Chromium Code Reviews

Unified Diff: net/data/ssl/scripts/generate-test-certs.sh

Issue 20628006: Reject certificates that are valid for too long. (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src
Patch Set: Make a new cert for IntranetHostsRejected. Tests pass now. Created 6 years, 2 months ago
Index: net/data/ssl/scripts/generate-test-certs.sh
diff --git a/net/data/ssl/scripts/generate-test-certs.sh b/net/data/ssl/scripts/generate-test-certs.sh
index d62bb988a5ddc2730068b83e4a0ce1e036d2cdc2..fe690073a31457d6924fd690ce4b83374035cc61 100755
--- a/net/data/ssl/scripts/generate-test-certs.sh
+++ b/net/data/ssl/scripts/generate-test-certs.sh
@@ -67,7 +67,7 @@ CA_COMMON_NAME="Test Root CA" \
try openssl ca \
-batch \
-extensions user_cert \
- -days 3650 \
+ -days 1000 \
Ryan Sleevi 2014/11/04 21:48:27 Why was this change necessary? Unrelated? Why didn
palmer 2014/11/07 19:16:14 Yeah, reverted. I think it was from when I was try
-in out/ok_cert.req \
-out out/ok_cert.pem \
-config ca.cnf
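Review bot: The `-days 3650` to `-days 1000` change on the `openssl ca` call for out/ok_cert.pem has no comment and no visible connection to the rest of the patch, which otherwise only adds new certificates. If ok_cert.pem needs the shorter lifetime to stay within the new validity limit, add a comment above the call saying so; otherwise keep 3650 so the regenerated certificate does not change for a reason the patch does not state.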
@@ -124,7 +124,48 @@ try openssl req -x509 -days 3650 -extensions req_san_sanity \
SUBJECT_NAME="req_punycode_dn" \
try openssl req -x509 -days 3650 -extensions req_punycode \
-config ../scripts/ee.cnf -newkey rsa:2048 -text \
- -out ../certificates/punycodetest.pem
+ -out ../certificates/punycodetest.pem
+
+## Reject intranet hosts
Ryan Sleevi 2014/11/04 21:48:27 Reject intranet hostnames in "publicly" trusted ce
palmer 2014/11/07 19:16:14 Done.
+SUBJECT_NAME="req_dn" \
+ try openssl req -x509 -days $((365 * 3)) \
+ -config ../scripts/ee.cnf -newkey rsa:2048 -text \
+ -out ../certificates/reject_intranet_hosts.pem
+
+## Validity too long
+try openssl req -config ../scripts/ee.cnf \
+ -newkey rsa:2048 -text -out ../certificates/11_year_validity.req
+CA_COMMON_NAME="Test Root CA" \
+ try openssl ca \
+ -batch \
+ -extensions user_cert \
+ -startdate 141030000000Z \
+ -days $((365 * 11)) \
Ryan Sleevi 2014/11/04 21:48:27 ಠ_ಠ KISS. This is /bin/sh style we're dealing wit
palmer 2014/11/07 19:16:14 Done.
+ -in ../certificates/11_year_validity.req \
+ -out ../certificates/11_year_validity.pem \
+ -config ca.cnf
+try openssl req -config ../scripts/ee.cnf \
+ -newkey rsa:2048 -text -out ../certificates/40_months_after_2015_04.req
+CA_COMMON_NAME="Test Root CA" \
+ try openssl ca \
+ -batch \
+ -extensions user_cert \
+ -startdate 150402000000Z \
+ -enddate 180901000000Z \
+ -in ../certificates/40_months_after_2015_04.req \
+ -out ../certificates/40_months_after_2015_04.pem \
+ -config ca.cnf
+try openssl req -config ../scripts/ee.cnf \
+ -newkey rsa:2048 -text -out ../certificates/61_months_after_2012_07.req
+CA_COMMON_NAME="Test Root CA" \
+ try openssl ca \
+ -batch \
+ -extensions user_cert \
+ -startdate 141030000000Z \
+ -days $((30 * 61)) \
Ryan Sleevi 2014/11/04 21:48:27 Ditto
palmer 2014/11/07 19:16:14 Done and on line 131 too.
+ -in ../certificates/61_months_after_2012_07.req \
+ -out ../certificates/61_months_after_2012_07.pem \
+ -config ca.cnf
# Regenerate CRLSets
## Block a leaf cert directly by SPKI
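Review bot: The 61_months_after_2012_07 block passes `-startdate 141030000000Z`, which is 30 October 2014, so the certificate's start date does not match the July 2012 in its file name, and `-days $((30 * 61))` only approximates 61 calendar months as 1830 days. Use an explicit `-startdate`/`-enddate` pair, as the 40_months_after_2015_04 block does, so the validity period matches the name and a boundary test does not depend on 30-day months. The same applies to `-days $((365 * 11))` for 11_year_validity, which ignores leap days. The "Reject intranet hosts" block would also benefit from a comment naming which hostname in `req_dn` is the intranet name under test, since nothing in the command line shows it.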
