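#!/bin/sh

# Copyright 2014 The Chromium Authors
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.

# Generates the "multi-root" test fixtures: a leaf A whose issuer chain can be
# built through either of two cross-signed intermediates up to either of two
# self-signed roots. Run it from the directory that holds redundant-ca.cnf,
# ee.cnf and crlsetutil.py; it needs openssl and python on PATH. Scratch files
# go under ./out, the published fixtures under ../certificates.
#
# The following documentation uses the annotation approach from RFC 4158.
# CAs (entities that share the same name and public key) are denoted in boxes,
# while the indication that a CA Foo signed a certificate for CA Bar is denoted
# by directed arrows.
#
#   +---+    +-----+
#   | D |    |  E  |
#   +---+    +-----+
#     |       |   |
#     +--v v--+   |
#       +---+   +---+
#       | C |   | F |
#       +---+   +---+
#         |       |
#         v   v---+
#        +-----+
#        |  B  |
#        +-----+
#           |
#           v
#         +---+
#         | A |
#         +---+
#
# To validate A, there are several possible paths, using A(B) to indicate
# the certificate A signed by B:
#
# 1. A(B) -> B(C) -> C(D) -> D(D)
# 2. A(B) -> B(C) -> C(E) -> E(E)
# 3. A(B) -> B(F) -> F(E) -> E(E)
#
# That is, there are two different versions of C (signed by D and E) and
# two versions of B (signed by C and F). Possible trust anchors are D and E,
# which are both self-signed.
#
# The goal is to ensure that, as long as at least one of C or F is still valid,
# clients are able to successfully build a valid path.

# Exit the script as soon as something fails.
set -e

# Everything below resolves its inputs (redundant-ca.cnf, ee.cnf,
# crlsetutil.py) and the ../certificates output directory relative to the
# current directory. Check for them up front: the very next step wipes ./out,
# and without this guard a run from the wrong directory would delete an
# unrelated "out" tree and generate keys before failing on the missing config.
for required in redundant-ca.cnf ee.cnf crlsetutil.py ../certificates; do
  if [ ! -e "$required" ]; then
    echo "$0: $required not found; run this script from its own directory" >&2
    exit 1
  fi
done

rm -rf -- out
mkdir out

# Per-CA state for "openssl ca": a random 128-bit starting serial and an empty
# index file, named per CA -- presumably selected through the CERTIFICATE
# variable that redundant-ca.cnf reads (config not shown here; confirm there).
echo "Create the serial and index number files."
for i in B C D E F; do
  openssl rand -hex -out "out/${i}-serial" 16
  touch "out/${i}-index.txt"
done

# One 2048-bit RSA key per entity, roots and leaf included.
echo "Generate the keys."
for i in A B C D E F; do
  openssl genrsa -out "out/${i}.key" 2048
done
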
# Roots D and E: a CSR for each, then self-signed with the ca_cert extensions.
# Both roots carry a fixed validity window, 2016-01-02 through 2026-01-02
# (openssl's YYMMDDHHMMSSZ form below); chains built on them stop validating
# after the latter date, so regenerate with later dates rather than trust stale
# output.
echo "Generating the self-signed roots"
for root in D E; do
  root_cn="${root} Root CA - Multi-root"

  echo "Generating CSR ${root}"
  CERTIFICATE="${root}" CA_COMMON_NAME="${root_cn}" \
    openssl req -config redundant-ca.cnf -new \
      -key "out/${root}.key" -out "out/${root}.csr"

  echo "Generating self-signed ${root}"
  CERTIFICATE="${root}" CA_COMMON_NAME="${root_cn}" \
    openssl ca -config redundant-ca.cnf -batch -selfsign \
      -startdate 160102000000Z -enddate 260102000000Z \
      -extensions ca_cert -extfile redundant-ca.cnf \
      -in "out/${root}.csr" -out "out/${root}.pem"
done

# CSRs for the intermediates. B and C are each signed twice further down (by
# C/F and by D/E respectively) from this single request, which is what yields
# the two cross-signed versions of each that the fixtures need.
echo "Generating intermediate CSRs"
for ca in B C F; do
  echo "Generating CSR ${ca}"
  CERTIFICATE="${ca}" CA_COMMON_NAME="${ca} CA - Multi-root" \
    openssl req -config redundant-ca.cnf -new \
      -key "out/${ca}.key" -out "out/${ca}.csr"
done

# Issues a CA certificate from one of the CSRs generated above.
#   $1 - issuing CA; its key, serial and index live under out/ and are
#        presumably selected through the CERTIFICATE variable that
#        redundant-ca.cnf reads (confirm against the config)
#   $2 - basename (under out/, without .csr) of the request to sign
#   $3 - basename (under out/, without .pem) of the certificate to write
#   $4 - notBefore in openssl's YYMMDDHHMMSSZ form
# Every CA certificate shares the roots' 2026-01-02 notAfter.
sign_ca_cert() {
  CERTIFICATE="$1" \
  CA_COMMON_NAME="$1 CA - Multi-root" \
  openssl ca \
    -config redundant-ca.cnf \
    -batch \
    -startdate "$4" \
    -enddate 260102000000Z \
    -extensions ca_cert \
    -extfile redundant-ca.cnf \
    -in "out/$2.csr" \
    -out "out/$3.pem"
}

# The two versions of C are issued from the same CSR, once by each root.
echo "D signs C"
sign_ca_cert D C C 160103000000Z

echo "C signs B"
sign_ca_cert C B B 160104000000Z

echo "E signs C2"
sign_ca_cert E C C2 160105000000Z

echo "E signs F"
sign_ca_cert E F F 160102000000Z

# Note: The startdate for B-by-F MUST be different than that of B-by-C; to make
# B-by-F more preferable, the startdate is chosen to be GREATER (later) than
# B-by-C.
echo "F signs B2"
sign_ca_cert F B B2 160105000000Z

# End-entity A: a request from ee.cnf, then issued by B with the user_cert
# extensions. Unlike the CA certificates, the leaf's validity is relative to
# generation time (-days 3650), so its notAfter depends on when this ran.
echo "Generating leaf CSRs"
for leaf in A; do
  echo "Generating leaf ${leaf}"
  openssl req -config ee.cnf -new -key "out/${leaf}.key" -out "out/${leaf}.csr"
done

echo "Signing leaves"
CERTIFICATE=B CA_COMMON_NAME="B CA - Multi-root" \
  openssl ca -config redundant-ca.cnf -batch -days 3650 \
    -extensions user_cert -extfile redundant-ca.cnf \
    -in out/A.csr -out out/A.pem

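# Publish the fixtures. The redirections are done by this shell directly
# instead of through a second "/bin/sh -c" with a quoted command string, which
# added nothing and was fragile to edit. Chain files are ordered leaf first,
# then each issuer up to the root (chain1 and chain2 are paths 1 and 2 from the
# header); single certificates are named <subject>-by-<issuer>. Note that
# multi-root-A-by-B.pem also carries A's private key.
echo "Copying outputs"
certs=../certificates
cat out/A.key out/A.pem > "${certs}/multi-root-A-by-B.pem"
cat out/A.pem out/B.pem out/C.pem out/D.pem > "${certs}/multi-root-chain1.pem"
cat out/A.pem out/B.pem out/C2.pem out/E.pem > "${certs}/multi-root-chain2.pem"
cp out/B.pem "${certs}/multi-root-B-by-C.pem"
cp out/B2.pem "${certs}/multi-root-B-by-F.pem"
cp out/C.pem "${certs}/multi-root-C-by-D.pem"
cp out/C2.pem "${certs}/multi-root-C-by-E.pem"
cp out/F.pem "${certs}/multi-root-F-by-E.pem"
cp out/D.pem "${certs}/multi-root-D-by-D.pem"
cp out/E.pem "${certs}/multi-root-E-by-E.pem"
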
# CRLSets that block different subsets of the graph so the tests can check
# which of the paths in the header survive. Each one is built by crlsetutil.py
# from the JSON on stdin; the certificate paths in the JSON refer to ./out.
echo "Generating CRLSets"
make_crlset() {
  python crlsetutil.py -o "$1"
}

# Block D and E by SPKI; both trust anchors are gone, so every path is invalid.
make_crlset ../certificates/multi-root-crlset-D-and-E.raw <<CRLSETDOCBLOCK
{
  "BlockedBySPKI": [
    "out/D.pem",
    "out/E.pem"
  ]
}
CRLSETDOCBLOCK

# Block E by SPKI.
make_crlset ../certificates/multi-root-crlset-E.raw <<CRLSETDOCBLOCK
{
  "BlockedBySPKI": [
    "out/E.pem"
  ]
}
CRLSETDOCBLOCK

# Block C-by-D and F-by-E by way of serial number (issuer -> [issued certs]).
make_crlset ../certificates/multi-root-crlset-CD-and-FE.raw <<CRLSETDOCBLOCK
{
  "BlockedByHash": {
    "out/D.pem": ["out/C.pem"],
    "out/E.pem": ["out/F.pem"]
  }
}
CRLSETDOCBLOCK

# Block C (all versions) by way of SPKI; both versions share C's key.
make_crlset ../certificates/multi-root-crlset-C.raw <<CRLSETDOCBLOCK
{
  "BlockedBySPKI": [ "out/C.pem" ]
}
CRLSETDOCBLOCK

# Block an unrelated/unissued serial (D, not issued by E) to enable all paths.
make_crlset ../certificates/multi-root-crlset-unrelated.raw <<CRLSETDOCBLOCK
{
  "BlockedByHash": {
    "out/E.pem": ["out/D.pem"]
  }
}
CRLSETDOCBLOCK