net/data/ssl/scripts/generate-bad-self-signed.sh - Issue 1988993002: Check self-signed certificate names and signatures

Side by Side Diff

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Keyboard Shortcuts

	File
u :	up to issue
j / k :	jump to file after / before current file
J / K :	jump to next file with a comment after / before current file
	Side-by-side diff
i :	toggle intra-line diffs
e :	expand all comments
c :	collapse all comments
s :	toggle showing all comments
n / p :	next / previous diff chunk or comment
N / P :	next / previous comment
<Up> / <Down> :	next / previous line

	Issue
u :	up to list of issues
j / k :	jump to patch after / before current patch
o / <Enter> :	open current patch in side-by-side view
i :	open current patch in unified diff view

	Issue List
j / k :	jump to issue after / before current issue
o / <Enter> :	open current issue

Side by Side Diff: net/data/ssl/scripts/generate-bad-self-signed.sh

Issue 1988993002: Check self-signed certificate names and signatures (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master

Patch Set: Bugfixes for changes from initial comments Created 4 years, 7 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View unified diff | Download patch

OLD	NEW
(Empty)
	1 #!/bin/bash

	2

	3 # Copyright 2016 The Chromium Authors. All rights reserved.

	4 # Use of this source code is governed by a BSD-style license that can be

	5 # found in the LICENSE file.

	6

	7 # This script generates self-signed-invalid-name.pem and

	8 # self-signed-invalid-sig.pem, which are "self-signed" test certificates with

	9 # invalid names/signatures, respectively.

	10

	11 try() {

	12 "$@" \|\| (e=$?; echo "$@" > /dev/stderr; exit $e)

	13 }

	14

	15 try rm -rf out

	16 try mkdir out

	17

	18 openssl genrsa -out out/bad-self-signed.key 2048

	19 touch out/bad-self-signed-index.txt

	20

	21 # Create two certificate requests with the same key, but different subjects

	22 SUBJECT_NAME="req_self_signed_a" \

	23 try openssl req \

	24 -new \

	25 -key out/bad-self-signed.key \

	26 -out out/ss-a.req \

	27 -config ee.cnf

	28

	29 SUBJECT_NAME="req_self_signed_b" \

	30 try openssl req \

	31 -new \

	32 -key out/bad-self-signed.key \

	33 -out out/ss-b.req \

	34 -config ee.cnf

	35

	36 # Create a normal self-signed certificate from one of these requests

	37 try openssl x509 \

	38 -req \

	39 -in out/ss-a.req \

	40 -out out/bad-self-signed-root-a.pem \

	41 -signkey out/bad-self-signed.key \

	42 -days 3650

	43

	44 # Now, for the crazy part. We need to find a section of the signature to modify

	45 # so that the names match but the signature doesn't. We do this by replacing the

	46 # first four bytes of the signature with the bytes 0xdead.

	47

	48 # Find the first four hex-encoded bytes of the signature

	49 bytes=$(

	50 openssl x509 -in out/bad-self-signed-root-a.pem -text -noout \

	51 \| grep -A 1 sha256WithRSA \

	52 \| tail -n 1 \

	53 \| tr -d ' ' \

	54 \| tr -d ':' \

	55 \| head -c 4)

	56

	57 # Find those bytes in the DER-encoded certificate, and replace them with 'dead'

	58 openssl x509 -in out/bad-self-signed-root-a.pem -outform DER \

	59 \| xxd \

	60 \| sed "s\|$bytes\|dead\|g" \

	61 \| xxd -r \

	62 \| openssl x509 -inform DER -outform PEM -out out/self-signed-invalid-sig.pem

	63

	64 # Make a "self-signed" certificate with mismatched names

	65 try openssl x509 \

	66 -req \

	67 -in out/ss-b.req \

	68 -out out/self-signed-invalid-name.pem \

	69 -days 3650 \

	70 -CA out/bad-self-signed-root-a.pem \

	71 -CAkey out/bad-self-signed.key \

	72 -CAserial out/bad-self-signed-serial.txt \

	73 -CAcreateserial

OLD	NEW

« net/cert/x509_certificate_nss.cc ('K') | « net/data/ssl/scripts/ee.cnf ('k') | net/net.gypi » ('j') | no next file with comments »