security/manager/ssl/tests/unit/test_name_constraints/generate.py

Thu, 22 Jan 2015 13:21:57 +0100

author
Michael Schloh von Bennewitz <michael@schloh.com>
date
Thu, 22 Jan 2015 13:21:57 +0100
branch
TOR_BUG_9701
changeset 15
b8a032363ba2
permissions
-rwxr-xr-x

Incorporate requested changes from Mozilla in review:
https://bugzilla.mozilla.org/show_bug.cgi?id=1123480#c6

michael@0 1 #!/usr/bin/python
michael@0 2
michael@0 3 # This Source Code Form is subject to the terms of the Mozilla Public
michael@0 4 # License, v. 2.0. If a copy of the MPL was not distributed with this
michael@0 5 # file, You can obtain one at http://mozilla.org/MPL/2.0/.
michael@0 6
michael@0 7 import tempfile, os, sys
michael@0 8 import random
michael@0 9 import pexpect
michael@0 10 import subprocess
michael@0 11 import shutil
michael@0 12
# Make the shared PSM test helpers (CertUtils) importable. The path is
# resolved against the current working directory, so the script has to
# be run from a directory whose parent contains psm_common_py.
libpath = os.path.abspath('../psm_common_py')

sys.path.append(libpath)

import CertUtils
michael@0 18
# The directory the script runs in is handed to CertUtils as the
# destination directory; the mkdtemp() directory is the scratch/database
# directory. Nothing in this script removes the temporary directory.
srcdir = os.getcwd()
db = tempfile.mkdtemp()

# openssl x509v3 extension snippets. Callers concatenate these (each ends
# in a newline) into the extension text passed to
# CertUtils.generate_cert_generic.
CA_basic_constraints = 'basicConstraints = critical, CA:TRUE\n'
EE_basic_constraints = 'basicConstraints = CA:FALSE\n'
CA_full_ku = 'keyUsage = keyCertSign, cRLSign\n'
authority_key_ident = 'authorityKeyIdentifier = keyid, issuer\n'
subject_key_ident = 'subjectKeyIdentifier = hash\n'
michael@0 29
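def generate_family(db_dir, dst_dir, ca_key, ca_cert, base_name):
    """Issue the fixed set of end-entity certificates for one issuer.

    Every issuer in this file (each carrying different nameConstraints)
    gets the same family of leaves so the tests compare like with like:
    subjects under www.foo.com and www.foo.org, with and without
    O=bar/C=US, each with no SAN, a SAN for the other domain, a SAN for
    its own domain, and one leaf whose SANs also cover *.a.a.us and
    *.b.a.us.

    Args:
        db_dir: scratch/database directory, passed through as the first
            argument of CertUtils.generate_cert_generic.
        dst_dir: output directory, passed through as the second argument
            (callers in this file always pass srcdir).
        ca_key, ca_cert: issuer key and certificate as returned by
            CertUtils.generate_cert_generic.
        base_name: suffix appended to every leaf's file name so the
            family is tied to its issuer.

    Serial numbers 10..23 are assigned in table order. Every family
    reuses the same range, so serials are only distinct within one
    issuer.
    """
    key_type = 'rsa'
    ee_ext_base = EE_basic_constraints + authority_key_ident

    # Each SAN value is a complete openssl extension line and is appended
    # verbatim to ee_ext_base (which already ends with a newline).
    san_foo_com = 'subjectAltName =DNS:*.foo.com'
    san_foo_org = 'subjectAltName =DNS:*.foo.org'
    san_multi = 'subjectAltName =DNS:*.foo.com,DNS:*.a.a.us,DNS:*.b.a.us'

    # (file-name prefix, subjectAltName line or None, subject DN)
    leaves = [
        # CN only
        ('cn-www.foo.com-', None, '/CN=www.foo.com'),
        ('cn-www.foo.org-', None, '/CN=www.foo.org'),
        # CN with a SAN for the other domain
        ('cn-www.foo.com-alt-foo.org-', san_foo_org, '/CN=www.foo.com'),
        ('cn-www.foo.org-alt-foo.com-', san_foo_com, '/CN=www.foo.org'),
        # CN with a SAN for its own domain
        ('cn-www.foo.com-alt-foo.com-', san_foo_com, '/CN=www.foo.com'),
        ('cn-www.foo.org-alt-foo.org-', san_foo_org, '/CN=www.foo.org'),
        # CN with SANs for foo.com, a.a.us and b.a.us
        ('cn-www.foo.com-alt-foo.com-a.a.us-b.a.us-', san_multi,
         '/CN=www.foo.com'),
        # The same set again with O=bar, C=US in the subject
        ('cn-www.foo.com_o-bar_c-us-', None, '/C=US/O=bar/CN=www.foo.com'),
        ('cn-www.foo.org_o-bar_c-us-', None, '/C=US/O=bar/CN=www.foo.org'),
        ('cn-www.foo.com_o-bar_c-us-alt-foo.org-', san_foo_org,
         '/C=US/O=bar/CN=www.foo.com'),
        ('cn-www.foo.org_o-bar_c-us-alt-foo.com-', san_foo_com,
         '/C=US/O=bar/CN=www.foo.org'),
        ('cn-www.foo.com_o-bar_c-us-alt-foo.com-', san_foo_com,
         '/C=US/O=bar/CN=www.foo.com'),
        ('cn-www.foo.org_o-bar_c-us-alt-foo.org-', san_foo_org,
         '/C=US/O=bar/CN=www.foo.org'),
        ('cn-www.foo.com_o-bar_c-us-alt-foo.com-a.a.us-b.a.us-', san_multi,
         '/C=US/O=bar/CN=www.foo.com'),
    ]

    for serial, (prefix, san, subject) in enumerate(leaves, 10):
        ext_text = ee_ext_base if san is None else ee_ext_base + san
        # Use the directories the caller passed in; the previous version
        # ignored db_dir/dst_dir and read the module globals instead.
        CertUtils.generate_cert_generic(db_dir,
                                        dst_dir,
                                        serial,
                                        key_type,
                                        prefix + base_name,
                                        ext_text,
                                        ca_key,
                                        ca_cert,
                                        subject)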
michael@0 189
michael@0 190
michael@0 191
michael@0 192
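def self_sign_csr(db_dir, dst_dir, csr_name, key_file, serial_num, ext_text,
                  out_prefix):
    """Self-sign a CSR with openssl and write the certificate as DER.

    Args:
        db_dir: scratch directory; ext_text is written to
            db_dir/openssl-exts before openssl is invoked.
        dst_dir: directory the resulting <out_prefix>.der is written to.
        csr_name: path of the certificate signing request to sign.
        key_file: path of the private key used to sign the request.
        serial_num: serial number for the certificate (-set_serial).
        ext_text: openssl extension section to apply (-extfile).
        out_prefix: file-name stem of the output certificate.

    Raises:
        subprocess.CalledProcessError: if openssl exits non-zero.
    """
    extensions_filename = os.path.join(db_dir, "openssl-exts")
    with open(extensions_filename, 'w') as f:
        f.write(ext_text)
    cert_name = os.path.join(dst_dir, out_prefix + ".der")
    # Pass an argument list instead of a shell command string: paths with
    # spaces or shell metacharacters reach openssl intact, and a failing
    # run raises instead of being silently ignored as with os.system.
    subprocess.check_call(['openssl', 'x509', '-req', '-sha256',
                           '-days', '3650',
                           '-in', csr_name,
                           '-signkey', key_file,
                           '-set_serial', str(serial_num),
                           '-extfile', extensions_filename,
                           '-outform', 'DER',
                           '-out', cert_name])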
michael@0 205
michael@0 206
michael@0 207
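def generate_certs():
    """Generate the root, intermediate and end-entity certificates used by
    the name-constraints tests.

    Every certificate is produced by CertUtils.generate_cert_generic. As
    used throughout this file its positional arguments are (going by
    generate_family's parameter names) the database directory, the
    destination directory, the serial number, the key type, the
    certificate name and the extension text, followed for issued
    certificates by the issuer key, the issuer certificate and an
    optional subject DN. It returns the new [key, cert] pair, which is
    handed to generate_family so each intermediate gets the same
    standard set of leaves.
    """
    key_type = 'rsa'
    ca_ext = CA_basic_constraints + CA_full_ku + subject_key_ident

    # Unconstrained root.
    [ca_key, ca_cert] = CertUtils.generate_cert_generic(db,
                                                        srcdir,
                                                        1,
                                                        key_type,
                                                        'ca-nc',
                                                        ca_ext)

    # Intermediate constrained with a permitted DNS subtree (foo.com).
    name = 'int-nc-perm-foo.com-ca-nc'
    name_constraints = "nameConstraints = permitted;DNS:foo.com\n"
    [int_key, int_cert] = CertUtils.generate_cert_generic(db,
                                                          srcdir,
                                                          101,
                                                          key_type,
                                                          name,
                                                          ca_ext + authority_key_ident + name_constraints,
                                                          ca_key,
                                                          ca_cert)
    generate_family(db, srcdir, int_key, int_cert, name)

    # Intermediate constrained with an excluded DNS subtree (foo.com).
    name = 'int-nc-excl-foo.com-ca-nc'
    name_constraints = "nameConstraints = excluded;DNS:foo.com\n"
    [int_key, int_cert] = CertUtils.generate_cert_generic(db,
                                                          srcdir,
                                                          102,
                                                          key_type,
                                                          name,
                                                          ca_ext + name_constraints + authority_key_ident,
                                                          ca_key,
                                                          ca_cert)
    generate_family(db, srcdir, int_key, int_cert, name)

    # Intermediate constrained to the permitted directory name C=US.
    name = 'int-nc-c-us-ca-nc'
    name_constraints = "nameConstraints = permitted;dirName:dir_sect\n[dir_sect]\nC=US\n\n\n"
    [int_key, int_cert] = CertUtils.generate_cert_generic(db,
                                                          srcdir,
                                                          103,
                                                          key_type,
                                                          name,
                                                          ca_ext + authority_key_ident + name_constraints,
                                                          ca_key,
                                                          ca_cert)
    generate_family(db, srcdir, int_key, int_cert, name)

    # Sub-CA issued by the C=US intermediate above and itself constrained
    # to DNS:foo.com, so its leaves are subject to both constraints.
    name = 'int-nc-foo.com-int-nc-c-us-ca-nc'
    name_constraints = "nameConstraints = permitted;DNS:foo.com\n\n\n"
    [int_key, int_cert] = CertUtils.generate_cert_generic(db,
                                                          srcdir,
                                                          104,
                                                          key_type,
                                                          name,
                                                          ca_ext + name_constraints + authority_key_ident,
                                                          int_key,
                                                          int_cert,
                                                          '/C=US/CN='+ name)
    generate_family(db, srcdir, int_key, int_cert, name)

    # Single intermediate permitting both DNS:foo.com and dirName C=US.
    name = 'int-nc-perm-foo.com_c-us-ca-nc'
    name_constraints = "nameConstraints = permitted;DNS:foo.com,permitted;dirName:dir_sect\n[dir_sect]\nC=US\n\n\n"
    [int_key, int_cert] = CertUtils.generate_cert_generic(db,
                                                          srcdir,
                                                          105,
                                                          key_type,
                                                          name,
                                                          ca_ext + authority_key_ident + name_constraints,
                                                          ca_key,
                                                          ca_cert)
    generate_family(db, srcdir, int_key, int_cert, name)

    # Intermediate permitting only dirName C=UK: every leaf in its family
    # must fail.
    name = 'int-nc-perm-c-uk-ca-nc'
    name_constraints = "nameConstraints = permitted;dirName:dir_sect\n[dir_sect]\nC=UK\n\n\n"
    [int_key, int_cert] = CertUtils.generate_cert_generic(db,
                                                          srcdir,
                                                          106,
                                                          key_type,
                                                          name,
                                                          ca_ext + authority_key_ident + name_constraints,
                                                          ca_key,
                                                          ca_cert)
    generate_family(db, srcdir, int_key, int_cert, name)

    # Unconstrained sub-CA issued by the C=UK intermediate, with a C=US
    # subject that is itself outside the permitted name space: every leaf
    # in its family must fail. (Serial 107 is intentionally left unused.)
    name = 'int-c-us-int-nc-perm-c-uk-ca-nc'
    [int_key, int_cert] = CertUtils.generate_cert_generic(db,
                                                          srcdir,
                                                          108,
                                                          key_type,
                                                          name,
                                                          ca_ext + authority_key_ident,
                                                          int_key,
                                                          int_cert,
                                                          '/C=US/CN='+ name)
    generate_family(db, srcdir, int_key, int_cert, name)

    # Intermediate permitting two DNS subtrees, foo.com and a.us.
    name = 'int-nc-foo.com_a.us'
    name_constraints = "nameConstraints = permitted;DNS:foo.com,permitted;DNS:a.us\n"
    [int_key, int_cert] = CertUtils.generate_cert_generic(db,
                                                          srcdir,
                                                          109,
                                                          key_type,
                                                          name,
                                                          ca_ext + authority_key_ident + name_constraints,
                                                          ca_key,
                                                          ca_cert)
    generate_family(db, srcdir, int_key, int_cert, name)

    # Sub-CA constrained to foo.com, named as if issued by the foo.com/a.us
    # intermediate above.
    # NOTE(review): the issuer arguments passed here are the root's
    # ca_key/ca_cert, not int_key/int_cert from the serial-109 certificate,
    # so the chain the name describes is not the one produced. Confirm
    # which issuer the tests expect before changing this.
    name = 'int-nc-foo.com-int-nc-foo.com_a.us'
    name_constraints = "nameConstraints = permitted;DNS:foo.com\n"
    [int_key, int_cert] = CertUtils.generate_cert_generic(db,
                                                          srcdir,
                                                          110,
                                                          key_type,
                                                          name,
                                                          ca_ext + authority_key_ident + name_constraints,
                                                          ca_key,
                                                          ca_cert)
    generate_family(db, srcdir, int_key, int_cert, name)

    # A root that is itself name constrained (permitted DNS:foo.com).
    name_constraints = "nameConstraints = permitted;DNS:foo.com\n "
    [ca_key, ca_cert] = CertUtils.generate_cert_generic(db,
                                                        srcdir,
                                                        1,
                                                        key_type,
                                                        'ca-nc-perm-foo.com',
                                                        ca_ext + name_constraints)

    # ... and an unconstrained intermediate issued by it.
    name = 'int-ca-nc-perm-foo.com'
    name_constraints = "\n"
    [int_key, int_cert] = CertUtils.generate_cert_generic(db,
                                                          srcdir,
                                                          111,
                                                          key_type,
                                                          name,
                                                          ca_ext + name_constraints + authority_key_ident,
                                                          ca_key,
                                                          ca_cert)
    generate_family(db, srcdir, int_key, int_cert, name)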
michael@0 361
michael@0 362
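if __name__ == '__main__':
    # Only build the fixtures when run as a script, so importing this
    # module (for example to reuse its helpers) does not regenerate them.
    generate_certs()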
