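#!/bin/sh

# Copyright (c) 2011 The Chromium Authors. All rights reserved.
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.

# This script generates a set of test (end-entity, intermediate, root)
# certificates with (weak, strong), (RSA, DSA, ECDSA) key pairs.
#
# All work happens under ./out, which is recreated from scratch on every run;
# the resulting PEM certificates are copied to ../certificates at the end.
# Expects ca.cnf and ee.cnf in the current directory and the openssl CLI on
# PATH.

# Space-separated "<size-or-curve>-<algo>" tokens.  The 768-bit and 1024-bit
# RSA entries are deliberately weak: these are test fixtures for exercising
# weak-key handling, not keys for real use.
key_types="768-rsa 1024-rsa 2048-rsa prime256v1-ecdsa"

# Echo a command, run it, and abort the whole script if it fails.  This is the
# script's only error handling (there is no `set -e`), so every step whose
# failure matters must go through it.  printf is used instead of echo so that
# an argument such as "-n" cannot be swallowed as an echo option.
try () {
  printf '%s\n' "$*"
  "$@" || exit 1
}

# Print the openssl subcommand (plus fixed options) that generates a private
# key for the algorithm named in $1.  Callers expand the output unquoted into
# an openssl command line, so the result must stay a single space-separated
# word list.
#
# Callers invoke this inside $(...): `exit 1` only leaves that subshell, and
# the calling `try` sees an empty expansion rather than this failure (openssl
# then fails on the missing subcommand).  The stderr message makes such a
# misconfiguration visible instead of silent.
generate_key_command () {
  case "$1" in
    dsa)
      echo "dsaparam -genkey"
      ;;
    ecdsa)
      echo "ecparam -genkey"
      ;;
    rsa)
      echo genrsa
      ;;
    *)
      echo "generate_key_command: unknown key algorithm '$1'" >&2
      exit 1
      ;;
  esac
}

# Start from a clean output directory so that serial/index state left by a
# previous run cannot leak into the new certificates.
try rm -rf out
try mkdir out

# Create the serial number files.  The redirection runs inside a child shell
# so that `try` sees the exit status of the whole step.
try /bin/sh -c "echo 01 > out/2048-rsa-root-serial"
for key_type in $key_types
do
  try /bin/sh -c "echo 01 > out/$key_type-intermediate-serial"
done

# Generate one root CA certificate.
try openssl genrsa -out out/2048-rsa-root.key 2048

# CA_COMMON_NAME/CA_DIR/CA_NAME/KEY_SIZE/ALGO/CERT_TYPE are environment
# inputs presumably consumed by ca.cnf (the req_env_dn section) to build the
# subject name -- confirm against ca.cnf.
#
# NOTE(review): per openssl's req(1), -extensions only takes effect together
# with -x509; for a plain `req -new` it does not alter the CSR.  The CA
# extensions are applied in the self-signing x509 step below via -extfile.
CA_COMMON_NAME="2048 RSA Test Root CA" \
  CA_DIR=out \
  CA_NAME=req_env_dn \
  KEY_SIZE=2048 \
  ALGO=rsa \
  CERT_TYPE=root \
  try openssl req \
    -new \
    -key out/2048-rsa-root.key \
    -extensions ca_cert \
    -out out/2048-rsa-root.csr \
    -config ca.cnf

# Self-sign the root CSR with its own key.  -days 3650 gives the test root a
# ten-year validity; -text appends a human-readable dump to the PEM file.
CA_COMMON_NAME="2048 RSA Test Root CA" \
  CA_DIR=out \
  CA_NAME=req_env_dn \
  try openssl x509 \
    -req -days 3650 \
    -in out/2048-rsa-root.csr \
    -extensions ca_cert \
    -extfile ca.cnf \
    -signkey out/2048-rsa-root.key \
    -out out/2048-rsa-root.pem \
    -text

# Generate private keys of all types and strengths for intermediate CAs and
# end-entities.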
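# Each key_type token is "<size-or-curve>-<algo>": the part before the first
# '-' is the RSA key size or the ECDSA curve name, the part after the last '-'
# is the algorithm.  Parameter expansion replaces the former sed pipelines;
# it yields the same split for every token in key_types without forking.
#
# For ECDSA the "size" is a curve name that `ecparam` expects as
# `-name <curve>`, so key_size is rewritten and then expanded UNQUOTED on
# purpose so it splits into two arguments.  $(generate_key_command ...) is
# unquoted for the same reason.
for key_type in $key_types
do
  key_size=${key_type%%-*}
  algo=${key_type##*-}

  if [ ecdsa = "$algo" ]
  then
    key_size="-name $key_size"
  fi

  try openssl $(generate_key_command "$algo") \
    -out "out/$key_type-intermediate.key" $key_size
done

# One end-entity key per (end-entity type, signing intermediate type) pair.
for key_type in $key_types
do
  key_size=${key_type%%-*}
  algo=${key_type##*-}

  if [ ecdsa = "$algo" ]
  then
    key_size="-name $key_size"
  fi

  for signer_key_type in $key_types
  do
    try openssl $(generate_key_command "$algo") \
      -out "out/$key_type-ee-by-$signer_key_type-intermediate.key" $key_size
  done
done

# The root signs the intermediates.
#
# `openssl ca` keeps the signer's state in its serial and index files under
# out/.  The serial file was written above; the (initially empty) index is
# created here, once, and checked through `try` so a failure is not ignored.
try touch out/2048-rsa-root-index.txt

for key_type in $key_types
do
  key_size=${key_type%%-*}
  algo=${key_type##*-}

  # The CA_*/KEY_SIZE/ALGO/CERT_TYPE variables describe the subject being
  # requested; presumably consumed by ca.cnf -- confirm against ca.cnf.
  CA_COMMON_NAME="$key_size $algo Test intermediate CA" \
    CA_DIR=out \
    CA_NAME=req_env_dn \
    KEY_SIZE=$key_size \
    ALGO=$algo \
    CERT_TYPE=intermediate \
    try openssl req \
      -new \
      -key "out/$key_type-intermediate.key" \
      -out "out/$key_type-intermediate.csr" \
      -config ca.cnf

  # Here the same variables describe the signer (the root).  -batch runs
  # non-interactively; -extensions ca_cert marks the result as a CA.
  CA_COMMON_NAME="2048 RSA Test Root CA" \
    CA_DIR=out \
    CA_NAME=req_env_dn \
    KEY_SIZE=2048 \
    ALGO=rsa \
    CERT_TYPE=root \
    try openssl ca \
      -batch \
      -extensions ca_cert \
      -in "out/$key_type-intermediate.csr" \
      -out "out/$key_type-intermediate.pem" \
      -config ca.cnf
done

# The intermediates sign the end-entities.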
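# Outer loop: the end-entity key type.  Inner loop: the intermediate that
# signs it.  The end-entity's own size/algo are loop-invariant for the inner
# loop, so they are split once here (parameter expansion, same result as the
# former sed pipelines for every token in key_types).
for key_type in $key_types
do
  key_size=${key_type%%-*}
  algo=${key_type##*-}

  for signer_key_type in $key_types
  do
    signer_key_size=${signer_key_type%%-*}
    signer_algo=${signer_key_type##*-}

    # Make sure the signer's `openssl ca` index file exists; checked via
    # `try` so a failure is not silently ignored.
    try touch "out/$signer_key_type-intermediate-index.txt"

    # Only KEY_SIZE is passed to ee.cnf (presumably it builds the subject
    # from it -- confirm against ee.cnf).
    KEY_SIZE=$key_size \
      try openssl req \
        -new \
        -key "out/$key_type-ee-by-$signer_key_type-intermediate.key" \
        -out "out/$key_type-ee-by-$signer_key_type-intermediate.csr" \
        -config ee.cnf

    # The CA_*/KEY_SIZE/ALGO/CERT_TYPE variables describe the SIGNER, so
    # CA_COMMON_NAME uses $signer_algo here.  The previous text used $algo
    # (the end-entity's algorithm), which disagreed with the name the
    # intermediate was actually created under whenever the two algorithms
    # differed (e.g. an RSA end-entity signed by the ECDSA intermediate);
    # it now matches the CA_COMMON_NAME used when that intermediate was
    # requested.
    CA_COMMON_NAME="$signer_key_size $signer_algo Test intermediate CA" \
      CA_DIR=out \
      CA_NAME=req_env_dn \
      KEY_SIZE=$signer_key_size \
      ALGO=$signer_algo \
      CERT_TYPE=intermediate \
      try openssl ca \
        -batch \
        -in "out/$key_type-ee-by-$signer_key_type-intermediate.csr" \
        -out "out/$key_type-ee-by-$signer_key_type-intermediate.pem" \
        -config ca.cnf
  done
done

# Copy final outputs.  Only the certificates (*.pem) are copied: the root and
# every intermediate and end-entity certificate match these globs, while the
# private keys (*.key), CSRs and ca database files stay in out/.
try cp out/*root*pem out/*intermediate*pem ../certificates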