コード例 #1
def make_chain(name, doc, excluded, permitted, sans):
    """Write a target -> intermediate -> root test chain to '<name>.pem'.

    The intermediate is given the excluded and permitted name constraints
    (each mapping is expanded into keyword arguments for its helper) and the
    target is given the subjectAltNames in `sans`. `doc` is passed to
    gencerts.write_chain as the first argument.

    Uses `root`, `intermediate_key` and `target_key`, which are defined
    outside this function.
    """
    # CA certificate that carries the name constraints.
    constrained_ca = gencerts.create_intermediate_certificate(
        'Intermediate', root)
    constrained_ca.set_key(intermediate_key)
    add_excluded_name_constraints(constrained_ca, **excluded)
    add_permitted_name_constraints(constrained_ca, **permitted)

    # End-entity certificate holding the SANs; presumably these are what a
    # verifier matches against the intermediate's constraints.
    leaf = gencerts.create_end_entity_certificate('t0', constrained_ca)
    leaf.set_key(target_key)
    add_sans(leaf, **sans)

    # The chain is written leaf first, root last.
    out_pem = '%s.pem' % name
    gencerts.write_chain(doc, [leaf, constrained_ca, root], out_pem)
コード例 #2
def generate_chain(intermediate_digest_algorithm):
    """Write a Root -> Intermediate -> Target chain for one digest algorithm.

    The intermediate has its signature hash set to
    `intermediate_digest_algorithm` and its extendedKeyUsage set to 'nsSGC'
    (the legacy Netscape Server Gated Crypto purpose). The target's
    extendedKeyUsage is 'serverAuth,clientAuth'. The chain is written to
    '<intermediate_digest_algorithm>-chain.pem'.

    NOTE(review): presumably this lets a test check how a verifier treats an
    nsSGC-only intermediate under different signature hashes -- confirm
    against the consuming test.
    """
    # Trust anchor for the chain.
    trust_anchor = gencerts.create_self_signed_root_certificate('Root')

    # CA certificate: hash taken from the argument, EKU limited to nsSGC.
    sgc_ca = gencerts.create_intermediate_certificate('Intermediate',
                                                      trust_anchor)
    sgc_ca.set_signature_hash(intermediate_digest_algorithm)
    sgc_ca.get_extensions().set_property('extendedKeyUsage', 'nsSGC')

    # End-entity certificate.
    leaf = gencerts.create_end_entity_certificate('Target', sgc_ca)
    leaf.get_extensions().set_property('extendedKeyUsage',
                                       'serverAuth,clientAuth')

    # __doc__ here is the module-level docstring, not this function's.
    out_pem = '%s-chain.pem' % intermediate_digest_algorithm
    gencerts.write_chain(__doc__, [leaf, sgc_ca, trust_anchor], out_pem)
コード例 #3
def generate_chain(intermediate_digest_algorithm):
    """Write a Root -> Intermediate -> Target chain for one digest algorithm.

    The intermediate has its signature hash set to
    `intermediate_digest_algorithm` and its extendedKeyUsage set to 'nsSGC'
    (the legacy Netscape Server Gated Crypto purpose). The target's
    extendedKeyUsage is 'serverAuth,clientAuth' and its subjectAltName is
    'DNS:test.example'. The chain is written to
    '<intermediate_digest_algorithm>-chain.pem'.

    NOTE(review): presumably this lets a test check how a verifier treats an
    nsSGC-only intermediate under different signature hashes -- confirm
    against the consuming test.
    """
    # Trust anchor for the chain.
    trust_anchor = gencerts.create_self_signed_root_certificate('Root')

    # CA certificate: hash taken from the argument, EKU limited to nsSGC.
    sgc_ca = gencerts.create_intermediate_certificate('Intermediate',
                                                      trust_anchor)
    sgc_ca.set_signature_hash(intermediate_digest_algorithm)
    sgc_ca.get_extensions().set_property('extendedKeyUsage', 'nsSGC')

    # End-entity certificate.
    leaf = gencerts.create_end_entity_certificate('Target', sgc_ca)
    leaf_extensions = leaf.get_extensions()
    leaf_extensions.set_property('extendedKeyUsage', 'serverAuth,clientAuth')
    # TODO(eroman): Set subjectAltName by default rather than specifically in
    # this test.
    leaf.get_extensions().set_property('subjectAltName', 'DNS:test.example')

    # __doc__ here is the module-level docstring, not this function's.
    out_pem = '%s-chain.pem' % intermediate_digest_algorithm
    gencerts.write_chain(__doc__, [leaf, sgc_ca, trust_anchor], out_pem)
コード例 #4
#!/usr/bin/python
# Copyright (c) 2015 The Chromium Authors. All rights reserved.
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.
"""Certificate chain where the intermediate has an unknown critical
extension."""

import sys
sys.path += ['../..']

import gencerts

# Self-signed root certificate.
root = gencerts.create_self_signed_root_certificate('Root')

# Intermediate that has an unknown critical extension.
# The extension is added under OID 1.2.3.4 with the raw bytes 01 02 03 04 and
# is flagged critical. RFC 5280 requires a verifier to reject a certificate
# that carries a critical extension it does not recognize, so this chain is
# presumably a negative test case -- confirm against the consuming test.
intermediate = gencerts.create_intermediate_certificate('Intermediate', root)
intermediate.get_extensions().add_property('1.2.3.4',
                                           'critical,DER:01:02:03:04')

# Target certificate.
target = gencerts.create_end_entity_certificate('Target', intermediate)

# The chain is listed leaf first; the module docstring is passed as the first
# argument to write_chain.
chain = [target, intermediate, root]
gencerts.write_chain(__doc__, chain, 'chain.pem')
コード例 #5
ファイル: generate-certs.py プロジェクト: zoritle/chromium
# Three intermediates that share the name 'Intermediate' and one key (b and c
# reuse a's key) and differ in the first validity bound: DATE_A, DATE_B and
# DATE_C respectively (the first argument is presumably notBefore, matching
# the "notBefore A/B" descriptions below).
# NOTE(review): the variable names suggest a subjectKeyIdentifier that does
# not match; where that is configured is not visible in this excerpt.
int_different_ski_a = gencerts.create_intermediate_certificate(
    'Intermediate', root)
int_different_ski_a.set_validity_range(DATE_A, DATE_Z)

int_different_ski_b = gencerts.create_intermediate_certificate(
    'Intermediate', root)
int_different_ski_b.set_validity_range(DATE_B, DATE_Z)
int_different_ski_b.set_key(int_different_ski_a.get_key())

int_different_ski_c = gencerts.create_intermediate_certificate(
    'Intermediate', root)
int_different_ski_c.set_validity_range(DATE_C, DATE_Z)
int_different_ski_c.set_key(int_different_ski_a.get_key())

# The target is issued by int_matching_ski_a, which is defined outside this
# excerpt.
target = gencerts.create_end_entity_certificate('Target', int_matching_ski_a)
target.set_validity_range(DATE_A, DATE_Z)

# Each certificate is written to its own PEM file rather than as one chain,
# presumably so a test can hand the candidates to a path builder
# individually.
gencerts.write_chain('The root', [root], out_pem='root.pem')

gencerts.write_chain(
    'Intermediate with matching subjectKeyIdentifier and notBefore A',
    [int_matching_ski_a],
    out_pem='int_matching_ski_a.pem')

gencerts.write_chain(
    'Intermediate with matching subjectKeyIdentifier and notBefore B',
    [int_matching_ski_b],
    out_pem='int_matching_ski_b.pem')

gencerts.write_chain(
コード例 #6
ファイル: generate-certs.py プロジェクト: zoritle/chromium
# Intermediate whose first caIssuers URI uses the file: scheme and whose
# second is an HTTP URL.
# NOTE(review): presumably checks that AIA fetching never dereferences a local
# path named by a certificate and moves on to the HTTP entry -- confirm
# against the consuming test.
i_file_and_http_aia = gencerts.create_intermediate_certificate('I', root)
i_file_and_http_aia.set_key(i_key)
section = i_file_and_http_aia.config.get_section('issuer_info')
section.set_property('caIssuers;URI.0', 'file:///dev/null')
section.set_property('caIssuers;URI.1', 'http://url-for-aia2/I2.foo')

# Intermediate whose first caIssuers URI is not a well-formed URL ('foobar'),
# again followed by an HTTP URL.
i_invalid_and_http_aia = gencerts.create_intermediate_certificate('I', root)
i_invalid_and_http_aia.set_key(i_key)
section = i_invalid_and_http_aia.config.get_section('issuer_info')
section.set_property('caIssuers;URI.0', 'foobar')
section.set_property('caIssuers;URI.1', 'http://url-for-aia2/I2.foo')

# target certs
# Every target below has the name 'target', the key target_key and the SAN
# 'DNS:target'; only the issuing intermediate differs. i_base, i_no_aia,
# i_two_aia and i_three_aia are defined outside this excerpt.

target = gencerts.create_end_entity_certificate('target', i_base)
target.set_key(target_key)
target.get_extensions().set_property('subjectAltName', 'DNS:target')
gencerts.write_string_to_file(target.get_cert_pem(), 'target_one_aia.pem')

target = gencerts.create_end_entity_certificate('target', i_no_aia)
target.set_key(target_key)
target.get_extensions().set_property('subjectAltName', 'DNS:target')
gencerts.write_string_to_file(target.get_cert_pem(), 'target_no_aia.pem')

target = gencerts.create_end_entity_certificate('target', i_two_aia)
target.set_key(target_key)
target.get_extensions().set_property('subjectAltName', 'DNS:target')
gencerts.write_string_to_file(target.get_cert_pem(), 'target_two_aia.pem')

target = gencerts.create_end_entity_certificate('target', i_three_aia)
コード例 #7
# root and the DATE_* constants are defined outside this excerpt.
root.set_validity_range(DATE_A, DATE_D)

# Four intermediates with the same name and the same key (ad, bc and bd reuse
# int_ac's key) that differ only in validity range: A..C, A..D, B..C, B..D.
# NOTE(review): presumably used to test which of several otherwise equivalent
# issuer candidates a path builder prefers -- confirm against the consuming
# test.
int_ac = gencerts.create_intermediate_certificate('Intermediate', root)
int_ac.set_validity_range(DATE_A, DATE_C)

int_ad = gencerts.create_intermediate_certificate('Intermediate', root)
int_ad.set_validity_range(DATE_A, DATE_D)
int_ad.set_key(int_ac.get_key())

int_bc = gencerts.create_intermediate_certificate('Intermediate', root)
int_bc.set_validity_range(DATE_B, DATE_C)
int_bc.set_key(int_ac.get_key())

int_bd = gencerts.create_intermediate_certificate('Intermediate', root)
int_bd.set_validity_range(DATE_B, DATE_D)
int_bd.set_key(int_ac.get_key())

# The target is created with int_ac as issuer; since all four intermediates
# share int_ac's name and key, its signature should verify under any of them.
target = gencerts.create_end_entity_certificate('Target', int_ac)
target.set_validity_range(DATE_A, DATE_D)

# Each certificate goes to its own single-certificate PEM file.
gencerts.write_chain('The root', [root], out_pem='root.pem')
gencerts.write_chain('Intermediate with validity range A..C', [int_ac],
                     out_pem='int_ac.pem')
gencerts.write_chain('Intermediate with validity range A..D', [int_ad],
                     out_pem='int_ad.pem')
gencerts.write_chain('Intermediate with validity range B..C', [int_bc],
                     out_pem='int_bc.pem')
gencerts.write_chain('Intermediate with validity range B..D', [int_bd],
                     out_pem='int_bd.pem')
gencerts.write_chain('The target', [target], out_pem='target.pem')
コード例 #8
import sys
sys.path += ['../..']

import gencerts

# Validity bounds; the strings look like ASN.1 UTCTime (YYMMDDHHMMSSZ), i.e.
# 2015-01-01, 2015-01-02 and 2018-01-01, each at 12:00:00 UTC.
DATE_A = '150101120000Z'
DATE_B = '150102120000Z'
DATE_Z = '180101120000Z'

# Two independent self-signed roots with the same validity range.
root1 = gencerts.create_self_signed_root_certificate('Root1')
root1.set_validity_range(DATE_A, DATE_Z)

root2 = gencerts.create_self_signed_root_certificate('Root2')
root2.set_validity_range(DATE_A, DATE_Z)

# Cross-certificate: name 'Root1' and Root1's key, but issued by Root2 and
# with a later start date (DATE_B) than the self-signed Root1 (DATE_A).
root1_cross = gencerts.create_intermediate_certificate('Root1', root2)
root1_cross.set_key(root1.get_key())
root1_cross.set_validity_range(DATE_B, DATE_Z)

# The target is issued by Root1, so it can chain either directly to the
# self-signed Root1 or through root1_cross to Root2.
target = gencerts.create_end_entity_certificate('Target', root1)
target.set_validity_range(DATE_A, DATE_Z)

# Each certificate goes to its own single-certificate PEM file.
gencerts.write_chain('Root1', [root1], out_pem='root1.pem')
gencerts.write_chain('Root2', [root2], out_pem='root2.pem')
gencerts.write_chain(
    'Root1 cross-signed by Root2, with a newer notBefore date'
    ' than Root1', [root1_cross],
    out_pem='root1_cross.pem')
gencerts.write_chain('Target', [target], out_pem='target.pem')
コード例 #9
# Intermediate named 'i1': the same name (after normalization) as another
# intermediate, but with a different key. The counterpart is presumably i1_1,
# which is defined outside this excerpt.
i1_2 = gencerts.create_intermediate_certificate('i1', root)
write_cert_to_file(i1_2, 'i1_2.pem')

# Intermediate with a different name.
i2 = gencerts.create_intermediate_certificate('I2', root)
write_cert_to_file(i2, 'i2.pem')

# Two intermediates with exactly the same name.
# NOTE(review): no set_key call is visible, so each presumably has its own
# key -- confirm in gencerts.
i3_1 = gencerts.create_intermediate_certificate('I3', root)
write_cert_to_file(i3_1, 'i3_1.pem')
i3_2 = gencerts.create_intermediate_certificate('I3', root)
write_cert_to_file(i3_2, 'i3_2.pem')

# Target certs: one end-entity certificate per intermediate, so each target
# has exactly one intermediate that actually issued it even where several
# intermediates share a name.

c1 = gencerts.create_end_entity_certificate('C1', i1_1)
write_cert_to_file(c1, 'c1.pem')

c2 = gencerts.create_end_entity_certificate('C2', i1_2)
write_cert_to_file(c2, 'c2.pem')

d = gencerts.create_end_entity_certificate('D', i2)
write_cert_to_file(d, 'd.pem')

e1 = gencerts.create_end_entity_certificate('E1', i3_1)
write_cert_to_file(e1, 'e1.pem')

e2 = gencerts.create_end_entity_certificate('E2', i3_2)
write_cert_to_file(e2, 'e2.pem')
コード例 #10
# Second and third permitted dirName entries of the name constraints on
# nc_permit_o2_o1_o3; each points at a config section holding one
# organizationName (O1, then O3). `nc` and the certificate itself are set up
# outside this excerpt.
nc.add_property('permitted;dirName.2', 'nc_2')
nc_2 = nc_permit_o2_o1_o3.config.get_section('nc_2')
nc_2.add_property('organizationName', 'O1')

nc.add_property('permitted;dirName.3', 'nc_3')
nc_3 = nc_permit_o2_o1_o3.config.get_section('nc_3')
nc_3.add_property('organizationName', 'O3')

gencerts.write_string_to_file(nc_permit_o2_o1_o3.get_cert_pem(),
                              'nc-int-permit-o2-o1-o3.pem')

## Create leaf certs (note: The issuer name does not matter for these tests)

# Leaf missing an organization name
# The subject is cleared and given only commonName 'O1', so the string 'O1'
# appears in the subject but not as an organizationName.
leaf_no_o = gencerts.create_end_entity_certificate('L1', root)
leaf_no_o.set_key(leaf_key)
dn = leaf_no_o.get_subject()
dn.clear_properties()
dn.add_property('commonName', 'O1')
gencerts.write_string_to_file(leaf_no_o.get_cert_pem(), 'leaf-no-o.pem')

# Leaf with two organizations as two distinct SETs, ordered O1 and O2
# The '0.' and '1.' prefixes let the same attribute type be listed twice.
leaf_o1_o2 = gencerts.create_end_entity_certificate('L2', root)
leaf_o1_o2.set_key(leaf_key)
dn = leaf_o1_o2.get_subject()
dn.clear_properties()
dn.add_property('0.organizationName', 'O1')
dn.add_property('1.organizationName', 'O2')
dn.add_property('commonName', 'Leaf')
gencerts.write_string_to_file(leaf_o1_o2.get_cert_pem(), 'leaf-o1-o2.pem')