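#!/bin/sh

# Copyright 2013 The Chromium Authors
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.

# This script generates a set of test (end-entity, intermediate, root)
# certificates that can be used to test fetching of an intermediate via AIA.
#
# It is meant to be run from net/data/ssl/scripts: every path below is
# relative to that directory (ca.cnf, ee.cnf, crlsetutil.py, ../certificates/).
# -e aborts on the first failing command, -x traces each command to stderr.
set -e -x

# The maximum lifetime for any certificates that may go through a "real"
# cert verifier. This is effectively:
# min(OS verifier max lifetime for local certs, built-in verifier max lifetime
#     for local certs)
#
# The current built-in verifier max lifetime is 39 months
# The current OS verifier max lifetime is 825 days, which comes from
#   iOS 13/macOS 10.15 - https://support.apple.com/en-us/HT210176
# 730 is used here as just a short-hand for 2 years
CERT_LIFETIME=730

# Refuse to run from the wrong directory: the next step is a recursive delete,
# and everything after it resolves ca.cnf/ee.cnf relative to the cwd.
if [ ! -f ca.cnf ] || [ ! -f ee.cnf ]; then
  printf '%s\n' "error: run this script from the directory containing ca.cnf and ee.cnf" >&2
  exit 1
fi

# Scratch directory for keys, CSRs and the CA databases; out/int holds the
# intermediate CA's state.
rm -rf out
mkdir out
mkdir out/int

# Root CA database: a random 128-bit starting serial and an empty index file
# for openssl ca to record issued certificates in. ca.cnf (not shown here) is
# expected to point at these two files.
openssl rand -hex -out out/2048-sha256-root-serial 16
touch out/2048-sha256-root-index.txt
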
28
29# Generate the key or copy over the existing one if present.
30function copy_or_generate_key {
31  existing_pem_filename="$1"
32  out_key_filename="$2"
33  if grep -q -- '-----BEGIN.*PRIVATE KEY-----' "$existing_pem_filename" ; then
34    openssl pkey -in "$existing_pem_filename" -out "$out_key_filename"
35  else
36    openssl genpkey -algorithm rsa -pkeyopt rsa_keygen_bits:2048 \
37      -out "$out_key_filename"
38  fi
39}
40
# Root CA key: reuse the one bundled in ../certificates/root_ca_cert.pem so the
# root's public key stays stable across regenerations; generate one otherwise.
copy_or_generate_key ../certificates/root_ca_cert.pem out/2048-sha256-root.key

# Generate the root certificate.
# CA_NAME is exported for this one command only; ca.cnf (not shown here)
# presumably reads it to select the DN section for the request — verify
# against ca.cnf.
CA_NAME="req_ca_dn" \
  openssl req \
    -new \
    -key out/2048-sha256-root.key \
    -out out/2048-sha256-root.req \
    -config ca.cnf

# Self-sign the root request with its own key (-signkey), applying the ca_cert
# extensions from ca.cnf and a 10-year validity. -text prepends a human-readable
# dump to the PEM, so the file is both inspectable and parseable.
CA_NAME="req_ca_dn" \
  openssl x509 \
    -req -days 3650 \
    -in out/2048-sha256-root.req \
    -signkey out/2048-sha256-root.key \
    -extfile ca.cnf \
    -extensions ca_cert \
    -text > out/2048-sha256-root.pem

# Generate the test intermediate.
# The intermediate gets its own CA database (serial + index) under out/int so
# it can issue certificates itself later (see the CA_DIR="out/int" step).
openssl rand -hex -out out/int/2048-sha256-int-serial 16
touch out/int/2048-sha256-int-index.txt

# Copy over an existing key if present.
copy_or_generate_key ../certificates/intermediate_ca_cert.pem \
  out/int/2048-sha256-int.key

CA_NAME="req_intermediate_dn" \
  openssl req \
    -new \
    -key out/int/2048-sha256-int.key \
    -out out/int/2048-sha256-int.req \
    -config ca.cnf

# Issue the intermediate with CA extensions and a 10-year validity. -batch
# suppresses the interactive sign/commit prompts. Which CA signs is left to
# ca.cnf's defaults — presumably the root database in out/, given that the
# intermediate's own issuance later needs an explicit CA_DIR="out/int".
CA_NAME="req_intermediate_dn" \
  openssl ca \
    -batch \
    -extensions ca_cert \
    -days 3650 \
    -in out/int/2048-sha256-int.req \
    -out out/int/2048-sha256-int.pem \
    -config ca.cnf

# Generate the leaf certificate requests.
# Each leaf reuses the key bundled in ../certificates/<name>.pem when present
# (see copy_or_generate_key). CSR extensions come from ee.cnf; -reqexts picks
# a non-default extension section for the leaves that need one.

copy_or_generate_key ../certificates/expired_cert.pem out/expired_cert.key
openssl req \
  -new \
  -key out/expired_cert.key \
  -out out/expired_cert.req \
  -config ee.cnf

copy_or_generate_key ../certificates/ok_cert.pem out/ok_cert.key
openssl req \
  -new \
  -key out/ok_cert.key \
  -out out/ok_cert.req \
  -config ee.cnf

# Wildcard leaf: the req_wildcard section of ee.cnf supplies its extensions.
copy_or_generate_key ../certificates/wildcard.pem out/wildcard.key
openssl req \
  -new \
  -key out/wildcard.key \
  -out out/wildcard.req \
  -reqexts req_wildcard \
  -config ee.cnf

# localhost leaf: SUBJECT_NAME is exported for this command only and is
# presumably consumed by ee.cnf to pick the subject DN section (ee.cnf is not
# shown here — verify); req_localhost_san supplies the SAN.
copy_or_generate_key ../certificates/localhost_cert.pem out/localhost_cert.key
SUBJECT_NAME="req_localhost_cn" \
openssl req \
  -new \
  -key out/localhost_cert.key \
  -out out/localhost_cert.req \
  -reqexts req_localhost_san \
  -config ee.cnf

# Leaf with the req_test_names extension section (presumably a set of names
# for the name-matching tests; see ee.cnf).
copy_or_generate_key ../certificates/test_names.pem out/test_names.key
openssl req \
  -new \
  -key out/test_names.key \
  -out out/test_names.req \
  -reqexts req_test_names \
  -config ee.cnf

# Generate the leaf certificates.
# Every certificate below is issued by the root CA (CA_NAME="req_ca_dn")
# unless noted. openssl ca records each issuance in the CA database created
# above, so the order of these steps determines the serial numbers.
#
# expired_cert: fixed validity window in 2006–2007, so it is always expired.
CA_NAME="req_ca_dn" \
  openssl ca \
    -batch \
    -extensions user_cert \
    -startdate 060101000000Z \
    -enddate 070101000000Z \
    -in out/expired_cert.req \
    -out out/expired_cert.pem \
    -config ca.cnf

# ok_cert: currently valid, within CERT_LIFETIME so real verifiers accept it.
CA_NAME="req_ca_dn" \
  openssl ca \
    -batch \
    -extensions user_cert \
    -days ${CERT_LIFETIME} \
    -in out/ok_cert.req \
    -out out/ok_cert.pem \
    -config ca.cnf

# The same ok_cert request, issued by the intermediate instead of the root.
# CA_DIR/CERT_TYPE are exported for this command only; ca.cnf presumably uses
# them to switch to the out/int database — verify against ca.cnf.
CA_DIR="out/int" \
CERT_TYPE="int" \
CA_NAME="req_intermediate_dn" \
  openssl ca \
    -batch \
    -extensions user_cert \
    -days ${CERT_LIFETIME} \
    -in out/ok_cert.req \
    -out out/int/ok_cert.pem \
    -config ca.cnf

# wildcard: no -days given, so the validity comes from ca.cnf's default
# (not visible here).
CA_NAME="req_ca_dn" \
  openssl ca \
    -batch \
    -extensions user_cert \
    -in out/wildcard.req \
    -out out/wildcard.pem \
    -config ca.cnf

CA_NAME="req_ca_dn" \
  openssl ca \
    -batch \
    -extensions user_cert \
    -days ${CERT_LIFETIME} \
    -in out/localhost_cert.req \
    -out out/localhost_cert.pem \
    -config ca.cnf

# bad_validity: reuses ok_cert's request but overrides the subject and issues a
# zero-length validity window in year 0001 (notBefore == notAfter), to exercise
# handling of a degenerate validity period.
CA_NAME="req_ca_dn" \
  openssl ca \
    -batch \
    -extensions user_cert \
    -subj "/CN=Leaf Certificate/" \
    -startdate 00010101000000Z \
    -enddate   00010101000000Z \
    -in out/ok_cert.req \
    -out out/bad_validity.pem \
    -config ca.cnf

CA_NAME="req_ca_dn" \
  openssl ca \
    -batch \
    -extensions user_cert \
    -days ${CERT_LIFETIME} \
    -in out/test_names.req \
    -out out/test_names.pem \
    -config ca.cnf

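# Assemble the bundles under ../certificates/ that the tests consume.
# Each key-bearing bundle is the private key followed by the certificate, so
# the same file seeds copy_or_generate_key on the next run; chain files carry
# no key. Plain redirections replace the earlier `/bin/sh -c "cat ... > ..."`
# wrappers, which only spawned an extra shell for the same effect.
cat out/ok_cert.key out/ok_cert.pem > ../certificates/ok_cert.pem
cat out/wildcard.key out/wildcard.pem > ../certificates/wildcard.pem
cat out/localhost_cert.key out/localhost_cert.pem \
  > ../certificates/localhost_cert.pem
cat out/expired_cert.key out/expired_cert.pem > ../certificates/expired_cert.pem
cat out/2048-sha256-root.key out/2048-sha256-root.pem \
  > ../certificates/root_ca_cert.pem
# bad_validity was issued from ok_cert's CSR, so it shares ok_cert's key.
cat out/ok_cert.key out/bad_validity.pem > ../certificates/bad_validity.pem
# Leaf issued by the intermediate, followed by the intermediate itself.
cat out/ok_cert.key out/int/ok_cert.pem out/int/2048-sha256-int.pem \
  > ../certificates/ok_cert_by_intermediate.pem
cat out/int/2048-sha256-int.key out/int/2048-sha256-int.pem \
  > ../certificates/intermediate_ca_cert.pem
# Full chain, leaf to root, without any private key.
cat out/int/ok_cert.pem out/int/2048-sha256-int.pem out/2048-sha256-root.pem \
  > ../certificates/x509_verify_results.chain.pem
cat out/test_names.key out/test_names.pem > ../certificates/test_names.pem
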
# Now generate the one-off certs.
# These are self-signed (-x509) with a freshly generated 2048-bit RSA key on
# every run. No -keyout is given, so where that key lands (and whether it is
# encrypted) is left to ee.cnf / openssl defaults — not visible here.
# ../scripts/ee.cnf is presumably the same ee.cnf used above (cwd is scripts/).
## Self-signed cert for SPDY/QUIC/HTTP2 pooling testing
openssl req -x509 -days 3650 -extensions req_spdy_pooling \
    -config ../scripts/ee.cnf -newkey rsa:2048 -text \
    -out ../certificates/spdy_pooling.pem

## SubjectAltName parsing
openssl req -x509 -days 3650 -extensions req_san_sanity \
    -config ../scripts/ee.cnf -newkey rsa:2048 -text \
    -out ../certificates/subjectAltName_sanity_check.pem

## SubjectAltName containing www.example.com
openssl req -x509 -days 3650 -extensions req_san_example \
    -config ../scripts/ee.cnf -newkey rsa:2048 -text \
    -out ../certificates/subjectAltName_www_example_com.pem

## certificatePolicies parsing
openssl req -x509 -days 3650 -extensions req_policies_sanity \
    -config ../scripts/ee.cnf -newkey rsa:2048 -text \
    -out ../certificates/policies_sanity_check.pem

## Punycode handling
## SUBJECT_NAME selects the (punycode) subject DN section, as for localhost above.
SUBJECT_NAME="req_punycode_dn" \
  openssl req -x509 -days 3650 -extensions req_punycode \
    -config ../scripts/ee.cnf -newkey rsa:2048 -text \
    -out ../certificates/punycodetest.pem

## SHA1 certificate expiring in 2016.
## Fresh key+CSR (no key reuse), then issued by the root with -md sha1 so the
## signature uses the weak SHA-1 digest; with a 2008–2016 validity it is also
## long expired. Presumably exercises SHA-1/legacy-signature handling.
openssl req -config ../scripts/ee.cnf \
  -newkey rsa:2048 -text -out out/sha1_2016.req
CA_NAME="req_ca_dn" \
  openssl ca \
    -batch \
    -extensions user_cert \
    -startdate 081030000000Z \
    -enddate   161230000000Z \
    -in out/sha1_2016.req \
    -out ../certificates/sha1_2016.pem \
    -config ca.cnf \
    -md sha1

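## Validity too long unit test support.
## Each case is a throw-away key+CSR (no key reuse) issued by the root with an
## explicit notBefore/notAfter pair, so the validity period is fixed regardless
## of when the script is run. The file names appear to refer to the policy
## cut-over date each case exercises (lifetime limits for certificates issued
## after that date), not necessarily the certificate's own notBefore.
## A CSR is generated exactly once per case; the earlier extra `openssl req`
## after some issuances only re-wrote a .req nothing read, and was dropped.
openssl req -config ../scripts/ee.cnf \
  -newkey rsa:2048 -text -out out/10_year_validity.req
CA_NAME="req_ca_dn" \
  openssl ca \
    -batch \
    -extensions user_cert \
    -startdate 081030000000Z \
    -enddate   181029000000Z \
    -in out/10_year_validity.req \
    -out ../certificates/10_year_validity.pem \
    -config ca.cnf
openssl req -config ../scripts/ee.cnf \
  -newkey rsa:2048 -text -out out/11_year_validity.req
CA_NAME="req_ca_dn" \
  openssl ca \
    -batch \
    -extensions user_cert \
    -startdate 141030000000Z \
    -enddate   251030000000Z \
    -in out/11_year_validity.req \
    -out ../certificates/11_year_validity.pem \
    -config ca.cnf
openssl req -config ../scripts/ee.cnf \
  -newkey rsa:2048 -text -out out/39_months_after_2015_04.req
CA_NAME="req_ca_dn" \
  openssl ca \
    -batch \
    -extensions user_cert \
    -startdate 150402000000Z \
    -enddate   180702000000Z \
    -in out/39_months_after_2015_04.req \
    -out ../certificates/39_months_after_2015_04.pem \
    -config ca.cnf
openssl req -config ../scripts/ee.cnf \
  -newkey rsa:2048 -text -out out/40_months_after_2015_04.req
CA_NAME="req_ca_dn" \
  openssl ca \
    -batch \
    -extensions user_cert \
    -startdate 150402000000Z \
    -enddate   180801000000Z \
    -in out/40_months_after_2015_04.req \
    -out ../certificates/40_months_after_2015_04.pem \
    -config ca.cnf
openssl req -config ../scripts/ee.cnf \
  -newkey rsa:2048 -text -out out/60_months_after_2012_07.req
CA_NAME="req_ca_dn" \
  openssl ca \
    -batch \
    -extensions user_cert \
    -startdate 141030000000Z \
    -enddate   190930000000Z \
    -in out/60_months_after_2012_07.req \
    -out ../certificates/60_months_after_2012_07.pem \
    -config ca.cnf
openssl req -config ../scripts/ee.cnf \
  -newkey rsa:2048 -text -out out/61_months_after_2012_07.req
CA_NAME="req_ca_dn" \
  openssl ca \
    -batch \
    -extensions user_cert \
    -startdate 141030000000Z \
    -enddate   191103000000Z \
    -in out/61_months_after_2012_07.req \
    -out ../certificates/61_months_after_2012_07.pem \
    -config ca.cnf
# 39 months, based on a CA calculating one month as 'last day of Month 0' to
# last day of 'Month 1'.
openssl req -config ../scripts/ee.cnf \
  -newkey rsa:2048 -text -out out/39_months_based_on_last_day.req
CA_NAME="req_ca_dn" \
  openssl ca \
    -batch \
    -extensions user_cert \
    -startdate 170228000000Z \
    -enddate   200530000000Z \
    -in out/39_months_based_on_last_day.req \
    -out ../certificates/39_months_based_on_last_day.pem \
    -config ca.cnf
# start date after expiry date (notBefore > notAfter): a malformed validity
# period the verifier must reject rather than treat as "currently valid".
openssl req -config ../scripts/ee.cnf \
  -newkey rsa:2048 -text -out out/start_after_expiry.req
CA_NAME="req_ca_dn" \
  openssl ca \
    -batch \
    -extensions user_cert \
    -startdate 180901000000Z \
    -enddate   150402000000Z \
    -in out/start_after_expiry.req \
    -out ../certificates/start_after_expiry.pem \
    -config ca.cnf
# Issued pre-BRs, lifetime < 120 months, expires before 2019-07-01
openssl req -config ../scripts/ee.cnf \
  -newkey rsa:2048 -text -out out/pre_br_validity_ok.req
CA_NAME="req_ca_dn" \
  openssl ca \
    -batch \
    -extensions user_cert \
    -startdate 080101000000Z \
    -enddate   150101000000Z \
    -in out/pre_br_validity_ok.req \
    -out ../certificates/pre_br_validity_ok.pem \
    -config ca.cnf
# Issued pre-BRs, lifetime > 120 months, expires before 2019-07-01
openssl req -config ../scripts/ee.cnf \
  -newkey rsa:2048 -text -out out/pre_br_validity_bad_121.req
CA_NAME="req_ca_dn" \
  openssl ca \
    -batch \
    -extensions user_cert \
    -startdate 080101000000Z \
    -enddate   180501000000Z \
    -in out/pre_br_validity_bad_121.req \
    -out ../certificates/pre_br_validity_bad_121.pem \
    -config ca.cnf
# Issued pre-BRs, lifetime < 120 months, expires after 2019-07-01
openssl req -config ../scripts/ee.cnf \
  -newkey rsa:2048 -text -out out/pre_br_validity_bad_2020.req
CA_NAME="req_ca_dn" \
  openssl ca \
    -batch \
    -extensions user_cert \
    -startdate 120501000000Z \
    -enddate   190703000000Z \
    -in out/pre_br_validity_bad_2020.req \
    -out ../certificates/pre_br_validity_bad_2020.pem \
    -config ca.cnf
# The next three cases bracket the 825-day limit that applies to certificates
# issued after 2018-03-01: one day over, exactly at, and one second over.
# Issued after 2018-03-01, lifetime == 826 days (bad)
openssl req -config ../scripts/ee.cnf \
  -newkey rsa:2048 -text -out out/826_days_after_2018_03_01.req
CA_NAME="req_ca_dn" \
  openssl ca \
    -batch \
    -extensions user_cert \
    -startdate 180302000000Z \
    -enddate   200605000000Z \
    -in out/826_days_after_2018_03_01.req \
    -out ../certificates/826_days_after_2018_03_01.pem \
    -config ca.cnf
# Issued after 2018-03-01, lifetime == 825 days (good)
openssl req -config ../scripts/ee.cnf \
  -newkey rsa:2048 -text -out out/825_days_after_2018_03_01.req
CA_NAME="req_ca_dn" \
  openssl ca \
    -batch \
    -extensions user_cert \
    -startdate 180302000000Z \
    -enddate   200604000000Z \
    -in out/825_days_after_2018_03_01.req \
    -out ../certificates/825_days_after_2018_03_01.pem \
    -config ca.cnf
# Issued after 2018-03-01, lifetime == 825 days and one second (bad)
openssl req -config ../scripts/ee.cnf \
  -newkey rsa:2048 -text -out out/825_days_1_second_after_2018_03_01.req
CA_NAME="req_ca_dn" \
  openssl ca \
    -batch \
    -extensions user_cert \
    -startdate 180302000000Z \
    -enddate   200604000001Z \
    -in out/825_days_1_second_after_2018_03_01.req \
    -out ../certificates/825_days_1_second_after_2018_03_01.pem \
    -config ca.cnf

# The next three cases bracket the 398-day limit that applies to certificates
# issued after 2020-09-01, in the same one-over / exact / one-second-over shape.
# Issued after 2020-09-01, lifetime == 399 days (bad)
openssl req -config ../scripts/ee.cnf \
  -newkey rsa:2048 -text -out out/399_days_after_2020_09_01.req
CA_NAME="req_ca_dn" \
  openssl ca \
    -batch \
    -extensions user_cert \
    -startdate 200902000000Z \
    -enddate   211006000000Z \
    -in out/399_days_after_2020_09_01.req \
    -out ../certificates/399_days_after_2020_09_01.pem \
    -config ca.cnf
# Issued after 2020-09-01, lifetime == 398 days (good)
openssl req -config ../scripts/ee.cnf \
  -newkey rsa:2048 -text -out out/398_days_after_2020_09_01.req
CA_NAME="req_ca_dn" \
  openssl ca \
    -batch \
    -extensions user_cert \
    -startdate 200902000000Z \
    -enddate   211005000000Z \
    -in out/398_days_after_2020_09_01.req \
    -out ../certificates/398_days_after_2020_09_01.pem \
    -config ca.cnf
# Issued after 2020-09-01, lifetime == 398 days and one second (bad)
openssl req -config ../scripts/ee.cnf \
  -newkey rsa:2048 -text -out out/398_days_1_second_after_2020_09_01.req
CA_NAME="req_ca_dn" \
  openssl ca \
    -batch \
    -extensions user_cert \
    -startdate 200902000000Z \
    -enddate   211005000001Z \
    -in out/398_days_1_second_after_2020_09_01.req \
    -out ../certificates/398_days_1_second_after_2020_09_01.pem \
    -config ca.cnf

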
# Includes the canSignHttpExchangesDraft extension
# Self-signed, 1-year validity. -nodes writes the key unencrypted to -keyout
# under out/ (the key is scratch; only the certificate is published).
openssl req -x509 -newkey rsa:2048 \
  -keyout out/can_sign_http_exchanges_draft_extension.key \
  -out ../certificates/can_sign_http_exchanges_draft_extension.pem \
  -days 365 \
  -extensions req_extensions_with_can_sign_http_exchanges_draft \
  -nodes -config ee.cnf

# Includes the canSignHttpExchangesDraft extension, but with a SEQUENCE in the
# body rather than a NULL. Presumably a negative test for the extension parser;
# the malformed body is defined in ee.cnf (not shown here).
openssl req -x509 -newkey rsa:2048 \
  -keyout out/can_sign_http_exchanges_draft_extension_invalid.key \
  -out ../certificates/can_sign_http_exchanges_draft_extension_invalid.pem \
  -days 365 \
  -extensions req_extensions_with_can_sign_http_exchanges_draft_invalid \
  -nodes -config ee.cnf

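# SHA-1 certificate issued by locally trusted CA
copy_or_generate_key ../certificates/sha1_leaf.pem out/sha1_leaf.key
openssl req \
  -config ../scripts/ee.cnf \
  -new \
  -text \
  -key out/sha1_leaf.key \
  -out out/sha1_leaf.req
# -md sha1 deliberately signs with the weak SHA-1 digest, so handling of
# SHA-1 signatures chaining to a locally trusted root can be tested. Validity
# is CERT_LIFETIME from now, so the certificate itself is not expired.
CA_NAME="req_ca_dn" \
  openssl ca \
    -batch \
    -extensions user_cert \
    -days "${CERT_LIFETIME}" \
    -in out/sha1_leaf.req \
    -out out/sha1_leaf.pem \
    -config ca.cnf \
    -md sha1
# Key followed by certificate, so the bundle seeds the key on the next run.
# A plain redirection does the job; no extra /bin/sh -c wrapper is needed.
cat out/sha1_leaf.key out/sha1_leaf.pem > ../certificates/sha1_leaf.pem
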
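# Certificate with only a common name (no SAN) issued by a locally trusted CA
copy_or_generate_key ../certificates/common_name_only.pem \
  out/common_name_only.key
# req_no_san (in ee.cnf) is the extension section without a subjectAltName,
# so the leaf is identified by its CN alone.
openssl req \
  -config ../scripts/ee.cnf \
  -reqexts req_no_san \
  -new \
  -text \
  -key out/common_name_only.key \
  -out out/common_name_only.req
# Fixed 2017-12-20 to 2020-12-20 validity: the dates do not move on
# regeneration, and the certificate is expired by now.
CA_NAME="req_ca_dn" \
  openssl ca \
    -batch \
    -extensions user_cert \
    -startdate 171220000000Z \
    -enddate   201220000000Z \
    -in out/common_name_only.req \
    -out out/common_name_only.pem \
    -config ca.cnf
# Key followed by certificate, so the bundle seeds the key on the next run.
# A plain redirection does the job; no extra /bin/sh -c wrapper is needed.
cat out/common_name_only.key out/common_name_only.pem \
  > ../certificates/common_name_only.pem
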
# Issued on 1 May 2018 (after the 30 Apr 2018 CT Requirement date)
# Fresh key+CSR; the 2018-05-01 to 2020-08-03 validity is pinned with explicit
# dates so the issuance date stays on the CT-required side of the cut-over.
openssl req \
  -config ../scripts/ee.cnf \
  -newkey rsa:2048 \
  -text \
  -out out/may_2018.req
CA_NAME="req_ca_dn" \
  openssl ca \
    -batch \
    -extensions user_cert \
    -startdate 180501000000Z \
    -enddate   200803000000Z \
    -in out/may_2018.req \
    -out ../certificates/may_2018.pem \
    -config ca.cnf

# Issued after 1 July 2019 (The macOS 10.15+ date for additional
# policies for locally-trusted certificates - see
# https://support.apple.com/en-us/HT210176 ) and valid for >825
# days, even accounting for rounding issues.
# Unlike the pinned-date cases above this uses -days, so notBefore is the
# time of generation; the "after 2019-07-01" property holds for any run from
# that date on.
openssl req \
  -config ../scripts/ee.cnf \
  -newkey rsa:2048 \
  -text \
  -out out/900_days_after_2019_07_01.req
CA_NAME="req_ca_dn" \
  openssl ca \
    -batch \
    -extensions user_cert \
    -days 900 \
    -in out/900_days_after_2019_07_01.req \
    -out ../certificates/900_days_after_2019_07_01.pem \
    -config ca.cnf

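## Certificates for testing EV display (DN set with different variations)
## Self-signed, valid for CERT_LIFETIME days; SUBJECT_NAME picks the DN section
## in ee.cnf (as for the localhost and punycode cases above). Uses the
## single-dash -config spelling like every other openssl call in this script;
## openssl accepts both -opt and --opt, so the output is unchanged.
SUBJECT_NAME="req_ev_dn" \
  openssl req -x509 -days "${CERT_LIFETIME}" \
    -config ../scripts/ee.cnf -newkey rsa:2048 -text \
    -out ../certificates/ev_test.pem

SUBJECT_NAME="req_ev_state_only_dn" \
  openssl req -x509 -days "${CERT_LIFETIME}" \
    -config ../scripts/ee.cnf -newkey rsa:2048 -text \
    -out ../certificates/ev_test_state_only.pem
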
# Regenerate CRLSets.
# Each CRLSet is described to crlsetutil.py as a JSON document on stdin, with
# certificate paths standing in for the SPKI/subject/serial values the tool
# derives from them. The here-doc delimiters are quoted so the JSON is passed
# through literally, with no shell expansion.

## Block a leaf cert directly by SPKI
python3 crlsetutil.py -o ../certificates/crlset_by_leaf_spki.raw <<'JSON'
{
  "BlockedBySPKI": ["../certificates/ok_cert.pem"]
}
JSON

## Block a root cert directly by SPKI
python3 crlsetutil.py -o ../certificates/crlset_by_root_spki.raw <<'JSON'
{
  "BlockedBySPKI": ["../certificates/root_ca_cert.pem"]
}
JSON

## Block a leaf cert by issuer-hash-and-serial
python3 crlsetutil.py -o ../certificates/crlset_by_root_serial.raw <<'JSON'
{
  "BlockedByHash": {
    "../certificates/root_ca_cert.pem": [
      "../certificates/ok_cert.pem"
    ]
  }
}
JSON

## Block a leaf cert by issuer-hash-and-serial. However, this will be issued
## from an intermediate CA issued underneath a root.
python3 crlsetutil.py -o ../certificates/crlset_by_intermediate_serial.raw \
  <<'JSON'
{
  "BlockedByHash": {
    "../certificates/intermediate_ca_cert.pem": [
      "../certificates/ok_cert_by_intermediate.pem"
    ]
  }
}
JSON

## Block a subject with a single-entry allowlist of SPKI hashes.
python3 crlsetutil.py -o ../certificates/crlset_by_root_subject.raw <<'JSON'
{
  "LimitedSubjects": {
    "../certificates/root_ca_cert.pem": [
      "../certificates/root_ca_cert.pem"
    ]
  }
}
JSON

## Block a root subject with an empty allowlist of SPKI hashes.
python3 crlsetutil.py -o ../certificates/crlset_by_root_subject_no_spki.raw \
  <<'JSON'
{
  "LimitedSubjects": {
    "../certificates/root_ca_cert.pem": []
  },
  "Sequence": 2
}
JSON

## Block a leaf subject with an empty allowlist of SPKI hashes.
python3 crlsetutil.py -o ../certificates/crlset_by_leaf_subject_no_spki.raw \
  <<'JSON'
{
  "LimitedSubjects": {
    "../certificates/ok_cert.pem": []
  }
}
JSON

## Mark a given root as blocked for interception.
python3 crlsetutil.py \
  -o ../certificates/crlset_blocked_interception_by_root.raw <<'JSON'
{
  "BlockedInterceptionSPKIs": [
    "../certificates/root_ca_cert.pem"
  ]
}
JSON

## Mark a given intermediate as blocked for interception.
python3 crlsetutil.py \
  -o ../certificates/crlset_blocked_interception_by_intermediate.raw <<'JSON'
{
  "BlockedInterceptionSPKIs": [
    "../certificates/intermediate_ca_cert.pem"
  ]
}
JSON

## Mark a given root as known for interception, but not blocked.
python3 crlsetutil.py \
  -o ../certificates/crlset_known_interception_by_root.raw <<'JSON'
{
  "KnownInterceptionSPKIs": [
    "../certificates/root_ca_cert.pem"
  ]
}
JSON

678