Golang SHA1DeprecationMessages Exemples

Langage de programmation: Golang

Espace de nommage/Pack: github.com/cloudflare/cfssl/ubiquity

Méthode/Fonction: SHA1DeprecationMessages

Exemples au hotexamples.com: 2

Golang SHA1DeprecationMessages - 2 exemples trouvés. Ce sont les exemples réels les mieux notés de github.com/cloudflare/cfssl/ubiquity.SHA1DeprecationMessages extraits de projets open source. Vous pouvez noter les exemples pour nous aider à en améliorer la qualité.

Associées

GenDeps

NewDefaultingCodecForScheme

OpenROM

IsolationLevel

NewUser

CreateUserByEmailAddress

BindFramebuffer

ListRoles

Configuration

CheckError

Related in langs

ComposerAutoloaderInit1c30b4178a589383fb80a4aff64ad160 (PHP)

bd_wp_post_rate (PHP)

CommandeAchat (C#)

UCommand (C#)

read_input (C++)

setServiceFlags (C++)

PlayPlane (Java)

Watcher (Java)

hedge_ratio (Python)

Membership (Python)

Exemple #1

0

Afficher le fichier

Fichier : bundler_sha1_deprecation_test.go Projet : nathany/cfssl

func TestChromeWarning(t *testing.T) { b := newCustomizedBundlerFromFile(t, sha1CA, sha1Intermediate, "") s, err := local.NewSignerFromFile(sha1Intermediate, intermediateKey, nil) if err != nil { t.Fatal(err) } csrBytes, err := ioutil.ReadFile(leafCSR) if err != nil { t.Fatal(err) } signingRequest := signer.SignRequest{Request: string(csrBytes)} certBytes, err := s.Sign(signingRequest) if err != nil { t.Fatal(err) } // Bundle a leaf cert with default 1 year expiration bundle, err := b.BundleFromPEMorDER(certBytes, nil, Ubiquitous, "") if err != nil { t.Fatal("bundling failed: ", err) } // should be not ubiquitous due to SHA2 and ECDSA support issues in legacy platforms if bundle.Status.Code&errors.BundleNotUbiquitousBit != errors.BundleNotUbiquitousBit { t.Fatal("Incorrect bundle status code. Bundle status code:", bundle.Status.Code) } fullChain := append(bundle.Chain, bundle.Root) sha1Msgs := ubiquity.SHA1DeprecationMessages(fullChain) // Since the new SHA-1 cert is expired after 2015, it definitely trigger Chrome's deprecation policies. if len(sha1Msgs) == 0 { t.Fatal("SHA1 Deprecation Message should not be empty") } // check SHA1 deprecation warnings var sha1MsgNotFound bool for _, sha1Msg := range sha1Msgs { foundMsg := false for _, message := range bundle.Status.Messages { if message == sha1Msg { foundMsg = true } } if !foundMsg { sha1MsgNotFound = true break } } if sha1MsgNotFound { t.Fatalf("Incorrect bundle status messages. Bundle status messages:%v, expected to contain: %v\n", bundle.Status.Messages, sha1Msgs) } }

Exemple #2

0

Afficher le fichier

Fichier : bundler.go Projet : jgeromero/cfssl

// Bundle takes an X509 certificate (already in the // Certificate structure), a private key as crypto.Signer in one of the appropriate // formats (i.e. *rsa.PrivateKey or *ecdsa.PrivateKey, or even a opaque key), using them to // build a certificate bundle. func (b *Bundler) Bundle(certs []*x509.Certificate, key crypto.Signer, flavor BundleFlavor) (*Bundle, error) { log.Infof("bundling certificate for %+v", certs[0].Subject) if len(certs) == 0 { return nil, nil } // Detect reverse ordering of the cert chain. if len(certs) > 1 && !partialVerify(certs) { rcerts := reverse(certs) if partialVerify(rcerts) { certs = rcerts } } var ok bool cert := certs[0] if key != nil { switch { case cert.PublicKeyAlgorithm == x509.RSA: var rsaPublicKey *rsa.PublicKey if rsaPublicKey, ok = key.Public().(*rsa.PublicKey); !ok { return nil, errors.New(errors.PrivateKeyError, errors.KeyMismatch) } if cert.PublicKey.(*rsa.PublicKey).N.Cmp(rsaPublicKey.N) != 0 { return nil, errors.New(errors.PrivateKeyError, errors.KeyMismatch) } case cert.PublicKeyAlgorithm == x509.ECDSA: var ecdsaPublicKey *ecdsa.PublicKey if ecdsaPublicKey, ok = key.Public().(*ecdsa.PublicKey); !ok { return nil, errors.New(errors.PrivateKeyError, errors.KeyMismatch) } if cert.PublicKey.(*ecdsa.PublicKey).X.Cmp(ecdsaPublicKey.X) != 0 { return nil, errors.New(errors.PrivateKeyError, errors.KeyMismatch) } default: return nil, errors.New(errors.PrivateKeyError, errors.NotRSAOrECC) } } else { switch { case cert.PublicKeyAlgorithm == x509.RSA: case cert.PublicKeyAlgorithm == x509.ECDSA: default: return nil, errors.New(errors.PrivateKeyError, errors.NotRSAOrECC) } } if cert.CheckSignatureFrom(cert) == nil { return nil, errors.New(errors.CertificateError, errors.SelfSigned) } bundle := new(Bundle) bundle.Cert = cert bundle.Key = key bundle.Issuer = &cert.Issuer bundle.Subject = &cert.Subject bundle.buildHostnames() // verify and store input intermediates to the intermediate pool. // Ignore the returned error here, will treat it in the second call. b.fetchIntermediates(certs) chains, err := cert.Verify(b.VerifyOptions()) if err != nil { log.Debugf("verification failed: %v", err) // If the error was an unknown authority, try to fetch // the intermediate specified in the AIA and add it to // the intermediates bundle. switch err := err.(type) { case x509.UnknownAuthorityError: // Do nothing -- have the default case return out. default: return nil, errors.Wrap(errors.CertificateError, errors.VerifyFailed, err) } log.Debugf("searching for intermediates via AIA issuer") err = b.fetchIntermediates(certs) if err != nil { log.Debugf("search failed: %v", err) return nil, errors.Wrap(errors.CertificateError, errors.VerifyFailed, err) } log.Debugf("verifying new chain") chains, err = cert.Verify(b.VerifyOptions()) if err != nil { log.Debugf("failed to verify chain: %v", err) return nil, errors.Wrap(errors.CertificateError, errors.VerifyFailed, err) } log.Debugf("verify ok") } var matchingChains [][]*x509.Certificate switch flavor { case Optimal: matchingChains = optimalChains(chains) case Ubiquitous: if len(ubiquity.Platforms) == 0 { log.Warning("No metadata, Ubiquitous falls back to Optimal.") } matchingChains = ubiquitousChains(chains) case Force: matchingChains = forceChains(certs, chains) default: matchingChains = ubiquitousChains(chains) } bundle.Chain = matchingChains[0] // Include at least one intermediate if the leaf has enabled OCSP and is not CA. if bundle.Cert.OCSPServer != nil && !bundle.Cert.IsCA && len(bundle.Chain) <= 2 { // No op. Return one intermediate if there is one. } else { // do not include the root. bundle.Chain = bundle.Chain[:len(bundle.Chain)-1] } statusCode := int(errors.Success) var messages []string // Check if bundle is expiring. expiringCerts := checkExpiringCerts(bundle.Chain) bundle.Expires = helpers.ExpiryTime(bundle.Chain) if len(expiringCerts) > 0 { statusCode |= errors.BundleExpiringBit messages = append(messages, expirationWarning(expiringCerts)) } // Check if bundle contains SHA2 certs. if ubiquity.ChainHashUbiquity(matchingChains[0]) <= ubiquity.SHA2Ubiquity { statusCode |= errors.BundleNotUbiquitousBit messages = append(messages, sha2Warning) } // Check if bundle contains ECDSA signatures. if ubiquity.ChainKeyAlgoUbiquity(matchingChains[0]) <= ubiquity.ECDSA256Ubiquity { statusCode |= errors.BundleNotUbiquitousBit messages = append(messages, ecdsaWarning) } // Add root store presence info root := matchingChains[0][len(matchingChains[0])-1] bundle.Root = root log.Infof("the anchoring root is %v", root.Subject) // Check if there is any platform that doesn't trust the chain. // Also, an warning will be generated if ubiquity.Platforms is nil, untrusted := ubiquity.UntrustedPlatforms(root) untrustedMsg := untrustedPlatformsWarning(untrusted) if len(untrustedMsg) > 0 { log.Debug("Populate untrusted platform warning.") statusCode |= errors.BundleNotUbiquitousBit messages = append(messages, untrustedMsg) } // Check if there is any platform that rejects the chain because of SHA1 deprecation. sha1Msgs := ubiquity.SHA1DeprecationMessages(matchingChains[0]) if len(sha1Msgs) > 0 { log.Debug("Populate SHA1 deprecation warning.") statusCode |= errors.BundleNotUbiquitousBit messages = append(messages, sha1Msgs...) } bundle.Status = &BundleStatus{ExpiringSKIs: getSKIs(bundle.Chain, expiringCerts), Code: statusCode, Messages: messages, Untrusted: untrusted} bundle.Status.IsRebundled = diff(bundle.Chain, certs) log.Debugf("bundle complete") return bundle, nil }