Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(572)

Issues Search
    My Issues | Starred     Open | Closed | All

Side by Side Diff: net/data/ssl/scripts/generate-multi-root-test-chains.sh

Issue 1724413002: Perform CRLSet evaluation during Path Building on NSS (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: Created 4 years, 10 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch
« net/cert/cert_verify_proc_nss.cc ('K') | « net/data/ssl/certificates/multi-root-crlset-unrelated.raw ('k') | no next file » | no next file with comments »
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
1 #!/bin/sh 1 #!/bin/sh
2 2
3 # Copyright 2014 The Chromium Authors. All rights reserved. 3 # Copyright 2014 The Chromium Authors. All rights reserved.
4 # Use of this source code is governed by a BSD-style license that can be 4 # Use of this source code is governed by a BSD-style license that can be
5 # found in the LICENSE file. 5 # found in the LICENSE file.
6 6
7 # The following documentation uses the annotation approach from RFC 4158. 7 # The following documentation uses the annotation approach from RFC 4158.
8 # CAs (entities that share the same name and public key) are denoted in boxes, 8 # CAs (entities that share the same name and public key) are denoted in boxes,
9 # while the indication that a CA Foo signed a certificate for CA Bar is denoted 9 # while the indication that a CA Foo signed a certificate for CA Bar is denoted
10 # by directed arrows. 10 # by directed arrows.
(...skipping 190 matching lines...) Expand 10 before | Expand all | Expand 10 after
201 > ../certificates/multi-root-chain2.pem" 201 > ../certificates/multi-root-chain2.pem"
202 cp out/B.pem ../certificates/multi-root-B-by-C.pem 202 cp out/B.pem ../certificates/multi-root-B-by-C.pem
203 cp out/B2.pem ../certificates/multi-root-B-by-F.pem 203 cp out/B2.pem ../certificates/multi-root-B-by-F.pem
204 cp out/C.pem ../certificates/multi-root-C-by-D.pem 204 cp out/C.pem ../certificates/multi-root-C-by-D.pem
205 cp out/C2.pem ../certificates/multi-root-C-by-E.pem 205 cp out/C2.pem ../certificates/multi-root-C-by-E.pem
206 cp out/F.pem ../certificates/multi-root-F-by-E.pem 206 cp out/F.pem ../certificates/multi-root-F-by-E.pem
207 cp out/D.pem ../certificates/multi-root-D-by-D.pem 207 cp out/D.pem ../certificates/multi-root-D-by-D.pem
208 cp out/E.pem ../certificates/multi-root-E-by-E.pem 208 cp out/E.pem ../certificates/multi-root-E-by-E.pem
209 209
210 echo "Generating CRLSets" 210 echo "Generating CRLSets"
211 # Block C-by-E (serial number 0x1001) by way of serial number. 211 # Block D and E by SPKI; invalidates all paths.
212 python crlsetutil.py -o ../certificates/multi-root-crlset-C-by-E.raw \ 212 python crlsetutil.py -o ../certificates/multi-root-crlset-D-and-E.raw \
213 <<CRLSETBYSERIAL 213 <<CRLSETDOCBLOCK
214 {
215 "BlockedBySPKI": [
216 "out/D.pem",
217 "out/E.pem"
218 ]
219 }
220 CRLSETDOCBLOCK
221
222 # Block E by SPKI.
223 python crlsetutil.py -o ../certificates/multi-root-crlset-E.raw \
224 <<CRLSETDOCBLOCK
225 {
226 "BlockedBySPKI": [
227 "out/E.pem"
228 ]
229 }
230 CRLSETDOCBLOCK
231
232 # Block C-by-D (serial number 0x1000) and F-by-E (serial number 0x1001) by
233 # way of serial number.
234 python crlsetutil.py -o ../certificates/multi-root-crlset-CD-and-FE.raw \
235 <<CRLSETDOCBLOCK
214 { 236 {
215 "BlockedByHash": { 237 "BlockedByHash": {
238 "out/D.pem": [4096],
216 "out/E.pem": [4097] 239 "out/E.pem": [4097]
217 } 240 }
218 } 241 }
219 CRLSETBYSERIAL 242 CRLSETDOCBLOCK
220 243
221 # Block F (all versions) by way of SPKI 244 # Block C (all versions) by way of SPKI
222 python crlsetutil.py -o ../certificates/multi-root-crlset-F.raw \ 245 python crlsetutil.py -o ../certificates/multi-root-crlset-C.raw \
223 <<CRLSETBYSPKI 246 <<CRLSETDOCBLOCK
224 { 247 {
225 "BlockedBySPKI": [ "out/F.pem" ] 248 "BlockedBySPKI": [ "out/C.pem" ]
226 } 249 }
227 CRLSETBYSPKI 250 CRLSETDOCBLOCK
251
252 # Block an unrelated/unissued serial (0x0FFF) to enable all paths.
253 python crlsetutil.py -o ../certificates/multi-root-crlset-unrelated.raw \
254 <<CRLSETDOCBLOCK
255 {
256 "BlockedByHash": {
257 "out/E.pem": [4095]
258 }
259 }
260 CRLSETDOCBLOCK
OLDNEW
« net/cert/cert_verify_proc_nss.cc ('K') | « net/data/ssl/certificates/multi-root-crlset-unrelated.raw ('k') | no next file » | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698