Add no-subject and no-common-name subdomains. Addresses #268.

chromium · Mar 16, 2017 · 5a1df16 · 5a1df16
1 parent b65fe50
commit 5a1df16
Show file tree

Hide file tree

Showing 10 changed files with 140 additions and 0 deletions.
diff --git a/certs/Makefile b/certs/Makefile
@@ -218,6 +218,15 @@ CHAINS_PROD += $(O)/gen/chain/wildcard-ecc384.pem
 $(O)/gen/chain/wildcard-ecc384.pem: $(O)/gen/crt/wildcard-ecc384.crt $(O)/gen/crt/ca-intermediate.crt
 	./tool chain $@ $(D) $^
 
+################################
+$(O)/gen/csr/subdomain-no-common-name.csr: src/conf/subdomain-no-common-name.conf $(O)/gen/key/leaf-main.key
+	./tool gen-csr $@ $(D) $^
+$(O)/gen/crt/subdomain-no-common-name.crt: src/conf/subdomain-no-common-name.conf $(O)/gen/csr/subdomain-no-common-name.csr $(O)/gen/key/ca-intermediate.key $(O)/gen/crt/ca-intermediate.crt
+	./tool sign $@ $(D) $(SIGN_LEAF_DEFAULTS) $^
+CHAINS_PROD += $(O)/gen/chain/subdomain-no-common-name.pem
+$(O)/gen/chain/subdomain-no-common-name.pem: $(O)/gen/crt/subdomain-no-common-name.crt $(O)/gen/crt/ca-intermediate.crt
+	./tool chain $@ $(D) $^
+
 ################################
 $(O)/gen/csr/subdomain-no-san.csr: src/conf/subdomain-no-san.conf $(O)/gen/key/leaf-main.key
 	./tool gen-csr $@ $(D) $^
@@ -227,6 +236,15 @@ CHAINS_LOCAL_ONLY += $(O)/gen/chain/subdomain-no-san.pem
 $(O)/gen/chain/subdomain-no-san.pem: $(O)/gen/crt/subdomain-no-san.crt $(O)/gen/crt/ca-intermediate.crt
 	./tool chain $@ $(D) $^
 
+################################
+$(O)/gen/csr/subdomain-no-subject.csr: src/conf/subdomain-no-subject.conf $(O)/gen/key/leaf-main.key
+	./tool gen-csr-no-subject $@ $(D) $^
+$(O)/gen/crt/subdomain-no-subject.crt: src/conf/subdomain-no-subject.conf $(O)/gen/csr/subdomain-no-subject.csr $(O)/gen/key/ca-intermediate.key $(O)/gen/crt/ca-intermediate.crt
+	./tool sign $@ $(D) $(SIGN_LEAF_DEFAULTS) $^
+CHAINS_PROD += $(O)/gen/chain/subdomain-no-subject.pem
+$(O)/gen/chain/subdomain-no-subject.pem: $(O)/gen/crt/subdomain-no-subject.crt $(O)/gen/crt/ca-intermediate.crt
+	./tool chain $@ $(D) $^
+
 ################################
 $(O)/gen/csr/subdomain-1000-sans.csr: src/conf/subdomain-1000-sans.conf $(O)/gen/key/leaf-main.key
 	./tool gen-csr $@ $(D) $^

diff --git a/certs/src/conf/subdomain-no-common-name.conf b/certs/src/conf/subdomain-no-common-name.conf
@@ -0,0 +1,19 @@
+[ req ]
+default_bits        = 2048
+distinguished_name  = req_distinguished_name
+encrypt_key         = no
+prompt              = no
+req_extensions      = req_v3_usr
+
+[ req_distinguished_name ]
+countryName         = US
+stateOrProvinceName = California
+localityName        = San Francisco
+organizationName    = BadSSL
+
+[ req_v3_usr ]
+basicConstraints = CA:FALSE
+subjectAltName = @alt_names
+
+[ alt_names ]
+DNS.1 = no-subject.__DOMAIN__
diff --git a/certs/src/conf/subdomain-no-subject.conf b/certs/src/conf/subdomain-no-subject.conf
@@ -0,0 +1,14 @@
+[ req ]
+default_bits        = 2048
+distinguished_name  = req_distinguished_name
+encrypt_key         = no
+req_extensions      = req_v3_usr
+
+[ req_distinguished_name ]
+
+[ req_v3_usr ]
+basicConstraints = CA:FALSE
+subjectAltName = critical, @alt_names
+
+[ alt_names ]
+DNS.1 = no-subject.__DOMAIN__
diff --git a/certs/tool b/certs/tool
@@ -31,6 +31,13 @@ gen-csr)
     -config <(cat $1 | sed "s/__DOMAIN__/$DOMAIN/g") \
     -key $2
   ;;
+gen-csr-no-subject)
+  openssl req -new \
+    -subj / \
+    -out $OUT \
+    -config <(cat $1 | sed "s/__DOMAIN__/$DOMAIN/g") \
+    -key $2
+  ;;
 gen-ca)
   openssl req -new -x509 -days 7300 \
     -out $OUT \

diff --git a/domains/cert/no-common-name.conf b/domains/cert/no-common-name.conf
@@ -0,0 +1,19 @@
+---
+---
+server {
+  listen 80;
+  server_name no-common-name.{{ site.domain }};
+
+  return 301 https://$server_name$request_uri;
+}
+
+server {
+  listen 443;
+  server_name no-common-name.{{ site.domain }};
+
+  include {{ site.serving-path }}/nginx-includes/subdomain-no-common-name.conf;
+  include {{ site.serving-path }}/nginx-includes/tls-defaults.conf;
+  include {{ site.serving-path }}/common/common.conf;
+
+  root {{ site.serving-path }}/domains/cert/no-common-name;
+}
diff --git a/domains/cert/no-common-name/index.html b/domains/cert/no-common-name/index.html
@@ -0,0 +1,16 @@
+---
+subdomain: no-common-name
+layout: page
+favicon: gray
+background: gray
+---
+
+<div id="content">
+  <h1>
+    {{ page.subdomain }}.<br>{{ site.domain }}
+  </h1>
+</div>
+
+<div id="footer">
+  This site uses a certificate without a common name.
+</div>
diff --git a/domains/cert/no-subject.conf b/domains/cert/no-subject.conf
@@ -0,0 +1,19 @@
+---
+---
+server {
+  listen 80;
+  server_name no-subject.{{ site.domain }};
+
+  return 301 https://$server_name$request_uri;
+}
+
+server {
+  listen 443;
+  server_name no-subject.{{ site.domain }};
+
+  include {{ site.serving-path }}/nginx-includes/subdomain-no-subject.conf;
+  include {{ site.serving-path }}/nginx-includes/tls-defaults.conf;
+  include {{ site.serving-path }}/common/common.conf;
+
+  root {{ site.serving-path }}/domains/cert/no-subject;
+}
diff --git a/domains/cert/no-subject/index.html b/domains/cert/no-subject/index.html
@@ -0,0 +1,16 @@
+---
+subdomain: no-subject
+layout: page
+favicon: gray
+background: gray
+---
+
+<div id="content">
+  <h1>
+    {{ page.subdomain }}.<br>{{ site.domain }}
+  </h1>
+</div>
+
+<div id="footer">
+  This site uses a certificate without a subject.
+</div>
diff --git a/nginx-includes/subdomain-no-common-name.conf b/nginx-includes/subdomain-no-common-name.conf
@@ -0,0 +1,6 @@
+---
+---
+
+ssl on;
+ssl_certificate {{ site.cert-path }}/subdomain-no-common-name.pem;
+ssl_certificate_key /etc/keys/leaf-main.key;
diff --git a/nginx-includes/subdomain-no-subject.conf b/nginx-includes/subdomain-no-subject.conf
@@ -0,0 +1,6 @@
+---
+---
+
+ssl on;
+ssl_certificate {{ site.cert-path }}/subdomain-no-subject.pem;
+ssl_certificate_key /etc/keys/leaf-main.key;