mirror of
https://github.com/openssl/openssl.git
synced 2025-03-31 20:10:45 +08:00
Create a new embeddedSCTs1 that's signed using SHA256
Reviewed-by: Viktor Dukhovni <viktor@openssl.org> GH: #10786
This commit is contained in:
Kurt Roeckx
parent
d8d4e5fb32
commit
4d9e8c9554
4
test/certs/ct-server-key-public.pem
Normal file
4
test/certs/ct-server-key-public.pem
Normal file
@ -0,0 +1,4 @@
|
||||
-----BEGIN PUBLIC KEY-----
|
||||
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEmXg8sUUzwBYaWrRb+V0IopzQ6o3U
|
||||
yEJ04r5ZrRXGdpYM8K+hB0pXrGRLI0eeWz+3skXrS0IO83AhA3GpRL6s6w==
|
||||
-----END PUBLIC KEY-----
|
||||
5
test/certs/ct-server-key.pem
Normal file
5
test/certs/ct-server-key.pem
Normal file
@ -0,0 +1,5 @@
|
||||
-----BEGIN EC PRIVATE KEY-----
|
||||
MHcCAQEEIFLw4uhuCruGKjrS9MoNeXFbypqZe+Sgh+EL1gnRn1d4oAoGCCqGSM49
|
||||
AwEHoUQDQgAEmXg8sUUzwBYaWrRb+V0IopzQ6o3UyEJ04r5ZrRXGdpYM8K+hB0pX
|
||||
rGRLI0eeWz+3skXrS0IO83AhA3GpRL6s6w==
|
||||
-----END EC PRIVATE KEY-----
|
||||
@ -1,15 +1,27 @@
|
||||
-----BEGIN RSA PRIVATE KEY-----
|
||||
MIICWwIBAAKBgQC+75jnwmh3rjhfdTJaDB0ym+3xj6r015a/BH634c4VyVui+A7k
|
||||
WL19uG+KSyUhkaeb1wDDjpwDibRc1NyaEgqyHgy0HNDnKAWkEM2cW9tdSSdyba8X
|
||||
EPYBhzd+olsaHjnu0LiBGdwVTcaPfajjDK8VijPmyVCfSgWwFAn/Xdh+tQIDAQAB
|
||||
AoGAK/daG0vt6Fkqy/hdrtSJSKUVRoGRmS2nnba4Qzlwzh1+x2kdbMFuaOu2a37g
|
||||
PvmeQclheKZ3EG1+Jb4yShwLcBCV6pkRJhOKuhvqGnjngr6uBH4gMCjpZVj7GDMf
|
||||
flYHhdJCs3Cz/TY0wKN3o1Fldil2DHR/AEOc1nImeSp5/EUCQQDjKS3W957kYtTU
|
||||
X5BeRjvg03Ug8tJq6IFuhTFvUJ+XQ5bAc0DmxAbQVKqRS7Wje59zTknVvS+MFdeQ
|
||||
pz4dGuV7AkEA1y0X2yarIls+0A/S1uwkvwRTIkfS+QwFJ1zVya8sApRdKAcidIzA
|
||||
b70hkKLilU9+LrXg5iZdFp8l752qJiw9jwJAXjItN/7mfH4fExGto+or2kbVQxxt
|
||||
9LcFNPc2UJp2ExuL37HrL8YJrUnukOF8KJaSwBWuuFsC5GwKP4maUCdfEQJAUwBR
|
||||
83c3DEmmMRvpeH4erpA8gTyzZN3+HvDwhpvLnjMcvBQEdnDUykVqbSBnxrCjO+Fs
|
||||
n1qtDczWFVf8Cj2GgQJAQ14Awx32Cn9sF+3M+sEVtlAf6CqiEbkYeYdSCbsplMmZ
|
||||
1UoaxiwXY3z+B7epsRnnPR3KaceAlAxw2/zQJMFNOQ==
|
||||
MIIEpQIBAAKCAQEAuIjpA4/iCpDA2mjywI5zG6IBX6bNcRQYDsB7Cv0VonNXtJBw
|
||||
XxMENP4jVpvEmWpJ5iMBknGHV+XWBkngYapczIsY4LGn6aMU6ySABBVQpNOQSRfT
|
||||
48xGGPR9mzOBG/yplmpFOVq1j+b65lskvAXKYaLFpFn3oY/pBSdcCNBP8LypVXAJ
|
||||
b3IqEXsBL/ErgHG9bgIRP8VxBAaryCz77kLzAXkfHL2LfSGIfNONyEKB3xI94S4L
|
||||
eouOSoWL1VkEfJs87vG4G5xoXw3KOHyiueQUUlMnu8p+Bx0xPVKPEsLje3R9k0rG
|
||||
a5ca7dXAn9UypKKp25x4NXpnjGX5txVEYfNvqQIDAQABAoIBAE0zqhh9Z5n3+Vbm
|
||||
tTht4CZdXqm/xQ9b0rzJNjDgtN5j1vuJuhlsgUQSVoJzZIqydvw7BPtZV8AkPagf
|
||||
3Cm/9lb0kpHegVsziRrfCFes+zIZ+LE7sMAKxADIuIvnvkoRKHnvN8rI8lCj16/r
|
||||
zbCD06mJSZp6sSj8ZgZr8wsU63zRGt1TeGM67uVW4agphfzuKGlXstPLsSMwknpF
|
||||
nxFS2TYbitxa9oH76oCpEk5fywYsYgUP4TdzOzfVAgMzNSu0FobvWl0CECB+G3RQ
|
||||
XQ5VWbYkFoj5XbE5kYz6sYHMQWL1NQpglUp+tAQ1T8Nca0CvbSpD77doRGm7UqYw
|
||||
ziVQKokCgYEA6BtHwzyD1PHdAYtOcy7djrpnIMaiisSxEtMhctoxg8Vr2ePEvMpZ
|
||||
S1ka8A1Pa9GzjaUk+VWKWsTf+VkmMHGtpB1sv8S7HjujlEmeQe7p8EltjstvLDmi
|
||||
BhAA7ixvZpXXjQV4GCVdUVu0na6gFGGueZb2FHEXB8j1amVwleJj2lcCgYEAy4f3
|
||||
2wXqJfz15+YdJPpG9BbH9d/plKJm5ID3p2ojAGo5qvVuIJMNJA4elcfHDwzCWVmn
|
||||
MtR/WwtxYVVmy1BAnmk6HPSYc3CStvv1800vqN3fyJWtZ1P+8WBVZWZzIQdjdiaU
|
||||
JSRevPnjQGc+SAZQQIk1yVclbz5790yuXsdIxf8CgYEApqlABC5lsvfga4Vt1UMn
|
||||
j57FAkHe4KmPRCcZ83A88ZNGd/QWhkD9kR7wOsIz7wVqWiDkxavoZnjLIi4jP9HA
|
||||
jwEZ3zER8wl70bRy0IEOtZzj8A6fSzAu6Q+Au4RokU6yse3lZ+EcepjQvhBvnXLu
|
||||
ZxxAojj6AnsHzVf9WYJvlI0CgYEAoATIw/TEgRV/KNHs/BOiEWqP0Co5dVix2Nnk
|
||||
3EVAO6VIrbbE3OuAm2ZWeaBWSujXLHSmVfpoHubCP6prZVI1W9aTkAxmh+xsDV3P
|
||||
o3h+DiBTP1seuGx7tr7spQqFXeR3OH9gXktYCO/W0d3aQ7pjAjpehWv0zJ+ty2MI
|
||||
fQ/lkXUCgYEAgbP+P5UmY7Fqm/mi6TprEJ/eYktji4Ne11GDKGFQCfjF5RdKhdw1
|
||||
5+elGhZes+cpzu5Ak6zBDu4bviT+tRTWJu5lVLEzlHHv4nAU7Ks5Aj67ApH21AnP
|
||||
RtlATdhWOt5Dkdq1WSpDfz5bvWgvyBx9D66dSmQdbKKe2dH327eQll4=
|
||||
-----END RSA PRIVATE KEY-----
|
||||
|
||||
@ -1,20 +1,21 @@
|
||||
-----BEGIN CERTIFICATE-----
|
||||
MIIDWTCCAsKgAwIBAgIBBzANBgkqhkiG9w0BAQUFADBVMQswCQYDVQQGEwJHQjEk
|
||||
MIIDeDCCAuGgAwIBAgIBAjANBgkqhkiG9w0BAQsFADBVMQswCQYDVQQGEwJHQjEk
|
||||
MCIGA1UEChMbQ2VydGlmaWNhdGUgVHJhbnNwYXJlbmN5IENBMQ4wDAYDVQQIEwVX
|
||||
YWxlczEQMA4GA1UEBxMHRXJ3IFdlbjAeFw0xMjA2MDEwMDAwMDBaFw0yMjA2MDEw
|
||||
MDAwMDBaMFIxCzAJBgNVBAYTAkdCMSEwHwYDVQQKExhDZXJ0aWZpY2F0ZSBUcmFu
|
||||
c3BhcmVuY3kxDjAMBgNVBAgTBVdhbGVzMRAwDgYDVQQHEwdFcncgV2VuMIGfMA0G
|
||||
CSqGSIb3DQEBAQUAA4GNADCBiQKBgQC+75jnwmh3rjhfdTJaDB0ym+3xj6r015a/
|
||||
BH634c4VyVui+A7kWL19uG+KSyUhkaeb1wDDjpwDibRc1NyaEgqyHgy0HNDnKAWk
|
||||
EM2cW9tdSSdyba8XEPYBhzd+olsaHjnu0LiBGdwVTcaPfajjDK8VijPmyVCfSgWw
|
||||
FAn/Xdh+tQIDAQABo4IBOjCCATYwHQYDVR0OBBYEFCAxVBryXAX/2GWLaEN5T16Q
|
||||
Nve0MH0GA1UdIwR2MHSAFF+diA3Ic+ZU1PgN2OawwSS0R8NVoVmkVzBVMQswCQYD
|
||||
VQQGEwJHQjEkMCIGA1UEChMbQ2VydGlmaWNhdGUgVHJhbnNwYXJlbmN5IENBMQ4w
|
||||
DAYDVQQIEwVXYWxlczEQMA4GA1UEBxMHRXJ3IFdlboIBADAJBgNVHRMEAjAAMIGK
|
||||
BgorBgEEAdZ5AgQCBHwEegB4AHYA3xwuwRUAlFJHqWFoMl3cXHlZ6PfG04j8AC4L
|
||||
vT9012QAAAE92yffkwAABAMARzBFAiBIL2dRrzXbplQ2vh/WZA89v5pBQpSVkkUw
|
||||
KI+j5eI+BgIhAOTtwNs6xXKx4vXoq2poBlOYfc9BAn3+/6EFUZ2J7b8IMA0GCSqG
|
||||
SIb3DQEBBQUAA4GBAIoMS+8JnUeSea+goo5on5HhxEIb4tJpoupspOghXd7dyhUE
|
||||
oR58h8S3foDw6XkDUmjyfKIOFmgErlVvMWmB+Wo5Srer/T4lWsAERRP+dlcMZ5Wr
|
||||
5HAxM9MD+J86+mu8/FFzGd/ZW5NCQSEfY0A1w9B4MHpoxgdaLiDInza4kQyg
|
||||
YWxlczEQMA4GA1UEBxMHRXJ3IFdlbjAgFw0yMDAxMjUxMTUwMTNaGA8yMTIwMDEy
|
||||
NjExNTAxM1owGTEXMBUGA1UEAwwOc2VydmVyLmV4YW1wbGUwggEiMA0GCSqGSIb3
|
||||
DQEBAQUAA4IBDwAwggEKAoIBAQC4iOkDj+IKkMDaaPLAjnMbogFfps1xFBgOwHsK
|
||||
/RWic1e0kHBfEwQ0/iNWm8SZaknmIwGScYdX5dYGSeBhqlzMixjgsafpoxTrJIAE
|
||||
FVCk05BJF9PjzEYY9H2bM4Eb/KmWakU5WrWP5vrmWyS8BcphosWkWfehj+kFJ1wI
|
||||
0E/wvKlVcAlvcioRewEv8SuAcb1uAhE/xXEEBqvILPvuQvMBeR8cvYt9IYh8043I
|
||||
QoHfEj3hLgt6i45KhYvVWQR8mzzu8bgbnGhfDco4fKK55BRSUye7yn4HHTE9Uo8S
|
||||
wuN7dH2TSsZrlxrt1cCf1TKkoqnbnHg1emeMZfm3FURh82+pAgMBAAGjggEMMIIB
|
||||
CDAdBgNVHQ4EFgQUtMa8XD5ylrF9AqCdnPEhXa63H2owHwYDVR0jBBgwFoAUX52I
|
||||
Dchz5lTU+A3Y5rDBJLRHw1UwCQYDVR0TBAIwADATBgNVHSUEDDAKBggrBgEFBQcD
|
||||
ATCBigYKKwYBBAHWeQIEAgR8BHoAeAB2AN8cLsEVAJRSR6lhaDJd3Fx5Wej3xtOI
|
||||
/AAuC70/dNdkAAABb15m6AAAAAQDAEcwRQIgfDPo8RArm/vcSEZ608Q1u+XQ55QB
|
||||
u67SZEuZxLpbUM0CIQDRsgcTud4PDy8Cgg+lHeAS7UxgSKBbWAznYOuorwNewzAZ
|
||||
BgNVHREEEjAQgg5zZXJ2ZXIuZXhhbXBsZTANBgkqhkiG9w0BAQsFAAOBgQCWFKKR
|
||||
RNkDRzB25NK07OLkbzebhnpKtbP4i3blRx1HAvTSamf/3uuHI7kfiPJorJymJpT1
|
||||
IuJvSVKyMu1qONWBimiBfiyGL7+le1izHEJIP5lVTbddfzSIBIvrlHHcWIOL3H+W
|
||||
YT6yTEIzJuO07Xp61qnB1CE2TrinUWlyC46Zkw==
|
||||
-----END CERTIFICATE-----
|
||||
|
||||
@ -2,11 +2,11 @@ Signed Certificate Timestamp:
|
||||
Version : v1 (0x0)
|
||||
Log ID : DF:1C:2E:C1:15:00:94:52:47:A9:61:68:32:5D:DC:5C:
|
||||
79:59:E8:F7:C6:D3:88:FC:00:2E:0B:BD:3F:74:D7:64
|
||||
Timestamp : Apr 5 17:04:16.275 2013 GMT
|
||||
Timestamp : Jan 1 00:00:00.000 2020 GMT
|
||||
Extensions: none
|
||||
Signature : ecdsa-with-SHA256
|
||||
30:45:02:20:48:2F:67:51:AF:35:DB:A6:54:36:BE:1F:
|
||||
D6:64:0F:3D:BF:9A:41:42:94:95:92:45:30:28:8F:A3:
|
||||
E5:E2:3E:06:02:21:00:E4:ED:C0:DB:3A:C5:72:B1:E2:
|
||||
F5:E8:AB:6A:68:06:53:98:7D:CF:41:02:7D:FE:FF:A1:
|
||||
05:51:9D:89:ED:BF:08
|
||||
30:45:02:20:7C:33:E8:F1:10:2B:9B:FB:DC:48:46:7A:
|
||||
D3:C4:35:BB:E5:D0:E7:94:01:BB:AE:D2:64:4B:99:C4:
|
||||
BA:5B:50:CD:02:21:00:D1:B2:07:13:B9:DE:0F:0F:2F:
|
||||
02:82:0F:A5:1D:E0:12:ED:4C:60:48:A0:5B:58:0C:E7:
|
||||
60:EB:A8:AF:03:5E:C3
|
||||
|
||||
BIN
test/certs/embeddedSCTs1.tlssct
Normal file
BIN
test/certs/embeddedSCTs1.tlssct
Normal file
Binary file not shown.
15
test/certs/embeddedSCTs1_issuer-key.pem
Normal file
15
test/certs/embeddedSCTs1_issuer-key.pem
Normal file
@ -0,0 +1,15 @@
|
||||
-----BEGIN RSA PRIVATE KEY-----
|
||||
MIICXAIBAAKBgQDVimhTYhCicRmTbneDIRgcKkATxtB7jHbrkVfT0PtLO1FuzsvR
|
||||
yY2RxS90P6tjXVUJnNE6uvMa5UFEJFGnTHgW8iQ8+EjPKDHM5nugSlojgZ88ujfm
|
||||
JNnDvbKZuDnd/iYx0ss6hPx7srXFL8/BT/9Ab1zURmnLsvfP34b7arnRsQIDAQAB
|
||||
AoGAJLR6xEJp+5IXRFlLn7WTkFvO0ddtxJ7bXhiIkTctyruyfqp7LF9Jv1G2m3PK
|
||||
QPUtBc73w/GYkfnwIwdfJbOmPHL7XyEGHZYmEXgIgEtw6LXvAv0G5JpUnNwsSBfL
|
||||
GfSQqI5Z5ytyzlJXkMcTGA2kTgNAYc73h4EnU+pwUnDPdAECQQD2aj+4LtYk1XPq
|
||||
r3gjgI6MoGvgYJfPmAtZhxxVbhXQKciFUCAcBiwlQdHIdLWE9j65ctmZRWidKifr
|
||||
4O4nz+TBAkEA3djNW/rTQq5fKZy+mCF1WYnIU/3yhJaptzRqLm7AHqe7+hdrGXJw
|
||||
+mCtU8T3L/Ms8bH1yFBZhmkp1PbR8gl48QJAQo70YyWThiN5yfxXcQ96cZWrTdIJ
|
||||
b3NcLXSHPLQdhDqlBQ1dfvRT3ERpC8IqfZ2d162kBPhwh3MpkVcSPQK0gQJAC/dY
|
||||
xGBYKt2a9nSk9zG+0bCT5Kvq++ngh6hFHfINXNnxUsEWns3EeEzkrIMQTj7QqszN
|
||||
lBt5aL2dawZRNrv6EQJBAOo4STF9KEwQG0HLC/ryh1FeB0OBA5yIepXze+eJVKei
|
||||
T0cCECOQJKfWHEzYJYDJhyEFF/sYp9TXwKSDjOifrsU=
|
||||
-----END RSA PRIVATE KEY-----
|
||||
@ -33,4 +33,4 @@ Signed Certificate Timestamp:
|
||||
55:83:D2:9D:E5:A1:8D:B6:3D:A6:73:89:42:32:9C:91:
|
||||
0F:3B:6A:74:02:21:00:86:EE:10:F9:10:E6:7B:17:65:
|
||||
D9:2D:37:53:4A:3B:F0:AE:03:E4:21:76:37:EF:AF:B4:
|
||||
44:2E:2B:F5:5C:C6:91
|
||||
44:2E:2B:F5:5C:C6:91
|
||||
|
||||
@ -288,4 +288,56 @@ gennocn() {
|
||||
cert "$cert" "" -signkey "${key}.pem" -set_serial 1 -days -1 "$@"
|
||||
}
|
||||
|
||||
genct() {
|
||||
local OPTIND=1
|
||||
local purpose=serverAuth
|
||||
|
||||
while getopts p: o
|
||||
do
|
||||
case $o in
|
||||
p) purpose="$OPTARG";;
|
||||
*) echo "Usage: $0 genct [-p EKU] cn keyname certname cakeyname cacertname ctlogkey" >&2
|
||||
return 1;;
|
||||
esac
|
||||
done
|
||||
|
||||
shift $((OPTIND - 1))
|
||||
local cn=$1; shift
|
||||
local key=$1; shift
|
||||
local cert=$1; shift
|
||||
local cakey=$1; shift
|
||||
local ca=$1; shift
|
||||
local logkey=$1; shift
|
||||
|
||||
exts=$(printf "%s\n%s\n%s\n%s\n%s\n%s\n[alts]\n%s\n" \
|
||||
"subjectKeyIdentifier = hash" \
|
||||
"authorityKeyIdentifier = keyid, issuer" \
|
||||
"basicConstraints = CA:false" \
|
||||
"extendedKeyUsage = $purpose" \
|
||||
"1.3.6.1.4.1.11129.2.4.3 = critical,ASN1:NULL"\
|
||||
"subjectAltName = @alts" "DNS=${cn}")
|
||||
csr=$(req "$key" "CN = $cn") || return 1
|
||||
echo "$csr" |
|
||||
cert "$cert" "$exts" -CA "${ca}.pem" -CAkey "${cakey}.pem" \
|
||||
-set_serial 2 -days "${DAYS}" "$@"
|
||||
cat ${cert}.pem ${ca}.pem > ${cert}-chain.pem
|
||||
go run github.com/google/certificate-transparency-go/ctutil/sctgen \
|
||||
--log_private_key ${logkey}.pem \
|
||||
--timestamp="2020-01-01T00:00:00Z" \
|
||||
--cert_chain ${cert}-chain.pem \
|
||||
--tls_out ${cert}.tlssct
|
||||
rm ${cert}-chain.pem
|
||||
filesize=$(wc -c <${cert}.tlssct)
|
||||
exts=$(printf "%s\n%s\n%s\n%s\n%s%04X%04X%s\n%s\n[alts]\n%s\n" \
|
||||
"subjectKeyIdentifier = hash" \
|
||||
"authorityKeyIdentifier = keyid, issuer" \
|
||||
"basicConstraints = CA:false" \
|
||||
"extendedKeyUsage = $purpose" \
|
||||
"1.3.6.1.4.1.11129.2.4.2 = ASN1:FORMAT:HEX,OCT:" $((filesize+2)) $filesize `xxd -p ${cert}.tlssct | tr -d '\n'` \
|
||||
"subjectAltName = @alts" "DNS=${cn}")
|
||||
echo "$csr" |
|
||||
cert "$cert" "$exts" -CA "${ca}.pem" -CAkey "${cakey}.pem" \
|
||||
-set_serial 2 -days "${DAYS}" "$@"
|
||||
}
|
||||
|
||||
"$@"
|
||||
|
||||
@ -375,3 +375,6 @@ openssl req -new -nodes -subj "/CN=localhost" \
|
||||
-pkeyopt rsa_pss_keygen_md:sha256 -pkeyopt rsa_pss_keygen_saltlen:32 | \
|
||||
./mkcert.sh geneenocsr "Server RSA-PSS restricted cert" \
|
||||
server-pss-restrict-cert rootkey rootcert
|
||||
|
||||
# CT entry
|
||||
./mkcert.sh genct server.example embeddedSCTs1-key embeddedSCTs1 embeddedSCTs1_issuer-key embeddedSCTs1_issuer ct-server-key
|
||||
|
||||
@ -63,7 +63,7 @@ static CT_TEST_FIXTURE *set_up(const char *const test_case_name)
|
||||
if (!TEST_ptr(fixture = OPENSSL_zalloc(sizeof(*fixture))))
|
||||
goto end;
|
||||
fixture->test_case_name = test_case_name;
|
||||
fixture->epoch_time_in_ms = 1473269626000ULL; /* Sep 7 17:33:46 2016 GMT */
|
||||
fixture->epoch_time_in_ms = 1580335307000ULL; /* Wed 29 Jan 2020 10:01:47 PM UTC */
|
||||
if (!TEST_ptr(fixture->ctlog_store = CTLOG_STORE_new())
|
||||
|| !TEST_int_eq(
|
||||
CTLOG_STORE_load_default_file(fixture->ctlog_store), 1))
|
||||
@ -160,6 +160,10 @@ static int compare_extension_printout(X509_EXTENSION *extension,
|
||||
X509V3_EXT_DEFAULT, 0)))
|
||||
goto end;
|
||||
|
||||
/* Append \n because it's easier to create files that end with one. */
|
||||
if (!TEST_true(BIO_write(text_buffer, "\n", 1)))
|
||||
goto end;
|
||||
|
||||
/* Append \0 because we're about to use the buffer contents as a string. */
|
||||
if (!TEST_true(BIO_write(text_buffer, "\0", 1)))
|
||||
goto end;
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user