File: generate-duplicate-cn-certs.sh

#!/bin/sh

# Copyright 2013 The Chromium Authors
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.

# This script generates two chains of test certificates:
#    1. A1 (end-entity) -> B (self-signed root)
#    2. A2 (end-entity) -> B (self-signed root)
#
# In which A1 and A2 share the same key, the same subject common name, but have
# distinct O values in their subjects.
#
# This is used to test that NSS can properly generate unique certificate
# nicknames for both certificates.

# Print a command line, then run it; terminate the whole script with status 1
# as soon as the command fails.
# Arguments: $@ - the command to run, followed by its arguments
# Outputs:   the arguments (via echo) on stdout, ahead of the command's own
#            output. Everything is echoed verbatim, so any secret passed as
#            an argument also ends up in the script's output.
try () {
  echo "$@"
  if ! "$@"; then
    exit 1
  fi
}

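# Refuse to run from the wrong directory. Every path in this script is
# relative to the current directory and the next step is a recursive delete of
# ./out, so confirm that the two OpenSSL config files the script reads are
# present before removing anything.
for required_cnf in redundant-ca.cnf ee.cnf; do
  if [ ! -f "$required_cnf" ]; then
    echo "$required_cnf not found; run this script from the directory that holds it" >&2
    exit 1
  fi
done

# Start from an empty scratch directory so that keys, CSRs or CA database
# files left by an earlier run cannot end up in the new fixtures.
try rm -rf out
try mkdir out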

# Seed the CA bookkeeping files used when B issues A1 and A2 with `openssl ca`.
# NOTE(review): presumably redundant-ca.cnf maps CERTIFICATE=B onto these two
# paths (out/B-serial, out/B-index.txt) -- confirm against the config.
echo Create the serial number and index files.
# The redirection is wrapped in a child shell so that it is part of the command
# try runs, rather than being applied to try (and its echo) itself.
try /bin/sh -c "echo 01 > out/B-serial"
try touch out/B-index.txt

echo Generate the keys.
# Two 2048-bit RSA keys; no cipher option is given, so they are written to disk
# without a passphrase. out/A.key is used for both end-entity certificates and
# out/B.key for the root. They are test fixtures only.
try openssl genrsa -out out/A.key 2048
try openssl genrsa -out out/B.key 2048

echo Generate the B CSR.
# CA_COMMON_NAME and CERTIFICATE are supplied as assignment prefixes; they are
# presumably read by redundant-ca.cnf through environment expansion.
# NOTE(review): try is a shell function, and POSIX leaves it unspecified
# whether assignments prefixed to a function call are exported to the commands
# the function runs -- confirm this holds for the /bin/sh in use.
CA_COMMON_NAME="B Root CA" \
  CERTIFICATE=B \
  try openssl req \
    -new \
    -key out/B.key \
    -out out/B.csr \
    -config redundant-ca.cnf

echo B signs itself.
# -signkey signs the request with B's own key, which is what makes B a
# self-signed root; the extensions come from the ca_cert section of
# redundant-ca.cnf. The root is valid for 3650 days from the moment the script
# runs, so the generated chain has a fixed lifetime.
CA_COMMON_NAME="B Root CA" \
  try openssl x509 \
    -req -days 3650 \
    -in out/B.csr \
    -extfile redundant-ca.cnf \
    -extensions ca_cert \
    -signkey out/B.key \
    -out out/B.pem

# Both requests below are built from the same private key (out/A.key); the only
# difference is SUBJECT_NAME, which selects the subject section used from
# ee.cnf. NOTE(review): per the file header the two sections should carry the
# same common name and different O values -- confirm in ee.cnf.
echo Generate the A1 end-entity CSR.
SUBJECT_NAME=req_duplicate_cn_1 \
  try openssl req \
    -new \
    -key out/A.key \
    -out out/A1.csr \
    -config ee.cnf

echo Generate the A2 end-entity CSR
SUBJECT_NAME=req_duplicate_cn_2 \
  try openssl req \
    -new \
    -key out/A.key \
    -out out/A2.csr \
    -config ee.cnf


# Issue both end-entity certificates from root B. The two invocations are
# identical apart from the CSR read and the certificate written, so they are
# driven from one loop. -batch makes `openssl ca` certify without prompting.
# NOTE(review): CA_COMMON_NAME is "B CA" here but "B Root CA" where the root
# was created; presumably it only has to be set so the config can be parsed,
# with the issuer name coming from the CA certificate -- confirm against
# redundant-ca.cnf. No -days is given, so the validity period presumably comes
# from the config as well.
for ee_name in A1 A2; do
  echo "B signs ${ee_name}."
  CA_COMMON_NAME="B CA" CERTIFICATE=B \
    try openssl ca -batch -extensions user_cert \
      -in "out/${ee_name}.csr" -out "out/${ee_name}.pem" \
      -config redundant-ca.cnf
done

# Bundle each end-entity certificate with the shared key out/A.key into a
# PKCS#12 file under ../certificates.
# The export password is the fixed literal "chrome", given on the command line
# and echoed by try. That is tolerable only because these are test fixtures:
# a pass: argument is visible in process listings and in this script's output,
# so this form should not be copied for keys that protect anything real.
echo Exporting the certificates to PKCS#12
for idx in 1 2; do
  try openssl pkcs12 -export \
    -inkey out/A.key \
    -in "out/A${idx}.pem" \
    -out "../certificates/duplicate_cn_${idx}.p12" \
    -passout pass:chrome
done

# Publish the PEM certificates next to the PKCS#12 bundles.
for idx in 1 2; do
  try cp "out/A${idx}.pem" "../certificates/duplicate_cn_${idx}.pem"
done