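#!/usr/bin/python
"""Generate the EV test certificate chains used by the PSM EV tests.

Run from the directory holding ``evroot.der``, ``evroot.key`` and
``evroot.p12``.  The script wipes and recreates an NSS database in the
current directory, then issues and imports:

  * ev-valid               -- intermediate + end entity under evroot
  * no-ocsp-url-cert       -- end entity under int-ev-valid whose AIA only
                              carries a caIssuers entry (no OCSP URL)
  * ev-valid-anypolicy-int -- as ev-valid, but the intermediate asserts
                              anyPolicy (2.5.29.32.0) instead of the test
                              EV policy
  * non-ev-root            -- the same chain shape under a freshly minted,
                              self-signed root that is not EV-enabled
                              (non-evroot-ca)

Every NSS / PKCS#12 password is empty and the root is imported with full
"C,C,C" trust: these are throw-away test fixtures, never production
material.  Each external tool invocation is now checked for a non-zero
exit status; the previous os.system() calls discarded it, so a failing
certutil left a silently incomplete database.
"""

import os
import random
import shutil
import subprocess
import sys
import tempfile

import pexpect

libpath = os.path.abspath('../psm_common_py')
sys.path.append(libpath)

import CertUtils  # lives in ../psm_common_py, hence the sys.path edit above

srcdir = os.getcwd()
# Scratch directory handed to CertUtils for its OpenSSL CA state; removed
# once generation has finished (see the try/finally at the bottom).
db = tempfile.mkdtemp()

# Extension text (OpenSSL config syntax) shared by every CA certificate.
# keyUsage is deliberately left non-critical, matching the original fixtures.
CA_extensions = ("basicConstraints = critical, CA:TRUE\n"
                 "keyUsage = keyCertSign, cRLSign\n")

# OCSP responder URL is http://www.example.com:8888/<nickname>/ so the test
# harness can serve a per-certificate OCSP response.
aia_prefix = "authorityInfoAccess = OCSP;URI:http://www.example.com:8888/"
aia_suffix = "/\n"
intermediate_crl = ("crlDistributionPoints = " +
                    "URI:http://crl.example.com:8888/root-ev.crl\n")
endentity_crl = ("crlDistributionPoints = " +
                 "URI:http://crl.example.com:8888/ee-crl.crl\n")

# Policy OID under the Mozilla test arc used as the "EV" policy by the tests
# (must match what the consuming test code registers as EV-enabled).
mozilla_testing_ev_policy = ("certificatePolicies = @v3_ca_ev_cp\n\n" +
                             "[ v3_ca_ev_cp ]\n" +
                             "policyIdentifier = " +
                             "1.3.6.1.4.1.13769.666.666.666.1.500.9.1\n\n" +
                             "CPS.1 = \"http://mytestdomain.local/cps\"")

# Same section layout but asserting anyPolicy, for the anypolicy-intermediate
# chain.
anypolicy_policy = ("certificatePolicies = @v3_ca_ev_cp\n\n" +
                    "[ v3_ca_ev_cp ]\n" +
                    "policyIdentifier = " +
                    "2.5.29.32.0\n\n" +
                    "CPS.1 = \"http://mytestdomain.local/cps\"")


def _run(argv):
    """Run *argv* (an argument list, no shell) and raise on non-zero exit.

    Using an argv list instead of a concatenated command string keeps file
    names and nicknames out of the shell, and check_call() surfaces tool
    failures instead of ignoring them.
    """
    subprocess.check_call(argv)


def _run_with_empty_passwords(program, args, prompts):
    """Spawn *program* with *args*, answer each password prompt with an
    empty line, wait for exit and raise RuntimeError on failure.

    prompts is the ordered list of prompt strings pexpect should wait for.
    """
    child = pexpect.spawn(program, args)
    for prompt in prompts:
        child.expect(prompt)
        child.sendline('')
    child.expect(pexpect.EOF)
    child.close()
    if child.exitstatus != 0:
        raise RuntimeError("%s %s failed (exit status %r, signal %r)"
                           % (program, " ".join(args), child.exitstatus,
                              child.signalstatus))


def import_untrusted_cert(certfile, nickname):
    """Import *certfile* into the NSS db in cwd under *nickname* with no
    trust flags (",,"), so it must chain up to a trusted root to validate.
    """
    _run(["certutil", "-A", "-d", ".", "-n", nickname, "-i", certfile,
          "-t", ",,"])


def import_cert_and_pkcs12(certfile, pkcs12file, nickname, trustflags):
    """Import a certificate and its private key into the NSS db in cwd.

    certfile   -- DER certificate to import under *nickname*
    pkcs12file -- PKCS#12 bundle holding the matching key; it must have an
                  empty password (that is what CertUtils.generate_pkcs12
                  is expected to produce)
    trustflags -- certutil -t string: "C,C,C" for a trusted root, ",," for
                  an intermediate that has to chain to one
    Raises CalledProcessError / RuntimeError if certutil or pk12util fails.
    """
    _run(["certutil", "-A", "-d", ".", "-n", nickname, "-i", certfile,
          "-t", trustflags])
    _run_with_empty_passwords("pk12util", ["-i", pkcs12file, "-d", "."],
                              ['Enter password for PKCS12 file:'])


def init_nss_db():
    """Recreate the NSS database in cwd and seed it with the EV test root.

    Only the legacy dbm files are removed; the new db is created with an
    empty password and evroot is imported fully trusted ("C,C,C").
    """
    for stale in ("cert8.db", "key3.db", "secmod.db"):
        if os.path.isfile(stale):
            os.remove(stale)
    _run_with_empty_passwords("certutil", ["-N", "-d", "."],
                              ["Enter new password:", 'Re-enter password:'])
    import_cert_and_pkcs12("evroot.der", "evroot.p12", "evroot", "C,C,C")


def _generate_chain(prefix, signer_key, signer_cert, key_type, int_policy):
    """Issue intermediate "int-<prefix>" and end entity "<prefix>" under
    *signer_cert*, import both into the NSS db and return the intermediate's
    (key, cert) file paths so further leaves can be issued beneath it.

    Both certificates get an OCSP AIA and a CRL distribution point; the end
    entity always asserts the test EV policy, the intermediate asserts
    *int_policy* (the EV policy or anyPolicy).
    """
    ee_ext_text = (aia_prefix + prefix + aia_suffix +
                   endentity_crl + mozilla_testing_ev_policy)
    int_ext_text = (CA_extensions + aia_prefix + "int-" + prefix + aia_suffix +
                    intermediate_crl + int_policy)
    [int_key, int_cert, ee_key, ee_cert] = CertUtils.generate_int_and_ee(
        db, srcdir, signer_key, signer_cert, prefix, int_ext_text,
        ee_ext_text, key_type)
    pk12file = CertUtils.generate_pkcs12(db, srcdir, int_cert, int_key,
                                         "int-" + prefix)
    # Intermediate: key imported, no trust -- it has to chain to the root.
    import_cert_and_pkcs12(int_cert, pk12file, "int-" + prefix, ",,")
    import_untrusted_cert(ee_cert, prefix)
    return int_key, int_cert


def generate_certs():
    """Build the NSS db and every chain listed in the module docstring."""
    init_nss_db()
    ca_cert = 'evroot.der'
    ca_key = 'evroot.key'
    key_type = 'rsa'

    int_key, int_cert = _generate_chain("ev-valid", ca_key, ca_cert, key_type,
                                        mozilla_testing_ev_policy)

    # now we generate an end entity cert with an AIA with no OCSP URL
    no_ocsp_url_ext_aia = ("authorityInfoAccess =" +
                           "caIssuers;URI:http://www.example.com/ca.html\n")
    # Serial number only has to be unique within this test issuer; `random`
    # (not `secrets`) is fine for a fixture, but uniqueness against serials
    # CertUtils hands out itself is not checked here.
    [no_ocsp_key, no_ocsp_cert] = CertUtils.generate_cert_generic(
        db, srcdir, random.randint(100, 40000000), key_type,
        'no-ocsp-url-cert',
        no_ocsp_url_ext_aia + endentity_crl + mozilla_testing_ev_policy,
        int_key, int_cert)
    import_untrusted_cert(no_ocsp_cert, 'no-ocsp-url-cert')

    # add an ev cert whose intermediate has a anypolicy oid
    _generate_chain("ev-valid-anypolicy-int", ca_key, ca_cert, key_type,
                    anypolicy_policy)

    # A second, self-signed root (serial 1) that carries CA extensions but
    # is not registered as EV: chains under it must not get EV status even
    # though the leaf asserts the EV policy.
    [bad_ca_key, bad_ca_cert] = CertUtils.generate_cert_generic(
        db, srcdir, 1, 'rsa', 'non-evroot-ca', CA_extensions)
    pk12file = CertUtils.generate_pkcs12(db, srcdir, bad_ca_cert, bad_ca_key,
                                         "non-evroot-ca")
    import_cert_and_pkcs12(bad_ca_cert, pk12file, "non-evroot-ca", "C,C,C")
    _generate_chain("non-ev-root", bad_ca_key, bad_ca_cert, key_type,
                    mozilla_testing_ev_policy)


try:
    generate_certs()
finally:
    # NOTE(review): this assumes CertUtils writes the generated .der/.key/.p12
    # files to srcdir (second argument) and uses `db` only for scratch CA
    # state, so removing it here drops nothing the tests need -- confirm
    # against ../psm_common_py/CertUtils.py.  ignore_errors keeps a failed
    # cleanup from masking the real exception from generate_certs().
    shutil.rmtree(db, ignore_errors=True)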