Add (known|blocked)-interception.badssl.com tests (#423)

Author: christhompson

certs/Makefile

@@ -448,6 +448,34 @@ CHAINS_PROD += $(O)/gen/chain/subdomain-captive-portal.pem
 $(O)/gen/chain/subdomain-captive-portal.pem: $(O)/gen/crt/subdomain-captive-portal.crt $(O)/gen/crt/ca-intermediate.crt
 	./tool chain $@ $(D) $^
 
+################################
+$(O)/gen/key/leaf-blocked-interception.key:
+	./tool gen-key $@ $(D) 2048
+
+################################
+# Note: this is just a regular cert in `test`
+$(O)/gen/csr/subdomain-blocked-interception.csr: src/conf/subdomain-blocked-interception.conf $(O)/gen/key/leaf-blocked-interception.key
+	./tool gen-csr $@ $(D) $^
+$(O)/gen/crt/subdomain-blocked-interception.crt: src/conf/subdomain-blocked-interception.conf $(O)/gen/csr/subdomain-blocked-interception.csr $(O)/gen/key/ca-intermediate.key $(O)/gen/crt/ca-intermediate.crt
+	./tool sign $@ $(D) $(SIGN_LEAF_DEFAULTS) $^
+CHAINS_PROD += $(O)/gen/chain/subdomain-blocked-interception.pem
+$(O)/gen/chain/subdomain-blocked-interception.pem: $(O)/gen/crt/subdomain-blocked-interception.crt $(O)/gen/crt/ca-intermediate.crt
+	./tool chain $@ $(D) $^
+
+################################
+$(O)/gen/key/leaf-known-interception.key:
+	./tool gen-key $@ $(D) 2048
+
+################################
+# Note: this is just a regular cert in `test`
+$(O)/gen/csr/subdomain-known-interception.csr: src/conf/subdomain-known-interception.conf $(O)/gen/key/leaf-known-interception.key
+	./tool gen-csr $@ $(D) $^
+$(O)/gen/crt/subdomain-known-interception.crt: src/conf/subdomain-known-interception.conf $(O)/gen/csr/subdomain-known-interception.csr $(O)/gen/key/ca-intermediate.key $(O)/gen/crt/ca-intermediate.crt
+	./tool sign $@ $(D) $(SIGN_LEAF_DEFAULTS) $^
+CHAINS_PROD += $(O)/gen/chain/subdomain-known-interception.pem
+$(O)/gen/chain/subdomain-known-interception.pem: $(O)/gen/crt/subdomain-known-interception.crt $(O)/gen/crt/ca-intermediate.crt
+	./tool chain $@ $(D) $^
+
 
 ################################
 $(O)/gen/dhparam/dh480.pem:

certs/src/conf/subdomain-blocked-interception.conf

@@ -0,0 +1,20 @@
+[ req ]
+default_bits        = 2048
+distinguished_name  = req_distinguished_name
+encrypt_key         = no
+prompt              = no
+req_extensions      = req_v3_usr
+
+[ req_distinguished_name ]
+countryName         = US
+stateOrProvinceName = California
+localityName        = San Francisco
+organizationName    = BadSSL
+commonName          = blocked-interception.__DOMAIN__
+
+[ req_v3_usr ]
+basicConstraints = CA:FALSE
+subjectAltName = @alt_names
+
+[ alt_names ]
+DNS.1 = blocked-interception.__DOMAIN__

certs/src/conf/subdomain-known-interception.conf

@@ -0,0 +1,20 @@
+[ req ]
+default_bits        = 2048
+distinguished_name  = req_distinguished_name
+encrypt_key         = no
+prompt              = no
+req_extensions      = req_v3_usr
+
+[ req_distinguished_name ]
+countryName         = US
+stateOrProvinceName = California
+localityName        = San Francisco
+organizationName    = BadSSL
+commonName          = known-interception.__DOMAIN__
+
+[ req_v3_usr ]
+basicConstraints = CA:FALSE
+subjectAltName = @alt_names
+
+[ alt_names ]
+DNS.1 = known-interception.__DOMAIN__

domains/cert/blocked-interception.conf

@@ -0,0 +1,19 @@
+---
+---
+server {
+  listen 80;
+  server_name blocked-interception.{{ site.domain }};
+
+  return 301 https://$server_name$request_uri;
+}
+
+server {
+  listen 443;
+  server_name blocked-interception.{{ site.domain }};
+
+  include {{ site.serving-path }}/nginx-includes/subdomain-blocked-interception.conf;
+  include {{ site.serving-path }}/nginx-includes/tls-defaults.conf;
+  include {{ site.serving-path }}/common/common.conf;
+
+  root {{ site.serving-path }}/domains/cert/blocked-interception;
+}

domains/cert/blocked-interception/index.html

@@ -0,0 +1,16 @@
+---
+subdomain: blocked-interception
+layout: page
+favicon: red
+background: red
+---
+
+<div id="content">
+  <h1 style="font-size: 10vw;">
+    {{ page.subdomain }}.<br>{{ site.domain }}
+  </h1>
+</div>
+
+<div id="footer">
+  The certificate for this site is associated with network interception.
+</div>

domains/cert/known-interception.conf

@@ -0,0 +1,19 @@
+---
+---
+server {
+  listen 80;
+  server_name known-interception.{{ site.domain }};
+
+  return 301 https://$server_name$request_uri;
+}
+
+server {
+  listen 443;
+  server_name known-interception.{{ site.domain }};
+
+  include {{ site.serving-path }}/nginx-includes/subdomain-known-interception.conf;
+  include {{ site.serving-path }}/nginx-includes/tls-defaults.conf;
+  include {{ site.serving-path }}/common/common.conf;
+
+  root {{ site.serving-path }}/domains/cert/known-interception;
+}

domains/cert/known-interception/index.html

@@ -0,0 +1,16 @@
+---
+subdomain: blocked-interception
+layout: page
+favicon: gray
+background: gray
+---
+
+<div id="content">
+  <h1 style="font-size: 10vw;">
+    {{ page.subdomain }}.<br>{{ site.domain }}
+  </h1>
+</div>
+
+<div id="footer">
+  The certificate for this site is associated with network interception.
+</div>

nginx-includes/subdomain-blocked-interception.conf

@@ -0,0 +1,6 @@
+---
+---
+
+ssl on;
+ssl_certificate {{ site.cert-path }}/subdomain-blocked-interception.pem;
+ssl_certificate_key /etc/keys/leaf-blocked-interception.key;

nginx-includes/subdomain-known-interception.conf

@@ -0,0 +1,6 @@
+---
+---
+
+ssl on;
+ssl_certificate {{ site.cert-path }}/subdomain-known-interception.pem;
+ssl_certificate_key /etc/keys/leaf-known-interception.key;