def generate_chain(intermediate_digest_algorithm):
  """Write a three-certificate chain whose intermediate is signed with the
  given digest algorithm.

  Args:
    intermediate_digest_algorithm: name of the signature hash applied to the
      intermediate certificate. It is also used as the prefix of the output
      file name ('<algorithm>-chain.pem').

  The chain is written through common.write_chain together with this
  module's docstring; nothing is returned.
  """
  # Trust anchor for the chain.
  root_cert = common.create_self_signed_root_certificate('Root')

  # Intermediate: its signature hash is the variable under test. It carries
  # the Netscape Server Gated Crypto EKU (OpenSSL short name 'nsSGC') rather
  # than the TLS EKUs the leaf gets below.
  intermediate_cert = common.create_intermediate_certificate('Intermediate',
                                                             root_cert)
  intermediate_cert.set_signature_hash(intermediate_digest_algorithm)
  intermediate_cert.get_extensions().set_property('extendedKeyUsage',
                                                  'nsSGC')

  # Leaf issued by the intermediate, with the usual TLS EKUs.
  leaf_cert = common.create_end_entity_certificate('Target', intermediate_cert)
  leaf_cert.get_extensions().set_property('extendedKeyUsage',
                                          'serverAuth,clientAuth')

  # Leaf first, root last; the file name records which digest was used.
  output_name = '%s-chain.pem' % intermediate_digest_algorithm
  common.write_chain(__doc__, [leaf_cert, intermediate_cert, root_cert],
                     output_name)
#!/usr/bin/python
# Copyright (c) 2015 The Chromium Authors. All rights reserved.
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.

"""Certificate chain with 1 intermediary, where the intermediary is expired
(violates validity.notAfter). Verification is expected to fail."""

import common

# Trust anchor: a self-signed root that is handed to the verifier as trusted.
root = common.create_self_signed_root_certificate('Root')

# Intermediary whose validity window closes on 2016-01-01. The verification
# time chosen below falls after that, so the chain must be rejected on
# validity.notAfter.
not_before = common.JANUARY_1_2015_UTC
not_after = common.JANUARY_1_2016_UTC
intermediary = common.create_intermediary_certificate('Intermediary', root)
intermediary.set_validity_range(not_before, not_after)

# End-entity certificate issued by the (expired) intermediary.
target = common.create_end_entity_certificate('Target', intermediary)

# Verification time as ASN.1 UTCTime: 2016-03-02 12:00:00 UTC, i.e. after the
# intermediary's notAfter. Expected outcome: verification fails.
time = '160302120000Z'
verify_result = False

# Untrusted chain presented to the verifier, leaf first; the root is only
# available through the trust store.
chain = [target, intermediary]
trusted = [root]

common.write_test_file(__doc__, chain, trusted, time, verify_result)
# Self-signed root certificate; every intermediate below chains to it.
root = common.create_self_signed_root_certificate('Root')
write_cert_to_file(root, 'root.pem')


# Intermediate certificates
# NOTE: write_cert_to_file is defined elsewhere in this script, outside this
# excerpt. The subject names below look chosen to exercise an issuer lookup
# keyed on the normalized subject name — confirm against the consuming test.
i1_1 = common.create_intermediate_certificate('I1', root)
write_cert_to_file(i1_1, 'i1_1.pem')

# same name (after normalization), different key: 'i1' folds to the same
# normalized name as 'I1', so a by-name lookup sees two candidate issuers,
# only one of which actually signed a given target.
i1_2 = common.create_intermediate_certificate('i1', root)
write_cert_to_file(i1_2, 'i1_2.pem')

# different name
i2 = common.create_intermediate_certificate('I2', root)
write_cert_to_file(i2, 'i2.pem')


# target certs: one per intermediate, so each end entity has exactly one
# legitimate issuer among the three.

c1 = common.create_end_entity_certificate('C1', i1_1)
write_cert_to_file(c1, 'c1.pem')

c2 = common.create_end_entity_certificate('C2', i1_2)
write_cert_to_file(c2, 'c2.pem')

d = common.create_end_entity_certificate('D', i2)
write_cert_to_file(d, 'd.pem')


# A variant of i_base (created earlier, outside this excerpt) with the same
# subject 'I' and, via set_key_path, the same key — so it is the same CA
# identity and only the AIA differs. Here a file: URI is listed first and an
# http URI second.
i_file_and_http_aia = common.create_intermediate_certificate('I', root)
i_file_and_http_aia.set_key_path(i_base.get_key_path())
# |section| is rebound per variant. It is the intermediate's own
# 'issuer_info' section, which appears to supply the AIA of the certificates
# this intermediate issues — confirm in common.py.
section = i_file_and_http_aia.config.get_section('issuer_info')
section.set_property('caIssuers;URI.0', 'file:///dev/null')
section.set_property('caIssuers;URI.1', 'http://url-for-aia2/I2.foo')

# Same identity again; the first caIssuers entry is not a URI at all and the
# second is the http one. Presumably exercises a fetcher that has to skip the
# unparseable entry rather than abandon the lookup — confirm against the
# consuming test.
i_invalid_and_http_aia = common.create_intermediate_certificate('I', root)
i_invalid_and_http_aia.set_key_path(i_base.get_key_path())
section = i_invalid_and_http_aia.config.get_section('issuer_info')
section.set_property('caIssuers;URI.0', 'foobar')
section.set_property('caIssuers;URI.1', 'http://url-for-aia2/I2.foo')


# target certs
# One leaf per 'I' variant; |target| is rebound each time and only the PEM is
# kept. i_no_aia, i_two_aia, i_three_aia, i_six_aia and i_file_aia are created
# earlier in this script, outside this excerpt.

target = common.create_end_entity_certificate('target', i_base)
common.write_string_to_file(target.get_cert_pem(), 'target_one_aia.pem')

target = common.create_end_entity_certificate('target', i_no_aia)
common.write_string_to_file(target.get_cert_pem(), 'target_no_aia.pem')

target = common.create_end_entity_certificate('target', i_two_aia)
common.write_string_to_file(target.get_cert_pem(), 'target_two_aia.pem')

target = common.create_end_entity_certificate('target', i_three_aia)
common.write_string_to_file(target.get_cert_pem(), 'target_three_aia.pem')

target = common.create_end_entity_certificate('target', i_six_aia)
common.write_string_to_file(target.get_cert_pem(), 'target_six_aia.pem')

# The write for this last leaf falls outside this excerpt.
target = common.create_end_entity_certificate('target', i_file_aia)
certificate is wrong."""

import common

# Trust anchor; handed to the verifier without constraints.
root = common.create_self_signed_root_certificate('Root')

# The intermediate that will be *presented* in the chain.
intermediate = common.create_intermediate_certificate('Intermediate', root)

# The intermediate that actually signs the leaf: identical subject name but a
# distinct RSA key, so the presented intermediate's key cannot verify the
# leaf's signature.
wrong_intermediate = common.create_intermediate_certificate('Intermediate',
                                                            root)

# Leaf signed by wrong_intermediate; it is then paired with |intermediate|.
target = common.create_end_entity_certificate('Target', wrong_intermediate)

# Expected outcome: rejection, reported while processing the certificate at
# index 1 as a signature verification failure. Matching on subject name alone
# must not be enough to accept the chain.
verify_result = False
time = common.DEFAULT_TIME
errors = """[Context] Processing Certificate
  index: 1
      [Error] Signature verification failed
      [Error] VerifySignedData failed
"""

chain = [target, intermediate]
trusted = common.TrustAnchor(root, constrained=False)

common.write_test_file(__doc__, chain, trusted, time, verify_result, errors)
# found in the LICENSE file.

"""Certificate chain with 1 intermediate, a trusted root, and a target
certificate that is not a CA, and yet has the keyCertSign bit set. Verification
is expected to fail, since keyCertSign should only be asserted when CA is
true."""

import common

# Trust anchor; handed to the verifier without constraints.
root = common.create_self_signed_root_certificate("Root")

# Ordinary intermediate.
intermediate = common.create_intermediate_certificate("Intermediate", root)

# End entity that asserts keyCertSign without being a CA. keyCertSign is only
# meaningful on a CA certificate, so the verifier is expected to reject this
# leaf with the "looks like a CA" diagnostic.
target = common.create_end_entity_certificate("Target", intermediate)
key_usage = "critical,digitalSignature,keyEncipherment,keyCertSign"
target.get_extensions().set_property("keyUsage", key_usage)


# Expected outcome.
verify_result = False
time = common.DEFAULT_TIME
errors = """[Context] Processing Certificate
  index: 1
      [Error] Target certificate looks like a CA but does not set all CA properties
"""

chain = [target, intermediate]
trusted = common.TrustAnchor(root, constrained=False)

common.write_test_file(__doc__, chain, trusted, time, verify_result, errors)
# same name (after normalization), different key: 'i1' normalizes to the same
# subject as i1_1 (created earlier, outside this excerpt), so a by-name issuer
# lookup yields two candidates with different keys.
i1_2 = common.create_intermediate_certificate("i1", root)
write_cert_to_file(i1_2, "i1_2.pem")

# different name
i2 = common.create_intermediate_certificate("I2", root)
write_cert_to_file(i2, "i2.pem")

# Two intermediates with exactly the same name. Unlike the i1 pair no
# normalization is needed for them to collide; presumably they still differ
# by key, as the i1 pair does — confirm in common.py.
i3_1 = common.create_intermediate_certificate("I3", root)
write_cert_to_file(i3_1, "i3_1.pem")
i3_2 = common.create_intermediate_certificate("I3", root)
write_cert_to_file(i3_2, "i3_2.pem")

# target certs: one leaf per intermediate. write_cert_to_file is defined
# elsewhere in this script. E1 and E2 have issuers with identical names, so
# only the signature can tell which of i3_1/i3_2 issued each.

c1 = common.create_end_entity_certificate("C1", i1_1)
write_cert_to_file(c1, "c1.pem")

c2 = common.create_end_entity_certificate("C2", i1_2)
write_cert_to_file(c2, "c2.pem")

d = common.create_end_entity_certificate("D", i2)
write_cert_to_file(d, "d.pem")

e1 = common.create_end_entity_certificate("E1", i3_1)
write_cert_to_file(e1, "e1.pem")

e2 = common.create_end_entity_certificate("E2", i3_2)
write_cert_to_file(e2, "e2.pem")
# Copyright (c) 2016 The Chromium Authors. All rights reserved.
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.
"""Certificate chain with 2 intermediates and one end entity certificate. The
root certificate has a pathlen:1 restriction. Ordinarily this would be an
invalid chain, however constraints on this trust anchor are not enforced."""

import sys

sys.path += ['..']

import common

# Trust anchor carrying pathlen:1. The constraint lives on the anchor itself,
# and per the module docstring anchor constraints are not enforced, so the
# chain below is expected to be accepted despite exceeding the limit.
root = common.create_self_signed_root_certificate('Root')
basic_constraints = 'critical,CA:true,pathlen:1'
root.get_extensions().set_property('basicConstraints', basic_constraints)

# Two intermediates, neither with a pathlen of its own. That is two CA
# certificates below the root — one more than pathlen:1 would permit if the
# anchor's constraints were applied.
intermediate1 = common.create_intermediate_certificate('Intermediate1', root)
intermediate2 = common.create_intermediate_certificate('Intermediate2',
                                                       intermediate1)

# Leaf issued by the second intermediate.
target = common.create_end_entity_certificate('Target', intermediate2)

# Full chain, leaf first and root last.
chain_file = 'chain.pem'
chain = [target, intermediate2, intermediate1, root]
common.write_chain(__doc__, chain, chain_file)
# A variant of i_base (created earlier, outside this excerpt) with the same
# subject 'I' and, via set_key_path, the same key — so it is the same CA
# identity and only the AIA differs. Here a file: URI is listed first and an
# http URI second.
i_file_and_http_aia = common.create_intermediate_certificate('I', root)
i_file_and_http_aia.set_key_path(i_base.get_key_path())
# |section| is rebound per variant. It is the intermediate's own
# 'issuer_info' section, which appears to supply the AIA of the certificates
# this intermediate issues — confirm in common.py.
section = i_file_and_http_aia.config.get_section('issuer_info')
section.set_property('caIssuers;URI.0', 'file:///dev/null')
section.set_property('caIssuers;URI.1', 'http://url-for-aia2/I2.foo')

# Same identity again; the first caIssuers entry is not a URI at all and the
# second is the http one. Presumably exercises a fetcher that has to skip the
# unparseable entry rather than abandon the lookup — confirm against the
# consuming test.
i_invalid_and_http_aia = common.create_intermediate_certificate('I', root)
i_invalid_and_http_aia.set_key_path(i_base.get_key_path())
section = i_invalid_and_http_aia.config.get_section('issuer_info')
section.set_property('caIssuers;URI.0', 'foobar')
section.set_property('caIssuers;URI.1', 'http://url-for-aia2/I2.foo')

# target certs
# One leaf per 'I' variant; |target| is rebound each time and only the PEM is
# kept. i_no_aia, i_two_aia, i_three_aia, i_six_aia and i_file_aia are created
# earlier in this script, outside this excerpt.

target = common.create_end_entity_certificate('target', i_base)
common.write_string_to_file(target.get_cert_pem(), 'target_one_aia.pem')

target = common.create_end_entity_certificate('target', i_no_aia)
common.write_string_to_file(target.get_cert_pem(), 'target_no_aia.pem')

target = common.create_end_entity_certificate('target', i_two_aia)
common.write_string_to_file(target.get_cert_pem(), 'target_two_aia.pem')

target = common.create_end_entity_certificate('target', i_three_aia)
common.write_string_to_file(target.get_cert_pem(), 'target_three_aia.pem')

target = common.create_end_entity_certificate('target', i_six_aia)
common.write_string_to_file(target.get_cert_pem(), 'target_six_aia.pem')

# The write for this last leaf falls outside this excerpt.
target = common.create_end_entity_certificate('target', i_file_aia)