
Unified Diff: net/tools/testserver/minica.py

Issue 2100303002: Add OCSPVerifyResult for tracking stapled OCSP responses cross-platform. (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@ocsp-date-check
Patch Set: Add tests for REVOKED status Created 4 years, 6 months ago
Index: net/tools/testserver/minica.py
diff --git a/net/tools/testserver/minica.py b/net/tools/testserver/minica.py
index acf68fcbb935059182661b275a106bb3c74472ad..eb9a2d056f70782d75bab66de8bd051baf67f243 100644
--- a/net/tools/testserver/minica.py
+++ b/net/tools/testserver/minica.py
@@ -3,9 +3,23 @@
# found in the LICENSE file.
import asn1
+import datetime
import hashlib
import os
+import time
+GENERALIZED_TIME_FORMAT = "%Y%m%d%H%M%SZ"
+
+OCSP_STATE_GOOD = 1
+OCSP_STATE_REVOKED = 2
+OCSP_STATE_INVALID = 3
+OCSP_STATE_UNAUTHORIZED = 4
+OCSP_STATE_UNKNOWN = 5
+
+OCSP_DATE_VALID = 1
+OCSP_DATE_OLD = 2
+OCSP_DATE_EARLY = 3
+OCSP_DATE_LONG = 4
# This file implements very minimal certificate and OCSP generation. It's
# designed to test revocation checking.
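Review bot: The new OCSP_DATE_* constants are introduced without any comment saying what each one selects, and their meaning is only recoverable from the branch in MakeOCSPResponse further down the file. A one-line header such as `# OCSP_DATE_*: where the response's thisUpdate/nextUpdate window sits relative to now` plus a trailing comment per value would make the test-server callers self-explanatory: VALID is a one-week window that began yesterday, OLD is a one-week window that ended an hour ago, EARLY has thisUpdate an hour in the future, and LONG is a one-year window that is still open for another hour. GENERALIZED_TIME_FORMAT would likewise benefit from `# ASN.1 GeneralizedTime, UTC, with seconds` so nobody drops the trailing Z or the seconds field.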
@@ -245,8 +259,7 @@ def MakeCertificate(
asn1.BitString(privkey.Sign(tbsCert)),
]))
-
-def MakeOCSPResponse(issuer_cn, issuer_key, serial, ocsp_state):
+def MakeOCSPResponse(issuer_cn, issuer_key, serial, ocsp_state, ocsp_date):
# https://tools.ietf.org/html/rfc2560
issuer_name_hash = asn1.OCTETSTRING(
hashlib.sha1(asn1.ToDER(Name(cn = issuer_cn))).digest())
@@ -264,9 +277,26 @@ def MakeOCSPResponse(issuer_cn, issuer_key, serial, ocsp_state):
else:
raise ValueError('Bad OCSP state: ' + str(ocsp_state))
+ now = datetime.datetime.fromtimestamp(time.mktime(time.gmtime()))
+ if ocsp_date == OCSP_DATE_VALID:
+ thisUpdate = now - datetime.timedelta(days=1)
+ nextUpdate = thisUpdate + datetime.timedelta(weeks=1)
+ elif ocsp_date == OCSP_DATE_OLD:
+ thisUpdate = now - datetime.timedelta(hours=1, weeks=1)
+ nextUpdate = thisUpdate + datetime.timedelta(weeks=1)
+ elif ocsp_date == OCSP_DATE_EARLY:
+ thisUpdate = now + datetime.timedelta(hours=1)
+ nextUpdate = thisUpdate + datetime.timedelta(weeks=1)
+ elif ocsp_date == OCSP_DATE_LONG:
+ thisUpdate = now - datetime.timedelta(days=365)
+ nextUpdate = thisUpdate + datetime.timedelta(hours=1, days=365)
+ else:
+ raise ValueError('Bad OCSP date: ' + str(ocsp_date))
+ producedAt = thisUpdate
dadrian 2016/06/27 22:43:03 I had to modify producedAt because apparently NSS
svaldez 2016/06/29 14:41:23 From the RFC, the only requirement on producedAt i
dadrian 2016/06/30 21:52:43 I added a check to make sure notBefore <= produced
Ryan Sleevi 2016/06/30 22:14:50 There were some security bugs about this. From an
dadrian 2016/07/08 22:17:30 I mangled these down to one test class that _shoul
+
basic_resp_data_der = asn1.ToDER(asn1.SEQUENCE([
asn1.Explicit(2, issuer_key_hash),
- asn1.GeneralizedTime("20100101060000Z"), # producedAt
+ asn1.GeneralizedTime(producedAt.strftime(GENERALIZED_TIME_FORMAT)),
asn1.SEQUENCE([
asn1.SEQUENCE([ # SingleResponse
asn1.SEQUENCE([ # CertID
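Review bot: The `now` computation at the top of the hunk, `datetime.datetime.fromtimestamp(time.mktime(time.gmtime()))`, round-trips a UTC struct_time through the local zone: mktime interprets the gmtime() fields as local standard time (tm_isdst is 0), and fromtimestamp then renders the result in the host's current local time, so on a host where DST is in effect the value is, as far as I can tell, one hour ahead of UTC. Every thisUpdate/nextUpdate derived from it shifts by that hour, which matters for the hour-granular cases OCSP_DATE_OLD (nextUpdate would land on the current time instead of an hour in the past) and OCSP_DATE_EARLY. `now = datetime.datetime.utcnow()` gives the intended naive UTC value directly and, if nothing else in the file uses it, makes the `time` import added in the first hunk unnecessary. MakeOCSPResponse starts and ends outside this hunk.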
@@ -279,8 +309,13 @@ def MakeOCSPResponse(issuer_cn, issuer_key, serial, ocsp_state):
serial,
]),
cert_status,
- asn1.GeneralizedTime("20100101060000Z"), # thisUpdate
- asn1.Explicit(0, asn1.GeneralizedTime("20300101060000Z")), # nextUpdate
+ asn1.GeneralizedTime( # thisUpdate
+ thisUpdate.strftime(GENERALIZED_TIME_FORMAT)
+ ),
+ asn1.Explicit( # nextUpdate
+ 0,
+ asn1.GeneralizedTime(nextUpdate.strftime(GENERALIZED_TIME_FORMAT))
+ ),
]),
]),
]))
@@ -311,12 +346,6 @@ def DERToPEM(der):
pem += '-----END CERTIFICATE-----\n'
return pem
-OCSP_STATE_GOOD = 1
-OCSP_STATE_REVOKED = 2
-OCSP_STATE_INVALID = 3
-OCSP_STATE_UNAUTHORIZED = 4
-OCSP_STATE_UNKNOWN = 5
-
# unauthorizedDER is an OCSPResponse with a status of 6:
# SEQUENCE { ENUM(6) }
unauthorizedDER = '30030a0106'.decode('hex')
@@ -324,6 +353,7 @@ unauthorizedDER = '30030a0106'.decode('hex')
def GenerateCertKeyAndOCSP(subject = "127.0.0.1",
ocsp_url = "http://127.0.0.1",
ocsp_state = OCSP_STATE_GOOD,
+ ocsp_date = OCSP_DATE_VALID,
serial = 0):
'''GenerateCertKeyAndOCSP returns a (cert_and_key_pem, ocsp_der) where:
* cert_and_key_pem contains a certificate and private key in PEM format
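Review bot: The new `ocsp_date` parameter is not described in the visible part of GenerateCertKeyAndOCSP's docstring, which continues outside the hunk. From the next hunk it is only forwarded to MakeOCSPResponse in the final `else` branch, so it has no effect when ocsp_state is OCSP_STATE_INVALID, and presumably likewise for whichever state the earlier branch short-circuits. A bullet in the existing style would make that explicit: `* ocsp_date (one of OCSP_DATE_*) selects the thisUpdate/nextUpdate window of the response; it is ignored for states that return a fixed response such as OCSP_STATE_INVALID`.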
@@ -344,6 +374,7 @@ def GenerateCertKeyAndOCSP(subject = "127.0.0.1",
elif ocsp_state == OCSP_STATE_INVALID:
ocsp_der = '3'
else:
- ocsp_der = MakeOCSPResponse(ISSUER_CN, KEY, serial, ocsp_state)
+ ocsp_der = MakeOCSPResponse(
+ ISSUER_CN, KEY, serial, ocsp_state, ocsp_date)
return (cert_pem + KEY_PEM, ocsp_der)
