xref: /aosp_15_r20/external/cronet/net/data/ssl/scripts/generate-quic-chain.sh (revision 6777b5387eb2ff775bb5750e3f5d96f37fb7352b)
1#!/bin/sh
2
3# Copyright 2017 The Chromium Authors
4# Use of this source code is governed by a BSD-style license that can be
5# found in the LICENSE file.
6
7# This script generates a test chain of (end-entity, intermediate, root)
8# certificates used to run a test QUIC server.
9
10try() {
11  "$@" || (e=$?; echo "$@" > /dev/stderr; exit $e)
12}
13
14try rm -rf out
15try mkdir out
16
17# Create the serial number files.
18try /bin/sh -c "echo 01 > out/quic-test-root-serial"
19try /bin/sh -c "echo 01 > out/quic-test-intermediate-serial"
20
21# Create the signers' DB files.
22touch out/quic-test-root-index.txt
23touch out/quic-test-intermediate-index.txt
24
25# Generate the keys
26try openssl genrsa -out out/quic-test-root.key 2048
27try openssl genrsa -out out/quic-test-intermediate.key 2048
28try openssl genrsa -out out/quic-test-cert.key 2048
29
30# Generate the root certificate
31CA_COMMON_NAME="Test Root CA" \
32  CA_DIR=out \
33  CA_NAME=test-root \
34  try openssl req \
35    -new \
36    -key out/quic-test-root.key \
37    -out out/quic-test-root.csr \
38    -config quic-test.cnf
39
40CA_COMMON_NAME="Test Root CA" \
41  CA_DIR=out \
42  CA_NAME=quic-test-root \
43  try openssl x509 \
44    -req -days 3650 \
45    -in out/quic-test-root.csr \
46    -out out/quic-test-root.pem \
47    -signkey out/quic-test-root.key \
48    -extfile quic-test.cnf \
49    -extensions ca_cert \
50    -text
51
52# Generate the intermediate
53CA_COMMON_NAME="Test Intermediate CA" \
54  CA_DIR=out \
55  CA_NAME=quic-test-root \
56  try openssl req \
57    -new \
58    -key out/quic-test-intermediate.key \
59    -out out/quic-test-intermediate.csr \
60    -config quic-test.cnf
61
62CA_COMMON_NAME="Test Intermediate CA" \
63  CA_DIR=out \
64  CA_NAME=quic-test-root \
65  try openssl ca \
66    -batch \
67    -in out/quic-test-intermediate.csr \
68    -out out/quic-test-intermediate.pem \
69    -config quic-test.cnf \
70    -extensions ca_cert
71
72# Generate the leaf
73CA_COMMON_NAME="test.example.com" \
74CA_DIR=out \
75CA_NAME=quic-test-intermediate \
76try openssl req \
77  -new \
78  -key out/quic-test-cert.key \
79  -out out/quic-test-cert.csr \
80  -config quic-test.cnf
81
82CA_COMMON_NAME="Test Intermediate CA" \
83  HOST_NAME="test.example.com" \
84  CA_DIR=out \
85  CA_NAME=quic-test-intermediate \
86  try openssl ca \
87    -batch \
88    -in out/quic-test-cert.csr \
89    -out out/quic-test-cert.pem \
90    -config quic-test.cnf \
91    -extensions user_cert
92
93# Copy to the file names that are actually checked in.
94try openssl pkcs8 -topk8 -inform pem -outform der -in out/quic-test-cert.key -out ../certificates/quic-leaf-cert.key -nocrypt
95try cat out/quic-test-cert.pem out/quic-test-intermediate.pem > ../certificates/quic-chain.pem
96try cp out/quic-test-root.pem ../certificates/quic-root.pem
97try openssl pkcs8 -nocrypt -inform der -outform pem -in ../certificates/quic-leaf-cert.key -out ../certificates/quic-leaf-cert.key.pkcs8.pem
98