net/data/ssl/scripts/generate-duplicate-cn-certs.sh

   1 #!/bin/sh
   2
   3 # Copyright (c) 2013 The Chromium Authors. All rights reserved.
   4 # Use of this source code is governed by a BSD-style license that can be
   5 # found in the LICENSE file.
   6
   7 # This script generates two chains of test certificates:
   8 #    1. A1 (end-entity) -> B (self-signed root)
   9 #    2. A2 (end-entity) -> B (self-signed root)
  10 #
  11 # In which A1 and A2 share the same key, the same subject common name, but have
  12 # distinct O values in their subjects.
  13 #
  14 # This is used to test that NSS can properly generate unique certificate
  15 # nicknames for both certificates.
  16
  17 try () {
  18   echo "$@"
  19   $@ || exit 1
  20 }
  21
  22 generate_key_command () {
  23   case "$1" in
  24     rsa)
  25       echo genrsa
  26       ;;
  27     *)
  28       exit 1
  29   esac
  30 }
  31
  32 try rm -rf out
  33 try mkdir out
  34
  35 echo Create the serial number and index files.
  36 try echo 1 > out/B-serial
  37 try touch out/B-index.txt
  38
  39 echo Generate the keys.
  40 try openssl genrsa -out out/A.key 2048
  41 try openssl genrsa -out out/B.key 2048
  42
  43 echo Generate the B CSR.
  44 CA_COMMON_NAME="B Root CA" \
  45   CA_DIR=out \
  46   CA_NAME=req_env_dn \
  47   KEY_SIZE=2048 \
  48   ALGO=rsa \
  49   CERT_TYPE=root \
  50   TYPE=B CERTIFICATE=B \
  51   try openssl req \
  52     -new \
  53     -key out/B.key \
  54     -out out/B.csr \
  55     -config redundant-ca.cnf
  56
  57 echo B signs itself.
  58 CA_COMMON_NAME="B Root CA" \
  59   CA_DIR=out \
  60   CA_NAME=req_env_dn \
  61   try openssl x509 \
  62     -req -days 3650 \
  63     -in out/B.csr \
  64     -extfile redundant-ca.cnf \
  65     -extensions ca_cert \
  66     -signkey out/B.key \
  67     -out out/B.pem
  68
  69 echo Generate the A1 end-entity CSR.
  70 SUBJECT_NAME=req_duplicate_cn_1 \
  71   try openssl req \
  72     -new \
  73     -key out/A.key \
  74     -out out/A1.csr \
  75     -config ee.cnf
  76
  77 echo Generate the A2 end-entity CSR
  78 SUBJECT_NAME=req_duplicate_cn_2 \
  79   try openssl req \
  80     -new \
  81     -key out/A.key \
  82     -out out/A2.csr \
  83     -config ee.cnf
  84
  85
  86 echo B signs A1.
  87 CA_COMMON_NAME="B CA" \
  88   CA_DIR=out \
  89   CA_NAME=req_env_dn \
  90   KEY_SIZE=2048 \
  91   ALGO=sha1 \
  92   CERT_TYPE=intermediate \
  93   TYPE=B CERTIFICATE=B \
  94   try openssl ca \
  95     -batch \
  96     -extensions user_cert \
  97     -in out/A1.csr \
  98     -out out/A1.pem \
  99     -config redundant-ca.cnf
 100
 101 echo B signs A2.
 102 CA_COMMON_NAME="B CA" \
 103   CA_DIR=out \
 104   CA_NAME=req_env_dn \
 105   KEY_SIZE=2048 \
 106   ALGO=sha1 \
 107   CERT_TYPE=intermediate \
 108   TYPE=B CERTIFICATE=B \
 109   try openssl ca \
 110     -batch \
 111     -extensions user_cert \
 112     -in out/A2.csr \
 113     -out out/A2.pem \
 114     -config redundant-ca.cnf
 115
 116 echo Exporting the certificates to PKCS#12
 117 try openssl pkcs12 \
 118   -export \
 119   -inkey out/A.key \
 120   -in out/A1.pem \
 121   -out ../certificates/duplicate_cn_1.p12 \
 122   -passout pass:chrome
 123
 124 try openssl pkcs12 \
 125   -export \
 126   -inkey out/A.key \
 127   -in out/A2.pem \
 128   -out ../certificates/duplicate_cn_2.p12 \
 129   -passout pass:chrome
 130
 131 cp out/A1.pem ../certificates/duplicate_cn_1.pem
 132 cp out/A2.pem ../certificates/duplicate_cn_2.pem