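#!/usr/bin/python

# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.

"""Generate the name-constraints test certificate fixtures.

Builds two roots, a set of name-constrained intermediates under them, and a
fixed family of end-entity certificates under every intermediate so that the
verifier's handling of permitted/excluded DNS and dirName constraints can be
exercised.  All generation goes through ``CertUtils.generate_cert_generic``
from ``../psm_common_py``; this file only decides the serials, names,
extension text and subjects.
"""

import tempfile, os, sys
import random
import pexpect
import subprocess
import shutil

libpath = os.path.abspath('../psm_common_py')

sys.path.append(libpath)

import CertUtils

srcdir = os.getcwd()
# Scratch directory passed to CertUtils as its db_dir.
# NOTE(review): it is never removed; ``shutil`` is imported but unused,
# presumably for an intended cleanup — confirm where CertUtils writes its
# outputs (db vs dst_dir) before adding an rmtree here.
db = tempfile.mkdtemp()

# OpenSSL x509v3 extension snippets; each ends in "\n" so they concatenate
# into one extensions section.
CA_basic_constraints = "basicConstraints = critical, CA:TRUE\n"
EE_basic_constraints = "basicConstraints = CA:FALSE\n"

CA_full_ku = ("keyUsage = keyCertSign, cRLSign\n")

authority_key_ident = "authorityKeyIdentifier = keyid, issuer\n"
subject_key_ident = "subjectKeyIdentifier = hash\n"


def generate_family(db_dir, dst_dir, ca_key, ca_cert, base_name):
    """Issue the fixed set of end-entity certs (serials 10-23) under one issuer.

    The same fourteen subject CN / subjectAltName / C+O combinations are
    issued under every intermediate, so that each intermediate's name
    constraints are tested against an identical set of leaf names.  Each
    output is named ``<case>-<base_name>``.

    Args:
        db_dir: working directory handed to CertUtils as its db_dir.
        dst_dir: directory handed to CertUtils as its dst_dir.
        ca_key: issuer key as returned by ``CertUtils.generate_cert_generic``.
        ca_cert: issuer cert as returned by ``CertUtils.generate_cert_generic``.
        base_name: suffix appended to every generated cert name, normally
            the issuing intermediate's name.
    """
    key_type = 'rsa'
    ee_ext_base = EE_basic_constraints + authority_key_ident
    san_foo_org = 'subjectAltName =DNS:*.foo.org'
    san_foo_com = 'subjectAltName =DNS:*.foo.com'
    san_foo_com_a_us = 'subjectAltName =DNS:*.foo.com,DNS:*.a.a.us,DNS:*.b.a.us'

    # (serial, output-name prefix, extra extension text, subject DN).
    # Order matters only in that it fixes the serial assignment.
    cases = [
        # CN only
        (10, 'cn-www.foo.com-', '', '/CN=www.foo.com'),
        (11, 'cn-www.foo.org-', '', '/CN=www.foo.org'),
        # CN plus a SAN for the other / the same domain
        (12, 'cn-www.foo.com-alt-foo.org-', san_foo_org, '/CN=www.foo.com'),
        (13, 'cn-www.foo.org-alt-foo.com-', san_foo_com, '/CN=www.foo.org'),
        (14, 'cn-www.foo.com-alt-foo.com-', san_foo_com, '/CN=www.foo.com'),
        (15, 'cn-www.foo.org-alt-foo.org-', san_foo_org, '/CN=www.foo.org'),
        # CN plus several SANs (foo.com, a.a.us, b.a.us)
        (16, 'cn-www.foo.com-alt-foo.com-a.a.us-b.a.us-', san_foo_com_a_us,
         '/CN=www.foo.com'),
        # Same again with C=US, O=bar in the subject (for dirName constraints)
        (17, 'cn-www.foo.com_o-bar_c-us-', '', '/C=US/O=bar/CN=www.foo.com'),
        (18, 'cn-www.foo.org_o-bar_c-us-', '', '/C=US/O=bar/CN=www.foo.org'),
        (19, 'cn-www.foo.com_o-bar_c-us-alt-foo.org-', san_foo_org,
         '/C=US/O=bar/CN=www.foo.com'),
        (20, 'cn-www.foo.org_o-bar_c-us-alt-foo.com-', san_foo_com,
         '/C=US/O=bar/CN=www.foo.org'),
        (21, 'cn-www.foo.com_o-bar_c-us-alt-foo.com-', san_foo_com,
         '/C=US/O=bar/CN=www.foo.com'),
        (22, 'cn-www.foo.org_o-bar_c-us-alt-foo.org-', san_foo_org,
         '/C=US/O=bar/CN=www.foo.org'),
        (23, 'cn-www.foo.com_o-bar_c-us-alt-foo.com-a.a.us-b.a.us-',
         san_foo_com_a_us, '/C=US/O=bar/CN=www.foo.com'),
    ]

    for serial, prefix, extra_ext, subject in cases:
        CertUtils.generate_cert_generic(db_dir,
                                        dst_dir,
                                        serial,
                                        key_type,
                                        prefix + base_name,
                                        ee_ext_base + extra_ext,
                                        ca_key,
                                        ca_cert,
                                        subject)


def self_sign_csr(db_dir, dst_dir, csr_name, key_file, serial_num, ext_text,
                  out_prefix):
    """Self-sign a CSR with openssl and write the certificate as DER.

    Args:
        db_dir: directory in which the temporary extensions file is written.
        dst_dir: directory receiving ``<out_prefix>.der``.
        csr_name: path of the CSR to sign.
        key_file: path of the private key that signs (``-signkey``).
        serial_num: serial number to set on the certificate.
        ext_text: x509v3 extension text passed via ``-extfile``.
        out_prefix: basename (without extension) of the output file.

    Returns:
        Path of the written DER certificate.

    Raises:
        subprocess.CalledProcessError: if openssl exits non-zero.  The
        previous ``os.system`` call discarded the exit status, so a failed
        signing silently produced no fixture.
    """
    extensions_filename = os.path.join(db_dir, "openssl-exts")
    with open(extensions_filename, 'w') as f:
        f.write(ext_text)
    cert_name = os.path.join(dst_dir, out_prefix + ".der")
    # Argument list, not a shell string: paths with spaces or shell
    # metacharacters are passed through unchanged and the exit status is checked.
    subprocess.check_call(["openssl", "x509", "-req", "-sha256",
                           "-days", "3650",
                           "-in", csr_name,
                           "-signkey", key_file,
                           "-set_serial", str(serial_num),
                           "-extfile", extensions_filename,
                           "-outform", "DER", "-out", cert_name])
    return cert_name


def _issue(serial, name, ext_text, issuer_key=None, issuer_cert=None,
           subject=None):
    """Call ``CertUtils.generate_cert_generic`` for one CA/intermediate cert.

    Uses the module-level ``db`` / ``srcdir`` and an RSA key.  ``issuer_key``
    and ``issuer_cert`` are passed only when given (omitting them is how the
    original calls produce a self-signed root), and ``subject`` only when
    given, so the positional argument shape seen by CertUtils is unchanged.

    Returns whatever ``generate_cert_generic`` returns (unpacked by callers
    as ``[key, cert]``; presumably file paths — see CertUtils).
    """
    args = [db, srcdir, serial, 'rsa', name, ext_text]
    if issuer_key is not None:
        args.extend([issuer_key, issuer_cert])
    if subject is not None:
        args.append(subject)
    return CertUtils.generate_cert_generic(*args)


def generate_certs():
    """Generate the roots, the constrained intermediates and their EE families.

    Serials: 1 for each root (they are distinct issuers), 101-111 for the
    intermediates, 10-23 for the EE certs under each intermediate.  The
    extension text for dirName constraints carries its own ``[dir_sect]``
    section, which is why those strings end in extra newlines.
    """
    ca_ext = CA_basic_constraints + CA_full_ku + subject_key_ident

    # Unconstrained root.
    [ca_key, ca_cert] = _issue(1, 'ca-nc', ca_ext)

    # Intermediate permitted to DNS foo.com.
    name = 'int-nc-perm-foo.com-ca-nc'
    name_constraints = "nameConstraints = permitted;DNS:foo.com\n"
    [int_key, int_cert] = _issue(101, name,
                                 ca_ext + authority_key_ident + name_constraints,
                                 ca_key, ca_cert)
    generate_family(db, srcdir, int_key, int_cert, name)

    # Intermediate with DNS foo.com excluded.
    name = 'int-nc-excl-foo.com-ca-nc'
    name_constraints = "nameConstraints = excluded;DNS:foo.com\n"
    [int_key, int_cert] = _issue(102, name,
                                 ca_ext + name_constraints + authority_key_ident,
                                 ca_key, ca_cert)
    generate_family(db, srcdir, int_key, int_cert, name)

    # Intermediate permitted to dirName C=US.
    name = 'int-nc-c-us-ca-nc'
    name_constraints = "nameConstraints = permitted;dirName:dir_sect\n[dir_sect]\nC=US\n\n\n"
    [int_key, int_cert] = _issue(103, name,
                                 ca_ext + authority_key_ident + name_constraints,
                                 ca_key, ca_cert)
    generate_family(db, srcdir, int_key, int_cert, name)

    # Sub-CA under the C=US intermediate, itself constrained to foo.com
    # (the two constraints combine along the chain).
    name = 'int-nc-foo.com-int-nc-c-us-ca-nc'
    name_constraints = "nameConstraints = permitted;DNS:foo.com\n\n\n"
    [int_key, int_cert] = _issue(104, name,
                                 ca_ext + name_constraints + authority_key_ident,
                                 int_key, int_cert,
                                 '/C=US/CN=' + name)
    generate_family(db, srcdir, int_key, int_cert, name)

    # Single intermediate permitted to both DNS foo.com and dirName C=US.
    name = 'int-nc-perm-foo.com_c-us-ca-nc'
    name_constraints = "nameConstraints = permitted;DNS:foo.com,permitted;dirName:dir_sect\n[dir_sect]\nC=US\n\n\n"
    [int_key, int_cert] = _issue(105, name,
                                 ca_ext + authority_key_ident + name_constraints,
                                 ca_key, ca_cert)
    generate_family(db, srcdir, int_key, int_cert, name)

    # Intermediate permitted to dirName C=UK: every EE must fail.
    name = 'int-nc-perm-c-uk-ca-nc'
    name_constraints = "nameConstraints = permitted;dirName:dir_sect\n[dir_sect]\nC=UK\n\n\n"
    [int_key, int_cert] = _issue(106, name,
                                 ca_ext + authority_key_ident + name_constraints,
                                 ca_key, ca_cert)
    generate_family(db, srcdir, int_key, int_cert, name)

    # Unconstrained sub-intermediate under the C=UK cert, with a C=US subject
    # that is outside the parent's permitted name space: every EE must fail.
    name = 'int-c-us-int-nc-perm-c-uk-ca-nc'
    [int_key, int_cert] = _issue(108, name,
                                 ca_ext + authority_key_ident,
                                 int_key, int_cert,
                                 '/C=US/CN=' + name)
    generate_family(db, srcdir, int_key, int_cert, name)

    # Intermediate permitted to DNS foo.com and DNS a.us.
    name = 'int-nc-foo.com_a.us'
    name_constraints = "nameConstraints = permitted;DNS:foo.com,permitted;DNS:a.us\n"
    [int_key, int_cert] = _issue(109, name,
                                 ca_ext + authority_key_ident + name_constraints,
                                 ca_key, ca_cert)
    generate_family(db, srcdir, int_key, int_cert, name)

    # Sub-CA constrained to foo.com.  Its name (and the original comment)
    # describe the signer as the foo.com/a.us intermediate above, but the
    # call passes the root key/cert, so it is actually issued by the
    # unconstrained root.
    # NOTE(review): likely meant int_key/int_cert from serial 109 — confirm
    # against the test expectations before changing, since existing fixtures
    # were produced this way.
    name = 'int-nc-foo.com-int-nc-foo.com_a.us'
    name_constraints = "nameConstraints = permitted;DNS:foo.com\n"
    [int_key, int_cert] = _issue(110, name,
                                 ca_ext + authority_key_ident + name_constraints,
                                 ca_key, ca_cert)
    generate_family(db, srcdir, int_key, int_cert, name)

    # A root that is itself name constrained to DNS foo.com.
    name_constraints = "nameConstraints = permitted;DNS:foo.com\n "
    [ca_key, ca_cert] = _issue(1, 'ca-nc-perm-foo.com',
                               ca_ext + name_constraints)

    # ...and an unconstrained intermediate under it.
    name = 'int-ca-nc-perm-foo.com'
    name_constraints = "\n"
    [int_key, int_cert] = _issue(111, name,
                                 ca_ext + name_constraints + authority_key_ident,
                                 ca_key, ca_cert)
    generate_family(db, srcdir, int_key, int_cert, name)


generate_certs()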