security/manager/ssl/tests/unit/test_certificate_usages/generate.pl

Thu, 22 Jan 2015 13:21:57 +0100

author
Michael Schloh von Bennewitz <michael@schloh.com>
date
Thu, 22 Jan 2015 13:21:57 +0100
branch
TOR_BUG_9701
changeset 15
b8a032363ba2
permissions
-rwxr-xr-x

Incorporate requested changes from Mozilla in review:
https://bugzilla.mozilla.org/show_bug.cgi?id=1123480#c6

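#!/usr/bin/perl
# Generates the certificate fixtures for test_certificate_usages: one CA per
# entry of @base_usages and, for each CA, one end-entity certificate per
# entry of @ee_usages and of @eku_usages.  The .der files are written to the
# current working directory; the NSS database itself is a temporary
# directory that is removed at exit.
#
# Usage:
# PATH=$NSS_PREFIX/bin:$NSS_PREFIX/lib:$PATH ./generate.pl

use strict;
use warnings;

use Cwd;
use File::Temp qw/ tempfile tempdir /;

# Where the .der files and the certutil response files end up.
my $srcdir = getcwd();
# Scratch NSS database; CLEANUP removes it when the script exits.
my $db = tempdir( CLEANUP => 1 );
my $noisefile    = $db . "/noise";
my $passwordfile = $db . "/passwordfile";
my $ca_responses = $srcdir . "/ca_responses";
my $ee_responses = $srcdir . "/ee_responses";

# keyUsage sets for the CA certificates.  The empty string means "emit no
# keyUsage extension"; every other entry is handed to certutil --keyUsage.
my @base_usages = (
    "",
    "certSigning,crlSigning",
    "digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement,certSigning,crlSigning",
    "digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement,crlSigning",
);

# keyUsage sets for the first batch of end-entity certificates, same
# convention as @base_usages.
my @ee_usages = (
    "",
    "digitalSignature,keyEncipherment,dataEncipherment",
    "digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement",
    "certSigning",
);

# extKeyUsage sets for the second batch of end-entity certificates, handed
# to certutil --extKeyUsage.
my @eku_usages = (
    "serverAuth,clientAuth,codeSigning,emailProtection,timeStamp,ocspResponder,stepUp,msTrustListSign",
    "serverAuth,clientAuth",
    "codeSigning,emailProtection",
    "timeStamp,ocspResponder,stepUp,msTrustListSign",
);
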
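# Run a command through system() and die with a decoded status when it
# fails.  A single string argument is interpreted by the shell -- the
# callers in this file pass one string and some of them rely on that for
# the `<` redirection -- whereas a list bypasses the shell entirely.
# Returns true on success.
sub dsystem {
    my @args = @_;
    my $rc = system(@args);
    return 1 if $rc == 0;
    # Decode $? as perlfunc describes it so the message says what actually
    # happened rather than printing the raw 16-bit wait status.
    my $reason;
    if ($rc == -1) {
        $reason = "failed to execute: $!";
    }
    elsif ($? & 127) {
        $reason = sprintf "died with signal %d", $? & 127;
    }
    else {
        $reason = sprintf "exit status %d", $? >> 8;
    }
    die "system @args failed: $reason";
}
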
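# Export the named certificate from $db as DER into $srcdir/<name>.der.
sub _export_cert {
    my ($name) = @_;
    dsystem("certutil -d $db -f $passwordfile -L -n $name -r -o $srcdir/$name.der");
    return;
}

# Turn a keyUsage list into the certutil option fragment.  Strings of at
# most one character (in practice only the empty string) are returned
# untouched, so that certificate gets no keyUsage extension.  The leading
# space is deliberate: the fragment is interpolated straight into the
# command line.
sub _key_usage_option {
    my ($usage) = @_;
    return $usage unless length($usage) > 1;
    return " --keyUsage $usage,critical";
}

# Generate every CA and end-entity certificate into $db and export each one
# as DER.  Uses the file-level $db, $passwordfile, $noisefile, $srcdir,
# $ca_responses, $ee_responses and the three usage arrays.
sub generate_certs {
    for my $i (1 .. scalar(@base_usages)) {
        my $ca_name      = "ca-$i";
        my $ca_key_usage = _key_usage_option($base_usages[$i - 1]);
        my $ca_email     = "$ca_name\@example.com";
        my $ca_subject   = "CN=$ca_name, E=$ca_email";
        print "key_usage=$ca_key_usage\n";
        # Self-signed (-x) CA with serial $i.  -2 adds the basic constraints
        # extension, for which certutil prompts on stdin; $ca_responses
        # supplies those answers.
        # NOTE(review): -s is given twice; the second, full subject is the one
        # that appears to take effect -- confirm before relying on it.
        dsystem("certutil -S -s '$ca_name' -s '$ca_subject' -t 'C,,' -x -m $i -v 120 -n '$ca_name' $ca_key_usage -Z SHA256 -2 -d $db -f $passwordfile -z $noisefile < $ca_responses");
        _export_cert($ca_name);

        # First batch of end-entity certs issued by this CA: one per keyUsage
        # set.  1024-bit RSA keeps fixture generation quick; these are
        # test-only certificates.
        for my $j (1 .. scalar(@ee_usages)) {
            my $ee_name      = "ee-$j-ca-$i";
            my $ee_key_usage = _key_usage_option($ee_usages[$j - 1]);
            # Keeps the serial unique across every (CA, EE) pair.
            my $serial = (scalar(@base_usages) + 1) * $j + $i;
            dsystem("certutil -S -n '$ee_name' -s 'CN=$ee_name' -c '$ca_name' $ee_key_usage -t 'P,,' -k rsa -g 1024 -Z SHA256 -m $serial -v 120 -d $db -f $passwordfile -z $noisefile < $ee_responses");
            _export_cert($ee_name);
        }

        # Second batch, numbered after the first one, varying the
        # extKeyUsage instead.  Serials are offset by 10000 to stay clear of
        # the batch above.
        for my $j (1 .. scalar(@eku_usages)) {
            my $ee_name       = "ee-" . ($j + scalar(@ee_usages)) . "-ca-$i";
            my $eku_key_usage = " --extKeyUsage $eku_usages[$j - 1],critical";
            my $serial        = 10000 + (scalar(@base_usages) + 1) * $j + $i;
            dsystem("certutil -S -n '$ee_name' -s 'CN=$ee_name' -c '$ca_name' $eku_key_usage -t 'P,,' -k rsa -g 1024 -Z SHA256 -m $serial -v 120 -d $db -f $passwordfile -z $noisefile < $ee_responses");
            _export_cert($ee_name);
        }
    }
    return;
}

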
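# Write $content to $path (raw bytes, replacing any existing file).
# Dies if the file cannot be opened, written or closed.
sub _write_file {
    my ($path, $content) = @_;
    open my $fh, '>:raw', $path or die "open $path: $!";
    print {$fh} $content or die "write $path: $!";
    close $fh or die "close $path: $!";
    return;
}

# Entry point: prepare the password, noise and response files, create the
# NSS database, then generate and export all certificates.
sub main {
    ## setup
    # certutil reads the database password from -f and key-generation
    # entropy from -z; both files live in the temporary $db directory.
    _write_file($passwordfile, "password1\n");
    open my $rnd, '<:raw', '/dev/urandom' or die "open /dev/urandom: $!";
    my $got = read $rnd, my $noise, 32;
    die "short read from /dev/urandom" unless defined $got && $got == 32;
    close $rnd or die "close /dev/urandom: $!";
    _write_file($noisefile, $noise);

    # XXX: why not check these response files into the source dir instead?
    # XXX: certutil cannot generate basic constraints without interactive prompts,
    # so we build response files to answer its questions.  Each file answers,
    # line by line: "Is this a CA?", the path length constraint (an empty line
    # accepts the default, i.e. no constraint), and "Is this a critical
    # constraint?".
    # XXX: certutil cannot generate AKI/SKI without interactive prompts so we just
    # skip them.
    _write_file($ca_responses, "y\n\ny\n");
    _write_file($ee_responses, "n\n\ny\n");

    # Create the empty database protected by the password above.
    dsystem("certutil -d $db -N -f $passwordfile");

    generate_certs();

    print "Done\n";
    return;
}


main();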
