1#!/usr/bin/env python 2# Copyright 2019 The Chromium Authors 3# Use of this source code is governed by a BSD-style license that can be 4# found in the LICENSE file. 5"""This script is called without any arguments to re-generate all of the *.pem 6files in the script's directory. 7 8The https://github.com/google/der-ascii tools must be in the PATH. 9 10These tests assume that the verification time will be 2017-03-09 00:00:00 GMT 11and verified with a max CRL age of 7 days. 12""" 13 14import datetime 15import subprocess 16import os 17 18from OpenSSL import crypto 19 20import base64 21 22 23HEADER = "Generated by %s. Do not edit." % os.path.split(__file__)[1] 24 25NEXT_SERIAL = 0 26 27# 2017-01-01 00:00 GMT 28CERT_DATE = datetime.datetime(2017, 1, 1, 0, 0) 29 30# 2018-01-01 00:00 GMT 31CERT_EXPIRE = CERT_DATE + datetime.timedelta(days=365) 32 33 34def DictUnion(a, b): 35 return dict(a.items() + b.items()) 36 37 38def Der2Ascii(txt): 39 p = subprocess.Popen(['der2ascii'], 40 stdin=subprocess.PIPE, 41 stdout=subprocess.PIPE, 42 stderr=subprocess.PIPE) 43 stdout_data, stderr_data = p.communicate(txt) 44 if p.returncode: 45 raise RuntimeError('der2ascii returned %i: %s' % (p.returncode, 46 stderr_data)) 47 return stdout_data 48 49 50def Ascii2Der(txt): 51 p = subprocess.Popen(['ascii2der'], 52 stdin=subprocess.PIPE, 53 stdout=subprocess.PIPE, 54 stderr=subprocess.PIPE) 55 stdout_data, stderr_data = p.communicate(txt) 56 if p.returncode: 57 raise RuntimeError('ascii2der returned %i: %s' % (p.returncode, 58 stderr_data)) 59 return stdout_data 60 61 62def Ascii2OpensslDer(txt): 63 der = Ascii2Der(txt) 64 return 'DER:' + ''.join(['%02X' % ord(b) for b in der]) 65 66 67def CreateCert(name, signer, pkey=None, crl_dp=None, key_usage=None, 68 is_ca=True, version=2): 69 global NEXT_SERIAL 70 if pkey is None: 71 pkey = crypto.PKey() 72 pkey.generate_key(crypto.TYPE_RSA, 1024) 73 cert = crypto.X509() 74 cert.set_version(version) 75 cert.get_subject().CN = name 76 cert.set_pubkey(pkey) 77 cert.set_serial_number(NEXT_SERIAL) 78 NEXT_SERIAL += 1 79 cert.set_notBefore(CERT_DATE.strftime('%Y%m%d%H%M%SZ')) 80 cert.set_notAfter(CERT_EXPIRE.strftime('%Y%m%d%H%M%SZ')) 81 if version == 2: 82 if crl_dp: 83 cert.add_extensions( 84 [crypto.X509Extension('crlDistributionPoints', False, crl_dp)]) 85 if key_usage: 86 cert.add_extensions( 87 [crypto.X509Extension('keyUsage', False, key_usage)]) 88 if is_ca is not None: 89 cert.add_extensions( 90 [crypto.X509Extension('basicConstraints', True, 91 'CA:%s' % ('TRUE' if is_ca else 'FALSE'))]) 92 if signer: 93 cert.set_issuer(signer['cert'].get_subject()) 94 cert.sign(signer['pkey'], 'sha256') 95 else: 96 cert.set_issuer(cert.get_subject()) 97 cert.sign(pkey, 'sha256') 98 99 result = dict(cert=cert, pkey=pkey) 100 if not signer: 101 signer = result 102 result['signer'] = signer 103 return result 104 105 106ROOT_CA = CreateCert('Test CA', None) 107 108# Multiple versions of the intermediate. All use the same name and private key. 109CA = CreateCert('Test Intermediate CA', ROOT_CA, 110 key_usage='critical, keyCertSign, cRLSign') 111CA_NO_KEYUSAGE = CreateCert('Test Intermediate CA', ROOT_CA, 112 pkey=CA['pkey'], key_usage=None) 113CA_KEYUSAGE_NOCRLSIGN = CreateCert('Test Intermediate CA', ROOT_CA, 114 pkey=CA['pkey'], 115 key_usage='critical, keyCertSign') 116 117# A different CA with a different name and key. 118OTHER_CA = CreateCert('Test Other Intermediate CA', ROOT_CA) 119 120# The target cert, with a simple crlDistributionPoints pointing to an arbitrary 121# URL, other crlDistributionPoints fields not set. 122LEAF = CreateCert('Test Cert', CA, crl_dp='URI:http://example.com/foo.crl', is_ca=False) 123 124# The target cert, with no basicConstraints. 125LEAF_NO_BASIC_CONSTRAINTS = CreateCert('Test Cert', CA, crl_dp='URI:http://example.com/foo.crl', is_ca=None) 126 127# The target cert, no crlDistributionPoints. 128LEAF_NO_CRLDP = CreateCert('Test Cert', CA, is_ca=False) 129 130# V1 target cert 131LEAF_V1 = CreateCert('Test Cert', CA, version=0, is_ca=None) 132 133# The target cert, crlDistributionPoints with crlIssuer and 134# crlDistributionPoints set. 135LEAF_CRLDP_CRLISSUER = CreateCert('Test Cert', CA, is_ca=False, 136 # It doesn't seem like you can set crlIssuers through the one-line openssl 137 # interface, so just do it manually. 138 crl_dp=Ascii2OpensslDer(''' 139 SEQUENCE { 140 SEQUENCE { 141 [0] { 142 [0] { 143 [6 PRIMITIVE] { "http://example.com/foo.crl" } 144 } 145 } 146 [2] { 147 [4] { 148 SEQUENCE { 149 SET { 150 SEQUENCE { 151 # commonName 152 OBJECT_IDENTIFIER { 2.5.4.3 } 153 UTF8String { "Test CRL Issuer CA" } 154 } 155 } 156 } 157 } 158 } 159 } 160 } 161 ''')) 162 163# Self-issued intermediate with a new key signed by the |CA| key. 164CA_NEW_BY_OLD = CreateCert('Test Intermediate CA', CA, 165 key_usage='critical, keyCertSign, cRLSign', 166 crl_dp='URI:http://example.com/foo.crl') 167 168# Target cert signed by |CA_NEW_BY_OLD|'s key. 169LEAF_BY_NEW = CreateCert( 170 'Test Cert', CA_NEW_BY_OLD, crl_dp='URI:http://example.com/foo.crl') 171 172 173def SignAsciiCRL(tbs_inner_txt, signer=CA): 174 tbs_txt = 'SEQUENCE {\n%s\n}' % tbs_inner_txt 175 tbs_der = Ascii2Der(tbs_txt) 176 signature = crypto.sign(signer['pkey'], tbs_der, 'sha256') 177 crl_text = ''' 178SEQUENCE { 179 %s 180 SEQUENCE { 181 # sha256WithRSAEncryption 182 OBJECT_IDENTIFIER { 1.2.840.113549.1.1.11 } 183 NULL {} 184 } 185 BIT_STRING { `00%s` } 186} 187''' % (tbs_txt, signature.encode('hex')) 188 CRL = Ascii2Der(crl_text) 189 190 return CRL 191 192 193def MakePemBlock(der, name): 194 text = Der2Ascii(der).rstrip('\n') 195 b64 = base64.b64encode(der) 196 wrapped = '\n'.join(b64[pos:pos + 64] for pos in xrange(0, len(b64), 64)) 197 return '%s\n-----BEGIN %s-----\n%s\n-----END %s-----' % ( 198 text, name, wrapped, name) 199 200 201def WriteStringToFile(data, path): 202 with open(path, "w") as f: 203 f.write(data) 204 205 206def Store(fname, description, leaf, ca, crl_der, ca2=None): 207 ca_cert_der = crypto.dump_certificate(crypto.FILETYPE_ASN1, ca['cert']) 208 cert_der = crypto.dump_certificate(crypto.FILETYPE_ASN1, leaf['cert']) 209 210 out = '\n\n'.join([ 211 HEADER, 212 description, 213 MakePemBlock(crl_der, 'CRL'), 214 MakePemBlock(ca_cert_der, 'CA CERTIFICATE'), 215 MakePemBlock(cert_der, 'CERTIFICATE')]) 216 217 if ca2: 218 ca_cert_2_der = crypto.dump_certificate(crypto.FILETYPE_ASN1, ca2['cert']) 219 out += '\n\n' + MakePemBlock(ca_cert_2_der, 'CA CERTIFICATE 2') 220 221 open('%s.pem' % fname, 'w').write(out) 222 223 224crl_strings = { 225 'sha256WithRSAEncryption': ''' 226 SEQUENCE { 227 OBJECT_IDENTIFIER { 1.2.840.113549.1.1.11 } 228 NULL {} 229 } 230 ''', 231 232 'sha384WithRSAEncryption': ''' 233 SEQUENCE { 234 OBJECT_IDENTIFIER { 1.2.840.113549.1.1.12 } 235 NULL {} 236 } 237 ''', 238 239 'CA_name': ''' 240 SEQUENCE { 241 SET { 242 SEQUENCE { 243 # commonName 244 OBJECT_IDENTIFIER { 2.5.4.3 } 245 UTF8String { "Test Intermediate CA" } 246 } 247 } 248 } 249 ''', 250 251 'thisUpdate': 'UTCTime { "170302001122Z" }', 252 'nextUpdate': 'UTCTime { "170602001122Z" }', 253 'thisUpdateGeneralized': 'GeneralizedTime { "20170302001122Z" }', 254 'nextUpdateGeneralized': 'GeneralizedTime { "20170602001122Z" }', 255 'thisUpdate_too_old': 'UTCTime { "170301001122Z" }', 256 'thisUpdate_in_future': 'UTCTime { "170310001122Z" }', 257 'nextUpdate_too_old': 'UTCTime { "170308001122Z" }', 258 259 'leaf_revoked': ''' 260 SEQUENCE { 261 SEQUENCE { 262 INTEGER { %i } 263 UTCTime { "170201001122Z" } 264 # no crlEntryExtensions 265 } 266 SEQUENCE { 267 INTEGER { %i } 268 UTCTime { "170201001122Z" } 269 # no crlEntryExtensions 270 } 271 SEQUENCE { 272 INTEGER { %i } 273 UTCTime { "170201001122Z" } 274 # no crlEntryExtensions 275 } 276 } 277 ''' % (LEAF['cert'].get_serial_number() + 100, 278 LEAF['cert'].get_serial_number(), 279 LEAF['cert'].get_serial_number() + 101), 280 281 'leaf_revoked_fake_extension': ''' 282 SEQUENCE { 283 SEQUENCE { 284 INTEGER { %i } 285 UTCTime { "170201001122Z" } 286 # no crlEntryExtensions 287 } 288 SEQUENCE { 289 INTEGER { %i } 290 UTCTime { "170201001122Z" } 291 SEQUENCE { 292 SEQUENCE { 293 OBJECT_IDENTIFIER { 1.2.3.4 } 294 OCTET_STRING { `5678` } 295 } 296 } 297 } 298 SEQUENCE { 299 INTEGER { %i } 300 UTCTime { "170201001122Z" } 301 # no crlEntryExtensions 302 } 303 } 304 ''' % (LEAF['cert'].get_serial_number() + 100, 305 LEAF['cert'].get_serial_number(), 306 LEAF['cert'].get_serial_number() + 101), 307 308 'leaf_revoked_before_fake_critical_extension': ''' 309 SEQUENCE { 310 SEQUENCE { 311 INTEGER { %i } 312 UTCTime { "170201001122Z" } 313 # leaf revocation entry has no crlEntryExtensions 314 } 315 SEQUENCE { 316 INTEGER { %i } 317 UTCTime { "170201001122Z" } 318 # next revocation entry has a critical crlEntryExtension 319 SEQUENCE { 320 SEQUENCE { 321 OBJECT_IDENTIFIER { 1.2.3.4 } 322 BOOLEAN { `ff` } 323 OCTET_STRING { `5678` } 324 } 325 } 326 } 327 } 328 ''' % (LEAF['cert'].get_serial_number(), 329 LEAF['cert'].get_serial_number() + 101), 330 331 'leaf_revoked_generalizedtime': ''' 332 SEQUENCE { 333 SEQUENCE { 334 INTEGER { %i } 335 GeneralizedTime { "20170201001122Z" } 336 # no crlEntryExtensions 337 } 338 SEQUENCE { 339 INTEGER { %i } 340 GeneralizedTime { "20170201001122Z" } 341 # no crlEntryExtensions 342 } 343 SEQUENCE { 344 INTEGER { %i } 345 GeneralizedTime { "20170201001122Z" } 346 # no crlEntryExtensions 347 } 348 } 349 ''' % (LEAF['cert'].get_serial_number() + 100, 350 LEAF['cert'].get_serial_number(), 351 LEAF['cert'].get_serial_number() + 101), 352 353 'fake_extension': ''' 354 SEQUENCE { 355 OBJECT_IDENTIFIER { 1.2.3.4 } 356 OCTET_STRING { `5678` } 357 } 358 ''', 359 360 'fake_critical_extension': ''' 361 SEQUENCE { 362 OBJECT_IDENTIFIER { 1.2.3.4 } 363 BOOLEAN { `ff` } 364 OCTET_STRING { `5678` } 365 } 366 ''', 367 368 # An issuingDistributionPoint with multiple fullName values, one of which 369 # matches the URI in |LEAF|'s crlDistributionPoints extension. 370 'issuingDistributionPoint': ''' 371 SEQUENCE { 372 OBJECT_IDENTIFIER { 2.5.29.28 } 373 BOOLEAN { `ff` } 374 OCTET_STRING { 375 SEQUENCE { 376 [0] { 377 [0] { 378 [1 PRIMITIVE] { "foo@example.com" } 379 [6 PRIMITIVE] { "http://zexample.com/foo.crl" } 380 [6 PRIMITIVE] { "http://example.com/foo.crl" } 381 [6 PRIMITIVE] { "http://aexample.com/foo.crl" } 382 } 383 } 384 } 385 } 386 } 387 ''', 388 389 'issuingDistributionPoint_wrong_uri': ''' 390 SEQUENCE { 391 OBJECT_IDENTIFIER { 2.5.29.28 } 392 BOOLEAN { `ff` } 393 OCTET_STRING { 394 SEQUENCE { 395 [0] { 396 [0] { 397 [6 PRIMITIVE] { "http://example.com/FOO.CRL" } 398 } 399 } 400 } 401 } 402 } 403 ''', 404 405 'issuingDistributionPoint_with_indirectCRL': ''' 406 SEQUENCE { 407 OBJECT_IDENTIFIER { 2.5.29.28 } 408 BOOLEAN { `ff` } 409 OCTET_STRING { 410 SEQUENCE { 411 [0] { 412 [0] { 413 [6 PRIMITIVE] { "http://example.com/foo.crl" } 414 } 415 } 416 [4 PRIMITIVE] { `ff` } 417 } 418 } 419 } 420 ''', 421 422 'issuingDistributionPoint_with_onlyContainsUserCerts': ''' 423 SEQUENCE { 424 OBJECT_IDENTIFIER { 2.5.29.28 } 425 BOOLEAN { `ff` } 426 OCTET_STRING { 427 SEQUENCE { 428 [1 PRIMITIVE] { `ff` } 429 } 430 } 431 } 432 ''', 433 434 'issuingDistributionPoint_with_uri_and_onlyContainsUserCerts': ''' 435 SEQUENCE { 436 OBJECT_IDENTIFIER { 2.5.29.28 } 437 BOOLEAN { `ff` } 438 OCTET_STRING { 439 SEQUENCE { 440 [0] { 441 [0] { 442 [6 PRIMITIVE] { "http://example.com/foo.crl" } 443 } 444 } 445 [1 PRIMITIVE] { `ff` } 446 } 447 } 448 } 449 ''', 450 451 'issuingDistributionPoint_with_uri_and_onlyContainsCACerts': ''' 452 SEQUENCE { 453 OBJECT_IDENTIFIER { 2.5.29.28 } 454 BOOLEAN { `ff` } 455 OCTET_STRING { 456 SEQUENCE { 457 [0] { 458 [0] { 459 [6 PRIMITIVE] { "http://example.com/foo.crl" } 460 } 461 } 462 [2 PRIMITIVE] { `ff` } 463 } 464 } 465 } 466 ''', 467 468 'issuingDistributionPoint_with_onlyContainsCACerts': ''' 469 SEQUENCE { 470 OBJECT_IDENTIFIER { 2.5.29.28 } 471 BOOLEAN { `ff` } 472 OCTET_STRING { 473 SEQUENCE { 474 [2 PRIMITIVE] { `ff` } 475 } 476 } 477 } 478 ''', 479} 480 481 482Store( 483 'good', 484 'Leaf covered by CRLs and not revoked', 485 LEAF, CA, 486 SignAsciiCRL(''' 487 INTEGER { 1 } 488 %(sha256WithRSAEncryption)s 489 %(CA_name)s 490 %(thisUpdate)s 491 %(nextUpdate)s 492 # no revoked certs list 493 # no crlExtensions 494''' % crl_strings)) 495 496 497Store( 498 'good_issuer_name_normalization', 499 'Good, non-revoked, but issuer name in CRL requires case folding', 500 LEAF, CA, 501 SignAsciiCRL(''' 502 INTEGER { 1 } 503 %(sha256WithRSAEncryption)s 504 SEQUENCE { 505 SET { 506 SEQUENCE { 507 # commonName 508 OBJECT_IDENTIFIER { 2.5.4.3 } 509 # Name that requires case folding and type conversion. 510 PrintableString { "tEST iNTERMEDIATE ca" } 511 } 512 } 513 } 514 %(thisUpdate)s 515 %(nextUpdate)s 516 # no revoked certs list 517 # no crlExtensions 518''' % crl_strings)) 519 520 521Store( 522 'good_issuer_no_keyusage', 523 'Leaf covered by CRLs and not revoked, issuer has no keyUsage extension', 524 LEAF, CA_NO_KEYUSAGE, 525 SignAsciiCRL(''' 526 INTEGER { 1 } 527 %(sha256WithRSAEncryption)s 528 %(CA_name)s 529 %(thisUpdate)s 530 %(nextUpdate)s 531 # no revoked certs list 532 # no crlExtensions 533''' % crl_strings, signer=CA_NO_KEYUSAGE)) 534 535 536Store( 537 'good_no_nextupdate', 538 'Leaf covered by CRLs and not revoked, optional nextUpdate field is absent', 539 LEAF, CA, 540 SignAsciiCRL(''' 541 INTEGER { 1 } 542 %(sha256WithRSAEncryption)s 543 %(CA_name)s 544 %(thisUpdate)s 545 # no nextUpdate 546 # no revoked certs list 547 # no crlExtensions 548''' % crl_strings)) 549 550 551Store( 552 'good_fake_extension', 553 'Leaf covered by CRLs and not revoked, CRL has an irrelevant non-critical ' 554 'extension', 555 LEAF, CA, 556 SignAsciiCRL(''' 557 INTEGER { 1 } 558 %(sha256WithRSAEncryption)s 559 %(CA_name)s 560 %(thisUpdate)s 561 %(nextUpdate)s 562 # no revoked certs list 563 [0] { 564 SEQUENCE { 565 %(fake_extension)s 566 } 567 } 568''' % crl_strings)) 569 570 571Store( 572 'good_fake_extension_no_nextupdate', 573 'Leaf covered by CRLs and not revoked, CRL has an irrelevant non-critical ' 574 'extension', 575 LEAF, CA, 576 SignAsciiCRL(''' 577 INTEGER { 1 } 578 %(sha256WithRSAEncryption)s 579 %(CA_name)s 580 %(thisUpdate)s 581 # no nextUpdate 582 # no revoked certs list 583 [0] { 584 SEQUENCE { 585 %(fake_extension)s 586 } 587 } 588''' % crl_strings)) 589 590 591Store( 592 'good_generalizedtime', 593 'Leaf covered by CRLs and not revoked, dates encoded as GeneralizedTime', 594 LEAF, CA, 595 SignAsciiCRL(''' 596 INTEGER { 1 } 597 %(sha256WithRSAEncryption)s 598 %(CA_name)s 599 %(thisUpdateGeneralized)s 600 %(nextUpdateGeneralized)s 601 # no revoked certs list 602 # no crlExtensions 603''' % crl_strings)) 604 605 606Store( 607 'good_no_version', 608 'Leaf covered by CRLs and not revoked, CRL is V1', 609 LEAF, CA, 610 SignAsciiCRL(''' 611 # no version 612 %(sha256WithRSAEncryption)s 613 %(CA_name)s 614 %(thisUpdate)s 615 %(nextUpdate)s 616 # no revoked certs list 617 # no crlExtensions 618''' % crl_strings)) 619 620 621Store( 622 'good_idp_contains_uri', 623 'Leaf covered by CRLs and not revoked, CRL has IDP with URI matching ' 624 'cert DP', 625 LEAF, CA, 626 SignAsciiCRL(''' 627 INTEGER { 1 } 628 %(sha256WithRSAEncryption)s 629 %(CA_name)s 630 %(thisUpdate)s 631 %(nextUpdate)s 632 # no revoked certs list 633 [0] { 634 SEQUENCE { 635 %(issuingDistributionPoint)s 636 } 637 } 638''' % crl_strings)) 639 640 641Store( 642 'good_idp_onlycontainsusercerts', 643 'Leaf covered by CRLs and not revoked, CRL has IDP with ' 644 'onlyContainsUserCerts', 645 LEAF, CA, 646 SignAsciiCRL(''' 647 INTEGER { 1 } 648 %(sha256WithRSAEncryption)s 649 %(CA_name)s 650 %(thisUpdate)s 651 %(nextUpdate)s 652 # no revoked certs list 653 [0] { 654 SEQUENCE { 655 %(issuingDistributionPoint_with_onlyContainsUserCerts)s 656 } 657 } 658''' % crl_strings)) 659 660 661Store( 662 'good_idp_onlycontainsusercerts_no_basic_constraints', 663 'Leaf covered by CRLs and not revoked, CRL has IDP with ' 664 'onlyContainsUserCerts, leaf has no basicConstraints', 665 LEAF_NO_BASIC_CONSTRAINTS, CA, 666 SignAsciiCRL(''' 667 INTEGER { 1 } 668 %(sha256WithRSAEncryption)s 669 %(CA_name)s 670 %(thisUpdate)s 671 %(nextUpdate)s 672 # no revoked certs list 673 [0] { 674 SEQUENCE { 675 %(issuingDistributionPoint_with_onlyContainsUserCerts)s 676 } 677 } 678''' % crl_strings)) 679 680 681Store( 682 'good_idp_onlycontainscacerts', 683 'CA_NEW_BY_OLD covered by CRLs and not revoked, CRL has IDP with ' 684 'onlyContainsCaCerts', 685 CA_NEW_BY_OLD, CA, 686 SignAsciiCRL(''' 687 INTEGER { 1 } 688 %(sha256WithRSAEncryption)s 689 %(CA_name)s 690 %(thisUpdate)s 691 %(nextUpdate)s 692 # no revoked certs list 693 [0] { 694 SEQUENCE { 695 %(issuingDistributionPoint_with_onlyContainsCACerts)s 696 } 697 } 698''' % crl_strings)) 699 700 701Store( 702 'good_idp_uri_and_onlycontainsusercerts', 703 'Leaf covered by CRLs and not revoked, CRL has IDP with URI and ' 704 'onlyContainsUserCerts', 705 LEAF, CA, 706 SignAsciiCRL(''' 707 INTEGER { 1 } 708 %(sha256WithRSAEncryption)s 709 %(CA_name)s 710 %(thisUpdate)s 711 %(nextUpdate)s 712 # no revoked certs list 713 [0] { 714 SEQUENCE { 715 %(issuingDistributionPoint_with_uri_and_onlyContainsUserCerts)s 716 } 717 } 718''' % crl_strings)) 719 720 721Store( 722 'good_idp_uri_and_onlycontainscacerts', 723 'CA_NEW_BY_OLD covered by CRLs and not revoked, CRL has IDP with URI and ' 724 'onlyContainsCACerts', 725 CA_NEW_BY_OLD, CA, 726 SignAsciiCRL(''' 727 INTEGER { 1 } 728 %(sha256WithRSAEncryption)s 729 %(CA_name)s 730 %(thisUpdate)s 731 %(nextUpdate)s 732 # no revoked certs list 733 [0] { 734 SEQUENCE { 735 %(issuingDistributionPoint_with_uri_and_onlyContainsCACerts)s 736 } 737 } 738''' % crl_strings)) 739 740 741Store( 742 'good_no_crldp', 743 'Leaf covered by CRLs and not revoked and has no crlDistributionPoints.\n' 744 'This tests the case where CheckCRL is called with a synthesized ' 745 'distributionPoint.', 746 LEAF_NO_CRLDP, CA, 747 SignAsciiCRL(''' 748 INTEGER { 1 } 749 %(sha256WithRSAEncryption)s 750 %(CA_name)s 751 %(thisUpdate)s 752 %(nextUpdate)s 753 # no revoked certs list 754 # no crlExtensions 755''' % crl_strings)) 756 757 758Store( 759 'good_key_rollover', 760 "Leaf issued by CA's new key but CRL is signed by old key", 761 LEAF_BY_NEW, CA_NEW_BY_OLD, ca2=CA, 762 crl_der=SignAsciiCRL(''' 763 INTEGER { 1 } 764 %(sha256WithRSAEncryption)s 765 %(CA_name)s 766 %(thisUpdate)s 767 %(nextUpdate)s 768 # no revoked certs list 769 # no crlExtensions 770''' % crl_strings)) 771 772 773Store( 774 'revoked', 775 'Leaf is revoked', 776 LEAF, CA, 777 SignAsciiCRL(''' 778 INTEGER { 1 } 779 %(sha256WithRSAEncryption)s 780 %(CA_name)s 781 %(thisUpdate)s 782 %(nextUpdate)s 783 %(leaf_revoked)s 784 # no crlExtensions 785''' % crl_strings)) 786 787 788Store( 789 'revoked_no_nextupdate', 790 'Leaf is revoked, optional nextUpdate field is absent', 791 LEAF, CA, 792 SignAsciiCRL(''' 793 INTEGER { 1 } 794 %(sha256WithRSAEncryption)s 795 %(CA_name)s 796 %(thisUpdate)s 797 # no nextUpdate 798 %(leaf_revoked)s 799 # no crlExtensions 800''' % crl_strings)) 801 802 803Store( 804 'revoked_fake_crlentryextension', 805 'Leaf is revoked, has non-critical crlEntryExtension', 806 LEAF, CA, 807 SignAsciiCRL(''' 808 INTEGER { 1 } 809 %(sha256WithRSAEncryption)s 810 %(CA_name)s 811 %(thisUpdate)s 812 %(nextUpdate)s 813 %(leaf_revoked_fake_extension)s 814 # no crlExtensions 815''' % crl_strings)) 816 817 818Store( 819 'revoked_generalized_revocationdate', 820 'Leaf is revoked, revocationDate is encoded as GeneralizedTime', 821 LEAF, CA, 822 SignAsciiCRL(''' 823 INTEGER { 1 } 824 %(sha256WithRSAEncryption)s 825 %(CA_name)s 826 %(thisUpdate)s 827 %(nextUpdate)s 828 %(leaf_revoked_generalizedtime)s 829 # no crlExtensions 830''' % crl_strings)) 831 832 833Store( 834 'revoked_key_rollover', 835 "Leaf issued by CA's new key but CRL is signed by old key", 836 LEAF_BY_NEW, CA_NEW_BY_OLD, ca2=CA, 837 crl_der=SignAsciiCRL(''' 838 INTEGER { 1 } 839 %(sha256WithRSAEncryption)s 840 %(CA_name)s 841 %(thisUpdate)s 842 %(nextUpdate)s 843 SEQUENCE { 844 SEQUENCE { 845 INTEGER { %(LEAF_SERIAL)i } 846 UTCTime { "170201001122Z" } 847 # no crlEntryExtensions 848 } 849 } 850 # no crlExtensions 851''' % DictUnion(crl_strings, 852 {'LEAF_SERIAL':LEAF_BY_NEW['cert'].get_serial_number()}))) 853 854 855Store( 856 'bad_crldp_has_crlissuer', 857 'Leaf covered by CRLs and not revoked, leaf has crlDistributionPoints ' 858 'with a crlIssuer', 859 LEAF_CRLDP_CRLISSUER, CA, 860 SignAsciiCRL(''' 861 INTEGER { 1 } 862 %(sha256WithRSAEncryption)s 863 %(CA_name)s 864 %(thisUpdate)s 865 %(nextUpdate)s 866 # no revoked certs list 867 # no crlExtensions 868''' % crl_strings)) 869 870 871Store( 872 'bad_fake_critical_extension', 873 'Leaf covered by CRLs and not revoked, but CRL has an unhandled critical ' 874 'extension', 875 LEAF, CA, 876 SignAsciiCRL(''' 877 INTEGER { 1 } 878 %(sha256WithRSAEncryption)s 879 %(CA_name)s 880 %(thisUpdate)s 881 # no nextUpdate 882 # no revoked certs list 883 [0] { 884 SEQUENCE { 885 %(fake_critical_extension)s 886 } 887 } 888''' % crl_strings)) 889 890 891Store( 892 'bad_fake_critical_crlentryextension', 893 'Leaf is revoked, but a later entry has a critical crlEntryExtension', 894 LEAF, CA, 895 SignAsciiCRL(''' 896 INTEGER { 1 } 897 %(sha256WithRSAEncryption)s 898 %(CA_name)s 899 %(thisUpdate)s 900 %(nextUpdate)s 901 %(leaf_revoked_before_fake_critical_extension)s 902 # no crlExtensions 903''' % crl_strings)) 904 905 906Store( 907 'bad_signature', 908 'No revoked certs, but CRL signed by a different key', 909 LEAF, CA, 910 SignAsciiCRL(''' 911 INTEGER { 1 } 912 %(sha256WithRSAEncryption)s 913 %(CA_name)s 914 %(thisUpdate)s 915 %(nextUpdate)s 916 # no revoked certs list 917 # no crlExtensions 918''' % crl_strings, signer=OTHER_CA)) 919 920 921Store( 922 'bad_thisupdate_in_future', 923 'Leaf covered by CRLs and not revoked, but thisUpdate is in the future', 924 LEAF, CA, 925 SignAsciiCRL(''' 926 INTEGER { 1 } 927 %(sha256WithRSAEncryption)s 928 %(CA_name)s 929 %(thisUpdate_in_future)s 930 %(nextUpdate)s 931 # no revoked certs list 932 # no crlExtensions 933''' % crl_strings)) 934 935 936Store( 937 'bad_thisupdate_too_old', 938 'Leaf covered by CRLs and not revoked, but thisUpdate time is more than ' 939 '7 days before verification time', 940 LEAF, CA, 941 SignAsciiCRL(''' 942 INTEGER { 1 } 943 %(sha256WithRSAEncryption)s 944 %(CA_name)s 945 %(thisUpdate_too_old)s 946 %(nextUpdate)s 947 # no revoked certs list 948 # no crlExtensions 949''' % crl_strings)) 950 951 952Store( 953 'bad_nextupdate_too_old', 954 'Leaf covered by CRLs and not revoked, but nextUpdate time is before ' 955 'verification time', 956 LEAF, CA, 957 SignAsciiCRL(''' 958 INTEGER { 1 } 959 %(sha256WithRSAEncryption)s 960 %(CA_name)s 961 %(thisUpdate)s 962 %(nextUpdate_too_old)s 963 # no revoked certs list 964 # no crlExtensions 965''' % crl_strings)) 966 967 968Store( 969 'bad_wrong_issuer', 970 'issuer name in CRL is different', 971 LEAF, CA, 972 SignAsciiCRL(''' 973 INTEGER { 1 } 974 %(sha256WithRSAEncryption)s 975 SEQUENCE { 976 SET { 977 SEQUENCE { 978 # commonName 979 OBJECT_IDENTIFIER { 2.5.4.3 } 980 PrintableString { "Test Unrelated CA" } 981 } 982 } 983 } 984 %(thisUpdate)s 985 %(nextUpdate)s 986 # no revoked certs list 987 # no crlExtensions 988''' % crl_strings)) 989 990 991Store( 992 'bad_key_rollover_signature', 993 "Leaf issued by CA's new key which is signed by old key, but CRL isn't " 994 "signed by either", 995 LEAF_BY_NEW, CA_NEW_BY_OLD, ca2=CA, 996 crl_der=SignAsciiCRL(''' 997 INTEGER { 1 } 998 %(sha256WithRSAEncryption)s 999 %(CA_name)s 1000 %(thisUpdate)s 1001 %(nextUpdate)s 1002 # no revoked certs list 1003 # no crlExtensions 1004''' % crl_strings, signer=OTHER_CA)) 1005 1006 1007Store( 1008 'bad_idp_contains_wrong_uri', 1009 'Leaf not covered by CRL (IDP with different URI)', 1010 LEAF, CA, 1011 SignAsciiCRL(''' 1012 INTEGER { 1 } 1013 %(sha256WithRSAEncryption)s 1014 %(CA_name)s 1015 %(thisUpdate)s 1016 %(nextUpdate)s 1017 # no revoked certs list 1018 [0] { 1019 SEQUENCE { 1020 %(issuingDistributionPoint_wrong_uri)s 1021 } 1022 } 1023''' % crl_strings)) 1024 1025 1026Store( 1027 'bad_idp_indirectcrl', 1028 'CRL IDP name matches, but has indirectCRL flag set', 1029 LEAF, CA, 1030 SignAsciiCRL(''' 1031 INTEGER { 1 } 1032 %(sha256WithRSAEncryption)s 1033 %(CA_name)s 1034 %(thisUpdate)s 1035 %(nextUpdate)s 1036 # no revoked certs list 1037 [0] { 1038 SEQUENCE { 1039 %(issuingDistributionPoint_with_indirectCRL)s 1040 } 1041 } 1042''' % crl_strings)) 1043 1044 1045Store( 1046 'bad_idp_onlycontainscacerts', 1047 'Leaf not covered by CRLs because IDP has onlyContainsCACerts', 1048 LEAF, CA, 1049 SignAsciiCRL(''' 1050 INTEGER { 1 } 1051 %(sha256WithRSAEncryption)s 1052 %(CA_name)s 1053 %(thisUpdate)s 1054 %(nextUpdate)s 1055 # no revoked certs list 1056 [0] { 1057 SEQUENCE { 1058 %(issuingDistributionPoint_with_onlyContainsCACerts)s 1059 } 1060 } 1061''' % crl_strings)) 1062 1063 1064Store( 1065 'bad_idp_onlycontainscacerts_no_basic_constraints', 1066 'Leaf not covered by CRLs because IDP has onlyContainsCACerts, ' 1067 'leaf has no basicConstraints', 1068 LEAF_NO_BASIC_CONSTRAINTS, CA, 1069 SignAsciiCRL(''' 1070 INTEGER { 1 } 1071 %(sha256WithRSAEncryption)s 1072 %(CA_name)s 1073 %(thisUpdate)s 1074 %(nextUpdate)s 1075 # no revoked certs list 1076 [0] { 1077 SEQUENCE { 1078 %(issuingDistributionPoint_with_onlyContainsCACerts)s 1079 } 1080 } 1081''' % crl_strings)) 1082 1083 1084Store( 1085 'bad_idp_onlycontainsusercerts', 1086 'CA_NEW_BY_OLD not covered by CRLs because IDP has ' 1087 'onlyContainsUserCerts', 1088 CA_NEW_BY_OLD, CA, 1089 SignAsciiCRL(''' 1090 INTEGER { 1 } 1091 %(sha256WithRSAEncryption)s 1092 %(CA_name)s 1093 %(thisUpdate)s 1094 %(nextUpdate)s 1095 # no revoked certs list 1096 [0] { 1097 SEQUENCE { 1098 %(issuingDistributionPoint_with_onlyContainsUserCerts)s 1099 } 1100 } 1101''' % crl_strings)) 1102 1103 1104Store( 1105 'bad_idp_uri_and_onlycontainsusercerts', 1106 'CA_NEW_BY_OLD not covered by CRLs because IDP has ' 1107 'onlyContainsUserCerts (and URI, but the URI matches)', 1108 CA_NEW_BY_OLD, CA, 1109 SignAsciiCRL(''' 1110 INTEGER { 1 } 1111 %(sha256WithRSAEncryption)s 1112 %(CA_name)s 1113 %(thisUpdate)s 1114 %(nextUpdate)s 1115 # no revoked certs list 1116 [0] { 1117 SEQUENCE { 1118 %(issuingDistributionPoint_with_uri_and_onlyContainsUserCerts)s 1119 } 1120 } 1121''' % crl_strings)) 1122 1123 1124Store( 1125 'bad_idp_uri_and_onlycontainscacerts', 1126 'Leaf not covered by CRLs because IDP has ' 1127 'onlyContainsCACerts (and URI, but the URI matches)', 1128 LEAF, CA, 1129 SignAsciiCRL(''' 1130 INTEGER { 1 } 1131 %(sha256WithRSAEncryption)s 1132 %(CA_name)s 1133 %(thisUpdate)s 1134 %(nextUpdate)s 1135 # no revoked certs list 1136 [0] { 1137 SEQUENCE { 1138 %(issuingDistributionPoint_with_uri_and_onlyContainsCACerts)s 1139 } 1140 } 1141''' % crl_strings)) 1142 1143 1144Store( 1145 'invalid_mismatched_signature_algorithm', 1146 'Leaf covered by CRLs and not revoked, but signatureAlgorithm in ' 1147 'CertificateList does not match the one in TBSCertList.', 1148 LEAF, CA, 1149 SignAsciiCRL(''' 1150 INTEGER { 1 } 1151 %(sha384WithRSAEncryption)s 1152 %(CA_name)s 1153 %(thisUpdate)s 1154 %(nextUpdate)s 1155 # no revoked certs list 1156 # no crlExtensions 1157''' % crl_strings)) 1158 1159 1160Store( 1161 'invalid_revoked_empty_sequence', 1162 'revokedCertificates is an empty sequence (should be omitted)', 1163 LEAF, CA, 1164 SignAsciiCRL(''' 1165 INTEGER { 1 } 1166 %(sha256WithRSAEncryption)s 1167 %(CA_name)s 1168 %(thisUpdate)s 1169 %(nextUpdate)s 1170 SEQUENCE { 1171 # no revoked certs. revokedCertificates should be omitted in this case. 1172 } 1173 # no crlExtensions 1174''' % crl_strings)) 1175 1176 1177Store( 1178 'invalid_v1_with_extension', 1179 'CRL is V1 and has crlExtensions', 1180 LEAF, CA, 1181 SignAsciiCRL(''' 1182 # no version 1183 %(sha256WithRSAEncryption)s 1184 %(CA_name)s 1185 %(thisUpdate)s 1186 # no nextUpdate 1187 # no revoked certs list 1188 [0] { 1189 SEQUENCE { 1190 %(fake_extension)s 1191 } 1192 } 1193''' % crl_strings)) 1194 1195 1196Store( 1197 'invalid_v1_with_crlentryextension', 1198 'Leaf is revoked, has non-critical crlEntryExtension, but CRL is V1', 1199 LEAF, CA, 1200 SignAsciiCRL(''' 1201 # no version 1202 %(sha256WithRSAEncryption)s 1203 %(CA_name)s 1204 %(thisUpdate)s 1205 %(nextUpdate)s 1206 %(leaf_revoked_fake_extension)s 1207 # no crlExtensions 1208''' % crl_strings)) 1209 1210 1211Store( 1212 'invalid_v1_explicit', 1213 'CRL has explicit V1 version', 1214 LEAF, CA, 1215 SignAsciiCRL(''' 1216 INTEGER { 0 } 1217 %(sha256WithRSAEncryption)s 1218 %(CA_name)s 1219 %(thisUpdate)s 1220 %(nextUpdate)s 1221 # no revoked certs list 1222 # no crlExtensions 1223''' % crl_strings)) 1224 1225 1226Store( 1227 'invalid_v3', 1228 'CRL has invalid V3 version', 1229 LEAF, CA, 1230 SignAsciiCRL(''' 1231 INTEGER { 2 } 1232 %(sha256WithRSAEncryption)s 1233 %(CA_name)s 1234 %(thisUpdate)s 1235 %(nextUpdate)s 1236 # no revoked certs list 1237 # no crlExtensions 1238''' % crl_strings)) 1239 1240 1241Store( 1242 'invalid_issuer_keyusage_no_crlsign', 1243 'Leaf covered by CRLs and not revoked, issuer has keyUsage extension ' 1244 'without the cRLSign bit set', 1245 LEAF, CA_KEYUSAGE_NOCRLSIGN, 1246 SignAsciiCRL(''' 1247 INTEGER { 1 } 1248 %(sha256WithRSAEncryption)s 1249 %(CA_name)s 1250 %(thisUpdate)s 1251 %(nextUpdate)s 1252 # no revoked certs list 1253 # no crlExtensions 1254''' % crl_strings, signer=CA_KEYUSAGE_NOCRLSIGN)) 1255 1256 1257Store( 1258 'invalid_key_rollover_issuer_keyusage_no_crlsign', 1259 "Leaf issued by CA's new key but CRL is signed by old key, and the old " 1260 "key cert has keyUsage extension without the cRLSign bit set", 1261 LEAF_BY_NEW, CA_NEW_BY_OLD, ca2=CA_KEYUSAGE_NOCRLSIGN, 1262 crl_der=SignAsciiCRL(''' 1263 INTEGER { 1 } 1264 %(sha256WithRSAEncryption)s 1265 %(CA_name)s 1266 %(thisUpdate)s 1267 %(nextUpdate)s 1268 # no revoked certs list 1269 # no crlExtensions 1270''' % crl_strings, signer=CA_KEYUSAGE_NOCRLSIGN)) 1271 1272 1273Store( 1274 'invalid_garbage_version', 1275 'CRL version is garbage', 1276 LEAF, CA, 1277 SignAsciiCRL(''' 1278 OCTET_STRING { `01` } 1279 %(sha256WithRSAEncryption)s 1280 %(CA_name)s 1281 %(thisUpdate)s 1282 %(nextUpdate)s 1283 # no revoked certs list 1284 # no crlExtensions 1285''' % crl_strings)) 1286 1287 1288Store( 1289 'invalid_garbage_tbs_signature_algorithm', 1290 'CRL tbs signature algorithm is garbage', 1291 LEAF, CA, 1292 SignAsciiCRL(''' 1293 INTEGER { 1 } 1294 INTEGER { 1 } 1295 %(CA_name)s 1296 %(thisUpdate)s 1297 %(nextUpdate)s 1298 # no revoked certs list 1299 # no crlExtensions 1300''' % crl_strings)) 1301 1302 1303Store( 1304 'invalid_garbage_issuer_name', 1305 'CRL issuer is garbage', 1306 LEAF, CA, 1307 SignAsciiCRL(''' 1308 INTEGER { 1 } 1309 %(sha256WithRSAEncryption)s 1310 INTEGER { 1 } 1311 %(thisUpdate)s 1312 # no revoked certs list 1313 # no crlExtensions 1314''' % crl_strings)) 1315 1316 1317Store( 1318 'invalid_garbage_thisupdate', 1319 'CRL thisUpdate is garbage', 1320 LEAF, CA, 1321 SignAsciiCRL(''' 1322 INTEGER { 1 } 1323 %(sha256WithRSAEncryption)s 1324 %(CA_name)s 1325 INTEGER { 1 } 1326 %(thisUpdate)s 1327 # no revoked certs list 1328 # no crlExtensions 1329''' % crl_strings)) 1330 1331 1332Store( 1333 'invalid_garbage_after_thisupdate', 1334 'CRL garbage after thisupdate', 1335 LEAF, CA, 1336 SignAsciiCRL(''' 1337 INTEGER { 1 } 1338 %(sha256WithRSAEncryption)s 1339 %(CA_name)s 1340 %(thisUpdate)s 1341 # garbage: 1342 INTEGER { 1 } 1343''' % crl_strings)) 1344 1345 1346Store( 1347 'invalid_garbage_after_nextupdate', 1348 'CRL garbage after nextUpdate', 1349 LEAF, CA, 1350 SignAsciiCRL(''' 1351 INTEGER { 1 } 1352 %(sha256WithRSAEncryption)s 1353 %(CA_name)s 1354 %(thisUpdate)s 1355 %(nextUpdate)s 1356 # garbage: 1357 INTEGER { 1 } 1358''' % crl_strings)) 1359 1360 1361Store( 1362 'invalid_garbage_after_revokedcerts', 1363 'CRL garbage after revokedCertificates', 1364 LEAF, CA, 1365 SignAsciiCRL(''' 1366 INTEGER { 1 } 1367 %(sha256WithRSAEncryption)s 1368 %(CA_name)s 1369 %(thisUpdate)s 1370 # no nextUpdate 1371 %(leaf_revoked)s 1372 # no crlExtensions 1373 # garbage: nextUpdate doesn't go here: 1374 %(nextUpdate)s 1375''' % crl_strings)) 1376 1377 1378Store( 1379 'invalid_garbage_after_extensions', 1380 'CRL garbage after extensions', 1381 LEAF, CA, 1382 SignAsciiCRL(''' 1383 INTEGER { 1 } 1384 %(sha256WithRSAEncryption)s 1385 %(CA_name)s 1386 %(thisUpdate)s 1387 %(nextUpdate)s 1388 # no revoked certs list 1389 [0] { 1390 SEQUENCE { 1391 %(fake_extension)s 1392 } 1393 } 1394 # Garbage: revoked certs sequence doesn't go here: 1395 %(leaf_revoked)s 1396''' % crl_strings)) 1397 1398 1399Store( 1400 'invalid_garbage_tbscertlist', 1401 'CRL garbage tbsCertList', 1402 LEAF, CA, 1403 Ascii2Der(''' 1404SEQUENCE { 1405 OCTET_STRING { `5678` } 1406 SEQUENCE { 1407 # sha256WithRSAEncryption 1408 OBJECT_IDENTIFIER { 1.2.840.113549.1.1.11 } 1409 NULL {} 1410 } 1411 # Actual signatureValue doesn't matter, shouldn't get to verifying signature. 1412 BIT_STRING { `001a` } 1413} 1414''')) 1415 1416 1417Store( 1418 'invalid_garbage_signaturealgorithm', 1419 'CRL garbage signatureAlgorithm', 1420 LEAF, CA, 1421 Ascii2Der(''' 1422SEQUENCE { 1423 SEQUENCE { 1424 INTEGER { 1 } 1425 # tbsCertList contents doesn't matter, parsing shouldn't get this far. 1426 } 1427 OCTET_STRING { `5678` } 1428 # Actual signatureValue doesn't matter, shouldn't get to verifying signature. 1429 BIT_STRING { `001a` } 1430} 1431''')) 1432 1433 1434Store( 1435 'invalid_garbage_signaturevalue', 1436 'CRL garbage signatureValue', 1437 LEAF, CA, 1438 Ascii2Der(''' 1439SEQUENCE { 1440 SEQUENCE { 1441 INTEGER { 1 } 1442 # tbsCertList contents doesn't matter, parsing shouldn't get this far. 1443 } 1444 SEQUENCE { 1445 # sha256WithRSAEncryption 1446 OBJECT_IDENTIFIER { 1.2.840.113549.1.1.11 } 1447 NULL {} 1448 } 1449 # Actual signatureValue contents don't matter, should be BIT_STRING rather 1450 # than OCTET_STRING. 1451 OCTET_STRING { `001a` } 1452} 1453''')) 1454 1455 1456Store( 1457 'invalid_garbage_after_signaturevalue', 1458 'CRL garbage after signatureValue', 1459 LEAF, CA, 1460 Ascii2Der(''' 1461SEQUENCE { 1462 SEQUENCE { 1463 INTEGER { 1 } 1464 # tbsCertList contents doesn't matter, parsing shouldn't get this far. 1465 } 1466 SEQUENCE { 1467 # sha256WithRSAEncryption 1468 OBJECT_IDENTIFIER { 1.2.840.113549.1.1.11 } 1469 NULL {} 1470 } 1471 # Actual signatureValue doesn't matter, shouldn't get to verifying signature. 1472 BIT_STRING { `001a` } 1473 SEQUENCE {} 1474} 1475''')) 1476 1477Store( 1478 'invalid_garbage_revoked_serial_number', 1479 'Leaf is revoked but a following crlentry is garbage', 1480 LEAF, CA, 1481 SignAsciiCRL(''' 1482 INTEGER { 1 } 1483 %(sha256WithRSAEncryption)s 1484 %(CA_name)s 1485 %(thisUpdate)s 1486 %(nextUpdate)s 1487 SEQUENCE { 1488 SEQUENCE { 1489 INTEGER { %(LEAF_SERIAL)i } 1490 UTCTime { "170201001122Z" } 1491 # no crlEntryExtensions 1492 } 1493 SEQUENCE { 1494 OCTET_STRING { `7F`} 1495 UTCTime { "170201001122Z" } 1496 # no crlEntryExtensions 1497 } 1498 } 1499 # no crlExtensions 1500''' % (DictUnion(crl_strings, 1501 {'LEAF_SERIAL':LEAF['cert'].get_serial_number()})))) 1502 1503 1504Store( 1505 'invalid_garbage_revocationdate', 1506 'Leaf is revoked but a following crlentry is garbage', 1507 LEAF, CA, 1508 SignAsciiCRL(''' 1509 INTEGER { 1 } 1510 %(sha256WithRSAEncryption)s 1511 %(CA_name)s 1512 %(thisUpdate)s 1513 %(nextUpdate)s 1514 SEQUENCE { 1515 SEQUENCE { 1516 INTEGER { %(LEAF_SERIAL)i } 1517 UTCTime { "170201001122Z" } 1518 # no crlEntryExtensions 1519 } 1520 SEQUENCE { 1521 INTEGER { 100001 } 1522 OCTET_STRING { "170201001122Z" } 1523 # no crlEntryExtensions 1524 } 1525 } 1526 # no crlExtensions 1527''' % (DictUnion(crl_strings, 1528 {'LEAF_SERIAL':LEAF['cert'].get_serial_number()})))) 1529 1530 1531Store( 1532 'invalid_garbage_after_revocationdate', 1533 'Leaf is revoked but a following crlentry is garbage', 1534 LEAF, CA, 1535 SignAsciiCRL(''' 1536 INTEGER { 1 } 1537 %(sha256WithRSAEncryption)s 1538 %(CA_name)s 1539 %(thisUpdate)s 1540 %(nextUpdate)s 1541 SEQUENCE { 1542 SEQUENCE { 1543 INTEGER { %(LEAF_SERIAL)i } 1544 UTCTime { "170201001122Z" } 1545 # no crlEntryExtensions 1546 } 1547 SEQUENCE { 1548 INTEGER { 100001 } 1549 UTCTime { "170201001122Z" } 1550 INTEGER { 01 } 1551 } 1552 } 1553 # no crlExtensions 1554''' % (DictUnion(crl_strings, 1555 {'LEAF_SERIAL':LEAF['cert'].get_serial_number()})))) 1556 1557 1558Store( 1559 'invalid_garbage_after_crlentryextensions', 1560 'Leaf is revoked but a following crlentry is garbage', 1561 LEAF, CA, 1562 SignAsciiCRL(''' 1563 INTEGER { 1 } 1564 %(sha256WithRSAEncryption)s 1565 %(CA_name)s 1566 %(thisUpdate)s 1567 %(nextUpdate)s 1568 SEQUENCE { 1569 SEQUENCE { 1570 INTEGER { %(LEAF_SERIAL)i } 1571 UTCTime { "170201001122Z" } 1572 # no crlEntryExtensions 1573 } 1574 SEQUENCE { 1575 INTEGER { 100001 } 1576 UTCTime { "170201001122Z" } 1577 SEQUENCE { 1578 SEQUENCE { 1579 OBJECT_IDENTIFIER { 1.2.3.4 } 1580 OCTET_STRING { `5678` } 1581 } 1582 } 1583 INTEGER { 01 } 1584 } 1585 } 1586 # no crlExtensions 1587''' % (DictUnion(crl_strings, 1588 {'LEAF_SERIAL':LEAF['cert'].get_serial_number()})))) 1589 1590 1591Store( 1592 'invalid_garbage_crlentry', 1593 'Leaf is revoked but a following crlentry is garbage', 1594 LEAF, CA, 1595 SignAsciiCRL(''' 1596 INTEGER { 1 } 1597 %(sha256WithRSAEncryption)s 1598 %(CA_name)s 1599 %(thisUpdate)s 1600 %(nextUpdate)s 1601 SEQUENCE { 1602 SEQUENCE { 1603 INTEGER { %(LEAF_SERIAL)i } 1604 UTCTime { "170201001122Z" } 1605 # no crlEntryExtensions 1606 } 1607 INTEGER { 01 } 1608 } 1609 # no crlExtensions 1610''' % (DictUnion(crl_strings, 1611 {'LEAF_SERIAL':LEAF['cert'].get_serial_number()})))) 1612 1613 1614Store( 1615 'invalid_idp_dpname_choice_extra_data', 1616 'IssuingDistributionPoint extension distributionPoint is invalid', 1617 LEAF, CA, 1618 SignAsciiCRL(''' 1619 INTEGER { 1 } 1620 %(sha256WithRSAEncryption)s 1621 %(CA_name)s 1622 %(thisUpdate)s 1623 %(nextUpdate)s 1624 # no revoked certs list 1625 [0] { 1626 SEQUENCE { 1627 SEQUENCE { 1628 OBJECT_IDENTIFIER { 2.5.29.28 } 1629 BOOLEAN { `ff` } 1630 OCTET_STRING { 1631 SEQUENCE { 1632 [0] { 1633 [0] { 1634 [6 PRIMITIVE] { "http://example.com/foo.crl" } 1635 } 1636 [1] { 1637 SET { 1638 SEQUENCE { 1639 # countryName 1640 OBJECT_IDENTIFIER { 2.5.4.6 } 1641 PrintableString { "US" } 1642 } 1643 } 1644 } 1645 } 1646 } 1647 } 1648 } 1649 } 1650 } 1651''' % crl_strings)) 1652 1653 1654Store( 1655 'invalid_idp_empty_sequence', 1656 'IssuingDistributionPoint extension is invalid', 1657 LEAF, CA, 1658 SignAsciiCRL(''' 1659 INTEGER { 1 } 1660 %(sha256WithRSAEncryption)s 1661 %(CA_name)s 1662 %(thisUpdate)s 1663 %(nextUpdate)s 1664 # no revoked certs list 1665 [0] { 1666 SEQUENCE { 1667 SEQUENCE { 1668 OBJECT_IDENTIFIER { 2.5.29.28 } 1669 BOOLEAN { `ff` } 1670 OCTET_STRING { 1671 SEQUENCE { 1672 } 1673 } 1674 } 1675 } 1676 } 1677''' % crl_strings)) 1678 1679 1680Store( 1681 'invalid_idp_onlycontains_user_and_ca_certs', 1682 'IssuingDistributionPoint extension is invalid, cannot specify more than ' 1683 'one of onlyContainsUserCerts and onlyContainsCACerts', 1684 LEAF, CA, 1685 SignAsciiCRL(''' 1686 INTEGER { 1 } 1687 %(sha256WithRSAEncryption)s 1688 %(CA_name)s 1689 %(thisUpdate)s 1690 %(nextUpdate)s 1691 # no revoked certs list 1692 [0] { 1693 SEQUENCE { 1694 SEQUENCE { 1695 OBJECT_IDENTIFIER { 2.5.29.28 } 1696 BOOLEAN { `ff` } 1697 OCTET_STRING { 1698 SEQUENCE { 1699 [1 PRIMITIVE] { `ff` } 1700 [2 PRIMITIVE] { `ff` } 1701 } 1702 } 1703 } 1704 } 1705 } 1706''' % crl_strings)) 1707 1708 1709Store( 1710 'invalid_idp_onlycontainsusercerts_v1_leaf', 1711 'v1 leaf is covered by CRL with onlyContainsUserCerts, which is invalid', 1712 LEAF_V1, CA, 1713 SignAsciiCRL(''' 1714 INTEGER { 1 } 1715 %(sha256WithRSAEncryption)s 1716 %(CA_name)s 1717 %(thisUpdate)s 1718 %(nextUpdate)s 1719 # no revoked certs list 1720 [0] { 1721 SEQUENCE { 1722 %(issuingDistributionPoint_with_onlyContainsUserCerts)s 1723 } 1724 } 1725''' % crl_strings)) 1726