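#!/bin/bash

# Copyright 2016 The Chromium Authors
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.

# This script generates self-signed-invalid-name.pem and
# self-signed-invalid-sig.pem, which are "self-signed" test certificates with
# invalid names/signatures, respectively.
#
# What each fixture contains:
#   self-signed-invalid-sig.pem  - subject == issuer, but the last two bytes
#                                  of the signature are overwritten, so the
#                                  signature does not verify under the
#                                  certificate's own key.
#   self-signed-invalid-name.pem - signed by the key it certifies, but the
#                                  issuer name differs from the subject name.
#
# Requirements: openssl, GNU head (negative byte count), and ee.cnf in the
# current directory. All intermediate files, including the unencrypted RSA
# key shared by both certificates, are written to ./out, which is deleted and
# recreated on every run. Both certificates are issued with -days 3650, so
# they expire about ten years after generation.

# -u and pipefail are added to the original "set -e" so that an unset variable
# or a failing first stage of a pipeline aborts the run instead of silently
# producing a truncated fixture.
set -euo pipefail

# Check for ee.cnf before touching ./out: this keeps "rm -rf out" from running
# in an unrelated working directory, where the openssl req calls would fail
# anyway.
if [[ ! -f ee.cnf ]]; then
  echo "error: ee.cnf not found; run from the directory that contains it" >&2
  exit 1
fi

rm -rf out
mkdir out

# One RSA key backs both requests. genrsa is given no cipher option, so the
# key file is written unencrypted.
openssl genrsa -out out/bad-self-signed.key 2048
# Not read by any command in this script; kept from the original.
# NOTE(review): possibly referenced from ee.cnf - confirm before removing.
touch out/bad-self-signed-index.txt

# Create two certificate requests with the same key, but different subjects.
# SUBJECT_NAME is passed through the environment; presumably ee.cnf reads it
# to select the subject - confirm against ee.cnf.
SUBJECT_NAME="req_self_signed_a" \
openssl req \
  -new \
  -key out/bad-self-signed.key \
  -out out/ss-a.req \
  -config ee.cnf

SUBJECT_NAME="req_self_signed_b" \
openssl req \
  -new \
  -key out/bad-self-signed.key \
  -out out/ss-b.req \
  -config ee.cnf

# Create a normal self-signed certificate from one of these requests
openssl x509 \
  -req \
  -in out/ss-a.req \
  -out out/bad-self-signed-root-a.pem \
  -signkey out/bad-self-signed.key \
  -days 3650

# To invalidate the signature without changing names, replace two bytes from
# the end of the certificate with 0xdead. The signature value is the last
# field of the DER encoding, so only signature bytes change and the
# certificate still parses.
openssl x509 \
  -in out/bad-self-signed-root-a.pem \
  -outform DER \
  -out out/bad-self-signed-root-a.der
head -c -2 out/bad-self-signed-root-a.der > out/bad-sig.der.1
# printf instead of "echo -n -e": echo's option handling differs across shells.
printf '\xde\xad' > out/bad-sig.der.2
cat out/bad-sig.der.1 out/bad-sig.der.2 > out/bad-sig.der

# If the genuine signature already ended in 0xdead, the "tampered" file is
# byte-identical to the valid certificate and the fixture would carry a good
# signature. Refuse to emit it; a rerun generates a fresh key and signature.
if cmp -s out/bad-self-signed-root-a.der out/bad-sig.der; then
  echo "error: signature already ends in 0xdead; rerun to regenerate" >&2
  exit 1
fi

openssl x509 \
  -inform DER \
  -in out/bad-sig.der \
  -outform PEM \
  -out out/cert-self-signed-invalid-sig.pem

# Final fixture = human-readable dump followed by the PEM block.
openssl x509 \
  -text \
  -noout \
  -in out/cert-self-signed-invalid-sig.pem \
  > out/self-signed-invalid-sig.pem
cat out/cert-self-signed-invalid-sig.pem >> out/self-signed-invalid-sig.pem

# Make a "self-signed" certificate with mismatched names: request B (subject
# req_self_signed_b) is issued by root A using the same key, so the issuer
# name comes from root A while the signing key is the certificate's own key.
openssl x509 \
  -req \
  -in out/ss-b.req \
  -out out/cert-self-signed-invalid-name.pem \
  -days 3650 \
  -CA out/bad-self-signed-root-a.pem \
  -CAkey out/bad-self-signed.key \
  -CAserial out/bad-self-signed-serial.txt \
  -CAcreateserial

# Final fixture = human-readable dump followed by the PEM block.
openssl x509 \
  -text \
  -noout \
  -in out/cert-self-signed-invalid-name.pem \
  > out/self-signed-invalid-name.pem
cat out/cert-self-signed-invalid-name.pem >> out/self-signed-invalid-name.pem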