def generate_family(db_dir, dst_dir, ca_key, ca_cert, base_name): key_type = 'rsa' ee_ext_base = EE_basic_constraints + authority_key_ident CertUtils.generate_cert_generic(db, srcdir, 10, key_type, 'cn-a.pinning2.example.com-' + base_name, ee_ext_base, ca_key, ca_cert, '/CN=a.pinning2.example.com') CertUtils.generate_cert_generic(db, srcdir, 11, key_type, 'cn-x.a.pinning2.example.com-' + base_name, ee_ext_base, ca_key, ca_cert, '/CN=x.a.pinning2.example.com') alt_name_ext = 'subjectAltName =DNS:a.pinning2.example.com' CertUtils.generate_cert_generic( db, srcdir, 12, key_type, 'cn-www.example.com-alt-a.pinning2.example-' + base_name, ee_ext_base + alt_name_ext, ca_key, ca_cert, '/CN=www.example.com') CertUtils.generate_cert_generic(db, srcdir, 13, key_type, 'cn-b.pinning2.example.com-' + base_name, ee_ext_base, ca_key, ca_cert, '/CN=b.pinning2.example.com') CertUtils.generate_cert_generic(db, srcdir, 14, key_type, 'cn-x.b.pinning2.example.com-' + base_name, ee_ext_base, ca_key, ca_cert, '/CN=x.b.pinning2.example.com')
def generate_and_maybe_import_cert(key_type, cert_name_suffix, base_ext_text, signer_key_filename, signer_cert_filename, dsa_param_filename, key_size, generate_ev): """ Generates a certificate and imports it into the NSS DB if appropriate. Arguments: key_type -- the type of key generated: potential values: 'rsa', 'dsa', or any of the curves found by 'openssl ecparam -list_curves' cert_name_suffix -- suffix of the generated cert name base_ext_text -- the base text for the x509 extensions to be added to the certificate (extra extensions will be added if generating an EV cert) signer_key_filename -- the filename of the key from which the cert will be signed. If an empty string is passed in the cert will be self signed (think CA roots). signer_cert_filename -- the filename of the signer cert that will sign the certificate being generated. Ignored if an empty string is passed in for signer_key_filename. Must be in DER format. dsa_param_filename -- the filename for the DSA param file key_size -- public key size for RSA certs generate_ev -- whether an EV cert should be generated Output: key_filename -- the filename of the key file (PEM format) cert_filename -- the filename of the certificate (DER format) """ cert_name = key_type + cert_name_suffix ev_ext_text = '' subject_string = ('/CN=XPCShell Key Size Testing %s %s-bit' % (key_type, key_size)) if generate_ev: cert_name = 'ev-' + cert_name ev_ext_text = (aia_prefix + cert_name + aia_suffix + mozilla_testing_ev_policy) subject_string += ' (EV)' # Use the organization field to store the cert nickname for easier debugging subject_string += '/O=' + cert_name [key_filename, cert_filename] = CertUtils.generate_cert_generic( db_dir, srcdir, random.randint(100, 40000000), key_type, cert_name, base_ext_text + ev_ext_text, signer_key_filename, signer_cert_filename, subject_string, dsa_param_filename, key_size) if generate_ev: # The dest_dir argument of generate_pkcs12() is also set to db_dir as # the .p12 files do not need to be kept once they have been imported. pkcs12_filename = CertUtils.generate_pkcs12(db_dir, db_dir, cert_filename, key_filename, cert_name) CertUtils.import_cert_and_pkcs12(srcdir, cert_filename, pkcs12_filename, cert_name, ',,') if not signer_key_filename: generated_ev_root_filenames.append(cert_filename) return [key_filename, cert_filename]
def generate_certs(): key_type = "rsa" ca_ext = CA_basic_constraints + CA_full_ku + subject_key_ident + CA_eku ee_ext_text = EE_basic_constraints + authority_key_ident [ca_key, ca_cert] = CertUtils.generate_cert_generic(db, srcdir, 1, key_type, "ca", ca_ext) [int_key, int_cert] = CertUtils.generate_cert_generic(db, srcdir, 103, key_type, "int", ca_ext, ca_key, ca_cert) # now the ee CertUtils.generate_cert_generic(db, srcdir, 100, key_type, "ee", ee_ext_text, int_key, int_cert)
def generate_family(db_dir, dst_dir, ca_key, ca_cert, base_name): key_type = 'rsa' ee_ext_base = EE_basic_constraints + authority_key_ident; CertUtils.generate_cert_generic(db, srcdir, 10, key_type, 'cn-a.pinning2.example.com-'+ base_name, ee_ext_base, ca_key, ca_cert, '/CN=a.pinning2.example.com') CertUtils.generate_cert_generic(db, srcdir, 11, key_type, 'cn-x.a.pinning2.example.com-'+ base_name, ee_ext_base, ca_key, ca_cert, '/CN=x.a.pinning2.example.com') alt_name_ext = 'subjectAltName =DNS:a.pinning2.example.com' CertUtils.generate_cert_generic(db, srcdir, 12, key_type, 'cn-www.example.com-alt-a.pinning2.example-'+ base_name, ee_ext_base + alt_name_ext, ca_key, ca_cert, '/CN=www.example.com') CertUtils.generate_cert_generic(db, srcdir, 13, key_type, 'cn-b.pinning2.example.com-'+ base_name, ee_ext_base, ca_key, ca_cert, '/CN=b.pinning2.example.com') CertUtils.generate_cert_generic(db, srcdir, 14, key_type, 'cn-x.b.pinning2.example.com-'+ base_name, ee_ext_base, ca_key, ca_cert, '/CN=x.b.pinning2.example.com')
def generate_certs(): ee_ext_text = "" for name, key_type in pk_name.iteritems(): ca_name = "ca-" + name [ca_key, ca_cert] = CertUtils.generate_cert_generic(db, srcdir, random.randint(100,4000000), key_type, ca_name, CA_basic_constraints + CA_min_ku) [valid_int_key, valid_int_cert, ee_key, ee_cert] = ( CertUtils.generate_int_and_ee(db, srcdir, ca_key, ca_cert, name + "-valid", CA_basic_constraints, ee_ext_text, key_type) ) [int_key, int_cert] = CertUtils.generate_cert_generic(db, srcdir, random.randint(100,4000000), key_type, "int-" + name + "-tampered", ee_ext_text, ca_key, ca_cert) [ee_key, ee_cert] = CertUtils.generate_cert_generic(db, srcdir, random.randint(100,4000000), key_type, name + "-tampered-int-valid-ee", ee_ext_text, int_key, int_cert) #only tamper after ee has been generated tamper_cert(int_cert); [ee_key, ee_cert] = CertUtils.generate_cert_generic(db, srcdir, random.randint(100,4000000), key_type, name + "-valid-int-tampered-ee", ee_ext_text, valid_int_key, valid_int_cert) tamper_cert(ee_cert);
def generate_certs(do_cert_generation): ca_name = "ca" if do_cert_generation: [ca_key, ca_cert] = CertUtils.generate_cert_generic(db, srcdir, 1, key_type, ca_name, CA_basic_constraints) ee_ext_text = EE_basic_constraints + EE_full_ku # now we do it again for valid basic constraints but strange eku/ku at the # intermediate layer eku_dict = generate_test_eku() print eku_dict for eku_name in (sorted(eku_dict.keys())): # Divide the tests into multiple files to avoid time outs js_outfile = open("../test_cert_eku-" + eku_name + ".js", "w") js_outfile.write(js_file_header) # generate int int_name = "int-EKU-" + eku_name int_serial = random.randint(100, 40000000) eku_text = "extendedKeyUsage = " + eku_dict[eku_name] if (eku_name == "NONE"): eku_text = "" int_ext_text = CA_basic_constraints + CA_full_ku + eku_text if do_cert_generation: [int_key, int_cert ] = CertUtils.generate_cert_generic(db, srcdir, int_serial, key_type, int_name, int_ext_text, ca_key, ca_cert) js_outfile.write("\n") js_outfile.write(gen_int_js_output(int_name)) for ee_eku_name in (sorted(eku_dict.keys())): ee_base_name = "ee-EKU-" + ee_eku_name ee_name = ee_base_name + "-" + int_name ee_serial = random.randint(100, 40000000) ee_eku = "extendedKeyUsage = critical," + eku_dict[ee_eku_name] if (ee_eku_name == "NONE"): ee_eku = "" ee_ext_text = EE_basic_constraints + EE_full_ku + ee_eku if do_cert_generation: [ee_key, ee_cert] = CertUtils.generate_cert_generic( db, srcdir, ee_serial, key_type, ee_name, ee_ext_text, int_key, int_cert) for cert_usage in (cert_usages): js_outfile.write( gen_ee_js_output(int_name, ee_base_name, cert_usage, ee_name)) js_outfile.write(js_file_footer) js_outfile.close()
def generate_certs(): key_type = 'rsa' ca_ext = CA_basic_constraints + CA_full_ku + subject_key_ident + CA_eku ee_ext_text = (EE_basic_constraints + authority_key_ident) [ca_key, ca_cert] = CertUtils.generate_cert_generic(db, srcdir, 1, key_type, 'ca', ca_ext) CertUtils.generate_cert_generic(db, srcdir, 100, key_type, 'ee', ee_ext_text, ca_key, ca_cert) shutil.copy(ca_cert, srcdir + "/" + "ca-1.der") self_sign_csr(db, srcdir, db + "/ca.csr", ca_key, 2, ca_ext, "ca-2") os.remove(ca_cert)
def generate_int_and_ee2(ca_key, ca_cert, suffix, int_ext_text, ee_ext_text): int_name = "int-" + suffix ee_name = "ee-int-" + suffix int_serial = random.randint(100, 40000000) ee_serial = random.randint(100, 40000000) [int_key, int_cert] = CertUtils.generate_cert_generic(db, srcdir, int_serial, key_type, int_name, int_ext_text, ca_key, ca_cert) [ee_key, ee_cert] = CertUtils.generate_cert_generic(db, srcdir, ee_serial, key_type, ee_name, ee_ext_text, int_key, int_cert) return [int_key, int_cert, ee_key, ee_cert]
def generate_certs(do_cert_generation): ca_name = "ca" if do_cert_generation: [ca_key, ca_cert] = CertUtils.generate_cert_generic( db, srcdir, 1, key_type, ca_name, CA_basic_constraints) ee_ext_text = EE_basic_constraints + EE_full_ku # now we do it again for valid basic constraints but strange eku/ku at the # intermediate layer eku_dict = generate_test_eku() print eku_dict for eku_name in (sorted(eku_dict.keys())): # Divide the tests into multiple files to avoid time outs js_outfile = open("../test_cert_eku-" + eku_name + ".js", "w") js_outfile.write(js_file_header) # generate int int_name = "int-EKU-" + eku_name int_serial = random.randint(100, 40000000) eku_text = "extendedKeyUsage = " + eku_dict[eku_name] if (eku_name == "NONE"): eku_text = "" int_ext_text = CA_basic_constraints + CA_full_ku + eku_text if do_cert_generation: [int_key, int_cert] = CertUtils.generate_cert_generic( db, srcdir, int_serial, key_type, int_name, int_ext_text, ca_key, ca_cert) js_outfile.write("\n") js_outfile.write(gen_int_js_output(int_name)) for ee_eku_name in (sorted(eku_dict.keys())): ee_base_name = "ee-EKU-" + ee_eku_name ee_name = ee_base_name + "-" + int_name ee_serial = random.randint(100, 40000000) ee_eku = "extendedKeyUsage = critical," + eku_dict[ee_eku_name] if (ee_eku_name == "NONE"): ee_eku = "" ee_ext_text = EE_basic_constraints + EE_full_ku + ee_eku if do_cert_generation: [ee_key, ee_cert] = CertUtils.generate_cert_generic( db, srcdir, ee_serial, key_type, ee_name, ee_ext_text, int_key, int_cert) for cert_usage in (cert_usages): js_outfile.write(gen_ee_js_output(int_name, ee_base_name, cert_usage, ee_name)) js_outfile.write(js_file_footer) js_outfile.close()
def generate_certs(): key_type = 'rsa' ca_ext = CA_basic_constraints + CA_full_ku + subject_key_ident + CA_eku ee_ext_text = (EE_basic_constraints + authority_key_ident) [ca_key, ca_cert] = CertUtils.generate_cert_generic(db, srcdir, 1, key_type, 'ca', ca_ext) [int_key, int_cert] = CertUtils.generate_cert_generic(db, srcdir, 103, key_type, 'int', ca_ext, ca_key, ca_cert) #now the ee CertUtils.generate_cert_generic(db, srcdir, 100, key_type, 'ee', ee_ext_text, int_key, int_cert)
def generate_certs(): [noise_file, pwd_file] = CertUtils.init_nss_db(srcdir) generate_ca_cert(srcdir, srcdir, noise_file, 'ca') generate_child_cert(srcdir, srcdir, noise_file, 'int', 'ca', False, '') ocsp_url = "http://www.example.com:8888/" generate_child_cert(srcdir, srcdir, noise_file, "a", 'int', True, ocsp_url) generate_child_cert(srcdir, srcdir, noise_file, "b", 'int', True, ocsp_url)
def generate_certs(): [noise_file, pwd_file] = CertUtils.init_nss_db(srcdir) generate_ca_cert(srcdir, srcdir, noise_file, 'ca') generate_child_cert(srcdir, srcdir, noise_file, 'int', 'ca', False, '') ocsp_url = "http://www.example.com:8080/" generate_child_cert(srcdir, srcdir, noise_file, "a", 'int', True, ocsp_url) generate_child_cert(srcdir, srcdir, noise_file, "b", 'int', True, ocsp_url)
def generate_certs(): [noise_file, pwd_file] = CertUtils.init_nss_db(db) generate_ca(db, srcdir, noise_file, "v1_ca", 1, False ) generate_ca(db, srcdir, noise_file, "v1_ca_bc", 1, True) generate_ca(db, srcdir, noise_file, "v2_ca", 2, False ) generate_ca(db, srcdir, noise_file, "v2_ca_bc", 2, True) generate_ca(db, srcdir, noise_file, "v3_ca", 3, True ) generate_ca(db, srcdir, noise_file, "v3_ca_missing_bc", 3, False)
def generate_certs(): [noise_file, pwd_file] = CertUtils.init_nss_db(db) generate_ca(db, srcdir, noise_file, "v1_ca", 1, False) generate_ca(db, srcdir, noise_file, "v1_ca_bc", 1, True) generate_ca(db, srcdir, noise_file, "v2_ca", 2, False) generate_ca(db, srcdir, noise_file, "v2_ca_bc", 2, True) generate_ca(db, srcdir, noise_file, "v3_ca", 3, True) generate_ca(db, srcdir, noise_file, "v3_ca_missing_bc", 3, False)
def generate_certs(): key_type = 'rsa' ca_ext = CA_basic_constraints + CA_full_ku + subject_key_ident ee_ext_text = (EE_basic_constraints + authority_key_ident) [ca_key, ca_cert] = CertUtils.generate_cert_generic(db, srcdir, 1, key_type, 'badca', ca_ext) generate_family(db, srcdir, ca_key, ca_cert, 'badca') ca_cert = 'pinningroot.der' ca_key = 'pinningroot.key' generate_family(db, srcdir, ca_key, ca_cert, 'pinningroot')
def generate_certs(): ee_ext_text = "" for name, key_type in pk_name.iteritems(): ca_name = "ca-" + name [ca_key, ca_cert ] = CertUtils.generate_cert_generic(db, srcdir, random.randint(100, 4000000), key_type, ca_name, CA_basic_constraints + CA_min_ku) [valid_int_key, valid_int_cert, ee_key, ee_cert] = (CertUtils.generate_int_and_ee(db, srcdir, ca_key, ca_cert, name + "-valid", CA_basic_constraints, ee_ext_text, key_type)) [int_key, int_cert ] = CertUtils.generate_cert_generic(db, srcdir, random.randint(100, 4000000), key_type, "int-" + name + "-tampered", ee_ext_text, ca_key, ca_cert) [ee_key, ee_cert ] = CertUtils.generate_cert_generic(db, srcdir, random.randint(100, 4000000), key_type, name + "-tampered-int-valid-ee", ee_ext_text, int_key, int_cert) #only tamper after ee has been generated tamper_cert(int_cert) [ee_key, ee_cert ] = CertUtils.generate_cert_generic(db, srcdir, random.randint(100, 4000000), key_type, name + "-valid-int-tampered-ee", ee_ext_text, valid_int_key, valid_int_cert) tamper_cert(ee_cert)
def generate_certs(): init_nss_db() ca_cert = 'evroot.der' ca_key = 'evroot.key' prefix = "ev-valid" key_type = 'rsa' ee_ext_text = (EE_basic_constraints + EE_full_ku + Server_eku + authority_key_ident + aia_prefix + prefix + aia_suffix + endentity_crl + mozilla_testing_ev_policy) int_ext_text = (CA_basic_constraints + EE_full_ku + CA_eku + authority_key_ident + subject_key_ident + aia_prefix + "int-" + prefix + aia_suffix + intermediate_crl + mozilla_testing_ev_policy) [int_key, int_cert, ee_key, ee_cert] = CertUtils.generate_int_and_ee(db, srcdir, ca_key, ca_cert, prefix, int_ext_text, ee_ext_text, key_type) pk12file = CertUtils.generate_pkcs12(db, srcdir, int_cert, int_key, "int-" + prefix) import_cert_and_pkcs12(int_cert, pk12file, "int-" + prefix, ",,") import_untrusted_cert(ee_cert, prefix) # now we generate an end entity cert with an AIA with no OCSP URL no_ocsp_url_ext_aia = ("authorityInfoAccess =" + "caIssuers;URI:http://www.example.com/ca.html\n") [no_ocsp_key, no_ocsp_cert] = CertUtils.generate_cert_generic( db, srcdir, random.randint(100, 40000000), key_type, 'no-ocsp-url-cert', EE_basic_constraints + EE_full_ku + Server_eku + authority_key_ident + no_ocsp_url_ext_aia + endentity_crl + mozilla_testing_ev_policy, int_key, int_cert) import_untrusted_cert(no_ocsp_cert, 'no-ocsp-url-cert') [bad_ca_key, bad_ca_cert] = CertUtils.generate_cert_generic( db, srcdir, 1, 'rsa', 'non-evroot-ca', CA_basic_constraints + EE_full_ku + authority_key_ident) pk12file = CertUtils.generate_pkcs12(db, srcdir, bad_ca_cert, bad_ca_key, "non-evroot-ca") import_cert_and_pkcs12(bad_ca_cert, pk12file, "non-evroot-ca", "C,C,C") prefix = "non-ev-root" ee_ext_text = (EE_basic_constraints + EE_full_ku + Server_eku + authority_key_ident + aia_prefix + prefix + aia_suffix + endentity_crl + mozilla_testing_ev_policy) int_ext_text = (CA_basic_constraints + EE_full_ku + CA_eku + authority_key_ident + aia_prefix + "int-" + prefix + aia_suffix + intermediate_crl + subject_key_ident + mozilla_testing_ev_policy) [int_key, int_cert, ee_key, ee_cert] = CertUtils.generate_int_and_ee(db, srcdir, bad_ca_key, bad_ca_cert, prefix, int_ext_text, ee_ext_text, key_type) pk12file = CertUtils.generate_pkcs12(db, srcdir, int_cert, int_key, "int-" + prefix) import_cert_and_pkcs12(int_cert, pk12file, "int-" + prefix, ",,") import_untrusted_cert(ee_cert, prefix)
def generate_certs(): [noise_file, pwd_file] = CertUtils.init_nss_db(db) generate_ca(db, srcdir, noise_file, "v1_ca", 1, False) generate_ca(db, srcdir, noise_file, "v1_ca_bc", 1, True) generate_ca(db, srcdir, noise_file, "v2_ca", 2, False) generate_ca(db, srcdir, noise_file, "v2_ca_bc", 2, True) generate_ca(db, srcdir, noise_file, "v3_ca", 3, True) generate_ca(db, srcdir, noise_file, "v3_ca_missing_bc", 3, False) CertUtils.generate_self_signed_cert(db, srcdir, noise_file, "v3_self_signed", 3, False, False) CertUtils.generate_self_signed_cert(db, srcdir, noise_file, "v3_self_signed_bc", 3, True, False) CertUtils.generate_self_signed_cert(db, srcdir, noise_file, "v4_self_signed", 4, False, False) CertUtils.generate_self_signed_cert(db, srcdir, noise_file, "v4_self_signed_bc", 4, True, False)
def generate_certs(): [noise_file, pwd_file] = CertUtils.init_nss_db(db) generate_ca(db, srcdir, noise_file, "v1_ca", 1, False ) generate_ca(db, srcdir, noise_file, "v1_ca_bc", 1, True) generate_ca(db, srcdir, noise_file, "v2_ca", 2, False ) generate_ca(db, srcdir, noise_file, "v2_ca_bc", 2, True) generate_ca(db, srcdir, noise_file, "v3_ca", 3, True ) generate_ca(db, srcdir, noise_file, "v3_ca_missing_bc", 3, False) CertUtils.generate_self_signed_cert(db, srcdir, noise_file, "v3_self_signed", 3, False, False) CertUtils.generate_self_signed_cert(db, srcdir, noise_file, "v3_self_signed_bc", 3, True, False) CertUtils.generate_self_signed_cert(db, srcdir, noise_file, "v4_self_signed", 4, False, False); CertUtils.generate_self_signed_cert(db, srcdir, noise_file, "v4_self_signed_bc", 4, True, False);
def generate_cert(key_type, cert_name_prefix, cert_name_suffix, base_ext_text, signer_key_filename, signer_cert_filename, key_size): """ Generates a certificate. If an equivalent certificate has already been generated, it is reused. Arguments: key_type -- the type of key generated: potential values: 'rsa', or any of the curves found by 'openssl ecparam -list_curves' cert_name_prefix -- prefix of the generated cert name cert_name_suffix -- suffix of the generated cert name base_ext_text -- the base text for the x509 extensions to be added to the certificate (extra extensions will be added if generating an EV cert) signer_key_filename -- the filename of the key from which the cert will be signed. If an empty string is passed in the cert will be self signed (think CA roots). signer_cert_filename -- the filename of the signer cert that will sign the certificate being generated. Ignored if an empty string is passed in for signer_key_filename. Must be in DER format. key_size -- public key size for RSA certs Output: cert_name -- the resultant (nick)name of the certificate key_filename -- the filename of the key file (PEM format) cert_filename -- the filename of the certificate (DER format) """ cert_name = cert_name_prefix + '_' + key_type + '_' + key_size # If the suffix is not the empty string, add a hyphen for visual separation if cert_name_suffix: cert_name += '-' + cert_name_suffix ev_ext_text = '' subject_string = ('/CN=XPCShell Key Size Testing %s %s-bit' % (key_type, key_size)) # Use the organization field to store the cert nickname for easier debugging subject_string += '/O=' + cert_name # Don't regenerate a previously generated cert for cert in generated_certs: if cert_name == cert[0]: return cert [key_filename, cert_filename] = CertUtils.generate_cert_generic( db_dir, srcdir, random.randint(100, 40000000), key_type, cert_name, base_ext_text + ev_ext_text, signer_key_filename, signer_cert_filename, subject_string, key_size, 3 * 365 + 3 * 31) # 39 months generated_certs.append([cert_name, key_filename, cert_filename]) return [cert_name, key_filename, cert_filename]
def generate_int_and_ee2(ca_key, ca_cert, suffix, int_ext_text, ee_ext_text): int_name = "int-" + suffix; ee_name = "ee-int-" + suffix; int_serial = random.randint(100, 40000000); ee_serial = random.randint(100, 40000000); [int_key, int_cert] = CertUtils.generate_cert_generic(db, srcdir, int_serial, key_type, int_name, int_ext_text, ca_key, ca_cert); [ee_key, ee_cert] = CertUtils.generate_cert_generic(db, srcdir, ee_serial, key_type, ee_name, ee_ext_text, int_key, int_cert); return [int_key, int_cert, ee_key, ee_cert]
def generate_certs(): key_type = 'rsa' ca_ext = CA_basic_constraints + CA_full_ku + subject_key_ident + CA_eku; ee_ext_text = (EE_basic_constraints + authority_key_ident) [ca_key, ca_cert] = CertUtils.generate_cert_generic(db, srcdir, 1, key_type, 'ca', ca_ext) CertUtils.generate_cert_generic(db, srcdir, 100, key_type, 'ee', ee_ext_text, ca_key, ca_cert) shutil.copy(ca_cert, srcdir + "/" + "ca-1.der") self_sign_csr(db, srcdir, db + "/ca.csr", ca_key, 2, ca_ext, "ca-2") os.remove(ca_cert);
def generate_certs(): init_nss_db() ca_cert = 'evroot.der' ca_key = 'evroot.key' prefix = "ev-valid" key_type = 'rsa' ee_ext_text = (EE_basic_constraints + EE_full_ku + Server_eku + authority_key_ident + aia_prefix + prefix + aia_suffix + endentity_crl + mozilla_testing_ev_policy) int_ext_text = (CA_basic_constraints + EE_full_ku + CA_eku + authority_key_ident + subject_key_ident + aia_prefix + "int-" + prefix + aia_suffix + intermediate_crl + mozilla_testing_ev_policy) [int_key, int_cert, ee_key, ee_cert] = CertUtils.generate_int_and_ee(db, srcdir, ca_key, ca_cert, prefix, int_ext_text, ee_ext_text, key_type) pk12file = CertUtils.generate_pkcs12(db, srcdir, int_cert, int_key, "int-" + prefix) import_cert_and_pkcs12(int_cert, pk12file, "int-" + prefix, ",,") import_untrusted_cert(ee_cert, prefix) [bad_ca_key, bad_ca_cert] = CertUtils.generate_cert_generic( db, srcdir, 1, 'rsa', 'non-evroot-ca', CA_basic_constraints + EE_full_ku + authority_key_ident) pk12file = CertUtils.generate_pkcs12(db, srcdir, bad_ca_cert, bad_ca_key, "non-evroot-ca") import_cert_and_pkcs12(bad_ca_cert, pk12file, "non-evroot-ca", "C,C,C") prefix = "non-ev-root" ee_ext_text = (EE_basic_constraints + EE_full_ku + Server_eku + authority_key_ident + aia_prefix + prefix + aia_suffix + endentity_crl + mozilla_testing_ev_policy) int_ext_text = (CA_basic_constraints + EE_full_ku + CA_eku + authority_key_ident + aia_prefix + "int-" + prefix + aia_suffix + intermediate_crl + subject_key_ident + mozilla_testing_ev_policy) [int_key, int_cert, ee_key, ee_cert] = CertUtils.generate_int_and_ee(db, srcdir, bad_ca_key, bad_ca_cert, prefix, int_ext_text, ee_ext_text, key_type) pk12file = CertUtils.generate_pkcs12(db, srcdir, int_cert, int_key, "int-" + prefix) import_cert_and_pkcs12(int_cert, pk12file, "int-" + prefix, ",,") import_untrusted_cert(ee_cert, prefix)
def generate_certs(): [noise_file, pwd_file] = CertUtils.init_nss_db(srcdir) generate_ca_cert(srcdir, srcdir, noise_file, 'ca') generate_child_cert(srcdir, srcdir, noise_file, 'int', 'ca', False, '') nick_baseurl = { 'no-path-url': "http://www.example.com:8888", 'ftp-url': "ftp://www.example.com:8888/", 'no-scheme-url': "www.example.com:8888/", 'empty-scheme-url': "://www.example.com:8888/", 'no-host-url': "http://:8888/", 'hTTp-url': "hTTp://www.example.com:8888/hTTp-url", 'https-url': "https://www.example.com:8888/https-url", 'bad-scheme': "/www.example.com", 'empty-port': "http://www.example.com:/", 'unknown-scheme': "ttp://www.example.com", 'negative-port': "http://www.example.com:-1", 'no-scheme-host-port': "/" } for nick, url in nick_baseurl.iteritems(): generate_child_cert(srcdir, srcdir, noise_file, nick, 'int', True, url)
def generate_certs(): ca_name = "ca" [ca_key, ca_cert ] = CertUtils.generate_cert_generic(db, srcdir, 1, key_type, ca_name, CA_basic_constraints) ee_ext_text = EE_basic_constraints + EE_full_ku #now the intermediates generate_int_and_ee2(ca_key, ca_cert, "no-extensions", "", ee_ext_text) generate_int_and_ee2(ca_key, ca_cert, "not-a-ca", EE_basic_constraints, ee_ext_text) generate_int_and_ee2(ca_key, ca_cert, "cA-FALSE-asserts-keyCertSign", EE_basic_constraints + all_ku, ee_ext_text) [int_key, int_cert, a, b] = generate_int_and_ee2(ca_key, ca_cert, "limited-depth", CA_limited_basic_constraints, ee_ext_text); #and a child using this one generate_int_and_ee2(int_key, int_cert, "limited-depth-invalid", CA_basic_constraints, ee_ext_text); # now we do it again for valid basic constraints but strange eku/ku at the # intermediate layer generate_int_and_ee2(ca_key, ca_cert, "valid-ku-no-eku", CA_basic_constraints + CA_min_ku, ee_ext_text); generate_int_and_ee2(ca_key, ca_cert, "bad-ku-no-eku", CA_basic_constraints + CA_bad_ku, ee_ext_text); generate_int_and_ee2(ca_key, ca_cert, "no-ku-no-eku", CA_basic_constraints, ee_ext_text); generate_int_and_ee2(ca_key, ca_cert, "valid-ku-server-eku", CA_basic_constraints + CA_min_ku + Server_eku, ee_ext_text); generate_int_and_ee2(ca_key, ca_cert, "bad-ku-server-eku", CA_basic_constraints + CA_bad_ku + Server_eku, ee_ext_text); generate_int_and_ee2(ca_key, ca_cert, "no-ku-server-eku", CA_basic_constraints + Server_eku, ee_ext_text);
def generate_certs(): ca_name = "ca" [ca_key, ca_cert ] = CertUtils.generate_cert_generic(db, srcdir, 1, key_type, ca_name, CA_basic_constraints) ee_ext_text = EE_basic_constraints + EE_full_ku #now the intermediates generate_int_and_ee2(ca_key, ca_cert, "no-extensions", "", ee_ext_text) generate_int_and_ee2(ca_key, ca_cert, "not-a-ca", EE_basic_constraints, ee_ext_text) [int_key, int_cert, a, b] = generate_int_and_ee2(ca_key, ca_cert, "limited-depth", CA_limited_basic_constraints, ee_ext_text); #and a child using this one generate_int_and_ee2(int_key, int_cert, "limited-depth-invalid", CA_basic_constraints, ee_ext_text); # now we do it again for valid basic constraints but strange eku/ku at the # intermediate layer generate_int_and_ee2(ca_key, ca_cert, "valid-ku-no-eku", CA_basic_constraints + CA_min_ku, ee_ext_text); generate_int_and_ee2(ca_key, ca_cert, "bad-ku-no-eku", CA_basic_constraints + CA_bad_ku, ee_ext_text); generate_int_and_ee2(ca_key, ca_cert, "no-ku-no-eku", CA_basic_constraints, ee_ext_text); generate_int_and_ee2(ca_key, ca_cert, "valid-ku-server-eku", CA_basic_constraints + CA_min_ku + Server_eku, ee_ext_text); generate_int_and_ee2(ca_key, ca_cert, "bad-ku-server-eku", CA_basic_constraints + CA_bad_ku + Server_eku, ee_ext_text); generate_int_and_ee2(ca_key, ca_cert, "no-ku-server-eku", CA_basic_constraints + Server_eku, ee_ext_text);
def generate_certs(): ca_cert = 'evroot.der' ca_key = 'evroot.key' prefix = "ev-valid" key_type = 'rsa' ee_ext_text = (aia_prefix + prefix + aia_suffix + endentity_crl + mozilla_testing_ev_policy) int_ext_text = (CA_extensions + aia_prefix + "int-" + prefix + aia_suffix + intermediate_crl + mozilla_testing_ev_policy) CertUtils.init_nss_db(srcdir) CertUtils.import_cert_and_pkcs12(srcdir, ca_cert, 'evroot.p12', 'evroot', 'C,C,C') [int_key, int_cert, ee_key, ee_cert] = CertUtils.generate_int_and_ee(db, srcdir, ca_key, ca_cert, prefix, int_ext_text, ee_ext_text, key_type) pk12file = CertUtils.generate_pkcs12(db, db, int_cert, int_key, "int-" + prefix) CertUtils.import_cert_and_pkcs12(srcdir, int_cert, pk12file, 'int-' + prefix, ',,') import_untrusted_cert(ee_cert, prefix) # now we generate an end entity cert with an AIA with no OCSP URL no_ocsp_url_ext_aia = ("authorityInfoAccess =" + "caIssuers;URI:http://www.example.com/ca.html\n"); [no_ocsp_key, no_ocsp_cert] = CertUtils.generate_cert_generic(db, srcdir, random.randint(100, 40000000), key_type, 'no-ocsp-url-cert', no_ocsp_url_ext_aia + endentity_crl + mozilla_testing_ev_policy, int_key, int_cert); import_untrusted_cert(no_ocsp_cert, 'no-ocsp-url-cert'); # add an ev cert whose intermediate has a anypolicy oid prefix = "ev-valid-anypolicy-int" ee_ext_text = (aia_prefix + prefix + aia_suffix + endentity_crl + mozilla_testing_ev_policy) int_ext_text = (CA_extensions + aia_prefix + "int-" + prefix + aia_suffix + intermediate_crl + anypolicy_policy) [int_key, int_cert, ee_key, ee_cert] = CertUtils.generate_int_and_ee(db, srcdir, ca_key, ca_cert, prefix, int_ext_text, ee_ext_text, key_type) pk12file = CertUtils.generate_pkcs12(db, db, int_cert, int_key, "int-" + prefix) CertUtils.import_cert_and_pkcs12(srcdir, int_cert, pk12file, 'int-' + prefix, ',,') import_untrusted_cert(ee_cert, prefix) [bad_ca_key, bad_ca_cert] = CertUtils.generate_cert_generic( db, srcdir, 1, 'rsa', 'non-evroot-ca', CA_extensions) pk12file = CertUtils.generate_pkcs12(db, db, bad_ca_cert, bad_ca_key, "non-evroot-ca") CertUtils.import_cert_and_pkcs12(srcdir, bad_ca_cert, pk12file, 'non-evroot-ca', 'C,C,C') prefix = "non-ev-root" ee_ext_text = (aia_prefix + prefix + aia_suffix + endentity_crl + mozilla_testing_ev_policy) int_ext_text = (CA_extensions + aia_prefix + "int-" + prefix + aia_suffix + intermediate_crl + mozilla_testing_ev_policy) [int_key, int_cert, ee_key, ee_cert] = CertUtils.generate_int_and_ee(db, srcdir, bad_ca_key, bad_ca_cert, prefix, int_ext_text, ee_ext_text, key_type) pk12file = CertUtils.generate_pkcs12(db, db, int_cert, int_key, "int-" + prefix) CertUtils.import_cert_and_pkcs12(srcdir, int_cert, pk12file, 'int-' + prefix, ',,') import_untrusted_cert(ee_cert, prefix)
adequate_key_size, generate_ev) # Generate chain with an end entity cert that has an inadequate size generate_and_maybe_import_cert( key_type, 'ee', intOK_nick, ee_ext_text, intOK_key, intOK_cert, inadequate_key_size, generate_ev) # Create a NSS DB for use by the OCSP responder. CertUtils.init_nss_db(srcdir) # TODO(bug 636807): SECKEY_PublicKeyStrengthInBits() rounds up the number of # bits to the next multiple of 8 - therefore the highest key size less than 1024 # that can be tested is 1016, less than 2048 is 2040 and so on. generate_certs('rsa', '1016', '1024', False) generate_certs('rsa', '2040', '2048', True) # Print a blank line and the information needed to enable EV for any roots # generated by this script. print for cert_filename in generated_ev_root_filenames: CertUtils.print_cert_info(cert_filename) print ('You now MUST update the compiled test EV root information to match ' + 'the EV root information printed above.')
def generate_child_cert(db_dir, dest_dir, noise_file, name, ca_nick, is_ee, ocsp_url): return CertUtils.generate_child_cert(db_dir, dest_dir, noise_file, name, ca_nick, 3, True, is_ee, ocsp_url)
csr_name = dest_dir + "/" + name + ".csr" os.system ("openssl req -new -key " + key_name + " -days 3650" + " -extensions v3_ca -batch -out " + csr_name + " -utf8 -subj '/C=US/ST=CA/L=Mountain View" + "/O=Mozilla - EV debug test CA/OU=Security Engineering" + "/CN=XPCShell EV Testing (untrustworthy) CA'") extensions_filename = db_dir + "/openssl-exts" f = open(extensions_filename, 'w') f.write(ext_text) f.close() cert_name = dest_dir + "/" + name + ".der" signer_key_filename = key_name os.system ("openssl x509 -req -sha256 -days 3650 -in " + csr_name + " -signkey " + signer_key_filename + " -set_serial " + str(serial_num) + " -extfile " + extensions_filename + " -outform DER -out " + cert_name) return key_name, cert_name prefix = "evroot" [ca_key, ca_cert] = generate_root_cert(db, dest_dir, prefix, CA_basic_constraints + CA_min_ku + subject_key_ident) CertUtils.generate_pkcs12(db, dest_dir, ca_cert, ca_key, prefix) print ("You now MUST modify nsIdentityinfo.cpp to ensure the xpchell debug " + "certificate there matches this newly generated one\n")
dsaBad_param_filename, bad_key_size, generate_ev) generate_and_maybe_import_cert(key_type, '-eeOK-intBad-caOK', ee_ext_text, intBad_key, intBad_cert, dsaOK_param_filename, ok_key_size, generate_ev) # Bad End Entity generate_and_maybe_import_cert(key_type, '-eeBad-intOK-caOK', ee_ext_text, intOK_key, intOK_cert, dsaBad_param_filename, bad_key_size, generate_ev) # Create a NSS DB for use by the OCSP responder. CertUtils.init_nss_db(srcdir) # TODO(bug 636807): SECKEY_PublicKeyStrengthInBits() rounds up the number of # bits to the next multiple of 8 - therefore the highest key size less than 1024 # that can be tested is 1016, less than 2048 is 2040 and so on. generate_certs('rsa', '1016', '1024', False) generate_certs('rsa', '2040', '2048', True) generate_certs('dsa', '960', '1024', False) # Print a blank line and the information needed to enable EV for any roots # generated by this script. print for cert_filename in generated_ev_root_filenames: CertUtils.print_cert_info_for_ev(cert_filename) print('You now MUST update the compiled test EV root information to match ' +
def generate_certs(key_type, bad_key_size, ok_key_size, generate_ev): """ Generates the various certificates used by the key size tests. Arguments: key_type -- the type of key generated: potential values: 'rsa', 'dsa', or any of the curves found by 'openssl ecparam -list_curves' bad_key_size -- the public key size bad certs should have ok_key_size -- the public key size OK certs should have generate_ev -- whether an EV cert should be generated """ if key_type == 'dsa': CertUtils.init_dsa(db_dir, dsaBad_param_filename, bad_key_size) CertUtils.init_dsa(db_dir, dsaOK_param_filename, ok_key_size) # OK Chain if generate_ev and key_type == 'rsa': # Reuse the existing RSA EV root caOK_cert_name = 'evroot' caOK_key = '../test_ev_certs/evroot.key' caOK_cert = '../test_ev_certs/evroot.der' caOK_pkcs12_filename = '../test_ev_certs/evroot.p12' CertUtils.import_cert_and_pkcs12(srcdir, caOK_cert, caOK_pkcs12_filename, caOK_cert_name, ',,') else: [caOK_key, caOK_cert] = generate_and_maybe_import_cert(key_type, '-caOK', ca_ext_text, '', '', dsaOK_param_filename, ok_key_size, generate_ev) [intOK_key, intOK_cert] = generate_and_maybe_import_cert( key_type, '-intOK-caOK', ca_ext_text, caOK_key, caOK_cert, dsaOK_param_filename, ok_key_size, generate_ev) generate_and_maybe_import_cert(key_type, '-eeOK-intOK-caOK', ee_ext_text, intOK_key, intOK_cert, dsaOK_param_filename, ok_key_size, generate_ev) # Bad CA [caBad_key, caBad_cert] = generate_and_maybe_import_cert(key_type, '-caBad', ca_ext_text, '', '', dsaBad_param_filename, bad_key_size, generate_ev) [int_key, int_cert] = generate_and_maybe_import_cert( key_type, '-intOK-caBad', ca_ext_text, caBad_key, caBad_cert, dsaOK_param_filename, ok_key_size, generate_ev) generate_and_maybe_import_cert(key_type, '-eeOK-intOK-caBad', ee_ext_text, int_key, int_cert, dsaOK_param_filename, ok_key_size, generate_ev) # Bad Intermediate [intBad_key, intBad_cert] = generate_and_maybe_import_cert( key_type, '-intBad-caOK', ca_ext_text, caOK_key, caOK_cert, dsaBad_param_filename, bad_key_size, generate_ev) generate_and_maybe_import_cert(key_type, '-eeOK-intBad-caOK', ee_ext_text, intBad_key, intBad_cert, dsaOK_param_filename, ok_key_size, generate_ev) # Bad End Entity generate_and_maybe_import_cert(key_type, '-eeBad-intOK-caOK', ee_ext_text, intOK_key, intOK_cert, dsaBad_param_filename, bad_key_size, generate_ev)
def generate_certs(key_type, inadequate_key_size, adequate_key_size, generate_ev): """ Generates the various certificates used by the key size tests. Arguments: key_type -- the type of key generated: potential values: 'rsa', or any of the curves found by 'openssl ecparam -list_curves' inadequate_key_size -- a string defining the inadequate public key size for the generated certs adequate_key_size -- a string defining the adequate public key size for the generated certs generate_ev -- whether an EV cert should be generated """ # Generate chain with certs that have adequate sizes if generate_ev and key_type == 'rsa': # Reuse the existing RSA EV root rootOK_nick = 'evroot' caOK_key = '../test_ev_certs/evroot.key' caOK_cert = '../test_ev_certs/evroot.der' caOK_pkcs12_filename = '../test_ev_certs/evroot.p12' CertUtils.import_cert_and_pkcs12(srcdir, caOK_cert, caOK_pkcs12_filename, rootOK_nick, ',,') else: [rootOK_nick, caOK_key, caOK_cert] = generate_and_maybe_import_cert( key_type, 'root', '', ca_ext_text, '', '', adequate_key_size, generate_ev) [intOK_nick, intOK_key, intOK_cert] = generate_and_maybe_import_cert( key_type, 'int', rootOK_nick, ca_ext_text, caOK_key, caOK_cert, adequate_key_size, generate_ev) generate_and_maybe_import_cert( key_type, 'ee', intOK_nick, ee_ext_text, intOK_key, intOK_cert, adequate_key_size, generate_ev) # Generate chain with a root cert that has an inadequate size [rootNotOK_nick, rootNotOK_key, rootNotOK_cert] = generate_and_maybe_import_cert( key_type, 'root', '', ca_ext_text, '', '', inadequate_key_size, generate_ev) [int_nick, int_key, int_cert] = generate_and_maybe_import_cert( key_type, 'int', rootNotOK_nick, ca_ext_text, rootNotOK_key, rootNotOK_cert, adequate_key_size, generate_ev) generate_and_maybe_import_cert( key_type, 'ee', int_nick, ee_ext_text, int_key, int_cert, adequate_key_size, generate_ev) # Generate chain with an intermediate cert that has an inadequate size [intNotOK_nick, intNotOK_key, intNotOK_cert] = generate_and_maybe_import_cert( key_type, 'int', rootOK_nick, ca_ext_text, caOK_key, caOK_cert, inadequate_key_size, generate_ev) generate_and_maybe_import_cert( key_type, 'ee', intNotOK_nick, ee_ext_text, intNotOK_key, intNotOK_cert, adequate_key_size, generate_ev) # Generate chain with an end entity cert that has an inadequate size generate_and_maybe_import_cert( key_type, 'ee', intOK_nick, ee_ext_text, intOK_key, intOK_cert, inadequate_key_size, generate_ev)
csr_name = dest_dir + "/" + name + ".csr" os.system("openssl req -new -key " + key_name + " -days 3650" + " -extensions v3_ca -batch -out " + csr_name + " -utf8 -subj '/C=US/ST=CA/L=Mountain View" + "/O=Mozilla - EV debug test CA/OU=Security Engineering" + "/CN=XPCShell EV Testing (untrustworthy) CA'") extensions_filename = db_dir + "/openssl-exts" f = open(extensions_filename, 'w') f.write(ext_text) f.close() cert_name = dest_dir + "/" + name + ".der" signer_key_filename = key_name os.system("openssl x509 -req -sha256 -days 3650 -in " + csr_name + " -signkey " + signer_key_filename + " -set_serial " + str(serial_num) + " -extfile " + extensions_filename + " -outform DER -out " + cert_name) return key_name, cert_name prefix = "evroot" [ca_key, ca_cert ] = generate_root_cert(db, dest_dir, prefix, CA_basic_constraints + CA_min_ku + subject_key_ident) CertUtils.generate_pkcs12(db, dest_dir, ca_cert, ca_key, prefix) print("You now MUST modify nsIdentityinfo.cpp to ensure the xpchell debug " + "certificate there matches this newly generated one\n")
ca_ext_text, '', '', 60) [int_nick, int_key_file, int_cert_file] = generate_and_import_cert( 'int', root_nick, ca_ext_text, root_key_file, root_cert_file, 60) generate_and_import_cert( 'ee', int_nick, '', int_key_file, int_cert_file, ee_validity_months) # Create a NSS DB for use by the OCSP responder. [noise_file, pwd_file] = CertUtils.init_nss_db(src_dir) generate_chain(39) generate_chain(40) # Remove unnecessary files os.remove(noise_file) os.remove(pwd_file)
def generate_and_maybe_import_cert(key_type, cert_name_prefix, cert_name_suffix, base_ext_text, signer_key_filename, signer_cert_filename, key_size, generate_ev): """ Generates a certificate and imports it into the NSS DB if appropriate. Arguments: key_type -- the type of key generated: potential values: 'rsa', or any of the curves found by 'openssl ecparam -list_curves' cert_name_prefix -- prefix of the generated cert name cert_name_suffix -- suffix of the generated cert name base_ext_text -- the base text for the x509 extensions to be added to the certificate (extra extensions will be added if generating an EV cert) signer_key_filename -- the filename of the key from which the cert will be signed. If an empty string is passed in the cert will be self signed (think CA roots). signer_cert_filename -- the filename of the signer cert that will sign the certificate being generated. Ignored if an empty string is passed in for signer_key_filename. Must be in DER format. key_size -- public key size for RSA certs generate_ev -- whether an EV cert should be generated Output: cert_name -- the resultant (nick)name of the certificate key_filename -- the filename of the key file (PEM format) cert_filename -- the filename of the certificate (DER format) """ cert_name = cert_name_prefix + '_' + key_type + '_' + key_size # If the suffix is not the empty string, add a hyphen for visual separation if cert_name_suffix: cert_name += '-' + cert_name_suffix ev_ext_text = '' subject_string = ('/CN=XPCShell Key Size Testing %s %s-bit' % (key_type, key_size)) if generate_ev: cert_name = 'ev_' + cert_name ev_ext_text = (aia_prefix + cert_name + aia_suffix + mozilla_testing_ev_policy) subject_string += ' (EV)' # Use the organization field to store the cert nickname for easier debugging subject_string += '/O=' + cert_name [key_filename, cert_filename] = CertUtils.generate_cert_generic( db_dir, srcdir, random.randint(100, 40000000), key_type, cert_name, base_ext_text + ev_ext_text, signer_key_filename, signer_cert_filename, subject_string, key_size) if generate_ev: # The dest_dir argument of generate_pkcs12() is also set to db_dir as # the .p12 files do not need to be kept once they have been imported. pkcs12_filename = CertUtils.generate_pkcs12(db_dir, db_dir, cert_filename, key_filename, cert_name) CertUtils.import_cert_and_pkcs12(srcdir, cert_filename, pkcs12_filename, cert_name, ',,') if not signer_key_filename: generated_ev_root_filenames.append(cert_filename) return [cert_name, key_filename, cert_filename]
def gen_cert(cliopts, extensions, ca_key=None, ca_cert=None, subject=None): return CertUtils.generate_cert_generic(cliopts.output_dir, cliopts.output_dir, cliopts.serial, 'rsa', cliopts.certname, extensions, ca_key, ca_cert, subject)
def generate_ca_cert(db_dir, dest_dir, noise_file, name): return CertUtils.generate_ca_cert(db_dir, dest_dir, noise_file, name, 3, True)
def generate_certs(): js_outfile = open("../test_cert_eku.js", 'w'); ca_name = "ca" [ca_key, ca_cert ] = CertUtils.generate_cert_generic(db, srcdir, 1, key_type, ca_name, CA_basic_constraints) ee_ext_text = EE_basic_constraints + EE_full_ku js_outfile.write(js_file_header); # now we do it again for valid basic constraints but strange eku/ku at the # intermediate layer eku_dict = generate_test_eku(); print eku_dict for eku_name in (sorted(eku_dict.keys())): #generate int int_name = "int-EKU-" + eku_name; int_serial = random.randint(100, 40000000); eku_text = "extendedKeyUsage = " + eku_dict[eku_name] if (eku_name == "NONE"): eku_text = "" int_ext_text = CA_basic_constraints + CA_full_ku + eku_text [int_key, int_cert] = CertUtils.generate_cert_generic(db, srcdir, int_serial, key_type, int_name, int_ext_text, ca_key, ca_cert); if ("NS" in int_name) or ("SA" in int_name) or ("NONE" in int_name): if ("OS" not in int_name): js_outfile.write("\n check_ok_ca(load_cert('"+ int_name + "', ',,'));\n") else: js_outfile.write("\n load_cert('"+ int_name +"', ',,');\n") else: if ( "CA" in int_name): # classic allows a cert to be considered CA even if it only # asserts the ClientAuth EKU, here we have a failure of # expression. Insanity is more explicit and requires # the ServerAuth EKU js_outfile.write("\n check_cert_err_generic(load_cert('"+ int_name +"', ',,'), useMozillaPKIX ? -1 : " + "0, certificateUsageSSLCA) ;\n") else: js_outfile.write("\n check_cert_err_generic(load_cert('"+ int_name +"', ',,'), useMozillaPKIX ? -1 : " + "-1, certificateUsageSSLCA) ;\n") for ee_eku_name in (sorted(eku_dict.keys())): ee_base_name = "ee-EKU-" + ee_eku_name; ee_name = ee_base_name + "-" + int_name ee_serial = random.randint(100, 40000000); ee_eku = "extendedKeyUsage = critical," + eku_dict[ee_eku_name] if (ee_eku_name == "NONE"): ee_eku = "" ee_ext_text = EE_basic_constraints + EE_full_ku + ee_eku [ee_key, ee_cert] = CertUtils.generate_cert_generic(db, srcdir, ee_serial, key_type, ee_name, ee_ext_text, int_key, int_cert) for cert_usage in (cert_usages): js_outfile.write(gen_js_output(int_name, ee_base_name, cert_usage, ee_name)) js_outfile.write(js_file_footer) js_outfile.close()
def generate_and_maybe_import_cert( key_type, cert_name_prefix, cert_name_suffix, base_ext_text, signer_key_filename, signer_cert_filename, key_size, generate_ev, ): """ Generates a certificate and imports it into the NSS DB if appropriate. If an equivalent certificate has already been generated, it is reused. Arguments: key_type -- the type of key generated: potential values: 'rsa', or any of the curves found by 'openssl ecparam -list_curves' cert_name_prefix -- prefix of the generated cert name cert_name_suffix -- suffix of the generated cert name base_ext_text -- the base text for the x509 extensions to be added to the certificate (extra extensions will be added if generating an EV cert) signer_key_filename -- the filename of the key from which the cert will be signed. If an empty string is passed in the cert will be self signed (think CA roots). signer_cert_filename -- the filename of the signer cert that will sign the certificate being generated. Ignored if an empty string is passed in for signer_key_filename. Must be in DER format. key_size -- public key size for RSA certs generate_ev -- whether an EV cert should be generated Output: cert_name -- the resultant (nick)name of the certificate key_filename -- the filename of the key file (PEM format) cert_filename -- the filename of the certificate (DER format) """ cert_name = cert_name_prefix + "_" + key_type + "_" + key_size # If the suffix is not the empty string, add a hyphen for visual separation if cert_name_suffix: cert_name += "-" + cert_name_suffix ev_ext_text = "" subject_string = "/CN=XPCShell Key Size Testing %s %s-bit" % (key_type, key_size) if generate_ev: cert_name = "ev_" + cert_name ev_ext_text = aia_prefix + cert_name + aia_suffix + mozilla_testing_ev_policy subject_string += " (EV)" # Use the organization field to store the cert nickname for easier debugging subject_string += "/O=" + cert_name # Reuse the existing RSA EV root if ( generate_ev and key_type == "rsa" and signer_key_filename == "" and signer_cert_filename == "" and key_size == "2048" ): cert_name = "evroot" key_filename = "../test_ev_certs/evroot.key" cert_filename = "../test_ev_certs/evroot.der" CertUtils.import_cert_and_pkcs12(srcdir, cert_filename, "../test_ev_certs/evroot.p12", cert_name, ",,") return [cert_name, key_filename, cert_filename] # Don't regenerate a previously generated cert for cert in generated_certs: if cert_name == cert[0]: return cert [key_filename, cert_filename] = CertUtils.generate_cert_generic( db_dir, srcdir, random.randint(100, 40000000), key_type, cert_name, base_ext_text + ev_ext_text, signer_key_filename, signer_cert_filename, subject_string, key_size, ) generated_certs.append([cert_name, key_filename, cert_filename]) if generate_ev: # The dest_dir argument of generate_pkcs12() is also set to db_dir as # the .p12 files do not need to be kept once they have been imported. pkcs12_filename = CertUtils.generate_pkcs12(db_dir, db_dir, cert_filename, key_filename, cert_name) CertUtils.import_cert_and_pkcs12(srcdir, cert_filename, pkcs12_filename, cert_name, ",,") if not signer_key_filename: generated_ev_root_filenames.append(cert_filename) return [cert_name, key_filename, cert_filename]
def generate_certs(): key_type = 'rsa' ca_ext = CA_basic_constraints + CA_full_ku + subject_key_ident; ee_ext_text = (EE_basic_constraints + authority_key_ident) [ca_key, ca_cert] = CertUtils.generate_cert_generic(db, srcdir, 1, key_type, 'ca-nc', ca_ext) #now the constrained via perm name = 'int-nc-perm-foo.com-ca-nc' name_constraints = "nameConstraints = permitted;DNS:foo.com\n" [int_key, int_cert] = CertUtils.generate_cert_generic(db, srcdir, 101, key_type, name, ca_ext + authority_key_ident + name_constraints, ca_key, ca_cert) generate_family(db, srcdir, int_key, int_cert, name) #now the constrained via excl name = 'int-nc-excl-foo.com-ca-nc' name_constraints = "nameConstraints = excluded;DNS:foo.com\n" [int_key, int_cert] = CertUtils.generate_cert_generic(db, srcdir, 102, key_type, name, ca_ext + name_constraints + authority_key_ident, ca_key, ca_cert) generate_family(db, srcdir, int_key, int_cert, name) #now constrained to permitted: O=bar C=US name = 'int-nc-c-us-ca-nc' name_constraints = "nameConstraints = permitted;dirName:dir_sect\n[dir_sect]\nC=US\n\n\n" [int_key, int_cert] = CertUtils.generate_cert_generic(db, srcdir, 103, key_type, name, ca_ext + authority_key_ident + name_constraints, ca_key, ca_cert) generate_family(db, srcdir, int_key, int_cert, name) #now make a subCA that is also constrainted to foo.com (combine constraints) name = 'int-nc-foo.com-int-nc-c-us-ca-nc' name_constraints = "nameConstraints = permitted;DNS:foo.com\n\n\n" [int_key, int_cert] = CertUtils.generate_cert_generic(db, srcdir, 104, key_type, name, ca_ext + name_constraints + authority_key_ident, int_key, int_cert, '/C=US/CN='+ name) generate_family(db, srcdir, int_key, int_cert, name) #now single intermediate constrainted to permitted O=bar C=US & DNS foo.com name = 'int-nc-perm-foo.com_c-us-ca-nc' name_constraints = "nameConstraints = permitted;DNS:foo.com,permitted;dirName:dir_sect\n[dir_sect]\nC=US\n\n\n" [int_key, int_cert] = CertUtils.generate_cert_generic(db, srcdir, 105, key_type, name, ca_ext + authority_key_ident + name_constraints, ca_key, ca_cert) generate_family(db, srcdir, int_key, int_cert, name) #now constrainted to permitted C=UK (all ee must fail) name = 'int-nc-perm-c-uk-ca-nc' name_constraints = "nameConstraints = permitted;dirName:dir_sect\n[dir_sect]\nC=UK\n\n\n" [int_key, int_cert] = CertUtils.generate_cert_generic(db, srcdir, 106, key_type, name, ca_ext + authority_key_ident + name_constraints, ca_key, ca_cert) generate_family(db, srcdir, int_key, int_cert, name) #now an unconstrained sub intermediate from the UK cert (all ee must fail) not in the same name space name = 'int-c-us-int-nc-perm-c-uk-ca-nc' #name_constraints = "nameConstraints = permitted;DNS:foo.com\n\n\n" [int_key, int_cert] = CertUtils.generate_cert_generic(db, srcdir, 108, key_type, name, ca_ext + authority_key_ident, int_key, int_cert, '/C=US/CN='+ name) generate_family(db, srcdir, int_key, int_cert, name) #now we generate permitted to foo.com and example2.com name = 'int-nc-foo.com_a.us' name_constraints = "nameConstraints = permitted;DNS:foo.com,permitted;DNS:a.us\n" [int_key, int_cert] = CertUtils.generate_cert_generic(db, srcdir, 109, key_type, name, ca_ext + authority_key_ident + name_constraints, ca_key, ca_cert) generate_family(db, srcdir, int_key, int_cert, name) #A sub ca contrained to foo.com with signer constrained to foo.com and example2.com name = 'int-nc-foo.com-int-nc-foo.com_a.us' name_constraints = "nameConstraints = permitted;DNS:foo.com\n" [int_key, int_cert] = CertUtils.generate_cert_generic(db, srcdir, 110, key_type, name, ca_ext + authority_key_ident + name_constraints, ca_key, ca_cert) generate_family(db, srcdir, int_key, int_cert, name) #now we generate a root that is name constrained name_constraints = "nameConstraints = permitted;DNS:foo.com\n " [ca_key, ca_cert] = CertUtils.generate_cert_generic(db, srcdir, 1, key_type, 'ca-nc-perm-foo.com', ca_ext + name_constraints) #and an unconstrained int name = 'int-ca-nc-perm-foo.com' name_constraints = "\n" [int_key, int_cert] = CertUtils.generate_cert_generic(db, srcdir, 111, key_type, name, ca_ext + name_constraints + authority_key_ident, ca_key, ca_cert) generate_family(db, srcdir, int_key, int_cert, name)
CA_basic_constraints = "basicConstraints = critical, CA:TRUE\n" CA_min_ku = "keyUsage = critical, digitalSignature, keyCertSign, cRLSign\n" subject_key_ident = "subjectKeyIdentifier = hash\n" cert_name = 'evroot' ext_text = CA_basic_constraints + CA_min_ku + subject_key_ident subject_string = ('/C=US/ST=CA/L=Mountain View' + '/O=Mozilla - EV debug test CA/OU=Security Engineering' + '/CN=XPCShell EV Testing (untrustworthy) CA') # The db_dir argument of generate_cert_generic() is also set to dest_dir as # the .key file generated is needed by other certs. [ca_key, ca_cert] = CertUtils.generate_cert_generic(dest_dir, dest_dir, random.randint(100, 40000000), 'rsa', cert_name, ext_text, subject_string=subject_string) CertUtils.generate_pkcs12(db, dest_dir, ca_cert, ca_key, cert_name) # Print a blank line and the information needed to enable EV for the root # generated by this script. print CertUtils.print_cert_info(ca_cert) print('You now MUST update the compiled test EV root information to match ' + 'the EV root information printed above. In addition, certs that chain ' + 'up to this root in other folders will also need to be regenerated.')
def generate_family(db_dir, dst_dir, ca_key, ca_cert, base_name): key_type = 'rsa' ee_ext_base = EE_basic_constraints + authority_key_ident; #cn =foo.com CertUtils.generate_cert_generic(db, srcdir, 10, key_type, 'cn-www.foo.com-'+ base_name, ee_ext_base, ca_key, ca_cert, '/CN=www.foo.com') #cn = foo.org CertUtils.generate_cert_generic(db, srcdir, 11, key_type, 'cn-www.foo.org-'+ base_name, ee_ext_base, ca_key, ca_cert, '/CN=www.foo.org') #cn = foo.com, alt= foo.org alt_name_ext = 'subjectAltName =DNS:*.foo.org' CertUtils.generate_cert_generic(db, srcdir, 12, key_type, 'cn-www.foo.com-alt-foo.org-'+ base_name, ee_ext_base + alt_name_ext, ca_key, ca_cert, '/CN=www.foo.com') #cn = foo.org, alt= foo.com alt_name_ext = 'subjectAltName =DNS:*.foo.com' CertUtils.generate_cert_generic(db, srcdir, 13, key_type, 'cn-www.foo.org-alt-foo.com-'+ base_name, ee_ext_base + alt_name_ext, ca_key, ca_cert, '/CN=www.foo.org') #cn = foo.com, alt=foo.com alt_name_ext = 'subjectAltName =DNS:*.foo.com' CertUtils.generate_cert_generic(db, srcdir, 14, key_type, 'cn-www.foo.com-alt-foo.com-'+ base_name, ee_ext_base + alt_name_ext, ca_key, ca_cert, '/CN=www.foo.com') #cn = foo.org, alt=foo.org alt_name_ext = 'subjectAltName =DNS:*.foo.org' CertUtils.generate_cert_generic(db, srcdir, 15, key_type, 'cn-www.foo.org-alt-foo.org-'+ base_name, ee_ext_base + alt_name_ext, ca_key, ca_cert, '/CN=www.foo.org') #cn = foo.com, alt=foo.com,a.a.us,b.a.us alt_name_ext = 'subjectAltName =DNS:*.foo.com,DNS:*.a.a.us,DNS:*.b.a.us' CertUtils.generate_cert_generic(db, srcdir, 16, key_type, 'cn-www.foo.com-alt-foo.com-a.a.us-b.a.us-'+ base_name, ee_ext_base + alt_name_ext, ca_key, ca_cert, '/CN=www.foo.com') #cn =foo.com O=bar C=US CertUtils.generate_cert_generic(db, srcdir, 17, key_type, 'cn-www.foo.com_o-bar_c-us-'+ base_name, ee_ext_base, ca_key, ca_cert, '/C=US/O=bar/CN=www.foo.com') #cn = foo.org O=bar C=US CertUtils.generate_cert_generic(db, srcdir, 18, key_type, 'cn-www.foo.org_o-bar_c-us-'+ base_name, ee_ext_base, ca_key, ca_cert, '/C=US/O=bar/CN=www.foo.org') #cn = foo.com, alt= foo.org alt_name_ext = 'subjectAltName =DNS:*.foo.org' CertUtils.generate_cert_generic(db, srcdir, 19, key_type, 'cn-www.foo.com_o-bar_c-us-alt-foo.org-'+ base_name, ee_ext_base + alt_name_ext, ca_key, ca_cert, '/C=US/O=bar/CN=www.foo.com') #cn = foo.org, alt= foo.com alt_name_ext = 'subjectAltName =DNS:*.foo.com' CertUtils.generate_cert_generic(db, srcdir, 20, key_type, 'cn-www.foo.org_o-bar_c-us-alt-foo.com-'+ base_name, ee_ext_base + alt_name_ext, ca_key, ca_cert, '/C=US/O=bar/CN=www.foo.org') #cn = foo.com, alt=foo.com alt_name_ext = 'subjectAltName =DNS:*.foo.com' CertUtils.generate_cert_generic(db, srcdir, 21, key_type, 'cn-www.foo.com_o-bar_c-us-alt-foo.com-'+ base_name, ee_ext_base + alt_name_ext, ca_key, ca_cert, '/C=US/O=bar/CN=www.foo.com') #cn = foo.org, alt=foo.org alt_name_ext = 'subjectAltName =DNS:*.foo.org' CertUtils.generate_cert_generic(db, srcdir, 22, key_type, 'cn-www.foo.org_o-bar_c-us-alt-foo.org-'+ base_name, ee_ext_base + alt_name_ext, ca_key, ca_cert, '/C=US/O=bar/CN=www.foo.org') #cn = foo.com, alt=foo.com,a.a.us.com,b.a.us alt_name_ext = 'subjectAltName =DNS:*.foo.com,DNS:*.a.a.us,DNS:*.b.a.us' CertUtils.generate_cert_generic(db, srcdir, 23, key_type, 'cn-www.foo.com_o-bar_c-us-alt-foo.com-a.a.us-b.a.us-'+ base_name, ee_ext_base + alt_name_ext, ca_key, ca_cert, '/C=US/O=bar/CN=www.foo.com')
CA_basic_constraints = "basicConstraints = critical, CA:TRUE\n" CA_min_ku = "keyUsage = critical, digitalSignature, keyCertSign, cRLSign\n" subject_key_ident = "subjectKeyIdentifier = hash\n" cert_name = 'evroot' ext_text = CA_basic_constraints + CA_min_ku + subject_key_ident subject_string = ('/C=US/ST=CA/L=Mountain View' + '/O=Mozilla - EV debug test CA/OU=Security Engineering' + '/CN=XPCShell EV Testing (untrustworthy) CA') # The db_dir argument of generate_cert_generic() is also set to dest_dir as # the .key file generated is needed by other certs. [ca_key, ca_cert] = CertUtils.generate_cert_generic( dest_dir, dest_dir, random.randint(100, 40000000), 'rsa', cert_name, ext_text, subject_string = subject_string) CertUtils.generate_pkcs12(db, dest_dir, ca_cert, ca_key, cert_name) # Print a blank line and the information needed to enable EV for the root # generated by this script. print CertUtils.print_cert_info_for_ev(ca_cert) print ('You now MUST update the compiled test EV root information to match ' + 'the EV root information printed above. In addition, certs that chain ' + 'up to this root in other folders will also need to be regenerated.' )
def generate_certs(): init_nss_db() ca_cert = 'evroot.der' ca_key = 'evroot.key' prefix = "ev-valid" key_type = 'rsa' ee_ext_text = (aia_prefix + prefix + aia_suffix + endentity_crl + mozilla_testing_ev_policy) int_ext_text = (CA_extensions + aia_prefix + "int-" + prefix + aia_suffix + intermediate_crl + mozilla_testing_ev_policy) [int_key, int_cert, ee_key, ee_cert] = CertUtils.generate_int_and_ee(db, srcdir, ca_key, ca_cert, prefix, int_ext_text, ee_ext_text, key_type) pk12file = CertUtils.generate_pkcs12(db, srcdir, int_cert, int_key, "int-" + prefix) import_cert_and_pkcs12(int_cert, pk12file, "int-" + prefix, ",,") import_untrusted_cert(ee_cert, prefix) # now we generate an end entity cert with an AIA with no OCSP URL no_ocsp_url_ext_aia = ("authorityInfoAccess =" + "caIssuers;URI:http://www.example.com/ca.html\n"); [no_ocsp_key, no_ocsp_cert] = CertUtils.generate_cert_generic(db, srcdir, random.randint(100, 40000000), key_type, 'no-ocsp-url-cert', no_ocsp_url_ext_aia + endentity_crl + mozilla_testing_ev_policy, int_key, int_cert); import_untrusted_cert(no_ocsp_cert, 'no-ocsp-url-cert'); # add an ev cert whose intermediate has a anypolicy oid prefix = "ev-valid-anypolicy-int" ee_ext_text = (aia_prefix + prefix + aia_suffix + endentity_crl + mozilla_testing_ev_policy) int_ext_text = (CA_extensions + aia_prefix + "int-" + prefix + aia_suffix + intermediate_crl + anypolicy_policy) [int_key, int_cert, ee_key, ee_cert] = CertUtils.generate_int_and_ee(db, srcdir, ca_key, ca_cert, prefix, int_ext_text, ee_ext_text, key_type) pk12file = CertUtils.generate_pkcs12(db, srcdir, int_cert, int_key, "int-" + prefix) import_cert_and_pkcs12(int_cert, pk12file, "int-" + prefix, ",,") import_untrusted_cert(ee_cert, prefix) [bad_ca_key, bad_ca_cert] = CertUtils.generate_cert_generic( db, srcdir, 1, 'rsa', 'non-evroot-ca', CA_extensions) pk12file = CertUtils.generate_pkcs12(db, srcdir, bad_ca_cert, bad_ca_key, "non-evroot-ca") import_cert_and_pkcs12(bad_ca_cert, pk12file, "non-evroot-ca", "C,C,C") prefix = "non-ev-root" ee_ext_text = (aia_prefix + prefix + aia_suffix + endentity_crl + mozilla_testing_ev_policy) int_ext_text = (CA_extensions + aia_prefix + "int-" + prefix + aia_suffix + intermediate_crl + mozilla_testing_ev_policy) [int_key, int_cert, ee_key, ee_cert] = CertUtils.generate_int_and_ee(db, srcdir, bad_ca_key, bad_ca_cert, prefix, int_ext_text, ee_ext_text, key_type) pk12file = CertUtils.generate_pkcs12(db, srcdir, int_cert, int_key, "int-" + prefix) import_cert_and_pkcs12(int_cert, pk12file, "int-" + prefix, ",,") import_untrusted_cert(ee_cert, prefix)
# This Source Code Form is subject to the terms of the Mozilla Public # License, v. 2.0. If a copy of the MPL was not distributed with this # file, You can obtain one at http://mozilla.org/MPL/2.0/. import tempfile, os, sys, random libpath = os.path.abspath("../psm_common_py") sys.path.append(libpath) import CertUtils dest_dir = os.getcwd() db = tempfile.mkdtemp() serial = random.randint(100, 40000000) name = "client-cert" [key, cert] = CertUtils.generate_cert_generic(db, dest_dir, serial, "rsa", name, "") CertUtils.generate_pkcs12(db, dest_dir, cert, key, name) # Print a blank line and the fingerprint of the cert that ClientAuthServer.cpp # should be modified with. print CertUtils.print_cert_info(cert) print ('You now MUST update the fingerprint in ClientAuthServer.cpp to match ' + 'the fingerprint printed above.') # Remove unnecessary .der file os.remove(dest_dir + "/" + name + ".der")
def generate_child_cert(db_dir, dest_dir, noise_file, name, ca_nick, cert_version, do_bc, is_ee): return CertUtils.generate_child_cert(db_dir, dest_dir, noise_file, name, ca_nick, cert_version, do_bc, is_ee, '')
def generate_and_import_cert(cert_name_prefix, cert_name_suffix, base_ext_text, signer_key_filename, signer_cert_filename, validity_in_months): """ Generates a certificate and imports it into the NSS DB. Arguments: cert_name_prefix - prefix of the generated cert name cert_name_suffix - suffix of the generated cert name base_ext_text - the base text for the x509 extensions to be added to the certificate (extra extensions will be added if generating an EV cert) signer_key_filename - the filename of the key from which the cert will be signed. If an empty string is passed in the cert will be self signed (think CA roots). signer_cert_filename - the filename of the signer cert that will sign the certificate being generated. Ignored if an empty string is passed in for signer_key_filename. Must be in DER format. validity_in_months - the number of months the cert should be valid for. Output: cert_name - the resultant (nick)name of the certificate key_filename - the filename of the key file (PEM format) cert_filename - the filename of the certificate (DER format) """ cert_name = 'ev_%s_%u_months' % (cert_name_prefix, validity_in_months) # If the suffix is not the empty string, add a hyphen for visual # separation if cert_name_suffix: cert_name += '-' + cert_name_suffix subject_string = '/CN=%s' % cert_name ev_ext_text = (CertUtils.aia_prefix + cert_name + CertUtils.aia_suffix + CertUtils.mozilla_testing_ev_policy) # Reuse the existing RSA EV root if (signer_key_filename == '' and signer_cert_filename == ''): cert_name = 'evroot' key_filename = '../test_ev_certs/evroot.key' cert_filename = '../test_ev_certs/evroot.der' CertUtils.import_cert_and_pkcs12(src_dir, cert_filename, '../test_ev_certs/evroot.p12', cert_name, ',,') return [cert_name, key_filename, cert_filename] # Don't regenerate a previously generated cert for cert in generated_ev_certs: if cert_name == cert[0]: return cert validity_years = math.floor(validity_in_months / 12) validity_months = validity_in_months % 12 [key_filename, cert_filename] = CertUtils.generate_cert_generic( temp_dir, src_dir, random.randint(100, 40000000), 'rsa', cert_name, base_ext_text + ev_ext_text, signer_key_filename, signer_cert_filename, subject_string, validity_in_days = validity_years * 365 + validity_months * 31) generated_ev_certs.append([cert_name, key_filename, cert_filename]) # The dest_dir argument of generate_pkcs12() is also set to temp_dir # as the .p12 files do not need to be kept once they have been # imported. pkcs12_filename = CertUtils.generate_pkcs12(temp_dir, temp_dir, cert_filename, key_filename, cert_name) CertUtils.import_cert_and_pkcs12(src_dir, cert_filename, pkcs12_filename, cert_name, ',,') return [cert_name, key_filename, cert_filename]
def generate_ca(db_dir, dest_dir, noise_file, name, version, do_bc): CertUtils.generate_ca_cert(db_dir, dest_dir, noise_file, name, version, do_bc) generate_intermediates_and_ee_set(db_dir, dest_dir, noise_file, name)
def generate_certs(key_type, bad_key_size, ok_key_size): if key_type == 'dsa': CertUtils.init_dsa(db_dir, dsaBad_param_filename, bad_key_size) CertUtils.init_dsa(db_dir, dsaOK_param_filename, ok_key_size) # OK Chain [caOK_key, caOK_cert] = CertUtils.generate_cert_generic( db_dir, srcdir, random.randint(100, 40000000), key_type, key_type + '-caOK', ca_ext_text, dsa_param_filename=dsaOK_param_filename, key_size=ok_key_size) [intOK_key, intOK_cert] = CertUtils.generate_cert_generic( db_dir, srcdir, random.randint(100, 40000000), key_type, key_type + '-intOK-caOK', ca_ext_text, caOK_key, caOK_cert, dsa_param_filename=dsaOK_param_filename, key_size=ok_key_size) CertUtils.generate_cert_generic(db_dir, srcdir, random.randint(100, 40000000), key_type, key_type + '-eeOK-intOK-caOK', ee_ext_text, intOK_key, intOK_cert, dsa_param_filename=dsaOK_param_filename, key_size=ok_key_size) # Bad CA [caBad_key, caBad_cert] = CertUtils.generate_cert_generic( db_dir, srcdir, random.randint(100, 40000000), key_type, key_type + '-caBad', ca_ext_text, dsa_param_filename=dsaBad_param_filename, key_size=bad_key_size) [int_key, int_cert] = CertUtils.generate_cert_generic( db_dir, srcdir, random.randint(100, 40000000), key_type, key_type + '-intOK-caBad', ca_ext_text, caBad_key, caBad_cert, dsa_param_filename=dsaOK_param_filename, key_size=ok_key_size) CertUtils.generate_cert_generic(db_dir, srcdir, random.randint(100, 40000000), key_type, key_type + '-eeOK-intOK-caBad', ee_ext_text, int_key, int_cert, dsa_param_filename=dsaOK_param_filename, key_size=ok_key_size) # Bad Intermediate [intBad_key, intBad_cert] = CertUtils.generate_cert_generic( db_dir, srcdir, random.randint(100, 40000000), key_type, key_type + '-intBad-caOK', ca_ext_text, caOK_key, caOK_cert, dsa_param_filename=dsaBad_param_filename, key_size=bad_key_size) CertUtils.generate_cert_generic(db_dir, srcdir, random.randint(100, 40000000), key_type, key_type + '-eeOK-intBad-caOK', ee_ext_text, intBad_key, intBad_cert, dsa_param_filename=dsaOK_param_filename, key_size=ok_key_size) # Bad End Entity CertUtils.generate_cert_generic(db_dir, srcdir, random.randint(100, 40000000), key_type, key_type + '-eeBad-intOK-caOK', ee_ext_text, intOK_key, intOK_cert, dsa_param_filename=dsaBad_param_filename, key_size=bad_key_size)