Thu, 22 Jan 2015 13:21:57 +0100
Incorporate requested changes from Mozilla in review:
https://bugzilla.mozilla.org/show_bug.cgi?id=1123480#c6
1 #!/usr/bin/python
3 import tempfile, os, sys
4 import random
5 import pexpect
6 import subprocess
7 import shutil
9 libpath = os.path.abspath('../psm_common_py')
11 sys.path.append(libpath)
13 import CertUtils
15 srcdir = os.getcwd()
16 db = tempfile.mkdtemp()
18 CA_extensions = ("basicConstraints = critical, CA:TRUE\n"
19 "keyUsage = keyCertSign, cRLSign\n")
21 aia_prefix = "authorityInfoAccess = OCSP;URI:http://www.example.com:8888/"
22 aia_suffix ="/\n"
23 intermediate_crl = ("crlDistributionPoints = " +
24 "URI:http://crl.example.com:8888/root-ev.crl\n")
25 endentity_crl = ("crlDistributionPoints = " +
26 "URI:http://crl.example.com:8888/ee-crl.crl\n")
28 mozilla_testing_ev_policy = ("certificatePolicies = @v3_ca_ev_cp\n\n" +
29 "[ v3_ca_ev_cp ]\n" +
30 "policyIdentifier = " +
31 "1.3.6.1.4.1.13769.666.666.666.1.500.9.1\n\n" +
32 "CPS.1 = \"http://mytestdomain.local/cps\"")
34 anypolicy_policy = ("certificatePolicies = @v3_ca_ev_cp\n\n" +
35 "[ v3_ca_ev_cp ]\n" +
36 "policyIdentifier = " +
37 "2.5.29.32.0\n\n" +
38 "CPS.1 = \"http://mytestdomain.local/cps\"")
41 def import_untrusted_cert(certfile, nickname):
42 os.system("certutil -A -d . -n " + nickname + " -i " + certfile +
43 " -t ',,'")
45 def import_cert_and_pkcs12(certfile, pkcs12file, nickname, trustflags):
46 os.system(" certutil -A -d . -n " + nickname + " -i " + certfile + " -t '" +
47 trustflags + "'")
48 child = pexpect.spawn("pk12util -i " + pkcs12file + " -d .")
49 child.expect('Enter password for PKCS12 file:')
50 child.sendline('')
51 child.expect(pexpect.EOF)
53 def init_nss_db():
54 nss_db_files = [ "cert8.db", "key3.db", "secmod.db" ]
55 for file in nss_db_files:
56 if os.path.isfile(file):
57 os.remove(file)
58 #now create DB
59 child = pexpect.spawn("certutil -N -d .")
60 child.expect("Enter new password:")
61 child.sendline('')
62 child.expect('Re-enter password:')
63 child.sendline('')
64 child.expect(pexpect.EOF)
65 import_cert_and_pkcs12("evroot.der", "evroot.p12", "evroot", "C,C,C")
68 def generate_certs():
69 init_nss_db()
70 ca_cert = 'evroot.der'
71 ca_key = 'evroot.key'
72 prefix = "ev-valid"
73 key_type = 'rsa'
74 ee_ext_text = (aia_prefix + prefix + aia_suffix +
75 endentity_crl + mozilla_testing_ev_policy)
76 int_ext_text = (CA_extensions + aia_prefix + "int-" + prefix + aia_suffix +
77 intermediate_crl + mozilla_testing_ev_policy)
78 [int_key, int_cert, ee_key, ee_cert] = CertUtils.generate_int_and_ee(db,
79 srcdir,
80 ca_key,
81 ca_cert,
82 prefix,
83 int_ext_text,
84 ee_ext_text,
85 key_type)
86 pk12file = CertUtils.generate_pkcs12(db, srcdir, int_cert, int_key,
87 "int-" + prefix)
88 import_cert_and_pkcs12(int_cert, pk12file, "int-" + prefix, ",,")
89 import_untrusted_cert(ee_cert, prefix)
91 # now we generate an end entity cert with an AIA with no OCSP URL
92 no_ocsp_url_ext_aia = ("authorityInfoAccess =" +
93 "caIssuers;URI:http://www.example.com/ca.html\n");
94 [no_ocsp_key, no_ocsp_cert] = CertUtils.generate_cert_generic(db,
95 srcdir,
96 random.randint(100, 40000000),
97 key_type,
98 'no-ocsp-url-cert',
99 no_ocsp_url_ext_aia + endentity_crl +
100 mozilla_testing_ev_policy,
101 int_key, int_cert);
102 import_untrusted_cert(no_ocsp_cert, 'no-ocsp-url-cert');
104 # add an ev cert whose intermediate has a anypolicy oid
105 prefix = "ev-valid-anypolicy-int"
106 ee_ext_text = (aia_prefix + prefix + aia_suffix +
107 endentity_crl + mozilla_testing_ev_policy)
108 int_ext_text = (CA_extensions + aia_prefix + "int-" + prefix + aia_suffix +
109 intermediate_crl + anypolicy_policy)
111 [int_key, int_cert, ee_key, ee_cert] = CertUtils.generate_int_and_ee(db,
112 srcdir,
113 ca_key,
114 ca_cert,
115 prefix,
116 int_ext_text,
117 ee_ext_text,
118 key_type)
119 pk12file = CertUtils.generate_pkcs12(db, srcdir, int_cert, int_key,
120 "int-" + prefix)
121 import_cert_and_pkcs12(int_cert, pk12file, "int-" + prefix, ",,")
122 import_untrusted_cert(ee_cert, prefix)
125 [bad_ca_key, bad_ca_cert] = CertUtils.generate_cert_generic( db,
126 srcdir,
127 1,
128 'rsa',
129 'non-evroot-ca',
130 CA_extensions)
131 pk12file = CertUtils.generate_pkcs12(db, srcdir, bad_ca_cert, bad_ca_key,
132 "non-evroot-ca")
133 import_cert_and_pkcs12(bad_ca_cert, pk12file, "non-evroot-ca", "C,C,C")
134 prefix = "non-ev-root"
135 ee_ext_text = (aia_prefix + prefix + aia_suffix +
136 endentity_crl + mozilla_testing_ev_policy)
137 int_ext_text = (CA_extensions + aia_prefix + "int-" + prefix + aia_suffix +
138 intermediate_crl + mozilla_testing_ev_policy)
139 [int_key, int_cert, ee_key, ee_cert] = CertUtils.generate_int_and_ee(db,
140 srcdir,
141 bad_ca_key,
142 bad_ca_cert,
143 prefix,
144 int_ext_text,
145 ee_ext_text,
146 key_type)
147 pk12file = CertUtils.generate_pkcs12(db, srcdir, int_cert, int_key,
148 "int-" + prefix)
149 import_cert_and_pkcs12(int_cert, pk12file, "int-" + prefix, ",,")
150 import_untrusted_cert(ee_cert, prefix)
154 generate_certs()
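Review bot: The certutil invocations in import_untrusted_cert (file line 42) and import_cert_and_pkcs12 (file line 46) go through os.system with a concatenated shell string and discard its return value, so a failed import (wrong path, NSS error, nickname already present) is silently skipped and generate_certs continues building on an incomplete database. subprocess is already imported on file line 6 but unused; I would switch both to a list-form call that raises on a non-zero exit, e.g. `subprocess.check_call(["certutil", "-A", "-d", ".", "-n", nickname, "-i", certfile, "-t", ",,"])` in import_untrusted_cert and the same shape with `trustflags` as the `-t` argument in import_cert_and_pkcs12, which also removes the shell from the path these fixture names take. The pexpect.spawn calls on file lines 48 and 59 likewise never check `child.exitstatus` after `child.expect(pexpect.EOF)`, so a failing pk12util or certutil -N would go unnoticed too. Separately, `db = tempfile.mkdtemp()` on file line 16 is never removed even though shutil is imported on file line 7; a `shutil.rmtree(db)` after the generate_certs() call on file line 154 would stop every run from leaving a directory of private keys behind in the temp area.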