| blob | feb24532b4d325bd34941501c9fe08d389d6754b |
1 #!/bin/sh
3 # Copyright 2013 The Chromium Authors. All rights reserved.
4 # Use of this source code is governed by a BSD-style license that can be
5 # found in the LICENSE file.
7 # This script generates a set of test (end-entity, intermediate, root)
8 # certificates that can be used to test fetching of an intermediate via AIA.
10 try() {
12 }
15 try mkdir out
20 # Generate the key
23 # Generate the root certificate
25 try openssl req \
26 -new \
29 -config ca.cnf
32 try openssl x509 \
36 -extfile ca.cnf \
37 -extensions ca_cert \
40 # Generate the leaf certificate requests
41 try openssl req \
42 -new \
45 -config ee.cnf
47 try openssl req \
48 -new \
51 -config ee.cnf
53 SUBJECT_NAME=req_localhost_cn \
54 try openssl req \
55 -new \
58 -reqexts req_localhost_san \
59 -config ee.cnf
61 # Generate the leaf certificates
63 try openssl ca \
64 -batch \
65 -extensions user_cert \
70 -config ca.cnf
73 try openssl ca \
74 -batch \
75 -extensions user_cert \
79 -config ca.cnf
82 try openssl ca \
83 -batch \
84 -extensions name_constraint_bad \
89 -config ca.cnf
92 try openssl ca \
93 -batch \
94 -extensions name_constraint_good \
99 -config ca.cnf
102 try openssl ca \
103 -batch \
104 -extensions user_cert \
108 -config ca.cnf
111 try openssl ca \
112 -batch \
113 -extensions user_cert \
119 -config ca.cnf
122 > ../certificates/ok_cert.pem"
124 > ../certificates/localhost_cert.pem"
126 > ../certificates/expired_cert.pem"
128 > ../certificates/root_ca_cert.pem"
130 > ../certificates/name_constraint_bad.pem"
132 > ../certificates/name_constraint_good.pem"
134 > ../certificates/bad_validity.pem"
136 # Now generate the one-off certs
137 ## SHA-256 general test cert
140 -sha256 \
143 ## Self-signed cert for SPDY/QUIC/HTTP2 pooling testing
148 ## SubjectAltName parsing
153 ## Punycode handling
159 ## Reject intranet hostnames in "publicly" trusted certs
160 # 365 * 3 = 1095
166 ## Leaf certificate with a large key; Apple's certificate verifier rejects with
167 ## a fatal error if the key is bigger than 4096 bits.
170 -sha256 \
173 ## Validity too long unit test support.
177 try openssl ca \
178 -batch \
179 -extensions user_cert \
184 -config ca.cnf
185 # 365 * 11 = 4015
189 try openssl ca \
190 -batch \
191 -extensions user_cert \
196 -config ca.cnf
200 try openssl ca \
201 -batch \
202 -extensions user_cert \
207 -config ca.cnf
211 try openssl ca \
212 -batch \
213 -extensions user_cert \
218 -config ca.cnf
222 try openssl ca \
223 -batch \
224 -extensions user_cert \
229 -config ca.cnf
232 # 30 * 61 = 1830
234 try openssl ca \
235 -batch \
236 -extensions user_cert \
241 -config ca.cnf
242 # start date after expiry date
246 try openssl ca \
247 -batch \
248 -extensions user_cert \
253 -config ca.cnf
256 # Issued pre-BRs, lifetime < 120 months, expires before 2019-07-01
260 try openssl ca \
261 -batch \
262 -extensions user_cert \
267 -config ca.cnf
270 # Issued pre-BRs, lifetime > 120 months, expires before 2019-07-01
274 try openssl ca \
275 -batch \
276 -extensions user_cert \
281 -config ca.cnf
284 # Issued pre-BRs, lifetime < 120 months, expires after 2019-07-01
288 try openssl ca \
289 -batch \
290 -extensions user_cert \
295 -config ca.cnf
299 # Regenerate CRLSets
300 ## Block a leaf cert directly by SPKI
302 <<CRLBYLEAFSPKI
303 {
304 "BlockedBySPKI": ["../certificates/ok_cert.pem"]
305 }
306 CRLBYLEAFSPKI
308 ## Block a leaf cert by issuer-hash-and-serial (ok_cert.pem == serial 2, by
309 ## virtue of the serial file and ordering above.
311 <<CRLBYROOTSERIAL
312 {
313 "BlockedByHash": {
314 "../certificates/root_ca_cert.pem": [2]
315 }
316 }
317 CRLBYROOTSERIAL
319 ## Block a leaf cert by issuer-hash-and-serial. However, this will be issued
320 ## from an intermediate CA issued underneath a root.
322 <<CRLSETBYINTERMEDIATESERIAL
323 {
324 "BlockedByHash": {
325 "../certificates/quic_intermediate.crt": [3]
326 }
327 }
328 CRLSETBYINTERMEDIATESERIAL