From 5a1df162464d0696f87387849d9dadf7b12d8dcc Mon Sep 17 00:00:00 2001
From: Lucas Garron
Date: Thu, 16 Mar 2017 16:18:25 -0700
Subject: [PATCH] Add no-subject and no-common-name subdomains.

Addresses #268.
---
 certs/Makefile | 18 ++++++++++++++++++
 certs/src/conf/subdomain-no-common-name.conf | 19 +++++++++++++++++++
 certs/src/conf/subdomain-no-subject.conf | 14 ++++++++++++++
 certs/tool | 7 +++++++
 domains/cert/no-common-name.conf | 19 +++++++++++++++++++
 domains/cert/no-common-name/index.html | 16 ++++++++++++++++
 domains/cert/no-subject.conf | 19 +++++++++++++++++++
 domains/cert/no-subject/index.html | 16 ++++++++++++++++
 nginx-includes/subdomain-no-common-name.conf | 6 ++++++
 nginx-includes/subdomain-no-subject.conf | 6 ++++++
 10 files changed, 140 insertions(+)
 create mode 100644 certs/src/conf/subdomain-no-common-name.conf
 create mode 100644 certs/src/conf/subdomain-no-subject.conf
 create mode 100644 domains/cert/no-common-name.conf
 create mode 100644 domains/cert/no-common-name/index.html
 create mode 100644 domains/cert/no-subject.conf
 create mode 100644 domains/cert/no-subject/index.html
 create mode 100644 nginx-includes/subdomain-no-common-name.conf
 create mode 100644 nginx-includes/subdomain-no-subject.conf
diff --git a/certs/Makefile b/certs/Makefile
index 6178a775..c44393e7 100644
--- a/certs/Makefile
+++ b/certs/Makefile
@@ -218,6 +218,15 @@ CHAINS_PROD += $(O)/gen/chain/wildcard-ecc384.pem
 $(O)/gen/chain/wildcard-ecc384.pem: $(O)/gen/crt/wildcard-ecc384.crt $(O)/gen/crt/ca-intermediate.crt
 ./tool chain $@ $(D) $^
 
+################################
+$(O)/gen/csr/subdomain-no-common-name.csr: src/conf/subdomain-no-common-name.conf $(O)/gen/key/leaf-main.key
+ ./tool gen-csr $@ $(D) $^
+$(O)/gen/crt/subdomain-no-common-name.crt: src/conf/subdomain-no-common-name.conf $(O)/gen/csr/subdomain-no-common-name.csr $(O)/gen/key/ca-intermediate.key $(O)/gen/crt/ca-intermediate.crt
+ ./tool sign $@ $(D) $(SIGN_LEAF_DEFAULTS) $^
+CHAINS_PROD += $(O)/gen/chain/subdomain-no-common-name.pem
+$(O)/gen/chain/subdomain-no-common-name.pem: $(O)/gen/crt/subdomain-no-common-name.crt $(O)/gen/crt/ca-intermediate.crt
+ ./tool chain $@ $(D) $^
+
 ################################
 $(O)/gen/csr/subdomain-no-san.csr: src/conf/subdomain-no-san.conf $(O)/gen/key/leaf-main.key
 ./tool gen-csr $@ $(D) $^
@@ -227,6 +236,15 @@ CHAINS_LOCAL_ONLY += $(O)/gen/chain/subdomain-no-san.pem
 $(O)/gen/chain/subdomain-no-san.pem: $(O)/gen/crt/subdomain-no-san.crt $(O)/gen/crt/ca-intermediate.crt
 ./tool chain $@ $(D) $^
 
+################################
+$(O)/gen/csr/subdomain-no-subject.csr: src/conf/subdomain-no-subject.conf $(O)/gen/key/leaf-main.key
+ ./tool gen-csr-no-subject $@ $(D) $^
+$(O)/gen/crt/subdomain-no-subject.crt: src/conf/subdomain-no-subject.conf $(O)/gen/csr/subdomain-no-subject.csr $(O)/gen/key/ca-intermediate.key $(O)/gen/crt/ca-intermediate.crt
+ ./tool sign $@ $(D) $(SIGN_LEAF_DEFAULTS) $^
+CHAINS_PROD += $(O)/gen/chain/subdomain-no-subject.pem
+$(O)/gen/chain/subdomain-no-subject.pem: $(O)/gen/crt/subdomain-no-subject.crt $(O)/gen/crt/ca-intermediate.crt
+ ./tool chain $@ $(D) $^
+
 ################################
 $(O)/gen/csr/subdomain-1000-sans.csr: src/conf/subdomain-1000-sans.conf $(O)/gen/key/leaf-main.key
 ./tool gen-csr $@ $(D) $^
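Review bot: Both new chains are registered in `CHAINS_PROD` (`CHAINS_PROD += $(O)/gen/chain/subdomain-no-common-name.pem` in the first hunk and the `subdomain-no-subject` twin in the second), whereas the neighbouring `subdomain-no-san` chain sits in `CHAINS_LOCAL_ONLY`; if `CHAINS_PROD` means a public CA issues the production certificate, confirm that CA will accept a CSR with no commonName and one with an entirely empty subject, otherwise these belong in `CHAINS_LOCAL_ONLY` until that is verified. The `./tool sign` target is not visible here either; if it wraps `openssl ca` with a policy that demands `commonName`, the empty-subject CSR will be rejected at signing time, whereas `openssl x509 -req` would not care. A one-line comment above each new block would also help readers scanning this file, e.g. `# Valid SAN, but no commonName in the subject` and `# Valid SAN, but an empty subject (so the SAN must be marked critical)`.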
diff --git a/certs/src/conf/subdomain-no-common-name.conf b/certs/src/conf/subdomain-no-common-name.conf
new file mode 100644
index 00000000..8463a3ac
--- /dev/null
+++ b/certs/src/conf/subdomain-no-common-name.conf
@@ -0,0 +1,19 @@
+[ req ]
+default_bits = 2048
+distinguished_name = req_distinguished_name
+encrypt_key = no
+prompt = no
+req_extensions = req_v3_usr
+
+[ req_distinguished_name ]
+countryName = US
+stateOrProvinceName = California
+localityName = San Francisco
+organizationName = BadSSL
+
+[ req_v3_usr ]
+basicConstraints = CA:FALSE
+subjectAltName = @alt_names
+
+[ alt_names ]
+DNS.1 = no-subject.__DOMAIN__
diff --git a/certs/src/conf/subdomain-no-subject.conf b/certs/src/conf/subdomain-no-subject.conf
new file mode 100644
index 00000000..7a68c951
--- /dev/null
+++ b/certs/src/conf/subdomain-no-subject.conf
@@ -0,0 +1,14 @@
+[ req ]
+default_bits = 2048
+distinguished_name = req_distinguished_name
+encrypt_key = no
+req_extensions = req_v3_usr
+
+[ req_distinguished_name ]
+
+[ req_v3_usr ]
+basicConstraints = CA:FALSE
+subjectAltName = critical, @alt_names
+
+[ alt_names ]
+DNS.1 = no-subject.__DOMAIN__
diff --git a/certs/tool b/certs/tool
index 993d920a..1cfb3079 100755
--- a/certs/tool
+++ b/certs/tool
@@ -31,6 +31,13 @@ gen-csr)
 -config <(cat $1 | sed "s/__DOMAIN__/$DOMAIN/g") \
 -key $2
 ;;
+gen-csr-no-subject)
+ openssl req -new \
+ -subj / \
+ -out $OUT \
+ -config <(cat $1 | sed "s/__DOMAIN__/$DOMAIN/g") \
+ -key $2
+ ;;
 gen-ca)
 openssl req -new -x509 -days 7300 \
 -out $OUT \
diff --git a/domains/cert/no-common-name.conf b/domains/cert/no-common-name.conf
new file mode 100644
index 00000000..f1175ff2
--- /dev/null
+++ b/domains/cert/no-common-name.conf
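Review bot: `DNS.1 = no-subject.__DOMAIN__` in `[ alt_names ]` of subdomain-no-common-name.conf names the wrong host; the vhost that serves this chain (domains/cert/no-common-name.conf in this same patch) answers for `no-common-name.{{ site.domain }}`, so a client would reject the certificate for a plain name mismatch instead of exercising the intended "valid SAN, no commonName" case, and anyone testing against it could mistake that error for the one being studied. It reads like a copy from the no-subject config. Change the entry to `DNS.1 = no-common-name.__DOMAIN__`.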
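Review bot: The `critical, @alt_names` on `subjectAltName` is the one detail that keeps this certificate conformant, and nothing in the file says so; RFC 5280 §4.1.2.6 requires the SAN extension to be critical when the subject is empty, so a maintainer later "aligning" this file with its siblings could drop the flag and produce a non-conformant certificate without any tool complaining. I would add `# Subject is empty (certs/tool gen-csr-no-subject passes -subj /), so RFC 5280 4.1.2.6 requires the SAN to be critical` above that line. The sibling subdomain-no-common-name.conf also sets `prompt = no`, which this file omits while leaving `[ req_distinguished_name ]` empty; that is presumably harmless because the tool always supplies `-subj /`, but adding `prompt = no` keeps the two files consistent and avoids interactive prompting if this config is ever fed to `openssl req` without that flag.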
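Review bot: The new `gen-csr-no-subject)` case repeats the `gen-csr)` case line for line with only `-subj /` added, so the two will drift apart the next time one of them is edited; the `gen-csr)` case itself begins before this hunk. Either fold the variant into the existing case with an optional subject override, or at least put a comment over the new case explaining the relationship and the constraint it imposes, e.g. `# Same as gen-csr but forces an empty subject via -subj /; the config's SAN must then be critical (RFC 5280 4.1.2.6)`. The unquoted `$1`, `$2` and `$OUT` follow the surrounding cases, so I would leave them as they are in this commit.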
@@ -0,0 +1,19 @@
+---
+---
+server {
+ listen 80;
+ server_name no-common-name.{{ site.domain }};
+
+ return 301 https://$server_name$request_uri;
+}
+
+server {
+ listen 443;
+ server_name no-common-name.{{ site.domain }};
+
+ include {{ site.serving-path }}/nginx-includes/subdomain-no-common-name.conf;
+ include {{ site.serving-path }}/nginx-includes/tls-defaults.conf;
+ include {{ site.serving-path }}/common/common.conf;
+
+ root {{ site.serving-path }}/domains/cert/no-common-name;
+}
diff --git a/domains/cert/no-common-name/index.html b/domains/cert/no-common-name/index.html
new file mode 100644
index 00000000..e995a75b
--- /dev/null
+++ b/domains/cert/no-common-name/index.html
@@ -0,0 +1,16 @@
+---
+subdomain: no-common-name
+layout: page
+favicon: gray
+background: gray
+---
+
+

+ {{ page.subdomain }}.
{{ site.domain }} +

+
+
+
diff --git a/domains/cert/no-subject.conf b/domains/cert/no-subject.conf
new file mode 100644
index 00000000..773e17b6
--- /dev/null
+++ b/domains/cert/no-subject.conf
@@ -0,0 +1,19 @@
+---
+---
+server {
+ listen 80;
+ server_name no-subject.{{ site.domain }};
+
+ return 301 https://$server_name$request_uri;
+}
+
+server {
+ listen 443;
+ server_name no-subject.{{ site.domain }};
+
+ include {{ site.serving-path }}/nginx-includes/subdomain-no-subject.conf;
+ include {{ site.serving-path }}/nginx-includes/tls-defaults.conf;
+ include {{ site.serving-path }}/common/common.conf;
+
+ root {{ site.serving-path }}/domains/cert/no-subject;
+}
diff --git a/domains/cert/no-subject/index.html b/domains/cert/no-subject/index.html
new file mode 100644
index 00000000..dea3e55f
--- /dev/null
+++ b/domains/cert/no-subject/index.html
@@ -0,0 +1,16 @@
+---
+subdomain: no-subject
+layout: page
+favicon: gray
+background: gray
+---
+
+

+ {{ page.subdomain }}.
{{ site.domain }} +

+
+
+
diff --git a/nginx-includes/subdomain-no-common-name.conf b/nginx-includes/subdomain-no-common-name.conf
new file mode 100644
index 00000000..9ce05b32
--- /dev/null
+++ b/nginx-includes/subdomain-no-common-name.conf
@@ -0,0 +1,6 @@
+---
+---
+
+ssl on;
+ssl_certificate {{ site.cert-path }}/subdomain-no-common-name.pem;
+ssl_certificate_key /etc/keys/leaf-main.key;
diff --git a/nginx-includes/subdomain-no-subject.conf b/nginx-includes/subdomain-no-subject.conf
new file mode 100644
index 00000000..00d9fe4d
--- /dev/null
+++ b/nginx-includes/subdomain-no-subject.conf
@@ -0,0 +1,6 @@
+---
+---
+
+ssl on;
+ssl_certificate {{ site.cert-path }}/subdomain-no-subject.pem;
+ssl_certificate_key /etc/keys/leaf-main.key;