CA_basic_constraints = "basicConstraints = critical, CA:TRUE\n"
CA_min_ku = "keyUsage = critical, digitalSignature, keyCertSign, cRLSign\n"
subject_key_ident = "subjectKeyIdentifier = hash\n"
cert_name = 'evroot'
ext_text = CA_basic_constraints + CA_min_ku + subject_key_ident
subject_string = ('/C=US/ST=CA/L=Mountain View' +
'/O=Mozilla - EV debug test CA/OU=Security Engineering' +
'/CN=XPCShell EV Testing (untrustworthy) CA')
# The db_dir argument of generate_cert_generic() is also set to dest_dir as
# the .key file generated is needed by other certs.
[ca_key,
ca_cert] = CertUtils.generate_cert_generic(dest_dir,
dest_dir,
random.randint(100, 40000000),
'rsa',
cert_name,
ext_text,
subject_string=subject_string)
CertUtils.generate_pkcs12(db, dest_dir, ca_cert, ca_key, cert_name)
# Print a blank line and the information needed to enable EV for the root
# generated by this script.
print
CertUtils.print_cert_info(ca_cert)
print('You now MUST update the compiled test EV root information to match ' +
'the EV root information printed above. In addition, certs that chain ' +
'up to this root in other folders will also need to be regenerated.')
adequate_key_size,
generate_ev)
# Generate chain with an end entity cert that has an inadequate size
generate_and_maybe_import_cert(
key_type,
'ee',
intOK_nick,
ee_ext_text,
intOK_key,
intOK_cert,
inadequate_key_size,
generate_ev)
# Create a NSS DB for use by the OCSP responder.
CertUtils.init_nss_db(srcdir)
# TODO(bug 636807): SECKEY_PublicKeyStrengthInBits() rounds up the number of
# bits to the next multiple of 8 - therefore the highest key size less than 1024
# that can be tested is 1016, less than 2048 is 2040 and so on.
generate_certs('rsa', '1016', '1024', False)
generate_certs('rsa', '2040', '2048', True)
# Print a blank line and the information needed to enable EV for any roots
# generated by this script.
print
for cert_filename in generated_ev_root_filenames:
CertUtils.print_cert_info(cert_filename)
print ('You now MUST update the compiled test EV root information to match ' +
'the EV root information printed above.')
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
import tempfile, os, sys, random
libpath = os.path.abspath("../psm_common_py")
sys.path.append(libpath)
import CertUtils
dest_dir = os.getcwd()
db = tempfile.mkdtemp()
serial = random.randint(100, 40000000)
name = "client-cert"
[key, cert] = CertUtils.generate_cert_generic(db, dest_dir, serial, "rsa",
name, "")
CertUtils.generate_pkcs12(db, dest_dir, cert, key, name)
# Print a blank line and the fingerprint of the cert that ClientAuthServer.cpp
# should be modified with.
print
CertUtils.print_cert_info(cert)
print ('You now MUST update the fingerprint in ClientAuthServer.cpp to match ' +
'the fingerprint printed above.')
# Remove unnecessary .der file
os.remove(dest_dir + "/" + name + ".der")
generate_cert_chain('prime256v1', '256', 'prime256v1', '256', 'secp256k1',
'256', False)
generate_cert_chain('secp256k1', '256', 'prime256v1', '256', 'prime256v1',
'256', False)
def generate_combination_chains():
generate_cert_chain('rsa', '2048', 'prime256v1', '256', 'secp384r1', '384',
False)
generate_cert_chain('rsa', '2048', 'prime256v1', '256', 'secp224r1', '224',
False)
generate_cert_chain('prime256v1', '256', 'rsa', '1016', 'prime256v1',
'256', False)
# Create a NSS DB for use by the OCSP responder.
CertUtils.init_nss_db(srcdir)
generate_rsa_chains('1016', '1024', False)
generate_rsa_chains('2040', '2048', True)
generate_ecc_chains()
generate_combination_chains()
# Print a blank line and the information needed to enable EV for any roots
# generated by this script.
print
for cert_filename in generated_ev_root_filenames:
CertUtils.print_cert_info(cert_filename)
print('You now MUST update the compiled test EV root information to match ' +
'the EV root information printed above.')
