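#!/bin/sh

# Copyright (c) 2012 The Chromium Authors. All rights reserved.
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.

# This script generates two chains of test certificates:
#
# 1. A (end-entity) -> B -> C -> D (self-signed root)
# 2. A (end-entity) -> B -> C2 (self-signed root)
#
# in which A, B, C, and D have distinct keypairs. C2 is a self-signed root
# certificate that uses the same keypair as C.
#
# We use these cert chains in
# SSLClientSocketTest.VerifyReturnChainProperlyOrdered to ensure that
# SSLInfo objects see the certificate chain as validated rather than as
# served by the server. The server serves chain 1. The client has C2, NOT D,
# installed as a trusted root. Therefore, the chain will validate as chain
# 2, even though the server served chain 1.
#
# Inputs (expected in the working directory): redundant-ca.cnf and ee.cnf.
# Outputs: scratch keys/CSRs/certs/CA databases under out/, plus
# redundant-server-chain.pem, redundant-validated-chain.pem and
# redundant-validated-chain-root.pem in the working directory.
#
# Note on the `VAR=... try openssl ...` pattern used below: the assignments
# are meant to be visible to the openssl process that `try` runs. bash and
# dash export them for the duration of the function call; POSIX leaves the
# effect of assignments prefixed to a *function* call unspecified, so run
# this with one of those shells.

#######################################
# Echo a command, run it, and abort the script if it fails.
# The trace line is written to stderr so that a stdout redirection on a
# `try ...` invocation (e.g. `try cmd > file`) captures only the command's
# own output; echoing to stdout used to put the trace line into the file as
# well. "$@" is quoted so arguments containing whitespace reach the command
# intact.
# Arguments: the command and its arguments
# Returns:   exits the script with status 1 on failure
#######################################
try () {
  echo "$@" >&2
  "$@" || exit 1
}

#######################################
# Map a key algorithm name to the openssl subcommand that generates it.
# Only "rsa" is recognised; anything else calls `exit 1` (this ends the
# whole script when called directly, or only the subshell when used via
# $(...)). Not invoked anywhere in this script as currently written.
# Arguments: $1 - algorithm name
# Outputs:   the openssl subcommand on stdout
#######################################
generate_key_command () {
  case "$1" in
    rsa)
      echo genrsa
      ;;
    *)
      exit 1
  esac
}

# Start from an empty scratch directory.
try rm -rf out
try mkdir out

echo Create the serial number files.
# One serial file per signing CA. Each CA starts at a distinct value so that
# certificates issued by different CAs in this setup never share a serial.
# Written directly (not via `try`) so that nothing but the number lands in
# the file; openssl expects the file to contain only the hex serial.
serial=100
for i in B C C2 D
do
  echo "$serial" > "out/$i-serial" || exit 1
  serial=$((serial + 1))
done

echo Generate the keys.
# Four distinct 2048-bit RSA keypairs. C2 deliberately has no key of its
# own: its certificates are made with out/C.key below.
try openssl genrsa -out out/A.key 2048
try openssl genrsa -out out/B.key 2048
try openssl genrsa -out out/C.key 2048
try openssl genrsa -out out/D.key 2048

echo Generate the D CSR.
CA_COMMON_NAME="D Root CA" \
  CA_DIR=out \
  CA_NAME=req_env_dn \
  KEY_SIZE=2048 \
  ALGO=rsa \
  CERT_TYPE=root \
  TYPE=D CERTIFICATE=D \
  try openssl req \
    -new \
    -key out/D.key \
    -out out/D.csr \
    -config redundant-ca.cnf

echo D signs itself.
# NOTE(review): `openssl x509 -req` only applies `-extensions` together with
# `-extfile`; without it no extensions (e.g. basicConstraints CA:TRUE) are
# added to D.pem. Confirm whether the test relies on D carrying CA
# extensions before changing this.
CA_COMMON_NAME="D Root CA" \
  CA_DIR=out \
  CA_NAME=req_env_dn \
  try openssl x509 \
    -req -days 3650 \
    -in out/D.csr \
    -extensions ca_cert \
    -signkey out/D.key \
    -out out/D.pem

echo Generate the C2 root CSR.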
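# C2 is a root that shares C's keypair: the CSR is made with out/C.key so
# that the C2 certificate can later stand in for C at the trust anchor.
CA_COMMON_NAME="C CA" \
  CA_DIR=out \
  CA_NAME=req_env_dn \
  KEY_SIZE=2048 \
  ALGO=rsa \
  CERT_TYPE=root \
  TYPE=C2 CERTIFICATE=C2 \
  try openssl req \
    -new \
    -key out/C.key \
    -out out/C2.csr \
    -config redundant-ca.cnf

echo C2 signs itself.
# Signed with C's key, so C2.pem verifies any certificate that C issued.
# NOTE(review): as with D, `-extensions` has no effect on `x509 -req`
# unless `-extfile` is also given; confirm whether C2.pem needs CA
# extensions for the test.
CA_COMMON_NAME="C CA" \
  CA_DIR=out \
  CA_NAME=req_env_dn \
  try openssl x509 \
    -req -days 3650 \
    -in out/C2.csr \
    -extensions ca_cert \
    -signkey out/C.key \
    -out out/C2.pem

echo Generate the B and C intermediaries\' CSRs.
# The unused `name` variable that was assigned here has been dropped. The
# CA extensions for B and C are applied by the signer's `-extensions
# ca_cert` below, not by these CSRs.
for i in B C
do
  CA_COMMON_NAME="$i CA" \
    CA_DIR=out \
    CA_NAME=req_env_dn \
    KEY_SIZE=2048 \
    ALGO=rsa \
    CERT_TYPE=root \
    TYPE=$i CERTIFICATE=$i \
    try openssl req \
      -new \
      -key "out/$i.key" \
      -out "out/$i.csr" \
      -config redundant-ca.cnf
done

echo D signs the C intermediate.
# Make sure the signer's DB file exists; `openssl ca` refuses to run
# without its index file.
try touch out/D-index.txt
CA_COMMON_NAME="D Root CA" \
  CA_DIR=out \
  CA_NAME=req_env_dn \
  KEY_SIZE=2048 \
  ALGO=rsa \
  CERT_TYPE=root \
  TYPE=D CERTIFICATE=D \
  try openssl ca \
    -batch \
    -extensions ca_cert \
    -in out/C.csr \
    -out out/C.pem \
    -config redundant-ca.cnf

echo C signs the B intermediate.
try touch out/C-index.txt
CA_COMMON_NAME="C CA" \
  CA_DIR=out \
  CA_NAME=req_env_dn \
  KEY_SIZE=2048 \
  ALGO=rsa \
  CERT_TYPE=root \
  TYPE=C CERTIFICATE=C \
  try openssl ca \
    -batch \
    -extensions ca_cert \
    -in out/B.csr \
    -out out/B.pem \
    -config redundant-ca.cnf

echo Generate the A end-entity CSR.
# The end-entity request uses ee.cnf rather than the CA config.
try openssl req \
  -new \
  -key out/A.key \
  -out out/A.csr \
  -config ee.cnf

echo B signs A.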
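# `openssl ca` needs the signer's index file to exist.
try touch out/B-index.txt
# KEY_SIZE and ALGO previously referenced $signer_key_size and $signer_algo,
# which are never assigned in this script and so expanded to empty strings.
# They now state the signer B's actual key parameters (B.key is a 2048-bit
# RSA key), matching every other signing step.
CA_COMMON_NAME="B CA" \
  CA_DIR=out \
  CA_NAME=req_env_dn \
  KEY_SIZE=2048 \
  ALGO=rsa \
  CERT_TYPE=intermediate \
  TYPE=B CERTIFICATE=B \
  try openssl ca \
    -batch \
    -extensions user_cert \
    -in out/A.csr \
    -out out/A.pem \
    -config redundant-ca.cnf

# The chain files below start with A's *private* key (the test server needs
# it) followed by the certificates; they are test fixtures only and must not
# be reused outside the test suite. The concatenations are not run through
# `try` so that only file contents, never a trace line, reach the output.
echo Create redundant-server-chain.pem
# Chain 1 as served by the server: A -> B -> C -> D.
cat out/A.key out/A.pem out/B.pem out/C.pem out/D.pem \
  > redundant-server-chain.pem || exit 1

echo Create redundant-validated-chain.pem
# Chain 2 as the client validates it: A -> B -> C2.
cat out/A.key out/A.pem out/B.pem out/C2.pem \
  > redundant-validated-chain.pem || exit 1

echo Create redundant-validated-chain-root.pem
# The trust anchor installed on the client side (C2, not D).
cp out/C2.pem redundant-validated-chain-root.pem || exit 1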