Name | Date | Size | #Lines | LOC
---|---|---|---|---
.. | 22-Aug-2025 | - | |
README.md | 22-Aug-2025 | 1.2 KiB | 23 | 20
chain.pem | 22-Aug-2025 | 12.9 KiB | 253 | 240
main.test | 22-Aug-2025 | 213 | 9 | 7

README.md
This test verifies behavior when a certificate has an unparseable/unsupported SPKI. It should be handled equivalently to a certificate with a failed signature verification: further processing should be short-circuited.

The certificate chain has 2 problems:
* leaf is expired
* intermediate has invalid SPKI

The verification should fail with only the SPKI parsing error, since further processing should be short-circuited.

Instructions for generating test certificate chain:
* `cp ../expired-target/chain.pem .`
* extract intermediate cert to `int-pre.pem`
* `print_certificates --output=der2ascii int-pre.pem > int.derascii`
* edit `int.derascii` to replace SPKI OID with something invalid
* extract the TBSCertificate part of the certificate to `int.tbs.derascii`
* `ascii2der < int.tbs.derascii > int.tbs.der`
* generate new signature: `openssl pkeyutl -sign -rawin -in int.tbs.der -digest sha256 -inkey ../expired-target/keys/Root.key -out - | xxd -p -c 0`
* replace the signature hex in `int.derascii`
* `ascii2der < int.derascii > int.der`
* `print_certificates --output=openssl_text,pem int.der > int.pem`
* replace the intermediate certificate in `chain.pem` with the contents of `int.pem`
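
To show which field the "replace SPKI OID" step changes, here is an added example (not part of this test directory or its project) that walks a DER certificate down to the subjectPublicKeyInfo algorithm OID and compares it with an allow-list. The allow-list, the helper names and the skeleton certificate are assumptions constructed for illustration; the skeleton has a certificate's field layout but is not a real certificate.

```python
SUPPORTED = {"1.2.840.113549.1.1.1",   # rsaEncryption
             "1.2.840.10045.2.1"}      # id-ecPublicKey; allow-list is an assumption

def read_tlv(buf, off):                 # -> (tag, value_start, value_end)
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:                   # long-form length
        n = length & 0x7F
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    if off + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, off, off + length

def children(buf, start, end):          # yields (tag, value_start, value_end)
    while start < end:
        tag, vs, ve = read_tlv(buf, start)
        yield tag, vs, ve
        start = ve

def decode_oid(body):
    arcs, value = [], 0
    for b in body:                      # base-128 digits, high bit means "more"
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    first = min(arcs[0] // 40, 2)       # the first subidentifier packs two arcs
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def spki_algorithm_oid(cert):
    _, cs, ce = read_tlv(cert, 0)                          # Certificate
    _, ts, te = next(children(cert, cs, ce))               # TBSCertificate
    fields = list(children(cert, ts, te))
    spki = fields[6 if fields[0][0] == 0xA0 else 5]        # [0] version is optional
    _, a_s, a_e = next(children(cert, spki[1], spki[2]))   # AlgorithmIdentifier
    tag, o_s, o_e = next(children(cert, a_s, a_e))
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return decode_oid(cert[o_s:o_e])

def tlv(tag, body=b""):                 # encoder for the sample, short-form only
    return bytes([tag, len(body)]) + body

def sample_cert(oid_body):              # constructed skeleton, not a real certificate
    spki = tlv(0x30, tlv(0x30, tlv(0x06, oid_body) + tlv(0x05)) + tlv(0x03, b"\x00"))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + tlv(0x30) * 4 + spki)
    return tlv(0x30, tbs + tlv(0x30) + tlv(0x03, b"\x00"))

RSA_OID = bytes.fromhex("2a864886f70d010101")   # 1.2.840.113549.1.1.1
BOGUS_OID = bytes.fromhex("2a0304")             # 1.2.3.4, constructed stand-in
```

`spki_algorithm_oid(sample_cert(BOGUS_OID)) in SUPPORTED` is false, which is the condition a verifier would treat as the SPKI error before looking at anything else in the chain.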