// Copyright (c) 2020, Google Inc. // // Permission to use, copy, modify, and/or distribute this software for any // purpose with or without fee is hereby granted, provided that the above // copyright notice and this permission notice appear in all copies. // // THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES // WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF // MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY // SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES // WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION // OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN // CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. //go:build ignore // make_policy_certs.go generates certificates for testing policy handling. package main import ( "crypto/ecdsa" "crypto/rand" "crypto/x509" "crypto/x509/pkix" "encoding/asn1" "encoding/pem" "math/big" "os" "time" ) var ( // https://davidben.net/oid testOID1 = asn1.ObjectIdentifier([]int{1, 2, 840, 113554, 4, 1, 72585, 2, 1}) testOID2 = asn1.ObjectIdentifier([]int{1, 2, 840, 113554, 4, 1, 72585, 2, 2}) // https://www.rfc-editor.org/rfc/rfc5280.html#section-4.2.1.4 certificatePoliciesOID = asn1.ObjectIdentifier([]int{2, 5, 29, 32}) ) var leafKey, intermediateKey, rootKey *ecdsa.PrivateKey func init() { leafKey = mustParseECDSAKey(leafKeyPEM) intermediateKey = mustParseECDSAKey(intermediateKeyPEM) rootKey = mustParseECDSAKey(rootKeyPEM) } type templateAndKey struct { template x509.Certificate key *ecdsa.PrivateKey } func mustGenerateCertificate(path string, subject, issuer *templateAndKey) []byte { cert, err := x509.CreateCertificate(rand.Reader, &subject.template, &issuer.template, &subject.key.PublicKey, issuer.key) if err != nil { panic(err) } file, err := os.Create(path) if err != nil { panic(err) } defer file.Close() err = pem.Encode(file, &pem.Block{Type: "CERTIFICATE", Bytes: cert}) if err != nil { panic(err) } return cert } func main() { notBefore, err := time.Parse(time.RFC3339, "2000-01-01T00:00:00Z") if err != nil { panic(err) } notAfter, err := time.Parse(time.RFC3339, "2100-01-01T00:00:00Z") if err != nil { panic(err) } root := templateAndKey{ template: x509.Certificate{ SerialNumber: new(big.Int).SetInt64(1), Subject: pkix.Name{CommonName: "Policy Root"}, NotBefore: notBefore, NotAfter: notAfter, BasicConstraintsValid: true, IsCA: true, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, KeyUsage: x509.KeyUsageCertSign, SignatureAlgorithm: x509.ECDSAWithSHA256, }, key: rootKey, } intermediate := templateAndKey{ template: x509.Certificate{ SerialNumber: new(big.Int).SetInt64(2), Subject: pkix.Name{CommonName: "Policy Intermediate"}, NotBefore: notBefore, NotAfter: notAfter, BasicConstraintsValid: true, IsCA: true, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, KeyUsage: x509.KeyUsageCertSign, SignatureAlgorithm: x509.ECDSAWithSHA256, PolicyIdentifiers: []asn1.ObjectIdentifier{testOID1, testOID2}, }, key: intermediateKey, } leaf := templateAndKey{ template: x509.Certificate{ SerialNumber: new(big.Int).SetInt64(3), Subject: pkix.Name{CommonName: "www.example.com"}, NotBefore: notBefore, NotAfter: notAfter, BasicConstraintsValid: true, IsCA: false, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, KeyUsage: x509.KeyUsageCertSign, SignatureAlgorithm: x509.ECDSAWithSHA256, DNSNames: []string{"www.example.com"}, PolicyIdentifiers: []asn1.ObjectIdentifier{testOID1, testOID2}, }, key: leafKey, } // Generate a valid certificate chain from the templates. mustGenerateCertificate("policy_root.pem", &root, &root) mustGenerateCertificate("policy_intermediate.pem", &intermediate, &root) mustGenerateCertificate("policy_leaf.pem", &leaf, &intermediate) // Introduce syntax errors in the leaf and intermediate. leafInvalid := leaf leafInvalid.template.PolicyIdentifiers = nil leafInvalid.template.ExtraExtensions = []pkix.Extension{{Id: certificatePoliciesOID, Value: []byte("INVALID")}} mustGenerateCertificate("policy_leaf_invalid.pem", &leafInvalid, &root) intermediateInvalid := intermediate intermediateInvalid.template.PolicyIdentifiers = nil intermediateInvalid.template.ExtraExtensions = []pkix.Extension{{Id: certificatePoliciesOID, Value: []byte("INVALID")}} mustGenerateCertificate("policy_intermediate_invalid.pem", &intermediateInvalid, &root) // Duplicates are not allowed in certificatePolicies. leafDuplicate := leaf leafDuplicate.template.PolicyIdentifiers = []asn1.ObjectIdentifier{testOID1, testOID2, testOID2} mustGenerateCertificate("policy_leaf_duplicate.pem", &leafDuplicate, &root) intermediateDuplicate := intermediate intermediateDuplicate.template.PolicyIdentifiers = []asn1.ObjectIdentifier{testOID1, testOID2, testOID2} mustGenerateCertificate("policy_intermediate_duplicate.pem", &intermediateDuplicate, &root) // TODO(davidben): Generate more certificates to test policy validation more // extensively, including an intermediate with constraints. For now this // just tests the basic case. } const leafKeyPEM = `-----BEGIN PRIVATE KEY----- MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgoPUXNXuH9mgiS/nk 024SYxryxMa3CyGJldiHymLxSquhRANCAASRKti8VW2Rkma+Kt9jQkMNitlCs0l5 w8u3SSwm7HZREvmcBCJBjVIREacRqI0umhzR2V5NLzBBP9yPD/A+Ch5X -----END PRIVATE KEY-----` const intermediateKeyPEM = `-----BEGIN PRIVATE KEY----- MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgWHKCKgY058ahE3t6 vpxVQgzlycgCVMogwjK0y3XMNfWhRANCAATiOnyojN4xS5C8gJ/PHL5cOEsMbsoE Y6KT9xRQSh8lEL4d1Vb36kqUgkpqedEImo0Og4Owk6VWVVR/m4Lk+yUw -----END PRIVATE KEY-----` const rootKeyPEM = `-----BEGIN PRIVATE KEY----- MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgBwND/eHytW0I417J Hr+qcPlp5N1jM3ACXys57bPujg+hRANCAAQmdqXYl1GvY7y3jcTTK6MVXIQr44Tq ChRYI6IeV9tIB6jIsOY+Qol1bk8x/7A5FGOnUWFVLEAPEPSJwPndjolt -----END PRIVATE KEY-----` func mustParseECDSAKey(in string) *ecdsa.PrivateKey { keyBlock, _ := pem.Decode([]byte(in)) if keyBlock == nil || keyBlock.Type != "PRIVATE KEY" { panic("could not decode private key") } key, err := x509.ParsePKCS8PrivateKey(keyBlock.Bytes) if err != nil { panic(err) } return key.(*ecdsa.PrivateKey) }