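#!/bin/sh

# Copyright 2013 The Chromium Authors
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.

# This script generates a set of test (end-entity, root) certificate chains
# whose EEs have (critical, non-critical) eKUs for codeSigning. We then try
# to use them as EEs for a web server in unit tests, to make sure that we
# don't accept such certs as web server certs.
#
# Every path used below (out/, ca.cnf, eku-test.cnf, ../certificates/) is
# relative, so the script has to be run from the directory that holds the
# .cnf files. Note that its first step deletes ./out.

# Echo a command, run it, and abort the whole script if it fails.
# Arguments: the command and its arguments, run exactly as given.
# Outputs:   the command line on stdout, then whatever the command prints.
# Returns:   the command's success; on failure the script exits with 1.
try () {
  echo "$@"
  "$@" || exit 1
}

# Start from an empty output directory so nothing left over from an earlier
# run is reused.
try rm -rf out
try mkdir out

eku_test_root="2048-rsa-root"

# Create the serial number files.
# The redirection is done inside a child shell: written directly on the try
# call it would also capture the command line that try echoes.
try /bin/sh -c "echo 01 > \"out/$eku_test_root-serial\""

# Make sure the signers' DB files exist.
# Run through try like every other step, so a failure stops the script here
# instead of being ignored.
try touch "out/$eku_test_root-index.txt"

# Generate one root CA certificate.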
# No cipher option is passed to genrsa, so the root's private key is written
# to out/ unencrypted.
root_key="out/${eku_test_root}.key"
root_csr="out/${eku_test_root}.csr"
root_pem="out/${eku_test_root}.pem"

try openssl genrsa -out "$root_key" 2048

# Build the root's certificate request. The variables are passed as prefix
# assignments on the try call; presumably ca.cnf reads them from the
# environment (confirm against ca.cnf).
CA_COMMON_NAME="2048 RSA Test Root CA" \
  CA_DIR=out \
  CA_NAME=req_env_dn \
  KEY_SIZE=2048 \
  ALGO=rsa \
  CERT_TYPE=root \
  try openssl req \
    -new \
    -key "$root_key" \
    -extensions ca_cert \
    -out "$root_csr" \
    -config ca.cnf

# Self-sign the request with the root's own key (-signkey), valid for 3650
# days, taking the ca_cert extensions from ca.cnf.
CA_COMMON_NAME="2048 RSA Test Root CA" \
  CA_DIR=out \
  CA_NAME=req_env_dn \
  try openssl x509 \
    -req -days 3650 \
    -in "$root_csr" \
    -extensions ca_cert \
    -extfile ca.cnf \
    -signkey "$root_key" \
    -out "$root_pem" \
    -text

# Generate EE certs.
# Each name in the list is used both as the output file stem under out/ and
# as the request-extension section selected from eku-test.cnf via -reqexts.
for cert_type in non-crit-codeSigning crit-codeSigning; do
  ee_key="out/${cert_type}.key"
  ee_csr="out/${cert_type}.csr"
  ee_pem="out/${cert_type}.pem"

  # As with the root, no cipher option is given: the EE key is unencrypted.
  try openssl genrsa -out "$ee_key" 2048

  try openssl req \
    -new \
    -key "$ee_key" \
    -out "$ee_csr" \
    -config eku-test.cnf \
    -reqexts "$cert_type"

  # The signing CA's certificate and key are not named on the command line,
  # so they presumably come from ca.cnf (confirm).
  # NOTE(review): CA_COMMON_NAME is spelled "2048 rsa ..." here but
  # "2048 RSA ..." where the root is created. Whether the difference matters
  # depends on how ca.cnf uses the variable; confirm before changing it.
  CA_COMMON_NAME="2048 rsa Test Root CA" \
    CA_DIR=out \
    CA_NAME=req_env_dn \
    KEY_SIZE=2048 \
    ALGO=rsa \
    CERT_TYPE=root \
    try openssl ca \
      -batch \
      -in "$ee_csr" \
      -out "$ee_pem" \
      -config ca.cnf
done

# Copy to the file names that are actually checked in.
# Only the root's certificate is copied; its private key is left in out/.
try cp "out/$eku_test_root.pem" ../certificates/eku-test-root.pem

# Each *-chain.pem holds the EE private key followed by the EE certificate;
# despite the name, the root certificate is not part of it. Because these
# files are checked in, the keys in them are public and are usable only as
# test fixtures.
for ee_name in crit-codeSigning non-crit-codeSigning; do
  try /bin/sh -c "cat out/$ee_name.key out/$ee_name.pem \
    > ../certificates/$ee_name-chain.pem"
done