1#!/bin/sh 2 3# Copyright 2013 The Chromium Authors 4# Use of this source code is governed by a BSD-style license that can be 5# found in the LICENSE file. 6 7# This script generates two chains of test certificates: 8# 1. A1 (end-entity) -> B (self-signed root) 9# 2. A2 (end-entity) -> B (self-signed root) 10# 11# In which A1 and A2 share the same key, the same subject common name, but have 12# distinct O values in their subjects. 13# 14# This is used to test that NSS can properly generate unique certificate 15# nicknames for both certificates. 16 17try () { 18 echo "$@" 19 "$@" || exit 1 20} 21 22try rm -rf out 23try mkdir out 24 25echo Create the serial number and index files. 26try /bin/sh -c "echo 01 > out/B-serial" 27try touch out/B-index.txt 28 29echo Generate the keys. 30try openssl genrsa -out out/A.key 2048 31try openssl genrsa -out out/B.key 2048 32 33echo Generate the B CSR. 34CA_COMMON_NAME="B Root CA" \ 35 CERTIFICATE=B \ 36 try openssl req \ 37 -new \ 38 -key out/B.key \ 39 -out out/B.csr \ 40 -config redundant-ca.cnf 41 42echo B signs itself. 43CA_COMMON_NAME="B Root CA" \ 44 try openssl x509 \ 45 -req -days 3650 \ 46 -in out/B.csr \ 47 -extfile redundant-ca.cnf \ 48 -extensions ca_cert \ 49 -signkey out/B.key \ 50 -out out/B.pem 51 52echo Generate the A1 end-entity CSR. 53SUBJECT_NAME=req_duplicate_cn_1 \ 54 try openssl req \ 55 -new \ 56 -key out/A.key \ 57 -out out/A1.csr \ 58 -config ee.cnf 59 60echo Generate the A2 end-entity CSR 61SUBJECT_NAME=req_duplicate_cn_2 \ 62 try openssl req \ 63 -new \ 64 -key out/A.key \ 65 -out out/A2.csr \ 66 -config ee.cnf 67 68 69echo B signs A1. 70CA_COMMON_NAME="B CA" \ 71 CERTIFICATE=B \ 72 try openssl ca \ 73 -batch \ 74 -extensions user_cert \ 75 -in out/A1.csr \ 76 -out out/A1.pem \ 77 -config redundant-ca.cnf 78 79echo B signs A2. 80CA_COMMON_NAME="B CA" \ 81 CERTIFICATE=B \ 82 try openssl ca \ 83 -batch \ 84 -extensions user_cert \ 85 -in out/A2.csr \ 86 -out out/A2.pem \ 87 -config redundant-ca.cnf 88 89echo Exporting the certificates to PKCS#12 90try openssl pkcs12 \ 91 -export \ 92 -inkey out/A.key \ 93 -in out/A1.pem \ 94 -out ../certificates/duplicate_cn_1.p12 \ 95 -passout pass:chrome 96 97try openssl pkcs12 \ 98 -export \ 99 -inkey out/A.key \ 100 -in out/A2.pem \ 101 -out ../certificates/duplicate_cn_2.p12 \ 102 -passout pass:chrome 103 104try cp out/A1.pem ../certificates/duplicate_cn_1.pem 105try cp out/A2.pem ../certificates/duplicate_cn_2.pem 106