1#!/usr/bin/env python 2# Copyright 2019 The Chromium Authors 3# Use of this source code is governed by a BSD-style license that can be 4# found in the LICENSE file. 5 6"""Certificate chain where the target was signed by a different 7certificate with a different key. The target lacks an 8authorityKeyIdentifier extension as some verifiers will not try verifying with 9the bogus intermediate if the authorityKeyIdentifier does not match the 10intermediate's subjectKeyIdentifier. 11""" 12 13import sys 14sys.path += ['../..'] 15 16import gencerts 17 18# Self-signed root certificate. 19root = gencerts.create_self_signed_root_certificate('Root') 20 21# Intermediate certificate, which actually signed the leaf. 22intermediate = gencerts.create_intermediate_certificate('Intermediate', root) 23section = intermediate.config.get_section('signing_ca_ext') 24# Don't include authorityKeyIdentifier extension in the target issued by 25# the real intermediate, otherwise the verifier might not even try to validate 26# the signature against the bogus intermediate. 27section.remove_property('authorityKeyIdentifier') 28 29# Target certificate. 30target = gencerts.create_end_entity_certificate('Target', intermediate) 31# TODO(eroman): Set subjectAltName by default rather than specifically in 32# this test. 33target.get_extensions().set_property('subjectAltName', 'DNS:test.example') 34 35# Intermediate certificate issued by root, but which did not sign target. 36bogus_intermediate = gencerts.create_intermediate_certificate('Intermediate', 37 root) 38 39chain = [target, bogus_intermediate, root] 40gencerts.write_chain(__doc__, chain, 'chain.pem') 41