Add a collection of lints (structured similarly, but not identically, to zlint's certificate lints) which check a variety of requirements based on RFC 5280, the Baseline Requirements, and the Mozilla Root Store Policy. Add a method to lint CRLs to the existing linter package which uses its fake issuer to sign the CRL, calls all of the above lints, and returns all of their findings. Call this new method from within the CA's new GenerateCRL method immediately before signing the real CRL using the real issuer. Fixes #6188

| Name |
|---|
| README.md |
| ee-e1.cert.pem |
| ee-e1.key.pem |
| ee-e2.cert.pem |
| ee-e2.key.pem |
| ee-r3.cert.pem |
| ee-r3.key.pem |
| ee-r4.cert.pem |
| ee-r4.key.pem |
| int-e1.cert.pem |
| int-e1.crl.pem |
| int-e1.key.pem |
| int-e2.cert.pem |
| int-e2.key.pem |
| int-r3-cross.cert.pem |
| int-r3.cert.pem |
| int-r3.key.pem |
| int-r4-cross.cert.pem |
| int-r4.cert.pem |
| int-r4.key.pem |
| root-dst.cert.pem |
| root-x1-cross.cert.pem |
| root-x1.cert.pem |
| root-x2-cross.cert.pem |
| root-x2.cert.pem |

README.md
Boulder Test Hierarchy
This directory contains certificates which are analogues of Let's Encrypt's active hierarchy. These are useful for ensuring that our tests cover all of our actual situations, such as cross-signed intermediates, cross-signed roots, both RSA and ECDSA roots and intermediates, and issuance chains with more than one intermediate in them. Also included is a selection of fake end-entity certificates, issued from each of the intermediates. This directory does not include private keys for the roots, as Boulder should never perform any operations which require access to root private keys.
Usage
These certificates (particularly their subject info and public key info) are
subject to change at any time. Values derived from these certificates, such as
their Serial, IssuerID, Fingerprint, or IssuerNameID should never be
hard-coded in tests or mocks. If you need to assert facts about those values
in a test, load the cert from disk and compute those values dynamically.
In general, loading and using one of these certificates for a test might look like:
```go
ee, _ := CA.IssuePrecertificate(...)
// Load the issuer from disk so its NameID is computed at test time, not hard-coded.
issuer, _ := issuance.LoadCertificate("test/hierarchy/int-e1.cert.pem")
test.AssertEqual(t, issuance.GetIssuerNameID(ee), issuer.NameID())
```
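
The same rule as an added, self-contained example using only the Go standard library (it is not Boulder's code and does not use its `issuance` package): the issuer relationship is derived from the certificates at run time instead of being compared against literals. The `issue` and `issuedBy` helpers and the certificate names are hypothetical, and the certificates are constructed in memory with fresh Ed25519 keys so the block runs without the hierarchy files.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue creates a constructed certificate signed by parent (self-signed when parent is nil).
func issue(cn string, ca bool, parent *x509.Certificate, pk ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey, error) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), IsCA: ca, BasicConstraintsValid: true}
	if parent == nil {
		parent, pk = t, key
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, pk)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// issuedBy derives the issuer relationship from the certificates themselves, not from hard-coded IDs.
func issuedBy(ee, issuer *x509.Certificate) error {
	if !bytes.Equal(ee.RawIssuer, issuer.RawSubject) {
		return fmt.Errorf("issuer name mismatch: %q vs %q", ee.Issuer, issuer.Subject)
	}
	return ee.CheckSignatureFrom(issuer)
}

func main() {
	issuer, key, err1 := issue("constructed int", true, nil, nil)
	ee, _, err2 := issue("constructed ee", false, issuer, key) // self-signs if issuer is nil
	if err1 != nil || err2 != nil {
		panic(fmt.Sprint(err1, err2))
	}
	fmt.Println("serial:", issuer.SerialNumber, "issuedBy error:", issuedBy(ee, issuer))
}
```

A regenerated intermediate with the same subject name still fails `issuedBy` for certificates issued by the old one, because its key has changed.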