grpc-go/security/advancedtls/testdata/crl
eshitachandwani cbb5c2f5f9
advancedtls: update CRL provider certificates (#8073)
2025-02-11 14:53:12 +05:30
0b35a562.r0 advancedtls: CRL checking for golang gRPC (#4489) 2021-07-15 09:53:31 -07:00
0b35a562.r1 advancedtls: CRL checking for golang gRPC (#4489) 2021-07-15 09:53:31 -07:00
1.crl advancedtls: CRL checking for golang gRPC (#4489) 2021-07-15 09:53:31 -07:00
1ab871c8.r0 advancedtls: CRL checking for golang gRPC (#4489) 2021-07-15 09:53:31 -07:00
2.crl advancedtls: CRL checking for golang gRPC (#4489) 2021-07-15 09:53:31 -07:00
2f11f022.r0 security/advancedtls: fix CRL issuer comparison (#5130) 2022-01-25 13:32:27 -08:00
3.crl advancedtls: CRL checking for golang gRPC (#4489) 2021-07-15 09:53:31 -07:00
4.crl advancedtls: CRL checking for golang gRPC (#4489) 2021-07-15 09:53:31 -07:00
5.crl advancedtls: CRL checking for golang gRPC (#4489) 2021-07-15 09:53:31 -07:00
6.crl advancedtls: CRL checking for golang gRPC (#4489) 2021-07-15 09:53:31 -07:00
7a1799af.r0 advancedtls: CRL checking for golang gRPC (#4489) 2021-07-15 09:53:31 -07:00
71eac5a2.r0 advancedtls: CRL checking for golang gRPC (#4489) 2021-07-15 09:53:31 -07:00
8828a7e6.r0 advancedtls: CRL checking for golang gRPC (#4489) 2021-07-15 09:53:31 -07:00
README.md vet: add check for trailing spaces (#7576) 2024-09-12 11:40:38 +05:30
deee447d.r0 advancedtls: CRL checking for golang gRPC (#4489) 2021-07-15 09:53:31 -07:00
provider_client_cert.key advancedtls: update CRL provider certificates (#8073) 2025-02-11 14:53:12 +05:30
provider_client_cert.pem advancedtls: update CRL provider certificates (#8073) 2025-02-11 14:53:12 +05:30
provider_client_trust_cert.pem advancedtls: update CRL provider certificates (#8073) 2025-02-11 14:53:12 +05:30
provider_client_trust_key.pem advancedtls: update CRL provider certificates (#8073) 2025-02-11 14:53:12 +05:30
provider_create.sh security/advancedtls: CRL checks improvement (#6968) 2024-02-14 15:33:38 -08:00
provider_crl.cnf crl provider: Static and FileWatcher provider implementations (#6670) 2023-10-30 20:41:22 -04:00
provider_crl_empty.pem advancedtls: update CRL provider certificates (#8073) 2025-02-11 14:53:12 +05:30
provider_crl_server_revoked.pem advancedtls: update CRL provider certificates (#8073) 2025-02-11 14:53:12 +05:30
provider_extensions.conf security/advancedtls: CRL checks improvement (#6968) 2024-02-14 15:33:38 -08:00
provider_malicious_client_trust_cert.pem advancedtls: update CRL provider certificates (#8073) 2025-02-11 14:53:12 +05:30
provider_malicious_client_trust_key.pem advancedtls: update CRL provider certificates (#8073) 2025-02-11 14:53:12 +05:30
provider_malicious_crl_empty.pem advancedtls: update CRL provider certificates (#8073) 2025-02-11 14:53:12 +05:30
provider_server_cert.key advancedtls: update CRL provider certificates (#8073) 2025-02-11 14:53:12 +05:30
provider_server_cert.pem advancedtls: update CRL provider certificates (#8073) 2025-02-11 14:53:12 +05:30
provider_server_trust_cert.pem advancedtls: update CRL provider certificates (#8073) 2025-02-11 14:53:12 +05:30
provider_server_trust_key.pem advancedtls: update CRL provider certificates (#8073) 2025-02-11 14:53:12 +05:30
revokedInt.pem advancedtls: CRL checking for golang gRPC (#4489) 2021-07-15 09:53:31 -07:00
revokedLeaf.pem advancedtls: CRL checking for golang gRPC (#4489) 2021-07-15 09:53:31 -07:00
unrevoked.pem advancedtls: CRL checking for golang gRPC (#4489) 2021-07-15 09:53:31 -07:00

README.md

CRL Test Data

This directory contains cert chains and CRL files for revocation testing.

To print the chain, use a command like:

openssl crl2pkcs7 -nocrl -certfile security/crl/x509/client/testdata/revokedLeaf.pem | openssl pkcs7 -print_certs -text -noout

The CRL file symlinks are generated with openssl rehash.

unrevoked.pem

A certificate chain with CRL files and unrevoked certs

  • Subject: C=US, ST=California, L=Mountain View, O=Google LLC, OU=Production, OU=campus-sln, CN=Root CA (2021-02-02T07:30:36-08:00)
    • 1.crl

NOTE: 1.crl is symlinked with 5.crl to simulate two issuers that hash to the same value, which tests that loading multiple files works.

  • Subject: C=US, ST=California, L=Mountain View, O=Google LLC, OU=Production, OU=campus-sln, CN=node CA (2021-02-02T07:30:36-08:00)
    • 2.crl

revokedInt.pem

Certificate chain where the intermediate is revoked

  • Subject: C=US, ST=California, L=Mountain View, O=Google LLC, OU=Production, OU=campus-sln, CN=Root CA (2021-02-02T07:31:54-08:00)
    • 3.crl
  • Subject: C=US, ST=California, L=Mountain View, O=Google LLC, OU=Production, OU=campus-sln, CN=node CA (2021-02-02T07:31:54-08:00)
    • 4.crl

revokedLeaf.pem

Certificate chain where the leaf is revoked

  • Subject: C=US, ST=California, L=Mountain View, O=Google LLC, OU=Production, OU=campus-sln, CN=Root CA (2021-02-02T07:32:57-08:00)
    • 5.crl
  • Subject: C=US, ST=California, L=Mountain View, O=Google LLC, OU=Production, OU=campus-sln, CN=node CA (2021-02-02T07:32:57-08:00)
    • 6.crl

Test Data for testing CRL providers functionality

To generate the test data, run the provider_create.sh script. All generated files have the provider_ prefix.

We need to generate the following artifacts for testing the CRL provider:

  • server self-signed CA cert
  • client self-signed CA cert
  • server cert signed by client CA
  • client cert signed by server CA
  • empty CRL file
  • CRL file containing information about the revoked server cert
  • CRL file issued by a 'malicious' CA that carries the same issuer as the original CA

All the commands are provided in the provider_create.sh script. They are described below.

  1. The first two commands generate self-signed CAs for client and server:

    • provider_server_trust_key.pem
    • provider_server_trust_cert.pem
    • provider_client_trust_key.pem
    • provider_client_trust_cert.pem
  2. Generate client and server certs signed by the CAs above:

    • provider_server_cert.pem
    • provider_client_cert.pem
  3. The next 2 commands create 2 files needed for CRL issuing:

    • provider_crlnumber.txt
    • provider_index.txt
  4. The next 3 commands generate an empty CRL file and a CRL file containing the revoked server cert:

    • provider_crl_empty.pem
    • provider_crl_server_revoked.pem
  5. The final section contains commands to generate a CRL file issued by the 'malicious' CA. Note that we use the Subject Key Identifier from the previously created provider_client_trust_cert.pem to generate the malicious certs / CRL.

    • provider_malicious_client_trust_key.pem
    • provider_malicious_client_trust_cert.pem
    • provider_malicious_crl_empty.pem
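
Why the 'malicious' CA artifacts from step 5 are useful test input, shown as an added example (not code from grpc-go or from provider_create.sh): a CRL from a look-alike CA with the same issuer name and Subject Key Identifier passes identity matching, and only signature verification against the trusted CA rejects it. The helper names, the common name and the SKI bytes are constructed for illustration, and the keys are generated in memory with Ed25519 rather than read from the provider_ files.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// newCA builds a self-signed CA with the given common name and Subject Key Identifier.
func newCA(cn string, ski []byte) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	must(err)
	t := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn}, SubjectKeyId: ski,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	der, err := x509.CreateCertificate(rand.Reader, t, t, pub, key)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key
}

// checkCRL issues an empty CRL from issuer and reports, against trusted, whether identity matches and the signature verifies.
func checkCRL(issuer *x509.Certificate, key ed25519.PrivateKey, trusted *x509.Certificate) (idMatch, sigOK bool) {
	t := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: time.Now(), NextUpdate: time.Now().Add(time.Hour)}
	der, err := x509.CreateRevocationList(rand.Reader, t, issuer, key)
	must(err)
	crl, err := x509.ParseRevocationList(der)
	must(err)
	idMatch = bytes.Equal(crl.RawIssuer, trusted.RawSubject) && bytes.Equal(crl.AuthorityKeyId, trusted.SubjectKeyId)
	return idMatch, crl.CheckSignatureFrom(trusted) == nil
}

func main() {
	ca, caKey := newCA("example client CA", []byte{1, 2, 3, 4})     // constructed name and SKI
	fake, fakeKey := newCA("example client CA", []byte{1, 2, 3, 4}) // same identity, different key
	fmt.Println(checkCRL(ca, caKey, ca))                            // true true
	fmt.Println(checkCRL(fake, fakeKey, ca))                        // true false
}
```

A revocation check that selects a CRL by issuer name or key identifier alone would treat the look-alike's empty CRL as authoritative, which is the case the provider_malicious_ files exercise.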