1#!/bin/sh
2
3# Copyright 2013 The Chromium Authors
4# Use of this source code is governed by a BSD-style license that can be
5# found in the LICENSE file.
6
7# This script generates a set of test (end-entity, intermediate, root)
8# certificates that can be used to test fetching of an intermediate via AIA.
set -ex

# Upper bound, in days, on the lifetime of any certificate that may be run
# through a "real" verifier; effectively
#   min(OS verifier max lifetime for local certs,
#       built-in verifier max lifetime for local certs)
# The built-in verifier currently allows 39 months; the OS verifier allows
# 825 days (iOS 13 / macOS 10.15, https://support.apple.com/en-us/HT210176).
# 730 is simply shorthand for two years.
CERT_LIFETIME=730

# Start from an empty scratch tree. out/int holds the intermediate CA's own
# serial and index files so they stay separate from the root's.
rm -rf out
mkdir out out/int

# Random starting serial plus an empty index database for the root CA.
openssl rand -hex -out out/2048-sha256-root-serial 16
touch out/2048-sha256-root-index.txt
29# Generate the key or copy over the existing one if present.
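# Reuse the private key embedded in an existing PEM bundle, or generate a
# fresh RSA-2048 key when no key is present.
#
# Arguments:
#   $1 - path to an existing PEM file that may contain a PRIVATE KEY block
#        (may be absent, e.g. on a first run)
#   $2 - path the private key is written to
#
# Reusing the checked-in key keeps a regenerated certificate bound to the same
# key pair as the bundle it replaces.
#
# Declared with POSIX function syntax: this script runs under /bin/sh, and the
# bash-only `function` keyword is not accepted by every /bin/sh (e.g. dash).
copy_or_generate_key() {
  existing_pem_filename="$1"
  out_key_filename="$2"
  # The -f guard only keeps grep from complaining on stderr when the bundle
  # does not exist yet; the outcome (generate a new key) is the same.
  if [ -f "$existing_pem_filename" ] &&
      grep -q -- '-----BEGIN.*PRIVATE KEY-----' "$existing_pem_filename"; then
    openssl pkey -in "$existing_pem_filename" -out "$out_key_filename"
  else
    openssl genpkey -algorithm rsa -pkeyopt rsa_keygen_bits:2048 \
      -out "$out_key_filename"
  fi
}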
40
# Root CA: reuse the checked-in key if present, build a CSR, then self-sign it
# for ten years with the ca_cert extensions from ca.cnf. CA_NAME is consumed
# by ca.cnf; from its value it looks like it selects the DN section — confirm
# against ca.cnf.
copy_or_generate_key ../certificates/root_ca_cert.pem out/2048-sha256-root.key

CA_NAME=req_ca_dn openssl req -new -config ca.cnf \
  -key out/2048-sha256-root.key \
  -out out/2048-sha256-root.req

# -text prints the decoded certificate ahead of the PEM block; both go into
# the same file via the redirect.
CA_NAME=req_ca_dn openssl x509 -req -days 3650 -text \
  -extfile ca.cnf -extensions ca_cert \
  -in out/2048-sha256-root.req \
  -signkey out/2048-sha256-root.key \
  > out/2048-sha256-root.pem
60
# Intermediate CA. Its serial and index files live under out/int, separate
# from the root's database.
openssl rand -hex -out out/int/2048-sha256-int-serial 16
touch out/int/2048-sha256-int-index.txt

copy_or_generate_key ../certificates/intermediate_ca_cert.pem \
  out/int/2048-sha256-int.key

CA_NAME=req_intermediate_dn openssl req -new -config ca.cnf \
  -key out/int/2048-sha256-int.key \
  -out out/int/2048-sha256-int.req

# Signed for ten years with the ca_cert extensions. With neither CA_DIR nor
# CERT_TYPE set, ca.cnf presumably resolves to the root CA (the later
# CA_DIR=out/int invocation is what switches to the intermediate) — confirm.
CA_NAME=req_intermediate_dn openssl ca -batch -config ca.cnf \
  -extensions ca_cert -days 3650 \
  -in out/int/2048-sha256-int.req \
  -out out/int/2048-sha256-int.pem
84
# Leaf CSRs. Each reuses the key from the checked-in bundle when one exists;
# a -reqexts section from ee.cnf (req_wildcard, req_localhost_san,
# req_test_names) adds the certificate-specific request extensions.

copy_or_generate_key ../certificates/expired_cert.pem out/expired_cert.key
openssl req -new -config ee.cnf \
  -key out/expired_cert.key -out out/expired_cert.req

copy_or_generate_key ../certificates/ok_cert.pem out/ok_cert.key
openssl req -new -config ee.cnf \
  -key out/ok_cert.key -out out/ok_cert.req

copy_or_generate_key ../certificates/wildcard.pem out/wildcard.key
openssl req -new -config ee.cnf -reqexts req_wildcard \
  -key out/wildcard.key -out out/wildcard.req

copy_or_generate_key ../certificates/localhost_cert.pem out/localhost_cert.key
# SUBJECT_NAME is read by ee.cnf; presumably it picks the subject section.
SUBJECT_NAME=req_localhost_cn openssl req -new -config ee.cnf \
  -reqexts req_localhost_san \
  -key out/localhost_cert.key -out out/localhost_cert.req

copy_or_generate_key ../certificates/test_names.pem out/test_names.key
openssl req -new -config ee.cnf -reqexts req_test_names \
  -key out/test_names.key -out out/test_names.req
125
# Sign the leaf CSRs (user_cert extensions from ca.cnf, root CA unless noted).

# Expired: validity pinned to 2006-2007.
CA_NAME=req_ca_dn openssl ca -batch -config ca.cnf -extensions user_cert \
  -startdate 060101000000Z -enddate 070101000000Z \
  -in out/expired_cert.req -out out/expired_cert.pem

CA_NAME=req_ca_dn openssl ca -batch -config ca.cnf -extensions user_cert \
  -days "${CERT_LIFETIME}" \
  -in out/ok_cert.req -out out/ok_cert.pem

# The same ok_cert CSR signed again by the intermediate. CA_DIR and CERT_TYPE
# are read by ca.cnf and, going by their values, point it at the out/int
# database — confirm against ca.cnf.
CA_DIR=out/int CERT_TYPE=int CA_NAME=req_intermediate_dn \
  openssl ca -batch -config ca.cnf -extensions user_cert \
    -days "${CERT_LIFETIME}" \
    -in out/ok_cert.req -out out/int/ok_cert.pem

# NOTE(review): no -days here, so wildcard.pem gets whatever default ca.cnf
# supplies rather than CERT_LIFETIME — confirm that is intended.
CA_NAME=req_ca_dn openssl ca -batch -config ca.cnf -extensions user_cert \
  -in out/wildcard.req -out out/wildcard.pem

CA_NAME=req_ca_dn openssl ca -batch -config ca.cnf -extensions user_cert \
  -days "${CERT_LIFETIME}" \
  -in out/localhost_cert.req -out out/localhost_cert.pem

# Empty validity window (notBefore == notAfter) over the ok_cert key, with the
# subject overridden on the command line.
CA_NAME=req_ca_dn openssl ca -batch -config ca.cnf -extensions user_cert \
  -subj "/CN=Leaf Certificate/" \
  -startdate 00010101000000Z -enddate 00010101000000Z \
  -in out/ok_cert.req -out out/bad_validity.pem

CA_NAME=req_ca_dn openssl ca -batch -config ca.cnf -extensions user_cert \
  -days "${CERT_LIFETIME}" \
  -in out/test_names.req -out out/test_names.pem
193
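# Assemble the bundles the tests load: private key followed by the
# certificate (plus the issuing intermediate for the intermediate-signed
# leaf). A plain redirect does this; there is no reason to build a command
# string and hand it to a second /bin/sh just to run cat.
cat out/ok_cert.key out/ok_cert.pem > ../certificates/ok_cert.pem
cat out/wildcard.key out/wildcard.pem > ../certificates/wildcard.pem
cat out/localhost_cert.key out/localhost_cert.pem \
  > ../certificates/localhost_cert.pem
cat out/expired_cert.key out/expired_cert.pem \
  > ../certificates/expired_cert.pem
cat out/2048-sha256-root.key out/2048-sha256-root.pem \
  > ../certificates/root_ca_cert.pem
cat out/ok_cert.key out/bad_validity.pem > ../certificates/bad_validity.pem
cat out/ok_cert.key out/int/ok_cert.pem out/int/2048-sha256-int.pem \
  > ../certificates/ok_cert_by_intermediate.pem
cat out/int/2048-sha256-int.key out/int/2048-sha256-int.pem \
  > ../certificates/intermediate_ca_cert.pem
# Certificate-only chain (leaf, intermediate, root): no key in this one.
cat out/int/ok_cert.pem out/int/2048-sha256-int.pem out/2048-sha256-root.pem \
  > ../certificates/x509_verify_results.chain.pem
cat out/test_names.key out/test_names.pem > ../certificates/test_names.pem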
216
# One-off self-signed certificates, each keyed to an extension section in
# ../scripts/ee.cnf. These pass -newkey with no -keyout, so where the new
# private key is written is left to openssl/ee.cnf defaults — confirm if a
# consumer depends on the key being in (or out of) the bundle.

## Self-signed cert for SPDY/QUIC/HTTP2 pooling testing
openssl req -x509 -days 3650 -newkey rsa:2048 -text \
  -config ../scripts/ee.cnf -extensions req_spdy_pooling \
  -out ../certificates/spdy_pooling.pem

## SubjectAltName parsing
openssl req -x509 -days 3650 -newkey rsa:2048 -text \
  -config ../scripts/ee.cnf -extensions req_san_sanity \
  -out ../certificates/subjectAltName_sanity_check.pem

## SubjectAltName containing www.example.com
openssl req -x509 -days 3650 -newkey rsa:2048 -text \
  -config ../scripts/ee.cnf -extensions req_san_example \
  -out ../certificates/subjectAltName_www_example_com.pem

## certificatePolicies parsing
openssl req -x509 -days 3650 -newkey rsa:2048 -text \
  -config ../scripts/ee.cnf -extensions req_policies_sanity \
  -out ../certificates/policies_sanity_check.pem

## Punycode handling (SUBJECT_NAME presumably selects the DN section in ee.cnf)
SUBJECT_NAME=req_punycode_dn \
  openssl req -x509 -days 3650 -newkey rsa:2048 -text \
    -config ../scripts/ee.cnf -extensions req_punycode \
    -out ../certificates/punycodetest.pem

## Leaf certificate with a large key; Apple's certificate verifier rejects with
## a fatal error if the key is bigger than 8192 bits.
openssl req -x509 -days 3650 -newkey rsa:8200 -text -sha256 \
  -config ../scripts/ee.cnf \
  -out ../certificates/large_key.pem
250
## SHA-1 signed certificate expiring in 2016 (throwaway key, explicit dates,
## -md sha1 forces the legacy signature digest).
openssl req -config ../scripts/ee.cnf -newkey rsa:2048 -text \
  -out out/sha1_2016.req
CA_NAME=req_ca_dn openssl ca -batch -config ca.cnf -extensions user_cert \
  -md sha1 -startdate 081030000000Z -enddate 161230000000Z \
  -in out/sha1_2016.req -out ../certificates/sha1_2016.pem
264
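## Validity-too-long unit test support. Each fixture is a throwaway CSR
## (-newkey, no -keyout) signed by the root CA with an explicit
## notBefore/notAfter pair chosen to land just inside or just outside a
## lifetime limit; the issued certificate goes straight to ../certificates.
## Each CSR is generated exactly once, immediately before it is signed.
openssl req -config ../scripts/ee.cnf -newkey rsa:2048 -text \
  -out out/10_year_validity.req
CA_NAME=req_ca_dn openssl ca -batch -config ca.cnf -extensions user_cert \
  -startdate 081030000000Z -enddate 181029000000Z \
  -in out/10_year_validity.req -out ../certificates/10_year_validity.pem

openssl req -config ../scripts/ee.cnf -newkey rsa:2048 -text \
  -out out/11_year_validity.req
CA_NAME=req_ca_dn openssl ca -batch -config ca.cnf -extensions user_cert \
  -startdate 141030000000Z -enddate 251030000000Z \
  -in out/11_year_validity.req -out ../certificates/11_year_validity.pem

openssl req -config ../scripts/ee.cnf -newkey rsa:2048 -text \
  -out out/39_months_after_2015_04.req
CA_NAME=req_ca_dn openssl ca -batch -config ca.cnf -extensions user_cert \
  -startdate 150402000000Z -enddate 180702000000Z \
  -in out/39_months_after_2015_04.req \
  -out ../certificates/39_months_after_2015_04.pem

openssl req -config ../scripts/ee.cnf -newkey rsa:2048 -text \
  -out out/40_months_after_2015_04.req
CA_NAME=req_ca_dn openssl ca -batch -config ca.cnf -extensions user_cert \
  -startdate 150402000000Z -enddate 180801000000Z \
  -in out/40_months_after_2015_04.req \
  -out ../certificates/40_months_after_2015_04.pem

openssl req -config ../scripts/ee.cnf -newkey rsa:2048 -text \
  -out out/60_months_after_2012_07.req
CA_NAME=req_ca_dn openssl ca -batch -config ca.cnf -extensions user_cert \
  -startdate 141030000000Z -enddate 190930000000Z \
  -in out/60_months_after_2012_07.req \
  -out ../certificates/60_months_after_2012_07.pem

openssl req -config ../scripts/ee.cnf -newkey rsa:2048 -text \
  -out out/61_months_after_2012_07.req
CA_NAME=req_ca_dn openssl ca -batch -config ca.cnf -extensions user_cert \
  -startdate 141030000000Z -enddate 191103000000Z \
  -in out/61_months_after_2012_07.req \
  -out ../certificates/61_months_after_2012_07.pem

# 39 months, based on a CA calculating one month as 'last day of Month 0' to
# last day of 'Month 1'.
openssl req -config ../scripts/ee.cnf -newkey rsa:2048 -text \
  -out out/39_months_based_on_last_day.req
CA_NAME=req_ca_dn openssl ca -batch -config ca.cnf -extensions user_cert \
  -startdate 170228000000Z -enddate 200530000000Z \
  -in out/39_months_based_on_last_day.req \
  -out ../certificates/39_months_based_on_last_day.pem

# Start date after expiry date.
openssl req -config ../scripts/ee.cnf -newkey rsa:2048 -text \
  -out out/start_after_expiry.req
CA_NAME=req_ca_dn openssl ca -batch -config ca.cnf -extensions user_cert \
  -startdate 180901000000Z -enddate 150402000000Z \
  -in out/start_after_expiry.req \
  -out ../certificates/start_after_expiry.pem

# Issued pre-BRs, lifetime < 120 months, expires before 2019-07-01
openssl req -config ../scripts/ee.cnf -newkey rsa:2048 -text \
  -out out/pre_br_validity_ok.req
CA_NAME=req_ca_dn openssl ca -batch -config ca.cnf -extensions user_cert \
  -startdate 080101000000Z -enddate 150101000000Z \
  -in out/pre_br_validity_ok.req \
  -out ../certificates/pre_br_validity_ok.pem

# Issued pre-BRs, lifetime > 120 months, expires before 2019-07-01
openssl req -config ../scripts/ee.cnf -newkey rsa:2048 -text \
  -out out/pre_br_validity_bad_121.req
CA_NAME=req_ca_dn openssl ca -batch -config ca.cnf -extensions user_cert \
  -startdate 080101000000Z -enddate 180501000000Z \
  -in out/pre_br_validity_bad_121.req \
  -out ../certificates/pre_br_validity_bad_121.pem

# Issued pre-BRs, lifetime < 120 months, expires after 2019-07-01
openssl req -config ../scripts/ee.cnf -newkey rsa:2048 -text \
  -out out/pre_br_validity_bad_2020.req
CA_NAME=req_ca_dn openssl ca -batch -config ca.cnf -extensions user_cert \
  -startdate 120501000000Z -enddate 190703000000Z \
  -in out/pre_br_validity_bad_2020.req \
  -out ../certificates/pre_br_validity_bad_2020.pem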
# Three fixtures around the 825-day limit for certificates issued after
# 2018-03-01; all share the same notBefore and differ only in notAfter.

# Issued after 2018-03-01, lifetime == 826 days (bad)
openssl req -config ../scripts/ee.cnf -newkey rsa:2048 -text \
  -out out/826_days_after_2018_03_01.req
CA_NAME=req_ca_dn openssl ca -batch -config ca.cnf -extensions user_cert \
  -startdate 180302000000Z -enddate 200605000000Z \
  -in out/826_days_after_2018_03_01.req \
  -out ../certificates/826_days_after_2018_03_01.pem

# Issued after 2018-03-01, lifetime == 825 days (good)
openssl req -config ../scripts/ee.cnf -newkey rsa:2048 -text \
  -out out/825_days_after_2018_03_01.req
CA_NAME=req_ca_dn openssl ca -batch -config ca.cnf -extensions user_cert \
  -startdate 180302000000Z -enddate 200604000000Z \
  -in out/825_days_after_2018_03_01.req \
  -out ../certificates/825_days_after_2018_03_01.pem

# Issued after 2018-03-01, lifetime == 825 days and one second (bad)
openssl req -config ../scripts/ee.cnf -newkey rsa:2048 -text \
  -out out/825_days_1_second_after_2018_03_01.req
CA_NAME=req_ca_dn openssl ca -batch -config ca.cnf -extensions user_cert \
  -startdate 180302000000Z -enddate 200604000001Z \
  -in out/825_days_1_second_after_2018_03_01.req \
  -out ../certificates/825_days_1_second_after_2018_03_01.pem
435
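# Issued prior to 1 June 2016 (Symantec CT Enforcement Date)
openssl req -config ../scripts/ee.cnf -newkey rsa:2048 -text \
  -out out/pre_june_2016.req
CA_NAME=req_ca_dn openssl ca -batch -config ca.cnf -extensions user_cert \
  -startdate 160501000000Z -enddate 170703000000Z \
  -in out/pre_june_2016.req -out ../certificates/pre_june_2016.pem

# Three fixtures around the 398-day limit for certificates issued after
# 2020-09-01; all share the same notBefore and differ only in notAfter.

# Issued after 2020-09-01, lifetime == 399 days (bad)
openssl req -config ../scripts/ee.cnf -newkey rsa:2048 -text \
  -out out/399_days_after_2020_09_01.req
CA_NAME=req_ca_dn openssl ca -batch -config ca.cnf -extensions user_cert \
  -startdate 200902000000Z -enddate 211006000000Z \
  -in out/399_days_after_2020_09_01.req \
  -out ../certificates/399_days_after_2020_09_01.pem

# Issued after 2020-09-01, lifetime == 398 days (good)
openssl req -config ../scripts/ee.cnf -newkey rsa:2048 -text \
  -out out/398_days_after_2020_09_01.req
CA_NAME=req_ca_dn openssl ca -batch -config ca.cnf -extensions user_cert \
  -startdate 200902000000Z -enddate 211005000000Z \
  -in out/398_days_after_2020_09_01.req \
  -out ../certificates/398_days_after_2020_09_01.pem

# Issued after 2020-09-01, lifetime == 398 days and one second (bad). The
# notAfter is one second past the 398-day fixture above, matching the file
# name.
openssl req -config ../scripts/ee.cnf -newkey rsa:2048 -text \
  -out out/398_days_1_second_after_2020_09_01.req
CA_NAME=req_ca_dn openssl ca -batch -config ca.cnf -extensions user_cert \
  -startdate 200902000000Z -enddate 211005000001Z \
  -in out/398_days_1_second_after_2020_09_01.req \
  -out ../certificates/398_days_1_second_after_2020_09_01.pem

# Issued after 1 June 2016 (Symantec CT Enforcement Date)
openssl req -config ../scripts/ee.cnf -newkey rsa:2048 -text \
  -out out/post_june_2016.req
CA_NAME=req_ca_dn openssl ca -batch -config ca.cnf -extensions user_cert \
  -startdate 160601000000Z -enddate 170703000000Z \
  -in out/post_june_2016.req -out ../certificates/post_june_2016.pem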
499
# Includes the canSignHttpExchangesDraft extension. Self-signed for one year;
# the generated key goes to out/ via -keyout and is left unencrypted (-nodes).
openssl req -x509 -newkey rsa:2048 -nodes -days 365 -config ee.cnf \
  -extensions req_extensions_with_can_sign_http_exchanges_draft \
  -keyout out/can_sign_http_exchanges_draft_extension.key \
  -out ../certificates/can_sign_http_exchanges_draft_extension.pem

# Same extension, but with a SEQUENCE in the body rather than a NULL.
openssl req -x509 -newkey rsa:2048 -nodes -days 365 -config ee.cnf \
  -extensions req_extensions_with_can_sign_http_exchanges_draft_invalid \
  -keyout out/can_sign_http_exchanges_draft_extension_invalid.key \
  -out ../certificates/can_sign_http_exchanges_draft_extension_invalid.pem
516
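# SHA-1 certificate issued by locally trusted CA. The key is reused from the
# checked-in bundle when present, and the key+cert bundle is written back
# with a plain redirect (no need to route cat through a second /bin/sh).
copy_or_generate_key ../certificates/sha1_leaf.pem out/sha1_leaf.key
openssl req -new -text -config ../scripts/ee.cnf \
  -key out/sha1_leaf.key -out out/sha1_leaf.req
CA_NAME=req_ca_dn openssl ca -batch -config ca.cnf -extensions user_cert \
  -md sha1 -days "${CERT_LIFETIME}" \
  -in out/sha1_leaf.req -out out/sha1_leaf.pem
cat out/sha1_leaf.key out/sha1_leaf.pem > ../certificates/sha1_leaf.pem

# Certificate with only a common name (no SAN) issued by a locally trusted CA.
# req_no_san supplies the request extensions; validity is pinned to
# 2017-12-20 .. 2020-12-20.
copy_or_generate_key ../certificates/common_name_only.pem \
  out/common_name_only.key
openssl req -new -text -config ../scripts/ee.cnf -reqexts req_no_san \
  -key out/common_name_only.key -out out/common_name_only.req
CA_NAME=req_ca_dn openssl ca -batch -config ca.cnf -extensions user_cert \
  -startdate 171220000000Z -enddate 201220000000Z \
  -in out/common_name_only.req -out out/common_name_only.pem
cat out/common_name_only.key out/common_name_only.pem \
  > ../certificates/common_name_only.pem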
558
# Issued after 1 Dec 2017 (Symantec Legacy Distrust Date)
openssl req -config ../scripts/ee.cnf -newkey rsa:2048 -text \
  -out out/dec_2017.req
CA_NAME=req_ca_dn openssl ca -batch -config ca.cnf -extensions user_cert \
  -startdate 171220000000Z -enddate 201220000000Z \
  -in out/dec_2017.req -out ../certificates/dec_2017.pem

# Issued on 1 May 2018 (after the 30 Apr 2018 CT Requirement date)
openssl req -config ../scripts/ee.cnf -newkey rsa:2048 -text \
  -out out/may_2018.req
CA_NAME=req_ca_dn openssl ca -batch -config ca.cnf -extensions user_cert \
  -startdate 180501000000Z -enddate 200803000000Z \
  -in out/may_2018.req -out ../certificates/may_2018.pem

# Issued after 1 July 2019 (the macOS 10.15+ date for additional policies on
# locally-trusted certificates - see https://support.apple.com/en-us/HT210176)
# and valid for >825 days, even accounting for rounding issues. Unlike the
# fixtures above this one is dated relative to the run (-days), not pinned.
openssl req -config ../scripts/ee.cnf -newkey rsa:2048 -text \
  -out out/900_days_after_2019_07_01.req
CA_NAME=req_ca_dn openssl ca -batch -config ca.cnf -extensions user_cert \
  -days 900 \
  -in out/900_days_after_2019_07_01.req \
  -out ../certificates/900_days_after_2019_07_01.pem
608
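## Certificates for testing EV display (DN set with different variations).
## SUBJECT_NAME is read by ee.cnf and presumably selects the DN section.
## -config is spelled with a single dash like every other openssl call in
## this script; the double-dash spelling is not accepted by every openssl
## release.
SUBJECT_NAME=req_ev_dn openssl req -x509 -days "${CERT_LIFETIME}" \
  -config ../scripts/ee.cnf -newkey rsa:2048 -text \
  -out ../certificates/ev_test.pem

SUBJECT_NAME=req_ev_state_only_dn openssl req -x509 -days "${CERT_LIFETIME}" \
  -config ../scripts/ee.cnf -newkey rsa:2048 -text \
  -out ../certificates/ev_test_state_only.pem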
619
# Regenerate CRLSets. Each here-document is a JSON description fed on stdin to
# crlsetutil.py (not shown here), which turns the listed PEM paths into the
# corresponding CRLSet entries and writes the result to the -o file. The
# delimiters are quoted because nothing in the JSON is meant to be expanded.

## Block a leaf cert directly by SPKI
python3 crlsetutil.py -o ../certificates/crlset_by_leaf_spki.raw <<'EOF'
{
  "BlockedBySPKI": ["../certificates/ok_cert.pem"]
}
EOF

## Block a root cert directly by SPKI
python3 crlsetutil.py -o ../certificates/crlset_by_root_spki.raw <<'EOF'
{
  "BlockedBySPKI": ["../certificates/root_ca_cert.pem"]
}
EOF

## Block a leaf cert by issuer-hash-and-serial
python3 crlsetutil.py -o ../certificates/crlset_by_root_serial.raw <<'EOF'
{
  "BlockedByHash": {
    "../certificates/root_ca_cert.pem": [
      "../certificates/ok_cert.pem"
    ]
  }
}
EOF

## Block a leaf cert by issuer-hash-and-serial. However, this will be issued
## from an intermediate CA issued underneath a root.
python3 crlsetutil.py -o ../certificates/crlset_by_intermediate_serial.raw <<'EOF'
{
  "BlockedByHash": {
    "../certificates/intermediate_ca_cert.pem": [
      "../certificates/ok_cert_by_intermediate.pem"
    ]
  }
}
EOF

## Block a subject with a single-entry allowlist of SPKI hashes.
python3 crlsetutil.py -o ../certificates/crlset_by_root_subject.raw <<'EOF'
{
  "LimitedSubjects": {
    "../certificates/root_ca_cert.pem": [
      "../certificates/root_ca_cert.pem"
    ]
  }
}
EOF

## Block the root's subject with an empty allowlist of SPKI hashes.
python3 crlsetutil.py -o ../certificates/crlset_by_root_subject_no_spki.raw <<'EOF'
{
  "LimitedSubjects": {
    "../certificates/root_ca_cert.pem": []
  },
  "Sequence": 2
}
EOF

## Block the leaf's subject with an empty allowlist of SPKI hashes.
python3 crlsetutil.py -o ../certificates/crlset_by_leaf_subject_no_spki.raw <<'EOF'
{
  "LimitedSubjects": {
    "../certificates/ok_cert.pem": []
  }
}
EOF

## Mark a given root as blocked for interception.
python3 crlsetutil.py \
  -o ../certificates/crlset_blocked_interception_by_root.raw <<'EOF'
{
  "BlockedInterceptionSPKIs": [
    "../certificates/root_ca_cert.pem"
  ]
}
EOF

## Mark a given intermediate as blocked for interception.
python3 crlsetutil.py \
  -o ../certificates/crlset_blocked_interception_by_intermediate.raw <<'EOF'
{
  "BlockedInterceptionSPKIs": [
    "../certificates/intermediate_ca_cert.pem"
  ]
}
EOF

## Mark a given root as known for interception, but not blocked.
python3 crlsetutil.py \
  -o ../certificates/crlset_known_interception_by_root.raw <<'EOF'
{
  "KnownInterceptionSPKIs": [
    "../certificates/root_ca_cert.pem"
  ]
}
EOF
727