#!/bin/sh

# Copyright 2013 The Chromium Authors. All rights reserved.
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.

# This script generates a set of test (end-entity, intermediate, root)
# certificates that can be used to test fetching of an intermediate via AIA.
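# Run a command and abort the whole script if it fails.
# Arguments: the command and its arguments, executed as given.
# Outputs:   on failure, the failing command line (arguments joined by
#            spaces) is written to stderr.
# Returns:   0 when the command succeeds; on failure the script exits with
#            the command's exit status.
try() {
  # A brace group, not a subshell: `exit` must terminate the script. The
  # earlier `( ...; exit $e )` form only left the subshell, and because this
  # script does not use `set -e`, every later step still ran after a failure
  # (which also silently shifts the serial numbers the CRLSet section relies on).
  "$@" || { e=$?; printf '%s\n' "$*" >&2; exit "$e"; }
}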
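# Start from a clean scratch directory. The CA database (serial file + index)
# is recreated every run so that the serial numbers handed out by `openssl ca`
# below are deterministic; the CRLSet section at the end depends on that.
try rm -rf out
try mkdir out

# `try` cannot wrap a redirection, hence the sub-shell.
try /bin/sh -c "echo 01 > out/2048-sha256-root-serial"
try touch out/2048-sha256-root-index.txt

# Generate the key
try openssl genrsa -out out/2048-sha256-root.key 2048

# Generate the root certificate. It is self-signed with `openssl x509
# -signkey`, so it does not consume a serial from the CA database above.
CA_COMMON_NAME="Test Root CA" \
try openssl req \
  -new \
  -key out/2048-sha256-root.key \
  -out out/2048-sha256-root.req \
  -config ca.cnf

CA_COMMON_NAME="Test Root CA" \
try openssl x509 \
  -req -days 3650 \
  -in out/2048-sha256-root.req \
  -signkey out/2048-sha256-root.key \
  -extfile ca.cnf \
  -extensions ca_cert \
  -text > out/2048-sha256-root.pem

# Generate the leaf certificate requests
try openssl req \
  -new \
  -keyout out/expired_cert.key \
  -out out/expired_cert.req \
  -config ee.cnf

try openssl req \
  -new \
  -keyout out/ok_cert.key \
  -out out/ok_cert.req \
  -config ee.cnf

SUBJECT_NAME=req_localhost_cn \
try openssl req \
  -new \
  -keyout out/localhost_cert.key \
  -out out/localhost_cert.req \
  -reqexts req_localhost_san \
  -config ee.cnf

# Generate the leaf certificates. Issuance order matters: expired_cert.pem
# is the first certificate signed by `openssl ca` (serial 1) and ok_cert.pem
# the second (serial 2).
CA_COMMON_NAME="Test Root CA" \
try openssl ca \
  -batch \
  -extensions user_cert \
  -startdate 060101000000Z \
  -enddate 070101000000Z \
  -in out/expired_cert.req \
  -out out/expired_cert.pem \
  -config ca.cnf

CA_COMMON_NAME="Test Root CA" \
try openssl ca \
  -batch \
  -extensions user_cert \
  -days 3650 \
  -in out/ok_cert.req \
  -out out/ok_cert.pem \
  -config ca.cnf

# The name-constraint certificates reuse ok_cert's request (and therefore
# its key); only the extensions section and the subject differ.
CA_COMMON_NAME="Test Root CA" \
try openssl ca \
  -batch \
  -extensions name_constraint_bad \
  -subj "/CN=Leaf certificate/" \
  -days 3650 \
  -in out/ok_cert.req \
  -out out/name_constraint_bad.pem \
  -config ca.cnf

CA_COMMON_NAME="Test Root CA" \
try openssl ca \
  -batch \
  -extensions name_constraint_good \
  -subj "/CN=Leaf Certificate/" \
  -days 3650 \
  -in out/ok_cert.req \
  -out out/name_constraint_good.pem \
  -config ca.cnf

CA_COMMON_NAME="Test Root CA" \
try openssl ca \
  -batch \
  -extensions user_cert \
  -days 3650 \
  -in out/localhost_cert.req \
  -out out/localhost_cert.pem \
  -config ca.cnf

# notBefore == notAfter: a zero-length validity period.
CA_COMMON_NAME="Test Root CA" \
try openssl ca \
  -batch \
  -extensions user_cert \
  -subj "/CN=Leaf Certificate/" \
  -startdate 00010101000000Z \
  -enddate 00010101000000Z \
  -in out/ok_cert.req \
  -out out/bad_validity.pem \
  -config ca.cnf

# Bundle each private key with its certificate into a single PEM file in
# ../certificates. A sub-shell is used because `try` cannot wrap the `>`.
try /bin/sh -c "cat out/ok_cert.key out/ok_cert.pem \
  > ../certificates/ok_cert.pem"
try /bin/sh -c "cat out/localhost_cert.key out/localhost_cert.pem \
  > ../certificates/localhost_cert.pem"
try /bin/sh -c "cat out/expired_cert.key out/expired_cert.pem \
  > ../certificates/expired_cert.pem"
try /bin/sh -c "cat out/2048-sha256-root.key out/2048-sha256-root.pem \
  > ../certificates/root_ca_cert.pem"
try /bin/sh -c "cat out/ok_cert.key out/name_constraint_bad.pem \
  > ../certificates/name_constraint_bad.pem"
try /bin/sh -c "cat out/ok_cert.key out/name_constraint_good.pem \
  > ../certificates/name_constraint_good.pem"
try /bin/sh -c "cat out/ok_cert.key out/bad_validity.pem \
  > ../certificates/bad_validity.pem"

# Now generate the one-off certs. These are self-signed (`req -x509`) and
# are written straight into ../certificates.
## SHA-256 general test cert
try openssl req -x509 -days 3650 \
  -config ../scripts/ee.cnf -newkey rsa:2048 -text \
  -sha256 \
  -out ../certificates/sha256.pem

## Self-signed cert for SPDY/QUIC/HTTP2 pooling testing
try openssl req -x509 -days 3650 -extensions req_spdy_pooling \
  -config ../scripts/ee.cnf -newkey rsa:2048 -text \
  -out ../certificates/spdy_pooling.pem

## SubjectAltName parsing
try openssl req -x509 -days 3650 -extensions req_san_sanity \
  -config ../scripts/ee.cnf -newkey rsa:2048 -text \
  -out ../certificates/subjectAltName_sanity_check.pem

## Punycode handling
SUBJECT_NAME="req_punycode_dn" \
try openssl req -x509 -days 3650 -extensions req_punycode \
  -config ../scripts/ee.cnf -newkey rsa:2048 -text \
  -out ../certificates/punycodetest.pem

## Reject intranet hostnames in "publicly" trusted certs
# 365 * 3 = 1095
SUBJECT_NAME="req_dn" \
try openssl req -x509 -days 1095 \
  -config ../scripts/ee.cnf -newkey rsa:2048 -text \
  -out ../certificates/reject_intranet_hosts.pem

## Leaf certificate with a large key; Apple's certificate verifier rejects with
## a fatal error if the key is bigger than 4096 bits.
try openssl req -x509 -days 3650 \
  -config ../scripts/ee.cnf -newkey rsa:4104 -text \
  -sha256 \
  -out ../certificates/large_key.pem

## Validity too long unit test support.
# Each case below creates a request, then signs it with the test root using
# an explicit validity window so the exact notBefore/notAfter is controlled.
try openssl req -config ../scripts/ee.cnf \
  -newkey rsa:2048 -text -out ../certificates/10_year_validity.req
CA_COMMON_NAME="Test Root CA" \
try openssl ca \
  -batch \
  -extensions user_cert \
  -startdate 081030000000Z \
  -enddate 181029000000Z \
  -in ../certificates/10_year_validity.req \
  -out ../certificates/10_year_validity.pem \
  -config ca.cnf
# 365 * 11 = 4015
try openssl req -config ../scripts/ee.cnf \
  -newkey rsa:2048 -text -out ../certificates/11_year_validity.req
CA_COMMON_NAME="Test Root CA" \
try openssl ca \
  -batch \
  -extensions user_cert \
  -startdate 141030000000Z \
  -days 4015 \
  -in ../certificates/11_year_validity.req \
  -out ../certificates/11_year_validity.pem \
  -config ca.cnf
try openssl req -config ../scripts/ee.cnf \
  -newkey rsa:2048 -text -out ../certificates/39_months_after_2015_04.req
CA_COMMON_NAME="Test Root CA" \
try openssl ca \
  -batch \
  -extensions user_cert \
  -startdate 150402000000Z \
  -enddate 180702000000Z \
  -in ../certificates/39_months_after_2015_04.req \
  -out ../certificates/39_months_after_2015_04.pem \
  -config ca.cnf
try openssl req -config ../scripts/ee.cnf \
  -newkey rsa:2048 -text -out ../certificates/40_months_after_2015_04.req
CA_COMMON_NAME="Test Root CA" \
try openssl ca \
  -batch \
  -extensions user_cert \
  -startdate 150402000000Z \
  -enddate 180801000000Z \
  -in ../certificates/40_months_after_2015_04.req \
  -out ../certificates/40_months_after_2015_04.pem \
  -config ca.cnf
try openssl req -config ../scripts/ee.cnf \
  -newkey rsa:2048 -text -out ../certificates/60_months_after_2012_07.req
CA_COMMON_NAME="Test Root CA" \
try openssl ca \
  -batch \
  -extensions user_cert \
  -startdate 141030000000Z \
  -enddate 190930000000Z \
  -in ../certificates/60_months_after_2012_07.req \
  -out ../certificates/60_months_after_2012_07.pem \
  -config ca.cnf
try openssl req -config ../scripts/ee.cnf \
  -newkey rsa:2048 -text -out ../certificates/61_months_after_2012_07.req
# 30 * 61 = 1830
CA_COMMON_NAME="Test Root CA" \
try openssl ca \
  -batch \
  -extensions user_cert \
  -startdate 141030000000Z \
  -days 1830 \
  -in ../certificates/61_months_after_2012_07.req \
  -out ../certificates/61_months_after_2012_07.pem \
  -config ca.cnf
# start date after expiry date
try openssl req -config ../scripts/ee.cnf \
  -newkey rsa:2048 -text -out ../certificates/start_after_expiry.req
CA_COMMON_NAME="Test Root CA" \
try openssl ca \
  -batch \
  -extensions user_cert \
  -startdate 180901000000Z \
  -enddate 150402000000Z \
  -in ../certificates/start_after_expiry.req \
  -out ../certificates/start_after_expiry.pem \
  -config ca.cnf
# NOTE(review): the four cases from here on regenerate the .req (with a fresh
# key) *after* it has already been signed, so the committed request does not
# correspond to the issued .pem. This looks like copy-paste carried over from
# case to case rather than something the tests depend on — confirm before
# removing the repeated `openssl req` lines.
try openssl req -config ../scripts/ee.cnf \
  -newkey rsa:2048 -text -out ../certificates/start_after_expiry.req
# Issued pre-BRs, lifetime < 120 months, expires before 2019-07-01
try openssl req -config ../scripts/ee.cnf \
  -newkey rsa:2048 -text -out ../certificates/pre_br_validity_ok.req
CA_COMMON_NAME="Test Root CA" \
try openssl ca \
  -batch \
  -extensions user_cert \
  -startdate 080101000000Z \
  -enddate 150101000000Z \
  -in ../certificates/pre_br_validity_ok.req \
  -out ../certificates/pre_br_validity_ok.pem \
  -config ca.cnf
try openssl req -config ../scripts/ee.cnf \
  -newkey rsa:2048 -text -out ../certificates/pre_br_validity_ok.req
# Issued pre-BRs, lifetime > 120 months, expires before 2019-07-01
try openssl req -config ../scripts/ee.cnf \
  -newkey rsa:2048 -text -out ../certificates/pre_br_validity_bad_121.req
CA_COMMON_NAME="Test Root CA" \
try openssl ca \
  -batch \
  -extensions user_cert \
  -startdate 080101000000Z \
  -enddate 180501000000Z \
  -in ../certificates/pre_br_validity_bad_121.req \
  -out ../certificates/pre_br_validity_bad_121.pem \
  -config ca.cnf
try openssl req -config ../scripts/ee.cnf \
  -newkey rsa:2048 -text -out ../certificates/pre_br_validity_bad_121.req
# Issued pre-BRs, lifetime < 120 months, expires after 2019-07-01
try openssl req -config ../scripts/ee.cnf \
  -newkey rsa:2048 -text -out ../certificates/pre_br_validity_bad_2020.req
CA_COMMON_NAME="Test Root CA" \
try openssl ca \
  -batch \
  -extensions user_cert \
  -startdate 120501000000Z \
  -enddate 190703000000Z \
  -in ../certificates/pre_br_validity_bad_2020.req \
  -out ../certificates/pre_br_validity_bad_2020.pem \
  -config ca.cnf
try openssl req -config ../scripts/ee.cnf \
  -newkey rsa:2048 -text -out ../certificates/pre_br_validity_bad_2020.req

# Regenerate CRLSets. crlsetutil.py reads its spec from stdin; the spec is
# supplied as a here-document.
## Block a leaf cert directly by SPKI
try python crlsetutil.py -o ../certificates/crlset_by_leaf_spki.raw \
<<CRLBYLEAFSPKI
{
  "BlockedBySPKI": ["../certificates/ok_cert.pem"]
}
CRLBYLEAFSPKI

## Block a leaf cert by issuer-hash-and-serial (ok_cert.pem == serial 2, by
## virtue of the serial file and ordering above.
try python crlsetutil.py -o ../certificates/crlset_by_root_serial.raw \
<<CRLBYROOTSERIAL
{
  "BlockedByHash": {
    "../certificates/root_ca_cert.pem": [2]
  }
}
CRLBYROOTSERIAL

## Block a leaf cert by issuer-hash-and-serial. However, this will be issued
## from an intermediate CA issued underneath a root.
## (quic_intermediate.crt is not produced by this script.)
try python crlsetutil.py -o ../certificates/crlset_by_intermediate_serial.raw \
<<CRLSETBYINTERMEDIATESERIAL
{
  "BlockedByHash": {
    "../certificates/quic_intermediate.crt": [3]
  }
}
CRLSETBYINTERMEDIATESERIAL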