
     1  #!/bin/bash
     2  
     3  # Copyright 2017 The Go Authors. All rights reserved.
     4  # Use of this source code is governed by a BSD-style
     5  # license that can be found in the LICENSE file.
     6  
     7  # This script generates extra test certificates not in the Golang X.509 stdlib
     8  # package. It writes copy/pastable output to out/zcrypto_roots_test.go, which
     9  # can be appended to verify_test.go.
    10  
    11  # It generates the following certificates:
    12  #
    13  # - A root valid from 2017-01-01 to 2027-01-01
    14  # - An intermediate (signed by the root) valid from 2020-01-01 to 2026-12-31
    15  # - A leaf (signed by intermediate) with reversed NotBefore/NotAfter
    16  #    + NotBefore: 2022-01-01
    17  #    + NotAFter: 2021-01-01
    18  # - A leaf (signed by intermediate) that is valid in a window before the
    19  #   intermediate: 2018-01-01 to 2019-01-01
    20  
    21  set -e
    22  
    23  rm -rf out
    24  mkdir out
    25  
    26  GO_TEST_FILE=out/zcrypto_roots_test.go
    27  
    28  ROOT_KEY_PATH=out/root.key
    29  ROOT_REQ_PATH=out/root.req
    30  ROOT_CERT_PATH=out/root.pem
    31  
    32  INTERMEDIATE_KEY_PATH=out/intermediate.key
    33  INTERMEDIATE_REQ_PATH=out/intermediate.req
    34  INTERMEDIATE_CERT_PATH=out/intermediate.pem
    35  
    36  LEAF_NEVER_VALID_KEY_PATH=out/leaf-never-valid.key
    37  LEAF_NEVER_VALID_REQ_PATH=out/leaf-never-valid.req
    38  LEAF_NEVER_VALID_CERT_PATH=out/leaf-never-valid.pem
    39  
    40  LEAF_BEFORE_INTERMEDIATE_KEY_PATH=out/leaf-before-intermediate.key
    41  LEAF_BEFORE_INTERMEDIATE_REQ_PATH=out/leaf-before-intermediate.req
    42  LEAF_BEFORE_INTERMEDIATE_CERT_PATH=out/leaf-before-intermediate.pem
    43  
    44  openssl genrsa -out $ROOT_KEY_PATH 2048
    45  openssl genrsa -out $INTERMEDIATE_KEY_PATH 2048
    46  openssl genrsa -out $LEAF_NEVER_VALID_KEY_PATH 2048
    47  openssl genrsa -out $LEAF_BEFORE_INTERMEDIATE_KEY_PATH 2048
    48  
    49  touch out/root.index
    50  touch out/intermediate.index
    51  echo "00" > out/root.serial
    52  echo "FF" > out/intermediate.serial
    53  
    54  # Create a self-signed root certificate request
    55  SUBJECT_NAME="root_subject" \
    56  openssl req \
    57    -new \
    58    -key $ROOT_KEY_PATH \
    59    -out $ROOT_REQ_PATH \
    60    -extensions root_extensions \
    61    -config ca.cnf
    62  
    63  # Create the self-signed root from the request
    64  openssl ca \
    65    -selfsign \
    66    -config ca.cnf \
    67    -name root_ca \
    68    -keyfile $ROOT_KEY_PATH \
    69    -startdate 170101000000Z \
    70    -enddate 270101000000Z \
    71    -extensions root_extensions \
    72    -in $ROOT_REQ_PATH \
    73    -out $ROOT_CERT_PATH \
    74    -batch
    75  
    76  # Create the req for the intermediate certificate
    77  SUBJECT_NAME="intermediate_subject" \
    78  openssl req \
    79    -new \
    80    -key $INTERMEDIATE_KEY_PATH \
    81    -out $INTERMEDIATE_REQ_PATH \
    82    -extensions intermediate_extensions \
    83    -config ca.cnf
    84  
    85  # Sign the interemediate certificate
    86  openssl ca \
    87    -config ca.cnf \
    88    -name root_ca \
    89    -keyfile $ROOT_KEY_PATH \
    90    -cert $ROOT_CERT_PATH \
    91    -startdate 200101000000Z \
    92    -enddate 261231000000Z \
    93    -extensions intermediate_extensions \
    94    -in $INTERMEDIATE_REQ_PATH \
    95    -out $INTERMEDIATE_CERT_PATH \
    96    -batch
    97  
    98  # Create a request for the never-valid leaf
    99  SUBJECT_NAME="leaf_never_valid" \
   100  openssl req \
   101    -new \
   102    -key $LEAF_NEVER_VALID_KEY_PATH \
   103    -out $LEAF_NEVER_VALID_REQ_PATH \
   104    -extensions leaf_extensions \
   105    -config ca.cnf
   106  
   107  # Sign the never-valid leaf with the intermediate. Set NotAfter before
   108  # NotBefore.
   109  openssl ca \
   110    -config ca.cnf \
   111    -name intermediate_ca \
   112    -keyfile $INTERMEDIATE_KEY_PATH \
   113    -cert $INTERMEDIATE_CERT_PATH \
   114    -out $LEAF_NEVER_VALID_CERT_PATH \
   115    -in $LEAF_NEVER_VALID_REQ_PATH \
   116    -extensions leaf_extensions \
   117    -startdate 220101010000Z \
   118    -enddate 210101010000Z \
   119    -batch
   120  
   121  # Create a request for the valid-before-intermediate leaf
   122  SUBJECT_NAME="leaf_never_valid" \
   123  openssl req \
   124    -new \
   125    -key $LEAF_BEFORE_INTERMEDIATE_KEY_PATH \
   126    -out $LEAF_BEFORE_INTERMEDIATE_REQ_PATH \
   127    -extensions leaf_extensions \
   128    -config ca.cnf
   129  
   130  # Sign the leaf with an intermediate whose validity begins after the leaf
   131  # expires.
   132  openssl ca \
   133    -config ca.cnf \
   134    -name intermediate_ca \
   135    -keyfile $INTERMEDIATE_KEY_PATH \
   136    -cert $INTERMEDIATE_CERT_PATH \
   137    -out $LEAF_BEFORE_INTERMEDIATE_CERT_PATH \
   138    -in $LEAF_BEFORE_INTERMEDIATE_REQ_PATH \
   139    -extensions leaf_extensions \
   140    -startdate 180101010000Z \
   141    -enddate 190101010000Z \
   142    -batch
   143  
   144  echo 'const zcryptoRoot = `' >> $GO_TEST_FILE
   145  cat $ROOT_CERT_PATH >> $GO_TEST_FILE
   146  echo '`' >> $GO_TEST_FILE
   147  
   148  echo 'const zcryptoIntermediate = `' >> $GO_TEST_FILE
   149  cat $INTERMEDIATE_CERT_PATH >> $GO_TEST_FILE
   150  echo '`' >> $GO_TEST_FILE
   151  
   152  echo 'const zcryptoNeverValid = `' >> $GO_TEST_FILE
   153  cat $LEAF_NEVER_VALID_CERT_PATH >> $GO_TEST_FILE
   154  echo '`' >> $GO_TEST_FILE
   155  
   156  echo 'const zcryptoValidBeforeIntermediate = `' >> $GO_TEST_FILE
   157  cat $LEAF_BEFORE_INTERMEDIATE_CERT_PATH >> $GO_TEST_FILE
   158  echo '`' >> $GO_TEST_FILE