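#!/usr/bin/env python
# Copyright 2018 The Chromium Authors
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.

"""Generates certificate chains carrying a very large number of names and
name constraints.

Every chain is Root -> Intermediate -> t0.  The intermediate carries the
nameConstraints extension (excluded and/or permitted subtrees) and the target
carries the subjectAltName extension.  Chains named "ok-*" are expected to
verify; chains named "toomany-*" are expected to be rejected by the verifier's
guard against a pathological amount of name-constraint work (each SAN of a
given type has to be compared against every constraint of that type, so a
hostile issuer could otherwise make verification quadratically expensive).

NOTE(review): the counts used below are consistent with a cap of 2**20
(1048576) comparisons per chain, summed over name types as
(names of type) * (constraints of type):
  3 * 418 * (418 + 418) = 1048344  -> just under   ("ok-all-types")
  3 * 419 * (419 + 419) = 1053366  -> just over    ("toomany-all-types")
  1024 * 1025           = 1049600  -> just over    (single-type chains)
The actual limit lives in the verifier, not in this script -- confirm it there
before adjusting any of the numbers.
"""

import sys
# gencerts lives two directories up.  Like the output paths it produces, this
# assumes the script is run from its own directory.
sys.path += ['../..']

import gencerts

# How each kind of constraint spells its values.  The permitted names match
# the SANs that add_sans() puts on the target (t*.test, 10.x.x.x, CN=t*,
# http://test/...), while the excluded names deliberately do not (x*.test,
# 11.x.x.x, CN=x*, http://xest/...), so the target satisfies the constraints
# no matter how many of them are present.
_CONSTRAINT_SPELLINGS = {
    'excluded': dict(name_tag='x', section_tag='x', ip_octet=11,
                     uri_host='xest'),
    'permitted': dict(name_tag='t', section_tag='p', ip_octet=10,
                      uri_host='test'),
}


def _ipv4_octets(i):
  """Maps the sequential index |i| to the low three IPv4 octets (a, b, c).

  Index 0 is X.0.0.0, index 256 is X.0.1.0, and so on.  The chains below use
  at most a few thousand addresses, so |a| stays 0 in practice.
  """
  b, c = divmod(i, 256)
  a, b = divmod(b, 256)
  return a, b, c


def _add_name_constraints(cert, kind, num_dns, num_ip, num_dirnames, num_uri):
  """Adds |kind| ('excluded' or 'permitted') name constraints to |cert|.

  All constraints go into the single 'nameConstraints_info' config section,
  so calling this once per kind on the same certificate yields one
  nameConstraints extension holding both subtrees.

  Args:
    cert: a gencerts certificate; only its extensions and config are touched.
    kind: 'excluded' or 'permitted'.
    num_dns, num_ip, num_dirnames, num_uri: how many constraints of each name
        type to add.  Every directory name gets its own config section.

  Raises:
    KeyError: if |kind| is not one of the two supported subtrees.
  """
  spelling = _CONSTRAINT_SPELLINGS[kind]
  cert.get_extensions().set_property('nameConstraints', '@nameConstraints_info')
  constraints = cert.config.get_section('nameConstraints_info')

  for i in range(num_dns):
    constraints.set_property('%s;DNS.%i' % (kind, i + 1),
                             '%s%i.test' % (spelling['name_tag'], i))

  for i in range(num_ip):
    a, b, c = _ipv4_octets(i)
    # /32 mask: each constraint covers exactly one address.
    constraints.set_property(
        '%s;IP.%i' % (kind, i + 1),
        '%i.%i.%i.%i/255.255.255.255' % (spelling['ip_octet'], a, b, c))

  for i in range(num_dirnames):
    section_name = 'nameConstraints_dirname_%s%i' % (spelling['section_tag'],
                                                     i + 1)
    dirname = cert.config.get_section(section_name)
    # The leading '"' is kept from the original generator; presumably it quotes
    # the value for the OpenSSL config parser -- confirm in gencerts before
    # changing it.
    dirname.set_property('commonName', '"%s%i' % (spelling['name_tag'], i))
    constraints.set_property('%s;dirName.%i' % (kind, i + 1), section_name)

  for i in range(num_uri):
    constraints.set_property('%s;URI.%i' % (kind, i + 1),
                             'http://%s/%i' % (spelling['uri_host'], i))


def add_excluded_name_constraints(cert, num_dns, num_ip, num_dirnames, num_uri):
  """Adds excluded name constraints (x*.test, 11.x.x.x, CN=x*, http://xest/*).

  See _add_name_constraints for the argument meanings.
  """
  _add_name_constraints(cert, 'excluded', num_dns, num_ip, num_dirnames,
                        num_uri)


def add_permitted_name_constraints(
    cert, num_dns, num_ip, num_dirnames, num_uri):
  """Adds permitted name constraints (t*.test, 10.x.x.x, CN=t*, http://test/*).

  See _add_name_constraints for the argument meanings.
  """
  _add_name_constraints(cert, 'permitted', num_dns, num_ip, num_dirnames,
                        num_uri)


def add_sans(cert, num_dns, num_ip, num_dirnames, num_uri):
  """Adds a subjectAltName extension with the requested number of names.

  The names are spelled exactly like the permitted constraints (t*.test,
  10.x.x.x, CN=t*, http://test/*), so they fall inside a permitted subtree and
  outside every excluded one.

  Args:
    cert: a gencerts certificate; only its extensions and config are touched.
    num_dns, num_ip, num_dirnames, num_uri: how many names of each type to
        add.  Every directory name gets its own config section.
  """
  cert.get_extensions().set_property('subjectAltName', '@san_info')
  sans = cert.config.get_section('san_info')

  for i in range(num_dns):
    sans.set_property('DNS.%i' % (i + 1), 't%i.test' % i)

  for i in range(num_ip):
    a, b, c = _ipv4_octets(i)
    sans.set_property('IP.%i' % (i + 1), '10.%i.%i.%i' % (a, b, c))

  for i in range(num_dirnames):
    section_name = 'san_dirname%i' % (i + 1)
    dirname = cert.config.get_section(section_name)
    # Same leading '"' as the constraint directory names; see above.
    dirname.set_property('commonName', '"t%i' % i)
    sans.set_property('dirName.%i' % (i + 1), section_name)

  for i in range(num_uri):
    sans.set_property('URI.%i' % (i + 1), 'http://test/%i' % i)


# Self-signed root certificate.
root = gencerts.create_self_signed_root_certificate('Root')

# Use the same keys for all the chains. Fewer key files to check in, and also
# gives stability against re-ordering of the calls to |make_chain|.
intermediate_key = gencerts.get_or_generate_rsa_key(
    2048, gencerts.create_key_path('Intermediate'))
target_key = gencerts.get_or_generate_rsa_key(
    2048, gencerts.create_key_path('t0'))


def make_chain(name, doc, excluded, permitted, sans):
  """Writes the chain Root -> Intermediate -> t0 to '<name>.pem'.

  Args:
    name: basename of the output file.
    doc: human-readable description embedded in the output by gencerts.
    excluded: keyword arguments for add_excluded_name_constraints (applied to
        the intermediate).
    permitted: keyword arguments for add_permitted_name_constraints (applied to
        the intermediate).
    sans: keyword arguments for add_sans (applied to the target).
  """
  # Intermediate certificate.
  intermediate = gencerts.create_intermediate_certificate('Intermediate', root)
  intermediate.set_key(intermediate_key)
  add_excluded_name_constraints(intermediate, **excluded)
  add_permitted_name_constraints(intermediate, **permitted)

  # Target certificate.
  target = gencerts.create_end_entity_certificate('t0', intermediate)
  target.set_key(target_key)
  add_sans(target, **sans)

  chain = [target, intermediate, root]
  gencerts.write_chain(doc, chain, '%s.pem' % name)


# In the "*-all-types" chains the SAN gets one fewer directory name than the
# other types.  This is consistent with the target's own subject DN counting as
# a directory name for constraint purposes (417 + 1 = 418) -- confirm against
# the verifier.  The large URI counts are consistent with URI names not being
# checked against constraints at all.
make_chain(
    'ok-all-types',
    "A chain containing a large number of name constraints and names,\n"
    "but below the limit.",
    excluded=dict(num_dns=418, num_ip=418, num_dirnames=418, num_uri=1025),
    permitted=dict(num_dns=418, num_ip=418, num_dirnames=418, num_uri=1025),
    sans=dict(num_dns=418, num_ip=418, num_dirnames=417, num_uri=1025))

make_chain(
    'toomany-all-types',
    "A chain containing a large number of different types of name\n"
    "constraints and names, above the limit.",
    excluded=dict(num_dns=419, num_ip=419, num_dirnames=419, num_uri=0),
    permitted=dict(num_dns=419, num_ip=419, num_dirnames=419, num_uri=0),
    sans=dict(num_dns=419, num_ip=419, num_dirnames=418, num_uri=0))

# Single-type chains: 1024 names against 1025 constraints of the same type,
# with nothing of any other type, so only that one type drives the limit.
make_chain(
    'toomany-dns-excluded',
    "A chain containing a large number of excluded DNS name\n"
    "constraints and DNS names, above the limit.",
    excluded=dict(num_dns=1025, num_ip=0, num_dirnames=0, num_uri=0),
    permitted=dict(num_dns=0, num_ip=0, num_dirnames=0, num_uri=0),
    sans=dict(num_dns=1024, num_ip=0, num_dirnames=0, num_uri=0))
make_chain(
    'toomany-ips-excluded',
    "A chain containing a large number of excluded IP name\n"
    "constraints and IP names, above the limit.",
    excluded=dict(num_dns=0, num_ip=1025, num_dirnames=0, num_uri=0),
    permitted=dict(num_dns=0, num_ip=0, num_dirnames=0, num_uri=0),
    sans=dict(num_dns=0, num_ip=1024, num_dirnames=0, num_uri=0))
make_chain(
    'toomany-dirnames-excluded',
    "A chain containing a large number of excluded directory name\n"
    "constraints and directory names, above the limit.",
    excluded=dict(num_dns=0, num_ip=0, num_dirnames=1025, num_uri=0),
    permitted=dict(num_dns=0, num_ip=0, num_dirnames=0, num_uri=0),
    sans=dict(num_dns=0, num_ip=0, num_dirnames=1024, num_uri=0))

make_chain(
    'toomany-dns-permitted',
    "A chain containing a large number of permitted DNS name\n"
    "constraints and DNS names, above the limit.",
    excluded=dict(num_dns=0, num_ip=0, num_dirnames=0, num_uri=0),
    permitted=dict(num_dns=1025, num_ip=0, num_dirnames=0, num_uri=0),
    sans=dict(num_dns=1024, num_ip=0, num_dirnames=0, num_uri=0))
make_chain(
    'toomany-ips-permitted',
    "A chain containing a large number of permitted IP name\n"
    "constraints and IP names, above the limit.",
    excluded=dict(num_dns=0, num_ip=0, num_dirnames=0, num_uri=0),
    permitted=dict(num_dns=0, num_ip=1025, num_dirnames=0, num_uri=0),
    sans=dict(num_dns=0, num_ip=1024, num_dirnames=0, num_uri=0))
make_chain(
    'toomany-dirnames-permitted',
    "A chain containing a large number of permitted directory name\n"
    "constraints and directory names, above the limit.",
    excluded=dict(num_dns=0, num_ip=0, num_dirnames=0, num_uri=0),
    permitted=dict(num_dns=0, num_ip=0, num_dirnames=1025, num_uri=0),
    sans=dict(num_dns=0, num_ip=0, num_dirnames=1024, num_uri=0))

# Mixed-type chains: many names of one type and many constraints of every
# OTHER type.  Names are only compared against constraints of their own type,
# so these must verify even though the raw counts are large.
make_chain(
    'ok-different-types-dns',
    "A chain containing a large number of name constraints and names,\n"
    "but of different types, thus not triggering the limit.",
    excluded=dict(num_dns=0, num_ip=1025, num_dirnames=1025, num_uri=1025),
    permitted=dict(num_dns=0, num_ip=1025, num_dirnames=1025, num_uri=1025),
    sans=dict(num_dns=1025, num_ip=0, num_dirnames=0, num_uri=0))
make_chain(
    'ok-different-types-ips',
    "A chain containing a large number of name constraints and names,\n"
    "but of different types, thus not triggering the limit.",
    excluded=dict(num_dns=1025, num_ip=0, num_dirnames=1025, num_uri=1025),
    permitted=dict(num_dns=1025, num_ip=0, num_dirnames=1025, num_uri=1025),
    sans=dict(num_dns=0, num_ip=1025, num_dirnames=0, num_uri=0))
make_chain(
    'ok-different-types-dirnames',
    "A chain containing a large number of name constraints and names,\n"
    "but of different types, thus not triggering the limit.",
    excluded=dict(num_dns=1025, num_ip=1025, num_dirnames=0, num_uri=1025),
    permitted=dict(num_dns=1025, num_ip=1025, num_dirnames=0, num_uri=1025),
    sans=dict(num_dns=0, num_ip=0, num_dirnames=1025, num_uri=0))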