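#!/bin/sh

# Copyright (c) 2011 The Chromium Authors. All rights reserved.
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.

# This script generates a set of test (end-entity, intermediate, root)
# certificates with (weak, strong), (RSA, DSA, ECDSA) key pairs.
#
# Everything is written to ./out, which is recreated on every run. The
# openssl invocations read ca.cnf / ee.cnf from the current directory and
# pick up CA_COMMON_NAME / CA_DIR / CA_NAME / KEY_SIZE / ALGO / CERT_TYPE
# from the environment.

# Stop at the first failing command and on any reference to an unset variable.
set -eu

# "<size>-<algo>" tokens; <size> is an RSA modulus length in bits or, for
# ECDSA, a curve name. The 768-bit RSA entry is intentionally weak: these
# chains exist so that weak-key handling can be tested.
key_types="768-rsa 1024-rsa 2048-rsa prime256v1-ecdsa"

# Log a command, run it, and exit the script if it fails.
# Arguments: the command and its arguments, passed through verbatim.
# The trace line goes to stderr so that a stdout redirect on the call site
# (e.g. `try echo 1 > out/...-serial`) captures only the command's own output
# and not the trace line as well.
try () {
  printf '%s\n' "$*" >&2
  "$@" || exit 1
}

# Print the openssl subcommand (plus fixed flags) that generates a private key
# for the algorithm named in $1.
# Arguments: $1 - one of dsa, ecdsa, rsa
# Outputs:   the subcommand on stdout
# Returns:   0 on success, 1 for an unknown algorithm. Callers that use
#            $(...) must check that status themselves: a failure inside a
#            command substitution does not stop the script on its own.
generate_key_command () {
  case "$1" in
    dsa)
      echo "dsaparam -genkey"
      ;;
    ecdsa)
      echo "ecparam -genkey"
      ;;
    rsa)
      echo genrsa
      ;;
    *)
      printf 'generate_key_command: unknown algorithm "%s"\n' "$1" >&2
      return 1
      ;;
  esac
}

try rm -rf out
try mkdir out

# Create the serial number files.
try echo 1 > out/2048-rsa-root-serial
for key_type in $key_types
do
  try echo 1 > "out/$key_type-intermediate-serial"
done

# Generate one root CA certificate.
try openssl genrsa -out out/2048-rsa-root.key 2048

CA_COMMON_NAME="2048 RSA Test Root CA" \
  CA_DIR=out \
  CA_NAME=req_env_dn \
  KEY_SIZE=2048 \
  ALGO=rsa \
  CERT_TYPE=root \
  try openssl req \
    -new \
    -key out/2048-rsa-root.key \
    -extensions ca_cert \
    -out out/2048-rsa-root.csr \
    -config ca.cnf

# Self-sign the root (validity 10 years); the root is its own trust anchor.
CA_COMMON_NAME="2048 RSA Test Root CA" \
  CA_DIR=out \
  CA_NAME=req_env_dn \
  try openssl x509 \
    -req -days 3650 \
    -in out/2048-rsa-root.csr \
    -extensions ca_cert \
    -signkey out/2048-rsa-root.key \
    -out out/2048-rsa-root.pem

# Generate private keys of all types and strengths for intermediate CAs and
# end-entities.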
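# Each key type is "<size>-<algo>". For RSA, <size> is the modulus length and
# is passed as the trailing genrsa argument; for ECDSA it is a curve name and
# is passed as "-name <curve>". $key_size and the generator command are
# expanded unquoted on purpose so that they split into separate words.

# Intermediate CA keys, one per key type.
for key_type in $key_types
do
  key_size=${key_type%%-*}
  algo=${key_type##*-}

  if [ "$algo" = ecdsa ]
  then
    key_size="-name $key_size"
  fi

  # A failure inside $(...) alone would not stop the script, and openssl would
  # then be run with a missing subcommand, so check the status explicitly.
  gen_cmd=$(generate_key_command "$algo") || exit 1

  # shellcheck disable=SC2086  # intentional word splitting, see above
  try openssl $gen_cmd \
    -out "out/$key_type-intermediate.key" $key_size
done

# End-entity keys: one per (key type, signing intermediate) pair.
for key_type in $key_types
do
  key_size=${key_type%%-*}
  algo=${key_type##*-}

  if [ "$algo" = ecdsa ]
  then
    key_size="-name $key_size"
  fi

  gen_cmd=$(generate_key_command "$algo") || exit 1

  for signer_key_type in $key_types
  do
    # shellcheck disable=SC2086  # intentional word splitting, see above
    try openssl $gen_cmd \
      -out "out/$key_type-ee-by-$signer_key_type-intermediate.key" $key_size
  done
done

# The root signs the intermediates.

# Make sure the signer's DB file exists. The root is the signer for every
# iteration below, so this only needs to happen once.
try touch out/2048-rsa-root-index.txt

for key_type in $key_types
do
  key_size=${key_type%%-*}
  algo=${key_type##*-}

  # Request for the intermediate; the CN records the intermediate's own
  # key size and algorithm.
  CA_COMMON_NAME="$key_size $algo Test intermediate CA" \
    CA_DIR=out \
    CA_NAME=req_env_dn \
    KEY_SIZE=$key_size \
    ALGO=$algo \
    CERT_TYPE=intermediate \
    try openssl req \
      -new \
      -key "out/$key_type-intermediate.key" \
      -out "out/$key_type-intermediate.csr" \
      -config ca.cnf

  # Issue it from the root; the environment here describes the signer.
  CA_COMMON_NAME="2048 RSA Test Root CA" \
    CA_DIR=out \
    CA_NAME=req_env_dn \
    KEY_SIZE=2048 \
    ALGO=rsa \
    CERT_TYPE=root \
    try openssl ca \
      -batch \
      -extensions ca_cert \
      -in "out/$key_type-intermediate.csr" \
      -out "out/$key_type-intermediate.pem" \
      -config ca.cnf
done

# The intermediates sign the end-entities.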
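# For every (end-entity key type, signing intermediate) pair, create a CSR
# from the end-entity key and have that intermediate issue the certificate.
for key_type in $key_types
do
  # The end-entity's own size/algorithm do not depend on the signer, so they
  # are derived once per outer iteration.
  key_size=${key_type%%-*}
  algo=${key_type##*-}

  for signer_key_type in $key_types
  do
    signer_key_size=${signer_key_type%%-*}
    signer_algo=${signer_key_type##*-}

    # Make sure the signer's DB file exists.
    try touch "out/$signer_key_type-intermediate-index.txt"

    KEY_SIZE=$key_size \
      try openssl req \
        -new \
        -key "out/$key_type-ee-by-$signer_key_type-intermediate.key" \
        -out "out/$key_type-ee-by-$signer_key_type-intermediate.csr" \
        -config ee.cnf

    # The environment describes the signer, so CA_COMMON_NAME must be built
    # from the signer's size *and* algorithm (previously the end-entity's
    # algorithm was used here), mirroring the CN the intermediate was
    # requested with when the root issued it.
    CA_COMMON_NAME="$signer_key_size $signer_algo Test intermediate CA" \
      CA_DIR=out \
      CA_NAME=req_env_dn \
      KEY_SIZE=$signer_key_size \
      ALGO=$signer_algo \
      CERT_TYPE=intermediate \
      try openssl ca \
        -batch \
        -in "out/$key_type-ee-by-$signer_key_type-intermediate.csr" \
        -out "out/$key_type-ee-by-$signer_key_type-intermediate.pem" \
        -config ca.cnf
  done
done
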