def make_chain(name, doc, excluded, permitted, sans):
    """Build Root -> Intermediate -> t0 and write it to '<name>.pem'.

    Args:
      name: basename of the output PEM file ('%s.pem' % name).
      doc: description text handed through to gencerts.write_chain.
      excluded: keyword arguments for add_excluded_name_constraints (the
        intermediate's excludedSubtrees).
      permitted: keyword arguments for add_permitted_name_constraints (the
        intermediate's permittedSubtrees).
      sans: keyword arguments for add_sans (the target's subjectAltName).

    Relies on the module-level root, intermediate_key and target_key, so
    chains produced by successive calls share root and keys and differ only
    in the name constraints and SANs.
    """
    # The intermediate carries the constraints under test; excluded
    # subtrees are applied before permitted ones, as in the original.
    constrained_ca = gencerts.create_intermediate_certificate(
        'Intermediate', root)
    constrained_ca.set_key(intermediate_key)
    add_excluded_name_constraints(constrained_ca, **excluded)
    add_permitted_name_constraints(constrained_ca, **permitted)

    # The leaf's SANs are what a verifier checks against those constraints.
    leaf = gencerts.create_end_entity_certificate('t0', constrained_ca)
    leaf.set_key(target_key)
    add_sans(leaf, **sans)

    # Leaf first, root last.
    gencerts.write_chain(doc, [leaf, constrained_ca, root], '%s.pem' % name)
def generate_chain(intermediate_digest_algorithm):
    """Write Root -> Intermediate -> Target to '<algorithm>-chain.pem'.

    Args:
      intermediate_digest_algorithm: hash name passed to set_signature_hash()
        on the intermediate only (root and target keep gencerts' default); it
        also forms the output filename ('%s-chain.pem').

    The intermediate's extendedKeyUsage is 'nsSGC' (OpenSSL's name for the
    legacy Netscape Server Gated Crypto OID) while the target asks for
    serverAuth,clientAuth -- presumably to exercise how a verifier treats an
    nsSGC-only CA when the leaf is used for serverAuth.
    """
    ca_root = gencerts.create_self_signed_root_certificate('Root')

    ca_int = gencerts.create_intermediate_certificate('Intermediate', ca_root)
    ca_int.set_signature_hash(intermediate_digest_algorithm)
    ca_int.get_extensions().set_property('extendedKeyUsage', 'nsSGC')

    leaf = gencerts.create_end_entity_certificate('Target', ca_int)
    leaf.get_extensions().set_property('extendedKeyUsage',
                                       'serverAuth,clientAuth')

    # Leaf first, root last; the module docstring becomes the file header.
    gencerts.write_chain(__doc__, [leaf, ca_int, ca_root],
                         '%s-chain.pem' % intermediate_digest_algorithm)
def generate_chain(intermediate_digest_algorithm):
    """Write Root -> Intermediate -> Target to '<algorithm>-chain.pem'.

    Args:
      intermediate_digest_algorithm: hash name passed to set_signature_hash()
        on the intermediate only (root and target keep gencerts' default); it
        also forms the output filename ('%s-chain.pem').

    The intermediate's extendedKeyUsage is 'nsSGC' (OpenSSL's name for the
    legacy Netscape Server Gated Crypto OID) while the target asks for
    serverAuth,clientAuth and carries a DNS SAN -- presumably to exercise how
    a verifier treats an nsSGC-only CA when the leaf is used for serverAuth.
    """
    ca_root = gencerts.create_self_signed_root_certificate('Root')

    ca_int = gencerts.create_intermediate_certificate('Intermediate', ca_root)
    ca_int.set_signature_hash(intermediate_digest_algorithm)
    ca_int.get_extensions().set_property('extendedKeyUsage', 'nsSGC')

    leaf = gencerts.create_end_entity_certificate('Target', ca_int)
    leaf_exts = leaf.get_extensions()
    leaf_exts.set_property('extendedKeyUsage', 'serverAuth,clientAuth')
    # TODO(eroman): Set subjectAltName by default rather than specifically in
    # this test.
    leaf_exts.set_property('subjectAltName', 'DNS:test.example')

    # Leaf first, root last; the module docstring becomes the file header.
    gencerts.write_chain(__doc__, [leaf, ca_int, ca_root],
                         '%s-chain.pem' % intermediate_digest_algorithm)
#!/usr/bin/python # Copyright (c) 2015 The Chromium Authors. All rights reserved. # Use of this source code is governed by a BSD-style license that can be # found in the LICENSE file. """Certificate chain where the intermediate has an unknown critical extension.""" import sys sys.path += ['../..'] import gencerts # Self-signed root certificate. root = gencerts.create_self_signed_root_certificate('Root') # Intermediate that has an unknown critical extension. intermediate = gencerts.create_intermediate_certificate('Intermediate', root) intermediate.get_extensions().add_property('1.2.3.4', 'critical,DER:01:02:03:04') # Target certificate. target = gencerts.create_end_entity_certificate('Target', intermediate) chain = [target, intermediate, root] gencerts.write_chain(__doc__, chain, 'chain.pem')
int_different_ski_a = gencerts.create_intermediate_certificate( 'Intermediate', root) int_different_ski_a.set_validity_range(DATE_A, DATE_Z) int_different_ski_b = gencerts.create_intermediate_certificate( 'Intermediate', root) int_different_ski_b.set_validity_range(DATE_B, DATE_Z) int_different_ski_b.set_key(int_different_ski_a.get_key()) int_different_ski_c = gencerts.create_intermediate_certificate( 'Intermediate', root) int_different_ski_c.set_validity_range(DATE_C, DATE_Z) int_different_ski_c.set_key(int_different_ski_a.get_key()) target = gencerts.create_end_entity_certificate('Target', int_matching_ski_a) target.set_validity_range(DATE_A, DATE_Z) gencerts.write_chain('The root', [root], out_pem='root.pem') gencerts.write_chain( 'Intermediate with matching subjectKeyIdentifier and notBefore A', [int_matching_ski_a], out_pem='int_matching_ski_a.pem') gencerts.write_chain( 'Intermediate with matching subjectKeyIdentifier and notBefore B', [int_matching_ski_b], out_pem='int_matching_ski_b.pem') gencerts.write_chain(
# Intermediate whose AIA caIssuers list mixes a file:// URI with an HTTP URL.
# Presumably here to check that an AIA fetcher only follows http(s) URLs and
# never opens a local path (file:///dev/null) -- verify against the test.
i_file_and_http_aia = gencerts.create_intermediate_certificate('I', root)
i_file_and_http_aia.set_key(i_key)
section = i_file_and_http_aia.config.get_section('issuer_info')
section.set_property('caIssuers;URI.0', 'file:///dev/null')
section.set_property('caIssuers;URI.1', 'http://url-for-aia2/I2.foo')

# Same shape, but the first caIssuers entry is not a URL at all ('foobar');
# the valid HTTP entry still follows it.  `section` is rebound to this
# certificate's own issuer_info section, not shared with the one above.
i_invalid_and_http_aia = gencerts.create_intermediate_certificate('I', root)
i_invalid_and_http_aia.set_key(i_key)
section = i_invalid_and_http_aia.config.get_section('issuer_info')
section.set_property('caIssuers;URI.0', 'foobar')
section.set_property('caIssuers;URI.1', 'http://url-for-aia2/I2.foo')

# target certs
# Every leaf has the same subject ('target'), the same key (target_key) and
# the same SAN; they differ only in which intermediate issued them.  Each is
# written on its own with write_string_to_file (no chain), so the issuer must
# come from the test's supplied certs or from AIA.
target = gencerts.create_end_entity_certificate('target', i_base)
target.set_key(target_key)
target.get_extensions().set_property('subjectAltName', 'DNS:target')
gencerts.write_string_to_file(target.get_cert_pem(), 'target_one_aia.pem')

target = gencerts.create_end_entity_certificate('target', i_no_aia)
target.set_key(target_key)
target.get_extensions().set_property('subjectAltName', 'DNS:target')
gencerts.write_string_to_file(target.get_cert_pem(), 'target_no_aia.pem')

target = gencerts.create_end_entity_certificate('target', i_two_aia)
target.set_key(target_key)
target.get_extensions().set_property('subjectAltName', 'DNS:target')
gencerts.write_string_to_file(target.get_cert_pem(), 'target_two_aia.pem')

target = gencerts.create_end_entity_certificate('target', i_three_aia)
# The root spans the whole window (assuming DATE_A < DATE_B < DATE_C < DATE_D
# as the names suggest -- the constants are defined above this excerpt).
root.set_validity_range(DATE_A, DATE_D)

# Four intermediates with the same subject ('Intermediate'), the same issuer
# and, via set_key(int_ac.get_key()), the same key.  They differ only in
# validity range, so any of them can verify the target's signature and a path
# builder must choose one whose validity covers the verification time.
int_ac = gencerts.create_intermediate_certificate('Intermediate', root)
int_ac.set_validity_range(DATE_A, DATE_C)

int_ad = gencerts.create_intermediate_certificate('Intermediate', root)
int_ad.set_validity_range(DATE_A, DATE_D)
int_ad.set_key(int_ac.get_key())

int_bc = gencerts.create_intermediate_certificate('Intermediate', root)
int_bc.set_validity_range(DATE_B, DATE_C)
int_bc.set_key(int_ac.get_key())

int_bd = gencerts.create_intermediate_certificate('Intermediate', root)
int_bd.set_validity_range(DATE_B, DATE_D)
int_bd.set_key(int_ac.get_key())

# Signed by int_ac but valid over the full A..D window, so its own validity
# never rules a path out -- only the chosen intermediate's does.
target = gencerts.create_end_entity_certificate('Target', int_ac)
target.set_validity_range(DATE_A, DATE_D)

# Each certificate goes to its own file rather than one chain, so the test
# decides which intermediates the verifier is given.
gencerts.write_chain('The root', [root], out_pem='root.pem')
gencerts.write_chain('Intermediate with validity range A..C', [int_ac],
                     out_pem='int_ac.pem')
gencerts.write_chain('Intermediate with validity range A..D', [int_ad],
                     out_pem='int_ad.pem')
gencerts.write_chain('Intermediate with validity range B..C', [int_bc],
                     out_pem='int_bc.pem')
gencerts.write_chain('Intermediate with validity range B..D', [int_bd],
                     out_pem='int_bd.pem')
gencerts.write_chain('The target', [target], out_pem='target.pem')
import sys
sys.path += ['../..']

import gencerts

# Validity boundaries handed straight to set_validity_range (presumably
# UTCTime YYMMDDHHMMSSZ, making DATE_B one day after DATE_A -- confirm in
# gencerts).  Everything is valid from DATE_A except the cross-sign.
DATE_A = '150101120000Z'
DATE_B = '150102120000Z'
DATE_Z = '180101120000Z'

root1 = gencerts.create_self_signed_root_certificate('Root1')
root1.set_validity_range(DATE_A, DATE_Z)

root2 = gencerts.create_self_signed_root_certificate('Root2')
root2.set_validity_range(DATE_A, DATE_Z)

# Cross-sign: a certificate for Root1's name and key, issued by Root2, whose
# notBefore (DATE_B) is later than the self-signed Root1's (DATE_A).  Two
# certificates now describe the same name/key; presumably this exercises which
# one a path builder prefers when the only difference is notBefore.
root1_cross = gencerts.create_intermediate_certificate('Root1', root2)
root1_cross.set_key(root1.get_key())
root1_cross.set_validity_range(DATE_B, DATE_Z)

# Issued by Root1; since root1_cross carries the same key it verifies through
# either the self-signed Root1 or the cross-signed one.
target = gencerts.create_end_entity_certificate('Target', root1)
target.set_validity_range(DATE_A, DATE_Z)

# Each certificate is written to its own PEM file rather than as one chain.
gencerts.write_chain('Root1', [root1], out_pem='root1.pem')
gencerts.write_chain('Root2', [root2], out_pem='root2.pem')
gencerts.write_chain(
    'Root1 cross-signed by Root2, with a newer notBefore date'
    ' than Root1', [root1_cross], out_pem='root1_cross.pem')
gencerts.write_chain('Target', [target], out_pem='target.pem')
# same name (after normalization), different key i1_2 = gencerts.create_intermediate_certificate('i1', root) write_cert_to_file(i1_2, 'i1_2.pem') # different name i2 = gencerts.create_intermediate_certificate('I2', root) write_cert_to_file(i2, 'i2.pem') # Two intermediates with exactly the same name. i3_1 = gencerts.create_intermediate_certificate('I3', root) write_cert_to_file(i3_1, 'i3_1.pem') i3_2 = gencerts.create_intermediate_certificate('I3', root) write_cert_to_file(i3_2, 'i3_2.pem') # target certs c1 = gencerts.create_end_entity_certificate('C1', i1_1) write_cert_to_file(c1, 'c1.pem') c2 = gencerts.create_end_entity_certificate('C2', i1_2) write_cert_to_file(c2, 'c2.pem') d = gencerts.create_end_entity_certificate('D', i2) write_cert_to_file(d, 'd.pem') e1 = gencerts.create_end_entity_certificate('E1', i3_1) write_cert_to_file(e1, 'e1.pem') e2 = gencerts.create_end_entity_certificate('E2', i3_2) write_cert_to_file(e2, 'e2.pem')
# Permitted dirName subtrees are added through numbered config sections
# ('permitted;dirName.N' names section nc_N), each holding a single
# organizationName.  `nc` and `nc_permit_o2_o1_o3` -- and, judging by the
# indices and the output filename, an earlier O2 entry -- are set up above
# this excerpt.
nc.add_property('permitted;dirName.2', 'nc_2')
nc_2 = nc_permit_o2_o1_o3.config.get_section('nc_2')
nc_2.add_property('organizationName', 'O1')

nc.add_property('permitted;dirName.3', 'nc_3')
nc_3 = nc_permit_o2_o1_o3.config.get_section('nc_3')
nc_3.add_property('organizationName', 'O3')

gencerts.write_string_to_file(nc_permit_o2_o1_o3.get_cert_pem(),
                              'nc-int-permit-o2-o1-o3.pem')

## Create leaf certs (note: The issuer name does not matter for these tests)

# Leaf missing an organization name
# The subject is cleared and rebuilt as just CN=O1: the value matches a
# permitted organizationName but sits in the wrong attribute type, so a
# verifier that compared attribute values without their types would wrongly
# treat it as inside the permitted subtree.
leaf_no_o = gencerts.create_end_entity_certificate('L1', root)
leaf_no_o.set_key(leaf_key)
dn = leaf_no_o.get_subject()
dn.clear_properties()
dn.add_property('commonName', 'O1')
gencerts.write_string_to_file(leaf_no_o.get_cert_pem(), 'leaf-no-o.pem')

# Leaf with two organizations as two distinct SETs, ordered O1 and O2
# The '0.' / '1.' prefixes presumably follow OpenSSL's convention for
# repeating an attribute type, giving two separate RDNs rather than one
# multi-valued RDN -- confirm in gencerts.
leaf_o1_o2 = gencerts.create_end_entity_certificate('L2', root)
leaf_o1_o2.set_key(leaf_key)
dn = leaf_o1_o2.get_subject()
dn.clear_properties()
dn.add_property('0.organizationName', 'O1')
dn.add_property('1.organizationName', 'O2')
dn.add_property('commonName', 'Leaf')
gencerts.write_string_to_file(leaf_o1_o2.get_cert_pem(), 'leaf-o1-o2.pem')