def generate_rsa_cert(leaf_key_size):
  """Generate a Cast device certificate chain whose leaf uses an RSA key of leaf_key_size bits.

  Builds a self-signed root, an intermediate issued by it and a device (leaf)
  certificate issued by the intermediate, all sharing one fixed validity
  window. The chain is written (leaf first) to 'rsa<bits>_device_cert.pem'
  through common.write_chain, and a signed-data file produced with the device
  key is written through create_signatures.create_signed_data.

  The '../certificates/' and '../signeddata/' paths suggest the script is run
  from inside the certificates directory -- inferred from the paths only.

  Args:
    leaf_key_size: RSA modulus size in bits for the device key; it also
      appears in the leaf's subject name and in both output file names.
  """
  not_before = '150101120000Z'
  not_after = '180101120000Z'

  # Output names and the description depend only on the key size, so they are
  # computed before any certificate work.
  chain_path = 'rsa%d_device_cert.pem' % leaf_key_size
  signed_data_path = '../signeddata/rsa%d_device_cert_data.pem' % leaf_key_size
  chain_description = (
      """Cast certificate chain where device certificate uses a %d-bit RSA key"""
      % leaf_key_size)

  # Root: self-signed.
  root_cert = common.create_self_signed_root_certificate('Root')
  root_cert.set_validity_range(not_before, not_after)

  # Intermediate: issued by the root.
  ica_cert = common.create_intermediate_certificate('Intermediate', root_cert)
  ica_cert.set_validity_range(not_before, not_after)

  # Device (leaf) certificate: issued by the intermediate, clientAuth only.
  # Its key file is the one the signed-data step below signs with.
  device_cert = common.create_end_entity_certificate(
      'RSA %d Device Cert' % leaf_key_size, ica_cert)
  device_cert.get_extensions().set_property('extendedKeyUsage', 'clientAuth')
  device_key_path = common.create_key_path(device_cert.name)
  device_key = common.get_or_generate_rsa_key(leaf_key_size, device_key_path)
  device_cert.set_key(device_key)
  device_cert.set_validity_range(not_before, not_after)

  # Leaf first, root last.
  common.write_chain(chain_description, [device_cert, ica_cert, root_cert],
                     chain_path)

  # Signed data made with the device key, referencing the chain just written.
  create_signatures.create_signed_data(
      device_key_path, signed_data_path, '../certificates/' + chain_path)
def generate_chain(intermediate_digest_algorithm):
  """Write a root/intermediate/target chain whose intermediate is signed with the given digest.

  The intermediate's signature hash is set to intermediate_digest_algorithm and
  it carries extendedKeyUsage=nsSGC; the target carries
  extendedKeyUsage=serverAuth,clientAuth. The chain is written leaf first to
  '<digest>-chain.pem', using this module's docstring as the description.

  Args:
    intermediate_digest_algorithm: name of the signature hash used for the
      intermediate; also used as the output file name prefix.
  """
  output_path = '%s-chain.pem' % intermediate_digest_algorithm

  # Root: self-signed.
  root_cert = common.create_self_signed_root_certificate('Root')

  # Intermediate: issued by the root, signed with the requested digest.
  ica_cert = common.create_intermediate_certificate('Intermediate', root_cert)
  ica_cert.set_signature_hash(intermediate_digest_algorithm)
  ica_extensions = ica_cert.get_extensions()
  ica_extensions.set_property('extendedKeyUsage', 'nsSGC')

  # Target: issued by the intermediate.
  target_cert = common.create_end_entity_certificate('Target', ica_cert)
  target_extensions = target_cert.get_extensions()
  target_extensions.set_property('extendedKeyUsage', 'serverAuth,clientAuth')

  common.write_chain(__doc__, [target_cert, ica_cert, root_cert], output_path)
def generate_policies_chain(intermediate_policies, leaf_policies):
  """Creates a 3-certificate chain (root, intermediate, leaf) exercising certificatePolicies and writes it as PEM to the current directory.

  The root carries no policies extension; the intermediate's policies come from
  |intermediate_policies| and the leaf's from |leaf_policies|. Each argument is
  a list whose values should be OID constants (AUDIO_ONLY, ANY_POLICY); an
  empty list means the certificate gets no policies extension at all.

  The output file name is a human-readable serialization of both lists (see
  policies_to_filename), and the description embedded in the file lists the
  policies of each certificate.
  """
  # Root: self-signed, no policies extension.
  root_cert = common.create_self_signed_root_certificate('Root')
  root_cert.set_validity_range(JAN_2015, JAN_2018)

  # Intermediate: issued by the root, carrying |intermediate_policies|.
  ica_cert = common.create_intermediate_certificate('Intermediate', root_cert)
  set_policies_from_list(ica_cert, intermediate_policies)
  ica_cert.set_validity_range(JAN_2015, JAN_2018)

  # Leaf: issued by the intermediate, carrying |leaf_policies| plus a
  # clientAuth EKU.
  leaf_cert = common.create_end_entity_certificate('Leaf', ica_cert)
  set_policies_from_list(leaf_cert, leaf_policies)
  leaf_cert.get_extensions().set_property('extendedKeyUsage', 'clientAuth')
  leaf_cert.set_validity_range(JAN_2015, JAN_2018)

  ica_policy_text = ', '.join(intermediate_policies)
  leaf_policy_text = ', '.join(leaf_policies)
  chain_description = """Cast certificate chain with the following policies: Root: policies={} Intermediate: policies={%s} Leaf: policies={%s}""" % (
      ica_policy_text, leaf_policy_text)

  ica_name_part = policies_to_filename(intermediate_policies)
  leaf_name_part = policies_to_filename(leaf_policies)
  chain_file_name = 'policies_ica_%s_leaf_%s.pem' % (ica_name_part,
                                                     leaf_name_part)

  # Leaf first, root last.
  common.write_chain(chain_description, [leaf_cert, ica_cert, root_cert],
                     chain_file_name)
"""

import common

# The "new" certificates get a later notBefore date than the "old" ones. This
# should affect path builder sorting, but otherwise won't matter.
JANUARY_2_2015_UTC = '150102120000Z'

# Two self-signed root certificates with the same name but different keys
# (each create_self_signed_root_certificate call gets its own key).
oldroot = common.create_self_signed_root_certificate('Root')
oldroot.set_validity_range(common.JANUARY_1_2015_UTC,
                           common.JANUARY_1_2016_UTC)
newroot = common.create_self_signed_root_certificate('Root')
newroot.set_validity_range(JANUARY_2_2015_UTC, common.JANUARY_1_2016_UTC)

# Rollover certificate: the new root's key, issued (signed) by the old root.
# Name and key match newroot, so it bridges chains from the old key to the new.
newrootrollover = common.create_intermediate_certificate('Root', oldroot)
newrootrollover.set_key(newroot.get_key())
newrootrollover.set_validity_range(JANUARY_2_2015_UTC,
                                   common.JANUARY_1_2016_UTC)

# Intermediate issued by the old root.
oldintermediate = common.create_intermediate_certificate(
    'Intermediate', oldroot)
oldintermediate.set_validity_range(common.JANUARY_1_2015_UTC,
                                   common.JANUARY_1_2016_UTC)

# Intermediate issued by the new root. Same name and same key as
# oldintermediate, so only the issuer (and notBefore) differs.
newintermediate = common.create_intermediate_certificate(
    'Intermediate', newroot)
newintermediate.set_key(oldintermediate.get_key())
newintermediate.set_validity_range(JANUARY_2_2015_UTC,
                                   common.JANUARY_1_2016_UTC)
#!/usr/bin/python # Copyright (c) 2017 The Chromium Authors. All rights reserved. # Use of this source code is governed by a BSD-style license that can be # found in the LICENSE file. """Certificate chain where the target certificate sets the extended key usage to clientAuth. Neither the root nor the intermediate have an EKU.""" import sys sys.path += ['..'] import common # Self-signed root certificate. root = common.create_self_signed_root_certificate('Root') # Intermediate certificate. intermediate = common.create_intermediate_certificate('Intermediate', root) # Target certificate. target = common.create_end_entity_certificate('Target', intermediate) target.get_extensions().set_property('extendedKeyUsage', 'clientAuth') chain = [target, intermediate, root] common.write_chain(__doc__, chain, 'chain.pem')
def write_cert_to_file(cert, filename):
  """Write cert's PEM to filename, preceded by a header naming this generator script.

  The header records sys.argv[0] so a reader of the .pem can find the script
  (and its docstring) that produced it.
  """
  header_and_pem = (
      "Generated by %s.\n"
      "Refer to generator script docstring for details.\n%s")
  contents = header_and_pem % (sys.argv[0], cert.get_cert_pem())
  common.write_string_to_file(contents, filename)


# Self-signed root certificate.
root = common.create_self_signed_root_certificate('Root')
write_cert_to_file(root, 'root.pem')

# Intermediate certificates, all issued by the root.
i1_1 = common.create_intermediate_certificate('I1', root)
write_cert_to_file(i1_1, 'i1_1.pem')

# Same name as i1_1 after name normalization ('i1' vs 'I1'), but a different
# key.
i1_2 = common.create_intermediate_certificate('i1', root)
write_cert_to_file(i1_2, 'i1_2.pem')

# A different name altogether.
i2 = common.create_intermediate_certificate('I2', root)
write_cert_to_file(i2, 'i2.pem')

# Target (end-entity) certificates.
c1 = common.create_end_entity_certificate('C1', i1_1)
write_cert_to_file(c1, 'c1.pem')
#!/usr/bin/python # Copyright (c) 2015 The Chromium Authors. All rights reserved. # Use of this source code is governed by a BSD-style license that can be # found in the LICENSE file. """Certificate chain with 1 intermediate and a non-self-signed trust anchor. Verification should succeed, it doesn't matter that the root was not self-signed if it is designated as the trust anchor.""" import common uber_root = common.create_self_signed_root_certificate('UberRoot') # Non-self-signed root certificate (used as trust anchor) root = common.create_intermediate_certificate('Root', uber_root) # Intermediate certificate. intermediate = common.create_intermediate_certificate('Intermediate', root) # Target certificate. target = common.create_end_entity_certificate('Target', intermediate) chain = [target, intermediate] trusted = common.TrustAnchor(root, constrained=True) time = common.DEFAULT_TIME verify_result = True errors = None common.write_test_file(__doc__, chain, trusted, time, verify_result, errors)
def write_cert_to_file(cert, filename):
  """Write cert's PEM to filename, preceded by a header naming this generator script.

  The header records sys.argv[0] so a reader of the .pem can find the script
  (and its docstring) that produced it.
  """
  header_and_pem = (
      "Generated by %s.\n"
      "Refer to generator script docstring for details.\n%s")
  contents = header_and_pem % (sys.argv[0], cert.get_cert_pem())
  common.write_string_to_file(contents, filename)


# Self-signed root certificate.
root = common.create_self_signed_root_certificate('Root')
write_cert_to_file(root, 'root.pem')

# Intermediate certificates, all issued by the root.
i1_1 = common.create_intermediate_certificate('I1', root)
write_cert_to_file(i1_1, 'i1_1.pem')

# Same name as i1_1 after name normalization ('i1' vs 'I1'), but a different
# key.
i1_2 = common.create_intermediate_certificate('i1', root)
write_cert_to_file(i1_2, 'i1_2.pem')

# A different name altogether.
i2 = common.create_intermediate_certificate('I2', root)
write_cert_to_file(i2, 'i2.pem')

# Two intermediates with exactly the same name (no normalization involved).
i3_1 = common.create_intermediate_certificate('I3', root)
write_cert_to_file(i3_1, 'i3_1.pem')
i3_2 = common.create_intermediate_certificate('I3', root)
write_cert_to_file(i3_2, 'i3_2.pem')
common.JANUARY_1_2021_UTC)

# Generate the keys. One key per role: root_key for the root, i_key shared by
# every intermediate, and target_key presumably shared by every end-entity
# certificate (the target certificates are created further down, outside this
# excerpt).
root_key = common.get_or_generate_rsa_key(2048, common.create_key_path('root'))
i_key = common.get_or_generate_rsa_key(2048, common.create_key_path('i'))
target_key = common.get_or_generate_rsa_key(2048,
                                            common.create_key_path('target'))

# Self-signed root certificate.
root = common.create_self_signed_root_certificate('Root')
root.set_key(root_key)
common.write_string_to_file(root.get_cert_pem(), 'root.pem')

# Intermediate certificates. All have the same subject ('I') and the same key
# (i_key), so they differ only in the certificate body and serial.
i_base = common.create_intermediate_certificate('I', root)
i_base.set_key(i_key)
common.write_string_to_file(i_base.get_cert_pem(), 'i.pem')

i2 = common.create_intermediate_certificate('I', root)
i2.set_key(i_key)
common.write_string_to_file(i2.get_cert_pem(), 'i2.pem')

i3 = common.create_intermediate_certificate('I', root)
i3.set_key(i_key)
common.write_string_to_file(i3.get_cert_pem(), 'i3.pem')

# More Intermediate certificates, which are just to generate the proper config
# files so the target certs will have the desired Authority Information Access
# values. These ones aren't saved to files.
i_no_aia = common.create_intermediate_certificate('I', root)
#!/usr/bin/python # Copyright (c) 2015 The Chromium Authors. All rights reserved. # Use of this source code is governed by a BSD-style license that can be # found in the LICENSE file. """Certificate chain with 1 intermediate, a trusted root, and a target certificate that is also a CA. Verification is expected to succeed, as the test code accepts any target certificate.""" import common # Self-signed root certificate (used as trust anchor). root = common.create_self_signed_root_certificate('Root') # Intermediate certificate. intermediate = common.create_intermediate_certificate('Intermediate', root) # Target certificate (is also a CA) target = common.create_intermediate_certificate('Target', intermediate) chain = [target, intermediate] trusted = common.TrustAnchor(root, constrained=False) time = common.DEFAULT_TIME verify_result = True common.write_test_file(__doc__, chain, trusted, time, verify_result)
#!/usr/bin/python # Copyright (c) 2015 The Chromium Authors. All rights reserved. # Use of this source code is governed by a BSD-style license that can be # found in the LICENSE file. """Certificate chain where the target certificate is a CA rather than an end-entity certificate (based on the basic constraints extension).""" import sys sys.path += ['..'] import common # Self-signed root certificate. root = common.create_self_signed_root_certificate('Root') # Intermediate certificate. intermediate = common.create_intermediate_certificate('Intermediate', root) # Target certificate (is also a CA) target = common.create_intermediate_certificate('Target', intermediate) chain = [target, intermediate, root] common.write_chain(__doc__, chain, 'chain.pem')
# found in the LICENSE file. """Certificate chain with 2 intermediates. The first intermediate has a basic constraints path length of 0. The second one is self-issued so does not count against the path length.""" import sys sys.path += ['..'] import common # Self-signed root certificate (used as trust anchor). root = common.create_self_signed_root_certificate('Root') # Intermediate with pathlen 0 intermediate1 = common.create_intermediate_certificate('Intermediate', root) intermediate1.get_extensions().set_property('basicConstraints', 'critical,CA:true,pathlen:0') # Another intermediate (with the same pathlen restriction). # Note that this is self-issued but NOT self-signed. intermediate2 = common.create_intermediate_certificate('Intermediate', intermediate1) intermediate2.get_extensions().set_property('basicConstraints', 'critical,CA:true,pathlen:0') # Target certificate. target = common.create_end_entity_certificate('Target', intermediate2) chain = [target, intermediate2, intermediate1, root] common.write_chain(__doc__, chain, 'chain.pem')
#!/usr/bin/python # Copyright (c) 2015 The Chromium Authors. All rights reserved. # Use of this source code is governed by a BSD-style license that can be # found in the LICENSE file. """Certificate chain with 1 intermediate and a non-self-signed trust anchor. Verification should succeed, it doesn't matter that the root was not self-signed if it is designated as the trust anchor.""" import common uber_root = common.create_self_signed_root_certificate('UberRoot') # Non-self-signed root certificate (used as trust anchor) root = common.create_intermediate_certificate('Root', uber_root) # Intermediate certificate. intermediate = common.create_intermediate_certificate('Intermediate', root) # Target certificate. target = common.create_end_entity_certificate('Target', intermediate) chain = [target, intermediate] trusted = common.TrustAnchor(root, constrained=True) time = common.DEFAULT_TIME verify_result = True common.write_test_file(__doc__, chain, trusted, time, verify_result)
# Copyright (c) 2015 The Chromium Authors. All rights reserved. # Use of this source code is governed by a BSD-style license that can be # found in the LICENSE file. """Certificate chain with 1 intermediate, a trusted root, and a target certificate that is not a CA, and yet has the keyCertSign bit set. Verification is expected to fail, since keyCertSign should only be asserted when CA is true.""" import common # Self-signed root certificate (used as trust anchor). root = common.create_self_signed_root_certificate("Root") # Intermediate certificate. intermediate = common.create_intermediate_certificate("Intermediate", root) # Target certificate (end entity but has keyCertSign bit set). target = common.create_end_entity_certificate("Target", intermediate) target.get_extensions().set_property("keyUsage", "critical,digitalSignature,keyEncipherment,keyCertSign") chain = [target, intermediate] trusted = common.TrustAnchor(root, constrained=False) time = common.DEFAULT_TIME verify_result = False errors = """[Context] Processing Certificate index: 1 [Error] Target certificate looks like a CA but does not set all CA properties """
def write_cert_to_file(cert, filename):
  """Write cert's PEM to filename, preceded by a header naming this generator script.

  The header records sys.argv[0] so a reader of the .pem can find the script
  (and its docstring) that produced it.
  """
  header_and_pem = (
      "Generated by %s.\n"
      "Refer to generator script docstring for details.\n%s")
  contents = header_and_pem % (sys.argv[0], cert.get_cert_pem())
  common.write_string_to_file(contents, filename)


# Self-signed root certificate.
root = common.create_self_signed_root_certificate("Root")
write_cert_to_file(root, "root.pem")

# Intermediate certificates, all issued by the root.
i1_1 = common.create_intermediate_certificate("I1", root)
write_cert_to_file(i1_1, "i1_1.pem")

# Same name as i1_1 after name normalization ("i1" vs "I1"), but a different
# key.
i1_2 = common.create_intermediate_certificate("i1", root)
write_cert_to_file(i1_2, "i1_2.pem")

# A different name altogether.
i2 = common.create_intermediate_certificate("I2", root)
write_cert_to_file(i2, "i2.pem")

# Two intermediates with exactly the same name (no normalization involved).
i3_1 = common.create_intermediate_certificate("I3", root)
write_cert_to_file(i3_1, "i3_1.pem")
i3_2 = common.create_intermediate_certificate("I3", root)
write_cert_to_file(i3_2, "i3_2.pem")
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.

"""Certificate chain with 2 intermediates and one end entity certificate. The root certificate has a pathlen:1 restriction, and constraints are enforced on this trust anchor making it an invalid chain."""

import common

# Self-signed root certificate (used as trust anchor). pathlen:1 permits at
# most one non-self-issued intermediate below it.
root = common.create_self_signed_root_certificate('Root')
root.get_extensions().set_property('basicConstraints',
                                   'critical,CA:true,pathlen:1')

# Intermediate 1 (no pathlen restriction of its own), issued by the root.
intermediate1 = common.create_intermediate_certificate('Intermediate1', root)

# Intermediate 2 (no pathlen restriction of its own), issued by Intermediate1.
# This second, non-self-issued intermediate is what exceeds the root's pathlen.
intermediate2 = common.create_intermediate_certificate('Intermediate2',
                                                       intermediate1)

# Target certificate, issued by Intermediate2.
target = common.create_end_entity_certificate('Target', intermediate2)

# The chain under test stops at intermediate1; the root is supplied separately
# as a trust anchor with constrained=True so its pathlen is honored.
chain = [target, intermediate2, intermediate1]
trusted = common.TrustAnchor(root, constrained=True)
# NOTE: 'time' shadows the stdlib module name; harmless here since the time
# module is not imported.
time = common.DEFAULT_TIME
verify_result = False
# Expected verifier output (string continues beyond this excerpt).
errors = """[Context] Processing Certificate index: 1 [Error] max_path_length reached
All of these chains should verify successfully.
"""

import common

# The "new" certificates get a later notBefore date than the "old" ones. This
# should affect path builder sorting, but otherwise won't matter.
JANUARY_2_2015_UTC = '150102120000Z'

# Two self-signed root certificates with the same name but different keys
# (each create_self_signed_root_certificate call gets its own key).
oldroot = common.create_self_signed_root_certificate('Root')
oldroot.set_validity_range(common.JANUARY_1_2015_UTC,
                           common.JANUARY_1_2016_UTC)
newroot = common.create_self_signed_root_certificate('Root')
newroot.set_validity_range(JANUARY_2_2015_UTC, common.JANUARY_1_2016_UTC)

# Rollover certificate: the new root's key, issued (signed) by the old root.
# Name and key match newroot, so it bridges chains from the old key to the new.
newrootrollover = common.create_intermediate_certificate('Root', oldroot)
newrootrollover.set_key(newroot.get_key())
newrootrollover.set_validity_range(JANUARY_2_2015_UTC,
                                   common.JANUARY_1_2016_UTC)

# Intermediate issued by the old root.
oldintermediate = common.create_intermediate_certificate('Intermediate',
                                                         oldroot)
oldintermediate.set_validity_range(common.JANUARY_1_2015_UTC,
                                   common.JANUARY_1_2016_UTC)

# Intermediate issued by the new root. Same name and same key as
# oldintermediate, so only the issuer (and notBefore) differs.
newintermediate = common.create_intermediate_certificate('Intermediate',
                                                         newroot)
newintermediate.set_key(oldintermediate.get_key())
newintermediate.set_validity_range(JANUARY_2_2015_UTC,
                                   common.JANUARY_1_2016_UTC)
#!/usr/bin/python # Copyright (c) 2015 The Chromium Authors. All rights reserved. # Use of this source code is governed by a BSD-style license that can be # found in the LICENSE file. """Certificate chain where the intermediate lacks a keyUsage extension.""" import sys sys.path += ['..'] import common # Self-signed root certificate. root = common.create_self_signed_root_certificate('Root') # Intermediate that is missing keyCertSign. intermediate = common.create_intermediate_certificate('Intermediate', root) intermediate.get_extensions().set_property( 'keyUsage', 'critical,digitalSignature,keyEncipherment') # Target certificate. target = common.create_end_entity_certificate('Target', intermediate) chain = [target, intermediate, root] common.write_chain(__doc__, chain, 'chain.pem')
# found in the LICENSE file. import os import sys sys.path += [os.path.join('..', 'verify_certificate_chain_unittest')] import common # Self-signed root certificate. Not saved to a .pem since the test doesn't need # it. root = common.create_self_signed_root_certificate('Root') # Intermediate certificates. All have the same subject and key. i_base = common.create_intermediate_certificate('I', root) common.write_string_to_file(i_base.get_cert_pem(), 'i.pem') i2 = common.create_intermediate_certificate('I', root) i2.set_key_path(i_base.get_key_path()) common.write_string_to_file(i2.get_cert_pem(), 'i2.pem') i3 = common.create_intermediate_certificate('I', root) i3.set_key_path(i_base.get_key_path()) common.write_string_to_file(i3.get_cert_pem(), 'i3.pem') # More Intermediate certificates, which are just to generate the proper config # files so the target certs will have the desired Authority Information Access # values. These ones aren't saved to files. i_no_aia = common.create_intermediate_certificate('I', root)