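#!/bin/sh

# Copyright 2013 The Chromium Authors. All rights reserved.
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.

# This script generates a set of test (end-entity, intermediate, root)
# certificates that can be used to test fetching of an intermediate via AIA.
#
# It is meant to be run from the scripts directory: ca.cnf and ee.cnf are
# read relative to the current directory, scratch files go to ./out, and the
# resulting fixtures (private keys together with their certificates) are
# written to ../certificates.

# Echo a command line, run it, and abort the whole script if it fails.
# Arguments: the command and its arguments
# Outputs:   the command line on stdout, followed by the command's own output
# Returns:   0 on success; exits the script with status 1 on failure
try() {
  # printf rather than echo: echo would treat a leading -n/-e argument as an
  # option, and its behaviour differs between /bin/sh implementations.
  printf '%s\n' "$*"
  "$@" || exit 1
}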
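# Start from an empty scratch directory.
try rm -rf out
try mkdir out

# State files for openssl ca: the next serial to issue (01) and an empty
# index of issued certificates. Serials are consumed in issue order, which the
# CRLSet section at the end of this script relies on (ok_cert.pem == 2).
# The redirection is wrapped in /bin/sh -c so that it applies to echo rather
# than to try itself.
try /bin/sh -c "echo 01 > out/2048-sha256-root-serial"
# Wrapped in try like every other step so a failure here stops the run
# instead of surfacing later as an obscure openssl ca error.
try touch out/2048-sha256-root-index.txt

# Generate the root key.
try openssl genrsa -out out/2048-sha256-root.key 2048

# Generate the root certificate: a request from the root key, self-signed
# for 10 years with the ca_cert extensions from ca.cnf.
# CA_COMMON_NAME is presumably picked up from the environment by ca.cnf —
# verify there if the subject needs changing.
CA_COMMON_NAME="Test Root CA" \
try openssl req \
  -new \
  -key out/2048-sha256-root.key \
  -out out/2048-sha256-root.req \
  -config ca.cnf

CA_COMMON_NAME="Test Root CA" \
try openssl x509 \
  -req -days 3650 \
  -in out/2048-sha256-root.req \
  -out out/2048-sha256-root.pem \
  -signkey out/2048-sha256-root.key \
  -extfile ca.cnf \
  -extensions ca_cert \
  -text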
# Generate the leaf certificate requests. Each call produces a new private
# key (-keyout) next to its request, using the end-entity settings in ee.cnf.
try openssl req -new \
  -keyout out/expired_cert.key -out out/expired_cert.req \
  -config ee.cnf

try openssl req -new \
  -keyout out/ok_cert.key -out out/ok_cert.req \
  -config ee.cnf

# Generate the leaf certificates. openssl ca takes the next serial from
# out/2048-sha256-root-serial on every call, so the order below determines
# the serial numbers (expired_cert first, then ok_cert as serial 2, which the
# CRLSet section at the end depends on).

# expired_cert: a fixed 2006-2007 validity window, long in the past.
CA_COMMON_NAME="Test Root CA" \
try openssl ca -batch -extensions user_cert \
  -startdate 060101000000Z -enddate 070101000000Z \
  -in out/expired_cert.req -out out/expired_cert.pem \
  -config ca.cnf

# ok_cert: valid for 3650 days from the time the script runs.
CA_COMMON_NAME="Test Root CA" \
try openssl ca -batch -extensions user_cert -days 3650 \
  -in out/ok_cert.req -out out/ok_cert.pem \
  -config ca.cnf

# Two further certificates reuse the ok_cert request with the
# name_constraint_* extension sections from ca.cnf. Note that the two
# subjects differ only in the letter case of "certificate".
CA_COMMON_NAME="Test Root CA" \
try openssl ca -batch -extensions name_constraint_bad \
  -subj "/CN=Leaf certificate/" -days 3650 \
  -in out/ok_cert.req -out out/name_constraint_bad.pem \
  -config ca.cnf

CA_COMMON_NAME="Test Root CA" \
try openssl ca -batch -extensions name_constraint_good \
  -subj "/CN=Leaf Certificate/" -days 3650 \
  -in out/ok_cert.req -out out/name_constraint_good.pem \
  -config ca.cnf

# Bundle private key + certificate into the fixture files. The redirection
# sits inside a /bin/sh -c string so that it applies to cat and not to try.
try /bin/sh -c "cat out/ok_cert.key out/ok_cert.pem > ../certificates/ok_cert.pem"
try /bin/sh -c "cat out/expired_cert.key out/expired_cert.pem > ../certificates/expired_cert.pem"
try /bin/sh -c "cat out/2048-sha256-root.key out/2048-sha256-root.pem > ../certificates/root_ca_cert.pem"
try /bin/sh -c "cat out/ok_cert.key out/name_constraint_bad.pem > ../certificates/name_constraint_bad.pem"
try /bin/sh -c "cat out/ok_cert.key out/name_constraint_good.pem > ../certificates/name_constraint_good.pem"
# Now generate the one-off certs: self-signed end-entity certificates made
# directly with `openssl req -x509`, each from a fresh 2048-bit RSA key.

## SHA-256 general test cert
# NOTE(review): this is the only output written to the current directory
# rather than to ../certificates — confirm that is intended.
try openssl req -x509 -days 3650 -config ../scripts/ee.cnf -newkey rsa:2048 \
  -text -sha256 -out sha256.pem

## Self-signed cert for SPDY/QUIC/HTTP2 pooling testing
try openssl req -x509 -days 3650 -extensions req_spdy_pooling \
  -config ../scripts/ee.cnf -newkey rsa:2048 -text \
  -out ../certificates/spdy_pooling.pem

## SubjectAltName parsing
try openssl req -x509 -days 3650 -extensions req_san_sanity \
  -config ../scripts/ee.cnf -newkey rsa:2048 -text \
  -out ../certificates/subjectAltName_sanity_check.pem

## Punycode handling
# SUBJECT_NAME is presumably read by ee.cnf to pick the DN section — verify
# there before changing it.
SUBJECT_NAME="req_punycode_dn" try openssl req -x509 -days 3650 \
  -extensions req_punycode -config ../scripts/ee.cnf -newkey rsa:2048 -text \
  -out ../certificates/punycodetest.pem

## Reject intranet hostnames in "publicly" trusted certs
# 365 * 3 = 1095
SUBJECT_NAME="req_dn" try openssl req -x509 -days 1095 \
  -config ../scripts/ee.cnf -newkey rsa:2048 -text \
  -out ../certificates/reject_intranet_hosts.pem
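## Validity too long unit test support.
#
# Every certificate in this section follows the same recipe: a fresh request
# for NAME is created, then signed by the test root with a specific validity
# period. The recipe is factored into issue_validity_cert below; the trailing
# arguments are passed straight through to openssl ca as the validity options.

# Create ../certificates/NAME.req (with a new 2048-bit RSA key) and sign it
# as ../certificates/NAME.pem with the test root.
# Arguments: $1   - certificate name
#            $2.. - validity options for openssl ca
#                   (-startdate with either -enddate or -days)
# Returns:   0; a failing openssl step exits the script via try
issue_validity_cert() {
  cert_name=$1
  shift
  try openssl req -config ../scripts/ee.cnf \
    -newkey rsa:2048 -text -out "../certificates/$cert_name.req"
  CA_COMMON_NAME="Test Root CA" \
  try openssl ca \
    -batch \
    -extensions user_cert \
    "$@" \
    -in "../certificates/$cert_name.req" \
    -out "../certificates/$cert_name.pem" \
    -config ca.cnf
}

issue_validity_cert 10_year_validity \
  -startdate 081030000000Z -enddate 181029000000Z
# 365 * 11 = 4015
issue_validity_cert 11_year_validity \
  -startdate 141030000000Z -days 4015
issue_validity_cert 39_months_after_2015_04 \
  -startdate 150402000000Z -enddate 180702000000Z
issue_validity_cert 40_months_after_2015_04 \
  -startdate 150402000000Z -enddate 180801000000Z
issue_validity_cert 60_months_after_2012_07 \
  -startdate 141030000000Z -enddate 190930000000Z
# 30 * 61 = 1830
issue_validity_cert 61_months_after_2012_07 \
  -startdate 141030000000Z -days 1830

# For the remaining four certificates the request file is generated a second
# time after signing, so the .req left on disk belongs to a different key than
# the issued .pem.
# NOTE(review): the purpose of the second request is not evident from this
# script — confirm it is intentional before anything relies on these .req
# files.

# start date after expiry date
issue_validity_cert start_after_expiry \
  -startdate 180901000000Z -enddate 150402000000Z
try openssl req -config ../scripts/ee.cnf \
  -newkey rsa:2048 -text -out ../certificates/start_after_expiry.req

# Issued pre-BRs, lifetime < 120 months, expires before 2019-07-01
issue_validity_cert pre_br_validity_ok \
  -startdate 080101000000Z -enddate 150101000000Z
try openssl req -config ../scripts/ee.cnf \
  -newkey rsa:2048 -text -out ../certificates/pre_br_validity_ok.req

# Issued pre-BRs, lifetime > 120 months, expires before 2019-07-01
issue_validity_cert pre_br_validity_bad_121 \
  -startdate 080101000000Z -enddate 180501000000Z
try openssl req -config ../scripts/ee.cnf \
  -newkey rsa:2048 -text -out ../certificates/pre_br_validity_bad_121.req

# Issued pre-BRs, lifetime < 120 months, expires after 2019-07-01
issue_validity_cert pre_br_validity_bad_2020 \
  -startdate 120501000000Z -enddate 190703000000Z
try openssl req -config ../scripts/ee.cnf \
  -newkey rsa:2048 -text -out ../certificates/pre_br_validity_bad_2020.req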
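# Regenerate CRLSets. crlsetutil.py takes a JSON-style description of what to
# block on stdin (fed here as a here-document) and writes the raw CRLSet to
# the file named by -o. The here-document is attached to try, whose stdin is
# inherited by the python process it runs.

## Block a leaf cert directly by SPKI
try python crlsetutil.py -o ../certificates/crlset_by_leaf_spki.raw \
<<CRLBYLEAFSPKI
{
  "BlockedBySPKI": ["../certificates/ok_cert.pem"]
}
CRLBYLEAFSPKI

## Block a leaf cert by issuer-hash-and-serial (ok_cert.pem == serial 2, by
## virtue of the serial file and ordering above.
try python crlsetutil.py -o ../certificates/crlset_by_root_serial.raw \
<<CRLBYROOTSERIAL
{
  "BlockedByHash": {
    "../certificates/root_ca_cert.pem": [2]
  }
}
CRLBYROOTSERIAL

## Block a leaf cert by issuer-hash-and-serial. However, this will be issued
## from an intermediate CA issued underneath a root.
# NOTE(review): quic_intermediate.crt is not produced by this script; it has
# to already exist in ../certificates (presumably generated elsewhere) —
# verify before running this step on a clean checkout.
try python crlsetutil.py -o ../certificates/crlset_by_intermediate_serial.raw \
<<CRLSETBYINTERMEDIATESERIAL
{
  "BlockedByHash": {
    "../certificates/quic_intermediate.crt": [3]
  }
}
CRLSETBYINTERMEDIATESERIAL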