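--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_name_constraints/generate.py
@@ -0,0 +1,363 @@
+#!/usr/bin/python
+
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+import tempfile, os, sys
+import random
+import pexpect
+import subprocess
+import shutil
+
+libpath = os.path.abspath('../psm_common_py')
+
+sys.path.append(libpath)
+
+import CertUtils
+
+srcdir = os.getcwd()
+db = tempfile.mkdtemp()
+
+CA_basic_constraints = "basicConstraints = critical, CA:TRUE\n"
+EE_basic_constraints = "basicConstraints = CA:FALSE\n"
+
+CA_full_ku = ("keyUsage = keyCertSign, cRLSign\n")
+
+authority_key_ident = "authorityKeyIdentifier = keyid, issuer\n"
+subject_key_ident = "subjectKeyIdentifier = hash\n"
+
+def generate_family(db_dir, dst_dir, ca_key, ca_cert, base_name):
+ key_type = 'rsa'
+ ee_ext_base = EE_basic_constraints + authority_key_ident;
+ #cn =foo.com
+ CertUtils.generate_cert_generic(db,
+ srcdir,
+ 10,
+ key_type,
+ 'cn-www.foo.com-'+ base_name,
+ ee_ext_base,
+ ca_key,
+ ca_cert,
+ '/CN=www.foo.com')
+ #cn = foo.org
+ CertUtils.generate_cert_generic(db,
+ srcdir,
+ 11,
+ key_type,
+ 'cn-www.foo.org-'+ base_name,
+ ee_ext_base,
+ ca_key,
+ ca_cert,
+ '/CN=www.foo.org')
+ #cn = foo.com, alt= foo.org
+ alt_name_ext = 'subjectAltName =DNS:*.foo.org'
+ CertUtils.generate_cert_generic(db,
+ srcdir,
+ 12,
+ key_type,
+ 'cn-www.foo.com-alt-foo.org-'+ base_name,
+ ee_ext_base + alt_name_ext,
+ ca_key,
+ ca_cert,
+ '/CN=www.foo.com')
+ #cn = foo.org, alt= foo.com
+ alt_name_ext = 'subjectAltName =DNS:*.foo.com'
+ CertUtils.generate_cert_generic(db,
+ srcdir,
+ 13,
+ key_type,
+ 'cn-www.foo.org-alt-foo.com-'+ base_name,
+ ee_ext_base + alt_name_ext,
+ ca_key,
+ ca_cert,
+ '/CN=www.foo.org')
+ #cn = foo.com, alt=foo.com
+ alt_name_ext = 'subjectAltName =DNS:*.foo.com'
+ CertUtils.generate_cert_generic(db,
+ srcdir,
+ 14,
+ key_type,
+ 'cn-www.foo.com-alt-foo.com-'+ base_name,
+ ee_ext_base + alt_name_ext,
+ ca_key,
+ ca_cert,
+ '/CN=www.foo.com')
+ #cn = foo.org, alt=foo.org
+ alt_name_ext = 'subjectAltName =DNS:*.foo.org'
+ CertUtils.generate_cert_generic(db,
+ srcdir,
+ 15,
+ key_type,
+ 'cn-www.foo.org-alt-foo.org-'+ base_name,
+ ee_ext_base + alt_name_ext,
+ ca_key,
+ ca_cert,
+ '/CN=www.foo.org')
+
+ #cn = foo.com, alt=foo.com,a.a.us,b.a.us
+ alt_name_ext = 'subjectAltName =DNS:*.foo.com,DNS:*.a.a.us,DNS:*.b.a.us'
+ CertUtils.generate_cert_generic(db,
+ srcdir,
+ 16,
+ key_type,
+ 'cn-www.foo.com-alt-foo.com-a.a.us-b.a.us-'+ base_name,
+ ee_ext_base + alt_name_ext,
+ ca_key,
+ ca_cert,
+ '/CN=www.foo.com')
+
+
+
+ #cn =foo.com O=bar C=US
+ CertUtils.generate_cert_generic(db,
+ srcdir,
+ 17,
+ key_type,
+ 'cn-www.foo.com_o-bar_c-us-'+ base_name,
+ ee_ext_base,
+ ca_key,
+ ca_cert,
+ '/C=US/O=bar/CN=www.foo.com')
+
+ #cn = foo.org O=bar C=US
+ CertUtils.generate_cert_generic(db,
+ srcdir,
+ 18,
+ key_type,
+ 'cn-www.foo.org_o-bar_c-us-'+ base_name,
+ ee_ext_base,
+ ca_key,
+ ca_cert,
+ '/C=US/O=bar/CN=www.foo.org')
+ #cn = foo.com, alt= foo.org
+ alt_name_ext = 'subjectAltName =DNS:*.foo.org'
+ CertUtils.generate_cert_generic(db,
+ srcdir,
+ 19,
+ key_type,
+ 'cn-www.foo.com_o-bar_c-us-alt-foo.org-'+ base_name,
+ ee_ext_base + alt_name_ext,
+ ca_key,
+ ca_cert,
+ '/C=US/O=bar/CN=www.foo.com')
+ #cn = foo.org, alt= foo.com
+ alt_name_ext = 'subjectAltName =DNS:*.foo.com'
+ CertUtils.generate_cert_generic(db,
+ srcdir,
+ 20,
+ key_type,
+ 'cn-www.foo.org_o-bar_c-us-alt-foo.com-'+ base_name,
+ ee_ext_base + alt_name_ext,
+ ca_key,
+ ca_cert,
+ '/C=US/O=bar/CN=www.foo.org')
+ #cn = foo.com, alt=foo.com
+ alt_name_ext = 'subjectAltName =DNS:*.foo.com'
+ CertUtils.generate_cert_generic(db,
+ srcdir,
+ 21,
+ key_type,
+ 'cn-www.foo.com_o-bar_c-us-alt-foo.com-'+ base_name,
+ ee_ext_base + alt_name_ext,
+ ca_key,
+ ca_cert,
+ '/C=US/O=bar/CN=www.foo.com')
+ #cn = foo.org, alt=foo.org
+ alt_name_ext = 'subjectAltName =DNS:*.foo.org'
+ CertUtils.generate_cert_generic(db,
+ srcdir,
+ 22,
+ key_type,
+ 'cn-www.foo.org_o-bar_c-us-alt-foo.org-'+ base_name,
+ ee_ext_base + alt_name_ext,
+ ca_key,
+ ca_cert,
+ '/C=US/O=bar/CN=www.foo.org')
+
+ #cn = foo.com, alt=foo.com,a.a.us.com,b.a.us
+ alt_name_ext = 'subjectAltName =DNS:*.foo.com,DNS:*.a.a.us,DNS:*.b.a.us'
+ CertUtils.generate_cert_generic(db,
+ srcdir,
+ 23,
+ key_type,
+ 'cn-www.foo.com_o-bar_c-us-alt-foo.com-a.a.us-b.a.us-'+ base_name,
+ ee_ext_base + alt_name_ext,
+ ca_key,
+ ca_cert,
+ '/C=US/O=bar/CN=www.foo.com')
+
+
+
+
+def self_sign_csr(db_dir, dst_dir, csr_name, key_file, serial_num, ext_text,
+ out_prefix):
+ extensions_filename = db_dir + "/openssl-exts"
+ f = open(extensions_filename, 'w')
+ f.write(ext_text)
+ f.close()
+ cert_name = dst_dir + "/" + out_prefix + ".der"
+ os.system ("openssl x509 -req -sha256 -days 3650 -in " + csr_name +
+ " -signkey " + key_file +
+ " -set_serial " + str(serial_num) +
+ " -extfile " + extensions_filename +
+ " -outform DER -out " + cert_name)
+
+
+
+def generate_certs():
+ key_type = 'rsa'
+ ca_ext = CA_basic_constraints + CA_full_ku + subject_key_ident;
+ ee_ext_text = (EE_basic_constraints + authority_key_ident)
+ [ca_key, ca_cert] = CertUtils.generate_cert_generic(db,
+ srcdir,
+ 1,
+ key_type,
+ 'ca-nc',
+ ca_ext)
+ #now the constrained via perm
+ name = 'int-nc-perm-foo.com-ca-nc'
+ name_constraints = "nameConstraints = permitted;DNS:foo.com\n"
+ [int_key, int_cert] = CertUtils.generate_cert_generic(db,
+ srcdir,
+ 101,
+ key_type,
+ name,
+ ca_ext + authority_key_ident + name_constraints,
+ ca_key,
+ ca_cert)
+ generate_family(db, srcdir, int_key, int_cert, name)
+
+ #now the constrained via excl
+ name = 'int-nc-excl-foo.com-ca-nc'
+ name_constraints = "nameConstraints = excluded;DNS:foo.com\n"
+ [int_key, int_cert] = CertUtils.generate_cert_generic(db,
+ srcdir,
+ 102,
+ key_type,
+ name,
+ ca_ext + name_constraints + authority_key_ident,
+ ca_key,
+ ca_cert)
+ generate_family(db, srcdir, int_key, int_cert, name)
+
+ #now constrained to permitted: O=bar C=US
+ name = 'int-nc-c-us-ca-nc'
+ name_constraints = "nameConstraints = permitted;dirName:dir_sect\n[dir_sect]\nC=US\n\n\n"
+ [int_key, int_cert] = CertUtils.generate_cert_generic(db,
+ srcdir,
+ 103,
+ key_type,
+ name,
+ ca_ext + authority_key_ident + name_constraints,
+ ca_key,
+ ca_cert)
+ generate_family(db, srcdir, int_key, int_cert, name)
+
+ #now make a subCA that is also constrainted to foo.com (combine constraints)
+ name = 'int-nc-foo.com-int-nc-c-us-ca-nc'
+ name_constraints = "nameConstraints = permitted;DNS:foo.com\n\n\n"
+ [int_key, int_cert] = CertUtils.generate_cert_generic(db,
+ srcdir,
+ 104,
+ key_type,
+ name,
+ ca_ext + name_constraints + authority_key_ident,
+ int_key,
+ int_cert,
+ '/C=US/CN='+ name)
+ generate_family(db, srcdir, int_key, int_cert, name)
+
+
+ #now single intermediate constrainted to permitted O=bar C=US & DNS foo.com
+ name = 'int-nc-perm-foo.com_c-us-ca-nc'
+ name_constraints = "nameConstraints = permitted;DNS:foo.com,permitted;dirName:dir_sect\n[dir_sect]\nC=US\n\n\n"
+ [int_key, int_cert] = CertUtils.generate_cert_generic(db,
+ srcdir,
+ 105,
+ key_type,
+ name,
+ ca_ext + authority_key_ident + name_constraints,
+ ca_key,
+ ca_cert)
+ generate_family(db, srcdir, int_key, int_cert, name)
+
+ #now constrainted to permitted C=UK (all ee must fail)
+ name = 'int-nc-perm-c-uk-ca-nc'
+ name_constraints = "nameConstraints = permitted;dirName:dir_sect\n[dir_sect]\nC=UK\n\n\n"
+ [int_key, int_cert] = CertUtils.generate_cert_generic(db,
+ srcdir,
+ 106,
+ key_type,
+ name,
+ ca_ext + authority_key_ident + name_constraints,
+ ca_key,
+ ca_cert)
+ generate_family(db, srcdir, int_key, int_cert, name)
+
+ #now an unconstrained sub intermediate from the UK cert (all ee must fail) not in the same name space
+ name = 'int-c-us-int-nc-perm-c-uk-ca-nc'
+ #name_constraints = "nameConstraints = permitted;DNS:foo.com\n\n\n"
+ [int_key, int_cert] = CertUtils.generate_cert_generic(db,
+ srcdir,
+ 108,
+ key_type,
+ name,
+ ca_ext + authority_key_ident,
+ int_key,
+ int_cert,
+ '/C=US/CN='+ name)
+ generate_family(db, srcdir, int_key, int_cert, name)
+
+ #now we generate permitted to foo.com and example2.com
+ name = 'int-nc-foo.com_a.us'
+ name_constraints = "nameConstraints = permitted;DNS:foo.com,permitted;DNS:a.us\n"
+ [int_key, int_cert] = CertUtils.generate_cert_generic(db,
+ srcdir,
+ 109,
+ key_type,
+ name,
+ ca_ext + authority_key_ident + name_constraints,
+ ca_key,
+ ca_cert)
+ generate_family(db, srcdir, int_key, int_cert, name)
+
+ #A sub ca contrained to foo.com with signer constrained to foo.com and example2.com
+ name = 'int-nc-foo.com-int-nc-foo.com_a.us'
+ name_constraints = "nameConstraints = permitted;DNS:foo.com\n"
+ [int_key, int_cert] = CertUtils.generate_cert_generic(db,
+ srcdir,
+ 110,
+ key_type,
+ name,
+ ca_ext + authority_key_ident + name_constraints,
+ ca_key,
+ ca_cert)
+ generate_family(db, srcdir, int_key, int_cert, name)
+
+
+
+ #now we generate a root that is name constrained
+ name_constraints = "nameConstraints = permitted;DNS:foo.com\n "
+ [ca_key, ca_cert] = CertUtils.generate_cert_generic(db,
+ srcdir,
+ 1,
+ key_type,
+ 'ca-nc-perm-foo.com',
+ ca_ext + name_constraints)
+
+ #and an unconstrained int
+ name = 'int-ca-nc-perm-foo.com'
+ name_constraints = "\n"
+ [int_key, int_cert] = CertUtils.generate_cert_generic(db,
+ srcdir,
+ 111,
+ key_type,
+ name,
+ ca_ext + name_constraints + authority_key_ident,
+ ca_key,
+ ca_cert)
+ generate_family(db, srcdir, int_key, int_cert, name)
+
+
+generate_certs()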
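Review bot: The sub-intermediate generated with serial 110 (`int-nc-foo.com-int-nc-foo.com_a.us`) is signed with `ca_key, ca_cert`, i.e. directly by the root, even though the comment above it and the cert's own name say its signer is the serial-109 intermediate constrained to foo.com and a.us. By analogy with serials 104 and 108 that call should pass `int_key, int_cert,` (which still hold the 109 cert at that point) and probably an explicit subject like `'/C=US/CN='+ name`; as written, no fixture here exercises the intersection of two DNS name constraints along one chain, and if the root-signed variant is what is intended then the comment (which also still says "example2.com" where the constraint is `a.us`) and the name should be corrected instead. Separately, `self_sign_csr` builds its `openssl x509` command by string concatenation and runs it through `os.system`, discarding the exit status, so a failing openssl or a path containing spaces or shell metacharacters silently leaves fixtures missing or stale; `subprocess` is already imported, so `subprocess.check_call(["openssl", "x509", "-req", "-sha256", "-days", "3650", "-in", csr_name, "-signkey", key_file, "-set_serial", str(serial_num), "-extfile", extensions_filename, "-outform", "DER", "-out", cert_name])` would avoid the shell and fail loudly. Minor: `generate_family` ignores its `db_dir`/`dst_dir` parameters in favour of the module globals `db`/`srcdir`, and the `db` temp directory holding the generated CA private keys is never removed when the script finishes even though `shutil` is imported.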