Add info about ca cert used to verify chain. (grpc#32215)

* Add info about ca cert used to verify chain. The tsi_peer object will now contain the subject of the root/ca cert that was used to verify the peer's chain during a handshake. * temp investigation * Fix issues relating to overlapping CRL callback * formatting on ssl_transport_security.cc * Swap ca_cert naming * Use preverify_ok instead of numbers * Continue some renaming, addressing pr comments * Removed early return if peer property setting fails * Continue renaming * clang-tidy * Fix clang problem * clang fixes * Add null check in tests * More PR changes. Behavior change to include root cert extract when TSI_REQUEST_CLIENT_CERTIFICATE_AND_VERIFY * Add intermediate ca, leaf cert, and test with them * clang-tidy * Basic formatting * Add new keys to build for export * Add new cert files to test BUILD * build file style fix * changes for chain test * clang-format * build clean * Add $ to lines of code in README * Add directive about X509_STORE_CTX_get0_chain * formatting
umegaya · Feb 7, 2023 · 1d8fac3 · 1d8fac3
1 parent df25447
commit 1d8fac3
Show file tree

Hide file tree

Showing 13 changed files with 390 additions and 32 deletions.
diff --git a/src/core/tsi/ssl_transport_security.cc b/src/core/tsi/ssl_transport_security.cc
@@ -144,6 +144,7 @@ struct tsi_ssl_frame_protector {
 static gpr_once g_init_openssl_once = GPR_ONCE_INIT;
 static int g_ssl_ctx_ex_factory_index = -1;
 static const unsigned char kSslSessionIdContext[] = {'g', 'r', 'p', 'c'};
+static int g_ssl_ex_verified_root_cert_index = -1;
 #if !defined(OPENSSL_IS_BORINGSSL) && !defined(OPENSSL_NO_ENGINE)
 static const char kSslEnginePrefix[] = "engine:";
 #endif
@@ -193,6 +194,10 @@ static void init_openssl(void) {
   g_ssl_ctx_ex_factory_index =
       SSL_CTX_get_ex_new_index(0, nullptr, nullptr, nullptr, nullptr);
   GPR_ASSERT(g_ssl_ctx_ex_factory_index != -1);
+
+  g_ssl_ex_verified_root_cert_index =
+      SSL_get_ex_new_index(0, nullptr, nullptr, nullptr, nullptr);
+  GPR_ASSERT(g_ssl_ex_verified_root_cert_index != -1);
 }
 
 // --- Ssl utils. ---
@@ -306,7 +311,8 @@ static tsi_result peer_property_from_x509_common_name(
 
 // Gets the subject of an X509 cert as a tsi_peer_property.
 static tsi_result peer_property_from_x509_subject(X509* cert,
-                                                  tsi_peer_property* property) {
+                                                  tsi_peer_property* property,
+                                                  bool is_verified_root_cert) {
   X509_NAME* subject_name = X509_get_subject_name(cert);
   if (subject_name == nullptr) {
     gpr_log(GPR_INFO, "Could not get subject name from certificate.");
@@ -321,9 +327,16 @@ static tsi_result peer_property_from_x509_subject(X509* cert,
     BIO_free(bio);
     return TSI_INTERNAL_ERROR;
   }
-  tsi_result result = tsi_construct_string_peer_property(
-      TSI_X509_SUBJECT_PEER_PROPERTY, contents, static_cast<size_t>(len),
-      property);
+  tsi_result result;
+  if (!is_verified_root_cert) {
+    result = tsi_construct_string_peer_property(
+        TSI_X509_SUBJECT_PEER_PROPERTY, contents, static_cast<size_t>(len),
+        property);
+  } else {
+    result = tsi_construct_string_peer_property(
+        TSI_X509_VERIFIED_ROOT_CERT_SUBECT_PEER_PROPERTY, contents,
+        static_cast<size_t>(len), property);
+  }
   BIO_free(bio);
   return result;
 }
@@ -472,7 +485,8 @@ static tsi_result peer_from_x509(X509* cert, int include_certificate_type,
     }
 
     result = peer_property_from_x509_subject(
-        cert, &peer->properties[current_insert_index++]);
+        cert, &peer->properties[current_insert_index++],
+        /*is_verified_root_cert=*/false);
     if (result != TSI_OK) break;
 
     result = peer_property_from_x509_common_name(
@@ -845,6 +859,22 @@ static tsi_result build_alpn_protocol_name_list(
   return TSI_OK;
 }
 
+// This callback is invoked when the CRL has been verified and will soft-fail
+// errors in verification depending on certain error types.
+static int verify_cb(int ok, X509_STORE_CTX* ctx) {
+  int cert_error = X509_STORE_CTX_get_error(ctx);
+  if (cert_error == X509_V_ERR_UNABLE_TO_GET_CRL) {
+    gpr_log(
+        GPR_INFO,
+        "Certificate verification failed to get CRL files. Ignoring error.");
+    return 1;
+  }
+  if (cert_error != 0) {
+    gpr_log(GPR_ERROR, "Certificate verify failed with code %d", cert_error);
+  }
+  return ok;
+}
+
 // The verification callback is used for clients that don't really care about
 // the server's certificate, but we need to pull it anyway, in case a higher
 // layer wants to look at it. In this case the verification may fail, but
@@ -853,6 +883,64 @@ static int NullVerifyCallback(int /*preverify_ok*/, X509_STORE_CTX* /*ctx*/) {
   return 1;
 }
 
+static int RootCertExtractCallback(int preverify_ok, X509_STORE_CTX* ctx) {
+  if (ctx == nullptr) {
+    return preverify_ok;
+  }
+
+  // There's a case where this function is set in SSL_CTX_set_verify and a CRL
+  // related callback is set with X509_STORE_set_verify_cb. They overlap and
+  // this will take precedence, thus we need to ensure the CRL related callback
+  // is still called
+  X509_VERIFY_PARAM* param = X509_STORE_CTX_get0_param(ctx);
+  auto flags = X509_VERIFY_PARAM_get_flags(param);
+  if (flags & X509_V_FLAG_CRL_CHECK) {
+    preverify_ok = verify_cb(preverify_ok, ctx);
+  }
+
+  // If preverify_ok == 0, verification failed. We shouldn't expect to have a
+  // verified chain, so there is no need to attempt to extract the root cert
+  // from it
+  if (preverify_ok == 0) {
+    return preverify_ok;
+  }
+
+  // If we're here, verification was successful
+  // Get the verified chain from the X509_STORE_CTX and put it on the SSL object
+  // so that we have access to it when populating the tsi_peer
+#if OPENSSL_VERSION_NUMBER >= 0x10100000
+  STACK_OF(X509)* chain = X509_STORE_CTX_get0_chain(ctx);
+#else
+  STACK_OF(X509)* chain = X509_STORE_CTX_get_chain(ctx);
+#endif
+
+  if (chain == nullptr) {
+    return preverify_ok;
+  }
+
+  // The root cert is the last in the chain
+  size_t chain_length = sk_X509_num(chain);
+  if (chain_length == 0) {
+    return preverify_ok;
+  }
+  X509* root_cert = sk_X509_value(chain, chain_length - 1);
+  if (root_cert == nullptr) {
+    return preverify_ok;
+  }
+
+  SSL* ssl = static_cast<SSL*>(
+      X509_STORE_CTX_get_ex_data(ctx, SSL_get_ex_data_X509_STORE_CTX_idx()));
+  if (ssl == nullptr) {
+    return preverify_ok;
+  }
+  int success =
+      SSL_set_ex_data(ssl, g_ssl_ex_verified_root_cert_index, root_cert);
+  if (success == 0) {
+    gpr_log(GPR_INFO, "Could not set verified root cert in SSL's ex_data");
+  }
+  return preverify_ok;
+}
+
 // Sets the min and max TLS version of |ssl_context| to |min_tls_version| and
 // |max_tls_version|, respectively. Calling this method is a no-op when using
 // OpenSSL versions < 1.1.
@@ -1107,10 +1195,14 @@ static tsi_result ssl_handshaker_result_extract_peer(
   // peer's certificate; When called on the server side,
   // the peer's certificate is not present in the stack
   STACK_OF(X509)* peer_chain = SSL_get_peer_cert_chain(impl->ssl);
+
+  X509* verified_root_cert = static_cast<X509*>(
+      SSL_get_ex_data(impl->ssl, g_ssl_ex_verified_root_cert_index));
   // 1 is for session reused property.
   size_t new_property_count = peer->property_count + 3;
   if (alpn_selected != nullptr) new_property_count++;
   if (peer_chain != nullptr) new_property_count++;
+  if (verified_root_cert != nullptr) new_property_count++;
   tsi_peer_property* new_properties = static_cast<tsi_peer_property*>(
       gpr_zalloc(sizeof(*new_properties) * new_property_count));
   for (size_t i = 0; i < peer->property_count; i++) {
@@ -1146,6 +1238,18 @@ static tsi_result ssl_handshaker_result_extract_peer(
       &peer->properties[peer->property_count]);
   if (result != TSI_OK) return result;
   peer->property_count++;
+
+  if (verified_root_cert != nullptr) {
+    result = peer_property_from_x509_subject(
+        verified_root_cert, &peer->properties[peer->property_count], true);
+    if (result != TSI_OK) {
+      gpr_log(GPR_DEBUG,
+              "Problem extracting subject from verified_root_cert. result: %d",
+              static_cast<int>(result));
+    }
+    peer->property_count++;
+  }
+
   return result;
 }
 
@@ -1808,22 +1912,6 @@ static void ssl_keylogging_callback(const SSL* ssl, const char* info) {
   factory->key_logger->LogSessionKeys(ssl_context, info);
 }
 
-// This callback is invoked when the CRL has been verified and will soft-fail
-// errors in verification depending on certain error types.
-static int verify_cb(int ok, X509_STORE_CTX* ctx) {
-  int cert_error = X509_STORE_CTX_get_error(ctx);
-  if (cert_error == X509_V_ERR_UNABLE_TO_GET_CRL) {
-    gpr_log(
-        GPR_INFO,
-        "Certificate verification failed to get CRL files. Ignoring error.");
-    return 1;
-  }
-  if (cert_error != 0) {
-    gpr_log(GPR_ERROR, "Certificate verify failed with code %d", cert_error);
-  }
-  return ok;
-}
-
 // --- tsi_ssl_handshaker_factory constructors. ---
 
 static tsi_ssl_handshaker_factory_vtable client_handshaker_factory_vtable = {
@@ -1957,7 +2045,7 @@ tsi_result tsi_create_ssl_client_handshaker_factory_with_options(
   if (options->skip_server_certificate_verification) {
     SSL_CTX_set_verify(ssl_context, SSL_VERIFY_PEER, NullVerifyCallback);
   } else {
-    SSL_CTX_set_verify(ssl_context, SSL_VERIFY_PEER, nullptr);
+    SSL_CTX_set_verify(ssl_context, SSL_VERIFY_PEER, RootCertExtractCallback);
   }
 
 #if OPENSSL_VERSION_NUMBER >= 0x10100000
@@ -2129,7 +2217,8 @@ tsi_result tsi_create_ssl_server_handshaker_factory_with_options(
                              NullVerifyCallback);
           break;
         case TSI_REQUEST_CLIENT_CERTIFICATE_AND_VERIFY:
-          SSL_CTX_set_verify(impl->ssl_contexts[i], SSL_VERIFY_PEER, nullptr);
+          SSL_CTX_set_verify(impl->ssl_contexts[i], SSL_VERIFY_PEER,
+                             RootCertExtractCallback);
           break;
         case TSI_REQUEST_AND_REQUIRE_CLIENT_CERTIFICATE_BUT_DONT_VERIFY:
           SSL_CTX_set_verify(impl->ssl_contexts[i],
@@ -2139,7 +2228,7 @@ tsi_result tsi_create_ssl_server_handshaker_factory_with_options(
         case TSI_REQUEST_AND_REQUIRE_CLIENT_CERTIFICATE_AND_VERIFY:
           SSL_CTX_set_verify(impl->ssl_contexts[i],
                              SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
-                             nullptr);
+                             RootCertExtractCallback);
           break;
       }
 

diff --git a/src/core/tsi/ssl_transport_security.h b/src/core/tsi/ssl_transport_security.h
@@ -47,6 +47,8 @@
 #define TSI_X509_URI_PEER_PROPERTY "x509_uri"
 #define TSI_X509_EMAIL_PEER_PROPERTY "x509_email"
 #define TSI_X509_IP_PEER_PROPERTY "x509_ip"
+#define TSI_X509_VERIFIED_ROOT_CERT_SUBECT_PEER_PROPERTY \
+  "x509_verified_root_cert_subject"
 
 // --- tsi_ssl_root_certs_store object ---
 

diff --git a/src/core/tsi/test_creds/BUILD b/src/core/tsi/test_creds/BUILD
@@ -28,4 +28,6 @@ exports_files([
     "badclient.pem",
     "multi-domain.key",
     "multi-domain.pem",
+    "leaf_signed_by_intermediate.key",
+    "leaf_and_intermediate_chain.pem",
 ])
diff --git a/src/core/tsi/test_creds/README b/src/core/tsi/test_creds/README
@@ -99,6 +99,28 @@ multi-domain-openssl.cnf
 $ openssl req -x509 -new -extensions v3_req -key multi-domain.key -out
 multi-domain.pem -days 3650 -config multi-domain-openssl.cnf
 
+
+Generate a chain with a leaf cert signed by an intermediate CA
+----------------------------------------------------------------------------
+
+The fully verified chain will be root_ca -> intermediate_ca -> leaf
+
+Generating the intermediate CA
+$ openssl genrsa -out temp.rsa 2048
+$ openssl pkcs8 -topk8 -in temp.rsa -out intermediate_ca.key -nocrypt
+$ rm temp.rsa
+$ openssl req -key intermediate_ca.key -new -out temp.csr -config intermediate.cnf
+$ openssl x509 -req -days 3650 -in temp.csr -CA ca.pem -CAkey ca.key -CAcreateserial -out intermediate_ca.pem -extfile intermediate.cnf -extensions 'v3_req'
+
+Generating the leaf and chain
+$ openssl genrsa -out temp.rsa 2048
+$ openssl pkcs8 -topk8 -in temp.rsa -out leaf_signed_by_intermediate.key -nocrypt
+$ openssl req -key leaf_signed_by_intermediate.key -new -out temp.csr -config leaf_signed_by_intermediate.cnf
+$ openssl x509 -req -days 3650 -in temp.csr -CA intermediate_ca.pem -CAkey intermediate_ca.key -CAcreateserial -out leaf_signed_by_intermediate.pem -extfile leaf_signed_by_intermediate.cnf -extensions 'v3_req'
+$ cat leaf_signed_by_intermediate.pem intermediate_ca.pem > leaf_and_intermediate_chain.pem
+
+
+
 Clean up:
 ---------
 $ rm *.rsa

diff --git a/src/core/tsi/test_creds/intermediate.cnf b/src/core/tsi/test_creds/intermediate.cnf
@@ -0,0 +1,12 @@
+[req]
+distinguished_name = req_distinguished_name
+req_extensions = v3_req
+prompt = no
+
+[req_distinguished_name]
+CN = intermediatecert.example.com
+
+[v3_req]
+keyUsage = critical, digitalSignature, keyEncipherment, keyCertSign
+extendedKeyUsage = clientAuth, serverAuth
+basicConstraints = critical, CA:true
diff --git a/src/core/tsi/test_creds/intermediate_ca.key b/src/core/tsi/test_creds/intermediate_ca.key
@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQDDJQn9645j1RuQ
+Y2TIj5OFlFrNs90CwUBpsQW/Skk9F6tRevONeRxKbBtDuzzAhFd2MxX2lvvwA/Z7
+ZsMbPQ8/zBaWjFocOB1iZCXTRohDWFG0Vp5EPyDXj1pUBC0C4eKxhoeNdu3SXPlW
+qGPdDbV3xqHDUml4NRhMKBsUoAXXUk2ri39nXPCljN+oqVsfJJq4ukk68fpugEGW
+CnXMzHynX5OKznwP6LAzh1e+xPI6qsgyNUl8pEqpkLKHhPRCYyp0NTTHcr6oZx2L
+N+AXRi3gC9KXlgJ59vBl9F/RRAkyVLwfPh/lqPFK9V58urgbCzlnRLaartDyGrdJ
+2zkRSrrRAgMBAAECggEAPzWEIwdlu9iPcRmAz6YR9razIuYbtIS8RH/eiLObPXqp
+N19H/I86JrEVs762UvWLDvJFLvaA7KGb+SS0FeKVSejleCZGGdXjTrd5uRGjmYzG
+Ck/0O87m6Gu6qnQf0EsyjqYwyhW3uuf6q6MnlbaXDRD93LKZDyLDmAd1nhynR7MD
+m1j17AqDPin1/p/mghvREbTQ8FKosUtGcjjU+DrzA7nWB0JxsEXNhkcErXDAMVHO
+KBC1QY8UpxUbraipSJSQbT8wyX5P24TmBpJImIGKLTiOqqpkae5se47hjldua/go
+6CPAg83gCsMVk4f6Z9EROQ62SspdQw/hCNkL8G4zMQKBgQD1tiRVM6sKZXbADKDt
+OfsV5W3xpW9vgm3onwtO0fBWr1vjscuTCGtl5jbo2XFH1WUEAwIxVhANPFv8BKSs
+ykXJm5biRKnzFLxcp47qndq59yT7eDQzctOXfE1dktYbbb9Rz5SblWc/RvOHUaNa
+61z3oYlzoMrJ6pm50VYUfM+d3wKBgQDLUNsQ3WQ+nVD43f/5U9c8A/78A6R9dtpx
+TpsdtJPx4zanS9xbRdG7zjM2pQITPYxkss6ZKRVYzL6Xs7BkNEUEl8p75Bd0lNDL
+dbixz4wgO0JyK2FvFAgco6qc+ikVbUonNVDxlAz5EBPH8RcZdlshSFAh6jSVpwOF
+fmFK3QFdTwKBgF2720ZpjIFNzaxb5PQ6ny9uM6/whX9LiXQpYB30drQK94n4JIn1
+t0rLNP1FHjLiFEQghbCefUcfVJPijZOhIlhTs46j1RV3Ppg2D44vI+a3gnMwGvHZ
+hyCN+dGNl4IlLswd3ToxF48LGRHxMdkYWoHZLN9gYpv+lCBP3H+6UVWPAoGALuNk
+wgzss2wAYoSAJfXp61NYmLIWW0Dvu7XPHBirDdvCnO5n0TzW06MIOI/xXJKTMB30
+e2n4HFSLl9y+zz0mtZpz/gJqTl6LkICDqa4duMkx17adb8qE3GX6UN14YBKmSUiI
+dE4ad833YeL92sdq2NAeetPScLjlnQG6WlOBnw0CgYBt9vem2OgBXXmIPLA0ToV6
+hlUCIl4yvH5xIr0W96ArH3DRfOzaLKqazmo3pMCvDJZ2HpG5Q9giJYy8yXdE47tt
+0hw5fuZoyUsCacyuZ0mcuFDxtstxIV0uwXRCm+TbR51eeskoSccLOc/lk5eH3hAW
+j7Qioq2Hjm1D8F2NDL/+bw==
+-----END PRIVATE KEY-----
diff --git a/src/core/tsi/test_creds/intermediate_ca.pem b/src/core/tsi/test_creds/intermediate_ca.pem
@@ -0,0 +1,23 @@
+-----BEGIN CERTIFICATE-----
+MIID6zCCAtOgAwIBAgIUTQupv13Bqn8iNMcv/42ZmkdaxG0wDQYJKoZIhvcNAQEL
+BQAwVjELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoM
+GEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDEPMA0GA1UEAwwGdGVzdGNhMB4XDTIz
+MDEzMTIwNTQ1OVoXDTMzMDEyODIwNTQ1OVowJzElMCMGA1UEAwwcaW50ZXJtZWRp
+YXRlY2VydC5leGFtcGxlLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC
+ggEBAMMlCf3rjmPVG5BjZMiPk4WUWs2z3QLBQGmxBb9KST0Xq1F68415HEpsG0O7
+PMCEV3YzFfaW+/AD9ntmwxs9Dz/MFpaMWhw4HWJkJdNGiENYUbRWnkQ/INePWlQE
+LQLh4rGGh4127dJc+VaoY90NtXfGocNSaXg1GEwoGxSgBddSTauLf2dc8KWM36ip
+Wx8kmri6STrx+m6AQZYKdczMfKdfk4rOfA/osDOHV77E8jqqyDI1SXykSqmQsoeE
+9EJjKnQ1NMdyvqhnHYs34BdGLeAL0peWAnn28GX0X9FECTJUvB8+H+Wo8Ur1Xny6
+uBsLOWdEtpqu0PIat0nbORFKutECAwEAAaOB3zCB3DAOBgNVHQ8BAf8EBAMCAqQw
+HQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMA8GA1UdEwEB/wQFMAMBAf8w
+HQYDVR0OBBYEFMjifzpR+IqD7GsHjgKiGgzrWWeHMHsGA1UdIwR0MHKhWqRYMFYx
+CzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRl
+cm5ldCBXaWRnaXRzIFB0eSBMdGQxDzANBgNVBAMMBnRlc3RjYYIUWrP0VvHcy+LP
+6UuYNtiL9gBhD5owDQYJKoZIhvcNAQELBQADggEBAJz9Z8So2WPgks158QsKZOK7
+VJKj020HqDoEmZ7aQMkTRBmTketZpRYeDP9FzFvhlYBhC9yiZnmYgPA/vmFa0nJa
+hTvKy1BFkWA2md6JUrxwzMWdWPzznXzHbwAnweWZF5vRaA1+HTtoxfGvTcTT3Kb5
+bOlGtS/IAJtiOcovhsAfdrAlK/Vcu0yTJ+z0n61I3rD75wnUuWypf5ZCyd+H901C
+0OOzGiu0y9+0Xlu2otArXHSYPUBQJDpeRd7/cFMsPziWR0j6FQMDzgaHxnbILDnU
+gnPyrya+R7nET2dyCtisEfQEiUV8M8nhLIkxXgCBhL3HFp6ApnA6wPnan/jeBhM=
+-----END CERTIFICATE-----
diff --git a/src/core/tsi/test_creds/leaf_and_intermediate_chain.pem b/src/core/tsi/test_creds/leaf_and_intermediate_chain.pem
@@ -0,0 +1,43 @@
+-----BEGIN CERTIFICATE-----
+MIIDUzCCAjugAwIBAgIUINnPPxoFKc/TgXkL/xlSsbGKyTEwDQYJKoZIhvcNAQEL
+BQAwJzElMCMGA1UEAwwcaW50ZXJtZWRpYXRlY2VydC5leGFtcGxlLmNvbTAeFw0y
+MzAyMDEyMjI4MTBaFw0zMzAxMjkyMjI4MTBaMB8xHTAbBgNVBAMMFCoudGVzdC5n
+b29nbGUuY29tLmF1MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAldlK
+ffAVAcKyk218C9Lie8YAPp1/jEOpeaJFLDa69w+ooHcmyxGLLTzEy2cnIkP9gw7k
+30wkk6AwK9mAL3Uqq/FxrtYrsAFAulL62IvlGF2AbFMwlQd6NFbwQSrGx2J9xokM
+/CMUOw07QlGCGxna34/pPUG1C0lnLlvUhYk2YoghZjhQq4OI8zJMnCDj4LYcRt9h
+VSljFJ2y4hDxwxndmS9R0A6X1o/D6/14RlroCfF/09aKA28OPVFktSm48xpFOuYB
++D9Qcr9v4jKBwkJjIwUH5rZKYhJyxyBYeHDHSOfzJpLKeHNheg4RwKwiXBOZ2Ziw
+Uu+8IzxH3b3pwCx11QIDAQABo38wfTAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYw
+FAYIKwYBBQUHAwIGCCsGAQUFBwMBMAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYEFBjU
+W5gtY1VGUssCoTl8UT/ompgsMB8GA1UdIwQYMBaAFMjifzpR+IqD7GsHjgKiGgzr
+WWeHMA0GCSqGSIb3DQEBCwUAA4IBAQCCkT3eWKeIZ2zd26ylkGZB/CBJbSIIl+4X
+W69U8UQLHDvzz+lDyIjOikKQSZ+dtgp2VVO6n6bpk4jm9tVFWDXXLk28jw6e3hXQ
+mBXat282GqPaJVwyx/HY5JsZ6WooHYAMRHX7hS1hyfG4x+4Qmx7SQogdvVMiRTx1
+JAeUyjAILGYS62rIuTB1LeD8D5RmIIXwoAx5iCrGl80yMhXBPxPwzufphX/MziMY
+jScAxUnyybUqV3WrvrR74+nJ1Rr+9eJ3n97T1HpCldJXolhAsrSuStrH1g0RzdVz
+Ing260GSZ/QL7rhc0r60H8kzrDhC0oxTbpvZIb4lMWPiaetPqX6b
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIID6zCCAtOgAwIBAgIUTQupv13Bqn8iNMcv/42ZmkdaxG0wDQYJKoZIhvcNAQEL
+BQAwVjELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoM
+GEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDEPMA0GA1UEAwwGdGVzdGNhMB4XDTIz
+MDEzMTIwNTQ1OVoXDTMzMDEyODIwNTQ1OVowJzElMCMGA1UEAwwcaW50ZXJtZWRp
+YXRlY2VydC5leGFtcGxlLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC
+ggEBAMMlCf3rjmPVG5BjZMiPk4WUWs2z3QLBQGmxBb9KST0Xq1F68415HEpsG0O7
+PMCEV3YzFfaW+/AD9ntmwxs9Dz/MFpaMWhw4HWJkJdNGiENYUbRWnkQ/INePWlQE
+LQLh4rGGh4127dJc+VaoY90NtXfGocNSaXg1GEwoGxSgBddSTauLf2dc8KWM36ip
+Wx8kmri6STrx+m6AQZYKdczMfKdfk4rOfA/osDOHV77E8jqqyDI1SXykSqmQsoeE
+9EJjKnQ1NMdyvqhnHYs34BdGLeAL0peWAnn28GX0X9FECTJUvB8+H+Wo8Ur1Xny6
+uBsLOWdEtpqu0PIat0nbORFKutECAwEAAaOB3zCB3DAOBgNVHQ8BAf8EBAMCAqQw
+HQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMA8GA1UdEwEB/wQFMAMBAf8w
+HQYDVR0OBBYEFMjifzpR+IqD7GsHjgKiGgzrWWeHMHsGA1UdIwR0MHKhWqRYMFYx
+CzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRl
+cm5ldCBXaWRnaXRzIFB0eSBMdGQxDzANBgNVBAMMBnRlc3RjYYIUWrP0VvHcy+LP
+6UuYNtiL9gBhD5owDQYJKoZIhvcNAQELBQADggEBAJz9Z8So2WPgks158QsKZOK7
+VJKj020HqDoEmZ7aQMkTRBmTketZpRYeDP9FzFvhlYBhC9yiZnmYgPA/vmFa0nJa
+hTvKy1BFkWA2md6JUrxwzMWdWPzznXzHbwAnweWZF5vRaA1+HTtoxfGvTcTT3Kb5
+bOlGtS/IAJtiOcovhsAfdrAlK/Vcu0yTJ+z0n61I3rD75wnUuWypf5ZCyd+H901C
+0OOzGiu0y9+0Xlu2otArXHSYPUBQJDpeRd7/cFMsPziWR0j6FQMDzgaHxnbILDnU
+gnPyrya+R7nET2dyCtisEfQEiUV8M8nhLIkxXgCBhL3HFp6ApnA6wPnan/jeBhM=
+-----END CERTIFICATE-----
diff --git a/src/core/tsi/test_creds/leaf_signed_by_intermediate.cnf b/src/core/tsi/test_creds/leaf_signed_by_intermediate.cnf
@@ -0,0 +1,12 @@
+[req]
+distinguished_name = req_distinguished_name
+req_extensions = v3_req
+prompt = no
+
+[req_distinguished_name]
+CN = *.test.google.com.au
+
+[v3_req]
+keyUsage = critical, digitalSignature, keyEncipherment
+extendedKeyUsage = clientAuth, serverAuth
+basicConstraints = critical, CA:false