grpc
/
grpc-go
mirror of https://github.com/grpc/grpc-go.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
grpc-go/security/advancedtls/testdata/crl/README.md

3.1 KiB
Raw Permalink Blame History

CRL Test Data

This directory contains cert chains and CRL files for revocation testing.

To print the chain, use a command like,

openssl crl2pkcs7 -nocrl -certfile security/crl/x509/client/testdata/revokedLeaf.pem | openssl pkcs7 -print_certs -text -noout

The crl file symlinks are generated with openssl rehash

unrevoked.pem

A certificate chain with CRL files and unrevoked certs

  • Subject: C=US, ST=California, L=Mountain View, O=Google LLC, OU=Production, OU=campus-sln, CN=Root CA (2021-02-02T07:30:36-08:00)
    • 1.crl

NOTE: 1.crl file is symlinked with 5.crl to simulate two issuers that hash to the same value to test that loading multiple files works.

  • Subject: C=US, ST=California, L=Mountain View, O=Google LLC, OU=Production, OU=campus-sln, CN=node CA (2021-02-02T07:30:36-08:00)
    • 2.crl

revokedInt.pem

Certificate chain where the intermediate is revoked

  • Subject: C=US, ST=California, L=Mountain View, O=Google LLC, OU=Production, OU=campus-sln, CN=Root CA (2021-02-02T07:31:54-08:00)
    • 3.crl
  • Subject: C=US, ST=California, L=Mountain View, O=Google LLC, OU=Production, OU=campus-sln, CN=node CA (2021-02-02T07:31:54-08:00)
    • 4.crl

revokedLeaf.pem

Certificate chain where the leaf is revoked

  • Subject: C=US, ST=California, L=Mountain View, O=Google LLC, OU=Production, OU=campus-sln, CN=Root CA (2021-02-02T07:32:57-08:00)
    • 5.crl
  • Subject: C=US, ST=California, L=Mountain View, O=Google LLC, OU=Production, OU=campus-sln, CN=node CA (2021-02-02T07:32:57-08:00)
    • 6.crl

Test Data for testing CRL providers functionality

To generate test data please run provider_create.sh script. All the files have provider_ prefix.

We need to generate the following artifacts for testing CRL provider:

  • server self signed CA cert
  • client self signed CA cert
  • server cert signed by client CA
  • client cert signed by server CA
  • empty crl file
  • crl file containing information about revoked server cert
  • crl file by 'malicious' CA which contains the same issuer with original CA

All the commands are provided in provider_create.sh script. Please find the description below.

  1. The first two commands generate self signed CAs for client and server:

    • provider_server_trust_key.pem
    • provider_server_trust_cert.pem
    • provider_client_trust_key.pem
    • provider_client_trust_cert.pem

  2. Generate client and server certs signed by the CAs above:

    • provider_server_cert.pem
    • provider_client_cert.pem

  3. The next 2 commands create 2 files needed for CRL issuing:

    • provider_crlnumber.txt
    • provider_index.txt

  4. The next 3 commands generate an empty CRL file and a CRL file containing revoked server cert:

    • provider_crl_empty.pem
    • provider_crl_server_revoked.pem

  5. The final section contains commands to generate CRL file by 'malicious' CA. Note that we use Subject Key Identifier from previously created provider_client_trust_cert.pem to generate malicious certs / CRL.

    • provider_malicious_client_trust_key.pem
    • provider_malicious_client_trust_cert.pem
    • provider_malicious_crl_empty.pem