def generate_family(db_dir, dst_dir, ca_key, ca_cert, base_name):
key_type = 'rsa'
ee_ext_base = EE_basic_constraints + authority_key_ident
CertUtils.generate_cert_generic(db, srcdir, 10, key_type,
'cn-a.pinning2.example.com-' + base_name,
ee_ext_base, ca_key, ca_cert,
'/CN=a.pinning2.example.com')
CertUtils.generate_cert_generic(db, srcdir, 11, key_type,
'cn-x.a.pinning2.example.com-' + base_name,
ee_ext_base, ca_key, ca_cert,
'/CN=x.a.pinning2.example.com')
alt_name_ext = 'subjectAltName =DNS:a.pinning2.example.com'
CertUtils.generate_cert_generic(
db, srcdir, 12, key_type,
'cn-www.example.com-alt-a.pinning2.example-' + base_name,
ee_ext_base + alt_name_ext, ca_key, ca_cert, '/CN=www.example.com')
CertUtils.generate_cert_generic(db, srcdir, 13, key_type,
'cn-b.pinning2.example.com-' + base_name,
ee_ext_base, ca_key, ca_cert,
'/CN=b.pinning2.example.com')
CertUtils.generate_cert_generic(db, srcdir, 14, key_type,
'cn-x.b.pinning2.example.com-' + base_name,
ee_ext_base, ca_key, ca_cert,
'/CN=x.b.pinning2.example.com')
def generate_and_maybe_import_cert(key_type, cert_name_suffix, base_ext_text,
signer_key_filename, signer_cert_filename,
dsa_param_filename, key_size, generate_ev):
"""
Generates a certificate and imports it into the NSS DB if appropriate.
Arguments:
key_type -- the type of key generated: potential values: 'rsa', 'dsa',
or any of the curves found by 'openssl ecparam -list_curves'
cert_name_suffix -- suffix of the generated cert name
base_ext_text -- the base text for the x509 extensions to be added to the
certificate (extra extensions will be added if generating
an EV cert)
signer_key_filename -- the filename of the key from which the cert will
be signed. If an empty string is passed in the cert
will be self signed (think CA roots).
signer_cert_filename -- the filename of the signer cert that will sign the
certificate being generated. Ignored if an empty
string is passed in for signer_key_filename.
Must be in DER format.
dsa_param_filename -- the filename for the DSA param file
key_size -- public key size for RSA certs
generate_ev -- whether an EV cert should be generated
Output:
key_filename -- the filename of the key file (PEM format)
cert_filename -- the filename of the certificate (DER format)
"""
cert_name = key_type + cert_name_suffix
ev_ext_text = ''
subject_string = ('/CN=XPCShell Key Size Testing %s %s-bit' %
(key_type, key_size))
if generate_ev:
cert_name = 'ev-' + cert_name
ev_ext_text = (aia_prefix + cert_name + aia_suffix +
mozilla_testing_ev_policy)
subject_string += ' (EV)'
# Use the organization field to store the cert nickname for easier debugging
subject_string += '/O=' + cert_name
[key_filename, cert_filename] = CertUtils.generate_cert_generic(
db_dir, srcdir, random.randint(100, 40000000), key_type, cert_name,
base_ext_text + ev_ext_text, signer_key_filename, signer_cert_filename,
subject_string, dsa_param_filename, key_size)
if generate_ev:
# The dest_dir argument of generate_pkcs12() is also set to db_dir as
# the .p12 files do not need to be kept once they have been imported.
pkcs12_filename = CertUtils.generate_pkcs12(db_dir, db_dir,
cert_filename,
key_filename, cert_name)
CertUtils.import_cert_and_pkcs12(srcdir, cert_filename,
pkcs12_filename, cert_name, ',,')
if not signer_key_filename:
generated_ev_root_filenames.append(cert_filename)
return [key_filename, cert_filename]
def generate_certs():
key_type = "rsa"
ca_ext = CA_basic_constraints + CA_full_ku + subject_key_ident + CA_eku
ee_ext_text = EE_basic_constraints + authority_key_ident
[ca_key, ca_cert] = CertUtils.generate_cert_generic(db, srcdir, 1, key_type, "ca", ca_ext)
[int_key, int_cert] = CertUtils.generate_cert_generic(db, srcdir, 103, key_type, "int", ca_ext, ca_key, ca_cert)
# now the ee
CertUtils.generate_cert_generic(db, srcdir, 100, key_type, "ee", ee_ext_text, int_key, int_cert)
def generate_family(db_dir, dst_dir, ca_key, ca_cert, base_name):
key_type = 'rsa'
ee_ext_base = EE_basic_constraints + authority_key_ident;
CertUtils.generate_cert_generic(db,
srcdir,
10,
key_type,
'cn-a.pinning2.example.com-'+ base_name,
ee_ext_base,
ca_key,
ca_cert,
'/CN=a.pinning2.example.com')
CertUtils.generate_cert_generic(db,
srcdir,
11,
key_type,
'cn-x.a.pinning2.example.com-'+ base_name,
ee_ext_base,
ca_key,
ca_cert,
'/CN=x.a.pinning2.example.com')
alt_name_ext = 'subjectAltName =DNS:a.pinning2.example.com'
CertUtils.generate_cert_generic(db,
srcdir,
12,
key_type,
'cn-www.example.com-alt-a.pinning2.example-'+ base_name,
ee_ext_base + alt_name_ext,
ca_key,
ca_cert,
'/CN=www.example.com')
CertUtils.generate_cert_generic(db,
srcdir,
13,
key_type,
'cn-b.pinning2.example.com-'+ base_name,
ee_ext_base,
ca_key,
ca_cert,
'/CN=b.pinning2.example.com')
CertUtils.generate_cert_generic(db,
srcdir,
14,
key_type,
'cn-x.b.pinning2.example.com-'+ base_name,
ee_ext_base,
ca_key,
ca_cert,
'/CN=x.b.pinning2.example.com')
def generate_certs():
ee_ext_text = ""
for name, key_type in pk_name.iteritems():
ca_name = "ca-" + name
[ca_key, ca_cert] = CertUtils.generate_cert_generic(db,
srcdir,
random.randint(100,4000000),
key_type,
ca_name,
CA_basic_constraints + CA_min_ku)
[valid_int_key, valid_int_cert, ee_key, ee_cert] = (
CertUtils.generate_int_and_ee(db,
srcdir,
ca_key,
ca_cert,
name + "-valid",
CA_basic_constraints,
ee_ext_text,
key_type) )
[int_key, int_cert] = CertUtils.generate_cert_generic(db,
srcdir,
random.randint(100,4000000),
key_type,
"int-" + name + "-tampered",
ee_ext_text,
ca_key,
ca_cert)
[ee_key, ee_cert] = CertUtils.generate_cert_generic(db,
srcdir,
random.randint(100,4000000),
key_type,
name + "-tampered-int-valid-ee",
ee_ext_text,
int_key,
int_cert)
#only tamper after ee has been generated
tamper_cert(int_cert);
[ee_key, ee_cert] = CertUtils.generate_cert_generic(db,
srcdir,
random.randint(100,4000000),
key_type,
name + "-valid-int-tampered-ee",
ee_ext_text,
valid_int_key,
valid_int_cert)
tamper_cert(ee_cert);
def generate_certs(do_cert_generation):
ca_name = "ca"
if do_cert_generation:
[ca_key,
ca_cert] = CertUtils.generate_cert_generic(db, srcdir, 1, key_type,
ca_name,
CA_basic_constraints)
ee_ext_text = EE_basic_constraints + EE_full_ku
# now we do it again for valid basic constraints but strange eku/ku at the
# intermediate layer
eku_dict = generate_test_eku()
print eku_dict
for eku_name in (sorted(eku_dict.keys())):
# Divide the tests into multiple files to avoid time outs
js_outfile = open("../test_cert_eku-" + eku_name + ".js", "w")
js_outfile.write(js_file_header)
# generate int
int_name = "int-EKU-" + eku_name
int_serial = random.randint(100, 40000000)
eku_text = "extendedKeyUsage = " + eku_dict[eku_name]
if (eku_name == "NONE"):
eku_text = ""
int_ext_text = CA_basic_constraints + CA_full_ku + eku_text
if do_cert_generation:
[int_key, int_cert
] = CertUtils.generate_cert_generic(db, srcdir, int_serial,
key_type, int_name,
int_ext_text, ca_key, ca_cert)
js_outfile.write("\n")
js_outfile.write(gen_int_js_output(int_name))
for ee_eku_name in (sorted(eku_dict.keys())):
ee_base_name = "ee-EKU-" + ee_eku_name
ee_name = ee_base_name + "-" + int_name
ee_serial = random.randint(100, 40000000)
ee_eku = "extendedKeyUsage = critical," + eku_dict[ee_eku_name]
if (ee_eku_name == "NONE"):
ee_eku = ""
ee_ext_text = EE_basic_constraints + EE_full_ku + ee_eku
if do_cert_generation:
[ee_key, ee_cert] = CertUtils.generate_cert_generic(
db, srcdir, ee_serial, key_type, ee_name, ee_ext_text,
int_key, int_cert)
for cert_usage in (cert_usages):
js_outfile.write(
gen_ee_js_output(int_name, ee_base_name, cert_usage,
ee_name))
js_outfile.write(js_file_footer)
js_outfile.close()
def generate_certs():
key_type = 'rsa'
ca_ext = CA_basic_constraints + CA_full_ku + subject_key_ident + CA_eku
ee_ext_text = (EE_basic_constraints + authority_key_ident)
[ca_key,
ca_cert] = CertUtils.generate_cert_generic(db, srcdir, 1, key_type, 'ca',
ca_ext)
CertUtils.generate_cert_generic(db, srcdir, 100, key_type, 'ee',
ee_ext_text, ca_key, ca_cert)
shutil.copy(ca_cert, srcdir + "/" + "ca-1.der")
self_sign_csr(db, srcdir, db + "/ca.csr", ca_key, 2, ca_ext, "ca-2")
os.remove(ca_cert)
def generate_int_and_ee2(ca_key, ca_cert, suffix, int_ext_text, ee_ext_text):
int_name = "int-" + suffix
ee_name = "ee-int-" + suffix
int_serial = random.randint(100, 40000000)
ee_serial = random.randint(100, 40000000)
[int_key,
int_cert] = CertUtils.generate_cert_generic(db, srcdir, int_serial,
key_type, int_name,
int_ext_text, ca_key, ca_cert)
[ee_key,
ee_cert] = CertUtils.generate_cert_generic(db, srcdir, ee_serial,
key_type, ee_name, ee_ext_text,
int_key, int_cert)
return [int_key, int_cert, ee_key, ee_cert]
def generate_certs(do_cert_generation):
ca_name = "ca"
if do_cert_generation:
[ca_key, ca_cert] = CertUtils.generate_cert_generic(
db, srcdir, 1, key_type, ca_name,
CA_basic_constraints)
ee_ext_text = EE_basic_constraints + EE_full_ku
# now we do it again for valid basic constraints but strange eku/ku at the
# intermediate layer
eku_dict = generate_test_eku()
print eku_dict
for eku_name in (sorted(eku_dict.keys())):
# Divide the tests into multiple files to avoid time outs
js_outfile = open("../test_cert_eku-" + eku_name + ".js", "w")
js_outfile.write(js_file_header)
# generate int
int_name = "int-EKU-" + eku_name
int_serial = random.randint(100, 40000000)
eku_text = "extendedKeyUsage = " + eku_dict[eku_name]
if (eku_name == "NONE"):
eku_text = ""
int_ext_text = CA_basic_constraints + CA_full_ku + eku_text
if do_cert_generation:
[int_key, int_cert] = CertUtils.generate_cert_generic(
db, srcdir, int_serial, key_type, int_name,
int_ext_text, ca_key, ca_cert)
js_outfile.write("\n")
js_outfile.write(gen_int_js_output(int_name))
for ee_eku_name in (sorted(eku_dict.keys())):
ee_base_name = "ee-EKU-" + ee_eku_name
ee_name = ee_base_name + "-" + int_name
ee_serial = random.randint(100, 40000000)
ee_eku = "extendedKeyUsage = critical," + eku_dict[ee_eku_name]
if (ee_eku_name == "NONE"):
ee_eku = ""
ee_ext_text = EE_basic_constraints + EE_full_ku + ee_eku
if do_cert_generation:
[ee_key, ee_cert] = CertUtils.generate_cert_generic(
db, srcdir, ee_serial, key_type, ee_name,
ee_ext_text, int_key, int_cert)
for cert_usage in (cert_usages):
js_outfile.write(gen_ee_js_output(int_name, ee_base_name,
cert_usage, ee_name))
js_outfile.write(js_file_footer)
js_outfile.close()
def generate_certs():
key_type = 'rsa'
ca_ext = CA_basic_constraints + CA_full_ku + subject_key_ident + CA_eku
ee_ext_text = (EE_basic_constraints + authority_key_ident)
[ca_key,
ca_cert] = CertUtils.generate_cert_generic(db, srcdir, 1, key_type, 'ca',
ca_ext)
[int_key,
int_cert] = CertUtils.generate_cert_generic(db, srcdir, 103, key_type,
'int', ca_ext, ca_key,
ca_cert)
#now the ee
CertUtils.generate_cert_generic(db, srcdir, 100, key_type, 'ee',
ee_ext_text, int_key, int_cert)
def generate_certs():
[noise_file, pwd_file] = CertUtils.init_nss_db(srcdir)
generate_ca_cert(srcdir, srcdir, noise_file, 'ca')
generate_child_cert(srcdir, srcdir, noise_file, 'int', 'ca', False, '')
ocsp_url = "http://www.example.com:8888/"
generate_child_cert(srcdir, srcdir, noise_file, "a", 'int', True, ocsp_url)
generate_child_cert(srcdir, srcdir, noise_file, "b", 'int', True, ocsp_url)
def generate_certs():
[noise_file, pwd_file] = CertUtils.init_nss_db(srcdir)
generate_ca_cert(srcdir, srcdir, noise_file, 'ca')
generate_child_cert(srcdir, srcdir, noise_file, 'int', 'ca', False, '')
ocsp_url = "http://www.example.com:8080/"
generate_child_cert(srcdir, srcdir, noise_file, "a", 'int', True, ocsp_url)
generate_child_cert(srcdir, srcdir, noise_file, "b", 'int', True, ocsp_url)
def generate_certs(): [noise_file, pwd_file] = CertUtils.init_nss_db(db) generate_ca(db, srcdir, noise_file, "v1_ca", 1, False ) generate_ca(db, srcdir, noise_file, "v1_ca_bc", 1, True) generate_ca(db, srcdir, noise_file, "v2_ca", 2, False ) generate_ca(db, srcdir, noise_file, "v2_ca_bc", 2, True) generate_ca(db, srcdir, noise_file, "v3_ca", 3, True ) generate_ca(db, srcdir, noise_file, "v3_ca_missing_bc", 3, False)
def generate_certs():
[noise_file, pwd_file] = CertUtils.init_nss_db(db)
generate_ca(db, srcdir, noise_file, "v1_ca", 1, False)
generate_ca(db, srcdir, noise_file, "v1_ca_bc", 1, True)
generate_ca(db, srcdir, noise_file, "v2_ca", 2, False)
generate_ca(db, srcdir, noise_file, "v2_ca_bc", 2, True)
generate_ca(db, srcdir, noise_file, "v3_ca", 3, True)
generate_ca(db, srcdir, noise_file, "v3_ca_missing_bc", 3, False)
def generate_certs():
key_type = 'rsa'
ca_ext = CA_basic_constraints + CA_full_ku + subject_key_ident
ee_ext_text = (EE_basic_constraints + authority_key_ident)
[ca_key,
ca_cert] = CertUtils.generate_cert_generic(db, srcdir, 1, key_type,
'badca', ca_ext)
generate_family(db, srcdir, ca_key, ca_cert, 'badca')
ca_cert = 'pinningroot.der'
ca_key = 'pinningroot.key'
generate_family(db, srcdir, ca_key, ca_cert, 'pinningroot')
def generate_certs():
ee_ext_text = ""
for name, key_type in pk_name.iteritems():
ca_name = "ca-" + name
[ca_key, ca_cert
] = CertUtils.generate_cert_generic(db, srcdir,
random.randint(100, 4000000),
key_type, ca_name,
CA_basic_constraints + CA_min_ku)
[valid_int_key, valid_int_cert, ee_key,
ee_cert] = (CertUtils.generate_int_and_ee(db, srcdir, ca_key, ca_cert,
name + "-valid",
CA_basic_constraints,
ee_ext_text, key_type))
[int_key, int_cert
] = CertUtils.generate_cert_generic(db, srcdir,
random.randint(100,
4000000), key_type,
"int-" + name + "-tampered",
ee_ext_text, ca_key, ca_cert)
[ee_key, ee_cert
] = CertUtils.generate_cert_generic(db, srcdir,
random.randint(100,
4000000), key_type,
name + "-tampered-int-valid-ee",
ee_ext_text, int_key, int_cert)
#only tamper after ee has been generated
tamper_cert(int_cert)
[ee_key, ee_cert
] = CertUtils.generate_cert_generic(db, srcdir,
random.randint(100,
4000000), key_type,
name + "-valid-int-tampered-ee",
ee_ext_text, valid_int_key,
valid_int_cert)
tamper_cert(ee_cert)
def generate_certs():
init_nss_db()
ca_cert = 'evroot.der'
ca_key = 'evroot.key'
prefix = "ev-valid"
key_type = 'rsa'
ee_ext_text = (EE_basic_constraints + EE_full_ku + Server_eku +
authority_key_ident + aia_prefix + prefix + aia_suffix +
endentity_crl + mozilla_testing_ev_policy)
int_ext_text = (CA_basic_constraints + EE_full_ku + CA_eku +
authority_key_ident + subject_key_ident + aia_prefix +
"int-" + prefix + aia_suffix + intermediate_crl +
mozilla_testing_ev_policy)
[int_key, int_cert, ee_key,
ee_cert] = CertUtils.generate_int_and_ee(db, srcdir, ca_key, ca_cert,
prefix, int_ext_text,
ee_ext_text, key_type)
pk12file = CertUtils.generate_pkcs12(db, srcdir, int_cert, int_key,
"int-" + prefix)
import_cert_and_pkcs12(int_cert, pk12file, "int-" + prefix, ",,")
import_untrusted_cert(ee_cert, prefix)
# now we generate an end entity cert with an AIA with no OCSP URL
no_ocsp_url_ext_aia = ("authorityInfoAccess =" +
"caIssuers;URI:http://www.example.com/ca.html\n")
[no_ocsp_key, no_ocsp_cert] = CertUtils.generate_cert_generic(
db, srcdir, random.randint(100,
40000000), key_type, 'no-ocsp-url-cert',
EE_basic_constraints + EE_full_ku + Server_eku + authority_key_ident +
no_ocsp_url_ext_aia + endentity_crl + mozilla_testing_ev_policy,
int_key, int_cert)
import_untrusted_cert(no_ocsp_cert, 'no-ocsp-url-cert')
[bad_ca_key, bad_ca_cert] = CertUtils.generate_cert_generic(
db, srcdir, 1, 'rsa', 'non-evroot-ca',
CA_basic_constraints + EE_full_ku + authority_key_ident)
pk12file = CertUtils.generate_pkcs12(db, srcdir, bad_ca_cert, bad_ca_key,
"non-evroot-ca")
import_cert_and_pkcs12(bad_ca_cert, pk12file, "non-evroot-ca", "C,C,C")
prefix = "non-ev-root"
ee_ext_text = (EE_basic_constraints + EE_full_ku + Server_eku +
authority_key_ident + aia_prefix + prefix + aia_suffix +
endentity_crl + mozilla_testing_ev_policy)
int_ext_text = (CA_basic_constraints + EE_full_ku + CA_eku +
authority_key_ident + aia_prefix + "int-" + prefix +
aia_suffix + intermediate_crl + subject_key_ident +
mozilla_testing_ev_policy)
[int_key, int_cert, ee_key,
ee_cert] = CertUtils.generate_int_and_ee(db, srcdir, bad_ca_key,
bad_ca_cert, prefix,
int_ext_text, ee_ext_text,
key_type)
pk12file = CertUtils.generate_pkcs12(db, srcdir, int_cert, int_key,
"int-" + prefix)
import_cert_and_pkcs12(int_cert, pk12file, "int-" + prefix, ",,")
import_untrusted_cert(ee_cert, prefix)
def generate_certs():
[noise_file, pwd_file] = CertUtils.init_nss_db(db)
generate_ca(db, srcdir, noise_file, "v1_ca", 1, False)
generate_ca(db, srcdir, noise_file, "v1_ca_bc", 1, True)
generate_ca(db, srcdir, noise_file, "v2_ca", 2, False)
generate_ca(db, srcdir, noise_file, "v2_ca_bc", 2, True)
generate_ca(db, srcdir, noise_file, "v3_ca", 3, True)
generate_ca(db, srcdir, noise_file, "v3_ca_missing_bc", 3, False)
CertUtils.generate_self_signed_cert(db, srcdir, noise_file,
"v3_self_signed", 3, False, False)
CertUtils.generate_self_signed_cert(db, srcdir, noise_file,
"v3_self_signed_bc", 3, True, False)
CertUtils.generate_self_signed_cert(db, srcdir, noise_file,
"v4_self_signed", 4, False, False)
CertUtils.generate_self_signed_cert(db, srcdir, noise_file,
"v4_self_signed_bc", 4, True, False)
def generate_certs():
[noise_file, pwd_file] = CertUtils.init_nss_db(db)
generate_ca(db, srcdir, noise_file, "v1_ca", 1, False )
generate_ca(db, srcdir, noise_file, "v1_ca_bc", 1, True)
generate_ca(db, srcdir, noise_file, "v2_ca", 2, False )
generate_ca(db, srcdir, noise_file, "v2_ca_bc", 2, True)
generate_ca(db, srcdir, noise_file, "v3_ca", 3, True )
generate_ca(db, srcdir, noise_file, "v3_ca_missing_bc", 3, False)
CertUtils.generate_self_signed_cert(db, srcdir, noise_file, "v3_self_signed",
3, False, False)
CertUtils.generate_self_signed_cert(db, srcdir, noise_file, "v3_self_signed_bc",
3, True, False)
CertUtils.generate_self_signed_cert(db, srcdir, noise_file, "v4_self_signed",
4, False, False);
CertUtils.generate_self_signed_cert(db, srcdir, noise_file, "v4_self_signed_bc",
4, True, False);
def generate_cert(key_type, cert_name_prefix, cert_name_suffix, base_ext_text,
signer_key_filename, signer_cert_filename, key_size):
"""
Generates a certificate.
If an equivalent certificate has already been generated, it is reused.
Arguments:
key_type -- the type of key generated: potential values: 'rsa', or any of
the curves found by 'openssl ecparam -list_curves'
cert_name_prefix -- prefix of the generated cert name
cert_name_suffix -- suffix of the generated cert name
base_ext_text -- the base text for the x509 extensions to be added to the
certificate (extra extensions will be added if generating
an EV cert)
signer_key_filename -- the filename of the key from which the cert will
be signed. If an empty string is passed in the cert
will be self signed (think CA roots).
signer_cert_filename -- the filename of the signer cert that will sign the
certificate being generated. Ignored if an empty
string is passed in for signer_key_filename.
Must be in DER format.
key_size -- public key size for RSA certs
Output:
cert_name -- the resultant (nick)name of the certificate
key_filename -- the filename of the key file (PEM format)
cert_filename -- the filename of the certificate (DER format)
"""
cert_name = cert_name_prefix + '_' + key_type + '_' + key_size
# If the suffix is not the empty string, add a hyphen for visual separation
if cert_name_suffix:
cert_name += '-' + cert_name_suffix
ev_ext_text = ''
subject_string = ('/CN=XPCShell Key Size Testing %s %s-bit' %
(key_type, key_size))
# Use the organization field to store the cert nickname for easier debugging
subject_string += '/O=' + cert_name
# Don't regenerate a previously generated cert
for cert in generated_certs:
if cert_name == cert[0]:
return cert
[key_filename, cert_filename] = CertUtils.generate_cert_generic(
db_dir, srcdir, random.randint(100, 40000000), key_type, cert_name,
base_ext_text + ev_ext_text, signer_key_filename, signer_cert_filename,
subject_string, key_size, 3 * 365 + 3 * 31) # 39 months
generated_certs.append([cert_name, key_filename, cert_filename])
return [cert_name, key_filename, cert_filename]
def generate_int_and_ee2(ca_key, ca_cert, suffix, int_ext_text, ee_ext_text):
int_name = "int-" + suffix;
ee_name = "ee-int-" + suffix;
int_serial = random.randint(100, 40000000);
ee_serial = random.randint(100, 40000000);
[int_key, int_cert] = CertUtils.generate_cert_generic(db,
srcdir,
int_serial,
key_type,
int_name,
int_ext_text,
ca_key,
ca_cert);
[ee_key, ee_cert] = CertUtils.generate_cert_generic(db,
srcdir,
ee_serial,
key_type,
ee_name,
ee_ext_text,
int_key,
int_cert);
return [int_key, int_cert, ee_key, ee_cert]
def generate_certs():
key_type = 'rsa'
ca_ext = CA_basic_constraints + CA_full_ku + subject_key_ident + CA_eku;
ee_ext_text = (EE_basic_constraints + authority_key_ident)
[ca_key, ca_cert] = CertUtils.generate_cert_generic(db,
srcdir,
1,
key_type,
'ca',
ca_ext)
CertUtils.generate_cert_generic(db,
srcdir,
100,
key_type,
'ee',
ee_ext_text,
ca_key,
ca_cert)
shutil.copy(ca_cert, srcdir + "/" + "ca-1.der")
self_sign_csr(db, srcdir, db + "/ca.csr", ca_key, 2, ca_ext, "ca-2")
os.remove(ca_cert);
def generate_certs():
key_type = 'rsa'
ca_ext = CA_basic_constraints + CA_full_ku + subject_key_ident
ee_ext_text = (EE_basic_constraints + authority_key_ident)
[ca_key, ca_cert] = CertUtils.generate_cert_generic(db,
srcdir,
1,
key_type,
'badca',
ca_ext)
generate_family(db, srcdir, ca_key, ca_cert, 'badca')
ca_cert = 'pinningroot.der'
ca_key = 'pinningroot.key'
generate_family(db, srcdir, ca_key, ca_cert, 'pinningroot')
def generate_certs():
init_nss_db()
ca_cert = 'evroot.der'
ca_key = 'evroot.key'
prefix = "ev-valid"
key_type = 'rsa'
ee_ext_text = (EE_basic_constraints + EE_full_ku + Server_eku +
authority_key_ident + aia_prefix + prefix + aia_suffix +
endentity_crl + mozilla_testing_ev_policy)
int_ext_text = (CA_basic_constraints + EE_full_ku + CA_eku +
authority_key_ident + subject_key_ident +
aia_prefix + "int-" + prefix + aia_suffix +
intermediate_crl + mozilla_testing_ev_policy)
[int_key, int_cert, ee_key, ee_cert] = CertUtils.generate_int_and_ee(db,
srcdir,
ca_key,
ca_cert,
prefix,
int_ext_text,
ee_ext_text,
key_type)
pk12file = CertUtils.generate_pkcs12(db, srcdir, int_cert, int_key,
"int-" + prefix)
import_cert_and_pkcs12(int_cert, pk12file, "int-" + prefix, ",,")
import_untrusted_cert(ee_cert, prefix)
[bad_ca_key, bad_ca_cert] = CertUtils.generate_cert_generic( db,
srcdir,
1,
'rsa',
'non-evroot-ca',
CA_basic_constraints + EE_full_ku +
authority_key_ident)
pk12file = CertUtils.generate_pkcs12(db, srcdir, bad_ca_cert, bad_ca_key,
"non-evroot-ca")
import_cert_and_pkcs12(bad_ca_cert, pk12file, "non-evroot-ca", "C,C,C")
prefix = "non-ev-root"
ee_ext_text = (EE_basic_constraints + EE_full_ku + Server_eku +
authority_key_ident + aia_prefix + prefix + aia_suffix +
endentity_crl + mozilla_testing_ev_policy)
int_ext_text = (CA_basic_constraints + EE_full_ku + CA_eku +
authority_key_ident + aia_prefix + "int-" + prefix +
aia_suffix + intermediate_crl + subject_key_ident +
mozilla_testing_ev_policy)
[int_key, int_cert, ee_key, ee_cert] = CertUtils.generate_int_and_ee(db,
srcdir,
bad_ca_key,
bad_ca_cert,
prefix,
int_ext_text,
ee_ext_text,
key_type)
pk12file = CertUtils.generate_pkcs12(db, srcdir, int_cert, int_key,
"int-" + prefix)
import_cert_and_pkcs12(int_cert, pk12file, "int-" + prefix, ",,")
import_untrusted_cert(ee_cert, prefix)
def generate_certs():
[noise_file, pwd_file] = CertUtils.init_nss_db(srcdir)
generate_ca_cert(srcdir, srcdir, noise_file, 'ca')
generate_child_cert(srcdir, srcdir, noise_file, 'int', 'ca', False, '')
nick_baseurl = { 'no-path-url': "http://www.example.com:8888",
'ftp-url': "ftp://www.example.com:8888/",
'no-scheme-url': "www.example.com:8888/",
'empty-scheme-url': "://www.example.com:8888/",
'no-host-url': "http://:8888/",
'hTTp-url': "hTTp://www.example.com:8888/hTTp-url",
'https-url': "https://www.example.com:8888/https-url",
'bad-scheme': "/www.example.com",
'empty-port': "http://www.example.com:/",
'unknown-scheme': "ttp://www.example.com",
'negative-port': "http://www.example.com:-1",
'no-scheme-host-port': "/" }
for nick, url in nick_baseurl.iteritems():
generate_child_cert(srcdir, srcdir, noise_file, nick, 'int', True, url)
def generate_certs():
ca_name = "ca"
[ca_key, ca_cert ] = CertUtils.generate_cert_generic(db,
srcdir,
1,
key_type,
ca_name,
CA_basic_constraints)
ee_ext_text = EE_basic_constraints + EE_full_ku
#now the intermediates
generate_int_and_ee2(ca_key, ca_cert, "no-extensions", "", ee_ext_text)
generate_int_and_ee2(ca_key, ca_cert, "not-a-ca", EE_basic_constraints,
ee_ext_text)
generate_int_and_ee2(ca_key, ca_cert, "cA-FALSE-asserts-keyCertSign",
EE_basic_constraints + all_ku, ee_ext_text)
[int_key, int_cert, a, b] = generate_int_and_ee2(ca_key, ca_cert,
"limited-depth",
CA_limited_basic_constraints,
ee_ext_text);
#and a child using this one
generate_int_and_ee2(int_key, int_cert, "limited-depth-invalid",
CA_basic_constraints, ee_ext_text);
# now we do it again for valid basic constraints but strange eku/ku at the
# intermediate layer
generate_int_and_ee2(ca_key, ca_cert, "valid-ku-no-eku",
CA_basic_constraints + CA_min_ku, ee_ext_text);
generate_int_and_ee2(ca_key, ca_cert, "bad-ku-no-eku",
CA_basic_constraints + CA_bad_ku, ee_ext_text);
generate_int_and_ee2(ca_key, ca_cert, "no-ku-no-eku",
CA_basic_constraints, ee_ext_text);
generate_int_and_ee2(ca_key, ca_cert, "valid-ku-server-eku",
CA_basic_constraints + CA_min_ku + Server_eku,
ee_ext_text);
generate_int_and_ee2(ca_key, ca_cert, "bad-ku-server-eku",
CA_basic_constraints + CA_bad_ku + Server_eku,
ee_ext_text);
generate_int_and_ee2(ca_key, ca_cert, "no-ku-server-eku",
CA_basic_constraints + Server_eku, ee_ext_text);
def generate_certs():
[noise_file, pwd_file] = CertUtils.init_nss_db(srcdir)
generate_ca_cert(srcdir, srcdir, noise_file, 'ca')
generate_child_cert(srcdir, srcdir, noise_file, 'int', 'ca', False, '')
nick_baseurl = {
'no-path-url': "http://www.example.com:8888",
'ftp-url': "ftp://www.example.com:8888/",
'no-scheme-url': "www.example.com:8888/",
'empty-scheme-url': "://www.example.com:8888/",
'no-host-url': "http://:8888/",
'hTTp-url': "hTTp://www.example.com:8888/hTTp-url",
'https-url': "https://www.example.com:8888/https-url",
'bad-scheme': "/www.example.com",
'empty-port': "http://www.example.com:/",
'unknown-scheme': "ttp://www.example.com",
'negative-port': "http://www.example.com:-1",
'no-scheme-host-port': "/"
}
for nick, url in nick_baseurl.iteritems():
generate_child_cert(srcdir, srcdir, noise_file, nick, 'int', True, url)
def generate_certs():
ca_name = "ca"
[ca_key, ca_cert ] = CertUtils.generate_cert_generic(db,
srcdir,
1,
key_type,
ca_name,
CA_basic_constraints)
ee_ext_text = EE_basic_constraints + EE_full_ku
#now the intermediates
generate_int_and_ee2(ca_key, ca_cert, "no-extensions", "", ee_ext_text)
generate_int_and_ee2(ca_key, ca_cert, "not-a-ca", EE_basic_constraints,
ee_ext_text)
[int_key, int_cert, a, b] = generate_int_and_ee2(ca_key, ca_cert,
"limited-depth",
CA_limited_basic_constraints,
ee_ext_text);
#and a child using this one
generate_int_and_ee2(int_key, int_cert, "limited-depth-invalid",
CA_basic_constraints, ee_ext_text);
# now we do it again for valid basic constraints but strange eku/ku at the
# intermediate layer
generate_int_and_ee2(ca_key, ca_cert, "valid-ku-no-eku",
CA_basic_constraints + CA_min_ku, ee_ext_text);
generate_int_and_ee2(ca_key, ca_cert, "bad-ku-no-eku",
CA_basic_constraints + CA_bad_ku, ee_ext_text);
generate_int_and_ee2(ca_key, ca_cert, "no-ku-no-eku",
CA_basic_constraints, ee_ext_text);
generate_int_and_ee2(ca_key, ca_cert, "valid-ku-server-eku",
CA_basic_constraints + CA_min_ku + Server_eku,
ee_ext_text);
generate_int_and_ee2(ca_key, ca_cert, "bad-ku-server-eku",
CA_basic_constraints + CA_bad_ku + Server_eku,
ee_ext_text);
generate_int_and_ee2(ca_key, ca_cert, "no-ku-server-eku",
CA_basic_constraints + Server_eku, ee_ext_text);
def generate_certs():
ca_cert = 'evroot.der'
ca_key = 'evroot.key'
prefix = "ev-valid"
key_type = 'rsa'
ee_ext_text = (aia_prefix + prefix + aia_suffix +
endentity_crl + mozilla_testing_ev_policy)
int_ext_text = (CA_extensions + aia_prefix + "int-" + prefix + aia_suffix +
intermediate_crl + mozilla_testing_ev_policy)
CertUtils.init_nss_db(srcdir)
CertUtils.import_cert_and_pkcs12(srcdir, ca_cert, 'evroot.p12', 'evroot',
'C,C,C')
[int_key, int_cert, ee_key, ee_cert] = CertUtils.generate_int_and_ee(db,
srcdir,
ca_key,
ca_cert,
prefix,
int_ext_text,
ee_ext_text,
key_type)
pk12file = CertUtils.generate_pkcs12(db, db, int_cert, int_key,
"int-" + prefix)
CertUtils.import_cert_and_pkcs12(srcdir, int_cert, pk12file,
'int-' + prefix, ',,')
import_untrusted_cert(ee_cert, prefix)
# now we generate an end entity cert with an AIA with no OCSP URL
no_ocsp_url_ext_aia = ("authorityInfoAccess =" +
"caIssuers;URI:http://www.example.com/ca.html\n");
[no_ocsp_key, no_ocsp_cert] = CertUtils.generate_cert_generic(db,
srcdir,
random.randint(100, 40000000),
key_type,
'no-ocsp-url-cert',
no_ocsp_url_ext_aia + endentity_crl +
mozilla_testing_ev_policy,
int_key, int_cert);
import_untrusted_cert(no_ocsp_cert, 'no-ocsp-url-cert');
# add an ev cert whose intermediate has a anypolicy oid
prefix = "ev-valid-anypolicy-int"
ee_ext_text = (aia_prefix + prefix + aia_suffix +
endentity_crl + mozilla_testing_ev_policy)
int_ext_text = (CA_extensions + aia_prefix + "int-" + prefix + aia_suffix +
intermediate_crl + anypolicy_policy)
[int_key, int_cert, ee_key, ee_cert] = CertUtils.generate_int_and_ee(db,
srcdir,
ca_key,
ca_cert,
prefix,
int_ext_text,
ee_ext_text,
key_type)
pk12file = CertUtils.generate_pkcs12(db, db, int_cert, int_key,
"int-" + prefix)
CertUtils.import_cert_and_pkcs12(srcdir, int_cert, pk12file,
'int-' + prefix, ',,')
import_untrusted_cert(ee_cert, prefix)
[bad_ca_key, bad_ca_cert] = CertUtils.generate_cert_generic( db,
srcdir,
1,
'rsa',
'non-evroot-ca',
CA_extensions)
pk12file = CertUtils.generate_pkcs12(db, db, bad_ca_cert, bad_ca_key,
"non-evroot-ca")
CertUtils.import_cert_and_pkcs12(srcdir, bad_ca_cert, pk12file,
'non-evroot-ca', 'C,C,C')
prefix = "non-ev-root"
ee_ext_text = (aia_prefix + prefix + aia_suffix +
endentity_crl + mozilla_testing_ev_policy)
int_ext_text = (CA_extensions + aia_prefix + "int-" + prefix + aia_suffix +
intermediate_crl + mozilla_testing_ev_policy)
[int_key, int_cert, ee_key, ee_cert] = CertUtils.generate_int_and_ee(db,
srcdir,
bad_ca_key,
bad_ca_cert,
prefix,
int_ext_text,
ee_ext_text,
key_type)
pk12file = CertUtils.generate_pkcs12(db, db, int_cert, int_key,
"int-" + prefix)
CertUtils.import_cert_and_pkcs12(srcdir, int_cert, pk12file,
'int-' + prefix, ',,')
import_untrusted_cert(ee_cert, prefix)
adequate_key_size,
generate_ev)
# Generate chain with an end entity cert that has an inadequate size
generate_and_maybe_import_cert(
key_type,
'ee',
intOK_nick,
ee_ext_text,
intOK_key,
intOK_cert,
inadequate_key_size,
generate_ev)
# Create a NSS DB for use by the OCSP responder.
CertUtils.init_nss_db(srcdir)
# TODO(bug 636807): SECKEY_PublicKeyStrengthInBits() rounds up the number of
# bits to the next multiple of 8 - therefore the highest key size less than 1024
# that can be tested is 1016, less than 2048 is 2040 and so on.
generate_certs('rsa', '1016', '1024', False)
generate_certs('rsa', '2040', '2048', True)
# Print a blank line and the information needed to enable EV for any roots
# generated by this script.
print
for cert_filename in generated_ev_root_filenames:
CertUtils.print_cert_info(cert_filename)
print ('You now MUST update the compiled test EV root information to match ' +
'the EV root information printed above.')
def generate_child_cert(db_dir, dest_dir, noise_file, name, ca_nick, is_ee,
ocsp_url):
return CertUtils.generate_child_cert(db_dir, dest_dir, noise_file, name,
ca_nick, 3, True, is_ee, ocsp_url)
csr_name = dest_dir + "/" + name + ".csr"
os.system ("openssl req -new -key " + key_name + " -days 3650" +
" -extensions v3_ca -batch -out " + csr_name +
" -utf8 -subj '/C=US/ST=CA/L=Mountain View" +
"/O=Mozilla - EV debug test CA/OU=Security Engineering" +
"/CN=XPCShell EV Testing (untrustworthy) CA'")
extensions_filename = db_dir + "/openssl-exts"
f = open(extensions_filename, 'w')
f.write(ext_text)
f.close()
cert_name = dest_dir + "/" + name + ".der"
signer_key_filename = key_name
os.system ("openssl x509 -req -sha256 -days 3650 -in " + csr_name +
" -signkey " + signer_key_filename +
" -set_serial " + str(serial_num) +
" -extfile " + extensions_filename +
" -outform DER -out " + cert_name)
return key_name, cert_name
prefix = "evroot"
[ca_key, ca_cert] = generate_root_cert(db, dest_dir, prefix,
CA_basic_constraints +
CA_min_ku + subject_key_ident)
CertUtils.generate_pkcs12(db, dest_dir, ca_cert, ca_key, prefix)
print ("You now MUST modify nsIdentityinfo.cpp to ensure the xpchell debug " +
"certificate there matches this newly generated one\n")
dsaBad_param_filename, bad_key_size, generate_ev)
generate_and_maybe_import_cert(key_type, '-eeOK-intBad-caOK', ee_ext_text,
intBad_key, intBad_cert,
dsaOK_param_filename, ok_key_size,
generate_ev)
# Bad End Entity
generate_and_maybe_import_cert(key_type, '-eeBad-intOK-caOK', ee_ext_text,
intOK_key, intOK_cert,
dsaBad_param_filename, bad_key_size,
generate_ev)
# Create a NSS DB for use by the OCSP responder.
CertUtils.init_nss_db(srcdir)
# TODO(bug 636807): SECKEY_PublicKeyStrengthInBits() rounds up the number of
# bits to the next multiple of 8 - therefore the highest key size less than 1024
# that can be tested is 1016, less than 2048 is 2040 and so on.
generate_certs('rsa', '1016', '1024', False)
generate_certs('rsa', '2040', '2048', True)
generate_certs('dsa', '960', '1024', False)
# Print a blank line and the information needed to enable EV for any roots
# generated by this script.
print
for cert_filename in generated_ev_root_filenames:
CertUtils.print_cert_info_for_ev(cert_filename)
print('You now MUST update the compiled test EV root information to match ' +
def generate_certs(key_type, bad_key_size, ok_key_size, generate_ev):
"""
Generates the various certificates used by the key size tests.
Arguments:
key_type -- the type of key generated: potential values: 'rsa', 'dsa',
or any of the curves found by 'openssl ecparam -list_curves'
bad_key_size -- the public key size bad certs should have
ok_key_size -- the public key size OK certs should have
generate_ev -- whether an EV cert should be generated
"""
if key_type == 'dsa':
CertUtils.init_dsa(db_dir, dsaBad_param_filename, bad_key_size)
CertUtils.init_dsa(db_dir, dsaOK_param_filename, ok_key_size)
# OK Chain
if generate_ev and key_type == 'rsa':
# Reuse the existing RSA EV root
caOK_cert_name = 'evroot'
caOK_key = '../test_ev_certs/evroot.key'
caOK_cert = '../test_ev_certs/evroot.der'
caOK_pkcs12_filename = '../test_ev_certs/evroot.p12'
CertUtils.import_cert_and_pkcs12(srcdir, caOK_cert,
caOK_pkcs12_filename, caOK_cert_name,
',,')
else:
[caOK_key,
caOK_cert] = generate_and_maybe_import_cert(key_type, '-caOK',
ca_ext_text, '', '',
dsaOK_param_filename,
ok_key_size, generate_ev)
[intOK_key, intOK_cert] = generate_and_maybe_import_cert(
key_type, '-intOK-caOK', ca_ext_text, caOK_key, caOK_cert,
dsaOK_param_filename, ok_key_size, generate_ev)
generate_and_maybe_import_cert(key_type, '-eeOK-intOK-caOK', ee_ext_text,
intOK_key, intOK_cert, dsaOK_param_filename,
ok_key_size, generate_ev)
# Bad CA
[caBad_key,
caBad_cert] = generate_and_maybe_import_cert(key_type, '-caBad',
ca_ext_text, '', '',
dsaBad_param_filename,
bad_key_size, generate_ev)
[int_key, int_cert] = generate_and_maybe_import_cert(
key_type, '-intOK-caBad', ca_ext_text, caBad_key, caBad_cert,
dsaOK_param_filename, ok_key_size, generate_ev)
generate_and_maybe_import_cert(key_type, '-eeOK-intOK-caBad', ee_ext_text,
int_key, int_cert, dsaOK_param_filename,
ok_key_size, generate_ev)
# Bad Intermediate
[intBad_key, intBad_cert] = generate_and_maybe_import_cert(
key_type, '-intBad-caOK', ca_ext_text, caOK_key, caOK_cert,
dsaBad_param_filename, bad_key_size, generate_ev)
generate_and_maybe_import_cert(key_type, '-eeOK-intBad-caOK', ee_ext_text,
intBad_key, intBad_cert,
dsaOK_param_filename, ok_key_size,
generate_ev)
# Bad End Entity
generate_and_maybe_import_cert(key_type, '-eeBad-intOK-caOK', ee_ext_text,
intOK_key, intOK_cert,
dsaBad_param_filename, bad_key_size,
generate_ev)
def generate_certs(key_type, inadequate_key_size, adequate_key_size, generate_ev):
"""
Generates the various certificates used by the key size tests.
Arguments:
key_type -- the type of key generated: potential values: 'rsa',
or any of the curves found by 'openssl ecparam -list_curves'
inadequate_key_size -- a string defining the inadequate public key size
for the generated certs
adequate_key_size -- a string defining the adequate public key size for
the generated certs
generate_ev -- whether an EV cert should be generated
"""
# Generate chain with certs that have adequate sizes
if generate_ev and key_type == 'rsa':
# Reuse the existing RSA EV root
rootOK_nick = 'evroot'
caOK_key = '../test_ev_certs/evroot.key'
caOK_cert = '../test_ev_certs/evroot.der'
caOK_pkcs12_filename = '../test_ev_certs/evroot.p12'
CertUtils.import_cert_and_pkcs12(srcdir, caOK_cert, caOK_pkcs12_filename,
rootOK_nick, ',,')
else:
[rootOK_nick, caOK_key, caOK_cert] = generate_and_maybe_import_cert(
key_type,
'root',
'',
ca_ext_text,
'',
'',
adequate_key_size,
generate_ev)
[intOK_nick, intOK_key, intOK_cert] = generate_and_maybe_import_cert(
key_type,
'int',
rootOK_nick,
ca_ext_text,
caOK_key,
caOK_cert,
adequate_key_size,
generate_ev)
generate_and_maybe_import_cert(
key_type,
'ee',
intOK_nick,
ee_ext_text,
intOK_key,
intOK_cert,
adequate_key_size,
generate_ev)
# Generate chain with a root cert that has an inadequate size
[rootNotOK_nick, rootNotOK_key, rootNotOK_cert] = generate_and_maybe_import_cert(
key_type,
'root',
'',
ca_ext_text,
'',
'',
inadequate_key_size,
generate_ev)
[int_nick, int_key, int_cert] = generate_and_maybe_import_cert(
key_type,
'int',
rootNotOK_nick,
ca_ext_text,
rootNotOK_key,
rootNotOK_cert,
adequate_key_size,
generate_ev)
generate_and_maybe_import_cert(
key_type,
'ee',
int_nick,
ee_ext_text,
int_key,
int_cert,
adequate_key_size,
generate_ev)
# Generate chain with an intermediate cert that has an inadequate size
[intNotOK_nick, intNotOK_key, intNotOK_cert] = generate_and_maybe_import_cert(
key_type,
'int',
rootOK_nick,
ca_ext_text,
caOK_key,
caOK_cert,
inadequate_key_size,
generate_ev)
generate_and_maybe_import_cert(
key_type,
'ee',
intNotOK_nick,
ee_ext_text,
intNotOK_key,
intNotOK_cert,
adequate_key_size,
generate_ev)
# Generate chain with an end entity cert that has an inadequate size
generate_and_maybe_import_cert(
key_type,
'ee',
intOK_nick,
ee_ext_text,
intOK_key,
intOK_cert,
inadequate_key_size,
generate_ev)
csr_name = dest_dir + "/" + name + ".csr"
os.system("openssl req -new -key " + key_name + " -days 3650" +
" -extensions v3_ca -batch -out " + csr_name +
" -utf8 -subj '/C=US/ST=CA/L=Mountain View" +
"/O=Mozilla - EV debug test CA/OU=Security Engineering" +
"/CN=XPCShell EV Testing (untrustworthy) CA'")
extensions_filename = db_dir + "/openssl-exts"
f = open(extensions_filename, 'w')
f.write(ext_text)
f.close()
cert_name = dest_dir + "/" + name + ".der"
signer_key_filename = key_name
os.system("openssl x509 -req -sha256 -days 3650 -in " + csr_name +
" -signkey " + signer_key_filename + " -set_serial " +
str(serial_num) + " -extfile " + extensions_filename +
" -outform DER -out " + cert_name)
return key_name, cert_name
prefix = "evroot"
[ca_key, ca_cert
] = generate_root_cert(db, dest_dir, prefix,
CA_basic_constraints + CA_min_ku + subject_key_ident)
CertUtils.generate_pkcs12(db, dest_dir, ca_cert, ca_key, prefix)
print("You now MUST modify nsIdentityinfo.cpp to ensure the xpchell debug " +
"certificate there matches this newly generated one\n")
ca_ext_text,
'',
'',
60)
[int_nick, int_key_file, int_cert_file] = generate_and_import_cert(
'int',
root_nick,
ca_ext_text,
root_key_file,
root_cert_file,
60)
generate_and_import_cert(
'ee',
int_nick,
'',
int_key_file,
int_cert_file,
ee_validity_months)
# Create a NSS DB for use by the OCSP responder.
[noise_file, pwd_file] = CertUtils.init_nss_db(src_dir)
generate_chain(39)
generate_chain(40)
# Remove unnecessary files
os.remove(noise_file)
os.remove(pwd_file)
def generate_and_maybe_import_cert(key_type, cert_name_prefix, cert_name_suffix,
base_ext_text, signer_key_filename,
signer_cert_filename, key_size, generate_ev):
"""
Generates a certificate and imports it into the NSS DB if appropriate.
Arguments:
key_type -- the type of key generated: potential values: 'rsa', or any of
the curves found by 'openssl ecparam -list_curves'
cert_name_prefix -- prefix of the generated cert name
cert_name_suffix -- suffix of the generated cert name
base_ext_text -- the base text for the x509 extensions to be added to the
certificate (extra extensions will be added if generating
an EV cert)
signer_key_filename -- the filename of the key from which the cert will
be signed. If an empty string is passed in the cert
will be self signed (think CA roots).
signer_cert_filename -- the filename of the signer cert that will sign the
certificate being generated. Ignored if an empty
string is passed in for signer_key_filename.
Must be in DER format.
key_size -- public key size for RSA certs
generate_ev -- whether an EV cert should be generated
Output:
cert_name -- the resultant (nick)name of the certificate
key_filename -- the filename of the key file (PEM format)
cert_filename -- the filename of the certificate (DER format)
"""
cert_name = cert_name_prefix + '_' + key_type + '_' + key_size
# If the suffix is not the empty string, add a hyphen for visual separation
if cert_name_suffix:
cert_name += '-' + cert_name_suffix
ev_ext_text = ''
subject_string = ('/CN=XPCShell Key Size Testing %s %s-bit' %
(key_type, key_size))
if generate_ev:
cert_name = 'ev_' + cert_name
ev_ext_text = (aia_prefix + cert_name + aia_suffix +
mozilla_testing_ev_policy)
subject_string += ' (EV)'
# Use the organization field to store the cert nickname for easier debugging
subject_string += '/O=' + cert_name
[key_filename, cert_filename] = CertUtils.generate_cert_generic(
db_dir,
srcdir,
random.randint(100, 40000000),
key_type,
cert_name,
base_ext_text + ev_ext_text,
signer_key_filename,
signer_cert_filename,
subject_string,
key_size)
if generate_ev:
# The dest_dir argument of generate_pkcs12() is also set to db_dir as
# the .p12 files do not need to be kept once they have been imported.
pkcs12_filename = CertUtils.generate_pkcs12(db_dir, db_dir,
cert_filename, key_filename,
cert_name)
CertUtils.import_cert_and_pkcs12(srcdir, cert_filename, pkcs12_filename,
cert_name, ',,')
if not signer_key_filename:
generated_ev_root_filenames.append(cert_filename)
return [cert_name, key_filename, cert_filename]
def gen_cert(cliopts, extensions, ca_key=None, ca_cert=None, subject=None):
return CertUtils.generate_cert_generic(cliopts.output_dir,
cliopts.output_dir, cliopts.serial,
'rsa', cliopts.certname, extensions,
ca_key, ca_cert, subject)
def generate_ca_cert(db_dir, dest_dir, noise_file, name):
return CertUtils.generate_ca_cert(db_dir, dest_dir, noise_file, name,
3, True)
def generate_certs():
js_outfile = open("../test_cert_eku.js", 'w');
ca_name = "ca"
[ca_key, ca_cert ] = CertUtils.generate_cert_generic(db,
srcdir,
1,
key_type,
ca_name,
CA_basic_constraints)
ee_ext_text = EE_basic_constraints + EE_full_ku
js_outfile.write(js_file_header);
# now we do it again for valid basic constraints but strange eku/ku at the
# intermediate layer
eku_dict = generate_test_eku();
print eku_dict
for eku_name in (sorted(eku_dict.keys())):
#generate int
int_name = "int-EKU-" + eku_name;
int_serial = random.randint(100, 40000000);
eku_text = "extendedKeyUsage = " + eku_dict[eku_name]
if (eku_name == "NONE"):
eku_text = ""
int_ext_text = CA_basic_constraints + CA_full_ku + eku_text
[int_key, int_cert] = CertUtils.generate_cert_generic(db,
srcdir,
int_serial,
key_type,
int_name,
int_ext_text,
ca_key,
ca_cert);
if ("NS" in int_name) or ("SA" in int_name) or ("NONE" in int_name):
if ("OS" not in int_name):
js_outfile.write("\n check_ok_ca(load_cert('"+ int_name + "', ',,'));\n")
else:
js_outfile.write("\n load_cert('"+ int_name +"', ',,');\n")
else:
if ( "CA" in int_name):
# classic allows a cert to be considered CA even if it only
# asserts the ClientAuth EKU, here we have a failure of
# expression. Insanity is more explicit and requires
# the ServerAuth EKU
js_outfile.write("\n check_cert_err_generic(load_cert('"+
int_name +"', ',,'), useMozillaPKIX ? -1 : " +
"0, certificateUsageSSLCA) ;\n")
else:
js_outfile.write("\n check_cert_err_generic(load_cert('"+
int_name +"', ',,'), useMozillaPKIX ? -1 : " +
"-1, certificateUsageSSLCA) ;\n")
for ee_eku_name in (sorted(eku_dict.keys())):
ee_base_name = "ee-EKU-" + ee_eku_name;
ee_name = ee_base_name + "-" + int_name
ee_serial = random.randint(100, 40000000);
ee_eku = "extendedKeyUsage = critical," + eku_dict[ee_eku_name]
if (ee_eku_name == "NONE"):
ee_eku = ""
ee_ext_text = EE_basic_constraints + EE_full_ku + ee_eku
[ee_key, ee_cert] = CertUtils.generate_cert_generic(db,
srcdir,
ee_serial,
key_type,
ee_name,
ee_ext_text,
int_key,
int_cert)
for cert_usage in (cert_usages):
js_outfile.write(gen_js_output(int_name, ee_base_name,
cert_usage, ee_name))
js_outfile.write(js_file_footer)
js_outfile.close()
def generate_and_maybe_import_cert(
key_type,
cert_name_prefix,
cert_name_suffix,
base_ext_text,
signer_key_filename,
signer_cert_filename,
key_size,
generate_ev,
):
"""
Generates a certificate and imports it into the NSS DB if appropriate.
If an equivalent certificate has already been generated, it is reused.
Arguments:
key_type -- the type of key generated: potential values: 'rsa', or any of
the curves found by 'openssl ecparam -list_curves'
cert_name_prefix -- prefix of the generated cert name
cert_name_suffix -- suffix of the generated cert name
base_ext_text -- the base text for the x509 extensions to be added to the
certificate (extra extensions will be added if generating
an EV cert)
signer_key_filename -- the filename of the key from which the cert will
be signed. If an empty string is passed in the cert
will be self signed (think CA roots).
signer_cert_filename -- the filename of the signer cert that will sign the
certificate being generated. Ignored if an empty
string is passed in for signer_key_filename.
Must be in DER format.
key_size -- public key size for RSA certs
generate_ev -- whether an EV cert should be generated
Output:
cert_name -- the resultant (nick)name of the certificate
key_filename -- the filename of the key file (PEM format)
cert_filename -- the filename of the certificate (DER format)
"""
cert_name = cert_name_prefix + "_" + key_type + "_" + key_size
# If the suffix is not the empty string, add a hyphen for visual separation
if cert_name_suffix:
cert_name += "-" + cert_name_suffix
ev_ext_text = ""
subject_string = "/CN=XPCShell Key Size Testing %s %s-bit" % (key_type, key_size)
if generate_ev:
cert_name = "ev_" + cert_name
ev_ext_text = aia_prefix + cert_name + aia_suffix + mozilla_testing_ev_policy
subject_string += " (EV)"
# Use the organization field to store the cert nickname for easier debugging
subject_string += "/O=" + cert_name
# Reuse the existing RSA EV root
if (
generate_ev
and key_type == "rsa"
and signer_key_filename == ""
and signer_cert_filename == ""
and key_size == "2048"
):
cert_name = "evroot"
key_filename = "../test_ev_certs/evroot.key"
cert_filename = "../test_ev_certs/evroot.der"
CertUtils.import_cert_and_pkcs12(srcdir, cert_filename, "../test_ev_certs/evroot.p12", cert_name, ",,")
return [cert_name, key_filename, cert_filename]
# Don't regenerate a previously generated cert
for cert in generated_certs:
if cert_name == cert[0]:
return cert
[key_filename, cert_filename] = CertUtils.generate_cert_generic(
db_dir,
srcdir,
random.randint(100, 40000000),
key_type,
cert_name,
base_ext_text + ev_ext_text,
signer_key_filename,
signer_cert_filename,
subject_string,
key_size,
)
generated_certs.append([cert_name, key_filename, cert_filename])
if generate_ev:
# The dest_dir argument of generate_pkcs12() is also set to db_dir as
# the .p12 files do not need to be kept once they have been imported.
pkcs12_filename = CertUtils.generate_pkcs12(db_dir, db_dir, cert_filename, key_filename, cert_name)
CertUtils.import_cert_and_pkcs12(srcdir, cert_filename, pkcs12_filename, cert_name, ",,")
if not signer_key_filename:
generated_ev_root_filenames.append(cert_filename)
return [cert_name, key_filename, cert_filename]
def generate_certs():
key_type = 'rsa'
ca_ext = CA_basic_constraints + CA_full_ku + subject_key_ident;
ee_ext_text = (EE_basic_constraints + authority_key_ident)
[ca_key, ca_cert] = CertUtils.generate_cert_generic(db,
srcdir,
1,
key_type,
'ca-nc',
ca_ext)
#now the constrained via perm
name = 'int-nc-perm-foo.com-ca-nc'
name_constraints = "nameConstraints = permitted;DNS:foo.com\n"
[int_key, int_cert] = CertUtils.generate_cert_generic(db,
srcdir,
101,
key_type,
name,
ca_ext + authority_key_ident + name_constraints,
ca_key,
ca_cert)
generate_family(db, srcdir, int_key, int_cert, name)
#now the constrained via excl
name = 'int-nc-excl-foo.com-ca-nc'
name_constraints = "nameConstraints = excluded;DNS:foo.com\n"
[int_key, int_cert] = CertUtils.generate_cert_generic(db,
srcdir,
102,
key_type,
name,
ca_ext + name_constraints + authority_key_ident,
ca_key,
ca_cert)
generate_family(db, srcdir, int_key, int_cert, name)
#now constrained to permitted: O=bar C=US
name = 'int-nc-c-us-ca-nc'
name_constraints = "nameConstraints = permitted;dirName:dir_sect\n[dir_sect]\nC=US\n\n\n"
[int_key, int_cert] = CertUtils.generate_cert_generic(db,
srcdir,
103,
key_type,
name,
ca_ext + authority_key_ident + name_constraints,
ca_key,
ca_cert)
generate_family(db, srcdir, int_key, int_cert, name)
#now make a subCA that is also constrainted to foo.com (combine constraints)
name = 'int-nc-foo.com-int-nc-c-us-ca-nc'
name_constraints = "nameConstraints = permitted;DNS:foo.com\n\n\n"
[int_key, int_cert] = CertUtils.generate_cert_generic(db,
srcdir,
104,
key_type,
name,
ca_ext + name_constraints + authority_key_ident,
int_key,
int_cert,
'/C=US/CN='+ name)
generate_family(db, srcdir, int_key, int_cert, name)
#now single intermediate constrainted to permitted O=bar C=US & DNS foo.com
name = 'int-nc-perm-foo.com_c-us-ca-nc'
name_constraints = "nameConstraints = permitted;DNS:foo.com,permitted;dirName:dir_sect\n[dir_sect]\nC=US\n\n\n"
[int_key, int_cert] = CertUtils.generate_cert_generic(db,
srcdir,
105,
key_type,
name,
ca_ext + authority_key_ident + name_constraints,
ca_key,
ca_cert)
generate_family(db, srcdir, int_key, int_cert, name)
#now constrainted to permitted C=UK (all ee must fail)
name = 'int-nc-perm-c-uk-ca-nc'
name_constraints = "nameConstraints = permitted;dirName:dir_sect\n[dir_sect]\nC=UK\n\n\n"
[int_key, int_cert] = CertUtils.generate_cert_generic(db,
srcdir,
106,
key_type,
name,
ca_ext + authority_key_ident + name_constraints,
ca_key,
ca_cert)
generate_family(db, srcdir, int_key, int_cert, name)
#now an unconstrained sub intermediate from the UK cert (all ee must fail) not in the same name space
name = 'int-c-us-int-nc-perm-c-uk-ca-nc'
#name_constraints = "nameConstraints = permitted;DNS:foo.com\n\n\n"
[int_key, int_cert] = CertUtils.generate_cert_generic(db,
srcdir,
108,
key_type,
name,
ca_ext + authority_key_ident,
int_key,
int_cert,
'/C=US/CN='+ name)
generate_family(db, srcdir, int_key, int_cert, name)
#now we generate permitted to foo.com and example2.com
name = 'int-nc-foo.com_a.us'
name_constraints = "nameConstraints = permitted;DNS:foo.com,permitted;DNS:a.us\n"
[int_key, int_cert] = CertUtils.generate_cert_generic(db,
srcdir,
109,
key_type,
name,
ca_ext + authority_key_ident + name_constraints,
ca_key,
ca_cert)
generate_family(db, srcdir, int_key, int_cert, name)
#A sub ca contrained to foo.com with signer constrained to foo.com and example2.com
name = 'int-nc-foo.com-int-nc-foo.com_a.us'
name_constraints = "nameConstraints = permitted;DNS:foo.com\n"
[int_key, int_cert] = CertUtils.generate_cert_generic(db,
srcdir,
110,
key_type,
name,
ca_ext + authority_key_ident + name_constraints,
ca_key,
ca_cert)
generate_family(db, srcdir, int_key, int_cert, name)
#now we generate a root that is name constrained
name_constraints = "nameConstraints = permitted;DNS:foo.com\n "
[ca_key, ca_cert] = CertUtils.generate_cert_generic(db,
srcdir,
1,
key_type,
'ca-nc-perm-foo.com',
ca_ext + name_constraints)
#and an unconstrained int
name = 'int-ca-nc-perm-foo.com'
name_constraints = "\n"
[int_key, int_cert] = CertUtils.generate_cert_generic(db,
srcdir,
111,
key_type,
name,
ca_ext + name_constraints + authority_key_ident,
ca_key,
ca_cert)
generate_family(db, srcdir, int_key, int_cert, name)
CA_basic_constraints = "basicConstraints = critical, CA:TRUE\n"
CA_min_ku = "keyUsage = critical, digitalSignature, keyCertSign, cRLSign\n"
subject_key_ident = "subjectKeyIdentifier = hash\n"
cert_name = 'evroot'
ext_text = CA_basic_constraints + CA_min_ku + subject_key_ident
subject_string = ('/C=US/ST=CA/L=Mountain View' +
'/O=Mozilla - EV debug test CA/OU=Security Engineering' +
'/CN=XPCShell EV Testing (untrustworthy) CA')
# The db_dir argument of generate_cert_generic() is also set to dest_dir as
# the .key file generated is needed by other certs.
[ca_key,
ca_cert] = CertUtils.generate_cert_generic(dest_dir,
dest_dir,
random.randint(100, 40000000),
'rsa',
cert_name,
ext_text,
subject_string=subject_string)
CertUtils.generate_pkcs12(db, dest_dir, ca_cert, ca_key, cert_name)
# Print a blank line and the information needed to enable EV for the root
# generated by this script.
print
CertUtils.print_cert_info(ca_cert)
print('You now MUST update the compiled test EV root information to match ' +
'the EV root information printed above. In addition, certs that chain ' +
'up to this root in other folders will also need to be regenerated.')
def generate_family(db_dir, dst_dir, ca_key, ca_cert, base_name):
key_type = 'rsa'
ee_ext_base = EE_basic_constraints + authority_key_ident;
#cn =foo.com
CertUtils.generate_cert_generic(db,
srcdir,
10,
key_type,
'cn-www.foo.com-'+ base_name,
ee_ext_base,
ca_key,
ca_cert,
'/CN=www.foo.com')
#cn = foo.org
CertUtils.generate_cert_generic(db,
srcdir,
11,
key_type,
'cn-www.foo.org-'+ base_name,
ee_ext_base,
ca_key,
ca_cert,
'/CN=www.foo.org')
#cn = foo.com, alt= foo.org
alt_name_ext = 'subjectAltName =DNS:*.foo.org'
CertUtils.generate_cert_generic(db,
srcdir,
12,
key_type,
'cn-www.foo.com-alt-foo.org-'+ base_name,
ee_ext_base + alt_name_ext,
ca_key,
ca_cert,
'/CN=www.foo.com')
#cn = foo.org, alt= foo.com
alt_name_ext = 'subjectAltName =DNS:*.foo.com'
CertUtils.generate_cert_generic(db,
srcdir,
13,
key_type,
'cn-www.foo.org-alt-foo.com-'+ base_name,
ee_ext_base + alt_name_ext,
ca_key,
ca_cert,
'/CN=www.foo.org')
#cn = foo.com, alt=foo.com
alt_name_ext = 'subjectAltName =DNS:*.foo.com'
CertUtils.generate_cert_generic(db,
srcdir,
14,
key_type,
'cn-www.foo.com-alt-foo.com-'+ base_name,
ee_ext_base + alt_name_ext,
ca_key,
ca_cert,
'/CN=www.foo.com')
#cn = foo.org, alt=foo.org
alt_name_ext = 'subjectAltName =DNS:*.foo.org'
CertUtils.generate_cert_generic(db,
srcdir,
15,
key_type,
'cn-www.foo.org-alt-foo.org-'+ base_name,
ee_ext_base + alt_name_ext,
ca_key,
ca_cert,
'/CN=www.foo.org')
#cn = foo.com, alt=foo.com,a.a.us,b.a.us
alt_name_ext = 'subjectAltName =DNS:*.foo.com,DNS:*.a.a.us,DNS:*.b.a.us'
CertUtils.generate_cert_generic(db,
srcdir,
16,
key_type,
'cn-www.foo.com-alt-foo.com-a.a.us-b.a.us-'+ base_name,
ee_ext_base + alt_name_ext,
ca_key,
ca_cert,
'/CN=www.foo.com')
#cn =foo.com O=bar C=US
CertUtils.generate_cert_generic(db,
srcdir,
17,
key_type,
'cn-www.foo.com_o-bar_c-us-'+ base_name,
ee_ext_base,
ca_key,
ca_cert,
'/C=US/O=bar/CN=www.foo.com')
#cn = foo.org O=bar C=US
CertUtils.generate_cert_generic(db,
srcdir,
18,
key_type,
'cn-www.foo.org_o-bar_c-us-'+ base_name,
ee_ext_base,
ca_key,
ca_cert,
'/C=US/O=bar/CN=www.foo.org')
#cn = foo.com, alt= foo.org
alt_name_ext = 'subjectAltName =DNS:*.foo.org'
CertUtils.generate_cert_generic(db,
srcdir,
19,
key_type,
'cn-www.foo.com_o-bar_c-us-alt-foo.org-'+ base_name,
ee_ext_base + alt_name_ext,
ca_key,
ca_cert,
'/C=US/O=bar/CN=www.foo.com')
#cn = foo.org, alt= foo.com
alt_name_ext = 'subjectAltName =DNS:*.foo.com'
CertUtils.generate_cert_generic(db,
srcdir,
20,
key_type,
'cn-www.foo.org_o-bar_c-us-alt-foo.com-'+ base_name,
ee_ext_base + alt_name_ext,
ca_key,
ca_cert,
'/C=US/O=bar/CN=www.foo.org')
#cn = foo.com, alt=foo.com
alt_name_ext = 'subjectAltName =DNS:*.foo.com'
CertUtils.generate_cert_generic(db,
srcdir,
21,
key_type,
'cn-www.foo.com_o-bar_c-us-alt-foo.com-'+ base_name,
ee_ext_base + alt_name_ext,
ca_key,
ca_cert,
'/C=US/O=bar/CN=www.foo.com')
#cn = foo.org, alt=foo.org
alt_name_ext = 'subjectAltName =DNS:*.foo.org'
CertUtils.generate_cert_generic(db,
srcdir,
22,
key_type,
'cn-www.foo.org_o-bar_c-us-alt-foo.org-'+ base_name,
ee_ext_base + alt_name_ext,
ca_key,
ca_cert,
'/C=US/O=bar/CN=www.foo.org')
#cn = foo.com, alt=foo.com,a.a.us.com,b.a.us
alt_name_ext = 'subjectAltName =DNS:*.foo.com,DNS:*.a.a.us,DNS:*.b.a.us'
CertUtils.generate_cert_generic(db,
srcdir,
23,
key_type,
'cn-www.foo.com_o-bar_c-us-alt-foo.com-a.a.us-b.a.us-'+ base_name,
ee_ext_base + alt_name_ext,
ca_key,
ca_cert,
'/C=US/O=bar/CN=www.foo.com')
CA_basic_constraints = "basicConstraints = critical, CA:TRUE\n"
CA_min_ku = "keyUsage = critical, digitalSignature, keyCertSign, cRLSign\n"
subject_key_ident = "subjectKeyIdentifier = hash\n"
cert_name = 'evroot'
ext_text = CA_basic_constraints + CA_min_ku + subject_key_ident
subject_string = ('/C=US/ST=CA/L=Mountain View' +
'/O=Mozilla - EV debug test CA/OU=Security Engineering' +
'/CN=XPCShell EV Testing (untrustworthy) CA')
# The db_dir argument of generate_cert_generic() is also set to dest_dir as
# the .key file generated is needed by other certs.
[ca_key, ca_cert] = CertUtils.generate_cert_generic(
dest_dir,
dest_dir,
random.randint(100, 40000000),
'rsa',
cert_name,
ext_text,
subject_string = subject_string)
CertUtils.generate_pkcs12(db, dest_dir, ca_cert, ca_key, cert_name)
# Print a blank line and the information needed to enable EV for the root
# generated by this script.
print
CertUtils.print_cert_info_for_ev(ca_cert)
print ('You now MUST update the compiled test EV root information to match ' +
'the EV root information printed above. In addition, certs that chain ' +
'up to this root in other folders will also need to be regenerated.' )
def generate_certs():
init_nss_db()
ca_cert = 'evroot.der'
ca_key = 'evroot.key'
prefix = "ev-valid"
key_type = 'rsa'
ee_ext_text = (aia_prefix + prefix + aia_suffix +
endentity_crl + mozilla_testing_ev_policy)
int_ext_text = (CA_extensions + aia_prefix + "int-" + prefix + aia_suffix +
intermediate_crl + mozilla_testing_ev_policy)
[int_key, int_cert, ee_key, ee_cert] = CertUtils.generate_int_and_ee(db,
srcdir,
ca_key,
ca_cert,
prefix,
int_ext_text,
ee_ext_text,
key_type)
pk12file = CertUtils.generate_pkcs12(db, srcdir, int_cert, int_key,
"int-" + prefix)
import_cert_and_pkcs12(int_cert, pk12file, "int-" + prefix, ",,")
import_untrusted_cert(ee_cert, prefix)
# now we generate an end entity cert with an AIA with no OCSP URL
no_ocsp_url_ext_aia = ("authorityInfoAccess =" +
"caIssuers;URI:http://www.example.com/ca.html\n");
[no_ocsp_key, no_ocsp_cert] = CertUtils.generate_cert_generic(db,
srcdir,
random.randint(100, 40000000),
key_type,
'no-ocsp-url-cert',
no_ocsp_url_ext_aia + endentity_crl +
mozilla_testing_ev_policy,
int_key, int_cert);
import_untrusted_cert(no_ocsp_cert, 'no-ocsp-url-cert');
# add an ev cert whose intermediate has a anypolicy oid
prefix = "ev-valid-anypolicy-int"
ee_ext_text = (aia_prefix + prefix + aia_suffix +
endentity_crl + mozilla_testing_ev_policy)
int_ext_text = (CA_extensions + aia_prefix + "int-" + prefix + aia_suffix +
intermediate_crl + anypolicy_policy)
[int_key, int_cert, ee_key, ee_cert] = CertUtils.generate_int_and_ee(db,
srcdir,
ca_key,
ca_cert,
prefix,
int_ext_text,
ee_ext_text,
key_type)
pk12file = CertUtils.generate_pkcs12(db, srcdir, int_cert, int_key,
"int-" + prefix)
import_cert_and_pkcs12(int_cert, pk12file, "int-" + prefix, ",,")
import_untrusted_cert(ee_cert, prefix)
[bad_ca_key, bad_ca_cert] = CertUtils.generate_cert_generic( db,
srcdir,
1,
'rsa',
'non-evroot-ca',
CA_extensions)
pk12file = CertUtils.generate_pkcs12(db, srcdir, bad_ca_cert, bad_ca_key,
"non-evroot-ca")
import_cert_and_pkcs12(bad_ca_cert, pk12file, "non-evroot-ca", "C,C,C")
prefix = "non-ev-root"
ee_ext_text = (aia_prefix + prefix + aia_suffix +
endentity_crl + mozilla_testing_ev_policy)
int_ext_text = (CA_extensions + aia_prefix + "int-" + prefix + aia_suffix +
intermediate_crl + mozilla_testing_ev_policy)
[int_key, int_cert, ee_key, ee_cert] = CertUtils.generate_int_and_ee(db,
srcdir,
bad_ca_key,
bad_ca_cert,
prefix,
int_ext_text,
ee_ext_text,
key_type)
pk12file = CertUtils.generate_pkcs12(db, srcdir, int_cert, int_key,
"int-" + prefix)
import_cert_and_pkcs12(int_cert, pk12file, "int-" + prefix, ",,")
import_untrusted_cert(ee_cert, prefix)
def generate_ca_cert(db_dir, dest_dir, noise_file, name):
return CertUtils.generate_ca_cert(db_dir, dest_dir, noise_file, name, 3,
True)
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
import tempfile, os, sys, random
libpath = os.path.abspath("../psm_common_py")
sys.path.append(libpath)
import CertUtils
dest_dir = os.getcwd()
db = tempfile.mkdtemp()
serial = random.randint(100, 40000000)
name = "client-cert"
[key, cert] = CertUtils.generate_cert_generic(db, dest_dir, serial, "rsa",
name, "")
CertUtils.generate_pkcs12(db, dest_dir, cert, key, name)
# Print a blank line and the fingerprint of the cert that ClientAuthServer.cpp
# should be modified with.
print
CertUtils.print_cert_info(cert)
print ('You now MUST update the fingerprint in ClientAuthServer.cpp to match ' +
'the fingerprint printed above.')
# Remove unnecessary .der file
os.remove(dest_dir + "/" + name + ".der")
def generate_child_cert(db_dir, dest_dir, noise_file, name, ca_nick,
cert_version, do_bc, is_ee):
return CertUtils.generate_child_cert(db_dir, dest_dir, noise_file, name,
ca_nick, cert_version, do_bc, is_ee,
'')
def generate_child_cert(db_dir, dest_dir, noise_file, name, ca_nick, is_ee,
ocsp_url):
return CertUtils.generate_child_cert(db_dir, dest_dir, noise_file, name,
ca_nick, 3, True, is_ee, ocsp_url)
def generate_and_import_cert(cert_name_prefix, cert_name_suffix,
base_ext_text, signer_key_filename,
signer_cert_filename, validity_in_months):
"""
Generates a certificate and imports it into the NSS DB.
Arguments:
cert_name_prefix - prefix of the generated cert name
cert_name_suffix - suffix of the generated cert name
base_ext_text - the base text for the x509 extensions to be
added to the certificate (extra extensions will
be added if generating an EV cert)
signer_key_filename - the filename of the key from which the
cert will be signed. If an empty string is
passed in the cert will be self signed
(think CA roots).
signer_cert_filename - the filename of the signer cert that will
sign the certificate being generated.
Ignored if an empty string is passed in
for signer_key_filename.
Must be in DER format.
validity_in_months - the number of months the cert should be
valid for.
Output:
cert_name - the resultant (nick)name of the certificate
key_filename - the filename of the key file (PEM format)
cert_filename - the filename of the certificate (DER format)
"""
cert_name = 'ev_%s_%u_months' % (cert_name_prefix, validity_in_months)
# If the suffix is not the empty string, add a hyphen for visual
# separation
if cert_name_suffix:
cert_name += '-' + cert_name_suffix
subject_string = '/CN=%s' % cert_name
ev_ext_text = (CertUtils.aia_prefix + cert_name + CertUtils.aia_suffix +
CertUtils.mozilla_testing_ev_policy)
# Reuse the existing RSA EV root
if (signer_key_filename == '' and signer_cert_filename == ''):
cert_name = 'evroot'
key_filename = '../test_ev_certs/evroot.key'
cert_filename = '../test_ev_certs/evroot.der'
CertUtils.import_cert_and_pkcs12(src_dir, cert_filename,
'../test_ev_certs/evroot.p12',
cert_name, ',,')
return [cert_name, key_filename, cert_filename]
# Don't regenerate a previously generated cert
for cert in generated_ev_certs:
if cert_name == cert[0]:
return cert
validity_years = math.floor(validity_in_months / 12)
validity_months = validity_in_months % 12
[key_filename, cert_filename] = CertUtils.generate_cert_generic(
temp_dir,
src_dir,
random.randint(100, 40000000),
'rsa',
cert_name,
base_ext_text + ev_ext_text,
signer_key_filename,
signer_cert_filename,
subject_string,
validity_in_days = validity_years * 365 + validity_months * 31)
generated_ev_certs.append([cert_name, key_filename, cert_filename])
# The dest_dir argument of generate_pkcs12() is also set to temp_dir
# as the .p12 files do not need to be kept once they have been
# imported.
pkcs12_filename = CertUtils.generate_pkcs12(temp_dir, temp_dir,
cert_filename,
key_filename,
cert_name)
CertUtils.import_cert_and_pkcs12(src_dir, cert_filename,
pkcs12_filename, cert_name, ',,')
return [cert_name, key_filename, cert_filename]
def generate_ca(db_dir, dest_dir, noise_file, name, version, do_bc):
CertUtils.generate_ca_cert(db_dir, dest_dir, noise_file, name, version,
do_bc)
generate_intermediates_and_ee_set(db_dir, dest_dir, noise_file, name)
def generate_cert(key_type, cert_name_prefix, cert_name_suffix, base_ext_text,
signer_key_filename, signer_cert_filename, key_size):
"""
Generates a certificate.
If an equivalent certificate has already been generated, it is reused.
Arguments:
key_type -- the type of key generated: potential values: 'rsa', or any of
the curves found by 'openssl ecparam -list_curves'
cert_name_prefix -- prefix of the generated cert name
cert_name_suffix -- suffix of the generated cert name
base_ext_text -- the base text for the x509 extensions to be added to the
certificate (extra extensions will be added if generating
an EV cert)
signer_key_filename -- the filename of the key from which the cert will
be signed. If an empty string is passed in the cert
will be self signed (think CA roots).
signer_cert_filename -- the filename of the signer cert that will sign the
certificate being generated. Ignored if an empty
string is passed in for signer_key_filename.
Must be in DER format.
key_size -- public key size for RSA certs
Output:
cert_name -- the resultant (nick)name of the certificate
key_filename -- the filename of the key file (PEM format)
cert_filename -- the filename of the certificate (DER format)
"""
cert_name = cert_name_prefix + '_' + key_type + '_' + key_size
# If the suffix is not the empty string, add a hyphen for visual separation
if cert_name_suffix:
cert_name += '-' + cert_name_suffix
ev_ext_text = ''
subject_string = ('/CN=XPCShell Key Size Testing %s %s-bit' %
(key_type, key_size))
# Use the organization field to store the cert nickname for easier debugging
subject_string += '/O=' + cert_name
# Don't regenerate a previously generated cert
for cert in generated_certs:
if cert_name == cert[0]:
return cert
[key_filename, cert_filename] = CertUtils.generate_cert_generic(
db_dir,
srcdir,
random.randint(100, 40000000),
key_type,
cert_name,
base_ext_text + ev_ext_text,
signer_key_filename,
signer_cert_filename,
subject_string,
key_size,
3 * 365 + 3 * 31) # 39 months
generated_certs.append([cert_name, key_filename, cert_filename])
return [cert_name, key_filename, cert_filename]
def generate_certs(key_type, bad_key_size, ok_key_size):
if key_type == 'dsa':
CertUtils.init_dsa(db_dir, dsaBad_param_filename, bad_key_size)
CertUtils.init_dsa(db_dir, dsaOK_param_filename, ok_key_size)
# OK Chain
[caOK_key, caOK_cert] = CertUtils.generate_cert_generic(
db_dir,
srcdir,
random.randint(100, 40000000),
key_type,
key_type + '-caOK',
ca_ext_text,
dsa_param_filename=dsaOK_param_filename,
key_size=ok_key_size)
[intOK_key, intOK_cert] = CertUtils.generate_cert_generic(
db_dir,
srcdir,
random.randint(100, 40000000),
key_type,
key_type + '-intOK-caOK',
ca_ext_text,
caOK_key,
caOK_cert,
dsa_param_filename=dsaOK_param_filename,
key_size=ok_key_size)
CertUtils.generate_cert_generic(db_dir,
srcdir,
random.randint(100, 40000000),
key_type,
key_type + '-eeOK-intOK-caOK',
ee_ext_text,
intOK_key,
intOK_cert,
dsa_param_filename=dsaOK_param_filename,
key_size=ok_key_size)
# Bad CA
[caBad_key, caBad_cert] = CertUtils.generate_cert_generic(
db_dir,
srcdir,
random.randint(100, 40000000),
key_type,
key_type + '-caBad',
ca_ext_text,
dsa_param_filename=dsaBad_param_filename,
key_size=bad_key_size)
[int_key, int_cert] = CertUtils.generate_cert_generic(
db_dir,
srcdir,
random.randint(100, 40000000),
key_type,
key_type + '-intOK-caBad',
ca_ext_text,
caBad_key,
caBad_cert,
dsa_param_filename=dsaOK_param_filename,
key_size=ok_key_size)
CertUtils.generate_cert_generic(db_dir,
srcdir,
random.randint(100, 40000000),
key_type,
key_type + '-eeOK-intOK-caBad',
ee_ext_text,
int_key,
int_cert,
dsa_param_filename=dsaOK_param_filename,
key_size=ok_key_size)
# Bad Intermediate
[intBad_key, intBad_cert] = CertUtils.generate_cert_generic(
db_dir,
srcdir,
random.randint(100, 40000000),
key_type,
key_type + '-intBad-caOK',
ca_ext_text,
caOK_key,
caOK_cert,
dsa_param_filename=dsaBad_param_filename,
key_size=bad_key_size)
CertUtils.generate_cert_generic(db_dir,
srcdir,
random.randint(100, 40000000),
key_type,
key_type + '-eeOK-intBad-caOK',
ee_ext_text,
intBad_key,
intBad_cert,
dsa_param_filename=dsaOK_param_filename,
key_size=ok_key_size)
# Bad End Entity
CertUtils.generate_cert_generic(db_dir,
srcdir,
random.randint(100, 40000000),
key_type,
key_type + '-eeBad-intOK-caOK',
ee_ext_text,
intOK_key,
intOK_cert,
dsa_param_filename=dsaBad_param_filename,
key_size=bad_key_size)