1*6777b538SAndroid Build Coastguard Worker#!/bin/sh 2*6777b538SAndroid Build Coastguard Worker 3*6777b538SAndroid Build Coastguard Worker# Copyright 2013 The Chromium Authors 4*6777b538SAndroid Build Coastguard Worker# Use of this source code is governed by a BSD-style license that can be 5*6777b538SAndroid Build Coastguard Worker# found in the LICENSE file. 6*6777b538SAndroid Build Coastguard Worker 7*6777b538SAndroid Build Coastguard Worker# This script generates a set of test (end-entity, intermediate, root) 8*6777b538SAndroid Build Coastguard Worker# certificates that can be used to test fetching of an intermediate via AIA. 9*6777b538SAndroid Build Coastguard Workerset -e -x 10*6777b538SAndroid Build Coastguard Worker 11*6777b538SAndroid Build Coastguard Worker# The maximum lifetime for any certificates that may go through a "real" 12*6777b538SAndroid Build Coastguard Worker# cert verifier. This is effectively: 13*6777b538SAndroid Build Coastguard Worker# min(OS verifier max lifetime for local certs, built-in verifier max lifetime 14*6777b538SAndroid Build Coastguard Worker# for local certs) 15*6777b538SAndroid Build Coastguard Worker# 16*6777b538SAndroid Build Coastguard Worker# The current built-in verifier max lifetime is 39 months 17*6777b538SAndroid Build Coastguard Worker# The current OS verifier max lifetime is 825 days, which comes from 18*6777b538SAndroid Build Coastguard Worker# iOS 13/macOS 10.15 - https://support.apple.com/en-us/HT210176 19*6777b538SAndroid Build Coastguard Worker# 730 is used here as just a short-hand for 2 years 20*6777b538SAndroid Build Coastguard WorkerCERT_LIFETIME=730 21*6777b538SAndroid Build Coastguard Worker 22*6777b538SAndroid Build Coastguard Workerrm -rf out 23*6777b538SAndroid Build Coastguard Workermkdir out 24*6777b538SAndroid Build Coastguard Workermkdir out/int 25*6777b538SAndroid Build Coastguard Worker 26*6777b538SAndroid Build Coastguard Workeropenssl rand -hex -out out/2048-sha256-root-serial 16 27*6777b538SAndroid Build Coastguard Workertouch out/2048-sha256-root-index.txt 28*6777b538SAndroid Build Coastguard Worker 29*6777b538SAndroid Build Coastguard Worker# Generate the key or copy over the existing one if present. 30*6777b538SAndroid Build Coastguard Workerfunction copy_or_generate_key { 31*6777b538SAndroid Build Coastguard Worker existing_pem_filename="$1" 32*6777b538SAndroid Build Coastguard Worker out_key_filename="$2" 33*6777b538SAndroid Build Coastguard Worker if grep -q -- '-----BEGIN.*PRIVATE KEY-----' "$existing_pem_filename" ; then 34*6777b538SAndroid Build Coastguard Worker openssl pkey -in "$existing_pem_filename" -out "$out_key_filename" 35*6777b538SAndroid Build Coastguard Worker else 36*6777b538SAndroid Build Coastguard Worker openssl genpkey -algorithm rsa -pkeyopt rsa_keygen_bits:2048 \ 37*6777b538SAndroid Build Coastguard Worker -out "$out_key_filename" 38*6777b538SAndroid Build Coastguard Worker fi 39*6777b538SAndroid Build Coastguard Worker} 40*6777b538SAndroid Build Coastguard Worker 41*6777b538SAndroid Build Coastguard Worker# Generate the key or copy over the existing one if present. 42*6777b538SAndroid Build Coastguard Workercopy_or_generate_key ../certificates/root_ca_cert.pem out/2048-sha256-root.key 43*6777b538SAndroid Build Coastguard Worker 44*6777b538SAndroid Build Coastguard Worker# Generate the root certificate 45*6777b538SAndroid Build Coastguard WorkerCA_NAME="req_ca_dn" \ 46*6777b538SAndroid Build Coastguard Worker openssl req \ 47*6777b538SAndroid Build Coastguard Worker -new \ 48*6777b538SAndroid Build Coastguard Worker -key out/2048-sha256-root.key \ 49*6777b538SAndroid Build Coastguard Worker -out out/2048-sha256-root.req \ 50*6777b538SAndroid Build Coastguard Worker -config ca.cnf 51*6777b538SAndroid Build Coastguard Worker 52*6777b538SAndroid Build Coastguard WorkerCA_NAME="req_ca_dn" \ 53*6777b538SAndroid Build Coastguard Worker openssl x509 \ 54*6777b538SAndroid Build Coastguard Worker -req -days 3650 \ 55*6777b538SAndroid Build Coastguard Worker -in out/2048-sha256-root.req \ 56*6777b538SAndroid Build Coastguard Worker -signkey out/2048-sha256-root.key \ 57*6777b538SAndroid Build Coastguard Worker -extfile ca.cnf \ 58*6777b538SAndroid Build Coastguard Worker -extensions ca_cert \ 59*6777b538SAndroid Build Coastguard Worker -text > out/2048-sha256-root.pem 60*6777b538SAndroid Build Coastguard Worker 61*6777b538SAndroid Build Coastguard Worker# Generate the test intermediate 62*6777b538SAndroid Build Coastguard Workeropenssl rand -hex -out out/int/2048-sha256-int-serial 16 63*6777b538SAndroid Build Coastguard Workertouch out/int/2048-sha256-int-index.txt 64*6777b538SAndroid Build Coastguard Worker 65*6777b538SAndroid Build Coastguard Worker# Copy over an existing key if present. 66*6777b538SAndroid Build Coastguard Workercopy_or_generate_key ../certificates/intermediate_ca_cert.pem \ 67*6777b538SAndroid Build Coastguard Worker out/int/2048-sha256-int.key 68*6777b538SAndroid Build Coastguard Worker 69*6777b538SAndroid Build Coastguard WorkerCA_NAME="req_intermediate_dn" \ 70*6777b538SAndroid Build Coastguard Worker openssl req \ 71*6777b538SAndroid Build Coastguard Worker -new \ 72*6777b538SAndroid Build Coastguard Worker -key out/int/2048-sha256-int.key \ 73*6777b538SAndroid Build Coastguard Worker -out out/int/2048-sha256-int.req \ 74*6777b538SAndroid Build Coastguard Worker -config ca.cnf 75*6777b538SAndroid Build Coastguard Worker 76*6777b538SAndroid Build Coastguard WorkerCA_NAME="req_intermediate_dn" \ 77*6777b538SAndroid Build Coastguard Worker openssl ca \ 78*6777b538SAndroid Build Coastguard Worker -batch \ 79*6777b538SAndroid Build Coastguard Worker -extensions ca_cert \ 80*6777b538SAndroid Build Coastguard Worker -days 3650 \ 81*6777b538SAndroid Build Coastguard Worker -in out/int/2048-sha256-int.req \ 82*6777b538SAndroid Build Coastguard Worker -out out/int/2048-sha256-int.pem \ 83*6777b538SAndroid Build Coastguard Worker -config ca.cnf 84*6777b538SAndroid Build Coastguard Worker 85*6777b538SAndroid Build Coastguard Worker# Generate the leaf certificate requests 86*6777b538SAndroid Build Coastguard Worker 87*6777b538SAndroid Build Coastguard Workercopy_or_generate_key ../certificates/expired_cert.pem out/expired_cert.key 88*6777b538SAndroid Build Coastguard Workeropenssl req \ 89*6777b538SAndroid Build Coastguard Worker -new \ 90*6777b538SAndroid Build Coastguard Worker -key out/expired_cert.key \ 91*6777b538SAndroid Build Coastguard Worker -out out/expired_cert.req \ 92*6777b538SAndroid Build Coastguard Worker -config ee.cnf 93*6777b538SAndroid Build Coastguard Worker 94*6777b538SAndroid Build Coastguard Workercopy_or_generate_key ../certificates/ok_cert.pem out/ok_cert.key 95*6777b538SAndroid Build Coastguard Workeropenssl req \ 96*6777b538SAndroid Build Coastguard Worker -new \ 97*6777b538SAndroid Build Coastguard Worker -key out/ok_cert.key \ 98*6777b538SAndroid Build Coastguard Worker -out out/ok_cert.req \ 99*6777b538SAndroid Build Coastguard Worker -config ee.cnf 100*6777b538SAndroid Build Coastguard Worker 101*6777b538SAndroid Build Coastguard Workercopy_or_generate_key ../certificates/wildcard.pem out/wildcard.key 102*6777b538SAndroid Build Coastguard Workeropenssl req \ 103*6777b538SAndroid Build Coastguard Worker -new \ 104*6777b538SAndroid Build Coastguard Worker -key out/wildcard.key \ 105*6777b538SAndroid Build Coastguard Worker -out out/wildcard.req \ 106*6777b538SAndroid Build Coastguard Worker -reqexts req_wildcard \ 107*6777b538SAndroid Build Coastguard Worker -config ee.cnf 108*6777b538SAndroid Build Coastguard Worker 109*6777b538SAndroid Build Coastguard Workercopy_or_generate_key ../certificates/localhost_cert.pem out/localhost_cert.key 110*6777b538SAndroid Build Coastguard WorkerSUBJECT_NAME="req_localhost_cn" \ 111*6777b538SAndroid Build Coastguard Workeropenssl req \ 112*6777b538SAndroid Build Coastguard Worker -new \ 113*6777b538SAndroid Build Coastguard Worker -key out/localhost_cert.key \ 114*6777b538SAndroid Build Coastguard Worker -out out/localhost_cert.req \ 115*6777b538SAndroid Build Coastguard Worker -reqexts req_localhost_san \ 116*6777b538SAndroid Build Coastguard Worker -config ee.cnf 117*6777b538SAndroid Build Coastguard Worker 118*6777b538SAndroid Build Coastguard Workercopy_or_generate_key ../certificates/test_names.pem out/test_names.key 119*6777b538SAndroid Build Coastguard Workeropenssl req \ 120*6777b538SAndroid Build Coastguard Worker -new \ 121*6777b538SAndroid Build Coastguard Worker -key out/test_names.key \ 122*6777b538SAndroid Build Coastguard Worker -out out/test_names.req \ 123*6777b538SAndroid Build Coastguard Worker -reqexts req_test_names \ 124*6777b538SAndroid Build Coastguard Worker -config ee.cnf 125*6777b538SAndroid Build Coastguard Worker 126*6777b538SAndroid Build Coastguard Worker# Generate the leaf certificates 127*6777b538SAndroid Build Coastguard WorkerCA_NAME="req_ca_dn" \ 128*6777b538SAndroid Build Coastguard Worker openssl ca \ 129*6777b538SAndroid Build Coastguard Worker -batch \ 130*6777b538SAndroid Build Coastguard Worker -extensions user_cert \ 131*6777b538SAndroid Build Coastguard Worker -startdate 060101000000Z \ 132*6777b538SAndroid Build Coastguard Worker -enddate 070101000000Z \ 133*6777b538SAndroid Build Coastguard Worker -in out/expired_cert.req \ 134*6777b538SAndroid Build Coastguard Worker -out out/expired_cert.pem \ 135*6777b538SAndroid Build Coastguard Worker -config ca.cnf 136*6777b538SAndroid Build Coastguard Worker 137*6777b538SAndroid Build Coastguard WorkerCA_NAME="req_ca_dn" \ 138*6777b538SAndroid Build Coastguard Worker openssl ca \ 139*6777b538SAndroid Build Coastguard Worker -batch \ 140*6777b538SAndroid Build Coastguard Worker -extensions user_cert \ 141*6777b538SAndroid Build Coastguard Worker -days ${CERT_LIFETIME} \ 142*6777b538SAndroid Build Coastguard Worker -in out/ok_cert.req \ 143*6777b538SAndroid Build Coastguard Worker -out out/ok_cert.pem \ 144*6777b538SAndroid Build Coastguard Worker -config ca.cnf 145*6777b538SAndroid Build Coastguard Worker 146*6777b538SAndroid Build Coastguard WorkerCA_DIR="out/int" \ 147*6777b538SAndroid Build Coastguard WorkerCERT_TYPE="int" \ 148*6777b538SAndroid Build Coastguard WorkerCA_NAME="req_intermediate_dn" \ 149*6777b538SAndroid Build Coastguard Worker openssl ca \ 150*6777b538SAndroid Build Coastguard Worker -batch \ 151*6777b538SAndroid Build Coastguard Worker -extensions user_cert \ 152*6777b538SAndroid Build Coastguard Worker -days ${CERT_LIFETIME} \ 153*6777b538SAndroid Build Coastguard Worker -in out/ok_cert.req \ 154*6777b538SAndroid Build Coastguard Worker -out out/int/ok_cert.pem \ 155*6777b538SAndroid Build Coastguard Worker -config ca.cnf 156*6777b538SAndroid Build Coastguard Worker 157*6777b538SAndroid Build Coastguard WorkerCA_NAME="req_ca_dn" \ 158*6777b538SAndroid Build Coastguard Worker openssl ca \ 159*6777b538SAndroid Build Coastguard Worker -batch \ 160*6777b538SAndroid Build Coastguard Worker -extensions user_cert \ 161*6777b538SAndroid Build Coastguard Worker -in out/wildcard.req \ 162*6777b538SAndroid Build Coastguard Worker -out out/wildcard.pem \ 163*6777b538SAndroid Build Coastguard Worker -config ca.cnf 164*6777b538SAndroid Build Coastguard Worker 165*6777b538SAndroid Build Coastguard WorkerCA_NAME="req_ca_dn" \ 166*6777b538SAndroid Build Coastguard Worker openssl ca \ 167*6777b538SAndroid Build Coastguard Worker -batch \ 168*6777b538SAndroid Build Coastguard Worker -extensions user_cert \ 169*6777b538SAndroid Build Coastguard Worker -days ${CERT_LIFETIME} \ 170*6777b538SAndroid Build Coastguard Worker -in out/localhost_cert.req \ 171*6777b538SAndroid Build Coastguard Worker -out out/localhost_cert.pem \ 172*6777b538SAndroid Build Coastguard Worker -config ca.cnf 173*6777b538SAndroid Build Coastguard Worker 174*6777b538SAndroid Build Coastguard WorkerCA_NAME="req_ca_dn" \ 175*6777b538SAndroid Build Coastguard Worker openssl ca \ 176*6777b538SAndroid Build Coastguard Worker -batch \ 177*6777b538SAndroid Build Coastguard Worker -extensions user_cert \ 178*6777b538SAndroid Build Coastguard Worker -subj "/CN=Leaf Certificate/" \ 179*6777b538SAndroid Build Coastguard Worker -startdate 00010101000000Z \ 180*6777b538SAndroid Build Coastguard Worker -enddate 00010101000000Z \ 181*6777b538SAndroid Build Coastguard Worker -in out/ok_cert.req \ 182*6777b538SAndroid Build Coastguard Worker -out out/bad_validity.pem \ 183*6777b538SAndroid Build Coastguard Worker -config ca.cnf 184*6777b538SAndroid Build Coastguard Worker 185*6777b538SAndroid Build Coastguard WorkerCA_NAME="req_ca_dn" \ 186*6777b538SAndroid Build Coastguard Worker openssl ca \ 187*6777b538SAndroid Build Coastguard Worker -batch \ 188*6777b538SAndroid Build Coastguard Worker -extensions user_cert \ 189*6777b538SAndroid Build Coastguard Worker -days ${CERT_LIFETIME} \ 190*6777b538SAndroid Build Coastguard Worker -in out/test_names.req \ 191*6777b538SAndroid Build Coastguard Worker -out out/test_names.pem \ 192*6777b538SAndroid Build Coastguard Worker -config ca.cnf 193*6777b538SAndroid Build Coastguard Worker 194*6777b538SAndroid Build Coastguard Worker/bin/sh -c "cat out/ok_cert.key out/ok_cert.pem \ 195*6777b538SAndroid Build Coastguard Worker > ../certificates/ok_cert.pem" 196*6777b538SAndroid Build Coastguard Worker/bin/sh -c "cat out/wildcard.key out/wildcard.pem \ 197*6777b538SAndroid Build Coastguard Worker > ../certificates/wildcard.pem" 198*6777b538SAndroid Build Coastguard Worker/bin/sh -c "cat out/localhost_cert.key out/localhost_cert.pem \ 199*6777b538SAndroid Build Coastguard Worker > ../certificates/localhost_cert.pem" 200*6777b538SAndroid Build Coastguard Worker/bin/sh -c "cat out/expired_cert.key out/expired_cert.pem \ 201*6777b538SAndroid Build Coastguard Worker > ../certificates/expired_cert.pem" 202*6777b538SAndroid Build Coastguard Worker/bin/sh -c "cat out/2048-sha256-root.key out/2048-sha256-root.pem \ 203*6777b538SAndroid Build Coastguard Worker > ../certificates/root_ca_cert.pem" 204*6777b538SAndroid Build Coastguard Worker/bin/sh -c "cat out/ok_cert.key out/bad_validity.pem \ 205*6777b538SAndroid Build Coastguard Worker > ../certificates/bad_validity.pem" 206*6777b538SAndroid Build Coastguard Worker/bin/sh -c "cat out/ok_cert.key out/int/ok_cert.pem \ 207*6777b538SAndroid Build Coastguard Worker out/int/2048-sha256-int.pem \ 208*6777b538SAndroid Build Coastguard Worker > ../certificates/ok_cert_by_intermediate.pem" 209*6777b538SAndroid Build Coastguard Worker/bin/sh -c "cat out/int/2048-sha256-int.key out/int/2048-sha256-int.pem \ 210*6777b538SAndroid Build Coastguard Worker > ../certificates/intermediate_ca_cert.pem" 211*6777b538SAndroid Build Coastguard Worker/bin/sh -c "cat out/int/ok_cert.pem out/int/2048-sha256-int.pem \ 212*6777b538SAndroid Build Coastguard Worker out/2048-sha256-root.pem \ 213*6777b538SAndroid Build Coastguard Worker > ../certificates/x509_verify_results.chain.pem" 214*6777b538SAndroid Build Coastguard Worker/bin/sh -c "cat out/test_names.key out/test_names.pem \ 215*6777b538SAndroid Build Coastguard Worker > ../certificates/test_names.pem" 216*6777b538SAndroid Build Coastguard Worker 217*6777b538SAndroid Build Coastguard Worker# Now generate the one-off certs 218*6777b538SAndroid Build Coastguard Worker## Self-signed cert for SPDY/QUIC/HTTP2 pooling testing 219*6777b538SAndroid Build Coastguard Workeropenssl req -x509 -days 3650 -extensions req_spdy_pooling \ 220*6777b538SAndroid Build Coastguard Worker -config ../scripts/ee.cnf -newkey rsa:2048 -text \ 221*6777b538SAndroid Build Coastguard Worker -out ../certificates/spdy_pooling.pem 222*6777b538SAndroid Build Coastguard Worker 223*6777b538SAndroid Build Coastguard Worker## SubjectAltName parsing 224*6777b538SAndroid Build Coastguard Workeropenssl req -x509 -days 3650 -extensions req_san_sanity \ 225*6777b538SAndroid Build Coastguard Worker -config ../scripts/ee.cnf -newkey rsa:2048 -text \ 226*6777b538SAndroid Build Coastguard Worker -out ../certificates/subjectAltName_sanity_check.pem 227*6777b538SAndroid Build Coastguard Worker 228*6777b538SAndroid Build Coastguard Worker## SubjectAltName containing www.example.com 229*6777b538SAndroid Build Coastguard Workeropenssl req -x509 -days 3650 -extensions req_san_example \ 230*6777b538SAndroid Build Coastguard Worker -config ../scripts/ee.cnf -newkey rsa:2048 -text \ 231*6777b538SAndroid Build Coastguard Worker -out ../certificates/subjectAltName_www_example_com.pem 232*6777b538SAndroid Build Coastguard Worker 233*6777b538SAndroid Build Coastguard Worker## certificatePolicies parsing 234*6777b538SAndroid Build Coastguard Workeropenssl req -x509 -days 3650 -extensions req_policies_sanity \ 235*6777b538SAndroid Build Coastguard Worker -config ../scripts/ee.cnf -newkey rsa:2048 -text \ 236*6777b538SAndroid Build Coastguard Worker -out ../certificates/policies_sanity_check.pem 237*6777b538SAndroid Build Coastguard Worker 238*6777b538SAndroid Build Coastguard Worker## Punycode handling 239*6777b538SAndroid Build Coastguard WorkerSUBJECT_NAME="req_punycode_dn" \ 240*6777b538SAndroid Build Coastguard Worker openssl req -x509 -days 3650 -extensions req_punycode \ 241*6777b538SAndroid Build Coastguard Worker -config ../scripts/ee.cnf -newkey rsa:2048 -text \ 242*6777b538SAndroid Build Coastguard Worker -out ../certificates/punycodetest.pem 243*6777b538SAndroid Build Coastguard Worker 244*6777b538SAndroid Build Coastguard Worker## SHA1 certificate expiring in 2016. 245*6777b538SAndroid Build Coastguard Workeropenssl req -config ../scripts/ee.cnf \ 246*6777b538SAndroid Build Coastguard Worker -newkey rsa:2048 -text -out out/sha1_2016.req 247*6777b538SAndroid Build Coastguard WorkerCA_NAME="req_ca_dn" \ 248*6777b538SAndroid Build Coastguard Worker openssl ca \ 249*6777b538SAndroid Build Coastguard Worker -batch \ 250*6777b538SAndroid Build Coastguard Worker -extensions user_cert \ 251*6777b538SAndroid Build Coastguard Worker -startdate 081030000000Z \ 252*6777b538SAndroid Build Coastguard Worker -enddate 161230000000Z \ 253*6777b538SAndroid Build Coastguard Worker -in out/sha1_2016.req \ 254*6777b538SAndroid Build Coastguard Worker -out ../certificates/sha1_2016.pem \ 255*6777b538SAndroid Build Coastguard Worker -config ca.cnf \ 256*6777b538SAndroid Build Coastguard Worker -md sha1 257*6777b538SAndroid Build Coastguard Worker 258*6777b538SAndroid Build Coastguard Worker## Validity too long unit test support. 259*6777b538SAndroid Build Coastguard Workeropenssl req -config ../scripts/ee.cnf \ 260*6777b538SAndroid Build Coastguard Worker -newkey rsa:2048 -text -out out/10_year_validity.req 261*6777b538SAndroid Build Coastguard WorkerCA_NAME="req_ca_dn" \ 262*6777b538SAndroid Build Coastguard Worker openssl ca \ 263*6777b538SAndroid Build Coastguard Worker -batch \ 264*6777b538SAndroid Build Coastguard Worker -extensions user_cert \ 265*6777b538SAndroid Build Coastguard Worker -startdate 081030000000Z \ 266*6777b538SAndroid Build Coastguard Worker -enddate 181029000000Z \ 267*6777b538SAndroid Build Coastguard Worker -in out/10_year_validity.req \ 268*6777b538SAndroid Build Coastguard Worker -out ../certificates/10_year_validity.pem \ 269*6777b538SAndroid Build Coastguard Worker -config ca.cnf 270*6777b538SAndroid Build Coastguard Workeropenssl req -config ../scripts/ee.cnf \ 271*6777b538SAndroid Build Coastguard Worker -newkey rsa:2048 -text -out out/11_year_validity.req 272*6777b538SAndroid Build Coastguard WorkerCA_NAME="req_ca_dn" \ 273*6777b538SAndroid Build Coastguard Worker openssl ca \ 274*6777b538SAndroid Build Coastguard Worker -batch \ 275*6777b538SAndroid Build Coastguard Worker -extensions user_cert \ 276*6777b538SAndroid Build Coastguard Worker -startdate 141030000000Z \ 277*6777b538SAndroid Build Coastguard Worker -enddate 251030000000Z \ 278*6777b538SAndroid Build Coastguard Worker -in out/11_year_validity.req \ 279*6777b538SAndroid Build Coastguard Worker -out ../certificates/11_year_validity.pem \ 280*6777b538SAndroid Build Coastguard Worker -config ca.cnf 281*6777b538SAndroid Build Coastguard Workeropenssl req -config ../scripts/ee.cnf \ 282*6777b538SAndroid Build Coastguard Worker -newkey rsa:2048 -text -out out/39_months_after_2015_04.req 283*6777b538SAndroid Build Coastguard WorkerCA_NAME="req_ca_dn" \ 284*6777b538SAndroid Build Coastguard Worker openssl ca \ 285*6777b538SAndroid Build Coastguard Worker -batch \ 286*6777b538SAndroid Build Coastguard Worker -extensions user_cert \ 287*6777b538SAndroid Build Coastguard Worker -startdate 150402000000Z \ 288*6777b538SAndroid Build Coastguard Worker -enddate 180702000000Z \ 289*6777b538SAndroid Build Coastguard Worker -in out/39_months_after_2015_04.req \ 290*6777b538SAndroid Build Coastguard Worker -out ../certificates/39_months_after_2015_04.pem \ 291*6777b538SAndroid Build Coastguard Worker -config ca.cnf 292*6777b538SAndroid Build Coastguard Workeropenssl req -config ../scripts/ee.cnf \ 293*6777b538SAndroid Build Coastguard Worker -newkey rsa:2048 -text -out out/40_months_after_2015_04.req 294*6777b538SAndroid Build Coastguard WorkerCA_NAME="req_ca_dn" \ 295*6777b538SAndroid Build Coastguard Worker openssl ca \ 296*6777b538SAndroid Build Coastguard Worker -batch \ 297*6777b538SAndroid Build Coastguard Worker -extensions user_cert \ 298*6777b538SAndroid Build Coastguard Worker -startdate 150402000000Z \ 299*6777b538SAndroid Build Coastguard Worker -enddate 180801000000Z \ 300*6777b538SAndroid Build Coastguard Worker -in out/40_months_after_2015_04.req \ 301*6777b538SAndroid Build Coastguard Worker -out ../certificates/40_months_after_2015_04.pem \ 302*6777b538SAndroid Build Coastguard Worker -config ca.cnf 303*6777b538SAndroid Build Coastguard Workeropenssl req -config ../scripts/ee.cnf \ 304*6777b538SAndroid Build Coastguard Worker -newkey rsa:2048 -text -out out/60_months_after_2012_07.req 305*6777b538SAndroid Build Coastguard WorkerCA_NAME="req_ca_dn" \ 306*6777b538SAndroid Build Coastguard Worker openssl ca \ 307*6777b538SAndroid Build Coastguard Worker -batch \ 308*6777b538SAndroid Build Coastguard Worker -extensions user_cert \ 309*6777b538SAndroid Build Coastguard Worker -startdate 141030000000Z \ 310*6777b538SAndroid Build Coastguard Worker -enddate 190930000000Z \ 311*6777b538SAndroid Build Coastguard Worker -in out/60_months_after_2012_07.req \ 312*6777b538SAndroid Build Coastguard Worker -out ../certificates/60_months_after_2012_07.pem \ 313*6777b538SAndroid Build Coastguard Worker -config ca.cnf 314*6777b538SAndroid Build Coastguard Workeropenssl req -config ../scripts/ee.cnf \ 315*6777b538SAndroid Build Coastguard Worker -newkey rsa:2048 -text -out out/61_months_after_2012_07.req 316*6777b538SAndroid Build Coastguard WorkerCA_NAME="req_ca_dn" \ 317*6777b538SAndroid Build Coastguard Worker openssl ca \ 318*6777b538SAndroid Build Coastguard Worker -batch \ 319*6777b538SAndroid Build Coastguard Worker -extensions user_cert \ 320*6777b538SAndroid Build Coastguard Worker -startdate 141030000000Z \ 321*6777b538SAndroid Build Coastguard Worker -enddate 191103000000Z \ 322*6777b538SAndroid Build Coastguard Worker -in out/61_months_after_2012_07.req \ 323*6777b538SAndroid Build Coastguard Worker -out ../certificates/61_months_after_2012_07.pem \ 324*6777b538SAndroid Build Coastguard Worker -config ca.cnf 325*6777b538SAndroid Build Coastguard Worker# 39 months, based on a CA calculating one month as 'last day of Month 0' to 326*6777b538SAndroid Build Coastguard Worker# last day of 'Month 1'. 327*6777b538SAndroid Build Coastguard Workeropenssl req -config ../scripts/ee.cnf \ 328*6777b538SAndroid Build Coastguard Worker -newkey rsa:2048 -text -out out/39_months_based_on_last_day.req 329*6777b538SAndroid Build Coastguard WorkerCA_NAME="req_ca_dn" \ 330*6777b538SAndroid Build Coastguard Worker openssl ca \ 331*6777b538SAndroid Build Coastguard Worker -batch \ 332*6777b538SAndroid Build Coastguard Worker -extensions user_cert \ 333*6777b538SAndroid Build Coastguard Worker -startdate 170228000000Z \ 334*6777b538SAndroid Build Coastguard Worker -enddate 200530000000Z \ 335*6777b538SAndroid Build Coastguard Worker -in out/39_months_based_on_last_day.req \ 336*6777b538SAndroid Build Coastguard Worker -out ../certificates/39_months_based_on_last_day.pem \ 337*6777b538SAndroid Build Coastguard Worker -config ca.cnf 338*6777b538SAndroid Build Coastguard Worker# start date after expiry date 339*6777b538SAndroid Build Coastguard Workeropenssl req -config ../scripts/ee.cnf \ 340*6777b538SAndroid Build Coastguard Worker -newkey rsa:2048 -text -out out/start_after_expiry.req 341*6777b538SAndroid Build Coastguard WorkerCA_NAME="req_ca_dn" \ 342*6777b538SAndroid Build Coastguard Worker openssl ca \ 343*6777b538SAndroid Build Coastguard Worker -batch \ 344*6777b538SAndroid Build Coastguard Worker -extensions user_cert \ 345*6777b538SAndroid Build Coastguard Worker -startdate 180901000000Z \ 346*6777b538SAndroid Build Coastguard Worker -enddate 150402000000Z \ 347*6777b538SAndroid Build Coastguard Worker -in out/start_after_expiry.req \ 348*6777b538SAndroid Build Coastguard Worker -out ../certificates/start_after_expiry.pem \ 349*6777b538SAndroid Build Coastguard Worker -config ca.cnf 350*6777b538SAndroid Build Coastguard Workeropenssl req -config ../scripts/ee.cnf \ 351*6777b538SAndroid Build Coastguard Worker -newkey rsa:2048 -text -out out/start_after_expiry.req 352*6777b538SAndroid Build Coastguard Worker# Issued pre-BRs, lifetime < 120 months, expires before 2019-07-01 353*6777b538SAndroid Build Coastguard Workeropenssl req -config ../scripts/ee.cnf \ 354*6777b538SAndroid Build Coastguard Worker -newkey rsa:2048 -text -out out/pre_br_validity_ok.req 355*6777b538SAndroid Build Coastguard WorkerCA_NAME="req_ca_dn" \ 356*6777b538SAndroid Build Coastguard Worker openssl ca \ 357*6777b538SAndroid Build Coastguard Worker -batch \ 358*6777b538SAndroid Build Coastguard Worker -extensions user_cert \ 359*6777b538SAndroid Build Coastguard Worker -startdate 080101000000Z \ 360*6777b538SAndroid Build Coastguard Worker -enddate 150101000000Z \ 361*6777b538SAndroid Build Coastguard Worker -in out/pre_br_validity_ok.req \ 362*6777b538SAndroid Build Coastguard Worker -out ../certificates/pre_br_validity_ok.pem \ 363*6777b538SAndroid Build Coastguard Worker -config ca.cnf 364*6777b538SAndroid Build Coastguard Workeropenssl req -config ../scripts/ee.cnf \ 365*6777b538SAndroid Build Coastguard Worker -newkey rsa:2048 -text -out out/pre_br_validity_ok.req 366*6777b538SAndroid Build Coastguard Worker# Issued pre-BRs, lifetime > 120 months, expires before 2019-07-01 367*6777b538SAndroid Build Coastguard Workeropenssl req -config ../scripts/ee.cnf \ 368*6777b538SAndroid Build Coastguard Worker -newkey rsa:2048 -text -out out/pre_br_validity_bad_121.req 369*6777b538SAndroid Build Coastguard WorkerCA_NAME="req_ca_dn" \ 370*6777b538SAndroid Build Coastguard Worker openssl ca \ 371*6777b538SAndroid Build Coastguard Worker -batch \ 372*6777b538SAndroid Build Coastguard Worker -extensions user_cert \ 373*6777b538SAndroid Build Coastguard Worker -startdate 080101000000Z \ 374*6777b538SAndroid Build Coastguard Worker -enddate 180501000000Z \ 375*6777b538SAndroid Build Coastguard Worker -in out/pre_br_validity_bad_121.req \ 376*6777b538SAndroid Build Coastguard Worker -out ../certificates/pre_br_validity_bad_121.pem \ 377*6777b538SAndroid Build Coastguard Worker -config ca.cnf 378*6777b538SAndroid Build Coastguard Workeropenssl req -config ../scripts/ee.cnf \ 379*6777b538SAndroid Build Coastguard Worker -newkey rsa:2048 -text -out out/pre_br_validity_bad_121.req 380*6777b538SAndroid Build Coastguard Worker# Issued pre-BRs, lifetime < 120 months, expires after 2019-07-01 381*6777b538SAndroid Build Coastguard Workeropenssl req -config ../scripts/ee.cnf \ 382*6777b538SAndroid Build Coastguard Worker -newkey rsa:2048 -text -out out/pre_br_validity_bad_2020.req 383*6777b538SAndroid Build Coastguard WorkerCA_NAME="req_ca_dn" \ 384*6777b538SAndroid Build Coastguard Worker openssl ca \ 385*6777b538SAndroid Build Coastguard Worker -batch \ 386*6777b538SAndroid Build Coastguard Worker -extensions user_cert \ 387*6777b538SAndroid Build Coastguard Worker -startdate 120501000000Z \ 388*6777b538SAndroid Build Coastguard Worker -enddate 190703000000Z \ 389*6777b538SAndroid Build Coastguard Worker -in out/pre_br_validity_bad_2020.req \ 390*6777b538SAndroid Build Coastguard Worker -out ../certificates/pre_br_validity_bad_2020.pem \ 391*6777b538SAndroid Build Coastguard Worker -config ca.cnf 392*6777b538SAndroid Build Coastguard Worker# Issued after 2018-03-01, lifetime == 826 days (bad) 393*6777b538SAndroid Build Coastguard Workeropenssl req -config ../scripts/ee.cnf \ 394*6777b538SAndroid Build Coastguard Worker -newkey rsa:2048 -text -out out/826_days_after_2018_03_01.req 395*6777b538SAndroid Build Coastguard WorkerCA_NAME="req_ca_dn" \ 396*6777b538SAndroid Build Coastguard Worker openssl ca \ 397*6777b538SAndroid Build Coastguard Worker -batch \ 398*6777b538SAndroid Build Coastguard Worker -extensions user_cert \ 399*6777b538SAndroid Build Coastguard Worker -startdate 180302000000Z \ 400*6777b538SAndroid Build Coastguard Worker -enddate 200605000000Z \ 401*6777b538SAndroid Build Coastguard Worker -in out/826_days_after_2018_03_01.req \ 402*6777b538SAndroid Build Coastguard Worker -out ../certificates/826_days_after_2018_03_01.pem \ 403*6777b538SAndroid Build Coastguard Worker -config ca.cnf 404*6777b538SAndroid Build Coastguard Worker# Issued after 2018-03-01, lifetime == 825 days (good) 405*6777b538SAndroid Build Coastguard Workeropenssl req -config ../scripts/ee.cnf \ 406*6777b538SAndroid Build Coastguard Worker -newkey rsa:2048 -text -out out/825_days_after_2018_03_01.req 407*6777b538SAndroid Build Coastguard WorkerCA_NAME="req_ca_dn" \ 408*6777b538SAndroid Build Coastguard Worker openssl ca \ 409*6777b538SAndroid Build Coastguard Worker -batch \ 410*6777b538SAndroid Build Coastguard Worker -extensions user_cert \ 411*6777b538SAndroid Build Coastguard Worker -startdate 180302000000Z \ 412*6777b538SAndroid Build Coastguard Worker -enddate 200604000000Z \ 413*6777b538SAndroid Build Coastguard Worker -in out/825_days_after_2018_03_01.req \ 414*6777b538SAndroid Build Coastguard Worker -out ../certificates/825_days_after_2018_03_01.pem \ 415*6777b538SAndroid Build Coastguard Worker -config ca.cnf 416*6777b538SAndroid Build Coastguard Worker# Issued after 2018-03-01, lifetime == 825 days and one second (bad) 417*6777b538SAndroid Build Coastguard Workeropenssl req -config ../scripts/ee.cnf \ 418*6777b538SAndroid Build Coastguard Worker -newkey rsa:2048 -text -out out/825_days_1_second_after_2018_03_01.req 419*6777b538SAndroid Build Coastguard WorkerCA_NAME="req_ca_dn" \ 420*6777b538SAndroid Build Coastguard Worker openssl ca \ 421*6777b538SAndroid Build Coastguard Worker -batch \ 422*6777b538SAndroid Build Coastguard Worker -extensions user_cert \ 423*6777b538SAndroid Build Coastguard Worker -startdate 180302000000Z \ 424*6777b538SAndroid Build Coastguard Worker -enddate 200604000001Z \ 425*6777b538SAndroid Build Coastguard Worker -in out/825_days_1_second_after_2018_03_01.req \ 426*6777b538SAndroid Build Coastguard Worker -out ../certificates/825_days_1_second_after_2018_03_01.pem \ 427*6777b538SAndroid Build Coastguard Worker -config ca.cnf 428*6777b538SAndroid Build Coastguard Worker 429*6777b538SAndroid Build Coastguard Worker# Issued after 2020-09-01, lifetime == 399 days (bad) 430*6777b538SAndroid Build Coastguard Workeropenssl req -config ../scripts/ee.cnf \ 431*6777b538SAndroid Build Coastguard Worker -newkey rsa:2048 -text -out out/399_days_after_2020_09_01.req 432*6777b538SAndroid Build Coastguard WorkerCA_NAME="req_ca_dn" \ 433*6777b538SAndroid Build Coastguard Worker openssl ca \ 434*6777b538SAndroid Build Coastguard Worker -batch \ 435*6777b538SAndroid Build Coastguard Worker -extensions user_cert \ 436*6777b538SAndroid Build Coastguard Worker -startdate 200902000000Z \ 437*6777b538SAndroid Build Coastguard Worker -enddate 211006000000Z \ 438*6777b538SAndroid Build Coastguard Worker -in out/399_days_after_2020_09_01.req \ 439*6777b538SAndroid Build Coastguard Worker -out ../certificates/399_days_after_2020_09_01.pem \ 440*6777b538SAndroid Build Coastguard Worker -config ca.cnf 441*6777b538SAndroid Build Coastguard Worker# Issued after 2020-09-01, lifetime == 398 days (good) 442*6777b538SAndroid Build Coastguard Workeropenssl req -config ../scripts/ee.cnf \ 443*6777b538SAndroid Build Coastguard Worker -newkey rsa:2048 -text -out out/398_days_after_2020_09_01.req 444*6777b538SAndroid Build Coastguard WorkerCA_NAME="req_ca_dn" \ 445*6777b538SAndroid Build Coastguard Worker openssl ca \ 446*6777b538SAndroid Build Coastguard Worker -batch \ 447*6777b538SAndroid Build Coastguard Worker -extensions user_cert \ 448*6777b538SAndroid Build Coastguard Worker -startdate 200902000000Z \ 449*6777b538SAndroid Build Coastguard Worker -enddate 211005000000Z \ 450*6777b538SAndroid Build Coastguard Worker -in out/398_days_after_2020_09_01.req \ 451*6777b538SAndroid Build Coastguard Worker -out ../certificates/398_days_after_2020_09_01.pem \ 452*6777b538SAndroid Build Coastguard Worker -config ca.cnf 453*6777b538SAndroid Build Coastguard Worker# Issued after 2020-09-01, lifetime == 825 days and one second (bad) 454*6777b538SAndroid Build Coastguard Workeropenssl req -config ../scripts/ee.cnf \ 455*6777b538SAndroid Build Coastguard Worker -newkey rsa:2048 -text -out out/398_days_1_second_after_2020_09_01.req 456*6777b538SAndroid Build Coastguard WorkerCA_NAME="req_ca_dn" \ 457*6777b538SAndroid Build Coastguard Worker openssl ca \ 458*6777b538SAndroid Build Coastguard Worker -batch \ 459*6777b538SAndroid Build Coastguard Worker -extensions user_cert \ 460*6777b538SAndroid Build Coastguard Worker -startdate 200902000000Z \ 461*6777b538SAndroid Build Coastguard Worker -enddate 211005000001Z \ 462*6777b538SAndroid Build Coastguard Worker -in out/398_days_1_second_after_2020_09_01.req \ 463*6777b538SAndroid Build Coastguard Worker -out ../certificates/398_days_1_second_after_2020_09_01.pem \ 464*6777b538SAndroid Build Coastguard Worker -config ca.cnf 465*6777b538SAndroid Build Coastguard Worker 466*6777b538SAndroid Build Coastguard Worker 467*6777b538SAndroid Build Coastguard Worker# Includes the canSignHttpExchangesDraft extension 468*6777b538SAndroid Build Coastguard Workeropenssl req -x509 -newkey rsa:2048 \ 469*6777b538SAndroid Build Coastguard Worker -keyout out/can_sign_http_exchanges_draft_extension.key \ 470*6777b538SAndroid Build Coastguard Worker -out ../certificates/can_sign_http_exchanges_draft_extension.pem \ 471*6777b538SAndroid Build Coastguard Worker -days 365 \ 472*6777b538SAndroid Build Coastguard Worker -extensions req_extensions_with_can_sign_http_exchanges_draft \ 473*6777b538SAndroid Build Coastguard Worker -nodes -config ee.cnf 474*6777b538SAndroid Build Coastguard Worker 475*6777b538SAndroid Build Coastguard Worker# Includes the canSignHttpExchangesDraft extension, but with a SEQUENCE in the 476*6777b538SAndroid Build Coastguard Worker# body rather than a NULL. 477*6777b538SAndroid Build Coastguard Workeropenssl req -x509 -newkey rsa:2048 \ 478*6777b538SAndroid Build Coastguard Worker -keyout out/can_sign_http_exchanges_draft_extension_invalid.key \ 479*6777b538SAndroid Build Coastguard Worker -out ../certificates/can_sign_http_exchanges_draft_extension_invalid.pem \ 480*6777b538SAndroid Build Coastguard Worker -days 365 \ 481*6777b538SAndroid Build Coastguard Worker -extensions req_extensions_with_can_sign_http_exchanges_draft_invalid \ 482*6777b538SAndroid Build Coastguard Worker -nodes -config ee.cnf 483*6777b538SAndroid Build Coastguard Worker 484*6777b538SAndroid Build Coastguard Worker# SHA-1 certificate issued by locally trusted CA 485*6777b538SAndroid Build Coastguard Workercopy_or_generate_key ../certificates/sha1_leaf.pem out/sha1_leaf.key 486*6777b538SAndroid Build Coastguard Workeropenssl req \ 487*6777b538SAndroid Build Coastguard Worker -config ../scripts/ee.cnf \ 488*6777b538SAndroid Build Coastguard Worker -new \ 489*6777b538SAndroid Build Coastguard Worker -text \ 490*6777b538SAndroid Build Coastguard Worker -key out/sha1_leaf.key \ 491*6777b538SAndroid Build Coastguard Worker -out out/sha1_leaf.req 492*6777b538SAndroid Build Coastguard WorkerCA_NAME="req_ca_dn" \ 493*6777b538SAndroid Build Coastguard Worker openssl ca \ 494*6777b538SAndroid Build Coastguard Worker -batch \ 495*6777b538SAndroid Build Coastguard Worker -extensions user_cert \ 496*6777b538SAndroid Build Coastguard Worker -days ${CERT_LIFETIME} \ 497*6777b538SAndroid Build Coastguard Worker -in out/sha1_leaf.req \ 498*6777b538SAndroid Build Coastguard Worker -out out/sha1_leaf.pem \ 499*6777b538SAndroid Build Coastguard Worker -config ca.cnf \ 500*6777b538SAndroid Build Coastguard Worker -md sha1 501*6777b538SAndroid Build Coastguard Worker/bin/sh -c "cat out/sha1_leaf.key out/sha1_leaf.pem \ 502*6777b538SAndroid Build Coastguard Worker > ../certificates/sha1_leaf.pem" 503*6777b538SAndroid Build Coastguard Worker 504*6777b538SAndroid Build Coastguard Worker# Certificate with only a common name (no SAN) issued by a locally trusted CA 505*6777b538SAndroid Build Coastguard Workercopy_or_generate_key ../certificates/common_name_only.pem \ 506*6777b538SAndroid Build Coastguard Worker out/common_name_only.key 507*6777b538SAndroid Build Coastguard Workeropenssl req \ 508*6777b538SAndroid Build Coastguard Worker -config ../scripts/ee.cnf \ 509*6777b538SAndroid Build Coastguard Worker -reqexts req_no_san \ 510*6777b538SAndroid Build Coastguard Worker -new \ 511*6777b538SAndroid Build Coastguard Worker -text \ 512*6777b538SAndroid Build Coastguard Worker -key out/common_name_only.key \ 513*6777b538SAndroid Build Coastguard Worker -out out/common_name_only.req 514*6777b538SAndroid Build Coastguard WorkerCA_NAME="req_ca_dn" \ 515*6777b538SAndroid Build Coastguard Worker openssl ca \ 516*6777b538SAndroid Build Coastguard Worker -batch \ 517*6777b538SAndroid Build Coastguard Worker -extensions user_cert \ 518*6777b538SAndroid Build Coastguard Worker -startdate 171220000000Z \ 519*6777b538SAndroid Build Coastguard Worker -enddate 201220000000Z \ 520*6777b538SAndroid Build Coastguard Worker -in out/common_name_only.req \ 521*6777b538SAndroid Build Coastguard Worker -out out/common_name_only.pem \ 522*6777b538SAndroid Build Coastguard Worker -config ca.cnf 523*6777b538SAndroid Build Coastguard Worker/bin/sh -c "cat out/common_name_only.key out/common_name_only.pem \ 524*6777b538SAndroid Build Coastguard Worker > ../certificates/common_name_only.pem" 525*6777b538SAndroid Build Coastguard Worker 526*6777b538SAndroid Build Coastguard Worker# Issued on 1 May 2018 (after the 30 Apr 2018 CT Requirement date) 527*6777b538SAndroid Build Coastguard Workeropenssl req \ 528*6777b538SAndroid Build Coastguard Worker -config ../scripts/ee.cnf \ 529*6777b538SAndroid Build Coastguard Worker -newkey rsa:2048 \ 530*6777b538SAndroid Build Coastguard Worker -text \ 531*6777b538SAndroid Build Coastguard Worker -out out/may_2018.req 532*6777b538SAndroid Build Coastguard WorkerCA_NAME="req_ca_dn" \ 533*6777b538SAndroid Build Coastguard Worker openssl ca \ 534*6777b538SAndroid Build Coastguard Worker -batch \ 535*6777b538SAndroid Build Coastguard Worker -extensions user_cert \ 536*6777b538SAndroid Build Coastguard Worker -startdate 180501000000Z \ 537*6777b538SAndroid Build Coastguard Worker -enddate 200803000000Z \ 538*6777b538SAndroid Build Coastguard Worker -in out/may_2018.req \ 539*6777b538SAndroid Build Coastguard Worker -out ../certificates/may_2018.pem \ 540*6777b538SAndroid Build Coastguard Worker -config ca.cnf 541*6777b538SAndroid Build Coastguard Worker 542*6777b538SAndroid Build Coastguard Worker# Issued after 1 July 2019 (The macOS 10.15+ date for additional 543*6777b538SAndroid Build Coastguard Worker# policies for locally-trusted certificates - see 544*6777b538SAndroid Build Coastguard Worker# https://support.apple.com/en-us/HT210176 ) and valid for >825 545*6777b538SAndroid Build Coastguard Worker# days, even accounting for rounding issues. 546*6777b538SAndroid Build Coastguard Workeropenssl req \ 547*6777b538SAndroid Build Coastguard Worker -config ../scripts/ee.cnf \ 548*6777b538SAndroid Build Coastguard Worker -newkey rsa:2048 \ 549*6777b538SAndroid Build Coastguard Worker -text \ 550*6777b538SAndroid Build Coastguard Worker -out out/900_days_after_2019_07_01.req 551*6777b538SAndroid Build Coastguard WorkerCA_NAME="req_ca_dn" \ 552*6777b538SAndroid Build Coastguard Worker openssl ca \ 553*6777b538SAndroid Build Coastguard Worker -batch \ 554*6777b538SAndroid Build Coastguard Worker -extensions user_cert \ 555*6777b538SAndroid Build Coastguard Worker -days 900 \ 556*6777b538SAndroid Build Coastguard Worker -in out/900_days_after_2019_07_01.req \ 557*6777b538SAndroid Build Coastguard Worker -out ../certificates/900_days_after_2019_07_01.pem \ 558*6777b538SAndroid Build Coastguard Worker -config ca.cnf 559*6777b538SAndroid Build Coastguard Worker 560*6777b538SAndroid Build Coastguard Worker## Certificates for testing EV display (DN set with different variations) 561*6777b538SAndroid Build Coastguard WorkerSUBJECT_NAME="req_ev_dn" \ 562*6777b538SAndroid Build Coastguard Worker openssl req -x509 -days ${CERT_LIFETIME} \ 563*6777b538SAndroid Build Coastguard Worker --config ../scripts/ee.cnf -newkey rsa:2048 -text \ 564*6777b538SAndroid Build Coastguard Worker -out ../certificates/ev_test.pem 565*6777b538SAndroid Build Coastguard Worker 566*6777b538SAndroid Build Coastguard WorkerSUBJECT_NAME="req_ev_state_only_dn" \ 567*6777b538SAndroid Build Coastguard Worker openssl req -x509 -days ${CERT_LIFETIME} \ 568*6777b538SAndroid Build Coastguard Worker --config ../scripts/ee.cnf -newkey rsa:2048 -text \ 569*6777b538SAndroid Build Coastguard Worker -out ../certificates/ev_test_state_only.pem 570*6777b538SAndroid Build Coastguard Worker 571*6777b538SAndroid Build Coastguard Worker# Regenerate CRLSets 572*6777b538SAndroid Build Coastguard Worker## Block a leaf cert directly by SPKI 573*6777b538SAndroid Build Coastguard Workerpython3 crlsetutil.py -o ../certificates/crlset_by_leaf_spki.raw \ 574*6777b538SAndroid Build Coastguard Worker<<CRLBYLEAFSPKI 575*6777b538SAndroid Build Coastguard Worker{ 576*6777b538SAndroid Build Coastguard Worker "BlockedBySPKI": ["../certificates/ok_cert.pem"] 577*6777b538SAndroid Build Coastguard Worker} 578*6777b538SAndroid Build Coastguard WorkerCRLBYLEAFSPKI 579*6777b538SAndroid Build Coastguard Worker 580*6777b538SAndroid Build Coastguard Worker## Block a root cert directly by SPKI 581*6777b538SAndroid Build Coastguard Workerpython3 crlsetutil.py -o ../certificates/crlset_by_root_spki.raw \ 582*6777b538SAndroid Build Coastguard Worker<<CRLBYROOTSPKI 583*6777b538SAndroid Build Coastguard Worker{ 584*6777b538SAndroid Build Coastguard Worker "BlockedBySPKI": ["../certificates/root_ca_cert.pem"] 585*6777b538SAndroid Build Coastguard Worker} 586*6777b538SAndroid Build Coastguard WorkerCRLBYROOTSPKI 587*6777b538SAndroid Build Coastguard Worker 588*6777b538SAndroid Build Coastguard Worker## Block a leaf cert by issuer-hash-and-serial 589*6777b538SAndroid Build Coastguard Workerpython3 crlsetutil.py -o ../certificates/crlset_by_root_serial.raw \ 590*6777b538SAndroid Build Coastguard Worker<<CRLBYROOTSERIAL 591*6777b538SAndroid Build Coastguard Worker{ 592*6777b538SAndroid Build Coastguard Worker "BlockedByHash": { 593*6777b538SAndroid Build Coastguard Worker "../certificates/root_ca_cert.pem": [ 594*6777b538SAndroid Build Coastguard Worker "../certificates/ok_cert.pem" 595*6777b538SAndroid Build Coastguard Worker ] 596*6777b538SAndroid Build Coastguard Worker } 597*6777b538SAndroid Build Coastguard Worker} 598*6777b538SAndroid Build Coastguard WorkerCRLBYROOTSERIAL 599*6777b538SAndroid Build Coastguard Worker 600*6777b538SAndroid Build Coastguard Worker## Block a leaf cert by issuer-hash-and-serial. However, this will be issued 601*6777b538SAndroid Build Coastguard Worker## from an intermediate CA issued underneath a root. 602*6777b538SAndroid Build Coastguard Workerpython3 crlsetutil.py -o ../certificates/crlset_by_intermediate_serial.raw \ 603*6777b538SAndroid Build Coastguard Worker<<CRLSETBYINTERMEDIATESERIAL 604*6777b538SAndroid Build Coastguard Worker{ 605*6777b538SAndroid Build Coastguard Worker "BlockedByHash": { 606*6777b538SAndroid Build Coastguard Worker "../certificates/intermediate_ca_cert.pem": [ 607*6777b538SAndroid Build Coastguard Worker "../certificates/ok_cert_by_intermediate.pem" 608*6777b538SAndroid Build Coastguard Worker ] 609*6777b538SAndroid Build Coastguard Worker } 610*6777b538SAndroid Build Coastguard Worker} 611*6777b538SAndroid Build Coastguard WorkerCRLSETBYINTERMEDIATESERIAL 612*6777b538SAndroid Build Coastguard Worker 613*6777b538SAndroid Build Coastguard Worker## Block a subject with a single-entry allowlist of SPKI hashes. 614*6777b538SAndroid Build Coastguard Workerpython3 crlsetutil.py -o ../certificates/crlset_by_root_subject.raw \ 615*6777b538SAndroid Build Coastguard Worker<<CRLSETBYROOTSUBJECT 616*6777b538SAndroid Build Coastguard Worker{ 617*6777b538SAndroid Build Coastguard Worker "LimitedSubjects": { 618*6777b538SAndroid Build Coastguard Worker "../certificates/root_ca_cert.pem": [ 619*6777b538SAndroid Build Coastguard Worker "../certificates/root_ca_cert.pem" 620*6777b538SAndroid Build Coastguard Worker ] 621*6777b538SAndroid Build Coastguard Worker } 622*6777b538SAndroid Build Coastguard Worker} 623*6777b538SAndroid Build Coastguard WorkerCRLSETBYROOTSUBJECT 624*6777b538SAndroid Build Coastguard Worker 625*6777b538SAndroid Build Coastguard Worker## Block a subject with an empty allowlist of SPKI hashes. 626*6777b538SAndroid Build Coastguard Workerpython3 crlsetutil.py -o ../certificates/crlset_by_root_subject_no_spki.raw \ 627*6777b538SAndroid Build Coastguard Worker<<CRLSETBYROOTSUBJECTNOSPKI 628*6777b538SAndroid Build Coastguard Worker{ 629*6777b538SAndroid Build Coastguard Worker "LimitedSubjects": { 630*6777b538SAndroid Build Coastguard Worker "../certificates/root_ca_cert.pem": [] 631*6777b538SAndroid Build Coastguard Worker }, 632*6777b538SAndroid Build Coastguard Worker "Sequence": 2 633*6777b538SAndroid Build Coastguard Worker} 634*6777b538SAndroid Build Coastguard WorkerCRLSETBYROOTSUBJECTNOSPKI 635*6777b538SAndroid Build Coastguard Worker 636*6777b538SAndroid Build Coastguard Worker## Block a subject with an empty allowlist of SPKI hashes. 637*6777b538SAndroid Build Coastguard Workerpython3 crlsetutil.py -o ../certificates/crlset_by_leaf_subject_no_spki.raw \ 638*6777b538SAndroid Build Coastguard Worker<<CRLSETBYLEAFSUBJECTNOSPKI 639*6777b538SAndroid Build Coastguard Worker{ 640*6777b538SAndroid Build Coastguard Worker "LimitedSubjects": { 641*6777b538SAndroid Build Coastguard Worker "../certificates/ok_cert.pem": [] 642*6777b538SAndroid Build Coastguard Worker } 643*6777b538SAndroid Build Coastguard Worker} 644*6777b538SAndroid Build Coastguard WorkerCRLSETBYLEAFSUBJECTNOSPKI 645*6777b538SAndroid Build Coastguard Worker 646*6777b538SAndroid Build Coastguard Worker## Mark a given root as blocked for interception. 647*6777b538SAndroid Build Coastguard Workerpython3 crlsetutil.py -o \ 648*6777b538SAndroid Build Coastguard Worker ../certificates/crlset_blocked_interception_by_root.raw \ 649*6777b538SAndroid Build Coastguard Worker<<CRLSETINTERCEPTIONBYROOT 650*6777b538SAndroid Build Coastguard Worker{ 651*6777b538SAndroid Build Coastguard Worker "BlockedInterceptionSPKIs": [ 652*6777b538SAndroid Build Coastguard Worker "../certificates/root_ca_cert.pem" 653*6777b538SAndroid Build Coastguard Worker ] 654*6777b538SAndroid Build Coastguard Worker} 655*6777b538SAndroid Build Coastguard WorkerCRLSETINTERCEPTIONBYROOT 656*6777b538SAndroid Build Coastguard Worker 657*6777b538SAndroid Build Coastguard Worker## Mark a given intermediate as blocked for interception. 658*6777b538SAndroid Build Coastguard Workerpython3 crlsetutil.py -o \ 659*6777b538SAndroid Build Coastguard Worker ../certificates/crlset_blocked_interception_by_intermediate.raw \ 660*6777b538SAndroid Build Coastguard Worker<<CRLSETINTERCEPTIONBYINTERMEDIATE 661*6777b538SAndroid Build Coastguard Worker{ 662*6777b538SAndroid Build Coastguard Worker "BlockedInterceptionSPKIs": [ 663*6777b538SAndroid Build Coastguard Worker "../certificates/intermediate_ca_cert.pem" 664*6777b538SAndroid Build Coastguard Worker ] 665*6777b538SAndroid Build Coastguard Worker} 666*6777b538SAndroid Build Coastguard WorkerCRLSETINTERCEPTIONBYINTERMEDIATE 667*6777b538SAndroid Build Coastguard Worker 668*6777b538SAndroid Build Coastguard Worker## Mark a given root as known for interception, but not blocked. 669*6777b538SAndroid Build Coastguard Workerpython3 crlsetutil.py -o \ 670*6777b538SAndroid Build Coastguard Worker ../certificates/crlset_known_interception_by_root.raw \ 671*6777b538SAndroid Build Coastguard Worker<<CRLSETINTERCEPTIONBYROOT 672*6777b538SAndroid Build Coastguard Worker{ 673*6777b538SAndroid Build Coastguard Worker "KnownInterceptionSPKIs": [ 674*6777b538SAndroid Build Coastguard Worker "../certificates/root_ca_cert.pem" 675*6777b538SAndroid Build Coastguard Worker ] 676*6777b538SAndroid Build Coastguard Worker} 677*6777b538SAndroid Build Coastguard WorkerCRLSETINTERCEPTIONBYROOT 678