net/data/ssl/scripts/generate-bad-self-signed.sh - Issue 1988993002: Check self-signed certificate names and signatures

Keyboard Shortcuts

	File
u :	up to issue
j / k :	jump to file after / before current file
J / K :	jump to next file with a comment after / before current file
	Side-by-side diff
i :	toggle intra-line diffs
e :	expand all comments
c :	collapse all comments
s :	toggle showing all comments
n / p :	next / previous diff chunk or comment
N / P :	next / previous comment
<Up> / <Down> :	next / previous line

	Issue
u :	up to list of issues
j / k :	jump to patch after / before current patch
o / <Enter> :	open current patch in side-by-side view
i :	open current patch in unified diff view

	Issue List
j / k :	jump to issue after / before current issue
o / <Enter> :	open current issue

Unified Diff: net/data/ssl/scripts/generate-bad-self-signed.sh

Issue 1988993002: Check self-signed certificate names and signatures (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master

Patch Set: Remove dependency on openssl -text format Created 4 years, 7 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View side-by-side diff with in-line comments

Download patch

Index: net/data/ssl/scripts/generate-bad-self-signed.sh

diff --git a/net/data/ssl/scripts/generate-bad-self-signed.sh b/net/data/ssl/scripts/generate-bad-self-signed.sh

new file mode 100755

index 0000000000000000000000000000000000000000..175553cdd4187a6e91fb4f1035a182d494a1e4a1

--- /dev/null

+++ b/net/data/ssl/scripts/generate-bad-self-signed.sh

@@ -0,0 +1,77 @@

+#!/bin/bash

+# Use of this source code is governed by a BSD-style license that can be

+# found in the LICENSE file.

+# This script generates self-signed-invalid-name.pem and

+# self-signed-invalid-sig.pem, which are "self-signed" test certificates with

+# invalid names/signatures, respectively.

+set -e

+ rm -rf out

+ mkdir out

+openssl genrsa -out out/bad-self-signed.key 2048

+touch out/bad-self-signed-index.txt

+# Create two certificate requests with the same key, but different subjects

+SUBJECT_NAME="req_self_signed_a" \

+openssl req \

+ -new \

+ -key out/bad-self-signed.key \

+ -out out/ss-a.req \

+ -config ee.cnf

+SUBJECT_NAME="req_self_signed_b" \

+openssl req \

+ -new \

+ -key out/bad-self-signed.key \

+ -out out/ss-b.req \

+ -config ee.cnf

+# Create a normal self-signed certificate from one of these requests

+openssl x509 \

+ -req \

+ -in out/ss-a.req \

+ -out out/bad-self-signed-root-a.pem \

+ -signkey out/bad-self-signed.key \

+ -days 3650

+# To invalidate the signature without changing names, replace two bytes from the

+# end of the certificate with 0xdead.

+openssl x509 -in out/bad-self-signed-root-a.pem -outform DER \

+ | head -c -2 \

+ > out/bad-sig.der.1

+echo -n -e "\xde\xad" > out/bad-sig.der.2

+cat out/bad-sig.der.1 out/bad-sig.der.2 \

+ | openssl x509 \

+ -inform DER \

+ -outform PEM \

+ -out out/cert-self-signed-invalid-sig.pem

+openssl x509 \

+ -text \

+ -noout \

+ -in out/cert-self-signed-invalid-sig.pem \

+ > out/self-signed-invalid-sig.pem

+cat out/cert-self-signed-invalid-sig.pem >> out/self-signed-invalid-sig.pem

+# Make a "self-signed" certificate with mismatched names

+openssl x509 \

+ -req \

+ -in out/ss-b.req \

+ -out out/cert-self-signed-invalid-name.pem \

+ -days 3650 \

+ -CA out/bad-self-signed-root-a.pem \

+ -CAkey out/bad-self-signed.key \

+ -CAserial out/bad-self-signed-serial.txt \

+ -CAcreateserial

+openssl x509 \

+ -text \

+ -noout \

+ -in out/cert-self-signed-invalid-name.pem \

+ > out/self-signed-invalid-name.pem

+cat out/cert-self-signed-invalid-name.pem >> out/self-signed-invalid-name.pem

« no previous file with comments | « net/data/ssl/scripts/ee.cnf ('k') | net/net.gypi » ('j') | no next file with comments »