TlsCreds: Support revocation of intermediate in chain. (#32544)
This PR is a small code change with a lot of new test data. [In OpenSSL, there are two flags that configure CRL checks. Copying the relevant section:](https://www.openssl.org/docs/man1.0.2/man3/X509_VERIFY_PARAM_get_depth.html) > - X509_V_FLAG_CRL_CHECK enables CRL checking for the certificate chain leaf certificate. An error occurs if a suitable CRL cannot be found. > - X509_V_FLAG_CRL_CHECK_ALL enables CRL checking for the entire certificate chain. We currently only set `X509_V_FLAG_CRL_CHECK`, so we will only ever check if the leaf certificate is revoked. We should check the whole chain. I am open to making this a user configuration if we want to do it that way, but we certainly need to be able to check the whole chain. So, this PR contains the small code change in `ssl_transport_security.cc` to use the `X509_V_FLAG_CRL_CHECK_ALL` flag. Then the rest of the changes are in tests. I've added all the necessary files to have a chain built that looks as follows `Root CA -> Revoked Intermediate CA -> Leaf Certificate`, and added a test for this case as well. You can verify that on master this new test will fail (i.e. the handshake will succeed even though the intermediate CA is revoked) by checking out this branch, running `git checkout master -- ./src/core/tsi/ssl_transport_security.cc`, then running the test. I also slightly reorganized test/core/tsi/test_creds/ so that the CRLs are in their own directory, which is the way our API intends to accept CRLs.pull/32693/head
parent
3679f5ee75
commit
a4f345ff96
32 changed files with 530 additions and 32 deletions
@ -1 +0,0 @@ |
||||
valid.pem |
@ -1 +0,0 @@ |
||||
ca.pem |
@ -1 +0,0 @@ |
||||
revoked.pem |
@ -0,0 +1,20 @@ |
||||
# Copyright 2021 gRPC authors. |
||||
# |
||||
# Licensed under the Apache License, Version 2.0 (the "License"); |
||||
# you may not use this file except in compliance with the License. |
||||
# You may obtain a copy of the License at |
||||
# |
||||
# http://www.apache.org/licenses/LICENSE-2.0 |
||||
# |
||||
# Unless required by applicable law or agreed to in writing, software |
||||
# distributed under the License is distributed on an "AS IS" BASIS, |
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
||||
# See the License for the specific language governing permissions and |
||||
# limitations under the License. |
||||
|
||||
licenses(["notice"]) |
||||
|
||||
exports_files([ |
||||
"ab06acdd.r0", |
||||
"b9322cac.r0", |
||||
]) |
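Review bot: The license header on this new BUILD file says `# Copyright 2021 gRPC authors.` while the generation script added in the same change is dated 2023; the two sibling BUILD files for `crls_missing_intermediate` and `crls_missing_root` carry the same 2021 year. This looks like a copy-paste from an older file rather than a deliberate date. Change the header line to `# Copyright 2023 gRPC authors.` in all three so the header reflects when the fixtures were created.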
@ -0,0 +1 @@ |
||||
intermediate.crl |
@ -0,0 +1,15 @@ |
||||
-----BEGIN X509 CRL----- |
||||
MIICUDCCATgCAQEwDQYJKoZIhvcNAQELBQAwVjELMAkGA1UEBhMCQVUxEzARBgNV |
||||
BAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5IEx0 |
||||
ZDEPMA0GA1UEAwwGdGVzdGNhFw0yMzAzMDMxODA2NDNaFw0zMzAyMjgxODA2NDNa |
||||
MIGcMCUCFEpMyQOrk+uXDu20PhHwDJeua83mFw0yMzAzMDMxNjU5NTNaMCUCFEpM |
||||
yQOrk+uXDu20PhHwDJeua83nFw0yMzAzMDMxNzMxNDBaMCUCFEpMyQOrk+uXDu20 |
||||
PhHwDJeua83xFw0yMzAzMDMxODA2NDNaMCUCFFIgumScY9chZ0u8tUhjsOUh38hB |
||||
Fw0yMjAyMDQyMjExMTFaoA8wDTALBgNVHRQEBAICEAgwDQYJKoZIhvcNAQELBQAD |
||||
ggEBADohIZwm/gWLIc2yFJJbKzkdRmOq1s/MqnJxi5NutNumXTIPrZJqGzk8O4U6 |
||||
VasicIB2YD0o3arzUxCDyHv7VyJI7SVS0lqlmOxoOEOv2+CB6MxAOdKItkzbVVxu |
||||
0erx5HcKAGa7ZIAeekX1F1DcAgpN5Gt5uGhkMw3ObTCpEFRw+ZKET3WFQ6bG4AJ6 |
||||
GwOnNYG1LjaNigxG/k4K7A+grs/XnsNcpULbCROl7Qw4kyf1esrjS9utEO0YQQz4 |
||||
LgBTPZzQHlsirmxp+e5WR8LiDsKmbmAaBL+gV1Bkjj73c4pNJvoV/V1Ubdv0LCvH |
||||
DjrJtp10F0RGMRm6m9OuZYUSFzs= |
||||
-----END X509 CRL----- |
@ -0,0 +1,11 @@ |
||||
-----BEGIN X509 CRL----- |
||||
MIIBojCBiwIBATANBgkqhkiG9w0BAQsFADAnMSUwIwYDVQQDDBxpbnRlcm1lZGlh |
||||
dGVjZXJ0LmV4YW1wbGUuY29tFw0yMzAzMDMxODA2NDNaFw0zMzAyMjgxODA2NDNa |
||||
oDAwLjAfBgNVHSMEGDAWgBQntaYTZK7gR27u8WK7r/uIsnctozALBgNVHRQEBAIC |
||||
EAAwDQYJKoZIhvcNAQELBQADggEBAFrJtN/19+NMpZxNkm3FrJpcCNIRtyE/oVo/ |
||||
Hympoe7BJjvaCVd5R0xBye+18X2woBMC4/ejTAI/6UF7FuFf6VakGJjEcg5A6616 |
||||
DDEaAvyWzX85Gv+ZF4ahYFNSrJtNZtHwT9ws0vgveeLFRJX8eYiPzVUAwKunh8n1 |
||||
Q9AefCUjspcXlCd6L5mI3BILeIxgBW+2/njtQsFZGp/gqsyjsHA/FGOXrRhhwH7y |
||||
BJSvFFrrQMKasgZBJ9f4ZN85//H397erNYenDPximpSg99IP84eODuO4opZaKiTk |
||||
CUKMjLTM5lUvLVmM/Qr3IsmzphGqHHzwkgfHVPl7xCRoBx2hzPU= |
||||
-----END X509 CRL----- |
@ -0,0 +1,19 @@ |
||||
# Copyright 2021 gRPC authors. |
||||
# |
||||
# Licensed under the Apache License, Version 2.0 (the "License"); |
||||
# you may not use this file except in compliance with the License. |
||||
# You may obtain a copy of the License at |
||||
# |
||||
# http://www.apache.org/licenses/LICENSE-2.0 |
||||
# |
||||
# Unless required by applicable law or agreed to in writing, software |
||||
# distributed under the License is distributed on an "AS IS" BASIS, |
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
||||
# See the License for the specific language governing permissions and |
||||
# limitations under the License. |
||||
|
||||
licenses(["notice"]) |
||||
|
||||
exports_files([ |
||||
"ab06acdd.r0", |
||||
]) |
@ -0,0 +1 @@ |
||||
current.crl |
@ -0,0 +1,15 @@ |
||||
-----BEGIN X509 CRL----- |
||||
MIICUDCCATgCAQEwDQYJKoZIhvcNAQELBQAwVjELMAkGA1UEBhMCQVUxEzARBgNV |
||||
BAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5IEx0 |
||||
ZDEPMA0GA1UEAwwGdGVzdGNhFw0yMzAzMDMxODA2NDNaFw0zMzAyMjgxODA2NDNa |
||||
MIGcMCUCFEpMyQOrk+uXDu20PhHwDJeua83mFw0yMzAzMDMxNjU5NTNaMCUCFEpM |
||||
yQOrk+uXDu20PhHwDJeua83nFw0yMzAzMDMxNzMxNDBaMCUCFEpMyQOrk+uXDu20 |
||||
PhHwDJeua83xFw0yMzAzMDMxODA2NDNaMCUCFFIgumScY9chZ0u8tUhjsOUh38hB |
||||
Fw0yMjAyMDQyMjExMTFaoA8wDTALBgNVHRQEBAICEAgwDQYJKoZIhvcNAQELBQAD |
||||
ggEBADohIZwm/gWLIc2yFJJbKzkdRmOq1s/MqnJxi5NutNumXTIPrZJqGzk8O4U6 |
||||
VasicIB2YD0o3arzUxCDyHv7VyJI7SVS0lqlmOxoOEOv2+CB6MxAOdKItkzbVVxu |
||||
0erx5HcKAGa7ZIAeekX1F1DcAgpN5Gt5uGhkMw3ObTCpEFRw+ZKET3WFQ6bG4AJ6 |
||||
GwOnNYG1LjaNigxG/k4K7A+grs/XnsNcpULbCROl7Qw4kyf1esrjS9utEO0YQQz4 |
||||
LgBTPZzQHlsirmxp+e5WR8LiDsKmbmAaBL+gV1Bkjj73c4pNJvoV/V1Ubdv0LCvH |
||||
DjrJtp10F0RGMRm6m9OuZYUSFzs= |
||||
-----END X509 CRL----- |
@ -0,0 +1,19 @@ |
||||
# Copyright 2021 gRPC authors. |
||||
# |
||||
# Licensed under the Apache License, Version 2.0 (the "License"); |
||||
# you may not use this file except in compliance with the License. |
||||
# You may obtain a copy of the License at |
||||
# |
||||
# http://www.apache.org/licenses/LICENSE-2.0 |
||||
# |
||||
# Unless required by applicable law or agreed to in writing, software |
||||
# distributed under the License is distributed on an "AS IS" BASIS, |
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
||||
# See the License for the specific language governing permissions and |
||||
# limitations under the License. |
||||
|
||||
licenses(["notice"]) |
||||
|
||||
exports_files([ |
||||
"b9322cac.r0", |
||||
]) |
@ -0,0 +1 @@ |
||||
intermediate.crl |
@ -0,0 +1,11 @@ |
||||
-----BEGIN X509 CRL----- |
||||
MIIBojCBiwIBATANBgkqhkiG9w0BAQsFADAnMSUwIwYDVQQDDBxpbnRlcm1lZGlh |
||||
dGVjZXJ0LmV4YW1wbGUuY29tFw0yMzAzMDMxODA2NDNaFw0zMzAyMjgxODA2NDNa |
||||
oDAwLjAfBgNVHSMEGDAWgBQntaYTZK7gR27u8WK7r/uIsnctozALBgNVHRQEBAIC |
||||
EAAwDQYJKoZIhvcNAQELBQADggEBAFrJtN/19+NMpZxNkm3FrJpcCNIRtyE/oVo/ |
||||
Hympoe7BJjvaCVd5R0xBye+18X2woBMC4/ejTAI/6UF7FuFf6VakGJjEcg5A6616 |
||||
DDEaAvyWzX85Gv+ZF4ahYFNSrJtNZtHwT9ws0vgveeLFRJX8eYiPzVUAwKunh8n1 |
||||
Q9AefCUjspcXlCd6L5mI3BILeIxgBW+2/njtQsFZGp/gqsyjsHA/FGOXrRhhwH7y |
||||
BJSvFFrrQMKasgZBJ9f4ZN85//H397erNYenDPximpSg99IP84eODuO4opZaKiTk |
||||
CUKMjLTM5lUvLVmM/Qr3IsmzphGqHHzwkgfHVPl7xCRoBx2hzPU= |
||||
-----END X509 CRL----- |
@ -1,12 +1,15 @@ |
||||
-----BEGIN X509 CRL----- |
||||
MIIB2TCBwgIBATANBgkqhkiG9w0BAQsFADBWMQswCQYDVQQGEwJBVTETMBEGA1UE |
||||
CAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRk |
||||
MQ8wDQYDVQQDDAZ0ZXN0Y2EXDTIyMDIwNDIyMTI1MFoXDTMyMDIwMjIyMTI1MFow |
||||
JzAlAhRSILpknGPXIWdLvLVIY7DlId/IQRcNMjIwMjA0MjIxMTExWqAPMA0wCwYD |
||||
VR0UBAQCAhABMA0GCSqGSIb3DQEBCwUAA4IBAQAZXNfxSjT/EZDTGV71eE0jKKsg |
||||
Ur8TNkRGypZXbV8cQ+YFlqt2Zp+dsWEP2FLsc048QGVe4sRuJrPOm7eSmvgZUHSX |
||||
l1yI2T6si1wxhX2DKIKDZGWWYx6rOyocL9EjhxZjLSeJ43eLxzD6TnGE29cbDLXv |
||||
bs9slsGyc+UZaD9KY9RpeJjQEV0Yh7+iwIG3PBVKNSFR2R2m8XK+Ioc5Z7zsWwZu |
||||
7gCZ/CW/07/SXfFxM6Q8XTRFStIjqb3cuwivc+ig/X+RbpxDygy0SQA/oJXuABIh |
||||
0y4+YxRUQauODK4vxLPeC1m7tHyh1poVY/jnp3tAn3ax6uFbwDz1wbNtTOeT |
||||
MIICUDCCATgCAQEwDQYJKoZIhvcNAQELBQAwVjELMAkGA1UEBhMCQVUxEzARBgNV |
||||
BAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5IEx0 |
||||
ZDEPMA0GA1UEAwwGdGVzdGNhFw0yMzAzMDMxODA2NDNaFw0zMzAyMjgxODA2NDNa |
||||
MIGcMCUCFEpMyQOrk+uXDu20PhHwDJeua83mFw0yMzAzMDMxNjU5NTNaMCUCFEpM |
||||
yQOrk+uXDu20PhHwDJeua83nFw0yMzAzMDMxNzMxNDBaMCUCFEpMyQOrk+uXDu20 |
||||
PhHwDJeua83xFw0yMzAzMDMxODA2NDNaMCUCFFIgumScY9chZ0u8tUhjsOUh38hB |
||||
Fw0yMjAyMDQyMjExMTFaoA8wDTALBgNVHRQEBAICEAgwDQYJKoZIhvcNAQELBQAD |
||||
ggEBADohIZwm/gWLIc2yFJJbKzkdRmOq1s/MqnJxi5NutNumXTIPrZJqGzk8O4U6 |
||||
VasicIB2YD0o3arzUxCDyHv7VyJI7SVS0lqlmOxoOEOv2+CB6MxAOdKItkzbVVxu |
||||
0erx5HcKAGa7ZIAeekX1F1DcAgpN5Gt5uGhkMw3ObTCpEFRw+ZKET3WFQ6bG4AJ6 |
||||
GwOnNYG1LjaNigxG/k4K7A+grs/XnsNcpULbCROl7Qw4kyf1esrjS9utEO0YQQz4 |
||||
LgBTPZzQHlsirmxp+e5WR8LiDsKmbmAaBL+gV1Bkjj73c4pNJvoV/V1Ubdv0LCvH |
||||
DjrJtp10F0RGMRm6m9OuZYUSFzs= |
||||
-----END X509 CRL----- |
||||
|
@ -1 +1 @@ |
||||
1002 |
||||
1009 |
||||
|
@ -1 +1,4 @@ |
||||
R 311201211735Z 220204221111Z 5220BA649C63D721674BBCB54863B0E521DFC841 unknown /C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=revoked |
||||
R 330228163732Z 230303165953Z 4A4CC903AB93EB970EEDB43E11F00C97AE6BCDE6 unknown /CN=intermediatecert.example.com |
||||
R 330228173104Z 230303173140Z 4A4CC903AB93EB970EEDB43E11F00C97AE6BCDE7 unknown /CN=intermediatecert.example.com |
||||
R 330228180643Z 230303180643Z 4A4CC903AB93EB970EEDB43E11F00C97AE6BCDF1 unknown /CN=intermediatecert.example.com |
||||
|
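Review bot: The new index.txt carries three revoked entries for `/CN=intermediatecert.example.com` (serials ending `…E6`, `…E7`, `…F1`), but only `…F1` matches the serial embedded in the committed `intermediate_ca.pem`; the other two presumably come from earlier runs of the generation script, which revokes against the root database without ever resetting it, so every rerun appends another serial. The regenerated `current.crl` therefore lists two serials that no fixture in the tree corresponds to. That is harmless for the revocation check itself, but it makes the fixture misleading when someone diffs the CRL against the certs, and it will keep growing on each regeneration. Consider pruning the stale `…E6` and `…E7` rows, regenerating `current.crl`, and having the script truncate or snapshot the root `index.txt` before it calls `openssl ca -revoke`.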
@ -0,0 +1,38 @@ |
||||
[ca] |
||||
default_ca = CA_intermediate |
||||
|
||||
[CA_intermediate] |
||||
dir = . |
||||
certs = $dir/certs |
||||
crl_dir = $dir/crl |
||||
new_certs_dir = $dir/newcerts |
||||
database = $dir/index.txt |
||||
serial = $dir/serial |
||||
RANDFILE = $dir/private/.rand |
||||
private_key = $dir/intermediate_ca.key |
||||
certificate = $dir/intermediate_ca.pem |
||||
crl = $dir/intermediate.crl |
||||
|
||||
# For certificate revocation lists. |
||||
crlnumber = $dir/crlnumber |
||||
crl = $dir/crl/intermediate.crl |
||||
crl_extensions = crl_ext |
||||
default_crl_days = 3650 |
||||
|
||||
default_md = sha256 |
||||
|
||||
[req] |
||||
distinguished_name = req_distinguished_name |
||||
req_extensions = v3_req |
||||
prompt = no |
||||
|
||||
[req_distinguished_name] |
||||
CN = intermediatecert.example.com |
||||
|
||||
[crl_ext] |
||||
authorityKeyIdentifier=keyid:always |
||||
|
||||
[v3_req] |
||||
keyUsage = critical, digitalSignature, keyEncipherment, keyCertSign, cRLSign |
||||
extendedKeyUsage = clientAuth, serverAuth |
||||
basicConstraints = critical, CA:true |
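Review bot: `crl` is defined twice in `[CA_intermediate]` with different values (`$dir/intermediate.crl` and `$dir/crl/intermediate.crl`), and the `crl_dir = $dir/crl` directory is never created by the accompanying script; which of the two wins depends on OpenSSL's CONF duplicate handling (last definition, if I recall correctly — worth confirming), though in practice the script passes `-out intermediate.crl` so neither value is used. Drop the first `crl =` line and point the remaining one at `crl = $dir/intermediate.crl` so the config and the script agree, and either create `$dir/crl` or remove `crl_dir`. The same goes for `RANDFILE = $dir/private/.rand`, whose directory also does not exist. Since this intermediate only ever signs the leaf, `basicConstraints = critical, CA:true, pathlen:0` would make the fixture reflect the intended chain shape, though that is a style point rather than a defect for this test.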
@ -0,0 +1,28 @@ |
||||
-----BEGIN PRIVATE KEY----- |
||||
MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDRURiGLzjbPAG1 |
||||
VHMVEz7xF8/bHRnNAMIBodJlUWh28cfXvk2Le5XP8K/PXuHtWvEodcV6yL1ZDitp |
||||
Pv1iX9WywJ/moYjBIIzNHWt/TxWpinMtot9ppgGrG1Ae6dSLFDl/3ylXnbQ8pHq+ |
||||
CtkbkLvb1j0r9EHoA/qLq2r1qwfnVzVyOet76u0+anT22yQhVsxnTT/lVHcLbzX/ |
||||
AwYgycETKx9Ph1+oIr78Z0gIp/yy75G0yGvoZ/9vssCIKWy+ObuZVlPLlZ8gJAUh |
||||
JK+ytgImZ7GxDG8gXSFMDuJ217ZVgkYYND7pTSEzIQB72l4phZFvuG2iiNA0a3Q7 |
||||
Kxeu0S3xAgMBAAECggEALi1P1bpxNpxkXBaHVOzsA9AXAOXInVs/cZC7k7KD80mf |
||||
ps7K2Kyo/jjA8GSkPvLDJQPmTxIeA5mGpi9JQvyVblvkasLUIpcFuPJ2lp1h0AdF |
||||
JZo641nGIHNkF43KX+xUSwt2WWfnLUGz+lz2TIh/iR4YXKwEJiVKjqmAbTYQBk7m |
||||
xHLr1lpER7qUNRllxeV/oHWJT6Ak35yWG5rbtKRa4PliLkd/894jutKKvFVaxNwQ |
||||
ncAe+WV3EnGxgs6hedf/gO+K9GEnM913vfNQJfFin1pp0GdNzc2yhzc9jHRqMw84 |
||||
K8votcLA2ouGq8NB842naBhyQsUtfk+b+Ur81re4YQKBgQDhG2r5kDlVHuL7mAoe |
||||
XbN3r7vdHLc9duKT16d14iRuvGIW5G8HHH4cQuuYtB0JmAE+Tj9nuqEtYvaqQnyr |
||||
OX2uzaPp7eB9K/xQKSpneRV86WtroRZdx8PzFj/ayMQ5IhlaHpeVUALdtf/188dw |
||||
hjCZQpv5w/jjaHpfRkWs+YE6/QKBgQDuCuyLjgZTfjVIJvEgaEAKokywWlAEE19h |
||||
c3Fj2IOL03gzPRBftcho6eNGhyVvylD+1nZgVO+AbLCvUWTc2U9YCBfEaxLy6Eeo |
||||
BJDkO3D8fvD94FiwZryoi7BrcY5cPZ560BI5c7DqMJhTY3VPeDS6B+4gTwsoQ5Uc |
||||
BfK60UdTBQKBgQCZyyin/pAdBrAfIj3vhycBI3AfXeoXNS0RwumnUWyAt3Xwm/r7 |
||||
Cc1jM5lQx+V6034t+jm5fbl2j8Fki24vcWTb06UkQp/4BOAqSCWvcftrTvJUI0dr |
||||
pPrMDqxrpnThb9mQR4xat8JthVWtzPK6fwOfAfIcj3Zwr8XDZ/hceE6BZQKBgBlu |
||||
vVsjr3VYNKUi0/xcZws7z+m/nHDzCOvGg8ThKxzTWTJQQeGX8HOVGZ09bziEaybv |
||||
DvK34GbeNfplPduCtEF5i+CGeB3Px2giJMDdwPKZNXJKd+9Q6rMvSYgRN96PDtGc |
||||
TXYp8Cr1SjEOnUgCVc/SbRSynUSOA+5cjFR9a5tpAoGBANwrAUON/wCpRUU5JEnM |
||||
3w89v3/d7YJvce065FVybNdBjE6Xofh9slOO4GJ6AWIzfOVeqYfBR0J4IK2jCjtX |
||||
pCHk5GI3tCHuF3xaVct1m8tr4TpC5gxsOXlxHAUVQzMfQh2jvD0qAKm4isH2jGGk |
||||
sj3cvdQldHQSlTJl01Ex5EjS |
||||
-----END PRIVATE KEY----- |
@ -0,0 +1,23 @@ |
||||
-----BEGIN CERTIFICATE----- |
||||
MIID6zCCAtOgAwIBAgIUSkzJA6uT65cO7bQ+EfAMl65rzfEwDQYJKoZIhvcNAQEL |
||||
BQAwVjELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoM |
||||
GEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDEPMA0GA1UEAwwGdGVzdGNhMB4XDTIz |
||||
MDMwMzE4MDY0M1oXDTMzMDIyODE4MDY0M1owJzElMCMGA1UEAwwcaW50ZXJtZWRp |
||||
YXRlY2VydC5leGFtcGxlLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC |
||||
ggEBANFRGIYvONs8AbVUcxUTPvEXz9sdGc0AwgGh0mVRaHbxx9e+TYt7lc/wr89e |
||||
4e1a8Sh1xXrIvVkOK2k+/WJf1bLAn+ahiMEgjM0da39PFamKcy2i32mmAasbUB7p |
||||
1IsUOX/fKVedtDyker4K2RuQu9vWPSv0QegD+ouravWrB+dXNXI563vq7T5qdPbb |
||||
JCFWzGdNP+VUdwtvNf8DBiDJwRMrH0+HX6givvxnSAin/LLvkbTIa+hn/2+ywIgp |
||||
bL45u5lWU8uVnyAkBSEkr7K2AiZnsbEMbyBdIUwO4nbXtlWCRhg0PulNITMhAHva |
||||
XimFkW+4baKI0DRrdDsrF67RLfECAwEAAaOB3zCB3DAOBgNVHQ8BAf8EBAMCAaYw |
||||
HQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMA8GA1UdEwEB/wQFMAMBAf8w |
||||
HQYDVR0OBBYEFCe1phNkruBHbu7xYruv+4iydy2jMHsGA1UdIwR0MHKhWqRYMFYx |
||||
CzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRl |
||||
cm5ldCBXaWRnaXRzIFB0eSBMdGQxDzANBgNVBAMMBnRlc3RjYYIUKnHtxUGUlsyz |
||||
9jW7POo/RqJKKTswDQYJKoZIhvcNAQELBQADggEBAHMB89zLQTZhvSBpCZpSFIBt |
||||
z0ebZk4APrEskCZRJ0coWglT7/RjJTEi8fVYfFUVbUXOwFIT4jvtlkcp1LUZDT5X |
||||
qazTRa7ECFzw1TrO+IJadVczKBTRFxlYOWgOTHTXZlU8QV53Vi+g7dbYrEYxu5TO |
||||
NUggqSoxUhl4901NdMGTSiKXeuye4EdHAKI9RYO6suxYMo9wctm/es3OFd5kjPlh |
||||
CqoUId3Lgc7Lb1xcfBSZ9n2dWcFDf32GPYYPlBbxuba0VVZlKZSd3yV36v4gKdSI |
||||
MjdluRpwdoyTcsLi6ysPduOfkWSbQJ3bbvpeTNiagn5o9oeF1DO5LDvVVo1RZ2A= |
||||
-----END CERTIFICATE----- |
@ -0,0 +1,73 @@ |
||||
#!/bin/bash |
||||
# Copyright 2023 gRPC authors. |
||||
# |
||||
# Licensed under the Apache License, Version 2.0 (the "License"); |
||||
# you may not use this file except in compliance with the License. |
||||
# You may obtain a copy of the License at |
||||
# |
||||
# http://www.apache.org/licenses/LICENSE-2.0 |
||||
# |
||||
# Unless required by applicable law or agreed to in writing, software |
||||
# distributed under the License is distributed on an "AS IS" BASIS, |
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
||||
# See the License for the specific language governing permissions and |
||||
# limitations under the License. |
||||
|
||||
set -e |
||||
|
||||
# Meant to be run from test/core/tsi/test_creds/crl_data |
||||
# Sets up an intermediate ca, generates certificates and crl files, then copies then up and deletes unnecessary files |
||||
|
||||
rm -rf intermediate_ca |
||||
mkdir intermediate_ca |
||||
cp intermediate.cnf intermediate_ca/ |
||||
cp leaf_signed_by_intermediate.cnf intermediate_ca/ |
||||
pushd intermediate_ca |
||||
touch index.txt |
||||
echo 1 > ./serial |
||||
echo 1000 > ./crlnumber |
||||
|
||||
# Generating the intermediate CA |
||||
openssl genrsa -out temp.rsa 2048 |
||||
openssl pkcs8 -topk8 -in temp.rsa -out intermediate_ca.key -nocrypt |
||||
rm temp.rsa |
||||
openssl req -key intermediate_ca.key -new -out temp.csr -config intermediate.cnf |
||||
openssl x509 -req -days 3650 -in temp.csr -CA "../ca.pem" -CAkey "../ca.key" -CAcreateserial -out intermediate_ca.pem -extfile intermediate.cnf -extensions 'v3_req' |
||||
|
||||
# Generating the leaf and chain |
||||
openssl genrsa -out temp.rsa 2048 |
||||
openssl pkcs8 -topk8 -in temp.rsa -out leaf_signed_by_intermediate.key -nocrypt |
||||
openssl req -key leaf_signed_by_intermediate.key -new -out temp.csr -config leaf_signed_by_intermediate.cnf |
||||
openssl x509 -req -days 3650 -in temp.csr -CA intermediate_ca.pem -CAkey intermediate_ca.key -CAcreateserial -out leaf_signed_by_intermediate.pem -extfile leaf_signed_by_intermediate.cnf -extensions 'v3_req' |
||||
cat leaf_signed_by_intermediate.pem intermediate_ca.pem > leaf_and_intermediate_chain.pem |
||||
|
||||
# Generate empty CRL for the intermediate |
||||
openssl ca -config=intermediate.cnf -gencrl -out intermediate.crl -keyfile intermediate_ca.key -cert intermediate_ca.pem -crldays 3650 |
||||
popd |
||||
|
||||
# Copy files up to the higher directory |
||||
cp "./intermediate_ca/leaf_signed_by_intermediate.key" ./ |
||||
cp "./intermediate_ca/leaf_signed_by_intermediate.pem" ./ |
||||
cp "./intermediate_ca/leaf_and_intermediate_chain.pem" ./ |
||||
cp "./intermediate_ca/intermediate_ca.key" ./ |
||||
cp "./intermediate_ca/intermediate_ca.pem" ./ |
||||
|
||||
# Revoke the intermediate |
||||
openssl ca -revoke intermediate_ca.pem -keyfile ca.key -cert ca.pem -days 3650 |
||||
openssl ca -gencrl -out current.crl -keyfile ca.key -cert ca.pem -crldays 3650 |
||||
|
||||
|
||||
# Copy CRLs into their own directory and run rehash |
||||
cp "./intermediate_ca/intermediate.crl" ./crls |
||||
cp current.crl ./crls/ |
||||
openssl rehash ./crls/ |
||||
|
||||
mkdir crls_missing_intermediate |
||||
cp current.crl ./crls_missing_intermediate/ |
||||
openssl rehash ./crls_missing_intermediate/ |
||||
|
||||
mkdir crls_missing_root |
||||
cp intermediate.crl ./crls_missing_root/ |
||||
openssl rehash ./crls_missing_root/ |
||||
|
||||
rm intermediate_ca |
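Review bot: The final `rm intermediate_ca` targets a directory, so it fails with "Is a directory" and, under `set -e`, the script exits non-zero after having already written every fixture; it should be `rm -rf intermediate_ca`. More importantly, `cp intermediate.crl ./crls_missing_root/` copies from the working directory, but `intermediate.crl` is only ever placed under `./intermediate_ca/` and then into `./crls/` — so this either aborts, or, if a stale `intermediate.crl` happens to be lying around from an earlier run, silently ships an outdated CRL (possibly with a different issuer key) into the `crls_missing_root` fixture; use `cp ./intermediate_ca/intermediate.crl ./crls_missing_root/`. The `mkdir crls_missing_intermediate` / `mkdir crls_missing_root` calls also fail on a rerun unless made `mkdir -p`, and `./crls` is never created, so a fresh checkout without it would get a regular file named `crls` from the first `cp`. The `-days 3650` passed to `openssl ca -revoke` has no effect on a revocation and can be dropped; that invocation also runs without `-config`, so it presumably relies on a CA config in this directory that is not part of this change — worth stating in the header comment alongside "Meant to be run from test/core/tsi/test_creds/crl_data".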
@ -0,0 +1,43 @@ |
||||
-----BEGIN CERTIFICATE----- |
||||
MIIDUzCCAjugAwIBAgIUIkXUE1956T996LuTKMiv5nci6X0wDQYJKoZIhvcNAQEL |
||||
BQAwJzElMCMGA1UEAwwcaW50ZXJtZWRpYXRlY2VydC5leGFtcGxlLmNvbTAeFw0y |
||||
MzAzMDMxODA2NDNaFw0zMzAyMjgxODA2NDNaMB8xHTAbBgNVBAMMFCoudGVzdC5n |
||||
b29nbGUuY29tLmF1MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2NNY |
||||
lYVfOBbDwRlBzw997mTck19zxCqEoqGDBE4p2zpSdo4D5fhp/o7f4T0S58EF95Q3 |
||||
6nsTruLlz0OBj1hsOYYUecOM8gYPYOh6Q4kEpS3G7Up36bdAXpsgdAWUgA5Zcsb7 |
||||
dvnZeGPymbmn1IySlo0/8TMnCcLJf3V0jUVvBZI/oawwAZd4Rpb1lh/kIxRqNiU5 |
||||
WFW7hZzjOnA1m5gmXJnDox0mLth7RLb9YQHmz5czxC+aBQ1e3iTc1BJ4ETPAvIwo |
||||
XH3UI47Zg/YFW8rZPym9qdSGydxw23g9XVawWXJUyBQz5e/iCPDFMHM//l3hBBLZ |
||||
jP+QRZUIiRpzISGitwIDAQABo38wfTAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYw |
||||
FAYIKwYBBQUHAwIGCCsGAQUFBwMBMAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYEFCwG |
||||
luxpu/XDakGPtEnuIiW0rk/oMB8GA1UdIwQYMBaAFCe1phNkruBHbu7xYruv+4iy |
||||
dy2jMA0GCSqGSIb3DQEBCwUAA4IBAQBoUzdASVjpUN31jw4h3K5rWC2+CVhguyhb |
||||
BcFXNr73ySryPZwJDrCZINXMpjM+GGKrFKjC3hemlUpnTYiOgaHseN5NB3pZYJma |
||||
48DZzZ51wEI3vzmqOyjD0Eh2LytI+p87bJhBEwWR+okADWDB9vdZKiJi/7iHfvxs |
||||
NIasCagJgJ5XeMiTehRksKuQv3w8KhUzRCjy0wsTwjmrQw+8kMS0WnRC4EVA76IZ |
||||
HnLfoMGg/R1w/NrrAmQfx+W0qnJAvkQddqfEptITJbqoOfFASgngVBhHnogOLod/ |
||||
es3Tbls2qrJg0GnMScJYHJAvlp6Lke6a8kf8jyT+yN2opWVll1tK |
||||
-----END CERTIFICATE----- |
||||
-----BEGIN CERTIFICATE----- |
||||
MIID6zCCAtOgAwIBAgIUSkzJA6uT65cO7bQ+EfAMl65rzfEwDQYJKoZIhvcNAQEL |
||||
BQAwVjELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoM |
||||
GEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDEPMA0GA1UEAwwGdGVzdGNhMB4XDTIz |
||||
MDMwMzE4MDY0M1oXDTMzMDIyODE4MDY0M1owJzElMCMGA1UEAwwcaW50ZXJtZWRp |
||||
YXRlY2VydC5leGFtcGxlLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC |
||||
ggEBANFRGIYvONs8AbVUcxUTPvEXz9sdGc0AwgGh0mVRaHbxx9e+TYt7lc/wr89e |
||||
4e1a8Sh1xXrIvVkOK2k+/WJf1bLAn+ahiMEgjM0da39PFamKcy2i32mmAasbUB7p |
||||
1IsUOX/fKVedtDyker4K2RuQu9vWPSv0QegD+ouravWrB+dXNXI563vq7T5qdPbb |
||||
JCFWzGdNP+VUdwtvNf8DBiDJwRMrH0+HX6givvxnSAin/LLvkbTIa+hn/2+ywIgp |
||||
bL45u5lWU8uVnyAkBSEkr7K2AiZnsbEMbyBdIUwO4nbXtlWCRhg0PulNITMhAHva |
||||
XimFkW+4baKI0DRrdDsrF67RLfECAwEAAaOB3zCB3DAOBgNVHQ8BAf8EBAMCAaYw |
||||
HQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMA8GA1UdEwEB/wQFMAMBAf8w |
||||
HQYDVR0OBBYEFCe1phNkruBHbu7xYruv+4iydy2jMHsGA1UdIwR0MHKhWqRYMFYx |
||||
CzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRl |
||||
cm5ldCBXaWRnaXRzIFB0eSBMdGQxDzANBgNVBAMMBnRlc3RjYYIUKnHtxUGUlsyz |
||||
9jW7POo/RqJKKTswDQYJKoZIhvcNAQELBQADggEBAHMB89zLQTZhvSBpCZpSFIBt |
||||
z0ebZk4APrEskCZRJ0coWglT7/RjJTEi8fVYfFUVbUXOwFIT4jvtlkcp1LUZDT5X |
||||
qazTRa7ECFzw1TrO+IJadVczKBTRFxlYOWgOTHTXZlU8QV53Vi+g7dbYrEYxu5TO |
||||
NUggqSoxUhl4901NdMGTSiKXeuye4EdHAKI9RYO6suxYMo9wctm/es3OFd5kjPlh |
||||
CqoUId3Lgc7Lb1xcfBSZ9n2dWcFDf32GPYYPlBbxuba0VVZlKZSd3yV36v4gKdSI |
||||
MjdluRpwdoyTcsLi6ysPduOfkWSbQJ3bbvpeTNiagn5o9oeF1DO5LDvVVo1RZ2A= |
||||
-----END CERTIFICATE----- |
@ -0,0 +1,12 @@ |
||||
[req] |
||||
distinguished_name = req_distinguished_name |
||||
req_extensions = v3_req |
||||
prompt = no |
||||
|
||||
[req_distinguished_name] |
||||
CN = *.test.google.com.au |
||||
|
||||
[v3_req] |
||||
keyUsage = critical, digitalSignature, keyEncipherment |
||||
extendedKeyUsage = clientAuth, serverAuth |
||||
basicConstraints = critical, CA:false |
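Review bot: The leaf config puts the hostname only in the subject CN (`CN = *.test.google.com.au`) and defines no `subjectAltName`, so the resulting `leaf_signed_by_intermediate.pem` is CN-only. gRPC's peer-name matching and OpenSSL's default `X509_check_host` still fall back to the CN when no SAN is present, so the new test should pass as-is, but RFC 6125-strict verifiers ignore the CN entirely and any future test that exercises hostname verification against this chain would then break for an unrelated reason. Add `subjectAltName = DNS:*.test.google.com.au` to `[v3_req]` and regenerate the leaf so the fixture matches what real server certificates look like.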
@ -0,0 +1,28 @@ |
||||
-----BEGIN PRIVATE KEY----- |
||||
MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQDY01iVhV84FsPB |
||||
GUHPD33uZNyTX3PEKoSioYMETinbOlJ2jgPl+Gn+jt/hPRLnwQX3lDfqexOu4uXP |
||||
Q4GPWGw5hhR5w4zyBg9g6HpDiQSlLcbtSnfpt0BemyB0BZSADllyxvt2+dl4Y/KZ |
||||
uafUjJKWjT/xMycJwsl/dXSNRW8Fkj+hrDABl3hGlvWWH+QjFGo2JTlYVbuFnOM6 |
||||
cDWbmCZcmcOjHSYu2HtEtv1hAebPlzPEL5oFDV7eJNzUEngRM8C8jChcfdQjjtmD |
||||
9gVbytk/Kb2p1IbJ3HDbeD1dVrBZclTIFDPl7+II8MUwcz/+XeEEEtmM/5BFlQiJ |
||||
GnMhIaK3AgMBAAECggEANLtNn2uEyUzMBdHBLfzcCRbRiCveKTaX9D9ocCscRdtM |
||||
w9VtAEhmasjPjOVADEnmzBvpb2bIVi+LaVlHEJgWFfVUVHqo9BFiOxS+617O2Ocl |
||||
qn8CY74z8u4yOdVDlNMokN/wtzIzX/KaxSUgOnKHkgK/KsdgdqC/RXbIxjS9N/Kz |
||||
SycN2+4M+63A90+j3EZsBEHFOfs16CwJ+cLbUzeqIl7XwUgDEGoqj7cL3xI3RDpE |
||||
s2MCGMrjlbLAOC250AJlZQUHI4GUFuBmfkDh+9RPoSU8cTPNk/sDknigkZ5T2MEl |
||||
p9VccGsbRRLqjuVdnsZwiFCWpJoiYH3iuF+EOmryoQKBgQDj8Dg2nr5zEw+eQxnn |
||||
qoteBhHQciFyvyWF4bonttHyN/sfgWW2tObIlBf+4s9ZODIYnVYJ5BZfpXQG2TFs |
||||
6nreQgoWRqn4ISewAi+eM5lhCHlYkllfvmvsRTxKcCcj+wQ+2csg9msZqC1VJQl6 |
||||
HsRvRtrmeEHIx208MdBJERliYQKBgQDzhORl6mDMs0/iuRwuR5c3p/Cg2rJvWXK2 |
||||
XzX3875ywEpY3UoMqmw7vyOfXYzzfvj2qj9g7TCnDJRwpcr7n7Ij6ljixE+Ork3L |
||||
cmn4zSqo+k6eHrJmgAOeVYSq9Tv9GtmxViHhAuFgKJOUYRZz0d2a+Ts183T60vca |
||||
iIwYmsVMFwKBgQCbr6kFjZmxibRiOZzJAlCc0PJ7+GhmMq7TaiE3HQT7N0db9ord |
||||
p2P2XkihfJN5cgutilGJAfRSMfU09EZxCRsREfRH0M4pP6QW8PdLTB0YDKytVZCb |
||||
97lJMOUERuRFDB+TOjkm84ilhpwoCtsVQUyUYMYFIuBz3dr7gV6teXNoIQKBgQDt |
||||
I6B3TsJtFMDafIDg4H51iGlfexkALg7zYcxgZVA01uSPnQ8bPmqf1AaQjr1P8Xno |
||||
WunVLaWPR0TWXd1JI76KEw/z5E/FFiBT2lswGjtMylP8zs/T2R2s9oJ3KND+LUOI |
||||
2eOsBu4KgfkVKWZ/6wLug34Rj79+8ioIAKjM3Qr8iQKBgQDONSP+75QpvN1xrTwY |
||||
bQTFY6AF9CLWp/0WPMQQtWI1Y/3uprpnj1/zK9yL0VVYYD33qyttjOVyGPimhQA+ |
||||
/AzlGtvdI+SNiNaFA9i0a5skWJoJoo00Fdi3Mg3o5UBcamYKcFkqtSbCIoz8yVJd |
||||
7HSdJ94o4+Yw1818aNB6VjxkrA== |
||||
-----END PRIVATE KEY----- |
@ -0,0 +1,20 @@ |
||||
-----BEGIN CERTIFICATE----- |
||||
MIIDUzCCAjugAwIBAgIUIkXUE1956T996LuTKMiv5nci6X0wDQYJKoZIhvcNAQEL |
||||
BQAwJzElMCMGA1UEAwwcaW50ZXJtZWRpYXRlY2VydC5leGFtcGxlLmNvbTAeFw0y |
||||
MzAzMDMxODA2NDNaFw0zMzAyMjgxODA2NDNaMB8xHTAbBgNVBAMMFCoudGVzdC5n |
||||
b29nbGUuY29tLmF1MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2NNY |
||||
lYVfOBbDwRlBzw997mTck19zxCqEoqGDBE4p2zpSdo4D5fhp/o7f4T0S58EF95Q3 |
||||
6nsTruLlz0OBj1hsOYYUecOM8gYPYOh6Q4kEpS3G7Up36bdAXpsgdAWUgA5Zcsb7 |
||||
dvnZeGPymbmn1IySlo0/8TMnCcLJf3V0jUVvBZI/oawwAZd4Rpb1lh/kIxRqNiU5 |
||||
WFW7hZzjOnA1m5gmXJnDox0mLth7RLb9YQHmz5czxC+aBQ1e3iTc1BJ4ETPAvIwo |
||||
XH3UI47Zg/YFW8rZPym9qdSGydxw23g9XVawWXJUyBQz5e/iCPDFMHM//l3hBBLZ |
||||
jP+QRZUIiRpzISGitwIDAQABo38wfTAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYw |
||||
FAYIKwYBBQUHAwIGCCsGAQUFBwMBMAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYEFCwG |
||||
luxpu/XDakGPtEnuIiW0rk/oMB8GA1UdIwQYMBaAFCe1phNkruBHbu7xYruv+4iy |
||||
dy2jMA0GCSqGSIb3DQEBCwUAA4IBAQBoUzdASVjpUN31jw4h3K5rWC2+CVhguyhb |
||||
BcFXNr73ySryPZwJDrCZINXMpjM+GGKrFKjC3hemlUpnTYiOgaHseN5NB3pZYJma |
||||
48DZzZ51wEI3vzmqOyjD0Eh2LytI+p87bJhBEwWR+okADWDB9vdZKiJi/7iHfvxs |
||||
NIasCagJgJ5XeMiTehRksKuQv3w8KhUzRCjy0wsTwjmrQw+8kMS0WnRC4EVA76IZ |
||||
HnLfoMGg/R1w/NrrAmQfx+W0qnJAvkQddqfEptITJbqoOfFASgngVBhHnogOLod/ |
||||
es3Tbls2qrJg0GnMScJYHJAvlp6Lke6a8kf8jyT+yN2opWVll1tK |
||||
-----END CERTIFICATE----- |