def generate_and_maybe_import_cert(key_type, cert_name_suffix, base_ext_text, signer_key_filename, signer_cert_filename, dsa_param_filename, key_size, generate_ev): """ Generates a certificate and imports it into the NSS DB if appropriate. Arguments: key_type -- the type of key generated: potential values: 'rsa', 'dsa', or any of the curves found by 'openssl ecparam -list_curves' cert_name_suffix -- suffix of the generated cert name base_ext_text -- the base text for the x509 extensions to be added to the certificate (extra extensions will be added if generating an EV cert) signer_key_filename -- the filename of the key from which the cert will be signed. If an empty string is passed in the cert will be self signed (think CA roots). signer_cert_filename -- the filename of the signer cert that will sign the certificate being generated. Ignored if an empty string is passed in for signer_key_filename. Must be in DER format. dsa_param_filename -- the filename for the DSA param file key_size -- public key size for RSA certs generate_ev -- whether an EV cert should be generated Output: key_filename -- the filename of the key file (PEM format) cert_filename -- the filename of the certificate (DER format) """ cert_name = key_type + cert_name_suffix ev_ext_text = '' subject_string = ('/CN=XPCShell Key Size Testing %s %s-bit' % (key_type, key_size)) if generate_ev: cert_name = 'ev-' + cert_name ev_ext_text = (aia_prefix + cert_name + aia_suffix + mozilla_testing_ev_policy) subject_string += ' (EV)' # Use the organization field to store the cert nickname for easier debugging subject_string += '/O=' + cert_name [key_filename, cert_filename] = CertUtils.generate_cert_generic( db_dir, srcdir, random.randint(100, 40000000), key_type, cert_name, base_ext_text + ev_ext_text, signer_key_filename, signer_cert_filename, subject_string, dsa_param_filename, key_size) if generate_ev: # The dest_dir argument of generate_pkcs12() is also set to db_dir as # the .p12 files do not need to be kept once they have been imported. pkcs12_filename = CertUtils.generate_pkcs12(db_dir, db_dir, cert_filename, key_filename, cert_name) CertUtils.import_cert_and_pkcs12(srcdir, cert_filename, pkcs12_filename, cert_name, ',,') if not signer_key_filename: generated_ev_root_filenames.append(cert_filename) return [key_filename, cert_filename]
def generate_and_import_cert(cert_name_prefix, cert_name_suffix, base_ext_text, signer_key_filename, signer_cert_filename, validity_in_months): """ Generates a certificate and imports it into the NSS DB. Arguments: cert_name_prefix - prefix of the generated cert name cert_name_suffix - suffix of the generated cert name base_ext_text - the base text for the x509 extensions to be added to the certificate (extra extensions will be added if generating an EV cert) signer_key_filename - the filename of the key from which the cert will be signed. If an empty string is passed in the cert will be self signed (think CA roots). signer_cert_filename - the filename of the signer cert that will sign the certificate being generated. Ignored if an empty string is passed in for signer_key_filename. Must be in DER format. validity_in_months - the number of months the cert should be valid for. Output: cert_name - the resultant (nick)name of the certificate key_filename - the filename of the key file (PEM format) cert_filename - the filename of the certificate (DER format) """ cert_name = 'ev_%s_%u_months' % (cert_name_prefix, validity_in_months) # If the suffix is not the empty string, add a hyphen for visual # separation if cert_name_suffix: cert_name += '-' + cert_name_suffix subject_string = '/CN=%s' % cert_name ev_ext_text = (CertUtils.aia_prefix + cert_name + CertUtils.aia_suffix + CertUtils.mozilla_testing_ev_policy) # Reuse the existing RSA EV root if (signer_key_filename == '' and signer_cert_filename == ''): cert_name = 'evroot' key_filename = '../test_ev_certs/evroot.key' cert_filename = '../test_ev_certs/evroot.der' CertUtils.import_cert_and_pkcs12(src_dir, cert_filename, '../test_ev_certs/evroot.p12', cert_name, ',,') return [cert_name, key_filename, cert_filename] # Don't regenerate a previously generated cert for cert in generated_ev_certs: if cert_name == cert[0]: return cert validity_years = math.floor(validity_in_months / 12) validity_months = validity_in_months % 12 [key_filename, cert_filename] = CertUtils.generate_cert_generic( temp_dir, src_dir, random.randint(100, 40000000), 'rsa', cert_name, base_ext_text + ev_ext_text, signer_key_filename, signer_cert_filename, subject_string, validity_in_days = validity_years * 365 + validity_months * 31) generated_ev_certs.append([cert_name, key_filename, cert_filename]) # The dest_dir argument of generate_pkcs12() is also set to temp_dir # as the .p12 files do not need to be kept once they have been # imported. pkcs12_filename = CertUtils.generate_pkcs12(temp_dir, temp_dir, cert_filename, key_filename, cert_name) CertUtils.import_cert_and_pkcs12(src_dir, cert_filename, pkcs12_filename, cert_name, ',,') return [cert_name, key_filename, cert_filename]
def generate_certs(key_type, bad_key_size, ok_key_size, generate_ev): """ Generates the various certificates used by the key size tests. Arguments: key_type -- the type of key generated: potential values: 'rsa', 'dsa', or any of the curves found by 'openssl ecparam -list_curves' bad_key_size -- the public key size bad certs should have ok_key_size -- the public key size OK certs should have generate_ev -- whether an EV cert should be generated """ if key_type == 'dsa': CertUtils.init_dsa(db_dir, dsaBad_param_filename, bad_key_size) CertUtils.init_dsa(db_dir, dsaOK_param_filename, ok_key_size) # OK Chain if generate_ev and key_type == 'rsa': # Reuse the existing RSA EV root caOK_cert_name = 'evroot' caOK_key = '../test_ev_certs/evroot.key' caOK_cert = '../test_ev_certs/evroot.der' caOK_pkcs12_filename = '../test_ev_certs/evroot.p12' CertUtils.import_cert_and_pkcs12(srcdir, caOK_cert, caOK_pkcs12_filename, caOK_cert_name, ',,') else: [caOK_key, caOK_cert] = generate_and_maybe_import_cert(key_type, '-caOK', ca_ext_text, '', '', dsaOK_param_filename, ok_key_size, generate_ev) [intOK_key, intOK_cert] = generate_and_maybe_import_cert( key_type, '-intOK-caOK', ca_ext_text, caOK_key, caOK_cert, dsaOK_param_filename, ok_key_size, generate_ev) generate_and_maybe_import_cert(key_type, '-eeOK-intOK-caOK', ee_ext_text, intOK_key, intOK_cert, dsaOK_param_filename, ok_key_size, generate_ev) # Bad CA [caBad_key, caBad_cert] = generate_and_maybe_import_cert(key_type, '-caBad', ca_ext_text, '', '', dsaBad_param_filename, bad_key_size, generate_ev) [int_key, int_cert] = generate_and_maybe_import_cert( key_type, '-intOK-caBad', ca_ext_text, caBad_key, caBad_cert, dsaOK_param_filename, ok_key_size, generate_ev) generate_and_maybe_import_cert(key_type, '-eeOK-intOK-caBad', ee_ext_text, int_key, int_cert, dsaOK_param_filename, ok_key_size, generate_ev) # Bad Intermediate [intBad_key, intBad_cert] = generate_and_maybe_import_cert( key_type, '-intBad-caOK', ca_ext_text, caOK_key, caOK_cert, dsaBad_param_filename, bad_key_size, generate_ev) generate_and_maybe_import_cert(key_type, '-eeOK-intBad-caOK', ee_ext_text, intBad_key, intBad_cert, dsaOK_param_filename, ok_key_size, generate_ev) # Bad End Entity generate_and_maybe_import_cert(key_type, '-eeBad-intOK-caOK', ee_ext_text, intOK_key, intOK_cert, dsaBad_param_filename, bad_key_size, generate_ev)
def generate_certs(key_type, inadequate_key_size, adequate_key_size, generate_ev): """ Generates the various certificates used by the key size tests. Arguments: key_type -- the type of key generated: potential values: 'rsa', or any of the curves found by 'openssl ecparam -list_curves' inadequate_key_size -- a string defining the inadequate public key size for the generated certs adequate_key_size -- a string defining the adequate public key size for the generated certs generate_ev -- whether an EV cert should be generated """ # Generate chain with certs that have adequate sizes if generate_ev and key_type == 'rsa': # Reuse the existing RSA EV root rootOK_nick = 'evroot' caOK_key = '../test_ev_certs/evroot.key' caOK_cert = '../test_ev_certs/evroot.der' caOK_pkcs12_filename = '../test_ev_certs/evroot.p12' CertUtils.import_cert_and_pkcs12(srcdir, caOK_cert, caOK_pkcs12_filename, rootOK_nick, ',,') else: [rootOK_nick, caOK_key, caOK_cert] = generate_and_maybe_import_cert( key_type, 'root', '', ca_ext_text, '', '', adequate_key_size, generate_ev) [intOK_nick, intOK_key, intOK_cert] = generate_and_maybe_import_cert( key_type, 'int', rootOK_nick, ca_ext_text, caOK_key, caOK_cert, adequate_key_size, generate_ev) generate_and_maybe_import_cert( key_type, 'ee', intOK_nick, ee_ext_text, intOK_key, intOK_cert, adequate_key_size, generate_ev) # Generate chain with a root cert that has an inadequate size [rootNotOK_nick, rootNotOK_key, rootNotOK_cert] = generate_and_maybe_import_cert( key_type, 'root', '', ca_ext_text, '', '', inadequate_key_size, generate_ev) [int_nick, int_key, int_cert] = generate_and_maybe_import_cert( key_type, 'int', rootNotOK_nick, ca_ext_text, rootNotOK_key, rootNotOK_cert, adequate_key_size, generate_ev) generate_and_maybe_import_cert( key_type, 'ee', int_nick, ee_ext_text, int_key, int_cert, adequate_key_size, generate_ev) # Generate chain with an intermediate cert that has an inadequate size [intNotOK_nick, intNotOK_key, intNotOK_cert] = generate_and_maybe_import_cert( key_type, 'int', rootOK_nick, ca_ext_text, caOK_key, caOK_cert, inadequate_key_size, generate_ev) generate_and_maybe_import_cert( key_type, 'ee', intNotOK_nick, ee_ext_text, intNotOK_key, intNotOK_cert, adequate_key_size, generate_ev) # Generate chain with an end entity cert that has an inadequate size generate_and_maybe_import_cert( key_type, 'ee', intOK_nick, ee_ext_text, intOK_key, intOK_cert, inadequate_key_size, generate_ev)
def generate_and_maybe_import_cert(key_type, cert_name_prefix, cert_name_suffix, base_ext_text, signer_key_filename, signer_cert_filename, key_size, generate_ev): """ Generates a certificate and imports it into the NSS DB if appropriate. Arguments: key_type -- the type of key generated: potential values: 'rsa', or any of the curves found by 'openssl ecparam -list_curves' cert_name_prefix -- prefix of the generated cert name cert_name_suffix -- suffix of the generated cert name base_ext_text -- the base text for the x509 extensions to be added to the certificate (extra extensions will be added if generating an EV cert) signer_key_filename -- the filename of the key from which the cert will be signed. If an empty string is passed in the cert will be self signed (think CA roots). signer_cert_filename -- the filename of the signer cert that will sign the certificate being generated. Ignored if an empty string is passed in for signer_key_filename. Must be in DER format. key_size -- public key size for RSA certs generate_ev -- whether an EV cert should be generated Output: cert_name -- the resultant (nick)name of the certificate key_filename -- the filename of the key file (PEM format) cert_filename -- the filename of the certificate (DER format) """ cert_name = cert_name_prefix + '_' + key_type + '_' + key_size # If the suffix is not the empty string, add a hyphen for visual separation if cert_name_suffix: cert_name += '-' + cert_name_suffix ev_ext_text = '' subject_string = ('/CN=XPCShell Key Size Testing %s %s-bit' % (key_type, key_size)) if generate_ev: cert_name = 'ev_' + cert_name ev_ext_text = (aia_prefix + cert_name + aia_suffix + mozilla_testing_ev_policy) subject_string += ' (EV)' # Use the organization field to store the cert nickname for easier debugging subject_string += '/O=' + cert_name [key_filename, cert_filename] = CertUtils.generate_cert_generic( db_dir, srcdir, random.randint(100, 40000000), key_type, cert_name, base_ext_text + ev_ext_text, signer_key_filename, signer_cert_filename, subject_string, key_size) if generate_ev: # The dest_dir argument of generate_pkcs12() is also set to db_dir as # the .p12 files do not need to be kept once they have been imported. pkcs12_filename = CertUtils.generate_pkcs12(db_dir, db_dir, cert_filename, key_filename, cert_name) CertUtils.import_cert_and_pkcs12(srcdir, cert_filename, pkcs12_filename, cert_name, ',,') if not signer_key_filename: generated_ev_root_filenames.append(cert_filename) return [cert_name, key_filename, cert_filename]
def generate_certs(): ca_cert = 'evroot.der' ca_key = 'evroot.key' prefix = "ev-valid" key_type = 'rsa' ee_ext_text = (aia_prefix + prefix + aia_suffix + endentity_crl + mozilla_testing_ev_policy) int_ext_text = (CA_extensions + aia_prefix + "int-" + prefix + aia_suffix + intermediate_crl + mozilla_testing_ev_policy) CertUtils.init_nss_db(srcdir) CertUtils.import_cert_and_pkcs12(srcdir, ca_cert, 'evroot.p12', 'evroot', 'C,C,C') [int_key, int_cert, ee_key, ee_cert] = CertUtils.generate_int_and_ee(db, srcdir, ca_key, ca_cert, prefix, int_ext_text, ee_ext_text, key_type) pk12file = CertUtils.generate_pkcs12(db, db, int_cert, int_key, "int-" + prefix) CertUtils.import_cert_and_pkcs12(srcdir, int_cert, pk12file, 'int-' + prefix, ',,') import_untrusted_cert(ee_cert, prefix) # now we generate an end entity cert with an AIA with no OCSP URL no_ocsp_url_ext_aia = ("authorityInfoAccess =" + "caIssuers;URI:http://www.example.com/ca.html\n"); [no_ocsp_key, no_ocsp_cert] = CertUtils.generate_cert_generic(db, srcdir, random.randint(100, 40000000), key_type, 'no-ocsp-url-cert', no_ocsp_url_ext_aia + endentity_crl + mozilla_testing_ev_policy, int_key, int_cert); import_untrusted_cert(no_ocsp_cert, 'no-ocsp-url-cert'); # add an ev cert whose intermediate has a anypolicy oid prefix = "ev-valid-anypolicy-int" ee_ext_text = (aia_prefix + prefix + aia_suffix + endentity_crl + mozilla_testing_ev_policy) int_ext_text = (CA_extensions + aia_prefix + "int-" + prefix + aia_suffix + intermediate_crl + anypolicy_policy) [int_key, int_cert, ee_key, ee_cert] = CertUtils.generate_int_and_ee(db, srcdir, ca_key, ca_cert, prefix, int_ext_text, ee_ext_text, key_type) pk12file = CertUtils.generate_pkcs12(db, db, int_cert, int_key, "int-" + prefix) CertUtils.import_cert_and_pkcs12(srcdir, int_cert, pk12file, 'int-' + prefix, ',,') import_untrusted_cert(ee_cert, prefix) [bad_ca_key, bad_ca_cert] = CertUtils.generate_cert_generic( db, srcdir, 1, 'rsa', 'non-evroot-ca', CA_extensions) pk12file = CertUtils.generate_pkcs12(db, db, bad_ca_cert, bad_ca_key, "non-evroot-ca") CertUtils.import_cert_and_pkcs12(srcdir, bad_ca_cert, pk12file, 'non-evroot-ca', 'C,C,C') prefix = "non-ev-root" ee_ext_text = (aia_prefix + prefix + aia_suffix + endentity_crl + mozilla_testing_ev_policy) int_ext_text = (CA_extensions + aia_prefix + "int-" + prefix + aia_suffix + intermediate_crl + mozilla_testing_ev_policy) [int_key, int_cert, ee_key, ee_cert] = CertUtils.generate_int_and_ee(db, srcdir, bad_ca_key, bad_ca_cert, prefix, int_ext_text, ee_ext_text, key_type) pk12file = CertUtils.generate_pkcs12(db, db, int_cert, int_key, "int-" + prefix) CertUtils.import_cert_and_pkcs12(srcdir, int_cert, pk12file, 'int-' + prefix, ',,') import_untrusted_cert(ee_cert, prefix)
def generate_and_maybe_import_cert( key_type, cert_name_prefix, cert_name_suffix, base_ext_text, signer_key_filename, signer_cert_filename, key_size, generate_ev, ): """ Generates a certificate and imports it into the NSS DB if appropriate. If an equivalent certificate has already been generated, it is reused. Arguments: key_type -- the type of key generated: potential values: 'rsa', or any of the curves found by 'openssl ecparam -list_curves' cert_name_prefix -- prefix of the generated cert name cert_name_suffix -- suffix of the generated cert name base_ext_text -- the base text for the x509 extensions to be added to the certificate (extra extensions will be added if generating an EV cert) signer_key_filename -- the filename of the key from which the cert will be signed. If an empty string is passed in the cert will be self signed (think CA roots). signer_cert_filename -- the filename of the signer cert that will sign the certificate being generated. Ignored if an empty string is passed in for signer_key_filename. Must be in DER format. key_size -- public key size for RSA certs generate_ev -- whether an EV cert should be generated Output: cert_name -- the resultant (nick)name of the certificate key_filename -- the filename of the key file (PEM format) cert_filename -- the filename of the certificate (DER format) """ cert_name = cert_name_prefix + "_" + key_type + "_" + key_size # If the suffix is not the empty string, add a hyphen for visual separation if cert_name_suffix: cert_name += "-" + cert_name_suffix ev_ext_text = "" subject_string = "/CN=XPCShell Key Size Testing %s %s-bit" % (key_type, key_size) if generate_ev: cert_name = "ev_" + cert_name ev_ext_text = aia_prefix + cert_name + aia_suffix + mozilla_testing_ev_policy subject_string += " (EV)" # Use the organization field to store the cert nickname for easier debugging subject_string += "/O=" + cert_name # Reuse the existing RSA EV root if ( generate_ev and key_type == "rsa" and signer_key_filename == "" and signer_cert_filename == "" and key_size == "2048" ): cert_name = "evroot" key_filename = "../test_ev_certs/evroot.key" cert_filename = "../test_ev_certs/evroot.der" CertUtils.import_cert_and_pkcs12(srcdir, cert_filename, "../test_ev_certs/evroot.p12", cert_name, ",,") return [cert_name, key_filename, cert_filename] # Don't regenerate a previously generated cert for cert in generated_certs: if cert_name == cert[0]: return cert [key_filename, cert_filename] = CertUtils.generate_cert_generic( db_dir, srcdir, random.randint(100, 40000000), key_type, cert_name, base_ext_text + ev_ext_text, signer_key_filename, signer_cert_filename, subject_string, key_size, ) generated_certs.append([cert_name, key_filename, cert_filename]) if generate_ev: # The dest_dir argument of generate_pkcs12() is also set to db_dir as # the .p12 files do not need to be kept once they have been imported. pkcs12_filename = CertUtils.generate_pkcs12(db_dir, db_dir, cert_filename, key_filename, cert_name) CertUtils.import_cert_and_pkcs12(srcdir, cert_filename, pkcs12_filename, cert_name, ",,") if not signer_key_filename: generated_ev_root_filenames.append(cert_filename) return [cert_name, key_filename, cert_filename]
def generate_and_maybe_import_cert(key_type, cert_name_prefix, cert_name_suffix, base_ext_text, signer_key_filename, signer_cert_filename, key_size, generate_ev): """ Generates a certificate and imports it into the NSS DB if appropriate. If an equivalent certificate has already been generated, it is reused. Arguments: key_type -- the type of key generated: potential values: 'rsa', or any of the curves found by 'openssl ecparam -list_curves' cert_name_prefix -- prefix of the generated cert name cert_name_suffix -- suffix of the generated cert name base_ext_text -- the base text for the x509 extensions to be added to the certificate (extra extensions will be added if generating an EV cert) signer_key_filename -- the filename of the key from which the cert will be signed. If an empty string is passed in the cert will be self signed (think CA roots). signer_cert_filename -- the filename of the signer cert that will sign the certificate being generated. Ignored if an empty string is passed in for signer_key_filename. Must be in DER format. key_size -- public key size for RSA certs generate_ev -- whether an EV cert should be generated Output: cert_name -- the resultant (nick)name of the certificate key_filename -- the filename of the key file (PEM format) cert_filename -- the filename of the certificate (DER format) """ cert_name = cert_name_prefix + '_' + key_type + '_' + key_size # If the suffix is not the empty string, add a hyphen for visual separation if cert_name_suffix: cert_name += '-' + cert_name_suffix ev_ext_text = '' subject_string = ('/CN=XPCShell Key Size Testing %s %s-bit' % (key_type, key_size)) if generate_ev: cert_name = 'ev_' + cert_name ev_ext_text = (aia_prefix + cert_name + aia_suffix + mozilla_testing_ev_policy) subject_string += ' (EV)' # Use the organization field to store the cert nickname for easier debugging subject_string += '/O=' + cert_name # Reuse the existing RSA EV root if (generate_ev and key_type == 'rsa' and signer_key_filename == '' and signer_cert_filename == '' and key_size == '2048'): cert_name = 'evroot' key_filename = '../test_ev_certs/evroot.key' cert_filename = '../test_ev_certs/evroot.der' CertUtils.import_cert_and_pkcs12(srcdir, cert_filename, '../test_ev_certs/evroot.p12', cert_name, ',,') return [cert_name, key_filename, cert_filename] # Don't regenerate a previously generated cert for cert in generated_certs: if cert_name == cert[0]: return cert [key_filename, cert_filename] = CertUtils.generate_cert_generic( db_dir, srcdir, random.randint(100, 40000000), key_type, cert_name, base_ext_text + ev_ext_text, signer_key_filename, signer_cert_filename, subject_string, key_size) generated_certs.append([cert_name, key_filename, cert_filename]) if generate_ev: # The dest_dir argument of generate_pkcs12() is also set to db_dir as # the .p12 files do not need to be kept once they have been imported. pkcs12_filename = CertUtils.generate_pkcs12(db_dir, db_dir, cert_filename, key_filename, cert_name) CertUtils.import_cert_and_pkcs12(srcdir, cert_filename, pkcs12_filename, cert_name, ',,') if not signer_key_filename: generated_ev_root_filenames.append(cert_filename) return [cert_name, key_filename, cert_filename]
def generate_certs(key_type, inadequate_key_size, adequate_key_size, generate_ev): """ Generates the various certificates used by the key size tests. Arguments: key_type -- the type of key generated: potential values: 'rsa', or any of the curves found by 'openssl ecparam -list_curves' inadequate_key_size -- a string defining the inadequate public key size for the generated certs adequate_key_size -- a string defining the adequate public key size for the generated certs generate_ev -- whether an EV cert should be generated """ # Generate chain with certs that have adequate sizes if generate_ev and key_type == 'rsa': # Reuse the existing RSA EV root rootOK_nick = 'evroot' caOK_key = '../test_ev_certs/evroot.key' caOK_cert = '../test_ev_certs/evroot.der' caOK_pkcs12_filename = '../test_ev_certs/evroot.p12' CertUtils.import_cert_and_pkcs12(srcdir, caOK_cert, caOK_pkcs12_filename, rootOK_nick, ',,') else: [rootOK_nick, caOK_key, caOK_cert] = generate_and_maybe_import_cert(key_type, 'root', '', ca_ext_text, '', '', adequate_key_size, generate_ev) [intOK_nick, intOK_key, intOK_cert] = generate_and_maybe_import_cert(key_type, 'int', rootOK_nick, ca_ext_text, caOK_key, caOK_cert, adequate_key_size, generate_ev) generate_and_maybe_import_cert(key_type, 'ee', intOK_nick, ee_ext_text, intOK_key, intOK_cert, adequate_key_size, generate_ev) # Generate chain with a root cert that has an inadequate size [rootNotOK_nick, rootNotOK_key, rootNotOK_cert ] = generate_and_maybe_import_cert(key_type, 'root', '', ca_ext_text, '', '', inadequate_key_size, generate_ev) [int_nick, int_key, int_cert] = generate_and_maybe_import_cert(key_type, 'int', rootNotOK_nick, ca_ext_text, rootNotOK_key, rootNotOK_cert, adequate_key_size, generate_ev) generate_and_maybe_import_cert(key_type, 'ee', int_nick, ee_ext_text, int_key, int_cert, adequate_key_size, generate_ev) # Generate chain with an intermediate cert that has an inadequate size [intNotOK_nick, intNotOK_key, intNotOK_cert ] = generate_and_maybe_import_cert(key_type, 'int', rootOK_nick, ca_ext_text, caOK_key, caOK_cert, inadequate_key_size, generate_ev) generate_and_maybe_import_cert(key_type, 'ee', intNotOK_nick, ee_ext_text, intNotOK_key, intNotOK_cert, adequate_key_size, generate_ev) # Generate chain with an end entity cert that has an inadequate size generate_and_maybe_import_cert(key_type, 'ee', intOK_nick, ee_ext_text, intOK_key, intOK_cert, inadequate_key_size, generate_ev)
def generate_certs(key_type, bad_key_size, ok_key_size, generate_ev): """ Generates the various certificates used by the key size tests. Arguments: key_type -- the type of key generated: potential values: 'rsa', 'dsa', or any of the curves found by 'openssl ecparam -list_curves' bad_key_size -- the public key size bad certs should have ok_key_size -- the public key size OK certs should have generate_ev -- whether an EV cert should be generated """ if key_type == 'dsa': CertUtils.init_dsa(db_dir, dsaBad_param_filename, bad_key_size) CertUtils.init_dsa(db_dir, dsaOK_param_filename, ok_key_size) # OK Chain if generate_ev and key_type == 'rsa': # Reuse the existing RSA EV root caOK_cert_name = 'evroot' caOK_key = '../test_ev_certs/evroot.key' caOK_cert = '../test_ev_certs/evroot.der' caOK_pkcs12_filename = '../test_ev_certs/evroot.p12' CertUtils.import_cert_and_pkcs12(srcdir, caOK_cert, caOK_pkcs12_filename, caOK_cert_name, ',,') else: [caOK_key, caOK_cert] = generate_and_maybe_import_cert( key_type, '-caOK', ca_ext_text, '', '', dsaOK_param_filename, ok_key_size, generate_ev) [intOK_key, intOK_cert] = generate_and_maybe_import_cert( key_type, '-intOK-caOK', ca_ext_text, caOK_key, caOK_cert, dsaOK_param_filename, ok_key_size, generate_ev) generate_and_maybe_import_cert( key_type, '-eeOK-intOK-caOK', ee_ext_text, intOK_key, intOK_cert, dsaOK_param_filename, ok_key_size, generate_ev) # Bad CA [caBad_key, caBad_cert] = generate_and_maybe_import_cert( key_type, '-caBad', ca_ext_text, '', '', dsaBad_param_filename, bad_key_size, generate_ev) [int_key, int_cert] = generate_and_maybe_import_cert( key_type, '-intOK-caBad', ca_ext_text, caBad_key, caBad_cert, dsaOK_param_filename, ok_key_size, generate_ev) generate_and_maybe_import_cert( key_type, '-eeOK-intOK-caBad', ee_ext_text, int_key, int_cert, dsaOK_param_filename, ok_key_size, generate_ev) # Bad Intermediate [intBad_key, intBad_cert] = generate_and_maybe_import_cert( key_type, '-intBad-caOK', ca_ext_text, caOK_key, caOK_cert, dsaBad_param_filename, bad_key_size, generate_ev) generate_and_maybe_import_cert( key_type, '-eeOK-intBad-caOK', ee_ext_text, intBad_key, intBad_cert, dsaOK_param_filename, ok_key_size, generate_ev) # Bad End Entity generate_and_maybe_import_cert( key_type, '-eeBad-intOK-caOK', ee_ext_text, intOK_key, intOK_cert, dsaBad_param_filename, bad_key_size, generate_ev)