authorrsleevi <rsleevi@chromium.org>2016-03-11 02:06:47 -0800
committerCommit bot <commit-bot@chromium.org>2016-03-11 10:08:46 +0000
commit56139459f834b6b4ac3aad37b466d9ae997ff15c (patch)
tree23a650f9618fa8114e9a8a7f54bbee3ebcb768e3 /net/data/ssl/scripts/generate-multi-root-test-chains.sh
parentc37a6804b0a4f14d336c31165412715846bd4fdd (diff)
Perform CRLSet evaluation during Path Building on NSS
When using NSS for certificate verification, add CRLSet checking by injecting a revocation callback function which will examine the CRLSet and reject the certificate. If the CRLSet does not affirmatively reject it, continue invoking the originally supplied application callback (such as the ChromeOS callback) and allow it an opportunity to reject. Because of how NSS caches virtually everything, horribly so, this restructures the unittests to no longer depend on how the underlying library will select the path (since with NSS, it's fundamentally non-deterministic), and instead tests that as long as a singular certificate path is still valid and un-revoked, it can be discovered. BUG=589336 TEST=CertVerifyProcTest.CRLSet* TBR=mattm@chromium.org Review URL: https://codereview.chromium.org/1724413002 Cr-Commit-Position: refs/heads/master@{#380590}
Diffstat (limited to 'net/data/ssl/scripts/generate-multi-root-test-chains.sh')
-rwxr-xr-xnet/data/ssl/scripts/generate-multi-root-test-chains.sh71
1 files changed, 52 insertions, 19 deletions
diff --git a/net/data/ssl/scripts/generate-multi-root-test-chains.sh b/net/data/ssl/scripts/generate-multi-root-test-chains.sh
index 5de08df..c4d1792 100755
--- a/net/data/ssl/scripts/generate-multi-root-test-chains.sh
+++ b/net/data/ssl/scripts/generate-multi-root-test-chains.sh
@@ -66,7 +66,7 @@ echo "Generating the self-signed roots"
for i in D E
do
echo "Generating CSR ${i}"
- CA_COMMON_NAME="${i} Root CA" \
+ CA_COMMON_NAME="${i} Root CA - Multi-root" \
CERTIFICATE="${i}" \
openssl req \
-config redundant-ca.cnf \
@@ -75,7 +75,7 @@ do
-out "out/${i}.csr"
echo "Generating self-signed ${i}"
- CA_COMMON_NAME="${i} Root CA" \
+ CA_COMMON_NAME="${i} Root CA - Multi-root" \
CERTIFICATE="${i}" \
openssl ca \
-config redundant-ca.cnf \
@@ -93,7 +93,7 @@ echo "Generating intermediate CSRs"
for i in B C F
do
echo "Generating CSR ${i}"
- CA_COMMON_NAME="${i} CA" \
+ CA_COMMON_NAME="${i} CA - Multi-root" \
CERTIFICATE="${i}" \
openssl req \
-config redundant-ca.cnf \
@@ -103,7 +103,7 @@ do
done
echo D signs C
-CA_COMMON_NAME="D CA" \
+CA_COMMON_NAME="D CA - Multi-root" \
CERTIFICATE=D \
openssl ca \
-config redundant-ca.cnf \
@@ -116,7 +116,7 @@ openssl ca \
-out out/C.pem
echo C signs B
-CA_COMMON_NAME="C CA" \
+CA_COMMON_NAME="C CA - Multi-root" \
CERTIFICATE=C \
openssl ca \
-config redundant-ca.cnf \
@@ -129,7 +129,7 @@ openssl ca \
-out out/B.pem
echo E signs C2
-CA_COMMON_NAME="E CA" \
+CA_COMMON_NAME="E CA - Multi-root" \
CERTIFICATE=E \
openssl ca \
-config redundant-ca.cnf \
@@ -142,7 +142,7 @@ openssl ca \
-out out/C2.pem
echo E signs F
-CA_COMMON_NAME="E CA" \
+CA_COMMON_NAME="E CA - Multi-root" \
CERTIFICATE=E \
openssl ca \
-config redundant-ca.cnf \
@@ -158,7 +158,7 @@ openssl ca \
# B-by-F more preferable, the startdate is chosen to be GREATER (later) than
# B-by-C.
echo F signs B2
-CA_COMMON_NAME="F CA" \
+CA_COMMON_NAME="F CA - Multi-root" \
CERTIFICATE=F \
openssl ca \
-config redundant-ca.cnf \
@@ -182,7 +182,7 @@ do
done
echo "Signing leaves"
-CA_COMMON_NAME="B CA" \
+CA_COMMON_NAME="B CA - Multi-root" \
CERTIFICATE=B \
openssl ca \
-config redundant-ca.cnf \
@@ -208,20 +208,53 @@ cp out/D.pem ../certificates/multi-root-D-by-D.pem
cp out/E.pem ../certificates/multi-root-E-by-E.pem
echo "Generating CRLSets"
-# Block C-by-E (serial number 0x1001) by way of serial number.
-python crlsetutil.py -o ../certificates/multi-root-crlset-C-by-E.raw \
-<<CRLSETBYSERIAL
+# Block D and E by SPKI; invalidates all paths.
+python crlsetutil.py -o ../certificates/multi-root-crlset-D-and-E.raw \
+<<CRLSETDOCBLOCK
+{
+ "BlockedBySPKI": [
+ "out/D.pem",
+ "out/E.pem"
+ ]
+}
+CRLSETDOCBLOCK
+
+# Block E by SPKI.
+python crlsetutil.py -o ../certificates/multi-root-crlset-E.raw \
+<<CRLSETDOCBLOCK
+{
+ "BlockedBySPKI": [
+ "out/E.pem"
+ ]
+}
+CRLSETDOCBLOCK
+
+# Block C-by-D (serial number 0x1001) and F-by-E (serial number 0x1002) by
+# way of serial number.
+python crlsetutil.py -o ../certificates/multi-root-crlset-CD-and-FE.raw \
+<<CRLSETDOCBLOCK
{
"BlockedByHash": {
- "out/E.pem": [4097]
+ "out/D.pem": [4097],
+ "out/E.pem": [4098]
}
}
-CRLSETBYSERIAL
+CRLSETDOCBLOCK
-# Block F (all versions) by way of SPKI
-python crlsetutil.py -o ../certificates/multi-root-crlset-F.raw \
-<<CRLSETBYSPKI
+# Block C (all versions) by way of SPKI
+python crlsetutil.py -o ../certificates/multi-root-crlset-C.raw \
+<<CRLSETDOCBLOCK
{
- "BlockedBySPKI": [ "out/F.pem" ]
+ "BlockedBySPKI": [ "out/C.pem" ]
+}
+CRLSETDOCBLOCK
+
+# Block an unrelated/unissued serial (0x0FFF) to enable all paths.
+python crlsetutil.py -o ../certificates/multi-root-crlset-unrelated.raw \
+<<CRLSETDOCBLOCK
+{
+ "BlockedByHash": {
+ "out/E.pem": [4095]
+ }
}
-CRLSETBYSPKI \ No newline at end of file
+CRLSETDOCBLOCK
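Review bot: The five new here-documents use an unquoted delimiter (`<<CRLSETDOCBLOCK`), so their JSON bodies remain subject to `$` parameter expansion and backtick/`$(…)` substitution; none of the bodies contain such characters today (nor did the replaced CRLSETBYSERIAL/CRLSETBYSPKI blocks), but `<<'CRLSETDOCBLOCK'` would make the literal intent explicit and keep a future edit from silently altering the CRLSet input. The serial-number comments also rest on issuance order that is outside this hunk: "F-by-E (serial number 0x1002)" holds only if E's earlier issuance of C2 consumed 0x1001 and each CA's serial counter starts at 0x1001, so a note next to the CD-and-FE block such as `# Serials follow issuance order above: D's 1st cert is C, E's 2nd cert is F.` would tie the values 4097/4098 to their source. None of the `python crlsetutil.py` invocations checks its exit status, so a failed run leaves a missing or stale `.raw` fixture without aborting the script; whether the file enables `set -e` earlier is not visible here, and `|| exit 1` after each heredoc would make the failure explicit either way.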