Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(675)

Issues Search
    My Issues | Starred     Open | Closed | All

Side by Side Diff: net/data/ssl/scripts/generate-bad-self-signed.sh

Issue 1988993002: Check self-signed certificate names and signatures (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: More Windows bugfixes Created 4 years, 7 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch
« net/data/ssl/scripts/ee.cnf ('K') | « net/data/ssl/scripts/ee.cnf ('k') | net/net.gypi » ('j') | no next file with comments »
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
(Empty)
1 #!/bin/bash
2
3 # Copyright 2013 The Chromium Authors. All rights reserved.
svaldez 2016/05/20 17:54:53 2016
dadrian 2016/05/20 19:01:22 Done.
4 # Use of this source code is governed by a BSD-style license that can be
5 # found in the LICENSE file.
6
7 # This script generates a set of test (end-entity, intermediate, root)
estark 2016/05/20 18:37:53 looks like this comment needs to be updated
dadrian 2016/05/20 19:01:21 Done.
8 # certificates that can be used to test fetching of an intermediate via AIA.
9
10 try() {
11 "$@" || (e=$?; echo "$@" > /dev/stderr; exit $e)
12 }
13
14 try rm -rf out
15 try mkdir out
16
17 openssl genrsa -out out/bad-self-signed.key 2048
18 touch out/bad-self-signed-index.txt
19
20 # Create two certificate requests with the same key, but different subjects
21 SUBJECT_NAME="req_self_signed_a" \
22 try openssl req \
23 -new \
24 -key out/bad-self-signed.key \
25 -out out/ss-a.req \
26 -config ee.cnf
27
28 SUBJECT_NAME="req_self_signed_b" \
29 try openssl req \
30 -new \
31 -key out/bad-self-signed.key \
32 -out out/ss-b.req \
33 -config ee.cnf
34
35 # Create a normal self-signed certificate from one of these requests
36 try openssl x509 \
37 -req \
38 -in out/ss-a.req \
39 -out out/bad-self-signed-root-a.pem \
40 -signkey out/bad-self-signed.key \
41 -days 3650
42
43 # Now, for the crazy part. We need to find a section of the signature to modify
44 # so that the names match but the signature doesn't. We do this by replacing the
45 # first four bytes of the signature with the bytes 0xdead.
46
47 # Find the first four hex-encoded bytes of the signature
48 bytes=$(
49 openssl x509 -in out/bad-self-signed-root-a.pem -text -noout \
50 | grep -A 1 sha256WithRSA \
51 | tail -n 1 \
52 | tr -d ' ' \
53 | tr -d ':' \
54 | head -c 4)
55
56 # Find those bytes in the DER-encoded certificate, and replace them with 'dead'
57 openssl x509 -in out/bad-self-signed-root-a.pem -outform DER \
58 | xxd \
59 | sed "s|$bytes|dead|g" \
60 | xxd -r \
61 | openssl x509 -inform DER -outform PEM -out out/self-signed-invalid-sig.pem
62
63 # Make a "self-signed" certificate with mismatched names
64 try openssl x509 \
65 -req \
66 -in out/ss-b.req \
67 -out out/self-signed-invalid-name.pem \
68 -days 3650 \
69 -CA out/bad-self-signed-root-a.pem \
70 -CAkey out/bad-self-signed.key \
71 -CAserial out/bad-self-signed-serial.txt \
72 -CAcreateserial
OLDNEW
« net/data/ssl/scripts/ee.cnf ('K') | « net/data/ssl/scripts/ee.cnf ('k') | net/net.gypi » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698