security/manager/ssl/tests/unit/test_cert_signatures/generate.py@b8a032363ba2
security/manager/ssl/tests/unit/test_cert_signatures/generate.py
Thu, 22 Jan 2015 13:21:57 +0100
- author
- Michael Schloh von Bennewitz <michael@schloh.com>
- date
- Thu, 22 Jan 2015 13:21:57 +0100
- branch
- TOR_BUG_9701
- changeset 15
- b8a032363ba2
- permissions
- -rwxr-xr-x
Incorporate requested changes from Mozilla in review:
https://bugzilla.mozilla.org/show_bug.cgi?id=1123480#c6
1 #!/usr/bin/python
3 # This Source Code Form is subject to the terms of the Mozilla Public
4 # License, v. 2.0. If a copy of the MPL was not distributed with this
5 # file, You can obtain one at http://mozilla.org/MPL/2.0/.
7 import tempfile, os, sys
8 import random
9 libpath = os.path.abspath('../psm_common_py')
11 sys.path.append(libpath)
13 import CertUtils
15 srcdir = os.getcwd()
16 db = tempfile.mkdtemp()
18 CA_basic_constraints = "basicConstraints=critical,CA:TRUE\n"
20 CA_min_ku = "keyUsage=critical, keyCertSign\n"
22 pk_name = {'rsa': 'rsa', 'dsa': 'dsa', 'p384': 'secp384r1'}
25 def tamper_cert(cert_name):
26 f = open(cert_name, 'r+b')
27 f.seek(-3, 2) # third byte from the end to ensure we only touch the
28 # signature value. The location for the perturbation ensures that we are
29 # modifying just the tbsCertificate without the need of parsing the
30 # certificate. Also this guarantees that if a failure occurs it is because
31 # of an invalid signature and not another field that might have become
32 # invalid.
33 b = bytearray(f.read(1))
34 for i in range(len(b)):
35 b[i] ^= 0x77
36 f.seek(-1, 1)
37 f.write(b)
38 f.close()
39 return 1
41 def generate_certs():
43 CertUtils.init_dsa(db)
44 ee_ext_text = ""
45 for name, key_type in pk_name.iteritems():
46 ca_name = "ca-" + name
47 [ca_key, ca_cert] = CertUtils.generate_cert_generic(db,
48 srcdir,
49 random.randint(100,4000000),
50 key_type,
51 ca_name,
52 CA_basic_constraints + CA_min_ku)
54 [valid_int_key, valid_int_cert, ee_key, ee_cert] = (
55 CertUtils.generate_int_and_ee(db,
56 srcdir,
57 ca_key,
58 ca_cert,
59 name + "-valid",
60 CA_basic_constraints,
61 ee_ext_text,
62 key_type) )
64 [int_key, int_cert] = CertUtils.generate_cert_generic(db,
65 srcdir,
66 random.randint(100,4000000),
67 key_type,
68 "int-" + name + "-tampered",
69 ee_ext_text,
70 ca_key,
71 ca_cert)
74 [ee_key, ee_cert] = CertUtils.generate_cert_generic(db,
75 srcdir,
76 random.randint(100,4000000),
77 key_type,
78 name + "-tampered-int-valid-ee",
79 ee_ext_text,
80 int_key,
81 int_cert)
82 #only tamper after ee has been generated
83 tamper_cert(int_cert);
85 [ee_key, ee_cert] = CertUtils.generate_cert_generic(db,
86 srcdir,
87 random.randint(100,4000000),
88 key_type,
89 name + "-valid-int-tampered-ee",
90 ee_ext_text,
91 valid_int_key,
92 valid_int_cert)
93 tamper_cert(ee_cert);
96 generate_certs()
