1#!/bin/sh 2 3# Copyright 2014 The Chromium Authors. All rights reserved. 4# Use of this source code is governed by a BSD-style license that can be 5# found in the LICENSE file. 6 7# This script generates two chains of test certificates: 8# 9# 1. A (end-entity) -> B -> C -> D (self-signed root) 10# 2. A (end-entity) -> B -> C2 -> E (self-signed root) 11# 12# C and C2 have the same subject and keypair. 13# 14# We use these cert chains in CertVerifyProcChromeOSTest 15# to ensure that multiple verification paths are properly handled. 16 17try () { 18 echo "$@" 19 "$@" || exit 1 20} 21 22try rm -rf out 23try mkdir out 24 25echo Create the serial number files. 26serial=1000 27for i in B C C2 D E 28do 29 try /bin/sh -c "echo $serial > out/$i-serial" 30 serial=$(expr $serial + 1) 31done 32 33echo Generate the keys. 34try openssl genrsa -out out/A.key 2048 35try openssl genrsa -out out/B.key 2048 36try openssl genrsa -out out/C.key 2048 37try openssl genrsa -out out/D.key 2048 38try openssl genrsa -out out/E.key 2048 39 40echo Generate the D CSR. 41CA_COMMON_NAME="D Root CA" \ 42 CERTIFICATE=D \ 43 try openssl req \ 44 -new \ 45 -key out/D.key \ 46 -out out/D.csr \ 47 -config redundant-ca.cnf 48 49echo D signs itself. 50CA_COMMON_NAME="D Root CA" \ 51 try openssl x509 \ 52 -req -days 3650 \ 53 -in out/D.csr \ 54 -extensions ca_cert \ 55 -extfile redundant-ca.cnf \ 56 -signkey out/D.key \ 57 -out out/D.pem \ 58 -text 59 60echo Generate the E CSR. 61CA_COMMON_NAME="E Root CA" \ 62 CERTIFICATE=E \ 63 try openssl req \ 64 -new \ 65 -key out/E.key \ 66 -out out/E.csr \ 67 -config redundant-ca.cnf 68 69echo E signs itself. 70CA_COMMON_NAME="E Root CA" \ 71 try openssl x509 \ 72 -req -days 3650 \ 73 -in out/E.csr \ 74 -extensions ca_cert \ 75 -extfile redundant-ca.cnf \ 76 -signkey out/E.key \ 77 -out out/E.pem \ 78 -text 79 80echo Generate the C2 intermediary CSR. 81CA_COMMON_NAME="C CA" \ 82 CERTIFICATE=C2 \ 83 try openssl req \ 84 -new \ 85 -key out/C.key \ 86 -out out/C2.csr \ 87 -config redundant-ca.cnf 88 89echo Generate the B and C intermediaries\' CSRs. 90for i in B C 91do 92 CA_COMMON_NAME="$i CA" \ 93 CERTIFICATE="$i" \ 94 try openssl req \ 95 -new \ 96 -key "out/$i.key" \ 97 -out "out/$i.csr" \ 98 -config redundant-ca.cnf 99done 100 101echo D signs the C intermediate. 102# Make sure the signer's DB file exists. 103touch out/D-index.txt 104CA_COMMON_NAME="D Root CA" \ 105 CERTIFICATE=D \ 106 try openssl ca \ 107 -batch \ 108 -extensions ca_cert \ 109 -in out/C.csr \ 110 -out out/C.pem \ 111 -config redundant-ca.cnf 112 113echo E signs the C2 intermediate. 114# Make sure the signer's DB file exists. 115touch out/E-index.txt 116CA_COMMON_NAME="E Root CA" \ 117 CERTIFICATE=E \ 118 try openssl ca \ 119 -batch \ 120 -extensions ca_cert \ 121 -in out/C2.csr \ 122 -out out/C2.pem \ 123 -config redundant-ca.cnf 124 125echo C signs the B intermediate. 126touch out/C-index.txt 127CA_COMMON_NAME="C CA" \ 128 CERTIFICATE=C \ 129 try openssl ca \ 130 -batch \ 131 -extensions ca_cert \ 132 -in out/B.csr \ 133 -out out/B.pem \ 134 -config redundant-ca.cnf 135 136echo Generate the A end-entity CSR. 137try openssl req \ 138 -new \ 139 -key out/A.key \ 140 -out out/A.csr \ 141 -config ee.cnf 142 143echo B signs A. 144touch out/B-index.txt 145CA_COMMON_NAME="B CA" \ 146 CERTIFICATE=B \ 147 try openssl ca \ 148 -batch \ 149 -extensions user_cert \ 150 -in out/A.csr \ 151 -out out/A.pem \ 152 -config redundant-ca.cnf 153 154echo Create multi-root-chain1.pem 155try /bin/sh -c "cat out/A.key out/A.pem out/B.pem out/C.pem out/D.pem \ 156 > ../certificates/multi-root-chain1.pem" 157 158echo Create multi-root-chain2.pem 159try /bin/sh -c "cat out/A.key out/A.pem out/B.pem out/C2.pem out/E.pem \ 160 > ../certificates/multi-root-chain2.pem" 161 162