bug 1181823 - convert test_ev_certs.js, test_keysize_ev.js, and test_validity.js to generate certificates at build time r=Cykesiopka r=mgoodwin
parent
23b63d6acb
commit
b49becac5d
@ -92,44 +92,62 @@ static const size_t NUM_TEST_EV_ROOTS = 2;
|
||||
#endif
|
||||
|
||||
static struct nsMyTrustedEVInfo myTrustedEVInfos[] = {
|
||||
// IMPORTANT! When extending this list,
|
||||
// pairs of dotted_oid and oid_name should always be unique pairs.
|
||||
// In other words, if you add another list, that uses the same dotted_oid
|
||||
// as an existing entry, then please use the same oid_name.
|
||||
// IMPORTANT! When extending this list, if you add another entry that uses
|
||||
// the same dotted_oid as an existing entry, use the same oid_name.
|
||||
#ifdef DEBUG
|
||||
// Debug EV certificates should all use the OID (repeating EV OID is OK):
|
||||
// Debug EV certificates should all use the following OID:
|
||||
// 1.3.6.1.4.1.13769.666.666.666.1.500.9.1.
|
||||
// (multiple entries with the same OID is ok)
|
||||
// If you add or remove debug EV certs you must also modify NUM_TEST_EV_ROOTS
|
||||
// so that the correct number of certs are skipped as these debug EV certs are
|
||||
// NOT part of the default trust store.
|
||||
{
|
||||
// This is the testing EV signature (xpcshell) (RSA)
|
||||
// CN=XPCShell EV Testing (untrustworthy) CA,OU=Security Engineering,O=Mozilla - EV debug test CA,L=Mountain View,ST=CA,C=US"
|
||||
// This is the PSM xpcshell testing EV certificate. It can be generated
|
||||
// using pycert.py and the following specification:
|
||||
//
|
||||
// issuer:evroot
|
||||
// subject:evroot
|
||||
// subjectKey:ev
|
||||
// issuerKey:ev
|
||||
// validity:20150101-20350101
|
||||
// extension:basicConstraints:cA,
|
||||
// extension:keyUsage:keyCertSign,cRLSign
|
||||
//
|
||||
// If this ever needs to change, re-generate the certificate and update the
|
||||
// following entry with the new fingerprint, issuer, and serial number.
|
||||
"1.3.6.1.4.1.13769.666.666.666.1.500.9.1",
|
||||
"DEBUGtesting EV OID",
|
||||
SEC_OID_UNKNOWN,
|
||||
{ 0x2D, 0x94, 0x52, 0x70, 0xAA, 0x92, 0x13, 0x0B, 0x1F, 0xB1, 0x24,
|
||||
0x0B, 0x24, 0xB1, 0xEE, 0x4E, 0xFB, 0x7C, 0x43, 0x45, 0x45, 0x7F,
|
||||
0x97, 0x6C, 0x90, 0xBF, 0xD4, 0x8A, 0x04, 0x79, 0xE4, 0x68 },
|
||||
"MIGnMQswCQYDVQQGEwJVUzELMAkGA1UECAwCQ0ExFjAUBgNVBAcMDU1vdW50YWlu"
|
||||
"IFZpZXcxIzAhBgNVBAoMGk1vemlsbGEgLSBFViBkZWJ1ZyB0ZXN0IENBMR0wGwYD"
|
||||
"VQQLDBRTZWN1cml0eSBFbmdpbmVlcmluZzEvMC0GA1UEAwwmWFBDU2hlbGwgRVYg"
|
||||
"VGVzdGluZyAodW50cnVzdHdvcnRoeSkgQ0E=",
|
||||
"At+3zdo=",
|
||||
{ 0x85, 0x2A, 0x29, 0x38, 0x31, 0x09, 0x7D, 0x14, 0x0C, 0x83, 0xAB,
|
||||
0x8D, 0x6D, 0x54, 0x32, 0x77, 0x37, 0xC8, 0xBF, 0xB2, 0xC2, 0xEC,
|
||||
0xCC, 0x82, 0xC0, 0xA2, 0x5F, 0x24, 0x9D, 0xFD, 0xFB, 0xAB },
|
||||
"MBExDzANBgNVBAMMBmV2cm9vdA==",
|
||||
"GSsFG1fp8SGMxPjAQvdOBN26ij4=",
|
||||
nullptr
|
||||
},
|
||||
{
|
||||
// The RSA root with an inadequate key size used for EV key size checking
|
||||
// O=ev_root_rsa_2040,CN=XPCShell Key Size Testing rsa 2040-bit (EV)
|
||||
// This is an RSA root with an inadequate key size. It is used to test that
|
||||
// minimum key sizes are enforced when verifying for EV. It can be
|
||||
// generated using pycert.py and the following specification:
|
||||
//
|
||||
// issuer:ev_root_rsa_2040
|
||||
// subject:ev_root_rsa_2040
|
||||
// issuerKey:evRSA2040
|
||||
// subjectKey:evRSA2040
|
||||
// validity:20150101-20350101
|
||||
// extension:basicConstraints:cA,
|
||||
// extension:keyUsage:cRLSign,keyCertSign
|
||||
//
|
||||
// If this ever needs to change, re-generate the certificate and update the
|
||||
// following entry with the new fingerprint, issuer, and serial number.
|
||||
"1.3.6.1.4.1.13769.666.666.666.1.500.9.1",
|
||||
"DEBUGtesting EV OID",
|
||||
SEC_OID_UNKNOWN,
|
||||
{ 0x47, 0x8B, 0x21, 0xEE, 0x20, 0x3F, 0x2A, 0x14, 0x52, 0x70, 0xF9,
|
||||
0x75, 0xE0, 0x67, 0x93, 0x6E, 0x70, 0x3D, 0xA8, 0x8D, 0x09, 0x95,
|
||||
0x72, 0xF4, 0x03, 0x6F, 0x00, 0xA2, 0x33, 0x82, 0x8D, 0x46 },
|
||||
"MFExNDAyBgNVBAMMK1hQQ1NoZWxsIEtleSBTaXplIFRlc3RpbmcgcnNhIDIwNDAt"
|
||||
"Yml0IChFVikxGTAXBgNVBAoMEGV2X3Jvb3RfcnNhXzIwNDA=",
|
||||
"AhZ7jg==",
|
||||
{ 0x28, 0x79, 0xB9, 0x6C, 0x08, 0x71, 0x6C, 0x7D, 0xCE, 0x38, 0x8C,
|
||||
0xAB, 0x7E, 0xEB, 0x08, 0xA6, 0xF7, 0x2C, 0xCE, 0xE4, 0x47, 0xF5,
|
||||
0x72, 0xA1, 0xEB, 0x16, 0x9B, 0xC3, 0x49, 0x49, 0x72, 0x5D },
|
||||
"MBsxGTAXBgNVBAMMEGV2X3Jvb3RfcnNhXzIwNDA=",
|
||||
"N2nWLMPfNebIktpezTGThHoXsDU=",
|
||||
nullptr
|
||||
},
|
||||
#endif
|
||||
|
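Review bot: The new comment block explains how to regenerate the debug EV root but not what keeps the hard-coded fingerprint, issuer and serial below it stable now that the certificate is produced at build time: this entry only matches while pycert.py emits byte-identical DER for the quoted specification (the fixed `validity:`, the `ev` key, and presumably a serial derived from the specification text). Suggest adding after the "If this ever needs to change" sentence: `// The fingerprint, issuer and serial below stay valid only while pycert.py emits the same DER for this specification; any change to pycert's encoding or to the 'ev' key in pykey.py invalidates them and test_ev_certs.js will fail.` The same applies to the ev_root_rsa_2040 entry further down this hunk. It is worth keeping `validity:` as an absolute range in both specifications, since a relative validity would change the fingerprint with every build that crosses a year boundary.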
@ -11,9 +11,12 @@ TEST_DIRS += [
|
||||
'test_cert_keyUsage',
|
||||
'test_cert_trust',
|
||||
'test_cert_version',
|
||||
'test_ev_certs',
|
||||
'test_intermediate_basic_usage_constraints',
|
||||
'test_keysize_ev',
|
||||
'test_pinning_dynamic',
|
||||
'test_ocsp_url',
|
||||
'test_validity',
|
||||
]
|
||||
|
||||
if not CONFIG['MOZ_NO_SMART_CARDS']:
|
||||
|
@ -13,6 +13,7 @@ The input format is as follows:
|
||||
issuer:<string to use as the issuer common name>
|
||||
subject:<string to use as the subject common name>
|
||||
[version:<{1,2,3,4}>]
|
||||
[validity:<YYYYMMDD-YYYYMMDD|duration in days>]
|
||||
[issuerKey:alternate]
|
||||
[subjectKey:alternate]
|
||||
[extension:<extension name:<extension-specific data>>]
|
||||
@ -27,6 +28,7 @@ extKeyUsage:[serverAuth,clientAuth,codeSigning,emailProtection
|
||||
OCSPSigning,timeStamping]
|
||||
subjectAlternativeName:[<dNSName>,...]
|
||||
authorityInformationAccess:<OCSP URI>
|
||||
certificatePolicies:<policy OID>
|
||||
|
||||
Where:
|
||||
[] indicates an optional field or component of a field
|
||||
@ -39,12 +41,18 @@ For instance, the version field is optional. However, if it is
|
||||
specified, it must have exactly one value from the set {1,2,3,4}.
|
||||
|
||||
In the future it will be possible to specify other properties of the
|
||||
generated certificate (for example, its validity period, signature
|
||||
algorithm, etc.). For now, those fields have reasonable default values.
|
||||
Currently one shared RSA key is used for all signatures and subject
|
||||
public key information fields. Specifying "issuerKey:alternate" or
|
||||
"subjectKey:alternate" causes a different RSA key be used for signing
|
||||
or as the subject public key information field, respectively.
|
||||
generated certificate (for example, the signature algorithm). For now,
|
||||
those fields have reasonable default values. Currently one shared RSA
|
||||
key is used for all signatures and subject public key information
|
||||
fields. Specifying "issuerKey:alternate" or "subjectKey:alternate"
|
||||
causes a different RSA key be used for signing or as the subject public
|
||||
key information field, respectively. Other keys are also available -
|
||||
see pykey.py.
|
||||
|
||||
The validity period may be specified as either concrete notBefore and
|
||||
notAfter values or as a validity period centered around 'now'. For the
|
||||
latter, this will result in a notBefore of 'now' - duration/2 and a
|
||||
notAfter of 'now' + duration/2.
|
||||
"""
|
||||
|
||||
from pyasn1.codec.der import decoder
|
||||
@ -54,6 +62,7 @@ from pyasn1_modules import rfc2459
|
||||
import base64
|
||||
import datetime
|
||||
import hashlib
|
||||
import re
|
||||
import sys
|
||||
|
||||
import pykey
|
||||
@ -182,11 +191,11 @@ class Certificate:
|
||||
self.versionValue = 2 # a value of 2 is X509v3
|
||||
self.signature = 'sha256WithRSAEncryption'
|
||||
self.issuer = 'Default Issuer'
|
||||
now = datetime.datetime.utcnow()
|
||||
currentYear = datetime.datetime.strptime(str(now.year), '%Y')
|
||||
actualNow = datetime.datetime.utcnow()
|
||||
self.now = datetime.datetime.strptime(str(actualNow.year), '%Y')
|
||||
aYearAndAWhile = datetime.timedelta(days=550)
|
||||
self.notBefore = currentYear - aYearAndAWhile
|
||||
self.notAfter = currentYear + aYearAndAWhile
|
||||
self.notBefore = self.now - aYearAndAWhile
|
||||
self.notAfter = self.now + aYearAndAWhile
|
||||
self.subject = 'Default Subject'
|
||||
self.signatureAlgorithm = 'sha256WithRSAEncryption'
|
||||
self.extensions = None
|
||||
@ -238,6 +247,8 @@ class Certificate:
|
||||
self.subject = value
|
||||
elif param == 'issuer':
|
||||
self.issuer = value
|
||||
elif param == 'validity':
|
||||
self.decodeValidity(value)
|
||||
elif param == 'extension':
|
||||
self.decodeExtension(value)
|
||||
elif param == 'issuerKey':
|
||||
@ -254,6 +265,16 @@ class Certificate:
|
||||
else:
|
||||
raise UnknownVersionError(version)
|
||||
|
||||
def decodeValidity(self, duration):
|
||||
match = re.search('([0-9]{8})-([0-9]{8})', duration)
|
||||
if match:
|
||||
self.notBefore = datetime.datetime.strptime(match.group(1), '%Y%m%d')
|
||||
self.notAfter = datetime.datetime.strptime(match.group(2), '%Y%m%d')
|
||||
else:
|
||||
delta = datetime.timedelta(days=(int(duration) / 2))
|
||||
self.notBefore = self.now - delta
|
||||
self.notAfter = self.now + delta
|
||||
|
||||
def decodeExtension(self, extension):
|
||||
extensionType = extension.split(':')[0]
|
||||
value = ':'.join(extension.split(':')[1:])
|
||||
@ -267,6 +288,8 @@ class Certificate:
|
||||
self.addSubjectAlternativeName(value)
|
||||
elif extensionType == 'authorityInformationAccess':
|
||||
self.addAuthorityInformationAccess(value)
|
||||
elif extensionType == 'certificatePolicies':
|
||||
self.addCertificatePolicies(value)
|
||||
else:
|
||||
raise UnknownExtensionTypeError(extensionType)
|
||||
|
||||
@ -350,6 +373,16 @@ class Certificate:
|
||||
sequence.setComponentByPosition(0, accessDescription)
|
||||
self.addExtension(rfc2459.id_pe_authorityInfoAccess, sequence)
|
||||
|
||||
def addCertificatePolicies(self, policyOID):
|
||||
policies = rfc2459.CertificatePolicies()
|
||||
policy = rfc2459.PolicyInformation()
|
||||
if policyOID == 'any':
|
||||
policyOID = '2.5.29.32.0'
|
||||
policyIdentifier = rfc2459.CertPolicyId(policyOID)
|
||||
policy.setComponentByName('policyIdentifier', policyIdentifier)
|
||||
policies.setComponentByPosition(0, policy)
|
||||
self.addExtension(rfc2459.id_ce_certificatePolicies, policies)
|
||||
|
||||
def getVersion(self):
|
||||
return rfc2459.Version(self.versionValue).subtype(
|
||||
explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0))
|
||||
|
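Review bot: `decodeValidity` uses `re.search('([0-9]{8})-([0-9]{8})', duration)`, so any string that merely contains an 8-digit pair is accepted, and a notBefore later than notAfter is not rejected; the fallback branch `int(duration) / 2` is integer division under the Python 2 this tree targets (pykey.py uses `long(...)` and `65537L`), so an odd day count silently loses a day, and a non-numeric value raises a bare ValueError rather than one of the module's own error types. Suggest anchoring the pattern, `match = re.match('^([0-9]{8})-([0-9]{8})$', duration)`, and adding `if self.notBefore > self.notAfter: raise ...` with a dedicated error type, unless a reversed range is intentionally exercised by test_validity — worth confirming. Separately, `self.now` in `__init__` is the start of the current year rather than the current time, while the new docstring speaks of a period centered around 'now'; a comment such as `# truncated to the start of the current year, presumably so that generated certificates are stable across builds within a year` would make the naming less misleading.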
@ -10,11 +10,20 @@ PKCS #8 file representing the (private) key. Also provides
|
||||
methods for signing data and representing the key as a subject
|
||||
public key info for use with pyasn1.
|
||||
|
||||
The key specification format is currently very simple. If it is
|
||||
empty, one RSA key is used. If it consists of the string
|
||||
'alternate', a different RSA key is used. In the future it will
|
||||
be possible to specify other properties of the key (type,
|
||||
strength, signature algorithm, etc.).
|
||||
The key specification format is as follows:
|
||||
|
||||
<empty string>: a 2048-bit RSA key
|
||||
alternate: a different 2048-bit RSA key
|
||||
ev: a 2048-bit RSA key that, when combined with the right pycert
|
||||
specification, results in a certificate that is enabled for
|
||||
extended validation in debug Firefox (see ExtendedValidation.cpp).
|
||||
evRSA2040: a 2040-bit RSA key that, when combined with the right pycert
|
||||
specification, results in a certificate that is enabled for
|
||||
extended validation in debug Firefox.
|
||||
rsa2040: a 2040-bit RSA key
|
||||
|
||||
In the future it will be possible to specify other properties of the key
|
||||
(type, strength, signature algorithm, etc.).
|
||||
"""
|
||||
|
||||
from pyasn1.codec.der import encoder
|
||||
@ -192,6 +201,162 @@ class RSAKey:
|
||||
'27bf42f0cfa751e507651c5638db9393dd23dd1f6b295151de44b77fe55a'
|
||||
'7b0df271e19a65c0', 16)
|
||||
|
||||
evRSA_N = long(
|
||||
'00b549895c9d00108d11a1f99f87a9e3d1a5db5dfaecf188da57bf641368'
|
||||
'8f2ce4722cff109038c17402c93a2a473dbd286aed3fdcd363cf5a291477'
|
||||
'01bdd818d7615bf9356bd5d3c8336aaa8c0971368a06c3cd4461b93e5142'
|
||||
'4e1744bb2eaad46aab38ce196821961f87714a1663693f09761cdf4d6ba1'
|
||||
'25eacec7be270d388f789f6cdf78ae3144ed28c45e79293863a7a22a4898'
|
||||
'0a36a40e72d579c9b925dff8c793362ffd6897a7c1754c5e97c967c3eadd'
|
||||
'1aae8aa2ccce348a0169b80e28a2d70c1a960c6f335f2da09b9b643f5abf'
|
||||
'ba49e8aaa981e960e27d87480bdd55dd9417fa18509fbb554ccf81a4397e'
|
||||
'8ba8128a34bdf27865c189e5734fb22905', 16)
|
||||
evRSA_E = 65537L
|
||||
evRSA_D = long(
|
||||
'00983d54f94d6f4c76eb23d6f93d78523530cf73b0d16254c6e781768d45'
|
||||
'f55681d1d02fb2bd2aac6abc1c389860935c52a0d8f41482010394778314'
|
||||
'1d864bff30803638a5c0152570ae9d18f3d8ca163efb475b0dddf32e7e16'
|
||||
'ec7565e6bb5e025c41c5c66e57a03cede554221f83045347a2c4c451c3dc'
|
||||
'e476b787ce0c057244be9e04ef13118dbbb3d5e0a6cc87029eafd4a69ed9'
|
||||
'b14759b15e39d8a9884e56f54d2f9ab013f0d15f318a9ab6b2f73d1ec3c9'
|
||||
'fe274ae89431a10640be7899b0011c5e5093a1834708689de100634dabde'
|
||||
'60fbd6aaefa3a33df34a1f36f60c043036b748d1c9ee98c4031a0afec60e'
|
||||
'fda0a990be524f5614eac4fdb34a52f951', 16)
|
||||
evRSA_P = long(
|
||||
'00eadc2cb33e5ff1ca376bbd95bd6a1777d2cf4fac47545e92d11a6209b9'
|
||||
'd5e4ded47834581c169b3c884742a09ea187505c1ca55414d8d25b497632'
|
||||
'd5ec2aaa05233430fad49892777a7d68e038f561a3b8969e60b0a263defb'
|
||||
'fda48a9b0ff39d95bc88b15267c8ade97b5107948e41e433249d87f7db10'
|
||||
'9d5d74584d86bcc1d7', 16)
|
||||
evRSA_Q = long(
|
||||
'00c59ae576a216470248d944a55b9e9bf93299da341ec56e558eba821abc'
|
||||
'e1bf57b79cf411d2904c774f9dba1f15185f607b0574a08205d6ec28b66a'
|
||||
'36d634232eaaf2fea37561abaf9d644b68db38c9964cb8c96ec0ac61eba6'
|
||||
'4d05b446542f423976f5acde4ecc95536d2df578954f93f0cfd9c58fb78b'
|
||||
'a2a76dd5ac284dc883', 16)
|
||||
evRSA_exp1 = long(
|
||||
'00c1d2ef3906331c52aca64811f9fe425beb2898322fb3db51032ce8d7e9'
|
||||
'fc32240be92019cf2480fcd5e329837127118b2a59a1bfe06c883e3a4447'
|
||||
'f3f031cd9aebd0b8d368fc79740d2cce8eadb324df7f091eafe1564361d5'
|
||||
'4920b01b0471230e5e47d93f8ed33963c517bc4fc78f6d8b1f9eba85bcce'
|
||||
'db7033026508db6285', 16)
|
||||
evRSA_exp2 = long(
|
||||
'008521b8db5694dfbe804a315f9efc9b65275c5490acf2a3456d65e6e610'
|
||||
'bf9f647fc67501d4f5772f232ac70ccdef9fc2a6dfa415c7c41b6afc7af9'
|
||||
'd07c3ca03f7ed93c09f0b99f2c304434322f1071709bbc1baa4c91575fa6'
|
||||
'a959e07d4996956d95e22b57938b6e47c8d51ffedfc9bf888ce0d1a3e42b'
|
||||
'65a89bed4b91d3e5f5', 16)
|
||||
evRSA_coef = long(
|
||||
'00dc497b06b920c8be0b0077b798e977eef744a90ec2c5d7e6cbb22448fa'
|
||||
'c72da81a33180e0d8a02e831460c7fc7fd3a612f7b9930b61b799f8e908e'
|
||||
'632e9ba0409b6aa70b03a3ba787426263b5bd5843df8476edb5d14f6a861'
|
||||
'3ebaf5b9cd5ca42f5fbd2802e08e4e49e5709f5151510caa5ab2c1c6eb3e'
|
||||
'fe9295d16e8c25c916', 16)
|
||||
|
||||
evRSA2040_N = long(
|
||||
'00ca7020dc215f57914d343fae4a015111697af997a5ece91866499fc23f'
|
||||
'1b88a118cbd30b10d91c7b9a0d4ee8972fcae56caf57f25fc1275a2a4dbc'
|
||||
'b982428c32ef587bf2387410330a0ffb16b8029bd783969ef675f6de38c1'
|
||||
'8f67193cb6c072f8b23d0b3374112627a57b90055771d9e62603f53788d7'
|
||||
'f63afa724f5d108096df31f89f26b1eb5f7c4357980e008fcd55d827dd26'
|
||||
'2395ca2f526a07897cc40c593b38716ebc0caa596719c6f29ac9b73a7a94'
|
||||
'4748a3aa3e09e9eb4d461ea0027e540926614728b9d243975cf9a0541bef'
|
||||
'd25e76b51f951110b0e7644fc7e38441791b6d2227384cb8004e23342372'
|
||||
'b1cf5cc3e73e31b7bbefa160e6862ebb', 16)
|
||||
evRSA2040_E = 65537L
|
||||
evRSA2040_D = long(
|
||||
'00b2db74bce92362abf72955a638ae8720ba3033bb7f971caf39188d7542'
|
||||
'eaa1c1abb5d205b1e2111f4791c08911a2e141e8cfd7054702d23100b564'
|
||||
'2c06e1a31b118afd1f9a2f396cced425c501d91435ca8656766ced2b93bb'
|
||||
'b8669fce9bacd727d1dacb3dafabc3293e35389eef8ea0b58e1aeb1a20e6'
|
||||
'a61f9fcd453f7567fe31d123b616a26fef4df1d6c9f7490111d028eefd1d'
|
||||
'972045b1a242273dd7a67ebf111db2741a5a93c7b2289cc4a236f5a99a6e'
|
||||
'c7a8206fdae1c1d04bdbb1980d4a298c5a17dae4186474a5f7835d882bce'
|
||||
'f24aef4ed6f149f94d96c9f7d78e647fc778a9017ff208d3b4a1768b1821'
|
||||
'62102cdab032fabbab38d5200a324649', 16)
|
||||
evRSA2040_P = long(
|
||||
'0f3844d0d4d4d6a21acd76a6fc370b8550e1d7ec5a6234172e790f0029ae'
|
||||
'651f6d5c59330ab19802b9d7a207de7a1fb778e3774fdbdc411750633d8d'
|
||||
'1b3fe075006ffcfd1d10e763c7a9227d2d5f0c2dade1c9e659c350a159d3'
|
||||
'6bb986f12636d4f9942b288bc0fe21da8799477173144249ca2e389e6c5c'
|
||||
'25aa78c8cad7d4df', 16)
|
||||
evRSA2040_Q = long(
|
||||
'0d4d0bedd1962f07a1ead6b23a4ed67aeaf1270f052a6d29ba074945c636'
|
||||
'1a5c4f8f07bf859e067aed3f4e6e323ef2aa8a6acd340b0bdc7cfe4fd329'
|
||||
'e3c97f870c7f7735792c6aa9d0f7e7542a28ed6f01b0e55a2b8d9c24a65c'
|
||||
'6da314c95484f5c7c3954a81bb016b07ed17ee9b06039695bca059a79f8d'
|
||||
'c2423d328d5265a5', 16)
|
||||
evRSA2040_exp1 = long(
|
||||
'09f29a2ff05be8a96d614ba31b08935420a86c6bc42b99a6692ea0da5763'
|
||||
'f01e596959b7ddce73ef9c2e4f6e5b40710887500d44ba0c3cd3132cba27'
|
||||
'475f39c2df7552e2d123a2497a4f97064028769a48a3624657f72bf539f3'
|
||||
'd0de234feccd3be8a0aa90c6bf6e9b0bed43070a24d061ff3ed1751a3ef2'
|
||||
'ff7f6b90b9dbd5fb', 16)
|
||||
evRSA2040_exp2 = long(
|
||||
'01a659e170cac120a03be1cf8f9df1caa353b03593bd7476e5853bd874c2'
|
||||
'87388601c6c341ce9d1d284a5eef1a3a669d32b816a5eaecd8b7844fe070'
|
||||
'64b9bca0c2b318d540277b3f7f1510d386bb36e03b04771e5d229e88893e'
|
||||
'13b753bfb94518bb638e2404bd6e6a993c1668d93fc0b82ff08aaf34347d'
|
||||
'3fe8397108c87ca5', 16)
|
||||
evRSA2040_coef = long(
|
||||
'040257c0d4a21c0b9843297c65652db66304fb263773d728b6abfa06d37a'
|
||||
'c0ca62c628023e09e37dc0a901e4ce1224180e2582a3aa4b6a1a7b98e2bd'
|
||||
'70077aec14ac8ab66a755c71e0fc102471f9bbc1b46a95aa0b645f2c38e7'
|
||||
'6450289619ea3f5e8ae61037bffcf8249f22aa4e76e2a01909f3feb290ce'
|
||||
'93edf57b10ebe796', 16)
|
||||
|
||||
rsa2040_N = long(
|
||||
'00bac0652fdfbc0055882ffbaeaceec88fa2d083c297dd5d40664dd3d90f'
|
||||
'52f9aa02bd8a50fba16e0fd991878ef475f9b350d9f8e3eb2abd717ce327'
|
||||
'b09788531f13df8e3e4e3b9d616bb8a41e5306eed2472163161051180127'
|
||||
'6a4eb66f07331b5cbc8bcae7016a8f9b3d4f2ac4553c624cf5263bcb348e'
|
||||
'8840de6612870960a792191b138fb217f765cec7bff8e94f16b39419bf75'
|
||||
'04c59a7e4f79bd6d173e9c7bf3d9d2a4e73cc180b0590a73d584fb7fc9b5'
|
||||
'4fa544607e53fc685c7a55fd44a81d4142b6af51ea6fa6cea52965a2e8c5'
|
||||
'd84f3ca024d6fbb9b005b9651ce5d9f2ecf40ed404981a9ffc02636e311b'
|
||||
'095c6332a0c87dc39271b5551481774b', 16)
|
||||
rsa2040_E = 65537L
|
||||
rsa2040_D = long(
|
||||
'603db267df97555cbed86b8df355034af28f1eb7f3e7829d239bcc273a7c'
|
||||
'7a69a10be8f21f1b6c4b02c6bae3731c3158b5bbff4605f57ab7b7b2a0cb'
|
||||
'a2ec005a2db5b1ea6e0aceea5bc745dcd2d0e9d6b80d7eb0ea2bc08127bc'
|
||||
'e35fa50c42cc411871ba591e23ba6a38484a33eff1347f907ee9a5a92a23'
|
||||
'11bb0b435510020f78e3bb00099db4d1182928096505fcba84f3ca1238fd'
|
||||
'1eba5eea1f391bbbcc5424b168063fc17e1ca6e1912ccba44f9d0292308a'
|
||||
'1fedb80612529b39f59d0a3f8180b5ba201132197f93a5815ded938df8e7'
|
||||
'd93c9b15766588f339bb59100afda494a7e452d7dd4c9a19ce2ec3a33a18'
|
||||
'b20f0b4dade172bee19f26f0dcbe41', 16)
|
||||
rsa2040_P = long(
|
||||
'0ec3869cb92d406caddf7a319ab29448bc505a05913707873361fc5b986a'
|
||||
'499fb65eeb815a7e37687d19f128087289d9bb8818e7bcca502c4900ad9a'
|
||||
'ece1179be12ff3e467d606fc820ea8f07ac9ebffe2236e38168412028822'
|
||||
'3e42dbe68dfd972a85a6447e51695f234da7911c67c9ab9531f33df3b994'
|
||||
'32d4ee88c9a4efbb', 16)
|
||||
rsa2040_Q = long(
|
||||
'0ca63934549e85feac8e0f5604303fd1849fe88af4b7f7e1213283bbc7a2'
|
||||
'c2a509f9273c428c68de3db93e6145f1b400bd6d4a262614e9043ad362d4'
|
||||
'eba4a6b995399c8934a399912199e841d8e8dbff0489f69e663796730b29'
|
||||
'80530b31cb70695a21625ea2adccc09d930516fa872211a91e22dd89fd9e'
|
||||
'b7da8574b72235b1', 16)
|
||||
rsa2040_exp1 = long(
|
||||
'0d7d3a75e17f65f8a658a485c4095c10a4f66979e2b73bca9cf8ef21253e'
|
||||
'1facac6d4791f58392ce8656f88f1240cc90c29653e3100c6d7a38ed44b1'
|
||||
'63b339e5f3b6e38912126c69b3ceff2e5192426d9649b6ffca1abb75d2ba'
|
||||
'2ed6d9a26aa383c5973d56216ff2edb90ccf887742a0f183ac92c94cf187'
|
||||
'657645c7772d9ad7', 16)
|
||||
rsa2040_exp2 = long(
|
||||
'03f550194c117f24bea285b209058032f42985ff55acebe88b16df9a3752'
|
||||
'7b4e61dc91a68dbc9a645134528ce5f248bda2893c96cb7be79ee73996c7'
|
||||
'c22577f6c2f790406f3472adb3b211b7e94494f32c5c6fcc0978839fe472'
|
||||
'4c31b06318a2489567b4fca0337acb1b841227aaa5f6c74800a2306929f0'
|
||||
'2ce038bad943df41', 16)
|
||||
rsa2040_coef = long(
|
||||
'080a7dbfa8c2584814c71664c56eb62ce4caf16afe88d4499159d674774a'
|
||||
'3a3ecddf1256c02fc91525c527692422d0aba94e5c41ee12dc71bb66f867'
|
||||
'9fa17e096f28080851ba046eb31885c1414e8985ade599d907af17453d1c'
|
||||
'caea2c0d06443f8367a6be154b125e390ee0d90f746f08801dd3f5367f59'
|
||||
'fba2e5a67c05f375', 16)
|
||||
|
||||
def __init__(self, specification = None):
|
||||
if not specification:
|
||||
self.RSA_N = self.sharedRSA_N
|
||||
@ -211,6 +376,33 @@ class RSAKey:
|
||||
self.RSA_exp1 = self.alternateRSA_exp1
|
||||
self.RSA_exp2 = self.alternateRSA_exp2
|
||||
self.RSA_coef = self.alternateRSA_coef
|
||||
elif specification == 'ev':
|
||||
self.RSA_N = self.evRSA_N
|
||||
self.RSA_E = self.evRSA_E
|
||||
self.RSA_D = self.evRSA_D
|
||||
self.RSA_P = self.evRSA_P
|
||||
self.RSA_Q = self.evRSA_Q
|
||||
self.RSA_exp1 = self.evRSA_exp1
|
||||
self.RSA_exp2 = self.evRSA_exp2
|
||||
self.RSA_coef = self.evRSA_coef
|
||||
elif specification == 'evRSA2040':
|
||||
self.RSA_N = self.evRSA2040_N
|
||||
self.RSA_E = self.evRSA2040_E
|
||||
self.RSA_D = self.evRSA2040_D
|
||||
self.RSA_P = self.evRSA2040_P
|
||||
self.RSA_Q = self.evRSA2040_Q
|
||||
self.RSA_exp1 = self.evRSA2040_exp1
|
||||
self.RSA_exp2 = self.evRSA2040_exp2
|
||||
self.RSA_coef = self.evRSA2040_coef
|
||||
elif specification == 'rsa2040':
|
||||
self.RSA_N = self.rsa2040_N
|
||||
self.RSA_E = self.rsa2040_E
|
||||
self.RSA_D = self.rsa2040_D
|
||||
self.RSA_P = self.rsa2040_P
|
||||
self.RSA_Q = self.rsa2040_Q
|
||||
self.RSA_exp1 = self.rsa2040_exp1
|
||||
self.RSA_exp2 = self.rsa2040_exp2
|
||||
self.RSA_coef = self.rsa2040_coef
|
||||
else:
|
||||
raise UnknownKeySpecificationError(specification)
|
||||
|
||||
@ -274,7 +466,7 @@ class RSAKey:
|
||||
# read the specification and output the key as ASCII-encoded PKCS #8.
|
||||
def main(output, inputPath):
|
||||
with open(inputPath) as configStream:
|
||||
output.write(RSAKey(configStream.read()).toPEM())
|
||||
output.write(RSAKey(configStream.read().strip()).toPEM())
|
||||
|
||||
# When run as a standalone program, this will read a specification from
|
||||
# stdin and output the certificate as PEM to stdout.
|
||||
|
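Review bot: The new docstring line for `evRSA2040` says the key "results in a certificate that is enabled for extended validation in debug Firefox", which reads as if EV is expected to succeed; the matching ExtendedValidation.cpp entry in this commit describes that root as the one "used to test that minimum key sizes are enforced when verifying for EV", so EV is presumably expected to be refused for it. Suggest rewording to: `evRSA2040: a 2040-bit RSA key whose root is listed in the debug EV root table (see ExtendedValidation.cpp) so that EV verification can be tested to fail for a key below the minimum size.` The docstring could also state plainly that every key in this file is public test material and that nothing signed with it may be trusted outside the test harness, which is why the matching roots live behind `#ifdef DEBUG`. As a point of style, the four `elif` branches in `__init__` (which begins in the preceding hunk) each copy the same eight fields; a specification-to-prefix table and a `getattr` loop over `('N', 'E', 'D', 'P', 'Q', 'exp1', 'exp2', 'coef')` would avoid the repetition without changing behaviour.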
@ -9,8 +9,7 @@ do_get_profile(); // must be called before getting nsIX509CertDB
|
||||
const certdb = Cc["@mozilla.org/security/x509certdb;1"]
|
||||
.getService(Ci.nsIX509CertDB);
|
||||
|
||||
const evrootnick = "XPCShell EV Testing (untrustworthy) CA - Mozilla - " +
|
||||
"EV debug test CA";
|
||||
const evrootnick = "evroot";
|
||||
|
||||
// This is the list of certificates needed for the test
|
||||
// The certificates prefixed by 'int-' are intermediates
|
||||
@ -29,7 +28,7 @@ let certList = [
|
||||
];
|
||||
|
||||
function load_ca(ca_name) {
|
||||
var ca_filename = ca_name + ".der";
|
||||
var ca_filename = ca_name + ".pem";
|
||||
addCertFromFile(certdb, "test_ev_certs/" + ca_filename, 'CTu,CTu,CTu');
|
||||
}
|
||||
|
||||
@ -59,7 +58,7 @@ function check_ee_for_ev(cert_name, expected_ev) {
|
||||
|
||||
function run_test() {
|
||||
for (let i = 0 ; i < certList.length; i++) {
|
||||
let cert_filename = certList[i] + ".der";
|
||||
let cert_filename = certList[i] + ".pem";
|
||||
addCertFromFile(certdb, "test_ev_certs/" + cert_filename, ',,');
|
||||
}
|
||||
load_ca("evroot");
|
||||
@ -79,7 +78,6 @@ function run_test() {
|
||||
ocspResponder.stop(run_next_test);
|
||||
});
|
||||
|
||||
|
||||
add_test(function () {
|
||||
clearOCSPCache();
|
||||
|
||||
|
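Review bot: The changed line in `load_ca` keeps `var ca_filename` while the sibling loop in `run_test` in this same file uses `let`; for consistency, `let ca_filename = ca_name + ".pem";`, or inline the expression into the `addCertFromFile` call. The new `const evrootnick = "evroot";` ties the test to the subject CN chosen in the evroot certificate specification; a short comment, `// must match the subject in evroot's certificate specification`, would make that coupling visible to whoever next edits either file.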
Binary file not shown.
Binary file not shown.
@ -0,0 +1,4 @@
|
||||
issuer:int-ev-valid-anypolicy-int
|
||||
subject:ev-valid-anypolicy-int
|
||||
extension:authorityInformationAccess:http://www.example.com:8888/ev-valid-anypolicy-int/
|
||||
extension:certificatePolicies:1.3.6.1.4.1.13769.666.666.666.1.500.9.1
|
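Review bot: Neither this end-entity specification nor the `ev-valid` one that follows sets a `validity:`, so both fall back to pycert's default of 550 days either side of the start of the current year, and neither carries the crlDistributionPoints extension that the deleted generator script attached (`endentity_crl`); the extension list in pycert's docstring shows no way to express it. That is presumably acceptable for these tests, but it is worth confirming against the test expectations, and an explicit `validity:` line would make the generated DER reproducible across years if that ever matters.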
Binary file not shown.
@ -0,0 +1,4 @@
|
||||
issuer:int-ev-valid
|
||||
subject:ev-valid
|
||||
extension:authorityInformationAccess:http://www.example.com:8888/ev-valid/
|
||||
extension:certificatePolicies:1.3.6.1.4.1.13769.666.666.666.1.500.9.1
|
@ -1,43 +0,0 @@
|
||||
#!/usr/bin/python
|
||||
|
||||
import tempfile, os, sys
|
||||
import random
|
||||
|
||||
libpath = os.path.abspath('../psm_common_py')
|
||||
sys.path.append(libpath)
|
||||
|
||||
import CertUtils
|
||||
|
||||
dest_dir = os.getcwd()
|
||||
db = tempfile.mkdtemp()
|
||||
|
||||
CA_basic_constraints = "basicConstraints = critical, CA:TRUE\n"
|
||||
CA_min_ku = "keyUsage = critical, digitalSignature, keyCertSign, cRLSign\n"
|
||||
subject_key_ident = "subjectKeyIdentifier = hash\n"
|
||||
|
||||
cert_name = 'evroot'
|
||||
ext_text = CA_basic_constraints + CA_min_ku + subject_key_ident
|
||||
subject_string = ('/C=US/ST=CA/L=Mountain View' +
|
||||
'/O=Mozilla - EV debug test CA/OU=Security Engineering' +
|
||||
'/CN=XPCShell EV Testing (untrustworthy) CA')
|
||||
|
||||
# The db_dir argument of generate_cert_generic() is also set to dest_dir as
|
||||
# the .key file generated is needed by other certs.
|
||||
[ca_key, ca_cert] = CertUtils.generate_cert_generic(
|
||||
dest_dir,
|
||||
dest_dir,
|
||||
random.randint(100, 40000000),
|
||||
'rsa',
|
||||
cert_name,
|
||||
ext_text,
|
||||
subject_string = subject_string)
|
||||
|
||||
CertUtils.generate_pkcs12(db, dest_dir, ca_cert, ca_key, cert_name)
|
||||
|
||||
# Print a blank line and the information needed to enable EV for the root
|
||||
# generated by this script.
|
||||
print
|
||||
CertUtils.print_cert_info(ca_cert)
|
||||
print ('You now MUST update the compiled test EV root information to match ' +
|
||||
'the EV root information printed above. In addition, certs that chain ' +
|
||||
'up to this root in other folders will also need to be regenerated.' )
|
@ -1,18 +0,0 @@
|
||||
-----BEGIN CERTIFICATE REQUEST-----
|
||||
MIIC7TCCAdUCAQAwgacxCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJDQTEWMBQGA1UE
|
||||
BwwNTW91bnRhaW4gVmlldzEjMCEGA1UECgwaTW96aWxsYSAtIEVWIGRlYnVnIHRl
|
||||
c3QgQ0ExHTAbBgNVBAsMFFNlY3VyaXR5IEVuZ2luZWVyaW5nMS8wLQYDVQQDDCZY
|
||||
UENTaGVsbCBFViBUZXN0aW5nICh1bnRydXN0d29ydGh5KSBDQTCCASIwDQYJKoZI
|
||||
hvcNAQEBBQADggEPADCCAQoCggEBAJr67bfi/uwFBoNZUeL5XgA69ITW7zhPS429
|
||||
1sMBJyiBizHzwPXE+IlmuEMJaP6VKaICX95zpA0yLCr4QxCckTUIMoHmlgSI7yiZ
|
||||
Rfno4ck1O/U9rCUzzVzkOjyjw7HrOE+kdTeKJyNCDTURjtIgkz0vWVn9VsUcgwyV
|
||||
IEyy22Wbaz/JyVgHT5GiIeE0b/ZkypU+BE9I2Pjrjk/PY8ANdJjsowxzZoBQvpfp
|
||||
yRqPRI9D3Qulw+kTVbBqzV0vpHcNEji2qnfmIl2zEfdbMMVTmXX2iPUczRZ1eI/t
|
||||
3m+fEH1sLr0JtT1zMZys8RgyPSP9aEskbfAasM/2vuqmmKO+Ew8CAwEAAaAAMA0G
|
||||
CSqGSIb3DQEBBQUAA4IBAQANkAdB2CvolWXZzZT/aJapKym19Lqs7r1spDEWJO9L
|
||||
ga7+vSoeVEaBoaWU+tb3HXv5jIw3yn+Vnlgg/jkO7m0dZGyPxd9H0aqMhv5f5vC9
|
||||
te8d5BYwGtmPzbIILIxzoUx5uwSZNKbKu3poQnuoMQDy7h4fz2JYj03nh6ey/dyi
|
||||
YmZJWiuOqhvh7wwwRvM8XPL3fEAxSbfA6gblTInt6r2wVOToKbCjGmiB7DSk+QQU
|
||||
ZxHDdCKciW7GKRN8t6CoIcExbFLfQbmhFhH53d2YHDTExBCByMuvPtkx9rC38nZq
|
||||
dY+Qkg/Rz9++y2+JXlg8/nnG5XdWDJSOI6fl+rk91RUD
|
||||
-----END CERTIFICATE REQUEST-----
|
Binary file not shown.
@ -1,28 +0,0 @@
|
||||
-----BEGIN PRIVATE KEY-----
|
||||
MIIEwAIBADANBgkqhkiG9w0BAQEFAASCBKowggSmAgEAAoIBAQC1SYlcnQAQjRGh
|
||||
+Z+HqePRpdtd+uzxiNpXv2QTaI8s5HIs/xCQOMF0Ask6Kkc9vShq7T/c02PPWikU
|
||||
dwG92BjXYVv5NWvV08gzaqqMCXE2igbDzURhuT5RQk4XRLsuqtRqqzjOGWghlh+H
|
||||
cUoWY2k/CXYc301roSXqzse+Jw04j3ifbN94rjFE7SjEXnkpOGOnoipImAo2pA5y
|
||||
1XnJuSXf+MeTNi/9aJenwXVMXpfJZ8Pq3RquiqLMzjSKAWm4Diii1wwalgxvM18t
|
||||
oJubZD9av7pJ6Kqpgelg4n2HSAvdVd2UF/oYUJ+7VUzPgaQ5fouoEoo0vfJ4ZcGJ
|
||||
5XNPsikFAgMBAAECggEBAJg9VPlNb0x26yPW+T14UjUwz3Ow0WJUxueBdo1F9VaB
|
||||
0dAvsr0qrGq8HDiYYJNcUqDY9BSCAQOUd4MUHYZL/zCANjilwBUlcK6dGPPYyhY+
|
||||
+0dbDd3zLn4W7HVl5rteAlxBxcZuV6A87eVUIh+DBFNHosTEUcPc5Ha3h84MBXJE
|
||||
vp4E7xMRjbuz1eCmzIcCnq/Upp7ZsUdZsV452KmITlb1TS+asBPw0V8xipq2svc9
|
||||
HsPJ/idK6JQxoQZAvniZsAEcXlCToYNHCGid4QBjTaveYPvWqu+joz3zSh829gwE
|
||||
MDa3SNHJ7pjEAxoK/sYO/aCpkL5ST1YU6sT9s0pS+VECgYEA6twssz5f8co3a72V
|
||||
vWoXd9LPT6xHVF6S0RpiCbnV5N7UeDRYHBabPIhHQqCeoYdQXBylVBTY0ltJdjLV
|
||||
7CqqBSM0MPrUmJJ3en1o4Dj1YaO4lp5gsKJj3vv9pIqbD/OdlbyIsVJnyK3pe1EH
|
||||
lI5B5DMknYf32xCdXXRYTYa8wdcCgYEAxZrldqIWRwJI2USlW56b+TKZ2jQexW5V
|
||||
jrqCGrzhv1e3nPQR0pBMd0+duh8VGF9gewV0oIIF1uwotmo21jQjLqry/qN1Yauv
|
||||
nWRLaNs4yZZMuMluwKxh66ZNBbRGVC9COXb1rN5OzJVTbS31eJVPk/DP2cWPt4ui
|
||||
p23VrChNyIMCgYEAwdLvOQYzHFKspkgR+f5CW+somDIvs9tRAyzo1+n8MiQL6SAZ
|
||||
zySA/NXjKYNxJxGLKlmhv+BsiD46REfz8DHNmuvQuNNo/Hl0DSzOjq2zJN9/CR6v
|
||||
4VZDYdVJILAbBHEjDl5H2T+O0zljxRe8T8ePbYsfnrqFvM7bcDMCZQjbYoUCgYEA
|
||||
hSG421aU376ASjFfnvybZSdcVJCs8qNFbWXm5hC/n2R/xnUB1PV3LyMqxwzN75/C
|
||||
pt+kFcfEG2r8evnQfDygP37ZPAnwuZ8sMEQ0Mi8QcXCbvBuqTJFXX6apWeB9SZaV
|
||||
bZXiK1eTi25HyNUf/t/Jv4iM4NGj5CtlqJvtS5HT5fUCgYEA3El7BrkgyL4LAHe3
|
||||
mOl37vdEqQ7Cxdfmy7IkSPrHLagaMxgODYoC6DFGDH/H/TphL3uZMLYbeZ+OkI5j
|
||||
LpugQJtqpwsDo7p4dCYmO1vVhD34R27bXRT2qGE+uvW5zVykL1+9KALgjk5J5XCf
|
||||
UVFRDKpassHG6z7+kpXRbowlyRY=
|
||||
-----END PRIVATE KEY-----
|
@ -0,0 +1 @@
|
||||
ev
|
Binary file not shown.
@ -0,0 +1,7 @@
|
||||
issuer:evroot
|
||||
subject:evroot
|
||||
subjectKey:ev
|
||||
issuerKey:ev
|
||||
validity:20150101-20350101
|
||||
extension:basicConstraints:cA,
|
||||
extension:keyUsage:keyCertSign,cRLSign
|
@ -1,133 +0,0 @@
|
||||
#!/usr/bin/python
|
||||
|
||||
import tempfile, os, sys
|
||||
import random
|
||||
|
||||
libpath = os.path.abspath('../psm_common_py')
|
||||
|
||||
sys.path.append(libpath)
|
||||
|
||||
import CertUtils
|
||||
|
||||
srcdir = os.getcwd()
|
||||
db = tempfile.mkdtemp()
|
||||
|
||||
CA_extensions = ("basicConstraints = critical, CA:TRUE\n"
|
||||
"keyUsage = keyCertSign, cRLSign\n")
|
||||
|
||||
intermediate_crl = ("crlDistributionPoints = " +
|
||||
"URI:http://crl.example.com:8888/root-ev.crl\n")
|
||||
endentity_crl = ("crlDistributionPoints = " +
|
||||
"URI:http://crl.example.com:8888/ee-crl.crl\n")
|
||||
|
||||
anypolicy_policy = ("certificatePolicies = @v3_ca_ev_cp\n\n" +
|
||||
"[ v3_ca_ev_cp ]\n" +
|
||||
"policyIdentifier = " +
|
||||
"2.5.29.32.0\n\n" +
|
||||
"CPS.1 = \"http://mytestdomain.local/cps\"")
|
||||
|
||||
validity_days = 3 * 365 + 3 * 31 # 39 months
|
||||
|
||||
def import_untrusted_cert(certfile, nickname):
|
||||
os.system('certutil -A -d sql:%s -n %s -i %s -t ",,"' %
|
||||
(srcdir, nickname, certfile))
|
||||
|
||||
def generate_certs():
|
||||
ca_cert = 'evroot.der'
|
||||
ca_key = 'evroot.key'
|
||||
prefix = "ev-valid"
|
||||
key_type = 'rsa'
|
||||
ee_ext_text = (CertUtils.aia_prefix + prefix + CertUtils.aia_suffix +
|
||||
endentity_crl + CertUtils.mozilla_testing_ev_policy)
|
||||
int_ext_text = (CA_extensions + CertUtils.aia_prefix + "int-" + prefix +
|
||||
CertUtils.aia_suffix + intermediate_crl +
|
||||
CertUtils.mozilla_testing_ev_policy)
|
||||
|
||||
CertUtils.init_nss_db(srcdir)
|
||||
CertUtils.import_cert_and_pkcs12(srcdir, ca_cert, 'evroot.p12', 'evroot',
|
||||
'C,C,C')
|
||||
|
||||
[int_key, int_cert, ee_key, ee_cert] = CertUtils.generate_int_and_ee(db,
|
||||
srcdir,
|
||||
ca_key,
|
||||
ca_cert,
|
||||
prefix,
|
||||
int_ext_text,
|
||||
ee_ext_text,
|
||||
key_type,
|
||||
ee_validity_in_days = validity_days)
|
||||
pk12file = CertUtils.generate_pkcs12(db, db, int_cert, int_key,
|
||||
"int-" + prefix)
|
||||
CertUtils.import_cert_and_pkcs12(srcdir, int_cert, pk12file,
|
||||
'int-' + prefix, ',,')
|
||||
import_untrusted_cert(ee_cert, prefix)
|
||||
|
||||
# now we generate an end entity cert with an AIA with no OCSP URL
|
||||
no_ocsp_url_ext_aia = ("authorityInfoAccess =" +
|
||||
"caIssuers;URI:http://www.example.com/ca.html\n");
|
||||
[no_ocsp_key, no_ocsp_cert] = CertUtils.generate_cert_generic(db,
|
||||
srcdir,
|
||||
random.randint(100, 40000000),
|
||||
key_type,
|
||||
'no-ocsp-url-cert',
|
||||
no_ocsp_url_ext_aia + endentity_crl +
|
||||
CertUtils.mozilla_testing_ev_policy,
|
||||
int_key, int_cert,
|
||||
validity_in_days = validity_days);
|
||||
import_untrusted_cert(no_ocsp_cert, 'no-ocsp-url-cert');
|
||||
|
||||
# add an ev cert whose intermediate has a anypolicy oid
|
||||
prefix = "ev-valid-anypolicy-int"
|
||||
ee_ext_text = (CertUtils.aia_prefix + prefix + CertUtils.aia_suffix +
|
||||
endentity_crl + CertUtils.mozilla_testing_ev_policy)
|
||||
int_ext_text = (CA_extensions + CertUtils.aia_prefix + "int-" + prefix +
|
||||
CertUtils.aia_suffix + intermediate_crl + anypolicy_policy)
|
||||
|
||||
[int_key, int_cert, ee_key, ee_cert] = CertUtils.generate_int_and_ee(db,
|
||||
srcdir,
|
||||
ca_key,
|
||||
ca_cert,
|
||||
prefix,
|
||||
int_ext_text,
|
||||
ee_ext_text,
|
||||
key_type,
|
||||
ee_validity_in_days = validity_days)
|
||||
pk12file = CertUtils.generate_pkcs12(db, db, int_cert, int_key,
|
||||
"int-" + prefix)
|
||||
CertUtils.import_cert_and_pkcs12(srcdir, int_cert, pk12file,
|
||||
'int-' + prefix, ',,')
|
||||
import_untrusted_cert(ee_cert, prefix)
|
||||
|
||||
|
||||
[bad_ca_key, bad_ca_cert] = CertUtils.generate_cert_generic( db,
|
||||
srcdir,
|
||||
1,
|
||||
'rsa',
|
||||
'non-evroot-ca',
|
||||
CA_extensions)
|
||||
pk12file = CertUtils.generate_pkcs12(db, db, bad_ca_cert, bad_ca_key,
|
||||
"non-evroot-ca")
|
||||
CertUtils.import_cert_and_pkcs12(srcdir, bad_ca_cert, pk12file,
|
||||
'non-evroot-ca', 'C,C,C')
|
||||
prefix = "non-ev-root"
|
||||
ee_ext_text = (CertUtils.aia_prefix + prefix + CertUtils.aia_suffix +
|
||||
endentity_crl + CertUtils.mozilla_testing_ev_policy)
|
||||
int_ext_text = (CA_extensions + CertUtils.aia_prefix + "int-" + prefix +
|
||||
CertUtils.aia_suffix + intermediate_crl +
|
||||
CertUtils.mozilla_testing_ev_policy)
|
||||
[int_key, int_cert, ee_key, ee_cert] = CertUtils.generate_int_and_ee(db,
|
||||
srcdir,
|
||||
bad_ca_key,
|
||||
bad_ca_cert,
|
||||
prefix,
|
||||
int_ext_text,
|
||||
ee_ext_text,
|
||||
key_type,
|
||||
ee_validity_in_days = validity_days)
|
||||
pk12file = CertUtils.generate_pkcs12(db, db, int_cert, int_key,
|
||||
"int-" + prefix)
|
||||
CertUtils.import_cert_and_pkcs12(srcdir, int_cert, pk12file,
|
||||
'int-' + prefix, ',,')
|
||||
import_untrusted_cert(ee_cert, prefix)
|
||||
|
||||
generate_certs()
|
@ -0,0 +1,7 @@
|
||||
issuer:evroot
|
||||
subject:int-ev-valid-anypolicy-int
|
||||
issuerKey:ev
|
||||
extension:basicConstraints:cA,
|
||||
extension:keyUsage:cRLSign,keyCertSign
|
||||
extension:authorityInformationAccess:http://www.example.com:8888/int-ev-valid-anypolicy-int/
|
||||
extension:certificatePolicies:any
|
@ -0,0 +1,7 @@
|
||||
issuer:evroot
|
||||
subject:int-ev-valid
|
||||
issuerKey:ev
|
||||
extension:basicConstraints:cA,
|
||||
extension:keyUsage:cRLSign,keyCertSign
|
||||
extension:authorityInformationAccess:http://www.example.com:8888/int-ev-valid/
|
||||
extension:certificatePolicies:1.3.6.1.4.1.13769.666.666.666.1.500.9.1
|
@ -0,0 +1,6 @@
|
||||
issuer:non-evroot-ca
|
||||
subject:int-non-ev-root
|
||||
extension:basicConstraints:cA,
|
||||
extension:keyUsage:cRLSign,keyCertSign
|
||||
extension:authorityInformationAccess:http://www.example.com:8888/int-non-ev-root/
|
||||
extension:certificatePolicies:1.3.6.1.4.1.13769.666.666.666.1.500.9.1
|
38
security/manager/ssl/tests/unit/test_ev_certs/moz.build
@ -0,0 +1,38 @@
|
||||
# -*- Mode: python; c-basic-offset: 4; indent-tabs-mode: nil; tab-width: 40 -*-
|
||||
# vim: set filetype=python:
|
||||
# This Source Code Form is subject to the terms of the Mozilla Public
|
||||
# License, v. 2.0. If a copy of the MPL was not distributed with this
|
||||
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
|
||||
|
||||
test_certificates = (
|
||||
'ev-valid-anypolicy-int.pem',
|
||||
'ev-valid.pem',
|
||||
'evroot.pem',
|
||||
'int-ev-valid-anypolicy-int.pem',
|
||||
'int-ev-valid.pem',
|
||||
'int-non-ev-root.pem',
|
||||
'no-ocsp-url-cert.pem',
|
||||
'non-ev-root.pem',
|
||||
'non-evroot-ca.pem',
|
||||
)
|
||||
|
||||
for test_certificate in test_certificates:
|
||||
input_file = test_certificate + '.certspec'
|
||||
GENERATED_FILES += [test_certificate]
|
||||
props = GENERATED_FILES[test_certificate]
|
||||
props.script = '../pycert.py'
|
||||
props.inputs = [input_file]
|
||||
TEST_HARNESS_FILES.xpcshell.security.manager.ssl.tests.unit.test_ev_certs += ['!%s' % test_certificate]
|
||||
|
||||
test_keys = (
|
||||
'evroot.key',
|
||||
'int-ev-valid.key',
|
||||
)
|
||||
|
||||
for test_key in test_keys:
|
||||
input_file = test_key + '.keyspec'
|
||||
GENERATED_FILES += [test_key]
|
||||
props = GENERATED_FILES[test_key]
|
||||
props.script = '../pykey.py'
|
||||
props.inputs = [input_file]
|
||||
TEST_HARNESS_FILES.xpcshell.security.manager.ssl.tests.unit.test_ev_certs += ['!%s' % test_key]
|
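Review bot: The two GENERATED_FILES loops here are copied verbatim into the new test_keysize_ev/moz.build and test_validity/moz.build, differing only in the file tuples and the TEST_HARNESS_FILES destination, so a change to how pycert.py or pykey.py is invoked has to be made in three places. If the build system permits it, a shared helper keyed on the directory name would keep the three in step; otherwise a one-line comment at the top of each file pointing at the other copies would at least make the coupling visible. Note also that the private keys listed in `test_keys` are shipped to the test harness alongside the certificates, which is fine for fixed test material but worth a comment so nobody mistakes them for something that must stay private.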
@ -0,0 +1,3 @@
|
||||
issuer:int-ev-valid
|
||||
subject:no-ocsp-url-cert
|
||||
extension:certificatePolicies:1.3.6.1.4.1.13769.666.666.666.1.500.9.1
|
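Review bot: The replaced generator gave no-ocsp-url-cert an authorityInfoAccess extension carrying only a caIssuers entry (the removed `no_ocsp_url_ext_aia` in test_ev_certs/generate.py earlier in this commit), whereas this spec omits AIA entirely, so the certificate now exercises "no AIA extension" rather than "AIA present but no OCSP access method". That may be an acceptable narrowing if pycert.py cannot express a caIssuers-only AIA, but the assertion in test_ev_certs.js that consumes this certificate should be checked to confirm it still reaches the intended code path. Since the certspec format appears to have no comment syntax, the intent belongs next to that assertion, e.g. `// no-ocsp-url-cert deliberately carries no AIA extension, so no OCSP URL can be derived from it`.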
@ -0,0 +1,4 @@
|
||||
issuer:int-non-ev-root
|
||||
subject:non-ev-root
|
||||
extension:authorityInformationAccess:http://www.example.com:8888/non-ev-root/
|
||||
extension:certificatePolicies:1.3.6.1.4.1.13769.666.666.666.1.500.9.1
|
@ -0,0 +1,4 @@
|
||||
issuer:non-evroot-ca
|
||||
subject:non-evroot-ca
|
||||
extension:basicConstraints:cA,
|
||||
extension:keyUsage:cRLSign,keyCertSign
|
@ -1,5 +0,0 @@
|
||||
library=
|
||||
name=NSS Internal PKCS #11 Module
|
||||
parameters=configdir='sql:/home/m-c_drive/mozilla-inbound/security/manager/ssl/tests/unit/test_ev_certs' certPrefix='' keyPrefix='' secmod='secmod.db' flags= updatedir='' updateCertPrefix='' updateKeyPrefix='' updateid='' updateTokenDescription=''
|
||||
NSS=Flags=internal,critical trustOrder=75 cipherOrder=100 slotParams=(1={slotFlags=[RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES,Camellia,SEED,SHA256,SHA512] askpw=any timeout=30})
|
||||
|
@ -238,14 +238,5 @@ def generate_combination_chains():
|
||||
CertUtils.init_nss_db(srcdir)
|
||||
|
||||
generate_rsa_chains('1016', '1024', False)
|
||||
generate_rsa_chains('2040', '2048', True)
|
||||
generate_ecc_chains()
|
||||
generate_combination_chains()
|
||||
|
||||
# Print a blank line and the information needed to enable EV for any roots
|
||||
# generated by this script.
|
||||
print
|
||||
for cert_filename in generated_ev_root_filenames:
|
||||
CertUtils.print_cert_info(cert_filename)
|
||||
print ('You now MUST update the compiled test EV root information to match ' +
|
||||
'the EV root information printed above.')
|
||||
|
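Review bot: `generate_rsa_chains('1016', '1024', False)` keeps its third argument after the only call that passed `True` (the 2040/2048 EV chain) has been removed together with the EV-root printing block, so if that flag selects EV generation it is now a dead parameter documenting behaviour this script no longer has. If that reading is right, dropping the parameter from generate_rsa_chains (defined above this hunk) and the `generated_ev_root_filenames` bookkeeping it fed would finish the move; a one-line comment here such as `# EV key-size chains are generated at build time in test_keysize_ev/` would also tell readers where that coverage went. The surrounding module-level code continues outside the hunk.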
@ -15,18 +15,13 @@ const SERVER_PORT = 8888;
|
||||
function getOCSPResponder(expectedCertNames) {
|
||||
let expectedPaths = expectedCertNames.slice();
|
||||
return startOCSPResponder(SERVER_PORT, "www.example.com", [],
|
||||
"test_keysize", expectedCertNames, expectedPaths);
|
||||
}
|
||||
|
||||
function certFromFile(filename) {
|
||||
let der = readFile(do_get_file("test_keysize/" + filename, false));
|
||||
return certDB.constructX509(der, der.length);
|
||||
"test_keysize_ev/", expectedCertNames, expectedPaths);
|
||||
}
|
||||
|
||||
function loadCert(certName, trustString) {
|
||||
let certFilename = certName + ".der";
|
||||
addCertFromFile(certDB, "test_keysize/" + certFilename, trustString);
|
||||
return certFromFile(certFilename);
|
||||
let certFilename = "test_keysize_ev/" + certName + ".pem";
|
||||
addCertFromFile(certDB, certFilename, trustString);
|
||||
return constructCertFromFile(certFilename);
|
||||
}
|
||||
|
||||
/**
|
||||
@ -36,7 +31,7 @@ function loadCert(certName, trustString) {
|
||||
* An array of nicknames of the certs to be responded to.
|
||||
* @param {String} rootCertFileName
|
||||
* The file name of the root cert. Can begin with ".." to reference
|
||||
* certs in folders other than "test_keysize/".
|
||||
* certs in folders other than "test_keysize_ev/".
|
||||
* @param {Array} intCertFileNames
|
||||
* An array of file names of any intermediate certificates.
|
||||
* @param {String} endEntityCertFileName
|
||||
@ -56,8 +51,11 @@ function addKeySizeTestForEV(expectedNamesForOCSP,
|
||||
for (let intCertFileName of intCertFileNames) {
|
||||
loadCert(intCertFileName, ",,");
|
||||
}
|
||||
checkEVStatus(certDB, certFromFile(endEntityCertFileName + ".der"),
|
||||
certificateUsageSSLServer, expectedResult);
|
||||
checkEVStatus(
|
||||
certDB,
|
||||
constructCertFromFile(`test_keysize_ev/${endEntityCertFileName}.pem`),
|
||||
certificateUsageSSLServer,
|
||||
expectedResult);
|
||||
|
||||
ocspResponder.stop(run_next_test);
|
||||
});
|
||||
@ -134,6 +132,14 @@ function run_test() {
|
||||
Services.prefs.setCharPref("network.dns.localDomains", "www.example.com");
|
||||
Services.prefs.setIntPref("security.OCSP.enabled", 1);
|
||||
|
||||
let smallKeyEVRoot =
|
||||
constructCertFromFile("test_keysize_ev/ev_root_rsa_2040.pem");
|
||||
equal(smallKeyEVRoot.sha256Fingerprint,
|
||||
"28:79:B9:6C:08:71:6C:7D:CE:38:8C:AB:7E:EB:08:A6:" +
|
||||
"F7:2C:CE:E4:47:F5:72:A1:EB:16:9B:C3:49:49:72:5D",
|
||||
"test sanity check: the small-key EV root must have the same " +
|
||||
"fingerprint as the corresponding entry in ExtendedValidation.cpp");
|
||||
|
||||
checkRSAChains(2040, 2048);
|
||||
|
||||
run_next_test();
|
||||
|
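Review bot: The literal directory prefix `test_keysize_ev/` now appears in three places in this file — the `startOCSPResponder` argument, `loadCert`, and the `constructCertFromFile` call in addKeySizeTestForEV — so a future rename has to touch all three; a single `const CERT_DIR = "test_keysize_ev/";` next to SERVER_PORT would keep them aligned. The fingerprint sanity check added to run_test is a good guard against the generated root drifting from ExtendedValidation.cpp, but it only holds if build-time generation is fully deterministic (fixed key, serial and validity), which this file does not state; a short comment above the `equal(...)` saying so and naming the ExtendedValidation.cpp entry it must match would tell whoever sees it fail which side to update. addKeySizeTestForEV and run_test both extend beyond the hunks shown.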
@ -0,0 +1,5 @@
|
||||
issuer:ev_int_rsa_2048-evroot
|
||||
subject:ev_ee_rsa_2040-ev_int_rsa_2048-evroot
|
||||
subjectKey:rsa2040
|
||||
extension:authorityInformationAccess:http://www.example.com:8888/ev_ee_rsa_2040-ev_int_rsa_2048-evroot/
|
||||
extension:certificatePolicies:1.3.6.1.4.1.13769.666.666.666.1.500.9.1
|
@ -0,0 +1,5 @@
|
||||
issuer:ev_int_rsa_2040-evroot
|
||||
subject:ev_ee_rsa_2048-ev_int_rsa_2040-evroot
|
||||
issuerKey:rsa2040
|
||||
extension:authorityInformationAccess:http://www.example.com:8888/ev_ee_rsa_2048-ev_int_rsa_2040-evroot/
|
||||
extension:certificatePolicies:1.3.6.1.4.1.13769.666.666.666.1.500.9.1
|
@ -0,0 +1,4 @@
|
||||
issuer:ev_int_rsa_2048-ev_root_rsa_2040
|
||||
subject:ev_ee_rsa_2048-ev_int_rsa_2048-ev_root_rsa_2040
|
||||
extension:authorityInformationAccess:http://www.example.com:8888/ev_ee_rsa_2048-ev_int_rsa_2048-ev_root_rsa_2040/
|
||||
extension:certificatePolicies:1.3.6.1.4.1.13769.666.666.666.1.500.9.1
|
@ -0,0 +1,4 @@
|
||||
issuer:ev_int_rsa_2048-evroot
|
||||
subject:ev_ee_rsa_2048-ev_int_rsa_2048-evroot
|
||||
extension:authorityInformationAccess:http://www.example.com:8888/ev_ee_rsa_2048-ev_int_rsa_2048-evroot/
|
||||
extension:certificatePolicies:1.3.6.1.4.1.13769.666.666.666.1.500.9.1
|
@ -0,0 +1,8 @@
|
||||
issuer:evroot
|
||||
subject:ev_int_rsa_2040-evroot
|
||||
issuerKey:ev
|
||||
subjectKey:rsa2040
|
||||
extension:basicConstraints:cA,
|
||||
extension:keyUsage:cRLSign,keyCertSign
|
||||
extension:authorityInformationAccess:http://www.example.com:8888/ev_int_rsa_2040-evroot/
|
||||
extension:certificatePolicies:1.3.6.1.4.1.13769.666.666.666.1.500.9.1
|
@ -0,0 +1 @@
|
||||
rsa2040
|
@ -0,0 +1,7 @@
|
||||
issuer:ev_root_rsa_2040
|
||||
subject:ev_int_rsa_2048-ev_root_rsa_2040
|
||||
issuerKey:evRSA2040
|
||||
extension:basicConstraints:cA,
|
||||
extension:keyUsage:cRLSign,keyCertSign
|
||||
extension:authorityInformationAccess:http://www.example.com:8888/ev_int_rsa_2048-ev_root_rsa_2040/
|
||||
extension:certificatePolicies:1.3.6.1.4.1.13769.666.666.666.1.500.9.1
|
@ -0,0 +1,7 @@
|
||||
issuer:evroot
|
||||
subject:ev_int_rsa_2048-evroot
|
||||
issuerKey:ev
|
||||
extension:basicConstraints:cA,
|
||||
extension:keyUsage:cRLSign,keyCertSign
|
||||
extension:authorityInformationAccess:http://www.example.com:8888/ev_int_rsa_2048-evroot/
|
||||
extension:certificatePolicies:1.3.6.1.4.1.13769.666.666.666.1.500.9.1
|
@ -0,0 +1 @@
|
||||
evRSA2040
|
@ -0,0 +1,7 @@
|
||||
issuer:ev_root_rsa_2040
|
||||
subject:ev_root_rsa_2040
|
||||
issuerKey:evRSA2040
|
||||
subjectKey:evRSA2040
|
||||
validity:20150101-20350101
|
||||
extension:basicConstraints:cA,
|
||||
extension:keyUsage:cRLSign,keyCertSign
|
@ -0,0 +1 @@
|
||||
ev
|
@ -0,0 +1,7 @@
|
||||
issuer:evroot
|
||||
subject:evroot
|
||||
subjectKey:ev
|
||||
issuerKey:ev
|
||||
validity:20150101-20350101
|
||||
extension:basicConstraints:cA,
|
||||
extension:keyUsage:keyCertSign,cRLSign
|
40
security/manager/ssl/tests/unit/test_keysize_ev/moz.build
@ -0,0 +1,40 @@
|
||||
# -*- Mode: python; c-basic-offset: 4; indent-tabs-mode: nil; tab-width: 40 -*-
|
||||
# vim: set filetype=python:
|
||||
# This Source Code Form is subject to the terms of the Mozilla Public
|
||||
# License, v. 2.0. If a copy of the MPL was not distributed with this
|
||||
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
|
||||
|
||||
test_certificates = (
|
||||
'ev_ee_rsa_2040-ev_int_rsa_2048-evroot.pem',
|
||||
'ev_ee_rsa_2048-ev_int_rsa_2040-evroot.pem',
|
||||
'ev_ee_rsa_2048-ev_int_rsa_2048-ev_root_rsa_2040.pem',
|
||||
'ev_ee_rsa_2048-ev_int_rsa_2048-evroot.pem',
|
||||
'ev_int_rsa_2040-evroot.pem',
|
||||
'ev_int_rsa_2048-ev_root_rsa_2040.pem',
|
||||
'ev_int_rsa_2048-evroot.pem',
|
||||
'ev_root_rsa_2040.pem',
|
||||
'evroot.pem',
|
||||
)
|
||||
|
||||
for test_certificate in test_certificates:
|
||||
input_file = test_certificate + '.certspec'
|
||||
GENERATED_FILES += [test_certificate]
|
||||
props = GENERATED_FILES[test_certificate]
|
||||
props.script = '../pycert.py'
|
||||
props.inputs = [input_file]
|
||||
TEST_HARNESS_FILES.xpcshell.security.manager.ssl.tests.unit.test_keysize_ev += ['!%s' % test_certificate]
|
||||
|
||||
test_keys = (
|
||||
'ev_int_rsa_2040.key',
|
||||
'ev_int_rsa_2048.key',
|
||||
'ev_root_rsa_2040.key',
|
||||
'evroot.key',
|
||||
)
|
||||
|
||||
for test_key in test_keys:
|
||||
input_file = test_key + '.keyspec'
|
||||
GENERATED_FILES += [test_key]
|
||||
props = GENERATED_FILES[test_key]
|
||||
props.script = '../pykey.py'
|
||||
props.inputs = [input_file]
|
||||
TEST_HARNESS_FILES.xpcshell.security.manager.ssl.tests.unit.test_keysize_ev += ['!%s' % test_key]
|
@ -48,11 +48,11 @@ function addEVTest(expectedNamesForOCSP, rootCertFileName, intCertFileNames,
|
||||
clearOCSPCache();
|
||||
let ocspResponder = getOCSPResponder(expectedNamesForOCSP);
|
||||
|
||||
loadCert(`${rootCertFileName}.der`, "CTu,CTu,CTu");
|
||||
loadCert(`${rootCertFileName}.pem`, "CTu,CTu,CTu");
|
||||
for (let intCertFileName of intCertFileNames) {
|
||||
loadCert(`${intCertFileName}.der`, ",,");
|
||||
loadCert(`${intCertFileName}.pem`, ",,");
|
||||
}
|
||||
checkEVStatus(certDB, certFromFile(`${endEntityCertFileName}.der`),
|
||||
checkEVStatus(certDB, certFromFile(`${endEntityCertFileName}.pem`),
|
||||
certificateUsageSSLServer, expectedResult);
|
||||
|
||||
ocspResponder.stop(run_next_test);
|
||||
|
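Review bot: The call sites now pass `.pem` filenames to `loadCert` and `certFromFile`, but both helpers are defined outside this hunk, and the `certFromFile` removed from test_keysize_ev.js in this same commit read its input as raw DER via `readFile` plus `constructX509`; if this file's helper still does that, a PEM input would not parse. Presumably the helper was updated in a hunk not shown here, but for consistency with test_keysize_ev.js it would be cleaner to drop the local helper and call `constructCertFromFile(`test_validity/${endEntityCertFileName}.pem`)` directly, as the other test now does. addEVTest starts before this hunk.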
@ -0,0 +1,5 @@
|
||||
issuer:ev_int_60_months-evroot
|
||||
subject:ev_ee_39_months-ev_int_60_months-evroot
|
||||
validity:1188
|
||||
extension:authorityInformationAccess:http://www.example.com:8888/ev_ee_39_months-ev_int_60_months-evroot/
|
||||
extension:certificatePolicies:1.3.6.1.4.1.13769.666.666.666.1.500.9.1
|
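Review bot: The day count `validity:1188` here and `validity:1219` in the ev_ee_40_months spec are the only record of what "39 months" and "40 months" mean, and nothing explains how they were derived; the removed test_validity/generate.py computed them as `validity_years * 365 + validity_months * 31`, i.e. 3*365 + 3*31 = 1188 and 3*365 + 4*31 = 1219. Since the certspec format appears to have no comment syntax, that formula should live in test_validity.js next to the assertions that depend on the 39-month EV limit, e.g. `// EE validity in days: 39 months = 3*365 + 3*31 = 1188; 40 months = 3*365 + 4*31 = 1219`. The same applies to `validity:1825` (5*365) in the ev_int_60_months spec.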
@ -0,0 +1,5 @@
|
||||
issuer:ev_int_60_months-evroot
|
||||
subject:ev_ee_40_months-ev_int_60_months-evroot
|
||||
validity:1219
|
||||
extension:authorityInformationAccess:http://www.example.com:8888/ev_ee_40_months-ev_int_60_months-evroot/
|
||||
extension:certificatePolicies:1.3.6.1.4.1.13769.666.666.666.1.500.9.1
|
@ -0,0 +1,8 @@
|
||||
issuer:evroot
|
||||
subject:ev_int_60_months-evroot
|
||||
issuerKey:ev
|
||||
validity:1825
|
||||
extension:basicConstraints:cA,
|
||||
extension:keyUsage:cRLSign,keyCertSign
|
||||
extension:authorityInformationAccess:http://www.example.com:8888/ev_int_60_months-evroot/
|
||||
extension:certificatePolicies:1.3.6.1.4.1.13769.666.666.666.1.500.9.1
|
@ -0,0 +1 @@
|
||||
ev
|
@ -0,0 +1,7 @@
|
||||
issuer:evroot
|
||||
subject:evroot
|
||||
subjectKey:ev
|
||||
issuerKey:ev
|
||||
validity:20150101-20350101
|
||||
extension:basicConstraints:cA,
|
||||
extension:keyUsage:keyCertSign,cRLSign
|
@ -1,142 +0,0 @@
|
||||
#!/usr/bin/env python
|
||||
|
||||
# This Source Code Form is subject to the terms of the Mozilla Public
|
||||
# License, v. 2.0. If a copy of the MPL was not distributed with this
|
||||
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
|
||||
|
||||
import math
|
||||
import os
|
||||
import random
|
||||
import sys
|
||||
import tempfile
|
||||
|
||||
sys.path.append(os.path.abspath('../psm_common_py'))
|
||||
import CertUtils
|
||||
|
||||
src_dir = os.getcwd()
|
||||
temp_dir = tempfile.mkdtemp()
|
||||
|
||||
generated_ev_certs = []
|
||||
def generate_and_import_cert(cert_name_prefix, cert_name_suffix,
|
||||
base_ext_text, signer_key_filename,
|
||||
signer_cert_filename, validity_in_months):
|
||||
"""
|
||||
Generates a certificate and imports it into the NSS DB.
|
||||
|
||||
Arguments:
|
||||
cert_name_prefix - prefix of the generated cert name
|
||||
cert_name_suffix - suffix of the generated cert name
|
||||
base_ext_text - the base text for the x509 extensions to be
|
||||
added to the certificate (extra extensions will
|
||||
be added if generating an EV cert)
|
||||
signer_key_filename - the filename of the key from which the
|
||||
cert will be signed. If an empty string is
|
||||
passed in the cert will be self signed
|
||||
(think CA roots).
|
||||
signer_cert_filename - the filename of the signer cert that will
|
||||
sign the certificate being generated.
|
||||
Ignored if an empty string is passed in
|
||||
for signer_key_filename.
|
||||
Must be in DER format.
|
||||
validity_in_months - the number of months the cert should be
|
||||
valid for.
|
||||
|
||||
Output:
|
||||
cert_name - the resultant (nick)name of the certificate
|
||||
key_filename - the filename of the key file (PEM format)
|
||||
cert_filename - the filename of the certificate (DER format)
|
||||
"""
|
||||
cert_name = 'ev_%s_%u_months' % (cert_name_prefix, validity_in_months)
|
||||
|
||||
# If the suffix is not the empty string, add a hyphen for visual
|
||||
# separation
|
||||
if cert_name_suffix:
|
||||
cert_name += '-' + cert_name_suffix
|
||||
|
||||
subject_string = '/CN=%s' % cert_name
|
||||
ev_ext_text = (CertUtils.aia_prefix + cert_name + CertUtils.aia_suffix +
|
||||
CertUtils.mozilla_testing_ev_policy)
|
||||
|
||||
# Reuse the existing RSA EV root
|
||||
if (signer_key_filename == '' and signer_cert_filename == ''):
|
||||
cert_name = 'evroot'
|
||||
key_filename = '../test_ev_certs/evroot.key'
|
||||
cert_filename = '../test_ev_certs/evroot.der'
|
||||
CertUtils.import_cert_and_pkcs12(src_dir, cert_filename,
|
||||
'../test_ev_certs/evroot.p12',
|
||||
cert_name, ',,')
|
||||
return [cert_name, key_filename, cert_filename]
|
||||
|
||||
# Don't regenerate a previously generated cert
|
||||
for cert in generated_ev_certs:
|
||||
if cert_name == cert[0]:
|
||||
return cert
|
||||
|
||||
validity_years = math.floor(validity_in_months / 12)
|
||||
validity_months = validity_in_months % 12
|
||||
[key_filename, cert_filename] = CertUtils.generate_cert_generic(
|
||||
temp_dir,
|
||||
src_dir,
|
||||
random.randint(100, 40000000),
|
||||
'rsa',
|
||||
cert_name,
|
||||
base_ext_text + ev_ext_text,
|
||||
signer_key_filename,
|
||||
signer_cert_filename,
|
||||
subject_string,
|
||||
validity_in_days = validity_years * 365 + validity_months * 31)
|
||||
generated_ev_certs.append([cert_name, key_filename, cert_filename])
|
||||
|
||||
# The dest_dir argument of generate_pkcs12() is also set to temp_dir
|
||||
# as the .p12 files do not need to be kept once they have been
|
||||
# imported.
|
||||
pkcs12_filename = CertUtils.generate_pkcs12(temp_dir, temp_dir,
|
||||
cert_filename,
|
||||
key_filename,
|
||||
cert_name)
|
||||
CertUtils.import_cert_and_pkcs12(src_dir, cert_filename,
|
||||
pkcs12_filename, cert_name, ',,')
|
||||
|
||||
return [cert_name, key_filename, cert_filename]
|
||||
|
||||
def generate_chain(ee_validity_months):
|
||||
"""
|
||||
Generates a certificate chain and imports the individual
|
||||
certificates into the NSS DB.
|
||||
"""
|
||||
ca_ext_text = ('basicConstraints = critical, CA:TRUE\n' +
|
||||
'keyUsage = keyCertSign, cRLSign\n')
|
||||
|
||||
[root_nick, root_key_file, root_cert_file] = generate_and_import_cert(
|
||||
'root',
|
||||
'',
|
||||
ca_ext_text,
|
||||
'',
|
||||
'',
|
||||
60)
|
||||
|
||||
[int_nick, int_key_file, int_cert_file] = generate_and_import_cert(
|
||||
'int',
|
||||
root_nick,
|
||||
ca_ext_text,
|
||||
root_key_file,
|
||||
root_cert_file,
|
||||
60)
|
||||
|
||||
generate_and_import_cert(
|
||||
'ee',
|
||||
int_nick,
|
||||
'',
|
||||
int_key_file,
|
||||
int_cert_file,
|
||||
ee_validity_months)
|
||||
|
||||
# Create a NSS DB for use by the OCSP responder.
|
||||
[noise_file, pwd_file] = CertUtils.init_nss_db(src_dir)
|
||||
|
||||
generate_chain(39)
|
||||
generate_chain(40)
|
||||
|
||||
# Remove unnecessary files
|
||||
os.remove(noise_file)
|
||||
os.remove(pwd_file)
|
33
security/manager/ssl/tests/unit/test_validity/moz.build
@ -0,0 +1,33 @@
|
||||
# -*- Mode: python; c-basic-offset: 4; indent-tabs-mode: nil; tab-width: 40 -*-
|
||||
# vim: set filetype=python:
|
||||
# This Source Code Form is subject to the terms of the Mozilla Public
|
||||
# License, v. 2.0. If a copy of the MPL was not distributed with this
|
||||
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
|
||||
|
||||
test_certificates = (
|
||||
'ev_ee_39_months-ev_int_60_months-evroot.pem',
|
||||
'ev_ee_40_months-ev_int_60_months-evroot.pem',
|
||||
'ev_int_60_months-evroot.pem',
|
||||
'evroot.pem',
|
||||
)
|
||||
|
||||
for test_certificate in test_certificates:
|
||||
input_file = test_certificate + '.certspec'
|
||||
GENERATED_FILES += [test_certificate]
|
||||
props = GENERATED_FILES[test_certificate]
|
||||
props.script = '../pycert.py'
|
||||
props.inputs = [input_file]
|
||||
TEST_HARNESS_FILES.xpcshell.security.manager.ssl.tests.unit.test_validity += ['!%s' % test_certificate]
|
||||
|
||||
test_keys = (
|
||||
'ev_int_60_months-evroot.key',
|
||||
'evroot.key',
|
||||
)
|
||||
|
||||
for test_key in test_keys:
|
||||
input_file = test_key + '.keyspec'
|
||||
GENERATED_FILES += [test_key]
|
||||
props = GENERATED_FILES[test_key]
|
||||
props.script = '../pykey.py'
|
||||
props.inputs = [input_file]
|
||||
TEST_HARNESS_FILES.xpcshell.security.manager.ssl.tests.unit.test_validity += ['!%s' % test_key]
|
@ -1,5 +0,0 @@
|
||||
library=
|
||||
name=NSS Internal PKCS #11 Module
|
||||
parameters=configdir='sql:/home/m-c_drive/mozilla-inbound/security/manager/ssl/tests/unit/test_validity' certPrefix='' keyPrefix='' secmod='secmod.db' flags= updatedir='' updateCertPrefix='' updateKeyPrefix='' updateid='' updateTokenDescription=''
|
||||
NSS=Flags=internal,critical trustOrder=75 cipherOrder=100 slotParams=(1={slotFlags=[RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES,Camellia,SEED,SHA256,SHA512] askpw=any timeout=30})
|
||||
|
@ -20,6 +20,7 @@ support-files =
|
||||
test_ocsp_url/**
|
||||
test_ocsp_fetch_method/**
|
||||
test_keysize/**
|
||||
test_keysize_ev/**
|
||||
test_pinning_dynamic/**
|
||||
test_onecrl/**
|
||||
test_validity/**
|
||||
|