security/manager/ssl/tests/unit/test_name_constraints/generate.py@6474c204b198
security/manager/ssl/tests/unit/test_name_constraints/generate.py
Wed, 31 Dec 2014 06:09:35 +0100
- author
- Michael Schloh von Bennewitz <michael@schloh.com>
- date
- Wed, 31 Dec 2014 06:09:35 +0100
- changeset 0
- 6474c204b198
- permissions
- -rwxr-xr-x
Cloned upstream origin tor-browser at tor-browser-31.3.0esr-4.5-1-build1
revision ID fc1c9ff7c1b2defdbc039f12214767608f46423f for hacking purpose.
1 #!/usr/bin/python
3 # This Source Code Form is subject to the terms of the Mozilla Public
4 # License, v. 2.0. If a copy of the MPL was not distributed with this
5 # file, You can obtain one at http://mozilla.org/MPL/2.0/.
7 import tempfile, os, sys
8 import random
9 import pexpect
10 import subprocess
11 import shutil
13 libpath = os.path.abspath('../psm_common_py')
15 sys.path.append(libpath)
17 import CertUtils
19 srcdir = os.getcwd()
20 db = tempfile.mkdtemp()
22 CA_basic_constraints = "basicConstraints = critical, CA:TRUE\n"
23 EE_basic_constraints = "basicConstraints = CA:FALSE\n"
25 CA_full_ku = ("keyUsage = keyCertSign, cRLSign\n")
27 authority_key_ident = "authorityKeyIdentifier = keyid, issuer\n"
28 subject_key_ident = "subjectKeyIdentifier = hash\n"
30 def generate_family(db_dir, dst_dir, ca_key, ca_cert, base_name):
31 key_type = 'rsa'
32 ee_ext_base = EE_basic_constraints + authority_key_ident;
33 #cn =foo.com
34 CertUtils.generate_cert_generic(db,
35 srcdir,
36 10,
37 key_type,
38 'cn-www.foo.com-'+ base_name,
39 ee_ext_base,
40 ca_key,
41 ca_cert,
42 '/CN=www.foo.com')
43 #cn = foo.org
44 CertUtils.generate_cert_generic(db,
45 srcdir,
46 11,
47 key_type,
48 'cn-www.foo.org-'+ base_name,
49 ee_ext_base,
50 ca_key,
51 ca_cert,
52 '/CN=www.foo.org')
53 #cn = foo.com, alt= foo.org
54 alt_name_ext = 'subjectAltName =DNS:*.foo.org'
55 CertUtils.generate_cert_generic(db,
56 srcdir,
57 12,
58 key_type,
59 'cn-www.foo.com-alt-foo.org-'+ base_name,
60 ee_ext_base + alt_name_ext,
61 ca_key,
62 ca_cert,
63 '/CN=www.foo.com')
64 #cn = foo.org, alt= foo.com
65 alt_name_ext = 'subjectAltName =DNS:*.foo.com'
66 CertUtils.generate_cert_generic(db,
67 srcdir,
68 13,
69 key_type,
70 'cn-www.foo.org-alt-foo.com-'+ base_name,
71 ee_ext_base + alt_name_ext,
72 ca_key,
73 ca_cert,
74 '/CN=www.foo.org')
75 #cn = foo.com, alt=foo.com
76 alt_name_ext = 'subjectAltName =DNS:*.foo.com'
77 CertUtils.generate_cert_generic(db,
78 srcdir,
79 14,
80 key_type,
81 'cn-www.foo.com-alt-foo.com-'+ base_name,
82 ee_ext_base + alt_name_ext,
83 ca_key,
84 ca_cert,
85 '/CN=www.foo.com')
86 #cn = foo.org, alt=foo.org
87 alt_name_ext = 'subjectAltName =DNS:*.foo.org'
88 CertUtils.generate_cert_generic(db,
89 srcdir,
90 15,
91 key_type,
92 'cn-www.foo.org-alt-foo.org-'+ base_name,
93 ee_ext_base + alt_name_ext,
94 ca_key,
95 ca_cert,
96 '/CN=www.foo.org')
98 #cn = foo.com, alt=foo.com,a.a.us,b.a.us
99 alt_name_ext = 'subjectAltName =DNS:*.foo.com,DNS:*.a.a.us,DNS:*.b.a.us'
100 CertUtils.generate_cert_generic(db,
101 srcdir,
102 16,
103 key_type,
104 'cn-www.foo.com-alt-foo.com-a.a.us-b.a.us-'+ base_name,
105 ee_ext_base + alt_name_ext,
106 ca_key,
107 ca_cert,
108 '/CN=www.foo.com')
112 #cn =foo.com O=bar C=US
113 CertUtils.generate_cert_generic(db,
114 srcdir,
115 17,
116 key_type,
117 'cn-www.foo.com_o-bar_c-us-'+ base_name,
118 ee_ext_base,
119 ca_key,
120 ca_cert,
121 '/C=US/O=bar/CN=www.foo.com')
123 #cn = foo.org O=bar C=US
124 CertUtils.generate_cert_generic(db,
125 srcdir,
126 18,
127 key_type,
128 'cn-www.foo.org_o-bar_c-us-'+ base_name,
129 ee_ext_base,
130 ca_key,
131 ca_cert,
132 '/C=US/O=bar/CN=www.foo.org')
133 #cn = foo.com, alt= foo.org
134 alt_name_ext = 'subjectAltName =DNS:*.foo.org'
135 CertUtils.generate_cert_generic(db,
136 srcdir,
137 19,
138 key_type,
139 'cn-www.foo.com_o-bar_c-us-alt-foo.org-'+ base_name,
140 ee_ext_base + alt_name_ext,
141 ca_key,
142 ca_cert,
143 '/C=US/O=bar/CN=www.foo.com')
144 #cn = foo.org, alt= foo.com
145 alt_name_ext = 'subjectAltName =DNS:*.foo.com'
146 CertUtils.generate_cert_generic(db,
147 srcdir,
148 20,
149 key_type,
150 'cn-www.foo.org_o-bar_c-us-alt-foo.com-'+ base_name,
151 ee_ext_base + alt_name_ext,
152 ca_key,
153 ca_cert,
154 '/C=US/O=bar/CN=www.foo.org')
155 #cn = foo.com, alt=foo.com
156 alt_name_ext = 'subjectAltName =DNS:*.foo.com'
157 CertUtils.generate_cert_generic(db,
158 srcdir,
159 21,
160 key_type,
161 'cn-www.foo.com_o-bar_c-us-alt-foo.com-'+ base_name,
162 ee_ext_base + alt_name_ext,
163 ca_key,
164 ca_cert,
165 '/C=US/O=bar/CN=www.foo.com')
166 #cn = foo.org, alt=foo.org
167 alt_name_ext = 'subjectAltName =DNS:*.foo.org'
168 CertUtils.generate_cert_generic(db,
169 srcdir,
170 22,
171 key_type,
172 'cn-www.foo.org_o-bar_c-us-alt-foo.org-'+ base_name,
173 ee_ext_base + alt_name_ext,
174 ca_key,
175 ca_cert,
176 '/C=US/O=bar/CN=www.foo.org')
178 #cn = foo.com, alt=foo.com,a.a.us.com,b.a.us
179 alt_name_ext = 'subjectAltName =DNS:*.foo.com,DNS:*.a.a.us,DNS:*.b.a.us'
180 CertUtils.generate_cert_generic(db,
181 srcdir,
182 23,
183 key_type,
184 'cn-www.foo.com_o-bar_c-us-alt-foo.com-a.a.us-b.a.us-'+ base_name,
185 ee_ext_base + alt_name_ext,
186 ca_key,
187 ca_cert,
188 '/C=US/O=bar/CN=www.foo.com')
193 def self_sign_csr(db_dir, dst_dir, csr_name, key_file, serial_num, ext_text,
194 out_prefix):
195 extensions_filename = db_dir + "/openssl-exts"
196 f = open(extensions_filename, 'w')
197 f.write(ext_text)
198 f.close()
199 cert_name = dst_dir + "/" + out_prefix + ".der"
200 os.system ("openssl x509 -req -sha256 -days 3650 -in " + csr_name +
201 " -signkey " + key_file +
202 " -set_serial " + str(serial_num) +
203 " -extfile " + extensions_filename +
204 " -outform DER -out " + cert_name)
208 def generate_certs():
209 key_type = 'rsa'
210 ca_ext = CA_basic_constraints + CA_full_ku + subject_key_ident;
211 ee_ext_text = (EE_basic_constraints + authority_key_ident)
212 [ca_key, ca_cert] = CertUtils.generate_cert_generic(db,
213 srcdir,
214 1,
215 key_type,
216 'ca-nc',
217 ca_ext)
218 #now the constrained via perm
219 name = 'int-nc-perm-foo.com-ca-nc'
220 name_constraints = "nameConstraints = permitted;DNS:foo.com\n"
221 [int_key, int_cert] = CertUtils.generate_cert_generic(db,
222 srcdir,
223 101,
224 key_type,
225 name,
226 ca_ext + authority_key_ident + name_constraints,
227 ca_key,
228 ca_cert)
229 generate_family(db, srcdir, int_key, int_cert, name)
231 #now the constrained via excl
232 name = 'int-nc-excl-foo.com-ca-nc'
233 name_constraints = "nameConstraints = excluded;DNS:foo.com\n"
234 [int_key, int_cert] = CertUtils.generate_cert_generic(db,
235 srcdir,
236 102,
237 key_type,
238 name,
239 ca_ext + name_constraints + authority_key_ident,
240 ca_key,
241 ca_cert)
242 generate_family(db, srcdir, int_key, int_cert, name)
244 #now constrained to permitted: O=bar C=US
245 name = 'int-nc-c-us-ca-nc'
246 name_constraints = "nameConstraints = permitted;dirName:dir_sect\n[dir_sect]\nC=US\n\n\n"
247 [int_key, int_cert] = CertUtils.generate_cert_generic(db,
248 srcdir,
249 103,
250 key_type,
251 name,
252 ca_ext + authority_key_ident + name_constraints,
253 ca_key,
254 ca_cert)
255 generate_family(db, srcdir, int_key, int_cert, name)
257 #now make a subCA that is also constrainted to foo.com (combine constraints)
258 name = 'int-nc-foo.com-int-nc-c-us-ca-nc'
259 name_constraints = "nameConstraints = permitted;DNS:foo.com\n\n\n"
260 [int_key, int_cert] = CertUtils.generate_cert_generic(db,
261 srcdir,
262 104,
263 key_type,
264 name,
265 ca_ext + name_constraints + authority_key_ident,
266 int_key,
267 int_cert,
268 '/C=US/CN='+ name)
269 generate_family(db, srcdir, int_key, int_cert, name)
272 #now single intermediate constrainted to permitted O=bar C=US & DNS foo.com
273 name = 'int-nc-perm-foo.com_c-us-ca-nc'
274 name_constraints = "nameConstraints = permitted;DNS:foo.com,permitted;dirName:dir_sect\n[dir_sect]\nC=US\n\n\n"
275 [int_key, int_cert] = CertUtils.generate_cert_generic(db,
276 srcdir,
277 105,
278 key_type,
279 name,
280 ca_ext + authority_key_ident + name_constraints,
281 ca_key,
282 ca_cert)
283 generate_family(db, srcdir, int_key, int_cert, name)
285 #now constrainted to permitted C=UK (all ee must fail)
286 name = 'int-nc-perm-c-uk-ca-nc'
287 name_constraints = "nameConstraints = permitted;dirName:dir_sect\n[dir_sect]\nC=UK\n\n\n"
288 [int_key, int_cert] = CertUtils.generate_cert_generic(db,
289 srcdir,
290 106,
291 key_type,
292 name,
293 ca_ext + authority_key_ident + name_constraints,
294 ca_key,
295 ca_cert)
296 generate_family(db, srcdir, int_key, int_cert, name)
298 #now an unconstrained sub intermediate from the UK cert (all ee must fail) not in the same name space
299 name = 'int-c-us-int-nc-perm-c-uk-ca-nc'
300 #name_constraints = "nameConstraints = permitted;DNS:foo.com\n\n\n"
301 [int_key, int_cert] = CertUtils.generate_cert_generic(db,
302 srcdir,
303 108,
304 key_type,
305 name,
306 ca_ext + authority_key_ident,
307 int_key,
308 int_cert,
309 '/C=US/CN='+ name)
310 generate_family(db, srcdir, int_key, int_cert, name)
312 #now we generate permitted to foo.com and example2.com
313 name = 'int-nc-foo.com_a.us'
314 name_constraints = "nameConstraints = permitted;DNS:foo.com,permitted;DNS:a.us\n"
315 [int_key, int_cert] = CertUtils.generate_cert_generic(db,
316 srcdir,
317 109,
318 key_type,
319 name,
320 ca_ext + authority_key_ident + name_constraints,
321 ca_key,
322 ca_cert)
323 generate_family(db, srcdir, int_key, int_cert, name)
325 #A sub ca contrained to foo.com with signer constrained to foo.com and example2.com
326 name = 'int-nc-foo.com-int-nc-foo.com_a.us'
327 name_constraints = "nameConstraints = permitted;DNS:foo.com\n"
328 [int_key, int_cert] = CertUtils.generate_cert_generic(db,
329 srcdir,
330 110,
331 key_type,
332 name,
333 ca_ext + authority_key_ident + name_constraints,
334 ca_key,
335 ca_cert)
336 generate_family(db, srcdir, int_key, int_cert, name)
340 #now we generate a root that is name constrained
341 name_constraints = "nameConstraints = permitted;DNS:foo.com\n "
342 [ca_key, ca_cert] = CertUtils.generate_cert_generic(db,
343 srcdir,
344 1,
345 key_type,
346 'ca-nc-perm-foo.com',
347 ca_ext + name_constraints)
349 #and an unconstrained int
350 name = 'int-ca-nc-perm-foo.com'
351 name_constraints = "\n"
352 [int_key, int_cert] = CertUtils.generate_cert_generic(db,
353 srcdir,
354 111,
355 key_type,
356 name,
357 ca_ext + name_constraints + authority_key_ident,
358 ca_key,
359 ca_cert)
360 generate_family(db, srcdir, int_key, int_cert, name)
363 generate_certs()
