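#!/usr/bin/python

# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.

"""Generate the test CA and end-entity certificates used by this directory.

Two CA certificates that share one key pair are produced: ``ca-1.der``
(serial 1, issued through CertUtils) and ``ca-2.der`` (serial 2, self-signed
from the same CSR with openssl), plus one EE certificate signed by that CA.
All scratch files, including the CA private key, live in a private temporary
directory that is removed when the script finishes.
"""

import tempfile, os, sys
import random
import pexpect
import subprocess
import shutil

libpath = os.path.abspath('../psm_common_py')

sys.path.append(libpath)

import CertUtils

srcdir = os.getcwd()
# mkdtemp() creates the directory with mode 0700, so the CA private key
# written into it is not readable by other local users while we run.
db = tempfile.mkdtemp()

CA_basic_constraints = "basicConstraints = critical, CA:TRUE\n"
EE_basic_constraints = "basicConstraints = CA:FALSE\n"

CA_full_ku = ("keyUsage = digitalSignature, nonRepudiation, keyEncipherment, " +
              "dataEncipherment, keyAgreement, keyCertSign, cRLSign\n")

CA_eku = ("extendedKeyUsage = critical, serverAuth, clientAuth, " +
          "emailProtection, codeSigning\n")

authority_key_ident = "authorityKeyIdentifier = keyid, issuer\n"
subject_key_ident = "subjectKeyIdentifier = hash\n"


def self_sign_csr(db_dir, dst_dir, csr_name, key_file, serial_num, ext_text,
                  out_prefix):
    """Self-sign an existing CSR with openssl and write a DER certificate.

    Args:
      db_dir: scratch directory; the openssl extensions file is written here.
      dst_dir: directory that receives ``<out_prefix>.der``.
      csr_name: path of the CSR to sign.
      key_file: path of the private key matching the CSR.
      serial_num: serial number to set on the certificate.
      ext_text: openssl x509v3 extension text for the certificate.
      out_prefix: basename (without extension) of the output file.

    Raises:
      subprocess.CalledProcessError: if openssl exits non-zero. The exit
      status used to be ignored, so a failed signing could leave a missing
      or stale ``.der`` behind without anyone noticing.
    """
    extensions_filename = os.path.join(db_dir, "openssl-exts")
    with open(extensions_filename, 'w') as f:
        f.write(ext_text)
    cert_name = os.path.join(dst_dir, out_prefix + ".der")
    # Pass an argument list rather than a shell string: the cwd and the temp
    # directory come from the environment, and a path containing spaces or
    # shell metacharacters would otherwise break, or be interpreted by, the
    # shell command line.
    subprocess.check_call([
        "openssl", "x509", "-req", "-sha256", "-days", "3650",
        "-in", csr_name,
        "-signkey", key_file,
        "-set_serial", str(serial_num),
        "-extfile", extensions_filename,
        "-outform", "DER", "-out", cert_name,
    ])


def generate_certs():
    """Create the CA key pair, the EE certificate and both CA certificates.

    Side effects (all relative to the cwd captured in ``srcdir``):
      * ``ca-1.der`` -- CA certificate with serial 1 (copied from CertUtils).
      * ``ca-2.der`` -- second CA certificate with serial 2, self-signed with
        the same key and extensions from the CSR CertUtils left in ``db``.
      * the EE certificate written by CertUtils.generate_cert_generic.
    The CertUtils copy of the CA certificate is removed from ``db`` afterwards.
    """
    key_type = 'rsa'
    ca_ext = CA_basic_constraints + CA_full_ku + subject_key_ident + CA_eku
    ee_ext_text = (EE_basic_constraints + authority_key_ident)
    [ca_key, ca_cert] = CertUtils.generate_cert_generic(db,
                                                        srcdir,
                                                        1,
                                                        key_type,
                                                        'ca',
                                                        ca_ext)
    CertUtils.generate_cert_generic(db,
                                    srcdir,
                                    100,
                                    key_type,
                                    'ee',
                                    ee_ext_text,
                                    ca_key,
                                    ca_cert)

    shutil.copy(ca_cert, os.path.join(srcdir, "ca-1.der"))
    # Same key, same extensions, different serial: ca-2 is a second
    # certificate for the ca-1 key, signed from the CSR CertUtils produced.
    self_sign_csr(db, srcdir, os.path.join(db, "ca.csr"), ca_key, 2, ca_ext,
                  "ca-2")
    os.remove(ca_cert)


if __name__ == "__main__":
    try:
        generate_certs()
    finally:
        # The scratch directory holds the CA private key; do not leave it
        # behind once the .der files have been copied out.
        shutil.rmtree(db, ignore_errors=True)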