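#!/bin/bash

# Copyright 2017 The Go Authors. All rights reserved.
# Use of this source code is governed by a BSD-style
# license that can be found in the LICENSE file.

# This script generates extra test certificates not in the Golang X.509 stdlib
# package. It writes copy/pastable output to out/zcrypto_roots_test.go, which
# can be appended to verify_test.go.
#
# It generates the following certificates:
#
# - A root valid from 2017-01-01 to 2027-01-01
# - An intermediate (signed by the root) valid from 2020-01-01 to 2026-12-31
# - A leaf (signed by intermediate) with reversed NotBefore/NotAfter
#   + NotBefore: 2022-01-01
#   + NotAfter:  2021-01-01
# - A leaf (signed by intermediate) that is valid in a window before the
#   intermediate: 2018-01-01 to 2019-01-01
#
# Run it from this directory: ca.cnf is resolved relative to the working
# directory, and every artifact (keys, requests, certificates, the CA index
# and serial files, the Go output) is written under out/, which is recreated
# on each run. The private keys are unencrypted test fixtures that exist only
# to sign these deliberately broken chains.

set -eu

# Start from an empty out/ so the appended Go file and the openssl ca
# index/serial state never carry over from a previous run.
rm -rf out
mkdir out

readonly GO_TEST_FILE=out/zcrypto_roots_test.go

readonly ROOT_KEY_PATH=out/root.key
readonly ROOT_REQ_PATH=out/root.req
readonly ROOT_CERT_PATH=out/root.pem

readonly INTERMEDIATE_KEY_PATH=out/intermediate.key
readonly INTERMEDIATE_REQ_PATH=out/intermediate.req
readonly INTERMEDIATE_CERT_PATH=out/intermediate.pem

readonly LEAF_NEVER_VALID_KEY_PATH=out/leaf-never-valid.key
readonly LEAF_NEVER_VALID_REQ_PATH=out/leaf-never-valid.req
readonly LEAF_NEVER_VALID_CERT_PATH=out/leaf-never-valid.pem

readonly LEAF_BEFORE_INTERMEDIATE_KEY_PATH=out/leaf-before-intermediate.key
readonly LEAF_BEFORE_INTERMEDIATE_REQ_PATH=out/leaf-before-intermediate.req
readonly LEAF_BEFORE_INTERMEDIATE_CERT_PATH=out/leaf-before-intermediate.pem

#######################################
# Append one PEM certificate to the Go test file as a raw-string constant.
# Globals:   GO_TEST_FILE (appended to)
# Arguments: $1 - Go constant name
#            $2 - path to the PEM certificate
# Outputs:   none on stdout; writes to GO_TEST_FILE
#######################################
append_go_const() {
  local name=$1
  local cert_path=$2
  printf 'const %s = `\n' "$name" >> "$GO_TEST_FILE"
  cat -- "$cert_path" >> "$GO_TEST_FILE"
  printf '`\n' >> "$GO_TEST_FILE"
}

openssl genrsa -out "$ROOT_KEY_PATH" 2048
openssl genrsa -out "$INTERMEDIATE_KEY_PATH" 2048
openssl genrsa -out "$LEAF_NEVER_VALID_KEY_PATH" 2048
openssl genrsa -out "$LEAF_BEFORE_INTERMEDIATE_KEY_PATH" 2048

# openssl ca keeps its issued-certificate database and next serial number in
# these files; each CA section in ca.cnf is expected to point at its own pair.
touch out/root.index
touch out/intermediate.index
printf '%s\n' '00' > out/root.serial
printf '%s\n' 'FF' > out/intermediate.serial

# Create a self-signed root certificate request. SUBJECT_NAME selects the
# subject section inside ca.cnf.
SUBJECT_NAME="root_subject" \
openssl req \
  -new \
  -key "$ROOT_KEY_PATH" \
  -out "$ROOT_REQ_PATH" \
  -extensions root_extensions \
  -config ca.cnf

# Create the self-signed root from the request
openssl ca \
  -selfsign \
  -config ca.cnf \
  -name root_ca \
  -keyfile "$ROOT_KEY_PATH" \
  -startdate 170101000000Z \
  -enddate 270101000000Z \
  -extensions root_extensions \
  -in "$ROOT_REQ_PATH" \
  -out "$ROOT_CERT_PATH" \
  -batch

# Create the req for the intermediate certificate
SUBJECT_NAME="intermediate_subject" \
openssl req \
  -new \
  -key "$INTERMEDIATE_KEY_PATH" \
  -out "$INTERMEDIATE_REQ_PATH" \
  -extensions intermediate_extensions \
  -config ca.cnf

# Sign the intermediate certificate with the root
openssl ca \
  -config ca.cnf \
  -name root_ca \
  -keyfile "$ROOT_KEY_PATH" \
  -cert "$ROOT_CERT_PATH" \
  -startdate 200101000000Z \
  -enddate 261231000000Z \
  -extensions intermediate_extensions \
  -in "$INTERMEDIATE_REQ_PATH" \
  -out "$INTERMEDIATE_CERT_PATH" \
  -batch

# Create a request for the never-valid leaf
SUBJECT_NAME="leaf_never_valid" \
openssl req \
  -new \
  -key "$LEAF_NEVER_VALID_KEY_PATH" \
  -out "$LEAF_NEVER_VALID_REQ_PATH" \
  -extensions leaf_extensions \
  -config ca.cnf

# Sign the never-valid leaf with the intermediate. Set NotAfter before
# NotBefore. This relies on openssl ca accepting an end date that precedes
# the start date; the resulting certificate must be rejected by any
# validity-window check.
openssl ca \
  -config ca.cnf \
  -name intermediate_ca \
  -keyfile "$INTERMEDIATE_KEY_PATH" \
  -cert "$INTERMEDIATE_CERT_PATH" \
  -out "$LEAF_NEVER_VALID_CERT_PATH" \
  -in "$LEAF_NEVER_VALID_REQ_PATH" \
  -extensions leaf_extensions \
  -startdate 220101010000Z \
  -enddate 210101010000Z \
  -batch

# Create a request for the valid-before-intermediate leaf.
# NOTE(review): this reuses the leaf_never_valid subject section, so both
# leaves share a subject; confirm ca.cnf has no dedicated section for this
# leaf before changing it.
SUBJECT_NAME="leaf_never_valid" \
openssl req \
  -new \
  -key "$LEAF_BEFORE_INTERMEDIATE_KEY_PATH" \
  -out "$LEAF_BEFORE_INTERMEDIATE_REQ_PATH" \
  -extensions leaf_extensions \
  -config ca.cnf

# Sign the leaf with an intermediate whose validity begins after the leaf
# expires. The leaf alone looks fine; only chain building exposes the gap.
openssl ca \
  -config ca.cnf \
  -name intermediate_ca \
  -keyfile "$INTERMEDIATE_KEY_PATH" \
  -cert "$INTERMEDIATE_CERT_PATH" \
  -out "$LEAF_BEFORE_INTERMEDIATE_CERT_PATH" \
  -in "$LEAF_BEFORE_INTERMEDIATE_REQ_PATH" \
  -extensions leaf_extensions \
  -startdate 180101010000Z \
  -enddate 190101010000Z \
  -batch

# Emit the four PEM blobs as Go constants, in chain order.
append_go_const zcryptoRoot "$ROOT_CERT_PATH"
append_go_const zcryptoIntermediate "$INTERMEDIATE_CERT_PATH"
append_go_const zcryptoNeverValid "$LEAF_NEVER_VALID_CERT_PATH"
append_go_const zcryptoValidBeforeIntermediate "$LEAF_BEFORE_INTERMEDIATE_CERT_PATH"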