Mirror of BoringSSL (grpc dependency)
https://boringssl.googlesource.com/boringssl
README.md
This test verifies behavior when a certificate has an unparseable/unsupported SPKI. It should be handled equivalently to a certificate with a failed signature verification: further processing should be short-circuited. The certificate chain has 2 problems:
- leaf is expired
- intermediate has invalid SPKI
The verification should fail with only the SPKI parsing error, since further processing should be short-circuited.
Instructions for generating test certificate chain:
- `cp ../expired-target/chain.pem .`
- extract intermediate cert to `int-pre.pem`
- `print_certificates --output=der2ascii int-pre.pem > int.derascii`
- edit `int.derascii` to replace SPKI OID with something invalid
- extract the TBSCertificate part of the certificate to `int.tbs.derascii`
- `ascii2der < int.tbs.derascii > int.tbs.der`
- generate new signature: `openssl pkeyutl -sign -rawin -in int.tbs.der -digest sha256 -inkey ../expired-target/keys/Root.key -out - | xxd -p -c 0`
- replace the signature hex in `int.derascii`
- `ascii2der < int.derascii > int.der`
- `print_certificates --output=openssl_text,pem int.der > int.pem`
- replace the intermediate certificate in `chain.pem` with the contents of `int.pem`
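The behavior this test pins down, as an added example (a simplified Python model, not BoringSSL's verifier code): a chain walk that stops at the first issuer key it cannot parse, so the expired leaf is never reported. Assumptions: `read_tlv`, `spki_algorithm` and `verify_chain` are hypothetical names, no signature is actually verified, and the SPKI byte strings are constructed samples with placeholder keys.

```python
from datetime import datetime

# DER contents of the key-algorithm OIDs this model accepts.
SUPPORTED = {bytes.fromhex("2a864886f70d010101"): "rsaEncryption",
             bytes.fromhex("2a8648ce3d0201"): "id-ecPublicKey"}

def read_tlv(buf):
    """Return (tag, contents) of the first DER element in buf (definite lengths)."""
    if len(buf) < 2:
        raise ValueError("truncated DER")
    tag, length, pos = buf[0], buf[1], 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length]

def spki_algorithm(spki):
    """Walk SPKI -> AlgorithmIdentifier -> OID; raise ValueError if unusable."""
    t1, body = read_tlv(spki)
    t2, alg = read_tlv(body)
    t3, oid = read_tlv(alg)
    if (t1, t2, t3) != (0x30, 0x30, 0x06):
        raise ValueError("malformed SPKI")
    if oid not in SUPPORTED:
        raise ValueError("unsupported SPKI algorithm OID " + oid.hex())
    return SUPPORTED[oid]

def verify_chain(chain, now):
    """chain: (name, spki_der, not_after) tuples ordered root -> leaf."""
    errors = []
    for i, (name, _, not_after) in enumerate(chain):
        if i:  # a cert's signature is checked first, which needs the issuer's key
            issuer_name, issuer_spki, _ = chain[i - 1]
            try:
                spki_algorithm(issuer_spki)
            except ValueError as e:
                return errors + [f"{issuer_name}: {e}"]  # short-circuit here
        if now > not_after:
            errors.append(f"{name}: expired")
    return errors

# Constructed sample data: 1-byte placeholder keys; BAD_SPKI has a made-up OID.
GOOD_SPKI = bytes.fromhex("3012300d06092a864886f70d0101010500030100")
BAD_SPKI = bytes.fromhex("3012300d06092a864886f70d01017f0500030100")
NOW, LATER, PAST = datetime(2024, 1, 1), datetime(2034, 1, 1), datetime(2020, 1, 1)
CHAIN = [("root", GOOD_SPKI, LATER), ("intermediate", BAD_SPKI, LATER),
         ("leaf", GOOD_SPKI, PAST)]
```

`verify_chain(CHAIN, NOW)` returns one error, for the intermediate's SPKI; swapping `GOOD_SPKI` back into the intermediate yields only the leaf expiry error.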