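--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_certificate_usages/generate.pl
@@ -0,0 +1,108 @@
+#!/usr/bin/perl
+# Usage:
+# PATH=$NSS_PREFIX/bin:$NSS_PREFIX/lib:$PATH ./generate.pl
+
+use Cwd;
+use File::Temp qw/ tempfile tempdir /;
+
+use strict;
+
+my $srcdir=getcwd();
+my $db = tempdir( CLEANUP => 1 );
+my $noisefile=$db."/noise";
+my $passwordfile=$db."/passwordfile";
+my $ca_responses=$srcdir."/ca_responses";
+my $ee_responses=$srcdir."/ee_responses";
+
+#my $db=$tmpdir;
+
+my @base_usages=("",
+                 "certSigning,crlSigning",
+                 "digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement,certSigning,crlSigning",
+                 "digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement,crlSigning");
+
+my @ee_usages=("",
+               "digitalSignature,keyEncipherment,dataEncipherment",
+               "digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement",
+               "certSigning");
+my @eku_usages=("serverAuth,clientAuth,codeSigning,emailProtection,timeStamp,ocspResponder,stepUp,msTrustListSign",
+                "serverAuth,clientAuth",
+                "codeSigning,emailProtection",
+                "timeStamp,ocspResponder,stepUp,msTrustListSign"
+                );
+
+sub dsystem{
+  my @args = @_;
+  system(@args) == 0
+    or die "system @args failed: $?";
+}
+
+sub generate_certs(){
+  for (my $i = 1; $i < scalar(@base_usages) + 1; $i++) {
+    my $ca_name = "ca-$i";
+    my $ca_key_usage = $base_usages[$i - 1];
+    if (length($ca_key_usage) > 1) {
+      $ca_key_usage = " --keyUsage $ca_key_usage,critical";
+    }
+    my $ca_email = "$ca_name\@example.com";
+    my $ca_subject = "CN=$ca_name, E=$ca_email";
+    print "key_usage=$ca_key_usage\n";
+    dsystem("certutil -S -s '$ca_name' -s '$ca_subject' -t 'C,,' -x -m $i -v 120 -n '$ca_name' $ca_key_usage -Z SHA256 -2 -d $db -f $passwordfile -z $noisefile < $ca_responses");
+
+    #and now export
+    dsystem("certutil -d $db -f $passwordfile -L -n $ca_name -r -o $srcdir/$ca_name.der");
+
+    for (my $j = 1; $j < scalar(@ee_usages) + 1; $j++) {
+      ##do ee certs
+      my $ee_name = "ee-$j-ca-$i";
+      my $ee_key_usage = $ee_usages[$j - 1];
+      if (length($ee_key_usage) > 1) {
+        $ee_key_usage=" --keyUsage $ee_key_usage,critical";
+      }
+      my $serial = (scalar(@base_usages) + 1) * $j + $i;
+      dsystem("certutil -S -n '$ee_name' -s 'CN=$ee_name' -c '$ca_name' $ee_key_usage -t 'P,,' -k rsa -g 1024 -Z SHA256 -m $serial -v 120 -d $db -f $passwordfile -z $noisefile < $ee_responses");
+      #and export
+      dsystem("certutil -d $db -f $passwordfile -L -n $ee_name -r -o $srcdir/$ee_name.der");
+    }
+    for (my $j = 1; $j < scalar(@eku_usages) + 1; $j++){
+      my $ee_name = "ee-" . ($j + scalar(@ee_usages)) . "-ca-$i";
+      my $eku_key_usage = $eku_usages[$j - 1];
+      $eku_key_usage = " --extKeyUsage $eku_key_usage,critical";
+      my $serial = 10000 + (scalar(@base_usages) + 1) * $j + $i;
+      dsystem("certutil -S -n '$ee_name' -s 'CN=$ee_name' -c '$ca_name' $eku_key_usage -t 'P,,' -k rsa -g 1024 -Z SHA256 -m $serial -v 120 -d $db -f $passwordfile -z $noisefile < $ee_responses");
+      #and export
+      dsystem("certutil -d $db -f $passwordfile -L -n $ee_name -r -o $srcdir/$ee_name.der");
+
+    }
+  }
+}
+
+
+sub main(){
+
+  ##setup
+  dsystem("echo password1 > $passwordfile");
+  dsystem("head --bytes 32 /dev/urandom > $noisefile");
+
+  ##why no include this in the source dir?
+# XXX: certutil cannot generate basic constraints without interactive prompts,
+# so we need to build response files to answer its questions
+# XXX: certutil cannot generate AKI/SKI without interactive prompts so we just
+# skip them.
+  dsystem("echo y > $ca_responses"); # Is this a CA?
+  dsystem("echo >> $ca_responses");# Accept default path length constraint (no constraint)
+  dsystem("echo y >> $ca_responses"); # Is this a critical constraint?
+  dsystem("echo n > $ee_responses"); # Is this a CA?
+  dsystem("echo >> $ee_responses"); # Accept default path length constraint (no constraint)
+  dsystem("echo y >> $ee_responses"); # Is this a critical constraint?
+
+  dsystem("certutil -d $db -N -f $passwordfile");
+
+  generate_certs();
+
+  print "Done\n";
+
+}
+
+
+main();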
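Review bot: Every command in generate_certs() and main() is handed to dsystem() as one string, so system() runs it through /bin/sh, and `$srcdir` (from getcwd()) and `$db` are interpolated unquoted into it — e.g. `-o $srcdir/$ca_name.der` on the export lines and the `< $ca_responses` / `> $passwordfile` redirections — so a checkout path containing whitespace or shell metacharacters either breaks the run or is reinterpreted by the shell. Because the redirections make a pure list-form system() awkward, at least quote the interpolated paths, e.g. `-d '$db' -f '$passwordfile' -z '$noisefile' -o '$srcdir/$ca_name.der'`, or write the response and password files with Perl's open/print instead of `echo` so the remaining certutil arguments can be passed as a list. In the CA invocation `-s '$ca_name'` is followed by `-s '$ca_subject'`, so the first `-s` is presumably overridden and can be dropped, and the `length($ca_key_usage) > 1` / `length($ee_key_usage) > 1` tests really mean "non-empty" and read more clearly as `if ($ca_key_usage ne '')`. The file also has `use strict` without `use warnings`, and the empty prototypes on `sub generate_certs()` and `sub main()` do nothing useful and should be removed.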