#!/bin/sh

# Copyright 2013 The Chromium Authors. All rights reserved.
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.

# This script generates two roots - one legacy one signed with MD5, and
# another (newer) one signed with SHA1 - and has a leaf certificate signed
# by these without any distinguishers.
#
# The "cross-signed" comes from the fact that both the MD5 and SHA1 roots share
# the same Authority Key ID, Subject Key ID, Subject, and Subject Public Key
# Info. When the chain building algorithm is evaluating paths, if it prefers
# untrusted over trusted, then it will see the MD5 certificate as a self-signed
# cert that is "cross-signed" by the trusted SHA1 root.
#
# The SHA1 root should be (temporarily) trusted, and the resulting chain
# should be leaf -> SHA1root, not leaf -> MD5root, leaf -> SHA1root -> MD5root,
# or leaf -> MD5root -> SHA1root.

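# Print a command line, run it, and abort the whole script if it fails.
# Arguments: the command and its arguments, passed through unchanged
# Outputs:   the command line on stdout, followed by whatever the command prints
# Returns:   only on success; on failure the script exits with status 1
# printf rather than echo: echo would swallow or interpret a leading "-n"/"-e".
try() {
  printf '%s\n' "$*"
  "$@" || exit 1
}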
| |
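# Start from an empty scratch directory; everything below writes into out/.
try rm -rf out
try mkdir out

# Serial-number and index files for the two CA databases. The redirection has
# to go through a sub-shell so that `try` can still log and check the command.
# NOTE(review): these file names are presumably the `serial`/`database` entries
# of ca.cnf — confirm against that file.
try /bin/sh -c "echo 01 > out/2048-sha1-root-serial"
try /bin/sh -c "echo 02 > out/2048-md5-root-serial"
# Wrapped in `try` like everything else: a missing index file would otherwise
# only surface later as an opaque `openssl ca` failure.
try touch out/2048-sha1-root-index.txt
try touch out/2048-md5-root-index.txt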
| |
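# Both roots are built from ONE key and ONE request, so they share Subject and
# Subject Public Key Info (and, presumably via the ca_cert extensions in
# ca.cnf, the same key identifiers); only the signature hash differs.
try openssl genrsa -out out/2048-sha1-root.key 2048

# ca.cnf is expected to read CA_COMMON_NAME from the environment (presumably
# via $ENV::CA_COMMON_NAME — confirm against ca.cnf). Export it once instead of
# prefixing each `try` call: POSIX leaves it unspecified whether a
# `VAR=value func` prefix is exported to the commands a shell function runs,
# so the prefix form only reaches openssl on some /bin/sh implementations.
export CA_COMMON_NAME="Test Dup-Hash Root CA"

# One request, self-signed twice below.
try openssl req \
  -new \
  -key out/2048-sha1-root.key \
  -out out/2048-sha1-root.req \
  -config ca.cnf

# Newer root: self-signed with SHA1. This is the root the test trusts.
try openssl x509 \
  -req -days 3650 \
  -sha1 \
  -in out/2048-sha1-root.req \
  -out out/2048-sha1-root.pem \
  -text \
  -signkey out/2048-sha1-root.key \
  -extfile ca.cnf \
  -extensions ca_cert

# Legacy root: same request and key, self-signed with MD5. Deliberately weak;
# it exists only so that the chain builder's choice between the two roots
# (trusted SHA1 vs. untrusted MD5) is observable in the test.
try openssl x509 \
  -req -days 3650 \
  -md5 \
  -in out/2048-sha1-root.req \
  -out out/2048-md5-root.pem \
  -text \
  -signkey out/2048-sha1-root.key \
  -extfile ca.cnf \
  -extensions ca_cert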
| |
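# Leaf key and request. No -nodes is passed, so whether openssl prompts for a
# passphrase on the new key is decided by ee.cnf — confirm it does not prompt.
try openssl req \
  -new \
  -keyout out/ok_cert.key \
  -out out/ok_cert.req \
  -config ee.cnf

# Issue the leaf with the CA configured in ca.cnf. The leaf carries nothing
# that distinguishes the SHA1 root from the MD5 root, which is the point of
# this fixture.
# Exported rather than written as a `VAR=value try ...` prefix: POSIX does not
# guarantee that such a prefix on a function call is exported to the commands
# the function runs.
export CA_COMMON_NAME="Test Dup-Hash Root CA"
try openssl ca \
  -batch \
  -extensions user_cert \
  -days 3650 \
  -in out/ok_cert.req \
  -out out/ok_cert.pem \
  -config ca.cnf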
| |
# Copy one certificate from the scratch directory into the shared fixture
# directory. -text keeps a human-readable dump ahead of the PEM block.
# Arguments: $1 - basename under out/, $2 - basename under ../certificates/
publish_cert() {
  try openssl x509 -text \
    -in "out/$1.pem" \
    -out "../certificates/$2.pem"
}

publish_cert 2048-md5-root cross-signed-root-md5
publish_cert 2048-sha1-root cross-signed-root-sha1
publish_cert ok_cert cross-signed-leaf