security/manager/ssl/tests/unit/test_ev_certs/generate.py

Thu, 22 Jan 2015 13:21:57 +0100

author
Michael Schloh von Bennewitz <michael@schloh.com>
date
Thu, 22 Jan 2015 13:21:57 +0100
branch
TOR_BUG_9701
changeset 15
b8a032363ba2
permissions
-rwxr-xr-x

Incorporate requested changes from Mozilla in review:
https://bugzilla.mozilla.org/show_bug.cgi?id=1123480#c6

michael@0 1 #!/usr/bin/python
michael@0 2
michael@0 3 import tempfile, os, sys
michael@0 4 import random
michael@0 5 import pexpect
michael@0 6 import subprocess
michael@0 7 import shutil
michael@0 8
# Make the shared PSM test helpers importable.  The path is resolved relative
# to the current working directory, so this script has to be run from the
# test_ev_certs/ directory (srcdir below is likewise taken from the cwd).
libpath = os.path.abspath('../psm_common_py')

sys.path.append(libpath)

import CertUtils

srcdir = os.getcwd()
# Scratch directory handed to every CertUtils call.  Nothing in this script
# removes it afterwards (shutil is imported but never used), so it is left
# behind on disk after each run.
db = tempfile.mkdtemp()
michael@0 17
# OpenSSL x509v3 extension snippets.  They are concatenated into the
# extension text that CertUtils writes into the config of each generated cert.

# Marks a certificate as a CA that may sign certificates and CRLs.
CA_extensions = (
    "basicConstraints = critical, CA:TRUE\n"
    "keyUsage = keyCertSign, cRLSign\n"
)

# OCSP responder URL in the AIA extension; the certificate's name prefix is
# spliced in between the two halves.
aia_prefix = "authorityInfoAccess = OCSP;URI:http://www.example.com:8888/"
aia_suffix = "/\n"

_CRL_BASE = "crlDistributionPoints = URI:http://crl.example.com:8888/"
intermediate_crl = _CRL_BASE + "root-ev.crl\n"
endentity_crl = _CRL_BASE + "ee-crl.crl\n"


def _policy_section(oid):
    """Return a certificatePolicies extension naming *oid* plus the test CPS URL."""
    return (
        "certificatePolicies = @v3_ca_ev_cp\n\n"
        "[ v3_ca_ev_cp ]\n"
        "policyIdentifier = " + oid + "\n\n"
        "CPS.1 = \"http://mytestdomain.local/cps\""
    )


# Policy OID used as the EV policy throughout these test certificates.
mozilla_testing_ev_policy = _policy_section("1.3.6.1.4.1.13769.666.666.666.1.500.9.1")
# anyPolicy (2.5.29.32.0) instead of the EV OID; used on an intermediate.
anypolicy_policy = _policy_section("2.5.29.32.0")
michael@0 39
michael@0 40
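def import_untrusted_cert(certfile, nickname):
    """Import *certfile* into the NSS DB in the cwd under *nickname* with no trust.

    Args:
        certfile: path of the DER certificate to import.
        nickname: NSS nickname the certificate is stored under.

    Raises:
        subprocess.CalledProcessError: if certutil exits non-zero.
    """
    # An argument list instead of a shell-built string: certfile and nickname
    # reach certutil verbatim (no shell interpretation), and a failing
    # certutil raises instead of being silently ignored as os.system did.
    subprocess.check_call([
        "certutil", "-A", "-d", ".", "-n", nickname, "-i", certfile,
        "-t", ",,",
    ])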
michael@0 44
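def import_cert_and_pkcs12(certfile, pkcs12file, nickname, trustflags):
    """Import a certificate and its PKCS#12 bundle into the NSS DB in the cwd.

    Args:
        certfile: path of the DER certificate to import.
        pkcs12file: path of the PKCS#12 file holding the matching key; it is
            expected to have an empty password (the prompt is answered with
            an empty line).
        nickname: NSS nickname for the certificate.
        trustflags: certutil trust string, e.g. "C,C,C" or ",,".

    Raises:
        subprocess.CalledProcessError: if certutil exits non-zero.
    """
    # Argument lists rather than shell strings, so nickname/trustflags are
    # passed verbatim and a certutil failure is not silently dropped.
    subprocess.check_call([
        "certutil", "-A", "-d", ".", "-n", nickname, "-i", certfile,
        "-t", trustflags,
    ])
    # pk12util prompts interactively for the PKCS#12 password, hence pexpect.
    child = pexpect.spawn("pk12util", ["-i", pkcs12file, "-d", "."])
    child.expect('Enter password for PKCS12 file:')
    child.sendline('')
    child.expect(pexpect.EOF)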
michael@0 52
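def init_nss_db():
    """Create a fresh NSS DB in the cwd and import the EV root as trusted.

    Any existing cert8.db/key3.db/secmod.db in the cwd is deleted first so the
    DB starts empty.  The DB password is set to the empty string (test
    fixtures only), and evroot.der/evroot.p12 are then imported with trust
    flags "C,C,C".
    """
    # `db_file` rather than `file`, which shadows the builtin.
    for db_file in ("cert8.db", "key3.db", "secmod.db"):
        if os.path.isfile(db_file):
            os.remove(db_file)
    # certutil -N asks for the new password twice; answer both prompts with
    # an empty password.
    child = pexpect.spawn("certutil", ["-N", "-d", "."])
    child.expect("Enter new password:")
    child.sendline('')
    child.expect('Re-enter password:')
    child.sendline('')
    child.expect(pexpect.EOF)
    import_cert_and_pkcs12("evroot.der", "evroot.p12", "evroot", "C,C,C")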
michael@0 66
michael@0 67
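def _generate_chain(ca_key, ca_cert, prefix, int_policy, key_type):
    """Generate and import an intermediate + end-entity pair under *ca_key*/*ca_cert*.

    The intermediate is named "int-<prefix>" and carries *int_policy*; the
    end-entity is named <prefix> and always carries mozilla_testing_ev_policy.
    Both get OCSP AIA and CRL DP extensions.  The intermediate is imported
    together with its PKCS#12 bundle, the end-entity cert alone; neither
    gets any trust flags.

    Args:
        ca_key: key file of the issuing CA.
        ca_cert: certificate file of the issuing CA.
        prefix: name prefix for the generated certificates.
        int_policy: certificatePolicies text for the intermediate.
        key_type: key type passed through to CertUtils (e.g. 'rsa').

    Returns:
        (int_key, int_cert) so callers can issue further certs from the
        intermediate.
    """
    ee_ext_text = (aia_prefix + prefix + aia_suffix +
                   endentity_crl + mozilla_testing_ev_policy)
    int_ext_text = (CA_extensions + aia_prefix + "int-" + prefix + aia_suffix +
                    intermediate_crl + int_policy)
    int_key, int_cert, ee_key, ee_cert = CertUtils.generate_int_and_ee(
        db, srcdir, ca_key, ca_cert, prefix, int_ext_text, ee_ext_text,
        key_type)
    pk12file = CertUtils.generate_pkcs12(db, srcdir, int_cert, int_key,
                                         "int-" + prefix)
    import_cert_and_pkcs12(int_cert, pk12file, "int-" + prefix, ",,")
    import_untrusted_cert(ee_cert, prefix)
    return int_key, int_cert


def generate_certs():
    """Build the EV test certificate set and load it into a fresh NSS DB.

    Produces, in order: a valid EV chain ("ev-valid"), an end-entity under
    that intermediate whose AIA has no OCSP URL ("no-ocsp-url-cert"), an EV
    chain whose intermediate carries anyPolicy ("ev-valid-anypolicy-int"),
    and a chain rooted at a separate non-EV CA ("non-evroot-ca" /
    "non-ev-root").  Only the two roots are imported with trust flags.
    """
    init_nss_db()
    ca_cert = 'evroot.der'
    ca_key = 'evroot.key'
    key_type = 'rsa'

    # Valid EV chain: intermediate and end-entity both carry the EV policy.
    int_key, int_cert = _generate_chain(ca_key, ca_cert, "ev-valid",
                                        mozilla_testing_ev_policy, key_type)

    # End-entity under the ev-valid intermediate whose AIA only has a
    # caIssuers entry and therefore no OCSP URL.  The text is kept exactly as
    # CertUtils has always received it (no space after "=").
    no_ocsp_url_ext_aia = ("authorityInfoAccess =" +
                           "caIssuers;URI:http://www.example.com/ca.html\n")
    # Third positional argument is presumably the serial number; a random
    # value is fine for test fixtures.
    no_ocsp_key, no_ocsp_cert = CertUtils.generate_cert_generic(
        db, srcdir, random.randint(100, 40000000), key_type,
        'no-ocsp-url-cert',
        no_ocsp_url_ext_aia + endentity_crl + mozilla_testing_ev_policy,
        int_key, int_cert)
    import_untrusted_cert(no_ocsp_cert, 'no-ocsp-url-cert')

    # EV chain whose intermediate asserts anyPolicy instead of the EV OID.
    _generate_chain(ca_key, ca_cert, "ev-valid-anypolicy-int",
                    anypolicy_policy, key_type)

    # A separate CA (no issuer passed, so presumably self-signed) that is not
    # the EV root, imported as trusted, with an EV-looking chain beneath it.
    bad_ca_key, bad_ca_cert = CertUtils.generate_cert_generic(
        db, srcdir, 1, 'rsa', 'non-evroot-ca', CA_extensions)
    pk12file = CertUtils.generate_pkcs12(db, srcdir, bad_ca_cert, bad_ca_key,
                                         "non-evroot-ca")
    import_cert_and_pkcs12(bad_ca_cert, pk12file, "non-evroot-ca", "C,C,C")
    _generate_chain(bad_ca_key, bad_ca_cert, "non-ev-root",
                    mozilla_testing_ev_policy, key_type)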
michael@0 151
michael@0 152
michael@0 153
michael@0 154 generate_certs()
