| blob | 92d8f22868b191eeab7860a28e75f3ea09dba9f4 |
1 #!/bin/sh
3 # Copyright 2013 The Chromium Authors. All rights reserved.
4 # Use of this source code is governed by a BSD-style license that can be
5 # found in the LICENSE file.
7 # This script generates a set of test (end-entity, intermediate, root)
8 # certificates that can be used to test fetching of an intermediate via AIA.
10 try() {
12 }
15 try mkdir out
20 # Generate the key
23 # Generate the root certificate
25 try openssl req \
26 -new \
29 -config ca.cnf
32 try openssl x509 \
36 -extfile ca.cnf \
37 -extensions ca_cert \
40 # Generate the leaf certificate requests
41 try openssl req \
42 -new \
45 -config ee.cnf
47 try openssl req \
48 -new \
51 -config ee.cnf
53 SUBJECT_NAME=req_localhost_cn \
54 try openssl req \
55 -new \
58 -reqexts req_localhost_san \
59 -config ee.cnf
61 # Generate the leaf certificates
63 try openssl ca \
64 -batch \
65 -extensions user_cert \
70 -config ca.cnf
73 try openssl ca \
74 -batch \
75 -extensions user_cert \
79 -config ca.cnf
82 try openssl ca \
83 -batch \
84 -extensions name_constraint_bad \
89 -config ca.cnf
92 try openssl ca \
93 -batch \
94 -extensions name_constraint_good \
99 -config ca.cnf
102 try openssl ca \
103 -batch \
104 -extensions user_cert \
108 -config ca.cnf
111 > ../certificates/ok_cert.pem"
113 > ../certificates/localhost_cert.pem"
115 > ../certificates/expired_cert.pem"
117 > ../certificates/root_ca_cert.pem"
119 > ../certificates/name_constraint_bad.pem"
121 > ../certificates/name_constraint_good.pem"
123 # Now generate the one-off certs
124 ## SHA-256 general test cert
127 -sha256 \
130 ## Self-signed cert for SPDY/QUIC/HTTP2 pooling testing
135 ## SubjectAltName parsing
140 ## Punycode handling
146 ## Reject intranet hostnames in "publicly" trusted certs
147 # 365 * 3 = 1095
153 ## Leaf certificate with a large key; Apple's certificate verifier rejects with
154 ## a fatal error if the key is bigger than 4096 bits.
157 -sha256 \
160 ## Validity too long unit test support.
164 try openssl ca \
165 -batch \
166 -extensions user_cert \
171 -config ca.cnf
172 # 365 * 11 = 4015
176 try openssl ca \
177 -batch \
178 -extensions user_cert \
183 -config ca.cnf
187 try openssl ca \
188 -batch \
189 -extensions user_cert \
194 -config ca.cnf
198 try openssl ca \
199 -batch \
200 -extensions user_cert \
205 -config ca.cnf
209 try openssl ca \
210 -batch \
211 -extensions user_cert \
216 -config ca.cnf
219 # 30 * 61 = 1830
221 try openssl ca \
222 -batch \
223 -extensions user_cert \
228 -config ca.cnf
229 # start date after expiry date
233 try openssl ca \
234 -batch \
235 -extensions user_cert \
240 -config ca.cnf
243 # Issued pre-BRs, lifetime < 120 months, expires before 2019-07-01
247 try openssl ca \
248 -batch \
249 -extensions user_cert \
254 -config ca.cnf
257 # Issued pre-BRs, lifetime > 120 months, expires before 2019-07-01
261 try openssl ca \
262 -batch \
263 -extensions user_cert \
268 -config ca.cnf
271 # Issued pre-BRs, lifetime < 120 months, expires after 2019-07-01
275 try openssl ca \
276 -batch \
277 -extensions user_cert \
282 -config ca.cnf
286 # Regenerate CRLSets
287 ## Block a leaf cert directly by SPKI
289 <<CRLBYLEAFSPKI
290 {
291 "BlockedBySPKI": ["../certificates/ok_cert.pem"]
292 }
293 CRLBYLEAFSPKI
295 ## Block a leaf cert by issuer-hash-and-serial (ok_cert.pem == serial 2, by
296 ## virtue of the serial file and ordering above.
298 <<CRLBYROOTSERIAL
299 {
300 "BlockedByHash": {
301 "../certificates/root_ca_cert.pem": [2]
302 }
303 }
304 CRLBYROOTSERIAL
306 ## Block a leaf cert by issuer-hash-and-serial. However, this will be issued
307 ## from an intermediate CA issued underneath a root.
309 <<CRLSETBYINTERMEDIATESERIAL
310 {
311 "BlockedByHash": {
312 "../certificates/quic_intermediate.crt": [3]
313 }
314 }
315 CRLSETBYINTERMEDIATESERIAL