#!/bin/sh

# Copyright (c) 2011 The Chromium Authors. All rights reserved.
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.

# This script generates a set of test (end-entity, intermediate, root)
# certificates with (weak, strong), (RSA, DSA, ECDSA) key pairs.

# Key types to generate, each written as <size-or-curve>-<algorithm>.
# No DSA entry is listed, although generate_key_command accepts dsa.

# 768- and 1024-bit RSA: presumably the "weak" cases named in the file header.
key_types="768-rsa 1024-rsa"
# 2048-bit RSA and prime256v1 (P-256) ECDSA: presumably the "strong" cases.
key_types="$key_types 2048-rsa prime256v1-ecdsa"

# Echo a command line to stdout, then run it. If the command fails, the whole
# script exits with status 1 (whatever the command's own status was).
# Arguments: the command and its arguments, passed through unchanged.
try () {
  echo "$@"
  if ! "$@"
  then
    exit 1
  fi
}

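# Print the openssl subcommand (plus its fixed flags) that generates a
# private key for the given algorithm.
# Arguments: $1 - algorithm name: dsa, ecdsa or rsa
# Outputs:   the subcommand words on stdout; a diagnostic on stderr when the
#            algorithm is not supported
# Returns:   exits with status 1 for an unsupported algorithm. The callers in
#            this script invoke it inside $(...), so that exit ends only the
#            substitution subshell and leaves the substituted text empty.
generate_key_command () {
  case "$1" in
    dsa)
      echo "dsaparam -genkey"
      ;;
    ecdsa)
      echo "ecparam -genkey"
      ;;
    rsa)
      echo genrsa
      ;;
    *)
      # Say which value was rejected instead of failing silently.
      echo "generate_key_command: unsupported key algorithm '$1'" >&2
      exit 1
      ;;
  esac
}
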
# Start from an empty output directory. "out" is a relative path, so this
# removes ./out of whatever directory the script is started from.
try rm -rf out
try mkdir out

# Create the serial number files.
# Each file starts at 01. The redirection has to run inside a child /bin/sh
# because try receives its command as plain arguments. Interpolating
# $key_type into that command string is safe only because key_types is a
# fixed list defined in this script.
try /bin/sh -c "echo 01 > out/2048-rsa-root-serial"
for key_type in $key_types; do
  try /bin/sh -c "echo 01 > out/${key_type}-intermediate-serial"
done

# Generate one root CA certificate.
root_key=out/2048-rsa-root.key
root_csr=out/2048-rsa-root.csr
root_pem=out/2048-rsa-root.pem
root_cn="2048 RSA Test Root CA"

# 2048-bit RSA key for the root. No cipher option is passed to genrsa, so the
# private key is written to disk unencrypted.
try openssl genrsa -out "$root_key" 2048

# Certificate request for the root. The variables prefixed to the command are
# presumably read by ca.cnf, which is not part of this file -- confirm there.
CA_COMMON_NAME="$root_cn" \
  CA_DIR=out \
  CA_NAME=req_env_dn \
  KEY_SIZE=2048 \
  ALGO=rsa \
  CERT_TYPE=root \
  try openssl req \
    -new \
    -key "$root_key" \
    -extensions ca_cert \
    -out "$root_csr" \
    -config ca.cnf

# Self-sign the request with the root's own key (-signkey) for 3650 days,
# taking extensions from the ca_cert section of ca.cnf.
CA_COMMON_NAME="$root_cn" \
  CA_DIR=out \
  CA_NAME=req_env_dn \
  try openssl x509 \
    -req \
    -days 3650 \
    -in "$root_csr" \
    -extensions ca_cert \
    -extfile ca.cnf \
    -signkey "$root_key" \
    -out "$root_pem" \
    -text

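# Generate private keys of all types and strengths for intermediate CAs and
# end-entities.
#
# Each key_type is <size-or-curve>-<algorithm> (e.g. 768-rsa). The two halves
# are split with POSIX parameter expansion, which gives the same result as the
# former echo | sed -E pipelines for every entry in key_types without forking
# two processes per field.

# One key per intermediate CA.
for key_type in $key_types
do
  key_size=${key_type%%-*}
  algo=${key_type##*-}

  # For ecdsa the first half is a curve name, passed as "-name <curve>"; for
  # the other algorithms it is passed as a trailing bit count.
  # "$algo" is quoted so that an empty value cannot break the test.
  if [ ecdsa = "$algo" ]
  then
    key_size="-name $key_size"
  fi

  # $(generate_key_command ...) and $key_size stay unquoted on purpose: both
  # may hold several words ("ecparam -genkey", "-name prime256v1") that must
  # reach openssl as separate arguments. If generate_key_command rejects the
  # algorithm its output is empty and openssl is run without a subcommand.
  try openssl $(generate_key_command "$algo") \
    -out "out/$key_type-intermediate.key" $key_size
done

# One end-entity key per (end-entity key type, signer key type) pair.
for key_type in $key_types
do
  key_size=${key_type%%-*}
  algo=${key_type##*-}

  if [ ecdsa = "$algo" ]
  then
    key_size="-name $key_size"
  fi

  for signer_key_type in $key_types
  do
    # Unquoted for word splitting, as in the loop above.
    try openssl $(generate_key_command "$algo") \
      -out "out/$key_type-ee-by-$signer_key_type-intermediate.key" $key_size
  done
done
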
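# The root signs the intermediates.

# Make sure the signer's DB file exists. The path does not depend on the loop
# variable, so it is created once, and through try so that a failure stops the
# script here instead of surfacing later inside openssl ca.
try touch out/2048-rsa-root-index.txt

for key_type in $key_types
do
  # key_type is <size-or-curve>-<algorithm>; split it with POSIX parameter
  # expansion (same result as the former sed -E calls for every listed entry).
  key_size=${key_type%%-*}
  algo=${key_type##*-}

  # Certificate request for this intermediate, signed with its own key. The
  # prefixed variables are presumably read by ca.cnf -- confirm in that file.
  CA_COMMON_NAME="$key_size $algo Test intermediate CA" \
    CA_DIR=out \
    CA_NAME=req_env_dn \
    KEY_SIZE="$key_size" \
    ALGO="$algo" \
    CERT_TYPE=intermediate \
    try openssl req \
      -new \
      -key "out/$key_type-intermediate.key" \
      -out "out/$key_type-intermediate.csr" \
      -config ca.cnf

  # Issue the intermediate certificate with the root's settings. -batch signs
  # without prompting; -extensions ca_cert applies the same ca.cnf section
  # that was used for the root certificate.
  CA_COMMON_NAME="2048 RSA Test Root CA" \
    CA_DIR=out \
    CA_NAME=req_env_dn \
    KEY_SIZE=2048 \
    ALGO=rsa \
    CERT_TYPE=root \
    try openssl ca \
      -batch \
      -extensions ca_cert \
      -in "out/$key_type-intermediate.csr" \
      -out "out/$key_type-intermediate.pem" \
      -config ca.cnf
done
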
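# The intermediates sign the end-entities.
# Every end-entity key type is signed by every intermediate key type, giving
# one certificate per (end-entity, signer) pair.
for key_type in $key_types
do
  # Each type is <size-or-curve>-<algorithm>; split it with POSIX parameter
  # expansion (same result as the former sed -E calls for every listed entry).
  # The end-entity's algorithm is not needed in this loop.
  key_size=${key_type%%-*}

  for signer_key_type in $key_types
  do
    signer_key_size=${signer_key_type%%-*}
    signer_algo=${signer_key_type##*-}
    ee_base="out/$key_type-ee-by-$signer_key_type-intermediate"

    # Make sure the signing intermediate's DB file exists; run through try so
    # a failure stops the script here rather than inside openssl ca.
    try touch "out/$signer_key_type-intermediate-index.txt"

    KEY_SIZE="$key_size" \
      try openssl req \
        -new \
        -key "$ee_base.key" \
        -out "$ee_base.csr" \
        -config ee.cnf

    # The signer's common name is built from the signer's size AND the
    # signer's algorithm, matching the name the intermediate was requested
    # under. This previously used the end-entity's algorithm. Whether ca.cnf
    # consults CA_COMMON_NAME while signing is not visible here -- confirm.
    CA_COMMON_NAME="$signer_key_size $signer_algo Test intermediate CA" \
      CA_DIR=out \
      CA_NAME=req_env_dn \
      KEY_SIZE="$signer_key_size" \
      ALGO="$signer_algo" \
      CERT_TYPE=intermediate \
      try openssl ca \
        -batch \
        -in "$ee_base.csr" \
        -out "$ee_base.pem" \
        -config ca.cnf
  done
done
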
# Copy final outputs.
# Only *.pem certificates are copied; the private keys stay in out/. The
# second glob also matches the end-entity certificates, whose file names end
# in -intermediate.pem. The globs are unquoted so that the shell expands them.
try cp \
  out/*root*pem \
  out/*intermediate*pem \
  ../certificates