From af1b448ab0dcb24ce608075a3495534252903810 Mon Sep 17 00:00:00 2001 From: Andrew Ayer Date: Thu, 4 Jun 2015 16:18:38 -0700 Subject: [PATCH] Add expired-ocsp.badssl.com subdomain This subdomain sends an expired stapled OCSP response, which triggers an SSL error in Firefox (and soon in Chrome as well). The OCSP response, certs/wildcard.expired-ocsp.der, was generated by running: openssl ocsp -issuer certs/wildcard.issuer.pem -cert certs/wildcard.normal.pem -url http://ocsp.comodoca.com -noverify -respout certs/wildcard.expired-ocsp.der where certs/wildcard.issuer.pem contains the certificate that issued certs/wildcard.normal.pem (i.e. the first intermediate certificate in the chain). http://ocsp.comodoca.com was taken from the OCSP field as output by `openssl x509 -in certs/wildcard.normal.pem -noout -text`. certs/wildcard.expired-ocsp.der will need to be regenerated whenever wildcard.normal.pem is reissued. Note that, at the time of this commit, certs/wildcard.expired-ocsp.der is not yet expired, but will expire on Jun 8, 2015 at 09:38:45 UTC. --- certs/cert-generator/cert-generator.sh | 24 +++++++++++ certs/self-signed/wildcard.expired-ocsp.der | Bin 0 -> 2513 bytes certs/wildcard.expired-ocsp.der | Bin 0 -> 471 bytes domains/misc/badssl.com/index.html | 1 + domains/misc/expired-ocsp.badssl.com.conf | 20 +++++++++ .../misc/expired-ocsp.badssl.com/index.html | 40 ++++++++++++++++++ 6 files changed, 85 insertions(+) create mode 100644 certs/self-signed/wildcard.expired-ocsp.der create mode 100644 certs/wildcard.expired-ocsp.der create mode 100644 domains/misc/expired-ocsp.badssl.com.conf create mode 100644 domains/misc/expired-ocsp.badssl.com/index.html diff --git a/certs/cert-generator/cert-generator.sh b/certs/cert-generator/cert-generator.sh index e351dfd9..4bfd2222 100755 --- a/certs/cert-generator/cert-generator.sh +++ b/certs/cert-generator/cert-generator.sh 
@@ -53,12 +53,30 @@ openssl x509 -req -days 730 -sha256 -CAcreateserial \ -in badssl-wildcard.csr \ -CA ../self-signed/badssl-intermediate.pem \ -CAkey ../self-signed/badssl-intermediate.key \ + -set_serial 01 \ -extfile badssl-wildcard.conf \ -extensions req_v3_usr \ -out out.pem cat out.pem ../self-signed/badssl-intermediate.pem ../self-signed/badssl-root.pem > ../self-signed/wildcard.normal.pem echo +echo "Generating expired OCSP response for BadSSL Default Certificate" +printf "V\t\t\t01\t\t\n" > index.txt # 01 must match serial # of cert, as passed to -set_serial above +echo "unique_subject = no" > index.txt.attr +openssl ocsp \ + -index index.txt \ + -rsigner ../self-signed/badssl-intermediate.pem \ + -rkey ../self-signed/badssl-intermediate.key \ + -CA ../self-signed/badssl-intermediate.pem \ + -issuer ../self-signed/badssl-intermediate.pem \ + -CAfile ../self-signed/badssl-root.pem \ + -serial 01 \ + -nmin 1 \ + -nrequest 1 \ + -respout ../self-signed/wildcard.expired-ocsp.der +rm index.txt index.txt.attr +echo + echo "Generating incomplete certificate chain" cp out.pem ../self-signed/wildcard.incomplete-chain.pem rm out.pem @@ -69,6 +87,7 @@ openssl x509 -req -days $du2016 -sha1 -CAcreateserial \ -in badssl-wildcard.csr \ -CA ../self-signed/badssl-intermediate.pem \ -CAkey ../self-signed/badssl-intermediate.key \ + -set_serial 02 \ -extfile badssl-wildcard.conf \ -extensions req_v3_usr \ -out out.pem @@ -81,6 +100,7 @@ openssl x509 -req -days $du2017 -sha1 -CAcreateserial \ -in badssl-wildcard.csr \ -CA ../self-signed/badssl-intermediate.pem \ -CAkey ../self-signed/badssl-intermediate.key \ + -set_serial 03 \ -extfile badssl-wildcard.conf \ -extensions req_v3_usr \ -out out.pem @@ -96,6 +116,7 @@ if [ ! -f ../self-signed/wildcard.expired.pem ] -in badssl-wildcard.csr \ -CA ../self-signed/badssl-intermediate.pem \ -CAkey ../self-signed/badssl-intermediate.key \ + -set_serial 04 \ -extfile badssl-wildcard.conf \ -extensions req_v3_usr \ -out out.pem 
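Review bot: Hard-coding `-set_serial 01` (and `02`–`04` in the hunks at -69, -81 and -96, `05`–`07` in the later ones) means every rerun of the generator issues a different certificate with the same issuer and serial; NSS-based clients such as Firefox reject a certificate whose issuer and serial match a previously seen but different one (SEC_ERROR_REUSED_ISSUER_AND_SERIAL), so anyone who regenerates the self-signed set can hit a cache error unrelated to the case under test. The serial is only pinned so the OCSP index can name it, and it can instead be read back from the issued certificate, leaving `-CAcreateserial` in charge of uniqueness: `serial=$(openssl x509 -in out.pem -noout -serial | cut -d= -f2)`, `printf "V\t\t\t%s\t\t\n" "$serial" > index.txt`, and `-serial "0x$serial"` in the ocsp call. As written, `-set_serial` also turns the `-CAcreateserial` on the same `openssl x509` command into a no-op, which deserves a comment if the fixed serials are kept on purpose. The `openssl x509` command the first hunk patches begins above the hunk.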
@@ -110,6 +131,7 @@ echo "Self-signing BadSSL SHA-256 Certificate"
 openssl x509 -req -days 730 -sha256 -CAcreateserial \
 -in badssl-wildcard.csr \
 -signkey ../self-signed/badssl.com.key \
+ -set_serial 05 \
 -extfile badssl-wildcard.conf \
 -extensions req_v3_usr \
 -out out.pem
@@ -136,6 +158,7 @@ openssl x509 -req -days 730 -sha256 -CAcreateserial \
 -in rsa512.badssl-wildcard.csr \
 -CA ../self-signed/badssl-intermediate.pem \
 -CAkey ../self-signed/badssl-intermediate.key \
+ -set_serial 06 \
 -extfile badssl-wildcard.conf \
 -extensions req_v3_usr \
 -out out.pem
@@ -160,6 +183,7 @@ openssl x509 -req -days 730 -sha256 -CAcreateserial \
 -in rsa1024.badssl-wildcard.csr \
 -CA ../self-signed/badssl-intermediate.pem \
 -CAkey ../self-signed/badssl-intermediate.key \
+ -set_serial 07 \
 -extfile badssl-wildcard.conf \
 -extensions req_v3_usr \
 -out out.pem
diff --git a/certs/self-signed/wildcard.expired-ocsp.der b/certs/self-signed/wildcard.expired-ocsp.der new file mode 100644 index 0000000000000000000000000000000000000000..4f4a977c59a20caaae982a15d0473c6101c7254d GIT binary patch literal 2513 zcmc(gc{J4PAIE1iW@3=Bq{WD8kmWm=LD^-AlQwKzT=h{cHkNI29L21i3&opESj=XQWV z@316NNWnCED2a%Z17x;EQ8db#7^-AVCx!-)7y&e#B!Jr1cc9@G#6V}~6F40J*cPB@ zwLb)<A5KBQT z_DBZ`%S5Ut*(R-`z``zqpezU&1n#2RD}2y8vN-|C;PGQ|ZwxA=>q0Ia8nb#R2kt>6 zckWtbtosd19>W^ZNX52AX4tRCQY-h`_?p>WxB>@0GZyz|snZO8+PCC-i49iyl>ROa zsw!$|W+o^nqcr>c~QFhxSp1Q@1!4J_21pv=3Ymf-pH1)zQs=Y&3@G@ zPqNskAgfiOc`&^}iu0q8apqi5{zd~=6=SDdVK@fy!5HKMg^i!AfFV`*og0bN} zr|tAeVHy^%BzB^z10IZE)^4B8sg)@)CKN@4X51EV>#v4eJ$~KnZQ%{(nrFvngR8x5j+9{ikq)t^b?@PySW@Gyek>QwJrZyq6-SxxnChxMWt~s&aa6{6 zG(g2~I&ON_Ntyv?AP5Q9`O|20|CKZv#)84_JgLL9K_7gXKkT6$)|ZpL;hQvKA^XV; zYp6Rsy(Z8qST~89EY)spIX-s-)#bP+4($)gyst_*b}f2BTRZ)^k2djr%9BE=$1kZb zZ#fuMyS%&VXBr^LA%>w@pm?TK3?|^KR zR_Adcn_Ny^lFmBe6@TW3&+D2+ZtkmQ<)q6IJcRMEh~&zELo>$wu;ztzM40C}tq1!) ztuJ#Tn332gOmqCe%`QE4YbOhIb+V(0t3O#ENKVO}m()&Ll-ox4q2KEj=dM@zI&Kk(k=kMrGz^waGF_u!~Y;c zd~Maso_!R~=PKl%pNUHw=b6uqz0aPlO?r@bmwOUK@p9vVaKXKn{7O`ujal$z(zOh? zoIq$BXY$%z_NMCVvOJac>0#~=c=aQ0VGp=CTqC*|)3xC{#n@_{dpqUB>8VRHHR7Wp zUWjWh){v1?YO{q4mtMo>eehV#4-YRF0KaZ2B2w|{0|pmR=&)1o7B#%bOjCnwy}ul% zp7)C`nOYC8D$|^DlN-Ac(>N&Dc-8EDjU*l@ml#QxFZEwPMs~12lq&t8zZ14hhYH-u zYt_^$Gp1%cZh_&SHGi307*fzS%C}S=L-=rIJrP$W_S>-G zJ*5avMz=qC5Cfiiedz#sL2Xt5$$uA3b-!94TXL6CaiGwN;jvo#QNQ}p zWp|9o7{kPVZ57*8n*K!~D?T0sAMcExb)V72WI(#7?z4A;?-}zC1}=6)+lMqQ8`;z_ ibUx`nMM?3CcuT8Jo9S8^lB_I9%QG_L?0!g<$$tO>6Z?Gt literal 0 HcmV?d00001 
diff --git a/certs/wildcard.expired-ocsp.der b/certs/wildcard.expired-ocsp.der new file mode 100644 index 0000000000000000000000000000000000000000..dddab906829f298330a001a0df176bab2fb3b5ef GIT binary patch literal 471 zcmXqLV!X`7$grS^@r*$e;|VrSZ8k<$R(1nMMwTYVoj{?j295I;iLr=GSf6DzC5rpT zgjYgg#rK`JSZUmPF2QePU}$P!W?*7qX>4I)8f8#yP-x(3z{$p{&Bx3n#mc}UQuWa8 z#eySRI$JbOKVQb`Ch72K;Y;kMF$w6umQa)2=1BML?1mQv!FiUya zIJMe5+P?ELGIFyrFgGzWGDLgK51U+_bLXq10fD{tS!K+En6Pww2iR};Ev!UWkJ1%EFD|DBxPYvyugHOo(B z-h3V#FV-!_Q&0MTJHcGDyjZu~QC_9#Q~zzb?(O{IQ=H`23#4r--Yev_t*lzAKl`Xs z*nvNVX&VwJrCItq2KZk5ADH>|y7Gqh8>^Ihr_Ay(xnDH<^6Zs)Zhkc>b9Q}uI`@-P z#vfMUUZt?b`gNMeGC%1wJWYDY{K4T;-?0t`Yvq^?4FR(Kk-57}GOsPT5Sw|=BeR?# e@K>*w#RY+-LGwgh827YEs#{j2FqBy_c>w@Q2)S7R literal 0 HcmV?d00001 diff --git a/domains/misc/badssl.com/index.html b/domains/misc/badssl.com/index.html index 586a7a3a..0e957ee9 100644 --- a/domains/misc/badssl.com/index.html +++ b/domains/misc/badssl.com/index.html @@ -164,6 +164,7 @@ dh-small-subgroup dh-composite incomplete-chain + expired-ocsp very rc4-md5 http diff --git a/domains/misc/expired-ocsp.badssl.com.conf b/domains/misc/expired-ocsp.badssl.com.conf new file mode 100644 index 00000000..c88fe3dc --- /dev/null +++ b/domains/misc/expired-ocsp.badssl.com.conf @@ -0,0 +1,20 @@ +server { + listen 80; + server_name expired-ocsp.badssl.com; + + return 301 https://$server_name$request_uri; +} + +server { + listen 443; + server_name expired-ocsp.badssl.com; + + include /var/www/badssl/nginx-includes/wildcard.normal.conf; + include /var/www/badssl/nginx-includes/tls-defaults.conf; + include /var/www/badssl/common/common.conf; + + ssl_stapling on; + ssl_stapling_file /var/www/badssl/certs/wildcard.expired-ocsp.der; + + root /var/www/badssl/domains/misc/expired-ocsp.badssl.com; +} diff --git a/domains/misc/expired-ocsp.badssl.com/index.html b/domains/misc/expired-ocsp.badssl.com/index.html new file mode 100644 index 00000000..ae5e41aa --- /dev/null 
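Review bot: `ssl_stapling_file` serves a static response, and the commit message says `certs/wildcard.expired-ocsp.der` must be regenerated whenever `wildcard.normal.pem` is reissued, but nothing in the new configuration records that dependency. After a reissue the file would describe a different serial; a stapled response for the wrong certificate is presumably ignored by clients rather than treated as expired, so the subdomain would silently stop exercising the intended case. A comment above the directive would keep this visible to whoever rotates the certificate, e.g. `# Deliberately expired OCSP response for wildcard.normal.pem; regenerate it (openssl ocsp command in the commit that added it) whenever that certificate is reissued, or this case silently stops testing an expired staple.`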
+++ b/domains/misc/expired-ocsp.badssl.com/index.html @@ -0,0 +1,40 @@ + + + + expired-ocsp.badssl.com + + + + + +

expired-ocsp.
badssl.com

+ +