Ejemplo n.º 1
def generate_rsa_cert(leaf_key_size):
    """Write a Cast test chain whose device certificate holds an RSA key.

    A root, an intermediate and a leaf ("device") certificate are created,
    all with the same validity range. The leaf is limited to the clientAuth
    extended key usage and gets an RSA key of |leaf_key_size| bits. The chain
    goes to 'rsa<size>_device_cert.pem', and a signed-data file is then
    produced from the leaf's key file and that chain.

    Args:
      leaf_key_size: size in bits of the leaf's RSA key. No range check is
        applied here; the value is passed straight to
        common.get_or_generate_rsa_key().
    """
    # Validity bounds shared by every certificate in the chain.
    # NOTE(review): these look like UTCTime strings (YYMMDDHHMMSSZ) - confirm
    # against set_validity_range().
    not_before = '150101120000Z'
    not_after = '180101120000Z'

    # Trust anchor.
    root_cert = common.create_self_signed_root_certificate('Root')
    root_cert.set_validity_range(not_before, not_after)

    # Issuing CA for the device certificate.
    ica_cert = common.create_intermediate_certificate(
        'Intermediate', root_cert)
    ica_cert.set_validity_range(not_before, not_after)

    # Device certificate: client authentication only, with the RSA key under
    # test. The key path is kept because the signed data is made from it.
    device_cert = common.create_end_entity_certificate(
        'RSA %d Device Cert' % leaf_key_size, ica_cert)
    device_cert.get_extensions().set_property('extendedKeyUsage',
                                              'clientAuth')
    device_key_path = common.create_key_path(device_cert.name)
    device_key = common.get_or_generate_rsa_key(leaf_key_size,
                                                device_key_path)
    device_cert.set_key(device_key)
    device_cert.set_validity_range(not_before, not_after)

    # Leaf-first ordering, as expected by write_chain() in the other callers.
    certs = [device_cert, ica_cert, root_cert]
    description = """Cast certificate chain where device certificate uses a
  %d-bit RSA key""" % leaf_key_size

    pem_name = 'rsa%d_device_cert.pem' % leaf_key_size
    common.write_chain(description, certs, pem_name)

    # Produce the signed-data fixture that pairs with this chain.
    signed_data_path = (
        '../signeddata/rsa%d_device_cert_data.pem' % leaf_key_size)
    create_signatures.create_signed_data(
        device_key_path, signed_data_path, '../certificates/' + pem_name)
Ejemplo n.º 2
def generate_chain(intermediate_digest_algorithm):
    """Write a 3-certificate chain with a chosen intermediate signature hash.

    The intermediate is signed using |intermediate_digest_algorithm| and
    carries the 'nsSGC' extended key usage; the target carries
    'serverAuth,clientAuth'. The output file is '<algorithm>-chain.pem'.

    Args:
      intermediate_digest_algorithm: name handed to set_signature_hash() and
        used as the output file name prefix.
    """
    # Trust anchor.
    root_cert = common.create_self_signed_root_certificate('Root')

    # CA certificate whose signature digest is the variable under test.
    ica_cert = common.create_intermediate_certificate(
        'Intermediate', root_cert)
    ica_cert.set_signature_hash(intermediate_digest_algorithm)
    ica_cert.get_extensions().set_property('extendedKeyUsage', 'nsSGC')

    # End-entity certificate usable for both TLS server and client auth.
    target_cert = common.create_end_entity_certificate('Target', ica_cert)
    target_cert.get_extensions().set_property(
        'extendedKeyUsage', 'serverAuth,clientAuth')

    # __doc__ resolves to the module docstring here, not to this function's
    # docstring, so the chain description is the module-level text.
    common.write_chain(
        __doc__,
        [target_cert, ica_cert, root_cert],
        '%s-chain.pem' % intermediate_digest_algorithm)
Ejemplo n.º 3
def generate_chain(intermediate_digest_algorithm):
  """Emit '<algorithm>-chain.pem' for one intermediate digest algorithm.

  Root, intermediate and target certificates are created in that order. The
  intermediate's signature hash is |intermediate_digest_algorithm| and its
  extendedKeyUsage is 'nsSGC'; the target's extendedKeyUsage is
  'serverAuth,clientAuth'.
  """
  # Trust anchor.
  trust_anchor = common.create_self_signed_root_certificate('Root')

  # Intermediate: the digest used for its signature is what varies per call.
  issuing_ca = common.create_intermediate_certificate('Intermediate',
                                                      trust_anchor)
  issuing_ca.set_signature_hash(intermediate_digest_algorithm)
  issuing_ca.get_extensions().set_property('extendedKeyUsage', 'nsSGC')

  # Target (end-entity) certificate.
  end_entity = common.create_end_entity_certificate('Target', issuing_ca)
  end_entity.get_extensions().set_property('extendedKeyUsage',
                                           'serverAuth,clientAuth')

  # The description is the module docstring: a bare __doc__ inside a function
  # is looked up as a module global.
  certs = [end_entity, issuing_ca, trust_anchor]
  common.write_chain(__doc__, certs,
                     '%s-chain.pem' % intermediate_digest_algorithm)
Ejemplo n.º 4
def generate_policies_chain(intermediate_policies, leaf_policies):
    """Build a root/intermediate/leaf chain and write it as a PEM file.

    The root gets no policies extension. The intermediate's policies come
    from |intermediate_policies| and the leaf's from |leaf_policies|, both
    applied through set_policies_from_list(). The leaf is also restricted to
    the clientAuth extended key usage.

    Each policies argument is a list; an empty list means "no policies
    extension". Entries should be the OID constants (AUDIO_ONLY, ANY_POLICY).

    The output file name is derived from the two arguments via
    policies_to_filename(), so each parameter combination gets its own file
    in the current directory.
    """
    # Trust anchor, deliberately left without a policies extension.
    root_cert = common.create_self_signed_root_certificate('Root')
    root_cert.set_validity_range(JAN_2015, JAN_2018)

    # Issuing CA carrying the intermediate policy set.
    ica_cert = common.create_intermediate_certificate(
        'Intermediate', root_cert)
    set_policies_from_list(ica_cert, intermediate_policies)
    ica_cert.set_validity_range(JAN_2015, JAN_2018)

    # Leaf carrying its own policy set; client authentication only.
    leaf_cert = common.create_end_entity_certificate('Leaf', ica_cert)
    set_policies_from_list(leaf_cert, leaf_policies)
    leaf_cert.get_extensions().set_property('extendedKeyUsage', 'clientAuth')
    leaf_cert.set_validity_range(JAN_2015, JAN_2018)

    certs = [leaf_cert, ica_cert, root_cert]

    # Human-readable summary stored alongside the chain.
    ica_summary = ', '.join(intermediate_policies)
    leaf_summary = ', '.join(leaf_policies)
    description = """Cast certificate chain with the following policies:

  Root:           policies={}
  Intermediate:   policies={%s}
  Leaf:           policies={%s}""" % (ica_summary, leaf_summary)

    # File name encodes both policy lists.
    ica_part = policies_to_filename(intermediate_policies)
    leaf_part = policies_to_filename(leaf_policies)
    pem_name = 'policies_ica_%s_leaf_%s.pem' % (ica_part, leaf_part)

    common.write_chain(description, certs, pem_name)
Ejemplo n.º 5
#!/usr/bin/python
# Copyright (c) 2015 The Chromium Authors. All rights reserved.
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.
"""Certificate chain where the intermediate lacks a keyUsage extension."""

import sys

sys.path += ['..']

import common

# Trust anchor: self-signed root.
root = common.create_self_signed_root_certificate('Root')

# Intermediate with a critical keyUsage that lists only digitalSignature and
# keyEncipherment. keyCertSign is absent even though this certificate is the
# issuer of `target`.
# NOTE(review): the module docstring says the intermediate "lacks a keyUsage
# extension", but the extension is present and only keyCertSign is missing.
# That docstring is also the description written out by write_chain() below.
intermediate = common.create_intermediate_certificate('Intermediate', root)
intermediate.get_extensions().set_property(
    'keyUsage',
    'critical,digitalSignature,keyEncipherment',
)

# End-entity certificate issued by the intermediate above.
target = common.create_end_entity_certificate('Target', intermediate)

# Leaf-first chain, described by the module docstring.
chain = [
    target,
    intermediate,
    root,
]
common.write_chain(__doc__, chain, 'chain.pem')
Ejemplo n.º 6
#!/usr/bin/python
# Copyright (c) 2017 The Chromium Authors. All rights reserved.
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.

"""Certificate chain where the target certificate sets the extended key usage
to clientAuth. Neither the root nor the intermediate have an EKU."""

import sys
sys.path += ['..']

import common

# Trust anchor: self-signed root. No extendedKeyUsage is set on it here.
root = common.create_self_signed_root_certificate('Root')

# Intermediate, likewise left without an extendedKeyUsage by this script.
intermediate = common.create_intermediate_certificate('Intermediate', root)

# Target: the only certificate given an EKU, and it is clientAuth only.
target = common.create_end_entity_certificate('Target', intermediate)
target.get_extensions().set_property(
    'extendedKeyUsage',
    'clientAuth',
)

# Leaf-first chain, described by the module docstring.
chain = [
    target,
    intermediate,
    root,
]
common.write_chain(__doc__, chain, 'chain.pem')
Ejemplo n.º 7
    common.get_or_generate_rsa_key(2048, common.create_key_path('Target-rsa')),
    'ec':
    common.get_or_generate_ec_key('secp384r1',
                                  common.create_key_path('Target-ec'))
}

# Each target certificate below carries exactly one of these keyUsage bits.
KEY_USAGES = [
    'decipherOnly',
    'digitalSignature',
    'keyAgreement',
    'keyEncipherment',
]

# Which keyUsage is appropriate depends on both the key purpose (serverAuth
# for every certificate here) and the key type, so one chain is written per
# (key type, key usage) pair. Key types are visited in sorted order.
for key_type in sorted(KEYS):
    for key_usage in KEY_USAGES:
        # Target certificate: serverAuth EKU plus a single critical keyUsage.
        target = common.create_end_entity_certificate('Target', intermediate)
        target.get_extensions().set_property('extendedKeyUsage', 'serverAuth')
        target.get_extensions().set_property(
            'keyUsage', 'critical,' + key_usage)

        # The same key object is reused for every usage of a given key type.
        target.set_key(KEYS[key_type])

        # One output file per combination, e.g. '<type>-<usage>.pem'.
        chain = [target, intermediate, root]
        description = (
            'Certificate chain where the target uses a %s key and has '
            'the single key usage %s'
        ) % (key_type.upper(), key_usage)
        common.write_chain(
            description, chain, '%s-%s.pem' % (key_type, key_usage))
Ejemplo n.º 8
  'rsa': common.get_or_generate_rsa_key(2048,
                                        common.create_key_path('Target-rsa')),
  'ec': common.get_or_generate_ec_key('secp384r1',
                                      common.create_key_path('Target-ec'))
};

# The single keyUsage bit placed on each generated target certificate.
KEY_USAGES = [
  'decipherOnly',
  'digitalSignature',
  'keyAgreement',
  'keyEncipherment',
]

# The correct keyUsage for a certificate depends on its purpose (serverAuth
# throughout this script) and on the type of its key. Every key type is paired
# with every usage so that a verifier can be tested against each combination.
for key_type in sorted(KEYS):
  for key_usage in KEY_USAGES:
    # Target certificate with a serverAuth EKU and one critical keyUsage bit.
    target = common.create_end_entity_certificate('Target', intermediate)
    target.get_extensions().set_property('extendedKeyUsage', 'serverAuth')
    target.get_extensions().set_property('keyUsage', 'critical,' + key_usage)

    # Attach the shared key for this key type.
    target.set_key(KEYS[key_type])

    # Write the chain to '<type>-<usage>.pem'.
    chain = [target, intermediate, root]
    description = (
        'Certificate chain where the target certificate uses a %s '
        'key and has the single key usage %s'
    ) % (key_type.upper(), key_usage)
    common.write_chain(description, chain,
                       '%s-%s.pem' % (key_type, key_usage))
Ejemplo n.º 9
# Rollover certificate: issued by oldroot under the name 'Root', but carrying
# newroot's key, so it bridges the old trust anchor to the new key.
newrootrollover = common.create_intermediate_certificate('Root', oldroot)
newrootrollover.set_key(newroot.get_key())
newrootrollover.set_validity_range(
    JANUARY_2_2015_UTC, common.JANUARY_1_2016_UTC)

# Intermediate issued by oldroot.
oldintermediate = common.create_intermediate_certificate('Intermediate',
                                                         oldroot)
oldintermediate.set_validity_range(
    common.JANUARY_1_2015_UTC, common.JANUARY_1_2016_UTC)

# Intermediate issued by newroot. It reuses oldintermediate's key, so a
# signature made by one intermediate also verifies under the other.
newintermediate = common.create_intermediate_certificate('Intermediate',
                                                         newroot)
newintermediate.set_key(oldintermediate.get_key())
newintermediate.set_validity_range(
    JANUARY_2_2015_UTC, common.JANUARY_1_2016_UTC)

# Target certificate, issued by the old intermediate only.
target = common.create_end_entity_certificate('Target', oldintermediate)

# Four orderings over the same certificates, all described by the module
# docstring: the original path, two paths through the rollover certificate,
# and the path that ends at the new root.
common.write_chain(
    __doc__,
    [target, oldintermediate, oldroot],
    out_pem='oldchain.pem')
common.write_chain(
    __doc__,
    [target, newintermediate, newrootrollover, oldroot],
    out_pem='rolloverchain.pem')
common.write_chain(
    __doc__,
    [target, newintermediate, newroot, newrootrollover, oldroot],
    out_pem='longrolloverchain.pem')
common.write_chain(
    __doc__,
    [target, newintermediate, newroot],
    out_pem='newchain.pem')
Ejemplo n.º 10
# Certificate named 'Root' that holds the new root key but is signed by the
# old root key (the key-rollover link between the two trust anchors).
newrootrollover = common.create_intermediate_certificate('Root', oldroot)
newrootrollover.set_key(newroot.get_key())
newrootrollover.set_validity_range(
    JANUARY_2_2015_UTC,
    common.JANUARY_1_2016_UTC,
)

# Intermediate signed by oldroot.
oldintermediate = common.create_intermediate_certificate(
    'Intermediate', oldroot)
oldintermediate.set_validity_range(
    common.JANUARY_1_2015_UTC,
    common.JANUARY_1_2016_UTC,
)

# Intermediate signed by newroot, sharing oldintermediate's key. Certificates
# issued by either intermediate therefore verify against both.
newintermediate = common.create_intermediate_certificate(
    'Intermediate', newroot)
newintermediate.set_key(oldintermediate.get_key())
newintermediate.set_validity_range(
    JANUARY_2_2015_UTC,
    common.JANUARY_1_2016_UTC,
)

# Target certificate, signed by oldintermediate.
target = common.create_end_entity_certificate('Target', oldintermediate)

# Write the four chain variants; each uses the module docstring as its
# description and lists certificates leaf-first.
common.write_chain(
    __doc__, [target, oldintermediate, oldroot],
    out_pem='oldchain.pem')
common.write_chain(
    __doc__, [target, newintermediate, newrootrollover, oldroot],
    out_pem='rolloverchain.pem')
common.write_chain(
    __doc__, [target, newintermediate, newroot, newrootrollover, oldroot],
    out_pem='longrolloverchain.pem')
common.write_chain(
    __doc__, [target, newintermediate, newroot],
    out_pem='newchain.pem')