def make_chain(name, doc, excluded, permitted, sans):
    """Write a target/intermediate/root chain to ``'%s.pem' % name``.

    The intermediate is issued by the module-level ``root``, is given the
    module-level ``intermediate_key``, and carries the name constraints
    described by ``excluded`` and ``permitted``.  The target ('t0') is issued
    by that intermediate, is given the module-level ``target_key`` and carries
    the subjectAltNames described by ``sans``.

    Args:
        name: Basename of the output file (``name + '.pem'``).
        doc: Description text handed to gencerts.write_chain for the PEM header.
        excluded: Keyword arguments forwarded to add_excluded_name_constraints.
        permitted: Keyword arguments forwarded to add_permitted_name_constraints.
        sans: Keyword arguments forwarded to add_sans.
    """
    # Intermediate certificate, constrained as requested by the caller.
    ca_cert = gencerts.create_intermediate_certificate('Intermediate', root)
    ca_cert.set_key(intermediate_key)
    add_excluded_name_constraints(ca_cert, **excluded)
    add_permitted_name_constraints(ca_cert, **permitted)

    # Target (end-entity) certificate issued by the constrained intermediate;
    # its SANs are what the name constraints are evaluated against.
    leaf = gencerts.create_end_entity_certificate('t0', ca_cert)
    leaf.set_key(target_key)
    add_sans(leaf, **sans)

    out_pem = '%s.pem' % name
    gencerts.write_chain(doc, [leaf, ca_cert, root], out_pem)
def generate_chain(intermediate_digest_algorithm):
    """Write ``<algorithm>-chain.pem`` whose intermediate is signed with that digest.

    The chain is: a self-signed 'Root'; an 'Intermediate' signed using
    ``intermediate_digest_algorithm`` and carrying extendedKeyUsage nsSGC;
    and an end-entity 'Target' carrying extendedKeyUsage serverAuth,clientAuth.

    Args:
        intermediate_digest_algorithm: Signature hash name handed to
            set_signature_hash; it is also used as the output file prefix.
    """
    root_cert = gencerts.create_self_signed_root_certificate('Root')

    # Only the intermediate's signature hash is varied per call.
    ca_cert = gencerts.create_intermediate_certificate('Intermediate',
                                                       root_cert)
    ca_cert.set_signature_hash(intermediate_digest_algorithm)
    ca_cert.get_extensions().set_property('extendedKeyUsage', 'nsSGC')

    leaf = gencerts.create_end_entity_certificate('Target', ca_cert)
    leaf.get_extensions().set_property('extendedKeyUsage',
                                       'serverAuth,clientAuth')

    out_pem = '%s-chain.pem' % intermediate_digest_algorithm
    gencerts.write_chain(__doc__, [leaf, ca_cert, root_cert], out_pem)
def generate_chain(intermediate_digest_algorithm):
    """Write ``<algorithm>-chain.pem`` whose intermediate is signed with that digest.

    The chain is: a self-signed 'Root'; an 'Intermediate' signed using
    ``intermediate_digest_algorithm`` and carrying extendedKeyUsage nsSGC;
    and an end-entity 'Target' carrying extendedKeyUsage serverAuth,clientAuth
    plus a subjectAltName of DNS:test.example.

    Args:
        intermediate_digest_algorithm: Signature hash name handed to
            set_signature_hash; it is also used as the output file prefix.
    """
    root_cert = gencerts.create_self_signed_root_certificate('Root')

    # Only the intermediate's signature hash is varied per call.
    ca_cert = gencerts.create_intermediate_certificate('Intermediate',
                                                       root_cert)
    ca_cert.set_signature_hash(intermediate_digest_algorithm)
    ca_cert.get_extensions().set_property('extendedKeyUsage', 'nsSGC')

    leaf = gencerts.create_end_entity_certificate('Target', ca_cert)
    leaf_extensions = leaf.get_extensions()
    leaf_extensions.set_property('extendedKeyUsage', 'serverAuth,clientAuth')
    # TODO(eroman): Set subjectAltName by default rather than specifically in
    # this test.
    leaf_extensions.set_property('subjectAltName', 'DNS:test.example')

    out_pem = '%s-chain.pem' % intermediate_digest_algorithm
    gencerts.write_chain(__doc__, [leaf, ca_cert, root_cert], out_pem)
#!/usr/bin/python
# Copyright (c) 2015 The Chromium Authors. All rights reserved.
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.

"""Certificate chain where the intermediate has an unknown critical extension."""

import sys
sys.path += ['../..']

import gencerts

# Self-signed root certificate (the chain's trust anchor).
root_ca = gencerts.create_self_signed_root_certificate('Root')

# Intermediate carrying an extension under a made-up OID (1.2.3.4), marked
# critical, with opaque DER content.  Apart from that extension it is whatever
# create_intermediate_certificate produces by default, so presumably any
# verification failure on this chain is attributable to the unrecognised
# critical extension alone.
intermediate_ca = gencerts.create_intermediate_certificate('Intermediate',
                                                           root_ca)
intermediate_ca.get_extensions().add_property('1.2.3.4',
                                              'critical,DER:01:02:03:04')

# End-entity certificate issued by the intermediate.
leaf = gencerts.create_end_entity_certificate('Target', intermediate_ca)

gencerts.write_chain(__doc__, [leaf, intermediate_ca, root_ca], 'chain.pem')
sys.path += ['../..']
import gencerts

# The new certs should have a newer notbefore date than "old" certs. This should
# affect path builder sorting, but otherwise won't matter.
JANUARY_2_2015_UTC = '150102120000Z'

# Self-signed root certificates. Same name, different keys.
# Both use the subject 'Root'; only newroot's key is reused further down
# (newrootrollover.set_key(newroot.get_key())).
oldroot = gencerts.create_self_signed_root_certificate('Root')
oldroot.set_validity_range(gencerts.JANUARY_1_2015_UTC,
                           gencerts.JANUARY_1_2016_UTC)
newroot = gencerts.create_self_signed_root_certificate('Root')
newroot.set_validity_range(JANUARY_2_2015_UTC, gencerts.JANUARY_1_2016_UTC)

# Root with the new key signed by the old key.
# Same subject as both roots, issued by oldroot, but carrying newroot's key:
# a rollover certificate that links the old trust anchor to anything signed
# with the new root key.  Its notBefore is the "new" date.
newrootrollover = gencerts.create_intermediate_certificate('Root', oldroot)
newrootrollover.set_key(newroot.get_key())
newrootrollover.set_validity_range(JANUARY_2_2015_UTC,
                                   gencerts.JANUARY_1_2016_UTC)

# Intermediate signed by oldroot.
oldintermediate = gencerts.create_intermediate_certificate(
    'Intermediate', oldroot)
oldintermediate.set_validity_range(gencerts.JANUARY_1_2015_UTC,
                                   gencerts.JANUARY_1_2016_UTC)

# Intermediate signed by newroot. Same key as oldintermediate.
# (Same subject too, so the two intermediates differ only in issuer,
# signature and notBefore.)
newintermediate = gencerts.create_intermediate_certificate(
    'Intermediate', newroot)
newintermediate.set_key(oldintermediate.get_key())
newintermediate.set_validity_range(JANUARY_2_2015_UTC,
                                   gencerts.JANUARY_1_2016_UTC)
# Copyright (c) 2015 The Chromium Authors. All rights reserved.
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.

"""Certificate chain where the intermediate sets pathlen=0, and is followed by
a self-issued intermediate."""

import sys
sys.path += ['../..']

import gencerts

# Self-signed root certificate (the chain's trust anchor).
root_ca = gencerts.create_self_signed_root_certificate('Root')

# First intermediate: a CA that permits no further (non-self-issued) CA
# certificates below it (pathlen:0).
first_ca = gencerts.create_intermediate_certificate('Intermediate', root_ca)
first_ca.get_extensions().set_property('basicConstraints',
                                       'critical,CA:true,pathlen:0')

# Second intermediate, issued by the first and using the same subject name,
# so it is self-issued but NOT self-signed (different key, different issuer
# key).  It repeats the pathlen:0 restriction.
second_ca = gencerts.create_intermediate_certificate('Intermediate', first_ca)
second_ca.get_extensions().set_property('basicConstraints',
                                        'critical,CA:true,pathlen:0')

# End-entity certificate issued by the self-issued intermediate.
leaf = gencerts.create_end_entity_certificate('Target', second_ca)

gencerts.write_chain(__doc__, [leaf, second_ca, first_ca, root_ca],
                     'chain.pem')
#!/usr/bin/python
# Copyright (c) 2015 The Chromium Authors. All rights reserved.
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.

"""Certificate chain where the root certificate is not self-signed (or
self-issued for that matter)."""

import sys
sys.path += ['../..']

import gencerts

# The actual signer of 'Root'.  It is deliberately left out of the written
# chain, so the last certificate in chain.pem is not self-signed.
shadow_ca = gencerts.create_self_signed_root_certificate('ShadowRoot')

# Non-self-signed root certificate: subject 'Root', issued by 'ShadowRoot'.
root_ca = gencerts.create_intermediate_certificate('Root', shadow_ca)

# Intermediate certificate.
intermediate_ca = gencerts.create_intermediate_certificate('Intermediate',
                                                           root_ca)

# End-entity certificate.
leaf = gencerts.create_end_entity_certificate('Target', intermediate_ca)

gencerts.write_chain(__doc__, [leaf, intermediate_ca, root_ca], 'chain.pem')
#!/usr/bin/env python
# Copyright (c) 2015 The Chromium Authors. All rights reserved.
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.

"""Certificate chain where the target certificate is a CA rather than an
end-entity certificate (based on the basic constraints extension)."""

import sys
sys.path += ['../..']

import gencerts

# Self-signed root certificate (the chain's trust anchor).
root_ca = gencerts.create_self_signed_root_certificate('Root')

# Intermediate certificate.
intermediate_ca = gencerts.create_intermediate_certificate('Intermediate',
                                                           root_ca)

# The "target" is built with create_intermediate_certificate rather than
# create_end_entity_certificate, so it carries CA basic constraints even
# though it sits at the end of the chain.
leaf = gencerts.create_intermediate_certificate('Target', intermediate_ca)

gencerts.write_chain(__doc__, [leaf, intermediate_ca, root_ca], 'chain.pem')
"""
import sys
sys.path += ['../..']
import gencerts

DATE_A = '150101120000Z'
DATE_B = '150102120000Z'
DATE_C = '150103120000Z'
DATE_Z = '180101120000Z'

root = gencerts.create_self_signed_root_certificate('Root')
root.set_validity_range(DATE_A, DATE_Z)

# Three intermediates that share subject ('Intermediate'), issuer (root) and,
# via set_key, the key of int_matching_ski_a — hence presumably the same SKID
# (depends on how gencerts derives the SKID; not visible here).  They differ
# only in notBefore: A, B and C respectively.
int_matching_ski_a = gencerts.create_intermediate_certificate(
    'Intermediate', root)
int_matching_ski_a.set_validity_range(DATE_A, DATE_Z)

int_matching_ski_b = gencerts.create_intermediate_certificate(
    'Intermediate', root)
int_matching_ski_b.set_validity_range(DATE_B, DATE_Z)
int_matching_ski_b.set_key(int_matching_ski_a.get_key())

int_matching_ski_c = gencerts.create_intermediate_certificate(
    'Intermediate', root)
int_matching_ski_c.set_validity_range(DATE_C, DATE_Z)
int_matching_ski_c.set_key(int_matching_ski_a.get_key())

# For some reason, OpenSSL seems to require disabling SKID and AKID on the
# parent cert in order to generate an intermediate cert without a SKID.
# root2 reuses the subject 'Root' (same name as root, a distinct key).
root2 = gencerts.create_self_signed_root_certificate('Root')
# Generate the keys -- the same key is used for all intermediates and end entity # certificates. root_key = gencerts.get_or_generate_rsa_key(2048, gencerts.create_key_path('root')) i_key = gencerts.get_or_generate_rsa_key(2048, gencerts.create_key_path('i')) target_key = gencerts.get_or_generate_rsa_key( 2048, gencerts.create_key_path('target')) # Self-signed root certificate. root = gencerts.create_self_signed_root_certificate('Root') root.set_key(root_key) gencerts.write_string_to_file(root.get_cert_pem(), 'root.pem') # Intermediate certificates. All have the same subject and key. i_base = gencerts.create_intermediate_certificate('I', root) i_base.set_key(i_key) gencerts.write_string_to_file(i_base.get_cert_pem(), 'i.pem') i2 = gencerts.create_intermediate_certificate('I', root) i2.set_key(i_key) gencerts.write_string_to_file(i2.get_cert_pem(), 'i2.pem') i3 = gencerts.create_intermediate_certificate('I', root) i3.set_key(i_key) gencerts.write_string_to_file(i3.get_cert_pem(), 'i3.pem') # More Intermediate certificates, which are just to generate the proper config # files so the target certs will have the desired Authority Information Access # values. These ones aren't saved to files. i_no_aia = gencerts.create_intermediate_certificate('I', root)
"""
import sys
sys.path += ['../..']
import gencerts

DATE_A = '150101120000Z'
DATE_B = '150102120000Z'
DATE_C = '180101120000Z'
DATE_D = '180102120000Z'

root = gencerts.create_self_signed_root_certificate('Root')
root.set_validity_range(DATE_A, DATE_D)

# Four intermediates, all issued by root with subject 'Intermediate' and (via
# set_key) int_ac's key.  The name suffix encodes the (notBefore, notAfter)
# window: int_ac = A..C, int_ad = A..D, int_bc = B..C, int_bd = B..D.  They
# are otherwise interchangeable, so only validity can drive path selection.
int_ac = gencerts.create_intermediate_certificate('Intermediate', root)
int_ac.set_validity_range(DATE_A, DATE_C)

int_ad = gencerts.create_intermediate_certificate('Intermediate', root)
int_ad.set_validity_range(DATE_A, DATE_D)
int_ad.set_key(int_ac.get_key())

int_bc = gencerts.create_intermediate_certificate('Intermediate', root)
int_bc.set_validity_range(DATE_B, DATE_C)
int_bc.set_key(int_ac.get_key())

int_bd = gencerts.create_intermediate_certificate('Intermediate', root)
int_bd.set_validity_range(DATE_B, DATE_D)
int_bd.set_key(int_ac.get_key())

# The target is issued by int_ac; since all four intermediates share that key,
# any of them can verify the target's signature.
target = gencerts.create_end_entity_certificate('Target', int_ac)
import sys
sys.path += ['../..']
import gencerts

DATE_A = '150101120000Z'
DATE_B = '150102120000Z'
DATE_Z = '180101120000Z'

# Two unrelated self-signed roots, both valid from A to Z.
root1 = gencerts.create_self_signed_root_certificate('Root1')
root1.set_validity_range(DATE_A, DATE_Z)

root2 = gencerts.create_self_signed_root_certificate('Root2')
root2.set_validity_range(DATE_A, DATE_Z)

# Root1's subject name and key, but cross-signed by Root2 and with a later
# notBefore (B) than the self-signed Root1.
root1_cross = gencerts.create_intermediate_certificate('Root1', root2)
root1_cross.set_key(root1.get_key())
root1_cross.set_validity_range(DATE_B, DATE_Z)

# End-entity certificate issued directly by the self-signed Root1.
target = gencerts.create_end_entity_certificate('Target', root1)
target.set_validity_range(DATE_A, DATE_Z)

# Every certificate goes to its own PEM file (no combined chain), in this
# order: description, certificate, output file name.
_OUTPUTS = (
    ('Root1', root1, 'root1.pem'),
    ('Root2', root2, 'root2.pem'),
    ('Root1 cross-signed by Root2, with a newer notBefore date'
     ' than Root1', root1_cross, 'root1_cross.pem'),
    ('Target', target, 'target.pem'),
)
for description, cert, filename in _OUTPUTS:
    gencerts.write_chain(description, [cert], out_pem=filename)
import gencerts

DATE_A = '150101120000Z'
DATE_B = '150102120000Z'
DATE_C = '150103120000Z'
DATE_Z = '180101120000Z'

# Two self-signed roots with distinct subject names, both valid from A to Z.
root = gencerts.create_self_signed_root_certificate('Root')
root.set_validity_range(DATE_A, DATE_Z)

root2 = gencerts.create_self_signed_root_certificate('Root2')
root2.set_validity_range(DATE_A, DATE_Z)

# Give the certs notBefore dates in reverse priority order so we can test that
# the issuer/serial key id didn't affect prioritization.
# All three intermediates use the subject 'Intermediate' and (via set_key)
# int_matching's key; they differ in issuer and notBefore:
#   int_matching         issued by root,  notBefore A
#   int_mismatch         issued by root2, notBefore C
#   int_match_name_only  issued by root,  notBefore B
int_matching = gencerts.create_intermediate_certificate('Intermediate', root)
int_matching.set_validity_range(DATE_A, DATE_Z)

int_mismatch = gencerts.create_intermediate_certificate('Intermediate', root2)
int_mismatch.set_key(int_matching.get_key())
int_mismatch.set_validity_range(DATE_C, DATE_Z)

int_match_name_only = gencerts.create_intermediate_certificate(
    'Intermediate', root)
int_match_name_only.set_key(int_matching.get_key())
int_match_name_only.set_validity_range(DATE_B, DATE_Z)

# Make certificates signed by int_matching carry an authorityKeyIdentifier in
# OpenSSL's 'issuer:always' form (issuer name + serial number).  The
# 'signing_ca_ext' section is presumably the extension set applied when this
# cert acts as issuer — confirm against gencerts.
section = int_matching.config.get_section('signing_ca_ext')
section.set_property('authorityKeyIdentifier', 'issuer:always')

target = gencerts.create_end_entity_certificate('Target', int_matching)
target.set_validity_range(DATE_A, DATE_Z)
import gencerts


def write_cert_to_file(cert, filename):
    """Write ``cert``'s PEM to ``filename`` behind a short provenance header.

    The header records the generating script (sys.argv[0]) and points the
    reader at the script's docstring; the certificate PEM follows it verbatim.

    Args:
        cert: A gencerts certificate object exposing get_cert_pem().
        filename: Output path handed to gencerts.write_string_to_file.
    """
    gencerts.write_string_to_file(
        "Generated by %s.\n"
        "Refer to generator script docstring for details.\n%s" %
        (sys.argv[0], cert.get_cert_pem()), filename)


# Self-signed root certificate
root = gencerts.create_self_signed_root_certificate('Root')
write_cert_to_file(root, 'root.pem')

# Intermediate certificates
# None of these call set_key(), so each presumably gets its own key from
# create_intermediate_certificate; the variations below are in subject name
# only.
i1_1 = gencerts.create_intermediate_certificate('I1', root)
write_cert_to_file(i1_1, 'i1_1.pem')

# same name (after normalization), different key
i1_2 = gencerts.create_intermediate_certificate('i1', root)
write_cert_to_file(i1_2, 'i1_2.pem')

# different name
i2 = gencerts.create_intermediate_certificate('I2', root)
write_cert_to_file(i2, 'i2.pem')

# Two intermediates with exactly the same name.
i3_1 = gencerts.create_intermediate_certificate('I3', root)
write_cert_to_file(i3_1, 'i3_1.pem')

i3_2 = gencerts.create_intermediate_certificate('I3', root)
write_cert_to_file(i3_2, 'i3_2.pem')
i_key = gencerts.get_or_generate_rsa_key(2048, gencerts.create_key_path('i'))
leaf_key = gencerts.get_or_generate_rsa_key(2048,
                                            gencerts.create_key_path('leaf'))

# Self-signed root certificate.
root = gencerts.create_self_signed_root_certificate('Root')
root.set_key(root_key)
# Preserve the ordering of the distinguished name in CSRs when issuing
# certificates. This must be in the BASE ('ca') section.
# Without this the issuer could re-order the subject attributes, which would
# defeat the O1/O2 vs O2/O1 ordering the intermediates below are built to test.
root.config.get_section('ca').set_property('preserve', 'yes')
gencerts.write_string_to_file(root.get_cert_pem(), 'root.pem')

## Create intermediate certs

# Both intermediates below share i_key and have their subject rebuilt from
# scratch (clear_properties), so they differ only in the order of their two
# organizationName attributes.  The 'N.' prefix is OpenSSL's config-file
# convention for repeating the same key within one section.

# Intermediate with two organizations as two distinct SETs, ordered O1 and O2
i_o1_o2 = gencerts.create_intermediate_certificate('I1', root)
i_o1_o2.set_key(i_key)
dn = i_o1_o2.get_subject()
dn.clear_properties()
dn.add_property('0.organizationName', 'O1')
dn.add_property('1.organizationName', 'O2')
gencerts.write_string_to_file(i_o1_o2.get_cert_pem(), 'int-o1-o2.pem')

# Intermediate with two organizations as two distinct SETs, ordered O2 and O1
i_o2_o1 = gencerts.create_intermediate_certificate('I2', root)
i_o2_o1.set_key(i_key)
dn = i_o2_o1.get_subject()
dn.clear_properties()
dn.add_property('0.organizationName', 'O2')
dn.add_property('1.organizationName', 'O1')
gencerts.write_string_to_file(i_o2_o1.get_cert_pem(), 'int-o2-o1.pem')