c03c218190
First, I spelled the wildcard name constraint in many_constraints.pem wrong. It's .test, not *.test for name constraints. (This doesn't matter for some_names*.pem, but it does to avoid a false negative in many_names3.pem.) Second, the CN of certs should be a host, not "Leaf". OpenSSL 1.1.0 checks "host-like" CNs against name constraints too and "Leaf" is host-like. I've also made the generator deterministic and checked it in, as PEM blobs are not reviewable. Change-Id: I195d9846315168a792cca829aff25c986339b8f5 Reviewed-on: https://boringssl-review.googlesource.com/20584 Reviewed-by: David Benjamin <davidben@google.com>
179 lines
6.0 KiB
Go
179 lines
6.0 KiB
Go
/* Copyright (c) 2017, Google Inc.
|
|
*
|
|
* Permission to use, copy, modify, and/or distribute this software for any
|
|
* purpose with or without fee is hereby granted, provided that the above
|
|
* copyright notice and this permission notice appear in all copies.
|
|
*
|
|
* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
|
|
* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
|
|
* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
|
|
* SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
|
|
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
|
|
* OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
|
|
* CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
|
|
|
|
// make_many_constraints.go generates test certificates many_constraints.pem,
|
|
// many_names*.pem, and some_names*.pem for x509_test.cc
|
|
package main
|
|
|
|
import (
|
|
"crypto/rand"
|
|
"crypto/rsa"
|
|
"crypto/x509"
|
|
"crypto/x509/pkix"
|
|
"encoding/asn1"
|
|
"encoding/pem"
|
|
"fmt"
|
|
"math/big"
|
|
"os"
|
|
"time"
|
|
)
|
|
|
|
const privateKeyPEM = `-----BEGIN PRIVATE KEY-----
|
|
MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQC6C9qEGRIBQXV8
|
|
Lj29vVu+U+tyXzSSinWIumK5ijPhCm3DLnv4RayxkFwemtnkGRZ/o94ZnsXkBfU/
|
|
IlsYdkuq8wK9WI/ql3gwWjH+KARIhIQcSLGiJcLN6kGuG2nlRBKMcPgPiEq2B0yB
|
|
XFf4tG3CBbeae7+8G7uvOmv8NLyKj32neWpnUCTL5o2VwyPoxjLxT5gUR69v9XSV
|
|
Fj2irCZbsEedeKSb++LqyMhLfnRTzNv+ZHNh4izZHrktR25MvnT5QyBq32hx7AjZ
|
|
2/xo70OmH7w10a2DwsVjJNMdxTEmgyvU9M6CeYRPX1Ykfg+sXCTtkTVAlBDUviIq
|
|
Y95CKy25AgMBAAECggEAHPvvxRiqx2tNRFVn5QF1I4erbJwMcrADc5OmAcXYIz0e
|
|
sIOzaJBiQR9+Wn5BZ9nIuYXr+g3UQpvzAyz1CDCVxUIqsRj1AtUqMk4675+IW0vZ
|
|
0RY6Jkq/uJjANsGqk78xLJQE8VaIXSdx8c1THznsx4dgfT6+Ni4T5U6yuA33OZaw
|
|
4NdYZYtEkqNiqK6VYe4mAxxVh5qscihVVMGkBVqJNiiEotctm1lph8ow+7o8ggXO
|
|
W9xm+RHHPcH7Epx7hjkb/helANcYOK950W5/R+2zWV9R6kxo6R+/hfGFFmCvl4k5
|
|
+i8Y0IlEv3fze1E0Lwyf379i3C/cKcuaE5gwR54BAQKBgQDxlsNy9M37HgguglHt
|
|
8W+cuPNtxNjFCWIjNR9dSvdr1Oi28Z1AY+BBPSv6UBKnT5PpOFjqxfMY/j/zoKdI
|
|
aYX1phgeQHXcHrB1pS8yoaF/pTJSN2Yb8v9kl/Ch1yeYXaNVGmeBLkH9H6wIcUxD
|
|
Mas1i8VUzshzhcluCNGoJj9wUQKBgQDFJOoWncssfWCrsuDWEoeU71Zh3+bD96GF
|
|
s29CdIbHpcbxhWYjA9RM8yxbGPopexzoGcV1HX6j8E1s0xfYZJV23rxoM9Zj9l5D
|
|
mZAJQPxYXIdu3h4PslhZLd3p+DEHjbsLC/avk3M4iZim1FMPBJMswKSL23ysqXoY
|
|
/ynor+W06QKBgHYeu6M6NHgCYAe1ai+Hq4WaHFNgOohkJRqHv7USkVSkvb+s9LDl
|
|
5GChcx4pBmXNj8ko5rirXkerEEOjGgdaqMfJlOM9qyKb0rVCtYfw5RCPCcKPGZqy
|
|
vdJGQ74tf0uNBO34QgE0R8lmMevS0XHNGCPPGgV0MSfikvD82N15De1xAoGAbsZM
|
|
RsMJfAlDPZc4oPEuf/BwMHTYPTsy5map2MSTSzGKdQHJH1myfD6TqOiDALXtyzlX
|
|
63PUShfn2YNPvcbe+Tk00rR1/htcYk2yUpDSenAbpZ9ncth6rjmInURZgG4SMKXb
|
|
SlLnBljCjtN1jFW8wQPKMc/14SslsVAHY3ka8KkCgYB58QNT1YfH3jS62+mT2pXq
|
|
qLjLqvsD742VYnFoHR+HBOnN8ry0dda4lgwM106L5FgSg9DOZvASZ+QGFk+QVQv+
|
|
c77ASWpuhmBmamZCrwZXrq9Xc92RDPkKFqnP9MVv06hYKNp0moSdM8dIaM6uSows
|
|
/r/aDs4oudubz26o5GDKmA==
|
|
-----END PRIVATE KEY-----`
|
|
|
|
var privateKey *rsa.PrivateKey
|
|
|
|
func init() {
|
|
in := []byte(privateKeyPEM)
|
|
keyBlock, in := pem.Decode(in)
|
|
if keyBlock == nil || keyBlock.Type != "PRIVATE KEY" {
|
|
panic("could not decode private key")
|
|
}
|
|
key, err := x509.ParsePKCS8PrivateKey(keyBlock.Bytes)
|
|
if err != nil {
|
|
panic(err)
|
|
}
|
|
privateKey = key.(*rsa.PrivateKey)
|
|
}
|
|
|
|
func randOrDie(out []byte) {
|
|
if _, err := rand.Reader.Read(out); err != nil {
|
|
panic(err)
|
|
}
|
|
}
|
|
|
|
func writePEM(path string, in []byte) {
|
|
file, err := os.Create(path)
|
|
if err != nil {
|
|
panic(err)
|
|
}
|
|
defer file.Close()
|
|
err = pem.Encode(file, &pem.Block{Type: "CERTIFICATE", Bytes: in})
|
|
if err != nil {
|
|
panic(err)
|
|
}
|
|
}
|
|
|
|
func main() {
|
|
notBefore, err := time.Parse(time.RFC3339, "2000-01-01T00:00:00Z")
|
|
if err != nil {
|
|
panic(err)
|
|
}
|
|
notAfter, err := time.Parse(time.RFC3339, "2100-01-01T00:00:00Z")
|
|
if err != nil {
|
|
panic(err)
|
|
}
|
|
|
|
caTemplate := x509.Certificate{
|
|
SerialNumber: new(big.Int).SetInt64(1),
|
|
Subject: pkix.Name{CommonName: "CA"},
|
|
NotBefore: notBefore,
|
|
NotAfter: notAfter,
|
|
BasicConstraintsValid: true,
|
|
IsCA: true,
|
|
ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
|
|
KeyUsage: x509.KeyUsageCertSign,
|
|
SignatureAlgorithm: x509.SHA256WithRSA,
|
|
}
|
|
for i := 0; i < 513; i++ {
|
|
caTemplate.ExcludedDNSDomains = append(caTemplate.ExcludedDNSDomains, fmt.Sprintf("x%d.test", i))
|
|
}
|
|
for i := 0; i < 513; i++ {
|
|
caTemplate.PermittedDNSDomains = append(caTemplate.PermittedDNSDomains, fmt.Sprintf("t%d.test", i))
|
|
}
|
|
caTemplate.PermittedDNSDomains = append(caTemplate.PermittedDNSDomains, ".test")
|
|
caBytes, err := x509.CreateCertificate(rand.Reader, &caTemplate, &caTemplate, &privateKey.PublicKey, privateKey)
|
|
if err != nil {
|
|
panic(err)
|
|
}
|
|
writePEM("many_constraints.pem", caBytes)
|
|
|
|
ca, err := x509.ParseCertificate(caBytes)
|
|
if err != nil {
|
|
panic(err)
|
|
}
|
|
|
|
leaves := []struct {
|
|
path string
|
|
names int
|
|
emails int
|
|
}{
|
|
{"many_names1.pem", 513, 513},
|
|
{"many_names2.pem", 1025, 0},
|
|
{"many_names3.pem", 0, 1025},
|
|
{"some_names1.pem", 256, 256},
|
|
{"some_names2.pem", 513, 0},
|
|
{"some_names3.pem", 0, 513},
|
|
}
|
|
for i, leaf := range leaves {
|
|
leafTemplate := x509.Certificate{
|
|
SerialNumber: new(big.Int).SetInt64(int64(i + 2)),
|
|
Subject: pkix.Name{CommonName: "t0.test"},
|
|
NotBefore: notBefore,
|
|
NotAfter: notAfter,
|
|
BasicConstraintsValid: true,
|
|
IsCA: false,
|
|
ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
|
|
KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
|
|
SignatureAlgorithm: x509.SHA256WithRSA,
|
|
}
|
|
for i := 0; i < leaf.names; i++ {
|
|
leafTemplate.DNSNames = append(leafTemplate.DNSNames, fmt.Sprintf("t%d.test", i))
|
|
}
|
|
for i := 0; i < leaf.emails; i++ {
|
|
leafTemplate.Subject.ExtraNames = append(leafTemplate.Subject.ExtraNames, pkix.AttributeTypeAndValue{
|
|
Type: []int{1, 2, 840, 113549, 1, 9, 1},
|
|
Value: asn1.RawValue{
|
|
Class: asn1.ClassUniversal,
|
|
Tag: asn1.TagIA5String,
|
|
IsCompound: false,
|
|
Bytes: []byte(fmt.Sprintf("t%d@test", i)),
|
|
},
|
|
})
|
|
}
|
|
leafBytes, err := x509.CreateCertificate(rand.Reader, &leafTemplate, ca, &privateKey.PublicKey, privateKey)
|
|
if err != nil {
|
|
panic(err)
|
|
}
|
|
|
|
writePEM(leaf.path, leafBytes)
|
|
}
|
|
}
|