[Security - CrlProvider] Add AKID to CertificateInfo (#35931)
This PR adds the Authority Key Identifier to CertificateInfo. This value _can be_ important in finding the right CRLs to use if there are Issuer name overlaps or a more complicated CA setup with multiple signing keys.
We should observe no behavior change in our `CrlProvider` implementations; this just adds an important field for users who implement it themselves.
Closes #35931
COPYBARA_INTEGRATE_REVIEW=https://github.com/grpc/grpc/pull/35931 from gtcooke94:AkidCheck dd048a53b6
PiperOrigin-RevId: 611143198
pull/36022/head
parent
d4b5e8d11d
commit
d6089c336c
15 changed files with 276 additions and 4 deletions
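--- a/ca-with-akid.cnf
+++ b/ca-with-akid.cnf
@@ -0,0 +1,32 @@
+[req]
+distinguished_name = req_distinguished_name
+req_extensions = v3_req
+
+[req_distinguished_name]
+countryName = Country Name (2 letter code)
+countryName_default = AU
+stateOrProvinceName = State or Province Name (full name)
+stateOrProvinceName_default = Some-State
+organizationName = Organization Name (eg, company)
+organizationName_default = Internet Widgits Pty Ltd
+commonName = Common Name (eg, YOUR name)
+commonName_default = testca
+
+[v3_req]
+basicConstraints = CA:true
+keyUsage = critical, keyCertSign, cRLSign
+authorityKeyIdentifier=keyid:always,issuer:always
+
+[ ca ]
+default_ca = my_ca
+
+[ my_ca ]
+default_md = sha256
+database = index.txt
+crlnumber = crlnumber
+default_crl_days = 3650
+crl_extensions = crl_ext
+
+[crl_ext]
+# Authority Key Identifier extension
+authorityKeyIdentifier=keyid:always,issuer:always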
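Review bot: `basicConstraints = CA:true` in `[v3_req]` is not marked critical even though `keyUsage` on the next line is; RFC 5280 §4.2.1.9 requires basicConstraints to be critical in CA certificates, and a strict validator may reject the fixture CA on that ground alone. Change it to `basicConstraints = critical, CA:true` and regenerate the checked-in key, certificate and CRL with the script in this PR so the fixtures match the config. Formatting is also mixed within the file — `[ ca ]`/`[ my_ca ]` next to `[req]`, and `authorityKeyIdentifier=keyid:…` next to `key = value` on every other line; OpenSSL accepts both, but one style would read better.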
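--- a/ca_with_akid.key
+++ b/ca_with_akid.key
@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDZZZIO2gh52M/8
+nBhrq6mhBRDPtXKOaFZXLhW02Z/fGdP3cm7L2j9irCPXm6Lew6e/NhjsqWIIXhev
+xXdHZ5Hm+8r6+IN4RRSzO5Qkpzb/7IQleaIqJlAqcU7N3qHZpGweswznoqg/5D1E
+AiLc4ZDyTQa71rrrYXaABI95xddkjjThac1mzfgg0mYKy8FRMWsnxyyZMeTHMGtR
+uenyUR+CZdiQooi1TaJvLh70Kh9h2r2mpZHW82N6DlHWLMrIw0wbfVewebj4I0Kg
+aNGZacwawcxvZrucEDmxM84bB72oRsPi2uP27XftQv+sgwUO/9LpU2O7QTBKY3T8
+2xul5FnfAgMBAAECggEADeP/CqLk0sBHPdlNeCe+TXMQ6WyrFq1VAvoHWghjvjIc
+yJ1PtgfKcAgWvDKOHBS9Varjuc9y250Df3ArGG1mNa+V/yY85ETptzAR3auviHe4
+09orQe0zxxp5Ug8tIUZvwCBprS1H+dkgDwXh62IgTFMeoIbuZ5bRJwnjjwDUq/CK
+BRrfOCeUlic3UhhPjkiNe+ky4PIPU7tr6C7op8RWvCoEr/7YyopmWnfF2AM75E1W
+hVXIESVT32Eo/938HOHTKw3Donk0B2O2Q4cHW15xExbpkdolGTuh2Mic1urndnih
+vXziacOffyOj16u8gWJ+swfYtRXg0nhiK3ami6SIuQKBgQD123dQPvz5rr3FRb/R
+LZj+kDLhcduQlk1bfrm5yzdVZ8PyfbSQ9Iualxpabfyc57vpxmpGHBW2QhqhVToU
+ZZLog+eZjLVAWTDgLWy6qhPx7/dh4SfIVOreXHmsjDJMoGpSSmX1QwSwY2f36bxB
+lAmzcpCORxsvUIFG6LuHOlmQNwKBgQDiXYdcmZGssdsSVpl0bY+yOfDdIjSoYroQ
+D/aCF7H7tuBTcUH6uZAe9f6oQzseLxg0lG/oa/Ks1s616ZSY7cjLOORZlvwqFpJs
+xCc6F+kJXGbpDpWUpkG/sCfrujGUCaimaIUT9H7ZKONgU1LfaUsn1nbMeJskkMfx
+3uLnRQ2fmQKBgQDOgEXY6u8EsJbIiWsxwQDOYEO8RCvNZ9EV1n0c5ulVHNDibl8p
+mZ1gfSYvak5RY/rbwkIlHRXHfgJsG++qjh40mgX/XMYohEGfKcg3iP8zqQC5/6mw
+hFK57iZsnVzqK5rh/4df16iqlvQOsQ3kbvku9j0go+zbct0CuBw62vG7RQKBgCIK
+DHPZR/WfHSFJ0nOWkhgr7FNkdGSpy+7kZ54yb/o5CsyhaFmKk+iD91JYIcitLkeh
+1p4ttWVWO+lRAZ5pi1s75+Ks+Khfko82g+uRcuKMeZEsN0QOKC7qD2a8Lf5j4W98
+oh5ZEsYXBvISNZEQ5VNNRboDnNjHyLlPWfGLCbxpAoGAZ0Q4Nq5ubm6FS3IdsXes
+DBoXh9Hc4xiM3AMX0mK9cpLYzK0Ot4ouuYF2aZNLzPilYJLPnSyJ9D5Waxb7Ygpy
+O28+oeg8FKTIQoizTGh4OCCEqWsczBdRhLF4EFixY+8O2X6EtwzMEwx0tXPalZ+x
+jtbKjvkafVw+Q84xMuiIfcY=
+-----END PRIVATE KEY-----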
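--- a/ca_with_akid.pem
+++ b/ca_with_akid.pem
@@ -0,0 +1,24 @@
+-----BEGIN CERTIFICATE-----
+MIIEETCCAvmgAwIBAgIUL5bnlxnEnAXfHgVRwjkpFaSqXNcwDQYJKoZIhvcNAQEL
+BQAwVjELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoM
+GEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDEPMA0GA1UEAwwGdGVzdGNhMB4XDTI0
+MDIxNDIxMTkxOFoXDTM0MDIxMTIxMTkxOFowVjELMAkGA1UEBhMCQVUxEzARBgNV
+BAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5IEx0
+ZDEPMA0GA1UEAwwGdGVzdGNhMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC
+AQEA2WWSDtoIedjP/JwYa6upoQUQz7VyjmhWVy4VtNmf3xnT93Juy9o/Yqwj15ui
+3sOnvzYY7KliCF4Xr8V3R2eR5vvK+viDeEUUszuUJKc2/+yEJXmiKiZQKnFOzd6h
+2aRsHrMM56KoP+Q9RAIi3OGQ8k0Gu9a662F2gASPecXXZI404WnNZs34INJmCsvB
+UTFrJ8csmTHkxzBrUbnp8lEfgmXYkKKItU2iby4e9CofYdq9pqWR1vNjeg5R1izK
+yMNMG31XsHm4+CNCoGjRmWnMGsHMb2a7nBA5sTPOGwe9qEbD4trj9u137UL/rIMF
+Dv/S6VNju0EwSmN0/NsbpeRZ3wIDAQABo4HWMIHTMAwGA1UdEwQFMAMBAf8wDgYD
+VR0PAQH/BAQDAgEGMIGTBgNVHSMEgYswgYiAFC2LQNwfnL4NfSeNh6J1dsKS7z4z
+oVqkWDBWMQswCQYDVQQGEwJBVTETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UE
+CgwYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMQ8wDQYDVQQDDAZ0ZXN0Y2GCFC+W
+55cZxJwF3x4FUcI5KRWkqlzXMB0GA1UdDgQWBBQti0DcH5y+DX0njYeidXbCku8+
+MzANBgkqhkiG9w0BAQsFAAOCAQEAcJnNStIat0i8ZthQLgFrJVqcvMRQ6LYLWLX9
+fBkoQNcgmMl2jD9oQU19YTTQ2SSFuTihxcZdstMTRpO5+s8Cqf4G6r7XIcFD75/X
+UItis5YF2lmxd1Ivrd0uUoWqjPghiiAyx6o3oUA2h+v6XJCebhHoG4KwGpeX0/9F
+SsbYdS4c8gn4jf3fzUZD3/fo0dXFjFB10xd9ac8wn7pP63Wtgu/ZA28bfe8rS/kv
+jsuXnlIYNYIlcKRvGrtmRPOieqoxPygZudDwSUnmttvjkt01UKrYzKdqO4Wf7sLa
+9YqPr6srTmz+GfF5Cp89Txy11sF8155PeJBrodnEjVO+8mQ+pg==
+-----END CERTIFICATE-----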
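--- a/SCRIPT_PATH_PLACEHOLDER.sh
+++ b/SCRIPT_PATH_PLACEHOLDER.sh
@@ -0,0 +1,35 @@
+#!/bin/bash
+# Copyright 2024 gRPC authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+rm -rf ca_with_akid/
+mkdir ca_with_akid/
+cp ca-with-akid.cnf ca_with_akid/
+pushd ca_with_akid/ || exit
+touch index.txt
+echo 1 > ./serial
+echo 1000 > ./crlnumber
+
+openssl req -x509 -new -newkey rsa:2048 -nodes -keyout ca_with_akid.key -out ca_with_akid.pem \
+-config ca-with-akid.cnf -days 3650 -extensions v3_req
+
+openssl ca -gencrl -out crl_with_akid.crl -keyfile ca_with_akid.key -cert ca_with_akid.pem -crldays 3650 -config ca-with-akid.cnf
+
+popd || exit
+
+cp "./ca_with_akid/ca_with_akid.key" ./
+cp "./ca_with_akid/ca_with_akid.pem" ./
+cp "./ca_with_akid/crl_with_akid.crl" ./
+
+rm -rf ca_with_akid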
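Review bot: Neither `openssl` invocation (the `req -x509` line and the `ca -gencrl` line) is error-checked, so if either fails the script still runs the three `cp` lines and the final `rm -rf`, exits 0, and can leave a partially regenerated fixture set with no indication that anything went wrong; add `set -eo pipefail` directly after the license header, which also makes the `|| exit` guards on pushd/popd redundant. Every path is relative, so the script only works when run from the directory that holds `ca-with-akid.cnf`; either document that or add `cd "$(dirname "$0")"` at the top. A short header comment stating what the script produces would help the next maintainer, e.g. `# Regenerates the test-only CA key/cert and CRL fixtures (ca_with_akid.key, ca_with_akid.pem, crl_with_akid.crl), each carrying an Authority Key Identifier; the outputs are checked in.` The `echo 1 > ./serial` line writes a file that `ca-with-akid.cnf` never references; harmless, but worth dropping or commenting.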
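--- a/crl_with_akid.crl
+++ b/crl_with_akid.crl
@@ -0,0 +1,15 @@
+-----BEGIN X509 CRL-----
+MIICSTCCATECAQEwDQYJKoZIhvcNAQELBQAwVjELMAkGA1UEBhMCQVUxEzARBgNV
+BAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5IEx0
+ZDEPMA0GA1UEAwwGdGVzdGNhFw0yNDAyMTQyMTE5MThaFw0zNDAyMTEyMTE5MTha
+oIGmMIGjMIGTBgNVHSMEgYswgYiAFC2LQNwfnL4NfSeNh6J1dsKS7z4zoVqkWDBW
+MQswCQYDVQQGEwJBVTETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50
+ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMQ8wDQYDVQQDDAZ0ZXN0Y2GCFC+W55cZxJwF
+3x4FUcI5KRWkqlzXMAsGA1UdFAQEAgIQADANBgkqhkiG9w0BAQsFAAOCAQEAd6hA
+m5fO0ebf2YuqFKr1CQ60R089xCl9ezyklLp5VnIoFkrUPYFyk9866jkVh8ckuZEF
+OoOFDte5HicWm5SuDV8qtsHIo8TV+KgFKEdVJ60CTGtK/wsfIhxsrlmqIfa+U88e
+hSWsfFB+vWCP9XOE4CERQJwdMNCXFB7DAEzsrygsyn8owRLuFaHSDkJERc0ZAXQv
+sOhhBlsyReqLQMqycnm0X8p5HxnxELmLwmn8Gt6610CrN/ql+N3QEp9dxaATbNcz
+AjAm8RyPEA+VWYsZOTgMVcS9+guR8a17E+BY1rr1z9VOFWIR0VFqrGL71nn1TL2n
+iXVUyJFbTZwE2hZR6w==
+-----END X509 CRL-----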