blob: 8e48454342f35a74f154fbde21fd982654750b71 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
|
#!/bin/sh
# Copyright (c) 2013 The Chromium Authors. All rights reserved.
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.
# This script generates two chains of test certificates:
# 1. A1 (end-entity) -> B (self-signed root)
# 2. A2 (end-entity) -> B (self-signed root)
#
# In which A1 and A2 share the same key, the same subject common name, but have
# distinct O values in their subjects.
#
# This is used to test that NSS can properly generate unique certificate
# nicknames for both certificates.
try () {
echo "$@"
$@ || exit 1
}
generate_key_command () {
case "$1" in
rsa)
echo genrsa
;;
*)
exit 1
esac
}
try rm -rf out
try mkdir out
echo Create the serial number and index files.
try echo 1 > out/B-serial
try touch out/B-index.txt
echo Generate the keys.
try openssl genrsa -out out/A.key 2048
try openssl genrsa -out out/B.key 2048
echo Generate the B CSR.
CA_COMMON_NAME="B Root CA" \
CA_DIR=out \
CA_NAME=req_env_dn \
KEY_SIZE=2048 \
ALGO=rsa \
CERT_TYPE=root \
TYPE=B CERTIFICATE=B \
try openssl req \
-new \
-key out/B.key \
-out out/B.csr \
-config redundant-ca.cnf
echo B signs itself.
CA_COMMON_NAME="B Root CA" \
CA_DIR=out \
CA_NAME=req_env_dn \
try openssl x509 \
-req -days 3650 \
-in out/B.csr \
-extfile redundant-ca.cnf \
-extensions ca_cert \
-signkey out/B.key \
-out out/B.pem
echo Generate the A1 end-entity CSR.
SUBJECT_NAME=req_duplicate_cn_1 \
try openssl req \
-new \
-key out/A.key \
-out out/A1.csr \
-config ee.cnf
echo Generate the A2 end-entity CSR
SUBJECT_NAME=req_duplicate_cn_2 \
try openssl req \
-new \
-key out/A.key \
-out out/A2.csr \
-config ee.cnf
echo B signs A1.
CA_COMMON_NAME="B CA" \
CA_DIR=out \
CA_NAME=req_env_dn \
KEY_SIZE=2048 \
ALGO=sha1 \
CERT_TYPE=intermediate \
TYPE=B CERTIFICATE=B \
try openssl ca \
-batch \
-extensions user_cert \
-in out/A1.csr \
-out out/A1.pem \
-config redundant-ca.cnf
echo B signs A2.
CA_COMMON_NAME="B CA" \
CA_DIR=out \
CA_NAME=req_env_dn \
KEY_SIZE=2048 \
ALGO=sha1 \
CERT_TYPE=intermediate \
TYPE=B CERTIFICATE=B \
try openssl ca \
-batch \
-extensions user_cert \
-in out/A2.csr \
-out out/A2.pem \
-config redundant-ca.cnf
echo Exporting the certificates to PKCS#12
try openssl pkcs12 \
-export \
-inkey out/A.key \
-in out/A1.pem \
-out ../certificates/duplicate_cn_1.p12 \
-passout pass:chrome
try openssl pkcs12 \
-export \
-inkey out/A.key \
-in out/A2.pem \
-out ../certificates/duplicate_cn_2.p12 \
-passout pass:chrome
cp out/A1.pem ../certificates/duplicate_cn_1.pem
cp out/A2.pem ../certificates/duplicate_cn_2.pem
|
