
      -out out/$key_type-intermediate.pem \
      -config ca.cnf
done

# The intermediates sign the end-entities.
for key_type in $key_types
do
  for signer_key_type in $key_types
  do
    key_size=$(echo "$key_type" | sed -E 's/-.+//')
    algo=$(echo "$key_type" | sed -E 's/.+-//')
    signer_key_size=$(echo "$signer_key_type" | sed -E 's/-.+//')
    signer_algo=$(echo "$signer_key_type" | sed -E 's/.+-//')
    touch out/$signer_key_type-intermediate-index.txt

    KEY_SIZE=$key_size \
      try openssl req \
        -new \
        -key out/$key_type-ee-by-$signer_key_type-intermediate.key \
        -out out/$key_type-ee-by-$signer_key_type-intermediate.csr \
        -config ee.cnf

    CA_COMMON_NAME="$signer_key_size $algo Test intermediate CA" \
      CA_DIR=out \
      CA_NAME=req_env_dn \
      KEY_SIZE=$signer_key_size \
      ALGO=$signer_algo \
      CERT_TYPE=intermediate \
      try openssl ca \
        -batch \
        -in out/$key_type-ee-by-$signer_key_type-intermediate.csr \
        -out out/$key_type-ee-by-$signer_key_type-intermediate.pem \
        -config ca.cnf
  done
done

# Copy final outputs.
try cp out/*root*pem out/*intermediate*pem ../certificates