ssl/scripts/generate-bad-self-signed.sh

#!/bin/bash

# Copyright 2016 The Chromium Authors
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.

# This script generates self-signed-invalid-name.pem and
# self-signed-invalid-sig.pem, which are "self-signed" test certificates with
# invalid names/signatures, respectively.
set -e

 rm -rf out
 mkdir out

openssl genrsa -out out/bad-self-signed.key 2048
touch out/bad-self-signed-index.txt

# Create two certificate requests with the same key, but different subjects
SUBJECT_NAME="req_self_signed_a" \
openssl req \
  -new \
  -key out/bad-self-signed.key \
  -out out/ss-a.req \
  -config ee.cnf

SUBJECT_NAME="req_self_signed_b" \
openssl req \
  -new \
  -key out/bad-self-signed.key \
  -out out/ss-b.req \
  -config ee.cnf

# Create a normal self-signed certificate from one of these requests
openssl x509 \
  -req \
  -in out/ss-a.req \
  -out out/bad-self-signed-root-a.pem \
  -signkey out/bad-self-signed.key \
  -days 3650

# To invalidate the signature without changing names, replace two bytes from the
# end of the certificate with 0xdead.
openssl x509 -in out/bad-self-signed-root-a.pem -outform DER \
  | head -c -2 \
  > out/bad-sig.der.1
echo -n -e "\xde\xad" > out/bad-sig.der.2
cat out/bad-sig.der.1 out/bad-sig.der.2 \
  | openssl x509 \
      -inform DER \
      -outform PEM \
      -out out/cert-self-signed-invalid-sig.pem

openssl x509 \
  -text \
  -noout \
  -in out/cert-self-signed-invalid-sig.pem \
  > out/self-signed-invalid-sig.pem
cat out/cert-self-signed-invalid-sig.pem >> out/self-signed-invalid-sig.pem

# Make a "self-signed" certificate with mismatched names
openssl x509 \
  -req \
  -in out/ss-b.req \
  -out out/cert-self-signed-invalid-name.pem \
  -days 3650 \
  -CA out/bad-self-signed-root-a.pem \
  -CAkey out/bad-self-signed.key \
  -CAserial out/bad-self-signed-serial.txt \
  -CAcreateserial

openssl x509 \
  -text \
  -noout \
  -in out/cert-self-signed-invalid-name.pem \
  > out/self-signed-invalid-name.pem
cat out/cert-self-signed-invalid-name.pem >> out/self-signed-invalid-name.pem