authorpalmer@chromium.org <palmer@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2013-04-03 03:45:35 +0000
committerpalmer@chromium.org <palmer@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2013-04-03 03:45:35 +0000
commitba57a65092dc32ef2120e3e92926d69b2b65e660 (patch)
tree8cba744458845603db6601ff823974e5d8313089 /net/data
parenta6c38b5825fad232626ef8169404e9b09dc1f56e (diff)
Handle extendedKeyUsage field in end-entity certs.
The equivalent patch in Android is pending, but we would like to patch Chrome as well since Chrome updates faster than the base Android system. BUG=167607 Review URL: https://chromiumcodereview.appspot.com/11778008 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@191962 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'net/data')
-rw-r--r--net/data/ssl/certificates/README10
-rw-r--r--net/data/ssl/certificates/crit-codeSigning-chain.pem105
-rw-r--r--net/data/ssl/certificates/eku-test-root.pem66
-rw-r--r--net/data/ssl/certificates/non-crit-codeSigning-chain.pem105
-rw-r--r--net/data/ssl/scripts/eku-test.cnf26
-rwxr-xr-xnet/data/ssl/scripts/generate-bad-eku-certs.sh77
6 files changed, 389 insertions, 0 deletions
diff --git a/net/data/ssl/certificates/README b/net/data/ssl/certificates/README
index 7916daf..cc7c91d 100644
--- a/net/data/ssl/certificates/README
+++ b/net/data/ssl/certificates/README
@@ -161,3 +161,13 @@ unit tests.
private key for a first certificate signed by client_1_root.pem.
- client_2.pem and client_2.key correspond to the certificate and
private key for a second certificate signed by client_2_root.pem.
+
+- eku-test-root.pem
+- non-crit-codeSigning-chain.pem
+- crit-codeSigning-chain.pem
+ Two code-signing certificates (eKU: codeSigning; eKU: critical,
+ codeSigning) which we use to test that clients are making sure that web
+ server certs are checked for correct eKU fields (when an eKU field is
+ present). Since codeSigning is not valid for web server auth, the checks
+ should fail.
+
diff --git a/net/data/ssl/certificates/crit-codeSigning-chain.pem b/net/data/ssl/certificates/crit-codeSigning-chain.pem
new file mode 100644
index 0000000..516f840
--- /dev/null
+++ b/net/data/ssl/certificates/crit-codeSigning-chain.pem
@@ -0,0 +1,105 @@
+-----BEGIN RSA PRIVATE KEY-----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+-----END RSA PRIVATE KEY-----
+Certificate:
+ Data:
+ Version: 1 (0x0)
+ Serial Number: 237 (0xed)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: CN=2048 RSA Test Root CA
+ Validity
+ Not Before: Jan 23 23:51:05 2013 GMT
+ Not After : Jan 21 23:51:05 2023 GMT
+ Subject: C=US, ST=California, L=Mountain View, O=Test CA, CN=127.0.0.1
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ Public-Key: (2048 bit)
+ Modulus:
+ 00:bf:32:83:a7:1d:31:f6:c3:ac:0d:90:4a:05:43:
+ 15:b3:8c:a8:ee:95:d0:4f:59:6c:7d:77:89:4c:d8:
+ 95:12:b7:02:79:21:7d:22:0b:b6:8d:82:37:fa:a9:
+ f4:dd:36:02:71:6a:5c:83:02:7c:e8:35:92:ba:5a:
+ 13:08:e8:bf:fb:10:f8:0c:ac:50:12:b2:73:15:c9:
+ 77:86:af:10:d3:4a:fd:b4:23:60:ee:19:8e:ba:9d:
+ a1:35:85:ce:68:2f:94:d6:da:82:fd:32:03:f4:67:
+ 3c:9d:e2:4b:1c:69:21:da:d7:e0:6e:a7:a6:90:5a:
+ ba:39:bb:58:94:0f:a1:5f:2d:e4:2b:e4:dc:ee:0e:
+ eb:f8:51:c7:5a:93:a0:8f:b8:a1:73:cd:84:5f:ec:
+ b8:55:3e:86:42:8b:f6:b5:0a:99:5d:84:8e:40:e7:
+ 0f:70:4a:ee:d0:08:46:63:ec:0e:80:9d:86:7b:89:
+ bc:50:d4:26:2f:16:e6:40:37:ea:06:99:72:46:c5:
+ 03:a9:b4:c0:8c:81:36:9d:7a:60:f4:34:ff:bd:1b:
+ 9f:35:6e:1c:71:28:a4:e2:ad:56:7f:f1:f6:8c:0c:
+ ce:36:e2:fd:ef:d6:e1:a4:12:5d:15:a7:75:6f:12:
+ 44:e9:23:8b:55:6d:96:2c:94:25:0f:75:51:d9:a5:
+ 22:51
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Subject Alternative Name:
+ IP Address:127.0.0.1
+ X509v3 Basic Constraints: critical
+ CA:FALSE
+ X509v3 Subject Key Identifier:
+ A2:2A:EC:DD:31:B9:D2:D1:6A:21:8D:11:C1:2B:E5:1E:92:85:C4:06
+ X509v3 Extended Key Usage: critical
+ Code Signing
+ Signature Algorithm: sha1WithRSAEncryption
+ 6c:46:ce:18:06:16:77:8a:81:dc:aa:f9:b9:0d:af:ce:61:bf:
+ 3e:60:2c:c9:58:97:54:41:a9:14:44:4d:e7:b7:fa:3c:6f:09:
+ 92:d6:d2:5d:89:60:ef:ec:3d:62:f7:22:d9:df:e4:05:3b:23:
+ 2a:3c:f1:6f:f3:e9:9c:61:8f:b0:92:d2:67:81:aa:43:dc:37:
+ bc:27:e7:d8:59:ce:f9:cc:fd:b0:30:c3:8d:68:f0:bf:91:7c:
+ 3b:1a:7c:af:ef:23:1a:c2:1d:bc:be:c2:eb:06:9a:57:be:ed:
+ b6:9f:81:6f:86:35:22:68:2d:89:47:d6:80:ca:4a:91:05:6d:
+ 49:aa:88:9e:4b:3a:90:0b:72:4f:b4:af:44:5d:67:52:11:cf:
+ 6b:52:ac:db:48:23:aa:e0:53:f0:4c:49:98:62:70:d7:dc:2d:
+ c9:8d:5d:35:7c:e4:a9:50:d4:50:56:e1:d9:9a:7a:35:f7:11:
+ b6:98:f6:76:6d:33:7c:8b:1a:82:20:2c:ae:b5:93:f0:55:77:
+ da:f0:a2:86:e8:d4:4d:7f:e9:c0:e3:21:6e:bc:e9:af:9a:9a:
+ f3:cd:36:4f:db:6f:fe:de:1f:fa:20:de:ec:f6:63:d2:98:01:
+ f4:45:29:1f:88:a0:0b:5c:a8:4a:0e:87:c5:94:07:fb:60:79:
+ 13:a9:ce:1f
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
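Review bot: The leaf in this fixture is encoded as X.509 v1 (`Version: 1 (0x0)`) yet carries an `X509v3 extensions` block, which RFC 5280 allows only in v3 certificates; non-crit-codeSigning-chain.pem has the same shape. A verifier that rejects a v1 certificate with extensions, or that distrusts the `sha1WithRSAEncryption` signature, would fail the chain before the eKU is ever evaluated, so the negative test could pass without exercising the new check. Regenerating both leaves as v3 would leave codeSigning as the only reason for rejection. Since ca.cnf is not part of this diff this is an inference, but passing the extension section explicitly on the `openssl ca` call, e.g. `-extensions "$cert_type" -extfile eku-test.cnf`, should produce v3 leaves. The unit test, which is not shown here, would ideally assert the specific eKU-related error rather than any failure.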
diff --git a/net/data/ssl/certificates/eku-test-root.pem b/net/data/ssl/certificates/eku-test-root.pem
new file mode 100644
index 0000000..faeb997
--- /dev/null
+++ b/net/data/ssl/certificates/eku-test-root.pem
@@ -0,0 +1,66 @@
+Certificate:
+ Data:
+ Version: 1 (0x0)
+ Serial Number: 17699587613995562877 (0xf5a19128931bf77d)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: CN=2048 RSA Test Root CA
+ Validity
+ Not Before: Jan 23 23:51:05 2013 GMT
+ Not After : Jan 21 23:51:05 2023 GMT
+ Subject: CN=2048 RSA Test Root CA
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ Public-Key: (2048 bit)
+ Modulus:
+ 00:b3:86:f9:ec:39:f5:63:1b:16:17:c9:fa:04:1a:
+ 32:1b:d8:ff:01:7c:55:2f:90:66:da:be:8a:b6:1e:
+ 68:ad:08:60:dc:63:40:c3:9c:fc:17:e9:5b:1f:bf:
+ a0:c7:de:42:7d:d8:cf:7b:56:9e:c7:17:65:65:45:
+ c5:e0:b0:80:c9:8a:b2:a5:a3:6e:af:14:96:56:9a:
+ 12:b1:2b:d6:ef:e6:03:79:96:70:9b:6b:01:9e:42:
+ 66:1f:8d:4b:bb:c7:60:09:df:2f:cc:b6:92:32:58:
+ 91:2d:80:c5:0c:d5:e0:a7:48:1e:5a:3a:e0:68:34:
+ 67:c0:67:59:2f:0d:fd:53:4c:5e:15:2a:2c:c2:ba:
+ 8e:1e:61:86:88:cc:84:74:9f:05:ed:7b:10:c2:b5:
+ dc:57:8f:9f:cc:ad:a4:bd:a0:97:90:2a:a8:8e:fc:
+ e3:13:2d:ef:a6:6b:41:54:4a:60:d3:d6:18:8f:4e:
+ 4f:fb:db:42:c3:5f:14:56:cd:e8:29:d1:f5:9b:55:
+ 66:c1:d5:3c:c0:6b:04:1a:a8:51:89:36:c9:43:eb:
+ f6:5d:4f:74:3b:4d:ff:9c:9b:00:49:31:8c:bb:c3:
+ 29:49:9e:08:6a:2b:41:a0:75:95:44:2d:28:6e:eb:
+ f9:4f:6c:2f:db:23:37:ef:f2:2a:3b:5e:e4:e4:0a:
+ e8:8d
+ Exponent: 65537 (0x10001)
+ Signature Algorithm: sha1WithRSAEncryption
+ 49:b1:97:48:72:dc:fb:97:56:f8:e7:80:81:9e:be:4b:9a:6a:
+ d8:5e:b0:59:a1:45:65:f8:1d:ad:c3:de:41:c9:33:17:66:47:
+ 36:54:7f:3c:e8:84:a0:81:40:79:7a:4f:09:1c:88:11:e4:b7:
+ b9:b1:ef:43:7b:70:67:21:81:9c:87:50:b0:1f:f6:fa:28:a4:
+ 62:e5:7d:e4:33:1c:50:11:7d:61:60:e4:bb:95:ba:0d:95:e8:
+ a3:44:07:58:47:c8:e2:57:dc:a6:80:12:62:a4:a4:73:a1:9b:
+ fc:6b:da:4d:44:44:8c:fc:c0:03:b2:6a:41:90:cd:db:53:17:
+ 05:74:7d:dd:3a:88:c6:ec:5d:d4:80:37:22:7f:b0:d2:eb:db:
+ 6e:1d:d5:fd:d7:1d:ee:29:c3:11:85:94:07:0d:f6:8b:7f:c6:
+ 35:39:08:74:87:3c:35:28:18:7c:dc:71:6c:e7:6c:a6:34:77:
+ 27:e7:0a:a8:dc:cf:b7:73:3c:45:b0:26:c3:09:d6:f9:ce:70:
+ 5a:7c:eb:5e:a5:60:97:55:f2:e2:87:8c:96:00:03:a9:20:2a:
+ 4d:b3:10:96:26:1c:c8:dc:58:30:62:95:05:a5:45:d8:07:d2:
+ 0d:47:a9:e8:2e:d0:75:f1:36:c1:d1:ca:9a:2e:5d:75:f7:69:
+ 3e:00:ae:9d
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/net/data/ssl/certificates/non-crit-codeSigning-chain.pem b/net/data/ssl/certificates/non-crit-codeSigning-chain.pem
new file mode 100644
index 0000000..d4565d1
--- /dev/null
+++ b/net/data/ssl/certificates/non-crit-codeSigning-chain.pem
@@ -0,0 +1,105 @@
+-----BEGIN RSA PRIVATE KEY-----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+-----END RSA PRIVATE KEY-----
+Certificate:
+ Data:
+ Version: 1 (0x0)
+ Serial Number: 236 (0xec)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: CN=2048 RSA Test Root CA
+ Validity
+ Not Before: Jan 23 23:51:05 2013 GMT
+ Not After : Jan 21 23:51:05 2023 GMT
+ Subject: C=US, ST=California, L=Mountain View, O=Test CA, CN=127.0.0.1
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ Public-Key: (2048 bit)
+ Modulus:
+ 00:f6:aa:84:c7:7b:40:da:98:5e:7a:4e:da:55:bf:
+ f5:e8:56:38:37:2b:a6:67:47:e1:c9:79:fa:d3:19:
+ a1:50:f9:11:11:26:d1:d0:91:94:35:f5:84:93:52:
+ 89:80:66:47:2f:f7:e4:c1:15:b8:84:23:d0:32:60:
+ 73:05:d0:05:8c:25:11:fd:5d:90:19:45:6e:e1:d1:
+ 1c:34:51:eb:84:6b:1d:16:22:db:a3:64:fe:f5:ae:
+ 26:aa:6b:58:49:16:45:a8:7a:41:a8:1b:fc:53:2d:
+ 1e:73:81:2d:fc:5c:c3:00:22:ca:dc:26:3b:52:df:
+ 81:0d:6f:aa:70:12:d8:12:f5:d8:c7:7a:09:50:64:
+ 16:ef:5c:81:ed:7b:81:80:58:dd:e5:1d:f2:ab:7a:
+ 47:5d:05:d2:ad:96:e8:cf:68:46:77:76:9d:61:4e:
+ b1:44:58:96:00:48:31:3a:53:26:e0:29:8b:82:a5:
+ d6:df:2c:04:5b:85:c0:99:ff:77:8c:3c:63:44:f0:
+ a2:42:a8:d4:14:52:ae:f8:ef:60:14:82:a3:36:af:
+ 9a:a6:27:ee:55:90:39:0d:72:3c:0e:6a:c9:7f:13:
+ 50:93:88:35:88:91:59:a7:a1:73:7f:25:2b:fd:e0:
+ 95:e6:21:e3:92:37:d5:a5:60:eb:eb:ad:f2:cb:8c:
+ 40:43
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Subject Alternative Name:
+ IP Address:127.0.0.1
+ X509v3 Basic Constraints: critical
+ CA:FALSE
+ X509v3 Subject Key Identifier:
+ F1:CF:56:60:86:22:7B:5F:E3:00:7E:D8:73:A2:F2:C4:1D:A9:EB:43
+ X509v3 Extended Key Usage:
+ Code Signing
+ Signature Algorithm: sha1WithRSAEncryption
+ 93:70:2e:48:e9:19:55:22:e8:c4:18:9c:2a:cb:4f:3c:e5:88:
+ 08:a8:8e:8c:49:d5:3e:6a:bc:77:d7:8d:22:03:78:9a:1f:01:
+ 43:85:e6:ec:d3:ec:90:05:47:a3:23:e8:04:e4:6d:7a:ef:45:
+ af:b1:6c:17:7c:e1:3e:be:10:bd:c1:05:12:98:c7:3c:87:49:
+ 9e:79:30:ca:8a:44:95:ce:00:be:81:26:0e:84:83:ab:16:91:
+ f3:33:30:ef:09:50:3e:4b:7b:f8:5b:6c:90:47:f9:55:f6:4c:
+ cb:be:50:2d:f1:c1:96:c0:c2:4f:2c:ee:cb:8b:aa:d6:c2:dd:
+ 28:89:bc:b3:d1:dc:d1:ec:c0:fe:bf:b9:7b:0a:ab:aa:96:ce:
+ 08:89:d8:c7:50:5d:b0:16:ea:90:15:f0:20:d3:e6:bb:3b:18:
+ 87:12:71:b7:b8:56:eb:9c:85:be:82:7c:53:4b:88:22:08:59:
+ 63:ee:75:42:7c:10:69:e9:4c:fe:b0:77:52:81:17:f3:42:b5:
+ 60:e5:2a:1b:03:21:a0:df:bb:ab:21:46:6b:fb:78:76:ac:80:
+ ec:c3:9d:58:a7:27:af:8a:b0:60:a1:c7:8c:f9:e3:d6:f9:1b:
+ e8:44:67:3f:bc:43:e6:32:e1:d9:ca:29:78:20:8c:45:42:0c:
+ 76:39:c2:c0
+-----BEGIN CERTIFICATE-----
+MIIDTDCCAjQCAgDsMA0GCSqGSIb3DQEBBQUAMCAxHjAcBgNVBAMMFTIwNDggUlNB
+IFRlc3QgUm9vdCBDQTAeFw0xMzAxMjMyMzUxMDVaFw0yMzAxMjEyMzUxMDVaMGAx
+CzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1Nb3Vu
+dGFpbiBWaWV3MRAwDgYDVQQKDAdUZXN0IENBMRIwEAYDVQQDDAkxMjcuMC4wLjEw
+ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQD2qoTHe0DamF56TtpVv/Xo
+Vjg3K6ZnR+HJefrTGaFQ+RERJtHQkZQ19YSTUomAZkcv9+TBFbiEI9AyYHMF0AWM
+JRH9XZAZRW7h0Rw0UeuEax0WItujZP71riaqa1hJFkWoekGoG/xTLR5zgS38XMMA
+IsrcJjtS34ENb6pwEtgS9djHeglQZBbvXIHte4GAWN3lHfKrekddBdKtlujPaEZ3
+dp1hTrFEWJYASDE6UybgKYuCpdbfLARbhcCZ/3eMPGNE8KJCqNQUUq7472AUgqM2
+r5qmJ+5VkDkNcjwOasl/E1CTiDWIkVmnoXN/JSv94JXmIeOSN9WlYOvrrfLLjEBD
+AgMBAAGjVTBTMA8GA1UdEQQIMAaHBH8AAAEwDAYDVR0TAQH/BAIwADAdBgNVHQ4E
+FgQU8c9WYIYie1/jAH7Yc6LyxB2p60MwEwYDVR0lBAwwCgYIKwYBBQUHAwMwDQYJ
+KoZIhvcNAQEFBQADggEBAJNwLkjpGVUi6MQYnCrLTzzliAiojoxJ1T5qvHfXjSID
+eJofAUOF5uzT7JAFR6Mj6ATkbXrvRa+xbBd84T6+EL3BBRKYxzyHSZ55MMqKRJXO
+AL6BJg6Eg6sWkfMzMO8JUD5Le/hbbJBH+VX2TMu+UC3xwZbAwk8s7suLqtbC3SiJ
+vLPR3NHswP6/uXsKq6qWzgiJ2MdQXbAW6pAV8CDT5rs7GIcScbe4Vuuchb6CfFNL
+iCIIWWPudUJ8EGnpTP6wd1KBF/NCtWDlKhsDIaDfu6shRmv7eHasgOzDnVinJ6+K
+sGChx4z549b5G+hEZz+8Q+Yy4dnKKXggjEVCDHY5wsA=
+-----END CERTIFICATE-----
diff --git a/net/data/ssl/scripts/eku-test.cnf b/net/data/ssl/scripts/eku-test.cnf
new file mode 100644
index 0000000..7ced049
--- /dev/null
+++ b/net/data/ssl/scripts/eku-test.cnf
@@ -0,0 +1,26 @@
+[req]
+default_bits = 2048
+default_md = sha1
+string_mask = utf8only
+prompt = no
+encrypt_key = no
+distinguished_name = req_dn
+
+[req_dn]
+C = US
+ST = California
+L = Mountain View
+O = Test CA
+CN = 127.0.0.1
+
+[crit-codeSigning]
+subjectAltName = IP:127.0.0.1
+basicConstraints = critical, CA:false
+subjectKeyIdentifier = hash
+extendedKeyUsage = critical, codeSigning
+
+[non-crit-codeSigning]
+subjectAltName = IP:127.0.0.1
+basicConstraints = critical, CA:false
+subjectKeyIdentifier = hash
+extendedKeyUsage = codeSigning
diff --git a/net/data/ssl/scripts/generate-bad-eku-certs.sh b/net/data/ssl/scripts/generate-bad-eku-certs.sh
new file mode 100755
index 0000000..11e41d4
--- /dev/null
+++ b/net/data/ssl/scripts/generate-bad-eku-certs.sh
@@ -0,0 +1,77 @@
+#!/bin/sh
+
+# Copyright 2013 The Chromium Authors. All rights reserved.
+# Use of this source code is governed by a BSD-style license that can be
+# found in the LICENSE file.
+
+# This script generates a set of test (end-entity, root) certificate chains
+# whose EEs have (critical, non-critical) eKUs for codeSigning. We then try
+# to use them as EEs for a web server in unit tests, to make sure that we
+# don't accept such certs as web server certs.
+
+try () {
+ echo "$@"
+ $@ || exit 1
+}
+
+try rm -rf out
+try mkdir out
+
+eku_test_root="eku-test-root"
+
+# Create the serial number files.
+try echo 1 > out/$eku_test_root-serial
+
+# Make sure the signers' DB files exist.
+touch out/$eku_test_root-index.txt
+
+# Generate one root CA certificate.
+try openssl genrsa -out out/$eku_test_root.key 2048
+
+CA_COMMON_NAME="2048 RSA Test Root CA" \
+ CA_DIR=out \
+ CA_NAME=req_env_dn \
+ KEY_SIZE=2048 \
+ ALGO=rsa \
+ CERT_TYPE=root \
+ try openssl req \
+ -new \
+ -key out/$eku_test_root.key \
+ -extensions ca_cert \
+ -out out/$eku_test_root.csr \
+ -config ca.cnf
+
+CA_COMMON_NAME="2048 RSA Test Root CA" \
+ CA_DIR=out \
+ CA_NAME=req_env_dn \
+ try openssl x509 \
+ -req -days 3650 \
+ -in out/$eku_test_root.csr \
+ -extensions ca_cert \
+ -signkey out/$eku_test_root.key \
+ -out out/$eku_test_root.pem
+
+# Generate EE certs.
+for cert_type in non-crit-codeSigning crit-codeSigning
+do
+ try openssl genrsa -out out/$cert_type.key 2048
+
+ try openssl req \
+ -new \
+ -key out/$cert_type.key \
+ -out out/$cert_type.csr \
+ -config eku-test.cnf \
+ -reqexts "$cert_type"
+
+ CA_COMMON_NAME="2048 rsa Test Root CA" \
+ CA_DIR=out \
+ CA_NAME=req_env_dn \
+ KEY_SIZE=2048 \
+ ALGO=rsa \
+ CERT_TYPE=root \
+ try openssl ca \
+ -batch \
+ -in out/$cert_type.csr \
+ -out out/$cert_type.pem \
+ -config ca.cnf
+done
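Review bot: The `openssl ca` call inside the loop sets `CA_COMMON_NAME="2048 rsa Test Root CA"`, while the root above was created with `"2048 RSA Test Root CA"`. ca.cnf is not part of this diff, so whether that value has to match is not visible; the two should be made identical, ideally by hoisting the name into one variable. The `try` helper expands `$@` unquoted, so any argument containing whitespace is re-split before the command runs; `"$@" || exit 1` keeps each argument intact. `touch out/$eku_test_root-index.txt` is the one step not wrapped in `try`, so a failure there only surfaces later inside `openssl ca`. The script also stops at `out/$cert_type.pem` and writes `1` to the serial file, whereas the checked-in `*-chain.pem` files contain key, leaf and root with serials 236 and 237; a header comment such as `# After running, concatenate <key> <leaf> <root> into <type>-chain.pem` would explain how to regenerate them.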