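#!/usr/bin/env python
# Copyright 2018 The Chromium Authors
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.

import sys
# Makes the shared |gencerts| helper two directories up importable.
sys.path += ['../..']

import gencerts


def _ip_octets(i):
    """Return (a, b, c) with i == a * 65536 + b * 256 + c.

    Spreads a sequential index across the low three octets of a generated
    IPv4 address so that every entry is distinct even past 255 entries.
    """
    b, c = divmod(i, 256)
    a, b = divmod(b, 256)
    return a, b, c


def _add_names(cert, section, key_prefix, dns_fmt, ip_fmt, dirname_section_fmt,
               cn_fmt, uri_fmt, num_dns, num_ip, num_dirnames, num_uri):
    """Populate an OpenSSL config section with generated name entries.

    This is the common body of the three public helpers below; they differ
    only in which section they write, the key prefix and the value formats.

    Args:
      cert: the gencerts certificate whose config owns |section|.
      section: config section receiving the DNS/IP/dirName/URI keys.
      key_prefix: text placed before each key ('' for SANs, 'excluded;' or
        'permitted;' for name constraints).
      dns_fmt, uri_fmt, cn_fmt: '%i' format strings for the DNS name, the URI
        and the commonName of each dirName entry (formatted with the 0-based
        index).
      ip_fmt: format string taking the three octets from _ip_octets().
      dirname_section_fmt: '%i' format string naming the per-entry dirName
        section (formatted with the 1-based index).
      num_dns, num_ip, num_dirnames, num_uri: number of entries of each type;
        0 adds nothing of that type.

    Keys are numbered from 1 and values from 0, matching the original layout
    of the generated config files.
    """
    for i in range(num_dns):
        section.set_property('%sDNS.%i' % (key_prefix, i + 1), dns_fmt % i)
    for i in range(num_ip):
        section.set_property('%sIP.%i' % (key_prefix, i + 1),
                             ip_fmt % _ip_octets(i))
    for i in range(num_dirnames):
        # Each dirName value points at its own section holding the name.
        dirname_section = dirname_section_fmt % (i + 1)
        cert.config.get_section(dirname_section).set_property(
            'commonName', cn_fmt % i)
        section.set_property('%sdirName.%i' % (key_prefix, i + 1),
                             dirname_section)
    for i in range(num_uri):
        section.set_property('%sURI.%i' % (key_prefix, i + 1), uri_fmt % i)


def add_excluded_name_constraints(cert, num_dns, num_ip, num_dirnames, num_uri):
    """Add excluded-subtree name constraints of each type to |cert|.

    Excluded names use the 'x' prefix / 11.0.0.0 range so they never overlap
    the permitted names and SANs generated by the helpers below.
    """
    cert.get_extensions().set_property('nameConstraints', '@nameConstraints_info')
    constraints = cert.config.get_section('nameConstraints_info')
    _add_names(cert, constraints, 'excluded;',
               dns_fmt='x%i.test',
               ip_fmt='11.%i.%i.%i/255.255.255.255',
               dirname_section_fmt='nameConstraints_dirname_x%i',
               cn_fmt='"x%i',
               uri_fmt='http://xest/%i',
               num_dns=num_dns, num_ip=num_ip, num_dirnames=num_dirnames,
               num_uri=num_uri)


def add_permitted_name_constraints(
    cert, num_dns, num_ip, num_dirnames, num_uri):
    """Add permitted-subtree name constraints of each type to |cert|.

    Permitted names use the same 't' prefix / 10.0.0.0 range as add_sans(), so
    a target's SANs fall inside the permitted subtrees.
    """
    cert.get_extensions().set_property('nameConstraints', '@nameConstraints_info')
    constraints = cert.config.get_section('nameConstraints_info')
    _add_names(cert, constraints, 'permitted;',
               dns_fmt='t%i.test',
               ip_fmt='10.%i.%i.%i/255.255.255.255',
               dirname_section_fmt='nameConstraints_dirname_p%i',
               cn_fmt='"t%i',
               uri_fmt='http://test/%i',
               num_dns=num_dns, num_ip=num_ip, num_dirnames=num_dirnames,
               num_uri=num_uri)


def add_sans(cert, num_dns, num_ip, num_dirnames, num_uri):
    """Add subjectAltName entries of each type to |cert|."""
    cert.get_extensions().set_property('subjectAltName', '@san_info')
    sans = cert.config.get_section('san_info')
    _add_names(cert, sans, '',
               dns_fmt='t%i.test',
               ip_fmt='10.%i.%i.%i',
               dirname_section_fmt='san_dirname%i',
               cn_fmt='"t%i',
               uri_fmt='http://test/%i',
               num_dns=num_dns, num_ip=num_ip, num_dirnames=num_dirnames,
               num_uri=num_uri)


# Self-signed root certificate.
root = gencerts.create_self_signed_root_certificate('Root')

# Use the same keys for all the chains. Fewer key files to check in, and also
# gives stability against re-ordering of the calls to |make_chain|.
intermediate_key = gencerts.get_or_generate_rsa_key(
    2048, gencerts.create_key_path('Intermediate'))
target_key = gencerts.get_or_generate_rsa_key(
    2048, gencerts.create_key_path('t0'))


def make_chain(name, doc, excluded, permitted, sans):
    """Write a root -> intermediate -> target chain as '<name>.pem'.

    Args:
      name: basename of the output PEM file.
      doc: description written into the chain file by gencerts.write_chain.
      excluded, permitted: keyword-argument dicts (num_dns, num_ip,
        num_dirnames, num_uri) for the intermediate's excluded and permitted
        name constraints.
      sans: keyword-argument dict of the same shape for the target's SANs.
    """
    # Intermediate certificate: carries all of the name constraints.
    intermediate = gencerts.create_intermediate_certificate('Intermediate', root)
    intermediate.set_key(intermediate_key)
    add_excluded_name_constraints(intermediate, **excluded)
    add_permitted_name_constraints(intermediate, **permitted)

    # Target certificate: carries the names the constraints are checked against.
    target = gencerts.create_end_entity_certificate('t0', intermediate)
    target.set_key(target_key)
    add_sans(target, **sans)

    chain = [target, intermediate, root]
    gencerts.write_chain(doc, chain, '%s.pem' % name)


# NOTE(review): judging by the counts below, the limit these chains probe
# appears to be 1024 DNS + IP + dirName entries per certificate, with URIs not
# counted: 'ok-all-types' has exactly 1024 constraints and 1024 SANs plus 1025
# URIs of each kind, and every 'toomany-*' chain pushes one counted type to
# 1025 -- confirm against the verifier under test.
make_chain('ok-all-types',
           "A chain containing a large number of name constraints and names,\n"
           "but below the limit.",
           excluded=dict(num_dns=170,
                         num_ip=170,
                         num_dirnames=170,
                         num_uri=1025),
           permitted=dict(num_dns=171,
                          num_ip=171,
                          num_dirnames=172,
                          num_uri=1025),
           sans=dict(num_dns=341, num_ip=341, num_dirnames=342, num_uri=1025))

make_chain('toomany-all-types',
           "A chain containing a large number of different types of name\n"
           "constraints and names, above the limit.",
           excluded=dict(num_dns=170, num_ip=170, num_dirnames=170, num_uri=0),
           permitted=dict(num_dns=172, num_ip=171, num_dirnames=172, num_uri=0),
           sans=dict(num_dns=342, num_ip=341, num_dirnames=341, num_uri=0))

make_chain(
    'toomany-dns-excluded',
    "A chain containing a large number of excluded DNS name\n"
    "constraints and DNS names, above the limit.",
    excluded=dict(num_dns=1025, num_ip=0, num_dirnames=0, num_uri=0),
    permitted=dict(num_dns=0, num_ip=0, num_dirnames=0, num_uri=0),
    sans=dict(num_dns=1024, num_ip=0, num_dirnames=0, num_uri=0))
make_chain(
    'toomany-ips-excluded',
    "A chain containing a large number of excluded IP name\n"
    "constraints and IP names, above the limit.",
    excluded=dict(num_dns=0, num_ip=1025, num_dirnames=0, num_uri=0),
    permitted=dict(num_dns=0, num_ip=0, num_dirnames=0, num_uri=0),
    sans=dict(num_dns=0, num_ip=1024, num_dirnames=0, num_uri=0))
make_chain(
    'toomany-dirnames-excluded',
    "A chain containing a large number of excluded directory name\n"
    "constraints and directory names, above the limit.",
    excluded=dict(num_dns=0, num_ip=0, num_dirnames=1025, num_uri=0),
    permitted=dict(num_dns=0, num_ip=0, num_dirnames=0, num_uri=0),
    sans=dict(num_dns=0, num_ip=0, num_dirnames=1024, num_uri=0))

make_chain(
    'toomany-dns-permitted',
    "A chain containing a large number of permitted DNS name\n"
    "constraints and DNS names, above the limit.",
    excluded=dict(num_dns=0, num_ip=0, num_dirnames=0, num_uri=0),
    permitted=dict(num_dns=1025, num_ip=0, num_dirnames=0, num_uri=0),
    sans=dict(num_dns=1024, num_ip=0, num_dirnames=0, num_uri=0))
make_chain(
    'toomany-ips-permitted',
    "A chain containing a large number of permitted IP name\n"
    "constraints and IP names, above the limit.",
    excluded=dict(num_dns=0, num_ip=0, num_dirnames=0, num_uri=0),
    permitted=dict(num_dns=0, num_ip=1025, num_dirnames=0, num_uri=0),
    sans=dict(num_dns=0, num_ip=1024, num_dirnames=0, num_uri=0))
make_chain(
    'toomany-dirnames-permitted',
    "A chain containing a large number of permitted directory name\n"
    "constraints and directory names, above the limit.",
    excluded=dict(num_dns=0, num_ip=0, num_dirnames=0, num_uri=0),
    permitted=dict(num_dns=0, num_ip=0, num_dirnames=1025, num_uri=0),
    sans=dict(num_dns=0, num_ip=0, num_dirnames=1024, num_uri=0))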