Add test leaf template with serverAuth EKU #893

pav-kv · 2022-03-18T15:26:19Z

This change introduces leaf00.cert and leaf00.chain, a template cert/chain with the serverAuth EKU.

It was generated using $ make leaf00.cert leaf00.chain command.

$ openssl x509 -in leaf00.cert -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 3735928559 (0xdeadbeef)
        Signature Algorithm: ecdsa-with-SHA256
        Issuer: C = GB, ST = London, L = London, O = Google, OU = Eng, CN = FakeIntermediateAuthority
        Validity
            Not Before: Mar 18 15:39:22 2022 GMT
            Not After : Apr 30 15:39:22 2029 GMT
        Subject: C = GB, ST = London, O = Google, OU = Eng, CN = leaf00.csr.pem
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                    04:eb:37:4e:52:45:9c:46:d5:a8:b8:c5:ed:58:b9:
                    30:29:a6:70:8a:69:a0:26:5c:9e:2f:6e:b8:6b:23:
                    6c:84:e1:46:3a:98:36:82:44:a5:8a:17:8b:41:82:
                    32:f4:2d:e0:08:5b:7e:07:38:52:fc:47:56:28:27:
                    9b:ed:60:8b:ac
                ASN1 OID: prime256v1
                NIST CURVE: P-256
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                3F:B2:2F:41:FC:11:9A:D3:8D:A6:85:80:84:86:AE:7E:73:2E:69:5D
            X509v3 Authority Key Identifier: 
                keyid:05:06:07:08

            X509v3 Key Usage: critical
                Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment, Key Agreement, Encipher Only, Decipher Only
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication
    Signature Algorithm: ecdsa-with-SHA256
         30:44:02:20:33:c6:78:70:56:30:0b:b8:34:72:19:ed:ad:f3:
         c9:b7:1f:02:ff:d9:25:f0:21:63:db:fe:e2:24:3b:be:8e:95:
         02:20:06:e6:7d:87:13:e6:2e:9d:20:3f:82:b1:02:c8:e4:fa:
         6f:3d:fe:b2:a0:e8:2f:5f:74:aa:76:0b:23:5e:1c:e5

Checklist

I have updated the CHANGELOG.
- Adjust the draft version number according to semantic versioning rules.
I have updated documentation accordingly.

pav-kv · 2022-03-18T17:28:50Z

/gcbrun

pav-kv · 2022-03-22T11:23:58Z

/gcbrun

AlCutter · 2022-04-07T11:23:43Z

trillian/testdata/int-ca.cfg

+[ v3_user_serverAuth ]
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+keyUsage = critical, digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment, keyAgreement, encipherOnly, decipherOnly


Nit/curiosity: was it intentional to have all these extra KU on here, or would digitalSignature be enough?

Not intentional, I just copy-pasted the v3_user option set from above, and added the EKU.

pav-kv requested review from pphaneuf, AlCutter and getagit March 18, 2022 15:26

Add test leaf template with serverAuth EKU

b1ba662

AlCutter approved these changes Apr 7, 2022

View reviewed changes

pphaneuf removed their request for review May 24, 2022 10:50

hickford merged commit 1a1f4e0 into google:master Aug 8, 2022

pav-kv deleted the add_serverauth_leaf branch September 22, 2022 00:52

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Add test leaf template with serverAuth EKU #893

Add test leaf template with serverAuth EKU #893

pav-kv commented Mar 18, 2022 •

edited

pav-kv commented Mar 18, 2022

pav-kv commented Mar 22, 2022

AlCutter Apr 7, 2022

pav-kv May 3, 2022

Add test leaf template with serverAuth EKU #893

Add test leaf template with serverAuth EKU #893

Conversation

pav-kv commented Mar 18, 2022 • edited

Checklist

pav-kv commented Mar 18, 2022

pav-kv commented Mar 22, 2022

AlCutter Apr 7, 2022

Choose a reason for hiding this comment

pav-kv May 3, 2022

Choose a reason for hiding this comment

pav-kv commented Mar 18, 2022 •

edited