def generate_certs():
    """Create the EV test chains and register them in the NSS database.

    Fixtures are produced in this order:

    1. An intermediate / end-entity pair ("ev-valid") issued from the root
       files evroot.der / evroot.key.
    2. An end-entity cert ("no-ocsp-url-cert") under that intermediate whose
       AIA extension lists only a caIssuers URI, so it names no OCSP
       responder.
    3. A second root ("non-evroot-ca") and an intermediate / end-entity
       pair ("non-ev-root") chained to it.

    Depends on module-level names defined elsewhere in the file (db, srcdir,
    the extension-text constants, init_nss_db, import_cert_and_pkcs12,
    import_untrusted_cert).
    """
    init_nss_db()

    root_cert = 'evroot.der'
    root_key = 'evroot.key'
    algorithm = 'rsa'

    # Extension text shared by every leaf / every intermediate built here.
    leaf_base = (EE_basic_constraints + EE_full_ku + Server_eku +
                 authority_key_ident)
    ca_base = (CA_basic_constraints + EE_full_ku + CA_eku +
               authority_key_ident)

    # --- chain under evroot -------------------------------------------
    chain = "ev-valid"
    int_nick = "int-" + chain
    leaf_exts = (leaf_base + aia_prefix + chain + aia_suffix +
                 endentity_crl + mozilla_testing_ev_policy)
    inter_exts = (ca_base + subject_key_ident + aia_prefix + int_nick +
                  aia_suffix + intermediate_crl + mozilla_testing_ev_policy)
    inter_key, inter_cert, _leaf_key, leaf_cert = (
        CertUtils.generate_int_and_ee(db, srcdir, root_key, root_cert, chain,
                                      inter_exts, leaf_exts, algorithm))
    bundle = CertUtils.generate_pkcs12(db, srcdir, inter_cert, inter_key,
                                       int_nick)
    # ",," is presumably an NSS trust string with no trust bits set in any
    # of its three fields: the intermediate is available for path building
    # but is not itself a trust anchor.
    import_cert_and_pkcs12(inter_cert, bundle, int_nick, ",,")
    import_untrusted_cert(leaf_cert, chain)

    # --- leaf whose AIA has no OCSP URL -------------------------------
    aia_without_ocsp = ("authorityInfoAccess =" +
                        "caIssuers;URI:http://www.example.com/ca.html\n")
    no_ocsp_exts = (leaf_base + aia_without_ocsp + endentity_crl +
                    mozilla_testing_ev_policy)
    # Serial comes from the non-cryptographic `random` module. Adequate for
    # throwaway fixtures; not a pattern for real issuance.
    serial = random.randint(100, 40000000)
    _no_ocsp_key, no_ocsp_cert = CertUtils.generate_cert_generic(
        db, srcdir, serial, algorithm, 'no-ocsp-url-cert', no_ocsp_exts,
        inter_key, inter_cert)
    import_untrusted_cert(no_ocsp_cert, 'no-ocsp-url-cert')

    # --- a second root, distinct from evroot --------------------------
    other_key, other_cert = CertUtils.generate_cert_generic(
        db, srcdir, 1, 'rsa', 'non-evroot-ca',
        CA_basic_constraints + EE_full_ku + authority_key_ident)
    bundle = CertUtils.generate_pkcs12(db, srcdir, other_cert, other_key,
                                       "non-evroot-ca")
    # "C,C,C" in NSS trust notation marks a trusted CA in all three fields,
    # so chains to this root can validate even though it is not evroot.
    import_cert_and_pkcs12(other_cert, bundle, "non-evroot-ca", "C,C,C")

    chain = "non-ev-root"
    int_nick = "int-" + chain
    leaf_exts = (leaf_base + aia_prefix + chain + aia_suffix +
                 endentity_crl + mozilla_testing_ev_policy)
    # Same pieces as the first intermediate, but subject_key_ident sits
    # after the CRL text here; the order is kept exactly as written.
    inter_exts = (ca_base + aia_prefix + int_nick + aia_suffix +
                  intermediate_crl + subject_key_ident +
                  mozilla_testing_ev_policy)
    inter_key, inter_cert, _leaf_key, leaf_cert = (
        CertUtils.generate_int_and_ee(db, srcdir, other_key, other_cert,
                                      chain, inter_exts, leaf_exts,
                                      algorithm))
    bundle = CertUtils.generate_pkcs12(db, srcdir, inter_cert, inter_key,
                                       int_nick)
    import_cert_and_pkcs12(inter_cert, bundle, int_nick, ",,")
    import_untrusted_cert(leaf_cert, chain)
def generate_certs():
    """Generate two intermediate / end-entity chains for the EV tests.

    The first chain ("ev-valid") is issued from evroot.der / evroot.key. The
    second ("non-ev-root") is issued from a root created here under the
    nickname "non-evroot-ca" and imported with trust string "C,C,C".

    All helpers and extension-text constants are module-level names defined
    outside this function.
    """
    init_nss_db()
    key_type = 'rsa'

    def issue_chain(issuer_key, issuer_cert, label, int_exts, ee_exts):
        # Issue intermediate + leaf, then import both. The intermediate goes
        # in with ",," (presumably: no NSS trust bits), the leaf through
        # import_untrusted_cert.
        nickname = "int-" + label
        [i_key, i_cert, _e_key, e_cert] = CertUtils.generate_int_and_ee(
            db, srcdir, issuer_key, issuer_cert, label, int_exts, ee_exts,
            key_type)
        p12 = CertUtils.generate_pkcs12(db, srcdir, i_cert, i_key, nickname)
        import_cert_and_pkcs12(i_cert, p12, nickname, ",,")
        import_untrusted_cert(e_cert, label)

    # Chain rooted at the EV root.
    label = "ev-valid"
    ee_exts = (EE_basic_constraints + EE_full_ku + Server_eku +
               authority_key_ident + aia_prefix + label + aia_suffix +
               endentity_crl + mozilla_testing_ev_policy)
    int_exts = (CA_basic_constraints + EE_full_ku + CA_eku +
                authority_key_ident + subject_key_ident + aia_prefix +
                "int-" + label + aia_suffix + intermediate_crl +
                mozilla_testing_ev_policy)
    issue_chain('evroot.key', 'evroot.der', label, int_exts, ee_exts)

    # A separate root with a fixed serial of 1. "C,C,C" is NSS notation for
    # a trusted CA in all three trust fields, so this root is a trust anchor
    # that is distinct from evroot.
    [plain_root_key, plain_root_cert] = CertUtils.generate_cert_generic(
        db, srcdir, 1, 'rsa', 'non-evroot-ca',
        CA_basic_constraints + EE_full_ku + authority_key_ident)
    root_p12 = CertUtils.generate_pkcs12(db, srcdir, plain_root_cert,
                                         plain_root_key, "non-evroot-ca")
    import_cert_and_pkcs12(plain_root_cert, root_p12, "non-evroot-ca",
                           "C,C,C")

    # Chain rooted at that second root. The certs still carry the testing EV
    # policy text even though the issuer is not evroot.
    label = "non-ev-root"
    ee_exts = (EE_basic_constraints + EE_full_ku + Server_eku +
               authority_key_ident + aia_prefix + label + aia_suffix +
               endentity_crl + mozilla_testing_ev_policy)
    int_exts = (CA_basic_constraints + EE_full_ku + CA_eku +
                authority_key_ident + aia_prefix + "int-" + label +
                aia_suffix + intermediate_crl + subject_key_ident +
                mozilla_testing_ev_policy)
    issue_chain(plain_root_key, plain_root_cert, label, int_exts, ee_exts)
def generate_certs():
    """Build, for each entry of pk_name, one valid chain and two tampered ones.

    For every (name, key_type) pair the function issues a root "ca-<name>",
    a valid intermediate / end-entity pair "<name>-valid", a chain whose
    intermediate is passed to tamper_cert after the leaf is signed, and a
    chain whose leaf is passed to tamper_cert.

    tamper_cert, pk_name, db, srcdir and the extension constants are
    module-level names defined elsewhere.
    """
    CertUtils.init_dsa(db)
    leaf_exts = EE_basic_constraints + EE_full_ku

    for label, algo in pk_name.iteritems():
        # Serials come from the non-cryptographic `random` module; fine for
        # fixtures, and a collision under one issuer is possible in
        # principle.
        root_key, root_cert = CertUtils.generate_cert_generic(
            db, srcdir, random.randint(100, 4000000), algo, "ca-" + label,
            CA_basic_constraints + CA_min_ku)

        # Untampered reference chain. Its leaf is not used again below.
        good_int_key, good_int_cert, _leaf_key, _leaf_cert = (
            CertUtils.generate_int_and_ee(db, srcdir, root_key, root_cert,
                                          label + "-valid",
                                          CA_basic_constraints, leaf_exts,
                                          algo))

        # NOTE(review): this intermediate gets the end-entity extension text,
        # not CA_basic_constraints. If that makes it a non-CA, validation
        # could fail for that reason regardless of tampering; confirm this
        # is intended.
        bad_int_key, bad_int_cert = CertUtils.generate_cert_generic(
            db, srcdir, random.randint(100, 4000000), algo,
            "int-" + label + "-tampered", leaf_exts, root_key, root_cert)
        CertUtils.generate_cert_generic(
            db, srcdir, random.randint(100, 4000000), algo,
            label + "-tampered-int-valid-ee", leaf_exts, bad_int_key,
            bad_int_cert)
        # Tamper only after the leaf exists, so the leaf is issued while the
        # intermediate is still intact.
        tamper_cert(bad_int_cert)

        # Valid intermediate, leaf altered after issuance.
        _leaf_key, leaf_cert = CertUtils.generate_cert_generic(
            db, srcdir, random.randint(100, 4000000), algo,
            label + "-valid-int-tampered-ee", leaf_exts, good_int_key,
            good_int_cert)
        tamper_cert(leaf_cert)
def generate_certs():
    """Generate valid and tampered chains for every key type in pk_name.

    Same sequence per key type: root, valid intermediate + leaf, a leaf
    under an intermediate that is then handed to tamper_cert, and a leaf
    under the valid intermediate that is itself handed to tamper_cert.
    In this variant the end-entity extension text is the empty string.

    Uses module-level names defined elsewhere (pk_name, db, srcdir,
    tamper_cert, CA_basic_constraints, CA_min_ku).
    """
    CertUtils.init_dsa(db)
    no_exts = ""

    def next_serial():
        # Non-cryptographic randomness; acceptable only because these are
        # throwaway test certificates.
        return random.randint(100, 4000000)

    for name, key_type in pk_name.iteritems():
        ca_key, ca_cert = CertUtils.generate_cert_generic(
            db, srcdir, next_serial(), key_type, "ca-" + name,
            CA_basic_constraints + CA_min_ku)

        issued = CertUtils.generate_int_and_ee(
            db, srcdir, ca_key, ca_cert, name + "-valid",
            CA_basic_constraints, no_exts, key_type)
        # Four values come back; only the intermediate's key and cert are
        # reused further down.
        valid_int_key, valid_int_cert, _unused_key, _unused_cert = issued

        # NOTE(review): the to-be-tampered intermediate is issued with an
        # empty extension string, so it carries no CA basic constraints from
        # this call. Confirm the test does not fail for that reason rather
        # than for the tampering.
        tampered_int_key, tampered_int_cert = CertUtils.generate_cert_generic(
            db, srcdir, next_serial(), key_type,
            "int-" + name + "-tampered", no_exts, ca_key, ca_cert)
        CertUtils.generate_cert_generic(
            db, srcdir, next_serial(), key_type,
            name + "-tampered-int-valid-ee", no_exts, tampered_int_key,
            tampered_int_cert)
        # The intermediate is altered only once its leaf has been issued.
        tamper_cert(tampered_int_cert)

        _ee_key, ee_cert = CertUtils.generate_cert_generic(
            db, srcdir, next_serial(), key_type,
            name + "-valid-int-tampered-ee", no_exts, valid_int_key,
            valid_int_cert)
        tamper_cert(ee_cert)
def generate_certs():
    """Produce the EV fixtures, including the anyPolicy-intermediate case.

    Order of work:

    1. "ev-valid": intermediate + leaf under evroot.der / evroot.key.
    2. "no-ocsp-url-cert": leaf under that intermediate whose AIA text holds
       only a caIssuers URI.
    3. "ev-valid-anypolicy-int": a chain under evroot whose intermediate
       uses anypolicy_policy instead of the testing EV policy text.
    4. "non-evroot-ca" root and a "non-ev-root" chain beneath it.

    Helpers and extension constants are module-level names defined outside
    this function.
    """
    init_nss_db()

    evroot_cert = 'evroot.der'
    evroot_key = 'evroot.key'
    rsa = 'rsa'

    def leaf_extensions(label):
        # AIA and CRL text for a leaf, plus the testing EV policy.
        return (aia_prefix + label + aia_suffix + endentity_crl +
                mozilla_testing_ev_policy)

    def intermediate_extensions(label, policy_text):
        # CA extensions, AIA and CRL text for "int-<label>", then the policy.
        return (CA_extensions + aia_prefix + "int-" + label + aia_suffix +
                intermediate_crl + policy_text)

    def publish(inter_cert, inter_key, leaf_cert, label):
        # ",," is presumably an empty NSS trust string, so the intermediate
        # is imported without being made a trust anchor.
        nick = "int-" + label
        p12 = CertUtils.generate_pkcs12(db, srcdir, inter_cert, inter_key,
                                        nick)
        import_cert_and_pkcs12(inter_cert, p12, nick, ",,")
        import_untrusted_cert(leaf_cert, label)

    # 1. Chain under evroot.
    label = "ev-valid"
    leaf_text = leaf_extensions(label)
    inter_text = intermediate_extensions(label, mozilla_testing_ev_policy)
    inter_key, inter_cert, _k, leaf_cert = CertUtils.generate_int_and_ee(
        db, srcdir, evroot_key, evroot_cert, label, inter_text, leaf_text,
        rsa)
    publish(inter_cert, inter_key, leaf_cert, label)

    # 2. Leaf whose AIA has no OCSP URL, issued by the intermediate above.
    #    The serial is drawn from the non-cryptographic `random` module.
    aia_no_ocsp = ("authorityInfoAccess =" +
                   "caIssuers;URI:http://www.example.com/ca.html\n")
    _k, no_ocsp_cert = CertUtils.generate_cert_generic(
        db, srcdir, random.randint(100, 40000000), rsa, 'no-ocsp-url-cert',
        aia_no_ocsp + endentity_crl + mozilla_testing_ev_policy,
        inter_key, inter_cert)
    import_untrusted_cert(no_ocsp_cert, 'no-ocsp-url-cert')

    # 3. EV leaf whose intermediate carries the anyPolicy text.
    label = "ev-valid-anypolicy-int"
    leaf_text = leaf_extensions(label)
    inter_text = intermediate_extensions(label, anypolicy_policy)
    inter_key, inter_cert, _k, leaf_cert = CertUtils.generate_int_and_ee(
        db, srcdir, evroot_key, evroot_cert, label, inter_text, leaf_text,
        rsa)
    publish(inter_cert, inter_key, leaf_cert, label)

    # 4. A root other than evroot, imported with "C,C,C" (NSS notation for
    #    a trusted CA in all three fields), and a chain beneath it.
    plain_key, plain_cert = CertUtils.generate_cert_generic(
        db, srcdir, 1, 'rsa', 'non-evroot-ca', CA_extensions)
    p12 = CertUtils.generate_pkcs12(db, srcdir, plain_cert, plain_key,
                                    "non-evroot-ca")
    import_cert_and_pkcs12(plain_cert, p12, "non-evroot-ca", "C,C,C")

    label = "non-ev-root"
    leaf_text = leaf_extensions(label)
    inter_text = intermediate_extensions(label, mozilla_testing_ev_policy)
    inter_key, inter_cert, _k, leaf_cert = CertUtils.generate_int_and_ee(
        db, srcdir, plain_key, plain_cert, label, inter_text, leaf_text, rsa)
    publish(inter_cert, inter_key, leaf_cert, label)
def generate_certs():
    """Generate the EV fixtures using the CertUtils NSS-database helpers.

    After initialising the NSS DB for srcdir and importing evroot with trust
    string 'C,C,C', this issues the "ev-valid" chain, a "no-ocsp-url-cert"
    leaf, the "ev-valid-anypolicy-int" chain, a "non-evroot-ca" root and the
    "non-ev-root" chain under it.

    db, srcdir, import_untrusted_cert and the extension constants are
    module-level names defined elsewhere.
    """

    def issue_and_register(issuer_key, issuer_cert, label, int_exts, ee_exts):
        # Issue "int-<label>" and "<label>", then import both.
        int_nick = "int-" + label
        i_key, i_cert, _e_key, e_cert = CertUtils.generate_int_and_ee(
            db, srcdir, issuer_key, issuer_cert, label, int_exts, ee_exts,
            key_type)
        # Both directory arguments are db here; presumably the PKCS#12
        # bundle, which holds the private key, is written next to the
        # generated material rather than into srcdir. TODO confirm against
        # CertUtils.generate_pkcs12.
        p12 = CertUtils.generate_pkcs12(db, db, i_cert, i_key, int_nick)
        # ',,' presumably sets no NSS trust bits on the intermediate.
        CertUtils.import_cert_and_pkcs12(srcdir, i_cert, p12, int_nick, ',,')
        import_untrusted_cert(e_cert, label)
        return i_key, i_cert

    evroot_cert = 'evroot.der'
    evroot_key = 'evroot.key'
    key_type = 'rsa'

    label = "ev-valid"
    ee_exts = (aia_prefix + label + aia_suffix + endentity_crl +
               mozilla_testing_ev_policy)
    int_exts = (CA_extensions + aia_prefix + "int-" + label + aia_suffix +
                intermediate_crl + mozilla_testing_ev_policy)

    CertUtils.init_nss_db(srcdir)
    # 'C,C,C' in NSS trust notation: trusted CA in all three fields.
    CertUtils.import_cert_and_pkcs12(srcdir, evroot_cert, 'evroot.p12',
                                     'evroot', 'C,C,C')
    ev_int_key, ev_int_cert = issue_and_register(
        evroot_key, evroot_cert, label, int_exts, ee_exts)

    # Leaf whose AIA has a caIssuers URI only, so it names no OCSP
    # responder. The serial is drawn from the non-cryptographic `random`
    # module.
    aia_no_ocsp = ("authorityInfoAccess =" +
                   "caIssuers;URI:http://www.example.com/ca.html\n")
    _key, no_ocsp_cert = CertUtils.generate_cert_generic(
        db, srcdir, random.randint(100, 40000000), key_type,
        'no-ocsp-url-cert',
        aia_no_ocsp + endentity_crl + mozilla_testing_ev_policy,
        ev_int_key, ev_int_cert)
    import_untrusted_cert(no_ocsp_cert, 'no-ocsp-url-cert')

    # EV leaf whose intermediate carries the anyPolicy text.
    label = "ev-valid-anypolicy-int"
    ee_exts = (aia_prefix + label + aia_suffix + endentity_crl +
               mozilla_testing_ev_policy)
    int_exts = (CA_extensions + aia_prefix + "int-" + label + aia_suffix +
                intermediate_crl + anypolicy_policy)
    issue_and_register(evroot_key, evroot_cert, label, int_exts, ee_exts)

    # A trusted root that is not evroot, with a fixed serial of 1.
    other_key, other_cert = CertUtils.generate_cert_generic(
        db, srcdir, 1, 'rsa', 'non-evroot-ca', CA_extensions)
    other_p12 = CertUtils.generate_pkcs12(db, db, other_cert, other_key,
                                          "non-evroot-ca")
    CertUtils.import_cert_and_pkcs12(srcdir, other_cert, other_p12,
                                     'non-evroot-ca', 'C,C,C')

    label = "non-ev-root"
    ee_exts = (aia_prefix + label + aia_suffix + endentity_crl +
               mozilla_testing_ev_policy)
    int_exts = (CA_extensions + aia_prefix + "int-" + label + aia_suffix +
                intermediate_crl + mozilla_testing_ev_policy)
    issue_and_register(other_key, other_cert, label, int_exts, ee_exts)
def generate_certs():
    """Create every EV test chain and load it into the NSS database.

    Issues, in order: the "ev-valid" chain under evroot, a
    "no-ocsp-url-cert" leaf beneath its intermediate, the
    "ev-valid-anypolicy-int" chain under evroot, a "non-evroot-ca" root, and
    the "non-ev-root" chain beneath that root.

    Helper functions, db, srcdir and the extension-text constants are
    module-level names defined elsewhere in the file.
    """
    init_nss_db()

    root_cert = "evroot.der"
    root_key = "evroot.key"
    rsa = "rsa"

    leaf_head = EE_basic_constraints + EE_full_ku + Server_eku + authority_key_ident
    ca_head = CA_basic_constraints + EE_full_ku + CA_eku + authority_key_ident

    def aia_for(nickname):
        # AIA extension text for the given nickname.
        return aia_prefix + nickname + aia_suffix

    def leaf_text(label):
        return leaf_head + aia_for(label) + endentity_crl + mozilla_testing_ev_policy

    def register(int_cert, int_key, ee_cert, label):
        # Intermediate goes in with ",," (presumably no NSS trust bits); the
        # leaf goes in through import_untrusted_cert.
        nickname = "int-" + label
        p12 = CertUtils.generate_pkcs12(db, srcdir, int_cert, int_key, nickname)
        import_cert_and_pkcs12(int_cert, p12, nickname, ",,")
        import_untrusted_cert(ee_cert, label)

    # Chain under evroot with the testing EV policy on both certs.
    label = "ev-valid"
    int_text = (
        ca_head
        + subject_key_ident
        + aia_for("int-" + label)
        + intermediate_crl
        + mozilla_testing_ev_policy
    )
    int_key, int_cert, _ee_key, ee_cert = CertUtils.generate_int_and_ee(
        db, srcdir, root_key, root_cert, label, int_text, leaf_text(label), rsa
    )
    register(int_cert, int_key, ee_cert, label)

    # Leaf whose AIA lists a caIssuers URI but no OCSP responder. The serial
    # is drawn from the non-cryptographic `random` module, which is fine
    # for fixtures only.
    aia_no_ocsp = "authorityInfoAccess =" + "caIssuers;URI:http://www.example.com/ca.html\n"
    no_ocsp_text = leaf_head + aia_no_ocsp + endentity_crl + mozilla_testing_ev_policy
    _no_ocsp_key, no_ocsp_cert = CertUtils.generate_cert_generic(
        db,
        srcdir,
        random.randint(100, 40000000),
        rsa,
        "no-ocsp-url-cert",
        no_ocsp_text,
        int_key,
        int_cert,
    )
    import_untrusted_cert(no_ocsp_cert, "no-ocsp-url-cert")

    # EV leaf whose intermediate carries the anyPolicy text instead of the
    # testing EV policy.
    label = "ev-valid-anypolicy-int"
    int_text = (
        ca_head
        + subject_key_ident
        + aia_for("int-" + label)
        + intermediate_crl
        + anypolicy_policy
    )
    int_key, int_cert, _ee_key, ee_cert = CertUtils.generate_int_and_ee(
        db, srcdir, root_key, root_cert, label, int_text, leaf_text(label), rsa
    )
    register(int_cert, int_key, ee_cert, label)

    # Second root with a fixed serial of 1. "C,C,C" is NSS notation for a
    # trusted CA in all three fields, so this is a trust anchor that is not
    # evroot.
    plain_key, plain_cert = CertUtils.generate_cert_generic(
        db,
        srcdir,
        1,
        "rsa",
        "non-evroot-ca",
        CA_basic_constraints + EE_full_ku + authority_key_ident,
    )
    plain_p12 = CertUtils.generate_pkcs12(db, srcdir, plain_cert, plain_key, "non-evroot-ca")
    import_cert_and_pkcs12(plain_cert, plain_p12, "non-evroot-ca", "C,C,C")

    # Chain under that root. subject_key_ident follows the CRL text here,
    # exactly as in the original ordering.
    label = "non-ev-root"
    int_text = (
        ca_head
        + aia_for("int-" + label)
        + intermediate_crl
        + subject_key_ident
        + mozilla_testing_ev_policy
    )
    int_key, int_cert, _ee_key, ee_cert = CertUtils.generate_int_and_ee(
        db, srcdir, plain_key, plain_cert, label, int_text, leaf_text(label), rsa
    )
    register(int_cert, int_key, ee_cert, label)