1#!/usr/bin/env python 2# Copyright 2019 The Chromium Authors 3# Use of this source code is governed by a BSD-style license that can be 4# found in the LICENSE file. 5 6"""Certificate chain where the intermediate was signed by a different 7certificate with a different key. The intermediate lacks an 8authorityKeyIdentifier extension as some verifiers will not try verifying with 9the bogus root if the authorityKeyIdentifier does not match the root's 10subjectKeyIdentifier. 11""" 12 13import sys 14sys.path += ['../..'] 15 16import gencerts 17 18# Self-signed root certificate, which actually signed the intermediate. 19root = gencerts.create_self_signed_root_certificate('Root') 20section = root.config.get_section('signing_ca_ext') 21# Don't include authorityKeyIdentifier extension in the intermediate issued by 22# the real root, otherwise the verifier might not even try to validate the 23# signature against the bogus root. 24section.remove_property('authorityKeyIdentifier') 25 26# Intermediate certificate. 27intermediate = gencerts.create_intermediate_certificate('Intermediate', root) 28 29# Target certificate. 30target = gencerts.create_end_entity_certificate('Target', intermediate) 31# TODO(eroman): Set subjectAltName by default rather than specifically in 32# this test. 33target.get_extensions().set_property('subjectAltName', 'DNS:test.example') 34 35# Self-signed root certificate that has nothing to do with this chain, but will 36# be saved as its root certificate. 37bogus_root = gencerts.create_self_signed_root_certificate('Root') 38 39chain = [target, intermediate, bogus_root] 40gencerts.write_chain(__doc__, chain, 'chain.pem') 41