Ejemplo n.º 1
def make_chain(name, doc, excluded, permitted, sans):
    """Write '<name>.pem': a target -> intermediate -> root test chain.

    The intermediate receives the name constraints under test and the target
    receives the subjectAltNames that those constraints are checked against.

    Args:
        name: Base name of the output file; '.pem' is appended.
        doc: Description handed to gencerts.write_chain.
        excluded: Keyword arguments forwarded to
            add_excluded_name_constraints for the intermediate.
        permitted: Keyword arguments forwarded to
            add_permitted_name_constraints for the intermediate.
        sans: Keyword arguments forwarded to add_sans for the target.
    """
    # `root`, `intermediate_key` and `target_key` are module-level names
    # defined outside this function; presumably the keys are shared so every
    # generated chain reuses the same key material -- confirm at the caller.
    constrained_ca = gencerts.create_intermediate_certificate(
        'Intermediate', root)
    constrained_ca.set_key(intermediate_key)
    # Excluded subtrees are added before permitted ones, as in the original.
    add_excluded_name_constraints(constrained_ca, **excluded)
    add_permitted_name_constraints(constrained_ca, **permitted)

    # End-entity certificate 't0', issued by the constrained intermediate.
    leaf = gencerts.create_end_entity_certificate('t0', constrained_ca)
    leaf.set_key(target_key)
    add_sans(leaf, **sans)

    # Chain order is leaf first, trust anchor last.
    gencerts.write_chain(doc, [leaf, constrained_ca, root], '%s.pem' % name)
Ejemplo n.º 2
def generate_chain(intermediate_digest_algorithm):
    """Write '<algorithm>-chain.pem' for one intermediate signature hash.

    The intermediate's extendedKeyUsage is 'nsSGC' (OpenSSL's short name for
    Netscape Server Gated Crypto) while the target asks for serverAuth and
    clientAuth, so the generated chain lets a verifier's handling of that
    legacy EKU be checked per digest algorithm. The expected verification
    result is not visible here -- confirm against the consuming test.

    Args:
        intermediate_digest_algorithm: Hash name passed to
            set_signature_hash on the intermediate; also used as the
            output file prefix.
    """
    # Trust anchor.
    trust_anchor = gencerts.create_self_signed_root_certificate('Root')

    # Issuing CA whose signature hash and EKU are the properties under test.
    issuing_ca = gencerts.create_intermediate_certificate(
        'Intermediate', trust_anchor)
    issuing_ca.set_signature_hash(intermediate_digest_algorithm)
    issuing_ca.get_extensions().set_property('extendedKeyUsage', 'nsSGC')

    # End-entity certificate.
    leaf = gencerts.create_end_entity_certificate('Target', issuing_ca)
    leaf.get_extensions().set_property('extendedKeyUsage',
                                       'serverAuth,clientAuth')

    # `__doc__` resolves to the module docstring here, not to this function's.
    out_pem = '%s-chain.pem' % intermediate_digest_algorithm
    gencerts.write_chain(__doc__, [leaf, issuing_ca, trust_anchor], out_pem)
Ejemplo n.º 3
def generate_chain(intermediate_digest_algorithm):
    """Write '<algorithm>-chain.pem' for one intermediate signature hash.

    The intermediate's extendedKeyUsage is 'nsSGC' (OpenSSL's short name for
    Netscape Server Gated Crypto); the target asks for serverAuth and
    clientAuth and carries the subjectAltName 'DNS:test.example'. The
    expected verification result is not visible here -- confirm against the
    consuming test.

    Args:
        intermediate_digest_algorithm: Hash name passed to
            set_signature_hash on the intermediate; also used as the
            output file prefix.
    """
    # Trust anchor.
    trust_anchor = gencerts.create_self_signed_root_certificate('Root')

    # Issuing CA whose signature hash and EKU are the properties under test.
    issuing_ca = gencerts.create_intermediate_certificate(
        'Intermediate', trust_anchor)
    issuing_ca.set_signature_hash(intermediate_digest_algorithm)
    issuing_ca.get_extensions().set_property('extendedKeyUsage', 'nsSGC')

    # End-entity certificate.
    leaf = gencerts.create_end_entity_certificate('Target', issuing_ca)
    leaf_extensions_eku = 'serverAuth,clientAuth'
    leaf.get_extensions().set_property('extendedKeyUsage', leaf_extensions_eku)
    # TODO(eroman): Set subjectAltName by default rather than specifically in
    # this test.
    leaf.get_extensions().set_property('subjectAltName', 'DNS:test.example')

    # `__doc__` resolves to the module docstring here, not to this function's.
    out_pem = '%s-chain.pem' % intermediate_digest_algorithm
    gencerts.write_chain(__doc__, [leaf, issuing_ca, trust_anchor], out_pem)
Ejemplo n.º 4
#!/usr/bin/python
# Copyright (c) 2015 The Chromium Authors. All rights reserved.
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.
"""Certificate chain where the intermediate has an unknown critical
extension."""

import sys
sys.path += ['../..']

import gencerts

# Generates chain.pem (target, intermediate, root) in which only the
# intermediate is unusual.

# Self-signed root certificate.
root = gencerts.create_self_signed_root_certificate('Root')

# Intermediate that has an unknown critical extension.
# '1.2.3.4' is an arbitrary OID, and the value marks the extension critical
# with four raw bytes (this looks like OpenSSL's "critical,DER:<hex>" config
# syntax -- confirm against gencerts). RFC 5280 section 4.2 requires a
# verifier to reject a certificate carrying a critical extension it does not
# recognize, so this chain is presumably a negative test for the verifier.
intermediate = gencerts.create_intermediate_certificate('Intermediate', root)
intermediate.get_extensions().add_property('1.2.3.4',
                                           'critical,DER:01:02:03:04')

# Target certificate.
target = gencerts.create_end_entity_certificate('Target', intermediate)

# Leaf first, trust anchor last; the module docstring is the description.
chain = [target, intermediate, root]
gencerts.write_chain(__doc__, chain, 'chain.pem')
Ejemplo n.º 5
# Rollover (cross) certificate: subject name 'Root', issued by oldroot, but
# carrying newroot's key. It lets a path that reaches newroot's key continue
# on to oldroot (see rolloverchain.pem below).
# NOTE(review): `oldroot`, `newroot` and JANUARY_2_2015_UTC are defined
# outside this excerpt; JANUARY_2_2015_UTC is a local name, unlike the
# gencerts.* date constants.
newrootrollover = gencerts.create_intermediate_certificate('Root', oldroot)
newrootrollover.set_key(newroot.get_key())
newrootrollover.set_validity_range(JANUARY_2_2015_UTC,
                                   gencerts.JANUARY_1_2016_UTC)

# Intermediate signed by oldroot.
oldintermediate = gencerts.create_intermediate_certificate(
    'Intermediate', oldroot)
oldintermediate.set_validity_range(gencerts.JANUARY_1_2015_UTC,
                                   gencerts.JANUARY_1_2016_UTC)
# Intermediate signed by newroot. Same key as oldintermediate.
# Same subject name and key means a certificate issued by either
# intermediate chains through both of them.
newintermediate = gencerts.create_intermediate_certificate(
    'Intermediate', newroot)
newintermediate.set_key(oldintermediate.get_key())
newintermediate.set_validity_range(JANUARY_2_2015_UTC,
                                   gencerts.JANUARY_1_2016_UTC)

# Target certificate.
# Issued by oldintermediate, yet also written into chains that use
# newintermediate, which shares its name and key.
target = gencerts.create_end_entity_certificate('Target', oldintermediate)

# Four orderings of the same target: old path only, rollover path ending at
# oldroot, a longer path that also includes newroot before the rollover
# certificate, and new path only.
gencerts.write_chain(__doc__, [target, oldintermediate, oldroot],
                     out_pem="oldchain.pem")
gencerts.write_chain(__doc__,
                     [target, newintermediate, newrootrollover, oldroot],
                     out_pem="rolloverchain.pem")
gencerts.write_chain(
    __doc__, [target, newintermediate, newroot, newrootrollover, oldroot],
    out_pem="longrolloverchain.pem")
gencerts.write_chain(__doc__, [target, newintermediate, newroot],
                     out_pem="newchain.pem")
Ejemplo n.º 6
# NOTE(review): `root`, DATE_A/B/C/Z, int_different_ski_a and the
# int_matching_ski_* certificates are created outside this excerpt, as is
# whatever makes the subjectKeyIdentifier "different" or "matching".
int_different_ski_a.set_validity_range(DATE_A, DATE_Z)

# Variants b and c: same subject name ('Intermediate'), same issuer and the
# same key as int_different_ski_a; only notBefore differs (DATE_B, DATE_C).
int_different_ski_b = gencerts.create_intermediate_certificate(
    'Intermediate', root)
int_different_ski_b.set_validity_range(DATE_B, DATE_Z)
int_different_ski_b.set_key(int_different_ski_a.get_key())

int_different_ski_c = gencerts.create_intermediate_certificate(
    'Intermediate', root)
int_different_ski_c.set_validity_range(DATE_C, DATE_Z)
int_different_ski_c.set_key(int_different_ski_a.get_key())

# The target is issued by the matching-SKI intermediate (variant a).
target = gencerts.create_end_entity_certificate('Target', int_matching_ski_a)
target.set_validity_range(DATE_A, DATE_Z)

# Each certificate goes into its own single-certificate file, so a consuming
# test can offer the candidate issuers to a path builder in any combination.
gencerts.write_chain('The root', [root], out_pem='root.pem')

gencerts.write_chain(
    'Intermediate with matching subjectKeyIdentifier and notBefore A',
    [int_matching_ski_a],
    out_pem='int_matching_ski_a.pem')

gencerts.write_chain(
    'Intermediate with matching subjectKeyIdentifier and notBefore B',
    [int_matching_ski_b],
    out_pem='int_matching_ski_b.pem')

gencerts.write_chain(
    'Intermediate with matching subjectKeyIdentifier and notBefore C',
    [int_matching_ski_c],
    out_pem='int_matching_ski_c.pem')
Ejemplo n.º 7
# NOTE(review): `root` and DATE_A..DATE_D are defined outside this excerpt;
# the variable names suggest A < B < C < D -- confirm.
root.set_validity_range(DATE_A, DATE_D)

# Four intermediates with the same subject name, issuer and key (int_ac's),
# covering every notBefore/notAfter combination of {A, B} x {C, D}. Any of
# them can verify the target's signature, so they differ only by validity.
int_ac = gencerts.create_intermediate_certificate('Intermediate', root)
int_ac.set_validity_range(DATE_A, DATE_C)

int_ad = gencerts.create_intermediate_certificate('Intermediate', root)
int_ad.set_validity_range(DATE_A, DATE_D)
int_ad.set_key(int_ac.get_key())

int_bc = gencerts.create_intermediate_certificate('Intermediate', root)
int_bc.set_validity_range(DATE_B, DATE_C)
int_bc.set_key(int_ac.get_key())

int_bd = gencerts.create_intermediate_certificate('Intermediate', root)
int_bd.set_validity_range(DATE_B, DATE_D)
int_bd.set_key(int_ac.get_key())

# The target is issued by int_ac but is valid for the full A..D range.
target = gencerts.create_end_entity_certificate('Target', int_ac)
target.set_validity_range(DATE_A, DATE_D)

# One certificate per file, so the consuming test decides which candidate
# issuers are available to the path builder.
gencerts.write_chain('The root', [root], out_pem='root.pem')
gencerts.write_chain('Intermediate with validity range A..C', [int_ac],
                     out_pem='int_ac.pem')
gencerts.write_chain('Intermediate with validity range A..D', [int_ad],
                     out_pem='int_ad.pem')
gencerts.write_chain('Intermediate with validity range B..C', [int_bc],
                     out_pem='int_bc.pem')
gencerts.write_chain('Intermediate with validity range B..D', [int_bd],
                     out_pem='int_bd.pem')
gencerts.write_chain('The target', [target], out_pem='target.pem')
Ejemplo n.º 8
import sys
sys.path += ['../..']

import gencerts

# Validity timestamps in UTCTime form (YYMMDDHHMMSSZ): DATE_B is one day
# after DATE_A, and DATE_Z is the shared notAfter.
DATE_A = '150101120000Z'
DATE_B = '150102120000Z'
DATE_Z = '180101120000Z'

# Two independent self-signed roots with identical validity.
root1 = gencerts.create_self_signed_root_certificate('Root1')
root1.set_validity_range(DATE_A, DATE_Z)

root2 = gencerts.create_self_signed_root_certificate('Root2')
root2.set_validity_range(DATE_A, DATE_Z)

# Cross-certificate: subject name 'Root1' and root1's key, but issued by
# root2 and with the later notBefore (DATE_B). A certificate issued by root1
# therefore has two candidate issuers: root1 itself and this one.
root1_cross = gencerts.create_intermediate_certificate('Root1', root2)
root1_cross.set_key(root1.get_key())
root1_cross.set_validity_range(DATE_B, DATE_Z)

# The target is issued directly by root1; there is no intermediate.
target = gencerts.create_end_entity_certificate('Target', root1)
target.set_validity_range(DATE_A, DATE_Z)

# One certificate per file, so the consuming test chooses which roots are
# trusted and which certificates are merely available for path building.
gencerts.write_chain('Root1', [root1], out_pem='root1.pem')
gencerts.write_chain('Root2', [root2], out_pem='root2.pem')
gencerts.write_chain(
    'Root1 cross-signed by Root2, with a newer notBefore date'
    ' than Root1', [root1_cross],
    out_pem='root1_cross.pem')
gencerts.write_chain('Target', [target], out_pem='target.pem')
Ejemplo n.º 9
# NOTE(review): `root`, `root2`, `int_matching` and DATE_A/B/C/Z are defined
# outside this excerpt.

# Same subject name and key as int_matching, but issued by root2, so both
# the issuer name and the serial differ from int_matching's.
int_mismatch = gencerts.create_intermediate_certificate('Intermediate', root2)
int_mismatch.set_key(int_matching.get_key())
int_mismatch.set_validity_range(DATE_C, DATE_Z)

# Same subject name, key and issuer (root) as int_matching; per the
# description below, only the serial differs.
int_match_name_only = gencerts.create_intermediate_certificate(
    'Intermediate', root)
int_match_name_only.set_key(int_matching.get_key())
int_match_name_only.set_validity_range(DATE_B, DATE_Z)

# Set on int_matching's signing section before the target is created.
# In OpenSSL config syntax 'issuer:always' puts the issuer name and serial
# number into authorityKeyIdentifier; presumably it applies to certificates
# int_matching signs, i.e. the target -- confirm against gencerts.
section = int_matching.config.get_section('signing_ca_ext')
section.set_property('authorityKeyIdentifier', 'issuer:always')
target = gencerts.create_end_entity_certificate('Target', int_matching)
target.set_validity_range(DATE_A, DATE_Z)

# One certificate per file, so the consuming test controls which candidate
# issuers the path builder sees.
gencerts.write_chain('The 1st root', [root], out_pem='root.pem')
gencerts.write_chain('The 2nd root', [root2], out_pem='root2.pem')

gencerts.write_chain('Intermediate with matching issuer name & serial',
                     [int_matching],
                     out_pem='int_matching.pem')

gencerts.write_chain('Intermediate with different issuer name & serial',
                     [int_mismatch],
                     out_pem='int_mismatch.pem')

gencerts.write_chain('Intermediate with same issuer name & different serial',
                     [int_match_name_only],
                     out_pem='int_match_name_only.pem')

gencerts.write_chain('The target', [target], out_pem='target.pem')
Ejemplo n.º 10
    'ec':
    gencerts.get_or_generate_ec_key('secp384r1',
                                    gencerts.create_key_path('Target-ec'))
}

# Each value is used on its own as the target's only keyUsage bit.
KEY_USAGES = [
    'decipherOnly',
    'digitalSignature',
    'keyAgreement',
    'keyEncipherment',
]

# Which keyUsage is appropriate depends on both the key purpose (serverAuth
# here) and the key type, so one chain is emitted per (key type, key usage)
# pair. RFC 5280 leaves decipherOnly undefined without keyAgreement, so that
# combination is an odd case rather than a realistic one.
# `KEYS`, `intermediate` and `root` are defined outside this excerpt.
for key_type in sorted(KEYS):
    for key_usage in KEY_USAGES:
        # A fresh end-entity certificate for this combination.
        target = gencerts.create_end_entity_certificate('Target', intermediate)
        target.get_extensions().set_property('extendedKeyUsage', 'serverAuth')
        # keyUsage is marked critical and holds exactly one usage bit.
        target.get_extensions().set_property('keyUsage',
                                             'critical,' + key_usage)

        # Attach the key of the type being iterated.
        target.set_key(KEYS[key_type])

        # Emit '<key type>-<key usage>.pem', leaf first and root last.
        description = (
            'Certificate chain where the target certificate uses a %s '
            'key and has the single key usage %s' % (key_type.upper(),
                                                     key_usage))
        chain = [target, intermediate, root]
        out_pem = '%s-%s.pem' % (key_type, key_usage)
        gencerts.write_chain(description, chain, out_pem)