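--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ev_certs/generate.py
@@ -0,0 +1,154 @@
+#!/usr/bin/python
+
+import tempfile, os, sys
+import random
+import pexpect
+import subprocess
+import shutil
+
+libpath = os.path.abspath('../psm_common_py')
+
+sys.path.append(libpath)
+
+import CertUtils
+
+srcdir = os.getcwd()
+db = tempfile.mkdtemp()
+
+CA_extensions = ("basicConstraints = critical, CA:TRUE\n"
+                 "keyUsage = keyCertSign, cRLSign\n")
+
+aia_prefix = "authorityInfoAccess = OCSP;URI:http://www.example.com:8888/"
+aia_suffix ="/\n"
+intermediate_crl = ("crlDistributionPoints = " +
+                    "URI:http://crl.example.com:8888/root-ev.crl\n")
+endentity_crl = ("crlDistributionPoints = " +
+                 "URI:http://crl.example.com:8888/ee-crl.crl\n")
+
+mozilla_testing_ev_policy = ("certificatePolicies = @v3_ca_ev_cp\n\n" +
+                             "[ v3_ca_ev_cp ]\n" +
+                             "policyIdentifier = " +
+                             "1.3.6.1.4.1.13769.666.666.666.1.500.9.1\n\n" +
+                             "CPS.1 = \"http://mytestdomain.local/cps\"")
+
+anypolicy_policy = ("certificatePolicies = @v3_ca_ev_cp\n\n" +
+                    "[ v3_ca_ev_cp ]\n" +
+                    "policyIdentifier = " +
+                    "2.5.29.32.0\n\n" +
+                    "CPS.1 = \"http://mytestdomain.local/cps\"")
+
+
+def import_untrusted_cert(certfile, nickname):
+    os.system("certutil -A -d . -n " + nickname + " -i " + certfile +
+              " -t ',,'")
+
+def import_cert_and_pkcs12(certfile, pkcs12file, nickname, trustflags):
+    os.system(" certutil -A -d . -n " + nickname + " -i " + certfile + " -t '" +
+              trustflags + "'")
+    child = pexpect.spawn("pk12util -i " + pkcs12file + " -d .")
+    child.expect('Enter password for PKCS12 file:')
+    child.sendline('')
+    child.expect(pexpect.EOF)
+
+def init_nss_db():
+    nss_db_files = [ "cert8.db", "key3.db", "secmod.db" ]
+    for file in nss_db_files:
+        if os.path.isfile(file):
+            os.remove(file)
+    #now create DB
+    child = pexpect.spawn("certutil -N -d .")
+    child.expect("Enter new password:")
+    child.sendline('')
+    child.expect('Re-enter password:')
+    child.sendline('')
+    child.expect(pexpect.EOF)
+    import_cert_and_pkcs12("evroot.der", "evroot.p12", "evroot", "C,C,C")
+
+
+def generate_certs():
+    init_nss_db()
+    ca_cert = 'evroot.der'
+    ca_key = 'evroot.key'
+    prefix = "ev-valid"
+    key_type = 'rsa'
+    ee_ext_text = (aia_prefix + prefix + aia_suffix +
+                   endentity_crl + mozilla_testing_ev_policy)
+    int_ext_text = (CA_extensions + aia_prefix + "int-" + prefix + aia_suffix +
+                    intermediate_crl + mozilla_testing_ev_policy)
+    [int_key, int_cert, ee_key, ee_cert] = CertUtils.generate_int_and_ee(db,
+                                                                         srcdir,
+                                                                         ca_key,
+                                                                         ca_cert,
+                                                                         prefix,
+                                                                         int_ext_text,
+                                                                         ee_ext_text,
+                                                                         key_type)
+    pk12file = CertUtils.generate_pkcs12(db, srcdir, int_cert, int_key,
+                                         "int-" + prefix)
+    import_cert_and_pkcs12(int_cert, pk12file, "int-" + prefix, ",,")
+    import_untrusted_cert(ee_cert, prefix)
+
+    # now we generate an end entity cert with an AIA with no OCSP URL
+    no_ocsp_url_ext_aia = ("authorityInfoAccess =" +
+                           "caIssuers;URI:http://www.example.com/ca.html\n");
+    [no_ocsp_key, no_ocsp_cert] = CertUtils.generate_cert_generic(db,
+                                                                  srcdir,
+                                                                  random.randint(100, 40000000),
+                                                                  key_type,
+                                                                  'no-ocsp-url-cert',
+                                                                  no_ocsp_url_ext_aia + endentity_crl +
+                                                                  mozilla_testing_ev_policy,
+                                                                  int_key, int_cert);
+    import_untrusted_cert(no_ocsp_cert, 'no-ocsp-url-cert');
+
+    # add an ev cert whose intermediate has a anypolicy oid
+    prefix = "ev-valid-anypolicy-int"
+    ee_ext_text = (aia_prefix + prefix + aia_suffix +
+                   endentity_crl + mozilla_testing_ev_policy)
+    int_ext_text = (CA_extensions + aia_prefix + "int-" + prefix + aia_suffix +
+                    intermediate_crl + anypolicy_policy)
+
+    [int_key, int_cert, ee_key, ee_cert] = CertUtils.generate_int_and_ee(db,
+                                                                         srcdir,
+                                                                         ca_key,
+                                                                         ca_cert,
+                                                                         prefix,
+                                                                         int_ext_text,
+                                                                         ee_ext_text,
+                                                                         key_type)
+    pk12file = CertUtils.generate_pkcs12(db, srcdir, int_cert, int_key,
+                                         "int-" + prefix)
+    import_cert_and_pkcs12(int_cert, pk12file, "int-" + prefix, ",,")
+    import_untrusted_cert(ee_cert, prefix)
+
+
+    [bad_ca_key, bad_ca_cert] = CertUtils.generate_cert_generic( db,
+                                                                srcdir,
+                                                                1,
+                                                                'rsa',
+                                                                'non-evroot-ca',
+                                                                CA_extensions)
+    pk12file = CertUtils.generate_pkcs12(db, srcdir, bad_ca_cert, bad_ca_key,
+                                         "non-evroot-ca")
+    import_cert_and_pkcs12(bad_ca_cert, pk12file, "non-evroot-ca", "C,C,C")
+    prefix = "non-ev-root"
+    ee_ext_text = (aia_prefix + prefix + aia_suffix +
+                   endentity_crl + mozilla_testing_ev_policy)
+    int_ext_text = (CA_extensions + aia_prefix + "int-" + prefix + aia_suffix +
+                    intermediate_crl + mozilla_testing_ev_policy)
+    [int_key, int_cert, ee_key, ee_cert] = CertUtils.generate_int_and_ee(db,
+                                                                         srcdir,
+                                                                         bad_ca_key,
+                                                                         bad_ca_cert,
+                                                                         prefix,
+                                                                         int_ext_text,
+                                                                         ee_ext_text,
+                                                                         key_type)
+    pk12file = CertUtils.generate_pkcs12(db, srcdir, int_cert, int_key,
+                                         "int-" + prefix)
+    import_cert_and_pkcs12(int_cert, pk12file, "int-" + prefix, ",,")
+    import_untrusted_cert(ee_cert, prefix)
+
+
+
+generate_certs()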
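Review bot: `import_untrusted_cert` and `import_cert_and_pkcs12` hand a string-concatenated command to `os.system` and discard its exit status, so a failing `certutil -A` (wrong path, missing DB, bad trust flags) is silently skipped and the script proceeds to build test fixtures on an incomplete NSS DB, while any `nickname`/`certfile`/`trustflags` containing shell metacharacters is interpreted by the shell instead of being passed through. `subprocess` is already imported but never used; `subprocess.check_call` with an argv list removes the shell entirely and raises on a non-zero exit, which is what a fixture generator wants. The same shell-string pattern appears in the `pexpect.spawn("pk12util -i " + pkcs12file + " -d .")` and `pexpect.spawn("certutil -N -d .")` calls, where `pexpect.spawn(cmd, [args])` would take a list as well. Separately, the `tempfile.mkdtemp()` directory bound to `db` at the top of the file is never removed although `shutil` is imported; a `shutil.rmtree(db)` after `generate_certs()` (or a `try`/`finally` around it) would avoid leaving key material in the temp directory.
```python
def import_untrusted_cert(certfile, nickname):
    subprocess.check_call(["certutil", "-A", "-d", ".", "-n", nickname,
                           "-i", certfile, "-t", ",,"])

def import_cert_and_pkcs12(certfile, pkcs12file, nickname, trustflags):
    subprocess.check_call(["certutil", "-A", "-d", ".", "-n", nickname,
                           "-i", certfile, "-t", trustflags])
    # … unchanged: pk12util pexpect interaction …
```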