net/data/ssl/scripts/generate-cross-signed-certs.sh

   1 #!/bin/sh
   2
   3 # Copyright 2013 The Chromium Authors. All rights reserved.
   4 # Use of this source code is governed by a BSD-style license that can be
   5 # found in the LICENSE file.
   6
   7 # This script generates a two roots - one legacy one signed with MD5, and
   8 # another (newer) one signed with SHA256 - and has a leaf certificate signed
   9 # by these without any distinguishers.
  10 #
  11 # The "cross-signed" comes from the fact that both the MD5 and SHA256 roots
  12 # share the same Authority Key ID, Subject Key ID, Subject, and Subject Public
  13 # Key Info. When the chain building algorithm is evaluating paths, if it prefers
  14 # untrusted over trusted, then it will see the MD5 certificate as a self-signed
  15 # cert that is "cross-signed" by the trusted SHA256 root.
  16 #
  17 # The SHA256 root should be (temporarily) trusted, and the resulting chain
  18 # should be leaf -> SHA256root, not leaf -> MD5root, leaf -> SHA256root ->
  19 # MD5root, or leaf -> MD5root -> SHA256root
  20
  21 try() {
  22   "$@" || (e=$?; echo "$@" > /dev/stderr; exit $e)
  23 }
  24
  25 try rm -rf out
  26 try mkdir out
  27
  28 try /bin/sh -c "echo 01 > out/2048-sha256-root-serial"
  29 try /bin/sh -c "echo 02 > out/2048-md5-root-serial"
  30 touch out/2048-sha256-root-index.txt
  31 touch out/2048-md5-root-index.txt
  32
  33 # Generate the key
  34 try openssl genrsa -out out/2048-sha256-root.key 2048
  35
  36 # Generate the root certificate
  37 CA_COMMON_NAME="Test Dup-Hash Root CA" \
  38   try openssl req \
  39     -new \
  40     -key out/2048-sha256-root.key \
  41     -out out/2048-sha256-root.req \
  42     -config ca.cnf
  43
  44 CA_COMMON_NAME="Test Dup-Hash Root CA" \
  45   try openssl x509 \
  46     -req -days 3650 \
  47     -sha256 \
  48     -in out/2048-sha256-root.req \
  49     -out out/2048-sha256-root.pem \
  50     -text \
  51     -signkey out/2048-sha256-root.key \
  52     -extfile ca.cnf \
  53     -extensions ca_cert
  54
  55 CA_COMMON_NAME="Test Dup-Hash Root CA" \
  56   try openssl x509 \
  57     -req -days 3650 \
  58     -md5 \
  59     -in out/2048-sha256-root.req \
  60     -out out/2048-md5-root.pem \
  61     -text \
  62     -signkey out/2048-sha256-root.key \
  63     -extfile ca.cnf \
  64     -extensions ca_cert
  65
  66 # Generate the leaf certificate request
  67 try openssl req \
  68   -new \
  69   -keyout out/ok_cert.key \
  70   -out out/ok_cert.req \
  71   -config ee.cnf
  72
  73 # Generate the leaf certificates
  74 CA_COMMON_NAME="Test Dup-Hash Root CA" \
  75   try openssl ca \
  76     -batch \
  77     -extensions user_cert \
  78     -days 3650 \
  79     -in out/ok_cert.req \
  80     -out out/ok_cert.pem \
  81     -config ca.cnf
  82
  83 try openssl x509 -text \
  84     -in out/2048-md5-root.pem > ../certificates/cross-signed-root-md5.pem
  85 try openssl x509 -text \
  86     -in out/2048-sha256-root.pem > ../certificates/cross-signed-root-sha256.pem
  87 try openssl x509 -text \
  88     -in out/ok_cert.pem > ../certificates/cross-signed-leaf.pem