1#!/bin/sh
2
3# Copyright 2013 The Chromium Authors
4# Use of this source code is governed by a BSD-style license that can be
5# found in the LICENSE file.
6
7# This script generates a set of test (end-entity, intermediate, root)
8# certificates that can be used to test fetching of an intermediate via AIA.
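set -e -x
# -x traces every command; that is acceptable here because private keys only
# ever travel through files (-key/-keyout/-out), never on a command line.

# Every path below is relative to this directory (ca.cnf, ee.cnf,
# crlsetutil.py, ../certificates). Bail out early if run from anywhere else:
# otherwise the `rm -rf out` below would hit the wrong directory and, because
# ../certificates/*.pem would not be found, copy_or_generate_key would silently
# mint brand-new keys for every certificate, including the root.
for required in ca.cnf ee.cnf crlsetutil.py; do
  if [ ! -f "$required" ]; then
    printf '%s: %s not found; run this script from the directory containing it\n' \
      "$0" "$required" >&2
    exit 1
  fi
done

# The maximum lifetime for any certificates that may go through a "real"
# cert verifier. This is effectively:
# min(OS verifier max lifetime for local certs, built-in verifier max lifetime
#     for local certs)
#
# The current built-in verifier max lifetime is 39 months
# The current OS verifier max lifetime is 825 days, which comes from
#   iOS 13/macOS 10.15 - https://support.apple.com/en-us/HT210176
# 730 is used here as just a short-hand for 2 years
CERT_LIFETIME=730

# Scratch area, wiped and rebuilt on every run. out/int holds the intermediate
# CA's own serial/index files.
rm -rf out
mkdir -p out/int

# Serial and index database for the root CA, used by the `openssl ca`
# invocations below (presumably wired up through ca.cnf). A random 16-byte
# starting serial avoids handing out the same serial numbers on every
# regeneration.
openssl rand -hex -out out/2048-sha256-root-serial 16
touch out/2048-sha256-root-index.txt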
28
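# Reuse the private key embedded in an existing test PEM, or generate a new one.
#
# Keeping a key stable across regenerations matters because other artefacts
# built from these files (e.g. the CRLSets at the end of this script) identify
# certificates by SPKI hash, and test expectations presumably pin those hashes.
#
# Arguments:
#   $1 - PEM file that may contain a "-----BEGIN ... PRIVATE KEY-----" block.
#        A missing or unreadable file is fine and falls through to generation.
#   $2 - path to write the key to (PEM, via `openssl pkey` / `openssl genpkey`).
#
# The pattern also matches "BEGIN ENCRYPTED PRIVATE KEY"; feeding such a file
# through `openssl pkey` would stop to prompt for a passphrase. The PEMs this
# script writes are expected to be unencrypted — re-check if ee.cnf/ca.cnf
# ever change that.
#
# POSIX function syntax: the file runs under #!/bin/sh, where the bash-only
# `function name {` form is not guaranteed to parse.
copy_or_generate_key() {
  existing_pem_filename="$1"
  out_key_filename="$2"
  if [ -r "$existing_pem_filename" ] &&
     grep -q -- '-----BEGIN.*PRIVATE KEY-----' "$existing_pem_filename"; then
    openssl pkey -in "$existing_pem_filename" -out "$out_key_filename"
  else
    openssl genpkey -algorithm rsa -pkeyopt rsa_keygen_bits:2048 \
      -out "$out_key_filename"
  fi
}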
40
# --- Root CA -----------------------------------------------------------------
# The key is reused from the checked-in root_ca_cert.pem when present so the
# root's SPKI (and anything keyed on it) stays stable; otherwise a fresh
# RSA-2048 key is generated.
root=out/2048-sha256-root
copy_or_generate_key ../certificates/root_ca_cert.pem "${root}.key"

# CSR for the root. CA_NAME is exported into openssl's environment; ca.cnf
# presumably uses it to pick the DN section.
CA_NAME="req_ca_dn" openssl req -new -config ca.cnf \
  -key "${root}.key" -out "${root}.req"

# Self-sign the CSR into a 10-year root. This bypasses `openssl ca` (no
# serial/index update for the root itself) and applies the ca_cert extension
# section from ca.cnf via -extfile. `-text` prepends a human-readable dump to
# the PEM; the result is later bundled into ../certificates/root_ca_cert.pem.
# The CERT_LIFETIME cap is not applied to the root, which is a locally trusted
# anchor rather than a leaf.
CA_NAME="req_ca_dn" openssl x509 -req -days 3650 \
  -in "${root}.req" -signkey "${root}.key" \
  -extfile ca.cnf -extensions ca_cert \
  -text > "${root}.pem"
60
# --- Intermediate CA ---------------------------------------------------------
# The intermediate gets its own serial/index files under out/int; the leaf
# section below points `openssl ca` at them (CA_DIR) when issuing from it.
inter=out/int/2048-sha256-int
openssl rand -hex -out "${inter}-serial" 16
touch "${inter}-index.txt"

# Same key-reuse policy as the root: keep the checked-in key if there is one.
copy_or_generate_key ../certificates/intermediate_ca_cert.pem "${inter}.key"

CA_NAME="req_intermediate_dn" openssl req -new -config ca.cnf \
  -key "${inter}.key" -out "${inter}.req"

# Issued through `openssl ca` (default CA from ca.cnf, i.e. the root set up
# above) with CA extensions and a 10-year validity. CA_NAME is passed through
# unchanged; what ca.cnf does with it for this call is decided by the config.
CA_NAME="req_intermediate_dn" openssl ca -batch -config ca.cnf \
  -extensions ca_cert -days 3650 \
  -in "${inter}.req" -out "${inter}.pem"
84
# --- Leaf CSRs ---------------------------------------------------------------
# Produce out/NAME.req for a leaf, reusing the key found in the checked-in
# ../certificates/NAME.pem (or generating a new one) and taking the request
# settings from ee.cnf.
#
# Arguments:
#   $1 - leaf name (file stem under ../certificates and out/)
#   $2 - optional [req] extension section to embed in the CSR (-reqexts)
leaf_req() {
  leaf_name="$1"
  copy_or_generate_key "../certificates/${leaf_name}.pem" "out/${leaf_name}.key"
  if [ $# -ge 2 ]; then
    openssl req -new -config ee.cnf -reqexts "$2" \
      -key "out/${leaf_name}.key" -out "out/${leaf_name}.req"
  else
    openssl req -new -config ee.cnf \
      -key "out/${leaf_name}.key" -out "out/${leaf_name}.req"
  fi
}

leaf_req expired_cert
leaf_req ok_cert
leaf_req wildcard req_wildcard

# localhost also overrides the subject DN section through SUBJECT_NAME
# (presumably read by ee.cnf). It is spelled out instead of going through
# leaf_req because an environment prefix on a shell *function* call is not
# portable across sh implementations.
copy_or_generate_key ../certificates/localhost_cert.pem out/localhost_cert.key
SUBJECT_NAME="req_localhost_cn" openssl req -new -config ee.cnf \
  -reqexts req_localhost_san \
  -key out/localhost_cert.key -out out/localhost_cert.req

leaf_req test_names req_test_names
125
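# --- Leaf certificates -------------------------------------------------------
# All leaves are issued with `openssl ca` and the user_cert extension section
# from ca.cnf. The issuer defaults to the root; one entry overrides
# CA_DIR/CERT_TYPE/CA_NAME (presumably read by ca.cnf) to issue from the
# intermediate instead. Validity is CERT_LIFETIME for certs that may reach a
# real verifier, or an explicit window for the negative fixtures.

# expired_cert: 2006-01-01 .. 2007-01-01, expired for any present-day clock.
CA_NAME="req_ca_dn" openssl ca -batch -config ca.cnf -extensions user_cert \
  -startdate 060101000000Z -enddate 070101000000Z \
  -in out/expired_cert.req -out out/expired_cert.pem

# ok_cert, issued by the root.
CA_NAME="req_ca_dn" openssl ca -batch -config ca.cnf -extensions user_cert \
  -days ${CERT_LIFETIME} -in out/ok_cert.req -out out/ok_cert.pem

# The same CSR issued by the intermediate (serial/index under out/int).
CA_DIR="out/int" CERT_TYPE="int" CA_NAME="req_intermediate_dn" \
  openssl ca -batch -config ca.cnf -extensions user_cert \
    -days ${CERT_LIFETIME} -in out/ok_cert.req -out out/int/ok_cert.pem

# wildcard: the lifetime is pinned to CERT_LIFETIME like the other
# verifier-facing leaves, instead of silently inheriting ca.cnf's default_days
# (which may exceed the cap documented at the top of this file).
CA_NAME="req_ca_dn" openssl ca -batch -config ca.cnf -extensions user_cert \
  -days ${CERT_LIFETIME} -in out/wildcard.req -out out/wildcard.pem

# localhost, issued by the root.
CA_NAME="req_ca_dn" openssl ca -batch -config ca.cnf -extensions user_cert \
  -days ${CERT_LIFETIME} -in out/localhost_cert.req -out out/localhost_cert.pem

# bad_validity: notBefore == notAfter == 0001-01-01, built from the ok_cert CSR
# with the subject overridden on the command line.
CA_NAME="req_ca_dn" openssl ca -batch -config ca.cnf -extensions user_cert \
  -subj "/CN=Leaf Certificate/" \
  -startdate 00010101000000Z -enddate 00010101000000Z \
  -in out/ok_cert.req -out out/bad_validity.pem

# test_names, issued by the root.
CA_NAME="req_ca_dn" openssl ca -batch -config ca.cnf -extensions user_cert \
  -days ${CERT_LIFETIME} -in out/test_names.req -out out/test_names.pem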
193
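# --- Assemble the checked-in test PEMs --------------------------------------
# Most bundles are "private key, then certificate(s)" so that a test server
# can load key and chain from a single path; x509_verify_results.chain.pem is
# cert-only. Because the keys are committed alongside the certs they must be
# treated as public: never reuse them outside these tests.
#
# Plain `cat` replaces the earlier `/bin/sh -c "cat ..."` wrappers, which only
# added a subshell and a quoted command string. Failure behaviour under
# `set -e` is the same (a failed cat or redirection aborts the script).
#
# Arguments:
#   $1   - destination file (overwritten)
#   $2.. - input files, concatenated in order
write_pem() {
  dest="$1"
  shift
  cat "$@" > "$dest"
}

write_pem ../certificates/ok_cert.pem out/ok_cert.key out/ok_cert.pem
write_pem ../certificates/wildcard.pem out/wildcard.key out/wildcard.pem
write_pem ../certificates/localhost_cert.pem \
  out/localhost_cert.key out/localhost_cert.pem
write_pem ../certificates/expired_cert.pem \
  out/expired_cert.key out/expired_cert.pem
write_pem ../certificates/root_ca_cert.pem \
  out/2048-sha256-root.key out/2048-sha256-root.pem
write_pem ../certificates/bad_validity.pem out/ok_cert.key out/bad_validity.pem
write_pem ../certificates/ok_cert_by_intermediate.pem \
  out/ok_cert.key out/int/ok_cert.pem out/int/2048-sha256-int.pem
write_pem ../certificates/intermediate_ca_cert.pem \
  out/int/2048-sha256-int.key out/int/2048-sha256-int.pem
write_pem ../certificates/x509_verify_results.chain.pem \
  out/int/ok_cert.pem out/int/2048-sha256-int.pem out/2048-sha256-root.pem
write_pem ../certificates/test_names.pem out/test_names.key out/test_names.pem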
216
# --- One-off self-signed certificates ---------------------------------------
# These bypass the CA entirely: `openssl req -x509` makes a fresh RSA-2048 key
# and self-signs with the named extension section from ee.cnf. No -keyout is
# given, so where the new private key ends up (ee.cnf's default key file, or
# the -out file, depending on OpenSSL version/config) is not decided here —
# check the generated .pem actually carries the key if a test server needs it.
# The CERT_LIFETIME cap from the top of the file is not applied; presumably
# these fixtures are only parsed by the built-in code — confirm before routing
# one through an OS verifier.
#
# Arguments:
#   $1 - extension section in ee.cnf
#   $2 - output PEM path
self_signed() {
  openssl req -x509 -days 3650 -config ../scripts/ee.cnf -newkey rsa:2048 \
    -extensions "$1" -text -out "$2"
}

## Self-signed cert for SPDY/QUIC/HTTP2 pooling testing
self_signed req_spdy_pooling ../certificates/spdy_pooling.pem

## SubjectAltName parsing
self_signed req_san_sanity ../certificates/subjectAltName_sanity_check.pem

## SubjectAltName containing www.example.com
self_signed req_san_example ../certificates/subjectAltName_www_example_com.pem

## certificatePolicies parsing
self_signed req_policies_sanity ../certificates/policies_sanity_check.pem

## Punycode handling. Also overrides the subject DN section via SUBJECT_NAME,
## so it is spelled out: an environment prefix on a shell function call is not
## portable across sh implementations.
SUBJECT_NAME="req_punycode_dn" \
  openssl req -x509 -days 3650 -config ../scripts/ee.cnf -newkey rsa:2048 \
    -extensions req_punycode -text -out ../certificates/punycodetest.pem
243
## SHA1 certificate expiring in 2016.
# Cert-only fixture written straight to ../certificates: a throwaway key from
# -newkey (no -keyout, so it is not captured here) and a root-issued cert
# signed with SHA-1 (-md sha1) for the 2008-10-30 .. 2016-12-30 window.
openssl req -config ../scripts/ee.cnf -newkey rsa:2048 -text \
  -out out/sha1_2016.req
CA_NAME="req_ca_dn" openssl ca -batch -config ca.cnf -extensions user_cert \
  -startdate 081030000000Z -enddate 161230000000Z -md sha1 \
  -in out/sha1_2016.req -out ../certificates/sha1_2016.pem

# Self-signed certs carrying the canSignHttpExchangesDraft extension: one with
# the expected NULL body and one with a SEQUENCE body instead (presumably to
# exercise the parser's rejection path). Keys are written unencrypted (-nodes)
# under out/ only; just the certificates land in ../certificates.
#
# Arguments:
#   $1 - file-name suffix ("" or "_invalid")
#   $2 - extension section in ee.cnf
sxg_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -config ee.cnf -days 365 \
    -extensions "$2" \
    -keyout "out/can_sign_http_exchanges_draft_extension$1.key" \
    -out "../certificates/can_sign_http_exchanges_draft_extension$1.pem"
}

sxg_cert "" req_extensions_with_can_sign_http_exchanges_draft
sxg_cert _invalid req_extensions_with_can_sign_http_exchanges_draft_invalid
274
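# --- SHA-1 leaf issued by the locally trusted root ---------------------------
# The signature algorithm is forced to SHA-1 (-md sha1), presumably to exercise
# SHA-1 rejection even when the issuer is trusted. Key is reused from the
# checked-in sha1_leaf.pem when present.
#
# The bundling steps in this section use plain `cat` instead of the earlier
# `/bin/sh -c "cat ..."` wrappers; the subshell added nothing and the failure
# behaviour under `set -e` is unchanged.
copy_or_generate_key ../certificates/sha1_leaf.pem out/sha1_leaf.key
openssl req -new -text -config ../scripts/ee.cnf \
  -key out/sha1_leaf.key -out out/sha1_leaf.req
CA_NAME="req_ca_dn" openssl ca -batch -config ca.cnf -extensions user_cert \
  -days ${CERT_LIFETIME} -md sha1 \
  -in out/sha1_leaf.req -out out/sha1_leaf.pem
# Key first, then cert, like the other bundles in ../certificates.
cat out/sha1_leaf.key out/sha1_leaf.pem > ../certificates/sha1_leaf.pem

# --- CN-only leaf (no subjectAltName) issued by the root ---------------------
# req_no_san keeps the SAN extension out of the CSR. Validity is a fixed
# 2017-12-20 .. 2020-12-20 window rather than CERT_LIFETIME, so this cert is
# expired relative to a current clock.
copy_or_generate_key ../certificates/common_name_only.pem \
  out/common_name_only.key
openssl req -new -text -config ../scripts/ee.cnf -reqexts req_no_san \
  -key out/common_name_only.key -out out/common_name_only.req
CA_NAME="req_ca_dn" openssl ca -batch -config ca.cnf -extensions user_cert \
  -startdate 171220000000Z -enddate 201220000000Z \
  -in out/common_name_only.req -out out/common_name_only.pem
cat out/common_name_only.key out/common_name_only.pem \
  > ../certificates/common_name_only.pem

# --- Leaf issued on 1 May 2018 (after the 30 Apr 2018 CT Requirement date) ---
# Window 2018-05-01 .. 2020-08-03. The key comes from -newkey with no -keyout,
# so it is not captured here and is not part of the committed file; the
# `openssl ca` output goes straight to ../certificates, making it cert-only.
openssl req -config ../scripts/ee.cnf -newkey rsa:2048 -text \
  -out out/may_2018.req
CA_NAME="req_ca_dn" openssl ca -batch -config ca.cnf -extensions user_cert \
  -startdate 180501000000Z -enddate 200803000000Z \
  -in out/may_2018.req -out ../certificates/may_2018.pem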
332
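## Certificates for testing EV display (DN set with different variations)
# SUBJECT_NAME selects the DN section (presumably read by ee.cnf). Self-signed
# with a fresh key and the CERT_LIFETIME cap. `-config` is the documented
# single-dash spelling; the `--config` form used before is only tolerated by
# newer OpenSSL option parsers and is not portable across versions.
SUBJECT_NAME="req_ev_dn" \
  openssl req -x509 -days ${CERT_LIFETIME} \
    -config ../scripts/ee.cnf -newkey rsa:2048 -text \
    -out ../certificates/ev_test.pem

SUBJECT_NAME="req_ev_state_only_dn" \
  openssl req -x509 -days ${CERT_LIFETIME} \
    -config ../scripts/ee.cnf -newkey rsa:2048 -text \
    -out ../certificates/ev_test_state_only.pem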
343
# --- CRLSets -----------------------------------------------------------------
# Each CRLSet is built by crlsetutil.py from a JSON description that refers to
# PEMs generated above (they must already exist at this point). Heredoc
# delimiters are quoted so the JSON is passed to the tool verbatim.
#
# Arguments:
#   $1    - output file name under ../certificates
#   stdin - JSON description
crlset() {
  python3 crlsetutil.py -o "../certificates/$1"
}

## Block a leaf cert directly by SPKI
crlset crlset_by_leaf_spki.raw <<'EOF'
{
  "BlockedBySPKI": ["../certificates/ok_cert.pem"]
}
EOF

## Block a root cert directly by SPKI
crlset crlset_by_root_spki.raw <<'EOF'
{
  "BlockedBySPKI": ["../certificates/root_ca_cert.pem"]
}
EOF

## Block a leaf cert by issuer-hash-and-serial
crlset crlset_by_root_serial.raw <<'EOF'
{
  "BlockedByHash": {
    "../certificates/root_ca_cert.pem": [
      "../certificates/ok_cert.pem"
    ]
  }
}
EOF

## Block a leaf cert by issuer-hash-and-serial. However, this will be issued
## from an intermediate CA issued underneath a root.
crlset crlset_by_intermediate_serial.raw <<'EOF'
{
  "BlockedByHash": {
    "../certificates/intermediate_ca_cert.pem": [
      "../certificates/ok_cert_by_intermediate.pem"
    ]
  }
}
EOF

## Block the root's subject with a single-entry allowlist of SPKI hashes.
crlset crlset_by_root_subject.raw <<'EOF'
{
  "LimitedSubjects": {
    "../certificates/root_ca_cert.pem": [
      "../certificates/root_ca_cert.pem"
    ]
  }
}
EOF

## Block the root's subject with an empty allowlist of SPKI hashes. This one
## also carries an explicit sequence number; the others use the tool default.
crlset crlset_by_root_subject_no_spki.raw <<'EOF'
{
  "LimitedSubjects": {
    "../certificates/root_ca_cert.pem": []
  },
  "Sequence": 2
}
EOF

## Block the leaf's subject with an empty allowlist of SPKI hashes.
crlset crlset_by_leaf_subject_no_spki.raw <<'EOF'
{
  "LimitedSubjects": {
    "../certificates/ok_cert.pem": []
  }
}
EOF

## Mark a given root as blocked for interception.
crlset crlset_blocked_interception_by_root.raw <<'EOF'
{
  "BlockedInterceptionSPKIs": [
    "../certificates/root_ca_cert.pem"
  ]
}
EOF

## Mark a given intermediate as blocked for interception.
crlset crlset_blocked_interception_by_intermediate.raw <<'EOF'
{
  "BlockedInterceptionSPKIs": [
    "../certificates/intermediate_ca_cert.pem"
  ]
}
EOF

## Mark a given root as known for interception, but not blocked.
crlset crlset_known_interception_by_root.raw <<'EOF'
{
  "KnownInterceptionSPKIs": [
    "../certificates/root_ca_cert.pem"
  ]
}
EOF
451