Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(1140)

Issues Search
    My Issues | Starred     Open | Closed | All

Unified Diff: net/tools/testserver/minica.py

Issue 2719273002: Disable commonName matching for certificates (Closed)
Patch Set: More ChromeOS fixes Created 3 years, 10 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
« no previous file with comments | « net/ssl/ssl_config_service_unittest.cc ('k') | tools/metrics/histograms/histograms.xml » ('j') | no next file with comments »
Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
Index: net/tools/testserver/minica.py
diff --git a/net/tools/testserver/minica.py b/net/tools/testserver/minica.py
index 3395daf97ac7301bd34bfd1ae57f321197de4a62..62991ffba2ea385c559366253339e87372a26554 100644
--- a/net/tools/testserver/minica.py
+++ b/net/tools/testserver/minica.py
@@ -216,11 +216,12 @@ OCSP_TYPE_BASIC = asn1.OID([1, 3, 6, 1, 5, 5, 7, 48, 1, 1])
ORGANIZATION = asn1.OID([2, 5, 4, 10])
PUBLIC_KEY_RSA = asn1.OID([1, 2, 840, 113549, 1, 1, 1])
SHA256_WITH_RSA_ENCRYPTION = asn1.OID([1, 2, 840, 113549, 1, 1, 11])
-
+SUBJECT_ALTERNATIVE_NAME = asn1.OID([2, 5, 29, 17])
def MakeCertificate(
issuer_cn, subject_cn, serial, pubkey, privkey, ocsp_url = None,
- ca_issuers_url = None, is_ca=False, path_len=None):
+ ca_issuers_url = None, is_ca=False, path_len=None, ip_sans=None,
+ dns_sans=None):
'''MakeCertificate returns a DER encoded certificate, signed by privkey.'''
extensions = asn1.SEQUENCE([])
@@ -242,6 +243,24 @@ def MakeCertificate(
))),
]))
+ if ip_sans is not None or dns_sans is not None:
+ sans = []
+ if dns_sans is not None:
+ for dns_name in dns_sans:
+ sans.append(
+ asn1.Raw(asn1.TagAndLength(0x82, len(dns_name)) + dns_name))
+ if ip_sans is not None:
+ for ip_addr in ip_sans:
+ sans.append(
+ asn1.Raw(asn1.TagAndLength(0x87, len(ip_addr)) + ip_addr))
+ extensions.children.append(
+ asn1.SEQUENCE([
+ SUBJECT_ALTERNATIVE_NAME,
+ # There is implicitly a critical=False here. Since false is the
+ # default, encoding the value would be invalid DER.
+ asn1.OCTETSTRING(asn1.ToDER(asn1.SEQUENCE(sans)))
+ ]))
+
if ocsp_url is not None or ca_issuers_url is not None:
aia_entries = []
if ocsp_url is not None:
@@ -426,6 +445,8 @@ def GenerateCertKeyAndOCSP(subject = "127.0.0.1",
ocsp_states = None,
ocsp_dates = None,
ocsp_produced = OCSP_PRODUCED_VALID,
+ ip_sans = ["\x7F\x00\x00\x01"],
+ dns_sans = None,
serial = 0):
'''GenerateCertKeyAndOCSP returns a (cert_and_key_pem, ocsp_der) where:
* cert_and_key_pem contains a certificate and private key in PEM format
@@ -441,7 +462,8 @@ def GenerateCertKeyAndOCSP(subject = "127.0.0.1",
if serial == 0:
serial = RandomNumber(16)
cert_der = MakeCertificate(ROOT_CN, bytes(subject), serial, LEAF_KEY,
- ROOT_KEY, bytes(ocsp_url))
+ ROOT_KEY, bytes(ocsp_url), ip_sans=ip_sans,
+ dns_sans=dns_sans)
cert_pem = DERToPEM(cert_der)
ocsp_der = None
« no previous file with comments | « net/ssl/ssl_config_service_unittest.cc ('k') | tools/metrics/histograms/histograms.xml » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698