def generate_rsa_cert(leaf_key_size):
JAN_2015 = '150101120000Z'
JAN_2018 = '180101120000Z'
# Self-signed root certificate.
root = common.create_self_signed_root_certificate('Root')
root.set_validity_range(JAN_2015, JAN_2018)
# Intermediate certificate.
intermediate = common.create_intermediate_certificate('Intermediate', root)
intermediate.set_validity_range(JAN_2015, JAN_2018)
# Leaf certificate.
leaf = common.create_end_entity_certificate(
'RSA %d Device Cert' % leaf_key_size, intermediate)
leaf.get_extensions().set_property('extendedKeyUsage', 'clientAuth')
device_key_path = common.create_key_path(leaf.name)
leaf.set_key(common.get_or_generate_rsa_key(leaf_key_size,
device_key_path))
leaf.set_validity_range(JAN_2015, JAN_2018)
chain = [leaf, intermediate, root]
chain_description = """Cast certificate chain where device certificate uses a
%d-bit RSA key""" % leaf_key_size
# Write the certificate chain.
chain_path = 'rsa%d_device_cert.pem' % leaf_key_size
common.write_chain(chain_description, chain, chain_path)
# Write the the signed data file.
create_signatures.create_signed_data(
device_key_path,
'../signeddata/rsa%d_device_cert_data.pem' % leaf_key_size,
'../certificates/' + chain_path)
def generate_chain(intermediate_digest_algorithm):
# Self-signed root certificate.
root = common.create_self_signed_root_certificate('Root')
# Intermediate certificate.
intermediate = common.create_intermediate_certificate('Intermediate', root)
intermediate.set_signature_hash(intermediate_digest_algorithm)
intermediate.get_extensions().set_property('extendedKeyUsage', 'nsSGC')
# Target certificate.
target = common.create_end_entity_certificate('Target', intermediate)
target.get_extensions().set_property('extendedKeyUsage',
'serverAuth,clientAuth')
chain = [target, intermediate, root]
common.write_chain(__doc__, chain,
'%s-chain.pem' % intermediate_digest_algorithm)
def generate_chain(intermediate_digest_algorithm):
# Self-signed root certificate.
root = common.create_self_signed_root_certificate('Root')
# Intermediate certificate.
intermediate = common.create_intermediate_certificate('Intermediate', root)
intermediate.set_signature_hash(intermediate_digest_algorithm)
intermediate.get_extensions().set_property('extendedKeyUsage',
'nsSGC')
# Target certificate.
target = common.create_end_entity_certificate('Target', intermediate)
target.get_extensions().set_property('extendedKeyUsage',
'serverAuth,clientAuth')
chain = [target, intermediate, root]
common.write_chain(__doc__, chain,
'%s-chain.pem' % intermediate_digest_algorithm)
def generate_policies_chain(intermediate_policies, leaf_policies):
"""Creates a certificate chain and writes it to a PEM file (in the current
directory).
The chain has 3 certificates (root, intermediate, leaf). The root has no
policies extension, whereas the intermediate has policies given by
|intermediate_policies| and the leaf has policies given by |leaf_policies|.
The policies are specified as a list, with the empty list meaning no policies
extension. Values in the list should be one of the OID constants (AUDIO_ONLY,
ANY_POLICY).
The name of the generated file is a human-readable serialization of this
function's parameters.
"""
# Self-signed root certificate.
root = common.create_self_signed_root_certificate('Root')
root.set_validity_range(JAN_2015, JAN_2018)
# Intermediate certificate.
intermediate = common.create_intermediate_certificate('Intermediate', root)
set_policies_from_list(intermediate, intermediate_policies)
intermediate.set_validity_range(JAN_2015, JAN_2018)
# Leaf certificate.
leaf = common.create_end_entity_certificate('Leaf', intermediate)
set_policies_from_list(leaf, leaf_policies)
leaf.get_extensions().set_property('extendedKeyUsage', 'clientAuth')
leaf.set_validity_range(JAN_2015, JAN_2018)
chain = [leaf, intermediate, root]
chain_description = """Cast certificate chain with the following policies:
Root: policies={}
Intermediate: policies={%s}
Leaf: policies={%s}""" % (', '.join(intermediate_policies),
', '.join(leaf_policies))
chain_file_name = 'policies_ica_%s_leaf_%s.pem' % (policies_to_filename(
intermediate_policies), policies_to_filename(leaf_policies))
common.write_chain(chain_description, chain, chain_file_name)
"""
import common
# The new certs should have a newer notbefore date than "old" certs. This should
# affect path builder sorting, but otherwise won't matter.
JANUARY_2_2015_UTC = '150102120000Z'
# Self-signed root certificates. Same name, different keys.
oldroot = common.create_self_signed_root_certificate('Root')
oldroot.set_validity_range(common.JANUARY_1_2015_UTC,
common.JANUARY_1_2016_UTC)
newroot = common.create_self_signed_root_certificate('Root')
newroot.set_validity_range(JANUARY_2_2015_UTC, common.JANUARY_1_2016_UTC)
# Root with the new key signed by the old key.
newrootrollover = common.create_intermediate_certificate('Root', oldroot)
newrootrollover.set_key(newroot.get_key())
newrootrollover.set_validity_range(JANUARY_2_2015_UTC,
common.JANUARY_1_2016_UTC)
# Intermediate signed by oldroot.
oldintermediate = common.create_intermediate_certificate(
'Intermediate', oldroot)
oldintermediate.set_validity_range(common.JANUARY_1_2015_UTC,
common.JANUARY_1_2016_UTC)
# Intermediate signed by newroot. Same key as oldintermediate.
newintermediate = common.create_intermediate_certificate(
'Intermediate', newroot)
newintermediate.set_key(oldintermediate.get_key())
newintermediate.set_validity_range(JANUARY_2_2015_UTC,
common.JANUARY_1_2016_UTC)
#!/usr/bin/python
# Copyright (c) 2017 The Chromium Authors. All rights reserved.
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.
"""Certificate chain where the target certificate sets the extended key usage
to clientAuth. Neither the root nor the intermediate have an EKU."""
import sys
sys.path += ['..']
import common
# Self-signed root certificate.
root = common.create_self_signed_root_certificate('Root')
# Intermediate certificate.
intermediate = common.create_intermediate_certificate('Intermediate', root)
# Target certificate.
target = common.create_end_entity_certificate('Target', intermediate)
target.get_extensions().set_property('extendedKeyUsage', 'clientAuth')
chain = [target, intermediate, root]
common.write_chain(__doc__, chain, 'chain.pem')
def write_cert_to_file(cert, filename):
common.write_string_to_file(
"Generated by %s.\n"
"Refer to generator script docstring for details.\n%s" % (
sys.argv[0], cert.get_cert_pem()),
filename)
# Self-signed root certificate
root = common.create_self_signed_root_certificate('Root')
write_cert_to_file(root, 'root.pem')
# Intermediate certificates
i1_1 = common.create_intermediate_certificate('I1', root)
write_cert_to_file(i1_1, 'i1_1.pem')
# same name (after normalization), different key
i1_2 = common.create_intermediate_certificate('i1', root)
write_cert_to_file(i1_2, 'i1_2.pem')
# different name
i2 = common.create_intermediate_certificate('I2', root)
write_cert_to_file(i2, 'i2.pem')
# target certs
c1 = common.create_end_entity_certificate('C1', i1_1)
write_cert_to_file(c1, 'c1.pem')
#!/usr/bin/python
# Copyright (c) 2015 The Chromium Authors. All rights reserved.
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.
"""Certificate chain with 1 intermediate and a non-self-signed trust anchor.
Verification should succeed, it doesn't matter that the root was not
self-signed if it is designated as the trust anchor."""
import common
uber_root = common.create_self_signed_root_certificate('UberRoot')
# Non-self-signed root certificate (used as trust anchor)
root = common.create_intermediate_certificate('Root', uber_root)
# Intermediate certificate.
intermediate = common.create_intermediate_certificate('Intermediate', root)
# Target certificate.
target = common.create_end_entity_certificate('Target', intermediate)
chain = [target, intermediate]
trusted = common.TrustAnchor(root, constrained=True)
time = common.DEFAULT_TIME
verify_result = True
errors = None
common.write_test_file(__doc__, chain, trusted, time, verify_result, errors)
def write_cert_to_file(cert, filename):
common.write_string_to_file(
"Generated by %s.\n"
"Refer to generator script docstring for details.\n%s" % (
sys.argv[0], cert.get_cert_pem()),
filename)
# Self-signed root certificate
root = common.create_self_signed_root_certificate('Root')
write_cert_to_file(root, 'root.pem')
# Intermediate certificates
i1_1 = common.create_intermediate_certificate('I1', root)
write_cert_to_file(i1_1, 'i1_1.pem')
# same name (after normalization), different key
i1_2 = common.create_intermediate_certificate('i1', root)
write_cert_to_file(i1_2, 'i1_2.pem')
# different name
i2 = common.create_intermediate_certificate('I2', root)
write_cert_to_file(i2, 'i2.pem')
# Two intermediates with exactly the same name.
i3_1 = common.create_intermediate_certificate('I3', root)
write_cert_to_file(i3_1, 'i3_1.pem')
i3_2 = common.create_intermediate_certificate('I3', root)
write_cert_to_file(i3_2, 'i3_2.pem')
common.JANUARY_1_2021_UTC)
# Generate the keys -- the same key is used for all intermediates and end entity
# certificates.
root_key = common.get_or_generate_rsa_key(2048, common.create_key_path('root'))
i_key = common.get_or_generate_rsa_key(2048, common.create_key_path('i'))
target_key = common.get_or_generate_rsa_key(2048,
common.create_key_path('target'))
# Self-signed root certificate.
root = common.create_self_signed_root_certificate('Root')
root.set_key(root_key)
common.write_string_to_file(root.get_cert_pem(), 'root.pem')
# Intermediate certificates. All have the same subject and key.
i_base = common.create_intermediate_certificate('I', root)
i_base.set_key(i_key)
common.write_string_to_file(i_base.get_cert_pem(), 'i.pem')
i2 = common.create_intermediate_certificate('I', root)
i2.set_key(i_key)
common.write_string_to_file(i2.get_cert_pem(), 'i2.pem')
i3 = common.create_intermediate_certificate('I', root)
i3.set_key(i_key)
common.write_string_to_file(i3.get_cert_pem(), 'i3.pem')
# More Intermediate certificates, which are just to generate the proper config
# files so the target certs will have the desired Authority Information Access
# values. These ones aren't saved to files.
i_no_aia = common.create_intermediate_certificate('I', root)
#!/usr/bin/python
# Copyright (c) 2015 The Chromium Authors. All rights reserved.
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.
"""Certificate chain with 1 intermediate, a trusted root, and a target
certificate that is also a CA. Verification is expected to succeed, as the test
code accepts any target certificate."""
import common
# Self-signed root certificate (used as trust anchor).
root = common.create_self_signed_root_certificate('Root')
# Intermediate certificate.
intermediate = common.create_intermediate_certificate('Intermediate', root)
# Target certificate (is also a CA)
target = common.create_intermediate_certificate('Target', intermediate)
chain = [target, intermediate]
trusted = common.TrustAnchor(root, constrained=False)
time = common.DEFAULT_TIME
verify_result = True
common.write_test_file(__doc__, chain, trusted, time, verify_result)
#!/usr/bin/python
# Copyright (c) 2015 The Chromium Authors. All rights reserved.
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.
"""Certificate chain where the target certificate is a CA rather than an
end-entity certificate (based on the basic constraints extension)."""
import sys
sys.path += ['..']
import common
# Self-signed root certificate.
root = common.create_self_signed_root_certificate('Root')
# Intermediate certificate.
intermediate = common.create_intermediate_certificate('Intermediate', root)
# Target certificate (is also a CA)
target = common.create_intermediate_certificate('Target', intermediate)
chain = [target, intermediate, root]
common.write_chain(__doc__, chain, 'chain.pem')
# found in the LICENSE file.
"""Certificate chain with 2 intermediates. The first intermediate has a basic
constraints path length of 0. The second one is self-issued so does not count
against the path length."""
import sys
sys.path += ['..']
import common
# Self-signed root certificate (used as trust anchor).
root = common.create_self_signed_root_certificate('Root')
# Intermediate with pathlen 0
intermediate1 = common.create_intermediate_certificate('Intermediate', root)
intermediate1.get_extensions().set_property('basicConstraints',
'critical,CA:true,pathlen:0')
# Another intermediate (with the same pathlen restriction).
# Note that this is self-issued but NOT self-signed.
intermediate2 = common.create_intermediate_certificate('Intermediate',
intermediate1)
intermediate2.get_extensions().set_property('basicConstraints',
'critical,CA:true,pathlen:0')
# Target certificate.
target = common.create_end_entity_certificate('Target', intermediate2)
chain = [target, intermediate2, intermediate1, root]
common.write_chain(__doc__, chain, 'chain.pem')
#!/usr/bin/python
# Copyright (c) 2015 The Chromium Authors. All rights reserved.
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.
"""Certificate chain with 1 intermediate and a non-self-signed trust anchor.
Verification should succeed, it doesn't matter that the root was not
self-signed if it is designated as the trust anchor."""
import common
uber_root = common.create_self_signed_root_certificate('UberRoot')
# Non-self-signed root certificate (used as trust anchor)
root = common.create_intermediate_certificate('Root', uber_root)
# Intermediate certificate.
intermediate = common.create_intermediate_certificate('Intermediate', root)
# Target certificate.
target = common.create_end_entity_certificate('Target', intermediate)
chain = [target, intermediate]
trusted = common.TrustAnchor(root, constrained=True)
time = common.DEFAULT_TIME
verify_result = True
common.write_test_file(__doc__, chain, trusted, time, verify_result)
# Copyright (c) 2015 The Chromium Authors. All rights reserved.
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.
"""Certificate chain with 1 intermediate, a trusted root, and a target
certificate that is not a CA, and yet has the keyCertSign bit set. Verification
is expected to fail, since keyCertSign should only be asserted when CA is
true."""
import common
# Self-signed root certificate (used as trust anchor).
root = common.create_self_signed_root_certificate("Root")
# Intermediate certificate.
intermediate = common.create_intermediate_certificate("Intermediate", root)
# Target certificate (end entity but has keyCertSign bit set).
target = common.create_end_entity_certificate("Target", intermediate)
target.get_extensions().set_property("keyUsage", "critical,digitalSignature,keyEncipherment,keyCertSign")
chain = [target, intermediate]
trusted = common.TrustAnchor(root, constrained=False)
time = common.DEFAULT_TIME
verify_result = False
errors = """[Context] Processing Certificate
index: 1
[Error] Target certificate looks like a CA but does not set all CA properties
"""
def write_cert_to_file(cert, filename):
common.write_string_to_file(
"Generated by %s.\n"
"Refer to generator script docstring for details.\n%s" % (sys.argv[0], cert.get_cert_pem()),
filename,
)
# Self-signed root certificate
root = common.create_self_signed_root_certificate("Root")
write_cert_to_file(root, "root.pem")
# Intermediate certificates
i1_1 = common.create_intermediate_certificate("I1", root)
write_cert_to_file(i1_1, "i1_1.pem")
# same name (after normalization), different key
i1_2 = common.create_intermediate_certificate("i1", root)
write_cert_to_file(i1_2, "i1_2.pem")
# different name
i2 = common.create_intermediate_certificate("I2", root)
write_cert_to_file(i2, "i2.pem")
# Two intermediates with exactly the same name.
i3_1 = common.create_intermediate_certificate("I3", root)
write_cert_to_file(i3_1, "i3_1.pem")
i3_2 = common.create_intermediate_certificate("I3", root)
write_cert_to_file(i3_2, "i3_2.pem")
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.
"""Certificate chain with 2 intermediates and one end entity certificate. The
root certificate has a pathlen:1 restriction, and constraints are enforced
on this trust anchor making it an invalid chain."""
import common
# Self-signed root certificate (used as trust anchor).
root = common.create_self_signed_root_certificate('Root')
root.get_extensions().set_property('basicConstraints',
'critical,CA:true,pathlen:1')
# Intermediate 1 (no pathlen restriction).
intermediate1 = common.create_intermediate_certificate('Intermediate1', root)
# Intermediate 2 (no pathlen restriction).
intermediate2 = common.create_intermediate_certificate('Intermediate2',
intermediate1)
# Target certificate.
target = common.create_end_entity_certificate('Target', intermediate2)
chain = [target, intermediate2, intermediate1]
trusted = common.TrustAnchor(root, constrained=True)
time = common.DEFAULT_TIME
verify_result = False
errors = """[Context] Processing Certificate
index: 1
[Error] max_path_length reached
All of these chains should verify successfully.
"""
import common
# The new certs should have a newer notbefore date than "old" certs. This should
# affect path builder sorting, but otherwise won't matter.
JANUARY_2_2015_UTC = '150102120000Z'
# Self-signed root certificates. Same name, different keys.
oldroot = common.create_self_signed_root_certificate('Root')
oldroot.set_validity_range(common.JANUARY_1_2015_UTC, common.JANUARY_1_2016_UTC)
newroot = common.create_self_signed_root_certificate('Root')
newroot.set_validity_range(JANUARY_2_2015_UTC, common.JANUARY_1_2016_UTC)
# Root with the new key signed by the old key.
newrootrollover = common.create_intermediate_certificate('Root', oldroot)
newrootrollover.set_key(newroot.get_key())
newrootrollover.set_validity_range(JANUARY_2_2015_UTC,
common.JANUARY_1_2016_UTC)
# Intermediate signed by oldroot.
oldintermediate = common.create_intermediate_certificate('Intermediate',
oldroot)
oldintermediate.set_validity_range(common.JANUARY_1_2015_UTC,
common.JANUARY_1_2016_UTC)
# Intermediate signed by newroot. Same key as oldintermediate.
newintermediate = common.create_intermediate_certificate('Intermediate',
newroot)
newintermediate.set_key(oldintermediate.get_key())
newintermediate.set_validity_range(JANUARY_2_2015_UTC,
common.JANUARY_1_2016_UTC)
#!/usr/bin/python
# Copyright (c) 2015 The Chromium Authors. All rights reserved.
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.
"""Certificate chain where the intermediate lacks a keyUsage extension."""
import sys
sys.path += ['..']
import common
# Self-signed root certificate.
root = common.create_self_signed_root_certificate('Root')
# Intermediate that is missing keyCertSign.
intermediate = common.create_intermediate_certificate('Intermediate', root)
intermediate.get_extensions().set_property(
'keyUsage', 'critical,digitalSignature,keyEncipherment')
# Target certificate.
target = common.create_end_entity_certificate('Target', intermediate)
chain = [target, intermediate, root]
common.write_chain(__doc__, chain, 'chain.pem')
# found in the LICENSE file.
import os
import sys
sys.path += [os.path.join('..', 'verify_certificate_chain_unittest')]
import common
# Self-signed root certificate. Not saved to a .pem since the test doesn't need
# it.
root = common.create_self_signed_root_certificate('Root')
# Intermediate certificates. All have the same subject and key.
i_base = common.create_intermediate_certificate('I', root)
common.write_string_to_file(i_base.get_cert_pem(), 'i.pem')
i2 = common.create_intermediate_certificate('I', root)
i2.set_key_path(i_base.get_key_path())
common.write_string_to_file(i2.get_cert_pem(), 'i2.pem')
i3 = common.create_intermediate_certificate('I', root)
i3.set_key_path(i_base.get_key_path())
common.write_string_to_file(i3.get_cert_pem(), 'i3.pem')
# More Intermediate certificates, which are just to generate the proper config
# files so the target certs will have the desired Authority Information Access
# values. These ones aren't saved to files.
i_no_aia = common.create_intermediate_certificate('I', root)
