Chromium Code Reviews Chromium Code Reviews
Issue 724543002:
Reject certificates that are valid for too long. (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master| OLD | NEW |
|---|---|
| 1 #!/bin/sh | 1 #!/bin/sh |
| 2 | 2 |
| 3 # Copyright 2013 The Chromium Authors. All rights reserved. | 3 # Copyright 2013 The Chromium Authors. All rights reserved. |
| 4 # Use of this source code is governed by a BSD-style license that can be | 4 # Use of this source code is governed by a BSD-style license that can be |
| 5 # found in the LICENSE file. | 5 # found in the LICENSE file. |
| 6 | 6 |
| 7 # This script generates a set of test (end-entity, intermediate, root) | 7 # This script generates a set of test (end-entity, intermediate, root) |
| 8 # certificates that can be used to test fetching of an intermediate via AIA. | 8 # certificates that can be used to test fetching of an intermediate via AIA. |
| 9 | 9 |
| 10 try() { | 10 try() { |
| (...skipping 106 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 117 | 117 |
| 118 ## SubjectAltName parsing | 118 ## SubjectAltName parsing |
| 119 try openssl req -x509 -days 3650 -extensions req_san_sanity \ | 119 try openssl req -x509 -days 3650 -extensions req_san_sanity \ |
| 120 -config ../scripts/ee.cnf -newkey rsa:2048 -text \ | 120 -config ../scripts/ee.cnf -newkey rsa:2048 -text \ |
| 121 -out ../certificates/subjectAltName_sanity_check.pem | 121 -out ../certificates/subjectAltName_sanity_check.pem |
| 122 | 122 |
| 123 ## Punycode handling | 123 ## Punycode handling |
| 124 SUBJECT_NAME="req_punycode_dn" \ | 124 SUBJECT_NAME="req_punycode_dn" \ |
| 125 try openssl req -x509 -days 3650 -extensions req_punycode \ | 125 try openssl req -x509 -days 3650 -extensions req_punycode \ |
| 126 -config ../scripts/ee.cnf -newkey rsa:2048 -text \ | 126 -config ../scripts/ee.cnf -newkey rsa:2048 -text \ |
| 127 -out ../certificates/punycodetest.pem | 127 -out ../certificates/punycodetest.pem |
| 128 | |
| 129 ## Reject intranet hostnames in "publicly" trusted certs | |
| 130 # 365 * 3 = 1095 | |
| 131 SUBJECT_NAME="req_dn" \ | |
| 132 try openssl req -x509 -days 1095 \ | |
| 133 -config ../scripts/ee.cnf -newkey rsa:2048 -text \ | |
| 134 -out ../certificates/reject_intranet_hosts.pem | |
| 135 | |
| 136 ## Validity too long unit test support. | |
| 137 try openssl req -config ../scripts/ee.cnf \ | |
| 138 -newkey rsa:2048 -text -out ../certificates/10_year_validity.req | |
| 139 CA_COMMON_NAME="Test Root CA" \ | |
| 140 try openssl ca \ | |
| 141 -batch \ | |
| 142 -extensions user_cert \ | |
| 143 -startdate 081030000000Z \ | |
| 144 -enddate 181029000000Z \ | |
| 145 -in ../certificates/10_year_validity.req \ | |
| 146 -out ../certificates/10_year_validity.pem \ | |
| 147 -config ca.cnf | |
| 148 # 365 * 11 = 4015 | |
| 149 try openssl req -config ../scripts/ee.cnf \ | |
| 150 -newkey rsa:2048 -text -out ../certificates/11_year_validity.req | |
| 151 CA_COMMON_NAME="Test Root CA" \ | |
| 152 try openssl ca \ | |
| 153 -batch \ | |
| 154 -extensions user_cert \ | |
| 155 -startdate 141030000000Z \ | |
| 156 -days 4015 \ | |
| 157 -in ../certificates/11_year_validity.req \ | |
| 158 -out ../certificates/11_year_validity.pem \ | |
| 159 -config ca.cnf | |
| 160 try openssl req -config ../scripts/ee.cnf \ | |
| 161 -newkey rsa:2048 -text -out ../certificates/39_months_after_2015_04.req | |
| 162 CA_COMMON_NAME="Test Root CA" \ | |
| 163 try openssl ca \ | |
| 164 -batch \ | |
| 165 -extensions user_cert \ | |
| 166 -startdate 150402000000Z \ | |
| 167 -enddate 180702000000Z \ | |
| 168 -in ../certificates/39_months_after_2015_04.req \ | |
| 169 -out ../certificates/39_months_after_2015_04.pem \ | |
| 170 -config ca.cnf | |
| 171 try openssl req -config ../scripts/ee.cnf \ | |
| 172 -newkey rsa:2048 -text -out ../certificates/40_months_after_2015_04.req | |
| 173 CA_COMMON_NAME="Test Root CA" \ | |
| 174 try openssl ca \ | |
| 175 -batch \ | |
| 176 -extensions user_cert \ | |
| 177 -startdate 150402000000Z \ | |
| 178 -enddate 180801000000Z \ | |
| 179 -in ../certificates/40_months_after_2015_04.req \ | |
| 180 -out ../certificates/40_months_after_2015_04.pem \ | |
| 181 -config ca.cnf | |
| 182 try openssl req -config ../scripts/ee.cnf \ | |
| 183 -newkey rsa:2048 -text -out ../certificates/60_months_after_2012_07.req | |
| 184 CA_COMMON_NAME="Test Root CA" \ | |
| 185 try openssl ca \ | |
| 186 -batch \ | |
| 187 -extensions user_cert \ | |
| 188 -startdate 141030000000Z \ | |
| 189 -enddate 190930000000Z \ | |
| 190 -in ../certificates/60_months_after_2012_07.req \ | |
| 191 -out ../certificates/60_months_after_2012_07.pem \ | |
| 192 -config ca.cnf | |
| 193 try openssl req -config ../scripts/ee.cnf \ | |
| 194 -newkey rsa:2048 -text -out ../certificates/61_months_after_2012_07.req | |
| 195 # 30 * 61 = 1830 | |
| 196 CA_COMMON_NAME="Test Root CA" \ | |
| 197 try openssl ca \ | |
| 198 -batch \ | |
| 199 -extensions user_cert \ | |
| 200 -startdate 141030000000Z \ | |
| 201 -days 1830 \ | |
| 202 -in ../certificates/61_months_after_2012_07.req \ | |
| 203 -out ../certificates/61_months_after_2012_07.pem \ | |
| 204 -config ca.cnf | |
| 205 # start date after expiry date | |
| 206 try openssl req -config ../scripts/ee.cnf \ | |
| 207 -newkey rsa:2048 -text -out ../certificates/start_after_expiry.req | |
| 208 CA_COMMON_NAME="Test Root CA" \ | |
| 209 try openssl ca \ | |
| 210 -batch \ | |
| 211 -extensions user_cert \ | |
| 212 -startdate 180901000000Z \ | |
| 213 -enddate 150402000000Z \ | |
|
Ryan Sleevi
2015/01/22 02:04:40
You inconsistently align these dates in the file.
palmer
2015/01/22 20:05:05
Done.
| |
| 214 -in ../certificates/start_after_expiry.req \ | |
| 215 -out ../certificates/start_after_expiry.pem \ | |
| 216 -config ca.cnf | |
| 217 try openssl req -config ../scripts/ee.cnf \ | |
| 218 -newkey rsa:2048 -text -out ../certificates/start_after_expiry.req | |
| 219 # Issued pre-BRs, lifetime < 120 months, expires before 2019-07-01 | |
| 220 try openssl req -config ../scripts/ee.cnf \ | |
| 221 -newkey rsa:2048 -text -out ../certificates/pre_br_validity_ok.req | |
| 222 CA_COMMON_NAME="Test Root CA" \ | |
| 223 try openssl ca \ | |
| 224 -batch \ | |
| 225 -extensions user_cert \ | |
| 226 -startdate 080101000000Z \ | |
| 227 -enddate 150101000000Z \ | |
| 228 -in ../certificates/pre_br_validity_ok.req \ | |
| 229 -out ../certificates/pre_br_validity_ok.pem \ | |
| 230 -config ca.cnf | |
| 231 try openssl req -config ../scripts/ee.cnf \ | |
| 232 -newkey rsa:2048 -text -out ../certificates/pre_br_validity_ok.req | |
| 233 # Issued pre-BRs, lifetime > 120 months, expires before 2019-07-01 | |
| 234 try openssl req -config ../scripts/ee.cnf \ | |
| 235 -newkey rsa:2048 -text -out ../certificates/pre_br_validity_bad_121.req | |
| 236 CA_COMMON_NAME="Test Root CA" \ | |
| 237 try openssl ca \ | |
| 238 -batch \ | |
| 239 -extensions user_cert \ | |
| 240 -startdate 080101000000Z \ | |
| 241 -enddate 180501000000Z \ | |
| 242 -in ../certificates/pre_br_validity_bad_121.req \ | |
| 243 -out ../certificates/pre_br_validity_bad_121.pem \ | |
| 244 -config ca.cnf | |
| 245 try openssl req -config ../scripts/ee.cnf \ | |
| 246 -newkey rsa:2048 -text -out ../certificates/pre_br_validity_bad_121.req | |
| 247 # Issued pre-BRs, lifetime < 120 months, expires after 2019-07-01 | |
| 248 try openssl req -config ../scripts/ee.cnf \ | |
| 249 -newkey rsa:2048 -text -out ../certificates/pre_br_validity_bad_2020.req | |
| 250 CA_COMMON_NAME="Test Root CA" \ | |
| 251 try openssl ca \ | |
| 252 -batch \ | |
| 253 -extensions user_cert \ | |
| 254 -startdate 120501000000Z \ | |
| 255 -enddate 190703000000Z \ | |
| 256 -in ../certificates/pre_br_validity_bad_2020.req \ | |
| 257 -out ../certificates/pre_br_validity_bad_2020.pem \ | |
| 258 -config ca.cnf | |
| 259 try openssl req -config ../scripts/ee.cnf \ | |
| 260 -newkey rsa:2048 -text -out ../certificates/pre_br_validity_bad_2020.req | |
| 128 | 261 |
| 129 # Regenerate CRLSets | 262 # Regenerate CRLSets |
| 130 ## Block a leaf cert directly by SPKI | 263 ## Block a leaf cert directly by SPKI |
| 131 try python crlsetutil.py -o ../certificates/crlset_by_leaf_spki.raw \ | 264 try python crlsetutil.py -o ../certificates/crlset_by_leaf_spki.raw \ |
| 132 <<CRLBYLEAFSPKI | 265 <<CRLBYLEAFSPKI |
| 133 { | 266 { |
| 134 "BlockedBySPKI": ["../certificates/ok_cert.pem"] | 267 "BlockedBySPKI": ["../certificates/ok_cert.pem"] |
| 135 } | 268 } |
| 136 CRLBYLEAFSPKI | 269 CRLBYLEAFSPKI |
| 137 | 270 |
| (...skipping 11 matching lines...) Expand all Loading... | |
| 149 ## Block a leaf cert by issuer-hash-and-serial. However, this will be issued | 282 ## Block a leaf cert by issuer-hash-and-serial. However, this will be issued |
| 150 ## from an intermediate CA issued underneath a root. | 283 ## from an intermediate CA issued underneath a root. |
| 151 try python crlsetutil.py -o ../certificates/crlset_by_intermediate_serial.raw \ | 284 try python crlsetutil.py -o ../certificates/crlset_by_intermediate_serial.raw \ |
| 152 <<CRLSETBYINTERMEDIATESERIAL | 285 <<CRLSETBYINTERMEDIATESERIAL |
| 153 { | 286 { |
| 154 "BlockedByHash": { | 287 "BlockedByHash": { |
| 155 "../certificates/quic_intermediate.crt": [3] | 288 "../certificates/quic_intermediate.crt": [3] |
| 156 } | 289 } |
| 157 } | 290 } |
| 158 CRLSETBYINTERMEDIATESERIAL | 291 CRLSETBYINTERMEDIATESERIAL |
| OLD | NEW |
