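#!/usr/bin/env python3
# Copyright 2016 The Chromium Authors
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.

"""Generates the certificate fixtures for the AIA issuer-source tests.

Every end-entity certificate is signed by an intermediate with subject 'I'
whose caIssuers (Authority Information Access) entries vary: none, the
default, several, a file: URI, an unparsable URI, or a mix. Only the root,
the three 'I' intermediates and the end-entity certificates are written to
disk; the intermediates that exist just to shape the AIA extension are not.
"""

import os
import sys
# '..' is resolved against the current working directory, not against this
# file's location, so the script has to be run from its own directory for
# 'import gencerts' to find the sibling helper module.
sys.path += ['..']

import gencerts

# Generate the keys -- the same key is used for all intermediates and end entity
# certificates. Sharing one key across certificates is fine for a test fixture
# but is not how a real PKI is set up.
root_key = gencerts.get_or_generate_rsa_key(2048,
                                            gencerts.create_key_path('root'))
i_key = gencerts.get_or_generate_rsa_key(2048, gencerts.create_key_path('i'))
target_key = gencerts.get_or_generate_rsa_key(
    2048, gencerts.create_key_path('target'))

# Self-signed root certificate.
root = gencerts.create_self_signed_root_certificate('Root')
root.set_key(root_key)
gencerts.write_string_to_file(root.get_cert_pem(), 'root.pem')


def _make_intermediate(ca_issuer_uris=(), first_index=1):
  """Creates an intermediate with subject 'I', issued by root, keyed by i_key.

  Args:
    ca_issuer_uris: caIssuers URIs to add to the 'issuer_info' config section,
        in order. When empty, the config is left untouched.
    first_index: the N in the 'caIssuers;URI.N' property of the first URI;
        each following URI gets the next index. NOTE(review): gencerts
        presumably pre-populates URI.0 (the "six" variant below only sets five
        entries here), so starting at 0 replaces that entry while starting at
        1 adds to it -- confirm against gencerts.py.

  Returns:
    The certificate object. Nothing is written to disk.
  """
  cert = gencerts.create_intermediate_certificate('I', root)
  cert.set_key(i_key)
  if ca_issuer_uris:
    section = cert.config.get_section('issuer_info')
    for offset, uri in enumerate(ca_issuer_uris):
      section.set_property('caIssuers;URI.%d' % (first_index + offset), uri)
  return cert


def _write_target(issuer, filename):
  """Creates an end-entity certificate for DNS:target signed by |issuer|.

  The certificate uses target_key and its PEM is written to |filename|.

  Returns:
    The certificate object.
  """
  cert = gencerts.create_end_entity_certificate('target', issuer)
  cert.set_key(target_key)
  cert.get_extensions().set_property('subjectAltName', 'DNS:target')
  gencerts.write_string_to_file(cert.get_cert_pem(), filename)
  return cert


# Intermediate certificates. All have the same subject and key, so any of them
# is a valid issuer for the end-entity certificates below.
i_base = _make_intermediate()
gencerts.write_string_to_file(i_base.get_cert_pem(), 'i.pem')

i2 = _make_intermediate()
gencerts.write_string_to_file(i2.get_cert_pem(), 'i2.pem')

i3 = _make_intermediate()
gencerts.write_string_to_file(i3.get_cert_pem(), 'i3.pem')


# More Intermediate certificates, which are just to generate the proper config
# files so the target certs will have the desired Authority Information Access
# values. These ones aren't saved to files. Creation order is kept as in the
# original script so the generated output stays reproducible.
AIA2_URI = 'http://url-for-aia2/I2.foo'
AIA3_URI = 'http://url-for-aia3/I3.foo'
AIA4_URI = 'http://url-for-aia4/I4.foo'
AIA5_URI = 'http://url-for-aia5/I5.foo'
AIA6_URI = 'http://url-for-aia6/I6.foo'

# No AIA extension at all.
i_no_aia = _make_intermediate()
i_no_aia.config.get_section('signing_ca_ext').set_property(
    'authorityInfoAccess', None)

# Additional HTTP caIssuers entries on top of the default one.
i_two_aia = _make_intermediate([AIA2_URI])
i_three_aia = _make_intermediate([AIA2_URI, AIA3_URI])
i_six_aia = _make_intermediate(
    [AIA2_URI, AIA3_URI, AIA4_URI, AIA5_URI, AIA6_URI])

# Non-HTTP and unparsable caIssuers entries replace the default one (index 0).
# These presumably exercise how the AIA fetcher rejects or ignores URIs it
# must not follow, such as local file paths.
i_file_aia = _make_intermediate(['file:///dev/null'], first_index=0)
i_invalid_url_aia = _make_intermediate(['foobar'], first_index=0)

# A bad entry followed by a usable HTTP entry.
i_file_and_http_aia = _make_intermediate(
    ['file:///dev/null', AIA2_URI], first_index=0)
i_invalid_and_http_aia = _make_intermediate(
    ['foobar', AIA2_URI], first_index=0)


# target certs
# Each is bound to 'target' so the module-level name ends up holding the last
# certificate, as before.
target = _write_target(i_base, 'target_one_aia.pem')
target = _write_target(i_no_aia, 'target_no_aia.pem')
target = _write_target(i_two_aia, 'target_two_aia.pem')
target = _write_target(i_three_aia, 'target_three_aia.pem')
target = _write_target(i_six_aia, 'target_six_aia.pem')
target = _write_target(i_file_aia, 'target_file_aia.pem')
target = _write_target(i_invalid_url_aia, 'target_invalid_url_aia.pem')
target = _write_target(i_file_and_http_aia, 'target_file_and_http_aia.pem')
target = _write_target(i_invalid_and_http_aia,
                       'target_invalid_and_http_aia.pem')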