xref: /aosp_15_r20/external/cronet/net/data/ssl/scripts/generate-bad-eku-certs.sh (revision 6777b5387eb2ff775bb5750e3f5d96f37fb7352b) 
1#!/bin/sh
2
3# Copyright 2013 The Chromium Authors
4# Use of this source code is governed by a BSD-style license that can be
5# found in the LICENSE file.
6
7# This script generates a set of test (end-entity, root) certificate chains
8# whose EEs have (critical, non-critical) eKUs for codeSigning. We then try
9# to use them as EEs for a web server in unit tests, to make sure that we
10# don't accept such certs as web server certs.
11
12try () {
13  echo "$@"
14  "$@" || exit 1
15}
16
17try rm -rf out
18try mkdir out
19
20eku_test_root="2048-rsa-root"
21
22# Create the serial number files.
23try /bin/sh -c "echo 01 > \"out/$eku_test_root-serial\""
24
25# Make sure the signers' DB files exist.
26touch "out/$eku_test_root-index.txt"
27
28# Generate one root CA certificate.
29try openssl genrsa -out "out/$eku_test_root.key" 2048
30
31CA_COMMON_NAME="2048 RSA Test Root CA" \
32  CA_DIR=out \
33  CA_NAME=req_env_dn \
34  KEY_SIZE=2048 \
35  ALGO=rsa \
36  CERT_TYPE=root \
37  try openssl req \
38    -new \
39    -key "out/$eku_test_root.key" \
40    -extensions ca_cert \
41    -out "out/$eku_test_root.csr" \
42    -config ca.cnf
43
44CA_COMMON_NAME="2048 RSA Test Root CA" \
45  CA_DIR=out \
46  CA_NAME=req_env_dn \
47  try openssl x509 \
48    -req -days 3650 \
49    -in "out/$eku_test_root.csr" \
50    -extensions ca_cert \
51    -extfile ca.cnf \
52    -signkey "out/$eku_test_root.key" \
53    -out "out/$eku_test_root.pem" \
54    -text
55
56# Generate EE certs.
57for cert_type in non-crit-codeSigning crit-codeSigning
58do
59  try openssl genrsa -out "out/$cert_type.key" 2048
60
61  try openssl req \
62    -new \
63    -key "out/$cert_type.key" \
64    -out "out/$cert_type.csr" \
65    -config eku-test.cnf \
66    -reqexts "$cert_type"
67
68  CA_COMMON_NAME="2048 rsa Test Root CA" \
69    CA_DIR=out \
70    CA_NAME=req_env_dn \
71    KEY_SIZE=2048 \
72    ALGO=rsa \
73    CERT_TYPE=root \
74    try openssl ca \
75      -batch \
76      -in "out/$cert_type.csr" \
77      -out "out/$cert_type.pem" \
78      -config ca.cnf
79done
80
81# Copy to the file names that are actually checked in.
82try cp "out/$eku_test_root.pem" ../certificates/eku-test-root.pem
83try /bin/sh -c "cat out/crit-codeSigning.key out/crit-codeSigning.pem \
84  > ../certificates/crit-codeSigning-chain.pem"
85try /bin/sh -c "cat out/non-crit-codeSigning.key out/non-crit-codeSigning.pem \
86  > ../certificates/non-crit-codeSigning-chain.pem"
87