net/data/ssl/scripts/generate-bad-eku-certs.sh

   1 #!/bin/sh
   2
   3 # Copyright 2013 The Chromium Authors. All rights reserved.
   4 # Use of this source code is governed by a BSD-style license that can be
   5 # found in the LICENSE file.
   6
   7 # This script generates a set of test (end-entity, root) certificate chains
   8 # whose EEs have (critical, non-critical) eKUs for codeSigning. We then try
   9 # to use them as EEs for a web server in unit tests, to make sure that we
  10 # don't accept such certs as web server certs.
  11
  12 try () {
  13   echo "$@"
  14   "$@" || exit 1
  15 }
  16
  17 try rm -rf out
  18 try mkdir out
  19
  20 eku_test_root="2048-rsa-root"
  21
  22 # Create the serial number files.
  23 try /bin/sh -c "echo 01 > \"out/$eku_test_root-serial\""
  24
  25 # Make sure the signers' DB files exist.
  26 touch "out/$eku_test_root-index.txt"
  27
  28 # Generate one root CA certificate.
  29 try openssl genrsa -out "out/$eku_test_root.key" 2048
  30
  31 CA_COMMON_NAME="2048 RSA Test Root CA" \
  32   CA_DIR=out \
  33   CA_NAME=req_env_dn \
  34   KEY_SIZE=2048 \
  35   ALGO=rsa \
  36   CERT_TYPE=root \
  37   try openssl req \
  38     -new \
  39     -key "out/$eku_test_root.key" \
  40     -extensions ca_cert \
  41     -out "out/$eku_test_root.csr" \
  42     -config ca.cnf
  43
  44 CA_COMMON_NAME="2048 RSA Test Root CA" \
  45   CA_DIR=out \
  46   CA_NAME=req_env_dn \
  47   try openssl x509 \
  48     -req -days 3650 \
  49     -in "out/$eku_test_root.csr" \
  50     -extensions ca_cert \
  51     -extfile ca.cnf \
  52     -signkey "out/$eku_test_root.key" \
  53     -out "out/$eku_test_root.pem" \
  54     -text
  55
  56 # Generate EE certs.
  57 for cert_type in non-crit-codeSigning crit-codeSigning
  58 do
  59   try openssl genrsa -out "out/$cert_type.key" 2048
  60
  61   try openssl req \
  62     -new \
  63     -key "out/$cert_type.key" \
  64     -out "out/$cert_type.csr" \
  65     -config eku-test.cnf \
  66     -reqexts "$cert_type"
  67
  68   CA_COMMON_NAME="2048 rsa Test Root CA" \
  69     CA_DIR=out \
  70     CA_NAME=req_env_dn \
  71     KEY_SIZE=2048 \
  72     ALGO=rsa \
  73     CERT_TYPE=root \
  74     try openssl ca \
  75       -batch \
  76       -in "out/$cert_type.csr" \
  77       -out "out/$cert_type.pem" \
  78       -config ca.cnf
  79 done
  80
  81 # Copy to the file names that are actually checked in.
  82 try cp "out/$eku_test_root.pem" ../certificates/eku-test-root.pem
  83 try /bin/sh -c "cat out/crit-codeSigning.key out/crit-codeSigning.pem \
  84   > ../certificates/crit-codeSigning-chain.pem"
  85 try /bin/sh -c "cat out/non-crit-codeSigning.key out/non-crit-codeSigning.pem \
  86   > ../certificates/non-crit-codeSigning-chain.pem"