#!/usr/bin/env python
# Copyright 2016 The Chromium Authors
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.

"""A certificate tree with two self-signed root certificates(oldroot, newroot),
and a third root certificate (newrootrollover) which has the same key as newroot
but is signed by oldroot, all with the same subject and issuer.
There are two intermediates with the same key, subject and issuer
(oldintermediate signed by oldroot, and newintermediate signed by newroot).
The target certificate is signed by the intermediate key.


In graphical form:

   oldroot-------->newrootrollover      newroot
      |                   |                 |
      v                   v                 v
oldintermediate     newintermediate
      |                   |
      +---------+---------+
                |
                v
             target


Several chains are output:
  key-rollover-oldchain.pem:
    target<-oldintermediate<-oldroot
  key-rollover-rolloverchain.pem:
    target<-newintermediate<-newrootrollover<-oldroot
  key-rollover-longrolloverchain.pem:
    target<-newintermediate<-newroot<-newrootrollover<-oldroot
  key-rollover-newchain.pem:
    target<-newintermediate<-newroot

All of these chains should verify successfully.
"""

import sys
sys.path += ['../..']

import gencerts

# The new certs should have a newer notbefore date than "old" certs. This should
# affect path builder sorting, but otherwise won't matter.
JANUARY_2_2015_UTC = '150102120000Z'

# Every certificate in this tree expires at the same instant; only the
# notBefore date distinguishes an "old" cert from a "new" one.
NOT_AFTER = gencerts.JANUARY_1_2016_UTC


def _set_validity(cert, not_before):
  """Apply the shared notAfter date to cert and return it for chaining."""
  cert.set_validity_range(not_before, NOT_AFTER)
  return cert


# Self-signed root certificates. Same name, different keys.
oldroot = _set_validity(
    gencerts.create_self_signed_root_certificate('Root'),
    gencerts.JANUARY_1_2015_UTC)
newroot = _set_validity(
    gencerts.create_self_signed_root_certificate('Root'),
    JANUARY_2_2015_UTC)

# Root with the new key signed by the old key. It carries the same subject and
# issuer as both self-signed roots, so only the key tells the roots apart.
newrootrollover = gencerts.create_intermediate_certificate('Root', oldroot)
newrootrollover.set_key(newroot.get_key())
_set_validity(newrootrollover, JANUARY_2_2015_UTC)

# Intermediate signed by oldroot.
oldintermediate = _set_validity(
    gencerts.create_intermediate_certificate('Intermediate', oldroot),
    gencerts.JANUARY_1_2015_UTC)
# Intermediate signed by newroot. Same key as oldintermediate.
newintermediate = gencerts.create_intermediate_certificate('Intermediate',
                                                           newroot)
newintermediate.set_key(oldintermediate.get_key())
_set_validity(newintermediate, JANUARY_2_2015_UTC)

# Target certificate. It is issued under the key both intermediates share, which
# is what lets it chain through either oldintermediate or newintermediate.
target = _set_validity(
    gencerts.create_end_entity_certificate('Target', oldintermediate),
    gencerts.JANUARY_1_2015_UTC)

# (output file, chain listed leaf first). Every one of these is expected to
# verify successfully; the write order matches the docstring above.
CHAINS = [
    ("oldchain.pem",
     [target, oldintermediate, oldroot]),
    ("rolloverchain.pem",
     [target, newintermediate, newrootrollover, oldroot]),
    ("longrolloverchain.pem",
     [target, newintermediate, newroot, newrootrollover, oldroot]),
    ("newchain.pem",
     [target, newintermediate, newroot]),
]

for out_pem, chain in CHAINS:
  gencerts.write_chain(__doc__, chain, out_pem=out_pem)