# Extension lines for the test EV root, written in OpenSSL-style
# "name = value" syntax and handed to generate_cert_generic() as ext_text.
CA_basic_constraints = "basicConstraints = critical, CA:TRUE\n"
CA_min_ku = "keyUsage = critical, digitalSignature, keyCertSign, cRLSign\n"
subject_key_ident = "subjectKeyIdentifier = hash\n"

cert_name = 'evroot'
ext_text = "".join([CA_basic_constraints, CA_min_ku, subject_key_ident])
subject_string = "".join([
    '/C=US/ST=CA/L=Mountain View',
    '/O=Mozilla - EV debug test CA/OU=Security Engineering',
    '/CN=XPCShell EV Testing (untrustworthy) CA',
])

# The db_dir argument of generate_cert_generic() is also set to dest_dir as
# the .key file generated is needed by other certs.
# NOTE(review): that leaves the root's private key next to the test data, so
# this CA is only suitable as a test fixture (its CN says "untrustworthy").
# The serial comes from `random`, which is not a cryptographic source.
ca_key, ca_cert = CertUtils.generate_cert_generic(
    dest_dir,
    dest_dir,
    random.randint(100, 40000000),
    'rsa',
    cert_name,
    ext_text,
    subject_string=subject_string)
CertUtils.generate_pkcs12(db, dest_dir, ca_cert, ca_key, cert_name)

# Print a blank line and the information needed to enable EV for the root
# generated by this script. (Bare `print` is the Python 2 statement form.)
print
CertUtils.print_cert_info(ca_cert)
print('You now MUST update the compiled test EV root information to match '
      'the EV root information printed above. In addition, certs that chain '
      'up to this root in other folders will also need to be regenerated.')
# NOTE(review): this excerpt opens part-way through a function body; the first
# line below is the tail of a call that begins above it. That tail and the
# call after it are reproduced as found, with only line breaks restored.
        adequate_key_size, generate_ev)

    # Generate chain with an end entity cert that has an inadequate size
    generate_and_maybe_import_cert(
        key_type, 'ee', intOK_nick, ee_ext_text, intOK_key, intOK_cert,
        inadequate_key_size, generate_ev)


# Create a NSS DB for use by the OCSP responder.
CertUtils.init_nss_db(srcdir)

# TODO(bug 636807): SECKEY_PublicKeyStrengthInBits() rounds up the number of
# bits to the next multiple of 8 - therefore the highest key size less than 1024
# that can be tested is 1016, less than 2048 is 2040 and so on.
# Each row is (inadequate size, adequate size, generate_ev): the undersized
# keys are deliberate, so the fixtures cover the rejection path as well.
for inadequate_bits, adequate_bits, want_ev in (('1016', '1024', False),
                                                ('2040', '2048', True)):
    generate_certs('rsa', inadequate_bits, adequate_bits, want_ev)

# Print a blank line and the information needed to enable EV for any roots
# generated by this script. (Bare `print` is the Python 2 statement form.)
print
for cert_filename in generated_ev_root_filenames:
    CertUtils.print_cert_info(cert_filename)
print('You now MUST update the compiled test EV root information to match '
      'the EV root information printed above.')
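# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.

# Generates the "client-cert" test certificate and its PKCS#12 bundle in the
# current working directory, then prints the certificate details so the
# fingerprint in ClientAuthServer.cpp can be updated to match.

import os
import random
import shutil
import sys
import tempfile

# CertUtils lives in a sibling directory; the relative path means this script
# has to be run from its own directory.
libpath = os.path.abspath("../psm_common_py")
sys.path.append(libpath)
import CertUtils

dest_dir = os.getcwd()

# Scratch directory passed as the db_dir argument. It presumably receives the
# generated private key (confirm against CertUtils), so it is removed again
# in the `finally` below rather than being left behind in the temp area.
db = tempfile.mkdtemp()
try:
    # Serial from `random`, not a cryptographic source: fine for a test
    # fixture, not a pattern to copy for real certificates.
    serial = random.randint(100, 40000000)
    name = "client-cert"
    [key, cert] = CertUtils.generate_cert_generic(db, dest_dir, serial, "rsa",
                                                  name, "")
    CertUtils.generate_pkcs12(db, dest_dir, cert, key, name)

    # Print a blank line and the fingerprint of the cert that
    # ClientAuthServer.cpp should be modified with. print("") emits the same
    # blank line under the Python 2 print statement and the Python 3 function.
    print("")
    CertUtils.print_cert_info(cert)
    print('You now MUST update the fingerprint in ClientAuthServer.cpp to match ' +
          'the fingerprint printed above.')

    # Remove unnecessary .der file
    os.remove(os.path.join(dest_dir, name + ".der"))
finally:
    # Nothing after generate_pkcs12() reads from the scratch directory, so it
    # is safe to delete on both the success and the failure path.
    shutil.rmtree(db, ignore_errors=True)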
# NOTE(review): this excerpt opens inside a function body whose `def` line is
# not shown (presumably generate_ecc_chains, which is called further down).
# The two calls below are its tail, reproduced as found.
    generate_cert_chain('prime256v1', '256', 'prime256v1', '256', 'secp256k1', '256', False)
    generate_cert_chain('secp256k1', '256', 'prime256v1', '256', 'prime256v1', '256', False)


def generate_combination_chains():
    """Generate the chains that mix RSA and EC keys.

    Each row is forwarded unchanged to generate_cert_chain(). The arguments
    look like three (key type, key size) pairs followed by a boolean,
    presumably root / intermediate / end entity and the EV flag; confirm
    against generate_cert_chain(), which is defined outside this excerpt.
    """
    mixed_chains = (
        ('rsa', '2048', 'prime256v1', '256', 'secp384r1', '384', False),
        ('rsa', '2048', 'prime256v1', '256', 'secp224r1', '224', False),
        ('prime256v1', '256', 'rsa', '1016', 'prime256v1', '256', False),
    )
    for chain_args in mixed_chains:
        generate_cert_chain(*chain_args)


# Create a NSS DB for use by the OCSP responder.
CertUtils.init_nss_db(srcdir)

# The first argument of each pair sits just below a size threshold (1016 vs
# 1024, 2040 vs 2048), presumably to produce the inadequate-key chains.
for rsa_sizes in (('1016', '1024', False), ('2040', '2048', True)):
    generate_rsa_chains(*rsa_sizes)
generate_ecc_chains()
generate_combination_chains()

# Print a blank line and the information needed to enable EV for any roots
# generated by this script. (Bare `print` is the Python 2 statement form.)
print
for cert_filename in generated_ev_root_filenames:
    CertUtils.print_cert_info(cert_filename)
print('You now MUST update the compiled test EV root information to match '
      'the EV root information printed above.')