author | btolsch <btolsch@chromium.org> | 2019-08-07 17:48:33 -0700 |
---|---|---|
committer | Commit Bot <commit-bot@chromium.org> | 2019-08-09 00:00:55 +0000 |
commit | d4510d05605bc750f39074a2114c8c3bae3731f6 (patch) | |
tree | 6756cdeae922225cd118334b9ad8ede287d2a14f /test | |
parent | 1503c993681a5bb75913325121cd6261cdd28bbd (diff) | |
download | openscreen-d4510d05605bc750f39074a2114c8c3bae3731f6.tar.gz |
Address remaining RFC 5280 TODOs in certificate chain verification
This change fixes the remaining TODOs for supporting basic Cast
certificate chain verification according to RFC 5280.
Bug: openscreen:58
Change-Id: Ie779b052470b3872b029ce7a8050dbe2cf1240e8
Reviewed-on: https://chromium-review.googlesource.com/c/openscreen/+/1737531
Reviewed-by: Ryan Keane <rwkeane@google.com>
Reviewed-by: Max Yakimakha <yakimakha@chromium.org>
Commit-Queue: Brandon Tolsch <btolsch@chromium.org>
Diffstat (limited to 'test')
4 files changed, 158 insertions, 0 deletions
diff --git a/test/data/cast/common/certificate/certificates/README.md b/test/data/cast/common/certificate/certificates/README.md new file mode 100644 index 00000000..6060388d --- /dev/null +++ b/test/data/cast/common/certificate/certificates/README.md @@ -0,0 +1,21 @@ +# Generating Certificates + +## Name Constraints Examples + +The following commands were used along with `extensions.conf` to generate the +certificates in `nc.pem` and `nc_fail.pem`. + +``` bash +# Once for each certificate. +$ openssl genrsa -out keyN.pem 2048 +$ openssl req -new -key keyN.pem -out certN.csr + +# <extension> will be v3_ca_nc for the intermediate and v3_req for the device. +$ openssl x509 -req -in certN.csr -CA certN-1.pem -CAkey keyN-1.pem + -CAcreateserial -extensions <extension> -extfile extensions.conf -out + certN.pem -days 365 -sha256 +``` + +Note: it looks like `openssl req` also accepts extensions via `-reqexts` but +there is a known bug in openssl where extensions are transferred between CSRs +and X509 certs. diff --git a/test/data/cast/common/certificate/certificates/extensions.conf b/test/data/cast/common/certificate/certificates/extensions.conf new file mode 100644 index 00000000..e536ac6c --- /dev/null +++ b/test/data/cast/common/certificate/certificates/extensions.conf @@ -0,0 +1,13 @@ +[v3_ca_nc] +basicConstraints=CA:TRUE +keyUsage=digitalSignature, keyEncipherment, keyCertSign +nameConstraints=permitted;dirName:dn + +[dn] +C=US +ST=California +O=Google Inc + +[v3_req] +basicConstraints=CA:FALSE +keyUsage=digitalSignature, keyEncipherment diff --git a/test/data/cast/common/certificate/certificates/nc.pem b/test/data/cast/common/certificate/certificates/nc.pem new file mode 100644 index 00000000..bee2ae8a --- /dev/null +++ b/test/data/cast/common/certificate/certificates/nc.pem 
@@ -0,0 +1,62 @@ +-----BEGIN CERTIFICATE----- +MIIDNzCCAh+gAwIBAgIUaF+tYp/hmPb2cjFbuBNTiyEw9jAwDQYJKoZIhvcNAQEL +BQAwRzELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExEzARBgNVBAoM +Ckdvb2dsZSBJbmMxDjAMBgNVBAMMBUludGVyMB4XDTE5MDgwNjAwMTIzNloXDTIw +MDgwNTAwMTIzNlowSDELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWEx +EzARBgNVBAoMCkdvb2dsZSBJbmMxDzANBgNVBAMMBkRldmljZTCCASIwDQYJKoZI +hvcNAQEBBQADggEPADCCAQoCggEBAMzdSv58B3VeDrXMPi707OC5dsTcipVoVbb6 +3Jyz8whV+1GmMhyepoIL9ta4O18J7WgpMpvjYBrjzjkQIUgqxWwqovZBXnQ1D4EY +OveDHnbC125HiJWoA07Yil/Vc+TmnK+eoR1EXY6LbfsrA8BfjD+kbUbyFKa1f5No +x/A4ALV7fqCM0llww9AEEnXWPBGWVIxXTDHM7gJknRZE4wNxl++Xad1CNjbWW3PB +zLm26SqKtkh/aVhKxaYAfcMnN+8JlQ3lS0caNCB8N3/jqFLeAucjtyI1gq70m0SL +VhDnJjWBCY7fJPOfyJQ/J9E3te4aUj6xW1Z3uq1MWj7lZiLe0aMCAwEAAaMaMBgw +CQYDVR0TBAIwADALBgNVHQ8EBAMCBaAwDQYJKoZIhvcNAQELBQADggEBAEYuudUx +wPaLD/nHg/gb09l2kugZuwZHjLT/+eO6x5RhVC6UfajCJOwRkhm01EZbbj1wvIoT +fJaBBTFlg4Ac3kiu+AD6fZO6y3HXVj4PB8Gv4Eps9ZdmjCCh9AlL1etozIeEZj9/ +8tKGbcqvJWhnecCSpdTBBk0MLWuCfOl2CrZnHx3dT/g3zBwYZ9bCLvUJsLpvLcsE +ZNs7txmnA7GalqTSssPPXpWmEA58xw302AvueWI9gVK9moB4uFYm7LHf7a97lNgB +jaiZBVgksLeo97lRD7Pb8cn2k/TuvxiQRr/YOgkKTVAUzQ9b0lmfqEDae3MXcZ23 +Ad8nzgaPgQFhd9I= +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIDfzCCAmegAwIBAgIUZ/OxvKAECjI257V5oss81xnc2XAwDQYJKoZIhvcNAQEL +BQAwQzELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkNBMRMwEQYDVQQKDApHb29nbGUg +SW5jMRIwEAYDVQQDDAlDYXN0IFJvb3QwHhcNMTkwODA2MDAxMTQ1WhcNMjAwODA1 +MDAxMTQ1WjBHMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTETMBEG +A1UECgwKR29vZ2xlIEluYzEOMAwGA1UEAwwFSW50ZXIwggEiMA0GCSqGSIb3DQEB +AQUAA4IBDwAwggEKAoIBAQC952VfCxoOegDWMs8xSuWFR13T05YPLFJnKGcyV7Bx +uAkekUKiHTaKIa6rC9Ewbd0ypN4+zDkF0rp9yMQ4tDbbda5T270ZP34qkNUyD8Uk +0DOfYqr6viNqjW74ju1zx/3FsH1e3B0cPY0iW5oLonp2Q+0T7EBPDcu7zajnydYc +bttzMwT6yJU7yQyEKsCNzCQPWiTHOmES2miZ+Gz15orSfwNuhoBiXNQ4A1ykIC1Y +wjXj41Sb+eWJ2sjuvm3Nn5juNJ6IowHb5AEyDUI0wVZWBA2xq1KO2HE+NqY4tXfv +E/xGECEFVLkuONqAoA5hkeBvz8o8H9E5UD05f/HtigihAgMBAAGjZzBlMAwGA1Ud 
+EwQFMAMBAf8wCwYDVR0PBAQDAgKkMEgGA1UdHgRBMD+gPTA7pDkwNzELMAkGA1UE +BhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExEzARBgNVBAoMCkdvb2dsZSBJbmMw +DQYJKoZIhvcNAQELBQADggEBAJ7xX5PtwrZqomPgzXvQ5eK3R2NPeOyHUZBLjXPw +Fj4G/0nXVhTjr0i+W2a2qFSz410jze7iFTSO0Q1ERgx8RMXblDbIz4j9sQ7N/IZW +RmZm4F2uL0n5h/d0Qiox8GcbNf6fF0rNkVor9WQ/6WWWdi8zaMK4vLEG5AIXSuwZ +ajFJuw60T8wo+Z9zH6vURiQ6y9LiWE9/rdotNKL3+hTErdBzjoPGNs+H/NenV0cN +Xg/L8LJZ4Ga/AYgE6ropu2KFHgVCDhkPAkKzYM0j7XcuSBhbuVJHDyz6lgGmmris +uXbxKKCP3kfmYWyW7kLvfxNx33JNDQA8blaMjGGtTp9ExKE= +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIDZzCCAk+gAwIBAgIUDPf4B2sjkZwIF6Y52sSwuJ4vVM0wDQYJKoZIhvcNAQEL +BQAwQzELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkNBMRMwEQYDVQQKDApHb29nbGUg +SW5jMRIwEAYDVQQDDAlDYXN0IFJvb3QwHhcNMTkwODA1MjMyNDAxWhcNMjAwODA0 +MjMyNDAxWjBDMQswCQYDVQQGEwJVUzELMAkGA1UECAwCQ0ExEzARBgNVBAoMCkdv +b2dsZSBJbmMxEjAQBgNVBAMMCUNhc3QgUm9vdDCCASIwDQYJKoZIhvcNAQEBBQAD +ggEPADCCAQoCggEBAMMVKzwrle/8d5Zk+pHXYDEf4PPhzH9pHYo1GqZfT3MPwzBy +/Eic0OvDOALvW3uKvG1mHCwVCpA0U2ca04vNfpuJO40aM6qboK+FRAQvIOOMcqct +IkEO2Kpdi1EbNMdiK+q0Y3NZE4sj/KQPLsbZDDWZwZnOZ0O+/lKPQgCLxhcd4NA8 +BxtSRYT91eKhuTxT3b2D2RkQXgXeipZcUbhxWPghSw7RJBzZgYVTy0KTgEMNa4MR +s004npf85OY0KI8jMVvL0k8qDWrycBmxdfGnq/v4PEmF+/509YdL3xBmy/oWkv/U +r7L5t54VCoJxV8ctO+ENYhzwDoJ+hBmetc0xxX0CAwEAAaNTMFEwHQYDVR0OBBYE +FPfGZ1MjpJ9JBm0gzEPjCBAsUU7eMB8GA1UdIwQYMBaAFPfGZ1MjpJ9JBm0gzEPj +CBAsUU7eMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAIXNSXFB +SlhsWvzWcO6OEXPqLfhbfaRoRep6AKB8qKOOZy4FG7IldsKFdcwtgBMb2zyNsy1v +NqdTSTsmeSuDftVlfB7HZjtYf1tPIu8YSY4434a6C1V9MzsOdXiyTDuQsP0uXQ6a +3zlF1Hcg7vvsKHbzMUVyDlrW3zFAoq56o/Sr4IYDdbF0pY1F35Q9QMrzV2g6ojBN +geC02ZVNHR+gXcKQNS0K2DoARL3YXsR16LYHuExjr4jVo52xGUQuhksz+6BxNgRa +z0SBA/MVy49PyoNg249Fk7qERCPFZblYums9gOr+ugEzKLEb0GKqFGY30sGVrca9 +iJM3zymJBA5WzzM= +-----END CERTIFICATE----- diff --git a/test/data/cast/common/certificate/certificates/nc_fail.pem b/test/data/cast/common/certificate/certificates/nc_fail.pem new file mode 100644 index 00000000..ef9348db --- /dev/null 
+++ b/test/data/cast/common/certificate/certificates/nc_fail.pem 
@@ -0,0 +1,62 @@ +-----BEGIN CERTIFICATE----- +MIIDNzCCAh+gAwIBAgIUaF+tYp/hmPb2cjFbuBNTiyEw9i8wDQYJKoZIhvcNAQEL +BQAwRzELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExEzARBgNVBAoM +Ckdvb2dsZSBJbmMxDjAMBgNVBAMMBUludGVyMB4XDTE5MDgwNjAwMTIyNloXDTIw +MDgwNTAwMTIyNlowSDELMAkGA1UEBhMCVVMxEzARBgNVBAgMCldhc2hpbmd0b24x +EzARBgNVBAoMCkdvb2dsZSBJbmMxDzANBgNVBAMMBkRldmljZTCCASIwDQYJKoZI +hvcNAQEBBQADggEPADCCAQoCggEBAMzdSv58B3VeDrXMPi707OC5dsTcipVoVbb6 +3Jyz8whV+1GmMhyepoIL9ta4O18J7WgpMpvjYBrjzjkQIUgqxWwqovZBXnQ1D4EY +OveDHnbC125HiJWoA07Yil/Vc+TmnK+eoR1EXY6LbfsrA8BfjD+kbUbyFKa1f5No +x/A4ALV7fqCM0llww9AEEnXWPBGWVIxXTDHM7gJknRZE4wNxl++Xad1CNjbWW3PB +zLm26SqKtkh/aVhKxaYAfcMnN+8JlQ3lS0caNCB8N3/jqFLeAucjtyI1gq70m0SL +VhDnJjWBCY7fJPOfyJQ/J9E3te4aUj6xW1Z3uq1MWj7lZiLe0aMCAwEAAaMaMBgw +CQYDVR0TBAIwADALBgNVHQ8EBAMCBaAwDQYJKoZIhvcNAQELBQADggEBADx7HAgT +nWOMvbYPzReenQpo5QbTKyhnazgLsuRZX/bgrdGfhEU7045fWWtbcGknd112Wqzq +PpV9mobkmmzrQ7TfMJq3hARSSvQEiByZuvO3+lteK7BUZonDTNGE4aNeVYXeNpNt +Ud3PTF4wK5Gw4euwl9Zf818HWjqn16XrYR0/jFb3MAGl1mFTyjQixqHR7bNMgxPL +z8NklTWi9jexaiM5HV7ZilhXAoUXy7I1kTp9saqXtiLZ1iP7KiIBHeXUN8WXt+3x +FXjEr+5b7Av5PuQyFnKorEiCRFh0gHmTK7/zvby4HDGMq9uPx38zYQ+/ZTNHvM98 +awZ4PHf/zljpzwA= +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIDfzCCAmegAwIBAgIUZ/OxvKAECjI257V5oss81xnc2XAwDQYJKoZIhvcNAQEL +BQAwQzELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkNBMRMwEQYDVQQKDApHb29nbGUg +SW5jMRIwEAYDVQQDDAlDYXN0IFJvb3QwHhcNMTkwODA2MDAxMTQ1WhcNMjAwODA1 +MDAxMTQ1WjBHMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTETMBEG +A1UECgwKR29vZ2xlIEluYzEOMAwGA1UEAwwFSW50ZXIwggEiMA0GCSqGSIb3DQEB +AQUAA4IBDwAwggEKAoIBAQC952VfCxoOegDWMs8xSuWFR13T05YPLFJnKGcyV7Bx +uAkekUKiHTaKIa6rC9Ewbd0ypN4+zDkF0rp9yMQ4tDbbda5T270ZP34qkNUyD8Uk +0DOfYqr6viNqjW74ju1zx/3FsH1e3B0cPY0iW5oLonp2Q+0T7EBPDcu7zajnydYc +bttzMwT6yJU7yQyEKsCNzCQPWiTHOmES2miZ+Gz15orSfwNuhoBiXNQ4A1ykIC1Y +wjXj41Sb+eWJ2sjuvm3Nn5juNJ6IowHb5AEyDUI0wVZWBA2xq1KO2HE+NqY4tXfv +E/xGECEFVLkuONqAoA5hkeBvz8o8H9E5UD05f/HtigihAgMBAAGjZzBlMAwGA1Ud 
+EwQFMAMBAf8wCwYDVR0PBAQDAgKkMEgGA1UdHgRBMD+gPTA7pDkwNzELMAkGA1UE +BhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExEzARBgNVBAoMCkdvb2dsZSBJbmMw +DQYJKoZIhvcNAQELBQADggEBAJ7xX5PtwrZqomPgzXvQ5eK3R2NPeOyHUZBLjXPw +Fj4G/0nXVhTjr0i+W2a2qFSz410jze7iFTSO0Q1ERgx8RMXblDbIz4j9sQ7N/IZW +RmZm4F2uL0n5h/d0Qiox8GcbNf6fF0rNkVor9WQ/6WWWdi8zaMK4vLEG5AIXSuwZ +ajFJuw60T8wo+Z9zH6vURiQ6y9LiWE9/rdotNKL3+hTErdBzjoPGNs+H/NenV0cN +Xg/L8LJZ4Ga/AYgE6ropu2KFHgVCDhkPAkKzYM0j7XcuSBhbuVJHDyz6lgGmmris +uXbxKKCP3kfmYWyW7kLvfxNx33JNDQA8blaMjGGtTp9ExKE= +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIDZzCCAk+gAwIBAgIUDPf4B2sjkZwIF6Y52sSwuJ4vVM0wDQYJKoZIhvcNAQEL +BQAwQzELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkNBMRMwEQYDVQQKDApHb29nbGUg +SW5jMRIwEAYDVQQDDAlDYXN0IFJvb3QwHhcNMTkwODA1MjMyNDAxWhcNMjAwODA0 +MjMyNDAxWjBDMQswCQYDVQQGEwJVUzELMAkGA1UECAwCQ0ExEzARBgNVBAoMCkdv +b2dsZSBJbmMxEjAQBgNVBAMMCUNhc3QgUm9vdDCCASIwDQYJKoZIhvcNAQEBBQAD +ggEPADCCAQoCggEBAMMVKzwrle/8d5Zk+pHXYDEf4PPhzH9pHYo1GqZfT3MPwzBy +/Eic0OvDOALvW3uKvG1mHCwVCpA0U2ca04vNfpuJO40aM6qboK+FRAQvIOOMcqct +IkEO2Kpdi1EbNMdiK+q0Y3NZE4sj/KQPLsbZDDWZwZnOZ0O+/lKPQgCLxhcd4NA8 +BxtSRYT91eKhuTxT3b2D2RkQXgXeipZcUbhxWPghSw7RJBzZgYVTy0KTgEMNa4MR +s004npf85OY0KI8jMVvL0k8qDWrycBmxdfGnq/v4PEmF+/509YdL3xBmy/oWkv/U +r7L5t54VCoJxV8ctO+ENYhzwDoJ+hBmetc0xxX0CAwEAAaNTMFEwHQYDVR0OBBYE +FPfGZ1MjpJ9JBm0gzEPjCBAsUU7eMB8GA1UdIwQYMBaAFPfGZ1MjpJ9JBm0gzEPj +CBAsUU7eMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAIXNSXFB +SlhsWvzWcO6OEXPqLfhbfaRoRep6AKB8qKOOZy4FG7IldsKFdcwtgBMb2zyNsy1v +NqdTSTsmeSuDftVlfB7HZjtYf1tPIu8YSY4434a6C1V9MzsOdXiyTDuQsP0uXQ6a +3zlF1Hcg7vvsKHbzMUVyDlrW3zFAoq56o/Sr4IYDdbF0pY1F35Q9QMrzV2g6ojBN +geC02ZVNHR+gXcKQNS0K2DoARL3YXsR16LYHuExjr4jVo52xGUQuhksz+6BxNgRa +z0SBA/MVy49PyoNg249Fk7qERCPFZblYums9gOr+ugEzKLEb0GKqFGY30sGVrca9 +iJM3zymJBA5WzzM= +-----END CERTIFICATE----- |
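Review bot: In the README.md hunk, the `openssl x509 -req` command is wrapped over three lines without trailing `\`, so it fails when pasted into a shell; add the continuations or keep it on one line. The closing note is also hard to act on: it says extensions "are transferred" between CSRs and X509 certs, which reads like working behaviour rather than a bug, so state what actually goes wrong with `-reqexts` and link the OpenSSL issue. Because the chains are issued with `-days 365`, the README should also say whether the tests verify at a fixed time or the files have to be regenerated once they expire.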
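Review bot: In extensions.conf, `[v3_ca_nc]` sets `nameConstraints=permitted;dirName:dn` without `critical`, while RFC 5280 section 4.2.1.10 requires conforming CAs to mark the name constraints extension critical; the same section of the file sets `basicConstraints=CA:TRUE` non-critical, which section 4.2.1.9 also asks CAs to mark critical. For a change whose purpose is RFC 5280 conformance, consider `nameConstraints=critical,permitted;dirName:dn` and `basicConstraints=critical,CA:TRUE`, or add a comment in the file saying the non-critical form is deliberate so the verifier is exercised on it.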
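Review bot: nc.pem and nc_fail.pem are each three bare PEM blocks with nothing stating the chain order or what makes nc_fail.pem fail; only the first block differs between the two files. Record in README.md the subject values entered at `openssl req` for each device certificate and which `[dn]` attribute the failing one falls outside of, so the negative case can be reviewed and regenerated without decoding the DER.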