def generate_certs():
init_nss_db()
ca_cert = 'evroot.der'
ca_key = 'evroot.key'
prefix = "ev-valid"
key_type = 'rsa'
ee_ext_text = (EE_basic_constraints + EE_full_ku + Server_eku +
authority_key_ident + aia_prefix + prefix + aia_suffix +
endentity_crl + mozilla_testing_ev_policy)
int_ext_text = (CA_basic_constraints + EE_full_ku + CA_eku +
authority_key_ident + subject_key_ident + aia_prefix +
"int-" + prefix + aia_suffix + intermediate_crl +
mozilla_testing_ev_policy)
[int_key, int_cert, ee_key,
ee_cert] = CertUtils.generate_int_and_ee(db, srcdir, ca_key, ca_cert,
prefix, int_ext_text,
ee_ext_text, key_type)
pk12file = CertUtils.generate_pkcs12(db, srcdir, int_cert, int_key,
"int-" + prefix)
import_cert_and_pkcs12(int_cert, pk12file, "int-" + prefix, ",,")
import_untrusted_cert(ee_cert, prefix)
# now we generate an end entity cert with an AIA with no OCSP URL
no_ocsp_url_ext_aia = ("authorityInfoAccess =" +
"caIssuers;URI:http://www.example.com/ca.html\n")
[no_ocsp_key, no_ocsp_cert] = CertUtils.generate_cert_generic(
db, srcdir, random.randint(100,
40000000), key_type, 'no-ocsp-url-cert',
EE_basic_constraints + EE_full_ku + Server_eku + authority_key_ident +
no_ocsp_url_ext_aia + endentity_crl + mozilla_testing_ev_policy,
int_key, int_cert)
import_untrusted_cert(no_ocsp_cert, 'no-ocsp-url-cert')
[bad_ca_key, bad_ca_cert] = CertUtils.generate_cert_generic(
db, srcdir, 1, 'rsa', 'non-evroot-ca',
CA_basic_constraints + EE_full_ku + authority_key_ident)
pk12file = CertUtils.generate_pkcs12(db, srcdir, bad_ca_cert, bad_ca_key,
"non-evroot-ca")
import_cert_and_pkcs12(bad_ca_cert, pk12file, "non-evroot-ca", "C,C,C")
prefix = "non-ev-root"
ee_ext_text = (EE_basic_constraints + EE_full_ku + Server_eku +
authority_key_ident + aia_prefix + prefix + aia_suffix +
endentity_crl + mozilla_testing_ev_policy)
int_ext_text = (CA_basic_constraints + EE_full_ku + CA_eku +
authority_key_ident + aia_prefix + "int-" + prefix +
aia_suffix + intermediate_crl + subject_key_ident +
mozilla_testing_ev_policy)
[int_key, int_cert, ee_key,
ee_cert] = CertUtils.generate_int_and_ee(db, srcdir, bad_ca_key,
bad_ca_cert, prefix,
int_ext_text, ee_ext_text,
key_type)
pk12file = CertUtils.generate_pkcs12(db, srcdir, int_cert, int_key,
"int-" + prefix)
import_cert_and_pkcs12(int_cert, pk12file, "int-" + prefix, ",,")
import_untrusted_cert(ee_cert, prefix)
def generate_certs():
init_nss_db()
ca_cert = 'evroot.der'
ca_key = 'evroot.key'
prefix = "ev-valid"
key_type = 'rsa'
ee_ext_text = (EE_basic_constraints + EE_full_ku + Server_eku +
authority_key_ident + aia_prefix + prefix + aia_suffix +
endentity_crl + mozilla_testing_ev_policy)
int_ext_text = (CA_basic_constraints + EE_full_ku + CA_eku +
authority_key_ident + subject_key_ident +
aia_prefix + "int-" + prefix + aia_suffix +
intermediate_crl + mozilla_testing_ev_policy)
[int_key, int_cert, ee_key, ee_cert] = CertUtils.generate_int_and_ee(db,
srcdir,
ca_key,
ca_cert,
prefix,
int_ext_text,
ee_ext_text,
key_type)
pk12file = CertUtils.generate_pkcs12(db, srcdir, int_cert, int_key,
"int-" + prefix)
import_cert_and_pkcs12(int_cert, pk12file, "int-" + prefix, ",,")
import_untrusted_cert(ee_cert, prefix)
[bad_ca_key, bad_ca_cert] = CertUtils.generate_cert_generic( db,
srcdir,
1,
'rsa',
'non-evroot-ca',
CA_basic_constraints + EE_full_ku +
authority_key_ident)
pk12file = CertUtils.generate_pkcs12(db, srcdir, bad_ca_cert, bad_ca_key,
"non-evroot-ca")
import_cert_and_pkcs12(bad_ca_cert, pk12file, "non-evroot-ca", "C,C,C")
prefix = "non-ev-root"
ee_ext_text = (EE_basic_constraints + EE_full_ku + Server_eku +
authority_key_ident + aia_prefix + prefix + aia_suffix +
endentity_crl + mozilla_testing_ev_policy)
int_ext_text = (CA_basic_constraints + EE_full_ku + CA_eku +
authority_key_ident + aia_prefix + "int-" + prefix +
aia_suffix + intermediate_crl + subject_key_ident +
mozilla_testing_ev_policy)
[int_key, int_cert, ee_key, ee_cert] = CertUtils.generate_int_and_ee(db,
srcdir,
bad_ca_key,
bad_ca_cert,
prefix,
int_ext_text,
ee_ext_text,
key_type)
pk12file = CertUtils.generate_pkcs12(db, srcdir, int_cert, int_key,
"int-" + prefix)
import_cert_and_pkcs12(int_cert, pk12file, "int-" + prefix, ",,")
import_untrusted_cert(ee_cert, prefix)
def generate_certs():
CertUtils.init_dsa(db)
ee_ext_text = EE_basic_constraints + EE_full_ku
for name, key_type in pk_name.iteritems():
ca_name = "ca-" + name
[ca_key, ca_cert] = CertUtils.generate_cert_generic(db,
srcdir,
random.randint(100,4000000),
key_type,
ca_name,
CA_basic_constraints + CA_min_ku)
[valid_int_key, valid_int_cert, ee_key, ee_cert] = (
CertUtils.generate_int_and_ee(db,
srcdir,
ca_key,
ca_cert,
name + "-valid",
CA_basic_constraints,
ee_ext_text,
key_type) )
[int_key, int_cert] = CertUtils.generate_cert_generic(db,
srcdir,
random.randint(100,4000000),
key_type,
"int-" + name + "-tampered",
ee_ext_text,
ca_key,
ca_cert)
[ee_key, ee_cert] = CertUtils.generate_cert_generic(db,
srcdir,
random.randint(100,4000000),
key_type,
name + "-tampered-int-valid-ee",
ee_ext_text,
int_key,
int_cert)
#only tamper after ee has been generated
tamper_cert(int_cert);
[ee_key, ee_cert] = CertUtils.generate_cert_generic(db,
srcdir,
random.randint(100,4000000),
key_type,
name + "-valid-int-tampered-ee",
ee_ext_text,
valid_int_key,
valid_int_cert)
tamper_cert(ee_cert);
def generate_certs():
CertUtils.init_dsa(db)
ee_ext_text = ""
for name, key_type in pk_name.iteritems():
ca_name = "ca-" + name
[ca_key, ca_cert] = CertUtils.generate_cert_generic(db,
srcdir,
random.randint(100,4000000),
key_type,
ca_name,
CA_basic_constraints + CA_min_ku)
[valid_int_key, valid_int_cert, ee_key, ee_cert] = (
CertUtils.generate_int_and_ee(db,
srcdir,
ca_key,
ca_cert,
name + "-valid",
CA_basic_constraints,
ee_ext_text,
key_type) )
[int_key, int_cert] = CertUtils.generate_cert_generic(db,
srcdir,
random.randint(100,4000000),
key_type,
"int-" + name + "-tampered",
ee_ext_text,
ca_key,
ca_cert)
[ee_key, ee_cert] = CertUtils.generate_cert_generic(db,
srcdir,
random.randint(100,4000000),
key_type,
name + "-tampered-int-valid-ee",
ee_ext_text,
int_key,
int_cert)
#only tamper after ee has been generated
tamper_cert(int_cert);
[ee_key, ee_cert] = CertUtils.generate_cert_generic(db,
srcdir,
random.randint(100,4000000),
key_type,
name + "-valid-int-tampered-ee",
ee_ext_text,
valid_int_key,
valid_int_cert)
tamper_cert(ee_cert);
def generate_certs():
init_nss_db()
ca_cert = 'evroot.der'
ca_key = 'evroot.key'
prefix = "ev-valid"
key_type = 'rsa'
ee_ext_text = (aia_prefix + prefix + aia_suffix +
endentity_crl + mozilla_testing_ev_policy)
int_ext_text = (CA_extensions + aia_prefix + "int-" + prefix + aia_suffix +
intermediate_crl + mozilla_testing_ev_policy)
[int_key, int_cert, ee_key, ee_cert] = CertUtils.generate_int_and_ee(db,
srcdir,
ca_key,
ca_cert,
prefix,
int_ext_text,
ee_ext_text,
key_type)
pk12file = CertUtils.generate_pkcs12(db, srcdir, int_cert, int_key,
"int-" + prefix)
import_cert_and_pkcs12(int_cert, pk12file, "int-" + prefix, ",,")
import_untrusted_cert(ee_cert, prefix)
# now we generate an end entity cert with an AIA with no OCSP URL
no_ocsp_url_ext_aia = ("authorityInfoAccess =" +
"caIssuers;URI:http://www.example.com/ca.html\n");
[no_ocsp_key, no_ocsp_cert] = CertUtils.generate_cert_generic(db,
srcdir,
random.randint(100, 40000000),
key_type,
'no-ocsp-url-cert',
no_ocsp_url_ext_aia + endentity_crl +
mozilla_testing_ev_policy,
int_key, int_cert);
import_untrusted_cert(no_ocsp_cert, 'no-ocsp-url-cert');
# add an ev cert whose intermediate has a anypolicy oid
prefix = "ev-valid-anypolicy-int"
ee_ext_text = (aia_prefix + prefix + aia_suffix +
endentity_crl + mozilla_testing_ev_policy)
int_ext_text = (CA_extensions + aia_prefix + "int-" + prefix + aia_suffix +
intermediate_crl + anypolicy_policy)
[int_key, int_cert, ee_key, ee_cert] = CertUtils.generate_int_and_ee(db,
srcdir,
ca_key,
ca_cert,
prefix,
int_ext_text,
ee_ext_text,
key_type)
pk12file = CertUtils.generate_pkcs12(db, srcdir, int_cert, int_key,
"int-" + prefix)
import_cert_and_pkcs12(int_cert, pk12file, "int-" + prefix, ",,")
import_untrusted_cert(ee_cert, prefix)
[bad_ca_key, bad_ca_cert] = CertUtils.generate_cert_generic( db,
srcdir,
1,
'rsa',
'non-evroot-ca',
CA_extensions)
pk12file = CertUtils.generate_pkcs12(db, srcdir, bad_ca_cert, bad_ca_key,
"non-evroot-ca")
import_cert_and_pkcs12(bad_ca_cert, pk12file, "non-evroot-ca", "C,C,C")
prefix = "non-ev-root"
ee_ext_text = (aia_prefix + prefix + aia_suffix +
endentity_crl + mozilla_testing_ev_policy)
int_ext_text = (CA_extensions + aia_prefix + "int-" + prefix + aia_suffix +
intermediate_crl + mozilla_testing_ev_policy)
[int_key, int_cert, ee_key, ee_cert] = CertUtils.generate_int_and_ee(db,
srcdir,
bad_ca_key,
bad_ca_cert,
prefix,
int_ext_text,
ee_ext_text,
key_type)
pk12file = CertUtils.generate_pkcs12(db, srcdir, int_cert, int_key,
"int-" + prefix)
import_cert_and_pkcs12(int_cert, pk12file, "int-" + prefix, ",,")
import_untrusted_cert(ee_cert, prefix)
def generate_certs():
ca_cert = 'evroot.der'
ca_key = 'evroot.key'
prefix = "ev-valid"
key_type = 'rsa'
ee_ext_text = (aia_prefix + prefix + aia_suffix +
endentity_crl + mozilla_testing_ev_policy)
int_ext_text = (CA_extensions + aia_prefix + "int-" + prefix + aia_suffix +
intermediate_crl + mozilla_testing_ev_policy)
CertUtils.init_nss_db(srcdir)
CertUtils.import_cert_and_pkcs12(srcdir, ca_cert, 'evroot.p12', 'evroot',
'C,C,C')
[int_key, int_cert, ee_key, ee_cert] = CertUtils.generate_int_and_ee(db,
srcdir,
ca_key,
ca_cert,
prefix,
int_ext_text,
ee_ext_text,
key_type)
pk12file = CertUtils.generate_pkcs12(db, db, int_cert, int_key,
"int-" + prefix)
CertUtils.import_cert_and_pkcs12(srcdir, int_cert, pk12file,
'int-' + prefix, ',,')
import_untrusted_cert(ee_cert, prefix)
# now we generate an end entity cert with an AIA with no OCSP URL
no_ocsp_url_ext_aia = ("authorityInfoAccess =" +
"caIssuers;URI:http://www.example.com/ca.html\n");
[no_ocsp_key, no_ocsp_cert] = CertUtils.generate_cert_generic(db,
srcdir,
random.randint(100, 40000000),
key_type,
'no-ocsp-url-cert',
no_ocsp_url_ext_aia + endentity_crl +
mozilla_testing_ev_policy,
int_key, int_cert);
import_untrusted_cert(no_ocsp_cert, 'no-ocsp-url-cert');
# add an ev cert whose intermediate has a anypolicy oid
prefix = "ev-valid-anypolicy-int"
ee_ext_text = (aia_prefix + prefix + aia_suffix +
endentity_crl + mozilla_testing_ev_policy)
int_ext_text = (CA_extensions + aia_prefix + "int-" + prefix + aia_suffix +
intermediate_crl + anypolicy_policy)
[int_key, int_cert, ee_key, ee_cert] = CertUtils.generate_int_and_ee(db,
srcdir,
ca_key,
ca_cert,
prefix,
int_ext_text,
ee_ext_text,
key_type)
pk12file = CertUtils.generate_pkcs12(db, db, int_cert, int_key,
"int-" + prefix)
CertUtils.import_cert_and_pkcs12(srcdir, int_cert, pk12file,
'int-' + prefix, ',,')
import_untrusted_cert(ee_cert, prefix)
[bad_ca_key, bad_ca_cert] = CertUtils.generate_cert_generic( db,
srcdir,
1,
'rsa',
'non-evroot-ca',
CA_extensions)
pk12file = CertUtils.generate_pkcs12(db, db, bad_ca_cert, bad_ca_key,
"non-evroot-ca")
CertUtils.import_cert_and_pkcs12(srcdir, bad_ca_cert, pk12file,
'non-evroot-ca', 'C,C,C')
prefix = "non-ev-root"
ee_ext_text = (aia_prefix + prefix + aia_suffix +
endentity_crl + mozilla_testing_ev_policy)
int_ext_text = (CA_extensions + aia_prefix + "int-" + prefix + aia_suffix +
intermediate_crl + mozilla_testing_ev_policy)
[int_key, int_cert, ee_key, ee_cert] = CertUtils.generate_int_and_ee(db,
srcdir,
bad_ca_key,
bad_ca_cert,
prefix,
int_ext_text,
ee_ext_text,
key_type)
pk12file = CertUtils.generate_pkcs12(db, db, int_cert, int_key,
"int-" + prefix)
CertUtils.import_cert_and_pkcs12(srcdir, int_cert, pk12file,
'int-' + prefix, ',,')
import_untrusted_cert(ee_cert, prefix)
def generate_certs():
init_nss_db()
ca_cert = "evroot.der"
ca_key = "evroot.key"
prefix = "ev-valid"
key_type = "rsa"
ee_ext_text = (
EE_basic_constraints
+ EE_full_ku
+ Server_eku
+ authority_key_ident
+ aia_prefix
+ prefix
+ aia_suffix
+ endentity_crl
+ mozilla_testing_ev_policy
)
int_ext_text = (
CA_basic_constraints
+ EE_full_ku
+ CA_eku
+ authority_key_ident
+ subject_key_ident
+ aia_prefix
+ "int-"
+ prefix
+ aia_suffix
+ intermediate_crl
+ mozilla_testing_ev_policy
)
[int_key, int_cert, ee_key, ee_cert] = CertUtils.generate_int_and_ee(
db, srcdir, ca_key, ca_cert, prefix, int_ext_text, ee_ext_text, key_type
)
pk12file = CertUtils.generate_pkcs12(db, srcdir, int_cert, int_key, "int-" + prefix)
import_cert_and_pkcs12(int_cert, pk12file, "int-" + prefix, ",,")
import_untrusted_cert(ee_cert, prefix)
# now we generate an end entity cert with an AIA with no OCSP URL
no_ocsp_url_ext_aia = "authorityInfoAccess =" + "caIssuers;URI:http://www.example.com/ca.html\n"
[no_ocsp_key, no_ocsp_cert] = CertUtils.generate_cert_generic(
db,
srcdir,
random.randint(100, 40000000),
key_type,
"no-ocsp-url-cert",
EE_basic_constraints
+ EE_full_ku
+ Server_eku
+ authority_key_ident
+ no_ocsp_url_ext_aia
+ endentity_crl
+ mozilla_testing_ev_policy,
int_key,
int_cert,
)
import_untrusted_cert(no_ocsp_cert, "no-ocsp-url-cert")
# add an ev cert whose intermediate has a anypolicy oid
prefix = "ev-valid-anypolicy-int"
ee_ext_text = (
EE_basic_constraints
+ EE_full_ku
+ Server_eku
+ authority_key_ident
+ aia_prefix
+ prefix
+ aia_suffix
+ endentity_crl
+ mozilla_testing_ev_policy
)
int_ext_text = (
CA_basic_constraints
+ EE_full_ku
+ CA_eku
+ authority_key_ident
+ subject_key_ident
+ aia_prefix
+ "int-"
+ prefix
+ aia_suffix
+ intermediate_crl
+ anypolicy_policy
)
[int_key, int_cert, ee_key, ee_cert] = CertUtils.generate_int_and_ee(
db, srcdir, ca_key, ca_cert, prefix, int_ext_text, ee_ext_text, key_type
)
pk12file = CertUtils.generate_pkcs12(db, srcdir, int_cert, int_key, "int-" + prefix)
import_cert_and_pkcs12(int_cert, pk12file, "int-" + prefix, ",,")
import_untrusted_cert(ee_cert, prefix)
[bad_ca_key, bad_ca_cert] = CertUtils.generate_cert_generic(
db, srcdir, 1, "rsa", "non-evroot-ca", CA_basic_constraints + EE_full_ku + authority_key_ident
)
pk12file = CertUtils.generate_pkcs12(db, srcdir, bad_ca_cert, bad_ca_key, "non-evroot-ca")
import_cert_and_pkcs12(bad_ca_cert, pk12file, "non-evroot-ca", "C,C,C")
prefix = "non-ev-root"
ee_ext_text = (
EE_basic_constraints
+ EE_full_ku
+ Server_eku
+ authority_key_ident
+ aia_prefix
+ prefix
+ aia_suffix
+ endentity_crl
+ mozilla_testing_ev_policy
)
int_ext_text = (
CA_basic_constraints
+ EE_full_ku
+ CA_eku
+ authority_key_ident
+ aia_prefix
+ "int-"
+ prefix
+ aia_suffix
+ intermediate_crl
+ subject_key_ident
+ mozilla_testing_ev_policy
)
[int_key, int_cert, ee_key, ee_cert] = CertUtils.generate_int_and_ee(
db, srcdir, bad_ca_key, bad_ca_cert, prefix, int_ext_text, ee_ext_text, key_type
)
pk12file = CertUtils.generate_pkcs12(db, srcdir, int_cert, int_key, "int-" + prefix)
import_cert_and_pkcs12(int_cert, pk12file, "int-" + prefix, ",,")
import_untrusted_cert(ee_cert, prefix)
