1#!/bin/sh
2
3# Copyright 2013 The Chromium Authors
4# Use of this source code is governed by a BSD-style license that can be
5# found in the LICENSE file.
6
# This script generates two roots - one legacy root signed with MD5, and
# another (newer) root signed with SHA256 - and a leaf certificate that is
# signed by them without any distinguishers (both roots share one key, so the
# single signature on the leaf verifies against either root).
10#
11# The "cross-signed" comes from the fact that both the MD5 and SHA256 roots
12# share the same Authority Key ID, Subject Key ID, Subject, and Subject Public
13# Key Info. When the chain building algorithm is evaluating paths, if it prefers
14# untrusted over trusted, then it will see the MD5 certificate as a self-signed
15# cert that is "cross-signed" by the trusted SHA256 root.
16#
# The SHA256 root should be (temporarily) trusted, and the resulting chain
# should be leaf -> SHA256root, not leaf -> MD5root, leaf -> SHA256root ->
# MD5root, or leaf -> MD5root -> SHA256root. In other words, when a path to
# the trusted root exists, the path builder must not let the MD5-signed
# certificate become part of the chain it reports.
20
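# try CMD [ARG...]
#
# Run CMD with its arguments. If it fails, print the failed command line to
# stderr and terminate the whole script with the command's exit status, so a
# half-generated fixture set is never copied into ../certificates.
#
# The failure branch is a brace group, not a parenthesised subshell: an
# `exit` inside `( ... )` only leaves that subshell, and the script would
# carry on after the first failed openssl invocation as if nothing happened.
try() {
  "$@" || {
    e=$?
    printf '%s\n' "$*" >&2
    exit "$e"
  }
}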
24
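# Start from an empty scratch directory so state left behind by a previous
# run (old serials, index entries, stale certs) cannot leak into the fixtures.
try rm -rf out
try mkdir out

# Seed the `openssl ca` serial and index database files. The redirection has
# to go through `sh -c`: `try` only sees its argument list, so a bare
# `try echo 01 > file` would redirect try's own stdout instead of echo's.
# Every step is wrapped in `try` so a failure aborts the script instead of
# leaving `openssl ca` to fail later with a less obvious error.
# NOTE(review): which key, serial and index `openssl ca` actually uses is
# decided by ca.cnf (not visible here); the md5 serial/index files may be
# unused - confirm against ca.cnf before relying on them.
try /bin/sh -c "echo 01 > out/2048-sha256-root-serial"
try /bin/sh -c "echo 02 > out/2048-md5-root-serial"
try touch out/2048-sha256-root-index.txt
try touch out/2048-md5-root-index.txt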
32
# One 2048-bit RSA key and one CSR are shared by both roots. That is what
# makes their Subject and Subject Public Key Info identical - and, assuming
# ca.cnf's ca_cert section derives Subject/Authority Key ID from the key (the
# header comment says they match), those too. The only thing that tells the
# two roots apart is the signature hash.
try openssl genrsa -out out/2048-sha256-root.key 2048

CA_COMMON_NAME="Test Dup-Hash Root CA" \
  try openssl req \
    -new \
    -config ca.cnf \
    -key out/2048-sha256-root.key \
    -out out/2048-sha256-root.req

# Self-sign the same request twice, once per digest, sha256 first. The MD5
# variant is the deliberately weak "legacy" root that a correct path builder
# must not end up on when the SHA256 root is trusted.
# NOTE(review): MD5 signing may be refused by OpenSSL builds that disable
# legacy digests (e.g. a FIPS provider); if so, regenerate with a build that
# still permits it rather than changing the digest of this fixture.
for digest in sha256 md5; do
  CA_COMMON_NAME="Test Dup-Hash Root CA" \
    try openssl x509 \
      -req -days 3650 \
      "-$digest" \
      -in out/2048-sha256-root.req \
      -signkey out/2048-sha256-root.key \
      -extfile ca.cnf \
      -extensions ca_cert \
      -text \
      -out "out/2048-$digest-root.pem"
done
65
# Leaf: generate a fresh key and CSR as described by ee.cnf. Nothing on the
# command line fixes the key size or disables key encryption, so both come
# from ee.cnf (presumably encrypt_key = no; otherwise this step prompts for
# a passphrase and the script is no longer unattended - confirm in ee.cnf).
try openssl req -new -config ee.cnf \
  -keyout out/ok_cert.key \
  -out out/ok_cert.req

# Sign the leaf through the CA database seeded above. ca.cnf decides which
# root key and cert act as issuer; since both roots hold the same key, the
# resulting signature verifies against either of them, and the leaf carries
# nothing that prefers one root over the other - that ambiguity is the point
# of the fixture.
CA_COMMON_NAME="Test Dup-Hash Root CA" \
  try openssl ca -batch -config ca.cnf \
    -extensions user_cert \
    -days 3650 \
    -in out/ok_cert.req \
    -out out/ok_cert.pem
82
# Publish the fixtures into the checked-in certificates directory. The path
# is relative to this script, so it has to be run from its own directory.
# `openssl x509 -text` re-emits each cert as a human-readable dump followed
# by the PEM block, which is the form the test data directory keeps.
# NOTE(review): the redirection sits outside `try`, so if openssl fails the
# target file has already been truncated by the time the script aborts;
# check `git status` in ../certificates after a failed run.
publish_cert() {
  try openssl x509 -text -in "out/$1.pem" > "../certificates/$2.pem"
}

publish_cert 2048-md5-root    cross-signed-root-md5
publish_cert 2048-sha256-root cross-signed-root-sha256
publish_cert ok_cert          cross-signed-leaf
89