Provide a subdomain with a reversed certificate chain (#443)

* Change Ruby version to 2.4

Jekyll requires Ruby 2.4. Update Dockerfile to include it per comment by @shawn-lo on #405 .

* Do not run `docker-run` before `docker-build` or `certs-test` have concluded

* Provide a subdomain with a disorderly certificate chain

* Improve naming of misorderly certificate chain

Rename it from disorderly certificate chain, as suggested by lgarron.

* Improve naming of reverse certificate chain

Ideally, a misorderly chain would leverage 3 or more certificates; since
there may be some obstacles to doing so with the live website,
simplify the expectations of our use case by renaming it to reverse
certificate chain.

* Fix typo in naming of reversed certificate chain

It's _reversed_ rather than reverse.

Co-authored-by: Brad <[email protected]>

Dockerfile

@@ -2,14 +2,18 @@
 FROM ubuntu:16.04
 MAINTAINER April King <[email protected]>
 EXPOSE 80 443
+RUN apt-get update && apt-get install -y apt-transport-https
+RUN apt-get install -y software-properties-common
+RUN apt-add-repository ppa:brightbox/ruby-ng
 RUN apt-get update && apt-get install -y \
     build-essential \
     git \
     libffi-dev \
     make \
     nginx \
-    ruby \
-    ruby-dev
+    ruby2.4 \
+    ruby2.4-dev
+RUN gem update --system
 RUN gem install jekyll
 
 # Install badssl.com

Makefile

@@ -8,6 +8,7 @@ export PROD_DOMAIN = badssl.com
 # This should bring up a full test server in docker from a bare repo.
 # Certs are generated outside the docker container, for persistence.
 .PHONY: test
+.NOTPARALLEL: test
 test: certs-test docker-build docker-run
 
 # Convenience alias.

certs/Makefile

@@ -119,6 +119,15 @@ CHAINS_PROD += $(O)/gen/chain/wildcard-incomplete-chain.pem
 $(O)/gen/chain/wildcard-incomplete-chain.pem: $(O)/gen/crt/wildcard-main.crt
 	./tool chain $@ $(D) $^
 
+################################
+$(O)/gen/csr/subdomain-reversed-chain.csr: src/conf/subdomain-reversed-chain.conf $(O)/gen/key/leaf-main.key
+	./tool gen-csr $@ $(D) $^
+$(O)/gen/crt/subdomain-reversed-chain.crt: src/conf/subdomain-reversed-chain.conf $(O)/gen/csr/subdomain-reversed-chain.csr $(O)/gen/key/ca-intermediate.key $(O)/gen/crt/ca-intermediate.crt
+	./tool sign $@ $(D) $(SIGN_LEAF_DEFAULTS) $^
+CHAINS_PROD += $(O)/gen/chain/subdomain-reversed-chain.pem
+$(O)/gen/chain/subdomain-reversed-chain.pem: $(O)/gen/crt/ca-intermediate.crt $(O)/gen/crt/subdomain-reversed-chain.crt
+	./tool chain $@ $(D) $^
+
 ################################
 $(O)/gen/crt/wildcard-sha1-2016.crt: src/conf/wildcard.conf $(O)/gen/csr/wildcard-main.csr $(O)/gen/key/ca-intermediate.key $(O)/gen/crt/ca-intermediate.crt
 	# TODO: date calculations

certs/src/conf/subdomain-reversed-chain.conf

@@ -0,0 +1,20 @@
+[ req ]
+default_bits        = 2048
+distinguished_name  = req_distinguished_name
+encrypt_key         = no
+prompt              = no
+req_extensions      = req_v3_usr
+
+[ req_distinguished_name ]
+countryName         = US
+stateOrProvinceName = California
+localityName        = San Francisco
+organizationName    = BadSSL
+commonName          = reversed-chain.__DOMAIN__
+
+[ req_v3_usr ]
+basicConstraints = CA:FALSE
+subjectAltName = @alt_names
+
+[ alt_names ]
+DNS.1 = reversed-chain.__DOMAIN__

domains/cert/reversed-chain.conf

@@ -0,0 +1,19 @@
+---
+---
+server {
+  listen 80;
+  server_name reversed-chain.{{ site.domain }};
+
+  return 301 https://$server_name$request_uri;
+}
+
+server {
+  listen 443;
+  server_name reversed-chain.{{ site.domain }};
+
+  include {{ site.serving-path }}/nginx-includes/subdomain-reversed-chain.conf;
+  include {{ site.serving-path }}/nginx-includes/tls-defaults.conf;
+  include {{ site.serving-path }}/common/common.conf;
+
+  root {{ site.serving-path }}/domains/cert/reversed-chain;
+}

domains/cert/reversed-chain/index.html

@@ -0,0 +1,16 @@
+---
+subdomain: reversed-chain
+layout: page
+favicon: orange
+background: rgb(243, 121, 46)
+---
+
+<div id="content">
+  <h1 style="font-size: 8vw;">
+    {{ page.subdomain }}.<br>{{ site.domain }}
+  </h1>
+</div>
+
+<div id="footer" style="font-size: 1.5vw">
+  The certificate chain sent by this site is not hierarchically ordered. This will cause a certificate error unless the browser knows how to walk a reversed chain.
+</div>

domains/misc/badssl.com/dashboard/sets.js

@@ -91,7 +91,8 @@ var sets = [
       {subdomain: "ecc256"},
       {subdomain: "ecc384"},
       {subdomain: "extended-validation"},
-      {subdomain: "mozilla-modern"}
+      {subdomain: "mozilla-modern"},
+      {subdomain: "reversed-chain"}
     ]
   }
 ];

domains/misc/badssl.com/index.html

@@ -42,6 +42,7 @@ <h2 id="certificate"><span class="emoji">🎫</span>Certificate</h2>
     <a href="https://no-common-name.{{ site.domain }}/" class="dubious"><span class="icon"></span>no-common-name</a>
     <a href="https://no-subject.{{ site.domain }}/" class="dubious"><span class="icon"></span>no-subject</a>
     <a href="https://incomplete-chain.{{ site.domain }}/" class="dubious"><span class="icon"></span>incomplete-chain</a>
+    <a href="https://reversed-chain.{{ site.domain }}/" class="dubious"><span class="icon"></span>reversed-chain</a>
     <hr>
     <a href="https://sha256.{{ site.domain }}/" class="good"><span class="icon"></span>sha256</a>
     <a href="https://sha384.{{ site.domain }}/" class="good"><span class="icon"></span>sha384</a>

nginx-includes/subdomain-reversed-chain.conf

@@ -0,0 +1,6 @@
+---
+---
+
+ssl on;
+ssl_certificate {{ site.cert-path }}/subdomain-reversed-chain.pem;
+ssl_certificate_key /etc/keys/ca-intermediate.key;