868214b85e
Add the Issuing Distribution Point extension to all of our end-entity
CRLs. The extension contains the Distribution Point, the URL from
which this CRL is meant to be downloaded. Because our CRLs are
sharded, this URL prevents an on-path attacker from substituting a
different shard than the client expected in order to hide a revocation.
The extension also contains the OnlyContainsUserCerts boolean,
because our CRLs only contain end-entity certificates.
The Distribution Point url is constructed from a configurable base URI,
the issuer's NameID, the shard index, and the suffix ".crl". The base
URI must use the "http://" scheme and must not end with a slash.
openssl displays the IDP extension as:
```
X509v3 Issuing Distribution Point: critical
Full Name:
URI:http://c.boulder.test/66283756913588288/0.crl Only User Certificates
```
Fixes #6410
|
||
|---|---|---|
| .. | ||
| README.md | ||
| ee-e1.cert.pem | ||
| ee-e1.key.pem | ||
| ee-e2.cert.pem | ||
| ee-e2.key.pem | ||
| ee-r3.cert.pem | ||
| ee-r3.key.pem | ||
| ee-r4.cert.pem | ||
| ee-r4.key.pem | ||
| int-e1.cert.pem | ||
| int-e1.crl.pem | ||
| int-e1.key.pem | ||
| int-e2.cert.pem | ||
| int-e2.key.pem | ||
| int-r3-cross.cert.pem | ||
| int-r3.cert.pem | ||
| int-r3.key.pem | ||
| int-r4-cross.cert.pem | ||
| int-r4.cert.pem | ||
| int-r4.key.pem | ||
| root-dst.cert.pem | ||
| root-x1-cross.cert.pem | ||
| root-x1.cert.pem | ||
| root-x2-cross.cert.pem | ||
| root-x2.cert.pem | ||
README.md
Boulder Test Hierarchy
This directory contains certificates which are analogues of Let's Encrypt's active hierarchy. These are useful for ensuring that our tests cover all of our actual situations, such as cross-signed intermediates, cross-signed roots, both RSA and ECDSA roots and intermediates, and having issuance chains with more than one intermediate in them. Also included are a selection of fake end-entity certificates, issued from each of the intermediates. This directory does not include private keys for the roots, as Boulder should never perform any operations which require access to root private keys.
Usage
These certificates (particularly their subject info and public key info) are
subject to change at any time. Values derived from these certificates, such as
their Serial, IssuerID, Fingerprint, or IssuerNameID should never be
hard-coded in tests or mocks. If you need to assert facts about those values
in a test, load the cert from disk and compute those values dynamically.
In general, loading and using one of these certificates for a test might look like:
ee, _ := CA.IssuePrecertificate(...)
cert, _ := issuance.LoadCertificate("test/hierarchy/int-e1.cert.pem")
test.AssertEqual(t, issuance.GetIssuerNameID(ee), issuer.NameID())