net/data/ssl/scripts/generate-duplicate-cn-certs.sh

   1 #!/bin/sh
   2
   3 # Copyright (c) 2013 The Chromium Authors. All rights reserved.
   4 # Use of this source code is governed by a BSD-style license that can be
   5 # found in the LICENSE file.
   6
   7 # This script generates two chains of test certificates:
   8 #    1. A1 (end-entity) -> B (self-signed root)
   9 #    2. A2 (end-entity) -> B (self-signed root)
  10 #
  11 # In which A1 and A2 share the same key, the same subject common name, but have
  12 # distinct O values in their subjects.
  13 #
  14 # This is used to test that NSS can properly generate unique certificate
  15 # nicknames for both certificates.
  16
  17 try () {
  18   echo "$@"
  19   "$@" || exit 1
  20 }
  21
  22 try rm -rf out
  23 try mkdir out
  24
  25 echo Create the serial number and index files.
  26 try /bin/sh -c "echo 01 > out/B-serial"
  27 try touch out/B-index.txt
  28
  29 echo Generate the keys.
  30 try openssl genrsa -out out/A.key 2048
  31 try openssl genrsa -out out/B.key 2048
  32
  33 echo Generate the B CSR.
  34 CA_COMMON_NAME="B Root CA" \
  35   CERTIFICATE=B \
  36   try openssl req \
  37     -new \
  38     -key out/B.key \
  39     -out out/B.csr \
  40     -config redundant-ca.cnf
  41
  42 echo B signs itself.
  43 CA_COMMON_NAME="B Root CA" \
  44   try openssl x509 \
  45     -req -days 3650 \
  46     -in out/B.csr \
  47     -extfile redundant-ca.cnf \
  48     -extensions ca_cert \
  49     -signkey out/B.key \
  50     -out out/B.pem
  51
  52 echo Generate the A1 end-entity CSR.
  53 SUBJECT_NAME=req_duplicate_cn_1 \
  54   try openssl req \
  55     -new \
  56     -key out/A.key \
  57     -out out/A1.csr \
  58     -config ee.cnf
  59
  60 echo Generate the A2 end-entity CSR
  61 SUBJECT_NAME=req_duplicate_cn_2 \
  62   try openssl req \
  63     -new \
  64     -key out/A.key \
  65     -out out/A2.csr \
  66     -config ee.cnf
  67
  68
  69 echo B signs A1.
  70 CA_COMMON_NAME="B CA" \
  71   CERTIFICATE=B \
  72   try openssl ca \
  73     -batch \
  74     -extensions user_cert \
  75     -in out/A1.csr \
  76     -out out/A1.pem \
  77     -config redundant-ca.cnf
  78
  79 echo B signs A2.
  80 CA_COMMON_NAME="B CA" \
  81   CERTIFICATE=B \
  82   try openssl ca \
  83     -batch \
  84     -extensions user_cert \
  85     -in out/A2.csr \
  86     -out out/A2.pem \
  87     -config redundant-ca.cnf
  88
  89 echo Exporting the certificates to PKCS#12
  90 try openssl pkcs12 \
  91   -export \
  92   -inkey out/A.key \
  93   -in out/A1.pem \
  94   -out ../certificates/duplicate_cn_1.p12 \
  95   -passout pass:chrome
  96
  97 try openssl pkcs12 \
  98   -export \
  99   -inkey out/A.key \
 100   -in out/A2.pem \
 101   -out ../certificates/duplicate_cn_2.p12 \
 102   -passout pass:chrome
 103
 104 try cp out/A1.pem ../certificates/duplicate_cn_1.pem
 105 try cp out/A2.pem ../certificates/duplicate_cn_2.pem