mirror of
https://github.com/mozilla/gecko-dev.git
synced 2024-10-21 17:25:36 +00:00
4bc9fe0d27
This patch does a few things: 1) It removes the symantecRoot and symantec_affected certs from build/pgo/certs' DB. 2) It upgrades that DB from the old format to SQLite (and this 8/3 to 9/4). 3) It adds a new cert "imminently_distrusted" to that DB for the bc test. 4) It changes the Subject of the immient distrust test to only have the CN field: this is because certutil reorders C to come after CN, and just like with the real Symantec certs, I had put C first. So rather than deal with importing the end entity for the pgo tests, I decided to just make things simple and change the tested subject. 5) Finally, it re-enables the test that was disabled in Bug 1434300. MozReview-Commit-ID: Bt2RKyInJje --HG-- rename : build/pgo/certs/cert8.db => build/pgo/certs/cert9.db rename : build/pgo/certs/key3.db => build/pgo/certs/key4.db extra : rebase_source : efceb67ae16f0af617bbd8bec201d52eee0f467d
217 lines
7.8 KiB
Python
217 lines
7.8 KiB
Python
#!/usr/bin/env python
|
|
# This Source Code Form is subject to the terms of the Mozilla Public
|
|
# License, v. 2.0. If a copy of the MPL was not distributed with this
|
|
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
|
|
|
|
# This script exists to generate the Certificate Authority and server
|
|
# certificates used for SSL testing in Mochitest. The already generated
|
|
# certs are located at $topsrcdir/build/pgo/certs/ .
|
|
|
|
import mozinfo
|
|
import os
|
|
import random
|
|
import re
|
|
import shutil
|
|
import subprocess
|
|
import sys
|
|
import tempfile
|
|
|
|
from mozbuild.base import MozbuildObject
|
|
from mozfile import NamedTemporaryFile
|
|
from mozprofile.permissions import ServerLocations
|
|
|
|
dbFiles = [
|
|
re.compile("^cert[0-9]+\.db$"),
|
|
re.compile("^key[0-9]+\.db$"),
|
|
re.compile("^secmod\.db$")
|
|
]
|
|
|
|
def unlinkDbFiles(path):
|
|
for root, dirs, files in os.walk(path):
|
|
for name in files:
|
|
for dbFile in dbFiles:
|
|
if dbFile.match(name) and os.path.exists(os.path.join(root, name)):
|
|
os.unlink(os.path.join(root, name))
|
|
|
|
def dbFilesExist(path):
|
|
for root, dirs, files in os.walk(path):
|
|
for name in files:
|
|
for dbFile in dbFiles:
|
|
if dbFile.match(name) and os.path.exists(os.path.join(root, name)):
|
|
return True
|
|
return False
|
|
|
|
|
|
def runUtil(util, args, inputdata = None):
|
|
env = os.environ.copy()
|
|
if mozinfo.os == "linux":
|
|
pathvar = "LD_LIBRARY_PATH"
|
|
app_path = os.path.dirname(util)
|
|
if pathvar in env:
|
|
env[pathvar] = "%s%s%s" % (app_path, os.pathsep, env[pathvar])
|
|
else:
|
|
env[pathvar] = app_path
|
|
proc = subprocess.Popen([util] + args, env=env,
|
|
stdin=subprocess.PIPE if inputdata else None)
|
|
proc.communicate(inputdata)
|
|
return proc.returncode
|
|
|
|
|
|
def createRandomFile(randomFile):
|
|
for count in xrange(0, 2048):
|
|
randomFile.write(chr(random.randint(0, 255)))
|
|
|
|
|
|
def createCertificateAuthority(build, srcDir):
|
|
certutil = build.get_binary_path(what="certutil")
|
|
pk12util = build.get_binary_path(what="pk12util")
|
|
|
|
#TODO: mozfile.TemporaryDirectory
|
|
tempDbDir = tempfile.mkdtemp()
|
|
with NamedTemporaryFile() as pwfile, NamedTemporaryFile() as rndfile:
|
|
pgoCAModulePathSrc = os.path.join(srcDir, "pgoca.p12")
|
|
pgoCAPathSrc = os.path.join(srcDir, "pgoca.ca")
|
|
|
|
pwfile.write("\n")
|
|
|
|
# Create temporary certification database for CA generation
|
|
status = runUtil(certutil, ["-N", "-d", tempDbDir, "-f", pwfile.name])
|
|
if status:
|
|
return status
|
|
|
|
createRandomFile(rndfile)
|
|
status = runUtil(certutil, ["-S", "-d", tempDbDir, "-s", "CN=Temporary Certificate Authority, O=Mozilla Testing, OU=Profile Guided Optimization", "-t", "C,,", "-x", "-m", "1", "-v", "120", "-n", "pgo temporary ca", "-2", "-f", pwfile.name, "-z", rndfile.name], "Y\n0\nN\n")
|
|
if status:
|
|
return status
|
|
|
|
status = runUtil(certutil, ["-L", "-d", tempDbDir, "-n", "pgo temporary ca", "-a", "-o", pgoCAPathSrc, "-f", pwfile.name])
|
|
if status:
|
|
return status
|
|
|
|
status = runUtil(pk12util, ["-o", pgoCAModulePathSrc, "-n", "pgo temporary ca", "-d", tempDbDir, "-w", pwfile.name, "-k", pwfile.name])
|
|
if status:
|
|
return status
|
|
|
|
shutil.rmtree(tempDbDir)
|
|
return 0
|
|
|
|
|
|
def createSSLServerCertificate(build, srcDir):
|
|
certutil = build.get_binary_path(what="certutil")
|
|
pk12util = build.get_binary_path(what="pk12util")
|
|
|
|
with NamedTemporaryFile() as pwfile, NamedTemporaryFile() as rndfile:
|
|
pgoCAPath = os.path.join(srcDir, "pgoca.p12")
|
|
|
|
pwfile.write("\n")
|
|
|
|
if not dbFilesExist(srcDir):
|
|
# Make sure all DB files from src are really deleted
|
|
unlinkDbFiles(srcDir)
|
|
|
|
# Create certification database for ssltunnel
|
|
status = runUtil(certutil, ["-N", "-d", srcDir, "-f", pwfile.name])
|
|
if status:
|
|
return status
|
|
|
|
status = runUtil(pk12util, ["-i", pgoCAPath, "-w", pwfile.name, "-d", srcDir, "-k", pwfile.name])
|
|
if status:
|
|
return status
|
|
|
|
# Generate automatic certificate
|
|
locations = ServerLocations(os.path.join(build.topsrcdir,
|
|
"build", "pgo",
|
|
"server-locations.txt"))
|
|
iterator = iter(locations)
|
|
|
|
# Skips the first entry, I don't know why: bug 879740
|
|
iterator.next()
|
|
|
|
locationsParam = ""
|
|
firstLocation = ""
|
|
for loc in iterator:
|
|
if loc.scheme == "https" and "nocert" not in loc.options:
|
|
customCertOption = False
|
|
customCertRE = re.compile("^cert=(?:\w+)")
|
|
for option in loc.options:
|
|
match = customCertRE.match(option)
|
|
if match:
|
|
customCertOption = True
|
|
break
|
|
|
|
if not customCertOption:
|
|
if len(locationsParam) > 0:
|
|
locationsParam += ","
|
|
locationsParam += loc.host
|
|
|
|
if firstLocation == "":
|
|
firstLocation = loc.host
|
|
|
|
if not firstLocation:
|
|
print "Nothing to generate, no automatic secure hosts specified"
|
|
else:
|
|
createRandomFile(rndfile)
|
|
|
|
runUtil(certutil, ["-D", "-n", "pgo server certificate", "-d", srcDir, "-z", rndfile.name, "-f", pwfile.name])
|
|
# Ignore the result, the certificate may not be present when new database is being built
|
|
|
|
status = runUtil(certutil, ["-S", "-s", "CN=%s" % firstLocation, "-t", "Pu,,", "-c", "pgo temporary ca", "-m", "2", "-8", locationsParam, "-v", "120", "-n", "pgo server certificate", "-d", srcDir, "-z", rndfile.name, "-f", pwfile.name])
|
|
if status:
|
|
return status
|
|
|
|
status = runUtil(certutil, ["-S", "-s", "CN=Imminently Distrusted End Entity", "-t", "P,,", "-c", "pgo temporary ca", "-k", "rsa", "-g", "2048", "-Z", "SHA256", "-m", "1519140221", "-n", "imminently_distrusted", "-v", "120", "-8", "imminently-distrusted.example.com", "-d", srcDir, "-z", rndfile.name, "-f", pwfile.name])
|
|
if status:
|
|
return status
|
|
|
|
"""
|
|
As of February 2018, there are 15 more certificates which are not created by
|
|
this script. See bug 1441338:
|
|
|
|
selfsigned Pu,u,u
|
|
Unknown CA Cu,u,u
|
|
escapeattack1 Pu,u,u
|
|
untrustedandexpired Pu,u,u
|
|
alternateTrustedAuthority Cu,u,u
|
|
dynamicPinningGood Pu,u,u
|
|
staticPinningBad Pu,u,u
|
|
sha1_end_entity Pu,u,u
|
|
bug413909cert u,u,u
|
|
untrusted Pu,u,u
|
|
escapeattack2 Pu,u,u
|
|
expired Pu,u,u
|
|
dynamicPinningBad Pu,u,u
|
|
sha256_end_entity Pu,u,u
|
|
"""
|
|
|
|
return 0
|
|
|
|
if len(sys.argv) == 1:
|
|
print "Specify --gen-server or --gen-ca"
|
|
sys.exit(1)
|
|
|
|
build = MozbuildObject.from_environment()
|
|
certdir = os.path.join(build.topsrcdir, "build", "pgo", "certs")
|
|
if sys.argv[1] == "--gen-server":
|
|
certificateStatus = createSSLServerCertificate(build, certdir)
|
|
if certificateStatus:
|
|
print "TEST-UNEXPECTED-FAIL | SSL Server Certificate generation"
|
|
|
|
sys.exit(certificateStatus)
|
|
|
|
if sys.argv[1] == "--gen-ca":
|
|
certificateStatus = createCertificateAuthority(build, certdir)
|
|
if certificateStatus:
|
|
print "TEST-UNEXPECTED-FAIL | Certificate Authority generation"
|
|
else:
|
|
print "\n\n"
|
|
print "==================================================="
|
|
print " IMPORTANT:"
|
|
print " To use this new certificate authority in tests"
|
|
print " run 'make' at testing/mochitest"
|
|
print "==================================================="
|
|
|
|
sys.exit(certificateStatus)
|
|
|
|
print "Invalid option specified"
|
|
sys.exit(1)
|