Make it possible to run generate-test-certs.sh incrementally

Refreshing all the test certificates is tedious, however generate-test-certs.sh cannot be run incrementally right now: 1. Every time it is run, the CA private keys change, so all certificates have to be refreshed. This usually breaks pinning tests, etc., and is an unnecessary complication. 2. Serial numbers must not collide. Despite this, we try to manually run things anyway, with the result that the currently checked in certificates do not match the script output in serial number! I suspect we removed a certificate in the middle of the tower at some point. To make this a bit friendlier: 1. Preserving the root and intermeidate keys if already present. 2. Randomizing the certificate serial numbers rather than counting incrementally. This means that a developer can run the script and only check in the certificate they care about. Bug: 984685 Change-Id: I3c0b0e85654dd62f82fb83f90fd1252ebbaa3135 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1918385Reviewed-by: Matt Mueller <mattm@chromium.org> Commit-Queue: David Benjamin <davidben@chromium.org> Cr-Commit-Position: refs/heads/master@{#716029}

Make it possible to run generate-test-certs.sh incrementally
Refreshing all the test certificates is tedious, however generate-test-certs.sh cannot be run incrementally right now: 1. Every time it is run, the CA private keys change, so all certificates have to be refreshed. This usually breaks pinning tests, etc., and is an unnecessary complication. 2. Serial numbers must not collide. Despite this, we try to manually run things anyway, with the result that the currently checked in certificates do not match the script output in serial number! I suspect we removed a certificate in the middle of the tower at some point. To make this a bit friendlier: 1. Preserving the root and intermeidate keys if already present. 2. Randomizing the certificate serial numbers rather than counting incrementally. This means that a developer can run the script and only check in the certificate they care about. Bug: 984685 Change-Id: I3c0b0e85654dd62f82fb83f90fd1252ebbaa3135 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1918385Reviewed-by: Matt Mueller <mattm@chromium.org> Commit-Queue: David Benjamin <davidben@chromium.org> Cr-Commit-Position: refs/heads/master@{#716029}
39a93dde · David Benjamin · Commit Bot · d8881de7 · 39a93dde
Commit 39a93dde authored Nov 16, 2019 by David Benjamin Committed by Commit Bot Nov 16, 2019
Hide whitespace changes
Inline Side-by-side

Showing with 17 additions and 5 deletions

net/data/ssl/scripts/generate-test-certs.sh net/data/ssl/scripts/generate-test-certs.sh +17 -5

No files found.
--- a/net/data/ssl/scripts/generate-test-certs.sh
+++ b/net/data/ssl/scripts/generate-test-certs.sh
@@ -12,11 +12,15 @@ rm -rf out
 mkdir out
 mkdir out/int

-/bin/sh -c "echo 01 > out/2048-sha256-root-serial"
+openssl rand -hex -out out/2048-sha256-root-serial 16
 touch out/2048-sha256-root-index.txt

-# Generate the key
-openssl genrsa -out out/2048-sha256-root.key 2048
+# Generate the key or copy over the existing one if present.
+if [ -f ../certificates/root_ca_cert.pem ]; then
+  openssl rsa -in ../certificates/root_ca_cert.pem -out out/2048-sha256-root.key
+else
+  openssl genrsa -out out/2048-sha256-root.key 2048
+fi

 # Generate the root certificate
 CA_NAME="req_ca_dn" \
@@ -36,13 +40,21 @@ CA_NAME="req_ca_dn" \
    -text > out/2048-sha256-root.pem

 # Generate the test intermediate
-/bin/sh -c "echo 01 > out/int/2048-sha256-int-serial"
+openssl rand -hex -out out/int/2048-sha256-int-serial 16
 touch out/int/2048-sha256-int-index.txt

+# Copy over an existing key if present.
+if [ -f ../certificates/intermediate_ca_cert.pem ]; then
+  openssl rsa -in ../certificates/intermediate_ca_cert.pem \
+    -out out/int/2048-sha256-int.key
+else
+  openssl genrsa -out out/int/2048-sha256-int.key 2048
+fi
+
 CA_NAME="req_intermediate_dn" \
  openssl req \
    -new \
-    -keyout out/int/2048-sha256-int.key \
+    -key out/int/2048-sha256-int.key \
    -out out/int/2048-sha256-int.req \
    -config ca.cnf