add several new x509 test vectors

[reaperhulk]

Slightly reorganized the test vector page too.

[reaperhulk]

The best way to verify the custom vectors is to pull them down and parse them to confirm they contain what is claimed. To verify UTCTime you can use openssl asn1parse.

[jenkins-cryptography]

Test PASSed.
Refer to this link for build results: https://jenkins.cryptography.io/job/cryptography-pr-experimental/2580/

[reaperhulk]

This still needs review/merge before #1499 can land

[jenkins-cryptography]

Test PASSed.
Refer to this link for build results: https://jenkins.cryptography.io/job/cryptography-pr-experimental/2623/

[lvh]

There should be a link here to verify that 0x7 is in fact an invalid version.

[reaperhulk]

Hmm, suggestions on where to link? RFC 5280 describes v3 and hasn't been obsoleted, but that isn't very obvious.

[lvh]

This should specify the path where I can find these unambiguously. (It appears to be in PEM_Serialization):

vectors/cryptography_vectors/asymmetric/PEM_Serialization

[reaperhulk]

I've filed this as a separate issue since these are not related to the current PR. #1521

[jenkins-cryptography]

Test PASSed.
Refer to this link for build results: https://jenkins.cryptography.io/job/cryptography-pr-experimental/2630/

[lvh]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

I saw commit:

commit d317baeba44c1cd35a4254712ae5a9a51f89ce1b
Author: Paul Kehrer <paul.l.kehrer@gmail.com>
Date:   Fri Dec 12 11:42:31 2014 -0600

    add ECDSA certificate that does not have a named curve OID

Following directory: cryptography/vectors/cryptography_vectors/x509

[x509] shasum -a 512 **/*.pem                                                                                                                                                        11:34:31  ☁  d317bae ☀
7c4a1f8d2f941daae8edcc62939bba0cdb0b8f04bc439840eae03b07b128bb32936c4d1e7065d0f80ed090292a14a8b123069f4c07b41ea749625fd8af426749  custom/dsa_root.pem
1d2e45baed9e847e68a1eea0cba1e2d6d2794991883ac299321f52aefe1b28648d71e7dc62f4eb282f7af935f913b2d0d9bc2ba38bd0746a3a4a64a59c58f3d7  custom/ec_no_named_curve.pem
53bed3414457188c50e1f7d772dd68dc8f2c09bd2ec0d4eab7b089daa0c7bca9d342ab16665272e52bf6ddbf1785bb89ba85215a3774140c6d67c0a86137cc0b  custom/invalid_version.pem
38a25337c08d1be629ff414aad0fce7a2c985bb47aff8fe05050dc9769679233644cd3120ae29404b6385e6a9870b5fd97d707e42e660c6a33dadc09b8424241  custom/post2000utctime.pem
064566dded69aea19998c38d6eab047d42c48dbf48346dc359f51c3671d17f2f8bd272e796761037cab16f8a181feaea439a1f0a0ab6a56d1d14950d3268fd81  ecdsa_root.pem
efbcd785d2c8506e1adf123db7f5de50532465f3989bec8ce672a225c480ba9b56e4a418619752081bbfe860eb946c23f5abae834f1ae89270c54c745cf68c39  v1_cert.pem

ecdsa_root.pem contained DigiCert Global Root G3. I confirmed this by verifying against the trusted one on my OS X machine:

security find-certificate -c "DigiCert Global Root G3" -p /System/Library/Keychains/SystemRootCertificates.keychain | shasum -a 512
064566dded69aea19998c38d6eab047d42c48dbf48346dc359f51c3671d17f2f8bd272e796761037cab16f8a181feaea439a1f0a0ab6a56d1d14950d3268fd81  -

v1_cert.ppem ostensibly came from the openssl source tree as test/testx509.pem, *or* both git.openssl.org and github are colluding, *or* my machine has been compromised:

curl https://git.openssl.org/gitweb/?p=openssl.git;a=blob_plain;f=test/testx509.pem;h=8a85d14964f8392cc46b5e9fee8446754136187f;hb=refs/heads/master | shasum -a 512
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
100   530    0   530    0     0    441      0 --:--:--  0:00:01 --:--:--   441
efbcd785d2c8506e1adf123db7f5de50532465f3989bec8ce672a225c480ba9b56e4a418619752081bbfe860eb946c23f5abae834f1ae89270c54c745cf68c39  -

curl https://raw.githubusercontent.com/openssl/openssl/master/test/testx509.pem | shasum -a 512
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   530  100   530    0     0   2182      0 --:--:-- --:--:-- --:--:--  2190
efbcd785d2c8506e1adf123db7f5de50532465f3989bec8ce672a225c480ba9b56e4a418619752081bbfe860eb946c23f5abae834f1ae89270c54c745cf68c39  -

custom/invalid_version.pem indeed contains a cert with version 8 (0x7).

[custom] openssl x509 -noout -text < invalid_version.pem | grep Version       12:04:42  ☁  d317bae ☀
        Version: 8 (0x7)

custom/post2000utctime.pem indeed contains a cert with notBefore and notAfter after 2000:

[custom] openssl x509 -noout -text < post2000utctime.pem | grep -A 2 Validity 12:07:36  ☁  d317bae ☀
        Validity
            Not Before: Nov 26 21:41:20 2014 GMT
            Not After : Dec 26 21:41:20 2014 GMT

custom/dsa_root.pem does indeed contain a CA certificate:

[custom] openssl x509 -noout -text < dsa_root.pem | grep -A 1 "Basic Constraints"
            X509v3 Basic Constraints:
                CA:TRUE

It is a DSA certificate:

[custom] openssl x509 -noout -text < dsa_root.pem | grep "Signature Algorithm"
        Signature Algorithm: dsaWithSHA1
    Signature Algorithm: dsaWithSHA1

It is indeed self-signed:

[custom] openssl verify -check_ss_sig dsa_root.pem                            12:16:20  ☁  d317bae ☀
dsa_root.pem: /C=US/ST=Texas/L=Austin/O=Internet Widgits Pty Ltd/CN=PyCA DSA CA
error 18 at 0 depth lookup:self signed certificate
OK

ec_no_named_curve.pem is indeed an ECDSA cert with an ad-hoc curve spec:

[custom] openssl x509 -noout -text < ec_no_named_curve.pem                    12:17:33  ☁  d317bae ☀
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 0 (0x0)
        Signature Algorithm: ecdsa-with-SHA256
        Issuer: CN=XYLI:ZB3L:5JH6:EUVX:WUKJ:KL6Y:RHCO:TESY:ISXM:2YVE:FNHU:ZI6Q
        Validity
            Not Before: Dec 12 08:02:17 2014 GMT
            Not After : Dec 13 08:02:17 2014 GMT
        Subject: CN=XYLI:ZB3L:5JH6:EUVX:WUKJ:KL6Y:RHCO:TESY:ISXM:2YVE:FNHU:ZI6Q
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
            EC Public Key:
                pub:
                    04:ee:5c:a8:d3:17:53:83:d6:0f:dc:76:7d:f6:bf:
                    07:dc:6f:a7:0d:e9:a1:33:80:41:8a:51:1d:29:46:
                    57:b2:53:62:eb:9b:79:91:26:da:f4:51:2d:70:3d:
                    9f:59:7b:f8:90:5f:7f:16:42:af:ec:a3:4b:62:47:
                    36:ea:be:d2:48
                Field Type: prime-field
                Prime:
                    00:ff:ff:ff:ff:00:00:00:01:00:00:00:00:00:00:
                    00:00:00:00:00:00:ff:ff:ff:ff:ff:ff:ff:ff:ff:
                    ff:ff:ff
                A:
                    00:ff:ff:ff:ff:00:00:00:01:00:00:00:00:00:00:
                    00:00:00:00:00:00:ff:ff:ff:ff:ff:ff:ff:ff:ff:
                    ff:ff:fc
                B:
                    5a:c6:35:d8:aa:3a:93:e7:b3:eb:bd:55:76:98:86:
                    bc:65:1d:06:b0:cc:53:b0:f6:3b:ce:3c:3e:27:d2:
                    60:4b
                Generator (uncompressed):
                    04:6b:17:d1:f2:e1:2c:42:47:f8:bc:e6:e5:63:a4:
                    40:f2:77:03:7d:81:2d:eb:33:a0:f4:a1:39:45:d8:
                    98:c2:96:4f:e3:42:e2:fe:1a:7f:9b:8e:e7:eb:4a:
                    7c:0f:9e:16:2b:ce:33:57:6b:31:5e:ce:cb:b6:40:
                    68:37:bf:51:f5
                Order:
                    00:ff:ff:ff:ff:00:00:00:00:ff:ff:ff:ff:ff:ff:
                    ff:ff:bc:e6:fa:ad:a7:17:9e:84:f3:b9:ca:c2:fc:
                    63:25:51
                Cofactor:  1 (0x1)
                Seed:
                    c4:9d:36:08:86:e7:04:93:6a:66:78:e1:13:9d:26:
                    b7:81:9f:7e:90
    Signature Algorithm: ecdsa-with-SHA256
        30:45:02:21:00:a6:28:73:b0:33:b7:f1:b0:4d:e2:c5:06:58:
        5a:2e:94:83:b1:e0:77:aa:c3:75:91:d6:47:e1:bc:f2:96:89:
        e3:02:20:3d:fe:75:62:ed:f6:d8:c9:da:72:9b:98:e7:5b:80:
        e9:1e:77:a7:a1:97:19:75:67:83:56:78:44:d0:9e:1c:58

-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - https://gpgtools.org

iQIcBAEBCgAGBQJUi1LbAAoJEISZopctIA+8cQ4P/1u8V3OqvUM4fBF5ly6HSwvi
MkEOwnNyoOf2CFapTdG/M9Xr7Faskhy2vrg6seuOH4Dc6owsRVhTLorxZZ3yladK
UMylH7qSYPMTk3M15C+8ybnqWDDXWp6XmFWr/adT7Yon0w73MGbKm89gAbdSHTtS
fXXW0HGa2ju55WqxZ8ur6ab4MQxBMv3wPZ0u5X+ux10pK7C3+BRI7MG8wA2hc56f
sYZdqSTRyF1Vb3WZoL8Lh7a5Y67OooLyZsyO3xRpcED1pcoMA+ZDk7oe0SA7VbLS
k88U2eAqZD8UPHQ65qbC2ms5TmLbFbR1NvTq2RRxZt0v/P259cR0I+jiKnbg8AK+
AmTGDJo+oleuoylvV07PdgM9x4fT4aS++ws8i/MicK73OBvZXNyU+8D1Egx/mlLL
vsKGO0YGgOIzNi4gQKvPfa1kFdPVaqLv9g1SLlXCRvkRfz6AoiJqdRoX9hBGlYBv
GNE15A96Ck7DHkGfWPna0q+9RE5HQWACy16LSF9estpzuf2rDVDc+Pfk47hFbvl8
5Q4G68+ge1KY/NhFPry5zd+humlDVzlNpFZPiKNcxq7rKsbA0JiPqb9O/fVQil87
nwrtKvU2mM3Sv3EqZ/+L74n9oiCZGWfA5UPo18GiepEBuzeYB8vX0ml0DZVu96D1
Z1cYuCJTSfX7s/Dih5Yq
=wrPN
-----END PGP SIGNATURE-----

[lvh]

+1 :)

[alex]

@lvh, patch authors aren't allowed to merge their own work, so if you think
this is merge ready, you need to push the button yourself

On Fri Dec 12 2014 at 8:32:52 PM lvh notifications@github.com wrote:

+1 :)

—
Reply to this email directly or view it on GitHub
#1498 (comment).