michael@0: #!/usr/bin/python michael@0: michael@0: # This Source Code Form is subject to the terms of the Mozilla Public michael@0: # License, v. 2.0. If a copy of the MPL was not distributed with this michael@0: # file, You can obtain one at http://mozilla.org/MPL/2.0/. michael@0: michael@0: import tempfile, os, sys michael@0: import random michael@0: libpath = os.path.abspath('../psm_common_py') michael@0: michael@0: sys.path.append(libpath) michael@0: michael@0: import CertUtils michael@0: michael@0: srcdir = os.getcwd() michael@0: db = tempfile.mkdtemp() michael@0: michael@0: CA_basic_constraints = "basicConstraints=critical,CA:TRUE\n" michael@0: michael@0: CA_min_ku = "keyUsage=critical, keyCertSign\n" michael@0: michael@0: pk_name = {'rsa': 'rsa', 'dsa': 'dsa', 'p384': 'secp384r1'} michael@0: michael@0: michael@0: def tamper_cert(cert_name): michael@0: f = open(cert_name, 'r+b') michael@0: f.seek(-3, 2) # third byte from the end to ensure we only touch the michael@0: # signature value. The location for the perturbation ensures that we are michael@0: # modifying just the tbsCertificate without the need of parsing the michael@0: # certificate. Also this guarantees that if a failure occurs it is because michael@0: # of an invalid signature and not another field that might have become michael@0: # invalid. michael@0: b = bytearray(f.read(1)) michael@0: for i in range(len(b)): michael@0: b[i] ^= 0x77 michael@0: f.seek(-1, 1) michael@0: f.write(b) michael@0: f.close() michael@0: return 1 michael@0: michael@0: def generate_certs(): michael@0: michael@0: CertUtils.init_dsa(db) michael@0: ee_ext_text = "" michael@0: for name, key_type in pk_name.iteritems(): michael@0: ca_name = "ca-" + name michael@0: [ca_key, ca_cert] = CertUtils.generate_cert_generic(db, michael@0: srcdir, michael@0: random.randint(100,4000000), michael@0: key_type, michael@0: ca_name, michael@0: CA_basic_constraints + CA_min_ku) michael@0: michael@0: [valid_int_key, valid_int_cert, ee_key, ee_cert] = ( michael@0: CertUtils.generate_int_and_ee(db, michael@0: srcdir, michael@0: ca_key, michael@0: ca_cert, michael@0: name + "-valid", michael@0: CA_basic_constraints, michael@0: ee_ext_text, michael@0: key_type) ) michael@0: michael@0: [int_key, int_cert] = CertUtils.generate_cert_generic(db, michael@0: srcdir, michael@0: random.randint(100,4000000), michael@0: key_type, michael@0: "int-" + name + "-tampered", michael@0: ee_ext_text, michael@0: ca_key, michael@0: ca_cert) michael@0: michael@0: michael@0: [ee_key, ee_cert] = CertUtils.generate_cert_generic(db, michael@0: srcdir, michael@0: random.randint(100,4000000), michael@0: key_type, michael@0: name + "-tampered-int-valid-ee", michael@0: ee_ext_text, michael@0: int_key, michael@0: int_cert) michael@0: #only tamper after ee has been generated michael@0: tamper_cert(int_cert); michael@0: michael@0: [ee_key, ee_cert] = CertUtils.generate_cert_generic(db, michael@0: srcdir, michael@0: random.randint(100,4000000), michael@0: key_type, michael@0: name + "-valid-int-tampered-ee", michael@0: ee_ext_text, michael@0: valid_int_key, michael@0: valid_int_cert) michael@0: tamper_cert(ee_cert); michael@0: michael@0: michael@0: generate_certs()