Merge pull request italia#732 from italia/x509-fix

fix: x509 chain example. Added x509 chain gen util

Author: peppelinux

docs/en/trust.rst

@@ -802,156 +802,10 @@ When a participant self-issues an X.509 Certificate, it adheres to the following
      - ``DNS=example.net``
      - ``DNS=*.example.org``
 
-Below a non-normative example of an X.509 Certificate Chain without intermediaries and in plain text, to facilitate the reading.
+Below is a non-normative example, in plain text (OpenSSL format), of an X.509 certificate chain with an intermediate CA, starting from the Leaf certificate.
 
-
-.. code-block:: text
-
-    Certificate:
-    Data:
-        Version: 3 (0x2)
-        Serial Number: 1 (0x1)
-    Signature Algorithm: sha256WithRSAEncryption
-        Issuer: CN=trust-anchor.example.com, O=Example Trust Anchor, C=IT
-        Validity
-            Not Before: Sep 1 00:00:00 2023 GMT
-            Not After : Sep 1 00:00:00 2033 GMT
-        Subject: CN=trust-anchor.example.com, O=Example Trust Anchor, C=IT
-        Subject Public Key Info:
-            Public Key Algorithm: rsaEncryption
-                Public-Key: (4096 bit)
-                Modulus:
-                    00:af:82:3b:...
-                Exponent: 65537 (0x10001)
-        X509v3 extensions:
-            X509v3 Basic Constraints:
-                CA:TRUE
-            X509v3 Key Usage:
-                Certificate Sign, CRL Sign
-            X509v3 Subject Key Identifier:
-                12:34:56:78:90:ab:cd:ef:12:34:56:78:90:ab:cd:ef
-            X509v3 Authority Key Identifier:
-                keyid:12:34:56:78:90:ab:cd:ef:12:34:56:78:90:ab:cd:ef
-            X509v3 CRL Distribution Points:
-                Full Name:
-                  URI:https://trust-anchors.example.com/crl/ca.crl
-
-    Signature Algorithm: sha256WithRSAEncryption
-         5c:4f:3b:...
-
-
-    Certificate:
-    Data:
-        Version: 3 (0x2)
-        Serial Number: 1234567890 (0x499602d2)
-    Signature Algorithm: sha256WithRSAEncryption
-        Issuer: CN=trust-anchor.example.com, O=Example Trust Anchor, C=IT
-        Validity
-            Not Before: Sep 1 00:00:00 2023 GMT
-            Not After : Sep 1 00:00:00 2024 GMT
-        Subject: CN=leaf.example.org, O=Leaf, C=IT
-        Subject Public Key Info:
-            Public Key Algorithm: rsaEncryption
-                Public-Key: (2048 bit)
-                Modulus:
-                    00:af:82:3b:...
-                Exponent: 65537 (0x10001)
-        X509v3 extensions:
-            X509v3 Basic Constraints:
-                CA:TRUE, pathlen:1
-            X509v3 Key Usage:
-                Digital Signature, Key Encipherment
-            X509v3 Subject Alternative Name:
-                URI:https://leaf.example.com
-            X509v3 Name Constraints:
-                Permitted:
-                  URI.1=https://leaf.example.com
-                  DNS.1=leaf.example.com
-                Excluded:
-                  DNS=localhost
-                  DNS=localhost.localdomain
-                  DNS=127.0.0.1
-                  DNS=example.com
-                  DNS=example.org
-                  DNS=example.net
-                  DNS=*.example.org
-            X509v3 CRL Distribution Points:
-                Full Name:
-                  URI:https://trust-ancor.example.com/crl/leaf.example.org.crl
-
-    Signature Algorithm: sha256WithRSAEncryption
-         5c:4f:3b:...
-
-
-    Certificate:
-    Data:
-        Version: 3 (0x2)
-        Serial Number: 987654321 (0x3ade68b1)
-    Signature Algorithm: sha256WithRSAEncryption
-        Issuer: CN=https://leaf.example.org, O=Leaf, C=IT
-        Validity
-            Not Before: Sep 1 00:00:00 2023 GMT
-            Not After : Sep 1 00:00:00 2024 GMT
-        Subject: CN=https://leaf.example.org, O=Leaf, C=IT
-        Subject Public Key Info:
-            Public Key Algorithm: rsaEncryption
-                Public-Key: (2048 bit)
-                Modulus:
-                    00:af:82:3b:...
-                Exponent: 65537 (0x10001)
-        X509v3 extensions:
-            X509v3 Basic Constraints:
-                CA:FALSE
-            X509v3 Key Usage:
-                Digital Signature, Key Encipherment
-            X509v3 Subject Alternative Name:
-                URI:https://leaf.example.org
-            X509v3 Name Constraints:
-                Permitted:
-                  URI.1=https://leaf.example.com
-                  DNS.1=leaf.example.com
-            X509v3 CRL Distribution Points:
-                Full Name:
-                  URI:https://leaf.example.org/crl/self.crl
-
-    Signature Algorithm: sha256WithRSAEncryption
-         7d:6e:5f:...
-
-
-Federation participants can ensure that their certificates are consistent, enabling interoperability and security across the federation. This approach, enabling X.509 certificate issuance delegation, introduces innovative practices for certificate management using the underlying Trust Relationships established within the OpenID Federation.
-
-
-X.509 Certificate Revocation
-^^^^^^^^^^^^^^^^^^^^^^^^^^^^
-
-An X.509 Certificate can be revoked by its Issuer.
-Revocation lists, and or any other revocation check mechanisms, are required only for X.509 Certificate with expiration time superior to 24 hours, otherwise they are not required.
-
-When the X.509 Certificate issuer is the Leaf and therefore the X.509 Certificate is about itself, if the certificate expiration time is superior than 24 hours from the ``X509_NOT_VALID_BEFORE`` time, it MUST implement a CRL about the issued certificate and keep it updated.
-When the X.509 Certificate issuer is an Immediate superior, such as the Trust Anchor or a Intermediate, and it revokes the certificate about the Leaf, therefore the X.509 Certificate about one of the Leaves Federation Entity Key. This action invalidates the entire Trust Chain associated with that Leaf's cryptographic public key, effectively removing its ability to issue further X.509 Certificates about itself. This hierarchical revocation mechanism ensures that any compromise or misbehavior by a Leaf entity can be swiftly addressed.
-
-Below a non-normative example, in plain text, examplify the content of a CRL.
-
-.. code-block:: text
-
-    Certificate Revocation List (CRL):
-    Version: 2 (0x1)
-    Signature Algorithm: sha256WithRSAEncryption
-    Issuer: CN=https://leaf.example.org, O=Leaf, C=IT
-    Last Update: Sep 1 00:00:00 2023 GMT
-    Next Update: Sep 8 00:00:00 2023 GMT
-    Revoked Certificates:
-        Serial Number: 987654320
-            Revocation Date: Aug 25 12:00:00 2023 GMT
-            CRL Entry Extensions:
-                Reason Code: Key Compromise
-        Serial Number: 987654321
-            Revocation Date: Aug 30 15:00:00 2023 GMT
-            CRL Entry Extensions:
-                Reason Code: Cessation of Operation
-    Signature Algorithm: sha256WithRSAEncryption
-    Signature:
-        5c:4f:3b:...
+.. literalinclude:: ../../examples/x5c.json
+  :language: text
 
 Using the underlying layer established with OpenID Federation 1.0, all X.509 certificates are issued in a properly decentralized manner using the delegation pattern.
 

examples/x5c.json

@@ -0,0 +1,180 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 631900975802917176051117802358049194750736752223 (0x6eaf6b7456ab3c0a4b38f02bb6073db7ce925e5f)
+    Signature Algorithm: sha256
+        Issuer: commonName=https://intermediate.example.net, organizationName=Example INT, countryName=IT
+        Validity
+            Not Before: May 27 09:13:33 2025 GMT
+            Not After : May 28 09:13:33 2026 GMT
+        Subject: commonName=CN=leaf.example.com, O=Example Leaf, C=IT, organizationName=Example Leaf, countryName=IT
+        Subject Public Key Info:
+            Public Key Algorithm: id-ecPublicKey (EC)
+                Public-Key: (256 bit)
+                Curve: secp256r1
+                X: 69976109031737194756970051761651042204906873292535726068007861307666294009468
+                Y: 30041520431409736411496718565679258429461229569083348196905050642324938424017
+        X509v3 extensions:
+            X509v3 Basic Constraints:
+                CA:TRUE, pathlen:0
+            X509v3 Subject Alternative Name:
+                DNS:leaf.example.org
+                URI:leaf.example.org
+            X509v3 Key Usage:
+                Digital Signature, Key Encipherment, Certificate Sign, CRL Sign
+            X509v3 CRL Distribution Points:
+                Full Name:
+                  URI:https://leaf.example.com/crl/leaf.example.com.crl
+            X509v3 Name Constraints:
+                Permitted:
+                  URI.1=https://leaf.example.com
+                  DNS.2=leaf.example.com
+                Excluded:
+                  DNS.1=localhost
+                  DNS.2=localhost.localdomain
+                  DNS.3=127.0.0.1
+                  DNS.4=example.com
+                  DNS.5=example.org
+                  DNS.6=example.net
+
+    Signature Algorithm: sha256
+     30:45:02:21:00:ee:0c:24:4c:ea:57:db:f8:54:68:77
+     92:bd:d7:e3:3d:ec:80:4e:84:b4:36:70:f3:00:0b:f0
+     cf:bf:07:c1:4a:02:20:70:1e:12:e4:c4:97:ba:95:36
+     e8:20:82:d6:f1:7f:4d:0d:41:4a:51:0a:c5:b2:5d:62
+     33:45:c5:b0:dc:28:0a
+
+-----BEGIN CERTIFICATE-----
+MIIC6jCCApCgAwIBAgIUbq9rdFarPApLOPArtgc9t86SXl8wCgYIKoZIzj0EAwIw
+TjEpMCcGA1UEAwwgaHR0cHM6Ly9pbnRlcm1lZGlhdGUuZXhhbXBsZS5uZXQxFDAS
+BgNVBAoMC0V4YW1wbGUgSU5UMQswCQYDVQQGEwJJVDAeFw0yNTA1MjcwOTEzMzNa
+Fw0yNjA1MjgwOTEzMzNaMFgxMjAwBgNVBAMMKUNOPWxlYWYuZXhhbXBsZS5jb20s
+IE89RXhhbXBsZSBMZWFmLCBDPUlUMRUwEwYDVQQKDAxFeGFtcGxlIExlYWYxCzAJ
+BgNVBAYTAklUMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEmrUS/DeI3q5nTl0y
+U5nmAydnP8U4VQxoLb5EVXgCbnxCauXjmhQKpwjlACbOXY7iCBgdqq+1g8OWqMg2
+o5H+0aOCAUAwggE8MBIGA1UdEwEB/wQIMAYBAf8CAQAwLQYDVR0RBCYwJIIQbGVh
+Zi5leGFtcGxlLm9yZ4YQbGVhZi5leGFtcGxlLm9yZzAOBgNVHQ8BAf8EBAMCAaYw
+QgYDVR0fBDswOTA3oDWgM4YxaHR0cHM6Ly9sZWFmLmV4YW1wbGUuY29tL2NybC9s
+ZWFmLmV4YW1wbGUuY29tLmNybDCBogYDVR0eAQH/BIGXMIGUoDAwGoYYaHR0cHM6
+Ly9sZWFmLmV4YW1wbGUuY29tMBKCEGxlYWYuZXhhbXBsZS5jb22hYDALgglsb2Nh
+bGhvc3QwF4IVbG9jYWxob3N0LmxvY2FsZG9tYWluMAuCCTEyNy4wLjAuMTANggtl
+eGFtcGxlLmNvbTANggtleGFtcGxlLm9yZzANggtleGFtcGxlLm5ldDAKBggqhkjO
+PQQDAgNIADBFAiEA7gwkTOpX2/hUaHeSvdfjPeyAToS0NnDzAAvwz78HwUoCIHAe
+EuTEl7qVNugggtbxf00NQUpRCsWyXWIzRcWw3CgK
+-----END CERTIFICATE-----
+
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 396534572491127113022787686743653095280228078403 (0x457539a6ac314749fa5ec658f76ed225fd769343)
+    Signature Algorithm: sha256
+        Issuer: commonName=CN=ca.example.com, O=Example CA, C=IT, organizationName=Example CA, countryName=IT
+        Validity
+            Not Before: May 27 09:13:33 2025 GMT
+            Not After : May 28 09:13:33 2026 GMT
+        Subject: commonName=https://intermediate.example.net, organizationName=Example INT, countryName=IT
+        Subject Public Key Info:
+            Public Key Algorithm: id-ecPublicKey (EC)
+                Public-Key: (256 bit)
+                Curve: secp256r1
+                X: 25156074883156693989891139993064608529947553342874167037412394938695986639833
+                Y: 37747901399770759266458300753958501018530290808445029579181649667235295170256
+        X509v3 extensions:
+            X509v3 Basic Constraints:
+                CA:TRUE, pathlen:1
+            X509v3 Key Usage:
+                Digital Signature, Key Encipherment, Certificate Sign, CRL Sign
+            X509v3 CRL Distribution Points:
+                Full Name:
+                  URI:https://intermediate.example.net/crl/intermediate.example.net.crl
+            X509v3 Name Constraints:
+                Excluded:
+                  DNS.1=localhost
+                  DNS.2=localhost.localdomain
+                  DNS.3=127.0.0.1
+                  DNS.4=example.com
+                  DNS.5=example.org
+                  DNS.6=example.net
+
+    Signature Algorithm: sha256
+     30:46:02:21:00:cb:1d:01:ee:1b:bf:a1:4d:36:42:d2
+     0a:7e:80:37:44:e6:e0:ae:6c:70:58:ea:4c:60:00:af
+     53:3b:11:f6:66:02:21:00:c6:08:73:d8:45:7e:e8:e9
+     5e:be:5b:68:9e:12:e9:a2:8e:95:31:01:1d:9e:99:04
+     17:d3:f3:54:71:1b:9f:ac
+
+-----BEGIN CERTIFICATE-----
+MIICjzCCAjSgAwIBAgIURXU5pqwxR0n6XsZY927SJf12k0MwCgYIKoZIzj0EAwIw
+UjEuMCwGA1UEAwwlQ049Y2EuZXhhbXBsZS5jb20sIE89RXhhbXBsZSBDQSwgQz1J
+VDETMBEGA1UECgwKRXhhbXBsZSBDQTELMAkGA1UEBhMCSVQwHhcNMjUwNTI3MDkx
+MzMzWhcNMjYwNTI4MDkxMzMzWjBOMSkwJwYDVQQDDCBodHRwczovL2ludGVybWVk
+aWF0ZS5leGFtcGxlLm5ldDEUMBIGA1UECgwLRXhhbXBsZSBJTlQxCzAJBgNVBAYT
+AklUMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEN53VdNZrwDIEoleHOjbgNAA9
+Ab6PeLajowvmkPNm89lTdI4YecjNJYS35wyhMEt+opXZukysBjRRO84M8I6O0KOB
+6zCB6DASBgNVHRMBAf8ECDAGAQH/AgEBMA4GA1UdDwEB/wQEAwIBpjBSBgNVHR8E
+SzBJMEegRaBDhkFodHRwczovL2ludGVybWVkaWF0ZS5leGFtcGxlLm5ldC9jcmwv
+aW50ZXJtZWRpYXRlLmV4YW1wbGUubmV0LmNybDBuBgNVHR4BAf8EZDBioWAwC4IJ
+bG9jYWxob3N0MBeCFWxvY2FsaG9zdC5sb2NhbGRvbWFpbjALggkxMjcuMC4wLjEw
+DYILZXhhbXBsZS5jb20wDYILZXhhbXBsZS5vcmcwDYILZXhhbXBsZS5uZXQwCgYI
+KoZIzj0EAwIDSQAwRgIhAMsdAe4bv6FNNkLSCn6AN0Tm4K5scFjqTGAAr1M7EfZm
+AiEAxghz2EV+6OlevltonhLpoo6VMQEdnpkEF9PzVHEbn6w=
+-----END CERTIFICATE-----
+
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 284423255585370380375410701638165198317432410917 (0x31d1fad9752ce503dbbacd0bf76abc930d651325)
+    Signature Algorithm: sha256
+        Issuer: commonName=CN=ca.example.com, O=Example CA, C=IT, organizationName=Example CA, countryName=IT
+        Validity
+            Not Before: May 27 09:13:33 2025 GMT
+            Not After : May 28 09:13:33 2026 GMT
+        Subject: commonName=CN=ca.example.com, O=Example CA, C=IT, organizationName=Example CA, countryName=IT
+        Subject Public Key Info:
+            Public Key Algorithm: id-ecPublicKey (EC)
+                Public-Key: (256 bit)
+                Curve: secp256r1
+                X: 7607860515366991947250115130866123391572079251785604713950047686319787674406
+                Y: 74493290682810963932331564302963289249956540428755890573822716633130571216251
+        X509v3 extensions:
+            X509v3 Basic Constraints:
+                CA:TRUE, pathlen:2
+            X509v3 Subject Alternative Name:
+                DNS:ca.example.com
+            X509v3 Key Usage:
+                Digital Signature, Key Encipherment, Certificate Sign, CRL Sign
+            X509v3 CRL Distribution Points:
+                Full Name:
+                  URI:https://ca.example.com/crl/ca.example.com.crl
+            X509v3 Name Constraints:
+                Excluded:
+                  DNS.1=localhost
+                  DNS.2=localhost.localdomain
+                  DNS.3=127.0.0.1
+                  DNS.4=example.com
+                  DNS.5=example.org
+                  DNS.6=example.net
+
+    Signature Algorithm: sha256
+     30:46:02:21:00:b9:6c:2c:6f:9a:18:b8:04:d6:39:d3
+     50:dd:e6:a6:ce:9b:f0:d8:64:48:7b:4b:33:2e:fe:d9
+     3d:13:81:4c:d4:02:21:00:ab:10:9d:f1:0f:64:d8:dc
+     76:53:d1:e3:32:b1:65:b7:97:83:d7:69:0f:5a:da:9b
+     1e:a4:a9:a3:88:98:6b:5f
+
+-----BEGIN CERTIFICATE-----
+MIICmjCCAj+gAwIBAgIUMdH62XUs5QPbus0L92q8kw1lEyUwCgYIKoZIzj0EAwIw
+UjEuMCwGA1UEAwwlQ049Y2EuZXhhbXBsZS5jb20sIE89RXhhbXBsZSBDQSwgQz1J
+VDETMBEGA1UECgwKRXhhbXBsZSBDQTELMAkGA1UEBhMCSVQwHhcNMjUwNTI3MDkx
+MzMzWhcNMjYwNTI4MDkxMzMzWjBSMS4wLAYDVQQDDCVDTj1jYS5leGFtcGxlLmNv
+bSwgTz1FeGFtcGxlIENBLCBDPUlUMRMwEQYDVQQKDApFeGFtcGxlIENBMQswCQYD
+VQQGEwJJVDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABBDR5X4r9VUDnU5X2rIf
+xDo7DFNodgP2AD4jzqrETwsmpLG1V9s1bu+zyFrnGVvKmoqR0kOeZ1/vyN5vhMcx
+NXujgfIwge8wEgYDVR0TAQH/BAgwBgEB/wIBAjAZBgNVHREEEjAQgg5jYS5leGFt
+cGxlLmNvbTAOBgNVHQ8BAf8EBAMCAaYwPgYDVR0fBDcwNTAzoDGgL4YtaHR0cHM6
+Ly9jYS5leGFtcGxlLmNvbS9jcmwvY2EuZXhhbXBsZS5jb20uY3JsMG4GA1UdHgEB
+/wRkMGKhYDALgglsb2NhbGhvc3QwF4IVbG9jYWxob3N0LmxvY2FsZG9tYWluMAuC
+CTEyNy4wLjAuMTANggtleGFtcGxlLmNvbTANggtleGFtcGxlLm9yZzANggtleGFt
+cGxlLm5ldDAKBggqhkjOPQQDAgNJADBGAiEAuWwsb5oYuATWOdNQ3eamzpvw2GRI
+e0szLv7ZPROBTNQCIQCrEJ3xD2TY3HZT0eMysWW3l4PXaQ9a2psepKmjiJhrXw==
+-----END CERTIFICATE-----