Pin Chrome's shortcut to the Win10 Start menu on install and OS upgrade.

[chromium-blink-merge.git] / net / data / ssl / scripts / generate-multi-root-test-chains.sh

#!/bin/sh

# Copyright 2014 The Chromium Authors. All rights reserved.
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.

# This script generates two chains of test certificates:
#
#     1. A (end-entity) -> B -> C -> D (self-signed root)
#     2. A (end-entity) -> B -> C2 -> E (self-signed root)
#
# C and C2 have the same subject and keypair.
#
# We use these cert chains in CertVerifyProcChromeOSTest
# to ensure that multiple verification paths are properly handled.

try () {
  echo "$@"
  "$@" || exit 1
}

try rm -rf out
try mkdir out

echo Create the serial number files.
serial=1000
for i in B C C2 D E
do
  try /bin/sh -c "echo $serial > out/$i-serial"
  serial=$(expr $serial + 1)
done

echo Generate the keys.
try openssl genrsa -out out/A.key 2048
try openssl genrsa -out out/B.key 2048
try openssl genrsa -out out/C.key 2048
try openssl genrsa -out out/D.key 2048
try openssl genrsa -out out/E.key 2048

echo Generate the D CSR.
CA_COMMON_NAME="D Root CA" \
  CERTIFICATE=D \
  try openssl req \
    -new \
    -key out/D.key \
    -out out/D.csr \
    -config redundant-ca.cnf

echo D signs itself.
CA_COMMON_NAME="D Root CA" \
  try openssl x509 \
    -req -days 3650 \
    -in out/D.csr \
    -extensions ca_cert \
    -extfile redundant-ca.cnf \
    -signkey out/D.key \
    -out out/D.pem \
    -text

echo Generate the E CSR.
CA_COMMON_NAME="E Root CA" \
  CERTIFICATE=E \
  try openssl req \
    -new \
    -key out/E.key \
    -out out/E.csr \
    -config redundant-ca.cnf

echo E signs itself.
CA_COMMON_NAME="E Root CA" \
  try openssl x509 \
    -req -days 3650 \
    -in out/E.csr \
    -extensions ca_cert \
    -extfile redundant-ca.cnf \
    -signkey out/E.key \
    -out out/E.pem \
    -text

echo Generate the C2 intermediary CSR.
CA_COMMON_NAME="C CA" \
  CERTIFICATE=C2 \
  try openssl req \
    -new \
    -key out/C.key \
    -out out/C2.csr \
    -config redundant-ca.cnf

echo Generate the B and C intermediaries\' CSRs.
for i in B C
do
  CA_COMMON_NAME="$i CA" \
    CERTIFICATE="$i" \
    try openssl req \
      -new \
      -key "out/$i.key" \
      -out "out/$i.csr" \
      -config redundant-ca.cnf
done

echo D signs the C intermediate.
# Make sure the signer's DB file exists.
touch out/D-index.txt
CA_COMMON_NAME="D Root CA" \
  CERTIFICATE=D \
  try openssl ca \
    -batch \
    -extensions ca_cert \
    -in out/C.csr \
    -out out/C.pem \
    -config redundant-ca.cnf

echo E signs the C2 intermediate.
# Make sure the signer's DB file exists.
touch out/E-index.txt
CA_COMMON_NAME="E Root CA" \
  CERTIFICATE=E \
  try openssl ca \
    -batch \
    -extensions ca_cert \
    -in out/C2.csr \
    -out out/C2.pem \
    -config redundant-ca.cnf

echo C signs the B intermediate.
touch out/C-index.txt
CA_COMMON_NAME="C CA" \
  CERTIFICATE=C \
  try openssl ca \
    -batch \
    -extensions ca_cert \
    -in out/B.csr \
    -out out/B.pem \
    -config redundant-ca.cnf

echo Generate the A end-entity CSR.
try openssl req \
  -new \
  -key out/A.key \
  -out out/A.csr \
  -config ee.cnf

echo B signs A.
touch out/B-index.txt
CA_COMMON_NAME="B CA" \
  CERTIFICATE=B \
  try openssl ca \
    -batch \
    -extensions user_cert \
    -in out/A.csr \
    -out out/A.pem \
    -config redundant-ca.cnf

echo Create multi-root-chain1.pem
try /bin/sh -c "cat out/A.key out/A.pem out/B.pem out/C.pem out/D.pem \
    > ../certificates/multi-root-chain1.pem"

echo Create multi-root-chain2.pem
try /bin/sh -c "cat out/A.key out/A.pem out/B.pem out/C2.pem out/E.pem \
    > ../certificates/multi-root-chain2.pem"