def generate_rsa_cert(leaf_key_size):
  """Write a 3-certificate Cast chain whose device (leaf) certificate carries
  an RSA key of |leaf_key_size| bits, plus a signed-data file for that key.

  Two files are produced:
    * 'rsa<N>_device_cert.pem' (via common.write_chain), holding
      leaf -> intermediate -> self-signed root;
    * '../signeddata/rsa<N>_device_cert_data.pem' (via
      create_signatures.create_signed_data), which is given the device key
      path and the path of the chain just written under '../certificates/'.
  All three certificates are valid from 2015-01-01 to 2018-01-01 (UTC).

  Args:
    leaf_key_size: RSA modulus size in bits for the device certificate; it is
      also embedded in the leaf's subject name and in the output file names.
  """
  not_before = '150101120000Z'
  not_after = '180101120000Z'

  # Self-signed trust anchor and the intermediate it issues.
  root = common.create_self_signed_root_certificate('Root')
  root.set_validity_range(not_before, not_after)

  intermediate = common.create_intermediate_certificate('Intermediate', root)
  intermediate.set_validity_range(not_before, not_after)

  # Device certificate: a clientAuth end entity whose key size is the
  # parameter under test. The key is generated (or reused) at the path
  # derived from the leaf's name.
  leaf_name = 'RSA %d Device Cert' % leaf_key_size
  leaf = common.create_end_entity_certificate(leaf_name, intermediate)
  leaf.get_extensions().set_property('extendedKeyUsage', 'clientAuth')
  device_key_path = common.create_key_path(leaf.name)
  device_key = common.get_or_generate_rsa_key(leaf_key_size, device_key_path)
  leaf.set_key(device_key)
  leaf.set_validity_range(not_before, not_after)

  chain_description = (
      """Cast certificate chain where device certificate uses a %d-bit RSA key"""
      % leaf_key_size)
  chain_path = 'rsa%d_device_cert.pem' % leaf_key_size
  common.write_chain(chain_description, [leaf, intermediate, root], chain_path)

  # Signed test data; the chain path is given relative to the signeddata
  # directory, which is why it is prefixed with '../certificates/'.
  signed_data_path = '../signeddata/rsa%d_device_cert_data.pem' % leaf_key_size
  create_signatures.create_signed_data(device_key_path, signed_data_path,
                                       '../certificates/' + chain_path)
def generate_chain(intermediate_digest_algorithm):
  """Write '<intermediate_digest_algorithm>-chain.pem'.

  The chain is target -> intermediate -> self-signed root. The intermediate's
  signature uses |intermediate_digest_algorithm| as its hash and its EKU is
  set to nsSGC (the legacy Netscape Server Gated Crypto purpose), while the
  target's EKU is serverAuth,clientAuth. The module docstring (__doc__) is
  used as the chain's description.

  Args:
    intermediate_digest_algorithm: digest name accepted by
      set_signature_hash; it also names the output file.
  """
  root = common.create_self_signed_root_certificate('Root')

  intermediate = common.create_intermediate_certificate('Intermediate', root)
  intermediate.set_signature_hash(intermediate_digest_algorithm)
  # Presumably here to exercise how verifiers treat a non-serverAuth EKU on an
  # issuing certificate; the page does not show the consuming test.
  intermediate.get_extensions().set_property('extendedKeyUsage', 'nsSGC')

  target = common.create_end_entity_certificate('Target', intermediate)
  target.get_extensions().set_property('extendedKeyUsage',
                                       'serverAuth,clientAuth')

  out_pem = '%s-chain.pem' % intermediate_digest_algorithm
  common.write_chain(__doc__, [target, intermediate, root], out_pem)
def generate_policies_chain(intermediate_policies, leaf_policies):
  """Write a 3-certificate chain (root, intermediate, leaf) to the current
  directory, varying only the certificatePolicies extensions.

  The root carries no policies extension; the intermediate's policies are
  |intermediate_policies| and the leaf's are |leaf_policies|. Each is a list
  of OID constants (AUDIO_ONLY, ANY_POLICY); an empty list means the
  extension is omitted entirely. The leaf is a clientAuth end entity and all
  three certificates share the module-level JAN_2015..JAN_2018 validity
  range.

  The output name, 'policies_ica_<...>_leaf_<...>.pem', is a human-readable
  serialization of the two arguments (see policies_to_filename).
  """
  root = common.create_self_signed_root_certificate('Root')
  root.set_validity_range(JAN_2015, JAN_2018)

  intermediate = common.create_intermediate_certificate('Intermediate', root)
  set_policies_from_list(intermediate, intermediate_policies)
  intermediate.set_validity_range(JAN_2015, JAN_2018)

  leaf = common.create_end_entity_certificate('Leaf', intermediate)
  set_policies_from_list(leaf, leaf_policies)
  leaf.get_extensions().set_property('extendedKeyUsage', 'clientAuth')
  leaf.set_validity_range(JAN_2015, JAN_2018)

  # Description embedded in the PEM; the literal '{}' for the root is text,
  # not a format placeholder (this is %-formatting).
  ica_text = ', '.join(intermediate_policies)
  leaf_text = ', '.join(leaf_policies)
  chain_description = (
      """Cast certificate chain with the following policies: Root: policies={} Intermediate: policies={%s} Leaf: policies={%s}"""
      % (ica_text, leaf_text))

  out_name = 'policies_ica_%s_leaf_%s.pem' % (
      policies_to_filename(intermediate_policies),
      policies_to_filename(leaf_policies))
  common.write_chain(chain_description, [leaf, intermediate, root], out_name)
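#!/usr/bin/python
# Copyright (c) 2015 The Chromium Authors. All rights reserved.
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.

"""Certificate chain where the intermediate has a keyUsage extension that
does not include keyCertSign."""

import sys
sys.path += ['..']

import common

# Self-signed root certificate.
root = common.create_self_signed_root_certificate('Root')

# Intermediate with a critical keyUsage that omits keyCertSign. Note that the
# module docstring above is written into chain.pem as the description (via
# __doc__ below), so it must describe this extension accurately: the
# intermediate does carry keyUsage; what it lacks is the keyCertSign bit.
intermediate = common.create_intermediate_certificate('Intermediate', root)
intermediate.get_extensions().set_property(
    'keyUsage', 'critical,digitalSignature,keyEncipherment')

# Target certificate.
target = common.create_end_entity_certificate('Target', intermediate)

chain = [target, intermediate, root]
common.write_chain(__doc__, chain, 'chain.pem')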
#!/usr/bin/python
# Copyright (c) 2017 The Chromium Authors. All rights reserved.
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.

"""Certificate chain where the target certificate sets the extended key usage to clientAuth. Neither the root nor the intermediate have an EKU."""

import sys
sys.path.append('..')

import common

# Trust anchor and issuing intermediate, both left without an
# extendedKeyUsage extension.
root = common.create_self_signed_root_certificate('Root')
intermediate = common.create_intermediate_certificate('Intermediate', root)

# End entity restricted to clientAuth; this is the only EKU in the chain.
target = common.create_end_entity_certificate('Target', intermediate)
target.get_extensions().set_property('extendedKeyUsage', 'clientAuth')

# The module docstring doubles as the description stored in chain.pem.
common.write_chain(__doc__, [target, intermediate, root], 'chain.pem')
# NOTE(review): this excerpt begins mid-statement; the opening of the KEYS
# dict literal ("KEYS = {" and the 'rsa' key) lies above the visible text, as
# do the definitions of `root` and `intermediate` used in the loop below.
common.get_or_generate_rsa_key(2048, common.create_key_path('Target-rsa')),
'ec': common.get_or_generate_ec_key('secp384r1', common.create_key_path('Target-ec'))
}

# Each target is given exactly one of these keyUsage bits.
KEY_USAGES = [ 'decipherOnly', 'digitalSignature', 'keyAgreement', 'keyEncipherment' ]

# The proper key usage depends on the key purpose (serverAuth in this case),
# and the key type. Generate a variety of combinations.
# Output: one '<keytype>-<keyusage>.pem' chain per (RSA 2048 | EC secp384r1)
# x KEY_USAGES pair; some pairs are presumably meant to be rejected by the
# consuming verifier test (e.g. a usage that does not match the key type),
# but that expectation is not visible here.
for key_type in sorted(KEYS.keys()):
  for key_usage in KEY_USAGES:
    # Target certificate: serverAuth EKU plus a single, critical keyUsage bit.
    target = common.create_end_entity_certificate('Target', intermediate)
    target.get_extensions().set_property('extendedKeyUsage', 'serverAuth')
    target.get_extensions().set_property('keyUsage', 'critical,%s' % (key_usage))
    # Set the key.
    target.set_key(KEYS[key_type])
    # Write the chain.
    chain = [target, intermediate, root]
    description = ( 'Certificate chain where the target uses a %s key and has ' 'the single key usage %s') % (key_type.upper(), key_usage)
    common.write_chain(description, chain, '%s-%s.pem' % (key_type, key_usage))
# NOTE(review): this excerpt begins mid-statement; "KEYS = {" lies above the
# visible text, as do the definitions of `root` and `intermediate` used in
# the loop below. The trailing ';' after '}' is a no-op statement separator.
'rsa': common.get_or_generate_rsa_key(2048, common.create_key_path('Target-rsa')),
'ec': common.get_or_generate_ec_key('secp384r1', common.create_key_path('Target-ec'))
};

# Each target is given exactly one of these keyUsage bits.
KEY_USAGES = [ 'decipherOnly', 'digitalSignature', 'keyAgreement', 'keyEncipherment' ]

# The proper key usage depends on the key purpose (serverAuth in this case),
# and the key type. Generate a variety of combinations.
# Output: one '<keytype>-<keyusage>.pem' chain per (RSA 2048 | EC secp384r1)
# x KEY_USAGES pair; which pairs the consuming test expects to be accepted or
# rejected is not visible here.
for key_type in sorted(KEYS.keys()):
  for key_usage in KEY_USAGES:
    # Target certificate: serverAuth EKU plus a single, critical keyUsage bit.
    target = common.create_end_entity_certificate('Target', intermediate)
    target.get_extensions().set_property('extendedKeyUsage', 'serverAuth')
    target.get_extensions().set_property('keyUsage', 'critical,%s' % (key_usage))
    # Set the key.
    target.set_key(KEYS[key_type])
    # Write the chain.
    chain = [target, intermediate, root]
    description = ('Certificate chain where the target certificate uses a %s ' 'key and has the single key usage %s') % (key_type.upper(), key_usage)
    common.write_chain(description, chain, '%s-%s.pem' % (key_type, key_usage))
# Cross-sign for the rollover: a certificate named 'Root' that carries
# newroot's key but is issued by oldroot. `oldroot`, `newroot` and
# JANUARY_2_2015_UTC are defined earlier in this script (not shown here).
newrootrollover = common.create_intermediate_certificate('Root', oldroot)
newrootrollover.set_key(newroot.get_key())
newrootrollover.set_validity_range(JANUARY_2_2015_UTC,
                                   common.JANUARY_1_2016_UTC)

# Intermediate issued by the old root; starts one day earlier than the
# rollover certificates.
oldintermediate = common.create_intermediate_certificate('Intermediate',
                                                         oldroot)
oldintermediate.set_validity_range(common.JANUARY_1_2015_UTC,
                                   common.JANUARY_1_2016_UTC)

# The same intermediate key, re-issued under the new root.
newintermediate = common.create_intermediate_certificate('Intermediate',
                                                         newroot)
newintermediate.set_key(oldintermediate.get_key())
newintermediate.set_validity_range(JANUARY_2_2015_UTC,
                                   common.JANUARY_1_2016_UTC)

# A single end entity issued by the old intermediate (its key is shared with
# newintermediate, so it chains to either).
target = common.create_end_entity_certificate('Target', oldintermediate)

# One output file per candidate path a verifier may be handed during the
# rollover; written in this order.
outputs = [
    ('oldchain.pem', [target, oldintermediate, oldroot]),
    ('rolloverchain.pem', [target, newintermediate, newrootrollover, oldroot]),
    ('longrolloverchain.pem',
     [target, newintermediate, newroot, newrootrollover, oldroot]),
    ('newchain.pem', [target, newintermediate, newroot]),
]
for out_pem, chain in outputs:
  common.write_chain(__doc__, chain, out_pem=out_pem)
# Root with the new key signed by the old key: a certificate named 'Root'
# carrying newroot's key, issued by oldroot. `oldroot`, `newroot` and
# JANUARY_2_2015_UTC come from earlier in this script (not shown here).
newrootrollover = common.create_intermediate_certificate('Root', oldroot)
newrootrollover.set_key(newroot.get_key())
newrootrollover.set_validity_range(JANUARY_2_2015_UTC,
                                   common.JANUARY_1_2016_UTC)

# Intermediate under the old root (valid from Jan 1); the re-issued copy under
# the new root reuses the same key but is only valid from Jan 2.
oldintermediate = common.create_intermediate_certificate('Intermediate',
                                                         oldroot)
oldintermediate.set_validity_range(common.JANUARY_1_2015_UTC,
                                   common.JANUARY_1_2016_UTC)

newintermediate = common.create_intermediate_certificate('Intermediate',
                                                         newroot)
newintermediate.set_key(oldintermediate.get_key())
newintermediate.set_validity_range(JANUARY_2_2015_UTC,
                                   common.JANUARY_1_2016_UTC)

# End entity issued by the old intermediate.
target = common.create_end_entity_certificate('Target', oldintermediate)


def _emit(out_pem, chain):
  """Write one candidate path, using the module docstring as description."""
  common.write_chain(__doc__, chain, out_pem=out_pem)


# Written in this order: the pre-rollover path, the two cross-signed paths
# (short and long), and the post-rollover path.
_emit("oldchain.pem", [target, oldintermediate, oldroot])
_emit("rolloverchain.pem", [target, newintermediate, newrootrollover, oldroot])
_emit("longrolloverchain.pem",
      [target, newintermediate, newroot, newrootrollover, oldroot])
_emit("newchain.pem", [target, newintermediate, newroot])