def generate_chain(intermediate_digest_algorithm):
  """Write a root -> intermediate -> target chain to '<algorithm>-chain.pem'.

  Args:
    intermediate_digest_algorithm: name of the signature hash applied to the
        intermediate via set_signature_hash(); it also names the output file.

  Side effects:
    Creates three certificates through |common| and writes them (leaf first,
    trust anchor last) together with this module's docstring.
  """
  # Self-signed root certificate.
  root_cert = common.create_self_signed_root_certificate('Root')

  # Intermediate certificate: signed with the requested digest and tagged with
  # the legacy Netscape server-gated-crypto EKU.
  ca_cert = common.create_intermediate_certificate('Intermediate', root_cert)
  ca_cert.set_signature_hash(intermediate_digest_algorithm)
  ca_cert.get_extensions().set_property('extendedKeyUsage', 'nsSGC')

  # Target (end-entity) certificate carrying both TLS EKUs.
  leaf_cert = common.create_end_entity_certificate('Target', ca_cert)
  leaf_cert.get_extensions().set_property('extendedKeyUsage',
                                          'serverAuth,clientAuth')

  # Output file is keyed by the digest so several variants can coexist.
  output_name = '%s-chain.pem' % intermediate_digest_algorithm
  common.write_chain(__doc__, [leaf_cert, ca_cert, root_cert], output_name)
#!/usr/bin/python # Copyright (c) 2015 The Chromium Authors. All rights reserved. # Use of this source code is governed by a BSD-style license that can be # found in the LICENSE file. """Certificate chain with 1 intermediary, where the intermediary is expired (violates validity.notAfter). Verification is expected to fail.""" import common # Self-signed root certificate (part of trust store). root = common.create_self_signed_root_certificate('Root') # Intermediary certificate. intermediary = common.create_intermediary_certificate('Intermediary', root) intermediary.set_validity_range(common.JANUARY_1_2015_UTC, common.JANUARY_1_2016_UTC) # Target certificate. target = common.create_end_entity_certificate('Target', intermediary) chain = [target, intermediary] trusted = [root] # March 2nd, 2016 midnight UTC time = '160302120000Z' verify_result = False common.write_test_file(__doc__, chain, trusted, time, verify_result)
# Self-signed root certificate root = common.create_self_signed_root_certificate('Root') write_cert_to_file(root, 'root.pem') # Intermediate certificates i1_1 = common.create_intermediate_certificate('I1', root) write_cert_to_file(i1_1, 'i1_1.pem') # same name (after normalization), different key i1_2 = common.create_intermediate_certificate('i1', root) write_cert_to_file(i1_2, 'i1_2.pem') # different name i2 = common.create_intermediate_certificate('I2', root) write_cert_to_file(i2, 'i2.pem') # target certs c1 = common.create_end_entity_certificate('C1', i1_1) write_cert_to_file(c1, 'c1.pem') c2 = common.create_end_entity_certificate('C2', i1_2) write_cert_to_file(c2, 'c2.pem') d = common.create_end_entity_certificate('D', i2) write_cert_to_file(d, 'd.pem')
# Intermediate whose AIA caIssuers list starts with a file: URI, followed by
# an http: URI.
i_file_and_http_aia = common.create_intermediate_certificate('I', root)
# Reuses |i_base|'s key (presumably the same CA identity with different AIA
# contents -- confirm against |i_base|'s definition earlier in the file).
i_file_and_http_aia.set_key_path(i_base.get_key_path())
section = i_file_and_http_aia.config.get_section('issuer_info')
section.set_property('caIssuers;URI.0', 'file:///dev/null')
section.set_property('caIssuers;URI.1', 'http://url-for-aia2/I2.foo')

# Intermediate whose first AIA entry ('foobar') is not a valid URI at all,
# followed by an http: URI. Same key as |i_base|, as above.
i_invalid_and_http_aia = common.create_intermediate_certificate('I', root)
i_invalid_and_http_aia.set_key_path(i_base.get_key_path())
section = i_invalid_and_http_aia.config.get_section('issuer_info')
section.set_property('caIssuers;URI.0', 'foobar')
section.set_property('caIssuers;URI.1', 'http://url-for-aia2/I2.foo')

# target certs
# One end-entity certificate per intermediate variant, each written out as
# PEM. |target| is rebound at every step; only the written files persist.
target = common.create_end_entity_certificate('target', i_base)
common.write_string_to_file(target.get_cert_pem(), 'target_one_aia.pem')

target = common.create_end_entity_certificate('target', i_no_aia)
common.write_string_to_file(target.get_cert_pem(), 'target_no_aia.pem')

target = common.create_end_entity_certificate('target', i_two_aia)
common.write_string_to_file(target.get_cert_pem(), 'target_two_aia.pem')

target = common.create_end_entity_certificate('target', i_three_aia)
common.write_string_to_file(target.get_cert_pem(), 'target_three_aia.pem')

target = common.create_end_entity_certificate('target', i_six_aia)
common.write_string_to_file(target.get_cert_pem(), 'target_six_aia.pem')

# Target issued by |i_file_aia|; its write call is not part of this excerpt.
target = common.create_end_entity_certificate('target', i_file_aia)
certificate is wrong.""" import common # Self-signed root certificate (used as trust anchor). root = common.create_self_signed_root_certificate('Root') # Intermediate certificate to include in the certificate chain. intermediate = common.create_intermediate_certificate('Intermediate', root) # Actual intermediate that was used to sign the target certificate. It has the # same subject as expected, but a different RSA key from the certificate # included in the actual chain. wrong_intermediate = common.create_intermediate_certificate('Intermediate', root) # Target certificate, signed using |wrong_intermediate| NOT |intermediate|. target = common.create_end_entity_certificate('Target', wrong_intermediate) chain = [target, intermediate] trusted = common.TrustAnchor(root, constrained=False) time = common.DEFAULT_TIME verify_result = False errors = """[Context] Processing Certificate index: 1 [Error] Signature verification failed [Error] VerifySignedData failed """ common.write_test_file(__doc__, chain, trusted, time, verify_result, errors)
# found in the LICENSE file. """Certificate chain with 1 intermediate, a trusted root, and a target certificate that is not a CA, and yet has the keyCertSign bit set. Verification is expected to fail, since keyCertSign should only be asserted when CA is true.""" import common # Self-signed root certificate (used as trust anchor). root = common.create_self_signed_root_certificate("Root") # Intermediate certificate. intermediate = common.create_intermediate_certificate("Intermediate", root) # Target certificate (end entity but has keyCertSign bit set). target = common.create_end_entity_certificate("Target", intermediate) target.get_extensions().set_property("keyUsage", "critical,digitalSignature,keyEncipherment,keyCertSign") chain = [target, intermediate] trusted = common.TrustAnchor(root, constrained=False) time = common.DEFAULT_TIME verify_result = False errors = """[Context] Processing Certificate index: 1 [Error] Target certificate looks like a CA but does not set all CA properties """ common.write_test_file(__doc__, chain, trusted, time, verify_result, errors)
# same name (after normalization), different key i1_2 = common.create_intermediate_certificate("i1", root) write_cert_to_file(i1_2, "i1_2.pem") # different name i2 = common.create_intermediate_certificate("I2", root) write_cert_to_file(i2, "i2.pem") # Two intermediates with exactly the same name. i3_1 = common.create_intermediate_certificate("I3", root) write_cert_to_file(i3_1, "i3_1.pem") i3_2 = common.create_intermediate_certificate("I3", root) write_cert_to_file(i3_2, "i3_2.pem") # target certs c1 = common.create_end_entity_certificate("C1", i1_1) write_cert_to_file(c1, "c1.pem") c2 = common.create_end_entity_certificate("C2", i1_2) write_cert_to_file(c2, "c2.pem") d = common.create_end_entity_certificate("D", i2) write_cert_to_file(d, "d.pem") e1 = common.create_end_entity_certificate("E1", i3_1) write_cert_to_file(e1, "e1.pem") e2 = common.create_end_entity_certificate("E2", i3_2) write_cert_to_file(e2, "e2.pem")
# Copyright (c) 2016 The Chromium Authors. All rights reserved. # Use of this source code is governed by a BSD-style license that can be # found in the LICENSE file. """Certificate chain with 2 intermediates and one end entity certificate. The root certificate has a pathlen:1 restriction. Ordinarily this would be an invalid chain, however constraints on this trust anchor are not enforced.""" import sys sys.path += ['..'] import common # Self-signed root certificate (used as trust anchor). root = common.create_self_signed_root_certificate('Root') root.get_extensions().set_property('basicConstraints', 'critical,CA:true,pathlen:1') # Intermediate 1 (no pathlen restriction). intermediate1 = common.create_intermediate_certificate('Intermediate1', root) # Intermediate 2 (no pathlen restriction). intermediate2 = common.create_intermediate_certificate('Intermediate2', intermediate1) # Target certificate. target = common.create_end_entity_certificate('Target', intermediate2) chain = [target, intermediate2, intermediate1, root] common.write_chain(__doc__, chain, 'chain.pem')