def make_chain(name, doc, excluded, permitted, sans):
# Intermediate certificate.
intermediate = gencerts.create_intermediate_certificate(
'Intermediate', root)
intermediate.set_key(intermediate_key)
add_excluded_name_constraints(intermediate, **excluded)
add_permitted_name_constraints(intermediate, **permitted)
# Target certificate.
target = gencerts.create_end_entity_certificate('t0', intermediate)
target.set_key(target_key)
add_sans(target, **sans)
chain = [target, intermediate, root]
gencerts.write_chain(doc, chain, '%s.pem' % name)
def generate_chain(intermediate_digest_algorithm):
# Self-signed root certificate.
root = gencerts.create_self_signed_root_certificate('Root')
# Intermediate certificate.
intermediate = gencerts.create_intermediate_certificate(
'Intermediate', root)
intermediate.set_signature_hash(intermediate_digest_algorithm)
intermediate.get_extensions().set_property('extendedKeyUsage', 'nsSGC')
# Target certificate.
target = gencerts.create_end_entity_certificate('Target', intermediate)
target.get_extensions().set_property('extendedKeyUsage',
'serverAuth,clientAuth')
chain = [target, intermediate, root]
gencerts.write_chain(__doc__, chain,
'%s-chain.pem' % intermediate_digest_algorithm)
def generate_chain(intermediate_digest_algorithm):
# Self-signed root certificate.
root = gencerts.create_self_signed_root_certificate('Root')
# Intermediate certificate.
intermediate = gencerts.create_intermediate_certificate(
'Intermediate', root)
intermediate.set_signature_hash(intermediate_digest_algorithm)
intermediate.get_extensions().set_property('extendedKeyUsage', 'nsSGC')
# Target certificate.
target = gencerts.create_end_entity_certificate('Target', intermediate)
target.get_extensions().set_property('extendedKeyUsage',
'serverAuth,clientAuth')
# TODO(eroman): Set subjectAltName by default rather than specifically in
# this test.
target.get_extensions().set_property('subjectAltName', 'DNS:test.example')
chain = [target, intermediate, root]
gencerts.write_chain(__doc__, chain,
'%s-chain.pem' % intermediate_digest_algorithm)
#!/usr/bin/python
# Copyright (c) 2015 The Chromium Authors. All rights reserved.
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.
"""Certificate chain where the intermediate has an unknown critical
extension."""
import sys
sys.path += ['../..']
import gencerts
# Self-signed root certificate.
root = gencerts.create_self_signed_root_certificate('Root')
# Intermediate that has an unknown critical extension.
intermediate = gencerts.create_intermediate_certificate('Intermediate', root)
intermediate.get_extensions().add_property('1.2.3.4',
'critical,DER:01:02:03:04')
# Target certificate.
target = gencerts.create_end_entity_certificate('Target', intermediate)
chain = [target, intermediate, root]
gencerts.write_chain(__doc__, chain, 'chain.pem')
sys.path += ['../..']
import gencerts
# The new certs should have a newer notbefore date than "old" certs. This should
# affect path builder sorting, but otherwise won't matter.
JANUARY_2_2015_UTC = '150102120000Z'
# Self-signed root certificates. Same name, different keys.
oldroot = gencerts.create_self_signed_root_certificate('Root')
oldroot.set_validity_range(gencerts.JANUARY_1_2015_UTC,
gencerts.JANUARY_1_2016_UTC)
newroot = gencerts.create_self_signed_root_certificate('Root')
newroot.set_validity_range(JANUARY_2_2015_UTC, gencerts.JANUARY_1_2016_UTC)
# Root with the new key signed by the old key.
newrootrollover = gencerts.create_intermediate_certificate('Root', oldroot)
newrootrollover.set_key(newroot.get_key())
newrootrollover.set_validity_range(JANUARY_2_2015_UTC,
gencerts.JANUARY_1_2016_UTC)
# Intermediate signed by oldroot.
oldintermediate = gencerts.create_intermediate_certificate(
'Intermediate', oldroot)
oldintermediate.set_validity_range(gencerts.JANUARY_1_2015_UTC,
gencerts.JANUARY_1_2016_UTC)
# Intermediate signed by newroot. Same key as oldintermediate.
newintermediate = gencerts.create_intermediate_certificate(
'Intermediate', newroot)
newintermediate.set_key(oldintermediate.get_key())
newintermediate.set_validity_range(JANUARY_2_2015_UTC,
gencerts.JANUARY_1_2016_UTC)
# Copyright (c) 2015 The Chromium Authors. All rights reserved.
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.
"""Certificate chain where the intermediate sets pathlen=0, and is followed by
a self-issued intermediate."""
import sys
sys.path += ['../..']
import gencerts
# Self-signed root certificate.
root = gencerts.create_self_signed_root_certificate('Root')
# Intermediate with pathlen 0
intermediate1 = gencerts.create_intermediate_certificate('Intermediate', root)
intermediate1.get_extensions().set_property('basicConstraints',
'critical,CA:true,pathlen:0')
# Another intermediate (with the same pathlen restriction).
# Note that this is self-issued but NOT self-signed.
intermediate2 = gencerts.create_intermediate_certificate(
'Intermediate', intermediate1)
intermediate2.get_extensions().set_property('basicConstraints',
'critical,CA:true,pathlen:0')
# Target certificate.
target = gencerts.create_end_entity_certificate('Target', intermediate2)
chain = [target, intermediate2, intermediate1, root]
gencerts.write_chain(__doc__, chain, 'chain.pem')
#!/usr/bin/python
# Copyright (c) 2015 The Chromium Authors. All rights reserved.
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.
"""Certificate chain where the root certificate is not self-signed (or
self-issued for that matter)."""
import sys
sys.path += ['../..']
import gencerts
shadow_root = gencerts.create_self_signed_root_certificate('ShadowRoot')
# Non-self-signed root certificate.
root = gencerts.create_intermediate_certificate('Root', shadow_root)
# Intermediate certificate.
intermediate = gencerts.create_intermediate_certificate('Intermediate', root)
# Target certificate.
target = gencerts.create_end_entity_certificate('Target', intermediate)
chain = [target, intermediate, root]
gencerts.write_chain(__doc__, chain, 'chain.pem')
#!/usr/bin/env python
# Copyright (c) 2015 The Chromium Authors. All rights reserved.
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.
"""Certificate chain where the target certificate is a CA rather than an
end-entity certificate (based on the basic constraints extension)."""
import sys
sys.path += ['../..']
import gencerts
# Self-signed root certificate.
root = gencerts.create_self_signed_root_certificate('Root')
# Intermediate certificate.
intermediate = gencerts.create_intermediate_certificate('Intermediate', root)
# Target certificate (is also a CA)
target = gencerts.create_intermediate_certificate('Target', intermediate)
chain = [target, intermediate, root]
gencerts.write_chain(__doc__, chain, 'chain.pem')
"""
import sys
sys.path += ['../..']
import gencerts
DATE_A = '150101120000Z'
DATE_B = '150102120000Z'
DATE_C = '150103120000Z'
DATE_Z = '180101120000Z'
root = gencerts.create_self_signed_root_certificate('Root')
root.set_validity_range(DATE_A, DATE_Z)
int_matching_ski_a = gencerts.create_intermediate_certificate(
'Intermediate', root)
int_matching_ski_a.set_validity_range(DATE_A, DATE_Z)
int_matching_ski_b = gencerts.create_intermediate_certificate(
'Intermediate', root)
int_matching_ski_b.set_validity_range(DATE_B, DATE_Z)
int_matching_ski_b.set_key(int_matching_ski_a.get_key())
int_matching_ski_c = gencerts.create_intermediate_certificate(
'Intermediate', root)
int_matching_ski_c.set_validity_range(DATE_C, DATE_Z)
int_matching_ski_c.set_key(int_matching_ski_a.get_key())
# For some reason, OpenSSL seems to require disabling SKID and AKID on the
# parent cert in order to generate an intermediate cert without a SKID.
root2 = gencerts.create_self_signed_root_certificate('Root')
# Generate the keys -- the same key is used for all intermediates and end entity
# certificates.
root_key = gencerts.get_or_generate_rsa_key(2048,
gencerts.create_key_path('root'))
i_key = gencerts.get_or_generate_rsa_key(2048, gencerts.create_key_path('i'))
target_key = gencerts.get_or_generate_rsa_key(
2048, gencerts.create_key_path('target'))
# Self-signed root certificate.
root = gencerts.create_self_signed_root_certificate('Root')
root.set_key(root_key)
gencerts.write_string_to_file(root.get_cert_pem(), 'root.pem')
# Intermediate certificates. All have the same subject and key.
i_base = gencerts.create_intermediate_certificate('I', root)
i_base.set_key(i_key)
gencerts.write_string_to_file(i_base.get_cert_pem(), 'i.pem')
i2 = gencerts.create_intermediate_certificate('I', root)
i2.set_key(i_key)
gencerts.write_string_to_file(i2.get_cert_pem(), 'i2.pem')
i3 = gencerts.create_intermediate_certificate('I', root)
i3.set_key(i_key)
gencerts.write_string_to_file(i3.get_cert_pem(), 'i3.pem')
# More Intermediate certificates, which are just to generate the proper config
# files so the target certs will have the desired Authority Information Access
# values. These ones aren't saved to files.
i_no_aia = gencerts.create_intermediate_certificate('I', root)
"""
import sys
sys.path += ['../..']
import gencerts
DATE_A = '150101120000Z'
DATE_B = '150102120000Z'
DATE_C = '180101120000Z'
DATE_D = '180102120000Z'
root = gencerts.create_self_signed_root_certificate('Root')
root.set_validity_range(DATE_A, DATE_D)
int_ac = gencerts.create_intermediate_certificate('Intermediate', root)
int_ac.set_validity_range(DATE_A, DATE_C)
int_ad = gencerts.create_intermediate_certificate('Intermediate', root)
int_ad.set_validity_range(DATE_A, DATE_D)
int_ad.set_key(int_ac.get_key())
int_bc = gencerts.create_intermediate_certificate('Intermediate', root)
int_bc.set_validity_range(DATE_B, DATE_C)
int_bc.set_key(int_ac.get_key())
int_bd = gencerts.create_intermediate_certificate('Intermediate', root)
int_bd.set_validity_range(DATE_B, DATE_D)
int_bd.set_key(int_ac.get_key())
target = gencerts.create_end_entity_certificate('Target', int_ac)
import sys
sys.path += ['../..']
import gencerts
DATE_A = '150101120000Z'
DATE_B = '150102120000Z'
DATE_Z = '180101120000Z'
root1 = gencerts.create_self_signed_root_certificate('Root1')
root1.set_validity_range(DATE_A, DATE_Z)
root2 = gencerts.create_self_signed_root_certificate('Root2')
root2.set_validity_range(DATE_A, DATE_Z)
root1_cross = gencerts.create_intermediate_certificate('Root1', root2)
root1_cross.set_key(root1.get_key())
root1_cross.set_validity_range(DATE_B, DATE_Z)
target = gencerts.create_end_entity_certificate('Target', root1)
target.set_validity_range(DATE_A, DATE_Z)
gencerts.write_chain('Root1', [root1], out_pem='root1.pem')
gencerts.write_chain('Root2', [root2], out_pem='root2.pem')
gencerts.write_chain(
'Root1 cross-signed by Root2, with a newer notBefore date'
' than Root1', [root1_cross],
out_pem='root1_cross.pem')
gencerts.write_chain('Target', [target], out_pem='target.pem')
import gencerts
DATE_A = '150101120000Z'
DATE_B = '150102120000Z'
DATE_C = '150103120000Z'
DATE_Z = '180101120000Z'
root = gencerts.create_self_signed_root_certificate('Root')
root.set_validity_range(DATE_A, DATE_Z)
root2 = gencerts.create_self_signed_root_certificate('Root2')
root2.set_validity_range(DATE_A, DATE_Z)
# Give the certs notBefore dates in reverse priority order so we can test that
# the issuer/serial key id didn't affect prioritization.
int_matching = gencerts.create_intermediate_certificate('Intermediate', root)
int_matching.set_validity_range(DATE_A, DATE_Z)
int_mismatch = gencerts.create_intermediate_certificate('Intermediate', root2)
int_mismatch.set_key(int_matching.get_key())
int_mismatch.set_validity_range(DATE_C, DATE_Z)
int_match_name_only = gencerts.create_intermediate_certificate(
'Intermediate', root)
int_match_name_only.set_key(int_matching.get_key())
int_match_name_only.set_validity_range(DATE_B, DATE_Z)
section = int_matching.config.get_section('signing_ca_ext')
section.set_property('authorityKeyIdentifier', 'issuer:always')
target = gencerts.create_end_entity_certificate('Target', int_matching)
target.set_validity_range(DATE_A, DATE_Z)
import gencerts
def write_cert_to_file(cert, filename):
gencerts.write_string_to_file(
"Generated by %s.\n"
"Refer to generator script docstring for details.\n%s" %
(sys.argv[0], cert.get_cert_pem()), filename)
# Self-signed root certificate
root = gencerts.create_self_signed_root_certificate('Root')
write_cert_to_file(root, 'root.pem')
# Intermediate certificates
i1_1 = gencerts.create_intermediate_certificate('I1', root)
write_cert_to_file(i1_1, 'i1_1.pem')
# same name (after normalization), different key
i1_2 = gencerts.create_intermediate_certificate('i1', root)
write_cert_to_file(i1_2, 'i1_2.pem')
# different name
i2 = gencerts.create_intermediate_certificate('I2', root)
write_cert_to_file(i2, 'i2.pem')
# Two intermediates with exactly the same name.
i3_1 = gencerts.create_intermediate_certificate('I3', root)
write_cert_to_file(i3_1, 'i3_1.pem')
i3_2 = gencerts.create_intermediate_certificate('I3', root)
write_cert_to_file(i3_2, 'i3_2.pem')
i_key = gencerts.get_or_generate_rsa_key(2048, gencerts.create_key_path('i'))
leaf_key = gencerts.get_or_generate_rsa_key(2048,
gencerts.create_key_path('leaf'))
# Self-signed root certificate.
root = gencerts.create_self_signed_root_certificate('Root')
root.set_key(root_key)
# Preserve the ordering of the distinguished name in CSRs when issuing
# certificates. This must be in the BASE ('ca') section.
root.config.get_section('ca').set_property('preserve', 'yes')
gencerts.write_string_to_file(root.get_cert_pem(), 'root.pem')
## Create intermediate certs
# Intermediate with two organizations as two distinct SETs, ordered O1 and O2
i_o1_o2 = gencerts.create_intermediate_certificate('I1', root)
i_o1_o2.set_key(i_key)
dn = i_o1_o2.get_subject()
dn.clear_properties()
dn.add_property('0.organizationName', 'O1')
dn.add_property('1.organizationName', 'O2')
gencerts.write_string_to_file(i_o1_o2.get_cert_pem(), 'int-o1-o2.pem')
# Intermediate with two organizations as two distinct SETs, ordered O2 and O1
i_o2_o1 = gencerts.create_intermediate_certificate('I2', root)
i_o2_o1.set_key(i_key)
dn = i_o2_o1.get_subject()
dn.clear_properties()
dn.add_property('0.organizationName', 'O2')
dn.add_property('1.organizationName', 'O1')
gencerts.write_string_to_file(i_o2_o1.get_cert_pem(), 'int-o2-o1.pem')
