net/data/ssl/certificates/README - Issue 1286793002: Treat failure to parse certificates as SSL protocol errors.

Side by Side Diff: net/data/ssl/certificates/README

Issue 1286793002: Treat failure to parse certificates as SSL protocol errors. (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master

Patch Set: sleevi comments Created 5 years, 4 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View unified diff | Download patch

OLD	NEW
1 This directory contains various certificates for use with SSL-related	1 This directory contains various certificates for use with SSL-related

2 unit tests.	2 unit tests.

3	3

4 ===== Real-world certificates that need manual updating	4 ===== Real-world certificates that need manual updating

5 - google.binary.p7b	5 - google.binary.p7b

6 - google.chain.pem	6 - google.chain.pem

7 - google.pem_cert.p7b	7 - google.pem_cert.p7b

8 - google.pem_pkcs7.p7b	8 - google.pem_pkcs7.p7b

9 - google.pkcs7.p7b	9 - google.pkcs7.p7b

10 - google.single.der	10 - google.single.der

(...skipping 111 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
122 - no_subject_common_name_cert.pem: Used to test the function that generates a	122 - no_subject_common_name_cert.pem: Used to test the function that generates a

123 NSS certificate nickname for a user certificate. This certificate's Subject	123 NSS certificate nickname for a user certificate. This certificate's Subject

124 field doesn't have a common name.	124 field doesn't have a common name.

125	125

126 - quic_intermediate.crt	126 - quic_intermediate.crt

127 - quic_test_ecc.example.com.crt	127 - quic_test_ecc.example.com.crt

128 - quic_test.example.com.crt	128 - quic_test.example.com.crt

129 - quic_root.crt	129 - quic_root.crt

130 These certificates are used by the ProofVerifier's unit tests of QUIC.	130 These certificates are used by the ProofVerifier's unit tests of QUIC.

131	131

	132 - bad_validity.pem : A certificate with bogus notBefore and notAfter fields.

	133 Windows refuses to parse this certificate.
	Ryan Sleevi 2015/08/12 22:03:19 It'd be preferable to not manually generate this. It'd be preferable to not manually generate this. Can you add it to one of the test scripts? davidben 2015/08/12 22:14:05 This was generated from the Go program attached in Show quoted text On 2015/08/12 22:03:19, Ryan Sleevi wrote: > It'd be preferable to not manually generate this. Can you add it to one of the > test scripts? This was generated from the Go program attached in the bug. There's no reason to ever regenerate it since it will never expire. If you give me an OpenSSL command-line to generate such a certificate, I'll include it, but I as a general rule try to avoid that tool. :-P Generating certificates with anything but Go is just a pain. Ryan Sleevi 2015/08/13 22:54:57 Eh, that's what we said about the certs until we s Show quoted text On 2015/08/12 22:14:05, David Benjamin wrote: > On 2015/08/12 22:03:19, Ryan Sleevi wrote: > > It'd be preferable to not manually generate this. Can you add it to one of the > > test scripts? > > This was generated from the Go program attached in the bug. There's no reason to > ever regenerate it since it will never expire. Eh, that's what we said about the certs until we switched SHA-1 to SHA-256 ;) Show quoted text > If you give me an OpenSSL > command-line to generate such a certificate, I'll include it, but I as a general > rule try to avoid that tool. :-P Generating certificates with anything but Go is > just a pain. That may be, but it's also the consistent way that multiple developers can collaborate (especially developers who hate Go :P). Load up net/data/ssl/scripts/generate-test-certs.sh . You can see explicit date assignment at https://code.google.com/p/chromium/codesearch#chromium/src/net/data/ssl/scrip... as an example. You can see explicit name assignment at https://code.google.com/p/chromium/codesearch#chromium/src/net/data/ssl/scrip... It uses ASN1_TIME_set_string, which should handle dates even outside the representation of a time_t davidben 2015/08/14 22:42:36 Done. Yeah, I really don't like using openssl x509 Show quoted text On 2015/08/13 22:54:57, Ryan Sleevi (out until 8-24) wrote: > On 2015/08/12 22:14:05, David Benjamin wrote: > > On 2015/08/12 22:03:19, Ryan Sleevi wrote: > > > It'd be preferable to not manually generate this. Can you add it to one of > the > > > test scripts? > > > > This was generated from the Go program attached in the bug. There's no reason > to > > ever regenerate it since it will never expire. > > Eh, that's what we said about the certs until we switched SHA-1 to SHA-256 ;) > > > If you give me an OpenSSL > > command-line to generate such a certificate, I'll include it, but I as a > general > > rule try to avoid that tool. :-P Generating certificates with anything but Go > is > > just a pain. > > That may be, but it's also the consistent way that multiple developers can > collaborate (especially developers who hate Go :P). > > Load up net/data/ssl/scripts/generate-test-certs.sh . You can see explicit date > assignment at > https://code.google.com/p/chromium/codesearch#chromium/src/net/data/ssl/scrip... > as an example. > > You can see explicit name assignment at > https://code.google.com/p/chromium/codesearch#chromium/src/net/data/ssl/scrip... > > It uses ASN1_TIME_set_string, which should handle dates even outside the > representation of a time_t Done. Yeah, I really don't like using openssl x509. It's obnoxious. :-) Used Go to do CVE-2015-1793 as well.
	134

132 ===== From net/data/ssl/scripts/generate-test-certs.sh	135 ===== From net/data/ssl/scripts/generate-test-certs.sh

133 - expired_cert.pem	136 - expired_cert.pem

134 - ok_cert.pem	137 - ok_cert.pem

135 - root_ca_cert.pem	138 - root_ca_cert.pem

136 These certificates are the common certificates used by the Python test	139 These certificates are the common certificates used by the Python test

137 server for simulating HTTPS connections.	140 server for simulating HTTPS connections.

138	141

139 - name_constraint_bad.pem	142 - name_constraint_bad.pem

140 - name_constraint_good.pem	143 - name_constraint_good.pem

141 Two certificates used to test the built-in ability to restrict a root to	144 Two certificates used to test the built-in ability to restrict a root to

(...skipping 124 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
266 ===== From net/data/ssl/scripts/generate-aia-certs.sh	269 ===== From net/data/ssl/scripts/generate-aia-certs.sh

267 - aia-cert.pem	270 - aia-cert.pem

268 - aia-intermediate.der	271 - aia-intermediate.der

269 - aia-root.pem	272 - aia-root.pem

270 A certificate chain which we use to ensure AIA fetching works correctly	273 A certificate chain which we use to ensure AIA fetching works correctly

271 when using NSS to verify certificates (which uses our HTTP stack).	274 when using NSS to verify certificates (which uses our HTTP stack).

272 aia-cert.pem has a caIssuers that points to "aia-test.invalid" as the URL	275 aia-cert.pem has a caIssuers that points to "aia-test.invalid" as the URL

273 containing the intermediate, which can be served via a URLRequestFilter.	276 containing the intermediate, which can be served via a URLRequestFilter.

274 aia-intermediate.der is stored in DER form for convenience, since that is	277 aia-intermediate.der is stored in DER form for convenience, since that is

275 the form expected of certificates discovered via AIA.	278 the form expected of certificates discovered via AIA.

OLD	NEW

« no previous file with comments | « net/base/net_error_list.h ('k') | net/data/ssl/certificates/bad_validity.pem » ('j') | net/socket/ssl_client_socket_unittest.cc » ('J')