8 files changed, 137 insertions, 24 deletions

diff --git a/net/data/ssl/scripts/aia-test.cnf b/net/data/ssl/scripts/aia-test.cnf
index f89d68a..635b033 100644
--- a/net/data/ssl/scripts/aia-test.cnf
+++ b/net/data/ssl/scripts/aia-test.cnf
@@ -9,7 +9,7 @@ preserve   = yes
 [CA_root]
 dir           = ${ENV::CA_DIR}
 key_size      = 2048
-algo          = sha1
+algo          = sha256
 database      = $dir/${ENV::CA_NAME}-index.txt
 new_certs_dir = $dir
 serial        = $dir/${ENV::CA_NAME}-serial
@@ -18,7 +18,7 @@ private_key   = $dir/${ENV::CA_NAME}.key
 RANDFILE      = $dir/.rand
 default_days     = 3650
 default_crl_days = 30
-default_md       = sha1
+default_md       = sha256
 policy           = policy_anything
 unique_subject   = no
 copy_extensions  = copy
@@ -44,7 +44,7 @@ emailAddress           = optional
 
 [req]
 default_bits       = 2048
-default_md         = sha1
+default_md         = sha256
 string_mask        = utf8only
 prompt             = no
 encrypt_key        = no
diff --git a/net/data/ssl/scripts/ca.cnf b/net/data/ssl/scripts/ca.cnf
index 8a1d1e7..1b78e01 100644
--- a/net/data/ssl/scripts/ca.cnf
+++ b/net/data/ssl/scripts/ca.cnf
@@ -1,7 +1,7 @@
 # Defaults in the event they're not set in the environment
 CA_DIR    = out
 KEY_SIZE  = 2048
-ALGO      = sha1
+ALGO      = sha256
 CERT_TYPE = root
 CA_NAME   = req_env_dn
 
@@ -24,7 +24,7 @@ private_key   = $dir/$type.key
 RANDFILE      = $dir/.rand
 default_days     = 3650
 default_crl_days = 30
-default_md       = sha1
+default_md       = sha256
 policy           = policy_anything
 unique_subject   = no
 copy_extensions  = copy
@@ -36,6 +36,30 @@ subjectKeyIdentifier   = hash
 authorityKeyIdentifier = keyid:always
 extendedKeyUsage       = serverAuth,clientAuth
 
+[name_constraint_bad]
+# A leaf cert that will violate the root's imposed name constraints
+basicConstraints       = critical, CA:false
+subjectKeyIdentifier   = hash
+authorityKeyIdentifier = keyid:always
+extendedKeyUsage       = serverAuth,clientAuth
+subjectAltName         = @san_name_constraint_bad
+
+[name_constraint_good]
+# A leaf cert that will match the root's imposed name constraints
+basicConstraints       = critical, CA:false
+subjectKeyIdentifier   = hash
+authorityKeyIdentifier = keyid:always
+extendedKeyUsage       = serverAuth,clientAuth
+subjectAltName         = @san_name_constraint_good
+
+[san_name_constraint_bad]
+DNS.1 = test.ExAmPlE.CoM
+DNS.2 = test.ExAmPlE.OrG
+
+[san_name_constraint_good]
+DNS.1 = test.ExAmPlE.CoM
+DNS.2 = example.notarealtld
+
 [ca_cert]
 # Extensions to add when signing a request for an intermediate/CA cert
 basicConstraints       = critical, CA:true
@@ -63,7 +87,7 @@ emailAddress           = optional
 # than the root CA, see README to find the appropriate configuration file
 # (ie: openssl_cert.cnf).
 default_bits       = $ENV::KEY_SIZE
-default_md         = sha1
+default_md         = sha256
 string_mask        = utf8only
 prompt             = no
 encrypt_key        = no
diff --git a/net/data/ssl/scripts/client-certs.cnf b/net/data/ssl/scripts/client-certs.cnf
index 1efa04a..044bab1 100644
--- a/net/data/ssl/scripts/client-certs.cnf
+++ b/net/data/ssl/scripts/client-certs.cnf
@@ -13,7 +13,7 @@ serial          = $dir/${ENV::ID}-serial
 certificate     = $dir/${ENV::ID}.pem
 private_key     = $dir/${ENV::ID}.key
 RANDFILE        = $dir/rand
-default_md      = sha1
+default_md      = sha256
 default_days    = 3650
 policy          = policy_anything
 unique_subject  = no
@@ -31,7 +31,7 @@ emailAddress           = optional
 
 [req]
 default_bits       = 2048
-default_md         = sha1
+default_md         = sha256
 string_mask        = utf8only
 prompt             = no
 encrypt_key        = no
diff --git a/net/data/ssl/scripts/ee.cnf b/net/data/ssl/scripts/ee.cnf
index 5214f9e..fa2a89b 100644
--- a/net/data/ssl/scripts/ee.cnf
+++ b/net/data/ssl/scripts/ee.cnf
@@ -3,7 +3,7 @@ KEY_SIZE = 2048
 
 [req]
 default_bits       = ${ENV::KEY_SIZE}
-default_md         = sha1
+default_md         = sha256
 string_mask        = utf8only
 prompt             = no
 encrypt_key        = no
@@ -25,9 +25,16 @@ CN = Duplicate
 O  = Bar
 CN = Duplicate
 
+[req_punycode_dn]
+CN = xn--wgv71a119e.com
+
 [req_extensions]
 subjectAltName = IP:127.0.0.1
 
+[req_punycode]
+basicConstraints = critical, CA:true
+subjectAltName   = @punycode_san
+
 [req_san_sanity]
 basicConstraints = critical, CA:true
 subjectAltName   = @san_sanity
@@ -50,3 +57,8 @@ CN=127.0.0.3
 DNS.1 = www.example.org
 DNS.2 = mail.example.org
 DNS.3 = mail.example.com
+
+[punycode_san]
+DNS.1 = xn--wgv71a119e.com
+DNS.2 = *.xn--wgv71a119e.com
+DNS.3 = blahblahblahblah.com
diff --git a/net/data/ssl/scripts/eku-test.cnf b/net/data/ssl/scripts/eku-test.cnf
index 7ced049..0138bac 100644
--- a/net/data/ssl/scripts/eku-test.cnf
+++ b/net/data/ssl/scripts/eku-test.cnf
@@ -1,6 +1,6 @@
 [req]
 default_bits       = 2048
-default_md         = sha1
+default_md         = sha256
 string_mask        = utf8only
 prompt             = no
 encrypt_key        = no
diff --git a/net/data/ssl/scripts/generate-test-certs.sh b/net/data/ssl/scripts/generate-test-certs.sh
index 6323de3..d62bb98 100755
--- a/net/data/ssl/scripts/generate-test-certs.sh
+++ b/net/data/ssl/scripts/generate-test-certs.sh
@@ -15,26 +15,26 @@ try() {
 try rm -rf out
 try mkdir out
 
-try /bin/sh -c "echo 01 > out/2048-sha1-root-serial"
-touch out/2048-sha1-root-index.txt
+try /bin/sh -c "echo 01 > out/2048-sha256-root-serial"
+touch out/2048-sha256-root-index.txt
 
 # Generate the key
-try openssl genrsa -out out/2048-sha1-root.key 2048
+try openssl genrsa -out out/2048-sha256-root.key 2048
 
 # Generate the root certificate
 CA_COMMON_NAME="Test Root CA" \
   try openssl req \
     -new \
-    -key out/2048-sha1-root.key \
-    -out out/2048-sha1-root.req \
+    -key out/2048-sha256-root.key \
+    -out out/2048-sha256-root.req \
     -config ca.cnf
 
 CA_COMMON_NAME="Test Root CA" \
   try openssl x509 \
     -req -days 3650 \
-    -in out/2048-sha1-root.req \
-    -out out/2048-sha1-root.pem \
-    -signkey out/2048-sha1-root.key \
+    -in out/2048-sha256-root.req \
+    -out out/2048-sha256-root.pem \
+    -signkey out/2048-sha256-root.key \
     -extfile ca.cnf \
     -extensions ca_cert \
     -text
@@ -72,10 +72,87 @@ CA_COMMON_NAME="Test Root CA" \
     -out out/ok_cert.pem \
     -config ca.cnf
 
+CA_COMMON_NAME="Test Root CA" \
+  try openssl ca \
+    -batch \
+    -extensions name_constraint_bad \
+    -subj "/CN=Leaf certificate/" \
+    -days 3650 \
+    -in out/ok_cert.req \
+    -out out/name_constraint_bad.pem \
+    -config ca.cnf
+
+CA_COMMON_NAME="Test Root CA" \
+  try openssl ca \
+    -batch \
+    -extensions name_constraint_good \
+    -subj "/CN=Leaf Certificate/" \
+    -days 3650 \
+    -in out/ok_cert.req \
+    -out out/name_constraint_good.pem \
+    -config ca.cnf
+
 try /bin/sh -c "cat out/ok_cert.key out/ok_cert.pem \
     > ../certificates/ok_cert.pem"
 try /bin/sh -c "cat out/expired_cert.key out/expired_cert.pem \
     > ../certificates/expired_cert.pem"
-try /bin/sh -c "cat out/2048-sha1-root.key out/2048-sha1-root.pem \
+try /bin/sh -c "cat out/2048-sha256-root.key out/2048-sha256-root.pem \
     > ../certificates/root_ca_cert.pem"
+try /bin/sh -c "cat out/ok_cert.key out/name_constraint_bad.pem \
+    > ../certificates/name_constraint_bad.pem"
+try /bin/sh -c "cat out/ok_cert.key out/name_constraint_good.pem \
+    > ../certificates/name_constraint_good.pem"
+
+# Now generate the one-off certs
+## SHA-256 general test cert
+try openssl req -x509 -days 3650 \
+    -config ../scripts/ee.cnf -newkey rsa:2048 -text \
+    -sha256 \
+    -out sha256.pem
+
+## Self-signed cert for SPDY/QUIC/HTTP2 pooling testing
+try openssl req -x509 -days 3650 -extensions req_spdy_pooling \
+    -config ../scripts/ee.cnf -newkey rsa:2048 -text \
+    -out ../certificates/spdy_pooling.pem
+
+## SubjectAltName parsing
+try openssl req -x509 -days 3650 -extensions req_san_sanity \
+    -config ../scripts/ee.cnf -newkey rsa:2048 -text \
+    -out ../certificates/subjectAltName_sanity_check.pem
+
+## Punycode handling
+SUBJECT_NAME="req_punycode_dn" \
+  try openssl req -x509 -days 3650 -extensions req_punycode \
+    -config ../scripts/ee.cnf -newkey rsa:2048 -text \
+     -out ../certificates/punycodetest.pem
 
+# Regenerate CRLSets
+## Block a leaf cert directly by SPKI
+try python crlsetutil.py -o ../certificates/crlset_by_leaf_spki.raw \
+<<CRLBYLEAFSPKI
+{
+  "BlockedBySPKI": ["../certificates/ok_cert.pem"]
+}
+CRLBYLEAFSPKI
+
+## Block a leaf cert by issuer-hash-and-serial (ok_cert.pem == serial 2, by
+## virtue of the serial file and ordering above.
+try python crlsetutil.py -o ../certificates/crlset_by_root_serial.raw \
+<<CRLBYROOTSERIAL
+{
+  "BlockedByHash": {
+    "../certificates/root_ca_cert.pem": [2]
+  }
+}
+CRLBYROOTSERIAL
+
+## Block a leaf cert by issuer-hash-and-serial. However, this will be issued
+## from an intermediate CA issued underneath a root.
+try python crlsetutil.py -o ../certificates/crlset_by_intermediate_serial.raw \
+<<CRLSETBYINTERMEDIATESERIAL
+{
+  "BlockedByHash": {
+    "../certificates/quic_intermediate.crt": [3]
+  }
+}
+CRLSETBYINTERMEDIATESERIAL
diff --git a/net/data/ssl/scripts/policy.cnf b/net/data/ssl/scripts/policy.cnf
index f5f1e0b..12af828 100644
--- a/net/data/ssl/scripts/policy.cnf
+++ b/net/data/ssl/scripts/policy.cnf
@@ -8,7 +8,7 @@ preserve   = yes
 [CA_root]
 dir           = ${ENV::CA_DIR}
 key_size      = 2048
-algo          = sha1
+algo          = sha256
 database      = $dir/${ENV::CA_NAME}-index.txt
 new_certs_dir = $dir
 serial        = $dir/${ENV::CA_NAME}-serial
@@ -17,7 +17,7 @@ private_key   = $dir/${ENV::CA_NAME}.key
 RANDFILE      = $dir/.rand
 default_days     = 3650
 default_crl_days = 30
-default_md       = sha1
+default_md       = sha256
 policy           = policy_anything
 unique_subject   = no
 copy_extensions  = copy
@@ -49,7 +49,7 @@ emailAddress           = optional
 
 [req]
 default_bits       = 2048
-default_md         = sha1
+default_md         = sha256
 string_mask        = utf8only
 prompt             = no
 encrypt_key        = no
diff --git a/net/data/ssl/scripts/redundant-ca.cnf b/net/data/ssl/scripts/redundant-ca.cnf
index b03eb81..5707b73 100644
--- a/net/data/ssl/scripts/redundant-ca.cnf
+++ b/net/data/ssl/scripts/redundant-ca.cnf
@@ -15,7 +15,7 @@ private_key   = ${dir}/${ENV::CERTIFICATE}.key
 RANDFILE      = ${dir}/rand
 default_days     = 3650
 default_crl_days = 30
-default_md       = sha1
+default_md       = sha256
 policy           = policy_anything
 unique_subject   = no
 
@@ -50,7 +50,7 @@ emailAddress           = optional
 [req]
 # The request section used to generate certificate requests.
 default_bits       = 2048
-default_md         = sha1
+default_md         = sha256
 string_mask        = utf8only
 prompt             = no
 encrypt_key        = no