def generate_certs(): init_nss_db() ca_cert = 'evroot.der' ca_key = 'evroot.key' prefix = "ev-valid" key_type = 'rsa' ee_ext_text = (EE_basic_constraints + EE_full_ku + Server_eku + authority_key_ident + aia_prefix + prefix + aia_suffix + endentity_crl + mozilla_testing_ev_policy) int_ext_text = (CA_basic_constraints + EE_full_ku + CA_eku + authority_key_ident + subject_key_ident + aia_prefix + "int-" + prefix + aia_suffix + intermediate_crl + mozilla_testing_ev_policy) [int_key, int_cert, ee_key, ee_cert] = CertUtils.generate_int_and_ee(db, srcdir, ca_key, ca_cert, prefix, int_ext_text, ee_ext_text, key_type) pk12file = CertUtils.generate_pkcs12(db, srcdir, int_cert, int_key, "int-" + prefix) import_cert_and_pkcs12(int_cert, pk12file, "int-" + prefix, ",,") import_untrusted_cert(ee_cert, prefix) # now we generate an end entity cert with an AIA with no OCSP URL no_ocsp_url_ext_aia = ("authorityInfoAccess =" + "caIssuers;URI:http://www.example.com/ca.html\n") [no_ocsp_key, no_ocsp_cert] = CertUtils.generate_cert_generic( db, srcdir, random.randint(100, 40000000), key_type, 'no-ocsp-url-cert', EE_basic_constraints + EE_full_ku + Server_eku + authority_key_ident + no_ocsp_url_ext_aia + endentity_crl + mozilla_testing_ev_policy, int_key, int_cert) import_untrusted_cert(no_ocsp_cert, 'no-ocsp-url-cert') [bad_ca_key, bad_ca_cert] = CertUtils.generate_cert_generic( db, srcdir, 1, 'rsa', 'non-evroot-ca', CA_basic_constraints + EE_full_ku + authority_key_ident) pk12file = CertUtils.generate_pkcs12(db, srcdir, bad_ca_cert, bad_ca_key, "non-evroot-ca") import_cert_and_pkcs12(bad_ca_cert, pk12file, "non-evroot-ca", "C,C,C") prefix = "non-ev-root" ee_ext_text = (EE_basic_constraints + EE_full_ku + Server_eku + authority_key_ident + aia_prefix + prefix + aia_suffix + endentity_crl + mozilla_testing_ev_policy) int_ext_text = (CA_basic_constraints + EE_full_ku + CA_eku + authority_key_ident + aia_prefix + "int-" + prefix + aia_suffix + intermediate_crl + subject_key_ident + mozilla_testing_ev_policy) [int_key, int_cert, ee_key, ee_cert] = CertUtils.generate_int_and_ee(db, srcdir, bad_ca_key, bad_ca_cert, prefix, int_ext_text, ee_ext_text, key_type) pk12file = CertUtils.generate_pkcs12(db, srcdir, int_cert, int_key, "int-" + prefix) import_cert_and_pkcs12(int_cert, pk12file, "int-" + prefix, ",,") import_untrusted_cert(ee_cert, prefix)
def generate_certs(): init_nss_db() ca_cert = 'evroot.der' ca_key = 'evroot.key' prefix = "ev-valid" key_type = 'rsa' ee_ext_text = (EE_basic_constraints + EE_full_ku + Server_eku + authority_key_ident + aia_prefix + prefix + aia_suffix + endentity_crl + mozilla_testing_ev_policy) int_ext_text = (CA_basic_constraints + EE_full_ku + CA_eku + authority_key_ident + subject_key_ident + aia_prefix + "int-" + prefix + aia_suffix + intermediate_crl + mozilla_testing_ev_policy) [int_key, int_cert, ee_key, ee_cert] = CertUtils.generate_int_and_ee(db, srcdir, ca_key, ca_cert, prefix, int_ext_text, ee_ext_text, key_type) pk12file = CertUtils.generate_pkcs12(db, srcdir, int_cert, int_key, "int-" + prefix) import_cert_and_pkcs12(int_cert, pk12file, "int-" + prefix, ",,") import_untrusted_cert(ee_cert, prefix) [bad_ca_key, bad_ca_cert] = CertUtils.generate_cert_generic( db, srcdir, 1, 'rsa', 'non-evroot-ca', CA_basic_constraints + EE_full_ku + authority_key_ident) pk12file = CertUtils.generate_pkcs12(db, srcdir, bad_ca_cert, bad_ca_key, "non-evroot-ca") import_cert_and_pkcs12(bad_ca_cert, pk12file, "non-evroot-ca", "C,C,C") prefix = "non-ev-root" ee_ext_text = (EE_basic_constraints + EE_full_ku + Server_eku + authority_key_ident + aia_prefix + prefix + aia_suffix + endentity_crl + mozilla_testing_ev_policy) int_ext_text = (CA_basic_constraints + EE_full_ku + CA_eku + authority_key_ident + aia_prefix + "int-" + prefix + aia_suffix + intermediate_crl + subject_key_ident + mozilla_testing_ev_policy) [int_key, int_cert, ee_key, ee_cert] = CertUtils.generate_int_and_ee(db, srcdir, bad_ca_key, bad_ca_cert, prefix, int_ext_text, ee_ext_text, key_type) pk12file = CertUtils.generate_pkcs12(db, srcdir, int_cert, int_key, "int-" + prefix) import_cert_and_pkcs12(int_cert, pk12file, "int-" + prefix, ",,") import_untrusted_cert(ee_cert, prefix)
def generate_and_maybe_import_cert(key_type, cert_name_suffix, base_ext_text, signer_key_filename, signer_cert_filename, dsa_param_filename, key_size, generate_ev): """ Generates a certificate and imports it into the NSS DB if appropriate. Arguments: key_type -- the type of key generated: potential values: 'rsa', 'dsa', or any of the curves found by 'openssl ecparam -list_curves' cert_name_suffix -- suffix of the generated cert name base_ext_text -- the base text for the x509 extensions to be added to the certificate (extra extensions will be added if generating an EV cert) signer_key_filename -- the filename of the key from which the cert will be signed. If an empty string is passed in the cert will be self signed (think CA roots). signer_cert_filename -- the filename of the signer cert that will sign the certificate being generated. Ignored if an empty string is passed in for signer_key_filename. Must be in DER format. dsa_param_filename -- the filename for the DSA param file key_size -- public key size for RSA certs generate_ev -- whether an EV cert should be generated Output: key_filename -- the filename of the key file (PEM format) cert_filename -- the filename of the certificate (DER format) """ cert_name = key_type + cert_name_suffix ev_ext_text = '' subject_string = ('/CN=XPCShell Key Size Testing %s %s-bit' % (key_type, key_size)) if generate_ev: cert_name = 'ev-' + cert_name ev_ext_text = (aia_prefix + cert_name + aia_suffix + mozilla_testing_ev_policy) subject_string += ' (EV)' # Use the organization field to store the cert nickname for easier debugging subject_string += '/O=' + cert_name [key_filename, cert_filename] = CertUtils.generate_cert_generic( db_dir, srcdir, random.randint(100, 40000000), key_type, cert_name, base_ext_text + ev_ext_text, signer_key_filename, signer_cert_filename, subject_string, dsa_param_filename, key_size) if generate_ev: # The dest_dir argument of generate_pkcs12() is also set to db_dir as # the .p12 files do not need to be kept once they have been imported. pkcs12_filename = CertUtils.generate_pkcs12(db_dir, db_dir, cert_filename, key_filename, cert_name) CertUtils.import_cert_and_pkcs12(srcdir, cert_filename, pkcs12_filename, cert_name, ',,') if not signer_key_filename: generated_ev_root_filenames.append(cert_filename) return [key_filename, cert_filename]
def generate_and_import_cert(cert_name_prefix, cert_name_suffix, base_ext_text, signer_key_filename, signer_cert_filename, validity_in_months): """ Generates a certificate and imports it into the NSS DB. Arguments: cert_name_prefix - prefix of the generated cert name cert_name_suffix - suffix of the generated cert name base_ext_text - the base text for the x509 extensions to be added to the certificate (extra extensions will be added if generating an EV cert) signer_key_filename - the filename of the key from which the cert will be signed. If an empty string is passed in the cert will be self signed (think CA roots). signer_cert_filename - the filename of the signer cert that will sign the certificate being generated. Ignored if an empty string is passed in for signer_key_filename. Must be in DER format. validity_in_months - the number of months the cert should be valid for. Output: cert_name - the resultant (nick)name of the certificate key_filename - the filename of the key file (PEM format) cert_filename - the filename of the certificate (DER format) """ cert_name = 'ev_%s_%u_months' % (cert_name_prefix, validity_in_months) # If the suffix is not the empty string, add a hyphen for visual # separation if cert_name_suffix: cert_name += '-' + cert_name_suffix subject_string = '/CN=%s' % cert_name ev_ext_text = (CertUtils.aia_prefix + cert_name + CertUtils.aia_suffix + CertUtils.mozilla_testing_ev_policy) # Reuse the existing RSA EV root if (signer_key_filename == '' and signer_cert_filename == ''): cert_name = 'evroot' key_filename = '../test_ev_certs/evroot.key' cert_filename = '../test_ev_certs/evroot.der' CertUtils.import_cert_and_pkcs12(src_dir, cert_filename, '../test_ev_certs/evroot.p12', cert_name, ',,') return [cert_name, key_filename, cert_filename] # Don't regenerate a previously generated cert for cert in generated_ev_certs: if cert_name == cert[0]: return cert validity_years = math.floor(validity_in_months / 12) validity_months = validity_in_months % 12 [key_filename, cert_filename] = CertUtils.generate_cert_generic( temp_dir, src_dir, random.randint(100, 40000000), 'rsa', cert_name, base_ext_text + ev_ext_text, signer_key_filename, signer_cert_filename, subject_string, validity_in_days = validity_years * 365 + validity_months * 31) generated_ev_certs.append([cert_name, key_filename, cert_filename]) # The dest_dir argument of generate_pkcs12() is also set to temp_dir # as the .p12 files do not need to be kept once they have been # imported. pkcs12_filename = CertUtils.generate_pkcs12(temp_dir, temp_dir, cert_filename, key_filename, cert_name) CertUtils.import_cert_and_pkcs12(src_dir, cert_filename, pkcs12_filename, cert_name, ',,') return [cert_name, key_filename, cert_filename]
CA_basic_constraints = "basicConstraints = critical, CA:TRUE\n" CA_min_ku = "keyUsage = critical, digitalSignature, keyCertSign, cRLSign\n" subject_key_ident = "subjectKeyIdentifier = hash\n" cert_name = 'evroot' ext_text = CA_basic_constraints + CA_min_ku + subject_key_ident subject_string = ('/C=US/ST=CA/L=Mountain View' + '/O=Mozilla - EV debug test CA/OU=Security Engineering' + '/CN=XPCShell EV Testing (untrustworthy) CA') # The db_dir argument of generate_cert_generic() is also set to dest_dir as # the .key file generated is needed by other certs. [ca_key, ca_cert] = CertUtils.generate_cert_generic(dest_dir, dest_dir, random.randint(100, 40000000), 'rsa', cert_name, ext_text, subject_string=subject_string) CertUtils.generate_pkcs12(db, dest_dir, ca_cert, ca_key, cert_name) # Print a blank line and the information needed to enable EV for the root # generated by this script. print CertUtils.print_cert_info(ca_cert) print('You now MUST update the compiled test EV root information to match ' + 'the EV root information printed above. In addition, certs that chain ' + 'up to this root in other folders will also need to be regenerated.')
# This Source Code Form is subject to the terms of the Mozilla Public # License, v. 2.0. If a copy of the MPL was not distributed with this # file, You can obtain one at http://mozilla.org/MPL/2.0/. import tempfile, os, sys, random libpath = os.path.abspath("../psm_common_py") sys.path.append(libpath) import CertUtils dest_dir = os.getcwd() db = tempfile.mkdtemp() serial = random.randint(100, 40000000) name = "client-cert" [key, cert] = CertUtils.generate_cert_generic(db, dest_dir, serial, "rsa", name, "") CertUtils.generate_pkcs12(db, dest_dir, cert, key, name) # Print a blank line and the fingerprint of the cert that ClientAuthServer.cpp # should be modified with. print CertUtils.print_cert_info(cert) print ('You now MUST update the fingerprint in ClientAuthServer.cpp to match ' + 'the fingerprint printed above.') # Remove unnecessary .der file os.remove(dest_dir + "/" + name + ".der")
def generate_certs(): init_nss_db() ca_cert = 'evroot.der' ca_key = 'evroot.key' prefix = "ev-valid" key_type = 'rsa' ee_ext_text = (aia_prefix + prefix + aia_suffix + endentity_crl + mozilla_testing_ev_policy) int_ext_text = (CA_extensions + aia_prefix + "int-" + prefix + aia_suffix + intermediate_crl + mozilla_testing_ev_policy) [int_key, int_cert, ee_key, ee_cert] = CertUtils.generate_int_and_ee(db, srcdir, ca_key, ca_cert, prefix, int_ext_text, ee_ext_text, key_type) pk12file = CertUtils.generate_pkcs12(db, srcdir, int_cert, int_key, "int-" + prefix) import_cert_and_pkcs12(int_cert, pk12file, "int-" + prefix, ",,") import_untrusted_cert(ee_cert, prefix) # now we generate an end entity cert with an AIA with no OCSP URL no_ocsp_url_ext_aia = ("authorityInfoAccess =" + "caIssuers;URI:http://www.example.com/ca.html\n"); [no_ocsp_key, no_ocsp_cert] = CertUtils.generate_cert_generic(db, srcdir, random.randint(100, 40000000), key_type, 'no-ocsp-url-cert', no_ocsp_url_ext_aia + endentity_crl + mozilla_testing_ev_policy, int_key, int_cert); import_untrusted_cert(no_ocsp_cert, 'no-ocsp-url-cert'); # add an ev cert whose intermediate has a anypolicy oid prefix = "ev-valid-anypolicy-int" ee_ext_text = (aia_prefix + prefix + aia_suffix + endentity_crl + mozilla_testing_ev_policy) int_ext_text = (CA_extensions + aia_prefix + "int-" + prefix + aia_suffix + intermediate_crl + anypolicy_policy) [int_key, int_cert, ee_key, ee_cert] = CertUtils.generate_int_and_ee(db, srcdir, ca_key, ca_cert, prefix, int_ext_text, ee_ext_text, key_type) pk12file = CertUtils.generate_pkcs12(db, srcdir, int_cert, int_key, "int-" + prefix) import_cert_and_pkcs12(int_cert, pk12file, "int-" + prefix, ",,") import_untrusted_cert(ee_cert, prefix) [bad_ca_key, bad_ca_cert] = CertUtils.generate_cert_generic( db, srcdir, 1, 'rsa', 'non-evroot-ca', CA_extensions) pk12file = CertUtils.generate_pkcs12(db, srcdir, bad_ca_cert, bad_ca_key, "non-evroot-ca") import_cert_and_pkcs12(bad_ca_cert, pk12file, "non-evroot-ca", "C,C,C") prefix = "non-ev-root" ee_ext_text = (aia_prefix + prefix + aia_suffix + endentity_crl + mozilla_testing_ev_policy) int_ext_text = (CA_extensions + aia_prefix + "int-" + prefix + aia_suffix + intermediate_crl + mozilla_testing_ev_policy) [int_key, int_cert, ee_key, ee_cert] = CertUtils.generate_int_and_ee(db, srcdir, bad_ca_key, bad_ca_cert, prefix, int_ext_text, ee_ext_text, key_type) pk12file = CertUtils.generate_pkcs12(db, srcdir, int_cert, int_key, "int-" + prefix) import_cert_and_pkcs12(int_cert, pk12file, "int-" + prefix, ",,") import_untrusted_cert(ee_cert, prefix)
csr_name = dest_dir + "/" + name + ".csr" os.system("openssl req -new -key " + key_name + " -days 3650" + " -extensions v3_ca -batch -out " + csr_name + " -utf8 -subj '/C=US/ST=CA/L=Mountain View" + "/O=Mozilla - EV debug test CA/OU=Security Engineering" + "/CN=XPCShell EV Testing (untrustworthy) CA'") extensions_filename = db_dir + "/openssl-exts" f = open(extensions_filename, 'w') f.write(ext_text) f.close() cert_name = dest_dir + "/" + name + ".der" signer_key_filename = key_name os.system("openssl x509 -req -sha256 -days 3650 -in " + csr_name + " -signkey " + signer_key_filename + " -set_serial " + str(serial_num) + " -extfile " + extensions_filename + " -outform DER -out " + cert_name) return key_name, cert_name prefix = "evroot" [ca_key, ca_cert ] = generate_root_cert(db, dest_dir, prefix, CA_basic_constraints + CA_min_ku + subject_key_ident) CertUtils.generate_pkcs12(db, dest_dir, ca_cert, ca_key, prefix) print("You now MUST modify nsIdentityinfo.cpp to ensure the xpchell debug " + "certificate there matches this newly generated one\n")
csr_name = dest_dir + "/" + name + ".csr" os.system ("openssl req -new -key " + key_name + " -days 3650" + " -extensions v3_ca -batch -out " + csr_name + " -utf8 -subj '/C=US/ST=CA/L=Mountain View" + "/O=Mozilla - EV debug test CA/OU=Security Engineering" + "/CN=XPCShell EV Testing (untrustworthy) CA'") extensions_filename = db_dir + "/openssl-exts" f = open(extensions_filename, 'w') f.write(ext_text) f.close() cert_name = dest_dir + "/" + name + ".der" signer_key_filename = key_name os.system ("openssl x509 -req -sha256 -days 3650 -in " + csr_name + " -signkey " + signer_key_filename + " -set_serial " + str(serial_num) + " -extfile " + extensions_filename + " -outform DER -out " + cert_name) return key_name, cert_name prefix = "evroot" [ca_key, ca_cert] = generate_root_cert(db, dest_dir, prefix, CA_basic_constraints + CA_min_ku + subject_key_ident) CertUtils.generate_pkcs12(db, dest_dir, ca_cert, ca_key, prefix) print ("You now MUST modify nsIdentityinfo.cpp to ensure the xpchell debug " + "certificate there matches this newly generated one\n")
def generate_and_maybe_import_cert(key_type, cert_name_prefix, cert_name_suffix, base_ext_text, signer_key_filename, signer_cert_filename, key_size, generate_ev): """ Generates a certificate and imports it into the NSS DB if appropriate. Arguments: key_type -- the type of key generated: potential values: 'rsa', or any of the curves found by 'openssl ecparam -list_curves' cert_name_prefix -- prefix of the generated cert name cert_name_suffix -- suffix of the generated cert name base_ext_text -- the base text for the x509 extensions to be added to the certificate (extra extensions will be added if generating an EV cert) signer_key_filename -- the filename of the key from which the cert will be signed. If an empty string is passed in the cert will be self signed (think CA roots). signer_cert_filename -- the filename of the signer cert that will sign the certificate being generated. Ignored if an empty string is passed in for signer_key_filename. Must be in DER format. key_size -- public key size for RSA certs generate_ev -- whether an EV cert should be generated Output: cert_name -- the resultant (nick)name of the certificate key_filename -- the filename of the key file (PEM format) cert_filename -- the filename of the certificate (DER format) """ cert_name = cert_name_prefix + '_' + key_type + '_' + key_size # If the suffix is not the empty string, add a hyphen for visual separation if cert_name_suffix: cert_name += '-' + cert_name_suffix ev_ext_text = '' subject_string = ('/CN=XPCShell Key Size Testing %s %s-bit' % (key_type, key_size)) if generate_ev: cert_name = 'ev_' + cert_name ev_ext_text = (aia_prefix + cert_name + aia_suffix + mozilla_testing_ev_policy) subject_string += ' (EV)' # Use the organization field to store the cert nickname for easier debugging subject_string += '/O=' + cert_name [key_filename, cert_filename] = CertUtils.generate_cert_generic( db_dir, srcdir, random.randint(100, 40000000), key_type, cert_name, base_ext_text + ev_ext_text, signer_key_filename, signer_cert_filename, subject_string, key_size) if generate_ev: # The dest_dir argument of generate_pkcs12() is also set to db_dir as # the .p12 files do not need to be kept once they have been imported. pkcs12_filename = CertUtils.generate_pkcs12(db_dir, db_dir, cert_filename, key_filename, cert_name) CertUtils.import_cert_and_pkcs12(srcdir, cert_filename, pkcs12_filename, cert_name, ',,') if not signer_key_filename: generated_ev_root_filenames.append(cert_filename) return [cert_name, key_filename, cert_filename]
def generate_certs(): ca_cert = 'evroot.der' ca_key = 'evroot.key' prefix = "ev-valid" key_type = 'rsa' ee_ext_text = (aia_prefix + prefix + aia_suffix + endentity_crl + mozilla_testing_ev_policy) int_ext_text = (CA_extensions + aia_prefix + "int-" + prefix + aia_suffix + intermediate_crl + mozilla_testing_ev_policy) CertUtils.init_nss_db(srcdir) CertUtils.import_cert_and_pkcs12(srcdir, ca_cert, 'evroot.p12', 'evroot', 'C,C,C') [int_key, int_cert, ee_key, ee_cert] = CertUtils.generate_int_and_ee(db, srcdir, ca_key, ca_cert, prefix, int_ext_text, ee_ext_text, key_type) pk12file = CertUtils.generate_pkcs12(db, db, int_cert, int_key, "int-" + prefix) CertUtils.import_cert_and_pkcs12(srcdir, int_cert, pk12file, 'int-' + prefix, ',,') import_untrusted_cert(ee_cert, prefix) # now we generate an end entity cert with an AIA with no OCSP URL no_ocsp_url_ext_aia = ("authorityInfoAccess =" + "caIssuers;URI:http://www.example.com/ca.html\n"); [no_ocsp_key, no_ocsp_cert] = CertUtils.generate_cert_generic(db, srcdir, random.randint(100, 40000000), key_type, 'no-ocsp-url-cert', no_ocsp_url_ext_aia + endentity_crl + mozilla_testing_ev_policy, int_key, int_cert); import_untrusted_cert(no_ocsp_cert, 'no-ocsp-url-cert'); # add an ev cert whose intermediate has a anypolicy oid prefix = "ev-valid-anypolicy-int" ee_ext_text = (aia_prefix + prefix + aia_suffix + endentity_crl + mozilla_testing_ev_policy) int_ext_text = (CA_extensions + aia_prefix + "int-" + prefix + aia_suffix + intermediate_crl + anypolicy_policy) [int_key, int_cert, ee_key, ee_cert] = CertUtils.generate_int_and_ee(db, srcdir, ca_key, ca_cert, prefix, int_ext_text, ee_ext_text, key_type) pk12file = CertUtils.generate_pkcs12(db, db, int_cert, int_key, "int-" + prefix) CertUtils.import_cert_and_pkcs12(srcdir, int_cert, pk12file, 'int-' + prefix, ',,') import_untrusted_cert(ee_cert, prefix) [bad_ca_key, bad_ca_cert] = CertUtils.generate_cert_generic( db, srcdir, 1, 'rsa', 'non-evroot-ca', CA_extensions) pk12file = CertUtils.generate_pkcs12(db, db, bad_ca_cert, bad_ca_key, "non-evroot-ca") CertUtils.import_cert_and_pkcs12(srcdir, bad_ca_cert, pk12file, 'non-evroot-ca', 'C,C,C') prefix = "non-ev-root" ee_ext_text = (aia_prefix + prefix + aia_suffix + endentity_crl + mozilla_testing_ev_policy) int_ext_text = (CA_extensions + aia_prefix + "int-" + prefix + aia_suffix + intermediate_crl + mozilla_testing_ev_policy) [int_key, int_cert, ee_key, ee_cert] = CertUtils.generate_int_and_ee(db, srcdir, bad_ca_key, bad_ca_cert, prefix, int_ext_text, ee_ext_text, key_type) pk12file = CertUtils.generate_pkcs12(db, db, int_cert, int_key, "int-" + prefix) CertUtils.import_cert_and_pkcs12(srcdir, int_cert, pk12file, 'int-' + prefix, ',,') import_untrusted_cert(ee_cert, prefix)
def generate_and_maybe_import_cert( key_type, cert_name_prefix, cert_name_suffix, base_ext_text, signer_key_filename, signer_cert_filename, key_size, generate_ev, ): """ Generates a certificate and imports it into the NSS DB if appropriate. If an equivalent certificate has already been generated, it is reused. Arguments: key_type -- the type of key generated: potential values: 'rsa', or any of the curves found by 'openssl ecparam -list_curves' cert_name_prefix -- prefix of the generated cert name cert_name_suffix -- suffix of the generated cert name base_ext_text -- the base text for the x509 extensions to be added to the certificate (extra extensions will be added if generating an EV cert) signer_key_filename -- the filename of the key from which the cert will be signed. If an empty string is passed in the cert will be self signed (think CA roots). signer_cert_filename -- the filename of the signer cert that will sign the certificate being generated. Ignored if an empty string is passed in for signer_key_filename. Must be in DER format. key_size -- public key size for RSA certs generate_ev -- whether an EV cert should be generated Output: cert_name -- the resultant (nick)name of the certificate key_filename -- the filename of the key file (PEM format) cert_filename -- the filename of the certificate (DER format) """ cert_name = cert_name_prefix + "_" + key_type + "_" + key_size # If the suffix is not the empty string, add a hyphen for visual separation if cert_name_suffix: cert_name += "-" + cert_name_suffix ev_ext_text = "" subject_string = "/CN=XPCShell Key Size Testing %s %s-bit" % (key_type, key_size) if generate_ev: cert_name = "ev_" + cert_name ev_ext_text = aia_prefix + cert_name + aia_suffix + mozilla_testing_ev_policy subject_string += " (EV)" # Use the organization field to store the cert nickname for easier debugging subject_string += "/O=" + cert_name # Reuse the existing RSA EV root if ( generate_ev and key_type == "rsa" and signer_key_filename == "" and signer_cert_filename == "" and key_size == "2048" ): cert_name = "evroot" key_filename = "../test_ev_certs/evroot.key" cert_filename = "../test_ev_certs/evroot.der" CertUtils.import_cert_and_pkcs12(srcdir, cert_filename, "../test_ev_certs/evroot.p12", cert_name, ",,") return [cert_name, key_filename, cert_filename] # Don't regenerate a previously generated cert for cert in generated_certs: if cert_name == cert[0]: return cert [key_filename, cert_filename] = CertUtils.generate_cert_generic( db_dir, srcdir, random.randint(100, 40000000), key_type, cert_name, base_ext_text + ev_ext_text, signer_key_filename, signer_cert_filename, subject_string, key_size, ) generated_certs.append([cert_name, key_filename, cert_filename]) if generate_ev: # The dest_dir argument of generate_pkcs12() is also set to db_dir as # the .p12 files do not need to be kept once they have been imported. pkcs12_filename = CertUtils.generate_pkcs12(db_dir, db_dir, cert_filename, key_filename, cert_name) CertUtils.import_cert_and_pkcs12(srcdir, cert_filename, pkcs12_filename, cert_name, ",,") if not signer_key_filename: generated_ev_root_filenames.append(cert_filename) return [cert_name, key_filename, cert_filename]
def generate_and_maybe_import_cert(key_type, cert_name_prefix, cert_name_suffix, base_ext_text, signer_key_filename, signer_cert_filename, key_size, generate_ev): """ Generates a certificate and imports it into the NSS DB if appropriate. If an equivalent certificate has already been generated, it is reused. Arguments: key_type -- the type of key generated: potential values: 'rsa', or any of the curves found by 'openssl ecparam -list_curves' cert_name_prefix -- prefix of the generated cert name cert_name_suffix -- suffix of the generated cert name base_ext_text -- the base text for the x509 extensions to be added to the certificate (extra extensions will be added if generating an EV cert) signer_key_filename -- the filename of the key from which the cert will be signed. If an empty string is passed in the cert will be self signed (think CA roots). signer_cert_filename -- the filename of the signer cert that will sign the certificate being generated. Ignored if an empty string is passed in for signer_key_filename. Must be in DER format. key_size -- public key size for RSA certs generate_ev -- whether an EV cert should be generated Output: cert_name -- the resultant (nick)name of the certificate key_filename -- the filename of the key file (PEM format) cert_filename -- the filename of the certificate (DER format) """ cert_name = cert_name_prefix + '_' + key_type + '_' + key_size # If the suffix is not the empty string, add a hyphen for visual separation if cert_name_suffix: cert_name += '-' + cert_name_suffix ev_ext_text = '' subject_string = ('/CN=XPCShell Key Size Testing %s %s-bit' % (key_type, key_size)) if generate_ev: cert_name = 'ev_' + cert_name ev_ext_text = (aia_prefix + cert_name + aia_suffix + mozilla_testing_ev_policy) subject_string += ' (EV)' # Use the organization field to store the cert nickname for easier debugging subject_string += '/O=' + cert_name # Reuse the existing RSA EV root if (generate_ev and key_type == 'rsa' and signer_key_filename == '' and signer_cert_filename == '' and key_size == '2048'): cert_name = 'evroot' key_filename = '../test_ev_certs/evroot.key' cert_filename = '../test_ev_certs/evroot.der' CertUtils.import_cert_and_pkcs12(srcdir, cert_filename, '../test_ev_certs/evroot.p12', cert_name, ',,') return [cert_name, key_filename, cert_filename] # Don't regenerate a previously generated cert for cert in generated_certs: if cert_name == cert[0]: return cert [key_filename, cert_filename] = CertUtils.generate_cert_generic( db_dir, srcdir, random.randint(100, 40000000), key_type, cert_name, base_ext_text + ev_ext_text, signer_key_filename, signer_cert_filename, subject_string, key_size) generated_certs.append([cert_name, key_filename, cert_filename]) if generate_ev: # The dest_dir argument of generate_pkcs12() is also set to db_dir as # the .p12 files do not need to be kept once they have been imported. pkcs12_filename = CertUtils.generate_pkcs12(db_dir, db_dir, cert_filename, key_filename, cert_name) CertUtils.import_cert_and_pkcs12(srcdir, cert_filename, pkcs12_filename, cert_name, ',,') if not signer_key_filename: generated_ev_root_filenames.append(cert_filename) return [cert_name, key_filename, cert_filename]
# vim: set filetype=python # This Source Code Form is subject to the terms of the Mozilla Public # License, v. 2.0. If a copy of the MPL was not distributed with this # file, You can obtain one at http://mozilla.org/MPL/2.0/. # After running this file you MUST modify ClientAuthServer.cpp to change the # fingerprint of the client cert import tempfile, os, sys, random libpath = os.path.abspath("../psm_common_py") sys.path.append(libpath) import CertUtils dest_dir = os.getcwd() db = tempfile.mkdtemp() serial = random.randint(100, 40000000) name = "client-cert" [key, cert] = CertUtils.generate_cert_generic(db, dest_dir, serial, "rsa", name, "") CertUtils.generate_pkcs12(db, dest_dir, cert, key, name) # Remove unnecessary .der file os.remove(dest_dir + "/" + name + ".der") print("You now MUST modify ClientAuthServer.cpp to ensure the xpchell debug " + "certificate there matches this newly generated one\n")
CA_basic_constraints = "basicConstraints = critical, CA:TRUE\n" CA_min_ku = "keyUsage = critical, digitalSignature, keyCertSign, cRLSign\n" subject_key_ident = "subjectKeyIdentifier = hash\n" cert_name = 'evroot' ext_text = CA_basic_constraints + CA_min_ku + subject_key_ident subject_string = ('/C=US/ST=CA/L=Mountain View' + '/O=Mozilla - EV debug test CA/OU=Security Engineering' + '/CN=XPCShell EV Testing (untrustworthy) CA') # The db_dir argument of generate_cert_generic() is also set to dest_dir as # the .key file generated is needed by other certs. [ca_key, ca_cert] = CertUtils.generate_cert_generic( dest_dir, dest_dir, random.randint(100, 40000000), 'rsa', cert_name, ext_text, subject_string = subject_string) CertUtils.generate_pkcs12(db, dest_dir, ca_cert, ca_key, cert_name) # Print a blank line and the information needed to enable EV for the root # generated by this script. print CertUtils.print_cert_info_for_ev(ca_cert) print ('You now MUST update the compiled test EV root information to match ' + 'the EV root information printed above. In addition, certs that chain ' + 'up to this root in other folders will also need to be regenerated.' )
def generate_certs(): init_nss_db() ca_cert = "evroot.der" ca_key = "evroot.key" prefix = "ev-valid" key_type = "rsa" ee_ext_text = ( EE_basic_constraints + EE_full_ku + Server_eku + authority_key_ident + aia_prefix + prefix + aia_suffix + endentity_crl + mozilla_testing_ev_policy ) int_ext_text = ( CA_basic_constraints + EE_full_ku + CA_eku + authority_key_ident + subject_key_ident + aia_prefix + "int-" + prefix + aia_suffix + intermediate_crl + mozilla_testing_ev_policy ) [int_key, int_cert, ee_key, ee_cert] = CertUtils.generate_int_and_ee( db, srcdir, ca_key, ca_cert, prefix, int_ext_text, ee_ext_text, key_type ) pk12file = CertUtils.generate_pkcs12(db, srcdir, int_cert, int_key, "int-" + prefix) import_cert_and_pkcs12(int_cert, pk12file, "int-" + prefix, ",,") import_untrusted_cert(ee_cert, prefix) # now we generate an end entity cert with an AIA with no OCSP URL no_ocsp_url_ext_aia = "authorityInfoAccess =" + "caIssuers;URI:http://www.example.com/ca.html\n" [no_ocsp_key, no_ocsp_cert] = CertUtils.generate_cert_generic( db, srcdir, random.randint(100, 40000000), key_type, "no-ocsp-url-cert", EE_basic_constraints + EE_full_ku + Server_eku + authority_key_ident + no_ocsp_url_ext_aia + endentity_crl + mozilla_testing_ev_policy, int_key, int_cert, ) import_untrusted_cert(no_ocsp_cert, "no-ocsp-url-cert") # add an ev cert whose intermediate has a anypolicy oid prefix = "ev-valid-anypolicy-int" ee_ext_text = ( EE_basic_constraints + EE_full_ku + Server_eku + authority_key_ident + aia_prefix + prefix + aia_suffix + endentity_crl + mozilla_testing_ev_policy ) int_ext_text = ( CA_basic_constraints + EE_full_ku + CA_eku + authority_key_ident + subject_key_ident + aia_prefix + "int-" + prefix + aia_suffix + intermediate_crl + anypolicy_policy ) [int_key, int_cert, ee_key, ee_cert] = CertUtils.generate_int_and_ee( db, srcdir, ca_key, ca_cert, prefix, int_ext_text, ee_ext_text, key_type ) pk12file = CertUtils.generate_pkcs12(db, srcdir, int_cert, int_key, "int-" + prefix) import_cert_and_pkcs12(int_cert, pk12file, "int-" + prefix, ",,") import_untrusted_cert(ee_cert, prefix) [bad_ca_key, bad_ca_cert] = CertUtils.generate_cert_generic( db, srcdir, 1, "rsa", "non-evroot-ca", CA_basic_constraints + EE_full_ku + authority_key_ident ) pk12file = CertUtils.generate_pkcs12(db, srcdir, bad_ca_cert, bad_ca_key, "non-evroot-ca") import_cert_and_pkcs12(bad_ca_cert, pk12file, "non-evroot-ca", "C,C,C") prefix = "non-ev-root" ee_ext_text = ( EE_basic_constraints + EE_full_ku + Server_eku + authority_key_ident + aia_prefix + prefix + aia_suffix + endentity_crl + mozilla_testing_ev_policy ) int_ext_text = ( CA_basic_constraints + EE_full_ku + CA_eku + authority_key_ident + aia_prefix + "int-" + prefix + aia_suffix + intermediate_crl + subject_key_ident + mozilla_testing_ev_policy ) [int_key, int_cert, ee_key, ee_cert] = CertUtils.generate_int_and_ee( db, srcdir, bad_ca_key, bad_ca_cert, prefix, int_ext_text, ee_ext_text, key_type ) pk12file = CertUtils.generate_pkcs12(db, srcdir, int_cert, int_key, "int-" + prefix) import_cert_and_pkcs12(int_cert, pk12file, "int-" + prefix, ",,") import_untrusted_cert(ee_cert, prefix)