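#!/usr/bin/env bash
# Copyright (c) 2015, the Dart project authors. Please see the AUTHORS file
# for details. All rights reserved. Use of this source code is governed by a
# BSD-style license that can be found in the LICENSE file.

# Script to create sample certificates for the dart:io SecureSocket tests.
# Creates a root certificate authority, an intermediate authority and a
# server certificate, plus a separate client authority with two client
# certificates. Run it from the directory that holds
# sample_certificate_v3_extensions; results land in ./certificates.
# Everything produced here is a test fixture: the passphrase below is
# deliberately public and the certificates are only meaningful to the tests.
#
# NOTE(review): the body uses Oil shell syntax (`global ... :=`, brace
# blocks), which bash cannot parse, so the shebang above does not match the
# interpreter this file actually needs — confirm which shell runs it.

# Abort on the first failing command: every later step consumes the files
# produced by the earlier ones, so continuing after a failure would silently
# assemble an incomplete chain or trust bundle.
set -euo pipefail

global password := 'pass:dartdart'

# We need a server certificate chain where we don't trust the root. Take the
# server certificate from the previous run of this script, for that purpose.
if test -d "certificates" {
  # Only outputs of a previous run can be demoted; a partially populated
  # directory is left alone instead of aborting under errexit.
  if test -f certificates/server_key.pem {
    mv certificates/server_key.pem certificates/untrusted_server_key.pem
  }
  if test -f certificates/server_chain.pem {
    mv certificates/server_chain.pem certificates/untrusted_server_chain.pem
  }
} else {
  mkdir certificates
}

mkdir -p certificate_authority
cd certificate_authority

# Create a self-signed certificate authority.
openssl req -subj /CN=rootauthority -set_serial 1 -batch -verbose \
  -passout "$password" -new -x509 -keyout root_authority_key.pem \
  -out root_authority.pem -days 3650

# Create a certificate request for the intermediate authority.
openssl req -subj /CN=intermediateauthority -batch -verbose \
  -passout "$password" -new -keyout intermediate_authority_key.pem \
  -out intermediate_authority_request.pem

# Sign the certificate of the intermediate authority with the root authority.
# Add the certificate extensions marking it as a certificate authority.
openssl x509 -req -in intermediate_authority_request.pem \
  -out intermediate_authority.pem -set_serial 2 \
  -CA root_authority.pem -CAkey root_authority_key.pem \
  -passin "$password" -extfile ../sample_certificate_v3_extensions \
  -extensions intermediate_authority -days 3650

# Create a certificate request for the server certificate.
openssl req -subj /CN=localhost -batch -verbose -passout "$password" -new \
  -keyout localhost_key.pem -out localhost_request.pem

# Sign the server certificate with the intermediate authority. Add the
# certificate extensions for SubjectAltName and that it is not a CA itself.
openssl x509 -req -in localhost_request.pem -out localhost.pem -set_serial 1 \
  -CA intermediate_authority.pem -CAkey intermediate_authority_key.pem \
  -passin "$password" -extfile ../sample_certificate_v3_extensions \
  -extensions localhost -days 3650

# Create a self-signed client certificate authority.
openssl req -subj /CN=clientauthority -set_serial 1 -batch -verbose \
  -passout "$password" -new -x509 -keyout client_authority_key.pem \
  -out client_authority.pem -config ../sample_certificate_v3_extensions \
  -extensions client_authority -days 3650

# Create certificate requests for the client certificates.
openssl req -subj /CN=user1 -batch -verbose -passout "$password" -new \
  -keyout client1_key.pem -out client1_request.pem
openssl req -subj /CN=user2 -batch -verbose -passout "$password" -new \
  -keyout client2_key.pem -out client2_request.pem

# Sign the certificate requests with the client authority.
openssl x509 -req -in client1_request.pem -out client1.pem -set_serial 2 \
  -CA client_authority.pem -CAkey client_authority_key.pem \
  -passin "$password" -extfile ../sample_certificate_v3_extensions \
  -extensions client_certificate -days 3650
openssl x509 -req -in client2_request.pem -out client2.pem -set_serial 3 \
  -CA client_authority.pem -CAkey client_authority_key.pem \
  -passin "$password" -extfile ../sample_certificate_v3_extensions \
  -extensions client_certificate -days 3650

# Delete all the signing keys for the authorities, so testers that add
# them as trusted are less vulnerable: only the sample server certificate
# and client certificates will be signed by them. No more certificates
# will ever be signed.
# It is the intermediate authority's *key* that must go here; its
# certificate is still needed below to assemble server_chain.pem and
# server_trusted.pem.
rm root_authority_key.pem
rm intermediate_authority_key.pem
rm client_authority_key.pem

# Copy the certificates we will use to the 'certificates' directory.
global CERTS := '../certificates'
cat localhost.pem intermediate_authority.pem root_authority.pem \
  > "$CERTS/server_chain.pem"
cat intermediate_authority.pem root_authority.pem client_authority.pem \
  > "$CERTS/server_trusted.pem"

# BoringSSL only accepts private keys signed with the PBE-SHA1-RC4-128 cipher.
# That is a legacy password-based encryption scheme; it only wraps these
# throw-away test keys, never anything that protects real traffic.
openssl pkcs8 -in localhost_key.pem -out "$CERTS/server_key.pem" \
  -topk8 -v1 PBE-SHA1-RC4-128 -passin "$password" -passout "$password"
openssl pkcs8 -in client1_key.pem -out "$CERTS/client1_key.pem" \
  -topk8 -v1 PBE-SHA1-RC4-128 -passin "$password" -passout "$password"
openssl pkcs8 -in client2_key.pem -out "$CERTS/client2_key.pem" \
  -topk8 -v1 PBE-SHA1-RC4-128 -passin "$password" -passout "$password"

cp root_authority.pem "$CERTS/trusted_certs.pem"
cp client_authority.pem "$CERTS"
cp client1.pem "$CERTS"
cp client2.pem "$CERTS"

cd ..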