Skip to content

Commit

Permalink
limbo: add an explicit EC curve test
Browse files Browse the repository at this point in the history 
Signed-off-by: William Woodruff <[email protected]>
  • Loading branch information
@woodruffw
woodruffw committed Mar 12, 2024
1 parent e0e07f9 commit 58dcfc9
Show file tree
Hide file tree
Showing 10 changed files with 700 additions and 499 deletions.
1,014 changes: 519 additions & 495 deletions limbo.json
View file

Large diffs are not rendered by default.

13 changes: 13 additions & 0 deletions limbo/_assets/explicit_curve_ca.csr
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,13 @@
-----BEGIN CERTIFICATE REQUEST-----
MIICCDCCAa4CAQAwJjEkMCIGA1UEAwwbeDUwOS1saW1iby1leHBsaWNpdC1lYy1y
b290MIIBSzCCAQMGByqGSM49AgEwgfcCAQEwLAYHKoZIzj0BAQIhAP////8AAAAB
AAAAAAAAAAAAAAAA////////////////MFsEIP////8AAAABAAAAAAAAAAAAAAAA
///////////////8BCBaxjXYqjqT57PrvVV2mIa8ZR0GsMxTsPY7zjw+J9JgSwMV
AMSdNgiG5wSTamZ44ROdJreBn36QBEEEaxfR8uEsQkf4vOblY6RA8ncDfYEt6zOg
9KE5RdiYwpZP40Li/hp/m47n60p8D54WK84zV2sxXs7LtkBoN79R9QIhAP////8A
AAAA//////////+85vqtpxeehPO5ysL8YyVRAgEBA0IABC2E3wiuGhZ3RF5Kw/3A
UaRHO5ybITRqrl8xWZJF8k1H9Vq+8PI7CIG/MYMJppYNH/slnK3s1RrkpffH5cJA
qB6gMjAwBgkqhkiG9w0BCQ4xIzAhMA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8E
BTADAQH/MAoGCCqGSM49BAMCA0gAMEUCIQCoHfXUd6P00rlOz+1E9lDnlWMsJIJ4
zZy+BT48HuNGWgIgQNgUznpUTH4+zR+jmAFha54FgUjaVf9zpXlpnS7MK6M=
-----END CERTIFICATE REQUEST-----
6 changes: 3 additions & 3 deletions limbo/_assets/explicit_curve.key → limbo/_assets/explicit_curve_ca.key
View file
Original file line number Diff line number Diff line change
@@ -1,10 +1,10 @@
-----BEGIN EC PRIVATE KEY-----
MIIBaAIBAQQgayvHKYGhnU2CmjSWR7YLQl3E3y2x+bmUvgjQc/LvsO6ggfowgfcC
MIIBaAIBAQQgi3OjXw6++HS38iR1SFAo7lu29McivxVaUW/rYljBmm6ggfowgfcC
AQEwLAYHKoZIzj0BAQIhAP////8AAAABAAAAAAAAAAAAAAAA////////////////
MFsEIP////8AAAABAAAAAAAAAAAAAAAA///////////////8BCBaxjXYqjqT57Pr
vVV2mIa8ZR0GsMxTsPY7zjw+J9JgSwMVAMSdNgiG5wSTamZ44ROdJreBn36QBEEE
axfR8uEsQkf4vOblY6RA8ncDfYEt6zOg9KE5RdiYwpZP40Li/hp/m47n60p8D54W
K84zV2sxXs7LtkBoN79R9QIhAP////8AAAAA//////////+85vqtpxeehPO5ysL8
YyVRAgEBoUQDQgAEPLZcsLO78T1yM5EeELK1cm66GgAe+/+ebMzhkNZxC7/yrxXC
PfAhs4xAAueYE60iLqibwNYnFcy6NYoaDPHa5g==
YyVRAgEBoUQDQgAELYTfCK4aFndEXkrD/cBRpEc7nJshNGquXzFZkkXyTUf1Wr7w
8jsIgb8xgwmmlg0f+yWcrezVGuSl98flwkCoHg==
-----END EC PRIVATE KEY-----
15 changes: 15 additions & 0 deletions limbo/_assets/explicit_curve_ca.pem
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,15 @@
-----BEGIN CERTIFICATE-----
MIICYzCCAgmgAwIBAgIUTvkSwGrvTMSxKnKlrrKYjhyWQCIwCgYIKoZIzj0EAwIw
JjEkMCIGA1UEAwwbeDUwOS1saW1iby1leHBsaWNpdC1lYy1yb290MB4XDTI0MDMx
MjE5MjUzM1oXDTI1MDMxMjE5MjUzM1owJjEkMCIGA1UEAwwbeDUwOS1saW1iby1l
eHBsaWNpdC1lYy1yb290MIIBSzCCAQMGByqGSM49AgEwgfcCAQEwLAYHKoZIzj0B
AQIhAP////8AAAABAAAAAAAAAAAAAAAA////////////////MFsEIP////8AAAAB
AAAAAAAAAAAAAAAA///////////////8BCBaxjXYqjqT57PrvVV2mIa8ZR0GsMxT
sPY7zjw+J9JgSwMVAMSdNgiG5wSTamZ44ROdJreBn36QBEEEaxfR8uEsQkf4vObl
Y6RA8ncDfYEt6zOg9KE5RdiYwpZP40Li/hp/m47n60p8D54WK84zV2sxXs7LtkBo
N79R9QIhAP////8AAAAA//////////+85vqtpxeehPO5ysL8YyVRAgEBA0IABC2E
3wiuGhZ3RF5Kw/3AUaRHO5ybITRqrl8xWZJF8k1H9Vq+8PI7CIG/MYMJppYNH/sl
nK3s1RrkpffH5cJAqB6jITAfMB0GA1UdDgQWBBTtkZG9GKH0NpdP3t0IlXXzOxaY
xTAKBggqhkjOPQQDAgNIADBFAiBHdhK0CjraYBwFg1rKo2FNYxR/Kwdo+Xk79N/F
c6mwmgIhAKz8MDQ1rOqN5qxqWwLQPHaFMiTg0N93c8UxM+BOGNSP
-----END CERTIFICATE-----
14 changes: 14 additions & 0 deletions limbo/_assets/explicit_curve_leaf.csr
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,14 @@
-----BEGIN CERTIFICATE REQUEST-----
MIICLDCCAdICAQAwFjEUMBIGA1UEAwwLZXhhbXBsZS5jb20wggFLMIIBAwYHKoZI
zj0CATCB9wIBATAsBgcqhkjOPQEBAiEA/////wAAAAEAAAAAAAAAAAAAAAD/////
//////////8wWwQg/////wAAAAEAAAAAAAAAAAAAAAD///////////////wEIFrG
NdiqOpPns+u9VXaYhrxlHQawzFOw9jvOPD4n0mBLAxUAxJ02CIbnBJNqZnjhE50m
t4GffpAEQQRrF9Hy4SxCR/i85uVjpEDydwN9gS3rM6D0oTlF2JjClk/jQuL+Gn+b
jufrSnwPnhYrzjNXazFezsu2QGg3v1H1AiEA/////wAAAAD//////////7zm+q2n
F56E87nKwvxjJVECAQEDQgAEfMmSp9aLYgFQMT8Hz9zOjqNTB58DBs9wrVoNstn4
Msduype5/8OGxHeUIS6tTgkh0Eh48R4ucFGUW/yAxadlNKBmMGQGCSqGSIb3DQEJ
DjFXMFUwDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEF
BQcDAjAMBgNVHRMBAf8EAjAAMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqG
SM49BAMCA0gAMEUCIQCsupaxbPpYUtpXGabdniV8Ix5k31AFOAS90Ed6wzroAAIg
J2anxz75ktDPtHWBc7qnq051/Yjb4m/y39Y065heJs8=
-----END CERTIFICATE REQUEST-----
10 changes: 10 additions & 0 deletions limbo/_assets/explicit_curve_leaf.key
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,10 @@
-----BEGIN EC PRIVATE KEY-----
MIIBaAIBAQQgIFOtVZ+XT8l0+e9Yv7XjpWUqqO9XpwApMg1njojbvvmggfowgfcC
AQEwLAYHKoZIzj0BAQIhAP////8AAAABAAAAAAAAAAAAAAAA////////////////
MFsEIP////8AAAABAAAAAAAAAAAAAAAA///////////////8BCBaxjXYqjqT57Pr
vVV2mIa8ZR0GsMxTsPY7zjw+J9JgSwMVAMSdNgiG5wSTamZ44ROdJreBn36QBEEE
axfR8uEsQkf4vOblY6RA8ncDfYEt6zOg9KE5RdiYwpZP40Li/hp/m47n60p8D54W
K84zV2sxXs7LtkBoN79R9QIhAP////8AAAAA//////////+85vqtpxeehPO5ysL8
YyVRAgEBoUQDQgAEfMmSp9aLYgFQMT8Hz9zOjqNTB58DBs9wrVoNstn4Msduype5
/8OGxHeUIS6tTgkh0Eh48R4ucFGUW/yAxadlNA==
-----END EC PRIVATE KEY-----
16 changes: 16 additions & 0 deletions limbo/_assets/explicit_curve_leaf.pem
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,16 @@
-----BEGIN CERTIFICATE-----
MIICczCCAhqgAwIBAgIUBgdVsF5S6Qu4EHNX8QYETJmqjQcwCgYIKoZIzj0EAwIw
JjEkMCIGA1UEAwwbeDUwOS1saW1iby1leHBsaWNpdC1lYy1yb290MB4XDTI0MDMx
MjE5MjUzM1oXDTI1MDMxMjE5MjUzM1owFjEUMBIGA1UEAwwLZXhhbXBsZS5jb20w
ggFLMIIBAwYHKoZIzj0CATCB9wIBATAsBgcqhkjOPQEBAiEA/////wAAAAEAAAAA
AAAAAAAAAAD///////////////8wWwQg/////wAAAAEAAAAAAAAAAAAAAAD/////
//////////wEIFrGNdiqOpPns+u9VXaYhrxlHQawzFOw9jvOPD4n0mBLAxUAxJ02
CIbnBJNqZnjhE50mt4GffpAEQQRrF9Hy4SxCR/i85uVjpEDydwN9gS3rM6D0oTlF
2JjClk/jQuL+Gn+bjufrSnwPnhYrzjNXazFezsu2QGg3v1H1AiEA/////wAAAAD/
/////////7zm+q2nF56E87nKwvxjJVECAQEDQgAEfMmSp9aLYgFQMT8Hz9zOjqNT
B58DBs9wrVoNstn4Msduype5/8OGxHeUIS6tTgkh0Eh48R4ucFGUW/yAxadlNKNC
MEAwHQYDVR0OBBYEFDNdrS5piqv/yUCBn4iSt+RkQcwgMB8GA1UdIwQYMBaAFO2R
kb0YofQ2l0/e3QiVdfM7FpjFMAoGCCqGSM49BAMCA0cAMEQCIArSlzlhF3rvnl79
hFkg1HkCX+UIgW+Fl+fj+58+MN0jAiBlZcZvRCZldOcFuOZql0MNQ81Yg2HkUvCP
r66E9+jPJw==
-----END CERTIFICATE-----
68 changes: 68 additions & 0 deletions limbo/_assets/scripts/generate_explicit_curve_cert.sh
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,68 @@
#!/usr/bin/env bash

set -e

ca_csr_conf='
[ req ]
default_md = sha256
prompt = no
req_extensions = req_ext
distinguished_name = req_distinguished_name
[ req_distinguished_name ]
commonName = x509-limbo-explicit-ec-root
[ req_ext ]
keyUsage=critical,keyCertSign,cRLSign
basicConstraints=critical,CA:true
'

leaf_csr_conf='
[ req ]
default_md = sha256
prompt = no
req_extensions = req_ext
distinguished_name = req_distinguished_name
[ req_distinguished_name ]
commonName = example.com
[ req_ext ]
keyUsage=critical,digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth,clientAuth
basicConstraints=critical,CA:false
subjectAltName = @alt_names
[ alt_names ]
DNS.0 = example.com
'

# CA CSR
openssl req \
-new \
-noenc \
-key ../explicit_curve_ca.key \
-config <(echo "${ca_csr_conf}") \
-nameopt utf8 \
-utf8 \
-out ../explicit_curve_ca.csr

# Self-signed CA (with explicit EC encoding)
openssl x509 \
-signkey ../explicit_curve_ca.key \
-days 365 \
-req -in ../explicit_curve_ca.csr \
-out ../explicit_curve_ca.pem

# Leaf CSR
openssl req \
-new \
-noenc \
-key ../explicit_curve_leaf.key \
-config <(echo "${leaf_csr_conf}") \
-nameopt utf8 \
-utf8 \
-out ../explicit_curve_leaf.csr

# Leaf certificate (with explicit EC encoding)
openssl x509 \
-days 365 \
-req -in ../explicit_curve_leaf.csr \
-CA ../explicit_curve_ca.pem \
-CAkey ../explicit_curve_ca.key \
-out ../explicit_curve_leaf.pem
10 changes: 9 additions & 1 deletion limbo/_assets/scripts/generate_explicit_curve_key.sh
View file
Original file line number Diff line number Diff line change
Expand Up @@ -9,4 +9,12 @@ openssl ecparam \
-param_enc explicit \
-noout \
-outform PEM \
-out ../explicit_curve.key
-out ../explicit_curve_ca.key

openssl ecparam \
-name prime256v1 \
-genkey \
-param_enc explicit \
-noout \
-outform PEM \
-out ../explicit_curve_leaf.key
33 changes: 33 additions & 0 deletions limbo/testcases/webpki/__init__.py
View file
Original file line number Diff line number Diff line change
Expand Up @@ -17,6 +17,39 @@
from .san import * # noqa: F403


@testcase
def explicit_curve(builder: Builder) -> None:
"""
Produces the following **invalid** chain:
```
root -> EE
```
Both root and EE convey EC keys using the "explicit" curve encoding,
which is forbidden under CABF 7.1.3.1.2:
> The CA SHALL indicate an ECDSA key using the id‐ecPublicKey
> (OID: 1.2.840.10045.2.1) algorithm identifier. The parameters MUST use
> the namedCurve encoding.
"""

root_pem = ASSETS_PATH / "explicit_curve_ca.pem"
leaf_pem = ASSETS_PATH / "explicit_curve_leaf.pem"

root = Certificate(x509.load_pem_x509_certificate(root_pem.read_bytes()))
leaf = Certificate(x509.load_pem_x509_certificate(leaf_pem.read_bytes()))

builder = (
builder.server_validation()
.validation_time(datetime.fromisoformat("2024-03-13T00:00:00Z"))
.trusted_certs(root)
.peer_certificate(leaf)
.expected_peer_name(PeerName(kind="DNS", value="example.com"))
.fails()
)


@testcase
def cryptographydotio_chain(builder: Builder) -> None:
"""
Expand Down

0 comments on commit 58dcfc9

Please sign in to comment.