Upstream version 10.39.225.0
[platform/framework/web/crosswalk.git] / src / net / data / ssl / scripts / generate-test-certs.sh
index 6323de3..d62bb98 100755 (executable)
@@ -15,26 +15,26 @@ try() {
 try rm -rf out
 try mkdir out
 
-try /bin/sh -c "echo 01 > out/2048-sha1-root-serial"
-touch out/2048-sha1-root-index.txt
+try /bin/sh -c "echo 01 > out/2048-sha256-root-serial"
+touch out/2048-sha256-root-index.txt
 
 # Generate the key
-try openssl genrsa -out out/2048-sha1-root.key 2048
+try openssl genrsa -out out/2048-sha256-root.key 2048
 
 # Generate the root certificate
 CA_COMMON_NAME="Test Root CA" \
   try openssl req \
     -new \
-    -key out/2048-sha1-root.key \
-    -out out/2048-sha1-root.req \
+    -key out/2048-sha256-root.key \
+    -out out/2048-sha256-root.req \
     -config ca.cnf
 
 CA_COMMON_NAME="Test Root CA" \
   try openssl x509 \
     -req -days 3650 \
-    -in out/2048-sha1-root.req \
-    -out out/2048-sha1-root.pem \
-    -signkey out/2048-sha1-root.key \
+    -in out/2048-sha256-root.req \
+    -out out/2048-sha256-root.pem \
+    -signkey out/2048-sha256-root.key \
     -extfile ca.cnf \
     -extensions ca_cert \
     -text
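Review bot: The root is renamed to `2048-sha256-root`, but the `openssl x509 -req ... -signkey` call in this hunk passes no digest option, so the certificate's signature hash is whatever the installed OpenSSL defaults to, which on older releases is SHA-1. If the file name is meant to describe the signature, add `-sha256 \` next to `-req -days 3650 \`; otherwise the name misleads anyone picking test inputs by it. The `touch out/2048-sha256-root-index.txt` line is also the only command here not wrapped in `try`, so a failure there would presumably go unreported.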
@@ -72,10 +72,87 @@ CA_COMMON_NAME="Test Root CA" \
     -out out/ok_cert.pem \
     -config ca.cnf
 
+CA_COMMON_NAME="Test Root CA" \
+  try openssl ca \
+    -batch \
+    -extensions name_constraint_bad \
+    -subj "/CN=Leaf certificate/" \
+    -days 3650 \
+    -in out/ok_cert.req \
+    -out out/name_constraint_bad.pem \
+    -config ca.cnf
+
+CA_COMMON_NAME="Test Root CA" \
+  try openssl ca \
+    -batch \
+    -extensions name_constraint_good \
+    -subj "/CN=Leaf Certificate/" \
+    -days 3650 \
+    -in out/ok_cert.req \
+    -out out/name_constraint_good.pem \
+    -config ca.cnf
+
 try /bin/sh -c "cat out/ok_cert.key out/ok_cert.pem \
     > ../certificates/ok_cert.pem"
 try /bin/sh -c "cat out/expired_cert.key out/expired_cert.pem \
     > ../certificates/expired_cert.pem"
-try /bin/sh -c "cat out/2048-sha1-root.key out/2048-sha1-root.pem \
+try /bin/sh -c "cat out/2048-sha256-root.key out/2048-sha256-root.pem \
     > ../certificates/root_ca_cert.pem"
+try /bin/sh -c "cat out/ok_cert.key out/name_constraint_bad.pem \
+    > ../certificates/name_constraint_bad.pem"
+try /bin/sh -c "cat out/ok_cert.key out/name_constraint_good.pem \
+    > ../certificates/name_constraint_good.pem"
+
+# Now generate the one-off certs
+## SHA-256 general test cert
+try openssl req -x509 -days 3650 \
+    -config ../scripts/ee.cnf -newkey rsa:2048 -text \
+    -sha256 \
+    -out sha256.pem
+
+## Self-signed cert for SPDY/QUIC/HTTP2 pooling testing
+try openssl req -x509 -days 3650 -extensions req_spdy_pooling \
+    -config ../scripts/ee.cnf -newkey rsa:2048 -text \
+    -out ../certificates/spdy_pooling.pem
+
+## SubjectAltName parsing
+try openssl req -x509 -days 3650 -extensions req_san_sanity \
+    -config ../scripts/ee.cnf -newkey rsa:2048 -text \
+    -out ../certificates/subjectAltName_sanity_check.pem
+
+## Punycode handling
+SUBJECT_NAME="req_punycode_dn" \
+  try openssl req -x509 -days 3650 -extensions req_punycode \
+    -config ../scripts/ee.cnf -newkey rsa:2048 -text \
+     -out ../certificates/punycodetest.pem
 
+# Regenerate CRLSets
+## Block a leaf cert directly by SPKI
+try python crlsetutil.py -o ../certificates/crlset_by_leaf_spki.raw \
+<<CRLBYLEAFSPKI
+{
+  "BlockedBySPKI": ["../certificates/ok_cert.pem"]
+}
+CRLBYLEAFSPKI
+
+## Block a leaf cert by issuer-hash-and-serial (ok_cert.pem == serial 2, by
+## virtue of the serial file and ordering above.
+try python crlsetutil.py -o ../certificates/crlset_by_root_serial.raw \
+<<CRLBYROOTSERIAL
+{
+  "BlockedByHash": {
+    "../certificates/root_ca_cert.pem": [2]
+  }
+}
+CRLBYROOTSERIAL
+
+## Block a leaf cert by issuer-hash-and-serial. However, this will be issued
+## from an intermediate CA issued underneath a root.
+try python crlsetutil.py -o ../certificates/crlset_by_intermediate_serial.raw \
+<<CRLSETBYINTERMEDIATESERIAL
+{
+  "BlockedByHash": {
+    "../certificates/quic_intermediate.crt": [3]
+  }
+}
+CRLSETBYINTERMEDIATESERIAL
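Review bot: The SHA-256 one-off cert is written with `-out sha256.pem`, which lands in the current directory, while every other one-off in this hunk writes under `../certificates/`; if the tests load it from there, this should read `-out ../certificates/sha256.pem`. None of the four `openssl req -x509 -newkey rsa:2048` calls passes `-keyout` or `-nodes`, so where each private key is written and whether it is passphrase-protected depends on ee.cnf, which is not visible here; a one-line comment stating that would help. The `[2]` and `[3]` serials in the CRLSet inputs are coupled to issuance order, and the comment above the first is missing its closing parenthesis; I would write it as `## (ok_cert.pem == serial 2 by virtue of the serial file and issuance order above; update this if that order changes.)`. Also note that `name_constraint_bad.pem` and `name_constraint_good.pem` are issued from `out/ok_cert.req` and so share ok_cert's key, which means the `BlockedBySPKI` CRLSet built from `ok_cert.pem` would match them too.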