Merge pull request #335 from april/extended-validation

Add support for an extended validation certificate

_plugins/environment_variable.rb

@@ -6,6 +6,7 @@ class EnvironmentVariablesGenerator < Generator
 
     def generate(site)
       site.config['domain'] = ENV['DOMAIN'] || 'badssl.com'
+      site.config['prod'] = ENV['DOMAIN'] == ENV['PROD_DOMAIN']
       site.config['http-domain'] = ENV['HTTP_DOMAIN'] || 'http.badssl.com'
       site.config['serving-path'] = ENV['SERVING_PATH'] || '/var/www/badssl/_site'
 

certs/Makefile

@@ -316,6 +316,15 @@ CHAINS_PROD += $(O)/gen/chain/subdomain-xn--n1aae7f7o.pem
 $(O)/gen/chain/subdomain-xn--n1aae7f7o.pem: $(O)/gen/crt/subdomain-xn--n1aae7f7o.crt $(O)/gen/crt/ca-intermediate.crt
 	./tool chain $@ $(D) $^
 
+################################
+$(O)/gen/csr/subdomain-extended-validation.csr: src/conf/subdomain-extended-validation.conf $(O)/gen/key/leaf-main.key
+	./tool gen-csr $@ $(D) $^
+$(O)/gen/crt/subdomain-extended-validation.crt: src/conf/subdomain-extended-validation.conf $(O)/gen/csr/subdomain-extended-validation.csr $(O)/gen/key/ca-intermediate.key $(O)/gen/crt/ca-intermediate.crt
+	./tool sign $@ $(D) $(SIGN_LEAF_DEFAULTS) $^
+CHAINS_PROD += $(O)/gen/chain/subdomain-extended-validation.pem
+$(O)/gen/chain/subdomain-extended-validation.pem: $(O)/gen/crt/subdomain-extended-validation.crt $(O)/gen/crt/ca-intermediate.crt
+	./tool chain $@ $(D) $^
+
 ################################
 # Note: this is just a regular cert in `test`.
 # Getting a real-world cert without SCTs may be extra work in the future.

certs/src/conf/subdomain-extended-validation.conf

@@ -0,0 +1,30 @@
+[ req ]
+default_bits        = 2048
+distinguished_name  = req_distinguished_name
+encrypt_key         = no
+prompt              = no
+req_extensions      = req_v3_usr
+certificatePolicies = @policy
+
+[ req_distinguished_name ]
+countryName         = US
+stateOrProvinceName = California
+localityName        = San Francisco
+organizationName    = BadSSL
+commonName          = extended-validation.__DOMAIN__
+
+[ req_v3_usr ]
+basicConstraints = CA:FALSE
+subjectAltName = @alt_names
+certificatePolicies = @policy
+
+[ alt_names ]
+DNS.1 = extended-validation.__DOMAIN__
+
+[ policy ]
+policyIdentifier=1.3.1.1.1.1
+CPS.1 = "https://no-csp-statement.__DOMAIN__/"
+userNotice.1 = @notice
+
+[ notice ]
+explicitText = "This certificate is used solely for BadSSL."

domains/cert/extended-validation.conf

@@ -0,0 +1,38 @@
+---
+---
+server {
+  listen 80;
+  server_name extended-validation.{{ site.domain }};
+
+  return 301 https://$server_name$request_uri;
+}
+
+server {
+  listen 443;
+  server_name extended-validation.{{ site.domain }};
+
+  include {{ site.serving-path }}/nginx-includes/subdomain-extended-validation.conf;
+  include {{ site.serving-path }}/nginx-includes/tls-defaults.conf;
+  include {{ site.serving-path }}/common/common.conf;
+
+  root {{ site.serving-path }}/domains/cert/extended-validation;
+}
+
+# Redirect from ev -> extended-validation
+server {
+  listen 80;
+  server_name ev.{{ site.domain }};
+
+  return 301 https://ev.{{ site.domain }}$request_uri;
+}
+
+server {
+  listen 443;
+  server_name ev.{{ site.domain }};
+
+  include {{ site.serving-path }}/nginx-includes/wildcard-normal.conf;
+  include {{ site.serving-path }}/nginx-includes/tls-defaults.conf;
+  include {{ site.serving-path }}/common/common.conf;
+
+  return 301 https://extended-validation.{{ site.domain }}$request_uri;
+}

domains/cert/extended-validation/index.html

@@ -0,0 +1,20 @@
+---
+subdomain: extended-validation
+layout: page
+favicon: green
+background: green
+---
+
+<div id="content">
+  <h1 style="font-size: 12vw;">
+    {{ page.subdomain }}.<br>{{ site.domain }}
+  </h1>
+</div>
+
+<div id="footer">
+  {% if site.prod %}
+    This site uses an EV (<a href="https://en.wikipedia.org/wiki/Extended_Validation_Certificate">Extended Validation</a>) digital certificate.
+  {% else %}
+    This site&#8217;s EV (<a href="https://en.wikipedia.org/wiki/Extended_Validation_Certificate">Extended Validation</a>) digital certificate is<br>treated like a DV cert because it is not issued by a trusted CA.
+  {% endif %}
+</div>

domains/misc/badssl.com/dashboard/sets.js

@@ -56,6 +56,7 @@ var sets = [
       {subdomain: "rsa2048"},
       {subdomain: "ecc256"},
       {subdomain: "ecc384"},
+      {subdomain: "extended-validation"},
       {subdomain: "mozilla-modern"}
     ]
   },

domains/misc/badssl.com/index.html

@@ -56,6 +56,8 @@ <h2 id="certificate"><span class="emoji">🎫</span>Certificate</h2>
     <hr>
     <a href="https://rsa2048.{{ site.domain }}/" class="good"><span class="icon"></span>rsa2048</a>
     <a href="https://rsa8192.{{ site.domain }}/" class="dubious"><span class="icon"></span>rsa8192</a> 
+    <hr>
+    <a href="https://extended-validation.{{ site.domain }}/" class="good"><span class="icon"></span>extended-validation</a>
   </div>
   <div class="group">
     <h2 id="client-certificate"><span class="emoji">🎟</span>Client Certificate</h2>

nginx-includes/subdomain-extended-validation.conf

@@ -0,0 +1,6 @@
+---
+---
+
+ssl on;
+ssl_certificate {{ site.cert-path }}/subdomain-extended-validation.pem;
+ssl_certificate_key /etc/keys/leaf-main.key;