def generate_and_maybe_import_cert(key_type, cert_name_suffix, base_ext_text,
signer_key_filename, signer_cert_filename,
dsa_param_filename, key_size, generate_ev):
"""
Generates a certificate and imports it into the NSS DB if appropriate.
Arguments:
key_type -- the type of key generated: potential values: 'rsa', 'dsa',
or any of the curves found by 'openssl ecparam -list_curves'
cert_name_suffix -- suffix of the generated cert name
base_ext_text -- the base text for the x509 extensions to be added to the
certificate (extra extensions will be added if generating
an EV cert)
signer_key_filename -- the filename of the key from which the cert will
be signed. If an empty string is passed in the cert
will be self signed (think CA roots).
signer_cert_filename -- the filename of the signer cert that will sign the
certificate being generated. Ignored if an empty
string is passed in for signer_key_filename.
Must be in DER format.
dsa_param_filename -- the filename for the DSA param file
key_size -- public key size for RSA certs
generate_ev -- whether an EV cert should be generated
Output:
key_filename -- the filename of the key file (PEM format)
cert_filename -- the filename of the certificate (DER format)
"""
cert_name = key_type + cert_name_suffix
ev_ext_text = ''
subject_string = ('/CN=XPCShell Key Size Testing %s %s-bit' %
(key_type, key_size))
if generate_ev:
cert_name = 'ev-' + cert_name
ev_ext_text = (aia_prefix + cert_name + aia_suffix +
mozilla_testing_ev_policy)
subject_string += ' (EV)'
# Use the organization field to store the cert nickname for easier debugging
subject_string += '/O=' + cert_name
[key_filename, cert_filename] = CertUtils.generate_cert_generic(
db_dir, srcdir, random.randint(100, 40000000), key_type, cert_name,
base_ext_text + ev_ext_text, signer_key_filename, signer_cert_filename,
subject_string, dsa_param_filename, key_size)
if generate_ev:
# The dest_dir argument of generate_pkcs12() is also set to db_dir as
# the .p12 files do not need to be kept once they have been imported.
pkcs12_filename = CertUtils.generate_pkcs12(db_dir, db_dir,
cert_filename,
key_filename, cert_name)
CertUtils.import_cert_and_pkcs12(srcdir, cert_filename,
pkcs12_filename, cert_name, ',,')
if not signer_key_filename:
generated_ev_root_filenames.append(cert_filename)
return [key_filename, cert_filename]
def generate_and_import_cert(cert_name_prefix, cert_name_suffix,
base_ext_text, signer_key_filename,
signer_cert_filename, validity_in_months):
"""
Generates a certificate and imports it into the NSS DB.
Arguments:
cert_name_prefix - prefix of the generated cert name
cert_name_suffix - suffix of the generated cert name
base_ext_text - the base text for the x509 extensions to be
added to the certificate (extra extensions will
be added if generating an EV cert)
signer_key_filename - the filename of the key from which the
cert will be signed. If an empty string is
passed in the cert will be self signed
(think CA roots).
signer_cert_filename - the filename of the signer cert that will
sign the certificate being generated.
Ignored if an empty string is passed in
for signer_key_filename.
Must be in DER format.
validity_in_months - the number of months the cert should be
valid for.
Output:
cert_name - the resultant (nick)name of the certificate
key_filename - the filename of the key file (PEM format)
cert_filename - the filename of the certificate (DER format)
"""
cert_name = 'ev_%s_%u_months' % (cert_name_prefix, validity_in_months)
# If the suffix is not the empty string, add a hyphen for visual
# separation
if cert_name_suffix:
cert_name += '-' + cert_name_suffix
subject_string = '/CN=%s' % cert_name
ev_ext_text = (CertUtils.aia_prefix + cert_name + CertUtils.aia_suffix +
CertUtils.mozilla_testing_ev_policy)
# Reuse the existing RSA EV root
if (signer_key_filename == '' and signer_cert_filename == ''):
cert_name = 'evroot'
key_filename = '../test_ev_certs/evroot.key'
cert_filename = '../test_ev_certs/evroot.der'
CertUtils.import_cert_and_pkcs12(src_dir, cert_filename,
'../test_ev_certs/evroot.p12',
cert_name, ',,')
return [cert_name, key_filename, cert_filename]
# Don't regenerate a previously generated cert
for cert in generated_ev_certs:
if cert_name == cert[0]:
return cert
validity_years = math.floor(validity_in_months / 12)
validity_months = validity_in_months % 12
[key_filename, cert_filename] = CertUtils.generate_cert_generic(
temp_dir,
src_dir,
random.randint(100, 40000000),
'rsa',
cert_name,
base_ext_text + ev_ext_text,
signer_key_filename,
signer_cert_filename,
subject_string,
validity_in_days = validity_years * 365 + validity_months * 31)
generated_ev_certs.append([cert_name, key_filename, cert_filename])
# The dest_dir argument of generate_pkcs12() is also set to temp_dir
# as the .p12 files do not need to be kept once they have been
# imported.
pkcs12_filename = CertUtils.generate_pkcs12(temp_dir, temp_dir,
cert_filename,
key_filename,
cert_name)
CertUtils.import_cert_and_pkcs12(src_dir, cert_filename,
pkcs12_filename, cert_name, ',,')
return [cert_name, key_filename, cert_filename]
def generate_certs(key_type, bad_key_size, ok_key_size, generate_ev):
"""
Generates the various certificates used by the key size tests.
Arguments:
key_type -- the type of key generated: potential values: 'rsa', 'dsa',
or any of the curves found by 'openssl ecparam -list_curves'
bad_key_size -- the public key size bad certs should have
ok_key_size -- the public key size OK certs should have
generate_ev -- whether an EV cert should be generated
"""
if key_type == 'dsa':
CertUtils.init_dsa(db_dir, dsaBad_param_filename, bad_key_size)
CertUtils.init_dsa(db_dir, dsaOK_param_filename, ok_key_size)
# OK Chain
if generate_ev and key_type == 'rsa':
# Reuse the existing RSA EV root
caOK_cert_name = 'evroot'
caOK_key = '../test_ev_certs/evroot.key'
caOK_cert = '../test_ev_certs/evroot.der'
caOK_pkcs12_filename = '../test_ev_certs/evroot.p12'
CertUtils.import_cert_and_pkcs12(srcdir, caOK_cert,
caOK_pkcs12_filename, caOK_cert_name,
',,')
else:
[caOK_key,
caOK_cert] = generate_and_maybe_import_cert(key_type, '-caOK',
ca_ext_text, '', '',
dsaOK_param_filename,
ok_key_size, generate_ev)
[intOK_key, intOK_cert] = generate_and_maybe_import_cert(
key_type, '-intOK-caOK', ca_ext_text, caOK_key, caOK_cert,
dsaOK_param_filename, ok_key_size, generate_ev)
generate_and_maybe_import_cert(key_type, '-eeOK-intOK-caOK', ee_ext_text,
intOK_key, intOK_cert, dsaOK_param_filename,
ok_key_size, generate_ev)
# Bad CA
[caBad_key,
caBad_cert] = generate_and_maybe_import_cert(key_type, '-caBad',
ca_ext_text, '', '',
dsaBad_param_filename,
bad_key_size, generate_ev)
[int_key, int_cert] = generate_and_maybe_import_cert(
key_type, '-intOK-caBad', ca_ext_text, caBad_key, caBad_cert,
dsaOK_param_filename, ok_key_size, generate_ev)
generate_and_maybe_import_cert(key_type, '-eeOK-intOK-caBad', ee_ext_text,
int_key, int_cert, dsaOK_param_filename,
ok_key_size, generate_ev)
# Bad Intermediate
[intBad_key, intBad_cert] = generate_and_maybe_import_cert(
key_type, '-intBad-caOK', ca_ext_text, caOK_key, caOK_cert,
dsaBad_param_filename, bad_key_size, generate_ev)
generate_and_maybe_import_cert(key_type, '-eeOK-intBad-caOK', ee_ext_text,
intBad_key, intBad_cert,
dsaOK_param_filename, ok_key_size,
generate_ev)
# Bad End Entity
generate_and_maybe_import_cert(key_type, '-eeBad-intOK-caOK', ee_ext_text,
intOK_key, intOK_cert,
dsaBad_param_filename, bad_key_size,
generate_ev)
def generate_certs(key_type, inadequate_key_size, adequate_key_size, generate_ev):
"""
Generates the various certificates used by the key size tests.
Arguments:
key_type -- the type of key generated: potential values: 'rsa',
or any of the curves found by 'openssl ecparam -list_curves'
inadequate_key_size -- a string defining the inadequate public key size
for the generated certs
adequate_key_size -- a string defining the adequate public key size for
the generated certs
generate_ev -- whether an EV cert should be generated
"""
# Generate chain with certs that have adequate sizes
if generate_ev and key_type == 'rsa':
# Reuse the existing RSA EV root
rootOK_nick = 'evroot'
caOK_key = '../test_ev_certs/evroot.key'
caOK_cert = '../test_ev_certs/evroot.der'
caOK_pkcs12_filename = '../test_ev_certs/evroot.p12'
CertUtils.import_cert_and_pkcs12(srcdir, caOK_cert, caOK_pkcs12_filename,
rootOK_nick, ',,')
else:
[rootOK_nick, caOK_key, caOK_cert] = generate_and_maybe_import_cert(
key_type,
'root',
'',
ca_ext_text,
'',
'',
adequate_key_size,
generate_ev)
[intOK_nick, intOK_key, intOK_cert] = generate_and_maybe_import_cert(
key_type,
'int',
rootOK_nick,
ca_ext_text,
caOK_key,
caOK_cert,
adequate_key_size,
generate_ev)
generate_and_maybe_import_cert(
key_type,
'ee',
intOK_nick,
ee_ext_text,
intOK_key,
intOK_cert,
adequate_key_size,
generate_ev)
# Generate chain with a root cert that has an inadequate size
[rootNotOK_nick, rootNotOK_key, rootNotOK_cert] = generate_and_maybe_import_cert(
key_type,
'root',
'',
ca_ext_text,
'',
'',
inadequate_key_size,
generate_ev)
[int_nick, int_key, int_cert] = generate_and_maybe_import_cert(
key_type,
'int',
rootNotOK_nick,
ca_ext_text,
rootNotOK_key,
rootNotOK_cert,
adequate_key_size,
generate_ev)
generate_and_maybe_import_cert(
key_type,
'ee',
int_nick,
ee_ext_text,
int_key,
int_cert,
adequate_key_size,
generate_ev)
# Generate chain with an intermediate cert that has an inadequate size
[intNotOK_nick, intNotOK_key, intNotOK_cert] = generate_and_maybe_import_cert(
key_type,
'int',
rootOK_nick,
ca_ext_text,
caOK_key,
caOK_cert,
inadequate_key_size,
generate_ev)
generate_and_maybe_import_cert(
key_type,
'ee',
intNotOK_nick,
ee_ext_text,
intNotOK_key,
intNotOK_cert,
adequate_key_size,
generate_ev)
# Generate chain with an end entity cert that has an inadequate size
generate_and_maybe_import_cert(
key_type,
'ee',
intOK_nick,
ee_ext_text,
intOK_key,
intOK_cert,
inadequate_key_size,
generate_ev)
def generate_and_maybe_import_cert(key_type, cert_name_prefix, cert_name_suffix,
base_ext_text, signer_key_filename,
signer_cert_filename, key_size, generate_ev):
"""
Generates a certificate and imports it into the NSS DB if appropriate.
Arguments:
key_type -- the type of key generated: potential values: 'rsa', or any of
the curves found by 'openssl ecparam -list_curves'
cert_name_prefix -- prefix of the generated cert name
cert_name_suffix -- suffix of the generated cert name
base_ext_text -- the base text for the x509 extensions to be added to the
certificate (extra extensions will be added if generating
an EV cert)
signer_key_filename -- the filename of the key from which the cert will
be signed. If an empty string is passed in the cert
will be self signed (think CA roots).
signer_cert_filename -- the filename of the signer cert that will sign the
certificate being generated. Ignored if an empty
string is passed in for signer_key_filename.
Must be in DER format.
key_size -- public key size for RSA certs
generate_ev -- whether an EV cert should be generated
Output:
cert_name -- the resultant (nick)name of the certificate
key_filename -- the filename of the key file (PEM format)
cert_filename -- the filename of the certificate (DER format)
"""
cert_name = cert_name_prefix + '_' + key_type + '_' + key_size
# If the suffix is not the empty string, add a hyphen for visual separation
if cert_name_suffix:
cert_name += '-' + cert_name_suffix
ev_ext_text = ''
subject_string = ('/CN=XPCShell Key Size Testing %s %s-bit' %
(key_type, key_size))
if generate_ev:
cert_name = 'ev_' + cert_name
ev_ext_text = (aia_prefix + cert_name + aia_suffix +
mozilla_testing_ev_policy)
subject_string += ' (EV)'
# Use the organization field to store the cert nickname for easier debugging
subject_string += '/O=' + cert_name
[key_filename, cert_filename] = CertUtils.generate_cert_generic(
db_dir,
srcdir,
random.randint(100, 40000000),
key_type,
cert_name,
base_ext_text + ev_ext_text,
signer_key_filename,
signer_cert_filename,
subject_string,
key_size)
if generate_ev:
# The dest_dir argument of generate_pkcs12() is also set to db_dir as
# the .p12 files do not need to be kept once they have been imported.
pkcs12_filename = CertUtils.generate_pkcs12(db_dir, db_dir,
cert_filename, key_filename,
cert_name)
CertUtils.import_cert_and_pkcs12(srcdir, cert_filename, pkcs12_filename,
cert_name, ',,')
if not signer_key_filename:
generated_ev_root_filenames.append(cert_filename)
return [cert_name, key_filename, cert_filename]
def generate_certs():
ca_cert = 'evroot.der'
ca_key = 'evroot.key'
prefix = "ev-valid"
key_type = 'rsa'
ee_ext_text = (aia_prefix + prefix + aia_suffix +
endentity_crl + mozilla_testing_ev_policy)
int_ext_text = (CA_extensions + aia_prefix + "int-" + prefix + aia_suffix +
intermediate_crl + mozilla_testing_ev_policy)
CertUtils.init_nss_db(srcdir)
CertUtils.import_cert_and_pkcs12(srcdir, ca_cert, 'evroot.p12', 'evroot',
'C,C,C')
[int_key, int_cert, ee_key, ee_cert] = CertUtils.generate_int_and_ee(db,
srcdir,
ca_key,
ca_cert,
prefix,
int_ext_text,
ee_ext_text,
key_type)
pk12file = CertUtils.generate_pkcs12(db, db, int_cert, int_key,
"int-" + prefix)
CertUtils.import_cert_and_pkcs12(srcdir, int_cert, pk12file,
'int-' + prefix, ',,')
import_untrusted_cert(ee_cert, prefix)
# now we generate an end entity cert with an AIA with no OCSP URL
no_ocsp_url_ext_aia = ("authorityInfoAccess =" +
"caIssuers;URI:http://www.example.com/ca.html\n");
[no_ocsp_key, no_ocsp_cert] = CertUtils.generate_cert_generic(db,
srcdir,
random.randint(100, 40000000),
key_type,
'no-ocsp-url-cert',
no_ocsp_url_ext_aia + endentity_crl +
mozilla_testing_ev_policy,
int_key, int_cert);
import_untrusted_cert(no_ocsp_cert, 'no-ocsp-url-cert');
# add an ev cert whose intermediate has a anypolicy oid
prefix = "ev-valid-anypolicy-int"
ee_ext_text = (aia_prefix + prefix + aia_suffix +
endentity_crl + mozilla_testing_ev_policy)
int_ext_text = (CA_extensions + aia_prefix + "int-" + prefix + aia_suffix +
intermediate_crl + anypolicy_policy)
[int_key, int_cert, ee_key, ee_cert] = CertUtils.generate_int_and_ee(db,
srcdir,
ca_key,
ca_cert,
prefix,
int_ext_text,
ee_ext_text,
key_type)
pk12file = CertUtils.generate_pkcs12(db, db, int_cert, int_key,
"int-" + prefix)
CertUtils.import_cert_and_pkcs12(srcdir, int_cert, pk12file,
'int-' + prefix, ',,')
import_untrusted_cert(ee_cert, prefix)
[bad_ca_key, bad_ca_cert] = CertUtils.generate_cert_generic( db,
srcdir,
1,
'rsa',
'non-evroot-ca',
CA_extensions)
pk12file = CertUtils.generate_pkcs12(db, db, bad_ca_cert, bad_ca_key,
"non-evroot-ca")
CertUtils.import_cert_and_pkcs12(srcdir, bad_ca_cert, pk12file,
'non-evroot-ca', 'C,C,C')
prefix = "non-ev-root"
ee_ext_text = (aia_prefix + prefix + aia_suffix +
endentity_crl + mozilla_testing_ev_policy)
int_ext_text = (CA_extensions + aia_prefix + "int-" + prefix + aia_suffix +
intermediate_crl + mozilla_testing_ev_policy)
[int_key, int_cert, ee_key, ee_cert] = CertUtils.generate_int_and_ee(db,
srcdir,
bad_ca_key,
bad_ca_cert,
prefix,
int_ext_text,
ee_ext_text,
key_type)
pk12file = CertUtils.generate_pkcs12(db, db, int_cert, int_key,
"int-" + prefix)
CertUtils.import_cert_and_pkcs12(srcdir, int_cert, pk12file,
'int-' + prefix, ',,')
import_untrusted_cert(ee_cert, prefix)
def generate_and_maybe_import_cert(
key_type,
cert_name_prefix,
cert_name_suffix,
base_ext_text,
signer_key_filename,
signer_cert_filename,
key_size,
generate_ev,
):
"""
Generates a certificate and imports it into the NSS DB if appropriate.
If an equivalent certificate has already been generated, it is reused.
Arguments:
key_type -- the type of key generated: potential values: 'rsa', or any of
the curves found by 'openssl ecparam -list_curves'
cert_name_prefix -- prefix of the generated cert name
cert_name_suffix -- suffix of the generated cert name
base_ext_text -- the base text for the x509 extensions to be added to the
certificate (extra extensions will be added if generating
an EV cert)
signer_key_filename -- the filename of the key from which the cert will
be signed. If an empty string is passed in the cert
will be self signed (think CA roots).
signer_cert_filename -- the filename of the signer cert that will sign the
certificate being generated. Ignored if an empty
string is passed in for signer_key_filename.
Must be in DER format.
key_size -- public key size for RSA certs
generate_ev -- whether an EV cert should be generated
Output:
cert_name -- the resultant (nick)name of the certificate
key_filename -- the filename of the key file (PEM format)
cert_filename -- the filename of the certificate (DER format)
"""
cert_name = cert_name_prefix + "_" + key_type + "_" + key_size
# If the suffix is not the empty string, add a hyphen for visual separation
if cert_name_suffix:
cert_name += "-" + cert_name_suffix
ev_ext_text = ""
subject_string = "/CN=XPCShell Key Size Testing %s %s-bit" % (key_type, key_size)
if generate_ev:
cert_name = "ev_" + cert_name
ev_ext_text = aia_prefix + cert_name + aia_suffix + mozilla_testing_ev_policy
subject_string += " (EV)"
# Use the organization field to store the cert nickname for easier debugging
subject_string += "/O=" + cert_name
# Reuse the existing RSA EV root
if (
generate_ev
and key_type == "rsa"
and signer_key_filename == ""
and signer_cert_filename == ""
and key_size == "2048"
):
cert_name = "evroot"
key_filename = "../test_ev_certs/evroot.key"
cert_filename = "../test_ev_certs/evroot.der"
CertUtils.import_cert_and_pkcs12(srcdir, cert_filename, "../test_ev_certs/evroot.p12", cert_name, ",,")
return [cert_name, key_filename, cert_filename]
# Don't regenerate a previously generated cert
for cert in generated_certs:
if cert_name == cert[0]:
return cert
[key_filename, cert_filename] = CertUtils.generate_cert_generic(
db_dir,
srcdir,
random.randint(100, 40000000),
key_type,
cert_name,
base_ext_text + ev_ext_text,
signer_key_filename,
signer_cert_filename,
subject_string,
key_size,
)
generated_certs.append([cert_name, key_filename, cert_filename])
if generate_ev:
# The dest_dir argument of generate_pkcs12() is also set to db_dir as
# the .p12 files do not need to be kept once they have been imported.
pkcs12_filename = CertUtils.generate_pkcs12(db_dir, db_dir, cert_filename, key_filename, cert_name)
CertUtils.import_cert_and_pkcs12(srcdir, cert_filename, pkcs12_filename, cert_name, ",,")
if not signer_key_filename:
generated_ev_root_filenames.append(cert_filename)
return [cert_name, key_filename, cert_filename]
def generate_and_maybe_import_cert(key_type, cert_name_prefix,
cert_name_suffix, base_ext_text,
signer_key_filename, signer_cert_filename,
key_size, generate_ev):
"""
Generates a certificate and imports it into the NSS DB if appropriate.
If an equivalent certificate has already been generated, it is reused.
Arguments:
key_type -- the type of key generated: potential values: 'rsa', or any of
the curves found by 'openssl ecparam -list_curves'
cert_name_prefix -- prefix of the generated cert name
cert_name_suffix -- suffix of the generated cert name
base_ext_text -- the base text for the x509 extensions to be added to the
certificate (extra extensions will be added if generating
an EV cert)
signer_key_filename -- the filename of the key from which the cert will
be signed. If an empty string is passed in the cert
will be self signed (think CA roots).
signer_cert_filename -- the filename of the signer cert that will sign the
certificate being generated. Ignored if an empty
string is passed in for signer_key_filename.
Must be in DER format.
key_size -- public key size for RSA certs
generate_ev -- whether an EV cert should be generated
Output:
cert_name -- the resultant (nick)name of the certificate
key_filename -- the filename of the key file (PEM format)
cert_filename -- the filename of the certificate (DER format)
"""
cert_name = cert_name_prefix + '_' + key_type + '_' + key_size
# If the suffix is not the empty string, add a hyphen for visual separation
if cert_name_suffix:
cert_name += '-' + cert_name_suffix
ev_ext_text = ''
subject_string = ('/CN=XPCShell Key Size Testing %s %s-bit' %
(key_type, key_size))
if generate_ev:
cert_name = 'ev_' + cert_name
ev_ext_text = (aia_prefix + cert_name + aia_suffix +
mozilla_testing_ev_policy)
subject_string += ' (EV)'
# Use the organization field to store the cert nickname for easier debugging
subject_string += '/O=' + cert_name
# Reuse the existing RSA EV root
if (generate_ev and key_type == 'rsa' and signer_key_filename == ''
and signer_cert_filename == '' and key_size == '2048'):
cert_name = 'evroot'
key_filename = '../test_ev_certs/evroot.key'
cert_filename = '../test_ev_certs/evroot.der'
CertUtils.import_cert_and_pkcs12(srcdir, cert_filename,
'../test_ev_certs/evroot.p12',
cert_name, ',,')
return [cert_name, key_filename, cert_filename]
# Don't regenerate a previously generated cert
for cert in generated_certs:
if cert_name == cert[0]:
return cert
[key_filename, cert_filename] = CertUtils.generate_cert_generic(
db_dir, srcdir, random.randint(100, 40000000), key_type, cert_name,
base_ext_text + ev_ext_text, signer_key_filename, signer_cert_filename,
subject_string, key_size)
generated_certs.append([cert_name, key_filename, cert_filename])
if generate_ev:
# The dest_dir argument of generate_pkcs12() is also set to db_dir as
# the .p12 files do not need to be kept once they have been imported.
pkcs12_filename = CertUtils.generate_pkcs12(db_dir, db_dir,
cert_filename,
key_filename, cert_name)
CertUtils.import_cert_and_pkcs12(srcdir, cert_filename,
pkcs12_filename, cert_name, ',,')
if not signer_key_filename:
generated_ev_root_filenames.append(cert_filename)
return [cert_name, key_filename, cert_filename]
def generate_certs(key_type, inadequate_key_size, adequate_key_size,
generate_ev):
"""
Generates the various certificates used by the key size tests.
Arguments:
key_type -- the type of key generated: potential values: 'rsa',
or any of the curves found by 'openssl ecparam -list_curves'
inadequate_key_size -- a string defining the inadequate public key size
for the generated certs
adequate_key_size -- a string defining the adequate public key size for
the generated certs
generate_ev -- whether an EV cert should be generated
"""
# Generate chain with certs that have adequate sizes
if generate_ev and key_type == 'rsa':
# Reuse the existing RSA EV root
rootOK_nick = 'evroot'
caOK_key = '../test_ev_certs/evroot.key'
caOK_cert = '../test_ev_certs/evroot.der'
caOK_pkcs12_filename = '../test_ev_certs/evroot.p12'
CertUtils.import_cert_and_pkcs12(srcdir, caOK_cert,
caOK_pkcs12_filename, rootOK_nick,
',,')
else:
[rootOK_nick, caOK_key,
caOK_cert] = generate_and_maybe_import_cert(key_type, 'root', '',
ca_ext_text, '', '',
adequate_key_size,
generate_ev)
[intOK_nick, intOK_key,
intOK_cert] = generate_and_maybe_import_cert(key_type, 'int', rootOK_nick,
ca_ext_text, caOK_key,
caOK_cert, adequate_key_size,
generate_ev)
generate_and_maybe_import_cert(key_type, 'ee', intOK_nick, ee_ext_text,
intOK_key, intOK_cert, adequate_key_size,
generate_ev)
# Generate chain with a root cert that has an inadequate size
[rootNotOK_nick, rootNotOK_key, rootNotOK_cert
] = generate_and_maybe_import_cert(key_type, 'root', '', ca_ext_text, '',
'', inadequate_key_size, generate_ev)
[int_nick, int_key,
int_cert] = generate_and_maybe_import_cert(key_type, 'int',
rootNotOK_nick, ca_ext_text,
rootNotOK_key, rootNotOK_cert,
adequate_key_size, generate_ev)
generate_and_maybe_import_cert(key_type, 'ee', int_nick, ee_ext_text,
int_key, int_cert, adequate_key_size,
generate_ev)
# Generate chain with an intermediate cert that has an inadequate size
[intNotOK_nick, intNotOK_key, intNotOK_cert
] = generate_and_maybe_import_cert(key_type, 'int', rootOK_nick,
ca_ext_text, caOK_key, caOK_cert,
inadequate_key_size, generate_ev)
generate_and_maybe_import_cert(key_type, 'ee', intNotOK_nick, ee_ext_text,
intNotOK_key, intNotOK_cert,
adequate_key_size, generate_ev)
# Generate chain with an end entity cert that has an inadequate size
generate_and_maybe_import_cert(key_type, 'ee', intOK_nick, ee_ext_text,
intOK_key, intOK_cert, inadequate_key_size,
generate_ev)
def generate_certs(key_type, bad_key_size, ok_key_size, generate_ev):
"""
Generates the various certificates used by the key size tests.
Arguments:
key_type -- the type of key generated: potential values: 'rsa', 'dsa',
or any of the curves found by 'openssl ecparam -list_curves'
bad_key_size -- the public key size bad certs should have
ok_key_size -- the public key size OK certs should have
generate_ev -- whether an EV cert should be generated
"""
if key_type == 'dsa':
CertUtils.init_dsa(db_dir, dsaBad_param_filename, bad_key_size)
CertUtils.init_dsa(db_dir, dsaOK_param_filename, ok_key_size)
# OK Chain
if generate_ev and key_type == 'rsa':
# Reuse the existing RSA EV root
caOK_cert_name = 'evroot'
caOK_key = '../test_ev_certs/evroot.key'
caOK_cert = '../test_ev_certs/evroot.der'
caOK_pkcs12_filename = '../test_ev_certs/evroot.p12'
CertUtils.import_cert_and_pkcs12(srcdir, caOK_cert, caOK_pkcs12_filename,
caOK_cert_name, ',,')
else:
[caOK_key, caOK_cert] = generate_and_maybe_import_cert(
key_type,
'-caOK',
ca_ext_text,
'',
'',
dsaOK_param_filename,
ok_key_size,
generate_ev)
[intOK_key, intOK_cert] = generate_and_maybe_import_cert(
key_type,
'-intOK-caOK',
ca_ext_text,
caOK_key,
caOK_cert,
dsaOK_param_filename,
ok_key_size,
generate_ev)
generate_and_maybe_import_cert(
key_type,
'-eeOK-intOK-caOK',
ee_ext_text,
intOK_key,
intOK_cert,
dsaOK_param_filename,
ok_key_size,
generate_ev)
# Bad CA
[caBad_key, caBad_cert] = generate_and_maybe_import_cert(
key_type,
'-caBad',
ca_ext_text,
'',
'',
dsaBad_param_filename,
bad_key_size,
generate_ev)
[int_key, int_cert] = generate_and_maybe_import_cert(
key_type,
'-intOK-caBad',
ca_ext_text,
caBad_key,
caBad_cert,
dsaOK_param_filename,
ok_key_size,
generate_ev)
generate_and_maybe_import_cert(
key_type,
'-eeOK-intOK-caBad',
ee_ext_text,
int_key,
int_cert,
dsaOK_param_filename,
ok_key_size,
generate_ev)
# Bad Intermediate
[intBad_key, intBad_cert] = generate_and_maybe_import_cert(
key_type,
'-intBad-caOK',
ca_ext_text,
caOK_key,
caOK_cert,
dsaBad_param_filename,
bad_key_size,
generate_ev)
generate_and_maybe_import_cert(
key_type,
'-eeOK-intBad-caOK',
ee_ext_text,
intBad_key,
intBad_cert,
dsaOK_param_filename,
ok_key_size,
generate_ev)
# Bad End Entity
generate_and_maybe_import_cert(
key_type,
'-eeBad-intOK-caOK',
ee_ext_text,
intOK_key,
intOK_cert,
dsaBad_param_filename,
bad_key_size,
generate_ev)
