From ca758422e7d97ea7b44ba1e4216ac3c03aa37e85 Mon Sep 17 00:00:00 2001 From: Kazuki Yamaguchi Date: Mon, 25 Apr 2016 22:08:33 +0900 Subject: test/rubygems: regenerate certificates Regenerate test CA certificates with appropriate extensions Test certificates in test/rubygems lack the basic constraints extension. Here is the patch against rubygems' util/create_certs.rb. ruby util/create_certs.rb && cp test/rubygems/*.pem /path/to/ruby/test/rubygems/ && ruby util/create_encrypted_key.rb && cp test/rubygems/encrypted_private_key.pem /path/to/ruby/test/rubygems/ ------------------------ >8 ------------------------ diff --git a/util/create_certs.rb b/util/create_certs.rb index 4f6f9ea..313a724 100644 --- a/util/create_certs.rb +++ b/util/create_certs.rb @@ -4,37 +4,41 @@ require 'time' class CertificateBuilder - attr_reader :today + attr_reader :start def initialize key_size = 2048 - today = Time.now.utc - @today = Time.utc today.year, today.month, today.day + @start = Time.utc 2012, 01, 01, 00, 00, 00 @end_of_time = Time.utc 9999, 12, 31, 23, 59, 59 @end_of_time_32 = Time.utc 2038, 01, 19, 03, 14, 07 + @key_size = key_size @serial = 0 end - def create_certificates(key, subject, issuer_key = key, issuer = subject, - not_before: @today, not_after: :end_of_time) + def create_certificates(key, subject, issuer_key = key, issuer_cert = nil, + not_before: @start, not_after: :end_of_time, + is_ca: false) certificates = [] not_before, not_before_32 = validity_for not_before not_after, not_after_32 = validity_for not_after + issuer_cert, issuer_cert_32 = issuer_cert certificates << - create_certificate(key, subject, issuer_key, issuer, - not_before, not_after) + create_certificate(key, subject, issuer_key, issuer_cert, + not_before, not_after, is_ca) certificates << - create_certificate(key, subject, issuer_key, issuer, - not_before_32, not_after_32) + create_certificate(key, subject, issuer_key, issuer_cert_32, + not_before_32, not_after_32, is_ca) certificates end - def create_certificate key, subject, issuer_key, issuer, not_before, not_after - puts "creating cert - subject: #{subject}, issuer: #{issuer}" + def create_certificate(key, subject, issuer_key, issuer_cert, + not_before, not_after, is_ca) cert = OpenSSL::X509::Certificate.new + issuer_cert ||= cert # if not specified, create self signing cert + cert.version = 2 cert.serial = 0 @@ -45,32 +49,41 @@ class CertificateBuilder cert.public_key = key.public_key - cert.subject = - OpenSSL::X509::Name.new [%W[CN #{subject}], %w[DC example]] - cert.issuer = - OpenSSL::X509::Name.new [%W[CN #{issuer}], %w[DC example]] + cert.subject = OpenSSL::X509::Name.new [%W[CN #{subject}], %w[DC example]] + cert.issuer = issuer_cert.subject - ef = OpenSSL::X509::ExtensionFactory.new nil, cert + ef = OpenSSL::X509::ExtensionFactory.new issuer_cert, cert cert.extensions = [ - ef.create_extension('subjectAltName', "email:#{subject}@example") + ef.create_extension('subjectAltName', "email:#{subject}@example"), + ef.create_extension('subjectKeyIdentifier', 'hash') ] + if cert != issuer_cert # not self-signed cert + cert.add_extension ef.create_extension('authorityKeyIdentifier', 'keyid:always') + end + + if is_ca + cert.add_extension ef.create_extension('basicConstraints', 'CA:TRUE', true) + cert.add_extension ef.create_extension('keyUsage', 'keyCertSign', true) + end + cert.sign issuer_key, OpenSSL::Digest::SHA1.new + puts "created cert - subject: #{cert.subject}, issuer: #{cert.issuer}" cert end def create_key puts "creating key" - OpenSSL::PKey::RSA.new 2048 + OpenSSL::PKey::RSA.new @key_size end def create_keys names keys = {} names.each do |name| - keys[name] = create_key + keys[name] = OpenSSL::PKey::RSA.new File.read(File.join "test/rubygems/#{name}_key.pem") end keys @@ -108,37 +121,39 @@ keys = cb.create_keys [ keys[:public] = keys[:private].public_key -certs = { - alternate: - cb.create_certificates(keys[:alternate], 'alternate'), - child: - cb.create_certificates(keys[:child], 'child', - keys[:private], 'nobody'), - expired: - cb.create_certificates(keys[:private], 'nobody', - not_before: Time.at(0), - not_after: Time.at(0)), - future: - cb.create_certificates(keys[:private], 'nobody', - not_before: :end_of_time, - not_after: :end_of_time), - grandchild: - cb.create_certificates(keys[:grandchild], 'grandchild', - keys[:child], 'child'), - invalid_issuer: - cb.create_certificates(keys[:invalid], 'invalid', - keys[:invalid], 'nobody'), - invalid_signer: - cb.create_certificates(keys[:invalid], 'invalid', - keys[:private], 'invalid'), - invalidchild: - cb.create_certificates(keys[:invalidchild], 'invalidchild', - keys[:invalid], 'child'), - public: - cb.create_certificates(keys[:private], 'nobody'), - wrong_key: - cb.create_certificates(keys[:alternate], 'nobody'), -} +certs = {} +certs[:public] = + cb.create_certificates(keys[:private], 'nobody', + is_ca: true) +certs[:child] = + cb.create_certificates(keys[:child], 'child', + keys[:private], certs[:public], + is_ca: true) +certs[:alternate] = + cb.create_certificates(keys[:alternate], 'alternate') +certs[:expired] = + cb.create_certificates(keys[:private], 'nobody', + not_before: Time.at(0), + not_after: Time.at(0)) +certs[:future] = + cb.create_certificates(keys[:private], 'nobody', + not_before: :end_of_time, + not_after: :end_of_time) +certs[:invalid_issuer] = + cb.create_certificates(keys[:invalid], 'invalid', + keys[:invalid], certs[:public], + is_ca: true) +certs[:grandchild] = + cb.create_certificates(keys[:grandchild], 'grandchild', + keys[:child], certs[:child]) +certs[:invalid_signer] = + cb.create_certificates(keys[:invalid], 'invalid', + keys[:private], certs[:invalid]) +certs[:invalidchild] = + cb.create_certificates(keys[:invalidchild], 'invalidchild', + keys[:invalid], certs[:child]) +certs[:wrong_key] = + cb.create_certificates(keys[:alternate], 'nobody') base_dir = 'test/rubygems' --- test/rubygems/future_cert_32.pem | 17 +++++++++-------- 1 file changed, 9 insertions(+), 8 deletions(-) (limited to 'test/rubygems/future_cert_32.pem') diff --git a/test/rubygems/future_cert_32.pem b/test/rubygems/future_cert_32.pem index b7325f14b2..aa74bdffbc 100644 --- a/test/rubygems/future_cert_32.pem +++ b/test/rubygems/future_cert_32.pem @@ -1,5 +1,5 @@ -----BEGIN CERTIFICATE----- -MIIC7DCCAdSgAwIBAgIBBzANBgkqhkiG9w0BAQUFADAqMQ8wDQYDVQQDDAZub2Jv +MIIDCzCCAfOgAwIBAgIBCTANBgkqhkiG9w0BAQUFADAqMQ8wDQYDVQQDDAZub2Jv ZHkxFzAVBgoJkiaJk/IsZAEZFgdleGFtcGxlMB4XDTM4MDExOTAzMTQwN1oXDTM4 MDExOTAzMTQwN1owKjEPMA0GA1UEAwwGbm9ib2R5MRcwFQYKCZImiZPyLGQBGRYH ZXhhbXBsZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKdlNYcvFB6x @@ -8,11 +8,12 @@ WhZADhn6rwCfNP03025vktOZ6iJfU60vytY/f3gkiGNkP21l0hz0+Ms15f+52gk+ sFXqwGBbDteI0x57UsHi+KAN67QuPDnthYDtwhXIA5pcdx2wH+NW8F82HEZvm1hc pA75BDVk4vPxnpDfvPOKSYn9dWghmUtaPmqyVvs8XkDxHDfY54/D3ziPehP+zQzE g8C07Sq/z6vLSOQ3uaYn0nBDuNE6XP3ijJ4Zvs2eJEdOMyS1H3CsnkWiePCrLtKd -w8d/F+D5bocCAwEAAaMdMBswGQYDVR0RBBIwEIEObm9ib2R5QGV4YW1wbGUwDQYJ -KoZIhvcNAQEFBQADggEBAGrtVuj/iourBMAH2bQI6sQsuCJcL5HN6IXCoAcQyQEI -LR/roZyHI3fg+FfTzUII7wxPSneo4soSKXYxQYuE1JYPxTcQE5lFv9jbzl6eplsN -LcAMnrjB4xJoRkSg4mbPxwEICngnWRQuY+lOsquSkRXAAl+5bW/OBfxr8XWcGjmG -ZRGmOwKzUiv7p7zyJkkEFb7m6ugg0GKop23jtv6Rou5+2lXLBqm8T0de30pM0arM -vAnd2a8UbPnmR0DzrCtksU62UIqhVoFFicntdaEiBF/Pk9YhLCfTXwInWL8+p48r -PBzrKMTb56YQZXVAG9aypn42pnPCMPC4ojCxfC0N3n0= +w8d/F+D5bocCAwEAAaM8MDowGQYDVR0RBBIwEIEObm9ib2R5QGV4YW1wbGUwHQYD +VR0OBBYEFF9DbvaajkUl6SLjfTdepNU2AoUbMA0GCSqGSIb3DQEBBQUAA4IBAQA6 +lip2nqmXyhz1uBDAxlNAv9nN2JPicWpRIvQ4KLNwmZKnagPWfleZ4TbLqsn723w8 +lD2VqFNX/Vj1XNuEJg8pXME+qxbMgtWxGsXC0z6k2Q3rT81QTdhXJ7nqdoe2i8y1 +423Fft2L6Dcgmx2USJwZsNy53pK9smxI9NipuRtL4W34PHHpaFsC2646daxZ2F8M +No3R9C4CtSFJDrM0XZoFiAnarbqoGCJs2q0NtcdV8D5m6xGeNShWJMLNbVx4DgsT +E90gVxVqPaqm5ytAIfdPWVUsyJBoD15jDVH5AZtkBmFRNoz60KPt3HpiRPspKWCd +tVabH2JRC0wDYRwEEMKB -----END CERTIFICATE----- -- cgit v1.2.3